Firewall policy generation method and apparatus, electronic device, and storage medium
By acquiring the target object's IP information and port protocol, and combining this with a firewall policy database, firewall policies are automatically generated. This solves the problems of high communication costs and large errors in the firewall policy generation process, and improves the efficiency and accuracy of firewall management.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NETSUNION CLEARING CORP
- Filing Date
- 2025-01-13
- Publication Date
- 2026-07-14
AI Technical Summary
The existing firewall policy generation process suffers from numerous problems, including high communication costs, large errors in human judgment, and complex and inefficient operations, resulting in low firewall management efficiency.
By obtaining the source Internet Protocol address (IP) and target IP of the target object, and combining port protocol information with the firewall policy database, firewall policies in the firewall path are automatically generated, reducing manual intervention and errors.
This improves the accuracy and efficiency of firewall policy generation, reducing errors and time costs associated with manually generating firewall policies.
Smart Images

Figure CN122394822A_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of firewall technology, and in particular to a firewall policy generation method, apparatus, electronic device, and storage medium. Background Technology
[0002] In related technologies, firewall activation is usually accomplished by security engineers who, by inquiring about user needs and relying on experience, check the firewall's policies upon login to determine if services are being blocked. Through continuous communication with users and manual review of policy requirements to ensure compliance with specifications, firewall configuration scripts are manually written and then deployed by logging into the firewall device through the change window.
[0003] In this approach, users need to communicate with security engineers to query, add, or modify firewall policies, which leads to significant communication costs and low efficiency in firewall management. Security engineers rely on their own experience to make further judgments, and their accuracy and efficiency become a bottleneck for the timely activation of a large number of integrated services. The high frequency and complexity of firewall activation requests inevitably lead to errors, causing firewall policy changes to fail. Summary of the Invention
[0004] This disclosure aims to at least partially address one of the technical problems in the related art.
[0005] Therefore, the purpose of this disclosure is to propose a firewall policy generation method, device, electronic device, storage medium, and computer program product that can accurately analyze the firewall path traversed by the target object and automatically generate the firewall policy corresponding to the target firewall in the firewall path, thereby reducing the error and time cost of manually generating firewall policies and effectively improving the generation efficiency and accuracy of firewall policies.
[0006] The first aspect of this disclosure proposes a firewall policy generation method, comprising: obtaining a firewall policy database corresponding to a target object, wherein the firewall policy database contains multiple candidate firewall policies; obtaining the source Internet Protocol address (IP) and target IP of the target object; determining the target firewall that the target object passes through based on the source IP and target IP; determining the policy request information of the target firewall based on the port protocol information of the target object, the source IP, the target IP, and the multiple candidate firewall policies; and generating a target firewall policy corresponding to each target firewall based on the policy request information.
[0007] The firewall policy generation method proposed in the first aspect of this disclosure obtains a firewall policy database corresponding to a target object, wherein the firewall policy database contains multiple candidate firewall policies. It obtains the source Internet Protocol address (IP) and target IP of the target object, determines the target firewall traversed by the target object based on the source IP and target IP, determines the policy request information of the target firewall based on the target object's port protocol information, source IP, target IP, and multiple candidate firewall policies, and generates a target firewall policy corresponding to each target firewall based on the policy request information. This method can more accurately analyze the firewall paths traversed by the target object and automatically generate firewall policies corresponding to the target firewalls in the firewall paths, reducing the errors and time costs of manually generating firewall policies and effectively improving the efficiency and accuracy of firewall policy generation.
[0008] A second aspect of this disclosure provides a firewall policy generation apparatus, comprising: a first acquisition module for acquiring a firewall policy database corresponding to a target object, wherein the firewall policy database contains multiple candidate firewall policies; a second acquisition module for acquiring the source Internet Protocol address (IP) and the target IP of the target object; a first determination module for determining the target firewall traversed by the target object based on the source IP and the target IP; a second determination module for determining policy request information of the target firewall based on the port protocol information of the target object, the source IP, the target IP, and the multiple candidate firewall policies; and a generation module for generating a target firewall policy corresponding to each target firewall based on the policy request information.
[0009] The firewall policy generation apparatus proposed in the second aspect of this disclosure obtains a firewall policy database corresponding to a target object, wherein the firewall policy database contains multiple candidate firewall policies. It obtains the source Internet Protocol address (IP) and target IP of the target object, determines the target firewall that the target object passes through based on the source IP and target IP, determines the policy request information of the target firewall based on the port protocol information of the target object, the source IP, the target IP, and multiple candidate firewall policies, and generates a target firewall policy corresponding to each target firewall based on the policy request information. This apparatus can more accurately analyze the firewall path that the target object passes through and automatically generate the firewall policy corresponding to the target firewall in the firewall path, reducing the error and time cost of manually generating firewall policies and effectively improving the generation efficiency and accuracy of firewall policies.
[0010] A third aspect of this disclosure provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the firewall policy generation method as proposed in the first aspect of this disclosure.
[0011] The fourth aspect of this disclosure provides a non-transitory computer-readable storage medium having a computer program stored thereon that, when executed by a processor, implements the firewall policy generation method as proposed in the first aspect of this disclosure.
[0012] A fifth aspect of this disclosure provides a computer program product in which, when instructions in the computer program product are executed by a processor, the firewall policy generation method as described in the first aspect of this disclosure is performed.
