HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Configuring Interfaces, Security Zones, and Routes

Procedure

  1. Configure IP addresses for the interfaces of FW-5.

    <sysname> system-view
    [sysname] sysname FW-5
    [FW-5] interface Eth-trunk 1
    [FW-5-Eth-Trunk1] description Link_To_SW5
    [FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
    [FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
    [FW-5-Eth-Trunk1] quit
    [FW-5] interface Eth-trunk 1.1
    [FW-5-Eth-Trunk1.1] vlan-type dot1q 10
    [FW-5-Eth-Trunk1.1] ip address 172.6.1.2 29
    [FW-5-Eth-Trunk1.1] quit
    [FW-5] interface Eth-trunk 1.2
    [FW-5-Eth-Trunk1.2] vlan-type dot1q 20
    [FW-5-Eth-Trunk1.2] ip address 172.6.2.2 29
    [FW-5-Eth-Trunk1.2] quit
    [FW-5] interface Eth-trunk 1.3
    [FW-5-Eth-Trunk1.3] vlan-type dot1q 30
    [FW-5-Eth-Trunk1.3] ip address 172.6.3.2 29
    [FW-5-Eth-Trunk1.3] quit
    [FW-5] interface Eth-trunk 1.4
    [FW-5-Eth-Trunk1.4] vlan-type dot1q 40
    [FW-5-Eth-Trunk1.4] ip address 172.6.4.2 29
    [FW-5-Eth-Trunk1.4] quit
    [FW-5] interface Eth-trunk 2
    [FW-5-Eth-Trunk2] description Link_To_SW1
    [FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
    [FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
    [FW-5-Eth-Trunk2] quit
    [FW-5] interface Eth-trunk 2.1
    [FW-5-Eth-Trunk2.1] vlan-type dot1q 103
    [FW-5-Eth-Trunk2.1] ip address 172.7.1.2 29
    [FW-5-Eth-Trunk2.1] quit
    [FW-5] interface Eth-trunk 2.2
    [FW-5-Eth-Trunk2.2] vlan-type dot1q 104
    [FW-5-Eth-Trunk2.2] ip address 172.7.2.2 29
    [FW-5-Eth-Trunk2.2] quit
    [FW-5] interface Eth-trunk 0
    [FW-5-Eth-Trunk0] description HRP_Interface
    [FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
    [FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
    [FW-5-Eth-Trunk0] ip address 12.12.12.1 24
    [FW-5-Eth-Trunk0] quit
    

  2. Assign the interfaces of FW-5 to appropriate security zones.

    [FW-5] firewall zone name zone1
    [FW-5-zone-zone1] set priority 45
    [FW-5-zone-zone1] add interface Eth-trunk1.1
    [FW-5-zone-zone1] quit
    [FW-5] firewall zone name zone2
    [FW-5-zone-zone2] set priority 40
    [FW-5-zone-zone2] add interface Eth-trunk1.2
    [FW-5-zone-zone2] quit
    [FW-5] firewall zone name zone3
    [FW-5-zone-zone3] set priority 10
    [FW-5-zone-zone3] add interface Eth-trunk1.3
    [FW-5-zone-zone3] quit
    [FW-5] firewall zone name zone4
    [FW-5-zone-zone4] set priority 30
    [FW-5-zone-zone4] add interface Eth-trunk1.4
    [FW-5-zone-zone4] quit
    [FW-5] firewall zone trust
    [FW-5-zone-trust] add interface Eth-trunk2.1
    [FW-5-zone-trust] quit
    [FW-5] firewall zone dmz
    [FW-5-zone-dmz] add interface Eth-trunk2.2
    [FW-5-zone-dmz] quit
    [FW-5] firewall zone name hrp
    [FW-5-zone-hrp] set priority 85
    [FW-5-zone-hrp] add interface Eth-trunk0
    [FW-5-zone-hrp] quit
    

  3. Configure static routes on FW-5.

    # On FW-5, configure a static route to the data center service area and set the next hop to the IP address of the core switch.

    [FW-5] ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
    [FW-5] ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
    [FW-5] ip route-static 10.3.0.0 255.255.0.0 172.7.1.4

    # On FW-5, configure static routes to the SSL VPN access terminal, branch, partner network, and Internet and set the next hop to the IP address of the ISP router.

    [FW-5] ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
    [FW-5] ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
    [FW-5] ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
    [FW-5] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
    

  4. Configure the IP addresses, security zones, and routes of the FW-6 interfaces in the same way. Only the interface IP addresses differ.

Configuring Hot Standby

Procedure

  1. Configure VRRP groups on the interfaces of FW-5 and set their state to active.

    <FW-5> system-view
    [FW-5] interface Eth-Trunk1.1
    [FW-5-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
    [FW-5-Eth-Trunk1.1] quit
    [FW-5] interface Eth-Trunk1.2
    [FW-5-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 active
    [FW-5-Eth-Trunk1.2] quit
    [FW-5] interface Eth-Trunk1.3
    [FW-5-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 active
    [FW-5-Eth-Trunk1.3] quit
    [FW-5] interface Eth-Trunk1.4
    [FW-5-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 active
    [FW-5-Eth-Trunk1.4] quit
    [FW-5] interface Eth-Trunk2.1
    [FW-5-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 active
    [FW-5-Eth-Trunk2.1] quit
    [FW-5] interface Eth-Trunk2.2
    [FW-5-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 active
    [FW-5-Eth-Trunk2.2] quit

  2. Designate Eth-Trunk 0 as the heartbeat interface of FW-5, and enable hot standby.

    [FW-5] hrp interface Eth-Trunk0 remote 12.12.12.2
    [FW-5] hrp enable

  3. Configure VRRP groups on the interfaces of FW-6 and set their state to standby.

    <FW-6> system-view
    [FW-6] interface Eth-Trunk1.1
    [FW-6-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 standby
    [FW-6-Eth-Trunk1.1] quit
    [FW-6] interface Eth-Trunk1.2
    [FW-6-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 standby
    [FW-6-Eth-Trunk1.2] quit
    [FW-6] interface Eth-Trunk1.3
    [FW-6-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 standby
    [FW-6-Eth-Trunk1.3] quit
    [FW-6] interface Eth-Trunk1.4
    [FW-6-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 standby
    [FW-6-Eth-Trunk1.4] quit
    [FW-6] interface Eth-Trunk2.1
    [FW-6-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 standby
    [FW-6-Eth-Trunk2.1] quit
    [FW-6] interface Eth-Trunk2.2
    [FW-6-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 standby
    [FW-6-Eth-Trunk2.2] quit

  4. Designate Eth-Trunk 0 as the heartbeat interface of FW-6, and enable hot standby.

    [FW-6] hrp interface Eth-Trunk0 remote 12.12.12.1
    [FW-6] hrp enable
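
A hot-standby pair only fails over cleanly if every VRRP group is defined identically on both peers with complementary states, and if each peer's `hrp interface ... remote` address is the other peer's heartbeat address. The following Python script is an added example (not Huawei's code and not part of this document) that parses two configurations in the prompt style shown above and reports the inconsistencies a practitioner would want to catch before go-live. The device names FW-A/FW-B, interface names and addresses in the sample are constructed; the sample deliberately leaves VRRP group 5 active on both peers.

```python
"""Hot-standby consistency check for a pair of firewalls (added example)."""
import re

# Constructed sample configurations (not from the page). FW-B has VRRP group 5
# in the active state, which FW-A also claims: a split-brain misconfiguration.
FW_A_CONFIG = """
[FW-A] interface Eth-Trunk0
[FW-A-Eth-Trunk0] ip address 10.255.0.1 24
[FW-A-Eth-Trunk0] quit
[FW-A] interface Eth-Trunk1.1
[FW-A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 198.51.100.1 29 active
[FW-A-Eth-Trunk1.1] quit
[FW-A] interface Eth-Trunk2.1
[FW-A-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 192.168.100.1 29 active
[FW-A-Eth-Trunk2.1] quit
[FW-A] hrp interface Eth-Trunk0 remote 10.255.0.2
[FW-A] hrp enable
"""

FW_B_CONFIG = """
[FW-B] interface Eth-Trunk0
[FW-B-Eth-Trunk0] ip address 10.255.0.2 24
[FW-B-Eth-Trunk0] quit
[FW-B] interface Eth-Trunk1.1
[FW-B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 198.51.100.1 29 standby
[FW-B-Eth-Trunk1.1] quit
[FW-B] interface Eth-Trunk2.1
[FW-B-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 192.168.100.1 29 active
[FW-B-Eth-Trunk2.1] quit
[FW-B] hrp interface Eth-Trunk0 remote 10.255.0.1
[FW-B] hrp enable
"""

# Strips a leading "[FW-A-...] " or "HRP_M<FW-5> " prompt so plain commands remain.
PROMPT_RE = re.compile(r"^\s*(?:HRP_[MS])?[\[<][^\]>]*[\]>]\s*")


def parse_hrp_side(config):
    """Collect VRRP groups, interface addresses and the HRP heartbeat settings of one peer."""
    side = {"vrrp": {}, "if_ip": {}, "heartbeat_if": None, "remote": None}
    current_if = None
    for raw in config.splitlines():
        tokens = PROMPT_RE.sub("", raw).split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            current_if = tokens[1]
        elif tokens[:2] == ["vrrp", "vrid"]:
            # vrrp vrid <id> virtual-ip <ip> <mask> <active|standby>
            side["vrrp"][(current_if, int(tokens[2]))] = (tokens[4], tokens[6])
        elif tokens[:2] == ["ip", "address"]:
            side["if_ip"][current_if] = tokens[2]
        elif tokens[:2] == ["hrp", "interface"]:
            # hrp interface <heartbeat-if> remote <peer-heartbeat-ip>
            side["heartbeat_if"], side["remote"] = tokens[2], tokens[4]
    return side


def check_hot_standby(a, b):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    problems = []
    for intf, vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        ga, gb = a["vrrp"].get((intf, vrid)), b["vrrp"].get((intf, vrid))
        if ga is None or gb is None:
            problems.append(f"VRRP group {vrid} on {intf} is configured on one peer only")
        elif ga[0] != gb[0]:
            problems.append(f"VRRP group {vrid} on {intf}: virtual IPs differ ({ga[0]} vs {gb[0]})")
        elif {ga[1], gb[1]} != {"active", "standby"}:
            problems.append(f"VRRP group {vrid} on {intf}: states are {ga[1]}/{gb[1]}, not active/standby")
    # Each peer's "remote" must be the address configured on the other peer's heartbeat interface.
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["remote"] != peer["if_ip"].get(peer["heartbeat_if"]):
            problems.append(f"peer {name}: hrp remote address does not match the other peer's heartbeat address")
    return problems


if __name__ == "__main__":
    for problem in check_hot_standby(parse_hrp_side(FW_A_CONFIG), parse_hrp_side(FW_B_CONFIG)):
        print("PROBLEM:", problem)
```

Run against the live configurations of both peers (for example the output of `display current-configuration` saved to files), the same checks apply unchanged because the prompt prefix is stripped before parsing.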

Result

The hot-standby relationship is now established, and most of the subsequent configuration is backed up from FW-5 to FW-6 automatically. Therefore, in the following steps you only need to configure the active FW-5 (unless otherwise stated).

Configuring the NAT Server

Procedure

  1. Configure NAT Server to map the servers' private IP addresses to public IP addresses.

    HRP_M[FW-5] nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
    HRP_M[FW-5] nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
    HRP_M[FW-5] nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
    HRP_M[FW-5] nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
    

  2. Configure a black-hole route to the public address of the NAT server to prevent routing loops between the firewall and ISP routers.

    Route configuration is not synchronized by hot standby, so the black-hole routes must be configured on both FW-5 and FW-6.

    HRP_M[FW-5] ip route-static 1.1.3.2 32 NULL 0
    HRP_M[FW-5] ip route-static 1.1.3.3 32 NULL 0
    HRP_M[FW-5] ip route-static 1.1.3.4 32 NULL 0
    HRP_M[FW-5] ip route-static 1.1.3.5 32 NULL 0
    
    HRP_S[FW-6] ip route-static 1.1.3.2 32 NULL 0
    HRP_S[FW-6] ip route-static 1.1.3.3 32 NULL 0
    HRP_S[FW-6] ip route-static 1.1.3.4 32 NULL 0
    HRP_S[FW-6] ip route-static 1.1.3.5 32 NULL 0
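
Every NAT Server public address needs a matching black-hole route, and a black-hole route must never swallow the next hop of a real route; both mistakes are easy to make when mappings are added over time. The following Python script is an added example (not Huawei's code and not part of this document) that parses `nat server` and `ip route-static` lines in the style shown above and reports public addresses without a NULL0 route, next hops that a black-hole route would capture, and the commands that would close the gap. The firewall name FW-A and all addresses in the sample are constructed; one mapping is deliberately left without a black-hole route.

```python
"""NAT Server / black-hole route coverage check (added example)."""
import ipaddress
import re

# Constructed sample (not the page's configuration): three NAT Server mappings,
# only two black-hole routes, and a default route towards the ISP router.
SAMPLE_CONFIG = """
HRP_M[FW-A] nat server web1 protocol tcp global 203.0.113.10 8443 inside 192.0.2.10 443
HRP_M[FW-A] nat server web2 protocol tcp global 203.0.113.11 8443 inside 192.0.2.11 443
HRP_M[FW-A] nat server mail protocol tcp global 203.0.113.12 25 inside 192.0.2.20 25
HRP_M[FW-A] ip route-static 203.0.113.10 32 NULL 0
HRP_M[FW-A] ip route-static 203.0.113.11 32 NULL 0
HRP_M[FW-A] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
"""

PROMPT_RE = re.compile(r"^\s*(?:HRP_[MS])?[\[<][^\]>]*[\]>]\s*")
# nat server <name> protocol <proto> global <ip> [port] inside <ip> [port]
NAT_SERVER_RE = re.compile(r"^nat server (\S+) .*?\bglobal (\S+)(?: \d+)? inside (\S+)")
# ip route-static <dest> <mask|prefix-length> <next-hop | NULL 0>
STATIC_ROUTE_RE = re.compile(r"^ip route-static (\S+) (\S+) (\S+)")


def nat_global_addresses(config):
    """Return {global_ip: (mapping_name, inside_ip)} for every NAT Server mapping."""
    result = {}
    for raw in config.splitlines():
        m = NAT_SERVER_RE.match(PROMPT_RE.sub("", raw))
        if m:
            result[m.group(2)] = (m.group(1), m.group(3))
    return result


def static_routes(config):
    """Return [(network, next_hop)] where next_hop is None for a NULL0 black-hole route."""
    routes = []
    for raw in config.splitlines():
        m = STATIC_ROUTE_RE.match(PROMPT_RE.sub("", raw))
        if not m:
            continue
        # ipaddress accepts both "32" and "255.255.255.255" as the mask part.
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        hop = None if m.group(3).upper().startswith("NULL") else ipaddress.ip_address(m.group(3))
        routes.append((net, hop))
    return routes


def missing_blackhole_routes(config):
    """NAT Server public addresses that no black-hole route covers (loop risk with the ISP router)."""
    holes = [net for net, hop in static_routes(config) if hop is None]
    return sorted(ip for ip in nat_global_addresses(config)
                  if not any(ipaddress.ip_address(ip) in net for net in holes))


def blackholed_next_hops(config):
    """Next hops of real routes that fall inside a black-hole route (forwarding would break)."""
    routes = static_routes(config)
    holes = [net for net, hop in routes if hop is None]
    return sorted({str(hop) for _, hop in routes
                   if hop is not None and any(hop in net for net in holes)})


def remediation_commands(config):
    """Commands that add the missing black-hole routes, in the page's command syntax."""
    return [f"ip route-static {ip} 32 NULL 0" for ip in missing_blackhole_routes(config)]


if __name__ == "__main__":
    print("missing black-hole routes:", missing_blackhole_routes(SAMPLE_CONFIG))
    print("black-holed next hops:", blackholed_next_hops(SAMPLE_CONFIG))
    print("remediation:", remediation_commands(SAMPLE_CONFIG))
```

Because route configuration is not synchronized by hot standby, run the check against the configuration of each peer separately.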
    

Configuring Security Policies and Security Protection

Procedure

  1. Configure security policies and IPS functions.

    # Configure an address group on FW-5.

    HRP_M[FW-5] ip address-set remote_users type object
    HRP_M[FW-5-object-address-set-remote_users] address 0 172.168.3.0 mask 24
    HRP_M[FW-5-object-address-set-remote_users] description "for remote users"
    HRP_M[FW-5-object-address-set-remote_users] quit
    HRP_M[FW-5] ip address-set partner type object
    HRP_M[FW-5-object-address-set-partner] address 0 172.168.4.0 mask 24
    HRP_M[FW-5-object-address-set-partner] description "for partner"
    HRP_M[FW-5-object-address-set-partner] quit
    HRP_M[FW-5] ip address-set branch2 type object
    HRP_M[FW-5-object-address-set-branch2] address 0 10.9.1.0 mask 24
    HRP_M[FW-5-object-address-set-branch2] description "for branch2"
    HRP_M[FW-5-object-address-set-branch2] quit
    HRP_M[FW-5] ip address-set server1 type object
    HRP_M[FW-5-object-address-set-server1] address 0 10.1.1.10 mask 32
    HRP_M[FW-5-object-address-set-server1] address 1 10.1.1.11 mask 32
    HRP_M[FW-5-object-address-set-server1] description "for server1"
    HRP_M[FW-5-object-address-set-server1] quit
    HRP_M[FW-5] ip address-set server2 type object
    HRP_M[FW-5-object-address-set-server2] address 0 10.2.1.4 mask 32
    HRP_M[FW-5-object-address-set-server2] address 1 10.2.1.5 mask 32
    HRP_M[FW-5-object-address-set-server2] description "for server2"
    HRP_M[FW-5-object-address-set-server2] quit
    HRP_M[FW-5] ip address-set server4 type object
    HRP_M[FW-5-object-address-set-server4] address 0 10.1.1.4 mask 32
    HRP_M[FW-5-object-address-set-server4] address 1 10.1.1.5 mask 32
    HRP_M[FW-5-object-address-set-server4] description "for server4"
    HRP_M[FW-5-object-address-set-server4] quit
    HRP_M[FW-5] ip address-set server5 type object
    HRP_M[FW-5-object-address-set-server5] address 0 192.168.4.2 mask 32
    HRP_M[FW-5-object-address-set-server5] address 1 192.168.4.3 mask 32
    HRP_M[FW-5-object-address-set-server5] address 2 192.168.4.4 mask 32
    HRP_M[FW-5-object-address-set-server5] address 3 192.168.4.5 mask 32
    HRP_M[FW-5-object-address-set-server5] description "for server5"
    HRP_M[FW-5-object-address-set-server5] quit
    HRP_M[FW-5] ip address-set ad_server type object
    HRP_M[FW-5-object-address-set-ad_server] address 0 192.168.5.4 mask 32
    HRP_M[FW-5-object-address-set-ad_server] address 1 192.168.5.5 mask 32
    HRP_M[FW-5-object-address-set-ad_server] description "for ad_server"
    HRP_M[FW-5-object-address-set-ad_server] quit
    

    # Configure a service set on FW-5.

    HRP_M[FW-5] ip service-set tcp_1414 type object
    HRP_M[FW-5-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414
    HRP_M[FW-5-object-service-set-tcp_1414] quit
    

    # Configure the security policy remote_users_to_server1 on FW-5 and reference the IPS profile.

    HRP_M[FW-5] security-policy
    HRP_M[FW-5-policy-security] rule name remote_users_to_server1
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-zone zone1 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-zone trust 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-address address-set remote_users 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-address address-set server1 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] service ftp http
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] action permit
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] profile ips default
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] quit

    # Configure the security policy partner_to_server2 on FW-5 and reference the IPS profile.

    HRP_M[FW-5-policy-security] rule name partner_to_server2
    HRP_M[FW-5-policy-security-rule-partner_to_server2] source-zone zone4 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-zone trust 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] source-address address-set partner 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-address address-set server2 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] service tcp_1414
    HRP_M[FW-5-policy-security-rule-partner_to_server2] action permit
    HRP_M[FW-5-policy-security-rule-partner_to_server2] profile ips default
    HRP_M[FW-5-policy-security-rule-partner_to_server2] quit
    

    # Configure the security policy branch2_to_server4 on FW-5 and reference the IPS profile.

    HRP_M[FW-5-policy-security] rule name branch2_to_server4
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-zone zone2 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-zone trust 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-address address-set branch2 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-address address-set server4 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] service ftp
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] action permit
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] profile ips default
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit

    # Configure the security policy internet_to_server5 on FW-5 and reference the IPS profile.

    HRP_M[FW-5-policy-security] rule name internet_to_server5
    HRP_M[FW-5-policy-security-rule-internet_to_server5] source-zone zone3 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-zone dmz 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-address address-set server5 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] service https http
    HRP_M[FW-5-policy-security-rule-internet_to_server5] action permit
    HRP_M[FW-5-policy-security-rule-internet_to_server5] profile ips default
    HRP_M[FW-5-policy-security-rule-internet_to_server5] quit

    # Configure the security policy ipsec on FW-5.

    HRP_M[FW-5-policy-security] rule name ipsec
    HRP_M[FW-5-policy-security-rule-ipsec] source-zone zone2 local 
    HRP_M[FW-5-policy-security-rule-ipsec] destination-zone zone2 local 
    HRP_M[FW-5-policy-security-rule-ipsec] source-address 1.1.2.1 32 
    HRP_M[FW-5-policy-security-rule-ipsec] source-address 2.2.2.2 32 
    HRP_M[FW-5-policy-security-rule-ipsec] destination-address 1.1.2.1 32
    HRP_M[FW-5-policy-security-rule-ipsec] destination-address 2.2.2.2 32
    HRP_M[FW-5-policy-security-rule-ipsec] action permit
    HRP_M[FW-5-policy-security-rule-ipsec] quit

    # Configure the security policy ssl_vpn on FW-5.

    HRP_M[FW-5-policy-security] rule name ssl_vpn
    HRP_M[FW-5-policy-security-rule-ssl_vpn] source-zone zone1 zone4 
    HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-zone local 
    HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.1.1 32
    HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.4.1 32
    HRP_M[FW-5-policy-security-rule-ssl_vpn] action permit
    HRP_M[FW-5-policy-security-rule-ssl_vpn] quit

    # Configure the security policy to_ad_server on FW-5.

    HRP_M[FW-5-policy-security] rule name to_ad_server
    HRP_M[FW-5-policy-security-rule-to_ad_server] source-zone local 
    HRP_M[FW-5-policy-security-rule-to_ad_server] destination-zone dmz 
    HRP_M[FW-5-policy-security-rule-to_ad_server] destination-address address-set ad_server
    HRP_M[FW-5-policy-security-rule-to_ad_server] action permit
    HRP_M[FW-5-policy-security-rule-to_ad_server] quit
    HRP_M[FW-5-policy-security] quit
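
The rules above follow a consistent pattern: each permit rule is scoped by zone, by destination address set and by service, and every rule that admits traffic from a less trusted zone into trust or dmz references the IPS profile. As the rule base grows, that discipline is worth checking mechanically. The following Python script is an added example (not Huawei's code and not part of this document) that parses a `security-policy` block in the prompt style shown above into rule objects and flags permit rules that are unbounded (no destination address and no service) or that enter a protected zone without an IPS profile. The zone names, address sets and rule names in the sample are constructed, and the set of protected zones is an assumption for the example.

```python
"""Security-policy hygiene lint for firewall rules (added example)."""
import re

# Assumption for this example: zones that hold internal servers and should only be
# entered through rules that carry an IPS profile.
PROTECTED_ZONES = {"trust", "dmz"}

# Constructed sample (not the page's rules): one well-scoped rule, one unbounded
# partner rule without IPS, and one rule originating from the firewall itself.
SAMPLE_POLICY = """
HRP_M[FW-A] security-policy
HRP_M[FW-A-policy-security] rule name web_in
HRP_M[FW-A-policy-security-rule-web_in] source-zone untrust
HRP_M[FW-A-policy-security-rule-web_in] destination-zone dmz
HRP_M[FW-A-policy-security-rule-web_in] destination-address address-set web_servers
HRP_M[FW-A-policy-security-rule-web_in] service http https
HRP_M[FW-A-policy-security-rule-web_in] action permit
HRP_M[FW-A-policy-security-rule-web_in] profile ips default
HRP_M[FW-A-policy-security-rule-web_in] quit
HRP_M[FW-A-policy-security] rule name partner_any
HRP_M[FW-A-policy-security-rule-partner_any] source-zone zone4
HRP_M[FW-A-policy-security-rule-partner_any] destination-zone trust
HRP_M[FW-A-policy-security-rule-partner_any] source-address address-set partner
HRP_M[FW-A-policy-security-rule-partner_any] action permit
HRP_M[FW-A-policy-security-rule-partner_any] quit
HRP_M[FW-A-policy-security] rule name fw_to_ad
HRP_M[FW-A-policy-security-rule-fw_to_ad] source-zone local
HRP_M[FW-A-policy-security-rule-fw_to_ad] destination-zone dmz
HRP_M[FW-A-policy-security-rule-fw_to_ad] destination-address address-set ad_server
HRP_M[FW-A-policy-security-rule-fw_to_ad] action permit
HRP_M[FW-A-policy-security-rule-fw_to_ad] quit
HRP_M[FW-A-policy-security] quit
"""

PROMPT_RE = re.compile(r"^\s*(?:HRP_[MS])?[\[<][^\]>]*[\]>]\s*")


def parse_security_policy(config):
    """Return {rule_name: fields}; a rule starts at 'rule name' and ends at 'quit'."""
    rules, current = {}, None
    for raw in config.splitlines():
        tokens = PROMPT_RE.sub("", raw).split()
        if not tokens:
            continue
        if tokens[:2] == ["rule", "name"]:
            current = tokens[2]
            rules[current] = {"source-zone": set(), "destination-zone": set(),
                              "source-address": [], "destination-address": [],
                              "service": [], "action": None, "profiles": []}
        elif current is None:
            continue  # lines outside a rule body (e.g. the security-policy header)
        elif tokens[0] in ("source-zone", "destination-zone"):
            rules[current][tokens[0]].update(tokens[1:])
        elif tokens[0] in ("source-address", "destination-address"):
            rules[current][tokens[0]].append(" ".join(tokens[1:]))
        elif tokens[0] == "service":
            rules[current]["service"].extend(tokens[1:])
        elif tokens[0] == "action":
            rules[current]["action"] = tokens[1]
        elif tokens[0] == "profile":
            rules[current]["profiles"].append(tokens[1])  # e.g. "ips"
        elif tokens[0] == "quit":
            current = None
    return rules


def lint_rules(rules):
    """Return [(rule_name, finding)] for permit rules that violate the two hygiene checks."""
    findings = []
    for name, rule in rules.items():
        if rule["action"] != "permit":
            continue
        if not rule["destination-address"] and not rule["service"]:
            findings.append((name, "permits any service to any destination address"))
        entering_protected = rule["destination-zone"] & PROTECTED_ZONES
        from_other_zone = rule["source-zone"] - {"local"}
        if from_other_zone and entering_protected and "ips" not in rule["profiles"]:
            findings.append((name, "inbound permit without an IPS profile"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in lint_rules(parse_security_policy(SAMPLE_POLICY)):
        print(f"{rule_name}: {finding}")
```

Rules whose source zone is only local (the firewall's own traffic, such as the to_ad_server rule above) are exempt from the IPS check because the profile applies to transit traffic.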

  2. Configure persistent connections.

    # Change the session aging time to 40000 seconds for tcp_1414.

    HRP_M[FW-5] firewall session aging-time service-set tcp_1414 40000

    # Enable the persistent connection function in security policy branch2_to_server4 and change the aging time to 480 hours for connections matching this policy.

    HRP_M[FW-5] security-policy
    HRP_M[FW-5-policy-security] rule name branch2_to_server4
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link enable
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link aging-time 480
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit
    HRP_M[FW-5-policy-security] quit

  3. Configure attack defense.

    # Configure defense against single packet attacks on FW-5.

    HRP_M[FW-5] firewall defend land enable
    HRP_M[FW-5] firewall defend smurf enable
    HRP_M[FW-5] firewall defend fraggle enable
    HRP_M[FW-5] firewall defend ip-fragment enable
    HRP_M[FW-5] firewall defend tcp-flag enable
    HRP_M[FW-5] firewall defend winnuke enable
    HRP_M[FW-5] firewall defend source-route enable
    HRP_M[FW-5] firewall defend teardrop enable
    HRP_M[FW-5] firewall defend route-record enable
    HRP_M[FW-5] firewall defend time-stamp enable
    HRP_M[FW-5] firewall defend ping-of-death enable

  4. Configure the policy backup-based acceleration function.

    When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW-5] policy accelerate standby enable

Configuring IPSec VPN

Procedure

  1. Configure an IPSec policy on FW-5 and apply the policy to the corresponding interface.
    1. Configure advanced ACL 3000 to permit the users on network segment 10.1.1.0/24 to access network segment 10.9.1.0/24.

      HRP_M<FW-5> system-view
      HRP_M[FW-5] acl 3000
      HRP_M[FW-5-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
      HRP_M[FW-5-acl-adv-3000] quit

    2. Configure an IPSec proposal using the default parameters.

      HRP_M[FW-5] ipsec proposal tran1
      HRP_M[FW-5-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      HRP_M[FW-5-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      HRP_M[FW-5-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal using the default parameters.

      HRP_M[FW-5] ike proposal 10
      HRP_M[FW-5-ike-proposal-10] authentication-method pre-share
      HRP_M[FW-5-ike-proposal-10] prf hmac-sha2-256
      HRP_M[FW-5-ike-proposal-10] encryption-algorithm aes-256
      HRP_M[FW-5-ike-proposal-10] dh group2
      HRP_M[FW-5-ike-proposal-10] integrity-algorithm hmac-sha2-256  
      HRP_M[FW-5-ike-proposal-10] quit

    4. Configure an IKE peer.

      HRP_M[FW-5] ike peer b
      HRP_M[FW-5-ike-peer-b] ike-proposal 10
      HRP_M[FW-5-ike-peer-b] pre-shared-key Test!1234
      HRP_M[FW-5-ike-peer-b] quit

    5. Configure an IPSec policy.

      HRP_M[FW-5] ipsec policy-template policy1 1
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] security acl 3000
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] proposal tran1
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] ike-peer b
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] quit
      HRP_M[FW-5] ipsec policy map1 10 isakmp template policy1
      

    6. Apply IPSec policy map1 to Eth-Trunk1.2.

      HRP_M[FW-5] interface Eth-Trunk1.2
      HRP_M[FW-5-Eth-Trunk1.2] ipsec policy map1
      HRP_M[FW-5-Eth-Trunk1.2] quit

  2. Configure an IPSec policy on the branch FW and apply the policy to the corresponding interface.
    1. Configure advanced ACL 3000 to permit the users on network segment 10.9.1.0/24 to access network segment 10.1.1.0/24.

      <FW-branch> system-view
      [FW-branch] acl 3000
      [FW-branch-acl-adv-3000] rule 5 permit ip source 10.9.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW-branch-acl-adv-3000] quit

    2. Configure an IPSec proposal using the default parameters.

      [FW-branch] ipsec proposal tran1
      [FW-branch-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW-branch-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW-branch-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal using the default parameters.

      [FW-branch] ike proposal 10
      [FW-branch-ike-proposal-10] authentication-method pre-share
      [FW-branch-ike-proposal-10] prf hmac-sha2-256
      [FW-branch-ike-proposal-10] encryption-algorithm aes-256
      [FW-branch-ike-proposal-10] dh group2
      [FW-branch-ike-proposal-10] integrity-algorithm hmac-sha2-256  
      [FW-branch-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW-branch] ike peer a 
      [FW-branch-ike-peer-a] ike-proposal 10 
      [FW-branch-ike-peer-a] remote-address 1.1.2.1 
      [FW-branch-ike-peer-a] pre-shared-key Test!1234 
      [FW-branch-ike-peer-a] quit

    5. Configure an IPSec policy.

      [FW-branch] ipsec policy map1 10 isakmp 
      [FW-branch-ipsec-policy-isakmp-map1-10] security acl 3000 
      [FW-branch-ipsec-policy-isakmp-map1-10] proposal tran1 
      [FW-branch-ipsec-policy-isakmp-map1-10] ike-peer a 
      [FW-branch-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy group map1 to the interface. In this example, the WAN interface is GE1/0/1 for the branch.

      [FW-branch] interface GigabitEthernet 1/0/1 
      [FW-branch-GigabitEthernet1/0/1] ipsec policy map1
      [FW-branch-GigabitEthernet1/0/1] quit
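
The two halves of the IPSec configuration above must agree on the IKE proposal, the IPSec proposal and the pre-shared key, and the branch ACL must be the mirror image of the headquarters ACL (source and destination swapped); any deviation shows up as a failed IKE negotiation or as traffic that never enters the tunnel. The following Python script is an added example (not Huawei's code and not part of this document) that parses both sides in the prompt style shown above and reports which of those four conditions is violated. The device names FW-HQ/FW-branch, the address ranges and the placeholder pre-shared key in the sample are constructed; the sample deliberately uses a different DH group on the branch.

```python
"""Consistency check for the two ends of an IPSec tunnel (added example)."""
import ipaddress
import re

PROMPT_RE = re.compile(r"^\s*(?:HRP_[MS])?[\[<][^\]>]*[\]>]\s*")
IKE_KEYS = ("authentication-method", "prf", "encryption-algorithm", "integrity-algorithm", "dh")

# Constructed sample (not the page's configuration). The pre-shared key is a placeholder.
HQ_CONFIG = """
HRP_M[FW-HQ] acl 3000
HRP_M[FW-HQ-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
HRP_M[FW-HQ-acl-adv-3000] quit
HRP_M[FW-HQ] ipsec proposal tran1
HRP_M[FW-HQ-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FW-HQ-ipsec-proposal-tran1] esp encryption-algorithm aes-256
HRP_M[FW-HQ-ipsec-proposal-tran1] quit
HRP_M[FW-HQ] ike proposal 10
HRP_M[FW-HQ-ike-proposal-10] authentication-method pre-share
HRP_M[FW-HQ-ike-proposal-10] prf hmac-sha2-256
HRP_M[FW-HQ-ike-proposal-10] encryption-algorithm aes-256
HRP_M[FW-HQ-ike-proposal-10] dh group14
HRP_M[FW-HQ-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW-HQ-ike-proposal-10] quit
HRP_M[FW-HQ] ike peer branch
HRP_M[FW-HQ-ike-peer-branch] ike-proposal 10
HRP_M[FW-HQ-ike-peer-branch] pre-shared-key EXAMPLE-PSK-REPLACE-ME
HRP_M[FW-HQ-ike-peer-branch] quit
"""

BRANCH_CONFIG = """
[FW-branch] acl 3000
[FW-branch-acl-adv-3000] rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[FW-branch-acl-adv-3000] quit
[FW-branch] ipsec proposal tran1
[FW-branch-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW-branch-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW-branch-ipsec-proposal-tran1] quit
[FW-branch] ike proposal 10
[FW-branch-ike-proposal-10] authentication-method pre-share
[FW-branch-ike-proposal-10] prf hmac-sha2-256
[FW-branch-ike-proposal-10] encryption-algorithm aes-256
[FW-branch-ike-proposal-10] dh group2
[FW-branch-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-branch-ike-proposal-10] quit
[FW-branch] ike peer hq
[FW-branch-ike-peer-hq] ike-proposal 10
[FW-branch-ike-peer-hq] remote-address 198.51.100.2
[FW-branch-ike-peer-hq] pre-shared-key EXAMPLE-PSK-REPLACE-ME
[FW-branch-ike-peer-hq] quit
"""


def acl_network(addr, wildcard):
    """Turn an ACL address/wildcard pair into a network (wildcard bits are don't-care bits)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_ipsec_side(config):
    """Extract the protected-traffic ACL, IKE proposal, ESP proposal and PSK of one peer."""
    side = {"acl": [], "ike": {}, "esp": {}, "psk": None}
    for raw in config.splitlines():
        t = PROMPT_RE.sub("", raw).split()
        if not t:
            continue
        if t[0] == "rule" and "source" in t and "destination" in t:
            s, d = t.index("source"), t.index("destination")
            side["acl"].append((acl_network(t[s + 1], t[s + 2]), acl_network(t[d + 1], t[d + 2])))
        elif t[0] == "esp" and len(t) >= 3:
            side["esp"][t[1]] = t[2]          # esp <authentication|encryption>-algorithm <alg>
        elif t[0] in IKE_KEYS:
            side["ike"][t[0]] = t[1]
        elif t[0] == "pre-shared-key":
            side["psk"] = t[1]
    return side


def check_peer_consistency(hq, branch):
    """Return a list of problems; an empty list means both ends can negotiate the tunnel."""
    problems = []
    if hq["ike"] != branch["ike"]:
        keys = set(hq["ike"]) | set(branch["ike"])
        diffs = sorted(k for k in keys if hq["ike"].get(k) != branch["ike"].get(k))
        problems.append("IKE proposal differs: " + ", ".join(diffs))
    if hq["esp"] != branch["esp"]:
        problems.append("IPSec (ESP) proposal differs")
    if hq["psk"] != branch["psk"]:
        problems.append("pre-shared keys differ")
    # The branch ACL must protect the same flows with source and destination swapped.
    if set(hq["acl"]) != {(dst, src) for src, dst in branch["acl"]}:
        problems.append("protected-traffic ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    for problem in check_peer_consistency(parse_ipsec_side(HQ_CONFIG), parse_ipsec_side(BRANCH_CONFIG)):
        print("PROBLEM:", problem)
```

The ACL comparison is done on normalized networks rather than on the raw text, so a branch rule written with an equivalent but differently spelled wildcard still matches.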

Configuring SSL VPN

Procedure

  1. Set parameters for interconnection between the FW and AD server.

    The parameter settings on the FW must be consistent with those on the AD server.

    HRP_M[FW-5] ad-server template ad_server   
    HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.4 88
    HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.5 88 secondary
    HRP_M[FW-5-ad-ad_server] ad-server authentication base-dn dc=cce,dc=com
    HRP_M[FW-5-ad-ad_server] ad-server authentication manager cn=administrator,cn=users Admin@123 Admin@123
    HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server.cce.com
    HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server2.cce.com secondary
    HRP_M[FW-5-ad-ad_server] ad-server authentication ldap-port 389      
    HRP_M[FW-5-ad-ad_server] ad-server user-filter sAMAccountName         
    HRP_M[FW-5-ad-ad_server] ad-server group-filter ou

    If you are unfamiliar with the AD server and cannot provide the server name, base DN, or filter field values, connect to the AD server with a tool such as AD Explorer or LDAP Browser to query the attribute values. AD Explorer is used as an example. The AD server attributes and the mappings between the server attributes and the parameters on the FW are as follows.

    # Test the connectivity between the FW and AD server.

    HRP_M[FW-5-ad-ad_server] test-aaa user_0001 Admin@123 ad-template ad_server
     Info: Server detection succeeded.
    HRP_M[FW-5-ad-ad_server] quit
    NOTE:

    The user name and password used for the test must be the same as those on the AD server.

  2. Configure an authentication domain.

    NOTE:
    When the FW uses AD or LDAP authentication, the authentication domain name configured on the FW must be the same as that configured on the authentication server. In this example, the domain name on the AD server is cce.com. Therefore, the authentication domain name must be set to cce.com on the FW.

    HRP_M[FW-5] aaa
    HRP_M[FW-5-aaa] authentication-scheme ad
    HRP_M[FW-5-aaa-authen-ad] authentication-mode ad
    HRP_M[FW-5-aaa-authen-ad] quit
    HRP_M[FW-5-aaa] domain cce.com
    HRP_M[FW-5-aaa-domain-cce.com] service-type ssl-vpn 
    HRP_M[FW-5-aaa-domain-cce.com] authentication-scheme ad
    HRP_M[FW-5-aaa-domain-cce.com] ad-server ad_server 
    HRP_M[FW-5-aaa-domain-cce.com] reference user current-domain
    HRP_M[FW-5-aaa-domain-cce.com] quit
    HRP_M[FW-5-aaa] quit

  3. Configure a policy to import user information from the AD server to the FW.

    HRP_M[FW-5] user-manage import-policy ad_server from ad 
    HRP_M[FW-5-import-ad_server] server template ad_server
    HRP_M[FW-5-import-ad_server] server basedn dc=cce,dc=com
    HRP_M[FW-5-import-ad_server] server searchdn ou=remoteusers,dc=cce,dc=com
    HRP_M[FW-5-import-ad_server] destination-group /cce.com
    HRP_M[FW-5-import-ad_server] user-attribute sAMAccountName
    HRP_M[FW-5-import-ad_server] import-type all         
    HRP_M[FW-5-import-ad_server] import-override enable 
    HRP_M[FW-5-import-ad_server] sync-mode incremental schedule interval 120
    HRP_M[FW-5-import-ad_server] sync-mode full schedule daily 01:00
    HRP_M[FW-5-import-ad_server] quit
    
    NOTE:
    • If you need to import user groups only, set import-type to group and set the new user option in step 5 to new-user add-temporary group /cce.com auto-import ad_server. Authenticated users then use the permissions of the groups they belong to.

    • The user and user group filtering conditions in this example use the default values (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) and (|(objectclass=organizationalUnit)(ou=*)). To change them, run the user-filter and group-filter commands.

  4. Execute the import policy to import users to the FW.

    HRP_M[FW-5] execute user-manage import-policy ad_server
     Now importing user, security group and user-group information from remote server...successfully.

    After the import succeeds, you can run the display user-manage user verbose command to view information about the imported users.

  5. Set the new user option for the authentication domain on the FW.

    HRP_M[FW-5] aaa
    HRP_M[FW-5-aaa] domain cce.com
    HRP_M[FW-5-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import ad_server
    HRP_M[FW-5-aaa-domain-cce.com] quit
    HRP_M[FW-5-aaa] quit

  6. Configure an SSL VPN virtual gateway.

    # Create an SSL VPN virtual gateway.

    HRP_M[FW-5] v-gateway example 1.1.1.1 private www.example.com
    HRP_M[FW-5-example] quit

    # Configure the maximum number of users and maximum number of concurrent users allowed by the virtual gateway.

    HRP_M[FW-5] v-gateway example max-user 150
    HRP_M[FW-5] v-gateway example cur-max-user 100

    # Bind the virtual gateway to the authentication domain.

    HRP_M[FW-5] v-gateway example authentication-domain cce.com
    NOTE:
    If the virtual gateway is bound to an authentication domain, the user name entered for a login should not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the string following the at sign (@) as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain cce.com, you should enter user_0001, not user_0001@cce.com, as the user name.

  7. Configure the web proxy function.

    # Enable the web proxy function.

    HRP_M[FW-5] v-gateway example
    HRP_M[FW-5-example] service
    HRP_M[FW-5-example-service] web-proxy enable

    # Add web proxy resources Webmail and ERP.

    HRP_M[FW-5-example-service] web-proxy proxy-resource resource1 http://10.1.1.10 show-link
    HRP_M[FW-5-example-service] web-proxy proxy-resource resource2 http://10.1.1.11 show-link

  8. Configure the network extension function.

    # Enable the network extension function.

    HRP_M[FW-5-example-service] network-extension enable

    # Configure the network extension address pool.

    HRP_M[FW-5-example-service] network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0

    # Set the network extension routing mode to manual.

    HRP_M[FW-5-example-service] network-extension mode manual

    # Configure the intranet subnet accessible to network extension users.

    HRP_M[FW-5-example-service] network-extension manual-route 10.1.1.0 255.255.255.0
    HRP_M[FW-5-example-service] quit

  9. Configure SSL VPN role authorization.

    # Add user group remoteusers to the virtual gateway.

    HRP_M[FW-5-example] vpndb
    HRP_M[FW-5-example-vpndb] group /cce.com/remoteusers
    HRP_M[FW-5-example-vpndb] quit

    # Create role remoteusers.

    HRP_M[FW-5-example] role
    HRP_M[FW-5-example-role] role remoteusers

    # Bind the role to the corresponding user group.

    HRP_M[FW-5-example-role] role remoteusers group /cce.com/remoteusers

    # Configure functions for the roles. Enable web proxy and network extension for role remoteusers.

    HRP_M[FW-5-example-role] role remoteusers web-proxy network-extension enable

    # Associate the roles with web proxy resources.

    HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource1
    HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource2
    HRP_M[FW-5-example-role] quit
    HRP_M[FW-5-example] quit
    

Updated: 2019-01-26

Document ID: EDOC1100062972