No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Typical Networking

Typical Networking

As shown in Figure 3-3, firewalls are attached to core switches as the hardware SACGs of the Agile Controller. When users in branch 1 access the data center service area, the firewalls work with the Agile Controller to control user access as follows:

  • To ensure the security of the service system and prevent external users or insecure terminal hosts from accessing the service system, only the users who have passed the identify authentication and terminal security check are allowed to access the service system.
  • The service system is the core network resource, and employees are allowed to access the system only in working hours.
  • The solution deployment has the minimum impact on the current network. The service first principle is applied to the entire network to ensure service continuity in the case that the access control system fails.

The data center network is logically divided into the pre-authentication domain, isolation domain, and post-authentication domain:

  • The pre-authentication domain is accessible to unauthenticated terminal hosts, and comprises the DNS, external authentication source, SC, and SM.
  • The isolation domain is accessible to terminal hosts that pass the identity authentication but not the security authentication, and comprises the patch server and anti-virus server.
  • The post-authentication domain is accessible for terminal hosts that have passed identity and security authentication. In this case, this domain is the data center service area.
Figure 3-3  Typical networking of firewalls in the intranet access area
Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16686

Downloads: 717

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next