HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Scripts

Configuration script for FW_A:

#                                                                               
 sysname FW_A
#                                                                               
info-center source default channel 2 log level warning                            
 info-center loghost 10.2.0.10                                                  
#                                                                               
 firewall log session log-type syslog                                           
 firewall log session multi-host-mode concurrent
 firewall log source 3.3.3.3 6000
 firewall log host 1 2.2.2.2 514                                              
# 
nat address-group addressgroup1
 mode pat
 status active 
 section 0 1.1.10.10 1.1.10.15                                                                                                  
# 
 hrp enable
 hrp interface Eth-Trunk 0 remote 192.168.3.2                                  
 hrp adjust ospf-cost enable                                                    
 hrp preempt delay 300
 hrp track interface Eth-Trunk 1
 hrp track interface Eth-Trunk 2
#                                                                               
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
interface Eth-Trunk0                                                            
 description To_FW_B
 ip address 192.168.3.1 255.255.255.0  
 undo service-manage enable 
#
interface Eth-Trunk1                                                            
 description To_Backbone
 ip address 1.1.1.1 255.255.255.0 
 undo service-manage enable                                             
 link-group 1
#
interface Eth-Trunk2                                                                                                           
 description To_GI
 ip address 10.14.1.1 255.255.255.0 
 undo service-manage enable    
 link-group 1                                           
#                                                                               
interface GigabitEthernet2/0/0                                                  
 eth-trunk 0                                                                    
#                                                                               
interface GigabitEthernet2/0/1                                                  
 eth-trunk 0                                                                    
#                                                                               
interface GigabitEthernet2/0/2                                                  
 eth-trunk 1                                                                    
#                                                                               
interface GigabitEthernet2/0/3                                                  
 eth-trunk 1                                                                    
#                                                                               
interface GigabitEthernet2/0/4                                                  
 eth-trunk 2                                                                    
#                                                                               
interface GigabitEthernet2/0/5                                                  
 eth-trunk 2                                                                    
#                                                                                
firewall zone trust                                                             
 set priority 85                                                                
 add interface Eth-Trunk2                                        
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface Eth-Trunk1                                             
#                                                                               
firewall zone hrpzone                                                               
 set priority 65                                                                
 add interface Eth-Trunk0                                                       
#                                                                               
firewall interzone trust untrust                                                               
 detect rtsp
 detect ftp
 detect pptp
#                                                                               
security-policy 
 rule name local_trust_outbound 
  source-zone local 
  destination-zone trust 
  source-address 10.14.0.0 16
  action permit 
 rule name local_trust_inbound 
  source-zone trust 
  destination-zone local 
  destination-address 10.14.0.0 16 
  action permit   
 rule name local_untrust_outbound 
  source-zone local 
  destination-zone untrust 
  source-address 1.1.0.0 16
  action permit     
 rule name local_untrust_inbound 
  source-zone untrust 
  destination-zone local 
  destination-address 1.1.0.0 16
  action permit  
 rule name local_hrpzone_outbound 
  source-zone local 
  destination-zone hrpzone 
  source-address 192.168.3.0 24 
  action permit     
 rule name local_hrpzone_inbound 
  source-zone hrpzone 
  destination-zone local 
  destination-address 192.168.3.0 24 
  action permit  
 rule name trust_untrust_outbound1 
  source-zone trust 
  destination-zone untrust 
  source-address 10.14.0.0 16
  destination-address 1.1.0.0 16
  action permit    
 rule name trust_untrust_inbound1 
  source-zone untrust 
  destination-zone trust 
  source-address 1.1.0.0 16
  destination-address 10.14.0.0 16 
  action permit 
 rule name trust_untrust_outbound2 
  source-zone trust 
  destination-zone untrust 
  source-address 10.14.0.0 16
  action permit    
 rule name trust_untrust 
  session logging 
  action permit  
#  
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.14.0.0 16
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.10.10 32 
ip ip-prefix natAddress permit 1.1.10.11 32 
ip ip-prefix natAddress permit 1.1.10.12 32 
ip ip-prefix natAddress permit 1.1.10.13 32 
ip ip-prefix natAddress permit 1.1.10.14 32 
ip ip-prefix natAddress permit 1.1.10.15 32 
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
 if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.1  
 import-route static route-policy PS_NAT 
 area 0.0.0.0 
  network 1.1.1.0 0.0.0.255   
#   
ospf 2 router-id 10.14.1.1 
 default-route-advertise
 filter-policy ip-prefix no-default import
 area 0.0.0.0 
  network 10.14.1.0 0.0.0.255   
#   
 ip route-static 1.1.10.10 255.255.255.255 NULL0  
 ip route-static 1.1.10.11 255.255.255.255 NULL0  
 ip route-static 1.1.10.12 255.255.255.255 NULL0  
 ip route-static 1.1.10.13 255.255.255.255 NULL0   
 ip route-static 1.1.10.14 255.255.255.255 NULL0 
 ip route-static 1.1.10.15 255.255.255.255 NULL0   
#                                                                               
 snmp-agent                                                                     
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                             
 snmp-agent sys-info version v3                                                 
 snmp-agent sys-info contact Mr.zhang
 snmp-agent sys-info location Beijing
 snmp-agent group v3 NMS1 privacy                                            
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#                                                                               
return

Configuration script for FW_B:

#                                                                               
 sysname FW_B
#                                                                               
info-center source default channel 2 log level warning                            
 info-center loghost 10.2.0.10                                                  
#                                                                               
 firewall log session log-type syslog                                           
 firewall log session multi-host-mode concurrent
 firewall log source 3.3.3.4 6000
 firewall log host 1 2.2.2.2 514                                              
# 
nat address-group addressgroup1
 mode pat 
 status active
 section 0 1.1.10.10 1.1.10.15                                                                                                  
#
 hrp enable
 hrp standby-device
 hrp interface Eth-Trunk 0 remote 192.168.3.1                                  
 hrp adjust ospf-cost enable                                                    
 hrp track interface Eth-Trunk 1
 hrp track interface Eth-Trunk 2
#                                                                               
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
interface Eth-Trunk0                                                            
 description To_FW_A
 ip address 192.168.3.2 255.255.255.0  
 undo service-manage enable                                            
#
interface Eth-Trunk1                                                            
 description To_Backbone
 ip address 1.1.1.3 255.255.255.0 
 undo service-manage enable                                             
#
interface Eth-Trunk2                                                                                                                  
 description To_GI
 ip address 10.14.1.3 255.255.255.0   
 undo service-manage enable                                           
#                                                                               
interface GigabitEthernet2/0/0                                                  
 eth-trunk 0                                                                    
#                                                                               
interface GigabitEthernet2/0/1                                                  
 eth-trunk 0                                                                    
#                                                                               
interface GigabitEthernet2/0/2                                                  
 eth-trunk 1                                                                    
#                                                                               
interface GigabitEthernet2/0/3                                                  
 eth-trunk 1                                                                    
#                                                                               
interface GigabitEthernet2/0/4                                                  
 eth-trunk 2                                                                    
#                                                                               
interface GigabitEthernet2/0/5                                                  
 eth-trunk 2                                                                    
#                                                                                
firewall zone trust                                                             
 set priority 85                                                                
 add interface Eth-Trunk2                                            
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface Eth-Trunk1                                             
#                                                                               
firewall zone hrpzone                                                               
 set priority 65                                                                
 add interface Eth-Trunk0                                                       
#                                                                               
firewall interzone trust untrust                                                               
 detect rtsp
 detect ftp
 detect pptp
#  
security-policy
 rule name local_trust_outbound 
  source-zone local 
  destination-zone trust
  source-address 10.14.0.0 16
  action permit    
 rule name local_trust_inbound 
  source-zone trust 
  destination-zone local 
  destination-address 10.14.0.0 16
  action permit
 rule name local_untrust_outbound 
  source-zone local 
  destination-zone untrust 
  source-address 1.1.0.0 16
  action permit 
 rule name local_untrust_inbound 
  source-zone untrust
  destination-zone local 
  destination-address 1.1.0.0 16 
  action permit 
 rule name local_hrpzone_outbound 
  source-zone local 
  destination-zone hrpzone 
  source-address 192.168.3.0 24 
  action permit 
 rule name local_hrpzone_inbound 
  source-zone hrpzone 
  destination-zone local 
  destination-address 192.168.3.0 24 
  action permit 
 rule name trust_untrust_outbound1 
  source-zone trust 
  destination-zone untrust 
  source-address 10.14.0.0 16
  destination-address 1.1.0.0 16 
  action permit    
 rule name trust_untrust_inbound1 
  source-zone untrust
  destination-zone trust 
  source-address 1.1.0.0 16 
  destination-address 10.14.0.0 16
  action permit
 rule name trust_untrust_outbound2 
  source-zone trust 
  destination-zone untrust 
  source-address 10.14.0.0 16 
  action permit 
 rule name trust_untrust 
  session logging 
  action permit    
#  
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.14.0.0 16
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
 if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.3  
 import-route static route-policy PS_NAT 
 area 0.0.0.0 
  network 1.1.1.0 0.0.0.255
#   
ospf 2 router-id 10.14.1.3 
 default-route-advertise
 filter-policy ip-prefix no-default import
 area 0.0.0.0 
  network 10.14.1.0 0.0.0.255
#                                                                               
 ip route-static 1.1.10.10 255.255.255.255 NULL0                            
 ip route-static 1.1.10.11 255.255.255.255 NULL0                            
 ip route-static 1.1.10.12 255.255.255.255 NULL0                            
 ip route-static 1.1.10.13 255.255.255.255 NULL0                            
 ip route-static 1.1.10.14 255.255.255.255 NULL0                            
 ip route-static 1.1.10.15 255.255.255.255 NULL0                            
#                                                                               
 snmp-agent                                                                     
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                             
 snmp-agent sys-info version v3                                                 
 snmp-agent sys-info contact Mr.zhang
 snmp-agent sys-info location Beijing
 snmp-agent group v3 NMS1 privacy                                            
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#                                                                               
return
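The two scripts above depend on a chain that is easy to break when a configuration is copied from one HRP peer to the other: every address in the NAT pool needs a black-hole static route to NULL0, the ip-prefix list natAddress must list the same addresses so that route-policy PS_NAT imports exactly those routes into OSPF 1, and the nat-policy must reference the address-group by the name it was actually created with. The security policy also ends with a rule that has no zone or address match and permits, which is worth surfacing explicitly on any review. The following Python script is an added example and is not part of the Huawei document: it parses a VRP-style configuration dump (the '#'-separated sections shown above), cross-checks the NAT pool against the NULL0 routes and the prefix list, and lists any security-policy rule that permits without a single match criterion. The sample configuration embedded in it is constructed for the example; the names pool1, addressgroup1 and catch_all are illustrative.

```python
import ipaddress
import re

# Constructed sample (not from the Huawei document): a peer-script excerpt that
# deliberately carries a handful of mistakes of the kind that appear when a
# configuration is copied between HRP peers. The NAT pool is 1.1.10.10-1.1.10.12.
SAMPLE_CONFIG = """\
#
nat address-group pool1
 section 0 1.1.10.10 1.1.10.12
#
security-policy
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone untrust
  action permit
 rule name catch_all
  session logging
  action permit
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.1.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
#
 ip route-static 1.1.10.10 255.255.255.255 NULL0
 ip route-static 1.1.10.11 255.255.255.255 NULL0
#
"""

# Match criteria that make a rule something other than "permit everything".
RULE_CONSTRAINTS = ("source-zone", "destination-zone", "source-address",
                    "destination-address", "service", "application", "user")

def sections(config):
    """Split a VRP configuration into its '#'-delimited sections (lists of lines)."""
    blocks = []
    for chunk in re.split(r"^[ \t]*#[ \t]*$", config, flags=re.M):
        lines = [ln.rstrip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            blocks.append(lines)
    return blocks

def nat_pools(config):
    """Map each nat address-group name to the set of addresses its sections cover."""
    pools = {}
    for block in sections(config):
        head = re.match(r"nat address-group (\S+)", block[0].strip())
        if not head:
            continue
        addrs = set()
        for line in block[1:]:
            sec = re.match(r"\s*section \d+ (\S+) (\S+)", line)
            if sec:
                lo, hi = (int(ipaddress.IPv4Address(a)) for a in sec.groups())
                addrs.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
        pools[head.group(1)] = addrs
    return pools

def catch_all_rules(config):
    """Names of security-policy rules that permit with no match criteria at all."""
    rules, current = {}, {}  # 'current' starts as a throwaway dict
    for block in sections(config):
        if block[0].strip() != "security-policy":
            continue
        for line in block[1:]:
            tok = line.split()
            if tok[:2] == ["rule", "name"]:
                current = rules.setdefault(tok[2], {"permit": False, "constrained": False})
            elif tok[0] in RULE_CONSTRAINTS:
                current["constrained"] = True
            elif tok[:2] == ["action", "permit"]:
                current["permit"] = True
    return sorted(n for n, r in rules.items() if r["permit"] and not r["constrained"])

def audit(config, prefix_list="natAddress"):
    """Return human-readable findings; an empty list means the script is consistent."""
    findings = []
    pools = nat_pools(config)
    for ref in sorted(set(re.findall(r"action source-nat address-group (\S+)", config)) - set(pools)):
        findings.append(f"nat-policy references address-group '{ref}', which is not defined")
    routes = set(re.findall(r"ip route-static (\S+) 255\.255\.255\.255 NULL0", config))
    prefixes = set(re.findall(rf"ip ip-prefix {re.escape(prefix_list)} permit (\S+) 32", config))
    for name, addrs in pools.items():
        for addr in sorted(addrs, key=ipaddress.IPv4Address):
            if addr not in routes:
                findings.append(f"pool {name}: {addr} has no NULL0 black-hole route")
            if addr not in prefixes:
                findings.append(f"pool {name}: {addr} is missing from ip-prefix {prefix_list}")
    for stray in sorted(prefixes - set().union(*pools.values()), key=ipaddress.IPv4Address):
        findings.append(f"ip-prefix {prefix_list} advertises {stray}, which is in no NAT pool")
    for name in catch_all_rules(config):
        findings.append(f"security-policy rule '{name}' permits traffic with no zone or address match")
    return findings
```

Feed audit() the text of display current-configuration from each peer; an empty result means every pool address is black-holed and advertised, the nat-policy resolves, and no rule permits everything. On the constructed sample it returns five findings: the mistyped prefix 1.1.1.10 produces two (the pool address it should have covered is missing from the list, and a prefix outside the pool is advertised), plus the undefined address-group reference, the pool address with no NULL0 route, and the catch_all rule.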
Updated: 2019-01-26

Document ID: EDOC1100062972