HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.

Configuring Interfaces and Security Zones

Procedure

  1. Configure interfaces and security zones for FW_A.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_A> system-view
    [FW_A] interface Eth-Trunk 0
    [FW_A-Eth-Trunk0] description To_FW_B
    [FW_A-Eth-Trunk0] ip address 10.10.0.1 24
    [FW_A-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_A] interface Eth-Trunk 1
    [FW_A-Eth-Trunk1] quit
    [FW_A] interface Eth-Trunk 1.1
    [FW_A-Eth-Trunk1.1] description To_GGSN1
    [FW_A-Eth-Trunk1.1] ip address 10.2.0.1 24
    [FW_A-Eth-Trunk1.1] vlan-type dot1q 11
    [FW_A-Eth-Trunk1.1] quit

    # Create Eth-Trunk 1.2 and configure an IP address for it.

    [FW_A] interface Eth-Trunk 1.2
    [FW_A-Eth-Trunk1.2] description To_GGSN2
    [FW_A-Eth-Trunk1.2] ip address 10.2.2.1 24
    [FW_A-Eth-Trunk1.2] vlan-type dot1q 12
    [FW_A-Eth-Trunk1.2] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_A] interface Eth-Trunk 2
    [FW_A-Eth-Trunk2] quit
    [FW_A] interface Eth-Trunk 2.1
    [FW_A-Eth-Trunk2.1] description To_SCG
    [FW_A-Eth-Trunk2.1] ip address 10.3.0.1 24
    [FW_A-Eth-Trunk2.1] vlan-type dot1q 21
    [FW_A-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_A] interface GigabitEthernet 1/0/0
    [FW_A-GigabitEthernet1/0/0] eth-trunk 0
    [FW_A-GigabitEthernet1/0/0] quit
    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] eth-trunk 0
    [FW_A-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_A] interface GigabitEthernet 1/0/2
    [FW_A-GigabitEthernet1/0/2] eth-trunk 1
    [FW_A-GigabitEthernet1/0/2] quit
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] eth-trunk 1
    [FW_A-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_A] interface GigabitEthernet 1/0/4
    [FW_A-GigabitEthernet1/0/4] eth-trunk 2
    [FW_A-GigabitEthernet1/0/4] quit
    [FW_A] interface GigabitEthernet 1/0/5
    [FW_A-GigabitEthernet1/0/5] eth-trunk 2
    [FW_A-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_A] firewall zone name dmz
    [FW_A-zone-dmz] add interface Eth-Trunk 0
    [FW_A-zone-dmz] quit

    # Assign Eth-Trunk 1.1 and Eth-Trunk 1.2 to the untrust zone.

    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface Eth-Trunk 1.1
    [FW_A-zone-untrust] add interface Eth-Trunk 1.2
    [FW_A-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface Eth-Trunk 2.1
    [FW_A-zone-trust] quit

  2. Configure interfaces and security zones for FW_B.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_B> system-view
    [FW_B] interface Eth-Trunk 0
    [FW_B-Eth-Trunk0] description To_FW_A
    [FW_B-Eth-Trunk0] ip address 10.10.0.2 24
    [FW_B-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_B] interface Eth-Trunk 1
    [FW_B-Eth-Trunk1] quit
    [FW_B] interface Eth-Trunk 1.1
    [FW_B-Eth-Trunk1.1] description To_GGSN1
    [FW_B-Eth-Trunk1.1] ip address 10.2.0.2 24
    [FW_B-Eth-Trunk1.1] vlan-type dot1q 11
    [FW_B-Eth-Trunk1.1] quit

    # Create Eth-Trunk 1.2 and configure an IP address for it.

    [FW_B] interface Eth-Trunk 1.2
    [FW_B-Eth-Trunk1.2] description To_GGSN2
    [FW_B-Eth-Trunk1.2] ip address 10.2.2.2 24
    [FW_B-Eth-Trunk1.2] vlan-type dot1q 12
    [FW_B-Eth-Trunk1.2] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_B] interface Eth-Trunk 2
    [FW_B-Eth-Trunk2] quit
    [FW_B] interface Eth-Trunk 2.1
    [FW_B-Eth-Trunk2.1] description To_SCG
    [FW_B-Eth-Trunk2.1] ip address 10.3.0.2 24
    [FW_B-Eth-Trunk2.1] vlan-type dot1q 21
    [FW_B-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_B] interface GigabitEthernet 1/0/0
    [FW_B-GigabitEthernet1/0/0] eth-trunk 0
    [FW_B-GigabitEthernet1/0/0] quit
    [FW_B] interface GigabitEthernet 1/0/1
    [FW_B-GigabitEthernet1/0/1] eth-trunk 0
    [FW_B-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_B] interface GigabitEthernet 1/0/2
    [FW_B-GigabitEthernet1/0/2] eth-trunk 1
    [FW_B-GigabitEthernet1/0/2] quit
    [FW_B] interface GigabitEthernet 1/0/3
    [FW_B-GigabitEthernet1/0/3] eth-trunk 1
    [FW_B-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_B] interface GigabitEthernet 1/0/4
    [FW_B-GigabitEthernet1/0/4] eth-trunk 2
    [FW_B-GigabitEthernet1/0/4] quit
    [FW_B] interface GigabitEthernet 1/0/5
    [FW_B-GigabitEthernet1/0/5] eth-trunk 2
    [FW_B-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_B] firewall zone name dmz
    [FW_B-zone-dmz] add interface Eth-Trunk 0
    [FW_B-zone-dmz] quit

    # Assign Eth-Trunk 1.1 and Eth-Trunk 1.2 to the untrust zone.

    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface Eth-Trunk 1.1
    [FW_B-zone-untrust] add interface Eth-Trunk 1.2
    [FW_B-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface Eth-Trunk 2.1
    [FW_B-zone-trust] quit

  3. Configure interfaces and security zones for FW_C.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_C> system-view
    [FW_C] interface Eth-Trunk 0
    [FW_C-Eth-Trunk0] description To_FW_D
    [FW_C-Eth-Trunk0] ip address 10.10.0.3 24
    [FW_C-Eth-Trunk0] quit

    # Create Eth-Trunk 1 and configure an IP address for it.

    [FW_C] interface Eth-Trunk 1
    [FW_C-Eth-Trunk1] quit
    [FW_C] interface Eth-Trunk 1.1
    [FW_C-Eth-Trunk1.1] description To_Internet
    [FW_C-Eth-Trunk1.1] ip address 10.2.1.1 24
    [FW_C-Eth-Trunk1.1] vlan-type dot1q 11
    [FW_C-Eth-Trunk1.1] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_C] interface Eth-Trunk 2
    [FW_C-Eth-Trunk2] quit
    [FW_C] interface Eth-Trunk 2.1
    [FW_C-Eth-Trunk2.1] description To_SCG
    [FW_C-Eth-Trunk2.1] ip address 10.3.1.1 24
    [FW_C-Eth-Trunk2.1] vlan-type dot1q 21
    [FW_C-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_C] interface GigabitEthernet 1/0/0
    [FW_C-GigabitEthernet1/0/0] eth-trunk 0
    [FW_C-GigabitEthernet1/0/0] quit
    [FW_C] interface GigabitEthernet 1/0/1
    [FW_C-GigabitEthernet1/0/1] eth-trunk 0
    [FW_C-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_C] interface GigabitEthernet 1/0/2
    [FW_C-GigabitEthernet1/0/2] eth-trunk 1
    [FW_C-GigabitEthernet1/0/2] quit
    [FW_C] interface GigabitEthernet 1/0/3
    [FW_C-GigabitEthernet1/0/3] eth-trunk 1
    [FW_C-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_C] interface GigabitEthernet 1/0/4
    [FW_C-GigabitEthernet1/0/4] eth-trunk 2
    [FW_C-GigabitEthernet1/0/4] quit
    [FW_C] interface GigabitEthernet 1/0/5
    [FW_C-GigabitEthernet1/0/5] eth-trunk 2
    [FW_C-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_C] firewall zone name dmz
    [FW_C-zone-dmz] add interface Eth-Trunk 0
    [FW_C-zone-dmz] quit

    # Assign Eth-Trunk 1.1 to the untrust zone.

    [FW_C] firewall zone untrust
    [FW_C-zone-untrust] add interface Eth-Trunk 1.1
    [FW_C-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_C] firewall zone trust
    [FW_C-zone-trust] add interface Eth-Trunk 2.1
    [FW_C-zone-trust] quit

  4. Configure interfaces and security zones for FW_D.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_D> system-view
    [FW_D] interface Eth-Trunk 0
    [FW_D-Eth-Trunk0] description To_FW_C
    [FW_D-Eth-Trunk0] ip address 10.10.0.4 24
    [FW_D-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_D] interface Eth-Trunk 1
    [FW_D-Eth-Trunk1] quit
    [FW_D] interface Eth-Trunk 1.1
    [FW_D-Eth-Trunk1.1] description To_Internet
    [FW_D-Eth-Trunk1.1] ip address 10.2.1.2 24
    [FW_D-Eth-Trunk1.1] vlan-type dot1q 11
    [FW_D-Eth-Trunk1.1] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_D] interface Eth-Trunk 2
    [FW_D-Eth-Trunk2] quit
    [FW_D] interface Eth-Trunk 2.1
    [FW_D-Eth-Trunk2.1] description To_SCG
    [FW_D-Eth-Trunk2.1] ip address 10.3.1.2 24
    [FW_D-Eth-Trunk2.1] vlan-type dot1q 21
    [FW_D-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_D] interface GigabitEthernet 1/0/0
    [FW_D-GigabitEthernet1/0/0] eth-trunk 0
    [FW_D-GigabitEthernet1/0/0] quit
    [FW_D] interface GigabitEthernet 1/0/1
    [FW_D-GigabitEthernet1/0/1] eth-trunk 0
    [FW_D-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_D] interface GigabitEthernet 1/0/2
    [FW_D-GigabitEthernet1/0/2] eth-trunk 1
    [FW_D-GigabitEthernet1/0/2] quit
    [FW_D] interface GigabitEthernet 1/0/3
    [FW_D-GigabitEthernet1/0/3] eth-trunk 1
    [FW_D-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_D] interface GigabitEthernet 1/0/4
    [FW_D-GigabitEthernet1/0/4] eth-trunk 2
    [FW_D-GigabitEthernet1/0/4] quit
    [FW_D] interface GigabitEthernet 1/0/5
    [FW_D-GigabitEthernet1/0/5] eth-trunk 2
    [FW_D-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_D] firewall zone name dmz
    [FW_D-zone-dmz] add interface Eth-Trunk 0
    [FW_D-zone-dmz] quit

    # Assign Eth-Trunk 1.1 to the untrust zone.

    [FW_D] firewall zone untrust
    [FW_D-zone-untrust] add interface Eth-Trunk 1.1
    [FW_D-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_D] firewall zone trust
    [FW_D-zone-trust] add interface Eth-Trunk 2.1
    [FW_D-zone-trust] quit

Configuring Availability

Procedure

  1. Configure the hot standby configuration on FW_A.

    # Enable the HRP function.

    [FW_A] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_A] hrp ospf-cost adjust-enable

    # Set the preemption delay of the VGMP group.

    [FW_A] hrp preempt delay 300
    NOTE:
    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_A] hrp interface Eth-Trunk 0 remote 10.10.0.2

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_A] hrp track interface Eth-Trunk 1.1
    [FW_A] hrp track interface Eth-Trunk 1.2

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to active.

    [FW_A] interface Eth-Trunk 2.1
    [FW_A-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 active
    [FW_A-Eth-Trunk2.1] quit

    # Add the interfaces connected to the intranet switch to a link group.

    [FW_A] interface GigabitEthernet 1/0/2
    [FW_A-GigabitEthernet1/0/2] link-group 1
    [FW_A-GigabitEthernet1/0/2] quit
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] link-group 1
    [FW_A-GigabitEthernet1/0/3] quit
    [FW_A] interface GigabitEthernet 1/0/4
    [FW_A-GigabitEthernet1/0/4] link-group 1
    [FW_A-GigabitEthernet1/0/4] quit
    [FW_A] interface GigabitEthernet 1/0/5
    [FW_A-GigabitEthernet1/0/5] link-group 1
    [FW_A-GigabitEthernet1/0/5] quit

  2. Configure the hot standby configuration on FW_B.

    # Enable the HRP function.

    [FW_B] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_B] hrp ospf-cost adjust-enable

    # Set the preemption delay of the VGMP group.

    [FW_B] hrp preempt delay 300
    NOTE:
    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_B] hrp interface Eth-Trunk 0 remote 10.10.0.1

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_B] hrp track interface Eth-Trunk 1.1
    [FW_B] hrp track interface Eth-Trunk 1.2

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to standby.

    [FW_B] interface Eth-Trunk 2.1
    [FW_B-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 standby
    [FW_B-Eth-Trunk2.1] quit

  3. Configure the hot standby configuration on FW_C.

    # Enable the HRP function.

    [FW_C] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_C] hrp ospf-cost adjust-enable

    # Set the preemption delay of the VGMP group.

    [FW_C] hrp preempt delay 300
    NOTE:
    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_C] hrp interface Eth-Trunk 0 remote 10.10.0.4

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_C] hrp track interface Eth-Trunk 1.1

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to active.

    [FW_C] interface Eth-Trunk 2.1
    [FW_C-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 active
    [FW_C-Eth-Trunk2.1] quit

    # Add the interfaces connected to the intranet switch to a link group.

    [FW_C] interface GigabitEthernet 1/0/2
    [FW_C-GigabitEthernet1/0/2] link-group 1
    [FW_C-GigabitEthernet1/0/2] quit
    [FW_C] interface GigabitEthernet 1/0/3
    [FW_C-GigabitEthernet1/0/3] link-group 1
    [FW_C-GigabitEthernet1/0/3] quit
    [FW_C] interface GigabitEthernet 1/0/4
    [FW_C-GigabitEthernet1/0/4] link-group 1
    [FW_C-GigabitEthernet1/0/4] quit
    [FW_C] interface GigabitEthernet 1/0/5
    [FW_C-GigabitEthernet1/0/5] link-group 1
    [FW_C-GigabitEthernet1/0/5] quit

  4. Configure the hot standby configuration on FW_D.

    # Enable the HRP function.

    [FW_D] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_D] hrp ospf-cost adjust-enable

    # Set the preemption delay of the VGMP group.

    [FW_D] hrp preempt delay 300
    NOTE:
    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_D] hrp interface Eth-Trunk 0 remote 10.10.0.3

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_D] hrp track interface Eth-Trunk 1.1

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to standby.

    [FW_D] interface Eth-Trunk 2.1
    [FW_D-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 standby
    [FW_D-Eth-Trunk2.1] quit
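As an added check (not part of the original example), the following Python script cross-validates the two members of each hot standby pair configured above: the heartbeat peer addresses, the VGMP tracking and preemption settings, and the shared VRRP group. The firewall dicts are hand-constructed from the commands on this page, and FW_B_BROKEN is a deliberately misconfigured standby included to show what a finding looks like.

```python
import ipaddress

# Constructed from the hot standby steps above (hand-written, not a device
# export): "hb_ip" is the Eth-Trunk 0 address, "hb_remote" the address given in
# "hrp interface ... remote", "track" the interfaces under "hrp track", and
# "vrrp" the VRRP group configured on the downstream Eth-Trunk 2.1.
FW_A = {
    "name": "FW_A", "hb_ip": "10.10.0.1/24", "hb_remote": "10.10.0.2",
    "preempt_delay": 300, "track": {"Eth-Trunk 1.1", "Eth-Trunk 1.2"},
    "vrrp": {"iface_ip": "10.3.0.1/24", "vrid": 1, "vip": "10.3.0.3", "role": "active"},
}
FW_B = {
    "name": "FW_B", "hb_ip": "10.10.0.2/24", "hb_remote": "10.10.0.1",
    "preempt_delay": 300, "track": {"Eth-Trunk 1.1", "Eth-Trunk 1.2"},
    "vrrp": {"iface_ip": "10.3.0.2/24", "vrid": 1, "vip": "10.3.0.3", "role": "standby"},
}
FW_C = {
    "name": "FW_C", "hb_ip": "10.10.0.3/24", "hb_remote": "10.10.0.4",
    "preempt_delay": 300, "track": {"Eth-Trunk 1.1"},
    "vrrp": {"iface_ip": "10.3.1.1/24", "vrid": 1, "vip": "10.3.1.3", "role": "active"},
}
FW_D = {
    "name": "FW_D", "hb_ip": "10.10.0.4/24", "hb_remote": "10.10.0.3",
    "preempt_delay": 300, "track": {"Eth-Trunk 1.1"},
    "vrrp": {"iface_ip": "10.3.1.2/24", "vrid": 1, "vip": "10.3.1.3", "role": "standby"},
}
# A deliberately broken standby (constructed): wrong heartbeat peer address and
# both members claiming the active role, the two mistakes the check should catch.
FW_B_BROKEN = {
    "name": "FW_B", "hb_ip": "10.10.0.2/24", "hb_remote": "10.10.0.12",
    "preempt_delay": 300, "track": {"Eth-Trunk 1.1", "Eth-Trunk 1.2"},
    "vrrp": {"iface_ip": "10.3.0.2/24", "vrid": 1, "vip": "10.3.0.3", "role": "active"},
}


def check_pair(a, b):
    """Return a list of findings for a hot standby pair; an empty list means consistent."""
    findings = []
    hb_a = ipaddress.ip_interface(a["hb_ip"])
    hb_b = ipaddress.ip_interface(b["hb_ip"])

    # Heartbeat: each member's "remote" must be the peer's own Eth-Trunk 0
    # address, and both addresses must share the heartbeat subnet.
    for me, peer, hb_peer in ((a, b, hb_b), (b, a, hb_a)):
        if ipaddress.ip_address(me["hb_remote"]) != hb_peer.ip:
            findings.append(f"{me['name']}: hrp remote {me['hb_remote']} is not "
                            f"{peer['name']}'s heartbeat address {hb_peer.ip}")
    if hb_a.network != hb_b.network:
        findings.append("heartbeat interfaces are on different subnets")

    # VGMP: both members must track the same upstream interfaces and use the
    # same preemption delay, otherwise their failover decisions diverge.
    if a["track"] != b["track"]:
        findings.append("hrp track interface lists differ between members")
    if a["preempt_delay"] != b["preempt_delay"]:
        findings.append("hrp preempt delay differs between members")

    # VRRP: one VRID and one virtual IP shared by exactly one active and one
    # standby member, with the virtual IP inside the interface subnet and
    # distinct from the interface's own address.
    va, vb = a["vrrp"], b["vrrp"]
    if va["vrid"] != vb["vrid"]:
        findings.append("VRRP VRIDs differ between members")
    if va["vip"] != vb["vip"]:
        findings.append("VRRP virtual IPs differ between members")
    if {va["role"], vb["role"]} != {"active", "standby"}:
        findings.append("VRRP roles must be one active and one standby, got "
                        f"{va['role']}/{vb['role']}")
    for fw, v in ((a, va), (b, vb)):
        ifc = ipaddress.ip_interface(v["iface_ip"])
        vip = ipaddress.ip_address(v["vip"])
        if vip not in ifc.network or vip == ifc.ip:
            findings.append(f"{fw['name']}: virtual IP {vip} is not a free address "
                            f"in {ifc.network}")
    return findings


if __name__ == "__main__":
    for pair in ((FW_A, FW_B), (FW_C, FW_D), (FW_A, FW_B_BROKEN)):
        print(pair[0]["name"], pair[1]["name"], check_pair(*pair) or "OK")
```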

Configuring GRE Tunnels

Procedure

  1. Configure GRE tunnels on FW_A and FW_B.

    NOTE:

    Set the required parameters on the devices at both ends of a GRE tunnel.

    For details on security policy configuration, see the related section.

    Configure GRE tunnels on FW_A.

    HRP_M[FW_A] interface loopback 1
    HRP_M[FW_A-loopback1] ospf cost 10
    HRP_M[FW_A-loopback1] ip address 10.2.0.10 32
    HRP_M[FW_A-loopback1] quit
    HRP_M[FW_A] interface loopback 2
    HRP_M[FW_A-loopback2] ospf cost 10
    HRP_M[FW_A-loopback2] ip address 10.2.0.11 32
    HRP_M[FW_A-loopback2] quit
    HRP_M[FW_A] interface Tunnel 1
    HRP_M[FW_A-Tunnel1] ip address 172.16.2.1 32
    HRP_M[FW_A-Tunnel1] quit
    HRP_M[FW_A] interface Tunnel 2
    HRP_M[FW_A-Tunnel2] ip address 172.16.2.2 32
    HRP_M[FW_A-Tunnel2] quit
    HRP_M[FW_A] firewall zone name tunnelzone
    HRP_M[FW_A-zone-tunnelzone] set priority 20
    HRP_M[FW_A-zone-tunnelzone] add interface tunnel 1
    HRP_M[FW_A-zone-tunnelzone] add interface tunnel 2
    HRP_M[FW_A-zone-tunnelzone] quit
    HRP_M[FW_A] ospf 1
    HRP_M[FW_A-ospf-1] area 1
    HRP_M[FW_A-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255
    HRP_M[FW_A-ospf-1-area-0.0.0.1] quit
    HRP_M[FW_A-ospf-1] quit
    HRP_M[FW_A] interface Tunnel 1
    HRP_M[FW_A-Tunnel1] tunnel-protocol gre
    HRP_M[FW_A-Tunnel1] source loopback1
    HRP_M[FW_A-Tunnel1] destination 10.2.10.1  // IP address of the peer tunnel interface
    HRP_M[FW_A-Tunnel1] gre key cipher 123456
    HRP_M[FW_A-Tunnel1] ospf timer hello 30
    HRP_M[FW_A-Tunnel1] quit
    HRP_M[FW_A] interface Tunnel 2
    HRP_M[FW_A-Tunnel2] tunnel-protocol gre
    HRP_M[FW_A-Tunnel2] source loopback2
    HRP_M[FW_A-Tunnel2] destination 10.2.11.1  // IP address of the peer tunnel interface
    HRP_M[FW_A-Tunnel2] gre key cipher 123456
    HRP_M[FW_A-Tunnel2] ospf timer hello 30
    HRP_M[FW_A-Tunnel2] quit

    Configure GRE tunnels on FW_B.

    HRP_S[FW_B] interface loopback 1
    HRP_S[FW_B-loopback1] ospf cost 1000
    HRP_S[FW_B-loopback1] ip address 10.2.0.12 32
    HRP_S[FW_B-loopback1] quit
    HRP_S[FW_B] interface loopback 2
    HRP_S[FW_B-loopback2] ospf cost 1000
    HRP_S[FW_B-loopback2] ip address 10.2.0.13 32
    HRP_S[FW_B-loopback2] quit
    HRP_S[FW_B] interface Tunnel 1
    HRP_S[FW_B-Tunnel1] ip address 172.16.2.3 32
    HRP_S[FW_B-Tunnel1] quit
    HRP_S[FW_B] interface Tunnel 2
    HRP_S[FW_B-Tunnel2] ip address 172.16.2.4 32
    HRP_S[FW_B-Tunnel2] quit
    HRP_S[FW_B] ospf 1
    HRP_S[FW_B-ospf-1] area 1
    HRP_S[FW_B-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255
    HRP_S[FW_B-ospf-1-area-0.0.0.1] quit
    HRP_S[FW_B-ospf-1] quit
    HRP_S[FW_B] interface Tunnel 1
    HRP_S[FW_B-Tunnel1] tunnel-protocol gre
    HRP_S[FW_B-Tunnel1] source loopback1
    HRP_S[FW_B-Tunnel1] destination 10.2.10.2  // IP address of the peer tunnel interface
    HRP_S[FW_B-Tunnel1] gre key cipher 123456
    HRP_S[FW_B-Tunnel1] ospf timer hello 30
    HRP_S[FW_B-Tunnel1] quit
    HRP_S[FW_B] interface Tunnel 2
    HRP_S[FW_B-Tunnel2] tunnel-protocol gre
    HRP_S[FW_B-Tunnel2] source loopback2
    HRP_S[FW_B-Tunnel2] destination 10.2.11.2  // IP address of the peer tunnel interface
    HRP_S[FW_B-Tunnel2] gre key cipher 123456
    HRP_S[FW_B-Tunnel2] ospf timer hello 30
    HRP_S[FW_B-Tunnel2] quit

Configuring Security Policies

Procedure

  1. Configure security policies on FW_A and FW_B.

    NOTE:

    After hot standby is implemented, the security policy configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    # Configure a Trust-tunnelzone interzone security policy to permit pre-encapsulated packets.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name trust_tunnelzone_outbound
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] destination-zone tunnelzone
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-address 10.3.0.0 24
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] action permit
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] quit
    HRP_M[FW_A-policy-security] rule name trust_tunnelzone_inbound
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] source-zone tunnelzone
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] destination-zone trust
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] destination-address 10.3.0.0 24
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] action permit
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] quit

    # Configure a Local-DMZ interzone security policy to permit heartbeat packets.

    HRP_M[FW_A-policy-security] rule name local_dmz_outbound
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] source-zone local
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] action permit
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] quit
    HRP_M[FW_A-policy-security] rule name local_dmz_inbound
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] source-zone dmz
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-zone local
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] action permit
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] quit

    # Configure a Local-Untrust interzone security policy to permit encapsulated GRE packets in both directions.

    HRP_M[FW_A-policy-security] rule name local_untrust_outbound
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-address 10.2.0.0 16
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] action permit
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] quit
    HRP_M[FW_A-policy-security] rule name local_untrust_inbound
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] destination-address 10.2.0.0 16
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] action permit
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] quit

  2. Configure security policies on FW_C and FW_D.

    NOTE:

    After hot standby is implemented, the security policy configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    # Configure a Local-DMZ interzone security policy to permit heartbeat packets.

    HRP_M[FW_C] security-policy
    HRP_M[FW_C-policy-security] rule name local_dmz_outbound
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-zone local
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] destination-zone dmz
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] action permit
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] quit
    HRP_M[FW_C-policy-security] rule name local_dmz_inbound
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] source-zone dmz
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] destination-zone local
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] action permit
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] quit

    # Configure a Trust-Untrust interzone security policy in both directions.

    HRP_M[FW_C-policy-security] rule name trust_untrust_outbound
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] source-zone trust
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] destination-zone untrust
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] destination-address 10.2.1.0 24
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] action permit
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] quit
    HRP_M[FW_C-policy-security] rule name trust_untrust_inbound
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-zone untrust
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] destination-zone trust
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-address 10.2.1.0 24
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] action permit
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] quit
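The following Python lint is added here as an editor's example (it is not Huawei tooling). It parses a security-policy transcript in the prompt format used on this page and flags rules that reference a zone that was never created, rules whose source and destination zones contradict the `<a>_<b>_outbound` / `<a>_<b>_inbound` naming convention the page uses, and permit rules with no address or service restriction at all. The SAMPLE transcript is constructed and deliberately contains a misspelled zone name and a reversed rule so that the output shows what a finding looks like.

```python
import re

# Prompt shapes seen in the transcripts on this page: "[FW_A] cmd" and
# "HRP_M[FW_A-policy-security] cmd"; the capture group is the command itself.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|(?:HRP_[MS])?\[[^\]]+\])\s*(.*?)\s*$")
# Zones that exist on the firewall without an explicit "firewall zone name".
BUILTIN_ZONES = {"local", "trust", "untrust", "dmz"}
# Rule attributes the lint cares about.
ATTRS = ("source-zone", "destination-zone", "source-address",
         "destination-address", "service", "action")

# Constructed sample (hand-written, not a device export). It contains the two
# defects the lint should report: "tunnel_zone" is not the zone that was created
# ("tunnelzone"), and local_untrust_outbound has its zones reversed.
SAMPLE = """
HRP_M[FW_A] firewall zone name tunnelzone
HRP_M[FW_A-zone-tunnelzone] set priority 20
HRP_M[FW_A-zone-tunnelzone] quit
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_tunnelzone_outbound
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] destination-zone tunnel_zone
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] action permit
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] quit
HRP_M[FW_A-policy-security] rule name local_untrust_outbound
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-zone untrust
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] destination-zone local
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-address 10.2.0.0 16
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] action permit
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] quit
HRP_M[FW_A-policy-security] rule name local_dmz_inbound
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] source-zone dmz
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-zone local
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] action permit
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] quit
"""


def commands(transcript):
    """Yield the command part of each prompt line, dropping trailing // remarks."""
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            cmd = m.group(1).split("//")[0].strip()
            if cmd:
                yield cmd


def parse(transcript):
    """Return (zones, rules, dups): defined zone names, rule attributes by name, repeated names."""
    zones, rules, dups, current = set(BUILTIN_ZONES), {}, [], None
    for cmd in commands(transcript):
        w = cmd.split()
        if w[:2] == ["firewall", "zone"]:
            zones.add(w[3] if w[2] == "name" else w[2])   # "zone name X" or "zone X"
        elif w[:2] == ["rule", "name"]:
            if w[2] in rules:
                dups.append(w[2])
            current = rules.setdefault(w[2], {})
        elif current is not None and w[0] in ATTRS:
            current[w[0]] = " ".join(w[1:])
        elif cmd == "quit":
            current = None                                  # left the rule view
    return zones, rules, dups


def lint(transcript):
    """Return human-readable findings for the security-policy rules in a transcript."""
    zones, rules, dups = parse(transcript)
    findings = [f"{d}: rule name defined more than once" for d in dups]
    for name, r in rules.items():
        src, dst = r.get("source-zone"), r.get("destination-zone")
        for z in (src, dst):
            if z is not None and z not in zones:
                findings.append(f"{name}: zone '{z}' is never defined")
        # Naming convention on this page: a_b_outbound is a -> b, a_b_inbound is b -> a.
        parts = name.rsplit("_", 2)
        if len(parts) == 3 and parts[2] in ("outbound", "inbound"):
            want = (parts[0], parts[1]) if parts[2] == "outbound" else (parts[1], parts[0])
            if (src, dst) != want:
                findings.append(f"{name}: zones {src}->{dst} contradict the rule name "
                                f"(expected {want[0]}->{want[1]})")
        if "action" not in r:
            findings.append(f"{name}: no action configured")
        elif r["action"] == "permit" and not (r.keys() & {"source-address",
                                                          "destination-address", "service"}):
            findings.append(f"{name}: permits any source to any destination on any service")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```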

Configuring NAT

Procedure

  1. Configure the NAT Server function on FW_A and FW_B.

    NOTE:

    After hot standby is implemented, the NAT configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    Configure NAT Server based on the service requirements.

    # Configure the NAT Server function on FW_A.

    HRP_M[FW_A] nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80

  2. Configure source NAT on FW_C and FW_D.

    NOTE:

    After hot standby is implemented, the NAT and ASPF configurations on FW_C are automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.

    # Create a NAT address pool on FW_C.

    HRP_M[FW_C] nat address-group addressgroup1
    HRP_M[FW_C-address-group-addressgroup1] section 1.1.1.6 1.1.1.10
    HRP_M[FW_C-address-group-addressgroup1] mode pat
    HRP_M[FW_C-address-group-addressgroup1] quit

    # Configure a NAT policy. In this section, the source addresses of the packets from network segment 10.3.1.0/24 at the SCG are translated. Add rules to the NAT policy as required.

    HRP_M[FW_C] nat-policy
    HRP_M[FW_C-policy-nat] rule name trust_untrust_outbound
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-zone trust
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-address 10.3.1.0 0.0.0.255
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1 
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] quit
    HRP_M[FW_C-policy-nat] quit

Configuring Routes

Procedure

  1. Configure routes on FW_A.

    HRP_M[FW_A] acl number 2000
    HRP_M[FW_A-acl-basic-2000] description ospf1_import_ggsn
    HRP_M[FW_A-acl-basic-2000] rule 5 permit source 221.180.0.0 0.0.0.255  // Network segment of the GGSN
    HRP_M[FW_A-acl-basic-2000] rule 100 deny
    HRP_M[FW_A-acl-basic-2000] quit
    HRP_M[FW_A] interface Eth-Trunk 1
    HRP_M[FW_A-Eth-Trunk1] ospf cost 10
    HRP_M[FW_A-Eth-Trunk1] ospf network-type p2p
    HRP_M[FW_A-Eth-Trunk1] quit
    HRP_M[FW_A] ospf 1
    HRP_M[FW_A-ospf-1] filter-policy 2000 import
    HRP_M[FW_A-ospf-1] area 1
    HRP_M[FW_A-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123
    HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255
    HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255
    HRP_M[FW_A-ospf-1-area-0.0.0.1] quit
    HRP_M[FW_A-ospf-1] quit

  2. Configure routes on FW_B.

    NOTE:

    After hot standby is implemented, the ACL configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    HRP_S[FW_B] interface Eth-Trunk 1
    HRP_S[FW_B-Eth-Trunk1] ospf cost 1000
    HRP_S[FW_B-Eth-Trunk1] ospf network-type p2p
    HRP_S[FW_B-Eth-Trunk1] quit
    HRP_S[FW_B] ospf 1
    HRP_S[FW_B-ospf-1] filter-policy 2000 import
    HRP_S[FW_B-ospf-1] area 1
    HRP_S[FW_B-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123
    HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255
    HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255
    HRP_S[FW_B-ospf-1-area-0.0.0.1] quit
    HRP_S[FW_B-ospf-1] quit

  3. Configure routes on FW_C.

    HRP_M[FW_C] acl number 2100
    HRP_M[FW_C-acl-basic-2100] description ospf1_import_ggsn
    HRP_M[FW_C-acl-basic-2100] rule 5 permit source 0.0.0.0 0
    HRP_M[FW_C-acl-basic-2100] rule 1000 deny
    HRP_M[FW_C-acl-basic-2100] quit
    HRP_M[FW_C] interface Eth-Trunk 1
    HRP_M[FW_C-Eth-Trunk1] ospf cost 10
    HRP_M[FW_C-Eth-Trunk1] ospf network-type p2p
    HRP_M[FW_C-Eth-Trunk1] quit
    HRP_M[FW_C] ospf 2
    HRP_M[FW_C-ospf-2] filter-policy 2100 import
    HRP_M[FW_C-ospf-2] import-route static
    HRP_M[FW_C-ospf-2] area 2
    HRP_M[FW_C-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123
    HRP_M[FW_C-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255
    HRP_M[FW_C-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255
    HRP_M[FW_C-ospf-2-area-0.0.0.2] quit
    HRP_M[FW_C-ospf-2] quit

    # Configure black-hole routes.

    HRP_M[FW_C] ip route-static 1.1.1.6 32 NULL 0
    HRP_M[FW_C] ip route-static 1.1.1.7 32 NULL 0
    HRP_M[FW_C] ip route-static 1.1.1.8 32 NULL 0
    HRP_M[FW_C] ip route-static 1.1.1.9 32 NULL 0
    HRP_M[FW_C] ip route-static 1.1.1.10 32 NULL 0

  4. Configure routes on FW_D.

    NOTE:

    After hot standby is implemented, the ACL configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    HRP_S[FW_D] interface Eth-Trunk 1
    HRP_S[FW_D-Eth-Trunk1] ospf cost 10
    HRP_S[FW_D-Eth-Trunk1] ospf network-type p2p
    HRP_S[FW_D-Eth-Trunk1] quit
    HRP_S[FW_D] ospf 2
    HRP_S[FW_D-ospf-2] filter-policy 2100 import
    HRP_S[FW_D-ospf-2] import-route static
    HRP_S[FW_D-ospf-2] area 2
    HRP_S[FW_D-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123
    HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255
    HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255
    HRP_S[FW_D-ospf-2-area-0.0.0.2] quit
    HRP_S[FW_D-ospf-2] quit

    # Configure black-hole routes.

    HRP_S[FW_D] ip route-static 1.1.1.6 32 NULL 0
    HRP_S[FW_D] ip route-static 1.1.1.7 32 NULL 0
    HRP_S[FW_D] ip route-static 1.1.1.8 32 NULL 0
    HRP_S[FW_D] ip route-static 1.1.1.9 32 NULL 0
    HRP_S[FW_D] ip route-static 1.1.1.10 32 NULL 0

Others

Procedure

  1. Configure ASPF.

    NOTE:

    After hot standby is implemented, the ASPF configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    # Configure ASPF on FW_A.

    HRP_M[FW_A] firewall interzone trust untrust
    HRP_M[FW_A-interzone-trust-untrust] detect rtsp
    HRP_M[FW_A-interzone-trust-untrust] detect ftp
    HRP_M[FW_A-interzone-trust-untrust] detect pptp
    HRP_M[FW_A-interzone-trust-untrust] quit

    NOTE:

    After hot standby is implemented, the NAT and ASPF configurations on FW_C are automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.

    # Configure ASPF on FW_C.

    HRP_M[FW_C] firewall interzone trust untrust
    HRP_M[FW_C-interzone-trust-untrust] detect rtsp
    HRP_M[FW_C-interzone-trust-untrust] detect ftp
    HRP_M[FW_C-interzone-trust-untrust] detect pptp
    HRP_M[FW_C-interzone-trust-untrust] quit

  2. Configure attack defense.

    NOTE:

    After hot standby is implemented, the attack defense configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    # Configure attack defense on FW_A.

    HRP_M[FW_A] firewall defend land enable
    HRP_M[FW_A] firewall defend smurf enable
    HRP_M[FW_A] firewall defend fraggle enable
    HRP_M[FW_A] firewall defend ip-fragment enable
    HRP_M[FW_A] firewall defend tcp-flag enable
    HRP_M[FW_A] firewall defend winnuke enable
    HRP_M[FW_A] firewall defend source-route enable
    HRP_M[FW_A] firewall defend teardrop enable
    HRP_M[FW_A] firewall defend route-record enable
    HRP_M[FW_A] firewall defend time-stamp enable
    HRP_M[FW_A] firewall defend ping-of-death enable

    NOTE:

    After hot standby is implemented, the attack defense configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    # Configure attack defense on FW_C.

    HRP_M[FW_C] firewall defend land enable
    HRP_M[FW_C] firewall defend smurf enable
    HRP_M[FW_C] firewall defend fraggle enable
    HRP_M[FW_C] firewall defend ip-fragment enable
    HRP_M[FW_C] firewall defend tcp-flag enable
    HRP_M[FW_C] firewall defend winnuke enable
    HRP_M[FW_C] firewall defend source-route enable
    HRP_M[FW_C] firewall defend teardrop enable
    HRP_M[FW_C] firewall defend route-record enable
    HRP_M[FW_C] firewall defend time-stamp enable
    HRP_M[FW_C] firewall defend ping-of-death enable


  3. Configure the NMS (SNMP).

    NOTE:

    After hot standby is implemented, the SNMP configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    You need to refer to the configuration guide of the NMS that is deployed. Make sure the configuration of authentication parameters on the NMS is consistent with the configuration on the FWs. Otherwise, the NMS cannot manage the FWs. In this example, SNMPv3 is used by the FWs and NMS to communicate.

    # Configure the SNMP version on the FW. This step is optional: SNMPv3 is used by default, so perform it only to change the SNMP version.

    HRP_M[FW_A] snmp-agent sys-info version v3

    # Configure an SNMPv3 user group.

    HRP_M[FW_A] snmp-agent group v3 NMS1 privacy

    # Configure an SNMPv3 user.

    HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

    # Configure contact information.

    HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang

    # Configure location information.

    HRP_M[FW_A] snmp-agent sys-info location Beijing

    # Configure the SNMP alarm function on the FW.

    HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy
    HRP_M[FW_A] snmp-agent trap enable
    Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

    NOTE:

    After hot standby is implemented, the SNMP configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    You need to refer to the configuration guide of the NMS that is deployed. Make sure the configuration of authentication parameters on the NMS is consistent with the configuration on the FWs. Otherwise, the NMS cannot manage the FWs. In this example, SNMPv3 is used by the FWs and NMS to communicate.

    # Configure the SNMP version on the FW. This step is optional: SNMPv3 is used by default, so perform it only to change the SNMP version.

    HRP_M[FW_C] snmp-agent sys-info version v3

    # Configure an SNMPv3 user group.

    HRP_M[FW_C] snmp-agent group v3 NMS1 privacy

    # Configure an SNMPv3 user.

    HRP_M[FW_C] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

    # Configure contact information.

    HRP_M[FW_C] snmp-agent sys-info contact Mr.zhang

    # Configure location information.

    HRP_M[FW_C] snmp-agent sys-info location Beijing

    # Configure the SNMP alarm function on the FW.

    HRP_M[FW_C] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy
    HRP_M[FW_C] snmp-agent trap enable
    Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

  4. For basic network parameter settings and active/standby configurations of the upstream and downstream switches and routers, see the product documentation of the switches and routers.
Updated: 2019-01-26

Document ID: EDOC1100062972