A firewall configuration method and apparatus
By using automated firewall configuration methods and devices, the challenges of firewall configuration in containerized deployments of financial systems have been solved, enabling efficient network problem detection and improving business processing efficiency and user experience.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- PING AN BANK CO LTD
- Filing Date
- 2023-06-05
- Publication Date
- 2026-07-03
Smart Images

Figure CN116599837B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and more specifically, to a firewall configuration method and apparatus. Background Technology
[0002] Currently, the trend in system deployment is towards containerization. Therefore, conventional systems need to be modified for containerization. During this process, testing will encounter many issues that are difficult to assess and verify, especially in financial systems. To comply with the regulatory requirements of the China Banking and Insurance Regulatory Commission (CBIRC), strict data security controls are in place, particularly regarding external network access and file transfer. For example, firewall issues frequently arise that prevent access to external networks. Existing technologies require testers to conduct thorough functional testing to identify which functions are unavailable due to external network access restrictions. This is wasteful of manpower and resources, inefficient, and ultimately reduces the business processing efficiency of financial systems. Summary of the Invention
[0003] The purpose of this application is to provide a firewall configuration method and apparatus that can automatically perform network problem checks, thereby discovering system problems in advance, saving troubleshooting time, improving work efficiency, and ultimately improving the business processing efficiency of the financial system and enhancing the user experience.
[0004] The first aspect of this application provides a firewall configuration method, including:
[0005] Read the target system's configuration file;
[0006] The IP addresses and domain names in the configuration file are identified to obtain the identification results;
[0007] Based on the identification results, the target public network address in the target system that needs to be transferred through a public egress gateway is determined;
[0008] Output a firewall configuration report for the target public IP address;
[0009] Configure the firewall according to the firewall configuration report.
[0010] In the above implementation process, this method first reads the target system's configuration file; then, it identifies the IP addresses and domain names in the configuration file to obtain the identification results; next, based on the identification results, it determines the target public network address in the target system that needs to be forwarded through the public egress gateway; then, it outputs a firewall configuration report for the target public network address; finally, it configures the firewall based on the firewall configuration report. It is evident that this method can automatically perform network problem checks, thereby proactively identifying system issues, saving troubleshooting time, improving work efficiency, and ultimately enhancing the business processing efficiency of the financial system and improving user experience.
[0011] Furthermore, the process of identifying the IP addresses and domain names in the configuration file to obtain the identification results includes:
[0012] The target system is parsed to obtain parsed data; wherein, the target system includes at least a system attribute configuration file and an Apollo configuration, and the parsed data includes IP configuration data and domain name configuration data;
[0013] The parsed data is identified to obtain identification results; wherein, the identification results include domain name identification results and IP identification results.
[0014] Further, determining the target public network address in the target system that needs to be transferred through a public egress gateway based on the identification result includes:
[0015] The public network address in the target system is determined based on the identification results;
[0016] Identify the target public network address among the public network addresses that needs to be forwarded through a public egress gateway.
[0017] Furthermore, the output of the firewall configuration report for the target public network address includes:
[0018] Obtain firewall configuration recommendations for the target system based on the target public IP address;
[0019] A firewall configuration report is generated based on the target public IP address and the firewall configuration recommendations.
[0020] Output the firewall configuration report.
[0021] Further, configuring the firewall based on the firewall configuration report includes:
[0022] Receive firewall configuration instructions for the configuration report;
[0023] Obtain firewall configuration data according to the firewall configuration instructions;
[0024] Configure the firewall according to the firewall configuration data.
[0025] A second aspect of this application provides a firewall configuration apparatus, the firewall configuration apparatus comprising:
[0026] The reading unit is used to read the target system's configuration files.
[0027] The identification unit is used to identify the IP addresses and domain names in the configuration file and obtain the identification results;
[0028] The determining unit is used to determine, based on the identification result, the target public network address in the target system that needs to be transferred through a public egress gateway;
[0029] The output unit is used to output a firewall configuration report for the target public network address;
[0030] The configuration unit is used to configure the firewall based on the firewall configuration report.
