HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Precautions

Intelligent Uplink Selection

For versions earlier than V500R001C30SPC600, global intelligent uplink selection and PBR intelligent uplink selection cannot be used together with IP address spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP address spoofing defense or URPF is enabled on such a version, the firewall may drop packets.

Hot Standby

  • When hot standby runs together with IPSec, the upstream and downstream tunnel interfaces of the active and standby devices must be Layer 3 interfaces.
  • When hot standby runs together with IPSec, hot standby and IPSec are each configured the same way as when they run alone.
  • The IPSec policy configuration of the active firewall is automatically replicated to the standby firewall, but interface configuration is not. The replicated IPSec policy must therefore be applied to the egress interface of the standby firewall manually.
  • If the local device initiates the IPSec tunnel, run the tunnel local ip-address command to set the local address used for negotiation to the virtual IP address of the VRRP backup group.

Security and Applications

  • Intrusion prevention is available whether or not the firewall is licensed. Without a license, intrusion prevention runs on user-defined signatures only.
  • When the license expires or is deactivated, the existing intrusion prevention signature database and user-defined signatures can still be used, but the signature database cannot be updated.
  • Updating the intrusion prevention signature database requires a license. After the license is loaded, the signature database must be loaded manually.
  • After the intrusion prevention signature database is updated, any configuration that references a predefined signature no longer present in the new database takes no effect.
  • Updating the antivirus function and its signature database also requires a license. Before a license is loaded, the antivirus function can be configured but the configuration takes no effect. After the license is loaded, the AV signature database must be loaded manually; otherwise the antivirus function cannot work normally. After the license expires, the antivirus function keeps working but the AV signature database cannot be updated. For better protection, it is recommended that you purchase a new license.
  • The AV signature database is updated frequently. To keep the antivirus function effective, it is recommended that you update the signature database periodically.
  • In IPv6 networking, no antivirus function is available for the IMAP, SMTP, and POP3 services.
  • Antivirus detection is not available for files whose transfer resumes from the point of a previous interruption.
  • In a networking environment where packets in the two directions of a flow take different paths, intrusion detection may not be effective, and no antivirus function is available for the SMTP and POP3 services.
  • Predefined applications depend on the embedded application signature database of the system. Because new applications keep emerging, it is recommended that you update the application signature database when a new application cannot be identified using the embedded one.

User and Authentication

Users are organized into multiple tree structures with an authentication domain being the top-level node. Note the following:

  • A command that references a user or security group in a non-default authentication domain must carry "@authentication domain name" after the name. For example, "user1@test" represents the user user1 in the test authentication domain, and "secgroup1@test" represents the security group secgroup1 in the test authentication domain.
  • User-related actions, including creating a user, moving a user, and importing a user from the server, are all performed within one authentication domain. Inter-domain actions are not supported.

NAT Policies

  • When configuring the two source NAT mechanisms NAT No-PAT and triplet NAT, do not use the address of a firewall interface as an address in the NAT address pool; otherwise access to the firewall itself may be affected.
  • When NAT and VPN functions work together, define precise matching conditions for NAT policies so that NAT is not performed on packets that need VPN encapsulation.
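The precaution above (and the no-NAT note under IPSec VPN) is about rule order: NAT policies are matched top-down, and once a source-NAT rule has translated a packet its source address no longer matches the IPSec ACL. The following added example, which is not Huawei code and models only the first-match logic with constructed subnets, checks a candidate NAT policy against the IPSec-protected flows:

```python
# Added example (not Huawei's code): models first-match NAT policy evaluation
# to show why a precise no-nat rule must precede the source-NAT rule for IPSec traffic.
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    src: str      # source subnet the rule matches
    dst: str      # destination subnet the rule matches ("0.0.0.0/0" = any)
    action: str   # "no-nat" or "source-nat"

def check_ipsec_flows(rules, ipsec_flows):
    """Return a description of every IPSec-protected flow (src, dst subnets)
    whose first matching NAT rule performs source NAT. After SNAT the source
    address no longer matches the IPSec ACL, so the flow is not placed in the tunnel."""
    problems = []
    for src, dst in ipsec_flows:
        fs, fd = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        for r in rules:                       # rules are evaluated top-down, first match wins
            rs, rd = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
            if not (fs.overlaps(rs) and fd.overlaps(rd)):
                continue                      # this rule can never match the flow
            if r.action == "no-nat" and fs.subnet_of(rs) and fd.subnet_of(rd):
                break                         # whole flow exempted before any SNAT rule
            if r.action == "source-nat":
                problems.append(f"{src}->{dst}: translated by '{r.name}' before any no-nat rule")
                break
    return problems

# Constructed sample: site-to-site IPSec protects 10.1.1.0/24 <-> 10.2.1.0/24,
# while the same LAN also needs source NAT for Internet access.
IPSEC_FLOWS = [("10.1.1.0/24", "10.2.1.0/24")]

# Loose policy: the Internet SNAT rule matches "any" destination, so it also
# catches the VPN traffic.
LOOSE_RULES = [
    NatRule("snat_internet", "10.1.1.0/24", "0.0.0.0/0", "source-nat"),
]

# Corrected policy: a precise no-nat rule for the VPN subnets comes first.
CORRECT_RULES = [
    NatRule("no_nat_vpn", "10.1.1.0/24", "10.2.1.0/24", "no-nat"),
    NatRule("snat_internet", "10.1.1.0/24", "0.0.0.0/0", "source-nat"),
]

if __name__ == "__main__":
    print("loose:", check_ipsec_flows(LOOSE_RULES, IPSEC_FLOWS))
    print("fixed:", check_ipsec_flows(CORRECT_RULES, IPSEC_FLOWS))
```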

IPSec VPN

  • When configuring the IPSec proposal, the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode must be exactly the same at both ends of the IPSec tunnel.
  • It is recommended that the MTU of the interface to which an IPSec security policy group is applied be no smaller than 256 bytes. IP packets grow after IPSec processing, and the added size depends on the encapsulation mode, security protocol, authentication algorithm, and encryption algorithm (up to somewhat more than 100 bytes). If the MTU is too small, large IP packets are fragmented, and when there are too many fragments the peer device may fail to process them.
  • When both IPSec and NAT are configured, NAT must not be applied to IPSec traffic; a no-NAT rule is required for it.
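To make the MTU precaution concrete, the following added example (not Huawei code; the per-algorithm IV, block and ICV sizes are the standard ESP values, and the alignment for AES-GCM is an assumption of 4 bytes) computes the on-the-wire size of a packet after ESP processing and how many IPv4 fragments it needs at a given interface MTU:

```python
# Added example (not Huawei's code): ESP size growth per algorithm combination and the
# resulting IPv4 fragment count, to show why a very small interface MTU is a problem.
import math

IV_LEN  = {"aes-cbc": 16, "3des-cbc": 8, "aes-gcm": 8}       # bytes of IV carried in ESP
BLOCK   = {"aes-cbc": 16, "3des-cbc": 8, "aes-gcm": 4}       # trailer alignment (assumed 4 for GCM)
ICV_LEN = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16, "aes-gcm": 16}
IP_HDR, ESP_HDR = 20, 8                                      # IPv4 header; ESP SPI + sequence number

def esp_packet_len(inner_len, cipher, auth, tunnel=True):
    """Wire length of an IPv4 packet of inner_len bytes after ESP processing.
    Tunnel mode encrypts the whole inner packet and adds a new outer IP header;
    transport mode keeps the original IP header outside the encrypted region."""
    plain = inner_len if tunnel else inner_len - IP_HDR      # bytes ESP encrypts
    body = plain + 2                                         # + pad-length and next-header bytes
    body += (-body) % BLOCK[cipher]                          # pad up to cipher block alignment
    return IP_HDR + ESP_HDR + IV_LEN[cipher] + body + ICV_LEN[auth]

def ipv4_fragments(total_len, mtu):
    """Number of IPv4 fragments needed to carry a total_len-byte packet over a link
    with the given MTU (every non-final fragment carries a multiple of 8 data bytes)."""
    if total_len <= mtu:
        return 1
    per_frag = (mtu - IP_HDR) // 8 * 8
    return math.ceil((total_len - IP_HDR) / per_frag)

if __name__ == "__main__":
    inner = 1500                                             # constructed: a full-size Ethernet packet
    for cipher, auth in [("3des-cbc", "hmac-md5-96"), ("aes-cbc", "hmac-sha1-96"),
                         ("aes-cbc", "hmac-sha256-128"), ("aes-gcm", "aes-gcm")]:
        total = esp_packet_len(inner, cipher, auth)
        print(f"{cipher:9s}+{auth:16s} {inner} -> {total} bytes (+{total - inner}); "
              f"fragments at MTU 256: {ipv4_fragments(total, 256)}, at MTU 1500: {ipv4_fragments(total, 1500)}")
```

At the page's 256-byte lower bound a 1500-byte packet with AES-CBC and HMAC-SHA1-96 becomes 1560 bytes and is split into 7 fragments, which is the situation the precaution warns about.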
Updated: 2019-01-26

Document ID: EDOC1100062972
