
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

As shown in Figure 4-14, the FW is attached to the CE12800 and works at Layer 3. VRF is configured on the CE12800 to virtualize it into an upstream switch (the root switch Public) and downstream switches (multiple virtual switches VRF). VRRP runs between the FW and both the root switch Public and the virtual switches VRF of the CE12800. The virtual IP addresses of the VRRP groups on the CE12800 serve as gateway addresses for the Portal system and virtual machines. Traffic from extranet enterprise users to the Portal system or virtual machines is forwarded by the root switch Public of the CE12800 to the FW; after the FW has processed it, the traffic is forwarded by the virtual switches VRF of the CE12800 to the Portal system or virtual machines. Return traffic is first forwarded by the virtual switch VRF of the CE12800 to the FW and, after the FW has processed it, is forwarded onward by the root switch Public of the CE12800.

Figure 4-14  Off-line deployment of FWs

The following describes the service planning in detail.

Interfaces and Security Zones

This section describes the connection between FW_A and CE12800_A.

As shown in Figure 4-15, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of CE12800_A. Details are as follows:

  • Multiple (3 in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each subinterface has an IP address. All but one of the subinterfaces belong to different virtual systems and are assigned to the Untrust zone of their respective virtual systems. The remaining subinterface belongs to the root system and is assigned to the Untrust zone of the root system.
  • 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
Figure 4-15  GE1/0/1 connection of FW_A

As shown in Figure 4-16, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of CE12800_A. Details are as follows:

  • Two (or more as required by the Portal system) subinterfaces are defined for GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the DMZ of the root system.
  • 10GE1/1/0/2 interface of CE12800_A is a trunk interface that permits packets of two VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
Figure 4-16  GE1/0/2 connection of FW_A

As shown in Figure 4-17, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of CE12800_A. Details are as follows:

  • Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each subinterface has an IP address. Each subinterface belongs to a different virtual system and is assigned to the Trust zone of the virtual system.
  • 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
Figure 4-17  GE1/0/3 connection of FW_A

The connection between FW_B and CE12800_B is the same, the only difference being the IP addresses.

NOTE:

One virtual machine can request to access the public address of another. The exchanged packets are forwarded by the CE12800.

Table 4-6 describes the planning of interfaces and security zones on the FWs.

Table 4-6  Planning of interfaces and security zones

| Interface | FW_A | FW_B | Description |
|---|---|---|---|
| GE1/0/1 | IP address: none; virtual system: public; security zone: Untrust | IP address: none; virtual system: public; security zone: Untrust | Connected to 10GE1/1/0/1 of the CE12800. |
| GE1/0/1.10 | IP address: 172.16.10.252/24; virtual system: vfw1; security zone: Untrust; VRRP ID: 10; virtual IP address: 172.16.10.254; state: active | IP address: 172.16.10.253/24; virtual system: vfw1; security zone: Untrust; VRRP ID: 10; virtual IP address: 172.16.10.254; state: standby | subinterface of vfw1. |
| GE1/0/1.11 | IP address: 172.16.11.252/24; virtual system: vfw2; security zone: Untrust; VRRP ID: 11; virtual IP address: 172.16.11.254; state: active | IP address: 172.16.11.253/24; virtual system: vfw2; security zone: Untrust; VRRP ID: 11; virtual IP address: 172.16.11.254; state: standby | subinterface of vfw2. |
| GE1/0/1.1000 | IP address: 172.16.9.252/24; virtual system: public; security zone: Untrust; VRRP ID: 9; virtual IP address: 172.16.9.254; state: active | IP address: 172.16.9.253/24; virtual system: public; security zone: Untrust; VRRP ID: 9; virtual IP address: 172.16.9.254; state: standby | subinterface of the root system. |
| GE1/0/2 | IP address: none; virtual system: public; security zone: DMZ | IP address: none; virtual system: public; security zone: DMZ | Connected to 10GE1/1/0/2 of the CE12800. |
| GE1/0/2.1 | IP address: 10.159.1.252/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: active | IP address: 10.159.1.253/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: standby | subinterface of the root system. |
| GE1/0/2.2 | IP address: 10.159.2.252/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: active | IP address: 10.159.2.253/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: standby | subinterface of the root system. |
| GE1/0/3 | IP address: none; virtual system: public; security zone: Trust | IP address: none; virtual system: public; security zone: Trust | Connected to 10GE1/1/0/3 of the CE12800. |
| GE1/0/3.10 | IP address: 10.159.10.252/24; virtual system: vfw1; security zone: Trust; VRRP ID: 110; virtual IP address: 10.159.10.254; state: active | IP address: 10.159.10.253/24; virtual system: vfw1; security zone: Trust; VRRP ID: 110; virtual IP address: 10.159.10.254; state: standby | subinterface of vfw1. |
| GE1/0/3.11 | IP address: 10.159.11.252/24; virtual system: vfw2; security zone: Trust; VRRP ID: 111; virtual IP address: 10.159.11.254; state: active | IP address: 10.159.11.253/24; virtual system: vfw2; security zone: Trust; VRRP ID: 111; virtual IP address: 10.159.11.254; state: standby | subinterface of vfw2. |
| Eth-Trunk1 | Member interfaces: GE2/0/1 and GE2/0/2; IP address: 10.1.1.1/30; virtual system: public; security zone: hrpzone | Member interfaces: GE2/0/1 and GE2/0/2; IP address: 10.1.1.2/30; virtual system: public; security zone: hrpzone | HRP backup interface. |
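Each subinterface in Table 4-6 pairs FW_A with FW_B in one VRRP group, and a pair that disagrees on the VRID, the virtual IP or the subnet will not fail over as the Hot Standby section describes. The following Python script is an added example, not part of the Huawei document: it loads the Table 4-6 values and checks the properties an active/standby pair must have before the configuration is typed in. The "one VRID per group on each FW" check reflects this page's planning convention rather than a protocol requirement, since VRRP only requires VRIDs to be unique within one broadcast domain.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VrrpMember:
    """One firewall's side of a VRRP group, as planned in Table 4-6."""
    fw: str
    interface: str
    vsys: str
    zone: str
    address: str      # interface address with prefix length, e.g. "172.16.10.252/24"
    vrid: int
    virtual_ip: str
    state: str        # "active" or "standby"


# Values copied from Table 4-6 (all VRRP-enabled subinterfaces of both FWs).
PLAN = [
    VrrpMember("FW_A", "GE1/0/1.10",   "vfw1",   "Untrust", "172.16.10.252/24", 10,  "172.16.10.254", "active"),
    VrrpMember("FW_B", "GE1/0/1.10",   "vfw1",   "Untrust", "172.16.10.253/24", 10,  "172.16.10.254", "standby"),
    VrrpMember("FW_A", "GE1/0/1.11",   "vfw2",   "Untrust", "172.16.11.252/24", 11,  "172.16.11.254", "active"),
    VrrpMember("FW_B", "GE1/0/1.11",   "vfw2",   "Untrust", "172.16.11.253/24", 11,  "172.16.11.254", "standby"),
    VrrpMember("FW_A", "GE1/0/1.1000", "public", "Untrust", "172.16.9.252/24",  9,   "172.16.9.254",  "active"),
    VrrpMember("FW_B", "GE1/0/1.1000", "public", "Untrust", "172.16.9.253/24",  9,   "172.16.9.254",  "standby"),
    VrrpMember("FW_A", "GE1/0/2.1",    "public", "DMZ",     "10.159.1.252/24",  1,   "10.159.1.254",  "active"),
    VrrpMember("FW_B", "GE1/0/2.1",    "public", "DMZ",     "10.159.1.253/24",  1,   "10.159.1.254",  "standby"),
    VrrpMember("FW_A", "GE1/0/2.2",    "public", "DMZ",     "10.159.2.252/24",  2,   "10.159.2.254",  "active"),
    VrrpMember("FW_B", "GE1/0/2.2",    "public", "DMZ",     "10.159.2.253/24",  2,   "10.159.2.254",  "standby"),
    VrrpMember("FW_A", "GE1/0/3.10",   "vfw1",   "Trust",   "10.159.10.252/24", 110, "10.159.10.254", "active"),
    VrrpMember("FW_B", "GE1/0/3.10",   "vfw1",   "Trust",   "10.159.10.253/24", 110, "10.159.10.254", "standby"),
    VrrpMember("FW_A", "GE1/0/3.11",   "vfw2",   "Trust",   "10.159.11.252/24", 111, "10.159.11.254", "active"),
    VrrpMember("FW_B", "GE1/0/3.11",   "vfw2",   "Trust",   "10.159.11.253/24", 111, "10.159.11.254", "standby"),
]


def check_vrrp_pairs(members):
    """Return a list of findings; an empty list means the plan is consistent.

    Each subinterface must appear once per FW; the two members must agree on
    VRID, virtual IP, virtual system and zone, use distinct addresses in one
    subnet, have the virtual IP as a free address of that subnet, and form
    exactly one active/standby pair.
    """
    findings = []
    groups = {}
    for m in members:
        groups.setdefault(m.interface, []).append(m)
    for iface, pair in sorted(groups.items()):
        if len(pair) != 2 or len({m.fw for m in pair}) != 2:
            findings.append(f"{iface}: expected one member on each FW, got {[m.fw for m in pair]}")
            continue
        a, b = pair
        if {a.state, b.state} != {"active", "standby"}:
            findings.append(f"{iface}: need one active and one standby member, got {a.state}/{b.state}")
        if (a.vrid, a.virtual_ip) != (b.vrid, b.virtual_ip):
            findings.append(f"{iface}: VRID/virtual IP mismatch between {a.fw} and {b.fw}")
        if (a.vsys, a.zone) != (b.vsys, b.zone):
            findings.append(f"{iface}: virtual system or security zone differs between {a.fw} and {b.fw}")
        ia, ib = ipaddress.ip_interface(a.address), ipaddress.ip_interface(b.address)
        if ia.network != ib.network:
            findings.append(f"{iface}: {ia} and {ib} are in different subnets")
        elif ia.ip == ib.ip:
            findings.append(f"{iface}: both FWs use the same interface address {ia.ip}")
        else:
            for m, ifc in ((a, ia), (b, ib)):
                vip = ipaddress.ip_address(m.virtual_ip)
                if vip not in ifc.network or vip == ifc.ip:
                    findings.append(f"{iface}: virtual IP {vip} of {m.fw} is not a free address in {ifc.network}")
    # Planning convention on this page: every group gets its own VRID on each FW.
    seen = {}
    for m in members:
        first = seen.setdefault((m.fw, m.vrid), m.interface)
        if first != m.interface:
            findings.append(f"{m.fw}: VRID {m.vrid} reused on {first} and {m.interface}")
    return findings


if __name__ == "__main__":
    for line in check_vrrp_pairs(PLAN) or ["VRRP plan is consistent"]:
        print(line)
```

Run it against the plan as given and it reports no findings; change one side's virtual IP or VRID and the mismatched interface is named, which is the kind of copy-and-paste slip that otherwise only shows up as a VRRP group stuck in an unexpected state after deployment.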

Virtual System

Virtual systems carry virtual machine services. Each virtual system corresponds to one virtual machine. The planning of interfaces for the virtual systems has been described in Interfaces and Security Zones above. In addition, to limit the bandwidth available to each virtual system, resource classes must be configured for the virtual systems.

Table 4-7 describes the planning of virtual systems on the FWs. Only two virtual systems are listed. In practice, you can create multiple virtual systems as needed.

Table 4-7  Planning of virtual systems

| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Resource class | Name: vfw1_car; maximum bandwidth: 100M | Name: vfw1_car; maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw1 is 100M. |
| Resource class | Name: vfw2_car; maximum bandwidth: 100M | Name: vfw2_car; maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw2 is 100M. |
| Virtual system | Name: vfw1; resource class: vfw1_car | Name: vfw1; resource class: vfw1_car | - |
| Virtual system | Name: vfw2; resource class: vfw2_car | Name: vfw2; resource class: vfw2_car | - |

Routes

Traffic is forwarded using static routes between the FW and CE12800.

  • Static routes are configured in the root switch Public on the CE12800. The destination addresses of these static routes are the public addresses of the Portal system and virtual machines, and the next-hop addresses are the addresses of the subinterfaces on the FW. With these static routes, traffic from external enterprise users to the Portal system or virtual machines is forwarded to the FW.
  • A default route is configured in each virtual switch VRF on the CE12800. The next-hop addresses of these default routes are the addresses of the subinterfaces on the FW. With these default routes, return traffic from the Portal system or virtual machines is forwarded to the FW.
  • Static routes are configured on the FW. The destination addresses of these static routes are the private addresses of the Portal system and virtual machines, and the next-hop addresses are the VLANIF addresses of the virtual switches VRF of the CE12800. With these static routes, traffic from external enterprise users to the public addresses of the Portal system and virtual machines is forwarded by the FW, after processing, to the CE12800.
  • Default routes are configured on the FW. The next-hop addresses of these default routes are the VLANIF addresses of the root switch Public on the CE12800. With these default routes, return traffic from the Portal system or virtual machines is forwarded by the FW, after processing, to the CE12800.

Routes on the FW include routes in the root system and routes in the virtual systems. Table 4-8 describes the planning of routes.

Table 4-8  Planning of routes

| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Routes in the root system | Default route; next hop: 172.16.9.251 | Default route; next hop: 172.16.9.251 | Default routes of the root system, the next-hop address being the CE12800. |
| Routes in the root system | Black-hole route; destination address: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole route; destination address: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes to the global addresses of the Portal system to prevent a routing loop. |
| Routes in the root system | Static route; destination address: 10.160.1.0/24, next hop: 10.159.1.251; destination address: 10.160.2.0/24, next hop: 10.159.2.251 | Static route; destination address: 10.160.1.0/24, next hop: 10.159.1.251; destination address: 10.160.2.0/24, next hop: 10.159.2.251 | Static routes to the private addresses of the Portal system, the next-hop address being the CE12800. |
| Routes in the virtual system vfw1 | Default route; next hop: 172.16.10.251 | Default route; next hop: 172.16.10.251 | Default routes of vfw1, the next-hop address being the CE12800. |
| Routes in the virtual system vfw1 | Black-hole route; destination address: 118.1.1.1/32 | Black-hole route; destination address: 118.1.1.1/32 | Black-hole routes to the global address of the virtual machine to prevent a routing loop. |
| Routes in the virtual system vfw1 | Static route; destination address: 10.160.10.0/24, next hop: 10.159.10.251 | Static route; destination address: 10.160.10.0/24, next hop: 10.159.10.251 | Static routes to the private address of the virtual machine, the next-hop address being the CE12800. |
| Routes in the virtual system vfw2 | Default route; next hop: 172.16.11.251 | Default route; next hop: 172.16.11.251 | Default routes of vfw2, the next-hop address being the CE12800. |
| Routes in the virtual system vfw2 | Black-hole route; destination address: 118.1.1.2/32 | Black-hole route; destination address: 118.1.1.2/32 | Black-hole routes to the global address of the virtual machine to prevent a routing loop. |
| Routes in the virtual system vfw2 | Static route; destination address: 10.160.11.0/24, next hop: 10.159.11.251 | Static route; destination address: 10.160.11.0/24, next hop: 10.159.11.251 | Static routes to the private address of the virtual machine, the next-hop address being the CE12800. |
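Table 4-8 states that the black-hole routes exist to prevent a routing loop, and the loop is easy to see once both routing tables are put side by side. The following Python model is an added example, not taken from the Huawei document: it performs longest-prefix matching over the root-system routes of Table 4-8 and the CE12800 routes described in the Routes bullets, then traces a packet addressed to a Portal global address that the FW did not translate (for instance one that matches no NAT server entry). Without the black-hole route the packet follows the FW's default route to the root switch Public, whose static route sends it straight back, and the two devices bounce it until the TTL expires; with the /32 black-hole route the FW drops it locally. Assumed, because the page does not state them, are that the CE12800 static routes use the FW's VRRP virtual IP as next hop, that FW_A currently owns the virtual IPs, and the UPSTREAM and DELIVERED terminal labels.

```python
import ipaddress

# Terminal "next hops" of the model (constructed labels, not addresses).
UPSTREAM = "UPSTREAM"      # packet leaves toward the Internet
DELIVERED = "DELIVERED"    # destination is on a connected subnet of this device
BLACK_HOLE = None          # NULL0 / black-hole route: drop locally


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None when no route matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


# Root-system routes of the FW, copied from Table 4-8.
FW_ROOT_ROUTES = [
    ("0.0.0.0/0", "172.16.9.251"),          # default route to the CE12800 root switch Public
    ("10.160.1.0/24", "10.159.1.251"),      # Portal private subnets via the CE12800 VRFs
    ("10.160.2.0/24", "10.159.2.251"),
]
BLACK_HOLE_ROUTES = [("117.1.1.1/32", BLACK_HOLE), ("117.1.1.2/32", BLACK_HOLE)]

# CE12800 routes from the Routes bullets. Assumption: the Public static routes point
# at the FW's VRRP virtual IP; the Public default route toward the Internet is a placeholder.
CE_PUBLIC_ROUTES = [
    ("117.1.1.1/32", "172.16.9.254"),
    ("117.1.1.2/32", "172.16.9.254"),
    ("0.0.0.0/0", UPSTREAM),
]
CE_VRF1_ROUTES = [("10.160.1.0/24", DELIVERED), ("0.0.0.0/0", "10.159.1.254")]
CE_VRF2_ROUTES = [("10.160.2.0/24", DELIVERED), ("0.0.0.0/0", "10.159.2.254")]

# Which device answers for each next-hop address (FW_A is active, so it owns the virtual IPs).
OWNERS = {
    "172.16.9.251": "CE12800-Public",
    "10.159.1.251": "CE12800-VRF1",
    "10.159.2.251": "CE12800-VRF2",
    "172.16.9.254": "FW-root",
    "10.159.1.254": "FW-root",
    "10.159.2.254": "FW-root",
}


def trace(dst, fw_root_routes, max_hops=8):
    """Forward a packet that the FW did not translate, starting at the FW root system.

    Returns the devices visited, ending with DELIVERED, UPSTREAM, "DROP"
    (black-hole or no route) or "LOOP" (hop budget exhausted, i.e. a routing loop).
    """
    tables = {
        "FW-root": fw_root_routes,
        "CE12800-Public": CE_PUBLIC_ROUTES,
        "CE12800-VRF1": CE_VRF1_ROUTES,
        "CE12800-VRF2": CE_VRF2_ROUTES,
    }
    device = "FW-root"
    path = [device]
    for _ in range(max_hops):
        match = lookup(tables[device], dst)
        if match is None or match[1] is BLACK_HOLE:
            return path + ["DROP"]
        next_hop = match[1]
        if next_hop in (UPSTREAM, DELIVERED):
            return path + [next_hop]
        device = OWNERS[next_hop]
        path.append(device)
    return path + ["LOOP"]


if __name__ == "__main__":
    print("without black-hole:", " -> ".join(trace("117.1.1.1", FW_ROOT_ROUTES)))
    print("with black-hole:   ", " -> ".join(trace("117.1.1.1", FW_ROOT_ROUTES + BLACK_HOLE_ROUTES)))
    print("translated packet: ", " -> ".join(trace("10.160.1.100", FW_ROOT_ROUTES + BLACK_HOLE_ROUTES)))
```

The same reasoning applies per virtual system: vfw1 and vfw2 each have a default route toward their own CE12800 VLANIF, so each needs its own /32 black-hole route for the global address its NAT server exposes, which is exactly what Table 4-8 plans.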

Hot Standby

The hot standby networking is typical where firewalls are connected to Layer-2 devices on both the upstream and the downstream side. Figure 4-18 shows the logical networking where extranet enterprise users access services of the virtual machines. For ease of description, only one virtual machine is shown.

Figure 4-18  Logical networking of virtual machine services

Figure 4-19 shows the logical networking where external enterprise users access services of the Portal system. For ease of description, only one Portal system is shown.

Figure 4-19  Logical networking of Portal systems

After hot standby is configured, FW_A serves as the active firewall and FW_B as the standby firewall. As shown in Figure 4-20, when the network is normal, FW_A answers the ARP request sent by the root switch Public of the CE12800 for the MAC address of the gateway, so traffic from external enterprise users to the Portal system or virtual machines is forwarded by FW_A. Likewise, the return traffic from the Portal system or virtual machines is also forwarded to FW_A.

Figure 4-20  Normal traffic flow

When FW_A or a link connected to FW_A fails, an active/standby switchover takes place. FW_B then sends a gratuitous ARP packet so that the CE12800 updates the mapping between the virtual MAC address and the port, and all traffic is forwarded by FW_B, as shown in Figure 4-21. Likewise, the return traffic from the Portal system or virtual machines is also forwarded to FW_B.

Figure 4-21  Traffic flow when the active link fails

Security Policies

There are security policies in the root system and security policies in virtual systems. Security policies in the root system permit packets from extranet enterprise users to the Portal system. Security policies in a virtual system permit packets from external enterprise users to the virtual machine.

In addition, antivirus and IPS profiles can be included in the security policies to defend against viruses, worms, Trojan horses, and zombies. Normally, the default antivirus and IPS profiles can be used.

Table 4-9 describes the planning of security policies on the FWs.

Table 4-9  Planning of security policies

| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Security policies in the root system | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.160.0.0/16; action: permit; antivirus: default; IPS: default | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.160.0.0/16; action: permit; antivirus: default; IPS: default | Permit packets from external enterprise users to the Portal system. |
| Security policies in the virtual system vfw1 | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.10.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.10.0/24; action: permit; antivirus: default; IPS: default | Permit packets from external enterprise users to the virtual machine. |
| Security policies in the virtual system vfw2 | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.11.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.11.0/24; action: permit; antivirus: default; IPS: default | Permit packets from external enterprise users to the virtual machine. |

NAT Servers

There are NAT servers in the root system and NAT servers in virtual systems. The NAT servers in the root system map the address of the Portal system to a public address so that extranet enterprise users can access it. The NAT server in a virtual system maps the address of a virtual machine to a public address for access by extranet enterprise users.

In order that extranet enterprise users can access the Portal system and virtual machines, it is necessary to apply for public addresses for every Portal system and virtual machine. It is assumed that the public addresses for the Portal system are 117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are 118.1.1.1 and 118.1.1.2. Table 4-10 describes the planning of NAT servers on the FWs.

Table 4-10  Planning of NAT servers

| Item | FW_A | FW_B | Description |
|---|---|---|---|
| NAT servers in the root system | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.160.1.100 | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.160.1.100 | NAT servers of the Portal system |
| NAT servers in the root system | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.160.2.100 | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.160.2.100 | NAT servers of the Portal system |
| NAT server in the virtual system vfw1 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.160.10.100 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.160.10.100 | NAT server of the virtual machine |
| NAT server in the virtual system vfw2 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.160.11.100 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.160.11.100 | NAT server of the virtual machine |
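A NAT server only does its job when the static route, the black-hole route and the security policy of the same virtual system line up with it, and the three are planned in three different tables. The following Python check is an added example rather than the document's own tooling: it loads the FW_A entries of Tables 4-8, 4-9 and 4-10 and verifies, for every NAT server, that its global address has a black-hole route in its virtual system, that its inside address is reachable through a static route there, that an Untrust permit policy covers the inside address (security policy is matched on the post-NAT destination, which is why Table 4-9 lists the private subnets), and that no global address is mapped twice. It also reports, as a note rather than an error, a permit policy whose destination is wider than the prefixes routed in that virtual system; on this plan that is sec_portal's 10.160.0.0/16, which is broader than the two Portal subnets.

```python
import ipaddress

# Plan entries copied from Tables 4-8, 4-9 and 4-10 for FW_A (FW_B is identical).
NAT_SERVERS = [  # (virtual system, name, global address, inside address)
    ("public", "nat_server_portal1", "117.1.1.1", "10.160.1.100"),
    ("public", "nat_server_portal2", "117.1.1.2", "10.160.2.100"),
    ("vfw1",   "nat_server_vm1",     "118.1.1.1", "10.160.10.100"),
    ("vfw2",   "nat_server_vm2",     "118.1.1.2", "10.160.11.100"),
]
POLICIES = [  # (virtual system, name, source zone, destination zone, destination, action)
    ("public", "sec_portal", "Untrust", "DMZ",   "10.160.0.0/16",  "permit"),
    ("vfw1",   "sec_vm1",    "Untrust", "Trust", "10.160.10.0/24", "permit"),
    ("vfw2",   "sec_vm2",    "Untrust", "Trust", "10.160.11.0/24", "permit"),
]
STATIC_ROUTES = [  # (virtual system, destination, next hop)
    ("public", "10.160.1.0/24",  "10.159.1.251"),
    ("public", "10.160.2.0/24",  "10.159.2.251"),
    ("vfw1",   "10.160.10.0/24", "10.159.10.251"),
    ("vfw2",   "10.160.11.0/24", "10.159.11.251"),
]
BLACK_HOLES = [  # (virtual system, destination)
    ("public", "117.1.1.1/32"), ("public", "117.1.1.2/32"),
    ("vfw1", "118.1.1.1/32"), ("vfw2", "118.1.1.2/32"),
]


def check_nat_plan(nat_servers, policies, static_routes, black_holes):
    """Cross-check each NAT server against the routes and policies of its own virtual system.

    Returns (errors, notes): an error means the design does not work as planned,
    a note is a least-privilege observation worth a second look.
    """
    errors, notes = [], []
    global_owner = {}
    for vsys, name, global_ip, inside_ip in nat_servers:
        g, i = ipaddress.ip_address(global_ip), ipaddress.ip_address(inside_ip)
        first = global_owner.setdefault(global_ip, name)
        if first != name:
            errors.append(f"{name}: global address {global_ip} is already used by {first}")
        if not any(v == vsys and g in ipaddress.ip_network(p) for v, p in black_holes):
            errors.append(f"{name}: no black-hole route for {global_ip} in {vsys} (routing loop risk)")
        if not any(v == vsys and i in ipaddress.ip_network(p) for v, p, _ in static_routes):
            errors.append(f"{name}: no static route to {inside_ip} in {vsys}")
        # The policy is matched on the post-NAT (inside) destination, as Table 4-9 does.
        if not any(v == vsys and src == "Untrust" and act == "permit" and i in ipaddress.ip_network(d)
                   for v, _, src, _, d, act in policies):
            errors.append(f"{name}: no Untrust permit policy covers {inside_ip} in {vsys}")
    # A permit destination wider than anything routed in the vsys permits more than is reachable.
    for vsys, name, _, _, dest, act in policies:
        net = ipaddress.ip_network(dest)
        routed = [ipaddress.ip_network(p) for v, p, _ in static_routes if v == vsys]
        if act == "permit" and not any(net.subnet_of(r) for r in routed):
            notes.append(f"{name}: destination {dest} is wider than the routed prefixes "
                         f"{[str(r) for r in routed]} in {vsys}")
    return errors, notes


if __name__ == "__main__":
    errs, nts = check_nat_plan(NAT_SERVERS, POLICIES, STATIC_ROUTES, BLACK_HOLES)
    for line in errs or ["no errors"]:
        print("ERROR:", line)
    for line in nts:
        print("NOTE: ", line)
```

Dropping one black-hole route or narrowing one policy in the input lists reproduces the corresponding error, so the same script can be rerun each time a virtual machine and its NAT server are added to the plan.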

Updated: 2019-01-26

Document ID: EDOC1100062972