HUAWEI Firewall Comprehensive Configuration Examples

This document describes typical firewall deployment scenarios and the configuration methods used in real projects.
Configuration Procedure

Procedure

  1. Configure IP addresses for interfaces and assign the interfaces to security zones.

    # Configure IP addresses for the Eth-Trunk interfaces of FW-1.

    <sysname> system-view
    [sysname] sysname FW-1
    [FW-1] interface Eth-Trunk 1
    [FW-1-Eth-Trunk1] description Link_To_CoreSwitch_SW1
    [FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
    [FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
    [FW-1-Eth-Trunk1] ip address 10.6.1.2 29
    [FW-1-Eth-Trunk1] quit
    [FW-1] interface Eth-Trunk 2
    [FW-1-Eth-Trunk2] description Link_To_Aggregation_SW3
    [FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
    [FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
    [FW-1-Eth-Trunk2] ip address 10.7.1.2 29
    [FW-1-Eth-Trunk2] quit
    [FW-1] interface Eth-Trunk 0
    [FW-1-Eth-Trunk0] description HRP_Interface
    [FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
    [FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
    [FW-1-Eth-Trunk0] ip address 11.11.11.1 24
    [FW-1-Eth-Trunk0] quit
    

    # Configure IP addresses for the Eth-Trunk interfaces of FW-2.

    <sysname> system-view
    [sysname] sysname FW-2
    [FW-2] interface Eth-Trunk 1
    [FW-2-Eth-Trunk1] description Link_To_CoreSwitch_SW2
    [FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
    [FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
    [FW-2-Eth-Trunk1] ip address 10.6.1.3 29
    [FW-2-Eth-Trunk1] quit
    [FW-2] interface Eth-Trunk 2
    [FW-2-Eth-Trunk2] description Link_To_Aggregation_SW4
    [FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
    [FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
    [FW-2-Eth-Trunk2] ip address 10.7.1.3 29
    [FW-2-Eth-Trunk2] quit
    [FW-2] interface Eth-Trunk 0
    [FW-2-Eth-Trunk0] description HRP_Interface
    [FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
    [FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
    [FW-2-Eth-Trunk0] ip address 11.11.11.2 24
    [FW-2-Eth-Trunk0] quit
    

    # Assign the interfaces of FW-1 to appropriate security zones.

    [FW-1] firewall zone trust
    [FW-1-zone-trust] add interface Eth-Trunk 2
    [FW-1-zone-trust] quit
    [FW-1] firewall zone untrust
    [FW-1-zone-untrust] add interface Eth-Trunk 1
    [FW-1-zone-untrust] quit
    [FW-1] firewall zone dmz
    [FW-1-zone-dmz] add interface Eth-Trunk 0
    [FW-1-zone-dmz] quit
    

    # Assign the interfaces of FW-2 to appropriate security zones.

    [FW-2] firewall zone trust
    [FW-2-zone-trust] add interface Eth-Trunk 2
    [FW-2-zone-trust] quit
    [FW-2] firewall zone untrust
    [FW-2-zone-untrust] add interface Eth-Trunk 1
    [FW-2-zone-untrust] quit
    [FW-2] firewall zone dmz
    [FW-2-zone-dmz] add interface Eth-Trunk 0
    [FW-2-zone-dmz] quit
    

  2. Configure static routes.

    # On FW-1, configure static routes to the data center service area, with the aggregation switch address (10.7.1.4) as the next hop.

    [FW-1] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
    [FW-1] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
    [FW-1] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4

    # On FW-2, configure the same static routes to the data center service area, again with the aggregation switch address (10.7.1.4) as the next hop.

    [FW-2] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
    [FW-2] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
    [FW-2] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4

    # On FW-1, configure static routes to the SSL VPN access terminals, the branches, and the partner network, with the core switch address (10.6.1.4) as the next hop.

    [FW-1] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
    [FW-1] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
    [FW-1] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
    [FW-1] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
    

    # On FW-2, configure the same static routes to the SSL VPN access terminals, the branches, and the partner network, with the core switch address (10.6.1.4) as the next hop.

    [FW-2] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
    [FW-2] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
    [FW-2] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
    [FW-2] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
    

  3. Configure hot standby.

    # Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-1, setting its state to Active.

    [FW-1] interface Eth-Trunk1
    [FW-1-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 active
    [FW-1-Eth-Trunk1] quit

    # Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-1, setting its state to Active.

    [FW-1] interface Eth-Trunk2
    [FW-1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 active
    [FW-1-Eth-Trunk2] quit

    # Designate Eth-Trunk 0 as the heartbeat interface of FW-1, and enable hot standby.

    [FW-1] hrp interface Eth-Trunk0 remote 11.11.11.2
    [FW-1] hrp enable

    # Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-2, setting its state to Standby.

    [FW-2] interface Eth-Trunk1
    [FW-2-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 standby
    [FW-2-Eth-Trunk1] quit

    # Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-2, setting its state to Standby.

    [FW-2] interface Eth-Trunk2
    [FW-2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 standby
    [FW-2-Eth-Trunk2] quit

    # Designate Eth-Trunk 0 as the heartbeat interface of FW-2, and enable hot standby.

    [FW-2] hrp interface Eth-Trunk0 remote 11.11.11.1
    [FW-2] hrp enable

  4. Configure security policies and IPS functions.

    NOTE:
    After hot standby is configured, security policies and attack defense need to be configured only on the active device FW-1; HRP automatically backs the configuration up to FW-2. The HRP_M prefix in the prompts below indicates that FW-1 is the HRP master.

    # Configure an address group on FW-1.

    HRP_M[FW-1] ip address-set remote_users type object
    HRP_M[FW-1-object-address-set-remote_users] address 0 172.168.3.0 mask 24
    HRP_M[FW-1-object-address-set-remote_users] description "for remote users"
    HRP_M[FW-1-object-address-set-remote_users] quit
    HRP_M[FW-1] ip address-set partner type object
    HRP_M[FW-1-object-address-set-partner] address 0 172.168.4.0 mask 24
    HRP_M[FW-1-object-address-set-partner] description "for partner"
    HRP_M[FW-1-object-address-set-partner] quit
    HRP_M[FW-1] ip address-set branch1 type object
    HRP_M[FW-1-object-address-set-branch1] address 0 10.8.1.0 mask 24
    HRP_M[FW-1-object-address-set-branch1] description "for branch1"
    HRP_M[FW-1-object-address-set-branch1] quit
    HRP_M[FW-1] ip address-set branch2 type object
    HRP_M[FW-1-object-address-set-branch2] address 0 10.9.1.0 mask 24
    HRP_M[FW-1-object-address-set-branch2] description "for branch2"
    HRP_M[FW-1-object-address-set-branch2] quit
    HRP_M[FW-1] ip address-set server1 type object
    HRP_M[FW-1-object-address-set-server1] address 0 10.1.1.10 mask 32
    HRP_M[FW-1-object-address-set-server1] address 1 10.1.1.11 mask 32
    HRP_M[FW-1-object-address-set-server1] description "for server1"
    HRP_M[FW-1-object-address-set-server1] quit
    HRP_M[FW-1] ip address-set server2 type object
    HRP_M[FW-1-object-address-set-server2] address 0 10.2.1.4 mask 32
    HRP_M[FW-1-object-address-set-server2] address 1 10.2.1.5 mask 32
    HRP_M[FW-1-object-address-set-server2] description "for server2"
    HRP_M[FW-1-object-address-set-server2] quit
    HRP_M[FW-1] ip address-set server3 type object
    HRP_M[FW-1-object-address-set-server3] address 0 10.1.2.4 mask 32
    HRP_M[FW-1-object-address-set-server3] address 1 10.1.2.5 mask 32
    HRP_M[FW-1-object-address-set-server3] description "for server3"
    HRP_M[FW-1-object-address-set-server3] quit
    HRP_M[FW-1] ip address-set server4 type object
    HRP_M[FW-1-object-address-set-server4] address 0 10.1.1.4 mask 32
    HRP_M[FW-1-object-address-set-server4] address 1 10.1.1.5 mask 32
    HRP_M[FW-1-object-address-set-server4] description "for server4"
    HRP_M[FW-1-object-address-set-server4] quit

    # Configure service sets on FW-1.

    HRP_M[FW-1] ip service-set tcp_1414 type object
    HRP_M[FW-1-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414
    HRP_M[FW-1-object-service-set-tcp_1414] quit
    HRP_M[FW-1] ip service-set tcp_8888_9000 type object
    HRP_M[FW-1-object-service-set-tcp_8888_9000] service 0 protocol tcp destination-port 8888
    HRP_M[FW-1-object-service-set-tcp_8888_9000] service 1 protocol tcp destination-port 9000
    HRP_M[FW-1-object-service-set-tcp_8888_9000] quit
    

    # Configure the security policy remote_users_to_server1 on FW-1 and reference the IPS profile.

    HRP_M[FW-1] security-policy
    HRP_M[FW-1-policy-security] rule name remote_users_to_server1
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-zone untrust
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-zone trust
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-address address-set remote_users
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-address address-set server1
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] service ftp http
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] action permit
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] profile ips default
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] quit

    # Configure the security policy partner_to_server2 on FW-1 and reference the IPS profile.

    HRP_M[FW-1-policy-security] rule name partner_to_server2
    HRP_M[FW-1-policy-security-rule-partner_to_server2] source-zone untrust 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-zone trust 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] source-address address-set partner 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-address address-set server2 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] service tcp_1414
    HRP_M[FW-1-policy-security-rule-partner_to_server2] action permit
    HRP_M[FW-1-policy-security-rule-partner_to_server2] profile ips default
    HRP_M[FW-1-policy-security-rule-partner_to_server2] quit
    

    # Configure the security policy branch1_to_server3 on FW-1 and reference the IPS profile.

    HRP_M[FW-1-policy-security] rule name branch1_to_server3
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-zone untrust 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-zone trust 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-address address-set branch1 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-address address-set server3 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] service tcp_8888_9000
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] action permit
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] profile ips default
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] quit
    

    # Configure the security policy branch2_to_server4 on FW-1 and reference the IPS profile.

    HRP_M[FW-1-policy-security] rule name branch2_to_server4
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-zone untrust 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-zone trust 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-address address-set branch2 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-address address-set server4 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] service ftp
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] action permit
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] profile ips default
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
    HRP_M[FW-1-policy-security] quit

  5. Configure persistent connections.

    # Set the session aging time for the tcp_1414 service set to 40000 seconds.

    HRP_M[FW-1] firewall session aging-time service-set tcp_1414 40000

    # Enable the persistent connection function in security policy branch2_to_server4 and change the aging time to 480 hours for connections matching this policy.

    HRP_M[FW-1] security-policy
    HRP_M[FW-1-policy-security] rule name branch2_to_server4
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link enable
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link aging-time 480
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
    HRP_M[FW-1-policy-security] quit

  6. Configure attack defense.

    # Configure defense against single-packet attacks on FW-1.

    HRP_M[FW-1] firewall defend land enable
    HRP_M[FW-1] firewall defend smurf enable
    HRP_M[FW-1] firewall defend fraggle enable
    HRP_M[FW-1] firewall defend ip-fragment enable
    HRP_M[FW-1] firewall defend tcp-flag enable
    HRP_M[FW-1] firewall defend winnuke enable
    HRP_M[FW-1] firewall defend source-route enable
    HRP_M[FW-1] firewall defend teardrop enable
    HRP_M[FW-1] firewall defend route-record enable
    HRP_M[FW-1] firewall defend time-stamp enable
    HRP_M[FW-1] firewall defend ping-of-death enable

  7. Configure the policy backup-based acceleration function.

    When a large number of security policies exist (for example, more than 500), enable the policy backup-based acceleration function so that policy matching stays efficient while policies are being modified. With this function enabled, however, a newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW-1] policy accelerate standby enable
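
The steps above cross-reference each other in ways that are easy to get wrong by hand: every static-route next hop has to sit on a directly connected subnet, each VRRP virtual IP has to fall inside its interface subnet, the HRP peer address has to be on the heartbeat link, and every permit rule should be scoped to explicit zones, address sets and services and carry an IPS profile (on these firewalls an omitted condition matches any). The following Python linter is an added example, not part of this Huawei document or of the USG software; it assumes the transcript format used on this page (one "[prompt] command" per line, with an optional HRP_M prefix), checks only the FW-1 side, and the names parse, connected, reachable, lint and SAMPLE_CONFIG are the example's own.

```python
"""Offline consistency check for the hot-standby configuration above (added example,
not Huawei code). It re-parses the CLI transcript and verifies the cross-references."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: FW-1 commands copied from this page, abridged to what the checks use.
SAMPLE_CONFIG = """
[FW-1-Eth-Trunk1] ip address 10.6.1.2 29
[FW-1-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 active
[FW-1-Eth-Trunk2] ip address 10.7.1.2 29
[FW-1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 active
[FW-1-Eth-Trunk0] ip address 11.11.11.1 24
[FW-1] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
[FW-1] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-1] hrp interface Eth-Trunk0 remote 11.11.11.2
HRP_M[FW-1-object-address-set-remote_users] address 0 172.168.3.0 mask 24
HRP_M[FW-1-object-address-set-server1] address 0 10.1.1.10 mask 32
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-zone untrust
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-zone trust
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-address address-set remote_users
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-address address-set server1
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] service ftp http
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] action permit
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] profile ips default
"""

PROMPT = re.compile(r"^(?:HRP_[MS])?\[([^\]]+)\]\s+(.+)$")


def parse(text):
    """Collect interfaces, VRRP VIPs, routes, the HRP peer, address sets and rules."""
    cfg = {"ifaces": {}, "vrrp": [], "routes": [], "hrp": None,
           "addr_sets": defaultdict(list), "rules": defaultdict(dict)}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or m.group(2) == "quit":
            continue
        ctx, cmd = m.group(1), m.group(2).split()
        if "-Eth-Trunk" in ctx and cmd[:2] == ["ip", "address"]:
            cfg["ifaces"][ctx] = ipaddress.ip_interface(f"{cmd[2]}/{cmd[3]}")
        elif "-Eth-Trunk" in ctx and cmd[0] == "vrrp":
            cfg["vrrp"].append((ctx, ipaddress.ip_address(cmd[4])))
        elif cmd[:2] == ["ip", "route-static"]:          # dotted mask is accepted here
            cfg["routes"].append((ipaddress.ip_network(f"{cmd[2]}/{cmd[3]}"),
                                  ipaddress.ip_address(cmd[4])))
        elif cmd[:2] == ["hrp", "interface"]:
            cfg["hrp"] = (cmd[2], ipaddress.ip_address(cmd[4]))
        elif "-object-address-set-" in ctx and cmd[0] == "address":
            name = ctx.split("-object-address-set-")[1]
            cfg["addr_sets"][name].append(ipaddress.ip_network(f"{cmd[2]}/{cmd[4]}"))
        elif "-policy-security-rule-" in ctx:
            name = ctx.split("-policy-security-rule-")[1]   # repeated conditions accumulate
            cfg["rules"][name].setdefault(cmd[0], []).extend(cmd[1:])
    return cfg


def connected(cfg, addr):
    """Name of the interface whose directly connected subnet contains addr, or None."""
    return next((n for n, i in cfg["ifaces"].items() if addr in i.network), None)


def reachable(cfg, net):
    """True if net lies entirely inside a static route or a connected subnet."""
    prefixes = [r for r, _ in cfg["routes"]] + [i.network for i in cfg["ifaces"].values()]
    return any(net.subnet_of(p) for p in prefixes if p.version == net.version)


def lint(text):
    """Return findings as strings; an empty list means the transcript is consistent."""
    cfg, out = parse(text), []
    for net, nh in cfg["routes"]:                        # next hop must be on-link
        if connected(cfg, nh) is None:
            out.append(f"route {net}: next hop {nh} is not on a connected subnet")
    for ctx, vip in cfg["vrrp"]:                         # VIP must be in the interface subnet
        iface = cfg["ifaces"].get(ctx)
        if iface and vip not in iface.network:
            out.append(f"{ctx}: VRRP virtual IP {vip} is outside {iface.network}")
    if cfg["hrp"]:                                       # peer must be on the heartbeat link
        hb, peer = cfg["hrp"]
        if not (connected(cfg, peer) or "").endswith("-" + hb):
            out.append(f"hrp: remote {peer} is not on the {hb} heartbeat subnet")
    for name, r in cfg["rules"].items():
        if r.get("action") != ["permit"]:
            continue
        for cond in ("source-zone", "destination-zone", "source-address",
                     "destination-address", "service"):
            if cond not in r:                            # an absent condition matches any
                out.append(f"rule {name}: no {cond} condition, so it matches any")
        if r.get("profile", [])[:1] != ["ips"]:
            out.append(f"rule {name}: permit rule without an IPS profile")
        for cond in ("source-address", "destination-address"):
            toks = r.get(cond, [])
            for aset in (v for k, v in zip(toks, toks[1:]) if k == "address-set"):
                for net in cfg["addr_sets"].get(aset, []):
                    if not reachable(cfg, net):          # a dead rule hides a missing route
                        out.append(f"rule {name}: {aset} member {net} has no route")
    return out
```

Run lint() over the transcript saved from the device. On the sample it returns no findings; with the HRP peer address mistyped (for example 11.11.1.2 instead of 11.11.11.2) it returns exactly one finding on the heartbeat subnet, and with the destination-address line dropped from a permit rule it reports that the rule now matches any destination, which is the kind of silent over-permission a policy review is meant to catch.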

Updated: 2019-01-26

Document ID: EDOC1100062972