No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Typical Networking

Typical Networking

As shown in Figure 2-2, the broadcast and television network leases two links from two ISPs each to provide broadband Internet access for its MAN users. The broadcast and television network also deploys servers in the server area to provide hosted server services for intranet and extranet users.

Two firewalls are deployed at the Internet egress of the broadcast and television network for hot standby (active/standby backup). The upstream interfaces of the two firewalls are connected to the two ISPs through the egress aggregation switches. The downstream interfaces of the two firewalls are connected to the MAN through core routers and connected to the servers through the switch in the server area.

Figure 2-2  Typical networking of firewalls at the egress of a broadcast and television network

Specifically, the broadcast and television network has the following requirements on the egress firewalls:

  • Two firewalls are deployed in active/standby backup mode to improve network availability.
  • Source NAT is enabled on the firewalls to ensure that massive MAN users can access the Internet simultaneously.
  • To enhance the broadband Internet access experience of intranet users, the uplink selection should ensure that:
    • Traffic is sent to the ISP that owns the destination IP address. For example, traffic destined to a server of ISP 1 is forwarded by a link of ISP 1, and traffic destined to a server of ISP 2 is forwarded by a link of ISP 2.
    • Traffic destined to one ISP is distributed to the two links of the ISP based on weights for load balancing.
    • P2P traffic is routed to the lower-price and higher-bandwidth links of ISP 2.
  • Hosted servers can be accessed by extranet users for management operations.
  • DNS servers are also deployed inside the broadcast and television network to provide domain name resolution for the above servers. The broadcast and television network expects that a domain name can be resolved to an address that is allocated to a server by the serving ISP of an extranet user to increase the access speed.
  • The firewalls can protect the intranet against DDoS attacks and warn about intrusions of zombies, Trojan horses, and worms.
  • The firewalls can trace Internet access activities of intranet users for audit, including logging of pre-NAT and post-NAT addresses and the online and offline activities of IM users.
Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16859

Downloads: 721

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next