HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Equipment Planning

Table 2-1 lists the devices that may be used at the egress of a broadcast and television network. Where the USG9500 and USG6000 differ, a supplementary description is provided.

Table 2-1  Device planning for the egress of a broadcast and television network

Device: Firewall
  Recommended Plan 1: High-end firewalls (USG9500): distributed, high-performance, high-availability, and scalable
  Recommended Plan 2: Mid-range firewalls (USG6000): centralized and content security

Device: Log server
  Recommended Plan 1: eLog
  Recommended Plan 2: eLog

Hot Standby Planning

One ISP access point cannot be directly connected to two firewalls. Therefore, it is necessary to deploy an egress aggregation switch between the ISP and the firewalls. The egress aggregation switch can split one ISP link into two links and then connect the two links to the upstream interfaces of the two firewalls. OSPF runs between the firewalls and their downstream routers. Typical hot standby networking is achieved with two firewalls connected to the upstream switches and downstream routers. In such networking, a VRRP group is configured on the upstream interface of a firewall, and a VGMP group is configured on the downstream interface to monitor service interfaces.

Figure 2-3 shows the hot standby networking, where the interfaces of the active and standby firewalls connected to one ISP access point are added to one VRRP group.

Figure 2-3  Hot standby networking

Multi-egress Uplink Selection Planning

The broadcast and television network leases links from different carriers. Multi-egress uplink selection is particularly important. The firewall provides abundant multi-egress functions to meet the requirement:

  • A DNS transparent proxy is used to process DNS requests of intranet users, thereby achieving load balancing among multiple ISPs.

    To access the Internet, an intranet user needs to first access a domain name, and the DNS server resolves the domain name to an IP address. However, because intranet PCs are generally all served by the DNS server of one ISP, the user can obtain the address of only one ISP. As a result, the subsequent ISP link selection is meaningless. The DNS transparent proxy function provided by the firewall overcomes this defect. Using specific rules, the firewall distributes DNS requests of intranet users to the DNS servers of different ISPs and thereby obtains the addresses of different ISPs. Load balancing by link weight ratio is carried out for DNS requests.

  • Multi-egress PBR is employed to achieve ISP link selection.

    Multiple outbound interfaces can be specified for PBR of the firewall, and load balancing among multiple outbound interfaces can be configured. For example, it is specified that traffic destined to addresses of ISP 1 be transmitted from the two outbound interfaces of ISP 1 and that the two outbound interfaces share load based on weights.

  • Application-based PBR is employed to direct P2P traffic to the links of ISP 2.

  • Health check is employed to check the reachability of links.

    The firewall checks the health status of the link from an outbound interface to a designated destination address to ensure that traffic is not routed to a faulty link.
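The four planning points above (DNS transparent proxy with load balancing by link weight, destination-based PBR with weighted outbound interfaces, application-based PBR for P2P, and health check) fit together as one selection procedure. The following Python model is an added example and is not Huawei code or the firewall's actual algorithm; the ISP prefix lists, link weights, health states and P2P handling are constructed assumptions that stand in for the isp1.csv/isp2.csv address files and for the device's health-check results.

```python
import ipaddress
from collections import Counter

# Constructed sample data (assumption, not from the document): prefix lists standing
# in for the isp1.csv / isp2.csv address files, the four upstream sub-interfaces of
# the planning with assumed weights, and an assumed health-check result per link.
ISP_PREFIXES = {
    "isp1": [ipaddress.ip_network("1.1.0.0/16")],
    "isp2": [ipaddress.ip_network("2.2.0.0/16")],
}
ISP_DNS = {"isp1": "1.1.1.222", "isp2": "2.2.2.222"}  # active DNS server of each ISP
LINKS = [
    {"name": "Eth-Trunk1.1", "isp": "isp1", "weight": 2, "healthy": True},
    {"name": "Eth-Trunk1.2", "isp": "isp1", "weight": 1, "healthy": True},
    {"name": "Eth-Trunk2.1", "isp": "isp2", "weight": 1, "healthy": True},
    {"name": "Eth-Trunk2.2", "isp": "isp2", "weight": 1, "healthy": False},
]
P2P_ISP = "isp2"  # application-based PBR: P2P traffic is directed to ISP 2

_rr = {}  # weighted round-robin position, one counter per candidate set


def reset_scheduler():
    _rr.clear()


def set_health(name, healthy):
    """Apply a health-check result to a link."""
    for link in LINKS:
        if link["name"] == name:
            link["healthy"] = healthy


def isp_of(dst):
    """Classify a destination address against the ISP address sets."""
    addr = ipaddress.ip_address(dst)
    for isp, nets in ISP_PREFIXES.items():
        if any(addr in n for n in nets):
            return isp
    return None


def healthy_links(isp):
    """Links that passed the health check; isp=None means links of any ISP."""
    return [l for l in LINKS if l["healthy"] and (isp is None or l["isp"] == isp)]


def weighted_pick(pairs):
    """Deterministic weighted round robin over (item, weight) pairs."""
    seq = [item for item, weight in pairs for _ in range(weight)]
    key = tuple(item for item, _ in pairs)
    i = _rr.get(key, 0)
    _rr[key] = i + 1
    return seq[i % len(seq)]


def select_link(dst, app=None):
    """Selection order: application PBR, then destination PBR, then any healthy link.

    An unknown destination (isp_of -> None) is spread over all healthy links; a
    destination whose ISP has no healthy link fails over to the other ISP.
    """
    if app == "p2p":
        candidates = healthy_links(P2P_ISP)
    else:
        candidates = healthy_links(isp_of(dst))
    if not candidates:
        candidates = healthy_links(None)
    if not candidates:
        return None  # no usable uplink at all
    return weighted_pick([(l["name"], l["weight"]) for l in candidates])


def choose_dns_server():
    """DNS transparent proxy: spread requests over the ISPs' DNS servers by healthy link weight."""
    pairs = [(isp, sum(l["weight"] for l in healthy_links(isp))) for isp in ISP_DNS]
    pairs = [(isp, w) for isp, w in pairs if w > 0]
    if not pairs:
        return None
    return ISP_DNS[weighted_pick(pairs)]


def distribution(n, pick):
    """Call pick() n times and count the outcomes (shows the weight ratio)."""
    return dict(Counter(pick() for _ in range(n)))


if __name__ == "__main__":
    print(distribution(300, lambda: select_link("1.1.5.5")))
    print(select_link("203.0.113.7", app="p2p"))
    print(distribution(4, choose_dns_server))
```

With the assumed weights, traffic to an ISP 1 address is split 2:1 over the two ISP 1 interfaces, DNS requests go 3:1 to the ISP 1 and ISP 2 servers because only one ISP 2 link is healthy, and marking the last ISP 2 link down moves ISP 2 traffic to ISP 1 instead of a faulty link.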

Source NAT Planning

Source NAT is configured on the FW to allow intranet users to access the Internet using limited public IP addresses.

  • Address pool

    Configure two address pools corresponding to different ISPs based on the public IP addresses requested from the ISPs. Note that the public IP addresses of VRRP groups and disclosed public IP addresses of servers should be excluded from the address pools.

  • Network Address and Port Translation (NAPT)

    NAPT translates both IP addresses and ports. When a packet from an intranet user to the Internet arrives at the firewall, NAPT translates the source address of the packet into a public address and translates its source port into a random port above the well-known range. In this way, one public address can be shared by multiple intranet users, and a large number of users can access the Internet simultaneously.

  • NAT ALG: When a NAT-enabled firewall needs to forward packets of multichannel protocols (such as FTP, SIP, H.323, RTSP, and QQ), the corresponding NAT ALG function must be enabled.
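The address-pool and NAPT points above can be checked with a small model. This is an added example, not Huawei code and not the firewall's real translation table: the reserved addresses are taken from the data planning for the ISP1_1 link (VRRP backup group 1.1.1.1 and the server public addresses 1.1.1.15-1.1.1.17), while the random port draw, the pool bookkeeping and the small ranges used to show exhaustion are constructed assumptions.

```python
import ipaddress
import random

# Public addresses on the ISP1_1 link that must not enter the source NAT pool
# (from the data planning): the VRRP backup group address and the NAT server
# public addresses of the web, FTP and DNS servers.
RESERVED = {"1.1.1.1", "1.1.1.15", "1.1.1.16", "1.1.1.17"}


def build_pool(first, last, reserved):
    """Address pool = the public range requested from the ISP minus reserved addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if str(ipaddress.ip_address(i)) not in reserved]


class Napt:
    """Source NAPT: maps (private IP, port) to (pool IP, port above the well-known range)."""

    def __init__(self, pool, port_range=(1024, 65535), seed=None):
        if not pool:
            raise ValueError("empty address pool")
        self.pool = list(pool)
        self.lo, self.hi = port_range
        if self.lo <= 1023:
            raise ValueError("NAPT must not hand out well-known ports")
        self.rng = random.Random(seed)  # seed only to make the example reproducible
        self.forward = {}   # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.reverse = {}   # (pub_ip, pub_port) -> (priv_ip, priv_port)

    def capacity(self):
        return len(self.pool) * (self.hi - self.lo + 1)

    def exhausted(self):
        return len(self.reverse) >= self.capacity()

    def translate(self, priv_ip, priv_port):
        key = (priv_ip, priv_port)
        if key in self.forward:  # an existing session keeps its mapping
            return self.forward[key]
        if self.exhausted():
            raise RuntimeError("NAPT pool exhausted: no free (address, port) pair")
        while True:  # draw an unused (address, port) pair
            pub = (self.rng.choice(self.pool), self.rng.randint(self.lo, self.hi))
            if pub not in self.reverse:
                break
        self.forward[key] = pub
        self.reverse[pub] = key
        return pub

    def untranslate(self, pub_ip, pub_port):
        """Reverse lookup for return traffic (and the basis of user tracing)."""
        return self.reverse.get((pub_ip, pub_port))

    def release(self, priv_ip, priv_port):
        """Drop the mapping when the session ends so the pair can be reused."""
        pub = self.forward.pop((priv_ip, priv_port), None)
        if pub is not None:
            self.reverse.pop(pub, None)


if __name__ == "__main__":
    nat = Napt(build_pool("1.1.1.10", "1.1.1.12", RESERVED), seed=7)
    print(nat.translate("10.0.3.25", 51000))
    print(nat.translate("10.0.3.40", 51000))  # same private port, different user
```

Two users with the same private source port get distinct public pairs, which is what lets one public address serve many hosts; a pool of one address with a two-port range fills after two sessions, which is the failure mode to watch for when the pool is sized too small for the user count.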

NAT Server Planning

The hosted server services of a broadcast and television network consist mainly of website hosting, for example, the hosting of a school website, an internal office network, or a company portal website. Because the hosted servers are deployed in the internal DMZ, the NAT server function needs to be enabled on the firewall to translate the private address of a server into a public address. In addition, users of different ISPs should be provided with different public addresses.

If the DNS servers are deployed internally, smart DNS is needed to enable extranet users to obtain the most appropriate resolved addresses of servers. In other words, the address must belong to the serving ISP of the user.
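The NAT server mappings and the smart DNS behaviour described above can be modelled together. This is an added example and not Huawei code: the private-to-public mappings are the ones in the data planning, while the ISP prefix lists (standing in for isp1.csv/isp2.csv), the preferred link per ISP, the default link for clients of an unknown ISP and the internal DNS records are constructed assumptions.

```python
import ipaddress

# NAT server mappings from the data planning: private server address -> the public
# address it is published under on each ISP link.
NAT_SERVER = {
    "10.0.10.10": {"ISP1_1": "1.1.1.15", "ISP1_2": "1.1.2.15", "ISP2_1": "2.2.2.15", "ISP2_2": "2.2.3.15"},
    "10.0.10.11": {"ISP1_1": "1.1.1.16", "ISP1_2": "1.1.2.16", "ISP2_1": "2.2.2.16", "ISP2_2": "2.2.3.16"},
    "10.0.10.20": {"ISP1_1": "1.1.1.17", "ISP1_2": "1.1.2.17", "ISP2_1": "2.2.2.17", "ISP2_2": "2.2.3.17"},
}

# Constructed assumptions: ISP address sets (the role of isp1.csv / isp2.csv), the
# link preference order per ISP, the fallback link, and the internal zone data.
ISP_PREFIXES = {
    "isp1": [ipaddress.ip_network("1.1.0.0/16")],
    "isp2": [ipaddress.ip_network("2.2.0.0/16")],
}
ISP_LINKS = {"isp1": ["ISP1_1", "ISP1_2"], "isp2": ["ISP2_1", "ISP2_2"]}
DEFAULT_LINK = "ISP1_1"
RECORDS = {"www.example.edu": "10.0.10.10", "ftp.example.edu": "10.0.10.11"}


def isp_of(client_ip):
    """Which ISP the querying user comes from, by address set."""
    addr = ipaddress.ip_address(client_ip)
    for isp, nets in ISP_PREFIXES.items():
        if any(addr in n for n in nets):
            return isp
    return None


def smart_resolve(name, client_ip, down_links=()):
    """Smart DNS: answer with the public address that belongs to the user's ISP.

    down_links lists links whose health check failed; the next link of the same
    ISP is used, and a client of an unknown ISP gets the default link's address.
    """
    private = RECORDS.get(name)
    if private is None:
        return None
    candidates = ISP_LINKS.get(isp_of(client_ip), [])
    link = next((l for l in candidates if l not in down_links), DEFAULT_LINK)
    return NAT_SERVER[private][link]


def inbound_translate(public_ip):
    """NAT server: map a public destination address back to the private server address."""
    for private, per_link in NAT_SERVER.items():
        if public_ip in per_link.values():
            return private
    return None


if __name__ == "__main__":
    print(smart_resolve("www.example.edu", "1.1.200.7"))   # ISP 1 user
    print(smart_resolve("www.example.edu", "2.2.9.9"))     # ISP 2 user
    print(inbound_translate("2.2.3.16"))
```

The point to check in a deployment is the pairing: the address smart DNS hands out must be one the NAT server actually maps, otherwise the user reaches the right ISP link but the firewall has nothing to translate the destination to.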

Security Function Planning

By default, the FW denies all traffic. Therefore, it is necessary to define security policies to permit normal access traffic. For details, see the Data Planning below.

The egress gateway enables the communication between the broadcast and television network and the extranet. Therefore, it is necessary to configure security functions, including intrusion prevention (IPS) and attack defense.

The predefined IPS profile default is used to block detected intrusions. You can also use the predefined profile ids, which logs attacks without blocking them, and then define a specific IPS profile according to the logs.
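The default-deny behaviour and first-match policy evaluation can be checked against the security policies of the Data Planning below. This is an added example and not the firewall's policy engine: the zones, services, actions and IPS profiles are those of the data planning, while two assumptions are made, namely that the destination addresses written there as 10.0.10.x/24 are meant as host addresses, and that "isp1_to_http and isp2_to_http" (and the FTP and DNS pairs) are two policies split by source ISP.

```python
import ipaddress

ANY = "any"
ISP1_ZONES = {"isp1_1", "isp1_2"}
ISP2_ZONES = {"isp2_1", "isp2_2"}


def rule(name, src, dst, action="permit", addr=ANY, service=ANY, ips=None):
    return {"name": name, "src": set(src), "dst": set(dst), "addr": addr,
            "service": service, "action": action, "ips": ips}


# Security policies from the data planning, in evaluation order. Host addresses
# (/32) are assumed for the server entries written as /24 in the planning table.
RULES = [
    rule("trust_to_isp1", {"Trust"}, ISP1_ZONES, ips="default"),
    rule("trust_to_isp2", {"Trust"}, ISP2_ZONES, ips="default"),
    rule("isp1_to_http", ISP1_ZONES, {"DMZ"}, addr="10.0.10.10/32", service="HTTP", ips="default"),
    rule("isp2_to_http", ISP2_ZONES, {"DMZ"}, addr="10.0.10.10/32", service="HTTP", ips="default"),
    rule("isp1_to_ftp", ISP1_ZONES, {"DMZ"}, addr="10.0.10.11/32", service="FTP", ips="default"),
    rule("isp2_to_ftp", ISP2_ZONES, {"DMZ"}, addr="10.0.10.11/32", service="FTP", ips="default"),
    rule("isp1_to_dns", ISP1_ZONES, {"DMZ"}, addr="10.0.10.20/32", service="DNS", ips="default"),
    rule("isp2_to_dns", ISP2_ZONES, {"DMZ"}, addr="10.0.10.20/32", service="DNS", ips="default"),
    rule("local_to_eLog", {"Local"}, {"DMZ"}, addr="10.0.10.30/32"),
    rule("local_to_trust", {"Local", "Trust"}, {"Local", "Trust"}, service="OSPF"),
    rule("local_to_isp", {"Local"}, ISP1_ZONES | ISP2_ZONES),
]


def packet(src_zone, dst_zone, dst_ip, service):
    """The fields a zone-based policy lookup needs (constructed sample flow)."""
    return {"src_zone": src_zone, "dst_zone": dst_zone, "dst_ip": dst_ip, "service": service}


def matches(r, pkt):
    if pkt["src_zone"] not in r["src"] or pkt["dst_zone"] not in r["dst"]:
        return False
    if r["service"] != ANY and r["service"] != pkt["service"]:
        return False
    if r["addr"] != ANY:
        if ipaddress.ip_address(pkt["dst_ip"]) not in ipaddress.ip_network(r["addr"]):
            return False
    return True


def evaluate(pkt):
    """First matching policy wins; with no match the firewall's default action is deny."""
    for r in RULES:
        if matches(r, pkt):
            return r["name"], r["action"], r["ips"]
    return "default", "deny", None


if __name__ == "__main__":
    print(evaluate(packet("Trust", "isp1_1", "1.1.9.9", "HTTP")))
    print(evaluate(packet("isp2_1", "DMZ", "10.0.10.10", "SSH")))   # no rule: denied
    print(evaluate(packet("isp1_1", "Trust", "10.0.3.25", "HTTP")))  # no rule: denied
```

The cases worth keeping as regression checks are the implicit ones: an ISP-to-DMZ flow for a service no policy names, and any ISP-to-Trust flow, both fall through to the default deny without an explicit rule.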

User Tracing Planning

User tracing is completed through cooperation with the log server.

  1. The FW sends session logs to the log server. The log server records the original (pre-NAT) source IP address/port and destination IP address/port and the after-NAT source IP address/port and destination IP address/port.
  2. If a user submits an illegal post on an external network, the administrator traces the user on the log server from his/her public IP address to his/her private IP address.
  3. The administrator traces to specific user accounts through the authentication system inside a corporate network.
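The three tracing steps above, carried through on sample data, as an added example that is not part of the original document. The session log lines, their field layout and the authentication records are constructed for this example and are not eLog's or the firewall's real log format; what they carry is what step 1 says the log server must retain, the pre-NAT and post-NAT addresses and ports of each session.

```python
from datetime import datetime, timedelta

# Constructed session log (assumed layout, not eLog's real format). Each record
# carries the session start time and the pre-NAT and post-NAT address/port pairs.
# The third line reuses the same public port as the first, later in the day.
SESSION_LOG = """\
2019-01-26T10:00:01 proto=tcp src=10.0.3.25:51000 dst=203.0.113.9:443 nat_src=1.1.1.10:40001 nat_dst=203.0.113.9:443
2019-01-26T10:00:05 proto=tcp src=10.0.3.40:49152 dst=203.0.113.9:443 nat_src=1.1.1.10:40002 nat_dst=203.0.113.9:443
2019-01-26T11:30:00 proto=tcp src=10.0.3.77:52222 dst=203.0.113.9:443 nat_src=1.1.1.10:40001 nat_dst=203.0.113.9:443
"""

# Constructed authentication records: (account, private IP, login, logout).
# The same private address is handed to a different account later on.
AUTH_LOG = [
    ("alice", "10.0.3.25", "2019-01-26T08:00:00", "2019-01-26T12:00:00"),
    ("bob", "10.0.3.77", "2019-01-26T11:00:00", "2019-01-26T13:00:00"),
    ("carol", "10.0.3.25", "2019-01-26T13:00:00", "2019-01-26T18:00:00"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _endpoint(s):
    host, port = s.rsplit(":", 1)
    return host, int(port)


def parse_session_log(text):
    """Step 1: turn the stored session records into (pre-NAT, post-NAT) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append({
            "time": _ts(ts), "proto": kv["proto"],
            "src": _endpoint(kv["src"]), "dst": _endpoint(kv["dst"]),
            "nat_src": _endpoint(kv["nat_src"]), "nat_dst": _endpoint(kv["nat_dst"]),
        })
    return records


def trace_private(records, public_ip, public_port, dst_ip, dst_port, when,
                  window=timedelta(minutes=5)):
    """Step 2: public address/port -> private address/port.

    NAPT reuses a public port over time, so the destination and a time window
    around the reported event are needed to pick the right session.
    """
    t = _ts(when)
    return [r["src"] for r in records
            if r["nat_src"] == (public_ip, public_port)
            and r["nat_dst"] == (dst_ip, dst_port)
            and abs(r["time"] - t) <= window]


def trace_account(private_ip, when):
    """Step 3: private address at a given time -> account, from the authentication system."""
    t = _ts(when)
    for user, ip, login, logout in AUTH_LOG:
        if ip == private_ip and _ts(login) <= t <= _ts(logout):
            return user
    return None


def trace(public_ip, public_port, dst_ip, dst_port, when):
    """Full chain: (public IP, port, destination, time) -> [(private IP, port, account)]."""
    records = parse_session_log(SESSION_LOG)
    return [(ip, port, trace_account(ip, when))
            for ip, port in trace_private(records, public_ip, public_port, dst_ip, dst_port, when)]


if __name__ == "__main__":
    print(trace("1.1.1.10", 40001, "203.0.113.9", 443, "2019-01-26T10:01:00"))
    print(trace("1.1.1.10", 40001, "203.0.113.9", 443, "2019-01-26T11:31:00"))
```

Without the timestamp and the destination, the lookup for 1.1.1.10:40001 returns two different private hosts, which is why session logs need accurate time and why the log server's retention and clock synchronisation matter as much as the record layout.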

Data Planning

Data planning is based on the above service planning.

The table has four columns: Item, FW_A, FW_B, and Remarks.

Item: Interfaces and security zones

  Eth-Trunk1
    FW_A: member interfaces GE1/0/1, GE1/0/6
    FW_B: member interfaces GE1/0/1, GE1/0/6
    Remarks: Plan public addresses for all public network interfaces and VRRP backup groups connected to the ISPs. Otherwise, the gateway cannot be designated.

  Eth-Trunk2
    FW_A: member interfaces GE1/0/2, GE1/0/7
    FW_B: member interfaces GE1/0/2, GE1/0/7

  Eth-Trunk1.1
    FW_A: IP address 1.1.1.2/29; security zone isp1_1; gateway 1.1.1.6/29; VRRP backup group 1: 1.1.1.1/29; VGMP management group: Active
    FW_B: IP address 1.1.1.3/29; security zone isp1_1; gateway 1.1.1.6/29; VRRP backup group 1: 1.1.1.1/29; VGMP management group: Standby

  Eth-Trunk2.1
    FW_A: IP address 2.2.2.2/29; security zone isp2_1; gateway 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Active
    FW_B: IP address 2.2.2.3/29; security zone isp2_1; gateway 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Standby

  Eth-Trunk1.2
    FW_A: IP address 1.1.2.2/29; security zone isp1_2; gateway 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Active
    FW_B: IP address 1.1.2.3/29; security zone isp1_2; gateway 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Standby

  Eth-Trunk2.2
    FW_A: IP address 2.2.3.2/29; security zone isp2_2; gateway 2.2.3.6/29; VRRP backup group 2: 2.2.3.1/29; VGMP management group: Active
    FW_B: IP address 2.2.3.3/29; security zone isp2_2; gateway 2.2.3.6/29; VRRP backup group 2: 2.2.3.1/29; VGMP management group: Standby

  Eth-Trunk0
    FW_A: member interfaces GE2/0/0, GE1/0/5; IP address 10.0.7.1/24; security zone hrp
    FW_B: member interfaces GE2/0/0, GE1/0/5; IP address 10.0.7.2/24; security zone hrp
    Remarks: Hot standby heartbeat interface.

  GE1/0/3
    FW_A: IP address 10.0.3.1/24; security zone Trust
    FW_B: IP address 10.0.4.1/24; security zone Trust
    Remarks: Interface connecting the MAN.

  GE1/0/4
    FW_A: IP address 10.0.5.1/24; security zone DMZ
    FW_B: IP address 10.0.6.1/24; security zone DMZ
    Remarks: Interface connecting the server area.

Item: Security policy (FW_A and FW_B)

  trust_to_isp1
    Source security zone: Trust
    Destination security zone: isp1_1 and isp1_2
    Action: permit
    IPS profile: default
    Remarks: Allow intranet users to access ISP 1.

  trust_to_isp2
    Source security zone: Trust
    Destination security zone: isp2_1 and isp2_2
    Action: permit
    IPS profile: default
    Remarks: Allow intranet users to access ISP 2.

  isp1_to_http and isp2_to_http
    Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2
    Destination security zone: DMZ
    Destination address: 10.0.10.10/24
    Service: HTTP
    Action: permit
    IPS profile: default
    Remarks: Allow the ISPs to access the internal web server.

  isp1_to_ftp and isp2_to_ftp
    Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2
    Destination security zone: DMZ
    Destination address: 10.0.10.11/24
    Service: FTP
    Action: permit
    IPS profile: default
    Remarks: Allow the ISPs to access the internal FTP server.

  isp1_to_dns and isp2_to_dns
    Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2
    Destination security zone: DMZ
    Destination address: 10.0.10.20/24
    Service: DNS
    Action: permit
    IPS profile: default
    Remarks: Allow the ISPs to access the internal DNS server.

  local_to_eLog
    Source security zone: Local
    Destination security zone: DMZ
    Destination address: 10.0.10.30/24
    Action: permit
    Remarks: Allow the firewall to access the internal log server.

  local_to_trust
    Source security zone: Local and Trust
    Destination security zone: Local and Trust
    Service: OSPF
    Action: permit
    Remarks: Allow the firewall to exchange OSPF packets with the downstream router.

  local_to_isp
    Source security zone: Local
    Destination security zone: isp1_1, isp1_2, isp2_1, and isp2_2
    Action: permit
    Remarks: Allow the firewall to access the external network to update its signature databases.

  NOTE: For USG6000 and USG9500 versions earlier than V500R001C80, you need to configure security policies on the FW to allow the FW to send health check probe packets to the destination device. For versions later than V500R001C80, health check probe packets are not subject to security policies and are permitted by default, so no security policy is needed for them.

Item: Source NAT (FW_A and FW_B)
    ISP1_1 address pool: 1.1.1.10-1.1.1.12
    ISP1_2 address pool: 1.1.2.10-1.1.2.12
    ISP2_1 address pool: 2.2.2.10-2.2.2.12
    ISP2_2 address pool: 2.2.3.10-2.2.3.12
    Mode: NAPT

Item: NAT Server (FW_A and FW_B)

  Web server
    Private IP address: 10.0.10.10
    ISP1_1 public IP address: 1.1.1.15
    ISP1_2 public IP address: 1.1.2.15
    ISP2_1 public IP address: 2.2.2.15
    ISP2_2 public IP address: 2.2.3.15

  FTP server
    Private IP address: 10.0.10.11
    ISP1_1 public IP address: 1.1.1.16
    ISP1_2 public IP address: 1.1.2.16
    ISP2_1 public IP address: 2.2.2.16
    ISP2_2 public IP address: 2.2.3.16

  DNS server
    Private IP address: 10.0.10.20
    ISP1_1 public IP address: 1.1.1.17
    ISP1_2 public IP address: 1.1.2.17
    ISP2_1 public IP address: 2.2.2.17
    ISP2_2 public IP address: 2.2.3.17

Item: ISP1 (FW_A and FW_B)
    Address file: isp1.csv
    Carrier: isp1
    Active DNS server: 1.1.1.222
    Standby DNS server: 1.1.1.223

Item: ISP2 (FW_A and FW_B)
    Address file: isp2.csv
    Carrier: isp2
    Active DNS server: 2.2.2.222
    Standby DNS server: 2.2.2.223
Updated: 2019-01-26

Document ID: EDOC1100062972