[0013] Additional aspects and advantages of this disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of this disclosure. Attached Figure Description
[0014] The above and / or additional aspects and advantages of this disclosure will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
[0015] Figure 1 This is a flowchart illustrating a firewall policy generation method proposed in an embodiment of this disclosure;
[0016] Figure 2 This is a schematic diagram of the firewall management system in an embodiment of this disclosure;
[0017] Figure 3 This is a schematic diagram of the firewall policy generation process in an embodiment of this disclosure;
[0018] Figure 4 This is a flowchart illustrating a firewall policy generation method according to another embodiment of this disclosure;
[0019] Figure 5 This is a timing diagram of firewall policy generation in an embodiment of this disclosure;
[0020] Figure 6 This is a flowchart illustrating a firewall policy generation method according to another embodiment of this disclosure;
[0021] Figure 7 This is a schematic diagram of the configuration file backup process in an embodiment of this disclosure;
[0022] Figure 8 This is a schematic diagram of the structure of a firewall policy generation device according to an embodiment of the present disclosure;
[0023] Figure 9 This is a schematic diagram of the structure of a firewall policy generation apparatus according to another embodiment of the present disclosure;
[0024] Figure 10 A block diagram of an exemplary electronic device suitable for implementing embodiments of the present disclosure is shown. Detailed Implementation
[0025] Embodiments of this disclosure are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are used only to explain this disclosure, and should not be construed as limiting this disclosure. Rather, embodiments of this disclosure include all variations, modifications, and equivalents falling within the spirit and scope of the appended claims.
[0026] Figure 1 This is a flowchart illustrating a firewall policy generation method proposed in an embodiment of this disclosure.
[0027] It should be noted that the execution subject of the firewall policy generation method in this embodiment is a firewall policy generation device, which can be implemented by software and / or hardware, and can be configured in an electronic device, without limitation.
[0028] like Figure 1 As shown, the firewall policy generation method includes:
[0029] S101: Obtain the firewall policy database corresponding to the target object, where the firewall policy database contains multiple candidate firewall policies.
[0030] The target object refers to the object for which corresponding firewall policies need to be set for the firewall it passes through. The target object can be the user, application, and communication data for which firewall policy requests are generated, and there are no restrictions on this.
[0031] The firewall policy database refers to a pre-established policy library that stores firewall policies corresponding to multiple firewalls. The firewall policy database stores multiple candidate firewall policies, and the firewall policy required by the target object can be requested and generated based on the multiple candidate firewall policies in the firewall policy database.
[0032] Among them, candidate firewall policies refer to existing historical firewall policies or pre-defined firewall policies that have been obtained in advance. Candidate firewall policies can be used to match and process them in order to apply for and generate the firewall policy required by the target object.
[0033] In this embodiment of the disclosure, when obtaining the firewall policy database corresponding to the target object, a pre-built firewall policy database can be obtained, or all firewalls that may be passed through in the target object's path can be obtained, and the firewall policies used by all the passed firewalls can be obtained. The obtained policies are used as candidate firewall policies to obtain the firewall policy database corresponding to the target object.
[0034] In other embodiments, the target object's current firewall configuration file can be copied to the local machine for backup every 2 hours. The backup configuration file is then parsed to extract routing table information and store it. Access Control Lists (ACLs) and Network Address Translation (NAT) information are also extracted and stored from the backup configuration file. The metadata (five-tuples and routing table) corresponding to the parsed ACL and NAT information is stored in the firewall policy database to establish and retrieve the firewall policy database.
[0035] In this embodiment of the disclosure, a copy of the firewall configuration file is made to the local machine for backup every 2 hours. When the firewall configuration needs to be restored, the backed-up configuration file can be sent to replace the current firewall file, thereby ensuring that the recovery point object (RPO) is less than 2 hours and the recovery time objective (RTO) is less than 30 minutes, thus achieving timely recovery of the firewall policy.
[0036] S102: Obtain the source Internet Protocol address (IP) and target IP of the target object.
[0037] The source Internet Protocol address (IP) refers to the source network address of the target object.
[0038] The target IP refers to the destination network address of the target object's travel path.
[0039] In this embodiment of the disclosure, when obtaining the source Internet Protocol address (IP) and the target IP of the target object, the source Internet Protocol address (IP) of the target object and the destination network address of the target object's travel path can be obtained first as the target IP. The source IP and the target IP can be used to determine the firewall policies passed through on the target object's path.
[0040] S103: Determine the target firewall that the target object passes through based on the source IP and destination IP.
[0041] Among them, the target firewall refers to the firewall that the target object actually passes through on its travel path.
[0042] In this embodiment of the disclosure, when determining the target firewall traversed by the target object based on the source IP and the destination IP, all firewalls that the target object may pass through along its travel path can be obtained first. From the obtained multiple firewalls, the target firewall traversed by the target object can be selected. Longest route matching can be performed to calculate the interface of the source IP and destination IP of the target object on each obtained firewall. If the interface corresponding to the calculated source IP is different from the interface corresponding to the destination IP, it is determined that the target object passes through the firewall. If the interface corresponding to the calculated source IP is the same as the interface corresponding to the destination IP, it is determined that the target object does not pass through the firewall. All firewalls are traversed and calculated, and the firewalls traversed by the target object are taken as the target firewalls.
[0043] S104: Determine the policy request information for the target firewall based on the port protocol information of the target object, the source IP, the target IP, and multiple candidate firewall policies.
