HUAWEI Firewall Comprehensive Configuration Examples

This document describes typical firewall deployment scenarios and how to configure them.
Configuration Scripts

Configuration script for FW_A:

#
acl number 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
 hrp enable
 hrp interface GigabitEthernet 1/0/3 remote 10.10.0.2
 hrp track interface GigabitEthernet 1/0/1
 hrp track interface GigabitEthernet 1/0/4
#
 time-range work_time
  period-range 09:00:00 to 18:00:00 working-day
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ike proposal 10
  encryption-algorithm 3des
  dh group5
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha1
# Note: 3des and hmac-sha1 are legacy algorithms kept here as in the original example; use aes-256 and hmac-sha2-256 where both peers support them.
#
ike peer b
  pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
  ike-proposal 10
  remote-address 1.1.5.1
#
ike peer c
  pre-shared-key %$%$d([VET@941t/q_56S-f7,ra/%$%$
  ike-proposal 10
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
#
# The policy template serves peers whose address is not fixed, so it references ike peer c, which has no remote-address configured.
ipsec policy-template map_temp 11
 security acl 3000
 ike-peer c
 proposal tran1
#
ipsec policy map1 20 isakmp template map_temp
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.2 255.255.255.0 
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
 anti-ddos syn-flood source-detect alert-rate 100000
 anti-ddos udp-flood relation-defend source-detect alert-speed 10000
 ipsec policy map1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 2.2.2.2 255.255.255.0 
 vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active
 anti-ddos syn-flood source-detect alert-rate 100000
 anti-ddos udp-flood relation-defend source-detect alert-speed 10000
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.10.0.1 255.255.255.0 
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.1 255.255.0.0 
#
interface GigabitEthernet1/0/5
 portswitch
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/4
 add interface GigabitEthernet1/0/5
#
firewall zone ISP1
 set priority 15
 add interface GigabitEthernet1/0/1
#
firewall zone ISP2
 set priority 20
 add interface GigabitEthernet1/0/2
#
firewall zone Heart
 set priority 75
 add interface GigabitEthernet1/0/3
#  
ospf 100
 default-route-advertise
 area 0
  network 1.1.1.0 0.0.0.255
  network 10.2.0.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
 destination 1.1.1.254
ip-link name ip_link_2
 destination 2.2.2.254
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
 ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on ad
  mode no-plug-in
  no-plug-in interface GigabitEthernet1/0/5
  no-plug-in traffic server-ip 10.3.0.251 port 88
  enable
#            
ad-server template auth_server_ad
 ad-server authentication 10.3.0.251 88
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#            
 user-manage import-policy policy_import from ad
 server template auth_server_ad
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type user-group
 import-override enable
#
user-manage user vpdnuser
 password Hello123
# 
aaa
 domain cce.com
  service-type internetaccess
  new-user add-temporary group /cce.com auto-import policy_import
#
url-filter category user-defined name abc
#
profile type url-filter name default
# The profile name must match the name referenced by the security policy (profile url-filter profile_url).
profile type url-filter name profile_url
 category pre-defined control-level medium
# 
nat address-group 1
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.4
#
 multi-interface
  mode priority-of-link-quality
  priority-of-link-quality parameter delay jitter loss
  priority-of-link-quality protocol tcp-simple
  priority-of-link-quality interval 3 times 5
  priority-of-link-quality table aging-time 60
  add interface GigabitEthernet1/0/1
  add interface GigabitEthernet1/0/2
#
# Each PBR rule tracks the IP-link that probes its own next hop (ip_link_1 for 1.1.1.254, ip_link_2 for 2.2.2.254), so the rule stops steering traffic when that link fails.
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  application category Business_Systems
  track ip-link ip_link_1
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
 rule name pbr_2
  description pbr_2
  source-zone trust
  application category Entertainment sub-category VoIP
  application category Entertainment sub-category PeerCasting
  track ip-link ip_link_2
  action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.254
#
security-policy
  rule name policy_sec_management
    source-zone trust
    destination-zone ISP1
    destination-zone ISP2
    user user-group /default/management
    profile av default
    profile ips default
    profile url-filter profile_url
    action permit
  rule name policy_sec_marketing_1
    source-zone trust 
    destination-zone ISP1
    destination-zone ISP2
    user user-group /default/marketing
    application category Entertainment sub-category Media_Sharing
    application category Entertainment sub-category Game
    action deny
  rule name policy_sec_marketing_2
    source-zone trust 
    destination-zone ISP1
    destination-zone ISP2
    user user-group /default/marketing
    profile av default
    profile ips default
    profile url-filter profile_url
    action permit 
  rule name policy_sec_research_1
    source-zone trust 
    destination-zone ISP1
    destination-zone ISP2
    user user-group /default/research
    application category Entertainment
    action deny
  rule name policy_sec_research_2
    source-zone trust 
    destination-zone ISP1
    destination-zone ISP2
    user user-group /default/research
    profile av default
    profile ips default
    profile url-filter profile_url
    action permit 
  rule name policy_sec_manufacture
    source-zone trust 
    destination-zone ISP1
    destination-zone ISP2
    user user-group /default/manufacture
    action deny
  rule name policy_sec_ipsec_1
    source-zone local
    source-zone ISP1
    source-zone ISP2
    destination-zone local
    destination-zone ISP1
    destination-zone ISP2
    source-address 1.1.1.2 32
    source-address 3.3.3.1 32
    destination-address 1.1.1.2 32
    destination-address 3.3.3.1 32
    action permit
  rule name policy_sec_ipsec_2
    source-zone trust
    destination-zone ISP1
    destination-zone ISP2
    source-address 10.1.0.0 16
    destination-address 192.168.1.0 24
    profile av default
    profile ips default
    action permit
  rule name policy_sec_ipsec_3
    source-zone ISP1
    source-zone ISP2
    destination-zone trust
    source-address 192.168.1.0 24
    profile av default
    profile ips default
    action permit
  rule name local_policy_ad_01
    source-zone local
    destination-zone trust
    destination-address 10.3.0.251 32
    action permit
  rule name local_policy_ad_02
    source-zone trust
    destination-zone local
    source-address 10.3.0.251 32
    action permit
#  
# NAT rules are matched top-down. The no-nat rules for the IPsec-protected subnet come first so that traffic to 192.168.1.0/24 keeps its private source address and can match the IPsec ACL; remaining Internet traffic is then translated by address group 1.
nat-policy
  rule name policy_nat_ipsec_01
    source-zone trust
    destination-zone ISP1
    destination-address 192.168.1.0 24
    action no-nat
  rule name policy_nat_ipsec_02
    source-zone trust
    destination-zone ISP2
    destination-address 192.168.1.0 24
    action no-nat
  rule name policy_nat_internet_01
    source-zone trust
    destination-zone ISP1
    action source-nat address-group 1
  rule name policy_nat_internet_02
    source-zone trust
    destination-zone ISP2
    action source-nat address-group 1
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole both 30000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole both 60000
 profile profile_management
  bandwidth maximum-bandwidth whole downstream 50000
 profile profile_marketing
  bandwidth maximum-bandwidth whole downstream 30000
 profile profile_research
  bandwidth maximum-bandwidth whole downstream 20000
 rule name policy_p2p
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application app LotusNotes
  application app OWA
  time-range work_time
  action qos profile profile_email
 rule name policy_management
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/management
  action qos profile profile_management
 rule name policy_marketing
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/marketing
  action qos profile profile_marketing
 rule name policy_research
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/research
  action qos profile profile_research
# The following configurations are used to create users/groups. These configurations are stored in the database and are not contained in the configuration file.
user-manage group /default/management
user-manage group /default/marketing
user-manage group /default/research
user-manage user user_0001
 alias Tom
 parent-group /default/management
 password *********
 undo multi-ip online enable
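Dangling names are the most common way a script like this breaks when a profile, IP-link or IKE peer is renamed: each line is accepted on its own, but the object it points at does not exist. The following Python check is an added example, not part of the Huawei document; it parses a constructed excerpt in the same format and reports every reference that has no matching definition.

```python
import re

# Constructed excerpt in the format of the FW_A script above. The references
# "ike-peer headquarter", "track ip-link pbr_1" and "profile url-filter
# profile_url" are deliberately left dangling so the check has something to find.
SAMPLE_CONFIG = """\
ike peer b
  remote-address 1.1.5.1
ike peer c
ipsec policy map1 10 isakmp
 ike-peer b
ipsec policy-template map_temp 11
 ike-peer headquarter
ip-link name ip_link_1
 destination 1.1.1.254
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
policy-based-route
 rule name pbr_1
  track ip-link pbr_1
profile type url-filter name profile_url_1987
security-policy
  rule name policy_sec_management
    profile url-filter profile_url
    action permit
"""

# Per object kind: a definition regex (anchored at line start) and a reference
# regex (searched anywhere on the line). Group 1 captures the object name.
CHECKS = {
    "ike-peer":   (r"^ike peer (\S+)", r"^\s+ike-peer (\S+)"),
    "ip-link":    (r"^ip-link name (\S+)", r"\btrack ip-link (\S+)"),
    "url-filter": (r"^profile type url-filter name (\S+)", r"^\s+profile url-filter (\S+)"),
}

def collect(lines, pattern, anchored):
    """Return the set of names captured by pattern across all lines."""
    matcher = re.match if anchored else re.search
    return {m.group(1) for line in lines if (m := matcher(pattern, line))}

def dangling_references(config):
    """Map object kind -> sorted names that are referenced but never defined."""
    lines = config.splitlines()
    report = {}
    for kind, (def_re, ref_re) in CHECKS.items():
        missing = collect(lines, ref_re, False) - collect(lines, def_re, True)
        if missing:
            report[kind] = sorted(missing)
    return report

if __name__ == "__main__":
    for kind, names in dangling_references(SAMPLE_CONFIG).items():
        print(f"{kind}: referenced but undefined: {', '.join(names)}")
```

Run it against a full `display current-configuration` dump after any rename; an empty report means every referenced peer, IP-link and URL-filter profile exists.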
Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16169

Downloads: 702

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next