CN115811434A - Firewall strategy convergence and intelligent issuing method and system - Google Patents


Info

Publication number
CN115811434A
Authority
CN
China
Prior art keywords: strategy, database, source, port, firewall
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211583430.1A
Other languages
Chinese (zh)
Inventor
程伟
赖博林
潘润铿
陈木春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unicom Guangdong Industrial Internet Co Ltd
Original Assignee
China Unicom Guangdong Industrial Internet Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of firewall policy processing and provides a firewall policy convergence and intelligent issuing method comprising the following steps: obtaining a firewall policy work order; parsing the work order and storing it in a policy database; performing policy convergence on the policy database, which includes grouping policies by source IP, destination IP and port, screening out policies in which any two or more of source IP, destination IP and port are the same and outputting the corresponding policy names, and configuring a deletion policy for the duplicate policy names, where the deletion policy includes executing an undo operation to delete the corresponding firewall configuration information and deleting the corresponding records from the database; and replying to the work order: if a firewall policy in which any two or more of the source IP, destination IP and port match already exists in the database, the corresponding policy name is obtained from the database and returned in the reply, otherwise the policy is opened and the reply is sent. The policies are thereby converged, the firewall load is reduced and stable system operation is ensured.

Description

Firewall strategy convergence and intelligent issuing method and system
Technical Field
The invention relates to the field of firewall policy processing, in particular to a method and a system for converging and intelligently issuing firewall policies.
Background
In the cloud service system, cloud nodes are built in each city; every node uses equipment of the same brand and the same architecture, a single work order management platform is used throughout, deployment follows a distributed architecture, and a unified, standardized system is created. Because the data center of each cloud node serves both an internet zone and an external-network zone, the two service zones must be securely isolated, and a network engineer opens policies according to the work order data from the work order management platform. The database of the work order management platform stores, among other things, address information, policy information and user information. Because work orders are not standardized and contain a large amount of redundant data, the firewall policy set becomes huge and performance is poor, so the firewall policies need to be converged and policy work orders need to be issued intelligently.
Disclosure of Invention
The invention aims to overcome at least one defect of the prior art by solving the problems of firewall policy convergence and intelligent issuing of policy work orders. It provides a method for converging and issuing firewall policies that converges the firewall policies, reduces the firewall load and ensures stable operation of the service system. The scheme of the invention specifically comprises the following steps:
S1, obtaining a firewall policy work order, where the work order comprises source information, unit information, operation and maintenance information, the firewall policy, a policy name, a source IP, a destination IP, a protocol and a port;
S2, parsing the work order and storing it in a policy database;
S3, performing policy convergence on the policy database, specifically comprising:
grouping policies by source IP, destination IP and port;
screening out policies in which any two or more of source IP, destination IP and port are the same, and outputting the corresponding policy names;
configuring a deletion policy for the duplicate policy names, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
S4, replying to the work order, specifically comprising:
for a firewall policy in which any two or more of the source IP, destination IP and port already exist in the database, obtaining the corresponding policy name from the database and replying with it; otherwise, opening the policy and replying. The database stores, among other things, address information, policy information and user information.
When a firewall policy work order is obtained in which any two or more of the source IP, destination IP and port are the same, there is a correspondence between a private-network IP address and a virtual IP, and the source IP, destination IP and port information configured on the firewall is exactly the same. This wastes resources, bloats the policy set and, over time, leaves the firewall overloaded and performing poorly. Therefore the firewall policies need to be converged, and subsequently opened policies need to be judged and issued intelligently. First, the policy name, source IP, destination IP, protocol, port and similar information is parsed from the work order according to the network policy five-tuple and the required work order fields, and stored in the database. The policy database stores the policy name, addresses, ports and so on. The policy name is unique. Address information is either a single IP or an IP segment. A single IP appears in a policy as, for example, source-address 172.16.12.107 mask 255.255.255.255 (parsed into the database IP field as 172.16.12.107) or destination-address 19.32.5.67 mask 255.255.255.255 (parsed into the database IP field as 19.32.5.67). An IP segment is written either in prefix-length form (/) or in range form (-), for example destination-address range 19.15.28.16 19.15.28.28 (parsed into the database IP field as 19.15.28.16-19.15.28.28) or source-address 19.16.232.0 mask 255.255.255.0 (parsed into the database IP field as 19.16.232.0/24). Port information is either a single port or a port segment. A single-port policy is configured as, for example, service protocol tcp source-port 0 to 65535 destination-port 8088 (parsed into the database port field as 8088).
A port segment is either a list of ports or a port range, for example service protocol tcp source-port 0 to 65535 destination-port 80 4438 (parsed into the database port field as 80 4438) or service protocol tcp source-port 0 to 65535 destination-port 8081 to 8082 (parsed into the database port field as 8081 to 8082).
Based on the stored information, policy convergence is performed and subsequently opened policies are judged and issued intelligently. For policies with the same source IP, destination IP and port, i.e. duplicate policies, an undo rule name operation is executed and the corresponding database record is deleted. Specifically, according to the database information, policies are grouped by source IP, destination IP and port; policies whose source IP, destination IP and port are the same are screened out; the duplicate policy names are output; configuration information is generated; the undo deletion operation is executed for the duplicate policy names; the firewall configuration information is deleted; and the corresponding database records with the same source IP, destination IP and port are deleted.
For a policy judged to have the same source IP, destination IP and port as an existing policy, the existing policy name is obtained and the work order is replied to directly: the source IP, destination IP and port of the new work order are extracted from the work order management platform and then checked, and if a policy with the same source IP, destination IP and port already exists in the database, no new policy needs to be opened.
Further, S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same source IP and destination IP but different ports;
converging and de-duplicating the screened policies by port;
generating port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
S4, replying to the work order, further comprises:
for firewall policies in the database with the same source IP and destination IP but a different port, obtaining the corresponding existing policy name from the database, replying with it, and issuing a command that adds the port to that policy.
For existing policies with the same source IP and destination IP but different ports, all their ports are converged and opened on a single policy, an undo rule name operation is executed for the other policies, and their database records are deleted.
Specifically, according to the database information, policies with the same source IP and destination IP are grouped; those with the same source IP and destination IP but different ports are screened out; their ports are converged and de-duplicated; port configuration information is generated and applied to the first policy; the undo deletion operation is then executed for the remaining duplicate policy names; the firewall configuration information is deleted; and the corresponding database records with the same source IP and destination IP but different ports are deleted.
Further, S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same source IP and port but different destination IPs;
converging and de-duplicating the screened policies by destination IP;
generating destination IP configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
S4, replying to the work order, further comprises:
for firewall policies in the database with the same source IP and port but a different destination IP, obtaining the corresponding policy name from the database, replying with it, and issuing a policy command that adds the destination IP.
For existing policies with the same source IP and port but different destination IPs, all their destination IPs are converged and opened on a single policy, an undo rule name operation is executed for the other policies, and their database records are deleted.
Specifically, according to the database information, policies with the same source IP and port but different destination IPs are grouped; those policies are screened out; their destination IPs are converged and de-duplicated; destination IP configuration information is generated and applied to the first policy; the undo deletion operation is then executed for the remaining duplicate policy names; the firewall configuration information is deleted; and the corresponding database records with the same source IP and port but different destination IPs are deleted.
For a policy judged to have the same source IP and port as an existing policy but a different destination IP, the existing policy name is obtained and a policy command that adds the destination IP is issued.
Further, S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same port and destination IP but different source IPs;
converging and de-duplicating the screened policies by source IP;
generating port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
S4, replying to the work order, further comprises:
for firewall policies in the database with the same port and destination IP but a different source IP, obtaining the corresponding policy name from the database, replying with it, and issuing a policy command that adds the source IP.
For existing policies with the same destination IP and port but different source IPs, all their source IPs are converged and opened on a single policy, an undo rule name operation is executed for the other policies, and their database records are deleted.
Specifically, according to the database information, policies with the same destination IP and port but different source IPs are grouped; those policies are screened out; their source IPs are converged and de-duplicated; source IP configuration information is generated and applied to the first policy; the undo deletion operation is then executed for the remaining duplicate policy names; the firewall configuration information is deleted; and the corresponding database records with the same destination IP and port but different source IPs are deleted.
For a policy judged to have the same destination IP and port as an existing policy but a different source IP, the existing policy name is obtained and a policy command that adds the source IP is issued.
Further, the converging and de-duplicating specifically comprises:
gathering the destination IPs or source IPs into a list;
screening the IP segments in prefix-length (bit) form and in range form out of the list and removing them from it;
judging whether an IP in the list falls within a prefix-length-form IP segment and, if so, removing that IP from the list;
judging whether an IP in the list falls within a range-form IP segment and, if so, removing that IP from the list;
appending the prefix-length-form and range-form IP segments back to the list;
where a range-form IP segment is two IP addresses joined by a "-" sign.
Further, judging whether an IP in the list falls within a range-form IP segment and, if so, removing it from the list specifically comprises:
converting the IP addresses on the left and right of the "-" sign into integer values to obtain the number of IP addresses in the range;
collecting all IP addresses of the range into an address pool list;
traversing according to that number to judge whether any IP in the list equals an IP address in the address pool list and, if so, removing it from the list.
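The address aggregation just described, as an added Python example that is not the patent's own code. It assumes the database address conventions used on this page (bare address, a.b.c.d/n, or A-B) and checks range membership by integer comparison instead of expanding the range into an address pool, which gives the same result without materialising large ranges.

```python
"""Aggregate and de-duplicate an address list the way the text above
describes: gather the IPs, pull out the prefix-form and range-form
segments, drop single addresses that fall inside a segment, then append
the segments back.

Added example, not the patent's own code. Assumed conventions: a single
address is stored bare, a prefix segment as a.b.c.d/n, a range as A-B.
"""
import ipaddress


def classify(entries):
    """Split entries into single addresses, prefix segments and ranges."""
    singles, prefixes, ranges = [], [], []
    for entry in entries:
        if "-" in entry:  # range form: two addresses joined by "-"
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            ranges.append((int(lo), int(hi)))
        elif "/" in entry:  # prefix-length form
            prefixes.append(ipaddress.ip_network(entry, strict=False))
        else:
            singles.append(ipaddress.ip_address(entry))
    return singles, prefixes, ranges


def covered(addr, prefixes, ranges):
    """True if a single address lies inside any prefix or range segment.
    The range test compares integers rather than expanding an address pool."""
    return any(addr in net for net in prefixes) or any(
        lo <= int(addr) <= hi for lo, hi in ranges)


def aggregate(entries):
    """Return the converged list: surviving singles, then prefix segments,
    then range segments, in first-seen order with exact duplicates removed."""
    singles, prefixes, ranges = classify(list(dict.fromkeys(entries)))
    out = [str(a) for a in singles if not covered(a, prefixes, ranges)]
    out += [str(net) for net in prefixes]
    out += [f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"
            for lo, hi in ranges]
    return out


# Constructed sample: destination IPs collected from several policies that
# share a source IP and port, including a duplicate and covered addresses.
SAMPLE_ADDRESSES = [
    "172.16.13.104",
    "19.15.28.20",               # inside the range below
    "19.15.28.16-19.15.28.28",
    "19.16.232.7",               # inside the /24 below
    "19.16.232.0/24",
    "172.16.13.104",             # exact duplicate
    "10.1.1.1",
]

if __name__ == "__main__":
    print(aggregate(SAMPLE_ADDRESSES))
```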
Based on the same inventive concept, the invention also provides a firewall policy convergence and intelligent issuing system, comprising:
a work order obtaining module for obtaining a firewall policy work order, where the work order comprises source information, unit information, operation and maintenance information, the firewall policy, a policy name, a source IP, a destination IP, a protocol and a port;
a parsing module for parsing the work order and storing it in a policy database;
a policy convergence module for performing policy convergence on the policy database, comprising:
grouping policies by source IP, destination IP and port;
screening out policies in which any two or more of source IP, destination IP and port are the same, and outputting the corresponding policy names;
configuring a deletion policy for the duplicate policy names, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
a work order processing module for replying to the work order, comprising:
for a firewall policy in which any two or more of the source IP, destination IP and port already exist in the database, obtaining the corresponding policy name from the database and replying with it; otherwise, opening the policy and replying.
Further, the policy convergence module further comprises:
screening out multiple policies with the same source IP and destination IP but different ports;
converging and de-duplicating the screened policies by port;
generating port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
the work order processing module further comprises:
for firewall policies in the database with the same source IP and destination IP but a different port, obtaining the corresponding existing policy name from the database, replying with it, and issuing a command that adds the port to that policy.
Further, the policy convergence module further comprises:
screening out multiple policies with the same source IP and port but different destination IPs;
converging and de-duplicating the screened policies by destination IP;
generating destination IP configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
the work order processing module further comprises:
for firewall policies in the database with the same source IP and port but a different destination IP, obtaining the corresponding policy name from the database, replying with it, and issuing a policy command that adds the destination IP.
Further, the policy convergence module further comprises:
screening out multiple policies with the same port and destination IP but different source IPs;
converging and de-duplicating the screened policies by source IP;
generating port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
the work order processing module further comprises:
for firewall policies in the database with the same port and destination IP but a different source IP, obtaining the corresponding policy name from the database, replying with it, and issuing a policy command that adds the source IP.
Compared with the prior art, the invention has the following beneficial effects:
the firewall policies are converged, the firewall load is reduced, and stable operation of the service system is ensured.
Drawings
FIG. 1 is a flow chart of a method of practicing the present invention.
Detailed Description
The drawings are only for purposes of illustration and are not to be construed as limiting the invention. For a better understanding of the following embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
Example 1
As shown in FIG. 1, this embodiment provides a method for converging and intelligently issuing firewall policies, which converges the firewall policies, reduces the firewall load and ensures stable operation of the service system, comprising:
S1, obtaining a firewall policy work order, where the work order comprises source information, unit information, operation and maintenance information, the firewall policy, a policy name, a source IP, a destination IP, a protocol and a port;
S2, parsing the work order and storing it in a policy database;
S3, performing policy convergence on the policy database, specifically comprising:
grouping policies by source IP, destination IP and port;
screening out policies in which any two or more of source IP, destination IP and port are the same, and outputting the corresponding policy names;
configuring a deletion policy for the duplicate policy names, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database;
S4, replying to the work order, specifically comprising:
for a firewall policy in which any two or more of the source IP, destination IP and port already exist in the database, obtaining the corresponding policy name from the database and replying with it; otherwise, opening the policy and replying. The database stores, among other things, address information, policy information and user information.
When a firewall policy work order is obtained in which any two or more of the source IP, destination IP and port are the same, analysis of the firewall configuration shows the following correspondence between private-network IPs (pri_IP) and virtual IPs (vip):
19.15.0.77 > 172.16.12.107
19.15.63.80 > 172.16.13.23
19.15.63.75 > 172.16.122.122
rule name CRQ202208030000811000081
description CRQ202208030000811
source-zone trust
destination-zone untrust
source-address 172.16.12.107 mask 255.255.255.255
source-address 172.16.13.23 mask 255.255.255.255
source-address 172.16.122.122 mask 255.255.255.255
destination-address 19.32.5.67 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8088
action permit
rule name CRQ202207260000903000090
description CRQ202207260000903
source-zone trust
destination-zone untrust
source-address 172.16.12.107 mask 255.255.255.255
source-address 172.16.13.23 mask 255.255.255.255
source-address 172.16.122.122 mask 255.255.255.255
destination-address 19.32.5.67 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8088
action permit
Any two or more of the source IP, destination IP and port configured and sent to the firewall being the same wastes resources, bloats the policy set and, over time, leaves the firewall overloaded and performing poorly. Therefore the firewall policies need to be converged, and subsequently opened policies need to be judged and issued intelligently. First, the policy name, source IP, destination IP, protocol, port and similar information is parsed from the work order according to the network policy five-tuple and the required work order fields, and stored in the database. The policy database stores the policy name, addresses, ports and so on. The policy name is unique, for example rule name CRQ202207260000903000090 (parsed into the database policy name field as CRQ202207260000903000090);
address information is either a single IP or an IP segment. A single IP appears in a policy as, for example, source-address 172.16.12.107 mask 255.255.255.255 (parsed into the database source IP field as 172.16.12.107) or destination-address 19.32.5.67 mask 255.255.255.255 (parsed into the database destination IP field as 19.32.5.67). An IP segment is written either in prefix-length form (/) or in range form (-), for example destination-address range 19.15.28.16 19.15.28.28 (parsed into the database IP field as 19.15.28.16-19.15.28.28) or source-address 19.16.232.0 mask 255.255.255.0 (parsed into the database source IP field as 19.16.232.0/24);
port information is either a single port or a port segment. A single-port policy is configured as, for example, service protocol tcp source-port 0 to 65535 destination-port 8088 (parsed into the database port field as 8088). A port segment is either a list of ports or a port range, for example service protocol tcp source-port 0 to 65535 destination-port 80 4438 (parsed into the database port field as 80 4438) or service protocol tcp source-port 0 to 65535 destination-port 8081 to 8082 (parsed into the database port field as 8081 to 8082).
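As an added Python example (not code from the patent), the following parses rule listings in the syntax shown on this page into the database fields the text describes, covering both the field conventions given in the Disclosure and the worked values in this embodiment. Assumptions of this example: a /32 is stored as a bare address, other masks in prefix form, "range A B" as "A-B", a port range "lo to hi" as "lo-hi", and the parser tolerates the glued tokens ("107mask", "0to 65535destination-port", "8080action") that appear in the page text.

```python
"""Parse firewall rule listings into the policy-database fields the patent
describes: policy name, source IPs, destination IPs, protocol and ports.

Added example, not the patent's own code. Assumed storage conventions:
a /32 is stored as a bare address, other masks in prefix form (a.b.c.d/n),
"range A B" as "A-B", and a port range "lo to hi" as "lo-hi".
"""
import ipaddress
import re

# A digit immediately followed by one of these keywords lost its space
# somewhere between the device and the page; put it back before tokenising.
_GLUED = re.compile(r"(\d)(mask|to|destination-port|action)\b")


def normalise(line):
    """Re-insert the space between a number and a following keyword."""
    return _GLUED.sub(r"\1 \2", line).strip()


def address_field(tokens):
    """Tokens after source-address/destination-address -> DB address string."""
    if tokens[0] == "range":
        return f"{tokens[1]}-{tokens[2]}"
    ip = tokens[0]
    mask = tokens[2] if len(tokens) > 2 and tokens[1] == "mask" else "255.255.255.255"
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def port_field(tokens):
    """Tokens after destination-port -> list of DB port strings."""
    if len(tokens) == 3 and tokens[1] == "to":
        return [f"{tokens[0]}-{tokens[2]}"]
    return list(tokens)


def parse_listing(text):
    """Return (rule records, names given in 'undo rule name' lines).

    Undo lines are kept apart because they delete a policy rather than
    define one; lines the database does not store (description, zones,
    action) are skipped.
    """
    rules, undo, rec = [], [], None
    for raw in text.splitlines():
        tokens = normalise(raw).split()
        if not tokens:
            continue
        if tokens[:3] == ["undo", "rule", "name"]:
            undo.append(tokens[3])
        elif tokens[:2] == ["rule", "name"]:
            rec = {"name": tokens[2], "src": [], "dst": [], "protocol": set(), "port": []}
            rules.append(rec)
        elif rec is None:
            continue
        elif tokens[0] == "source-address":
            rec["src"].append(address_field(tokens[1:]))
        elif tokens[0] == "destination-address":
            rec["dst"].append(address_field(tokens[1:]))
        elif tokens[0] == "service" and tokens[1] == "protocol":
            rec["protocol"].add(tokens[2])
            if "destination-port" in tokens:
                tail = tokens[tokens.index("destination-port") + 1:]
                if "action" in tail:  # "8080action permit" glued onto the port line
                    tail = tail[:tail.index("action")]
                rec["port"].extend(port_field(tail))
        elif tokens[0] == "service":
            rec["protocol"].add(tokens[1])  # e.g. "service icmp"
    return rules, undo


# Constructed sample listing, modelled on the patent's examples and
# deliberately keeping the glued tokens that appear in the page text.
SAMPLE_LISTING = """\
rule name CRQ202208030000811000081
description CRQ202208030000811
source-zone trust
destination-zone untrust
source-address 172.16.12.107mask 255.255.255.255
source-address 19.16.232.0mask 255.255.255.0
destination-address range 19.15.28.16 19.15.28.28
destination-address 19.32.5.67mask 255.255.255.255
service icmp
service protocol tcp source-port 0to 65535destination-port 8088
service protocol tcp source-port 0to 65535destination-port 80 443 8080action permit
service protocol tcp source-port 0to 65535destination-port 8081to 8082
action permit
undo rule name CRQ202207260000903000090
"""

if __name__ == "__main__":
    parsed, undone = parse_listing(SAMPLE_LISTING)
    for record in parsed:
        print(record)
    print("undo:", undone)
```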
Based on the stored information, policy convergence is performed and subsequently opened policies are judged and issued intelligently. For policies with the same source IP, destination IP and port, i.e. duplicate policies, an undo rule name operation is executed and the corresponding database record is deleted. Specifically, according to the database information, policies are grouped by source IP, destination IP and port; policies whose source IP, destination IP and port are the same are screened out; the duplicate policy names are output; configuration information is generated; the undo deletion operation is executed for the configured policies with duplicate names; the firewall configuration information is deleted; and the corresponding database records with the same source IP, destination IP and port are deleted. The specific operations are as follows:
rule name CRQ202208030000811000081
description CRQ202208030000811
source-zone trust
destination-zone untrust
source-address 172.16.12.107 mask 255.255.255.255
source-address 172.16.13.23 mask 255.255.255.255
source-address 172.16.122.122 mask 255.255.255.255
destination-address 19.32.5.67 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8088
action permit
undo rule name CRQ202207260000903000090
For a policy judged to have the same source IP, destination IP and port as an existing policy, the existing policy name is obtained and the work order is replied to directly: the source IP, destination IP and port of the new work order are extracted from the work order management platform and then checked, and if a policy with the same source IP, destination IP and port already exists in the database, no new policy needs to be opened. The specific operation is as follows:
rule name CRQ202111020000601000060
description CRQ202111020000601
source-zone untrust
destination-zone trust
source-address 19.88.231.95 mask 255.255.255.255
destination-address 172.16.12.235 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8081
service protocol tcp source-port 0 to 65535 destination-port 8088
action permit
undo rule name CRQ202201060001064000106
Preferably, S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same source IP and destination IP but different ports, as follows:
rule name CRQ202110180001291000129
description CRQ202110180001291
source-zone untrust
destination-zone trust
source-address 19.15.69.85 mask 255.255.255.255
destination-address 172.16.13.104 mask 255.255.255.255
destination-address 172.16.13.123 mask 255.255.255.255
destination-address 172.16.13.155 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 80 443 8080
action permit
rule name CRQ202110180001295000129
description CRQ202110180001295
source-zone untrust
destination-zone trust
source-address 19.15.69.85 mask 255.255.255.255
destination-address 172.16.13.107 mask 255.255.255.255
destination-address 172.16.13.220 mask 255.255.255.255
destination-address 172.16.13.236 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 80 443 8080
action permit
converging and de-duplicating the screened policies by port;
generating port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the remaining screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record from the database. The specific operations are as follows:
rule name CRQ202110180001291000129
description CRQ202110180001291
source-zone untrust
destination-zone trust
source-address 19.15.69.85 mask 255.255.255.255
destination-address 172.16.13.104 mask 255.255.255.255
destination-address 172.16.13.123 mask 255.255.255.255
destination-address 172.16.13.155 mask 255.255.255.255
destination-address 172.16.13.107 mask 255.255.255.255
destination-address 172.16.13.220 mask 255.255.255.255
destination-address 172.16.13.236 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 80 443 8080
action permit
undo rule name CRQ202110180001295000129
s4, replying the work order, and further comprising:
and acquiring and replying the strategy name correspondingly existing in the database for the firewall strategies with the same source IP and target IP and different ports existing in the database, and issuing a command for adding the port strategy.
Given the existing policy, as above, a new work order now needs to be added, source IP 19.15.69.85 accesses 80 443 8080 port of destination IP172.16.13.107. After the database is inquired, the strategy of finding the CRQ202110180001291000129 is the source IP
19.15.69.85 with open 80 443 8080 port, then it needs to enter CRQ202110180001291000129, and execute the following policy command:
rule name CRQ202110180001291000129
destination-address 172.16.13.107 mask 255.255.255.255
For existing policies with the same source IP and destination IP but different ports, all the ports are converged and opened on one policy; an undo rule name operation is executed on the other policies and their database records are deleted.
Based on the database information, policies with identical source IP and destination IP are grouped for convergence. Policies with the same source IP and destination IP but different ports are screened out, their ports are converged and de-duplicated, the port configuration information is generated and applied to the first policy, then an undo deletion operation is executed on the duplicate policy names to delete their firewall configuration information, and the database records with the same source IP and destination IP but different ports are deleted.
Preferably, S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same source IP and port but different destination IPs, operating as follows:
rule name CRQ202110180001291000129
description CRQ202110180001291
source-zone untrust
destination-zone trust
source-address 19.15.69.85 mask 255.255.255.255
destination-address 172.16.13.104 mask 255.255.255.255
destination-address 172.16.13.123 mask 255.255.255.255
destination-address 172.16.13.155 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 80 443 8080
action permit
rule name CRQ202110180001295000129
description CRQ202110180001295
source-zone untrust
destination-zone trust
source-address 19.15.69.85 mask 255.255.255.255
destination-address 172.16.13.107 mask 255.255.255.255
destination-address 172.16.13.220 mask 255.255.255.255
destination-address 172.16.13.236 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 80 443 8080
action permit
converging and de-duplicating the screened policies by destination IP;
generating the destination IP configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
S4, replying to the work order, further comprising:
for firewall policies already in the database with the same source IP and port but different destination IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the destination IP.
For existing policies with the same source IP and port but different destination IPs, all the destination IPs are converged and opened on one policy; an undo rule name operation is executed on the other policies and their database records are deleted.
Based on the database information, policies with the same source IP and port but different destination IPs are grouped for convergence. Such policies are screened out, their destination IPs are converged and de-duplicated, the destination IP configuration information is generated and applied to the first policy, then an undo deletion operation is executed on the duplicate policy names to delete their firewall configuration information, and the database records with the same source IP and port but different destination IPs are deleted.
For a policy judged to have the same source IP and port as an existing one but a different destination IP, the existing policy name is acquired and the policy command that adds the destination IP is issued.
The destination IPs are converged into ip_list. Because an IP entry may be a single IP, a bit-form segment ip_list_bit (xxx.xxx.xxx.xxx/xx) or a range-form segment ip_list_range (xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx), the list has to be formatted and de-duplicated, including:
1. According to the IP format, screen the bit-form IP segments ip_list_bit out of ip_list, screen the range-form ("a-b") IP segments ip_list_range out of ip_list, and delete ip_list_bit and ip_list_range from ip_list.
2. De-duplicate against ip_list_bit: for each IP in ip_list, judge in turn whether it falls inside a segment of ip_list_bit, and if so remove it from ip_list.
3. De-duplicate against ip_list_range: split each entry of ip_list_range on "-", convert the IPs on the left and right of "-" into the integers IntStartIP and IntLastIP, convert every integer from IntStartIP to IntLastIP back into IP address format and collect them in the address pool list ipPool, then judge in turn whether each IP in ip_list belongs to ipPool, and if so remove it from ip_list.
4. After ip_list has been de-duplicated against ip_list_bit and ip_list_range, it no longer contains any address already covered by ip_list_bit or ip_list_range. ip_list_bit and ip_list_range are then appended to ip_list, which completes the convergence and de-duplication of the destination IPs.
Convergence result:
rule name CRQ202110180001291000129
description CRQ202110180001291
source-zone untrust
destination-zone trust
source-address 19.15.69.85 mask 255.255.255.255
destination-address 172.16.13.104 mask 255.255.255.255
destination-address 172.16.13.123 mask 255.255.255.255
destination-address 172.16.13.155 mask 255.255.255.255
destination-address 172.16.13.107 mask 255.255.255.255
destination-address 172.16.13.220 mask 255.255.255.255
destination-address 172.16.13.236 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 80 443 8080
action permit
undo rule name CRQ202110180001295000129
When a policy is newly opened and the new work order is judged to have the same source IP and port as an existing policy but a different destination IP, the name of the existing policy is acquired and the policy command that adds the destination IP is issued;
given the existing policy above, suppose a new work order now requires source IP 19.15.69.85 to access ports 80 443 8080 of destination IP 172.16.13.107. After querying the database, policy CRQ202110180001291000129 is found to already open ports 80 443 8080 for source IP 19.15.69.85, so rule CRQ202110180001291000129 is entered and the following policy command is executed:
rule name CRQ202110180001291000129
destination-address 172.16.13.107 mask 255.255.255.255
Preferably, S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same port and destination IP but different source IPs, for example:
rule name CRQ202210180001291000129
description CRQ202210180001291
source-zone trust
destination-zone untrust
source-address 172.16.13.104 mask 255.255.255.255
source-address 172.16.13.123 mask 255.255.255.255
source-address 172.16.13.155 mask 255.255.255.255
destination-address 19.96.245.25 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8087
action permit
rule name CRQ202112200000504000050
description CRQ202112200000504
source-zone trust
destination-zone untrust
source-address 172.16.13.107 mask 255.255.255.255
source-address 172.16.13.220 mask 255.255.255.255
source-address 172.16.13.236 mask 255.255.255.255
destination-address 19.96.245.25 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8087
action permit
converging and de-duplicating the screened policies by source IP;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
the source IPs are converged into ip_list. Because an IP entry may be a single IP, a bit-form segment ip_list_bit (xxx.xxx.xxx.xxx/xx) or a range-form segment ip_list_range (xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx), the list has to be formatted and de-duplicated, including:
1. According to the IP format, screen the bit-form IP segments ip_list_bit out of ip_list, screen the range-form ("a-b") IP segments ip_list_range out of ip_list, and delete ip_list_bit and ip_list_range from ip_list.
2. De-duplicate against ip_list_bit: for each IP in ip_list, judge in turn whether it falls inside a segment of ip_list_bit, and if so remove it from ip_list.
3. De-duplicate against ip_list_range: split each entry of ip_list_range on "-", convert the IPs on the left and right of "-" into the integers IntStartIP and IntLastIP, convert every integer from IntStartIP to IntLastIP back into IP address format and collect them in the address pool list ipPool, then judge in turn whether each IP in ip_list belongs to ipPool, and if so remove it from ip_list.
4. After ip_list has been de-duplicated against ip_list_bit and ip_list_range, it no longer contains any address already covered by ip_list_bit or ip_list_range. ip_list_bit and ip_list_range are then appended to ip_list, which completes the convergence and de-duplication of the destination IPs.
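The four-step IP list convergence just described (the same steps are given above for the destination IPs), as an added Python example that is not the patent's code: `converge_ip_list` uses the standard `ipaddress` module and, for step 3, checks range membership by comparing against the two endpoint addresses instead of enumerating an ipPool address list, which gives the same result without materialising large ranges. The sample list is constructed.

```python
import ipaddress


def split_ip_list(ip_list):
    """Step 1: separate bit-form segments (a.b.c.d/nn), range-form segments
    (a.b.c.d-e.f.g.h) and single addresses. Returns (bits, ranges, singles)."""
    bits, ranges, singles = [], [], []
    for item in ip_list:
        item = item.strip()
        if "/" in item:
            bits.append(ipaddress.ip_network(item, strict=False))
        elif "-" in item:
            left, right = item.split("-", 1)
            lo = ipaddress.ip_address(left.strip())
            hi = ipaddress.ip_address(right.strip())
            if lo > hi:
                raise ValueError("range start is after range end: " + item)
            ranges.append((lo, hi))
        else:
            singles.append(ipaddress.ip_address(item))
    return bits, ranges, singles


def converge_ip_list(ip_list):
    """Steps 1-4: drop every single address that is already covered by a
    bit-form or range-form segment (or that repeats an earlier single
    address), then append the segments. Returns strings in first-seen order."""
    bits, ranges, singles = split_ip_list(ip_list)
    kept, seen = [], set()
    for ip in singles:
        if ip in seen:
            continue                                   # repeated single IP
        if any(ip in net for net in bits):
            continue                                   # step 2: inside ip_list_bit
        if any(lo <= ip <= hi for lo, hi in ranges):
            continue                                   # step 3: inside ip_list_range
        seen.add(ip)
        kept.append(str(ip))
    # step 4: append the segments themselves, each once
    kept += [net.with_prefixlen for net in dict.fromkeys(bits)]
    kept += ["%s-%s" % (lo, hi) for lo, hi in dict.fromkeys(ranges)]
    return kept


# Constructed destination list (not one of the page's listings): the /25
# covers .104 and .123, the range covers .155, .104 is also listed twice.
SAMPLE = ["172.16.13.104", "172.16.13.123", "172.16.13.155", "172.16.13.104",
          "172.16.13.0/25", "172.16.13.200", "172.16.13.150-172.16.13.160",
          "10.0.0.5"]

if __name__ == "__main__":
    print(converge_ip_list(SAMPLE))
```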
Convergence result:
rule name CRQ202210180001291000129
description CRQ202210180001291
source-zone trust
destination-zone untrust
source-address 172.16.13.107 mask 255.255.255.255
source-address 172.16.13.220 mask 255.255.255.255
source-address 172.16.13.236 mask 255.255.255.255
source-address 172.16.13.104 mask 255.255.255.255
source-address 172.16.13.123 mask 255.255.255.255
source-address 172.16.13.155 mask 255.255.255.255
destination-address 19.96.245.25 mask 255.255.255.255
service icmp
service protocol tcp source-port 0 to 65535 destination-port 8087
action permit
undo rule name CRQ202112200000504000050
When a policy is newly opened and the new work order is judged to have the same destination IP and port as an existing policy but a different source IP, the name of the existing policy is acquired and the policy command that adds the source IP is issued;
given the existing policy above, suppose a new work order now requires source IP 172.16.13.107 to access port 8087 of destination IP 19.96.245.25. After querying the database, policy CRQ202210180001291000129 is found to already open port 8087 for IP 19.15.69.85, so rule CRQ202210180001291000129 is entered and the following policy command is executed:
rule name CRQ202210180001291000129 (enter the rule whose destination IP and port are the same)
source-address 172.16.13.107 mask 255.255.255.255 (add the new source IP 172.16.13.107)
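The three S3 convergence passes (same source IP and destination IP, same source IP and port, same destination IP and port) and the S4 work-order reply described above, as one added Python example that is not the patent's code: `converge` groups records that agree on any two of the three fields and merges the third into the first record of each group, rendering the CLI lines in the format of the listings above, and `reply_work_order` reuses an existing rule when the database already holds one. The in-memory policy database is constructed; rule names and addresses are those used in the page's listings.

```python
from collections import OrderedDict

# Constructed in-memory policy database: one record per firewall rule, as the
# work-order parser (S2) would store it. Rule names and addresses are taken
# from the patent's listings; the record contents themselves are made up here.
POLICY_DB = [
    {"name": "CRQ202110180001291000129", "src": ["19.15.69.85"],
     "dst": ["172.16.13.104", "172.16.13.123", "172.16.13.155"],
     "ports": [80, 443, 8080]},
    {"name": "CRQ202110180001295000129", "src": ["19.15.69.85"],
     "dst": ["172.16.13.104", "172.16.13.123", "172.16.13.155"],
     "ports": [22]},
    {"name": "CRQ202112200000504000050", "src": ["172.16.13.107"],
     "dst": ["19.96.245.25"], "ports": [8087]},
]

FIELDS = {"src", "dst", "ports"}


def render(field, values):
    """Render the merged field as CLI lines in the format of the listings above."""
    if field == "ports":
        return ["service protocol tcp source-port 0 to 65535 destination-port "
                + " ".join(str(p) for p in values)]
    keyword = "source-address" if field == "src" else "destination-address"
    return ["%s %s mask 255.255.255.255" % (keyword, v) for v in values]


def converge(db, key_fields):
    """One S3 pass: group records that agree on key_fields (two of src, dst,
    ports) and merge the remaining field into the first record of each group.
    Returns (new_db, commands) without modifying db: new_db has the duplicates
    removed, commands are the CLI lines to push (merged lines for the surviving
    rule, 'undo rule name' for every duplicate)."""
    merge_field = (FIELDS - set(key_fields)).pop()
    groups = OrderedDict()
    for rec in db:
        key = tuple(tuple(sorted(rec[f])) for f in key_fields)
        groups.setdefault(key, []).append(rec)
    new_db, commands = [], []
    for recs in groups.values():
        first = dict(recs[0])
        if len(recs) > 1:
            merged = sorted({v for r in recs for v in r[merge_field]})
            first[merge_field] = merged
            commands.append("rule name " + first["name"])
            commands += render(merge_field, merged)
            commands += ["undo rule name " + r["name"] for r in recs[1:]]
        new_db.append(first)
    return new_db, commands


def reply_work_order(db, src, dst, ports):
    """S4: look for an existing rule that already covers two of the three
    fields of the new request, in the order the patent checks them. Returns
    (rule_name, commands): the rule to reply with plus the lines that add the
    missing values to it (empty when the request is already open), or
    (None, []) when a new policy has to be opened. The matched record in db is
    updated in place, mirroring the database write."""
    want = {"src": [src], "dst": [dst], "ports": sorted(ports)}
    for key_fields in (("src", "dst"), ("src", "ports"), ("dst", "ports")):
        merge_field = (FIELDS - set(key_fields)).pop()
        for rec in db:
            if not all(set(want[f]) <= set(rec[f]) for f in key_fields):
                continue
            missing = sorted(set(want[merge_field]) - set(rec[merge_field]))
            if not missing:
                return rec["name"], []
            rec[merge_field] = sorted(set(rec[merge_field]) | set(missing))
            return rec["name"], ["rule name " + rec["name"]] + render(merge_field, missing)
    return None, []


if __name__ == "__main__":
    db, cmds = converge(POLICY_DB, ("src", "dst"))
    print("\n".join(cmds))
    print(reply_work_order(db, "19.15.69.85", "172.16.13.107", [80, 443, 8080]))
```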
On one existing firewall there are 10729 configured policies. 1163 of them have the same source IP, destination IP and port and can be de-duplicated to 533. 2268 have the same source IP and destination IP with different ports and can be reduced to 974. 4073 have the same source IP and port with different destination IPs and can be reduced to 1230. 6546 have the same destination IP and port with different source IPs and can be reduced to 1192. In practical application the number of policies can therefore be reduced by more than half, which lowers the firewall load, keeps the services running stably and improves service perception.
Example 2
Based on the same inventive concept as the firewall policy convergence and intelligent issuing method of the present invention, this embodiment further provides a firewall policy convergence and intelligent issuing system, comprising:
a work order obtaining module, used for obtaining a firewall policy work order, the work order comprising source information, unit information, operation and maintenance information, a firewall policy, a policy name, a source IP, a destination IP, a protocol and a port;
an analysis module, used for analyzing the work order and storing it in a policy database;
a policy convergence module, used for performing policy convergence on the policy database, comprising:
grouping for convergence by source IP, destination IP and port;
screening out policies in which any two or more of source IP, destination IP and port are the same, and outputting the corresponding policy names;
configuring a deletion policy for duplicate policy names, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
a work order processing module, used for replying to the work order, comprising:
for a firewall policy in which any two or more of source IP, destination IP and port already exist in the database, acquiring the corresponding policy name from the database and replying with it; otherwise, opening the policy and replying.
Preferably, the policy convergence module further comprises:
screening out multiple policies with the same source IP and destination IP but different ports;
converging and de-duplicating the screened policies by port;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and the work order processing module further comprises:
for firewall policies already in the database with the same source IP and destination IP but different ports, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the port.
Preferably, the policy convergence module further comprises:
screening out multiple policies with the same source IP and port but different destination IPs;
converging and de-duplicating the screened policies by destination IP;
generating the destination IP configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and the work order processing module further comprises:
for firewall policies already in the database with the same source IP and port but different destination IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the destination IP.
Preferably, the policy convergence module further comprises:
screening out multiple policies with the same port and destination IP but different source IPs;
converging and de-duplicating the screened policies by source IP;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and the work order processing module further comprises:
for firewall policies already in the database with the same port and destination IP but different source IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the source IP.
It should be understood that the above-mentioned embodiments of the present invention are only examples for clearly illustrating the technical solutions of the present invention, and are not intended to limit the specific embodiments of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention claims should be included in the protection scope of the present invention claims.

Claims (10)

1. A firewall policy convergence and intelligent issuing method, characterized by comprising the following steps:
S1, obtaining a firewall policy work order, wherein the work order comprises source information, unit information, operation and maintenance information, a firewall policy, a policy name, a source IP, a destination IP, a protocol and a port;
S2, analyzing the work order and storing it in a policy database;
S3, performing policy convergence on the policy database, specifically comprising:
grouping for convergence by source IP, destination IP and port;
screening out policies in which any two or more of source IP, destination IP and port are the same, and outputting the corresponding policy names;
configuring a deletion policy for duplicate policy names, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
S4, replying to the work order, specifically comprising:
for a firewall policy in which any two or more of source IP, destination IP and port already exist in the database, acquiring the corresponding policy name from the database and replying with it; otherwise, opening the policy and replying.
2. The firewall policy convergence and intelligent issuing method according to claim 1, wherein S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same source IP and destination IP but different ports;
converging and de-duplicating the screened policies by port;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and S4, replying to the work order, further comprises:
for firewall policies already in the database with the same source IP and destination IP but different ports, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the port.
3. The firewall policy convergence and intelligent issuing method according to claim 1, wherein S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same source IP and port but different destination IPs;
converging and de-duplicating the screened policies by destination IP;
generating the destination IP configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and S4, replying to the work order, further comprises:
for firewall policies already in the database with the same source IP and port but different destination IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the destination IP.
4. The firewall policy convergence and intelligent issuing method according to claim 1, wherein S3, performing policy convergence on the policy database, further comprises:
screening out multiple policies with the same port and destination IP but different source IPs;
converging and de-duplicating the screened policies by source IP;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and S4, replying to the work order, further comprises:
for firewall policies already in the database with the same port and destination IP but different source IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the source IP.
5. The firewall policy convergence and intelligent issuing method according to claim 3 or claim 4, wherein the converging and de-duplicating specifically comprises:
gathering the destination IPs or the source IPs into a list;
screening the bit-form and range-form IP segments out of the list and deleting them from the list;
judging whether an IP in the list belongs to a bit-form IP segment, and if so, removing it from the list;
judging whether an IP in the list belongs to a range-form IP segment, and if so, removing it from the list;
appending the bit-form IP segments and the range-form IP segments to the list;
wherein a range-form IP segment is two IP addresses connected by a "-" sign.
6. The firewall policy convergence and intelligent issuing method according to claim 5, wherein
judging whether an IP in the list belongs to a range-form IP segment, and if so, removing it from the list, specifically comprises:
converting the IP addresses on the left and right of the "-" sign into integer values to obtain the number of IP addresses in the range;
collecting all IP addresses of the range into an address pool list;
and traversing according to that number to judge whether any IP in the list is the same as an IP address in the address pool list, and if so, removing it from the list.
7. A firewall policy convergence and intelligent issuing system, characterized by comprising:
a work order acquisition module, used for acquiring a firewall policy work order, wherein the work order comprises source information, unit information, operation and maintenance information, a firewall policy, a policy name, a source IP, a destination IP, a protocol and a port;
an analysis module, used for analyzing the work order and storing it in a policy database;
a policy convergence module, used for performing policy convergence on the policy database, comprising:
grouping for convergence by source IP, destination IP and port;
screening out policies in which any two or more of source IP, destination IP and port are the same, and outputting the corresponding policy names;
configuring a deletion policy for duplicate policy names, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
a work order processing module, used for replying to the work order, comprising:
for a firewall policy in which any two or more of source IP, destination IP and port already exist in the database, acquiring the corresponding policy name from the database and replying with it; otherwise, opening the policy and replying.
8. The firewall policy convergence and intelligent issuing system according to claim 7, wherein the policy convergence module further comprises:
screening out multiple policies with the same source IP and destination IP but different ports;
converging and de-duplicating the screened policies by port;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and the work order processing module further comprises:
for firewall policies already in the database with the same source IP and destination IP but different ports, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the port.
9. The firewall policy convergence and intelligent issuing system according to claim 7, wherein the policy convergence module further comprises:
screening out multiple policies with the same source IP and port but different destination IPs;
converging and de-duplicating the screened policies by destination IP;
generating the destination IP configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding records in the database;
and the work order processing module further comprises:
for firewall policies already in the database with the same source IP and port but different destination IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the destination IP.
10. The firewall policy convergence and intelligent issuing system according to claim 7, wherein the policy convergence module further comprises:
screening out multiple policies with the same port and destination IP but different source IPs;
converging and de-duplicating the screened policies by source IP;
generating the port configuration information and applying it to the first of the screened policies;
configuring a deletion policy for the screened duplicate policies, specifically comprising:
executing an undo operation to delete the corresponding firewall configuration information;
deleting the corresponding record in the database;
and the work order processing module further comprises:
for firewall policies already in the database with the same port and destination IP but different source IPs, acquiring the corresponding policy name from the database, replying with it, and issuing the policy command that adds the source IP.
CN202211583430.1A 2022-12-09 2022-12-09 Firewall strategy convergence and intelligent issuing method and system Pending CN115811434A (en)


Publications (1)

Publication Number Publication Date
CN115811434A true CN115811434A (en) 2023-03-17

Family

ID=85485506


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582362A (en) * 2023-07-11 2023-08-11 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium
CN116582362B (en) * 2023-07-11 2023-09-26 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination