


HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios of the firewall in typical projects and the corresponding configuration methods.

Configuration Scripts

Configuration scripts of interfaces, routes, and hot standby

FW-5 (first script), then FW-6 (second script)
#
 hrp enable
 hrp interface Eth-Trunk0 remote 12.12.12.2
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
 ip address 12.12.12.1 255.255.255.0
#
interface Eth-Trunk1
 description Link_To_SW5
#
interface Eth-trunk 2
 description Link_To_SW1
#
interface Eth-Trunk1.1
 vlan-type dot1q 10
 ip address 172.6.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 20
 ip address 172.6.2.2 255.255.255.248
 vrrp vrid 2 virtual-ip 1.1.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 30
 ip address 172.6.3.2 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.3.1 active
#
interface Eth-Trunk1.4
 vlan-type dot1q 40
 ip address 172.6.4.2 255.255.255.248
 vrrp vrid 4 virtual-ip 1.1.4.1 active
#
interface Eth-Trunk2.1
 vlan-type dot1q 103
 ip address 172.7.1.2 255.255.255.248
 vrrp vrid 5 virtual-ip 172.7.1.1 active
#
interface Eth-Trunk2.2
 vlan-type dot1q 104
 ip address 172.7.2.2 255.255.255.248
 vrrp vrid 6 virtual-ip 172.7.2.1 active
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2.1
#
firewall zone dmz
 add interface Eth-Trunk2.2
#
firewall zone hrp
 set priority 85
 add interface Eth-Trunk0
#
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk1.1
#
firewall zone name zone2
 set priority 40
 add interface Eth-Trunk1.2
#
firewall zone name zone3
 set priority 10
 add interface Eth-Trunk1.3
#
firewall zone name zone4
 set priority 30
 add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0
#
 hrp enable
 hrp interface Eth-Trunk0 remote 12.12.12.1
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
 ip address 12.12.12.2 255.255.255.0
#
interface Eth-Trunk1
 description Link_To_SW6
#
interface Eth-trunk 2
 description Link_To_SW2
#
interface Eth-Trunk1.1
 vlan-type dot1q 10
 ip address 172.6.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 20
 ip address 172.6.2.3 255.255.255.248
 vrrp vrid 2 virtual-ip 1.1.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 30
 ip address 172.6.3.3 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.3.1 standby
#
interface Eth-Trunk1.4
 vlan-type dot1q 40
 ip address 172.6.4.3 255.255.255.248
 vrrp vrid 4 virtual-ip 1.1.4.1 standby
#
interface Eth-Trunk2.1
 vlan-type dot1q 103
 ip address 172.7.1.3 255.255.255.248
 vrrp vrid 5 virtual-ip 172.7.1.1 standby
#
interface Eth-Trunk2.2
 vlan-type dot1q 104
 ip address 172.7.2.3 255.255.255.248
 vrrp vrid 6 virtual-ip 172.7.2.1 standby
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2.1
#
firewall zone dmz
 add interface Eth-Trunk2.2
#
firewall zone hrp
 set priority 85
 add interface Eth-Trunk0
#
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk1.1
#
firewall zone name zone2
 set priority 40
 add interface Eth-Trunk1.2
#
firewall zone name zone3
 set priority 10
 add interface Eth-Trunk1.3
#
firewall zone name zone4
 set priority 30
 add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0

Configuration scripts of NAT Server

FW-5 (first script), then FW-6 (second script)
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80

Configuration scripts of security policies and attack defense

FW-5 (first script), then FW-6 (second script)
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
 description "for server5"
 address 0 192.168.4.2 mask 32
 address 1 192.168.4.3 mask 32
 address 2 192.168.4.4 mask 32
 address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
 description "for ad_server"
 address 0 192.168.5.4 mask 32
 address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
 firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone zone1
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
 rule name internet_to_server5
  source-zone zone3
  destination-zone dmz
  destination-address address-set server5
  service http
  service https
  profile ips default
  action permit
 rule name ipsec
  source-zone zone2
  source-zone local
  destination-zone zone2
  destination-zone local
  source-address 1.1.2.1 32
  source-address 2.2.2.2 32
  destination-address 1.1.2.1 32
  destination-address 2.2.2.2 32
  action permit
 rule name ssl_vpn
  source-zone zone1
  source-zone zone4
  destination-zone local
  destination-address 1.1.1.1 32
  destination-address 1.1.4.1 32
  action permit
 rule name to_ad_server
  source-zone local
  destination-zone dmz
  destination-address address-set ad_server
  action permit
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
 description "for server5"
 address 0 192.168.4.2 mask 32
 address 1 192.168.4.3 mask 32
 address 2 192.168.4.4 mask 32
 address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
 description "for ad_server"
 address 0 192.168.5.4 mask 32
 address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
 firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone zone1
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
 rule name internet_to_server5
  source-zone zone3
  destination-zone dmz
  destination-address address-set server5
  service http
  service https
  profile ips default
  action permit
 rule name ipsec
  source-zone zone2
  source-zone local
  destination-zone zone2
  destination-zone local
  source-address 1.1.2.1 32
  source-address 2.2.2.2 32
  destination-address 1.1.2.1 32
  destination-address 2.2.2.2 32
  action permit
 rule name ssl_vpn
  source-zone zone1
  source-zone zone4
  destination-zone local
  destination-address 1.1.1.1 32
  destination-address 1.1.4.1 32
  action permit
 rule name to_ad_server
  source-zone local
  destination-zone dmz
  destination-address address-set ad_server
  action permit

Configuration scripts of IPSec VPN

FW-5 (first script), then FW-6 (second script)
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256
#
ike proposal 10
  encryption-algorithm aes-256
  dh group2
  authentication-algorithm sha2-256
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
#
ike peer b
  pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
  ike-proposal 10
  remote-address 1.1.5.1
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer b
 proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256
#
ike proposal 10
  encryption-algorithm aes-256
  dh group2
  authentication-algorithm sha2-256
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
#
ike peer b
  pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
  ike-proposal 10
  remote-address 1.1.5.1
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer b
 proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1

Configuration scripts of SSL VPN

FW-5 (first script), then FW-6 (second script)
#
ad-server template ad_server             
 ad-server authentication 192.168.5.4 88       
 ad-server authentication 192.168.5.5 88 secondary
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name info-server2.cce.com secondary
 ad-server authentication host-name info-server.cce.com
 ad-server authentication ldap-port 389       
 ad-server user-filter sAMAccountName         
 ad-server group-filter ou 
#  
 user-manage import-policy ad_server from ad 
 server template ad_server
 server basedn dc=cce,dc=com
 server searchdn ou=remoteusers,dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*)) 
 import-type all          
 import-override enable 
 sync-mode incremental schedule interval 120
 sync-mode full schedule daily 01:00
#
aaa 
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  authentication-scheme ad 
  ad-server ad_server 
  service-type ssl-vpn 
  reference user current-domain
  new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
 service
  web-proxy enable
  web-proxy web-link enable
  web-proxy proxy-resource resource1 http://10.1.1.10 show-link
  web-proxy proxy-resource resource2 http://10.1.1.11 show-link
  network-extension enable
  network-extension keep-alive enable
  network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
  network-extension mode manual
  network-extension manual-route 10.1.1.0 255.255.255.0
 role
  role remoteusers condition all
  role remoteusers network-extension enable
  role remoteusers web-proxy enable
  role remoteusers web-proxy resource resource1
  role remoteusers web-proxy resource resource2

# The following command is a one-time operation and is not saved in the configuration file.
 execute user-manage import-policy ad_server
# The following configuration is saved in the database and is not displayed in the configuration file.
 v-gateway example
  vpndb
   group /cce.com/remoteusers
  role
   role director group /cce.com/remoteusers
#
ad-server template ad_server             
 ad-server authentication 192.168.5.4 88       
 ad-server authentication 192.168.5.5 88 secondary
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name info-server2.cce.com secondary
 ad-server authentication host-name info-server.cce.com
 ad-server authentication ldap-port 389       
 ad-server user-filter sAMAccountName         
 ad-server group-filter ou 
#  
 user-manage import-policy ad_server from ad 
 server template ad_server
 server basedn dc=cce,dc=com
 server searchdn ou=remoteusers,dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*)) 
 import-type all          
 import-override enable 
 sync-mode incremental schedule interval 120
 sync-mode full schedule daily 01:00
#
aaa 
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  authentication-scheme ad 
  ad-server ad_server 
  service-type ssl-vpn 
  reference user current-domain
  new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
 service
  web-proxy enable
  web-proxy web-link enable
  web-proxy proxy-resource resource1 http://10.1.1.10 show-link
  web-proxy proxy-resource resource2 http://10.1.1.11 show-link
  network-extension enable
  network-extension keep-alive enable
  network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
  network-extension mode manual
  network-extension manual-route 10.1.1.0 255.255.255.0
 role
  role remoteusers condition all
  role remoteusers network-extension enable
  role remoteusers web-proxy enable
  role remoteusers web-proxy resource resource1
  role remoteusers web-proxy resource resource2

# The following command is a one-time operation and is not saved in the configuration file.
 execute user-manage import-policy ad_server
# The following configuration is saved in the database and is not displayed in the configuration file.
 v-gateway example
  vpndb
   group /cce.com/remoteusers
  role
   role director group /cce.com/remoteusers
Updated: 2019-01-26

Document ID: EDOC1100062972
