HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Firewall Interface Planning

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
1 | FW-3 | GE1/0/1 | SW-1 | GE1/1/0/3 | Upstream service interface
2 | FW-3 | GE1/0/2 | SW-1 | GE1/1/0/4 | Downstream service interface
3 | FW-4 | GE1/0/1 | SW-2 | GE2/1/0/3 | Upstream service interface
4 | FW-4 | GE1/0/2 | SW-2 | GE2/1/0/4 | Downstream service interface
5 | FW-3 | GE1/0/3 | FW-4 | GE1/0/3 | Heartbeat interface
6 | FW-4 | GE1/0/3 | FW-3 | GE1/0/3 | Heartbeat interface

Firewall IP Address Planning

No. | Local Device | Local Interface | Local IP Address | Peer Device | Peer Interface | Peer IP Address
1 | FW-3 | GE1/0/1 | 10.4.1.2/29 (VRID 1, VIP 10.4.1.1) | SW-1 | VLANIF101 | 10.4.1.4/29
2 | FW-3 | GE1/0/2 | 10.5.1.2/29 (VRID 2, VIP 10.5.1.1) | SW-1 | VLANIF102 | 10.5.1.4/29
3 | FW-3 | GE1/0/3 | 10.10.10.1/24 | FW-4 | GE1/0/3 | 10.10.10.2/24
4 | FW-4 | GE1/0/1 | 10.4.1.3/29 (VRID 1, VIP 10.4.1.1) | SW-2 | VLANIF101 | 10.4.1.4/29
5 | FW-4 | GE1/0/2 | 10.5.1.3/29 (VRID 2, VIP 10.5.1.1) | SW-2 | VLANIF102 | 10.5.1.4/29
6 | FW-4 | GE1/0/3 | 10.10.10.2/24 | FW-3 | GE1/0/3 | 10.10.10.1/24

Firewall Security Zone Planning

No. | Security Zone | Security Zone Priority | Included Interface | Remarks
1 | untrust | 5 | GE1/0/2 | Downstream service interface
2 | trust | 100 | GE1/0/1 | Upstream service interface
3 | dmz | 50 | GE1/0/3 | Heartbeat interface

Firewall Security Policy Planning

No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Action
1 | sc_to_sacg | trust | any | local | any | permit
2 | sacg_to_client | local | any | untrust | any | permit

Firewall Route Planning

Static routes on firewalls

No. | Destination Address | Mask | Next Hop | Remarks
1 | 0.0.0.0 | 0.0.0.0 | 10.4.1.4 | Route that guides traffic back to the switch

Agile Controller Data Planning

Item | Data | Remarks
Service Controller 1 | IP address: 192.168.1.2/24; Port: 3288; Shared key: TSM_Security | The port and shared key configured on the FW must match those configured on the Service Controller. When the Web push function is configured on the FW and an unauthenticated terminal user attempts to access a Web server in the post-authentication domain, the FW pushes the Web authentication page to the terminal user, who can then authenticate on that page.
Service Controller 2 | IP address: 192.168.1.3/24; Port: 3288; Shared key: TSM_Security | Same as Service Controller 1.
Service Manager | Login address: https://192.168.1.2:8443; User name: admin; Password: Admin@123 | The Service Manager and Service Controller 1 are installed on the same server. Log in to the Service Manager to configure the Agile Controller.
Network segment on which the terminal user resides | 10.8.1.0/24 | Network segment of users in branch 1.
Post-authentication domain | 10.1.1.4; 10.1.1.5 | Add the servers in the data center service area to the post-authentication domain and apply it to the user accounts in branch 1.
Isolation domain | Patch server: 192.168.2.3/24; Antivirus server: 192.168.2.5/24 | Add the patch server and antivirus server to the isolation domain and apply it to the user accounts in branch 1.
Pre-authentication domain | DNS server: 192.168.3.3/24; Service Controller 1: 192.168.1.2/24; Service Controller 2: 192.168.1.3/24 | Add the DNS server and Service Controllers to the pre-authentication domain.

Agile Controller User Data Planning

User Name | User IP Address | User Group | Role ID | Role Name | Remarks
lee | 10.8.1.3 | ROOT\development | 1 | DefaultDeny | This role is prohibited from accessing all services.
lee | 10.8.1.3 | ROOT\development | 6 | Permit_1 | This role is allowed to access the service system.
lee | 10.8.1.3 | ROOT\development | 255 | Last | This role is allowed to access the pre-authentication domain.
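The pre-authentication, isolation and post-authentication domains in the data planning, together with the roles above, imply a per-terminal access decision. The following Python sketch is added here as an illustration; it is not taken from Huawei's documentation or firewall software. It reuses the page's addresses, while the terminal states, the Web ports and the remediation-only treatment of non-compliant terminals are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Domains and user segment taken from the Agile Controller data planning above.
PRE_AUTH_DOMAIN = {"192.168.3.3", "192.168.1.2", "192.168.1.3"}  # DNS server, SC1, SC2
ISOLATION_DOMAIN = {"192.168.2.3", "192.168.2.5"}                # patch and antivirus servers
POST_AUTH_DOMAIN = {"10.1.1.4", "10.1.1.5"}                      # data center service area
USER_SEGMENT = ip_network("10.8.1.0/24")                         # branch 1 users
WEB_PORTS = {80, 443}                                            # assumed ports for "Web server"

# Terminal states are a simplification assumed here, not a Huawei API.
UNAUTHENTICATED = "unauthenticated"   # no identity yet
NONCOMPLIANT = "noncompliant"         # authenticated, but failed the security check
COMPLIANT = "compliant"               # authenticated and passed the security check

@dataclass
class Terminal:
    ip: str
    state: str
    role: str = "Last"   # role names from the user data planning: DefaultDeny, Permit_1, Last

def decide(term: Terminal, dst_ip: str, dst_port: int, web_push: bool = True) -> str:
    """Return 'permit', 'deny' or 'redirect' for one access attempt (simplified model)."""
    if ip_address(term.ip) not in USER_SEGMENT:
        return "deny"                       # not a planned terminal segment
    if dst_ip in PRE_AUTH_DOMAIN:
        return "permit"                     # reachable before authentication (DNS, controllers)
    if term.state == UNAUTHENTICATED:
        # Web push: an HTTP(S) request to a post-authentication Web server is answered
        # with the authentication page instead of being silently dropped.
        if web_push and dst_ip in POST_AUTH_DOMAIN and dst_port in WEB_PORTS:
            return "redirect"
        return "deny"
    if term.state == NONCOMPLIANT:
        # Assumed: a terminal that fails the check may only reach the remediation servers.
        return "permit" if dst_ip in ISOLATION_DOMAIN else "deny"
    # Compliant: the role assigned by the controller decides.
    if term.role == "Permit_1" and dst_ip in POST_AUTH_DOMAIN:
        return "permit"                     # "allowed to access the service system"
    return "deny"                           # DefaultDeny, Last, or an unplanned destination

if __name__ == "__main__":
    lee = Terminal("10.8.1.3", UNAUTHENTICATED)
    print(decide(lee, "10.1.1.4", 80))                                          # redirect
    print(decide(Terminal("10.8.1.3", COMPLIANT, "Permit_1"), "10.1.1.5", 443))  # permit
```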

Updated: 2019-01-26

Document ID: EDOC1100062972