[New H3C Technologies Co., Ltd.]: Intelligent Security Policy Technology White Paper - 发现报告

Intelligent Security Policy Technology White Paper


Contents

1.1 Background
1.2 Technical advantages
2 Technical implementation
2.1.1 Security policy rules
2.1.2 Filtering criteria
2.1.3 Actions
2.1.4 DPI deep security inspection
2.1.5 Security policy groups
2.1.6 Security policy acceleration
2.1.7 Time ranges
2.3.1 Source/destination security zones
2.3.2 Source/destination IP addresses
2.3.3 Source MAC addresses
2.3.4 Users/user groups
2.3.5 Applications/application groups
2.3.6 Terminals/terminal groups
2.3.7 Regions/region groups
2.3.8 URL filtering categories
2.3.9 VPN instances
2.3.10 Services
3.1 This device must be accessed by other devices
3.2 This device must access other devices
3.3 Traffic is forwarded by this device
4.1 Policy redundancy analysis
4.2 Policy hit analysis
4.3 Application risk tuning
4.4 Overly broad policy analysis
5 Typical networking applications
5.1 Application-based packet control networking
5.2 OSPF networking
5.3 NAT networking
5.3.1 NAT source address translation networking
5.3.2 NAT destination address translation networking
5.4 IPsec VPN networking

1 Overview

1.1 Background

Traditional firewall packet-filtering policies are usually configured per packet inbound interface and outbound interface. In a complex network environment, this interface-based approach requires a protection policy to be configured for every interface, which places a heavy burden on network administrators and multiplies the workload of maintaining the protection policies, and thereby also increases the likelihood of security risks being introduced through misconfiguration