[0044] Among them, port protocol information refers to the target port information of the target firewall corresponding to the target object and the protocol information corresponding to the target object.
[0045] Policy request information refers to data information that can be used to assist in generating firewall policies corresponding to the target firewall.
[0046] In this embodiment of the disclosure, when determining the policy request information of the target firewall based on the port protocol information, source IP, target IP, and multiple candidate firewall policies of the target object, a matching query process can first be performed on the target firewall from multiple candidate firewall policies in the firewall policy database based on the port protocol information, source IP, and target IP of the target object. This involves matching the target IP first, then the protocol, then the port, then the source IP, and so on, until all candidate firewall policies in the firewall policy database have been traversed and matched. The Access Control List (ACL) node information corresponding to the matched target firewall is then output. Then, the candidate firewall policies in the firewall policy database are matched using the method of first matching the IP, then the port, and then the direction, until all candidate firewall policies in the firewall policy database have been traversed and matched. The Network Address Translation (NAT) result information corresponding to the target firewall is then output. Finally, the policy request information of the target firewall is based on the business scenario corresponding to the target object and the obtained ACL result information and NAT result information. The target firewall policy information may also include the business scenario identifier information corresponding to the target object. The target firewall policy request information can be used to generate the target firewall policy corresponding to the target firewall.
[0047] S105: Generate the target firewall policy for each target firewall based on the policy request information.
[0048] Among them, the target firewall policy refers to the firewall policy that is deployed to the target firewall for execution.
[0049] In this embodiment of the disclosure, after determining the policy request information of the target firewall based on the port protocol information of the target object, the source IP, the target IP, and multiple candidate firewall policies, the target firewall policy corresponding to each target firewall can be generated based on the policy request information.
[0050] In this embodiment of the disclosure, when generating a target firewall policy corresponding to each target firewall based on the policy application information, the policy generation rule information such as object naming rules and field separators corresponding to the target firewall policy can be determined based on the business scenario information of the target object in the policy application information. The target firewall policy corresponding to the target firewall can be generated based on the policy generation rule information and the access control list information and network address translation information in the policy application information.
[0051] For example, the object naming rules could be as follows: fields are separated by ":", the first field represents the work order number, the second field represents the requirement information, the third field represents the inbound / outbound direction, the character 'S' represents the source, the character 'D' represents the destination, etc. (For example, network object-group NI-12345:01-S means that the work order is the first requirement source IP in NI-12345). The business scenario corresponding to the target object could be a fixed integration testing business or a non-fixed business scenario. The fixed integration testing business can determine the policy generation rule information corresponding to the target firewall based on the predefined object group and different business scenarios. Based on the policy generation rule information and the access control list information and network address translation information in the policy application information, the target firewall policy corresponding to the target firewall is generated.
[0052] For example, such as Figure 2 As shown, Figure 2This is a schematic diagram of the firewall management system in this embodiment. The firewall of the target object may include: firewall 1, firewall 2, and firewall 3. The configuration file of the firewall corresponding to the target object can be copied to the local machine for backup every 2 hours. This configuration file can be used to restore the firewall configuration of the target object. Then, the backup configuration file can be processed by route parsing and configuration parsing. The parsed ACL information, NAT information, and metadata (five-tuple and routing table) are stored in the firewall policy database. When it is necessary to apply for and generate firewall policies, the path query, policy query, policy application, and policy generation of the target object can be executed respectively. The generated firewall policies are connected to the firewalls of each area through the connection module and distributed to the corresponding firewalls. Abnormal policies can also be automatically filtered out. After manual review and approval by security engineers, the abnormal firewall policies are deleted. All modules in the system are called through the system API. Data can be shared or called with other systems through the system API. The WEB module provides a unified web portal entry for users to query or apply for firewall policies.
[0053] For example, such as Figure 3 As shown, Figure 3 This is a schematic diagram of the firewall policy generation process in this embodiment. When a user needs to apply for a firewall policy, they can first perform a self-service query to find the target firewall that the target object passes through, and then match the Access Control List (ACL) and Network Address Translation (NAT) information corresponding to the target firewall from the firewall policy database. Then, they can check if a firewall policy already exists. If a policy already exists, it is directly put into service testing. If no firewall policy exists, a firewall policy application is made, and a firewall policy is automatically generated based on the application information. After review by the approver, if the review is approved, the firewall policy is issued for automatic execution. If the review is not approved, the firewall configuration script is manually modified and reviewed, and the approved firewall configuration script is issued for execution.
[0054] In this embodiment, by obtaining the firewall policy database corresponding to the target object, which contains multiple candidate firewall policies, the source Internet Protocol address (IP) and destination IP of the target object are obtained. Based on the source IP and destination IP, the target firewall traversed by the target object is determined. Based on the port protocol information of the target object, the source IP, the destination IP, and multiple candidate firewall policies, the policy request information of the target firewall is determined. Based on the policy request information, the target firewall policy corresponding to each target firewall is generated. This method can more accurately analyze the firewall path traversed by the target object and automatically generate the firewall policy corresponding to the target firewall in the firewall path, reducing the error and time cost of manually generating firewall policies and effectively improving the generation efficiency and accuracy of firewall policies.
[0055] Figure 4 This is a flowchart illustrating a firewall policy generation method proposed in another embodiment of this disclosure.
