


HUAWEI Firewall Comprehensive Configuration Examples

This document describes typical firewall deployment scenarios and the configuration used for each of them.

Configuration Scripts

FW-1 (first script below) and FW-2 (second script below)
#
 hrp enable
 hrp interface Eth-Trunk0 remote 11.11.11.2
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch1 type object
 description "for branch1"
 address 0 10.8.1.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server3 type object
 description "for server3"
 address 0 10.1.2.4 mask 32
 address 1 10.1.2.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
ip service-set tcp_8888_9000 type object
 service 0 protocol tcp destination-port 8888
 service 1 protocol tcp destination-port 9000
#
interface Eth-Trunk0
 ip address 11.11.11.1 255.255.255.0
#
interface Eth-Trunk1
 ip address 10.6.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 10.6.1.1 active
#
interface Eth-Trunk2
 ip address 10.7.1.2 255.255.255.248
 vrrp vrid 2 virtual-ip 10.7.1.1 active
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2
#
firewall zone untrust
 add interface Eth-Trunk1
#
firewall zone dmz
 add interface Eth-Trunk0
#
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
#
 firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone untrust
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone untrust
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch1_to_server3
  source-zone untrust
  destination-zone trust
  source-address address-set branch1
  destination-address address-set server3
  service tcp_8888_9000
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone untrust
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
#
 hrp enable
 hrp interface Eth-Trunk0 remote 11.11.11.1
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch1 type object
 description "for branch1"
 address 0 10.8.1.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server3 type object
 description "for server3"
 address 0 10.1.2.4 mask 32
 address 1 10.1.2.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
ip service-set tcp_8888_9000 type object
 service 0 protocol tcp destination-port 8888
 service 1 protocol tcp destination-port 9000
#
interface Eth-Trunk0
 ip address 11.11.11.2 255.255.255.0
#
interface Eth-Trunk1
 ip address 10.6.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 10.6.1.1 standby
#
interface Eth-Trunk2
 ip address 10.7.1.3 255.255.255.248
 vrrp vrid 2 virtual-ip 10.7.1.1 standby
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2
#
firewall zone untrust
 add interface Eth-Trunk1
#
firewall zone dmz
 add interface Eth-Trunk0
#
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
#
 firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone untrust
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone untrust
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch1_to_server3
  source-zone untrust
  destination-zone trust
  source-address address-set branch1
  destination-address address-set server3
  service tcp_8888_9000
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone untrust
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
Updated: 2019-01-26

Document ID: EDOC1100062972
