HUAWEI Firewall Comprehensive Configuration Examples

This document describes typical application scenarios for the firewall and the configuration methods used in such projects.
Configuration Scripts

#
sysname FW
#
info-center enable
engine log ips enable
info-center source IPS channel loghost log level emergencies
info-center source ANTIATTACK channel loghost
info-center loghost 10.1.10.30
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
 isp name edu_address set filename edu_address.csv
 isp name isp1_address set filename isp1_address.csv
 isp name isp2_address set filename isp2_address.csv
 isp name other_edu_server_address set filename other_edu_server_address.csv
#
 slb enable
#
 user-manage online-user aging-time 480
user-manage single-sign-on radius
  enable
  mode in-path
  interface GigabitEthernet1/0/7
  traffic server-ip 10.2.1.2 port 1813
#
 update schedule ips-sdb enable
 update schedule ips-sdb daily 02:30
 update server domain sec.huawei.com
#
 dns resolve
 dns server 10.1.10.30
#
ip-link check enable
ip-link name edu_ip_link
 destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
ip-link name isp1_ip_link
 destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
 destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
 destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
ip-link name isp2_ip_link
 destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
 destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
#
 dns-smart enable
#
aaa
 domain default
  new-user add-temporary group /default/newuser
#
interface GigabitEthernet1/0/1
 description connect_to_edu
 ip address 1.1.1.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 1.1.1.2
#
interface GigabitEthernet1/0/2
 description connect_to_isp1
 ip address 2.2.2.1 255.255.255.252
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 2.2.2.2
#
interface GigabitEthernet1/0/3
 description connect_to_isp1
 ip address 2.2.3.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 2.2.3.2
#
interface GigabitEthernet1/0/4
 description connect_to_isp1
 ip address 2.2.4.1 255.255.255.252
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 2.2.4.2
#
interface GigabitEthernet1/0/5
 description connect_to_isp2
 ip address 3.3.3.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 3.3.3.2
#
interface GigabitEthernet1/0/6
 description connect_to_isp2
 ip address 3.3.4.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 3.3.4.2
#
interface GigabitEthernet1/0/7
 description connect_to_campus
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet1/0/8
 description connect_to_radius
 ip address 10.2.1.1 255.255.255.252
#
firewall zone name edu_zone
 set priority 20
 add interface GigabitEthernet1/0/1
#  
firewall zone name isp1_zone1 
 set priority 30
 add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
 set priority 40
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
 set priority 50
 add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
 set priority 60 
 add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
 set priority 70 
 add interface GigabitEthernet1/0/6
# 
firewall zone trust 
 add interface GigabitEthernet1/0/7
# 
firewall zone dmz 
 add interface GigabitEthernet1/0/8
# 
firewall interzone trust edu_zone
 detect ftp 
 detect qq
 detect rtsp
firewall interzone trust isp1_zone1
 detect ftp 
 detect qq
 detect rtsp
firewall interzone trust isp1_zone2
 detect ftp 
 detect qq
 detect rtsp
firewall interzone trust isp1_zone3
 detect ftp 
 detect qq
 detect rtsp
firewall interzone trust isp2_zone1
 detect ftp 
 detect qq
 detect rtsp
firewall interzone trust isp2_zone2
 detect ftp 
 detect qq
 detect rtsp
#
 dns-smart group 1 type single
  real-server-ip 1.1.15.15
  out-interface GigabitEthernet 1/0/2 map 2.2.15.15
  out-interface GigabitEthernet 1/0/3 map 2.2.16.16
  out-interface GigabitEthernet 1/0/4 map 2.2.17.17
  out-interface GigabitEthernet 1/0/5 map 3.3.15.15
  out-interface GigabitEthernet 1/0/6 map 3.3.16.16
 dns-smart group 2 type single
  real-server-ip 1.1.101.101
  out-interface GigabitEthernet 1/0/2 map 2.2.102.102
  out-interface GigabitEthernet 1/0/3 map 2.2.103.103
  out-interface GigabitEthernet 1/0/4 map 2.2.104.104
  out-interface GigabitEthernet 1/0/5 map 3.3.102.102
  out-interface GigabitEthernet 1/0/6 map 3.3.103.103
#
ip route-static 1.1.15.15 32 NULL 0
ip route-static 2.2.15.15 32 NULL 0
ip route-static 2.2.16.16 32 NULL 0
ip route-static 2.2.17.17 32 NULL 0
ip route-static 3.3.15.15 32 NULL 0
ip route-static 3.3.16.16 32 NULL 0
ip route-static 1.1.101.101 32 NULL 0
ip route-static 2.2.102.102 32 NULL 0
ip route-static 2.2.103.103 32 NULL 0
ip route-static 2.2.104.104 32 NULL 0
ip route-static 3.3.102.102 32 NULL 0
ip route-static 3.3.103.103 32 NULL 0
ip route-static 1.1.30.31 32 NULL 0
ip route-static 1.1.30.32 32 NULL 0
ip route-static 1.1.30.33 32 NULL 0
ip route-static 2.2.5.1 32 NULL 0
ip route-static 2.2.5.2 32 NULL 0
ip route-static 2.2.5.3 32 NULL 0
ip route-static 2.2.6.1 32 NULL 0
ip route-static 2.2.6.2 32 NULL 0
ip route-static 2.2.6.3 32 NULL 0
ip route-static 2.2.7.1 32 NULL 0
ip route-static 2.2.7.2 32 NULL 0
ip route-static 2.2.7.3 32 NULL 0
ip route-static 3.3.1.1 32 NULL 0
ip route-static 3.3.1.2 32 NULL 0
ip route-static 3.3.1.3 32 NULL 0
ip route-static 3.3.2.1 32 NULL 0
ip route-static 3.3.2.2 32 NULL 0
ip route-static 3.3.2.3 32 NULL 0
ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
snmp-agent sys-info version v3
snmp-agent group v3 inside_snmp privacy
snmp-agent usm-user v3 snmp_user group inside_snmp
snmp-agent usm-user v3 snmp_user authentication-mode sha cipher %$%$k)>GV7woERAFb8XL]i9!F[RI\\D(-#s.c$S;ZC3[MPc"qaXS%$%$
snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher %$%$k)>GV7woERAFb8XL]i9!F[RI\\D(-#s.c$S;ZC3[MPc"qaXS%$%$
#
profile type audit name trust_to_internet_audit
 http-audit url all
 http-audit bbs-content
 http-audit micro-blog
 http-audit file direction both
 ftp-audit file direction both
#
 nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
 nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
 nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
 nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
 nat server portal_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
 nat server portal_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
 nat server portal_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
 nat server portal_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
 nat server portal_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
 nat server portal_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#
sa
 user-defined-application name UD_dis_edu_sys_app
  category Business_Systems
  data-model client-server
  label Encrypted-Communications Business-Applications
  rule name 1
   ip-address 2.2.50.50 32
   port 5000
#
nat address-group edu_nat_address_pool
 mode pat
 section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
 mode pat
 section 0 2.2.5.1 2.2.5.3
nat address-group isp1_nat_address_pool2
 mode pat
 section 0 2.2.6.1 2.2.6.3
nat address-group isp1_nat_address_pool3
 mode pat
 section 0 2.2.7.1 2.2.7.3
nat address-group isp2_nat_address_pool1
 mode pat
 section 0 3.3.1.1 3.3.1.3
nat address-group isp2_nat_address_pool2
 mode pat
 section 0 3.3.2.1 3.3.2.3
#
 slb
  group 1 grp1
   metric roundrobin
   rserver 1 rip 10.1.10.10
   rserver 2 rip 10.1.10.11
  vserver 1 vs1
   vip 1 1.1.111.111
   vip 2 2.2.112.112
   vip 3 3.3.113.113
   group grp1
#
security-policy
 rule name user_inside
  source-zone trust
  profile ips default
  action permit
 rule name user_outside
  source-zone edu_zone
  source-zone isp1_zone1
  source-zone isp1_zone2
  source-zone isp1_zone3
  source-zone isp2_zone1
  source-zone isp2_zone2
  destination-address 10.1.10.0 mask 255.255.255.0
  profile ips default
  action permit
 rule name local_to_any
  source-zone local
  destination-zone any
  action permit
#
traffic-policy
 profile isp1_p2p_profile_01
  bandwidth maximum-bandwidth whole both 100000
  bandwidth maximum-bandwidth per-ip both 500
 profile isp1_p2p_profile_02
  bandwidth maximum-bandwidth whole both 300000
  bandwidth maximum-bandwidth per-ip both 1000
 profile isp1_p2p_profile_03
  bandwidth maximum-bandwidth whole both 700000
  bandwidth maximum-bandwidth per-ip both 2000
 rule name isp1_p2p_01
  ingress-interface GigabitEthernet 1/0/7
  egress-interface GigabitEthernet 1/0/2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_01
 rule name isp1_p2p_02
  ingress-interface GigabitEthernet 1/0/7
  egress-interface GigabitEthernet 1/0/3
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_02
 rule name isp1_p2p_03
  ingress-interface GigabitEthernet 1/0/7
  egress-interface GigabitEthernet 1/0/4
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_03
#
policy-based-route
 rule name pbr_dns_trans
  source-zone trust
  service dns
  service dns-tcp
  action pbr egress-interface multi-interface
   mode proportion-of-bandwidth
   add interface GigabitEthernet 1/0/1
   add interface GigabitEthernet 1/0/2
   add interface GigabitEthernet 1/0/3
   add interface GigabitEthernet 1/0/4
   add interface GigabitEthernet 1/0/5
   add interface GigabitEthernet 1/0/6
 rule name dis_edu_sys
  source-zone trust
  application app UD_dis_edu_sys_app
  action pbr egress-interface multi-interface
   mode proportion-of-bandwidth
   add interface GigabitEthernet 1/0/1
   add interface GigabitEthernet 1/0/5
   add interface GigabitEthernet 1/0/6
 rule name p2p_traffic
  source-zone trust
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action pbr egress-interface multi-interface
   mode proportion-of-bandwidth
   add interface GigabitEthernet 1/0/2
   add interface GigabitEthernet 1/0/3
   add interface GigabitEthernet 1/0/4
 rule name pbr_edu
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp edu_address
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet 1/0/1 priority 8
   add interface GigabitEthernet 1/0/2 priority 5
   add interface GigabitEthernet 1/0/3 priority 5
   add interface GigabitEthernet 1/0/4 priority 5
   add interface GigabitEthernet 1/0/5 priority 1
   add interface GigabitEthernet 1/0/6 priority 1
 rule name pbr_isp1
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp isp1_address
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet 1/0/1 priority 5
   add interface GigabitEthernet 1/0/2 priority 8
   add interface GigabitEthernet 1/0/3 priority 8
   add interface GigabitEthernet 1/0/4 priority 8
   add interface GigabitEthernet 1/0/5 priority 1
   add interface GigabitEthernet 1/0/6 priority 1
 rule name pbr_isp2
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp isp2_address
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet 1/0/1 priority 5
   add interface GigabitEthernet 1/0/2 priority 1
   add interface GigabitEthernet 1/0/3 priority 1
   add interface GigabitEthernet 1/0/4 priority 1
   add interface GigabitEthernet 1/0/5 priority 8
   add interface GigabitEthernet 1/0/6 priority 8
 rule name pbr_rest
  source-zone trust
  source-address 10.1.0.0 16
  action pbr egress-interface multi-interface
   mode priority-of-link-quality
   priority-of-link-quality parameter delay jitter loss 
   priority-of-link-quality protocol tcp-simple 
   priority-of-link-quality interval 3 times 5 
   add interface GigabitEthernet 1/0/1
   add interface GigabitEthernet 1/0/2
   add interface GigabitEthernet 1/0/3
   add interface GigabitEthernet 1/0/4
   add interface GigabitEthernet 1/0/5
   add interface GigabitEthernet 1/0/6
 rule name other_edu_server
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp other_edu_server_address
  action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
 rule name lib_internet
  source-zone trust
  source-address 10.1.50.0 22
  action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
#
nat-policy
 rule name inner_nat_policy
  source-zone trust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group edu_nat_address_pool
 rule name edu_nat_policy
  source-zone trust
  source-address 10.1.0.0 16
  source-address 10.50.1.0 24
  action source-nat address-group edu_nat_address_pool
 rule name isp1_nat_policy1
  source-zone trust
  destination-zone isp1_zone1
  source-address 10.1.0.0 16
  action source-nat address-group isp1_nat_address_pool1
 rule name isp1_nat_policy2
  source-zone trust
  destination-zone isp1_zone2
  source-address 10.1.0.0 16
  action source-nat address-group isp1_nat_address_pool2
 rule name isp1_nat_policy3
  source-zone trust
  destination-zone isp1_zone3
  source-address 10.1.0.0 16
  action source-nat address-group isp1_nat_address_pool3 
 rule name isp2_nat_policy1
  source-zone trust
  destination-zone isp2_zone1
  source-address 10.1.0.0 16
  action source-nat address-group isp2_nat_address_pool1
 rule name isp2_nat_policy2
  source-zone trust
  destination-zone isp2_zone2
  source-address 10.1.0.0 16
  action source-nat address-group isp2_nat_address_pool2
#
audit-policy
 rule name trust_to_internet_audit_policy
  source-zone trust
  destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
  action audit profile trust_to_internet_audit
#
dns-transparent-policy
 dns transparent-proxy enable
 dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
 dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
 dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
 dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
 dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
 dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
 dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
 rule name dns_trans_rule
  action tpdns
#
return
# The following configuration takes effect only one time and is not saved into the configuration file.
 user-manage user-import demo.csv auto-create-group override
 user-manage group /default/newuser
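A script of this size is easy to paste onto a device with a dangling reference or a rule that never reaches its action. As an added example that is not part of the Huawei document, the following Python checker parses the indented, `#`-separated block format used above and cross-checks the nat-policy rules against the source-NAT address groups they reference; the configuration inside it is a constructed excerpt that reuses the names from this script.

```python
"""Cross-reference check for a Huawei USG-style configuration script: added example,
not part of the Huawei document. Parses the indented, '#'-separated block format used
above and flags nat-policy rules with no action and unused or undefined address groups."""

# Constructed excerpt (names from the script above); the second rule deliberately lacks its action.
SAMPLE_CONFIG = """\
nat address-group isp2_nat_address_pool1
 section 0 3.3.1.1 3.3.1.3
nat address-group isp2_nat_address_pool2
 section 0 3.3.2.1 3.3.2.3
#
nat-policy
 rule name isp2_nat_policy1
  source-zone trust
  source-address 10.1.0.0 16
  action source-nat address-group isp2_nat_address_pool1
 rule name isp2_nat_policy2
  source-zone trust
  source-address 10.1.0.0 16
"""


def parse_blocks(text):
    """Split the script on '#' lines into blocks of (indent, text) tuples."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append((len(raw) - len(raw.lstrip(" ")), line))
    return blocks + [current] if current else blocks


def nat_policy_rules(blocks):
    """Map each nat-policy rule name to its indented body lines."""
    rules, name = {}, None
    for block in blocks:
        if block[0] != (0, "nat-policy"):
            continue
        for indent, line in block[1:]:
            if indent == 1 and line.startswith("rule name "):
                name = line.split(None, 2)[2]
                rules[name] = []
            elif indent > 1 and name is not None:
                rules[name].append(line)
    return rules


def audit_nat(text):
    """Return the inconsistencies worth flagging before the script is committed."""
    blocks = parse_blocks(text)
    defined = {ln.split(None, 2)[2] for blk in blocks for ind, ln in blk
               if ind == 0 and ln.startswith("nat address-group ")}
    rules = nat_policy_rules(blocks)
    referenced = {ln.split()[-1] for body in rules.values() for ln in body
                  if ln.startswith("action source-nat address-group ")}
    no_action = [n for n, body in rules.items()
                 if not any(ln.startswith("action ") for ln in body)]
    return {"rules_without_action": sorted(no_action),
            "unused_address_groups": sorted(defined - referenced),
            "undefined_address_groups": sorted(referenced - defined)}
```

Run `audit_nat` over a full exported script to get the three lists; an empty result for all three is the expected state before the configuration is committed.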
Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16155

Downloads: 700

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next