WO2020042471A1 - Firewall policy verification method, system and device, and readable storage medium - Google Patents


Info

Publication number
WO2020042471A1
Authority
WO
WIPO (PCT)
Prior art keywords
firewall policy
policy verification
source host
verification request
verification
Prior art date
Application number
PCT/CN2018/122804
Other languages
French (fr)
Chinese (zh)
Inventor
翟士才
马晓龙
朱皓
祁明远
李林鸽
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2020042471A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/50 Testing arrangements
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Abstract

The present application provides a firewall policy verification method, system and device, and a readable storage medium. The method comprises: when a front end monitors a firewall policy verification request, the front end checking the firewall policy verification request, and sending, when the firewall policy verification request passes the check, the firewall policy verification request to a background server; the background server receiving the firewall policy verification request sent by the front end, and executing a remote log-in operation on source hosts in the firewall policy verification request; and when the source hosts in the firewall policy verification request are successfully remotely logged into, the background server sending firewall policies in the firewall policy verification request to corresponding source hosts for verification. The present application can effectively improve the convenience of verifying a firewall policy and reduce wastage of background resources.

Description

Firewall policy verification method, system, device and readable storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on August 31, 2018, application number 201811008170.9, entitled "Firewall policy verification method, system, device and readable storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the technical field of information network security, and in particular to a firewall policy verification method, system, device and computer-readable storage medium.
Background
With the rapid development of network technology, more and more enterprises use networks for personnel management, product sales, business consulting and the like. To provide these functions, each company needs to deploy multiple servers, and to improve network information security within the enterprise the policies configured on its firewalls need to be verified. Firewall policy verification specifically means that, in the production environment of an enterprise system, when different services access each other, an operator logs in to a server and enters a verification command to verify the firewall policy configured for the accessed service; the result of whether the firewall verification passed is then returned, confirming whether the two services have the required permission to access and be accessed.
At present, firewall policy verification is done by a verifier manually entering the IP of the host to be verified into a test tool. When there are many hosts whose policies need verification, however, the verifier must manually log in to different servers, or verify one by one, on the same server, the multiple hosts or services that need to be accessed. This is very tedious and inconvenient for firewall policy verification. In addition, users can enter arbitrary input on the page and thereby invoke background programs, wasting background resources.
Therefore, how to improve the convenience of firewall policy verification and reduce the waste of background resources is a problem that urgently needs to be solved.
Summary of the Invention
The main purpose of the present application is to provide a firewall policy verification method, system, device and computer-readable storage medium that improve the convenience of firewall policy verification and avoid wasting background resources.
To achieve the above object, the present application provides a firewall policy verification method, which includes the following steps:
when a front end detects a firewall policy verification request, the front end checks the firewall policy verification request and, when the firewall policy verification request passes the check, sends the firewall policy verification request to a background server;
the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the firewall policy verification request;
after each source host in the firewall policy verification request has been successfully logged in to remotely, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
In addition, to achieve the above object, the present application also provides a firewall policy verification system, which includes a front end and a background server; the front end includes a check module, and the background server includes a remote login module and a policy verification module, wherein
the check module is configured to, when the front end detects a firewall policy verification request, check the firewall policy verification request and, when the firewall policy verification request passes the check, send the firewall policy verification request to the background server;
the remote login module is configured to receive the firewall policy verification request sent by the front end and perform a remote login operation on each source host in the firewall policy verification request;
the policy verification module is configured to, after each source host in the firewall policy verification request has been successfully logged in to remotely, send the firewall policy in the firewall policy verification request to the corresponding source host for verification.
In addition, to achieve the above object, the present application also provides a firewall policy verification device, which includes a processor, a memory, and firewall policy verification readable instructions stored in the memory and executable by the processor, where the firewall policy verification readable instructions, when executed by the processor, implement the following steps:
receiving a checked firewall policy verification request sent by a front end, and performing a remote login operation on each source host in the firewall policy verification request;
after each source host in the firewall policy verification request has been successfully logged in to remotely, sending the firewall policy in the firewall policy verification request to the corresponding source host for verification.
In addition, to achieve the above object, the present application also provides a readable storage medium storing firewall policy verification readable instructions, where the firewall policy verification readable instructions, when executed by a processor, implement the following steps:
receiving a checked firewall policy verification request sent by a front end, and performing a remote login operation on each source host in the firewall policy verification request;
after each source host in the firewall policy verification request has been successfully logged in to remotely, sending the firewall policy in the firewall policy verification request to the corresponding source host for verification.
The present application provides a firewall policy verification method, system, device and computer-readable storage medium. The front end of the present application checks a detected firewall policy verification request and, after the request passes the check, sends it to a background server; the background server performs a remote login operation on each source host in the firewall policy verification request and, after the remote login succeeds, sends the firewall policy in the request to the corresponding source host for verification. Because the front end checks the firewall policy verification request before sending it to the background server, and the request reaches the background server only when it passes the check, the waste of background resources is effectively reduced. At the same time, the background server automatically performs the remote login operation on each source host, so the user neither needs to manually log in to different servers nor to verify one by one, on the same server, the multiple hosts or services that need to be accessed, which effectively improves the convenience of firewall policy verification.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of the hardware structure of the firewall policy verification device involved in the embodiments of the present application;
FIG. 2 is a schematic flowchart of the first embodiment of the firewall policy verification method of the present application;
FIG. 3 is a detailed flowchart of step S101 in the third embodiment of the present application;
FIG. 4 is a schematic diagram of the functional modules of the first embodiment of the firewall policy verification system of the present application.
The achievement of the objects, the functional features and the advantages of the present application are further described below with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it.
The firewall policy verification method of the embodiments of the present application is mainly applied to a firewall policy verification device, which may be a PC (personal computer), a portable computer, a mobile terminal or another device with display and processing functions.
Referring to FIG. 1, FIG. 1 is a schematic diagram of the hardware structure of the firewall policy verification device involved in the solution of the embodiments of the present application. In the embodiments of the present application, the firewall policy verification device may include a processor 1001 (for example a central processing unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to implement connection and communication between these components; the user interface 1003 may include a display and an input unit such as a keyboard; the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface); the memory 1005 may be a high-speed RAM memory or a stable (non-volatile) memory such as a disk memory, and may optionally be a storage system independent of the aforementioned processor 1001. Those skilled in the art will understand that the hardware structure shown in FIG. 1 does not limit the present application; the device may include more or fewer components than shown, combine certain components, or arrange the components differently.
With continued reference to FIG. 1, the memory 1005 in FIG. 1, as a readable storage medium, may include an operating system, a network communication module and firewall policy verification readable instructions. In FIG. 1, the network communication module is mainly used to connect to a server and exchange data with it, while the processor 1001 can call the firewall policy verification readable instructions stored in the memory 1005 and execute the firewall policy verification method provided by the embodiments of the present application.
The embodiments of the present application provide a firewall policy verification method.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of the first embodiment of the firewall policy verification method of the present application.
In this embodiment, the firewall policy verification method includes the following steps:
Step S101: when the front end detects a firewall policy verification request, the front end checks the firewall policy verification request and, when the request passes the check, sends the firewall policy verification request to the background server;
Step S102: the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the firewall policy verification request;
Step S103: after each source host in the firewall policy verification request has been successfully logged in to remotely, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
At present, firewall policy verification is done by a verifier manually entering the IP of the host to be verified into a test tool. When there are many hosts whose policies need verification, however, the verifier must manually log in to different servers, or verify one by one, on the same server, the multiple hosts or services that need to be accessed. This is very tedious and inconvenient for firewall policy verification. In addition, users can enter arbitrary input on the page and thereby invoke background programs, wasting background resources. In view of these problems, this embodiment proposes a firewall policy verification method, whose specific steps are described in detail below:
Step S101: when the front end detects a firewall policy verification request, the front end checks the firewall policy verification request and, when the request passes the check, sends the firewall policy verification request to the background server;
In this embodiment, the host information entered by the user is received through a front-end page. After receiving the host information, the front end triggers a firewall policy verification request carrying that host information, where the host information includes, but is not limited to, the source host IP, the destination host IP and the port. When the front end detects a firewall policy verification request, it checks the request; when the request passes the check, it sends the request to the background server, and when the request fails the check, the front end displays a reminder message. In a specific implementation, the firewall policy can be entered by uploading an attachment: a firewall policy file is uploaded and parsed to obtain the firewall policy. Entering the firewall policy by attachment upload avoids manually entering a large number of firewall policies and makes policy entry more convenient. The objects of the check include, but are not limited to, the firewall policy file in the firewall policy verification request and the host information in the firewall policy file, namely the source host IP, destination host IP and port.
Specifically, if the firewall policy verification request contains no firewall policy file, the front end obtains the host information directly from the request, classifies it, and checks each class of host information against the check rule for that class. Concretely: a type check on the source host IP and destination host IP, i.e. a regular expression is used to check whether the entered value is an IP; if it is not an IP the check fails, and if it is an IP the check passes. A non-empty check and a numeric type check on the port, i.e. checking whether a port was entered at all and whether the entered port has a numeric data type; if no port was entered, or the entered port is not numeric, the check fails, and if the entered port is numeric the check passes. A physical host / cloud host check, i.e. checking whether the user has selected at least one of physical host firewall verification and cloud host firewall verification; if the user has selected neither, the check fails. The user may also enter multiple application IPs through the front end: the user enters the application IPs separated by a delimiter character agreed with the background server, producing a string carrying multiple application IPs; after receiving the string, the background server splits it into individual IPs on the agreed delimiter and checks each IP with a regular expression.
Further, during the check, the firewall policy verification process of the background service can also be checked. Specifically, the front end reads the background server status value from a preset storage area and determines the state of the background server from that value: when the background server status value is "0", the background server is idle, and when it is "1", the background server is in the firewall verification state. If the background server is in the firewall policy verification state, the page submit button of the front end is locked, and when the state of the background server is detected to change from the firewall policy verification state to the idle state, the page submit button of the front end is unlocked. This check of the firewall verification process prevents users from repeatedly submitting firewall policies, which would increase the workload of the background server while reducing its efficiency (since there are many firewall policies to verify, the background server needs a relatively long processing time).
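The front-end checks of step S101, written out as an added example (not code from the patent): IP type check by regular expression, non-empty and numeric port check, the physical host / cloud host selection check, splitting a delimited multi-IP string, and the submit-button lock driven by the background server status value. The delimiter `;`, the request field names and the IPv4-only regular expression are assumptions, since the page names none of them.

```python
import re

# Delimiter agreed between front end and background server for multi-IP
# strings (assumption: the page says it is agreed but does not name it).
IP_DELIMITER = ";"

# Dotted-quad IPv4 check by regular expression, as described in the text.
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"
)


def is_ip(value):
    """Type check on a host IP: True only for a well-formed IPv4 address."""
    return isinstance(value, str) and bool(_IPV4_RE.match(value.strip()))


def is_port(value):
    """Non-empty check plus numeric type check on the port field."""
    if value is None:
        return False
    return str(value).strip().isdigit()


def split_ips(ip_string):
    """Split a delimiter-joined string of application IPs into single IPs,
    dropping empty fragments such as a trailing delimiter."""
    return [part.strip() for part in ip_string.split(IP_DELIMITER) if part.strip()]


def check_request(request):
    """Apply the step S101 checks to one verification request.

    request is a dict (assumed field names): source_ips (delimited str),
    target_ip (str), port (str or int), physical (bool), cloud (bool).
    Returns (passed, reminders); reminders are the messages the front end
    would display when the request fails the check.
    """
    reminders = []
    sources = split_ips(request.get("source_ips", ""))
    if not sources:
        reminders.append("no source host IP entered")
    for ip in sources:
        if not is_ip(ip):
            reminders.append("source host IP is not an IP: %r" % ip)
    if not is_ip(request.get("target_ip", "")):
        reminders.append("destination host IP is not an IP")
    if not is_port(request.get("port")):
        reminders.append("port is empty or not numeric")
    if not (request.get("physical") or request.get("cloud")):
        reminders.append("select physical host and/or cloud host verification")
    return (not reminders, reminders)


def submit_button_locked(backend_status):
    """Status value "1" means the background server is still verifying, so
    the page submit button stays locked; "0" (idle) unlocks it."""
    return backend_status == "1"
```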
Step S102: the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the firewall policy verification request;
In this embodiment, the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the request. The remote login operation on each source host may specifically take the form of remote password-free login or remote login with a retrieved password.
For remote password-free login, a service host is set up through which all hosts and services are managed, achieving remote password-free login to all managed hosts and services. Specifically, the key information of the service host is obtained, and a cloud interface is called to push a preset script and the key information to each source host. Each source host executes the preset script, which detects whether the key information already exists in the source host's configuration file: if it does, the preset script is deleted; if it does not, the key information is written into the configuration file, so that the service host is present in the trust list of each source host. With this login information list and the key information of the service host, each source host can be logged in to remotely without a password, so there is no need to manually log in to different servers, which effectively improves the convenience of firewall policy verification.
For remote login with a retrieved password, each source host is assigned a corresponding logop user password, i.e. a login password, when it is built and registered. On receiving the firewall policy verification request, the background server calls an interface by concatenating a URL to obtain the login password of each source host, and uses the login password to log in to each source host remotely by specifying the password, i.e. a command carrying the IP and login password is sent to the corresponding source host. Each source host is thus logged in to remotely without manually logging in to different servers, which effectively improves the convenience of firewall policy verification.
Step S103: after each source host in the firewall policy verification request has been successfully logged in to remotely, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
In this embodiment, after each source host in the firewall policy verification request has been successfully logged in to remotely, the background server sends the firewall policy in the request to the corresponding source host for verification. That is, on receiving the firewall policy, each source host executes a telnet verification command and obtains the firewall policy verification result, namely whether the source host can reach the destination host, and each source host returns the firewall policy verification result to the background server. If the remote login to a source host in the firewall policy verification request fails, a reminder message is sent to the front end. The firewall policy verification result includes, but is not limited to, connected and not connected. The background server receives the firewall policy verification results returned by the source hosts and sends them to the front end, which displays them.
Further, the background server receives the firewall policy verification results returned by the source hosts and sends them to the front end, which filters the firewall policy verification results according to preset filter conditions and displays the filtered results. It should be noted that the preset filter conditions can be set by those skilled in the art based on the actual situation, and this embodiment does not specifically limit them. This embodiment provides a filtering function for firewall policy verification results, which effectively improves the utilization of the results. In a specific implementation, the pagination and filter tags that come with element can only filter the firewall policy verification results on the current page. For this reason, all firewall policy verification results are backed up before filtering, and if the front end displays the results in pages, the backed-up results are used as the filter object when the filter operation is executed, so that all firewall policy verification results are filtered.
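The step S103 verification and the result filtering of the two paragraphs above, as an added example that is not the patent's own code: the connectivity check a source host performs (the page uses a telnet command; a plain TCP connect to the destination IP and port yields the same connected / not connected answer), the result records the background server collects, and filtering over the full backed-up result list rather than the current page. The `demo()` function constructs two local destinations (one listening port, one closed port) so the example runs offline; the 10.0.0.x source addresses are constructed sample values.

```python
import socket


def check_policy(target_ip, port, timeout=2.0):
    """Connectivity check run on a source host for one firewall policy.
    Returns "connected" or "not connected" (the two results the page names)."""
    try:
        with socket.create_connection((target_ip, int(port)), timeout=timeout):
            return "connected"
    except OSError:          # refused, timed out, unreachable, bad address
        return "not connected"


def verify_policies(policies, check=check_policy):
    """Run the check for every policy and return one result record each,
    as the background server would collect them from the source hosts."""
    return [
        {
            "source_ip": p["source_ip"],
            "target_ip": p["target_ip"],
            "port": int(p["port"]),
            "result": check(p["target_ip"], p["port"]),
        }
        for p in policies
    ]


def paginate(rows, page, page_size):
    """Return the rows shown on one front-end page (1-based page number)."""
    start = (page - 1) * page_size
    return rows[start:start + page_size]


def filter_results(rows, **conditions):
    """Keep rows matching every field=value condition, e.g. result="connected"."""
    return [r for r in rows if all(r.get(k) == v for k, v in conditions.items())]


def filter_all(all_results, page, page_size, **conditions):
    """Filter the complete backed-up result list first and page afterwards,
    so matches outside the current page are not lost."""
    return paginate(filter_results(all_results, **conditions), page, page_size)


def demo():
    """Constructed offline demonstration: a listening local port and a closed
    local port stand in for a reachable and an unreachable destination host."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                        # nothing listens here any more
    policies = [
        {"source_ip": "10.0.0.1", "target_ip": "127.0.0.1", "port": open_port},
        {"source_ip": "10.0.0.2", "target_ip": "127.0.0.1", "port": closed_port},
    ]
    try:
        return verify_policies(policies)
    finally:
        listener.close()
```

Filtering only the current page (`filter_results(paginate(rows, 1, 1), ...)`) misses every match on later pages, which is the defect the backup-then-filter approach avoids.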
In this embodiment, the front end of the present application validates a detected firewall policy verification request and, once the request passes validation, sends it to the back-end server. The back-end server performs a remote login operation on each source host in the request and, once remote login has succeeded, sends the firewall policy in the request to the corresponding source host for verification. Because the front end validates the request before sending it to the back-end server, and only a request that passes validation is sent, back-end resources are not wasted on invalid requests. At the same time, the back-end server logs in to each source host automatically, so the user neither has to log in to different servers manually nor verify, one by one on the same server, the multiple hosts or services that need to be reached, which makes firewall policy verification considerably more convenient.
Further, a second embodiment of the firewall policy verification method of the present application is proposed on the basis of the first embodiment. It differs from the foregoing embodiment in that step S102 includes:
Step a1: the back-end server obtains the key information of a service host and pushes a preset script and the key information to each source host in the firewall policy verification request;
In this embodiment, a service host is set up through which all hosts and services are managed, so that password-free remote login to every managed host and service is possible. When the back-end service receives a firewall policy verification request from the front end, the back-end server obtains the key information of the service host and calls a cloud interface to push the preset script and the key information to each source host in the request. The preset script checks whether the service host's key information is already present in the source host's configuration file: if it is, the preset script deletes itself; if it is not, the script writes the service host's key information into the source host's configuration file.
Step a2: each source host executes the preset script, writes the key information into its configuration file, and returns the script execution result to the back-end server;
In this embodiment, after receiving the preset script, each source host executes it, writes the service host's key information into its configuration file, and returns the script execution result to the back-end server, indicating that the configuration file of every source host now contains the service host's key information. Once that is the case, the service host is in each source host's trust list, that is, the back-end server can log in to each source host remotely, without a password, using the service host's key information.
Step a3: when the script execution results returned by the source hosts are received, password-free login authentication is performed on each source host, and each source host is logged in to when its password-free login authentication passes.
In this embodiment, when the back-end server receives the script execution results returned by the source hosts, it performs password-free login authentication on each source host and logs in to each source host whose authentication passes. That is, the back-end server sends the service host's key information to each source host, and each source host compares the key information in its configuration file with the key information it received; if the two match, password-free login authentication passes, otherwise it fails.
Further, the remote login operation may instead be performed by the back-end server calling a preset interface to obtain the login password of each source host in the firewall policy verification request and sending each login password to the corresponding source host in order to log in remotely. That is, each source host receives the login password sent by the back-end server and verifies it; if verification passes, remote login is allowed, otherwise it is refused. This approach likewise makes firewall policy verification more efficient.
In this embodiment, a service host is set up to manage all hosts and services, making password-free remote login to every managed host and service possible, so that the firewall policies of the source hosts to be tested can be verified simultaneously, which improves both the convenience and the efficiency of firewall policy verification.
Further, referring to FIG. 3, a third embodiment of the firewall policy verification method of the present application is proposed on the basis of the first or second embodiment. It differs from the foregoing embodiments in that step S101 includes:
Step S1011: the front end determines whether a firewall policy file exists in the firewall policy verification request;
In this embodiment, the user enters the firewall policy by uploading an attachment, that is, by uploading a firewall policy file through the front-end page, which triggers a firewall policy verification request carrying the firewall policy file. During validation, the front end may first determine whether a firewall policy file is present in the request. If no firewall policy file is present, the file validation step is not needed and the firewall policy contained in the request is validated directly.
Step S1012: if a firewall policy file exists in the firewall policy verification request, the front end validates the firewall policy file in the request;
In this embodiment, if a firewall policy file exists in the request, the front end validates it. Specifically, the attribute information of the firewall policy file, including but not limited to the file format and the file size in bytes, is obtained from the request, and it is determined whether the file format in the attribute information is a preset format: the file name is taken from the attribute information and split to obtain the file suffix type; if the suffix type is a preset type, the file format is determined to be the preset format, otherwise it is not. If the file format is the preset format, the front end then determines whether the file size in bytes is less than or equal to a preset threshold; if it is, the firewall policy file is determined to pass validation, otherwise it fails. If the file format is not the preset format, the firewall policy file is likewise determined to fail validation. It should be noted that the preset format and preset suffix type may be set by those skilled in the art according to the actual situation and are not specifically limited in this embodiment; optionally, the preset format is Excel and the preset suffix type is .xls or .xlsx.
Step S1013: when the firewall policy file in the firewall policy verification request passes validation, the front end parses the firewall policy file to obtain the firewall policy and validates the firewall policy.
In this embodiment, when the firewall policy file in the request passes validation, the front end parses it to obtain the firewall policy and validates the policy, that is, it validates the IP addresses and ports in the policy, including IP type validation, port non-empty validation, port type validation, and physical host versus cloud host validation; for the specific validation process, refer to the first embodiment above, which is not repeated here. It should be noted that firewall policy files of different formats are parsed differently; the parsing method may be set by those skilled in the art according to the actual situation and is not specifically limited in this embodiment.
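The validation chain of steps S1011 to S1013, followed by the IP and port checks the page names, as an added example rather than the patent's front-end code. The row layout (source IP, target IP, port), the size threshold and the line-based stand-in parser are assumptions, since the page leaves the Excel parsing method open; the physical-versus-cloud host check is mentioned on the page without detail and is not modelled.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

PRESET_SUFFIXES = {".xls", ".xlsx"}  # the page's optional preset: Excel
PRESET_MAX_BYTES = 2 * 1024 * 1024  # assumed size threshold


def validate_policy_file(file_name: str, size_bytes: int) -> Tuple[bool, str]:
    """Step S1012: split the file name to get its suffix, require the preset
    suffix type, then require the byte count to be at most the threshold.
    The suffix reflects only the name the client chose, so the back end must
    still parse the content defensively rather than trust this result."""
    dot = file_name.rfind(".")
    suffix = file_name[dot:].lower() if dot >= 0 else ""
    if suffix not in PRESET_SUFFIXES:
        return False, f"file format {suffix or '(none)'} is not the preset format"
    if size_bytes > PRESET_MAX_BYTES:
        return False, f"file size {size_bytes} exceeds {PRESET_MAX_BYTES} bytes"
    return True, "ok"


def validate_entry(entry: Dict[str, object]) -> List[str]:
    """IP type, port non-empty and port type checks for one policy row."""
    errors = []
    for field in ("source_ip", "target_ip"):
        try:
            ipaddress.ip_address(str(entry.get(field, "")).strip())
        except ValueError:
            errors.append(f"{field}: not a valid IP address")
    port = entry.get("port")
    if port is None or str(port).strip() == "":
        errors.append("port: empty")
    else:
        try:
            number = int(str(port).strip())
            if not 1 <= number <= 65535:
                raise ValueError
        except ValueError:
            errors.append("port: not a valid port number")
    return errors


def demo_line_parser(content: bytes) -> List[Dict[str, object]]:
    """Stand-in for the Excel parser (assumption): one 'source_ip,target_ip,port'
    row per line; a real deployment would plug in its spreadsheet parser here."""
    rows = []
    for line in content.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split(",")]
        cols += [""] * (3 - len(cols))
        rows.append({"source_ip": cols[0], "target_ip": cols[1], "port": cols[2]})
    return rows


def validate_request(request: Dict[str, object],
                     parser: Callable[[bytes], List[Dict[str, object]]]) -> Tuple[bool, List[str]]:
    """S1011-S1013: if a policy file is attached, validate it, parse it, then
    validate its entries; otherwise validate the entries already in the request.
    Only a request that passes is handed to the back-end server."""
    policy_file = request.get("policy_file")
    if policy_file is not None:
        ok, why = validate_policy_file(policy_file["name"], len(policy_file["content"]))
        if not ok:
            return False, [why]
        entries = parser(policy_file["content"])
    else:
        entries = request.get("entries", [])
    if not entries:
        return False, ["no firewall policy entries"]
    problems = [f"row {i}: {msg}"
                for i, entry in enumerate(entries, 1)
                for msg in validate_entry(entry)]
    return (not problems), problems
```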
In this embodiment, the user can enter the firewall policy by uploading an attachment, so that large numbers of firewall policy entries need not be typed in manually, which makes policy entry more convenient. The front end validates the uploaded attachment and continues with the subsequent validation steps only when the file passes, so that the firewall policy verification request is sent to the back-end server only after all validation has passed, which avoids wasting back-end resources.
In addition, an embodiment of the present application further provides a firewall policy verification system.
Referring to FIG. 4, FIG. 4 is a schematic diagram of the functional modules of a first embodiment of the firewall policy verification system of the present application.
The firewall policy verification system of the present application is a virtual system stored in the memory 1005 of the firewall policy verification device shown in FIG. 1 and implements all functions of the firewall policy verification readable instructions: when a firewall policy verification request is detected, the request is validated and, when it passes validation, sent to the back-end server; the back-end server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the request; and, once remote login to each source host in the request has succeeded, the back-end server sends the firewall policy in the request to the corresponding source host for verification.
Specifically, in this embodiment, the firewall policy verification system includes a front end 100 and a back-end server 200; the front end 100 includes a validation module 101, and the back-end server 200 includes a remote login module 201 and a policy verification module 202, wherein:
the validation module 101 is configured to validate the firewall policy verification request when the front end detects one, and to send the request to the back-end server when it passes validation;
the remote login module 201 is configured to receive the firewall policy verification request sent by the front end and to perform a remote login operation on each source host in the request;
the policy verification module 202 is configured to send the firewall policy in the firewall policy verification request to the corresponding source host for verification once remote login to each source host in the request has succeeded.
Further, the remote login module 201 is further configured to:
obtain the key information of a service host and push a preset script and the key information to each source host in the firewall policy verification request;
have each source host execute the preset script, write the key information into its configuration file, and return the script execution result to the back-end server;
when the script execution results returned by the source hosts are received, perform password-free login authentication on each source host and log in to each source host when its password-free login authentication passes.
Further, the remote login module 201 is further configured to:
call a preset interface to obtain the login password of each source host in the firewall policy verification request;
send the login password of each source host in the firewall policy verification request to the corresponding source host in order to log in to each source host remotely.
Further, the validation module 101 is further configured to:
determine whether a firewall policy file exists in the firewall policy verification request;
if a firewall policy file exists in the firewall policy verification request, validate the firewall policy file in the request;
when the firewall policy file in the firewall policy verification request passes validation, parse the firewall policy file to obtain the firewall policy and validate the firewall policy.
Further, the validation module 101 is further configured to:
obtain the attribute information of the firewall policy file from the firewall policy verification request and determine whether the file format in the attribute information is a preset format;
if the file format in the attribute information is the preset format, determine whether the file size in bytes in the attribute information is less than or equal to a preset threshold;
if the file size in bytes in the attribute information is less than or equal to the preset threshold, determine that the firewall policy file passes validation; otherwise the front end determines that the firewall policy file fails validation.
Further, the back-end server further includes:
a transceiver module configured to receive the firewall policy verification results returned by the source hosts and to send the results to the front end;
the front end filters the firewall policy verification results according to preset filtering conditions and displays the filtered results.
Further, the front end further includes:
a status determination module configured to read a back-end server status value from a preset storage area and to determine the status of the back-end server according to that value;
a button control module configured to lock the submit button of the current page if the status of the back-end server is the firewall policy verification status, and to unlock the submit button of the current page when it is detected that the status of the back-end server has changed from the firewall policy verification status to the idle status.
The functions implemented by the modules of the firewall policy verification system above correspond to the steps of the firewall policy verification method embodiments above; their functions and implementation are not described again here.
In addition, an embodiment of the present application further provides a computer-readable storage medium.
The computer-readable storage medium of the present application stores firewall policy verification readable instructions which, when executed by a processor, implement the steps performed by the back-end server in the firewall policy verification method described above.
The computer-readable storage medium may be a non-volatile readable storage medium. For the method implemented when the firewall policy verification readable instructions stored on the medium are executed, refer to the embodiments of the firewall policy verification method of the present application, which are not repeated here.
It should be noted that, in this document, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or system that includes that element.
The serial numbers of the embodiments of the present application above are for description only and do not indicate that any embodiment is better or worse than another.
From the description of the embodiments above, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. On that understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present application.
The above are merely preferred embodiments of the present application and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present application, or applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (20)

  1. A firewall policy verification method, characterized in that the firewall policy verification method comprises the following steps:
    when a front end detects a firewall policy verification request, the front end validates the firewall policy verification request and, when the request passes validation, sends it to a back-end server;
    the back-end server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the request;
    once remote login to each source host in the firewall policy verification request has succeeded, the back-end server sends the firewall policy in the request to the corresponding source host for verification.
  2. The firewall policy verification method according to claim 1, characterized in that the step of performing a remote login operation on each source host in the firewall policy verification request comprises:
    the back-end server obtains the key information of a service host and pushes a preset script and the key information to each source host in the firewall policy verification request;
    each source host executes the preset script, writes the key information into its configuration file, and returns a script execution result to the back-end server;
    when the back-end server receives the script execution results returned by the source hosts, it performs password-free login authentication on each source host and logs in to each source host when its password-free login authentication passes.
  3. The firewall policy verification method according to claim 1, characterized in that the step of performing a remote login operation on each source host in the firewall policy verification request comprises:
    the back-end server calls a preset interface to obtain the login password of each source host in the firewall policy verification request;
    the back-end server sends the login password of each source host in the firewall policy verification request to the corresponding source host in order to log in to each source host remotely.
  4. The firewall policy verification method according to claim 1, characterized in that the step of the front end validating the firewall policy verification request comprises:
    the front end determines whether a firewall policy file exists in the firewall policy verification request;
    if a firewall policy file exists in the firewall policy verification request, the front end validates the firewall policy file in the request;
    when the firewall policy file in the firewall policy verification request passes validation, the front end parses the firewall policy file to obtain a firewall policy and validates the firewall policy.
  5. The firewall policy verification method according to claim 4, characterized in that the step of the front end validating the firewall policy file in the firewall policy verification request comprises:
    the front end obtains attribute information of the firewall policy file from the firewall policy verification request and determines whether the file format in the attribute information is a preset format;
    if the file format in the attribute information is the preset format, the front end determines whether the file size in bytes in the attribute information is less than or equal to a preset threshold;
    if the file size in bytes in the attribute information is less than or equal to the preset threshold, the front end determines that the firewall policy file passes validation; otherwise the front end determines that the firewall policy file fails validation.
  6. The firewall policy verification method according to claim 1, characterized in that, after the step of the back-end server sending the firewall policy in the firewall policy verification request to the corresponding source host for verification, the method further comprises:
    the back-end server receives the firewall policy verification results returned by the source hosts and sends them to the front end;
    the front end filters the firewall policy verification results according to a preset filtering condition and displays the filtered results.
  7. The firewall policy verification method according to claim 1, characterized in that the firewall policy verification method further comprises:
    the front end reads a back-end server status value from a preset storage area and determines the status of the back-end server according to that value;
    if the status of the back-end server is a firewall policy verification status, the front end locks the submit button of the current page, and when the front end detects that the status of the back-end server has changed from the firewall policy verification status to an idle status, the front end unlocks the submit button of the current page.
  8. A firewall policy verification system, characterized in that the firewall policy verification system comprises a front end and a background server, the front end comprises a check module, and the background server comprises a remote login module and a policy verification module, wherein:
    the check module is configured to, when the front end detects a firewall policy verification request, check the firewall policy verification request and, when the firewall policy verification request passes the check, send the firewall policy verification request to the background server;
    the remote login module is configured to receive the firewall policy verification request sent by the front end and perform a remote login operation on each source host in the firewall policy verification request;
    the policy verification module is configured to, after each source host in the firewall policy verification request has been logged in to remotely, send the firewall policy in the firewall policy verification request to the corresponding source host for verification.
  9. The firewall policy verification system according to claim 8, characterized in that the remote login module is further configured to:
    obtain key information of a service host and push a preset script and the key information to each source host in the firewall policy verification request, wherein each source host executes the preset script, writes the key information into its configuration file, and returns a script execution result to the background server;
    receive the script execution result returned by each source host, perform password-free login authentication on each source host, and log in to each source host when its password-free login authentication passes.
  10. The firewall policy verification system according to claim 8, characterized in that the remote login module is further configured to:
    call a preset interface to obtain the login password of each source host in the firewall policy verification request;
    send the login password of each source host in the firewall policy verification request to the corresponding source host so as to log in to each source host remotely.
  11. The firewall policy verification system according to claim 8, characterized in that the check module is further configured to:
    determine whether a firewall policy file is present in the firewall policy verification request;
    if a firewall policy file is present in the firewall policy verification request, check the firewall policy file in the firewall policy verification request;
    when the firewall policy file in the firewall policy verification request passes the check, parse the firewall policy file to obtain a firewall policy, and check the firewall policy.
  12. The firewall policy verification system according to claim 11, characterized in that the check module is further configured to:
    obtain attribute information of the firewall policy file from the firewall policy verification request and determine whether the file format in the attribute information is a preset format;
    if the file format in the attribute information is the preset format, determine whether the file byte count in the attribute information is less than or equal to a preset threshold;
    if the file byte count in the attribute information is less than or equal to the preset threshold, determine that the firewall policy file passes the check; otherwise, determine that the firewall policy file fails the check.
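As an added example (not code from the patent or its applicant), the front-end check module of claims 11 and 12 in Python: presence, format and byte-count checks on the attached policy file, followed by parsing and a per-rule check of the resulting policy. The preset format (JSON), the threshold (64 KiB), the rule fields, and the cross-check of the declared byte count against the real content length are assumptions, since the claims leave them unspecified.

```python
import ipaddress
import json
# Assumed placeholders: the claims leave the preset format and threshold unspecified.
PRESET_FORMAT = "json"
MAX_POLICY_FILE_BYTES = 64 * 1024
VALID_PROTOCOLS = {"tcp", "udp"}

# Constructed sample request (not from the patent), as the front end would see it.
SAMPLE_CONTENT = ('{"rules": [{"source_host": "10.0.0.5", "dest_host": "10.0.1.9", '
                  '"port": 443, "protocol": "tcp"}]}')
SAMPLE_REQUEST = {"policy_file": {"content": SAMPLE_CONTENT, "attributes": {
    "format": "json", "bytes": len(SAMPLE_CONTENT.encode("utf-8"))}}}

def check_policy_file(request):
    """Claims 11-12: presence, format and byte-count checks; None when they pass."""
    policy_file = request.get("policy_file")
    if policy_file is None:
        return "no firewall policy file in request"
    attrs = policy_file.get("attributes", {})
    if attrs.get("format") != PRESET_FORMAT:
        return f"file format {attrs.get('format')!r} is not {PRESET_FORMAT!r}"
    declared = attrs.get("bytes", -1)
    if not isinstance(declared, int) or declared > MAX_POLICY_FILE_BYTES:
        return f"file size {declared!r} missing or above threshold {MAX_POLICY_FILE_BYTES}"
    # Added check: the declared byte count is client input, so compare it with the real length.
    if declared != len(policy_file.get("content", "").encode("utf-8")):
        return "declared byte count does not match file content"
    return None

def verify_rules(rules):
    """Claim 11, check of the parsed policy: every rule must be well formed."""
    errors = []
    for i, r in enumerate(rules):
        for key in ("source_host", "dest_host"):
            try:
                ipaddress.ip_address(r.get(key, ""))
            except ValueError:
                errors.append(f"rule {i}: {key} {r.get(key)!r} is not an IP address")
        if not isinstance(r.get("port"), int) or not 1 <= r["port"] <= 65535:
            errors.append(f"rule {i}: port {r.get('port')!r} out of range")
        if r.get("protocol") not in VALID_PROTOCOLS:
            errors.append(f"rule {i}: unknown protocol {r.get('protocol')!r}")
    return errors

def validate_request(request):
    """Front-end check module (claim 8): (passed, errors); only a passing request is forwarded."""
    reason = check_policy_file(request)
    if reason is not None:
        return False, [reason]
    try:
        errors = verify_rules(json.loads(request["policy_file"]["content"])["rules"])
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return False, [f"policy file does not parse: {exc}"]
    return not errors, errors
```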
  13. A firewall policy verification device, characterized in that the firewall policy verification device comprises a processor, a memory, and firewall policy verification readable instructions stored in the memory and executable by the processor, wherein the firewall policy verification readable instructions, when executed by the processor, implement the following steps:
    receiving a checked firewall policy verification request sent by the front end and performing a remote login operation on each source host in the firewall policy verification request;
    after each source host in the firewall policy verification request has been logged in to remotely, sending the firewall policy in the firewall policy verification request to the corresponding source host for verification.
  14. The firewall policy verification device according to claim 13, characterized in that the step of performing a remote login operation on each source host in the firewall policy verification request comprises:
    obtaining key information of a service host and pushing a preset script and the key information to each source host in the firewall policy verification request;
    each source host executing the preset script, writing the key information into its configuration file, and returning a script execution result to the background server;
    when the background server receives the script execution result returned by each source host, performing password-free login authentication on each source host, and logging in to each source host when its password-free login authentication passes.
  15. The firewall policy verification device according to claim 13, characterized in that the step of performing a remote login operation on each source host in the firewall policy verification request comprises:
    calling a preset interface to obtain the login password of each source host in the firewall policy verification request;
    the background server sending the login password of each source host in the firewall policy verification request to the corresponding source host so as to log in to each source host remotely.
  16. The firewall policy verification device according to claim 13, characterized in that, after the step of sending the firewall policy in the firewall policy verification request to the corresponding source host for verification, the steps further comprise:
    receiving the firewall policy verification result returned by each source host and sending the firewall policy verification results to the front end, so that the front end filters the firewall policy verification results according to a preset filtering condition and displays the filtered firewall policy verification results.
  17. A computer-readable storage medium, characterized in that firewall policy verification readable instructions are stored on the computer-readable storage medium, wherein the firewall policy verification readable instructions, when executed by a processor, implement the following steps:
    receiving a checked firewall policy verification request sent by the front end and performing a remote login operation on each source host in the firewall policy verification request;
    after each source host in the firewall policy verification request has been logged in to remotely, sending the firewall policy in the firewall policy verification request to the corresponding source host for verification.
  18. The computer-readable storage medium according to claim 17, characterized in that the step of performing a remote login operation on each source host in the firewall policy verification request comprises:
    obtaining key information of a service host and pushing a preset script and the key information to each source host in the firewall policy verification request;
    each source host executing the preset script, writing the key information into its configuration file, and returning a script execution result to the background server;
    when the background server receives the script execution result returned by each source host, performing password-free login authentication on each source host, and logging in to each source host when its password-free login authentication passes.
  19. The computer-readable storage medium according to claim 17, characterized in that the step of performing a remote login operation on each source host in the firewall policy verification request comprises:
    calling a preset interface to obtain the login password of each source host in the firewall policy verification request;
    the background server sending the login password of each source host in the firewall policy verification request to the corresponding source host so as to log in to each source host remotely.
  20. The computer-readable storage medium according to claim 17, characterized in that, after the step of sending the firewall policy in the firewall policy verification request to the corresponding source host for verification, the steps further comprise:
    receiving the firewall policy verification result returned by each source host and sending the firewall policy verification results to the front end, so that the front end filters the firewall policy verification results according to a preset filtering condition and displays the filtered firewall policy verification results.
PCT/CN2018/122804 2018-08-31 2018-12-21 Firewall policy verification method, system and device, and readable storage medium WO2020042471A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811008170.9 2018-08-31
CN201811008170.9A CN109688093B (en) 2018-08-31 2018-08-31 Firewall policy verification method, system, device and readable storage medium

Publications (1)

Publication Number Publication Date
WO2020042471A1 true WO2020042471A1 (en) 2020-03-05

Family

ID=66184595

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/122804 WO2020042471A1 (en) 2018-08-31 2018-12-21 Firewall policy verification method, system and device, and readable storage medium

Country Status (2)

Country Link
CN (1) CN109688093B (en)
WO (1) WO2020042471A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132200A (en) * 2023-04-18 2023-05-16 北京云澈科技有限公司 Processing method, device, processor and computer storage medium for monitoring firewall policy quality based on network space dynamic data

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677383B (en) * 2019-08-22 2023-02-24 平安科技(深圳)有限公司 Firewall wall opening method and device, storage medium and computer equipment
CN111083011A (en) * 2019-12-18 2020-04-28 北京网太科技发展有限公司 Automatic testing method and device for routing security firewall and management platform
CN113572733B (en) * 2021-06-23 2024-04-12 北京思特奇信息技术股份有限公司 Safety control method and safety control system based on front-end module
CN114297068A (en) * 2021-12-29 2022-04-08 武汉思普崚技术有限公司 Firewall equipment audit function test method and system based on graphical application

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072101A (en) * 2006-05-12 2007-11-14 梁国恩 Firewall-penetrating terminal machine system and method
CN101789947A (en) * 2010-02-21 2010-07-28 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks
CN101820414A (en) * 2010-01-29 2010-09-01 蓝盾信息安全技术股份有限公司 Host access control system and method
CN102088453A (en) * 2010-01-29 2011-06-08 蓝盾信息安全技术股份有限公司 Method, system and method for controlling access of host computer

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100544292C (en) * 2007-07-03 2009-09-23 中兴通讯股份有限公司 A kind of method of BAS Broadband Access Server automatic test
CN101447898B (en) * 2008-11-19 2012-12-05 中国人民解放军信息安全测评认证中心 Test system used for network safety product and test method thereof
CN102467442B (en) * 2010-11-02 2015-04-29 腾讯科技(深圳)有限公司 Software testing method, system and equipment
CN102163173B (en) * 2011-04-06 2013-03-27 北京航空航天大学 Automated testing method for distributed information system interface
CN105824726A (en) * 2015-01-07 2016-08-03 展讯通信(上海)有限公司 Remote automatic test system and method of mobile terminals
CN105183649A (en) * 2015-09-08 2015-12-23 武汉虹信通信技术有限责任公司 Automatic telnet method and system used for automatic testing

Also Published As

Publication number Publication date
CN109688093A (en) 2019-04-26
CN109688093B (en) 2021-06-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18931892

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18931892

Country of ref document: EP

Kind code of ref document: A1