一、web配置
1、建立地址对象
Security——address-Book
2、添加阻塞策略
Security——Policy——Apply Policy
3、配置过滤策略
添加策略关键信息;
此策略为untrust——trust,拒绝源IP为1.1.1.1访问内部任何服务器和应用端口
过滤策略方向;从untrust到trust
调动策略顺序;
二、命令行配置
1、建立地址对象
set security address-book Deny_IP address1.1.1.11.1.1.1/32 set security address-book Deny_IP attach zone untrust 2、建立策略
set security policies from-zone untrust to-zone trust policy Deny_Policy match source-address 1.1.1.1
set security policies from-zone untrust to-zone trust policy Deny_Policy match destination-address any
set security policies from-zone untrust to-zone trust policy Deny_Policymatch application any
set security policies from-zone untrust to-zone trust policy Deny_Policy then deny
3、将策略Deny_Policy移动到default-deny策略之前
insert security policies from-zone untrust to-zone trust policy Deny_Policybefore policy default-deny