[0056] like Figure 4 As shown, the firewall policy generation method includes:
[0057] S401: Obtain the firewall policy database corresponding to the target object, where the firewall policy database contains multiple candidate firewall policies.
[0058] S402: Obtain the source Internet Protocol address (IP) and target IP of the target object.
[0059] For a detailed description of S401 and S402, please refer to the above embodiments, which will not be repeated here.
[0060] S403: Obtain multiple candidate firewalls.
[0061] Among them, candidate firewalls refer to the firewalls that the target object may pass through on its travel path after performing a path lookup on the target object.
[0062] In this embodiment of the disclosure, when obtaining multiple candidate firewalls, a path query process can be performed on the target object to obtain all firewalls that the target object may pass through on its travel path, and the obtained multiple firewalls can be used as multiple candidate firewalls.
[0063] S404: Determine the target firewall from multiple candidate firewalls based on the source IP and the destination IP.
[0064] In this embodiment of the disclosure, after obtaining the source Internet Protocol address (IP) and target IP of the target object and obtaining multiple candidate firewalls, the target firewall can be determined from the multiple candidate firewalls based on the source IP and target IP.
[0065] In this embodiment of the disclosure, when determining the target firewall from multiple candidate firewalls based on the source IP and the target IP, the interface corresponding to the source IP and the target IP on each candidate firewall can be determined, and the target firewall can be determined from multiple candidate firewalls based on the interface corresponding to the source IP and the target IP.
[0066] Optionally, in some embodiments, the target firewall is determined from multiple candidate firewalls based on the source IP and the target IP. The source interface of the source IP on the candidate firewall and the target interface of the target IP on the candidate firewall can be determined. When the source interface of the candidate firewall is different from the target interface of the candidate firewall, the candidate firewall is determined as the target firewall.
[0067] In this embodiment of the disclosure, when determining the target firewall from multiple candidate firewalls based on the source IP and the destination IP, the longest route matching process can be performed for each candidate firewall. The source interface of the source IP on the candidate firewall and the destination interface of the destination IP on the candidate firewall can be calculated. Then, based on the source interface corresponding to the source IP and the destination interface corresponding to the destination IP, it can be determined whether the candidate firewall is the target firewall. The source interface and the destination interface can be compared. If the source interface of the candidate firewall is different from the destination interface of the candidate firewall, it is determined that the target object passes through the candidate firewall, and the candidate firewall is taken as the target firewall. If the source interface of the candidate firewall is the same as the destination interface of the candidate firewall, it is determined that the target object does not pass through the candidate firewall, and the candidate firewall is not the target firewall. After traversing and processing all candidate firewalls one by one, the candidate firewalls passed by the target object are obtained as the target firewall.
[0068] S405: Obtain candidate access control list information and candidate network address translation information corresponding to each candidate firewall policy.
[0069] In this embodiment of the disclosure, candidate access control list information and candidate network address translation information corresponding to each candidate firewall policy can be obtained from the firewall policy database.
[0070] S406: Based on the port protocol information, source IP, and destination IP, determine the target access control list information and target network address translation information corresponding to the target firewall from the candidate access control list information and candidate network address translation information.
[0071] In this embodiment of the disclosure, after obtaining the candidate access control list information and candidate network address translation information corresponding to each candidate firewall policy, the target access control list information and target network address translation information corresponding to the target firewall can be determined from the candidate access control list information and candidate network address translation information based on the port protocol information, source IP, and target IP.
[0072] In this embodiment of the disclosure, when determining the target access control list information and target network address translation information corresponding to the target firewall from the candidate access control list information and candidate network address translation information based on the port protocol information, source IP, and target IP, the matching process can be performed for each candidate firewall policy's candidate access control list information and candidate network address translation information, according to the target object's source IP, target IP, target firewall's target port, and protocol information, following the order of matching the target IP, then the protocol, then the target port, then the source IP, and then the action. After traversing and matching all candidate firewall policies, the ACL result obtained from the matching is uniformly output, and the obtained ACL result is used as the target access control list information. Then, the matching process can be performed in the candidate access control list information and candidate network address translation information following the order of matching the IP, then the port, and then the direction. After traversing and matching all candidate firewall policies, the NAT result obtained from the matching is uniformly output, and the obtained NAT result is used as the target network address translation information.
[0073] S407: Use target access control list information and target network address translation information as policy request information.
[0074] In the embodiments of this disclosure, the target access control list information and target network address translation information corresponding to the target firewall are determined from the candidate access control list information and candidate network address translation information based on the port protocol information, source IP, and target IP. The target access control list information and target network address translation information can be used as policy request information.
[0075] S408: Generate the target firewall policy for each target firewall based on the policy request information.
[0076] Optionally, in some embodiments, a target firewall policy corresponding to each target firewall is generated based on the policy application information. The service type of the test service corresponding to the target object can be obtained, and the field pattern information of the target firewall policy can be determined based on the service type. Based on the field pattern information, the target firewall policy is generated according to the target access control list information and the target network address translation information.
[0077] The business type of the testing business can be, for example, a fixed integration testing business or a non-fixed business scenario.
[0078] Among them, field pattern information refers to the field rule information when generating the target firewall policy.
[0079] In this embodiment of the disclosure, the service type of the test task corresponding to the target object can be obtained first. Based on the service type, the field generation rule information when the target firewall policy is generated can be determined as the field pattern information. Based on the field pattern information, the target firewall policy can be generated according to the target access control list information and the target network address translation information.
