
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods used in typical firewall projects.

Configuration Scripts

Configuration script for FW_A:

#                                                                               
sysname FW_A
#                                                                               
 hrp enable                                                                     
 hrp interface Eth-Trunk 1 remote 10.1.1.2                            
 hrp track interface GigabitEthernet 1/0/1
#                                                                               
vsys enable                                                                     
resource-class vfw1_car                                                         
 resource-item-limit bandwidth 100 entire
resource-class vfw2_car                                                         
 resource-item-limit bandwidth 100 entire
#                                                                               
#                                                                               
vsys name vfw1 1                                                                
 assign interface GigabitEthernet1/0/1.10                                      
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car                                                 
 assign global-ip 118.1.1.1 118.1.1.1 exclusive                                 
#                                                                               
vsys name vfw2 2                                                                
 assign interface GigabitEthernet1/0/1.11                                      
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car                                                 
 assign global-ip 118.1.1.2 118.1.1.2 exclusive                                 
#                                                                               
ip vpn-instance vfw1                                                            
 ipv4-family                                                                    
  route-distinguisher 10:1                                                     
 ipv6-family
#                                                                               
ip vpn-instance vfw2                                                            
 ipv4-family                                                                    
  route-distinguisher 11:1                                                     
 ipv6-family
#                                                                               
interface Eth-Trunk1                                                            
 ip address 10.1.1.1 255.255.255.252                                            
#                                                                               
interface GigabitEthernet1/0/1                                                  
 undo shutdown                                                                  
#                                                                                
interface GigabitEthernet1/0/1.10                                              
 ip binding vpn-instance vfw1                                                   
 ip address 172.16.10.252 255.255.255.0                                          
#                                                                               
interface GigabitEthernet1/0/1.11                                              
 ip binding vpn-instance vfw2                                                   
 ip address 172.16.11.252 255.255.255.0
#                                                                               
interface GigabitEthernet1/0/1.1000                                           
 ip address 172.16.9.252 255.255.255.0
#                                                                               
interface GigabitEthernet1/0/2                                                  
 undo shutdown                                                                  
#                                                                               
interface GigabitEthernet1/0/2.1                                             
 vlan-type dot1q 1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#                                                                               
interface GigabitEthernet1/0/2.2                                             
 vlan-type dot1q 2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#                                                                               
interface GigabitEthernet1/0/3                                                  
 undo shutdown                                                                  
#                                                                               
interface GigabitEthernet1/0/3.10                                              
 vlan-type dot1q 10                                                             
 ip binding vpn-instance vfw1                                                   
 ip address 10.159.10.252 255.255.255.0                                          
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#                                                                               
interface GigabitEthernet1/0/3.11                                              
 vlan-type dot1q 11                                                             
 ip binding vpn-instance vfw2                                                   
 ip address 10.159.11.252 255.255.255.0                                          
 vrrp vrid 11 virtual-ip 10.159.11.254 active
#                                                                               
interface GigabitEthernet2/0/1                                              
 undo shutdown
 eth-trunk 1
#                                                                               
interface GigabitEthernet2/0/2                                              
 undo shutdown
 eth-trunk 1
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3                                            
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1                                             
 add interface GigabitEthernet1/0/1.1000
#                                                                               
firewall zone dmz                                                               
 set priority 50                                                                
 add interface GigabitEthernet1/0/2                                             
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#                                                                               
firewall zone name hrpzone id 4                                                 
 set priority 65                                                                
 add interface Eth-Trunk1                                                       
#                                                                               
ospf 1 vpn-instance vfw1                                                    
 import-route static
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#                                                                               
ospf 2 vpn-instance vfw2                                                    
 import-route static
 area 0.0.0.0
  network 172.16.11.0 0.0.0.255
#                                                                               
ospf 1000                                                   
 import-route static
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251                                    
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#                                                                               
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#                                                                               
security-policy                                                                 
 rule name sec_portal                                                         
  source-zone untrust                                                           
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf                                                             
  source-zone local                                                             
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-zone untrust                                                      
  service ospf                                                                  
  action permit
#
return                                                                          
#                                                                               
switch vsys vfw1                                                                
#                                                                               
interface GigabitEthernet1/0/1.10                                              
 ip binding vpn-instance vfw1                                                   
 ip address 172.16.10.252 255.255.255.0                                          
#                                                                               
interface GigabitEthernet1/0/3.10                                              
 vlan-type dot1q 10                                                             
 ip binding vpn-instance vfw1                                                   
 ip address 10.159.10.252 255.255.255.0                                          
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#                                                                               
interface Virtual-if1                                                           
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3.10
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1.10
#                                                                               
security-policy                                                                 
 rule name sec_vm1                                                             
  source-zone untrust                                            
  destination-zone trust                                                  
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm1_ospf                                                             
  source-zone local                                                             
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-zone untrust                                                      
  service ospf                                                                  
  action permit
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
#                                                                               
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100               
#                                                                               
return
#                                                                               
switch vsys vfw2                                                                
#                                                                               
interface GigabitEthernet1/0/1.11                                              
 ip binding vpn-instance vfw2                                                   
 ip address 172.16.11.252 255.255.255.0                                          
#                                                                               
interface GigabitEthernet1/0/3.11                                              
 vlan-type dot1q 11                                                             
 ip binding vpn-instance vfw2                                                   
 ip address 10.159.11.252 255.255.255.0                                          
 vrrp vrid 11 virtual-ip 10.159.11.254 active
#                                                                               
interface Virtual-if2                                                           
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3.11
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1.11
#                                                                               
security-policy                                                                 
 rule name sec_vm2                                                             
  source-zone untrust                                            
  destination-zone trust                                                  
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm2_ospf                                                             
  source-zone local                                                             
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-zone untrust                                                      
  service ospf                                                                  
  action permit
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
#                                                                               
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100               
#                                                                               
return

Configuration script for FW_B:

#                                                                               
sysname FW_B
#                                                                               
 hrp enable                                                                     
 hrp interface Eth-Trunk 1 remote 10.1.1.1                            
 hrp track interface GigabitEthernet 1/0/1
#                                                                               
vsys enable                                                                     
resource-class vfw1_car                                                         
 resource-item-limit bandwidth 100 entire
resource-class vfw2_car                                                         
 resource-item-limit bandwidth 100 entire
#                                                                               
#                                                                               
vsys name vfw1 1                                                                
 assign interface GigabitEthernet1/0/1.10                                      
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car                                                 
 assign global-ip 118.1.1.1 118.1.1.1 exclusive                                 
#                                                                               
vsys name vfw2 2                                                                
 assign interface GigabitEthernet1/0/1.11                                      
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car                                                 
 assign global-ip 118.1.1.2 118.1.1.2 exclusive                                 
#                                                                               
ip vpn-instance vfw1                                                            
 ipv4-family                                                                    
  route-distinguisher 10:1                                                     
 ipv6-family
#                                                                               
ip vpn-instance vfw2                                                            
 ipv4-family                                                                    
  route-distinguisher 11:1                                                     
 ipv6-family
#                                                                               
interface Eth-Trunk1                                                            
 ip address 10.1.1.2 255.255.255.252                                            
#                                                                               
interface GigabitEthernet1/0/1                                                  
 undo shutdown                                                                  
#                                                                                
interface GigabitEthernet1/0/1.10                                              
 ip binding vpn-instance vfw1                                                   
 ip address 172.16.10.253 255.255.255.0                                          
#                                                                               
interface GigabitEthernet1/0/1.11                                              
 ip binding vpn-instance vfw2                                                   
 ip address 172.16.11.253 255.255.255.0
#                                                                               
interface GigabitEthernet1/0/1.1000                                           
 ip address 172.16.9.253 255.255.255.0
#                                                                               
interface GigabitEthernet1/0/2                                                  
 undo shutdown                                                                  
#                                                                               
interface GigabitEthernet1/0/2.1                                             
 vlan-type dot1q 1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#                                                                               
interface GigabitEthernet1/0/2.2                                             
 vlan-type dot1q 2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 standby
#                                                                               
interface GigabitEthernet1/0/3                                                  
 undo shutdown                                                                  
#                                                                               
interface GigabitEthernet1/0/3.10                                              
 vlan-type dot1q 10                                                             
 ip binding vpn-instance vfw1                                                   
 ip address 10.159.10.253 255.255.255.0                                          
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#                                                                               
interface GigabitEthernet1/0/3.11                                              
 vlan-type dot1q 11                                                             
 ip binding vpn-instance vfw2                                                   
 ip address 10.159.11.253 255.255.255.0                                          
 vrrp vrid 11 virtual-ip 10.159.11.254 standby
#                                                                               
interface GigabitEthernet2/0/1                                              
 undo shutdown
 eth-trunk 1
#                                                                               
interface GigabitEthernet2/0/2                                              
 undo shutdown
 eth-trunk 1
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3                                            
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1                                             
 add interface GigabitEthernet1/0/1.1000
#                                                                               
firewall zone dmz                                                               
 set priority 50                                                                
 add interface GigabitEthernet1/0/2                                             
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#                                                                               
firewall zone name hrpzone id 4                                                 
 set priority 65                                                                
 add interface Eth-Trunk1                                                       
#                                                                               
ospf 1 vpn-instance vfw1                                                    
 import-route static
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#                                                                               
ospf 2 vpn-instance vfw2                                                    
 import-route static
 area 0.0.0.0
  network 172.16.11.0 0.0.0.255
#                                                                               
ospf 1000                                                   
 import-route static
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251                                    
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#                                                                               
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#                                                                               
security-policy                                                                 
 rule name sec_portal                                                         
  source-zone untrust                                                           
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf                                                             
  source-zone local                                                             
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-zone untrust                                                      
  service ospf                                                                  
  action permit
#
return                                                                          
#                                                                               
switch vsys vfw1                                                                
#                                                                               
interface GigabitEthernet1/0/1.10                                              
 ip binding vpn-instance vfw1                                                   
 ip address 172.16.10.253 255.255.255.0                                          
#                                                                               
interface GigabitEthernet1/0/3.10                                              
 vlan-type dot1q 10                                                             
 ip binding vpn-instance vfw1                                                   
 ip address 10.159.10.253 255.255.255.0                                          
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#                                                                               
interface Virtual-if1                                                           
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3.10
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1.10
#                                                                               
security-policy                                                                 
 rule name sec_vm1                                                             
  source-zone untrust                                            
  destination-zone trust                                                  
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm1_ospf                                                             
  source-zone local                                                             
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-zone untrust                                                      
  service ospf                                                                  
  action permit
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
#                                                                               
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100               
#                                                                               
return
#                                                                               
switch vsys vfw2                                                                
#                                                                               
interface GigabitEthernet1/0/1.11                                              
 ip binding vpn-instance vfw2                                                   
 ip address 172.16.11.253 255.255.255.0                                          
#                                                                               
interface GigabitEthernet1/0/3.11                                              
 vlan-type dot1q 11                                                             
 ip binding vpn-instance vfw2                                                   
 ip address 10.159.11.253 255.255.255.0                                          
 vrrp vrid 11 virtual-ip 10.159.11.254 standby
#                                                                               
interface Virtual-if2                                                           
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3.11
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1.11
#                                                                               
security-policy                                                                 
 rule name sec_vm2                                                             
  source-zone untrust                                            
  destination-zone trust                                                  
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm2_ospf                                                             
  source-zone local                                                             
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-zone untrust                                                      
  service ospf                                                                  
  action permit
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
#                                                                               
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100               
#                                                                               
return
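The two scripts above are meant to be an HRP pair, so every VRRP group and the heartbeat addresses must agree across FW_A and FW_B. As an added audit script (not part of Huawei's document or of the scripts above), the following parses the HRP and VRRP stanzas of both members and reports what would break failover: a hrp remote address that is not the peer's Eth-Trunk1 address, a VRRP group whose VRID or virtual IP differs between members, and roles that are not one active and one standby. The embedded excerpts are constructed from the scripts above; FW_B's GigabitEthernet1/0/2.2 is deliberately given VRID 1 so the check has something to report.

```python
import re

# Constructed excerpt of the FW_A script: HRP heartbeat lines and two VRRP stanzas.
FW_A = """\
 hrp enable
 hrp interface Eth-Trunk 1 remote 10.1.1.2
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
"""

# Constructed FW_B excerpt; GigabitEthernet1/0/2.2 deliberately carries VRID 1
# instead of 2 so the audit has a mismatch to report.
FW_B = """\
 hrp enable
 hrp interface Eth-Trunk 1 remote 10.1.1.1
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.2.254 standby
#
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) \S+")
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")
HRP_RE = re.compile(r"^\s*hrp interface .+ remote (\S+)")


def parse(script):
    """Return (hrp_remote, {interface: {"addr", "vrid", "vip", "role"}})."""
    ifaces, hrp_remote, cur = {}, None, None
    for line in script.splitlines():
        m = HRP_RE.match(line)
        if m:
            hrp_remote = m.group(1)
            continue
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        if line.strip() == "#":  # stanza separator ends the current interface
            cur = None
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            cur["addr"] = m.group(1)
        m = VRRP_RE.match(line)
        if m:
            cur.update(vrid=int(m.group(1)), vip=m.group(2), role=m.group(3))
    return hrp_remote, ifaces


def audit_pair(script_a, script_b):
    """Return a list of findings; an empty list means the members are consistent."""
    remote_a, a = parse(script_a)
    remote_b, b = parse(script_b)
    findings = []
    # Each member's hrp remote address must be the peer's heartbeat-link address.
    if remote_a != b.get("Eth-Trunk1", {}).get("addr"):
        findings.append(f"FW_A hrp remote {remote_a} is not FW_B's Eth-Trunk1 address")
    if remote_b != a.get("Eth-Trunk1", {}).get("addr"):
        findings.append(f"FW_B hrp remote {remote_b} is not FW_A's Eth-Trunk1 address")
    for name in sorted(set(a) | set(b)):
        va, vb = a.get(name, {}), b.get(name, {})
        if "vrid" not in va and "vrid" not in vb:
            continue  # not a VRRP interface on either member
        if "vrid" not in va or "vrid" not in vb:
            findings.append(f"{name}: VRRP configured on only one member")
            continue
        if va["vrid"] != vb["vrid"]:
            findings.append(f"{name}: VRID mismatch ({va['vrid']} vs {vb['vrid']})")
        if va["vip"] != vb["vip"]:
            findings.append(f"{name}: virtual-ip mismatch ({va['vip']} vs {vb['vip']})")
        if {va["role"], vb["role"]} != {"active", "standby"}:
            findings.append(f"{name}: roles {va['role']}/{vb['role']}, expected active/standby")
    return findings
```

Run `audit_pair` over the full `display current-configuration` output of both members to catch the same class of drift after changes on only one firewall.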
Updated: 2019-01-26

Document ID: EDOC1100062972
