HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Precautions

Hot Standby

  • The recommended preemption delay of a VGMP group is 300s.

  • Hot standby supports OSPF and BGP route adjustment only; IS-IS route adjustment is not supported. If OSPF or BGP route adjustment is configured, also configure an interzone security policy that permits the OSPF or BGP packets.

  • HRP is associated with routing protocols to adjust route costs. Table 7-6 lists the routes that can be associated with HRP.

    Table 7-6  Routes that can be associated with HRP

    Item | Supported or Not

    BGP routes that can be associated with HRP
      By route type:
        1. BGP IPv4 unicast routes
        2. BGP VPNv4 routes
        3. BGP IPv6 unicast routes
      By route origin:
        1. Routes learned from IBGP peers
        2. Routes learned from EBGP peers
        3. Routes imported from other routing protocols
        4. Advertised default routes

    OSPF routes that can be associated with HRP
      By route origin:
        1. Direct routes advertised using the network command
        2. Imported external routes
        3. Advertised default routes
      By LSA type:
        1. Type 1 LSA: router LSA
        2. Type 3 LSA: summary LSA
        3. Type 5 LSA: AS-external-LSA
        4. Type 7 LSA: NSSA AS-external-LSA
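The following configuration is an added example, not taken from the Huawei document, that shows how the hot standby precautions above combine on the active firewall: the 300s preemption delay, OSPF cost adjustment by HRP, and the interzone policy that permits the OSPF packets (IP protocol 89) the firewall itself exchanges. Only hrp nat resource, firewall gre inner hash enable and the display commands are quoted on this page; the remaining commands (hrp enable, hrp interface, hrp preempt delay, hrp track interface, hrp adjust ospf-cost enable, and the security-policy rule syntax) are assumed USG6000-series CLI syntax, and the interface names, addresses and zone names are placeholders to be replaced with the values from the project's plan.

```text
# Active firewall of a hot standby pair (added example, assumed USG6000-series CLI).
# Interfaces, addresses and zone names are placeholders.
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2     # heartbeat link to the standby
hrp preempt delay 300                                    # recommended VGMP preemption delay: 300s
hrp track interface GigabitEthernet 1/0/1                # service interface whose failure triggers a switchover
hrp adjust ospf-cost enable                              # HRP raises the OSPF cost on the standby device
#                                                        # (OSPF/BGP only; IS-IS adjustment is not supported)
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255                             # direct route advertised with the network command
#
# Interzone policy for the OSPF packets exchanged between the firewall (local zone)
# and the neighbouring routers in the trust zone; without it OSPF adjacencies fail.
security-policy
 rule name permit-ospf-out
  source-zone local
  destination-zone trust
  service protocol 89
  action permit
 rule name permit-ospf-in
  source-zone trust
  destination-zone local
  service protocol 89
  action permit
```

Only the OSPF traffic between the firewall and its neighbours is opened here; the rest of the interzone policy set is still written from the security policy plan rather than as a permit-all rule.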

Security Policies

For security reasons, design interzone security policies according to the security policy plan. Do not open all interzone security policies, that is, do not permit all traffic between zones.

Attack Defense

Use the recommended attack defense configuration.

NAT

  • When planning the NAT address pool, keep the ratio of public addresses to private addresses at about 1:5,000.

  • If servers on the core network provide extranet access services, use port-based mapping rather than one-to-one IP address mapping when configuring the NAT server.

  • The recommended NAT mode is 5-tuple NAT. If customers require triplet NAT, contact service or R&D engineers to reassess the solution.

  • In load balancing scenarios, both devices process service traffic. If NAPT is configured, the two devices may allocate the same public port. To prevent such conflicts, configure separate NAT port resources for each device: run the hrp nat resource primary-group command on the active device; the standby device then automatically generates the hrp nat resource secondary-group command.

  • You are advised to configure blackhole routes for the NAT address pool to prevent such issues as routing loops.
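The following configuration is an added example, not taken from the Huawei document, that applies the NAT precautions above on the active firewall of a load-balancing hot standby pair: a 5-tuple (PAT) address pool sized at roughly 1:5,000, separate NAT port resources for the two devices, a blackhole route for the pool, and a port-based NAT server mapping instead of a one-to-one address mapping. Only the hrp nat resource command is quoted on this page; the nat address-group, nat server, nat-policy and ip route-static syntax is assumed USG6000-series CLI syntax, and all addresses and names are placeholders (203.0.113.0/28 and 10.1.0.0/16 are documentation ranges).

```text
# NAT configuration on the active firewall (added example, assumed USG6000-series CLI).
# All addresses and object names are placeholders.
nat address-group pool1
 mode pat                                   # 5-tuple NAT (NAPT); triplet NAT only after re-assessment
 section 0 203.0.113.1 203.0.113.10         # 10 public addresses: about 50,000 private hosts at 1:5,000
#
# Separate NAT port resources so the two load-balancing devices never allocate
# the same public port. The standby generates "hrp nat resource secondary-group" itself.
hrp nat resource primary-group
#
# Blackhole route for the address pool: packets to a pool address with no
# active session are dropped instead of looping between the firewall and the upstream router.
ip route-static 203.0.113.0 255.255.255.240 NULL0
#
# Publish the internal web server on one public port (port-based mapping),
# not as a one-to-one mapping of a whole public address.
nat server web-http protocol tcp global 203.0.113.20 8080 inside 10.1.1.20 80
#
# Source NAT policy for outbound traffic from the private range to the pool.
nat-policy
 rule name outbound-snat
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 16
  action source-nat address-group pool1
```

The pool size follows directly from the 1:5,000 guideline (10 public addresses for a /16 of private hosts); if the private range grows, extend the section and the blackhole route together so the two never diverge.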

GRE

When both of the following conditions are met, you are advised to enable SPU selection based on the GRE inner packet, so that traffic is evenly distributed across multiple CPUs:
  • All traffic is encapsulated over one or multiple GRE tunnels.
  • The number of CPU sessions over a single GRE tunnel is more than 1,000,000.

Run the firewall gre inner hash enable command to select the CPU by a hash computed over the GRE inner packet header rather than the outer GRE header.

Performance

In load-balancing hot standby scenarios, ensure that after all traffic is switched to one device, it does not exceed 70% of that device's interface bandwidth or SPU CPU processing capability. Run the display interface command to check the interface bandwidth utilization and the display cpu-usage command to check the SPU CPU usage.

Updated: 2019-01-26

Document ID: EDOC1100062972