[0080] For example, when the business type of the test service corresponding to the target object is a fixed integration test service, a whitelist application for fixed integration test services can be submitted, providing multiple scenario options, covering oat business integration test, reserve fund verification business integration test, member institution integration test, cross-border business integration test, and joint operation and maintenance integration test. According to the predefined IP group description, the application for the IP whitelist to be added can be submitted. When the business type of the test service corresponding to the target object is a non-fixed business scenario, four elements are provided: source IP, protocol, target IP, and target port. By default, outbound traffic is dynamically NATed to the firewall interface IP. Inbound traffic is provided by the offline security administrator who applies for public network IP resources separately and then performs static NAT to provide services to the outside world with a fixed IP + port. The field pattern information can be: fields are separated by ":", the first field represents the application work order number, the second field represents the requirement information, and the third field represents the inbound and outbound directions, where the character S represents the source and the character D represents the destination (for example, network object-group NI-12345:01-S means that the work order is the first requirement source IP in NI-12345).
[0081] In other embodiments, the fixed integration test service modifies the object group according to the predefined object group and adds new whitelisted IPs. In non-fixed service scenarios, an ACL is generated with "-" as the separator between fields. The first field represents the physical interface name, and the second field represents the interface inbound and outbound access direction, where in indicates inbound access from the interface and out indicates outbound access from the interface. In non-fixed service scenarios, a NAT is generated to provide static NAT to the outside world.
[0082] For example, such as Figure 5 As shown, Figure 5This is a sequence diagram of firewall policy generation in this embodiment. The firewall policy generation method in this embodiment provides functions for querying, modifying, and adding firewall policies, and has the function of automatically deleting redundant and invalid policies. It performs configuration backup once every two hours through the firewall API interface, performs route parsing and configuration parsing on the configuration file, and stores them uniformly in the firewall policy database. Based on the policy database, users can query the firewall path they need to pass through and whether there is already an enabled policy. It provides a self-service policy application function. After the policy application is approved through the relevant process, a change order and the corresponding policy configuration are generated. The security engineer performs manual review. If it meets the expectations, the configuration is automatically issued to the firewall for execution. If it does not meet the expectations, the change is implemented manually by logging into the firewall.
[0083] The firewall policy generation method proposed in this embodiment automatically determines the path required by the user's needs and its activation status using the routing and policy information parsed from the firewall configuration. It automatically generates the required policies based on standardized requirement requests. Regular, high-frequency configuration file backups enable rapid rollback and one-click recovery when policies are abnormal, with configuration backup and recovery performed every two hours. If firewall configuration is lost, the recovery module can quickly distribute the configuration back to the firewall. Policy queries help users understand whether they need to apply for policies and which policies to apply for, reducing communication costs and improving execution efficiency. Automatic policy generation and distribution reduce execution time and improve efficiency. From policy application, generation, distribution, and querying, everything is completed automatically by the system, reducing errors caused by human intervention and lowering the error rate. Users can perform self-service policy queries to clearly know whether their needs are enabled and can quickly locate firewall permission issues when services are down.
[0084] In this embodiment, by obtaining the firewall policy database corresponding to the target object, which contains multiple candidate firewall policies, the source Internet Protocol address (IP) and destination IP of the target object are obtained. Based on the source IP and destination IP, the target firewall traversed by the target object is determined. Based on the port protocol information of the target object, the source IP, the destination IP, and multiple candidate firewall policies, the policy request information of the target firewall is determined. Based on the policy request information, the target firewall policy corresponding to each target firewall is generated. This method can more accurately analyze the firewall path traversed by the target object and automatically generate the firewall policy corresponding to the target firewall in the firewall path, reducing the error and time cost of manually generating firewall policies and effectively improving the generation efficiency and accuracy of firewall policies.
[0085] Figure 6 This is a flowchart illustrating a firewall policy generation method proposed in another embodiment of this disclosure.
[0086] like Figure 6 As shown, the firewall policy generation method includes:
[0087] S601: Obtain the firewall policy database corresponding to the target object, where the firewall policy database contains multiple candidate firewall policies.
[0088] Optionally, in some embodiments, obtaining the firewall policy database corresponding to the target object can be achieved by obtaining the firewall configuration file of the target object when the time interval reaches a preset time interval, parsing the firewall configuration file to obtain routing table information, access control information and network address translation information, and generating multiple candidate firewall policies based on the routing table information, access control information and network address translation information to obtain the firewall policy database.
[0089] The preset time interval refers to the time interval set in advance for backing up firewall configuration files. This time interval can be set to 2 hours.
[0090] In this embodiment of the disclosure, when the interval reaches a preset time interval, i.e., when the time interval reaches 2 hours, the firewall configuration file of the target object can be obtained, backed up and saved locally, and then the firewall configuration file can be processed to extract the routing table information, access control category (ACL) information and network address translation (NAT) information in the firewall configuration file. The parsed routing table information, access control information and network address translation information are stored in the firewall policy database in the form of metadata (five-tuples and routing table).
[0091] For example, such as Figure 7 As shown, Figure 7 This is a schematic diagram of the configuration file backup process in this embodiment. The firewall configuration file of the target object can be obtained every 2 hours. The firewall configuration file is processed for routing and policy parsing. The parsing results are stored in the database. The firewall configuration file can also be used to select the firewall configuration file to be restored according to the time node when a failure occurs, and perform firewall configuration file restoration processing on the target object. The configuration backup operation is automatically performed every two hours. Historical configurations are archived and stored. The device can be restored at any time when the configuration is lost due to a failure.
