
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Planning of Interfaces and Security Zones

As shown in Figure 5-3, one firewall has five interfaces that are connected to different security zones. Therefore, the five interfaces need to be assigned to the different security zones.

Figure 5-3  Security zones of interfaces of the FWs
  • GE1/0/1 is connected to the ISP1 link and assigned to the ISP1 zone. The ISP1 zone needs to be created, and its priority is 15.
  • GE1/0/2 is connected to the ISP2 link and assigned to the ISP2 zone. The ISP2 zone needs to be created, and its priority is 20.
  • GE1/0/3 is connected to the core router and assigned to the Heart zone. The Heart zone needs to be created, and its priority is 75.
  • GE1/0/4 is connected to the server area and assigned to the Trust zone. The Trust zone is a default security zone of the firewall. Its priority is 85.

Hot Standby Planning

One ISP provides one link, and one link cannot be directly connected to two firewalls. Therefore, it is necessary to deploy an egress aggregation switch between the ISP and the firewalls. The egress aggregation switch can split one ISP link into two links and then connect the two links to the upstream interfaces of the two firewalls. OSPF runs between the firewalls and downstream core switches. The two firewalls are connected to the upstream interfaces of the two core switches.

To save public IP addresses, private IP addresses are planned for the upstream interfaces of the firewalls. However, the address of a VRRP group must be a public address allocated by the ISP to enable the communication with the ISP.

Table 5-1  Hot standby planning
Item | Data | Description

FW_A

Interface GE1/0/1

  • Security zone: ISP1
  • IP address: 1.1.1.2/24

Interface connecting FW_A to the upstream L2 switch. It is connected to ISP1 and assigned to the ISP1 security zone.

Interface GE1/0/2

  • Security zone: ISP2
  • IP address: 2.2.2.2/24

Interface connecting FW_A to the upstream L2 switch. It is connected to ISP2 and assigned to the ISP2 security zone.

Interface GE1/0/3

  • Security zone: Heart
  • IP address: 10.10.0.1/24

Heartbeat interface connected to FW_B. It is assigned to the Heart security zone.

Interface GE1/0/4

  • Security zone: Trust
  • IP address: 10.1.1.1/16

Interface connecting FW_A to the downstream L3 switch. It is assigned to the Trust security zone.

VRRP group 1

  • Interface: GE1/0/1
  • ID: 1
  • Virtual IP address: 1.1.1.1
  • State: master

VRRP group 1 on FW_A.

VRRP group 2

  • Interface: GE1/0/2
  • ID: 2
  • Virtual IP address: 2.2.2.1
  • State: master

VRRP group 2 on FW_A.

OSPF

  • Process ID: 100
  • Network segment: 1.1.1.0 0.0.0.255
  • Network segment: 10.1.0.0 0.0.0.255

OSPF on FW_A.

FW_B

Interface GE1/0/1

  • Security zone: ISP1
  • IP address: 1.1.1.3/24

Interface connecting FW_B to the upstream L2 switch. It is connected to ISP1 and assigned to the ISP1 security zone.

Interface GE1/0/2

  • Security zone: ISP2
  • IP address: 2.2.2.3/24

Interface connecting FW_B to the upstream L2 switch. It is connected to ISP2 and assigned to the ISP2 security zone.

Interface GE1/0/3

  • Security zone: Heart
  • IP address: 10.10.0.2/24

Heartbeat interface connected to FW_A. It is assigned to the Heart security zone.

Interface GE1/0/4

  • Security zone: Trust
  • IP address: 10.2.1.1/16

Interface connecting FW_B to the downstream L3 switch. It is assigned to the Trust security zone.

VRRP group 1

  • Interface: GE1/0/1
  • ID: 1
  • Virtual IP address: 1.1.1.1
  • State: slave

VRRP group 1 on FW_B.

VRRP group 2

  • Interface: GE1/0/2
  • ID: 2
  • Virtual IP address: 2.2.2.1
  • State: slave

VRRP group 2 on FW_B.

OSPF

  • Process ID: 100
  • Network segment: 2.2.2.0 0.0.0.255
  • Network segment: 10.2.0.0 0.0.0.255

OSPF on FW_B.
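An added check, not from the Huawei document: a VRP OSPF network statement enables OSPF only on interfaces whose primary address falls inside its address/wildcard pair, so this script tests the Table 5-1 addresses against the planned statements and lists the interfaces that are left out (the heartbeat link and the other ISP's link are meant to stay out of OSPF; the downstream Trust interface 10.1.1.1/16 against 10.1.0.0 0.0.0.255 also comes back uncovered, which the planner should confirm, since 0.0.255.255 would cover the whole /16). It assumes only Python 3's standard ipaddress module.

```python
import ipaddress
from typing import List, Tuple

Interface = Tuple[str, str]   # (interface name, IPv4 address)
Network = Tuple[str, str]     # (network address, OSPF wildcard mask)


def covered(addr: str, network: str, wildcard: str) -> bool:
    """OSPF wildcard semantics: a 0 bit in the wildcard must match the
    network address, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & keep) == (n & keep)


def uncovered_interfaces(interfaces: List[Interface],
                         networks: List[Network]) -> List[Interface]:
    """Interfaces whose address matches none of the OSPF network statements."""
    return [(name, addr) for name, addr in interfaces
            if not any(covered(addr, net, wc) for net, wc in networks)]


# Interface addresses and OSPF network statements as planned in Table 5-1.
FW_A_INTERFACES = [("GE1/0/1", "1.1.1.2"), ("GE1/0/2", "2.2.2.2"),
                   ("GE1/0/3", "10.10.0.1"), ("GE1/0/4", "10.1.1.1")]
FW_A_NETWORKS = [("1.1.1.0", "0.0.0.255"), ("10.1.0.0", "0.0.0.255")]

FW_B_INTERFACES = [("GE1/0/1", "1.1.1.3"), ("GE1/0/2", "2.2.2.3"),
                   ("GE1/0/3", "10.10.0.2"), ("GE1/0/4", "10.2.1.1")]
FW_B_NETWORKS = [("2.2.2.0", "0.0.0.255"), ("10.2.0.0", "0.0.0.255")]


def report(label: str, interfaces: List[Interface],
           networks: List[Network]) -> List[str]:
    """One line per interface that the planned statements do not cover."""
    return [f"{label}: {name} ({addr}) is not covered by any OSPF network statement"
            for name, addr in uncovered_interfaces(interfaces, networks)]


if __name__ == "__main__":
    for line in report("FW_A", FW_A_INTERFACES, FW_A_NETWORKS):
        print(line)
    for line in report("FW_B", FW_B_INTERFACES, FW_B_NETWORKS):
        print(line)
```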

Multi-ISP Uplink Selection Planning

When the FW serves as the egress gateway and provides multiple outbound interfaces, the administrator must plan multi-ISP uplink selection. The matching order for multi-ISP uplink selection is PBRs, specific routes, and default routes. For the two ISP links leased by the enterprise for Internet access, ISP1 provides fast Internet access and stable bandwidth but at a higher price; ISP2 is cheap but provides slower access. The enterprise expects that traffic of different applications is forwarded through different links and that Internet traffic is carried over the link of the best transmission quality. Therefore, the global uplink selection policies in the present case include application-based PBR and link quality-based load balancing. Such multi-egress routing planning is as follows:

  • Application-based PBR

    P2P traffic and web video traffic use much bandwidth. Therefore, the two types of traffic are routed to specific links for forwarding. This is implemented through application-based PBR.

    PBRs pbr_1 and pbr_2 are created. All intranet office and service traffic goes out from GE1/0/1 and is forwarded by ISP1 to the Internet. Intranet entertainment traffic, such as video and VoIP traffic, goes out from GE1/0/2 and is forwarded by ISP2 to the Internet.

  • Intelligent uplink selection (link quality-based load balancing)

    Because the enterprise requests to use the link of the best transmission quality to carry Internet traffic, the intelligent uplink selection mode is set to link quality-based load balancing. The outbound interfaces of the FWs directly connected to ISP1 and ISP2 are set as the member interfaces for intelligent uplink selection.

User Authentication Planning

R&D employees and marketing employees can log in to the AD domain using their domain accounts and passwords and access network resources without further authentication. The user information of new employees may have been created in the AD server but not stored in the FW. Therefore, it is required that the user information be imported to the FW according to the organizational structure in the AD server after the users are authenticated.

  1. Configure the AD server on the FW, and ensure normal communication between the FW and AD server.
  2. Configure an authentication domain on the FW, setting the name of the authentication domain to the domain name on the AD server.
  3. Configure the server import policy on the FW to import the user information in the AD server to the FW.
  4. Configure the new user option of the authentication domain so that an authenticated user that does not exist on the FW logs in as a temporary user.
  5. Configure SSO parameters on the FW, ensuring that the FW monitors the authentication result packet sent by the AD server to the user PC.

    In the present case, the authentication packet does not pass through the FW. Therefore, it is necessary to mirror the authentication result packet sent by the AD server to the user PC.

  6. Set the online user aging time to 480 hours to avoid frequent sign-on authentication due to the aging of online connections during business hours (assuming 8 hours).
  7. Configure port mirroring on the switch to mirror the authentication packets to the FW.
Table 5-2  User authentication planning
Item | Data | Description

AD server

  • Name: auth_server_ad

  • IP address of the primary authentication server: 10.3.0.251

  • Port: 88

  • Device name of the primary authentication server: ad.cce.com

  • Base DN/Port DN: dc=cce, dc=com

  • LDAP port: 389

  • Administrator DN: cn=administrator, cn=users

  • Administrator password: Admin@123

Configure the AD server on the FW. This is to set the parameters used for communication between the FW and the AD server.

The parameters set here must be consistent with those set on the AD server.

Import policy

  • Name: policy_import

  • Server type: AD

  • Server name: auth_server_ad

  • Import type: import users and user groups locally

  • Destination group: /cce.com

  • Automatic synchronization with server: 120 minutes

  • Override the local user record when the current user already exists

Import user information from the AD server to the FW.

AD single-sign-on

  • AD single-sign-on: enable

  • Work mode: no-plug-in
  • Interface receiving mirrored authentication packets: GigabitEthernet 1/0/4
  • Parsed traffic: 10.3.0.251:88 (server IP address:authentication port)

Configure single-sign-on parameters on the FW to receive user sign-on information sent by the AD server.

Security Policy Planning

Different security policies are configured for different user groups to control the Internet permissions for users of different departments:

  • Senior managers can access the Internet freely.
  • Marketing employees can access the Internet but cannot play games or view videos on the Internet.
  • R&D employees can access the Internet but cannot carry out entertainment activities, including games, IM chatting, video calls, voice calls, and access to social websites.

In addition, antivirus, IPS, and URL filtering profiles can be included in the security policies to defend against viruses, worms, Trojan horses, and botnets, and to filter websites.

Normally, the default antivirus and IPS profiles are sufficient. Create a URL filtering profile with the URL filtering control level set to "medium", which restricts access to all adult and illegal websites.

Table 5-3  Security policy planning
Item | Data | Description
Security policy for senior management
  • Name: policy_sec_management
  • Source security zone: Trust
  • Destination security zone: ISP1 and ISP2
  • User: management
  • Action: permit
  • Antivirus: default
  • IPS: default
  • URL filtering: profile_url

The policy_sec_management security policy allows the senior managers to access the Internet freely.

Security policy 1 for marketing
  • Name: policy_sec_marketing_1
  • Source security zone: trust
  • Destination security zone: ISP1 and ISP2
  • User: marketing
  • Application: Game and Media_Sharing
  • Action: deny

The policy_sec_marketing_1 security policy prohibits marketing employees from playing games through the Internet.

Security policy 2 for marketing
  • Name: policy_sec_marketing_2
  • Source security zone: trust
  • Destination security zone: ISP1 and ISP2
  • User: marketing
  • Action: permit
  • Antivirus: default
  • IPS: default
  • URL filtering: profile_url

The policy_sec_marketing_2 security policy allows marketing employees to access the Internet.

Security policy 1 for R&D
  • Name: policy_sec_research_1
  • Source security zone: trust
  • Destination security zone: ISP1 and ISP2
  • User: research
  • Application: Entertainment
  • Action: deny

The policy_sec_research_1 security policy prohibits R&D employees from entertainment activities through the Internet.

Security policy 2 for R&D
  • Name: policy_sec_research_2
  • Source security zone: trust
  • Destination security zone: ISP1 and ISP2
  • User: research
  • Action: permit
  • Antivirus: default
  • IPS: default
  • URL filtering: profile_url

The policy_sec_research_2 security policy allows R&D employees to access the Internet.

IPSec security policy 1
  • Name: policy_sec_ipsec_1
  • Source security zone: local, ISP1, and ISP2
  • Destination security zone: local, ISP1, and ISP2
  • Source address/region: 1.1.1.2/32 and 3.3.3.1/32
  • Destination address/region: 1.1.1.2/32 and 3.3.3.1/32
  • Action: permit

The policy_sec_ipsec_1 security policy allows setup of IPSec tunnels between NGFWs of the headquarters and branches.

IPSec security policy 2
  • Name: policy_sec_ipsec_2
  • Source security zone: trust
  • Destination security zone: ISP1 and ISP2
  • Source address/region: 10.1.0.0/16
  • Destination address/region: 192.168.1.0/24
  • Action: permit
  • Antivirus: default
  • IPS: default

The policy_sec_ipsec_2 security policy allows headquarter employees to access branch employees through IPSec tunnels.

The source address/region is the network segment for the headquarter employees, and the destination address/region is the network segment for branch employees.

IPSec security policy 3
  • Name: policy_sec_ipsec_3
  • Source security zone: ISP1 and ISP2
  • Destination security zone: trust
  • Source address/region: 192.168.1.0/24
  • Action: permit
  • Antivirus: default
  • IPS: default

The policy_sec_ipsec_3 security policy allows branch employees to access headquarter employees through IPSec tunnels.

The source address/region is the network segment for branch employees.

Security policy 1 for L2TP over IPSec
  • Name: policy_sec_l2tp_ipsec_1
  • Source security zone: trust
  • Destination security zone: ISP1 and ISP2
  • Destination address/region: 10.1.1.1/16
  • Destination address/region: 10.1.1.2 -10.1.1.100
  • Action: permit

The policy_sec_l2tp_ipsec_1 security policy allows headquarter employees to access mobile employees.

The destination address is the network segment of the L2TP address pool.

Security policy 2 for L2TP over IPSec
  • Name: policy_sec_l2tp_ipsec_2
  • Source security zone: untrust
  • Destination security zone: trust
  • Source address/region: 10.1.1.2-10.1.1.100
  • Destination address/region: 10.1.1.1/16
  • Action: permit
  • Antivirus: default
  • IPS: default

The policy_sec_l2tp_ipsec_2 security policy allows mobile employees to access the enterprise intranet.

Security policy for server access of extranet users
  • Name: policy_sec_server
  • Source security zone: ISP1 and ISP2
  • Destination security zone: trust
  • Destination address/region: 10.2.0.10/32 and 10.2.0.11/32
  • Action: permit
  • Antivirus: default
  • IPS: default

The policy_sec_server security policy allows extranet users to access intranet servers of the enterprise network.

The destination address/region is the private IP address of the server to which the public address is mapped.
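The FW evaluates its security policy list top-down and applies the first match, so the application-specific deny rules in Table 5-3 only work when they sit above the broader permit rules for the same users. The following is an added example, not code from the Huawei document: a minimal first-match evaluator over the Internet-access policies of Table 5-3, plus a check that reports a deny rule shadowed by an earlier permit (zone names are compared case-insensitively because the table mixes "Trust" and "trust"; the flow fields and the MISORDERED list are constructed for illustration).

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    action: str                        # "permit" or "deny"
    users: Optional[Set[str]] = None   # None means any user
    apps: Optional[Set[str]] = None    # None means any application


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    user: str
    app: str


def _norm(names: Set[str]) -> Set[str]:
    return {n.lower() for n in names}


def matches(p: Policy, f: Flow) -> bool:
    """A flow matches when every condition the policy specifies is met."""
    return (f.src_zone.lower() in _norm(p.src_zones)
            and f.dst_zone.lower() in _norm(p.dst_zones)
            and (p.users is None or f.user in p.users)
            and (p.apps is None or f.app in p.apps))


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """First matching policy wins; the implicit default policy denies the rest."""
    for p in policies:
        if matches(p, flow):
            return p.name, p.action
    return "default", "deny"


def shadowed_denies(policies: List[Policy]) -> List[str]:
    """Application-specific deny rules that an earlier, broader permit for the
    same users and zones already matches, so they can never take effect."""
    out = []
    for i, deny in enumerate(policies):
        if deny.action != "deny" or deny.apps is None:
            continue
        for permit in policies[:i]:
            if (permit.action == "permit" and permit.apps is None
                    and permit.users == deny.users
                    and _norm(permit.src_zones) == _norm(deny.src_zones)
                    and _norm(permit.dst_zones) == _norm(deny.dst_zones)):
                out.append(deny.name)
                break
    return out


INTERNET = {"ISP1", "ISP2"}
# Internet-access policies from Table 5-3, in the order they are planned.
PLANNED = [
    Policy("policy_sec_management", {"Trust"}, INTERNET, "permit", users={"management"}),
    Policy("policy_sec_marketing_1", {"trust"}, INTERNET, "deny", users={"marketing"},
           apps={"Game", "Media_Sharing"}),
    Policy("policy_sec_marketing_2", {"trust"}, INTERNET, "permit", users={"marketing"}),
    Policy("policy_sec_research_1", {"trust"}, INTERNET, "deny", users={"research"},
           apps={"Entertainment"}),
    Policy("policy_sec_research_2", {"trust"}, INTERNET, "permit", users={"research"}),
]
# Constructed variant with the marketing permit placed above its deny rule.
MISORDERED = [PLANNED[0], PLANNED[2], PLANNED[1], PLANNED[3], PLANNED[4]]

if __name__ == "__main__":
    print(evaluate(PLANNED, Flow("Trust", "ISP1", "marketing", "Game")))
    print(shadowed_denies(MISORDERED))
```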

NAT Planning

The enterprise has 500 employees but limited public IP addresses. To enable a large number of intranet users to access the Internet with the limited public addresses, it is necessary to deploy source NAT on the FW to translate the source addresses of packets from intranet users to the Internet from private addresses to public addresses.

In addition, the enterprise network provides web servers and FTP servers for public network users. However, because the servers are deployed inside the enterprise network, it is necessary to configure server mapping to map the private IP address of a server to a public address.

Table 5-4  NAT planning

Item | Data | Description

NAT policy for traffic to branches

  • Name: policy_nat_ipsec_01
  • Source security zone: trust
  • Destination security zone: ISP1
  • Destination address: 192.168.1.0/24

  • Action: no NAT

NAT is not performed for traffic to the branches (destination IP address: 192.168.1.0/24). This traffic is routed directly to the IPSec tunnel.

  • Name: policy_nat_ipsec_02
  • Source security zone: trust
  • Destination security zone: ISP2
  • Destination address: 192.168.1.0/24

  • Action: no NAT

NAT policy for traffic to the Internet

NAT policy

  • Name: policy_nat_internet_01
  • Source security zone: trust
  • Destination security zone: ISP1
  • Source address: addresses in the address pool
  • Address pool: 1

NAT is performed for traffic to the Internet. The source address is translated from a private IP address to a public IP address in the address pool.

The four IP addresses, 1.1.1.1-1.1.1.4, obtained from the carrier are used as addresses in the NAT address pool.

NAT policy

  • Name: policy_nat_internet_02
  • Source security zone: trust
  • Destination security zone: ISP2
  • Source address: addresses in the address pool
  • Address pool: 1

NAT address pool

  • Name: nataddr
  • IP address range: 1.1.1.1-1.1.1.4
Web server mapping policy

  • Name: policy_nat_web
  • Zone: ISP1
  • Public address: 1.1.1.5
  • Private address: 10.2.0.10
  • Public port: 8080
  • Private port: 80

  • Name: policy_nat_web
  • Zone: ISP2
  • Public address: 2.2.2.5
  • Private address: 10.2.0.10
  • Public port: 8080
  • Private port: 80

With this mapping, extranet users can access 1.1.1.5 and 2.2.2.6, and traffic to port 8080 can be routed to the intranet web server.

The private address of the web server is 10.2.0.10, and its private port number is 80.

FTP server mapping policy

  • Name: policy_nat_ftp
  • Zone: ISP1
  • Public address: 1.1.1.6
  • Private address: 10.2.0.11
  • Public port: 21
  • Private port: 21

  • Name: policy_nat_ftp
  • Zone: ISP2
  • Public address: 2.2.2.6
  • Private address: 10.2.0.11
  • Public port: 21
  • Private port: 21

With this mapping, extranet users can access 1.1.1.6 and 2.2.2.6, and traffic to port 21 can be routed to the intranet FTP server.

The private address of the FTP server is 10.2.0.11, and its private port number is 21.

Bandwidth Management Planning

The total bandwidth is 20 Gbit/s. To ensure bandwidth for normal work, it is necessary to configure a traffic policy that restricts P2P traffic. In addition, different traffic profiles and traffic policies are also needed for different intranet users.

  1. The maximum upstream bandwidth for P2P traffic between intranet users and the Internet is 2 Gbit/s, and the maximum downstream bandwidth is 6 Gbit/s, to avoid the consumption of large quantities of bandwidth resources.
  2. To ensure the normal operation of email and ERP applications during business hours, bandwidth for such traffic is at least 4 Gbit/s.
  3. For Internet access of senior managers, the minimum upstream and downstream bandwidth is 20 Mbit/s, and the maximum downstream bandwidth per user is 20 Mbit/s.
Table 5-5  Planning of traffic policies

Item | Data | Description

Traffic policy restricting P2P traffic

Traffic policy

  • Name: policy_bandwidth_p2p
  • Source security zone: trust
  • Destination security zone: ISP1, ISP2
  • Application: P2P online video and P2P file sharing
  • Action: restrict
  • Traffic profile: profile_p2p

The applications selected are P2P online video and P2P file sharing, that is, P2P media and P2P download.

Traffic profile

  • Name: profile_p2p
  • Restrict mode: upstream bandwidth and downstream bandwidth
  • Maximum upstream bandwidth: 2,000 Mbit/s
  • Maximum downstream bandwidth: 6,000 Mbit/s
  • Whole maximum connections: 10,000

Traffic policy ensuring major services

Traffic policy

  • Name: policy_bandwidth_email
  • Source security zone: trust
  • Destination security zone: ISP1, ISP2
  • Application: Outlook Web Access and LotusNotes
  • Time range: work_time
  • Action: restrict
  • Traffic profile: profile_email

The applications selected are Outlook Web Access and LotusNotes, which are email applications.

Traffic profile

  • Name: profile_email
  • Restrict mode: upstream bandwidth and downstream bandwidth
  • Guaranteed upstream bandwidth: 4,000 Mbit/s
  • Guaranteed downstream bandwidth: 4,000 Mbit/s

Traffic policy for senior management

Traffic policy

  • Name: policy_bandwidth_management
  • Source security zone: ISP1, ISP2
  • Destination security zone: trust
  • User: /management
  • Action: restrict
  • Traffic profile: profile_management

Traffic profile

  • Name: profile_management
  • Restrict mode: upstream bandwidth and downstream bandwidth
  • Guaranteed upstream bandwidth: 200 Mbit/s
  • Guaranteed downstream bandwidth: 200 Mbit/s
  • Maximum upstream bandwidth for one IP address: 2 Mbit/s
  • Maximum downstream bandwidth for one IP address: 2 Mbit/s

Attack Defense

Attack defense should be enabled on the FW for security defense. The recommended configuration is as follows:

firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
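An added audit script, not part of the Huawei document: it reads a saved configuration dump, compares the "firewall defend ... enable" lines it finds against the recommended list above, and prints the commands still needed. The SAMPLE_CONFIG text is constructed for illustration and mimics only the defend lines of a dump.

```python
import re
from typing import List, Set

# The attack-defense keywords recommended above, in the same order.
RECOMMENDED = [
    "land", "smurf", "fraggle", "ip-fragment", "tcp-flag", "winnuke",
    "source-route", "teardrop", "route-record", "time-stamp", "ping-of-death",
]

# Constructed sample dump in which only some of the defenses are enabled.
SAMPLE_CONFIG = """\
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend winnuke enable
 firewall defend teardrop enable
 firewall defend ping-of-death enable
#
"""

LINE_RE = re.compile(r"^\s*firewall defend (\S+) enable\s*$")


def enabled_defenses(config_text: str) -> Set[str]:
    """Attack-defense keywords that appear as enabled in the dump."""
    found = set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add(m.group(1))
    return found


def missing_defenses(config_text: str, recommended: List[str] = RECOMMENDED) -> List[str]:
    """Recommended defenses, in order, that the dump does not show as enabled."""
    enabled = enabled_defenses(config_text)
    return [d for d in recommended if d not in enabled]


def remediation_commands(config_text: str) -> List[str]:
    """System-view commands that enable each missing defense."""
    return [f"firewall defend {d} enable" for d in missing_defenses(config_text)]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_CONFIG):
        print(cmd)
```

Feed it the output of the FW's current-configuration display instead of SAMPLE_CONFIG to audit a live device.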

IPSec Planning

For branch employees, to ensure their secure communication with the headquarter employees and ensure their access to the headquarter servers, IPSec VPN is needed. If there are not many branches, point-to-point IPSec VPN in IKE mode is recommended. In the case of many branches, point-to-multipoint IPSec VPN is recommended.

Table 5-6  IPSec VPN planning

Item | Data | Description

IPSec policy for headquarter FW_A

IPSec policy

  • Scenario: point-to-point
  • Authentication mode: pre-shared key
  • Pre-shared key: Admin@123
  • Local ID: IP address
  • Peer ID: IP address

  • The headquarter and branch must have consistent pre-shared keys.
  • The peer gateway IP address is the IP address of the branch public interface.
  • The source address is the network segment of the headquarter intranet.
  • The destination address is the network segment of the branch intranet.
  • The default values of the parameters not in the data plan can be used. Any modification must be made at both ends to keep the configuration consistent.

IPSec policy for branch FW_C

IPSec policy

  • Scenario: point-to-point
  • Authentication mode: pre-shared key
  • Pre-shared key: Admin@123
  • Local ID: IP address
  • Peer ID: IP address

  • The headquarter and branch must have consistent pre-shared keys.
  • The peer gateway IP address is the IP address of the headquarter public interface.
  • The source address is the network segment of the branch intranet.
  • The destination address is the network segment of the headquarter intranet.
  • The default values of the parameters not in the data plan can be used. Any modification must be made at both ends to keep the configuration consistent.

To ensure access of mobile and home-office employees to the enterprise network, L2TP over IPSec is needed.

Table 5-7  L2TP over IPSec planning

Item | Data

FW_A (LNS)

Public interface

  • Port number: GigabitEthernet 1/0/1
  • IP address: 1.1.1.2/24
  • Security zone: ISP1

Intranet interface

  • Port number: GigabitEthernet 1/0/4
  • IP address: 10.1.1.1/16
  • Security zone: trust

Virtual-Template port

  • Port number: Virtual-Template 1
  • IP address: 10.11.1.1/24

L2TP configuration

  • Authentication mode: CHAP and PAP
  • Tunnel authentication: enable
  • Tunnel peer name: client1
  • Tunnel local name: lns
  • Tunnel password: Password@123

Address pool and user configuration

  • IP pool 1
  • Address range: 10.1.1.2-10.1.1.100
  • Name for user authentication: vpdnuser
  • Password for user authentication: Hello123

IPSec configuration

  • Use the LNS server's IP address: enable
  • Encapsulation mode: tunnel
  • Security protocol: ESP
  • ESP authentication algorithm: SHA-1
  • ESP encryption algorithm: AES-128
  • NAT traversal: enable

LAC

L2TP configuration

  • Authentication mode: CHAP
  • Tunnel name: client1

User configuration

  • Name for user authentication: vpdnuser
  • Password for user authentication: Hello123

IPSec configuration

  • Pre-shared key: Test!1234
  • Peer address: 1.1.1.2

Updated: 2019-01-26

Document ID: EDOC1100062972
