Firewall policy migration method and apparatus, computer device and storage medium
By acquiring and modifying the original firewall policy, and combining it with accessibility verification, the target firewall policy is generated and migrated. This solves the problems of low efficiency and insufficient accuracy in firewall policy migration in existing technologies, and achieves efficient and reliable policy migration.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- INDUSTRIAL AND COMMERCIAL BANK OF CHINA
- Filing Date
- 2023-06-07
- Publication Date
- 2026-06-16
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a firewall policy migration method, apparatus, computer device, and storage medium, which can be used in the financial technology field or other related fields.
Background Technology
[0002] As cybersecurity threats become increasingly complex, firewalls are deployed across all network zones within the LANs of large financial industry data centers. Security controls between test clients and the test and production network zones are implemented using firewall policies. With the rapid growth of the financial industry in recent years, access control requirements within data centers, especially in test environments, have become increasingly complex, and the number of access control policies has grown rapidly, posing a significant challenge to the accurate implementation of firewall policies. Furthermore, large financial industry data center LANs typically deploy thousands of servers and storage devices, supporting the daily operation of hundreds of application systems. To ensure the normal operation of various businesses, extremely complex access relationships exist between different applications and between different nodes of the same application.
[0003] With the continuous development of cloud and virtualization technologies, the financial industry's data centers are increasingly requiring firewall policy migration. Because the IP addresses of application systems change before and after the migration, relevant firewall policies need to be re-enabled. Currently, the existing method for firewall policy migration typically involves operations personnel manually identifying and confirming application access relationships, and then manually identifying firewall requirements and implementing firewall policies based on these relationships. However, due to the extreme complexity of application access relationships, this approach is inefficient, prone to omissions, and introduces significant risks to the entire migration process.
Summary of the Invention
[0004] Therefore, it is necessary to provide a firewall policy migration method, apparatus, computer equipment, and storage medium that can improve the accuracy and reliability of firewall policy migration and increase the efficiency of firewall policy migration, in order to address the above-mentioned technical problems.
[0005] Firstly, this application provides a firewall policy migration method, which includes:
[0006] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0007] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0008] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0009] Migrate the policy to be migrated to the second IP address.
[0010] In one embodiment, the original firewall policy is modified based on the first IP address and the second IP address to obtain the target firewall policy, including:
[0011] Determine the policy migration scenario based on the first IP address and the second IP address;
[0012] Based on the policy migration scenario, the original firewall policy is updated to obtain the updated original firewall policy;
[0013] The first IP address contained in the updated original firewall policy is replaced with the second IP address to obtain the target firewall policy.
[0014] In one embodiment, the original firewall policy is updated according to the policy migration scenario to obtain the updated original firewall policy, including:
[0015] Based on the policy migration scenario, extract the backup firewall policy from the original firewall policy;
[0016] The backup firewall policy is cleaned to obtain the updated original firewall policy.
[0017] In one embodiment, the accessibility of the target firewall policy is verified based on the second IP address to obtain the policy to be migrated, including:
[0018] Obtain the reference firewall policy corresponding to the second IP address;
[0019] Based on the reference firewall policy, perform an accessibility check on the target firewall policy;
[0020] Firewall policies whose accessibility verification results are "failed" in the target firewall policy will be designated as policies to be migrated.
[0021] In one embodiment, the accessibility verification of the target firewall policy is performed according to the reference firewall policy, including:
[0022] Compare the reference firewall policy with the target firewall policy;
[0023] Based on the comparison results, determine the accessibility verification result of the target firewall policy.
[0024] In one embodiment, migrating the policy to be migrated to the second IP address includes:
[0025] Based on the firewall type of the policy to be migrated, migrate the policy to the second IP address.
[0026] In one embodiment, the policy to be migrated is migrated to a second IP address according to the firewall type, including:
[0027] If the firewall type is a software firewall, add the policy to be migrated to the reference firewall policy corresponding to the second IP address;
[0028] If the firewall type is a hardware firewall, then obtain the firewall policy corresponding to the policy to be migrated from the reference firewall policy, and add the second IP address to the obtained firewall policy.
[0029] Secondly, this application also provides a firewall policy migration device, which includes:
[0030] The policy acquisition module is used to obtain the original firewall policy corresponding to the first IP address in response to a policy migration request that includes a first IP address and a second IP address.
[0031] The policy generation module is used to modify the original firewall policy based on the first IP address and the second IP address to obtain the target firewall policy.
[0032] The policy verification module is used to verify the accessibility of the target firewall policy based on the second IP address to obtain the policy to be migrated.
[0033] The policy migration module is used to migrate the policy to be migrated to the second IP address.
[0034] Thirdly, this application also provides a computer device, which includes a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0035] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0036] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0037] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0038] Migrate the policy to be migrated to the second IP address.
[0039] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0040] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0041] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0042] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0043] Migrate the policy to be migrated to the second IP address.
[0044] Fifthly, this application also provides a computer program product, which includes a computer program that, when executed by a processor, performs the following steps:
[0045] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0046] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0047] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0048] Migrate the policy to be migrated to the second IP address.
[0049] The aforementioned firewall policy migration method, apparatus, computer equipment, and storage medium, upon receiving a policy migration request, modify the original firewall policy corresponding to the first IP address based on the first IP address and the second IP address to obtain the target firewall policy, thus simplifying the process of obtaining the target firewall policy. Subsequently, by introducing a process to verify the accessibility of the target firewall policy, the obtained policy to be migrated can be made more accurate, and then the policy to be migrated can be migrated to the second IP address, thereby achieving efficient and reliable migration of firewall policies between different IP addresses.
Description of the Attached Figures
[0050] Figure 1 is an application environment diagram of the firewall policy migration method in one embodiment;
[0051] Figure 2 is a flowchart illustrating a firewall policy migration method in one embodiment;
[0052] Figure 3 is a flowchart illustrating the process of determining a target firewall policy in one embodiment;
[0053] Figure 4 is a flowchart illustrating the process of obtaining the policy to be migrated in one embodiment;
[0054] Figure 5 is a flowchart illustrating the firewall policy migration method in another embodiment;
[0055] Figure 6 is a structural block diagram of a firewall policy migration device in one embodiment;
[0056] Figure 7 is a structural block diagram of a firewall policy migration device in another embodiment;
[0057] Figure 8 is a structural block diagram of a firewall policy migration device in another embodiment;
[0058] Figure 9 is a structural block diagram of a firewall policy migration device in yet another embodiment;
[0059] Figure 10 is an internal structural diagram of a computer device in one embodiment.
Detailed Implementation
[0060] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0061] The firewall policy migration method provided in this application embodiment can be applied, for example, in the application environment shown in Figure 1, in which terminal 102 communicates with server 104 via a network. A data storage system can store data that server 104 needs to process, such as a first IP address and a second IP address. The data storage system can be integrated onto server 104 or placed on a cloud or other network server. Specifically, when maintenance personnel need to migrate firewall policies, they can input the first IP address and second IP address into the interface provided by the maintenance application configured on terminal 102. Terminal 102 can generate a policy migration request based on the first IP address and second IP address, and interact with server 104 via the network, sending a policy migration request containing the first IP address and second IP address to server 104. After receiving the policy migration request transmitted by terminal 102, server 104 can obtain the original firewall policy corresponding to the first IP address based on the first IP address and second IP address contained in the policy migration request, and generate a target firewall policy by combining it with the second IP address. After verifying the accessibility of the target firewall policy and obtaining the policy to be migrated, the policy to be migrated is migrated to the second IP address to achieve the migration of the firewall policy. Furthermore, server 104 can interact with terminal 102 via the network and transmit the migration results to terminal 102, so that terminal 102 can report the migration results of the firewall policies to the maintenance personnel.
[0062] The terminal 102 can be, but is not limited to, various personal computers, laptops, smartphones, tablets, IoT devices, and portable wearable devices. IoT devices can include smart speakers, smart TVs, smart air conditioners, and smart in-vehicle systems. Portable wearable devices can include smartwatches, smart bracelets, and head-mounted devices. The server 104 can be implemented using a standalone server or a server cluster consisting of multiple servers.
[0063] In one embodiment, as shown in Figure 2, a firewall policy migration method is provided. Taking its application to server 104 in Figure 1 as an example, the method includes the following steps:
[0064] S201, in response to a policy migration request including a first IP address and a second IP address, obtain the original firewall policy corresponding to the first IP address.
[0065] In this embodiment, the first IP address is the IP address corresponding to the firewall policy before the migration; there can be one or more first IP addresses. The second IP address is the IP address corresponding to the firewall policy after the migration. The policy migration request is the request sent by the terminal to the server to migrate the firewall policy. The original firewall policy is all firewall policies containing the first IP address, and may include one or more firewall policies.
[0066] Specifically, when maintenance personnel need to migrate firewall policies, they can enter data such as the first IP address and the second IP address in the interface provided by the maintenance application configured on the terminal. The terminal can generate a policy migration request based on the first IP address, the second IP address, and other data, and interact with the server through the network to send a policy migration request containing the first IP address and the second IP address to the server.
[0067] Furthermore, after receiving a policy migration request, the server can analyze the request to obtain the first IP address and the second IP address contained within it. Then, based on the obtained first IP address, it can call the firewall policy query interface to query and retrieve the original firewall policy corresponding to that first IP address.
[0068] Optionally, after obtaining the first IP address and the second IP address, the two IP addresses can be analyzed to determine whether they are in the same region. If it is determined that the first IP address and the second IP address are in the same region, then the firewall policy can be moved between the first IP address and the second IP address, and the steps after S201 can continue to be executed; if it is determined that the first IP address and the second IP address are not in the same region, then the firewall policy cannot be moved between the first IP address and the second IP address, and then the result of the inability to move can be sent to the terminal through interaction, so that the terminal can report the inability to move to the operation and maintenance personnel.
[0069] Furthermore, after determining that the first IP address and the second IP address are in the same jurisdiction zone, meaning a migration between them is possible, it is necessary to further determine whether both the first IP address and the second IP address exist within the basic network segment. If both exist, the firewall policy can be migrated directly, proceeding with the steps following S201. If neither exists, a migration work order containing information indicating that the first and second IP addresses are not within the basic network segment needs to be sent to the terminal. This work order is then relayed to the operations and maintenance personnel to notify them of the absence of the first and second IP addresses from the basic network segment; only then should the steps following S201 be executed.
[0070] Optionally, to make the subsequent migration of firewall policies simpler and more accurate, if there are multiple first IP addresses, the first IP addresses can be merged to generate a total source IP address; furthermore, based on the total source IP address, the upper limit of the parent corresponding to each first IP address can be determined and modified, as well as whether a subset query is needed.
[0071] Specifically, modifying the parent level limit means determining the parent level limit for each first IP address and modifying it. For example, it can be determined whether the first IP address is for Mobile Cloud PaaS or a regular application. If it is for Mobile Cloud PaaS, the parent level limit needs to be modified to 16; if it is for a regular application, the parent level limit needs to be modified to 24. Subset query means determining whether a subset query is needed for each first IP address. Optionally, the policy migration request can be analyzed to determine if it contains a subset query requirement. If it is determined that the policy migration request contains a subset query requirement, then a subset query for the first IP address is needed; if it is determined that the policy migration request does not contain a subset query requirement, then a subset query for the first IP address is not needed. By default, subset queries are not performed on each first IP address.
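The pre-checks of paragraphs [0068] to [0071] (same-region check, basic-network-segment check, merging of several first IP addresses into a total source address, and the parent-level limit of 16 or 24) can be written as a few functions over Python's standard `ipaddress` module. The following is an added example and not code from the patent or its assignee; the zone table, the basic segments, the application-kind labels `mobile_cloud_paas` and `regular`, and the treatment of a request in which only some addresses fall inside the basic segment (handled like the "neither" case) are all assumptions.

```python
import ipaddress

# Constructed jurisdiction-zone table. The patent only requires that both addresses
# lie in the same region and in the "basic network segment"; these prefixes are
# assumptions standing in for a data centre's real address plan.
ZONES = {
    "intranet": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("172.16.0.0/12")],
}
BASIC_SEGMENTS = ZONES["intranet"] + ZONES["dmz"]

# Parent-level upper limits from [0071]: /16 for Mobile Cloud PaaS, /24 for a regular application.
PARENT_LIMIT = {"mobile_cloud_paas": 16, "regular": 24}


def zone_of(ip: str) -> str:
    """Name of the zone containing ip, or 'other' when no zone matches."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "other"


def precheck(first_ips: list[str], second_ip: str) -> tuple[bool, str]:
    """Region and basic-segment checks of [0068]-[0069].

    Returns (may_continue, message). A cross-region request is refused outright;
    addresses outside the basic segment may still continue, but only after a work
    order has been raised for the operations and maintenance personnel.
    """
    all_ips = [*first_ips, second_ip]
    if len({zone_of(ip) for ip in all_ips}) != 1:
        return False, "refused: first and second IP addresses are not in the same region"
    if not all(any(ipaddress.ip_address(ip) in net for net in BASIC_SEGMENTS) for ip in all_ips):
        # Assumption: a partially covered request is handled like the 'neither' case.
        return True, "work order: addresses are not within the basic network segment"
    return True, "direct migration"


def merge_first_ips(first_ips: list[str]) -> list[ipaddress.IPv4Network]:
    """Collapse several first IP addresses into the smallest covering set of networks
    (the 'total source IP address' of [0070])."""
    hosts = (ipaddress.ip_network(ip) for ip in first_ips)
    return list(ipaddress.collapse_addresses(hosts))


def parent_networks(first_ips: list[str], app_kind: str) -> list[ipaddress.IPv4Network]:
    """Apply the parent-level upper limit: the supernet of each first IP at /16 or /24."""
    limit = PARENT_LIMIT[app_kind]
    parents = {ipaddress.ip_network(f"{ip}/{limit}", strict=False) for ip in first_ips}
    return sorted(parents)


def needs_subset_query(request: dict) -> bool:
    """Subset queries are off unless the migration request explicitly asks for them ([0071])."""
    return bool(request.get("subset_query", False))


if __name__ == "__main__":
    first, second = ["10.1.2.4", "10.1.2.5"], "10.9.0.7"
    print(precheck(first, second))
    print([str(n) for n in merge_first_ips(first)])
    print([str(n) for n in parent_networks(first, "mobile_cloud_paas")])
```

The refusal of a cross-region request is the security-relevant decision here: it prevents a policy written for one zone from being silently re-created in another zone, which is exactly the kind of omission the manual process described in [0003] is prone to.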
[0072] S202: Modify the original firewall policy based on the first IP address and the second IP address to obtain the target firewall policy.
[0073] In this embodiment, the target firewall policy is the firewall policy that should be achieved after the firewall policy is migrated, and it may include one or more firewall policies.
[0074] Specifically, after obtaining the original firewall policy, it can be cleaned by combining the pre-set business logic and firewall management baseline to remove duplicate and erroneous firewall policies. Furthermore, the cleaned original firewall policy can be modified based on the first IP address and the second IP address to obtain the target firewall policy.
[0075] S203, based on the second IP address, perform accessibility verification on the target firewall policy to obtain the policy to be migrated.
[0076] In this embodiment, the accessibility check is a verification method to check whether there is an already enabled firewall policy in the target firewall policy. The policy to be migrated is the firewall policy that failed the accessibility check, and may include one or more firewall policies.
[0077] Specifically, after obtaining the target firewall policy, the accessibility of the target firewall policy can be verified according to the pre-set verification logic to determine whether each firewall policy in the target firewall policy has already been enabled; furthermore, the firewall policies that have not been enabled in the target firewall policy are regarded as policies to be migrated.
[0078] S204, move the strategy to be moved to the second IP address.
[0079] Specifically, after obtaining the policy to be migrated, the policy can be migrated one by one to the second IP address based on the pre-set migration method, so as to realize the migration of firewall policies from the first IP address to the second IP address.
[0080] The aforementioned firewall policy migration method, upon receiving a policy migration request, modifies the original firewall policy corresponding to the first IP address based on the first IP address and the second IP address to obtain the target firewall policy, thus simplifying the process of obtaining the target firewall policy. Subsequently, by introducing a process to verify the accessibility of the target firewall policy, the obtained policy to be migrated is made more accurate, and then the policy to be migrated is migrated to the second IP address, thereby achieving efficient and reliable migration of firewall policies between different IP addresses.
[0081] In one embodiment, building on the above embodiments and as shown in Figure 3, S202 above may be further refined into the following steps:
[0082] S301, determine the policy migration scenario based on the first IP address and the second IP address.
[0083] In this embodiment, the policy migration scenario refers to the scenario in which firewall policy migration is performed, which may include, but is not limited to, intranet migration, DMZ (Demilitarized Zone) migration, and other migrations.
[0084] Specifically, after obtaining the first IP address and the second IP address, the first IP address and the second IP address are analyzed to determine their respective regions, thereby determining the policy migration scenario. Optionally, if the regions where the first IP address and the second IP address are located are determined to be internal network regions, then the policy migration scenario can be determined to be internal network migration; if the regions where the first IP address and the second IP address are located are determined to be DMZ regions, then the policy migration scenario can be determined to be DMZ migration; if the regions where the first IP address and the second IP address are located are neither internal network regions nor DMZ regions but other regions, then the policy migration scenario can be determined to be other migrations.
[0085] S302, based on the policy migration scenario, updates the original firewall policy to obtain the updated original firewall policy.
[0086] Specifically, after determining the policy migration scenario, the firewall policy corresponding to the policy migration scenario in the original firewall policy can be determined based on the policy migration scenario. According to the pre-set update logic, the firewall policy corresponding to the policy migration scenario in the original firewall policy and other firewall policies are updated respectively, thereby obtaining the updated original firewall policy.
[0087] Optionally, to make the updated original firewall policy more concise and accurate, one possible implementation is to extract a backup firewall policy from the original firewall policy based on the policy migration scenario after determining the policy migration scenario; and to clean up the backup firewall policy to obtain the updated original firewall policy.
[0088] Specifically, after determining the policy migration scenario, firewall policies unrelated to the migration scenario are extracted from the original firewall policies and used as backup firewall policies. For example, if the policy migration scenario is an internal network migration, all internal network firewall policies and DMZ outbound firewall policies are deleted, and firewall policies unrelated to the internal network migration scenario are extracted as backup firewall policies; if the policy migration scenario is a DMZ migration, all DMZ firewall policies and internal network outbound firewall policies are deleted, and firewall policies unrelated to the DMZ migration scenario are extracted as backup firewall policies; if the policy migration scenario is another type of migration, no extraction is needed, and the original firewall policies are used as backup firewall policies.
[0089] Furthermore, after determining the backup firewall policy, the complete firewall policy table can be cleaned by combining the pre-defined business logic and firewall management baseline. Useless firewall policies (such as expired and disaster recovery firewall policies) are deleted, and duplicate firewall policies (such as those with identical source address, destination address, protocol information, port information, timestamps, and long-lived connection settings) are removed. This results in the updated original firewall policy.
[0090] It is understandable that cleaning the backup firewall policy extracted from the original firewall policy according to the policy migration scenario can make the updated original firewall policy more concise and accurate, thereby enabling rapid firewall policy migration and saving the migration time.
[0091] S303 uses the second IP address to replace the first IP address contained in the updated original firewall policy, thus obtaining the target firewall policy.
[0092] Specifically, after obtaining the updated original firewall policy, you can find all the first IP addresses contained in the updated original firewall policy, replace all the first IP addresses with the second IP addresses, and you will get the target firewall policy containing the second IP addresses.
[0093] Understandably, by identifying the policy migration scenario and updating the original firewall policy accordingly, the updated original firewall policy can be made more accurate and concise. Furthermore, by replacing the first IP address in the updated original firewall policy with the second IP address, the target firewall policy can be obtained, ensuring the accuracy of the target firewall policy and thus guaranteeing the reliability and effectiveness of subsequent firewall policy migrations.
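Steps S301 to S303 (scenario determination, backup-policy extraction per [0088], cleaning per [0089], and the address substitution of [0092]) form one pipeline that turns the original firewall policy into the target firewall policy. The following is an added example, not code from the patent or its assignee. The policy record fields (`src`, `dst`, `proto`, `port`, `zone`, `direction`, `expires`, `tag`, `long_lived`), the sample policies, and the zone names are constructed assumptions; the patent does not fix a schema.

```python
from datetime import date

# Policies are plain dicts with these constructed fields:
#   src, dst   lists of IP address strings
#   proto, port
#   zone       'intranet' or 'dmz': the zone the policy belongs to
#   direction  'in' or 'out'
#   expires    ISO date string or None
#   tag        'dr' marks a disaster-recovery policy


def determine_scenario(first_zone: str, second_zone: str) -> str:
    """S301: both in the intranet -> 'intranet', both in the DMZ -> 'dmz', otherwise 'other'."""
    if first_zone == second_zone == "intranet":
        return "intranet"
    if first_zone == second_zone == "dmz":
        return "dmz"
    return "other"


def extract_backup(original: list[dict], scenario: str) -> list[dict]:
    """[0088]: delete every policy of the scenario's own zone plus the outbound policies
    of the other zone; what remains is the backup firewall policy."""
    if scenario == "other":
        return list(original)
    other_zone = "dmz" if scenario == "intranet" else "intranet"
    return [
        p for p in original
        if not (p["zone"] == scenario or (p["zone"] == other_zone and p["direction"] == "out"))
    ]


def clean(policies: list[dict], today: date) -> list[dict]:
    """[0089]: drop expired and disaster-recovery policies, then exact duplicates
    (same source, destination, protocol, port, expiry and long-lived flag)."""
    seen, kept = set(), []
    for p in policies:
        if p.get("tag") == "dr":
            continue
        if p.get("expires") and date.fromisoformat(p["expires"]) < today:
            continue
        key = (tuple(p["src"]), tuple(p["dst"]), p["proto"], p["port"],
               p.get("expires"), p.get("long_lived", False))
        if key not in seen:
            seen.add(key)
            kept.append(p)
    return kept


def replace_first_ips(policies: list[dict], first_ips: list[str], second_ip: str) -> list[dict]:
    """S303: substitute the second IP address for every first IP address, collapsing
    duplicates that arise when several first IPs sat in the same address list."""
    out = []
    for p in policies:
        q = dict(p)
        for field in ("src", "dst"):
            addrs = []
            for ip in p[field]:
                ip = second_ip if ip in first_ips else ip
                if ip not in addrs:
                    addrs.append(ip)
            q[field] = addrs
        out.append(q)
    return out


def build_target(original, first_ips, second_ip, first_zone, second_zone, today):
    """S301-S303 end to end; returns (scenario, target firewall policy)."""
    scenario = determine_scenario(first_zone, second_zone)
    updated = clean(extract_backup(original, scenario), today)
    return scenario, replace_first_ips(updated, first_ips, second_ip)


# Constructed sample: five original policies that mention first IP 10.1.2.3.
ORIGINAL = [
    {"src": ["10.1.2.3"], "dst": ["10.5.0.10"], "proto": "tcp", "port": 443,
     "zone": "intranet", "direction": "out", "expires": None},
    {"src": ["10.1.2.3"], "dst": ["10.5.0.10"], "proto": "tcp", "port": 443,
     "zone": "intranet", "direction": "out", "expires": None},            # exact duplicate
    {"src": ["172.16.9.9"], "dst": ["10.1.2.3"], "proto": "tcp", "port": 8080,
     "zone": "dmz", "direction": "in", "expires": None},
    {"src": ["172.16.9.9"], "dst": ["10.1.2.3"], "proto": "tcp", "port": 22,
     "zone": "dmz", "direction": "in", "expires": "2020-01-01"},          # expired
    {"src": ["10.1.2.3"], "dst": ["10.7.7.7"], "proto": "tcp", "port": 3306,
     "zone": "dmz", "direction": "out", "expires": None},
]

if __name__ == "__main__":
    print(build_target(ORIGINAL, ["10.1.2.3"], "10.9.0.7",
                       "intranet", "intranet", date(2024, 1, 1)))
```

Cleaning before substitution matters for more than speed: an expired or disaster-recovery rule that is carried across unchanged would re-open access at the new address that the old address no longer had, so the order of [0088] and [0089] ahead of S303 is what keeps the migrated rule set from being broader than the original.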
[0094] To ensure that the determined policy to be migrated is more concise and accurate, in one embodiment, as shown in Figure 4, S203 above can be further refined into the following steps:
[0095] S401, obtain the reference firewall policy corresponding to the second IP address.
[0096] In this embodiment, the reference firewall policy is all firewall policies that contain the second IP address, and may include one or more firewall policies.
[0097] Specifically, the firewall policy query interface can be called to query and obtain the reference firewall policy corresponding to the second IP address.
[0098] S402, perform accessibility verification on the target firewall policy based on the reference firewall policy.
[0099] Specifically, after obtaining the reference firewall policy, based on the reference firewall policy and pre-defined verification logic, each firewall policy contained in the target firewall policy is verified to determine whether each firewall policy contained in the target firewall policy already exists in the reference firewall policy, thereby determining the accessibility verification result of the target firewall policy. For each firewall policy in the target firewall policy, if it is determined that the firewall policy already exists in the reference firewall policy, then the firewall policy is judged to have passed the accessibility verification, i.e., the accessibility verification result is passed; if it is determined that the firewall policy does not exist in the reference firewall policy, then the firewall policy is judged to have failed the accessibility verification, i.e., the accessibility verification result is failed.
[0100] One optional approach is to compare the reference firewall policy with the target firewall policy after obtaining the reference firewall policy; based on the comparison result, determine the accessibility verification result of the target firewall policy. Specifically, after obtaining the reference firewall policy, for each firewall policy in the target firewall policy, compare that firewall policy with the reference firewall policy to determine if there is a consistent firewall policy, thus obtaining the comparison result; further, based on the comparison result, determine the accessibility verification result of the firewall policy. For example, if the comparison result of a firewall policy in the target firewall policy is consistent with the reference firewall policy, then the accessibility verification result of that firewall policy is determined to be passed; if the comparison result of a firewall policy in the target firewall policy is inconsistent with the reference firewall policy, then the accessibility verification result of that firewall policy is determined to be failed.
[0101] Understandably, by comparing the reference firewall policy with the target firewall policy, the accessibility verification result of the target firewall policy can be quickly and accurately determined based on the comparison result, thereby quickly generating the policy to be migrated and improving the efficiency of firewall policy migration.
[0102] S403: Firewall policies whose accessibility verification result is "failed" in the target firewall policy will be used as policies to be migrated.
[0103] Specifically, for firewall policies whose accessibility verification result is "failed", the firewall policy can be used as a policy to be migrated, so that the firewall policy can be migrated from the first IP address to the second IP address in the future.
[0104] Understandably, by introducing the reference firewall policy corresponding to the second IP address, the target firewall policy is verified for accessibility, and firewall policies that fail the accessibility verification are selected as policies to be migrated. This reduces the number of repetitive firewall policy migration steps, thereby enabling rapid firewall policy migration and saving time.
[0105] Optionally, in order to ensure efficient and accurate firewall policy migration, one possible implementation is to migrate the policy to be migrated to a second IP address based on the firewall type of the policy to be migrated.
[0106] Firewall types can be categorized into software firewalls and hardware firewalls. Software firewalls use software systems to perform firewall functions, while hardware firewalls integrate the firewall program into a chip, executing the firewall functions through hardware.
[0107] Specifically, after obtaining the policy to be migrated, the policy can be analyzed to determine the firewall type of the policy to be migrated. Based on the firewall type, the corresponding migration method can be determined, and then the policy to be migrated can be migrated to the second IP address.
[0108] For example, if the firewall type is a software firewall, the policy to be migrated is added to the reference firewall policy corresponding to the second IP address. Specifically, after analyzing the policy to be migrated, if it is determined that the firewall type of the policy to be migrated is a software firewall, then the policy to be migrated can be directly added to the reference firewall policy corresponding to the second IP address to achieve the migration of the firewall policy.
[0109] Optionally, if the firewall type is a hardware firewall, the firewall policy corresponding to the policy to be migrated can be obtained from the reference firewall policies, and the second IP address can be added to the obtained firewall policy. Specifically, after analyzing the policy to be migrated and determining that the firewall type is a hardware firewall, the policy number corresponding to the policy to be migrated can be obtained. Based on the policy number of the policy to be migrated, the firewall policy corresponding to that policy number can be found in the reference firewall policies corresponding to the second IP address. According to the policy to be migrated, the firewall policy corresponding to that policy number can be modified (e.g., adding the second IP address to the source address of the firewall policy corresponding to that policy number) to make the firewall policy corresponding to that policy number meet the requirements of the policy to be migrated, thereby realizing the migration of the firewall policy.
[0110] It is understandable that by determining the migration method of the policy based on the type of firewall to be migrated, and then migrating the firewall policy according to the migration method, the consistency of the firewall policy before and after migration can be guaranteed, and the migration of the firewall policy can be completed efficiently and accurately.
[0111] In one embodiment, as shown in Figure 5, a preferred example of the firewall policy migration method is provided. The specific process is as follows:
[0112] S501: In response to a policy migration request including a first IP address and a second IP address, retrieve the original firewall policy corresponding to the first IP address.
[0113] S502: Determine the policy migration scenario based on the first IP address and the second IP address.
[0114] S503: Extract the backup firewall policy from the original firewall policy based on the policy migration scenario.
[0115] S504: Clean the backup firewall policy to obtain the updated original firewall policy.
[0116] S505: Replace the first IP address contained in the updated original firewall policy with the second IP address, thus obtaining the target firewall policy.
[0117] S506: Obtain the reference firewall policy corresponding to the second IP address.
[0118] S507: Compare the reference firewall policy with the target firewall policy.
[0119] S508: Based on the comparison results, determine the accessibility verification result of the target firewall policy.
[0120] S509: Designate the firewall policies whose accessibility verification result is "failed" as the policies to be migrated.
[0121] S510: Determine whether the firewall type of the policy to be migrated is a software firewall; if yes, proceed to S511; if no, proceed to S512.
[0122] S511: Add the policy to be migrated to the reference firewall policy corresponding to the second IP address.
[0123] S512: The firewall type of the policy to be migrated is a hardware firewall; obtain the firewall policy corresponding to the policy to be migrated from the reference firewall policy, and add the second IP address to the obtained firewall policy.
[0124] The specific processes of S501-S512 described above can be found in the description of the above method embodiments. Their implementation principles and technical effects are similar, and will not be repeated here.
[0125] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0126] Based on the same inventive concept, this application also provides a firewall policy migration device for implementing the firewall policy migration method described above. The solution provided by this device is similar to the implementation described in the above method; therefore, the specific limitations in one or more firewall policy migration device embodiments provided below can be found in the limitations of the firewall policy migration method described above, and will not be repeated here.
[0127] In one embodiment, as shown in Figure 6, a firewall policy migration device 1 is provided, comprising: a policy acquisition module 10, a policy generation module 20, a policy verification module 30, and a policy migration module 40, wherein:
[0128] The policy acquisition module 10 is used to obtain the original firewall policy corresponding to the first IP address in response to a policy migration request including the first IP address and the second IP address.
[0129] The policy generation module 20 is used to modify the original firewall policy based on the first IP address and the second IP address to obtain the target firewall policy.
[0130] The policy verification module 30 is used to verify the accessibility of the target firewall policy based on the second IP address to obtain the policy to be migrated.
[0131] The policy migration module 40 is used to migrate the policy to be migrated to the second IP address.
[0132] In one embodiment, on the basis of Figure 6 above and as shown in Figure 7, the policy generation module 20 may include:
[0133] The scenario determination unit 21 is used to determine the policy migration scenario based on the first IP address and the second IP address;
[0134] The policy update unit 22 is used to update the original firewall policy according to the policy migration scenario, so as to obtain the updated original firewall policy.
[0135] The first acquisition unit 23 is used to replace the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
[0136] In one embodiment, the policy update unit 22 described above can also be used for:
[0137] Based on the policy migration scenario, a backup firewall policy is extracted from the original firewall policy; the backup firewall policy is then cleaned to obtain the updated original firewall policy.
[0138] In one embodiment, on the basis of Figure 6 or Figure 7 above and as shown in Figure 8, the above-mentioned policy verification module 30 may include:
[0139] The second acquisition unit 31 is used to acquire the reference firewall policy corresponding to the second IP address;
[0140] The policy verification unit 32 is used to perform an accessibility verification on the target firewall policy based on the reference firewall policy.
[0141] The third acquisition unit 33 is used to take firewall policies whose accessibility verification result is "verification failed" in the target firewall policy as policies to be migrated.
[0142] In one embodiment, the policy verification unit 32 described above can also be used for:
[0143] The reference firewall policy is compared with the target firewall policy; based on the comparison results, the accessibility verification result of the target firewall policy is determined.
[0144] In one embodiment, on the basis of Figure 6, Figure 7 or Figure 8 above and as shown in Figure 9, the policy migration module 40 described above may include:
[0145] The policy migration unit 41 is used to migrate the policy to be migrated to the second IP address according to the firewall type of the policy to be migrated.
[0146] In one embodiment, the policy migration unit 41 described above can also be used for:
[0147] If the firewall type is a software firewall, the policy to be migrated is added to the reference firewall policy corresponding to the second IP address; if the firewall type is a hardware firewall, the firewall policy corresponding to the policy to be migrated is obtained from the reference firewall policy, and the second IP address is added to the obtained firewall policy.
[0148] The modules in the aforementioned firewall policy migration device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the computer device's memory as software, so that the processor can invoke and execute the corresponding operations of each module.
[0149] In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in Figure 10. The computer device includes a processor, memory, and a network interface connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores data such as a first IP address and a second IP address. The network interface communicates with external terminals via a network connection. When executed by the processor, the computer program implements a firewall policy migration method.
[0150] Those skilled in the art will understand that the structure shown in Figure 10 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0151] In one embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0152] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0153] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0154] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0155] Migrate the policy to be migrated to the second IP address.
[0156] In one embodiment, when the processor executes a computer program to modify the original firewall policy based on the first IP address and the second IP address to obtain the target firewall policy, it also performs the following steps:
[0157] Based on the first IP address and the second IP address, determine the policy migration scenario; based on the policy migration scenario, update the original firewall policy to obtain the updated original firewall policy; use the second IP address to replace the first IP address contained in the updated original firewall policy to obtain the target firewall policy.
[0158] In one embodiment, when the processor executes the computer program to update the original firewall policy according to the policy migration scenario and obtain the updated original firewall policy, it also implements the following steps:
[0159] Based on the policy migration scenario, a backup firewall policy is extracted from the original firewall policy; the backup firewall policy is then cleaned to obtain the updated original firewall policy.
[0160] In one embodiment, when the processor executes the computer program to perform an accessibility check on the target firewall policy based on the second IP address and obtain the policy to be migrated, it also implements the following steps:
[0161] Obtain the reference firewall policy corresponding to the second IP address; perform an accessibility check on the target firewall policy based on the reference firewall policy; and designate firewall policies that fail the accessibility check as the policies to be migrated.
[0162] In one embodiment, when the processor executes the logic of a computer program performing an accessibility check on a target firewall policy based on a reference firewall policy, it also implements the following steps:
[0163] The reference firewall policy is compared with the target firewall policy; based on the comparison results, the accessibility verification result of the target firewall policy is determined.
[0164] In one embodiment, when the processor executes the computer program to migrate the policy to be migrated to the second IP address, it also performs the following steps:
[0165] Based on the firewall type of the policy to be migrated, migrate the policy to the second IP address.
[0166] In one embodiment, when the processor executes the logic of a computer program to migrate a policy to a second IP address based on the firewall type of the policy to be migrated, it also implements the following steps:
[0167] If the firewall type is a software firewall, the policy to be migrated is added to the reference firewall policy corresponding to the second IP address; if the firewall type is a hardware firewall, the firewall policy corresponding to the policy to be migrated is obtained from the reference firewall policy, and the second IP address is added to the obtained firewall policy.
[0168] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0169] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0170] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0171] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0172] Migrate the policy to be migrated to the second IP address.
[0173] In one embodiment, when the computer program modifies the original firewall policy based on the first IP address and the second IP address to obtain the target firewall policy, and the processor executes it, the following steps are also implemented:
[0174] Based on the first IP address and the second IP address, determine the policy migration scenario; based on the policy migration scenario, update the original firewall policy to obtain the updated original firewall policy; use the second IP address to replace the first IP address contained in the updated original firewall policy to obtain the target firewall policy.
[0175] In one embodiment, when the computer program updates the original firewall policy according to the policy migration scenario to obtain the updated original firewall policy, and the processor executes it, the following steps are also implemented:
[0176] Based on the policy migration scenario, a backup firewall policy is extracted from the original firewall policy; the backup firewall policy is then cleaned to obtain the updated original firewall policy.
[0177] In one embodiment, when the computer program performs an accessibility check on the target firewall policy based on the second IP address, and the logic for obtaining the policy to be migrated is executed by the processor, the following steps are also implemented:
[0178] Obtain the reference firewall policy corresponding to the second IP address; perform an accessibility check on the target firewall policy based on the reference firewall policy; and designate firewall policies that fail the accessibility check as the policies to be migrated.
[0179] In one embodiment, when the logic for a computer program to perform an accessibility check on a target firewall policy based on a reference firewall policy is executed by the processor, the following steps are also implemented:
[0180] The reference firewall policy is compared with the target firewall policy; based on the comparison results, the accessibility verification result of the target firewall policy is determined.
[0181] In one embodiment, when the computer program migrates the policy to be migrated to the second IP address, and the processor executes it, the following steps are also implemented:
[0182] Based on the firewall type of the policy to be migrated, migrate the policy to the second IP address.
[0183] In one embodiment, when the computer program migrates the policy to be migrated to the second IP address according to the firewall type of the policy to be migrated, and the processor executes it, the following steps are also implemented:
[0184] If the firewall type is a software firewall, the policy to be migrated is added to the reference firewall policy corresponding to the second IP address; if the firewall type is a hardware firewall, the firewall policy corresponding to the policy to be migrated is obtained from the reference firewall policy, and the second IP address is added to the obtained firewall policy.
[0185] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:
[0186] In response to a policy migration request that includes both the first IP address and the second IP address, the original firewall policy corresponding to the first IP address is obtained.
[0187] Based on the first IP address and the second IP address, the original firewall policy is modified to obtain the target firewall policy;
[0188] Based on the second IP address, the accessibility of the target firewall policy is verified to obtain the policy to be migrated.
[0189] Migrate the policy to be migrated to the second IP address.
[0190] In one embodiment, when the computer program modifies the original firewall policy based on the first IP address and the second IP address to obtain the target firewall policy, and the processor executes it, the following steps are also implemented:
[0191] Based on the first IP address and the second IP address, determine the policy migration scenario; based on the policy migration scenario, update the original firewall policy to obtain the updated original firewall policy; use the second IP address to replace the first IP address contained in the updated original firewall policy to obtain the target firewall policy.
[0192] In one embodiment, when the computer program updates the original firewall policy according to the policy migration scenario to obtain the updated original firewall policy, and the processor executes it, the following steps are also implemented:
[0193] Based on the policy migration scenario, a backup firewall policy is extracted from the original firewall policy; the backup firewall policy is then cleaned to obtain the updated original firewall policy.
[0194] In one embodiment, when the computer program performs an accessibility check on the target firewall policy based on the second IP address, and the logic for obtaining the policy to be migrated is executed by the processor, the following steps are also implemented:
[0195] Obtain the reference firewall policy corresponding to the second IP address; perform an accessibility check on the target firewall policy based on the reference firewall policy; and designate firewall policies that fail the accessibility check as the policies to be migrated.
[0196] In one embodiment, when the logic for a computer program to perform an accessibility check on a target firewall policy based on a reference firewall policy is executed by the processor, the following steps are also implemented:
[0197] The reference firewall policy is compared with the target firewall policy; based on the comparison results, the accessibility verification result of the target firewall policy is determined.
[0198] In one embodiment, when the computer program migrates the policy to be migrated to the second IP address, and the processor executes it, the following steps are also implemented:
[0199] Based on the firewall type of the policy to be migrated, migrate the policy to the second IP address.
[0200] In one embodiment, when the computer program migrates the policy to be migrated to the second IP address according to the firewall type of the policy to be migrated, and the processor executes it, the following steps are also implemented:
[0201] If the firewall type is a software firewall, the policy to be migrated is added to the reference firewall policy corresponding to the second IP address; if the firewall type is a hardware firewall, the firewall policy corresponding to the policy to be migrated is obtained from the reference firewall policy, and the second IP address is added to the obtained firewall policy.
[0202] It should be noted that the data involved in this application (including the first IP address, the second IP address, etc.) are all information and data that have been authorized or fully authorized by all parties.
[0203] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.
[0204] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0205] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A firewall policy migration method, characterized in that the method includes: in response to a policy migration request that includes a first IP address and a second IP address, obtaining the original firewall policy corresponding to the first IP address; determining a policy migration scenario based on the first IP address and the second IP address, wherein the policy migration scenario includes intranet migration, DMZ migration, and other migrations; extracting a backup firewall policy from the original firewall policy based on the policy migration scenario, wherein, if the policy migration scenario is an intranet migration, all intranet firewall policies and DMZ outbound firewall policies are deleted, and the firewall policies unrelated to the intranet migration scenario are extracted as the backup firewall policy; if the policy migration scenario is a DMZ migration, all DMZ firewall policies and intranet outbound firewall policies are deleted, and the firewall policies unrelated to the DMZ migration scenario are extracted as the backup firewall policy; if the policy migration scenario is another type of migration, no extraction is required, and the original firewall policy is used as the backup firewall policy; cleaning the backup firewall policy to obtain the updated original firewall policy; replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy; obtaining the reference firewall policy corresponding to the second IP address; performing an accessibility verification on the target firewall policy based on the reference firewall policy; taking the firewall policies in the target firewall policy whose accessibility verification result is "failed" as the policies to be migrated; and migrating the policies to be migrated to the second IP address.
2. The method according to claim 1, characterized in that the step of performing an accessibility verification on the target firewall policy based on the reference firewall policy includes: comparing the reference firewall policy with the target firewall policy; and, based on the comparison results, determining the accessibility verification result of the target firewall policy.
3. The method according to claim 1, characterized in that the step of migrating the policy to be migrated to the second IP address includes: based on the firewall type of the policy to be migrated, migrating the policy to be migrated to the second IP address.
4. The method according to claim 3, characterized in that the step of migrating the policy to be migrated to the second IP address according to the firewall type of the policy to be migrated includes: if the firewall type is a software firewall, adding the policy to be migrated to the reference firewall policy corresponding to the second IP address; if the firewall type is a hardware firewall, obtaining the firewall policy corresponding to the policy to be migrated from the reference firewall policy, and adding the second IP address to the obtained firewall policy.
5. A firewall policy migration device, characterized in that the device includes: a policy acquisition module, used to obtain the original firewall policy corresponding to the first IP address in response to a policy migration request including a first IP address and a second IP address; a policy generation module, used to determine a policy migration scenario based on the first IP address and the second IP address, wherein the policy migration scenario includes intranet migration, DMZ migration, and other migrations; to extract a backup firewall policy from the original firewall policy based on the policy migration scenario, wherein, if the policy migration scenario is an intranet migration, all intranet firewall policies and DMZ outbound firewall policies are deleted, and the firewall policies not related to the intranet migration scenario are extracted as the backup firewall policy; if the policy migration scenario is a DMZ migration, all DMZ firewall policies and intranet outbound firewall policies are deleted, and the firewall policies not related to the DMZ migration scenario are extracted as the backup firewall policy; if the policy migration scenario is another type of migration, no extraction is required, and the original firewall policy is used as the backup firewall policy; to clean the backup firewall policy to obtain an updated original firewall policy; and to replace the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy; a policy verification module, used to obtain the reference firewall policy corresponding to the second IP address, to perform an accessibility verification on the target firewall policy according to the reference firewall policy, and to take the firewall policies in the target firewall policy whose accessibility verification result is unsuccessful as the policies to be migrated; and
a policy migration module, used to migrate the policy to be migrated to the second IP address.
6. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, when the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 4.
7. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 4.
8. A computer program product, comprising a computer program, characterized in that, when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 4.