HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Verification

  1. If a user passes authentication and the terminal security check, the user can access the service system during working hours but not outside working hours.
  2. If a severe violation occurs, the terminal host cannot access the network and a message is displayed indicating that repair is required. The terminal host can access the network again after the repair.
  3. View the state of the Agile Controller.

    # View the state of the Agile Controller on the active FW.

    HRP_M<FW-3> display right-manager server-group
     Server group state  :  Enable
     Server number :     2
     Server ip address        Port        State       Master
     192.168.1.2              3288        active        Y
     192.168.1.3              3288        active        N


    active indicates that the status of the connection between the Agile Controller and FW is normal.

    # View the state of the Agile Controller on the standby FW.

    HRP_S<FW-4> display right-manager server-group
     Server group state  :  Enable
     Server number :     2
     Server ip address        Port        State       Master
     192.168.1.2              3288        active        Y
     192.168.1.3              3288        active        N

  4. After the branch user logs in, the user login information can be viewed on both FWs. The following is the display right-manager online-users command output on the active FW.

    HRP_M<FW-3> display right-manager online-users
      User name    : lee
      Ip address   : 10.8.1.3
      ServerIp     : 192.168.1.2
      Login time   : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day)
    -----------------------------------------
      Role id      Rolename
         1          DefaultDeny
         6          Permit_1
       255          Last
    -----------------------------------------

    Run the display right-manager role-info command to view the mappings between roles and ACLs.

    HRP_M<FW-3> display right-manager role-info
     All Role count:8
     Role  ID      ACL number      Role name
    ------------------------------------------------------------------------------
     Role   0      3099            default
     Role   1      3100            DefaultDeny
     Role   2      3101            DefaultPermit
     Role   3      3102            Deny___0
     Role   4      3103            Permit_0
    ------------------------------------------------------------------------------
     Role   5      3104            Deny___1
     Role   6      3105            Permit_1
     Role 255      3354            Last

    Run the display acl acl-number command to view ACLs 3100, 3105, and 3354.

    HRP_M<FW-3> display acl 3100
    Advanced ACL  3100, 1 rule     //Default deny rule, used when Control mode in the isolation and post-authentication domains is selected as "Permits access to only controlled domain resources in the list".
    Acl's step is 1
     rule 1 deny ip (0 times matched)
    HRP_M<FW-3> display acl 3105
    Advanced ACL  3105, 1 rule     //Permit the access to the post-authentication domain.
    Acl's step is 1
     rule 1 permit ip destination 10.1.1.4 0 (0 times matched)
     rule 2 permit ip destination 10.1.1.5 0 (0 times matched)
    HRP_M<FW-3> display acl 3354
    Advanced ACL  3354, 3 rules     //Permit the access to the pre-authentication domain.
    Acl's step is 1
     rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
     rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
     rule 3 permit ip destination 192.168.3.3 0 (0 times matched)
    

    The preceding output shows that account lee is assigned roles 1, 6, and 255, which are matched from top to bottom. The role-to-ACL mapping identifies the ACL rules that apply to each of the three roles.

    Role 255 is allowed to access the pre-authentication domain, role 6 is allowed to access the service system, and role 1 denies access to all services.

    In conclusion, account lee is allowed to access only the pre-authentication domain and the service system in the post-authentication domain.

  5. Choose Resource > User > Online User on the Agile Controller to check user login information.
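As an added example (not Huawei's code), the following Python script makes the manual cross-check in step 4 repeatable: it parses the three command outputs, with the sample text constructed from this page, maps account lee's roles to their ACL numbers, and collects the destinations those ACLs permit together with any role whose ACL denies all traffic. It does not model the firewall's own precedence between roles; it only reads what each ACL says.

```python
import re  # added example, not Huawei's code; sample text is constructed from this page's output
ONLINE_USERS = """\
  User name    : lee
     1          DefaultDeny
     6          Permit_1
   255          Last
"""
ROLE_INFO = """\
 Role   1      3100            DefaultDeny
 Role   6      3105            Permit_1
 Role 255      3354            Last
"""
ACLS = """\
Advanced ACL  3100, 1 rule
 rule 1 deny ip (0 times matched)
Advanced ACL  3105, 2 rules
 rule 1 permit ip destination 10.1.1.4 0 (0 times matched)
 rule 2 permit ip destination 10.1.1.5 0 (0 times matched)
Advanced ACL  3354, 3 rules
 rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
 rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
 rule 3 permit ip destination 192.168.3.3 0 (0 times matched)
"""
def user_roles(text):
    # Role IDs in the order 'display right-manager online-users' lists them (top to bottom)
    return [int(r) for r in re.findall(r"^\s*(\d+)\s+\S+\s*$", text, re.M)]

def role_acl_map(text):
    # role ID -> ACL number, from 'display right-manager role-info'
    return {int(r): int(a) for r, a in re.findall(r"^\s*Role\s+(\d+)\s+(\d+)\s", text, re.M)}

def acl_rules(text):
    # ACL number -> [(action, destination or None)], from 'display acl <number>'
    rules, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Advanced ACL\s+(\d+),", line):
            cur = rules.setdefault(int(m.group(1)), [])
        elif (m := re.match(r"\s*rule \d+ (permit|deny) ip(?: destination (\S+) \S+)?", line)) and cur is not None:
            cur.append((m.group(1), m.group(2)))
    return rules

def summarize(online=ONLINE_USERS, role_info=ROLE_INFO, acls=ACLS):
    # Union of permitted destinations across the user's roles, plus roles whose ACL denies all; device precedence between roles is not modelled
    roles, mapping, rules = user_roles(online), role_acl_map(role_info), acl_rules(acls)
    permitted, deny_all = [], []
    for role in roles:
        for action, dst in rules.get(mapping.get(role), []):
            if action == "permit" and dst and dst not in permitted:
                permitted.append(dst)
            elif action == "deny" and dst is None:
                deny_all.append(role)
    return {"roles": roles, "permitted": permitted, "deny_all_roles": deny_all}
```

Running `summarize()` on the sample text returns the five destinations that the page's conclusion names and flags role 1 as the deny-all role.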
Updated: 2019-01-26

Document ID: EDOC1100062972