CN116366269A - Firewall configuration method, device, electronic equipment and computer readable storage medium

Info

Publication number
CN116366269A
CN116366269A (application CN202111619609.3A)
Authority
CN
China
Prior art keywords
target
session
configuration
firewall
pool
Prior art date
Legal status
Pending
Application number
CN202111619609.3A
Other languages
Chinese (zh)
Inventor
陆文祥
王亮亮
王迅
郑钧
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd
Priority to CN202111619609.3A
Publication of CN116366269A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0889 Techniques to speed-up the configuration process
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Computer And Data Communications

Abstract

The application provides a firewall configuration method, a firewall configuration device, electronic equipment and a computer readable storage medium. The method comprises the following steps: receiving a firewall configuration request for a target cloud network service, where the request carries an identifier of the target resource pool corresponding to the target cloud network service; obtaining, based on the identifier of the target resource pool, a target network configuration session corresponding to the target resource pool; constructing a first message in the target network configuration session, the first message carrying firewall configuration parameters; and sending the first message to the target firewall corresponding to the target resource pool through the target network configuration session, so that the target firewall performs parameter configuration based on the firewall configuration parameters. The method and device improve firewall configuration efficiency.

Description

Firewall configuration method, device, electronic equipment and computer readable storage medium
Technical Field
The present disclosure relates to computer technologies, and in particular, to a firewall configuration method, apparatus, electronic device, and computer readable storage medium.
Background
In recent years, with active innovation in the global cloud computing field and cloud computing in China entering the application popularization stage, more and more enterprises deploy information systems using cloud computing technology, and the cloud awareness and capability of enterprises continue to grow. Cloud network integration is a deep innovation of the network architecture, driven in parallel by service requirements and technical innovation, so that the cloud and the network cooperate closely, support each other and serve as reference models for each other. In the process of moving enterprises to the cloud, most of the traffic of cloud network services (especially private line services) passes through a firewall, and the firewall is not only a network security barrier but also provides VPN (virtual private network) and network address translation functions, so the configuration of the firewall is very important.
The current firewall configuration mode is generally as follows: when a cloud network service flow reaches the firewall configuration stage of moving to the cloud, the platform side informs the specific network configuration personnel associated with the current order through dispatch, short message or mail; after receiving the work order notification, the network configuration personnel log in to the order management system to collect the order information, then log in to the firewall equipment and perform parameter configuration for the current cloud network service by manual commands; after the configuration is completed, the correctness of the current configuration still has to be verified. This method has low provisioning efficiency: the work orders are dispatched to network configuration personnel, who may not receive the tasks immediately; when a task is received, the firewall equipment has to be logged in to again and a large number of commands executed manually according to the current order information, so this link takes considerable time. In addition, the firewall equipment must be configured by operators with strong professional skills, because a large number of complex commands are involved; if any command is issued wrongly, a large amount of time is required for checking and even rollback. When a large number of services need to be provisioned, the workload of the network configuration personnel rises and provisioning efficiency is blocked.
Disclosure of Invention
The embodiment of the application provides a firewall configuration method, a firewall configuration device, electronic equipment and a computer readable storage medium, which can improve the efficiency of firewall configuration.
The technical scheme of the embodiment of the application is realized as follows:
The embodiment of the application provides a firewall configuration method, which is applied to firewall configuration equipment and comprises the following steps:
receiving a firewall configuration request aiming at a target cloud network service, wherein the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service;
based on the identification of the target resource pool, obtaining a target network configuration session corresponding to the target resource pool;
constructing a first message in a target network configuration session, wherein the first message carries firewall configuration parameters;
and sending the first message to a target firewall corresponding to the target resource pool through the target network configuration session so that the target firewall performs parameter configuration based on the firewall configuration parameters.
In the above solution, the obtaining, based on the identification of the target resource pool, a target network configuration session corresponding to the target resource pool includes:
obtaining the corresponding relation between the identification of the resource pool and the session pool;
based on the corresponding relation and the identification of the target resource pool, obtaining a session pool corresponding to the target resource pool;
and determining a network configuration session in an idle state from a session pool corresponding to the target resource pool, and determining the target network configuration session from the determined network configuration session.
In the above solution, the determining, from the session pool corresponding to the target resource pool, the network configuration session in the idle state includes:
acquiring state information of each network configuration session in the session pool;
based on the state information of each network configuration session, determining the network configuration session in the idle state in the session pool.
In the above scheme, the method further comprises:
and updating the state information of the target network configuration session to a non-idle state.
In the above solution, before the receiving the firewall configuration request for the target cloud network service, the method further includes:
constructing session pools for at least two resource pools, wherein each resource pool corresponds to one cloud network service;
obtaining an identification of each of the at least two resource pools;
and constructing the corresponding relation between the identification of the resource pool and the session pool based on the identification of each resource pool in the at least two resource pools and the corresponding session pool.
In the above solution, the constructing a session pool for at least two resource pools includes:
obtaining performance parameters of the network configuration equipment;
and constructing a session pool for at least two resource pools based on the performance parameter and the number of the resource pools of the at least two resource pools.
In the above solution, the constructing a session pool for at least two resource pools based on the performance parameter and the number of resource pools of the at least two resource pools includes:
determining the session number of the network configuration session corresponding to each resource pool based on the performance parameter and the resource pool number of the at least two resource pools;
constructing a session pool for at least two resource pools based on the session number;
wherein the number of network configuration sessions contained in each session pool is the number of sessions.
In the above scheme, the method further comprises:
obtaining the number of network configuration sessions in an idle state in the target resource pool;
creating a new network resource configuration session when the number of network configuration sessions in the idle state is less than or equal to the number threshold;
and adding the created network resource configuration session to the target resource pool.
In the above solution, before the first message is constructed in the target network configuration session, the method further includes:
constructing a second message in the target network configuration session, wherein the second message carries the initial configuration parameters of the target firewall;
sending the second message to the target firewall through the target network configuration session;
and when the parameter configuration of the target firewall based on the first message is abnormal, performing data rollback based on the second message, so that the configuration parameters of the target firewall are rolled back to the initial configuration parameters.
The embodiment of the application provides a firewall configuration device, which comprises:
the receiving module is used for receiving a firewall configuration request aiming at a target cloud network service, wherein the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service;
the obtaining module is used for obtaining a target network configuration session corresponding to the target resource pool based on the identification of the target resource pool;
the construction module is used for constructing a first message in the target network configuration session, wherein the first message carries firewall configuration parameters;
and the sending module is used for sending the first message to a target firewall corresponding to the target resource pool through the target network configuration session so that the target firewall performs parameter configuration based on the firewall configuration parameters.
An embodiment of the present application provides an electronic device, including:
a memory for storing executable instructions;
and the processor is used for realizing the firewall configuration method provided by the embodiment of the application when executing the executable instructions stored in the memory.
The embodiment of the application provides a computer readable storage medium, which stores executable instructions for implementing the firewall configuration method provided by the embodiment of the application when the executable instructions are executed by a processor.
According to the embodiment of the application, a firewall configuration request for a target cloud network service is received, wherein the firewall configuration request carries an identifier of the target resource pool corresponding to the target cloud network service; based on the identifier of the target resource pool, a target network configuration session corresponding to the target resource pool is obtained; a first message carrying firewall configuration parameters is constructed in the target network configuration session; and the first message is sent to the target firewall corresponding to the target resource pool through the target network configuration session, so that the target firewall performs parameter configuration based on the firewall configuration parameters. Thus, when firewall configuration is required, the pre-constructed network configuration session is obtained directly and the firewall configuration parameters are sent to the target firewall through that session, so that the firewall configuration is completed efficiently.
Drawings
FIG. 1 is a schematic diagram of an alternative architecture of a firewall configuration system 100 provided in an embodiment of the application;
FIG. 2 is a schematic diagram of an alternative architecture of an electronic device provided in an embodiment of the present application;
FIG. 3 is a schematic flow chart of an alternative firewall configuration method according to an embodiment of the disclosure;
FIG. 4 is a schematic diagram of an alternative firewall configuration system provided in an embodiment of the application;
FIG. 5 is a schematic illustration of an alternative refinement flow of step 302 provided by an embodiment of the present application;
FIG. 6 is a schematic flowchart of an alternative network configuration method according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
In the following description, the terms "first", "second", "third" and the like are merely used to distinguish similar objects and do not represent a specific ordering of the objects, it being understood that the "first", "second", "third" may be interchanged with a specific order or sequence, as permitted, to enable embodiments of the application described herein to be practiced otherwise than as illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
Before further describing embodiments of the present application in detail, the terms and expressions that are referred to in the embodiments of the present application are described, and are suitable for the following explanation.
1) NETCONF is a network configuration protocol based on the extensible markup language (XML). After a NETCONF session is established between the controller and the switching device, the controller issues NETCONF messages to the switching device over that session to configure it, which simplifies the configuration operations of the network administrator and allows more flexible and convenient network configuration.
2) Firewall technology helps a computer network build a relatively isolated protective barrier between its internal network and the external network by organically combining various software and hardware devices for security management and screening, so as to protect user data and information security.
Firewall technology mainly aims to discover and handle in time the security risks and data transmission problems that may arise while the computer network is running. The handling measures include isolation and protection; at the same time, each operation in the computer network's security can be recorded and inspected, so as to ensure the secure operation of the computer network, ensure the integrity of user data and information, and give users a better and safer network experience.
3) The cloud network service is a service platform provided by the cloud as required and comprises an operation platform, a communication platform and a framework platform.
The embodiment of the application provides a firewall configuration method, a firewall configuration device, electronic equipment and a computer readable storage medium, which can improve the firewall configuration efficiency.
First, referring to fig. 1, fig. 1 is an optional architecture schematic diagram of a firewall configuration system 100 according to an embodiment of the present application, where a client 103 is connected to a server 101 through a network 102. In some embodiments, client 103 may be, but is not limited to, a notebook computer, tablet computer, desktop computer, smart phone, dedicated messaging device, portable gaming device, smart speaker, smart watch, etc. The server 101 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery network (CDN, Content Delivery Network) services, and basic cloud computing services such as big data and artificial intelligence platforms. The network 102 may be a wide area network or a local area network, or a combination of both. The client 103 and the server 101 may be directly or indirectly connected through wired or wireless communication, which is not limited in the embodiment of the present application.
Next, referring to fig. 2, fig. 2 is an optional schematic structural diagram of an electronic device 200 provided in the embodiment of the present application. In practical application, the electronic device 200 may be implemented as the client 103 or the server 101 in fig. 1; taking the electronic device as the client 103 shown in fig. 1 as an example, an electronic device implementing the firewall configuration method in the embodiment of the present application is described. The electronic device 200 shown in fig. 2 includes: at least one processor 201, a memory 205, at least one network interface 202, and a user interface 203. The various components in the electronic device 200 are coupled together by a bus system 204. It is understood that the bus system 204 is used to enable connection and communication between these components. The bus system 204 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are labeled as bus system 204 in fig. 2.
The processor 201 may be an integrated circuit chip with signal processing capabilities such as a general purpose processor, which may be a microprocessor or any conventional processor, or the like, a digital signal processor (DSP, digital Signal Processor), or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
The user interface 203 includes one or more output devices 2031, including one or more speakers and/or one or more visual displays, that enable presentation of media content. The user interface 203 also includes one or more input devices 2032 including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
The memory 205 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard drives, optical drives, and the like. Memory 205 may optionally include one or more storage devices physically located remote from processor 201.
Memory 205 includes volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The nonvolatile memory may be a read only memory (ROM, Read Only Memory), and the volatile memory may be a random access memory (RAM, Random Access Memory). The memory 205 described in the embodiments of the present application is intended to include any suitable type of memory.
In some embodiments, the memory 205 is capable of storing data to support various operations, examples of which include programs, modules and data structures, or subsets or supersets thereof. The memory 205 stores an operating system 2051, a network communication module 2052, a presentation module 2053, an input processing module 2054, and a firewall configuration device 2055; in particular:
the operating system 2051, which includes system programs for handling various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and handling hardware-based tasks;
the network communication module 2052 is used to reach other computing devices via one or more (wired or wireless) network interfaces 202, the exemplary network interfaces 202 including Bluetooth, wireless fidelity (WiFi), universal serial bus (USB, Universal Serial Bus), etc.;
a presentation module 2053 for enabling presentation of information (e.g., user interfaces for operating peripheral devices and displaying content and information) via one or more output devices 2031 (e.g., a display screen, speakers, etc.) associated with the user interface 203;
the input processing module 2054 is configured to detect one or more user inputs or interactions from one of the one or more input devices 2032 and translate the detected inputs or interactions.
In some embodiments, the firewall configuration device provided in the embodiments of the present application may be implemented in software, and fig. 2 shows a firewall configuration device 2055 stored in the memory 205, which may be software in the form of a program and a plug-in, and includes the following software modules: the receiving module 20551, obtaining module 20552, constructing module 20553 and transmitting module 20554 are logical, and thus may be arbitrarily combined or further split according to the implemented functions. The functions of the respective modules will be described hereinafter.
In other embodiments, the firewall configuration device provided in the embodiments of the present application may be implemented in hardware, and by way of example, the firewall configuration device provided in the embodiments of the present application may be a processor in the form of a hardware decoding processor that is programmed to perform the firewall configuration method provided in the embodiments of the present application, for example, the processor in the form of a hardware decoding processor may employ one or more application specific integrated circuits (ASIC, application Specific Integrated Circuit), DSP, programmable logic device (PLD, programmable Logic Device), complex programmable logic device (CPLD, complex Programmable Logic Device), field programmable gate array (FPGA, field-Programmable Gate Array), or other electronic component.
The firewall configuration method provided by the embodiment of the application will be described with reference to an exemplary application and implementation of the client provided by the embodiment of the application.
Referring to fig. 3, fig. 3 is a schematic flowchart of an alternative firewall configuration method according to an embodiment of the present application, and will be described with reference to the steps shown in fig. 3.
Step 301, receiving a firewall configuration request for a target cloud network service, where the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service;
step 302, obtaining a target network configuration session corresponding to the target resource pool based on the identification of the target resource pool;
step 303, constructing a first message in a target network configuration session, wherein the first message carries firewall configuration parameters;
step 304, through the target network configuration session, the first message is sent to a target firewall corresponding to the target resource pool, so that the target firewall performs parameter configuration based on the firewall configuration parameters.
It should be noted that, referring to fig. 4, fig. 4 is an optional structural schematic diagram of a firewall configuration system according to an embodiment of the present application. In this embodiment of the present application, the firewall configuration system includes an equipment management module, a session pool module, a message packaging module, a message sending module, a message parsing module, an anomaly alarm module, and a log recording module. Specifically:
Equipment management module: allows network configuration personnel to enter the basic information of the firewall equipment in advance, including the resource pool number, region number, IP address of the firewall equipment, connection port, login user name, password, connection protocol and the like of the firewall. The entered basic information is provided to the session pool module.
Session pool module: the server on which the system runs acts as the NETCONF client and the firewall equipment acts as the NETCONF server. When the system starts, the module obtains the firewall basic information from the equipment management module, authenticates the user name and password to the target firewall over SSH using the firewall's IP address, and establishes the configured number of core NETCONF sessions with the target firewall according to the number of core sessions set for each resource pool in the session pool. When a call request from the cloud network service platform side is received, the session pool module dispatches an idle NETCONF session of the resource pool corresponding to the service to issue the configuration.
Message packaging module: NETCONF protocol messages are encoded in XML. According to the order information passed in through the platform side's call interface, the message packaging module constructs the message exchanged between the NETCONF client and server, converts the Java entity classes into an XML message through the native JAXB marshalling function, and provides the XML message to the message sending module.
Message sending module: writes the XML message constructed by the message packaging module into the output stream of the NETCONF session, remotely requests the NETCONF server through the RPC mechanism carried in the message, and issues the cloud network service firewall configuration; the NETCONF server executes the operation on the current firewall according to the received message content.
Message parsing module: the NETCONF server collects the result of the operation issued by the message sending module, writes it into an XML NETCONF message and sends it back to the NETCONF client. The message parsing module converts the returned XML message into Java objects through the native JAXB unmarshalling function, judges whether the configuration was issued successfully according to the response content in the <rpc-reply> element, and at the same time obtains the <data> returned in the message.
Anomaly alarm module: when the message parsing module parses an <rpc-error> element, it judges that the message was issued in error and obtains the error message recorded in the <rpc-error> element; the anomaly alarm module distinguishes error types according to the error message and raises an anomaly alarm.
Log recording module: records the XML request and response messages between the NETCONF client and server, each request and response being logged separately. When the anomaly alarm module raises an alarm, the request and response messages are queried from the log recording module, and the cause of the configuration issuing error is checked through the error message and the request parameters.
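The message packaging, parsing and anomaly-handling path above, together with the rollback via the second message (initial configuration) from the summary, as an added Python example; it is not the patent's JAXB code. The `<security-policy>` payload, `fake_firewall` and the mapping of `<error-tag>` values to alarm categories are constructed for this example, and re-issuing the initial configuration after a failed first message is an assumed reading of the page's rollback step.

```python
"""Package a NETCONF <edit-config>, parse the <rpc-reply>, classify <rpc-error>,
and roll back to the initial configuration on failure.

Added example, not the patent's JAXB-based code. xml.etree stands in for JAXB
marshalling/unmarshalling; the <security-policy> fragments, the alarm
categories and fake_firewall are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, Optional

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 6241)
ET.register_namespace("nc", NC)

# Constructed sample replies, in the shape RFC 6241 defines.
OK_REPLY_TEMPLATE = (
    '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="{mid}"><ok/></rpc-reply>'
)
ERROR_REPLY_TEMPLATE = (
    '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="{mid}">'
    "<rpc-error><error-type>application</error-type><error-tag>invalid-value</error-tag>"
    '<error-severity>error</error-severity><error-message xml:lang="en">{msg}</error-message>'
    "</rpc-error></rpc-reply>"
)
# Constructed firewall config fragments (placeholder model, not a real YANG module).
INITIAL_CONFIG = "<security-policy/>"
GOOD_RULE = ("<security-policy><rule><name>allow-web</name><dst-port>443</dst-port>"
             "<action>permit</action></rule></security-policy>")
BAD_RULE = ("<security-policy><rule><name>bad</name><dst-port>70000</dst-port>"
            "<action>permit</action></rule></security-policy>")

# Assumed alarm classes keyed by RFC 6241 error-tag values.
REQUEST_ERRORS = {"invalid-value", "too-big", "missing-attribute", "bad-attribute",
                  "unknown-attribute", "missing-element", "bad-element", "unknown-element",
                  "unknown-namespace", "malformed-message"}
AUTH_ERRORS = {"access-denied", "lock-denied"}


@dataclass
class ReplyResult:
    ok: bool
    message_id: Optional[str] = None
    error_tag: Optional[str] = None
    error_message: Optional[str] = None
    category: Optional[str] = None


def build_edit_config(message_id: int, config_xml: str) -> bytes:
    """Message packaging: wrap a config fragment in <rpc><edit-config> for the running datastore."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    ET.SubElement(edit, f"{{{NC}}}config").append(ET.fromstring(config_xml))
    return ET.tostring(rpc, encoding="utf-8")


def classify_error(error_tag: Optional[str]) -> str:
    """Anomaly alarm module: map the error-tag to a coarse alarm class (assumed classes)."""
    if error_tag in REQUEST_ERRORS:
        return "request"        # our message was wrong: check request parameters in the log
    if error_tag in AUTH_ERRORS:
        return "authorization"  # session credentials or datastore lock problem
    return "device"             # operation-failed, resource-denied, etc.


def parse_reply(reply_xml: str) -> ReplyResult:
    """Message parsing: success on <ok/> or <data>, failure on <rpc-error>."""
    root = ET.fromstring(reply_xml)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not an <rpc-reply>")
    mid = root.get("message-id")
    err = root.find(f"{{{NC}}}rpc-error")
    if err is None:
        ok = root.find(f"{{{NC}}}ok") is not None or root.find(f"{{{NC}}}data") is not None
        return ReplyResult(ok=ok, message_id=mid)
    tag = err.findtext(f"{{{NC}}}error-tag")
    return ReplyResult(False, mid, tag, err.findtext(f"{{{NC}}}error-message"), classify_error(tag))


def fake_firewall(rpc_bytes: bytes) -> str:
    """Constructed NETCONF server: rejects any rule whose dst-port is outside 1-65535."""
    rpc = ET.fromstring(rpc_bytes)
    mid = rpc.get("message-id")
    port = rpc.findtext(".//dst-port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        return ERROR_REPLY_TEMPLATE.format(mid=mid, msg=f"dst-port {port} out of range")
    return OK_REPLY_TEMPLATE.format(mid=mid)


def apply_with_rollback(send: Callable[[bytes], str], initial_config_xml: str,
                        new_config_xml: str) -> Dict[str, object]:
    """Issue the first message; on <rpc-error>, re-issue the initial configuration
    (the patent's second message) so the firewall returns to its prior parameters."""
    first = parse_reply(send(build_edit_config(101, new_config_xml)))
    if first.ok:
        return {"applied": True, "rolled_back": False, "category": None, "error": None}
    rollback = parse_reply(send(build_edit_config(102, initial_config_xml)))
    return {"applied": False, "rolled_back": rollback.ok,
            "category": first.category, "error": first.error_message}
```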
It should be noted that, the firewall configuration system according to the embodiment of the present application is disposed in the client provided by the embodiment of the present application. In practical implementation, after the cloud network service platform sends a firewall configuration request to the network configuration device (i.e. the client), the network configuration device responds to the request to obtain the identifier of the target resource pool corresponding to the target cloud network service carried by the request, and obtains the target network configuration session corresponding to the target resource pool based on the identifier of the target resource pool.
In some embodiments, referring to fig. 5, fig. 5 is an optional refinement flowchart of step 302 provided in the embodiment of the present application, and step 302 may be further implemented by:
step 501, obtaining the corresponding relation between the identification of the resource pool and the session pool;
step 502, obtaining a session pool corresponding to the target resource pool based on the corresponding relation and the identification of the target resource pool;
step 503, determining a network configuration session in an idle state from a session pool corresponding to the target resource pool;
step 504, determining the target network configuration session from the determined network configuration sessions.
In actual implementation, the terminal obtains the correspondence between the identifier of the firewall resource pool and the session pool corresponding to that resource pool. Here, the correspondence may be stored in the form of a table. In step 502, the terminal obtains the session pool corresponding to the target resource pool based on the correspondence and the identifier of the target resource pool.
In some embodiments, the step 503 may also be implemented as follows: acquiring state information of each network configuration session in the session pool; based on the state information of each network configuration session, determining the network configuration session in the idle state in the session pool.
In some embodiments, it may also perform: and updating the state information of the target network configuration session to a non-idle state.
In some embodiments, prior to step 301, it may also be performed: constructing session pools for at least two resource pools, wherein each resource pool corresponds to one cloud network service; obtaining an identification of each of the at least two resource pools; and constructing the corresponding relation between the identification of the resource pool and the session pool based on the identification of each resource pool in the at least two resource pools and the corresponding session pool.
In some embodiments, the building of the session pool for at least two resource pools may also be achieved by: obtaining performance parameters of the network configuration equipment; and constructing a session pool for at least two resource pools based on the performance parameter and the number of the resource pools of the at least two resource pools.
In some embodiments, the constructing the session pool for the at least two resource pools based on the performance parameter and the number of resource pools of the at least two resource pools may be further implemented by: determining the session number of the network configuration session corresponding to each resource pool based on the performance parameter and the resource pool number of the at least two resource pools; constructing a session pool for at least two resource pools based on the session number; wherein the number of network configuration sessions contained in each session pool is the number of sessions.
In some embodiments, it may also perform: obtaining the number of network configuration sessions in an idle state in the target resource pool; creating a new network resource configuration session when the number of network configuration sessions in the idle state is less than or equal to the number threshold; and adding the created network resource configuration session to the target resource pool.
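The session-pool lookup of steps 501 to 504, the non-idle state update and the threshold-driven creation of new sessions above, as an added example that is not part of the patent: session objects are stubs, and the per-pool core session count is taken as an input rather than computed from the performance parameters.

```python
"""Added example (not the patent's code): NETCONF session pools keyed by resource
pool id, with idle lookup by status flag, dynamic growth capped at n_max, and
replenishment when the idle count drops to a threshold. Sessions are stubs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IDLE, IN_USE = 0, 1  # status flag e: 0 = idle, 1 = in use


@dataclass
class NetconfSession:
    """Stand-in for a live NETCONF session; only the bookkeeping is modelled."""
    session_id: int
    pool_id: str
    state: int = IDLE
    is_core: bool = True  # False for sessions created dynamically on demand


@dataclass
class SessionPool:
    pool_id: str
    n_max: int  # hard cap on core + dynamic sessions for this resource pool
    sessions: List[NetconfSession] = field(default_factory=list)

    def idle_sessions(self) -> List[NetconfSession]:
        return [s for s in self.sessions if s.state == IDLE]


class SessionPoolManager:
    """Holds the resource-pool-id -> session-pool correspondence (step 501)."""

    def __init__(self, pool_ids: List[str], core_per_pool: int, n_max: int,
                 idle_threshold: int = 0):
        # core_per_pool stands in for n_session: the sizing formula is not
        # reproduced here, so the caller supplies the number directly.
        self.idle_threshold = idle_threshold
        self._next_id = 0
        self.pools: Dict[str, SessionPool] = {}
        for pid in pool_ids:
            pool = SessionPool(pid, n_max)
            for _ in range(core_per_pool):
                pool.sessions.append(self._new_session(pid, core=True))
            self.pools[pid] = pool

    def _new_session(self, pool_id: str, core: bool) -> NetconfSession:
        self._next_id += 1
        return NetconfSession(self._next_id, pool_id, IDLE, core)

    def _grow(self, pool: SessionPool) -> Optional[NetconfSession]:
        """Add one dynamic session unless the pool is already at n_max."""
        if len(pool.sessions) >= pool.n_max:
            return None
        s = self._new_session(pool.pool_id, core=False)
        pool.sessions.append(s)
        return s

    def acquire(self, pool_id: str) -> Optional[NetconfSession]:
        """Steps 502-504: look up the pool, pick an idle session, mark it busy."""
        pool = self.pools.get(pool_id)
        if pool is None:
            raise KeyError(f"no session pool for resource pool {pool_id!r}")
        idle = pool.idle_sessions()
        if not idle:
            grown = self._grow(pool)  # s_true = s_core + s_dynamic, capped at n_max
            if grown is None:
                return None  # pool exhausted: caller must wait or fail the request
            idle = [grown]
        target = idle[0]
        target.state = IN_USE  # state updated to non-idle before returning it
        # Replenish when the remaining idle count is at or below the threshold.
        if len(pool.idle_sessions()) <= self.idle_threshold:
            self._grow(pool)
        return target

    def release(self, session: NetconfSession) -> None:
        session.state = IDLE

    def stats(self, pool_id: str) -> Dict[str, int]:
        pool = self.pools[pool_id]
        return {"total": len(pool.sessions),
                "idle": len(pool.idle_sessions()),
                "dynamic": sum(1 for s in pool.sessions if not s.is_core)}
```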
In some embodiments, before the first packet is constructed in the target network configuration session, the method may further include: constructing a second message in the target network configuration session, wherein the second message carries the initial configuration parameters of the target firewall; sending the second message to the target firewall through the target network configuration session; and when the parameter configuration of the target firewall based on the first message is abnormal, carrying out data rollback based on the second message so as to roll the configuration parameters of the target firewall back to the initial configuration parameters.
According to the embodiment of the application, a firewall configuration request for a target cloud network service is received, wherein the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service; based on the identifier of the target resource pool, a target network configuration session corresponding to the target resource pool is obtained; a first message carrying firewall configuration parameters is constructed in the target network configuration session; and the first message is sent through the target network configuration session to the target firewall corresponding to the target resource pool, so that the target firewall performs parameter configuration based on the firewall configuration parameters. In this way, when a firewall configuration is required, a pre-constructed network configuration session is acquired directly and the firewall configuration parameters are sent to the target firewall through that session, so the firewall configuration is completed efficiently.
In the following, an exemplary application of the embodiments of the present application in a practical application scenario will be described. Referring to fig. 6, fig. 6 is an alternative flow chart of a network configuration method according to an embodiment of the present application.
Step 1, before a network configurator goes online in a resource pool, acquiring the IP address and connection port of the target firewall and the user name and password for SSH authentication, and recording the user name and password in the device configuration module of the system;
Step 2, constructing a NETCONF session pool according to the information in the device configuration module, which comprises the following specific steps:
Step 2.1, first calculate the number of core sessions required for each resource pool by the following formula:
Figure BDA0003437455350000121
where $n_{session}$ is the number of core sessions per resource pool, $n_{cpu}$ the number of server CPUs, $p_{cpu}$ the expected CPU utilization of the server hosting the system, $t_{wait}$ the waiting time of a task, $t_{work}$ the execution time of a task, and $n_{resource}$ the number of resource pools;
Step 2.2, initialize the session instance lists: according to $n_{resource}$, initialize a list $s_{core}$ of core session instances for each resource pool and set the maximum session number $n_{max}$; let the session instance list of the resource pool equal its core session instance list, $s_{true} = s_{core}$. At this time the status flag $e$ of each session instance is 0 (0 means idle, 1 means in use).
Step 2.3, when the number of session instances in use in the resource pool is smaller than the size of the core session instance list $s_{core}$, the actual number of session instances remains the size of $s_{core}$. When the number of session instances in use exceeds the size of $s_{core}$, the actual session instance list is calculated as:
$s_{true} = s_{core} + s_{dynamic}$
where $s_{dynamic}$ is the list of session instances created dynamically when no idle core session instance exists, and the size of $s_{true}$ does not exceed $n_{max}$.
Step 2.4, construct a dictionary for acquiring idle session instances, indexing the session instances as key-value pairs: the key is the resource pool number $p_i$ and the value is the session instance list of the corresponding resource pool; the idle session of the current resource pool can then be obtained by means of the status flag $e$ of each session instance.
Step 3, receiving a request from the cloud network service platform side, and obtaining an idle session from the session pool according to the resource pool number of the current service;
Step 4, constructing, in the NETCONF session, a message that saves the current firewall configuration, sending it to the target firewall, and recording the firewall configuration in a CFG file;
Step 5, constructing configuration messages for the firewall VPN, subinterfaces, static routes, NAT policies, security domain policies and the like through native JAXB according to the cloud network service;
Step 6, sending the configuration messages related to the cloud network service to the target firewall device;
Step 7, parsing the XML response message returned when the target firewall device completes the configuration operation: if an <ok> element is parsed, the issuing succeeded; if an <rpc-error> element is parsed, the configuration issuing is judged abnormal, the error message prompt is extracted and an alarm is sent; the request and response XML messages are stored in a database;
Step 8, among the many configuration operations involved in issuing the cloud network service to the firewall, if any one configuration issue is abnormal, acquiring the file name of the firewall CFG configuration file saved in advance, constructing a firewall configuration rollback message, issuing it to the target firewall, and rolling the firewall configuration back to the state before the platform-side request;
According to the embodiment of the application, scheduling sessions through the NETCONF session pool reduces the resource consumption of creating a session for every cloud network service and greatly shortens the time for automatically configuring the firewall; in addition, while one request issues multiple messages, abnormality detection and alarming are supported, and on abnormality the firewall can be rolled back in time to its state before the request, so that no abnormal or redundant data remains.
The following continues the description of an exemplary architecture of the firewall configuration device 255 implemented as software modules according to embodiments of the present application. In some embodiments, as shown in fig. 2, the software modules stored in the firewall configuration device 255 of the memory 250 may include:
a receiving module 2551, configured to receive a firewall configuration request for a target cloud network service, where the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service;
an obtaining module 2552, configured to obtain a target network configuration session corresponding to the target resource pool based on the identifier of the target resource pool;
a construction module 2553, configured to construct a first packet in a target network configuration session, where the first packet carries firewall configuration parameters;
and the sending module 2554 is configured to send the first packet to a target firewall corresponding to the target resource pool through the target network configuration session, so that the target firewall performs parameter configuration based on the firewall configuration parameter.
In some embodiments, the obtaining, based on the identification of the target resource pool, a target network configuration session corresponding to the target resource pool includes: obtaining the corresponding relation between the identification of the resource pool and the session pool; based on the corresponding relation and the identification of the target resource pool, obtaining a session pool corresponding to the target resource pool; and determining a network configuration session in an idle state from a session pool corresponding to the target resource pool, and determining the target network configuration session from the determined network configuration session.
In some embodiments, the determining the network configuration session in the idle state from the session pool corresponding to the target resource pool includes: acquiring state information of each network configuration session in the session pool; based on the state information of each network configuration session, determining the network configuration session in the idle state in the session pool.
In some embodiments, the method further comprises: and updating the state information of the target network configuration session to a non-idle state.
In some embodiments, before the receiving the firewall configuration request for the target cloud network service, the method further comprises: constructing session pools for at least two resource pools, wherein each resource pool corresponds to one cloud network service; obtaining an identification of each of the at least two resource pools; and constructing the corresponding relation between the identification of the resource pool and the session pool based on the identification of each resource pool in the at least two resource pools and the corresponding session pool.
In some embodiments, the building a session pool for at least two resource pools comprises: obtaining performance parameters of the network configuration equipment; and constructing a session pool for at least two resource pools based on the performance parameter and the number of the resource pools of the at least two resource pools.
In some embodiments, the constructing a session pool for at least two resource pools based on the performance parameter and the number of resource pools of the at least two resource pools comprises: determining the session number of the network configuration session corresponding to each resource pool based on the performance parameter and the resource pool number of the at least two resource pools; constructing a session pool for at least two resource pools based on the session number; wherein the number of network configuration sessions contained in each session pool is the number of sessions.
In some embodiments, the method further comprises: obtaining the number of network configuration sessions in an idle state in the target resource pool; creating a new network resource configuration session when the number of network configuration sessions in the idle state is less than or equal to the number threshold; and adding the created network resource configuration session to the target resource pool.
In some embodiments, before the first packet is constructed in the target network configuration session, the method further includes: constructing a second message in the target network configuration session, wherein the second message carries the initial configuration parameters of the target firewall; sending the second message to the target firewall through the target network configuration session; and when the parameter configuration of the target firewall based on the first message is abnormal, carrying out data rollback based on the second message so as to roll the configuration parameters of the target firewall back to the initial configuration parameters.
Embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the firewall configuration method of the above-described embodiments of the present application.
The present embodiments provide a computer readable storage medium storing executable instructions that, when executed by a processor, cause the processor to perform the firewall configuration method provided by the embodiments of the present application.
In some embodiments, the computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; or it may be any of a variety of devices including one or any combination of the above memories.
In some embodiments, the executable instructions may be in the form of programs, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and they may be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment.
As an example, the executable instructions may, but need not, correspond to files in a file system, and may be stored as part of a file that holds other programs or data, for example, in one or more scripts in a hypertext markup language (HTML, HyperText Markup Language) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
As an example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices located at one site or, alternatively, distributed across multiple sites and interconnected by a communication network.
In summary, by the embodiment of the application, the efficiency of firewall configuration can be improved.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application. Any modifications, equivalent substitutions, improvements, etc. that are within the spirit and scope of the present application are intended to be included within the scope of the present application.

Claims (12)

1. A firewall configuration method, applied to a network configuration device, comprising:
receiving a firewall configuration request aiming at a target cloud network service, wherein the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service;
based on the identification of the target resource pool, obtaining a target network configuration session corresponding to the target resource pool;
constructing a first message in a target network configuration session, wherein the first message carries firewall configuration parameters;
and sending the first message to a target firewall corresponding to the target resource pool through the target network configuration session so that the target firewall performs parameter configuration based on the firewall configuration parameters.
2. The firewall configuration method according to claim 1, wherein the obtaining, based on the identification of the target resource pool, a target network configuration session corresponding to the target resource pool includes:
obtaining the corresponding relation between the identification of the resource pool and the session pool;
based on the corresponding relation and the identification of the target resource pool, obtaining a session pool corresponding to the target resource pool;
and determining a network configuration session in an idle state from a session pool corresponding to the target resource pool, and determining the target network configuration session from the determined network configuration session.
3. The firewall configuration method according to claim 2, wherein the determining a network configuration session in an idle state from a session pool corresponding to the target resource pool comprises:
acquiring state information of each network configuration session in the session pool;
based on the state information of each network configuration session, determining the network configuration session in the idle state in the session pool.
4. A firewall configuration method according to claim 3, characterized in that the method further comprises:
and updating the state information of the target network configuration session to a non-idle state.
5. The firewall configuration method of claim 2, wherein prior to receiving the firewall configuration request for the target cloud service, the method further comprises:
constructing session pools for at least two resource pools, wherein each resource pool corresponds to one cloud network service;
obtaining an identification of each of the at least two resource pools;
and constructing the corresponding relation between the identification of the resource pool and the session pool based on the identification of each resource pool in the at least two resource pools and the corresponding session pool.
6. The firewall configuration method of claim 5, wherein the building a session pool for at least two resource pools comprises:
obtaining performance parameters of the network configuration equipment;
and constructing a session pool for at least two resource pools based on the performance parameter and the number of the resource pools of the at least two resource pools.
7. The firewall configuration method of claim 6, wherein constructing a session pool for at least two resource pools based on the performance parameter and the number of resource pools of the at least two resource pools comprises:
determining the session number of the network configuration session corresponding to each resource pool based on the performance parameter and the resource pool number of the at least two resource pools;
constructing a session pool for at least two resource pools based on the session number;
wherein the number of network configuration sessions contained in each session pool is the number of sessions.
8. The firewall configuration method of claim 2, further comprising:
obtaining the number of network configuration sessions in an idle state in the target resource pool;
creating a new network resource configuration session when the number of network configuration sessions in the idle state is less than or equal to the number threshold;
and adding the created network resource configuration session to the target resource pool.
9. The firewall configuration method of claim 1, wherein prior to constructing the first message in the target network configuration session, the method further comprises:
constructing a second message in the target network configuration session, wherein the second message carries initial configuration parameters of the target firewall;
the second message is sent to the target firewall through the target network configuration session;
and when the parameter configuration of the target firewall based on the first message is abnormal, carrying out data rollback based on the second message so as to roll the configuration parameters of the target firewall back to the initial configuration parameters.
10. A firewall configuration apparatus, comprising:
the receiving module is used for receiving a firewall configuration request aiming at a target cloud network service, wherein the firewall configuration request carries an identifier of a target resource pool corresponding to the target cloud network service;
the obtaining module is used for obtaining a target network configuration session corresponding to the target resource pool based on the identification of the target resource pool;
the construction module is used for constructing a first message in the target network configuration session, wherein the first message carries firewall configuration parameters;
and the sending module is used for sending the first message to a target firewall corresponding to the target resource pool through the target network configuration session so that the target firewall performs parameter configuration based on the firewall configuration parameters.
11. An electronic device, comprising:
a memory for storing executable instructions;
a processor for implementing the firewall configuration method of any one of claims 1 to 9 when executing executable instructions stored in said memory.
12. A computer readable storage medium storing executable instructions for implementing the firewall configuration method of any one of claims 1 to 9 when executed by a processor.
CN202111619609.3A 2021-12-27 2021-12-27 Firewall configuration method, device, electronic equipment and computer readable storage medium Pending CN116366269A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111619609.3A CN116366269A (en) 2021-12-27 2021-12-27 Firewall configuration method, device, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN116366269A true CN116366269A (en) 2023-06-30

Family

ID=86939301

Country Status (1)

Country Link
CN (1) CN116366269A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination