No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Typical Networking

Typical Networking

On the cloud computing network, the core switches are the CE12800, the access switches are the CE6800, and the firewalls are the USG9500. The present case focuses on the configuration on the firewalls. Figure 4-3 shows the overall networking.

Figure 4-3  Cloud computing network

The cloud computing network requires that:

  • Access of different extranet enterprise users to the virtual machines must be isolated, and the bandwidth resources available for each virtual machine service is limited to a specific range to avoid the consumption of large quantities of resources.
  • Private addresses are configured for the Portal system and virtual machines for intranet use, and their public addresses are advertised to the extranet to allow external enterprise users to access the Portal system and virtual machines.
  • Access behavior of extranet enterprise users to the Portal system and virtual machines is controlled to permit only service access traffic.
  • Device availability is improved to avoid service interruption caused by the failure of only one device.

The firewalls are attached to the CE12800 core switches in off-path mode. The above requirements are satisfied by the following features:

  • Virtual system: Virtual systems are used to isolate virtual machine services accessed by external enterprise users. Each virtual machine belongs to one virtual system, and each virtual system has its maximum bandwidth.

  • Subinterface: The firewall is connected to the CE12800 through subinterfaces. The subinterfaces are assigned to the virtual systems and the root system. The subinterfaces in the virtual systems carry virtual machine services, and the subinterface in the root system carries portal services.

  • NAT server: The NAT servers advertise the public addresses of the Portal system and virtual machines to the extranet. A NAT server dedicated to a virtual machine is configured in each virtual system, and NAT servers dedicated to the Portal system are configured in the root system.

  • Security policy: Security policies are applied to control access to the Portal system and virtual machines. Security policies used to control access to services of a virtual machine are configured in each virtual system, and security policies used to control access to services of the Portal system are configured in the root system.

  • Hot standby: Two firewalls are deployed in hot standby mode to improve availability. When the active firewall fails, the standby firewall take over without services interrupted.

Translation
Download
Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16570

Downloads: 713

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next