HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Firewall Interface Planning

Interface planning for FW-5

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
--- | --- | --- | --- | --- | ---
1 | FW-5 | GE1/0/1 | SW-5 | GE1/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-5 | GE1/0/2 | SW-5 | GE1/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-5 | GE1/0/3 | SW-1 | GE1/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-5 | GE1/0/4 | SW-1 | GE1/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-5 | GE1/0/5 | FW-6 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-5 | GE1/0/6 | FW-6 | GE1/0/6 | Eth-Trunk 0, heartbeat interface

Interface planning for FW-6

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
--- | --- | --- | --- | --- | ---
1 | FW-6 | GE1/0/1 | SW-6 | GE2/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-6 | GE1/0/2 | SW-6 | GE2/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-6 | GE1/0/3 | SW-2 | GE2/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-6 | GE1/0/4 | SW-2 | GE2/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-6 | GE1/0/5 | FW-5 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-6 | GE1/0/6 | FW-5 | GE1/0/6 | Eth-Trunk 0, heartbeat interface

Firewall IP Address Planning

No. | Local Device | Local Interface | VLAN ID | Local IP Address | VRID | VIP | Peer Device | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
1 | FW-5 | Eth-Trunk 1.1 | 10 | 172.6.1.2/29 | 1 | 1.1.1.1/29 | SW-5 | SSL VPN gateway for employees on the move
2 | FW-5 | Eth-Trunk 1.2 | 20 | 172.6.2.2/29 | 2 | 1.1.2.1/29 | SW-5 | IPSec gateway
3 | FW-5 | Eth-Trunk 1.3 | 30 | 172.6.3.2/29 | 3 | 1.1.3.1/29 | SW-5 | Access gateway for Internet users
4 | FW-5 | Eth-Trunk 1.4 | 40 | 172.6.4.2/29 | 4 | 1.1.4.1/29 | SW-5 | SSL VPN gateway for the partner
5 | FW-5 | Eth-Trunk 2.1 | 103 | 172.7.1.2/29 | 5 | 172.7.1.1 | SW-1 | Data center service area
6 | FW-5 | Eth-Trunk 2.2 | 104 | 172.7.2.2/29 | 6 | 172.7.2.1 | SW-1 | DMZ
7 | FW-5 | Eth-Trunk 0 | - | 12.12.12.1/24 | - | - | FW-6 | -
8 | FW-6 | Eth-Trunk 1.1 | 10 | 172.6.1.3/29 | 1 | 1.1.1.1/29 | SW-6 | SSL VPN gateway for employees on the move
9 | FW-6 | Eth-Trunk 1.2 | 20 | 172.6.2.3/29 | 2 | 1.1.2.1/29 | SW-6 | IPSec gateway
10 | FW-6 | Eth-Trunk 1.3 | 30 | 172.6.3.3/29 | 3 | 1.1.3.1/29 | SW-6 | Access gateway for Internet users
11 | FW-6 | Eth-Trunk 1.4 | 40 | 172.6.4.3/29 | 4 | 1.1.4.1/29 | SW-6 | SSL VPN gateway for the partner
12 | FW-6 | Eth-Trunk 2.1 | 103 | 172.7.1.3/29 | 5 | 172.7.1.1 | SW-2 | Data center service area
13 | FW-6 | Eth-Trunk 2.2 | 104 | 172.7.2.3/29 | 6 | 172.7.2.1 | SW-2 | DMZ
14 | FW-6 | Eth-Trunk 0 | - | 12.12.12.2/24 | - | - | FW-6 | -

Firewall Security Zone Planning

No. | Security Zone | Security Zone Priority | Included Interface | Remarks
--- | --- | --- | --- | ---
1 | zone1 | 45 | Eth-Trunk 1.1 | Employees on the move
2 | zone2 | 40 | Eth-Trunk 1.2 | Branch 2
3 | zone3 | 10 | Eth-Trunk 1.3 | Internet users
4 | zone4 | 30 | Eth-Trunk 1.4 | Partner
5 | hrp | 85 | Eth-Trunk 0 | Heartbeat interface
6 | trust | 100 | Eth-Trunk 2.1 | Data center service area
7 | dmz | 50 | Eth-Trunk 2.2 | DMZ
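The following fragment, added here as an illustration and not taken from this document or from Huawei's own configuration steps, applies the interface, IP address, VRRP and zone plan above to FW-5 in USG6000-series CLI syntax. The command forms are assumed; only the interface names, VLAN IDs, addresses, VRIDs and zone priorities come from the tables, and lines beginning with # are comments rather than configuration. FW-6 mirrors it with its own addresses and standby in place of active for each VRID.

```text
# Member ports of the three Eth-Trunks (interface planning table)
interface GigabitEthernet 1/0/1
 eth-trunk 1
interface GigabitEthernet 1/0/2
 eth-trunk 1
interface GigabitEthernet 1/0/3
 eth-trunk 2
interface GigabitEthernet 1/0/4
 eth-trunk 2
interface GigabitEthernet 1/0/5
 eth-trunk 0
interface GigabitEthernet 1/0/6
 eth-trunk 0
#
# Upstream subinterface for the SSL VPN gateway: VLAN 10, real address
# 172.6.1.2/29, VRID 1 holding the VIP 1.1.1.1 that remote users connect to.
# Eth-Trunk 1.2 to 1.4 follow the same pattern with VLANs 20/30/40, VRIDs 2/3/4.
interface Eth-Trunk 1.1
 vlan-type dot1q 10
 ip address 172.6.1.2 29
 vrrp vrid 1 virtual-ip 1.1.1.1 29 active
#
# Downstream subinterface to the data center service area (VLAN 103, VRID 5)
interface Eth-Trunk 2.1
 vlan-type dot1q 103
 ip address 172.7.1.2 29
 vrrp vrid 5 virtual-ip 172.7.1.1 active
#
# Heartbeat link between the two firewalls (no VRRP: each side keeps its own address)
interface Eth-Trunk 0
 ip address 12.12.12.1 24
#
# Zones: a user-defined zone carries its planned priority, the predefined
# trust zone only receives its member interface. zone2 to zone4, hrp and dmz
# are created the same way with the priorities from the zone table.
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk 1.1
firewall zone trust
 add interface Eth-Trunk 2.1
#
# Hot standby: heartbeat over Eth-Trunk 0, peer address from the IP plan
hrp interface Eth-Trunk 0 remote 12.12.12.2
hrp enable
```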

Firewall Security Policy Planning

Address group

No. | Address Group | Address | Remarks
--- | --- | --- | ---
1 | remote_users | Address 0: 172.168.3.0, mask 24 | SSL VPN access for employees on the move
2 | partner | Address 0: 172.168.4.0, mask 24 | Partner
3 | branch2 | Address 0: 10.9.1.0, mask 24 | Branch 2
4 | server1 | Address 0: 10.1.1.10, mask 32; Address 1: 10.1.1.11, mask 32 | Server that employees on the move can access
5 | server2 | Address 0: 10.2.1.4, mask 32; Address 1: 10.2.1.5, mask 32 | Server that the partner can access
6 | server4 | Address 0: 10.1.1.4, mask 32; Address 1: 10.1.1.5, mask 32 | Server that branch 2 can access
7 | server5 | Address 0: 192.168.4.2, mask 32; Address 1: 192.168.4.3, mask 32; Address 2: 192.168.4.4, mask 32; Address 3: 192.168.4.5, mask 32 | Server that Internet users can access
8 | ad_server | Address 0: 192.168.5.4, mask 32; Address 1: 192.168.5.5, mask 32 | AD authentication server that authenticates SSL VPN access users

User-defined services

No. | Service | Protocol/Port | Remarks
--- | --- | --- | ---
1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server

Security policies

No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action
--- | --- | --- | --- | --- | --- | --- | ---
1 | remote_users_to_server1 | zone1 | remote_users | trust | server1 | ftp, http | permit
2 | partner_to_server2 | zone4 | partner | trust | server2 | tcp_1414 | permit
3 | branch2_to_server4 | zone2 | branch2 | trust | server4 | ftp | permit
4 | internet_to_server5 | zone3 | any | dmz | server5 | https, http | permit
5 | ipsec | zone2, local | 1.1.2.1/32, 2.2.2.2/32 (IP address of the IPSec gateway of branch 2) | local, zone2 | 1.1.2.1/32, 2.2.2.2/32 (IP address of the IPSec gateway of branch 2) | any | permit
6 | ssl_vpn | zone1, zone4 | any | local | 1.1.1.1/32, 1.1.4.1/32 | any | permit
7 | to_ad_server | local | any | dmz | ad_server | any | permit
8 | default | any | any | any | any | any | deny
NOTE:

default indicates the default security policy. Traffic that matches none of the configured security policies matches the default security policy (all conditions are any and the action is deny). If only PCs at specified IP addresses are allowed to access the servers, keep the default security policy and configure security policies that permit access from those IP addresses.

Hot standby heartbeat packets are not controlled by security policies. Do not configure security policies for heartbeat packets.

Firewall Persistent Connections

Prolonging the session aging time of a protocol

No. | Protocol | Aging Time
--- | --- | ---
1 | tcp_1414 | 40000 seconds

Using the persistent connection function

No. | Policy | Aging Time
--- | --- | ---
1 | branch2_to_server4 | 480 hours
NOTE:

Of the two methods, prolonging the session aging time of a protocol is easier to configure, while the persistent connection function lets you set specific conditions so that only the specified traffic keeps persistent connections. The prolonged session aging time of a protocol is a global configuration that takes effect on all sessions of the protocol. As a result, sessions that do not need persistent connections cannot be aged and keep occupying session entry resources. Once session entry resources are exhausted, no new sessions can be created.

Therefore, if you confirm that all sessions of a protocol require a long session aging time, you can prolong the session aging time of the protocol for persistent connections. Otherwise, use the persistent connection function.

The persistent connection function is valid only for TCP-based connections.
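As an added example that is not part of this document, the following USG6000-series CLI fragment (command syntax assumed) implements the address groups, the user-defined service, two of the planned security policies referencing the IPS profile named in the Security Defense Planning section, the default deny policy, and both persistent-connection methods from the tables above. Lines beginning with # are comments rather than configuration.

```text
# Address groups used by the two policies (address group table)
ip address-set partner type object
 address 0 172.168.4.0 mask 24
ip address-set branch2 type object
 address 0 10.9.1.0 mask 24
ip address-set server2 type object
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
ip address-set server4 type object
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
# User-defined service for the partner's application
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
# Method 1: global aging time for the service. Applies to every tcp_1414
# session on the firewall, whether or not it needs a persistent connection.
firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  action permit
  # Method 2: persistent connections only for TCP traffic matching this rule
  long-link enable
  long-link aging-time 480
 # Anything not matched above is dropped by the default policy
 default action deny
```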

Firewall NAT Planning

NAT Server

No. | Name | Protocol | Public IP Address | Public Port | Private IP Address | Private Port
--- | --- | --- | --- | --- | --- | ---
1 | https_server1 | tcp | 1.1.3.2 | 4433 | 192.168.4.2 | 443
2 | https_server2 | tcp | 1.1.3.3 | 4433 | 192.168.4.3 | 443
3 | https_server1 | tcp | 1.1.3.4 | 8000 | 192.168.4.4 | 80
4 | https_server2 | tcp | 1.1.3.5 | 8000 | 192.168.4.5 | 80

Firewall Route Planning

Static routes on firewalls

No. | Destination Address | Mask | Next Hop | Remarks
--- | --- | --- | --- | ---
1 | 10.1.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 1
2 | 10.2.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 2
3 | 10.3.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 3
4 | 192.168.0.0 | 255.255.0.0 | 172.7.1.4 | Route to the DMZ
5 | 172.168.3.0 | 255.255.255.0 | 1.1.1.2 | Route to SSL VPN access terminals of employees on the move
6 | 172.168.4.0 | 255.255.255.0 | 1.1.4.2 | Route to the partner's network
7 | 10.9.1.0 | 255.255.255.0 | 1.1.2.2 | Route to branch 2's network
8 | 0.0.0.0 | 0.0.0.0 | 1.1.3.2 | Default route to the Internet

IPSec Data Planning

VPN Gateway Location | IPSec Policy Creation Mode | Local Address | Peer Address | Authentication Mode | Pre-shared Key | Local ID | Peer ID
--- | --- | --- | --- | --- | --- | --- | ---
HQ | Policy template | - | - | Pre-shared key | Test!1234 | IP address | IP address
Branch | ISAKMP mode | 2.2.2.2 | 1.1.2.1 | Pre-shared key | Test!1234 | IP address | IP address

SSL VPN Data Planning

The SSL VPN configuration is almost the same for employees on the move and partners. The SSL VPN configuration for employees on the move is used as an example.

Item | Data
--- | ---
Virtual gateway | Name: example; IP address: 1.1.1.1; domain name: www.example.com; maximum number of users: 150; maximum number of online users: 100
AD server | Primary server IP address: 192.168.5.4; secondary server IP address: 192.168.5.5
Web proxy resource | Name: resource1, link: http://10.1.1.10; name: resource2, link: http://10.1.1.11
Network extension | Network extension address pool: 172.168.3.2-172.168.3.254; routing mode: manual; intranet subnet accessible to network extension users: 10.1.1.0/24

Security Defense Planning

  • Attack defense planning

    To defend the internal network against network attacks, you need to configure attack defense on the firewalls.

    Normally, it is recommended that you configure defense against the following attacks:

    • Smurf attacks
    • Land attacks
    • Fraggle attacks
    • Ping of Death attacks
    • WinNuke attacks
    • IP packet with route record option attacks
    • IP packet with source route option attacks
    • IP packet with timestamp option attacks
    • SYN flood attacks
    • UDP flood attacks
    • ICMP flood attacks

    In practice, for the preceding flood attacks, start with a comparatively large value for the maximum rate of attack packets on the interfaces, observe the attack traffic, and gradually reduce the rate until you reach a proper value (one that limits the attack traffic without affecting services).

  • IPS planning

    To prevent hackers, zombies, Trojan horses, and worms from intruding into the internal network, configure IPS on the firewalls.

    NOTE:
    The IPS may be deployed on the firewalls or deployed as an independent IPS device.

    To configure the IPS functions, reference an IPS profile when defining security policies. In the present case, the IPS profile is referenced in all the security policies planned above (except those for the local zone), which means that IPS detection is carried out for all traffic permitted by those security policies.

    Generally, when the firewalls are initially deployed, you can select the default IPS profile named default. After the firewalls have been running for some time, the administrator can define a profile based on the network status. The IPS also provides the default profile named ids, with which alarms are generated upon the detection of intrusions but the intrusions are not blocked. If high security is required, to reduce false positives reported by the IPS, you can select the ids profile.

Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16021

Downloads: 694

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next