[0092] S602: Obtain the source Internet Protocol address (IP) and target IP of the target object.
[0093] S603: Determine the target firewall that the target object passes through based on the source IP and destination IP.
[0094] S604: Determine the policy request information for the target firewall based on the target object's port protocol information, source IP, target IP, and multiple candidate firewall policies.
[0095] S605: Generate the target firewall policy for each target firewall based on the policy request information.
[0096] For a detailed description of S602 to S605, please refer to the above embodiments, which will not be repeated here.
[0097] S606: Perform anomaly identification processing on multiple candidate firewall policies in the firewall policy database to obtain abnormal firewall policies.
[0098] In this embodiment of the disclosure, anomaly identification processing is performed on multiple candidate firewall policies in the firewall policy database, and firewall policies that have been invalid for a long time and conflicting firewall policies are automatically cleaned up on a regular basis to converge potential risks and reduce service response latency.
[0099] Optionally, in some embodiments, anomaly identification processing is performed on multiple candidate firewall policies in the firewall policy database to obtain abnormal firewall policies. Conflicting firewall policies with conflicting execution actions can be identified from multiple candidate firewall policies based on the execution action information corresponding to the candidate firewall policies. Unused firewall policies can be identified from multiple candidate firewall policies based on the number of hits of the candidate firewall policies within a preset statistical time period. Conflicting firewall policies and unused firewall policies are then identified as abnormal firewall policies.
[0100] In this embodiment of the disclosure, when performing anomaly identification processing on multiple candidate firewall policies in the firewall policy database to obtain abnormal firewall policies, conflicting firewall policies with conflicting execution actions can be identified from the multiple candidate firewall policies. Among them, conflicting firewall policies have the same source IP and destination IP, the same port, but inconsistent action attributes. Unused firewall policies can be identified from the multiple candidate firewall policies. A statistical time period can be set as a preset statistical time period according to requirements to obtain the number of hits of candidate firewall policies within the preset statistical time period. Policies whose hit count does not increase can be regarded as unused firewall policies. Conflicting firewall policies and unused firewall policies are regarded as abnormal firewall policies.
[0101] S607: Remove abnormal firewall policies from multiple candidate firewall policies.
[0102] In this embodiment of the disclosure, after identifying conflicting firewall policies and unused firewall policies as aberrant firewall policies from multiple candidate firewall policies, the aberrant firewall policies can be deleted from the multiple candidate firewall policies.
[0103] In this embodiment, by acquiring the firewall policy database corresponding to the target object, which contains multiple candidate firewall policies, the source Internet Protocol address (IP) and destination IP of the target object are obtained. Based on the source IP and destination IP, the target firewall traversed by the target object is determined. Based on the port protocol information of the target object, the source IP, the destination IP, and multiple candidate firewall policies, the policy request information of the target firewall is determined. Based on the policy request information, the target firewall policy corresponding to each target firewall is generated. This allows for a relatively accurate analysis of the firewall path traversed by the target object and the automated generation of firewall policies corresponding to the target firewalls along the firewall path. This reduces the error and time cost of manually generating firewall policies and effectively improves the efficiency and accuracy of firewall policy generation. By performing anomaly identification processing on multiple candidate firewall policies in the firewall policy database, abnormal firewall policies are obtained and deleted from the multiple candidate firewall policies. This allows for the periodic automatic cleanup of long-term invalid firewall policies and conflicting firewall policies, converging potential risks and reducing service response latency.
[0104] Figure 8 This is a schematic diagram of the structure of a firewall policy generation device proposed in another embodiment of this disclosure.
[0105] like Figure 8 As shown, the firewall policy generation device includes:
[0106] The first acquisition module 801 is used to acquire the firewall policy database corresponding to the target object, wherein the firewall policy database contains multiple candidate firewall policies.
[0107] The second acquisition module 802 is used to acquire the source Internet Protocol address (IP) and the target IP of the target object;
[0108] The first determination module 803 is used to determine the target firewall that the target object passes through based on the source IP and the target IP.
[0109] The second determining module 804 is used to determine the policy request information of the target firewall based on the target object's port protocol information, source IP, target IP, and multiple candidate firewall policies; and
[0110] The generation module 805 is used to generate the target firewall policy corresponding to each target firewall based on the policy request information.
[0111] In some embodiments of this disclosure, the first determining module 803 is specifically used for:
[0112] Obtain multiple candidate firewalls;
[0113] The target firewall is determined from multiple candidate firewalls based on the source IP and the destination IP.
[0114] In some embodiments of this disclosure, the first determining module 803 is further configured to:
[0115] Determine the source interface of the source IP on the candidate firewall and the target interface of the target IP on the candidate firewall;
[0116] When the source interface of a candidate firewall is different from the target interface of the candidate firewall, the candidate firewall is determined as the target firewall.
[0117] In some embodiments of this disclosure, the second determining module 804 is specifically used for:
[0118] Obtain the candidate access control list information and candidate network address translation information corresponding to each candidate firewall policy;
[0119] Based on port protocol information, source IP, and destination IP, determine the target access control list information and target network address translation information corresponding to the target firewall from candidate access control list information and candidate network address translation information.
[0120] The target access control list information and the target network address translation information are used as policy request information.
