CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Firewall in HSB Mode

A firewall is a node that traffic must pass through on a network. If the firewall is faulty, traffic is interrupted. To ensure uninterrupted traffic, prevent firewall single-point failures.

To prevent firewall single-point failures, deploy two firewalls in hot standby (HSB) mode. One functions as the master firewall, and the other functions as the backup firewall. Interfaces on the master and backup firewalls connect to corresponding security zones. The Virtual Router Redundancy Protocol (VRRP) determines the master and backup firewalls. The firewall session entry synchronization is performed using HSB.

Firewall in HSB Mode

The firewall is a stateful firewall that checks only the first packet in a session and dynamically generates session entries. A session entry records the status of a session. Only subsequent packets (including response packets) that match the session entry can pass through the firewall.

Figure 5-18  Networking diagram of firewalls in HSB mode

As shown in Figure 5-18, Firewall A functions as the master firewall that traffic must pass through. Firewall B is in backup state, and no traffic passes through it.

If Firewall A or its links are faulty, traffic is switched to Firewall B. If session entries were not backed up to Firewall B before the master/backup switchover, the sessions that previously passed through Firewall A match no entry on Firewall B and are interrupted.

To ensure that the backup firewall takes over the work of the master firewall smoothly when the master firewall is faulty, back up session entries and status information between the master firewall and the backup firewall in real time. Currently, session entries and status information between the master firewall and the backup firewall are backed up using HSB.

Interface Status Requirement

Figure 5-19  Packet forwarding routes

On a firewall, interfaces that connect to security zones must be in the same state, that is, all interfaces are in master or backup state at the same time.

As shown in Figure 5-19:
  • Assume that all interfaces on Firewall A are in master state, and all interfaces on Firewall B are in backup state. PC1 in the Trust zone connects to PC2 in the Untrust zone. Packets are forwarded along (1) > (2) > (3) > (4). When forwarding the access packet, Firewall A dynamically generates a session entry. The response packet sent from PC2 is forwarded along (5) > (6) > (7) > (8). When it reaches Firewall A, the response packet matches the session entry and passes through Firewall A. Communication between PC1 and PC2 succeeds.
  • Assume that the interfaces on Firewall B that connect to the Trust zone are in backup state, but the interfaces that connect to the Untrust zone are in master state. When a packet sent from PC1 passes through Firewall A and reaches PC2, Firewall A dynamically generates a session entry. The response packet sent from PC2 is forwarded along (5) > (9) and reaches Firewall B. No matching session entry exists on Firewall B. If the response packet is not allowed by other rules, Firewall B discards the packet, and communication is interrupted.
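The two behaviours described above, session entry backup across a master/backup switchover and the interface-state requirement of Figure 5-19, modelled as an added Python simulation. This is not Huawei code; the Flow, Firewall, ingress and session_survives names, and the 5-tuple session key, are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """Constructed session key: a 5-tuple as a stateful firewall would record it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Firewall:
    name: str
    iface: dict = field(default_factory=dict)  # VRRP state per zone: "master"/"backup"
    sessions: set = field(default_factory=set)
    peer: "Firewall | None" = None              # HSB peer firewall
    hsb_sync: bool = False                      # real-time session backup on/off
    up: bool = True

    def forward(self, flow: Flow, first_packet: bool) -> bool:
        """Stateful check: the first packet creates a session entry; later packets
        (including the response direction) pass only if an entry matches."""
        if first_packet:
            self.sessions.add(flow)
            if self.hsb_sync and self.peer is not None:
                self.peer.sessions.add(flow)  # HSB backs the entry up to the peer
            return True
        return flow in self.sessions or flow.reverse() in self.sessions


def ingress(zone: str, fws: list) -> Firewall:
    """A packet from a zone reaches the firewall whose interface in that zone is master."""
    return next(fw for fw in fws if fw.up and fw.iface[zone] == "master")


def session_survives(b_untrust_master: bool, fail_a: bool, hsb_sync: bool) -> bool:
    """PC1 (Trust) opens a session to PC2 (Untrust); returns whether PC2's response passes."""
    a = Firewall("A", {"trust": "master", "untrust": "backup" if b_untrust_master else "master"}, hsb_sync=hsb_sync)
    b = Firewall("B", {"trust": "backup", "untrust": "master" if b_untrust_master else "backup"}, hsb_sync=hsb_sync)
    a.peer, b.peer = b, a
    req = Flow("PC1", 40000, "PC2", 443)  # constructed access packet
    ingress("trust", [a, b]).forward(req, first_packet=True)
    if fail_a:  # master fails: VRRP makes every interface on B master
        a.up = False
        b.iface = {"trust": "master", "untrust": "master"}
    return ingress("untrust", [a, b]).forward(req.reverse(), first_packet=False)
```

The four combinations reproduce the text: consistent interface states pass the response, mixed states send it to Firewall B where no entry exists, and a failover only preserves the session when HSB synchronization is on.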

Smart Link ensures the stability of links connected to switches. A directly connected link is deployed between the master and backup firewalls to ensure that traffic is forwarded to the peer firewall when a link is faulty.

NOTE:
  • Data configured by users are not backed up on the master and backup firewalls. Users must perform the same configuration on the master and backup firewalls.
  • Firewalls that back up each other must be of the same model and have the same memory, CPU, and configuration.
  • Firewalls that back up each other must use the same software version.
  • Backup interfaces cannot be service interfaces on the firewall and must be dedicated interfaces. Backup interfaces do not forward data.
  • Firewall HSB in asymmetric route mode is not supported. The bidirectional traffic of a session must pass through the same firewall.
  • Statistics data synchronization is not supported. Only TCP/UDP sessions are synchronized.
Updated: 2019-05-25

Document ID: EDOC1000097287