[0031] In the above implementation process, the device can read the target system's configuration file through the reading unit; identify the IP addresses and domain names in the configuration file through the identification unit to obtain the identification results; determine the target public network address in the target system that needs to be forwarded through the public egress gateway based on the identification results through the determination unit; output a firewall configuration report for the target public network address through the output unit; and then configure the firewall based on the firewall configuration report through the configuration unit. It is evident that this device can automatically perform network problem checks, thereby proactively identifying system issues, saving troubleshooting time, improving work efficiency, and ultimately enhancing the business processing efficiency of the financial system and improving user experience.
[0032] Furthermore, the identification unit includes:
[0033] The parsing subunit is used to parse the target system to obtain parsed data; wherein the target system includes at least a system attribute configuration file and an Apollo configuration, and the parsed data includes IP configuration data and domain name configuration data;
[0034] The first identification subunit is used to identify the parsed data and obtain identification results; wherein, the identification results include domain name identification results and IP identification results.
[0035] Furthermore, the determining unit includes:
[0036] A determining subunit is used to determine the public network address in the target system based on the identification result;
[0037] The second identification subunit is used to identify the target public network address among the public network addresses that needs to be transferred through a public exit gateway.
[0038] Furthermore, the output unit includes:
[0039] The first acquisition subunit is used to obtain firewall configuration suggestions for the target system based on the target public network address;
[0040] A generation subunit is used to generate a firewall configuration report based on the target public network address and the firewall configuration suggestions;
[0041] The output subunit is used to output the firewall configuration report.
[0042] Furthermore, the configuration unit includes:
[0043] A receiving subunit is configured to receive firewall configuration instructions for the configuration report.
[0044] The second acquisition subunit is used to acquire firewall configuration data according to the firewall configuration instructions;
[0045] The configuration subunit is used to configure the firewall based on the firewall configuration data.
[0046] A third aspect of this application provides an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the processor runs the computer program to cause the electronic device to perform the firewall configuration method described in any one of the first aspects of this application.
[0047] A fourth aspect of this application provides a computer-readable storage medium storing computer program instructions, which, when read and executed by a processor, perform the firewall configuration method described in any one of the first aspects of this application. Attached Figure Description
[0048] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0049] Figure 1 A flowchart illustrating a firewall configuration method provided in an embodiment of this application;
[0050] Figure 2 A flowchart illustrating another firewall configuration method provided in an embodiment of this application;
[0051] Figure 3 This is a schematic diagram of the structure of a firewall configuration device provided in an embodiment of this application;
[0052] Figure 4 This is a schematic diagram of another firewall configuration device provided in an embodiment of this application. Detailed Implementation
[0053] The technical solutions in the embodiments of this application will now be described with reference to the accompanying drawings.
[0054] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0055] Example 1
[0056] Please refer to Figure 1 , Figure 1 This embodiment provides a flowchart illustrating a firewall configuration method. The firewall configuration method includes:
[0057] S101, Read the target system's configuration file.
[0058] S102. Identify the IP addresses and domain names in the configuration file to obtain the identification results.
[0059] S103. Based on the identification results, determine the target public network address in the target system that needs to be transferred through the public egress gateway.
[0060] S104. Output a firewall configuration report for the target public IP address.
[0061] S105. Configure the firewall according to the firewall configuration report.
[0062] In this embodiment, the subject executing the method can be a computing device such as a computer or server, and no limitation is made in this embodiment.
[0063] In this embodiment, the subject executing the method can also be a smart device such as a smartphone or tablet, and no limitation is made in this embodiment.
[0064] In this embodiment, when this technology is applied in a bank, the target public IP address can be a list of external networks set up internally by the bank, or any website other than accessible websites, especially information storage websites that have file upload capabilities, etc. This embodiment of the application does not limit this.
[0065] In this embodiment of the application, implementing the method in a financial system can strictly control data security while complying with the regulatory requirements of the China Banking and Insurance Regulatory Commission, and can avoid various firewall problems that prevent access to external networks.
