HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Typical Networking

As shown in Figure 1-2, the FW is deployed at the egress of the campus network as a security gateway. It provides Internet access for users on the campus and server access for users outside the campus. Because the campus network was built in phases, the egress links have uneven bandwidth: the link to the education network is 1G, the three links to the ISP1 network are 200M, 1G, and 200M respectively, and the two links to the ISP2 network are both 1G.

Figure 1-2  Typical networking of IP address-based policy control

The campus network is mainly used for learning and working. Therefore, in addition to ensuring the security of intranet users and servers, the egress needs to properly allocate bandwidth resources and implement load balancing for network traffic to improve the access experience of intranet and extranet users. The main requirements of the campus network are as follows:

  • Load balancing

    • The ISP links must be fully used to ensure the network access experience of intranet users. The campus wants traffic destined for a specific ISP network to be forwarded preferentially through the outbound interface connected to that ISP. For example, traffic destined for the education network is forwarded preferentially through GE 1/0/1, and traffic destined for the ISP2 network through GE 1/0/5 or GE 1/0/6. Links to the same ISP network load-balance traffic by link bandwidth or by a weight ratio. To improve forwarding reliability and prevent packet loss on an overburdened link, the links must back each other up.

    • The ISP links differ in transmission quality. The link to the education network and the links to the ISP2 network are of high quality and carry delay-sensitive service traffic, such as the traffic of the distance education system. The links to the ISP1 network are of poor quality and carry bandwidth-consuming, low-value traffic such as P2P. For cost reasons, traffic destined for the servers of other campuses, network access traffic of users in the library, and traffic matching the default route are forwarded over the link to the education network.

    • Users on the campus automatically obtain the same DNS server address, so the addresses they resolve belong to that DNS server's ISP and their traffic is forwarded over that one ISP link. The campus wants to make full use of the other links and asks that some DNS requests be distributed to other ISP links. Changing only the outbound interface of the DNS request packets does not help, because the resolved addresses, and therefore the subsequent access traffic, would still belong to one ISP. Instead, DNS requests need to be redirected to the DNS servers of different ISP networks, so that the resolved addresses belong to different ISP networks and the subsequent traffic is spread across the links.

    • A DNS server on the campus network provides domain name resolution for the campus servers. When users on different ISP networks access the campus network, the DNS server returns the address that belongs to the same ISP as the user, so the user's traffic enters over that ISP's link and access quality improves.

    • Traffic destined for the library server is heavy, so two servers are deployed and the traffic is load-balanced between them.

  • Address translation

    • Users on the campus network require public IP addresses to access the Internet.

    • The servers, such as library servers, portal servers, and DNS servers, on the campus network use public IP addresses to provide services for intranet and extranet users.

  • Security defense

    • Assign network devices to different security zones based on their locations, isolate interzone traffic, and control which zones may access each other. For example, allow users on the campus to access extranet resources, but allow extranet users to access only a specific port of an intranet server.

    • Common DDoS attacks (such as SYN flood attacks) and single-packet attacks (such as Land attacks) must be defended against.

    • Network intrusions must be blocked and alarms generated.

  • Bandwidth management and control

    Because bandwidth is limited, the campus asks to limit the percentage of link bandwidth that P2P traffic may use, as well as the P2P bandwidth of each user. Common P2P traffic is generated by download software (Thunder, eMule, BT, Ares, and Vuze), music software (Kugou Music, kugou, and SoulSeek), and video websites or players (Baidu player, QiYi, and SHPlayer).

  • Source tracing and auditing

    • To prevent improper online behavior of campus users from damaging the reputation of the campus, the source of such behavior must be traceable and its content reconstructable. The online behavior of users on the campus needs to be audited for later investigation and analysis. Behavior to be audited includes URL access records, BBS posts and microblogs, HTTP uploads and downloads, and FTP uploads and downloads.

    • Log servers are deployed on the campus. Attack defense and intrusion detection logs, as well as pre-NAT and post-NAT IP addresses, can be viewed on the log servers.
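The load-balancing and link-backup requirements above (an ISP-based preferred outbound interface, bandwidth-ratio load balancing among links to the same ISP, backup when a link is overloaded, delay-sensitive traffic kept off the ISP1 links, P2P steered onto them, and default-route traffic on the education link) amount to a policy-based routing decision. The following Python is an added example written for this page; it is not Huawei's implementation and not a firewall configuration. The interface names and bandwidths are the ones in this section, the ISP prefixes are constructed placeholders (RFC 5737 ranges), and the overload threshold, the flow-hash selection and the precedence between traffic classes are assumptions made for the demonstration.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Link:
    name: str               # outbound interface on the FW
    isp: str                # operator the link terminates on
    bandwidth_mbps: int     # also the load-balancing weight
    load_mbps: float = 0.0  # current utilisation, as fed in from monitoring


# Egress links of the Typical Networking section (bandwidths as given on the page).
LINKS = [
    Link("GE1/0/1", "education", 1000),
    Link("GE1/0/2", "isp1", 200),
    Link("GE1/0/3", "isp1", 1000),
    Link("GE1/0/4", "isp1", 200),
    Link("GE1/0/5", "isp2", 1000),
    Link("GE1/0/6", "isp2", 1000),
]

# ISP address sets: constructed placeholders (RFC 5737). A real deployment loads
# the operators' published route lists instead.
ISP_PREFIXES = {
    "education": [ipaddress.ip_network("203.0.113.0/24")],
    "isp1": [ipaddress.ip_network("198.51.100.0/24")],
    "isp2": [ipaddress.ip_network("192.0.2.0/24")],
}

LOW_QUALITY_ISPS = {"isp1"}  # assumption: delay-sensitive traffic avoids these, P2P prefers them
DEFAULT_LINK = "GE1/0/1"     # traffic matching the default route uses the education link
OVERLOAD_RATIO = 0.9         # assumption: a link above 90 % of its bandwidth is treated as full


def isp_of(dst_ip):
    """Return the ISP whose address set contains dst_ip, or None for no match."""
    addr = ipaddress.ip_address(dst_ip)
    for isp, nets in ISP_PREFIXES.items():
        if any(addr in n for n in nets):
            return isp
    return None


def healthy(links):
    """Links with headroom; an overloaded link is skipped so the others back it up."""
    return [l for l in links if l.load_mbps < OVERLOAD_RATIO * l.bandwidth_mbps]


def weighted_pick(links, flow_key):
    """Bandwidth-weighted choice that is deterministic per flow: hash the flow onto
    [0, total weight) so every packet of one session lands on the same link."""
    total = sum(l.bandwidth_mbps for l in links)
    point = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16) % total
    for link in links:
        if point < link.bandwidth_mbps:
            return link
        point -= link.bandwidth_mbps
    return links[-1]


def select_egress(src_ip, dst_ip, traffic_class="normal", links=LINKS):
    """traffic_class is "normal", "latency" (e.g. distance education) or "bulk" (P2P).
    Returns the chosen Link, or None when every usable link is full."""
    by_name = {l.name: l for l in links}
    flow_key = f"{src_ip}>{dst_ip}"

    if traffic_class == "bulk":
        # bulk traffic is steered onto the poor-quality links while they have headroom
        cheap = healthy([l for l in links if l.isp in LOW_QUALITY_ISPS])
        if cheap:
            return weighted_pick(cheap, flow_key)

    isp = isp_of(dst_ip)
    if isp is None:
        preferred = healthy([by_name[DEFAULT_LINK]])          # default route
    else:
        preferred = healthy([l for l in links if l.isp == isp])  # the destination's own ISP

    if traffic_class == "latency":
        preferred = [l for l in preferred if l.isp not in LOW_QUALITY_ISPS]
        backup = [l for l in healthy(links) if l.isp not in LOW_QUALITY_ISPS]
    else:
        backup = healthy(links)

    cands = preferred or backup or healthy(links)   # last resort: anything with headroom
    return weighted_pick(cands, flow_key) if cands else None


def distribution(dst_ip, n_flows, links=LINKS):
    """Count which interface each of n_flows from distinct campus hosts is assigned to."""
    counts = Counter()
    for i in range(n_flows):
        counts[select_egress(f"10.1.{i // 256}.{i % 256}", dst_ip, links=links).name] += 1
    return counts


if __name__ == "__main__":
    print(select_egress("10.1.0.5", "192.0.2.10").name)   # one of the ISP2 links
    print(select_egress("10.1.0.5", "8.8.8.8").name)      # GE1/0/1, the default-route link
    print(distribution("198.51.100.7", 2000))              # roughly 1:5:1 across the ISP1 links
```

The per-flow hash is the detail to keep when the same device also performs source NAT: if a session's outbound interface changed mid-flow, its translated source address would change with it and the remote server would see a new connection.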
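The bandwidth management requirement (cap P2P traffic at a percentage of the link, and cap each user's P2P share) is a two-level rate limit. The following Python is an added example, not the firewall's traffic-policy implementation: it models each level as a token bucket and runs a constructed packet trace through them. Application identification is reduced to matching the application names listed on the page; the 1 Gbit/s link rate, the 20 % P2P share, the 2 Mbit/s per-user cap and the 100 ms burst are assumed figures chosen for the demonstration.

```python
from collections import Counter

# Applications the page lists as P2P. Real application identification inspects the
# packets; here the trace already carries the application name.
P2P_APPS = {"Thunder", "eMule", "BT", "Ares", "Vuze", "Kugou Music", "SoulSeek",
            "Baidu player", "QiYi", "SHPlayer"}


class TokenBucket:
    """Token bucket with rate in bit/s and burst in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0   # bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def has(self, now, nbytes):
        """Refill for the elapsed time and report whether nbytes fit; consumes nothing."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        return self.tokens >= nbytes

    def take(self, nbytes):
        self.tokens -= nbytes


class P2PShaper:
    """Two-level limit: all P2P traffic together may use at most p2p_percent of the
    link, and each user's P2P traffic is capped at per_user_bps."""

    def __init__(self, link_bps, p2p_percent, per_user_bps, burst_ms=100):
        agg_bps = link_bps * p2p_percent / 100.0
        self.aggregate = TokenBucket(agg_bps, agg_bps / 8.0 * burst_ms / 1000.0)
        self.per_user_bps = per_user_bps
        self.user_burst = per_user_bps / 8.0 * burst_ms / 1000.0
        self.users = {}   # one bucket per user, created on first P2P packet

    def verdict(self, now, user, app, nbytes):
        if app not in P2P_APPS:
            return "pass"   # only P2P traffic is subject to this policy
        bucket = self.users.setdefault(user, TokenBucket(self.per_user_bps, self.user_burst))
        # Check both levels before consuming from either, so a packet refused by the
        # aggregate limit does not also spend the user's own tokens.
        if not bucket.has(now, nbytes):
            return "drop-user-limit"
        if not self.aggregate.has(now, nbytes):
            return "drop-aggregate-limit"
        bucket.take(nbytes)
        self.aggregate.take(nbytes)
        return "pass"


def make_trace(n_users, duration_s, interval_s=0.001, size=1500, app="BT"):
    """Constructed trace: every user sends one size-byte packet every interval_s,
    i.e. 12 Mbit/s per user with the defaults. Entries are in time order."""
    steps = int(round(duration_s / interval_s))
    return [(k * interval_s, f"user{u}", app, size)
            for k in range(steps) for u in range(n_users)]


def run(shaper, trace):
    """Apply the shaper to a time-ordered trace; returns verdict counts and bytes passed."""
    counts = Counter()
    passed_bytes = 0
    for now, user, app, size in trace:
        v = shaper.verdict(now, user, app, size)
        counts[v] += 1
        if v == "pass":
            passed_bytes += size
    return counts, passed_bytes


if __name__ == "__main__":
    shaper = P2PShaper(link_bps=1_000_000_000, p2p_percent=20, per_user_bps=2_000_000)
    # one user at 12 Mbit/s is held to about 2 Mbit/s by the per-user limit
    print(run(shaper, make_trace(1, 1.0)))
    # 150 such users would need 300 Mbit/s after per-user shaping; the 200 Mbit/s
    # aggregate limit (20 % of 1 Gbit/s) now drops packets as well
    print(run(P2PShaper(1_000_000_000, 20, 2_000_000), make_trace(150, 0.5)))
```

Checking both buckets before consuming from either is the part worth keeping: otherwise a packet refused by the aggregate limit still spends the user's tokens, and that user is penalised twice for the same packet.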

Updated: 2019-01-26

Document ID: EDOC1100062972