
HUAWEI Firewall Comprehensive Configuration Examples

This document describes typical firewall deployment scenarios and the corresponding configuration methods.
Configuration Scripts

FW_A

FW_B

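#
# FW_A: active member of a two-node HRP pair (FW_B is configured as
# the standby). Apart from the HRP remote address, the uplink VLAN/IP
# addressing and the router ID, both members carry the same policy.
sysname FW_A
#
# HRP: heartbeat and state synchronization run over Eth-Trunk 2 (dmz
# zone); a failure of Eth-Trunk 1 triggers a switchover, and OSPF cost
# is adjusted so that neighbours prefer the active member.
 hrp enable
 hrp interface Eth-Trunk 2 remote 2.1.1.2
 hrp track interface Eth-Trunk 1
 hrp adjust ospf-cost enable
#
# PKI entity: the subject fields requested in the device certificate.
 pki entity ngfwa
  country CN
  state jiangsu
  organization huawei
  organization-unit info
  common-name hello
  fqdn test.abc.com
  ip-address 3.1.1.1
  email test@user.com
#
# PKI realm: SCEP enrollment against the RA at 9.1.2.4 over plain HTTP.
# The pinned SHA-1 fingerprint is what authenticates the CA certificate
# fetched during enrollment, so verify it out-of-band (from the CA
# operator) before running enrollment.
 pki realm abc
  ca id ca_root
  enrollment-url http://9.1.2.4:80/certsrv/mscep/mscep.dll ra
  entity ngfwa
  fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
  rsa local-key-pair rsa_scep
#
# Certificates imported from files: CA, RA and the local device
# certificate that ike peer eNodeB references below.
 pki import-certificate ca filename ngfwa_ca.cer
 pki import-certificate ca filename ngfw_ra.cer
 pki import-certificate local filename ngfwa_local.cer
#
# IPsec interesting traffic: trust-side 8.1.1.0/24 to the eNodeB
# networks 6.1.0.0/16 and 7.1.0.0/16.
 acl number 3000
  rule 5 permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0 0.0.255.255
  rule 10 permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0 0.0.255.255
#
# IPsec transform set: ESP with AES-256 encryption and SHA2-256 integrity.
 ipsec proposal tran1
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-256
#
# IKE proposal: certificate (RSA signature) authentication, AES-256,
# HMAC-SHA2-256 integrity and PRF.
# NOTE(review): dh group2 is 1024-bit MODP, below current
# recommendations; prefer group14 or stronger if the eNodeB peers
# support it.
 ike proposal 10
  encryption-algorithm aes-256
  dh group2
  authentication-algorithm sha2-256
  authentication-method rsa-signature
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
#
# IKE peer: IKEv2 only ("undo version 1"); both sides identify by
# certificate DN, and any peer whose certificate CN is eNodeB matches.
 ike peer eNodeB
  undo version 1
  ike-proposal 10
  local-id-type dn
  remote-id-type dn
  remote-id /CN=eNodeB
  certificate local-filename ngfwa_local.cer
#
# Policy template: the firewall is the responder for any eNodeB that
# matches the peer definition. "route inject dynamic" installs routes
# to the negotiated remote networks when a tunnel comes up; presumably
# these are the UNR routes that ospf 2 redistributes below - confirm.
 ipsec policy-template policy1 1
  security acl 3000
  ike-peer eNodeB
  proposal tran1
  route inject dynamic
#
 ipsec policy map1 10 isakmp template policy1
#
# Eth-Trunk 1 (GE1/0/1 + GE1/0/2) carries the dot1q sub-interfaces used
# for routing; Eth-Trunk 2 (GE1/0/8 + GE1/0/9) is the HRP link.
 interface Eth-Trunk 1
#
 interface GigabitEthernet 1/0/1
  description eth-trunk1
  Eth-Trunk 1
#
 interface GigabitEthernet 1/0/2
  description eth-trunk1
  Eth-Trunk 1
#
 interface Eth-Trunk 2
  ip address 2.1.1.1 255.255.255.252
#
 interface GigabitEthernet 1/0/8
  description eth-trunk2
  Eth-Trunk 2
#
 interface GigabitEthernet 1/0/9
  description eth-trunk2
  Eth-Trunk 2
#
# Eth-Trunk 1.1 (VLAN 100) is the untrust-side link; 1.2-1.4 face trust.
 interface Eth-Trunk 1.1
  vlan-type dot1q 100
  ip address 1.1.1.1 255.255.255.252
#
 interface Eth-Trunk 1.2
  vlan-type dot1q 200
  ip address 1.1.2.1 255.255.255.252
#
 interface Eth-Trunk 1.3
  vlan-type dot1q 300
  ip address 1.1.3.1 255.255.255.252
#
 interface Eth-Trunk 1.4
  vlan-type dot1q 400
  ip address 1.1.4.1 255.255.255.252
#
# IPsec tunnel interface. 3.1.1.1 is also the certificate ip-address and
# is configured identically on FW_B, so the tunnel endpoint follows
# whichever member is active.
 interface Tunnel 1
  ip address 3.1.1.1 255.255.255.252
  tunnel-protocol ipsec
  ipsec policy map1
#
 router id 1.1.1.1
#
# ospf 1: untrust-side link and the tunnel network.
 ospf 1
  area 1.1.1.1
   network 1.1.1.0 0.0.0.3
   network 3.1.1.0 0.0.0.3
#
# ospf 2: trust-side links; redistributes UNR routes.
 ospf 2
  import-route unr
  area 1.1.1.1
   network 1.1.2.0 0.0.0.3
  area 1.1.2.1
   network 1.1.3.0 0.0.0.3
  area 1.1.3.1
   network 1.1.4.0 0.0.0.3
#
# NOTE(review): NTP server without authentication; certificate validity
# checks depend on correct time, so consider NTP authentication in
# production.
 ntp-service unicast-server 9.1.1.2
#
# Traffic logs are exported to log host 9.1.1.3, port 9002.
 log type traffic enable
 firewall log host 1 9.1.1.3 9002
#
# NOTE(review): SNMPv2c carries the security name in cleartext and the
# listing shows it verbatim (private@123); use SNMPv3 authPriv and
# restrict SNMP to the management hosts in production.
 info-center enable
 snmp-agent
 snmp-agent sys-info version v2c
 snmp-agent target-host inform address udp-domain 9.1.1.1 params securityname private@123 v2c
#
# Security zones.
# NOTE(review): untrust is listed with priority 85, the same value as
# trust; the predefined untrust zone has priority 5 and zone priorities
# must be unique, so this line is most likely a listing error - confirm
# against a running device before copying it.
 firewall zone trust
  set priority 85
  add interface Eth-Trunk1.2
  add interface Eth-Trunk1.3
  add interface Eth-Trunk1.4
#
 firewall zone untrust
  set priority 85
  add interface Eth-Trunk1.1
  add interface Tunnel1
#
 firewall zone dmz
  set priority 50
  add interface Eth-Trunk2
#
# Security policy:
#   rules 1-2  OSPF adjacency between the firewall (local) and trust/untrust.
#   rules 3-4  tunnel endpoint 3.1.1.1 <-> eNodeB endpoints 6.1.1.1/30 and
#              7.1.1.1/30 with no service match. NOTE(review): limiting these
#              to IKE (UDP 500/4500) and ESP would reduce the local zone's
#              exposure to those peers.
#   rules 5-6  tunnel payload between 8.1.1.0/30 and the eNodeB /16s; note
#              this is narrower than ACL 3000's 8.1.1.0/24 on the trust side.
 security-policy
  rule name 1
   source-zone trust
   source-zone untrust
   destination-zone local
   service ospf
   action permit
  rule name 2
   source-zone local
   destination-zone trust
   destination-zone untrust
   service ospf
   action permit
  rule name 3
   source-zone local
   destination-zone untrust
   source-address 3.1.1.1 32
   destination-address 6.1.1.1 30
   destination-address 7.1.1.1 30
   action permit
  rule name 4
   source-zone untrust
   destination-zone local
   source-address 6.1.1.1 30
   source-address 7.1.1.1 30
   destination-address 3.1.1.1 32
   action permit
  rule name 5
   source-zone untrust
   destination-zone trust
   source-address 6.1.0.0 16
   source-address 7.1.0.0 16
   destination-address 8.1.1.1 30
   action permit
  rule name 6
   source-zone trust
   destination-zone untrust
   source-address 8.1.1.1 30
   destination-address 6.1.0.0 16
   destination-address 7.1.0.0 16
   action permit
#
return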
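#
# FW_B: standby member of the HRP pair ("hrp standby-device"). Policy,
# PKI, IPsec and zone configuration mirror the active member; only the
# HRP remote address, the uplink VLAN/IP addressing and the router ID
# differ.
sysname FW_B
#
# HRP: heartbeat over Eth-Trunk 2 (dmz zone), switchover tracked on
# Eth-Trunk 1, OSPF cost adjusted so neighbours prefer the active member.
 hrp enable
 hrp interface Eth-Trunk 2 remote 2.1.1.1
 hrp track interface Eth-Trunk 1
 hrp standby-device
 hrp adjust ospf-cost enable
#
# PKI entity: subject fields requested in the device certificate (same
# identity as the active member, so the tunnel endpoint can fail over).
 pki entity ngfwa
  country CN
  state jiangsu
  organization huawei
  organization-unit info
  common-name hello
  fqdn test.abc.com
  ip-address 3.1.1.1
  email test@user.com
#
# PKI realm: SCEP enrollment over plain HTTP; the pinned SHA-1
# fingerprint authenticates the CA certificate, so verify it
# out-of-band before enrolling.
 pki realm abc
  ca id ca_root
  enrollment-url http://9.1.2.4:80/certsrv/mscep/mscep.dll ra
  entity ngfwa
  fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
  rsa local-key-pair rsa_scep
#
# Certificates imported from files: CA, RA and the local device
# certificate referenced by ike peer eNodeB.
 pki import-certificate ca filename ngfwa_ca.cer
 pki import-certificate ca filename ngfw_ra.cer
 pki import-certificate local filename ngfwa_local.cer
#
# IPsec interesting traffic: 8.1.1.0/24 to 6.1.0.0/16 and 7.1.0.0/16.
 acl number 3000
  rule 5 permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0 0.0.255.255
  rule 10 permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0 0.0.255.255
#
# IPsec transform set: ESP with AES-256 and SHA2-256 integrity.
 ipsec proposal tran1
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-256
#
# IKE proposal: RSA-signature authentication, AES-256, HMAC-SHA2-256.
# NOTE(review): dh group2 is 1024-bit MODP; prefer group14 or stronger
# if the eNodeB peers support it.
 ike proposal 10
  encryption-algorithm aes-256
  dh group2
  authentication-algorithm sha2-256
  authentication-method rsa-signature
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
#
# IKE peer: IKEv2 only; peers are matched on certificate DN CN=eNodeB.
 ike peer eNodeB
  undo version 1
  ike-proposal 10
  local-id-type dn
  remote-id-type dn
  remote-id /CN=eNodeB
  certificate local-filename ngfwa_local.cer
#
# Policy template (responder side); "route inject dynamic" installs
# routes to the negotiated remote networks when a tunnel is established,
# presumably the UNR routes that ospf 2 redistributes below - confirm.
 ipsec policy-template policy1 1
  security acl 3000
  ike-peer eNodeB
  proposal tran1
  route inject dynamic
#
 ipsec policy map1 10 isakmp template policy1
#
# Eth-Trunk 1 (GE1/0/1 + GE1/0/2) carries the routed dot1q
# sub-interfaces; Eth-Trunk 2 (GE1/0/8 + GE1/0/9) is the HRP link.
 interface Eth-Trunk 1
#
 interface GigabitEthernet 1/0/1
  description eth-trunk1
  Eth-Trunk 1
#
 interface GigabitEthernet 1/0/2
  description eth-trunk1
  Eth-Trunk 1
#
 interface Eth-Trunk 2
  ip address 2.1.1.2 255.255.255.252
#
 interface GigabitEthernet 1/0/8
  description eth-trunk2
  Eth-Trunk 2
#
 interface GigabitEthernet 1/0/9
  description eth-trunk2
  Eth-Trunk 2
#
# Sub-interfaces use VLANs 1-4 and 5.1.x.0/30 links here, whereas the
# active member uses VLANs 100-400 and 1.1.x.0/30; presumably intended
# for the standby member's own uplinks - confirm with the site design.
# Eth-Trunk 1.1 is the untrust-side link; 1.2-1.4 face trust.
 interface Eth-Trunk 1.1
  vlan-type dot1q 1
  ip address 5.1.1.1 255.255.255.252
#
 interface Eth-Trunk 1.2
  vlan-type dot1q 2
  ip address 5.1.2.1 255.255.255.252
#
 interface Eth-Trunk 1.3
  vlan-type dot1q 3
  ip address 5.1.3.1 255.255.255.252
#
 interface Eth-Trunk 1.4
  vlan-type dot1q 4
  ip address 5.1.4.1 255.255.255.252
#
# IPsec tunnel interface; 3.1.1.1 is shared with the active member so
# the tunnel endpoint follows the active device.
 interface Tunnel 1
  ip address 3.1.1.1 255.255.255.252
  tunnel-protocol ipsec
  ipsec policy map1
#
 router id 5.1.1.1
#
# ospf 1: untrust-side link and the tunnel network.
 ospf 1
  area 1.1.1.1
   network 5.1.1.0 0.0.0.3
   network 3.1.1.0 0.0.0.3
#
# ospf 2: trust-side links; redistributes UNR routes.
 ospf 2
  import-route unr
  area 1.1.1.1
   network 5.1.2.0 0.0.0.3
  area 1.1.2.1
   network 5.1.3.0 0.0.0.3
  area 1.1.3.1
   network 5.1.4.0 0.0.0.3
#
# NOTE(review): NTP server without authentication; certificate validity
# checks depend on correct time.
 ntp-service unicast-server 9.1.1.2
#
# Traffic logs are exported to log host 9.1.1.3, port 9002.
 log type traffic enable
 firewall log host 1 9.1.1.3 9002
#
# NOTE(review): SNMPv2c carries the security name in cleartext and the
# listing shows it verbatim (private@123); use SNMPv3 authPriv and
# restrict SNMP to the management hosts in production.
 info-center enable
 snmp-agent
 snmp-agent sys-info version v2c
 snmp-agent target-host inform address udp-domain 9.1.1.1 params securityname private@123 v2c
#
# Security zones.
# NOTE(review): untrust is listed with priority 85, the same as trust;
# the predefined untrust zone has priority 5 and zone priorities must be
# unique, so this is most likely a listing error - confirm on a device.
 firewall zone trust
  set priority 85
  add interface Eth-Trunk1.2
  add interface Eth-Trunk1.3
  add interface Eth-Trunk1.4
#
 firewall zone untrust
  set priority 85
  add interface Eth-Trunk1.1
  add interface Tunnel1
#
 firewall zone dmz
  set priority 50
  add interface Eth-Trunk2
#
# Security policy:
#   rules 1-2  OSPF adjacency between the firewall (local) and trust/untrust.
#   rules 3-4  tunnel endpoint 3.1.1.1 <-> eNodeB endpoints 6.1.1.1/30 and
#              7.1.1.1/30 with no service match. NOTE(review): limiting these
#              to IKE (UDP 500/4500) and ESP would reduce the local zone's
#              exposure to those peers.
#   rules 5-6  tunnel payload between 8.1.1.0/30 and the eNodeB /16s; note
#              this is narrower than ACL 3000's 8.1.1.0/24 on the trust side.
 security-policy
  rule name 1
   source-zone trust
   source-zone untrust
   destination-zone local
   service ospf
   action permit
  rule name 2
   source-zone local
   destination-zone trust
   destination-zone untrust
   service ospf
   action permit
  rule name 3
   source-zone local
   destination-zone untrust
   source-address 3.1.1.1 32
   destination-address 6.1.1.1 30
   destination-address 7.1.1.1 30
   action permit
  rule name 4
   source-zone untrust
   destination-zone local
   source-address 6.1.1.1 30
   source-address 7.1.1.1 30
   destination-address 3.1.1.1 32
   action permit
  rule name 5
   source-zone untrust
   destination-zone trust
   source-address 6.1.0.0 16
   source-address 7.1.0.0 16
   destination-address 8.1.1.1 30
   action permit
  rule name 6
   source-zone trust
   destination-zone untrust
   source-address 8.1.1.1 30
   destination-address 6.1.0.0 16
   destination-address 7.1.0.0 16
   action permit
#
return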
Updated: 2019-01-26

Document ID: EDOC1100062972