[0066] As can be seen, implementing the firewall configuration method described in this embodiment can automatically check for network problems, thereby discovering system problems in advance, saving troubleshooting time, improving work efficiency, and ultimately improving the business processing efficiency of the financial system and enhancing the user experience.
[0067] Example 2
[0068] Please refer to Figure 2 , Figure 2 This embodiment provides a flowchart illustrating a firewall configuration method. The firewall configuration method includes:
[0069] S201, Read the target system's configuration file.
[0070] S202. Analyze the target system to obtain the analytical data.
[0071] In this embodiment, the target system includes at least a system attribute configuration file and an Apollo configuration file, and the resolved data includes IP configuration data and domain name configuration data.
[0072] In this embodiment, for example, the system's configuration file is read and parsed, including the system's own properties and XML configuration files and external Apollo configuration files, and the analysis is performed to extract whether IP configuration or domain name configuration is involved.
[0073] S203. Recognize the parsed data to obtain the recognition result.
[0074] In this embodiment, the identification results include domain name identification results and IP identification results.
[0075] In this embodiment, the system can determine domain names such as .com, .net, .edu, .gov, and .cn based on keywords, perform DNS resolution, and identify domain name formats and structures. It then performs hierarchical resolution.
[0076] In this embodiment, IP digital resolution can be used to determine which networks, such as those belonging to banks or groups, are used for multi-regional office operations.
[0077] S204. Determine the public network address in the target system based on the identification results.
[0078] S205. Identify the target public network address that needs to be transferred through a public egress gateway.
[0079] S206. Obtain firewall configuration suggestions for the target system based on the target public IP address.
[0080] S207. Generate a firewall configuration report based on the target public IP address and firewall configuration recommendations.
[0081] S208, Output firewall configuration report.
[0082] S209. Receive firewall configuration instructions for the configuration report.
[0083] S210. Obtain firewall configuration data according to firewall configuration instructions.
[0084] S211. Configure the firewall according to the firewall configuration data.
[0085] In this embodiment, the method can read the IP segment of the container itself, and determine whether it is in the same network as the system or an external network based on the network segment IP.
[0086] In this embodiment, the method can verify the network segment address of the current system to distinguish whether it is an external address. Internal addressing integrates address and port detection commands, such as the telnet command, which automatically sends heartbeat probes and identifies whether the connection is possible based on the returned results.
[0087] In this embodiment, the method can perform a probing request to determine whether the accessibility is available.
[0088] In this embodiment, the method can intelligently identify which public network addresses in the system need to be transferred through a public egress gateway based on the above steps, such as whether they need to be transferred through an intermediate system like a mesh.
[0089] In this embodiment, the method can directly generate a test report based on the above analysis, informing the relevant testers which addresses need to be activated at once and what scheme to use.
[0090] In this embodiment, the subject executing the method can be a computing device such as a computer or server, and no limitation is made in this embodiment.
[0091] In this embodiment, the subject executing the method can also be a smart device such as a smartphone or tablet, and no limitation is made in this embodiment.
[0092] As can be seen, implementing the firewall configuration method described in this embodiment can automatically check for network problems, thereby discovering system problems in advance, saving troubleshooting time, improving work efficiency, and ultimately improving the business processing efficiency of the financial system and enhancing the user experience.
[0093] Example 3
[0094] Please refer to Figure 3 , Figure 3 This is a schematic diagram of a firewall configuration device provided in this embodiment. Figure 3 As shown, the firewall configuration device includes:
[0095] Reading unit 310 is used to read the configuration file of the target system;
[0096] The identification unit 320 is used to identify the IP address and domain name in the configuration file and obtain the identification result;
[0097] The determining unit 330 is used to determine, based on the identification results, the target public network address in the target system that needs to be transferred through the public egress gateway;
[0098] Output unit 340 is used to output a firewall configuration report for the target public network address;
[0099] Configuration unit 350 is used to configure the firewall based on the firewall configuration report.
