HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Interfaces and Security Zones

To prevent communication failures between the active and standby firewalls caused by a heartbeat interface fault, use an Eth-Trunk interface as the heartbeat interface. On devices that accept multiple interface cards (see the hardware guide for the supported models), the Eth-Trunk should span boards, that is, its member interfaces should sit on different LPUs. An inter-board Eth-Trunk both improves reliability and increases bandwidth. On devices that support neither interface expansion nor inter-board Eth-Trunk, a single faulty LPU can take down every HRP backup channel and disrupt services.

The upstream and downstream physical links must have the same bandwidth, and that bandwidth must exceed the peak traffic; otherwise a traffic burst causes congestion and affects services.

Table 6-1 describes the planning of interfaces and security zones on FW_A and FW_B, and Table 6-2 describes the planning of interfaces and security zones on FW_C and FW_D.

Table 6-1  Interface and security zone planning for FW_A and FW_B

| Interface | FW_A | FW_B | Description |
|---|---|---|---|
| Eth-Trunk0 (member interfaces GE1/0/0 and GE1/0/1) | IP address 10.10.0.1/24; security zone DMZ | IP address 10.10.0.2/24; security zone DMZ | Heartbeat interface |
| Eth-Trunk1 (member interfaces GE1/0/2 and GE1/0/3), subinterface Eth-Trunk1.1, VLAN 11 | IP address 10.2.0.1/24; security zone Untrust | IP address 10.2.0.2/24; security zone Untrust | Service interface connected to the GGSN |
| Eth-Trunk1, subinterface Eth-Trunk1.2, VLAN 12 | IP address 10.2.2.1/24; security zone Untrust | IP address 10.2.2.2/24; security zone Untrust | Service interface connected to the GGSN |
| Eth-Trunk2 (member interfaces GE1/0/4 and GE1/0/5), subinterface Eth-Trunk2.1, VLAN 21 | IP address 10.3.0.1/24; security zone Trust | IP address 10.3.0.2/24; security zone Trust | Service interface connected to the SCG |

Table 6-2  Interface and security zone planning for FW_C and FW_D

| Interface | FW_C | FW_D | Description |
|---|---|---|---|
| Eth-Trunk0 (member interfaces GE1/0/0 and GE1/0/1) | IP address 10.10.0.3/24; security zone DMZ | IP address 10.10.0.4/24; security zone DMZ | Heartbeat interface |
| Eth-Trunk1 (member interfaces GE1/0/2 and GE1/0/3), subinterface Eth-Trunk1.1, VLAN 11 | IP address 10.2.1.1/24; security zone Untrust | IP address 10.2.1.2/24; security zone Untrust | Interface connected to the Internet |
| Eth-Trunk2 (member interfaces GE1/0/4 and GE1/0/5), subinterface Eth-Trunk2.1, VLAN 21 | IP address 10.3.1.1/24; security zone Trust | IP address 10.3.1.2/24; security zone Trust | Service interface connected to the SCG |

The two firewalls of a pair share each subnet but must use distinct interface addresses; a duplicate address on the Internet-facing subinterfaces would break both OSPF adjacency and HRP failover.

Availability

FW_A and FW_B form a hot-standby pair in active/standby mode, as do FW_C and FW_D. While the uplink side is operating normally, traffic entering the SCG is forwarded by FW_A; if FW_A fails, FW_B takes over. While the downlink side is operating normally, traffic leaving the SCG is forwarded by FW_C; if FW_C fails, FW_D takes over. Service continuity on both sides of the SCG is thereby ensured. Table 6-3 describes the availability planning for FW_A and FW_B, and Table 6-4 describes the availability planning for FW_C and FW_D.

Table 6-3  Availability planning for FW_A and FW_B

| Item | FW_A | FW_B |
|---|---|---|
| Backup mode | Active/standby backup | Active/standby backup |
| Heartbeat interface | Eth-Trunk0 | Eth-Trunk0 |
| Preemption delay | 300s | 300s |
| Monitoring interface | Eth-Trunk1 | Eth-Trunk1 |
| Automatic OSPF cost adjustment | Enabled | Enabled |

Table 6-4  Availability planning for FW_C and FW_D

| Item | FW_C | FW_D |
|---|---|---|
| Backup mode | Active/standby backup | Active/standby backup |
| Heartbeat interface | Eth-Trunk0 | Eth-Trunk0 |
| Preemption delay | 300s | 300s |
| Monitoring interface | Eth-Trunk1 | Eth-Trunk1 |
| Automatic OSPF cost adjustment | Enabled | Enabled |

GRE Tunnels

GRE tunnels are established between the GGSN and the uplink FW so that the private network segments on the two sides can communicate; service traffic, such as mobile phone traffic, reaches the FW through these tunnels. Two GRE tunnels are planned in this section, as described in Table 6-5. Note that the GRE key (RFC 2890) is a 32-bit value carried in cleartext in every tunnel packet: it lets the receiver tell tunnels apart and discard packets carrying the wrong key, but it provides neither authentication nor confidentiality. Traffic that must be protected on the path between the GGSN and the FW needs a separate mechanism, such as IPsec.

NOTE:

Plan the number of GRE tunnels based on actual service requirements.

Table 6-5  GRE tunnel planning

| Item | FW_A | FW_B |
|---|---|---|
| Loopback interfaces | Loopback1: 10.2.0.10/32; Loopback2: 10.2.0.11/32 | Loopback1: 10.2.0.12/32; Loopback2: 10.2.0.13/32 |
| Tunnel interface 1 | Encapsulation protocol GRE; MTU 1476; source address Loopback1; GRE key 123456; security zone tunnelzone | Encapsulation protocol GRE; MTU 1476; source address Loopback1; GRE key 123456; security zone tunnelzone |
| Tunnel interface 2 | Encapsulation protocol GRE; MTU 1476; source address Loopback2; GRE key 123456; security zone tunnelzone | Encapsulation protocol GRE; MTU 1476; source address Loopback2; GRE key 123456; security zone tunnelzone |
| Route | OSPF advertises the tunnel interface network segment so that traffic is directed into the intended GRE tunnel: network 172.16.2.0 0.0.0.255 (tunnel interfaces) | OSPF advertises the tunnel interface network segment so that traffic is directed into the intended GRE tunnel: network 172.16.2.0 0.0.0.255 (tunnel interfaces) |
| Security policy | Permit GRE traffic: one security policy for pre-encapsulation packets and one for encapsulated GRE packets | Permit GRE traffic: one security policy for pre-encapsulation packets and one for encapsulated GRE packets |
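The following Python example, added here and not part of Huawei's document, builds the GRE encapsulation described in Table 6-5 (RFC 2890 header with the key 123456, tunnel MTU 1476) and reads the key back off the wire. It shows two things a practitioner needs to know: the key is a cleartext tunnel identifier, not a credential, and once a key is configured the GRE header grows from 4 to 8 bytes, so a 1476-byte inner packet becomes a 1504-byte outer packet; on a 1500-byte underlay either lower the tunnel MTU to 1472 or make sure the underlay carries the larger frame. The GGSN-side tunnel endpoint 192.0.2.1, the inner packet and the 1500-byte path MTU are constructed assumptions.

```python
"""GRE encapsulation with a key (RFC 2890 layout) using the tunnel parameters
from Table 6-5.

Added example for this page; it is not Huawei code and does not model VRP.
Constructed assumptions: the GGSN-side tunnel endpoint 192.0.2.1, the inner
packet, and an underlay path MTU of 1500 bytes.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

GRE_PROTOCOL = 47        # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
GRE_FLAG_KEY = 0x2000    # K bit: a 4-byte key field follows the base header
TUNNEL_KEY = 123456      # the GRE key from Table 6-5
TUNNEL_MTU = 1476        # the tunnel interface MTU from Table 6-5


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_header(key: Optional[int]) -> bytes:
    """4-byte base header (flags/version, protocol type) plus a 4-byte key if set."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int]) -> bytes:
    """Outer IPv4 header (protocol 47) + GRE header + the untouched inner packet."""
    gre = gre_header(key) + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre)) + gre


def read_gre_key(outer: bytes) -> Optional[int]:
    """Recover the key from the wire: nothing encrypts or authenticates it, so
    any observer on the path learns it from a single packet."""
    ihl = (outer[0] & 0x0F) * 4
    flags = struct.unpack("!H", outer[ihl:ihl + 2])[0]
    if not flags & GRE_FLAG_KEY:
        return None
    return struct.unpack("!I", outer[ihl + 4:ihl + 8])[0]


def max_inner_size(path_mtu: int, key: Optional[int]) -> int:
    """Largest inner packet that fits the path MTU after encapsulation."""
    return path_mtu - 20 - len(gre_header(key))


def demo() -> dict:
    """Encapsulate a full-size (1476-byte) inner packet the way Table 6-5 would."""
    payload_len = TUNNEL_MTU - 20
    inner = ipv4_header("172.16.2.5", "10.3.0.10", 17, payload_len) + b"\x00" * payload_len
    outer = gre_encapsulate(inner, "10.2.0.10", "192.0.2.1", TUNNEL_KEY)
    return {
        "key_on_wire": read_gre_key(outer),
        "outer_size": len(outer),
        "max_inner_with_key": max_inner_size(1500, TUNNEL_KEY),
        "max_inner_without_key": max_inner_size(1500, None),
    }


if __name__ == "__main__":
    print(demo())
```

The 1476 default assumes a 4-byte GRE header; with a key the budget on a 1500-byte path is 1472, so either set the tunnel MTU to 1472 or confirm that fragmentation of the outer packet is acceptable between the FW and the GGSN.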

Security Policies

This section describes how to configure security policies to permit packet exchanges between security zones. Table 6-6 describes the security policy planning of FW_A and FW_B, and Table 6-7 describes the security policy planning of FW_C and FW_D.

Table 6-6  Security policy planning for FW_A and FW_B

| Zone pair | Data flow direction | Description |
|---|---|---|
| trust - tunnelzone | Outbound and inbound | Security policy for pre-encapsulation GRE packets |
| local - dmz | Outbound and inbound | Security policy for the backup (HRP) interfaces of the active and standby firewalls |
| local - untrust | Outbound and inbound | Security policy for encapsulated GRE packets |

Table 6-7  Security policy planning for FW_C and FW_D

| Zone pair | Data flow direction | Description |
|---|---|---|
| local - dmz | Outbound and inbound | Security policy for the backup (HRP) interfaces of the active and standby firewalls |
| trust - untrust | Outbound and inbound | Security policy for the traffic that is source-NATed from private addresses |
NAT

The GGSN sends user information to the RADIUS server for authentication. If authentication succeeds, the RADIUS server sends the user information to the FW. The NAT Server function is configured on the SCG side so that the private address of the SCG host is published as a public address the RADIUS server can reach, as listed in Table 6-8.

NOTE:

The recommended number of public addresses in the NAT address pool of the downlink firewall is (maximum number of online users × 60%) / (2 × 60000).

Table 6-8  NAT Server planning

| Item | FW_A | FW_B |
|---|---|---|
| Public IP address | 3.3.3.3 | 3.3.3.3 |
| Private IP address | 10.3.0.10 | 10.3.0.10 |

The FW performs NAT on the traffic of users connected to the SCG so that these users reach Internet services from post-NAT (public) addresses. NAT conserves public addresses and hides the internal addressing of the SCG network.

The FW normally uses NAPT (port address translation), so that many users share each public address. Table 6-9 describes the NAT address pool planning. The active and standby firewalls must use the same NAT address pool.

Table 6-9  NAT address pool planning

| Item | FW_C | FW_D |
|---|---|---|
| Security zones | Trust - Untrust | Trust - Untrust |
| Direction | Outbound | Outbound |
| Action | source-nat | source-nat |
| Addresses in the address pool | 1.1.1.6 to 1.1.1.10 | 1.1.1.6 to 1.1.1.10 |

Routes

As shown in Figure 6-5, the egress gateways of the SCG are the FWs on the uplink and downlink sides of the GGSN. OSPF process 1 runs on FW_A and FW_B to connect to the GGSN, and OSPF process 2 runs on FW_C and FW_D to connect to the Internet.

The route planning is as follows:

  • The FWs advertise routes through OSPF.
  • Black-hole routes are configured on FW_C and FW_D.
  • The firewalls work in active/standby mode, so the recommended interface cost is 10 on the active firewall and 1000 on the standby firewall. The firewall adjusts the OSPF cost according to its HRP status, which steers service traffic to the active firewall.
    NOTE:

    The different interface costs make the routes from the firewalls to the SCG, as advertised to the GGSN and to the Internet, prefer the active firewall, so that return packets are sent to the active firewall.

    The hold-down timer and multipath parameters keep their default values on the Layer 2 switch on the GGSN side and on the Internet-side router.

  • OSPF MD5 authentication (Tables 6-10 and 6-11) keeps unauthenticated neighbours out of the adjacency, but it is only as strong as the shared key: use a long random key rather than a dictionary word such as the example password, rotate it, and prefer a stronger algorithm such as HMAC-SHA256 where the software version supports it.

Figure 6-5  Route Planning

Table 6-10 describes route planning for FW_A and FW_B.

Table 6-10  Route planning for FW_A and FW_B

| Item | FW_A | FW_B |
|---|---|---|
| Protocol type | OSPF | OSPF |
| Area ID | 0.0.0.0 | 0.0.0.0 |
| Process ID | 1 | 1 |
| Authentication mode | MD5 | MD5 |
| Authentication password (set as required) | Huawei-123 | Huawei-123 |
| Cost | 10 | 1000 |
| Hello interval | 30s | 30s |
| OSPF interface mode | P2P | P2P |
| SPF calculation interval | Default value | Default value |
| Network segments | 10.2.0.0 0.0.0.255; 10.3.0.0 0.0.0.255 | 10.2.0.0 0.0.0.255; 10.3.0.0 0.0.0.255 |
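
Tables 6-10 and 6-11 protect the OSPF adjacencies with MD5 authentication and an illustrative password. The Python example below, added here and not taken from the guide, reproduces the RFC 2328 Appendix D.4.3 digest to make the trust model concrete: the digest is MD5 over the packet followed by the zero-padded key, so it stops unauthenticated neighbours but hands anyone who captures one multicast hello an offline attack costing one MD5 per guess. A dictionary word such as the example password falls immediately; use a long random key and, where the version supports it, HMAC-SHA256. The router ID 10.2.1.1, the sequence number and the word list are constructed assumptions.

```python
"""OSPFv2 MD5 cryptographic authentication (RFC 2328, Appendix D.4.3) and the
offline guessing attack a captured hello enables.

Added example for this page; not Huawei code. The router ID 10.2.1.1 (FW_C's
Eth-Trunk1.1 address), the cryptographic sequence number and the candidate
word list are constructed.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Iterable, Optional

AUTH_TYPE_CRYPTO = 2   # OSPF AuType 2: cryptographic authentication
DIGEST_LEN = 16        # MD5 digest, appended after the OSPF packet


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """D.4.3: the key is padded (or truncated) to 16 bytes and appended to the
    packet, and the MD5 of that is the digest. This is plain MD5 over
    packet || key, not an HMAC, so each key guess costs a single MD5."""
    k = key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + k).digest()


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: str) -> bytes:
    """OSPFv2 hello with the page's 30 s hello interval, MD5-authenticated."""
    # network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBIII", IPv4Address("255.255.255.0").packed,
                       30, 0x02, 1, 120, 0, 0)
    length = 24 + len(body)                  # the digest is not counted in the length
    # authentication field: 0, key ID, auth data length, cryptographic sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    # version 2, type 1 (hello), length, router ID, area ID, checksum 0, AuType 2
    header = struct.pack("!BBH4s4sHH", 2, 1, length, IPv4Address(router_id).packed,
                         IPv4Address(area_id).packed, 0, AUTH_TYPE_CRYPTO) + auth
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


def verify_hello(wire: bytes, key: str) -> bool:
    """Receiver side: recompute the digest with the local key and compare."""
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)


def recover_key(wire: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one captured hello. Hellos are multicast to
    224.0.0.5, so every host on the segment receives one per hello interval."""
    for candidate in candidates:
        if verify_hello(wire, candidate):
            return candidate
    return None


def demo() -> Optional[str]:
    """Capture one hello authenticated with the example password and crack it."""
    captured = build_hello("10.2.1.1", "0.0.0.0", key_id=1, seq=1, key="Huawei-123")
    wordlist = ["admin", "Admin@123", "huawei", "Huawei-123", "ospf"]  # constructed
    return recover_key(captured, wordlist)


if __name__ == "__main__":
    print(demo())
```

The same attack applies to any shared-key scheme, HMAC-SHA256 included, if the key is guessable; the algorithm upgrade removes MD5's structural weaknesses, the key length removes the dictionary.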

Table 6-11 describes route planning for FW_C and FW_D.

Table 6-11  Route planning for FW_C and FW_D

| Item | FW_C | FW_D |
|---|---|---|
| Protocol type | OSPF | OSPF |
| Area ID | 0.0.0.0 | 0.0.0.0 |
| Process ID | 2 | 2 |
| Authentication mode | MD5 | MD5 |
| Authentication password (set as required) | Huawei-123 | Huawei-123 |
| Cost | 10 | 1000 |
| Hello interval | 30s | 30s |
| OSPF interface mode | P2P | P2P |
| SPF calculation interval | Default value | Default value |
| Network segments | 10.2.1.0 0.0.0.255; 10.3.1.0 0.0.0.255 | 10.2.1.0 0.0.0.255; 10.3.1.0 0.0.0.255 |
| Black-hole routes (to avoid routing loops) | Destinations 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10 (each /32); next hop NULL0 | Destinations 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10 (each /32); next hop NULL0 |
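
Table 6-11 ends with black-hole routes for the five NAT pool addresses. The Python example below, added here and not from the guide, models FW_C's forwarding decision to show the loop they prevent: a packet from the Internet for a pool address with no matching NAT session misses the session table, hits the default route and goes straight back to the upstream router, which returns it to the firewall until the TTL expires; with the /32 routes to NULL0 the same packet is dropped locally, while packets that do match a session are still translated because the session lookup happens before routing. The upstream router address 203.0.113.1, the assumption that it routes 1.1.1.0/24 to the firewall, and the translated host 10.3.1.50 are constructed.

```python
"""Why FW_C and FW_D need NULL0 routes for the NAT address pool of Table 6-9.

Added example for this page; it is not Huawei code and only models the
forwarding decision. Constructed assumptions: the Internet-side router is
203.0.113.1 and routes 1.1.1.0/24 towards the firewall, and the translated
host 10.3.1.50 stands in for an SCG-side user.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

NAT_POOL = ["1.1.1.%d" % i for i in range(6, 11)]   # 1.1.1.6 to 1.1.1.10 (Table 6-9)
INTERNET_ROUTER = "203.0.113.1"                       # constructed upstream next hop

Route = Tuple[str, str]  # (prefix, next hop)


def fw_route_table(with_blackhole: bool) -> List[Route]:
    """FW_C's routes: default towards the Internet, the SCG-side connected
    network, and optionally the /32 black-hole routes from Table 6-11."""
    table = [("0.0.0.0/0", INTERNET_ROUTER),
             ("10.3.1.0/24", "Eth-Trunk2.1")]
    if with_blackhole:
        table += [(addr + "/32", "NULL0") for addr in NAT_POOL]
    return table


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match."""
    best: Optional[Tuple[int, str]] = None
    addr = ip_address(dst)
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def fw_decision(dst: str, sessions: Dict[str, str], with_blackhole: bool) -> str:
    """Inbound packet on FW_C: NAT session table first, then route lookup."""
    if dst in sessions:                        # reverse translation for a live session
        return "translate to " + sessions[dst]
    return lookup(fw_route_table(with_blackhole), dst) or "no route"


def trace(dst: str, sessions: Dict[str, str], with_blackhole: bool,
          ttl: int = 6) -> List[str]:
    """Hop-by-hop path of a packet arriving from the Internet for dst."""
    path: List[str] = []
    at_router = True
    for _ in range(ttl):
        if at_router:
            path.append("router")
            if ip_address(dst) not in ip_network("1.1.1.0/24"):
                path.append("internet")        # not ours, router forwards it elsewhere
                return path
            at_router = False                  # router hands pool traffic to FW_C
        else:
            decision = fw_decision(dst, sessions, with_blackhole)
            path.append("FW_C -> " + decision)
            if decision != INTERNET_ROUTER:
                return path                    # delivered, dropped on NULL0, or no route
            at_router = True                   # bounced back up the default route
    path.append("TTL expired")
    return path


if __name__ == "__main__":
    print(trace("1.1.1.8", {}, with_blackhole=False))
    print(trace("1.1.1.8", {}, with_blackhole=True))
    print(trace("1.1.1.8", {"1.1.1.8": "10.3.1.50"}, with_blackhole=True))
```

Without the black-hole routes every unsolicited packet for a pool address costs the firewall and the router one round trip per TTL decrement, which is also an easy amplification target; with them the cost is a single drop.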

Others

ASPF

If multi-channel protocols such as FTP, RTSP, and PPTP are used between zones, run the detect command in the interzone view so that ASPF tracks the control channel and opens the dynamically negotiated data channels instead of requiring a broad static policy. Recommended detect commands are as follows:

detect rtsp

detect ftp

detect pptp

NOTE:

The detect qq and detect msn commands are not recommended in the interzone view.

Attack Defense

Attack defense is configured on the FWs to provide security protection. Recommended attack defense configuration commands are as follows:

firewall defend land enable

firewall defend smurf enable

firewall defend fraggle enable

firewall defend ip-fragment enable

firewall defend tcp-flag enable

firewall defend winnuke enable

firewall defend source-route enable

firewall defend teardrop enable

firewall defend route-record enable

firewall defend time-stamp enable

firewall defend ping-of-death enable

NMS (SNMP)

The Simple Network Management Protocol (SNMP) is the most widely used network management protocol on TCP/IP networks. Configure the SNMP agent on the FWs so that the NMS server can manage them. On an Internet-facing firewall, use SNMPv3 with both authentication and privacy (authPriv) rather than SNMPv1/v2c community strings, which travel in cleartext, and restrict the source addresses permitted to reach the agent to the NMS servers.

Updated: 2019-01-26

Document ID: EDOC1100062972