HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

As shown in Figure 4-4, the FW is attached to the CE12800 and works at Layer 3. Logically, the CE12800 has upstream interfaces and downstream interfaces: the upstream interfaces provide Layer-3 forwarding, and the downstream interfaces provide Layer-2 forwarding. OSPF runs between the FW and the upstream interfaces of the CE12800, and VRRP runs between the FW and the downstream interfaces of the CE12800. The virtual IP addresses of the VRRP groups on the FW serve as gateway addresses for the Portal system and the virtual machines. Traffic from extranet enterprise users to the Portal system or virtual machines is forwarded by the upstream interfaces of the CE12800 to the FW; after the FW has processed it, the traffic is forwarded by the downstream interfaces of the CE12800 to the Portal system or virtual machines. Return traffic is first forwarded by the downstream interfaces of the CE12800 to the FW; after the FW has processed it, the traffic is forwarded out by the upstream interfaces of the CE12800.

Figure 4-4  Off-line deployment of FWs

The following describes the service planning in detail.

Interfaces and Security Zones

This section describes the connection between FW_A and CE12800_A.

As shown in Figure 4-5, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of CE12800_A. Details are as follows:

  • Multiple (three in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each subinterface has an IP address. All but one of the subinterfaces belong to different virtual systems and are assigned to the Untrust zone of the respective virtual system; the remaining subinterface belongs to the root system and is assigned to the Untrust zone of the root system.
  • 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each corresponding VLANIF interface on CE12800_A has an IP address and is logically connected to the related subinterface of FW_A.
Figure 4-5  GE1/0/1 connection of FW_A

As shown in Figure 4-6, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of CE12800_A. Details are as follows:

  • Two (or more as required by the Portal system) subinterfaces are defined for GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the DMZ of the root system.
  • 10GE1/1/0/2 of CE12800_A is a trunk interface which allows packets of multiple VLANs to pass.
  • The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A serve as gateway addresses for the Portal system and terminate VLAN services. CE12800_A transparently transmits L2 packets.
Figure 4-6  GE1/0/2 connection of FW_A

As shown in Figure 4-7, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of CE12800_A. Details are as follows:

  • Multiple (two in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each subinterface has an IP address, belongs to a different virtual system, and is assigned to the Trust zone of that virtual system.
  • 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of multiple VLANs.
  • The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A serve as gateway addresses for the virtual machines and terminate VLAN services. CE12800_A transparently transmits L2 packets.
Figure 4-7  GE1/0/3 connection of FW_A

The connection between FW_B and CE12800_B is the same.

NOTE:

One virtual machine can request to access the public address of another. The exchanged packets are forwarded by the CE12800.

Table 4-1 describes the planning of interfaces and security zones on the FWs.

Table 4-1  Planning of interfaces and security zones

| Interface | FW_A | FW_B | Description |
|---|---|---|---|
| GE1/0/1 | IP address: none; virtual system: public; security zone: Untrust | IP address: none; virtual system: public; security zone: Untrust | Connected to 10GE1/1/0/1 of the CE12800. |
| GE1/0/1.10 | IP address: 172.16.10.252/24; virtual system: vfw1; security zone: Untrust | IP address: 172.16.10.253/24; virtual system: vfw1; security zone: Untrust | Subinterface of vfw1. |
| GE1/0/1.11 | IP address: 172.16.11.252/24; virtual system: vfw2; security zone: Untrust | IP address: 172.16.11.253/24; virtual system: vfw2; security zone: Untrust | Subinterface of vfw2. |
| GE1/0/1.1000 | IP address: 172.16.9.252/24; virtual system: public; security zone: Untrust | IP address: 172.16.9.253/24; virtual system: public; security zone: Untrust | Subinterface of the root system. |
| GE1/0/2 | IP address: none; virtual system: public; security zone: DMZ | IP address: none; virtual system: public; security zone: DMZ | Connected to 10GE1/1/0/2 of the CE12800. |
| GE1/0/2.1 | IP address: 10.159.1.252/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: active | IP address: 10.159.1.253/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: standby | Subinterface of the root system. 10.159.1.254 serves as a gateway for the Portal system. |
| GE1/0/2.2 | IP address: 10.159.2.252/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: active | IP address: 10.159.2.253/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: standby | Subinterface of the root system. 10.159.2.254 serves as a gateway for the Portal system. |
| GE1/0/3 | IP address: none; virtual system: public; security zone: Trust | IP address: none; virtual system: public; security zone: Trust | Connected to 10GE1/1/0/3 of the CE12800. |
| GE1/0/3.10 | IP address: 10.159.10.252/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: active | IP address: 10.159.10.253/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: standby | Subinterface of vfw1. 10.159.10.254 serves as a gateway for the virtual machine. |
| GE1/0/3.11 | IP address: 10.159.11.252/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: active | IP address: 10.159.11.253/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: standby | Subinterface of vfw2. 10.159.11.254 serves as a gateway for the virtual machine. |
| Eth-Trunk1 | Member interfaces: GE2/0/1 and GE2/0/2; IP address: 10.1.1.1/30; virtual system: public; security zone: hrpzone | Member interfaces: GE2/0/1 and GE2/0/2; IP address: 10.1.1.2/30; virtual system: public; security zone: hrpzone | HRP backup interface. |

Virtual Systems

Virtual systems carry the virtual machine services. Each virtual system corresponds to one virtual machine. The interface planning for the virtual systems has been described above under Interfaces and Security Zones. In addition, to limit the bandwidth available to each virtual system, resource classes must be configured for the virtual systems.

Table 4-2 describes the planning of virtual systems on the FWs. Only two virtual systems are listed. In practice, you can create multiple virtual systems as needed.

Table 4-2  Planning of virtual systems
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Resource classes | Name: vfw1_car; maximum bandwidth: 100M | Name: vfw1_car; maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw1 is 100M. |
| Resource classes | Name: vfw2_car; maximum bandwidth: 100M | Name: vfw2_car; maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw2 is 100M. |
| Virtual systems | Name: vfw1; resource class: vfw1_car | Name: vfw1; resource class: vfw1_car | - |
| Virtual systems | Name: vfw2; resource class: vfw2_car | Name: vfw2; resource class: vfw2_car | - |

Routes

Both the root system and each virtual system have their own routes, and in each case these consist of a default route, black-hole routes, and OSPF routes. OSPF runs on the upstream subinterface that connects the FW to the CE12800, as shown in Figure 4-8.

Figure 4-8  OSPF routes on FW_A

Specifically:

  • A default route is configured for the root system with the next hop being the related VLANIF IP address of CE12800_A. A default route is configured for each virtual system with the next hop being the related VLANIF IP address of CE12800_A.
  • Black-hole routes with destination addresses being the public addresses of the Portal system are configured in the root system. These black-hole routes are advertised to CE12800_A by the root system through OSPF. A black-hole route with the destination address being the public address of the virtual machine is configured for each virtual system. This black-hole route is advertised to CE12800_A by the virtual system through OSPF.
  • OSPF runs on both the root system and virtual systems. The VPN instance corresponding to a virtual system is bound in the root system to run OSPF in the virtual system.

OSPF also runs on CE12800_A to advertise the network segment of each VLANIF interface.

Table 4-3 describes the planning of routes on the FWs.

Table 4-3  Planning of routes
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Routes in the root system | Default route; next hop: 172.16.9.251 | Default route; next hop: 172.16.9.251 | Default route of the root system; the next-hop address is on the CE12800. |
| Routes in the root system | Black-hole route; destination addresses: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole route; destination addresses: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes to the global addresses of the Portal system, to prevent a routing loop. |
| Routes in the root system | OSPF; advertised network segment: 172.16.9.0/24; static routes are used | OSPF; advertised network segment: 172.16.9.0/24; static routes are used | The global addresses of the Portal system are introduced into OSPF and advertised to the CE12800. |
| Routes in the virtual system vfw1 | Default route; next hop: 172.16.10.251 | Default route; next hop: 172.16.10.251 | Default route of vfw1; the next-hop address is on the CE12800. |
| Routes in the virtual system vfw1 | Black-hole route; destination address: 118.1.1.1/32 | Black-hole route; destination address: 118.1.1.1/32 | Black-hole route to the global address of the virtual machine, to prevent a routing loop. |
| Routes in the virtual system vfw1 | OSPF; bound VPN instance: vfw1; advertised network segment: 172.16.10.0/24; static routes are used | OSPF; bound VPN instance: vfw1; advertised network segment: 172.16.10.0/24; static routes are used | The global address of the virtual machine is introduced into OSPF and advertised to the CE12800. |
| Routes in the virtual system vfw2 | Default route; next hop: 172.16.11.251 | Default route; next hop: 172.16.11.251 | Default route of vfw2; the next-hop address is on the CE12800. |
| Routes in the virtual system vfw2 | Black-hole route; destination address: 118.1.1.2/32 | Black-hole route; destination address: 118.1.1.2/32 | Black-hole route to the global address of the virtual machine, to prevent a routing loop. |
| Routes in the virtual system vfw2 | OSPF; bound VPN instance: vfw2; advertised network segment: 172.16.11.0/24; static routes are used | OSPF; bound VPN instance: vfw2; advertised network segment: 172.16.11.0/24; static routes are used | The global address of the virtual machine is introduced into OSPF and advertised to the CE12800. |

Hot Standby

This is a typical hot standby network: the firewalls connect upstream to Layer-3 devices and downstream to Layer-2 devices. Figure 4-9 shows the logical networking where extranet enterprise users access the services of the virtual machines.

Figure 4-9  Logical networking of virtual machine services

Figure 4-10 shows the logical networking where extranet enterprise users access services of the Portal system.

Figure 4-10  Logical networking of Portal systems

After hot standby is configured, FW_A serves as the active firewall and FW_B as the standby firewall. As shown in Figure 4-11, when the network is normal, FW_A advertises its routes with their normal cost, while the cost of the routes advertised by FW_B is increased by 65,500 (the default value, which is configurable). When Router_A or Router_B forwards the traffic of extranet enterprise users to a Portal system or virtual machine, it selects the path with the smaller cost, so the traffic is forwarded by FW_A.

For the return traffic, when the Portal system or virtual machine requests the MAC address of the gateway, only the active firewall FW_A responds and sends the virtual MAC address to the Portal system or virtual machine. The CE6800 records the mapping between the virtual MAC address and port and forwards the return traffic to FW_A.

Figure 4-11  Normal traffic flow

When FW_A or a link of FW_A fails, an active/standby switchover takes place. FW_B then advertises its routes with their normal cost, and the cost of the routes advertised by FW_A is increased by 65,500. After the routes converge again, all traffic is forwarded by FW_B, as shown in Figure 4-12.

For the return traffic, after the active/standby switchover, FW_B sends a gratuitous ARP packet to make the CE6800 update the mapping between the virtual MAC address and port. Then, the return traffic is forwarded by the CE6800 to FW_B.

Figure 4-12  Traffic flow when the active link fails

Security Policies

There are security policies in the root system and security policies in virtual systems. Security policies in the root system permit packets from extranet enterprise users to the Portal system and permit OSPF packets exchanged between the root system and the CE12800. Security policies in a virtual system permit packets from extranet enterprise users to the virtual machine and permit OSPF packets exchanged between the virtual system and the CE12800.

In addition, antivirus and IPS profiles can be referenced in the security policies to defend against viruses, worms, Trojan horses, and zombie (botnet) traffic. Normally, the default antivirus and IPS profiles can be used.

Table 4-4 describes the planning of security policies on the FWs.

Table 4-4  Planning of security policies
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Security policies in the root system | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.159.0.0/16; action: permit; antivirus: default; IPS: default | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.159.0.0/16; action: permit; antivirus: default; IPS: default | Permit packets from extranet enterprise users to the Portal system. |
| Security policies in the root system | Name: sec_ospf; source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit | Name: sec_ospf; source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit | Permit OSPF packets exchanged between the FW and the CE12800. |
| Security policies in the virtual system vfw1 | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.10.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.10.0/24; action: permit; antivirus: default; IPS: default | Permit packets from extranet enterprise users to the virtual machine. |
| Security policies in the virtual system vfw1 | Name: sec_vm1_ospf; source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit | Name: sec_vm1_ospf; source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit | Permit OSPF packets exchanged between the FW and the CE12800. |
| Security policies in the virtual system vfw2 | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.11.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.11.0/24; action: permit; antivirus: default; IPS: default | Permit packets from extranet enterprise users to the virtual machine. |
| Security policies in the virtual system vfw2 | Name: sec_vm2_ospf; source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit | Name: sec_vm2_ospf; source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit | Permit OSPF packets exchanged between the FW and the CE12800. |

NAT Servers

There are NAT servers in the root system and NAT servers in the virtual systems. The NAT servers in the root system map the private addresses of the Portal system to public addresses so that extranet enterprise users can reach it. The NAT server in each virtual system maps the private address of that virtual machine to a public address so that extranet enterprise users can reach it.

For extranet enterprise users to access the Portal system and the virtual machines, a public address must be obtained for every Portal system and every virtual machine. It is assumed that the public addresses of the Portal system are 117.1.1.1 and 117.1.1.2 and that the public addresses of the virtual machines are 118.1.1.1 and 118.1.1.2. Table 4-5 describes the planning of NAT servers on the FWs.

Table 4-5  Planning of NAT servers
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| NAT servers in the root system | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.159.1.100 | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.159.1.100 | NAT server of the Portal system. |
| NAT servers in the root system | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.159.2.100 | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.159.2.100 | NAT server of the Portal system. |
| NAT server in the virtual system vfw1 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.159.10.100 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.159.10.100 | NAT server of the virtual machine. |
| NAT server in the virtual system vfw2 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.159.11.100 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.159.11.100 | NAT server of the virtual machine. |
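The Routes, Hot Standby, Security Policies and NAT Servers sections above all depend on each other: every NAT global address needs a black-hole route in its own system, every NAT inside address must sit behind a VRRP gateway subnet and inside the matching permit policy, and each default next hop must lie on the upstream subinterface's subnet. The following Python script is an added check and is not part of the Huawei document; it transcribes the addresses from Tables 4-1, 4-3, 4-4 and 4-5 into dictionaries of my own layout and verifies those cross-table invariants, so a transcription slip (for example a next hop copied from the wrong virtual system) is reported before the configuration is typed in.

```python
import ipaddress

# Plan values transcribed from Tables 4-1, 4-3, 4-4 and 4-5; the dict layout is mine.
VRRP = {  # subinterface: (FW_A address, FW_B address, VRRP ID, virtual IP)
    "GE1/0/2.1": ("10.159.1.252/24", "10.159.1.253/24", 1, "10.159.1.254"),
    "GE1/0/2.2": ("10.159.2.252/24", "10.159.2.253/24", 2, "10.159.2.254"),
    "GE1/0/3.10": ("10.159.10.252/24", "10.159.10.253/24", 10, "10.159.10.254"),
    "GE1/0/3.11": ("10.159.11.252/24", "10.159.11.253/24", 11, "10.159.11.254"),
}
SYSTEMS = {  # per system: FW_A upstream subinterface, default next hop, black-hole
             # prefixes, NAT servers (global -> inside), permit-policy destination
    "public": dict(uplink="172.16.9.252/24", nexthop="172.16.9.251",
                   blackhole={"117.1.1.1/32", "117.1.1.2/32"},
                   nat={"117.1.1.1": "10.159.1.100", "117.1.1.2": "10.159.2.100"},
                   policy_dst="10.159.0.0/16"),
    "vfw1": dict(uplink="172.16.10.252/24", nexthop="172.16.10.251",
                 blackhole={"118.1.1.1/32"}, nat={"118.1.1.1": "10.159.10.100"},
                 policy_dst="10.159.10.0/24"),
    "vfw2": dict(uplink="172.16.11.252/24", nexthop="172.16.11.251",
                 blackhole={"118.1.1.2/32"}, nat={"118.1.1.2": "10.159.11.100"},
                 policy_dst="10.159.11.0/24"),
}

def check_plan(vrrp=VRRP, systems=SYSTEMS):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings, gateways = [], set()
    for name, (addr_a, addr_b, vrid, vip) in vrrp.items():
        net_a = ipaddress.ip_interface(addr_a).network
        net_b = ipaddress.ip_interface(addr_b).network
        # Both members of a VRRP group and its virtual IP must share one subnet.
        if net_a != net_b or ipaddress.ip_address(vip) not in net_a:
            findings.append(f"{name}: VRRP {vrid} members and VIP {vip} not in one subnet")
        gateways.add(net_a)
    for sysname, s in systems.items():
        uplink = ipaddress.ip_interface(s["uplink"]).network
        if ipaddress.ip_address(s["nexthop"]) not in uplink:
            findings.append(f"{sysname}: default next hop {s['nexthop']} not on {uplink}")
        blackholes = {ipaddress.ip_network(p) for p in s["blackhole"]}
        policy_dst = ipaddress.ip_network(s["policy_dst"])
        for glob, inside in s["nat"].items():
            # Every NAT global address needs a black-hole route in its own system (loop prevention).
            if ipaddress.ip_network(glob + "/32") not in blackholes:
                findings.append(f"{sysname}: no black-hole route for NAT global address {glob}")
            inside_ip = ipaddress.ip_address(inside)
            # The inside address must sit behind a VRRP gateway and inside the permit policy.
            if not any(inside_ip in g for g in gateways):
                findings.append(f"{sysname}: inside address {inside} behind no VRRP gateway")
            if inside_ip not in policy_dst:
                findings.append(f"{sysname}: inside address {inside} outside policy {policy_dst}")
        # A black-hole route that covers no NAT server is a leftover worth reviewing.
        for bh in blackholes - {ipaddress.ip_network(g + "/32") for g in s["nat"]}:
            findings.append(f"{sysname}: black-hole route {bh} matches no NAT server")
    return findings
```

With the values as planned, check_plan() returns an empty list; adding a further virtual system means adding one VRRP entry and one SYSTEMS entry, after which the same checks apply to it.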

Updated: 2019-01-26

Document ID: EDOC1100062972