[0121] In some embodiments of this disclosure, the generation module 805 is specifically used for:
[0122] Obtain the business type of the test application corresponding to the target object;
[0123] Determine the field schema information of the target firewall policy based on the business type;
[0124] Based on field pattern information, target firewall policies are generated according to target access control list information and target network address translation information.
[0125] In some embodiments of this disclosure, the first acquisition module 801 is specifically used for:
[0126] When the preset time interval is reached, the firewall configuration file of the target object is retrieved;
[0127] Parse the firewall configuration file to obtain routing table information, access control information, and network address translation information;
[0128] Based on routing table information, access control information, and network address translation information, multiple candidate firewall policies are generated to obtain a firewall policy database.
[0129] In some embodiments of this disclosure, such as Figure 9As shown, Figure 9 This is a schematic diagram of the structure of a firewall policy generation apparatus according to another embodiment of the present disclosure, which further includes:
[0130] The first processing module 806 is used to perform anomaly identification processing on multiple candidate firewall policies in the firewall policy database to obtain anomaly firewall policies.
[0131] The second processing module 807 is used to remove abnormal firewall policies from multiple candidate firewall policies.
[0132] In some embodiments of this disclosure, the first processing module 806 is specifically used for:
[0133] Based on the execution action information corresponding to the candidate firewall policies, identify conflicting firewall policies with conflicting execution actions from multiple candidate firewall policies;
[0134] Based on the number of hits of candidate firewall policies within a preset statistical time period, identify unused firewall policies from multiple candidate firewall policies;
[0135] Treat conflicting firewall policies and unused firewall policies as anomalous firewall policies.
[0136] With the above Figures 1 to 7 Corresponding to the firewall policy generation method provided in the embodiments, this disclosure also provides a firewall policy generation apparatus. Since the firewall policy generation apparatus provided in the embodiments of this disclosure is similar to the one described above... Figures 1 to 7 The firewall policy generation method provided in the embodiments corresponds to the firewall policy generation method provided in the embodiments of this disclosure. Therefore, the implementation method of the firewall policy generation method is also applicable to the firewall policy generation apparatus provided in the embodiments of this disclosure, and will not be described in detail in the embodiments of this disclosure.
[0137] In this embodiment, by obtaining the firewall policy database corresponding to the target object, which contains multiple candidate firewall policies, the source Internet Protocol address (IP) and destination IP of the target object are obtained. Based on the source IP and destination IP, the target firewall traversed by the target object is determined. Based on the port protocol information of the target object, the source IP, the destination IP, and multiple candidate firewall policies, the policy request information of the target firewall is determined. Based on the policy request information, the target firewall policy corresponding to each target firewall is generated. This method can more accurately analyze the firewall path traversed by the target object and automatically generate the firewall policy corresponding to the target firewall in the firewall path, reducing the error and time cost of manually generating firewall policies and effectively improving the generation efficiency and accuracy of firewall policies.
[0138] To implement the above embodiments, this disclosure also proposes a non-transitory computer-readable storage medium storing a computer program that, when executed by a processor, implements the firewall policy generation method proposed in the foregoing embodiments of this disclosure.
[0139] To implement the above embodiments, this disclosure also proposes a computer program product that, when the instruction processor in the computer program product is executed, performs the firewall policy generation method as proposed in the foregoing embodiments of this disclosure.
[0140] Figure 10 A block diagram of an exemplary electronic device suitable for implementing embodiments of the present disclosure is shown.
[0141] Figure 10 The electronic device 10 shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments disclosed herein.
[0142] like Figure 10 As shown, the electronic device 10 is presented in the form of a general-purpose computing device. The components of the electronic device 10 may include, but are not limited to: one or more processors or processing units 16, memory 28, and a bus 18 connecting different system components (including memory 28 and processing unit 16).
[0143] Bus 18 represents one or more of several bus architectures, including a memory bus or memory controller, a peripheral bus, a graphics acceleration port, a processor, or a local bus using any of the various bus architectures. Examples of these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MAC) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
[0144] Electronic device 10 typically includes a variety of computer system readable media. These media can be any available media that can be accessed by electronic device 10, including volatile and non-volatile media, removable and non-removable media.
[0145] Memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and / or cache memory 32. Electronic device 10 may further include other removable / non-removable, volatile / non-volatile computer system storage media. By way of example only, storage system 34 may be used to read and write non-removable, non-volatile magnetic media (… Figure 10 Not shown; usually referred to as a "hard drive".
[0146] although Figure 10 Not shown, a disk drive for reading and writing to a removable non-volatile disk (e.g., a "floppy disk") and an optical disc drive for reading and writing to a removable non-volatile optical disc (e.g., a compact disc read-only memory (CD-ROM), a digital video disc read-only memory (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to bus 18 via one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to perform the functions of the embodiments of this disclosure.
[0147] A program / utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28. Such program modules 42 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data. Each or some combination of these examples may include an implementation of a network environment. Program modules 42 typically perform the functions and / or methods described in the embodiments of this disclosure.
[0148] Electronic device 10 can also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), and with one or more devices that enable human interaction with the electronic device 10, and / or with any device that enables the electronic device 10 to communicate with one or more other computing devices (e.g., network card, modem, etc.). This communication can be performed via input / output (I / O) interface 22. Furthermore, electronic device 10 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 20. As shown, network adapter 20 communicates with other modules of electronic device 10 via bus 18. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 10, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0149] The processing unit 16 executes various functional applications and parameter information determination by running programs stored in the memory 28, such as implementing the firewall policy generation method mentioned in the foregoing embodiments.
