HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure


Prerequisites

The license file of virtual systems has been obtained and activated successfully on FW_A and FW_B.

Procedure

  1. Configure interfaces and security zones.

    # Create subinterfaces on FW_A.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 1/0/1.10
    [FW_A-GigabitEthernet1/0/1.10] quit
    [FW_A] interface GigabitEthernet 1/0/1.11
    [FW_A-GigabitEthernet1/0/1.11] quit
    [FW_A] interface GigabitEthernet 1/0/1.1000
    [FW_A-GigabitEthernet1/0/1.1000] quit
    [FW_A] interface GigabitEthernet 1/0/2.1
    [FW_A-GigabitEthernet1/0/2.1] quit
    [FW_A] interface GigabitEthernet 1/0/2.2
    [FW_A-GigabitEthernet1/0/2.2] quit
    [FW_A] interface GigabitEthernet 1/0/3.10
    [FW_A-GigabitEthernet1/0/3.10] quit
    [FW_A] interface GigabitEthernet 1/0/3.11
    [FW_A-GigabitEthernet1/0/3.11] quit

    # Create subinterfaces on FW_B.

    <FW_B> system-view
    [FW_B] interface GigabitEthernet 1/0/1.10
    [FW_B-GigabitEthernet1/0/1.10] quit
    [FW_B] interface GigabitEthernet 1/0/1.11
    [FW_B-GigabitEthernet1/0/1.11] quit
    [FW_B] interface GigabitEthernet 1/0/1.1000
    [FW_B-GigabitEthernet1/0/1.1000] quit
    [FW_B] interface GigabitEthernet 1/0/2.1
    [FW_B-GigabitEthernet1/0/2.1] quit
    [FW_B] interface GigabitEthernet 1/0/2.2
    [FW_B-GigabitEthernet1/0/2.2] quit
    [FW_B] interface GigabitEthernet 1/0/3.10
    [FW_B-GigabitEthernet1/0/3.10] quit
    [FW_B] interface GigabitEthernet 1/0/3.11
    [FW_B-GigabitEthernet1/0/3.11] quit

    # Configure an Eth-Trunk interface on FW_A.

    [FW_A] interface Eth-Trunk 1
    [FW_A-Eth-Trunk1] ip address 10.1.1.1 30
    [FW_A-Eth-Trunk1] quit
    [FW_A] interface GigabitEthernet 2/0/1
    [FW_A-GigabitEthernet2/0/1] eth-trunk 1
    [FW_A-GigabitEthernet2/0/1] quit
    [FW_A] interface GigabitEthernet 2/0/2
    [FW_A-GigabitEthernet2/0/2] eth-trunk 1
    [FW_A-GigabitEthernet2/0/2] quit

    # Configure an Eth-Trunk interface on FW_B.

    [FW_B] interface Eth-Trunk 1
    [FW_B-Eth-Trunk1] ip address 10.1.1.2 30
    [FW_B-Eth-Trunk1] quit
    [FW_B] interface GigabitEthernet 2/0/1
    [FW_B-GigabitEthernet2/0/1] eth-trunk 1
    [FW_B-GigabitEthernet2/0/1] quit
    [FW_B] interface GigabitEthernet 2/0/2
    [FW_B-GigabitEthernet2/0/2] eth-trunk 1
    [FW_B-GigabitEthernet2/0/2] quit

    # Configure IP addresses for root system interfaces on FW_A, and assign the interfaces to the security zones of the root system.

    [FW_A] interface GigabitEthernet 1/0/1.1000
    [FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
    [FW_A-GigabitEthernet1/0/1.1000] quit
    [FW_A] interface GigabitEthernet 1/0/2.1
    [FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
    [FW_A-GigabitEthernet1/0/2.1] quit
    [FW_A] interface GigabitEthernet 1/0/2.2
    [FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
    [FW_A-GigabitEthernet1/0/2.2] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 1/0/3
    [FW_A-zone-trust] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
    [FW_A-zone-untrust] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
    [FW_A-zone-dmz] quit
    [FW_A] firewall zone name hrpzone
    [FW_A-zone-hrpzone] set priority 65
    [FW_A-zone-hrpzone] add interface Eth-Trunk 1
    [FW_A-zone-hrpzone] quit

    # Configure IP addresses for root system interfaces on FW_B, and assign the interfaces to the security zones of the root system.

    [FW_B] interface GigabitEthernet 1/0/1.1000
    [FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
    [FW_B-GigabitEthernet1/0/1.1000] quit
    [FW_B] interface GigabitEthernet 1/0/2.1
    [FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
    [FW_B-GigabitEthernet1/0/2.1] quit
    [FW_B] interface GigabitEthernet 1/0/2.2
    [FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
    [FW_B-GigabitEthernet1/0/2.2] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 1/0/3
    [FW_B-zone-trust] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000
    [FW_B-zone-untrust] quit
    [FW_B] firewall zone dmz
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2
    [FW_B-zone-dmz] quit
    [FW_B] firewall zone name hrpzone
    [FW_B-zone-hrpzone] set priority 65
    [FW_B-zone-hrpzone] add interface Eth-Trunk 1
    [FW_B-zone-hrpzone] quit

  2. Configure virtual systems.

    # Enable the virtual system function on FW_A.

    [FW_A] vsys enable

    # Enable the virtual system function on FW_B.

    [FW_B] vsys enable

    # Configure resource classes on FW_A.

    [FW_A] resource-class vfw1_car
    [FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
    [FW_A-resource-class-vfw1_car] quit
    [FW_A] resource-class vfw2_car
    [FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
    [FW_A-resource-class-vfw2_car] quit

    # Configure resource classes on FW_B.

    [FW_B] resource-class vfw1_car
    [FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
    [FW_B-resource-class-vfw1_car] quit
    [FW_B] resource-class vfw2_car
    [FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
    [FW_B-resource-class-vfw2_car] quit

    # Create virtual systems on FW_A, and allocate resources to the virtual systems.

    [FW_A] vsys name vfw1
    [FW_A-vsys-vfw1] assign resource-class vfw1_car
    [FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
    [FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
    [FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
    [FW_A-vsys-vfw1] quit
    [FW_A] vsys name vfw2
    [FW_A-vsys-vfw2] assign resource-class vfw2_car
    [FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
    [FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
    [FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
    [FW_A-vsys-vfw2] quit

    # Create virtual systems on FW_B, and allocate resources to the virtual systems.

    [FW_B] vsys name vfw1
    [FW_B-vsys-vfw1] assign resource-class vfw1_car
    [FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
    [FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
    [FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
    [FW_B-vsys-vfw1] quit
    [FW_B] vsys name vfw2
    [FW_B-vsys-vfw2] assign resource-class vfw2_car
    [FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
    [FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
    [FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
    [FW_B-vsys-vfw2] quit

    # Configure IP addresses for interfaces in virtual system vfw1 on FW_A, and assign the interfaces to security zones.

    [FW_A] switch vsys vfw1
    <FW_A-vfw1> system-view
    [FW_A-vfw1] interface GigabitEthernet 1/0/1.10
    [FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24
    [FW_A-vfw1-GigabitEthernet1/0/1.10] quit
    [FW_A-vfw1] interface GigabitEthernet 1/0/3.10
    [FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24
    [FW_A-vfw1-GigabitEthernet1/0/3.10] quit
    [FW_A-vfw1] firewall zone untrust
    [FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
    [FW_A-vfw1-zone-untrust] quit
    [FW_A-vfw1] firewall zone trust
    [FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
    [FW_A-vfw1-zone-trust] quit
    [FW_A-vfw1] quit
    <FW_A-vfw1> quit

    Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_A, and assign the interfaces to security zones.

    # Configure IP addresses for interfaces in virtual system vfw1 on FW_B, and assign the interfaces to security zones.

    [FW_B] switch vsys vfw1
    <FW_B-vfw1> system-view
    [FW_B-vfw1] interface GigabitEthernet 1/0/1.10
    [FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24
    [FW_B-vfw1-GigabitEthernet1/0/1.10] quit
    [FW_B-vfw1] interface GigabitEthernet 1/0/3.10
    [FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24
    [FW_B-vfw1-GigabitEthernet1/0/3.10] quit
    [FW_B-vfw1] firewall zone untrust
    [FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
    [FW_B-vfw1-zone-untrust] quit
    [FW_B-vfw1] firewall zone trust
    [FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
    [FW_B-vfw1-zone-trust] quit
    [FW_B-vfw1] quit
    <FW_B-vfw1> quit

    Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B, and assign the interfaces to security zones.

  3. Configure routes.

    # Configure routes of the root system on FW_A.

    [FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
    [FW_A] ip route-static 117.1.1.1 32 NULL 0
    [FW_A] ip route-static 117.1.1.2 32 NULL 0
    [FW_A] ospf 1000
    [FW_A-ospf-1000] import-route static
    [FW_A-ospf-1000] area 0
    [FW_A-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255
    [FW_A-ospf-1000-area-0.0.0.0] quit
    [FW_A-ospf-1000] quit

    # Configure routes of the root system on FW_B.

    [FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
    [FW_B] ip route-static 117.1.1.1 32 NULL 0
    [FW_B] ip route-static 117.1.1.2 32 NULL 0
    [FW_B] ospf 1000
    [FW_B-ospf-1000] import-route static
    [FW_B-ospf-1000] area 0
    [FW_B-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255
    [FW_B-ospf-1000-area-0.0.0.0] quit
    [FW_B-ospf-1000] quit

    # Configure routes of the virtual systems on FW_A.

    [FW_A] ip vpn-instance vfw1
    [FW_A-vpn-instance-vfw1] route-distinguisher 10:1
    [FW_A-vpn-instance-vfw1] quit
    [FW_A] ip vpn-instance vfw2
    [FW_A-vpn-instance-vfw2] route-distinguisher 11:1
    [FW_A-vpn-instance-vfw2] quit
    [FW_A] ospf 1 vpn-instance vfw1
    [FW_A-ospf-1] import-route static
    [FW_A-ospf-1] area 0
    [FW_A-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
    [FW_A-ospf-1-area-0.0.0.0] quit
    [FW_A-ospf-1] quit
    [FW_A] ospf 2 vpn-instance vfw2
    [FW_A-ospf-2] import-route static
    [FW_A-ospf-2] area 0
    [FW_A-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255
    [FW_A-ospf-2-area-0.0.0.0] quit
    [FW_A-ospf-2] quit
    [FW_A] switch vsys vfw1
    <FW_A-vfw1> system-view
    [FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
    [FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0
    [FW_A-vfw1] quit
    <FW_A-vfw1> quit
    [FW_A] switch vsys vfw2
    <FW_A-vfw2> system-view
    [FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
    [FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0
    [FW_A-vfw2] quit
    <FW_A-vfw2> quit

    # Configure routes of the virtual systems on FW_B.

    [FW_B] ip vpn-instance vfw1
    [FW_B-vpn-instance-vfw1] route-distinguisher 10:1
    [FW_B-vpn-instance-vfw1] quit
    [FW_B] ip vpn-instance vfw2
    [FW_B-vpn-instance-vfw2] route-distinguisher 11:1
    [FW_B-vpn-instance-vfw2] quit
    [FW_B] ospf 1 vpn-instance vfw1
    [FW_B-ospf-1] import-route static
    [FW_B-ospf-1] area 0
    [FW_B-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
    [FW_B-ospf-1-area-0.0.0.0] quit
    [FW_B-ospf-1] quit
    [FW_B] ospf 2 vpn-instance vfw2
    [FW_B-ospf-2] import-route static
    [FW_B-ospf-2] area 0
    [FW_B-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255
    [FW_B-ospf-2-area-0.0.0.0] quit
    [FW_B-ospf-2] quit
    [FW_B] switch vsys vfw1
    <FW_B-vfw1> system-view
    [FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
    [FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0
    [FW_B-vfw1] quit
    <FW_B-vfw1> quit
    [FW_B] switch vsys vfw2
    <FW_B-vfw2> system-view
    [FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
    [FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0
    [FW_B-vfw2] quit
    <FW_B-vfw2> quit

  4. Configure hot standby.

    # Configure a VGMP group to track GE1/0/1 on FW_A.

    [FW_A] hrp track interface GigabitEthernet 1/0/1

    # Configure OSPF cost adjustment according to the VGMP status on FW_A.

    [FW_A] hrp adjust ospf-cost enable

    # Configure VRRP groups on FW_A, setting their states to Active.

    [FW_A] interface GigabitEthernet 1/0/3.10
    [FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10
    [FW_A-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 active
    [FW_A-GigabitEthernet1/0/3.10] quit
    [FW_A] interface GigabitEthernet 1/0/3.11
    [FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11
    [FW_A-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 active
    [FW_A-GigabitEthernet1/0/3.11] quit
    [FW_A] interface GigabitEthernet 1/0/2.1
    [FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
    [FW_A-GigabitEthernet1/0/2.1] quit
    [FW_A] interface GigabitEthernet 1/0/2.2
    [FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2
    [FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
    [FW_A-GigabitEthernet1/0/2.2] quit

    # Specify the heartbeat interface on FW_A and enable hot standby.

    [FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
    [FW_A] hrp enable

    # Configure a VGMP group to track GE1/0/1 on FW_B.

    [FW_B] hrp track interface GigabitEthernet 1/0/1

    # Configure OSPF cost adjustment according to the VGMP status on FW_B.

    [FW_B] hrp adjust ospf-cost enable

    # Configure VRRP groups on FW_B, setting their states to Standby.

    [FW_B] interface GigabitEthernet 1/0/3.10
    [FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10
    [FW_B-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 standby
    [FW_B-GigabitEthernet1/0/3.10] quit
    [FW_B] interface GigabitEthernet 1/0/3.11
    [FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11
    [FW_B-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 standby
    [FW_B-GigabitEthernet1/0/3.11] quit
    [FW_B] interface GigabitEthernet 1/0/2.1
    [FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
    [FW_B-GigabitEthernet1/0/2.1] quit
    [FW_B] interface GigabitEthernet 1/0/2.2
    [FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2
    [FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
    [FW_B-GigabitEthernet1/0/2.2] quit

    # Specify the heartbeat interface on FW_B and enable hot standby.

    [FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
    [FW_B] hrp enable

  5. Configure security policies.

    # Configure security policies in the root system on FW_A.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name sec_portal
    HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust
    HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.159.0.0 16
    HRP_M[FW_A-policy-security-rule-sec_portal] action permit
    HRP_M[FW_A-policy-security-rule-sec_portal] profile av default
    HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default
    HRP_M[FW_A-policy-security-rule-sec_portal] quit
    HRP_M[FW_A-policy-security] rule name sec_ospf
    HRP_M[FW_A-policy-security-rule-sec_ospf] source-zone untrust local
    HRP_M[FW_A-policy-security-rule-sec_ospf] destination-zone local untrust
    HRP_M[FW_A-policy-security-rule-sec_ospf] service ospf
    HRP_M[FW_A-policy-security-rule-sec_ospf] action permit
    HRP_M[FW_A-policy-security-rule-sec_ospf] quit
    HRP_M[FW_A-policy-security] quit

    # Configure security policies in virtual system vfw1 on FW_A.

    HRP_M[FW_A] switch vsys vfw1
    HRP_M<FW_A-vfw1> system-view
    HRP_M[FW_A-vfw1] security-policy
    HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.159.10.0 24
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit
    HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1_ospf
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] source-zone untrust local
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] destination-zone local untrust
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] service ospf
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] action permit
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] quit
    HRP_M[FW_A-vfw1-policy-security] quit
    HRP_M[FW_A-vfw1] quit
    HRP_M<FW_A-vfw1> quit

    Similarly, configure security policies in virtual system vfw2 on FW_A.

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure security policies manually on FW_B.

  6. Configure the policy backup-based acceleration function.

    When a large number of policies exist (for example, more than 500), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. With this function enabled, however, a newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW_A] policy accelerate standby enable

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure the policy backup-based acceleration function manually on FW_B.

  7. Configure NAT servers.

    NOTE:

    The NAT server configuration commands are examples only. In practice, NAT servers are configured on the management component, and the management component delivers the configuration to the FW.

    # Configure NAT servers in the root system on FW_A.

    HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.159.1.100
    HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.159.2.100

    # Configure a NAT server in virtual system vfw1 on FW_A.

    HRP_M[FW_A] switch vsys vfw1
    HRP_M<FW_A-vfw1> system-view
    HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.159.10.100
    HRP_M[FW_A-vfw1] quit
    HRP_M<FW_A-vfw1> quit

    Similarly, configure a NAT server in virtual system vfw2 on FW_A.

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure NAT servers manually on FW_B.

  8. Configure other network devices.

    This example focuses on the configuration of the FW. For the configuration of other network devices, note that:

    • You need to configure routes to the global addresses of the Portal system and virtual machines on the upstream router, and set the next hop of the routes to the CE12800.
    • When configuring OSPF on the CE12800, you need to run the default-route-advertise always command in the OSPF process.
    • The CE6800 transmits Layer-2 packets transparently, and you only need to configure Layer-2 forwarding on it.
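
Steps 1 to 4 are typed on each firewall separately, before HRP synchronization applies, so the two units can drift apart. The following added example (not part of the Huawei document) parses CLI transcripts in the format shown above and checks that each heartbeat `remote` address is the peer's Eth-Trunk address and that every VRRP group uses the same interface and virtual IP on both units, with one active and one standby. The function names, the drifted sample and the assumption that hostnames contain no hyphen are ours.

```python
import ipaddress
import re

# Constructed excerpts: commands copied from steps 1 and 4 of the procedure above.
FW_A = """\
[FW_A-Eth-Trunk1] ip address 10.1.1.1 30
[FW_A-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 active
[FW_A-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 active
[FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
[FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
[FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
"""
FW_B = """\
[FW_B-Eth-Trunk1] ip address 10.1.1.2 30
[FW_B-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 standby
[FW_B-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 standby
[FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
[FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
[FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
"""
# Constructed drift: a mistyped virtual IP and a heartbeat that points at itself.
FW_B_DRIFTED = (FW_B.replace("10.159.2.254 standby", "10.159.2.253 standby")
                .replace("remote 10.1.1.1", "remote 10.1.1.2"))

# Session prompt: optional HRP_M/HRP_S, hostname (assumed hyphen-free), view name.
PROMPT = re.compile(r"^(?:HRP_[MS])?[\[<]([A-Za-z0-9_]+)(?:-([^\]>]+))?[\]>]\s*(.*)$")

def parse(transcript):
    """Collect interface addresses, VRRP groups and the heartbeat from a transcript."""
    cfg = {"addr": {}, "vrrp": {}, "heartbeat": None}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, cmd = m.group(2), m.group(3)  # view is the interface name in the prompt
        if a := re.fullmatch(r"ip address (\S+) (\S+)", cmd):
            cfg["addr"][view] = ipaddress.ip_interface(f"{a[1]}/{a[2]}")
        elif v := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", cmd):
            cfg["vrrp"][int(v[1])] = (view, v[2], v[3])
        elif h := re.fullmatch(r"hrp interface (.+) remote (\S+)", cmd):
            cfg["heartbeat"] = (h[1].replace(" ", ""), ipaddress.ip_address(h[2]))
    return cfg

def check_pair(a, b):
    """Return the list of mismatches between two parsed hot-standby peers."""
    problems = []
    for name, me, peer in (("first", a, b), ("second", b, a)):
        ifname, remote = me["heartbeat"] or (None, None)
        peer_addr = peer["addr"].get(ifname)
        if peer_addr is None or peer_addr.ip != remote:
            problems.append(f"{name} unit: heartbeat remote {remote} is not the peer's {ifname} address")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        va, vb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if va is None or vb is None:
            problems.append(f"vrid {vrid}: configured on one unit only")
        elif va[:2] != vb[:2]:
            problems.append(f"vrid {vrid}: interface or virtual IP differs ({va[1]} vs {vb[1]})")
        elif {va[2], vb[2]} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles are {va[2]}/{vb[2]}, expected one active and one standby")
    return problems

if __name__ == "__main__":
    for label, peer in (("as documented", FW_B), ("drifted", FW_B_DRIFTED)):
        print(label, check_pair(parse(FW_A), parse(peer)) or "consistent")
```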

Updated: 2019-01-26

Document ID: EDOC1100062972