[0100] In this embodiment, the explanation of the firewall configuration device can be referred to the description in Embodiment 1 or Embodiment 2, and will not be repeated here.
[0101] As can be seen, implementing the firewall configuration device described in this embodiment can automatically perform network problem checks, thereby discovering system problems in advance, saving troubleshooting time, improving work efficiency, and thus helping to improve the business processing efficiency of the financial system and enhance the user experience.
[0102] Example 4
[0103] Please refer to Figure 4 , Figure 4 This is a schematic diagram of a firewall configuration device provided in this embodiment. Figure 4 As shown, the firewall configuration device includes:
[0104] Reading unit 310 is used to read the configuration file of the target system;
[0105] The identification unit 320 is used to identify the IP address and domain name in the configuration file and obtain the identification result;
[0106] The determining unit 330 is used to determine, based on the identification results, the target public network address in the target system that needs to be transferred through the public egress gateway;
[0107] Output unit 340 is used to output a firewall configuration report for the target public network address;
[0108] Configuration unit 350 is used to configure the firewall based on the firewall configuration report.
[0109] As an optional implementation, the identification unit 320 includes:
[0110] The parsing subunit 321 is used to parse the target system and obtain parsed data; wherein the target system includes at least the system attribute configuration file and the Apollo configuration, and the parsed data includes IP configuration data and domain name configuration data;
[0111] The first identification subunit 322 is used to identify the parsed data and obtain the identification results; wherein, the identification results include domain name identification results and IP identification results.
[0112] As an optional implementation, the determining unit 330 includes:
[0113] The determination subunit 331 is used to determine the public network address in the target system based on the identification result;
[0114] The second identification subunit 332 is used to identify the target public network address that needs to be transferred through a public egress gateway.
[0115] As an optional implementation, the output unit 340 includes:
[0116] The first acquisition subunit 341 is used to obtain firewall configuration suggestions for the target system based on the target public network address;
[0117] Generating subunit 342 is used to generate a firewall configuration report based on the target public network address and firewall configuration suggestions;
[0118] Output subunit 343 is used to output the firewall configuration report.
[0119] As an optional implementation, the configuration unit 350 includes:
[0120] The receiving subunit 351 is used to receive firewall configuration instructions for the configuration report;
[0121] The second acquisition subunit 352 is used to acquire firewall configuration data according to firewall configuration instructions;
[0122] Configuration subunit 353 is used to configure the firewall based on firewall configuration data.
[0123] In this embodiment, for example, the system's configuration file is read and parsed, including the system's own property configuration file (xml) and external Apollo configuration, and the analysis is performed to extract whether IP configuration or domain name configuration is involved.
[0124] In this embodiment, the identification results include domain name identification results and IP identification results.
[0125] In this embodiment, the system can determine domain names such as .com, .net, .edu, .gov, and .cn based on keywords, perform DNS resolution, and identify domain name formats and structures. It then performs hierarchical resolution.
[0126] In this embodiment, IP digital resolution can be used to determine which networks, such as those belonging to banks or groups, are used for multi-regional office operations.
[0127] In this embodiment, the method can read the IP segment of the container itself, and determine whether it is in the same network as the system or an external network based on the network segment IP.
[0128] In this embodiment, the method can verify the network segment address of the current system to distinguish whether it is an external address. Internal addressing integrates address and port detection commands, such as the telnet command, which automatically sends heartbeat probes and identifies whether the connection is possible based on the returned results.
[0129] In this embodiment, the method can perform a probing request to determine whether the accessibility is available.
[0130] In this embodiment, the method can intelligently identify which public network addresses in the system need to be transferred through a public egress gateway based on the above steps, such as whether they need to be transferred through an intermediate system like a mesh.
[0131] In this embodiment, the method can directly generate a test report based on the above analysis, informing the relevant testers which addresses need to be activated at once and what scheme to use.
[0132] In this embodiment, the explanation of the firewall configuration device can be referred to the description in Embodiment 1 or Embodiment 2, and will not be repeated here.