[0150] It should be noted that in the description of this disclosure, the terms "first," "second," etc., are used for descriptive purposes only and should not be construed as indicating or implying relative importance. Furthermore, in the description of this disclosure, unless otherwise stated, "a plurality of" means two or more.
[0151] Any process or method description in the flowchart or otherwise herein can be understood as representing a module, segment, or portion of code comprising one or more executable instructions for implementing a particular logical function or process, and the scope of preferred embodiments of this disclosure includes additional implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the function involved, as will be understood by those skilled in the art to which embodiments of this disclosure pertain.
[0152] It should be understood that various parts of this disclosure can be implemented using hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented using software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.
[0153] Those skilled in the art will understand that all or part of the steps of the methods in the above embodiments can be implemented by a program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, the program includes one or a combination of the steps of the method embodiments.
[0154] Furthermore, the functional units in the various embodiments of this disclosure can be integrated into a processing module, or each unit can exist physically separately, or two or more units can be integrated into a module. The integrated module can be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
[0155] The storage media mentioned above can be read-only memory, disk, or optical disk, etc.
[0156] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this disclosure. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
[0157] Although embodiments of the present disclosure have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be construed as limiting the present disclosure. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the present disclosure.
Claims
1. A firewall policy generation method, characterized in that, include: Obtain the firewall policy database corresponding to the target object, wherein the firewall policy database contains multiple candidate firewall policies; Obtain the source Internet Protocol address (IP) and target IP of the target object; Based on the source IP and the destination IP, determine the target firewall that the target object passes through; Based on the port protocol information of the target object, the source IP, the target IP, and the multiple candidate firewall policies, determine the policy request information of the target firewall; and Based on the policy application information, a target firewall policy is generated for each target firewall.
2. The method as described in claim 1, characterized in that, The step of determining the target firewall traversed by the target object based on the source IP and the target IP includes: Obtain multiple candidate firewalls; The target firewall is determined from the plurality of candidate firewalls based on the source IP and the target IP.
3. The method as described in claim 2, characterized in that, The step of determining the target firewall from the plurality of candidate firewalls based on the source IP and the target IP includes: Determine the source interface of the source IP on the candidate firewall and the target interface of the target IP on the candidate firewall; When the source interface of the candidate firewall is different from the target interface of the candidate firewall, the candidate firewall is determined to be the target firewall.
4. The method as described in claim 1, characterized in that, The step of determining the policy request information of the target firewall based on the port protocol information of the target object, the source IP, the target IP, and the multiple candidate firewall policies includes: Obtain the candidate access control list information and candidate network address translation information corresponding to each of the candidate firewall policies; Based on the port protocol information, the source IP, and the target IP, determine the target access control list information and target network address translation information corresponding to the target firewall from the candidate access control list information and the candidate network address translation information; The target access control list information and the target network address translation information are used as the policy request information.
5. The method as described in claim 4, characterized in that, The step of generating a target firewall policy for each target firewall based on the policy application information includes: Obtain the business type of the test service corresponding to the target object; Based on the service type, determine the field pattern information of the target firewall policy; Based on the field pattern information, the target firewall policy is generated according to the target access control list information and the target network address translation information.
6. The method as described in claim 1, characterized in that, The step of obtaining the firewall policy database corresponding to the target object includes: When the preset time interval is reached, the firewall configuration file of the target object is obtained; Parse the firewall configuration file to obtain routing table information, access control information, and network address translation information; Based on the routing table information, the access control information, and the network address translation information, multiple candidate firewall policies are generated to obtain the firewall policy database.
7. The method as described in claim 1, characterized in that, Also includes: Anomaly identification processing is performed on the multiple candidate firewall policies in the firewall policy database to obtain abnormal firewall policies. The abnormal firewall policy is removed from the plurality of candidate firewall policies.
8. The method as described in claim 7, characterized in that, The step of performing anomaly identification processing on the multiple candidate firewall policies in the firewall policy database to obtain abnormal firewall policies includes: Based on the execution action information corresponding to the candidate firewall policies, identify conflicting firewall policies with conflicting execution actions from among the multiple candidate firewall policies; Based on the number of hits of the candidate firewall policies within a preset statistical time period, identify the unused firewall policies from the multiple candidate firewall policies; The conflicting firewall policy and the unused firewall policy are used as the abnormal firewall policy.
9. A firewall policy generation device, characterized in that, include: The first acquisition module is used to acquire the firewall policy database corresponding to the target object, wherein the firewall policy database contains multiple candidate firewall policies. The second acquisition module is used to acquire the source Internet Protocol address (IP) and the target IP of the target object; The first determining module is used to determine the target firewall that the target object passes through based on the source IP and the target IP; The second determining module is used to determine the policy request information of the target firewall based on the port protocol information of the target object, the source IP, the target IP, and the multiple candidate firewall policies; and The generation module is used to generate a target firewall policy corresponding to each target firewall based on the policy request information.
10. An electronic device, characterized in that, include: At least one processor; as well as A memory communicatively connected to the at least one processor; wherein, The memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-8.
11. A non-transitory computer-readable storage medium storing computer instructions, characterized in that, in, The computer instructions are used to cause the computer to perform the method according to any one of claims 1-8.