[0133] As can be seen, implementing the firewall configuration device described in this embodiment can automatically perform network problem checks, thereby discovering system problems in advance, saving troubleshooting time, improving work efficiency, and thus helping to improve the business processing efficiency of the financial system and enhance the user experience.
[0134] This application provides an electronic device, including a memory and a processor. The memory stores a computer program, and the processor runs the computer program to enable the electronic device to perform the firewall configuration method in embodiment 1 or embodiment 2 of this application.
[0135] This application provides a computer-readable storage medium storing computer program instructions. When these computer program instructions are read and executed by a processor, the firewall configuration method described in embodiment 1 or embodiment 2 of this application is performed.
[0136] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram and / or flowchart, and combinations of blocks in block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.
[0137] In addition, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.
[0138] If the aforementioned functions are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0139] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application. It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.
[0140] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0141] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
Claims
1. A method of configuring a firewall, characterized by, include: Read the target system's configuration file; The IP addresses and domain names in the configuration file are identified to obtain the identification results; Based on the identification results, the target public network address in the target system that needs to be transferred through a public egress gateway is determined; The target public IP address is an accessible public IP address; Output a firewall configuration report for the target public network address; the firewall configuration report is used to inform the testers of the address to be activated at once and the activation plan; Configure the firewall according to the firewall configuration report; The step of determining the target public network address in the target system that needs to be transferred through a public egress gateway based on the identification result includes: The public network address in the target system is determined based on the identification results; Identify the target public network address among the public network addresses that needs to be forwarded through a public egress gateway.
2. The firewall configuration method according to claim 1, wherein, The process of identifying IP addresses and domain names in the configuration file to obtain identification results includes: The target system is parsed to obtain parsed data; wherein, the target system includes at least a system attribute configuration file and an Apollo configuration, and the parsed data includes IP configuration data and domain name configuration data; The parsed data is identified to obtain identification results; wherein, the identification results include domain name identification results and IP identification results.
3. The firewall configuration method of claim 1, wherein, The output firewall configuration report for the target public network address includes: Obtain firewall configuration recommendations for the target system based on the target public IP address; A firewall configuration report is generated based on the target public IP address and the firewall configuration recommendations. Output the firewall configuration report.
4. The firewall configuration method of claim 1, wherein, The step of configuring the firewall according to the firewall configuration report includes: Receive firewall configuration instructions for the configuration report; Obtain firewall configuration data according to the firewall configuration instructions; Configure the firewall according to the firewall configuration data.
5. A firewall configuration apparatus characterized by comprising: The firewall configuration device includes: The reading unit is used to read the target system's configuration files. The identification unit is used to identify the IP addresses and domain names in the configuration file and obtain the identification results; The determining unit is used to determine, based on the identification result, the target public network address in the target system that needs to be transferred through a public egress gateway; the target public network address is an accessible public network address; The output unit is used to output a firewall configuration report for the target public network address; the firewall configuration report is used to inform the testers of the address to be activated at once and the activation plan; The configuration unit is used to configure the firewall according to the firewall configuration report; The determining unit includes: A determining subunit is used to determine the public network address in the target system based on the identification result; The second identification subunit is used to identify the target public network address among the public network addresses that needs to be transferred through a public egress gateway.
6. The firewall configuration apparatus according to claim 5, wherein The identification unit includes: The parsing subunit is used to parse the target system to obtain parsed data; wherein the target system includes at least a system attribute configuration file and an Apollo configuration, and the parsed data includes IP configuration data and domain name configuration data; The first identification subunit is used to identify the parsed data and obtain identification results; wherein, the identification results include domain name identification results and IP identification results.
7. An electronic device, comprising: The electronic device includes a memory and a processor, the memory being used to store a computer program, and the processor running the computer program to cause the electronic device to perform the firewall configuration method according to any one of claims 1 to 4.
8. A readable storage medium, characterized by, The readable storage medium stores computer program instructions, which, when read and executed by a processor, perform the firewall configuration method according to any one of claims 1 to 4.