HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Procedure

  1. Configure interfaces and security zones.
    1. Configure the interfaces and security zones of FW_A.

      # Create Eth-Trunk0, setting its IP address.

      <FW_A> system-view
      [FW_A] interface Eth-Trunk 0
      [FW_A-Eth-Trunk0] description To_FW_B
      [FW_A-Eth-Trunk0] ip address 192.168.3.1 24
      [FW_A-Eth-Trunk0] undo service-manage enable
      [FW_A-Eth-Trunk0] quit

      # Create Eth-Trunk1, setting its IP address.

      [FW_A] interface Eth-Trunk 1
      [FW_A-Eth-Trunk1] description To_Backbone
      [FW_A-Eth-Trunk1] ip address 1.1.1.1 24
      [FW_A-Eth-Trunk1] undo service-manage enable
      [FW_A-Eth-Trunk1] quit

      # Create Eth-Trunk2, setting its IP address.

      [FW_A] interface Eth-Trunk 2
      [FW_A-Eth-Trunk2] description To_GI
      [FW_A-Eth-Trunk2] ip address 10.14.1.1 24
      [FW_A-Eth-Trunk2] undo service-manage enable
      [FW_A-Eth-Trunk2] quit

      # Assign GigabitEthernet2/0/0 and GigabitEthernet2/0/1 to Eth-Trunk0.

      [FW_A] interface GigabitEthernet 2/0/0
      [FW_A-GigabitEthernet2/0/0] Eth-Trunk 0
      [FW_A-GigabitEthernet2/0/0] quit
      [FW_A] interface GigabitEthernet 2/0/1
      [FW_A-GigabitEthernet2/0/1] Eth-Trunk 0
      [FW_A-GigabitEthernet2/0/1] quit

      # Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk1.

      [FW_A] interface GigabitEthernet 2/0/2
      [FW_A-GigabitEthernet2/0/2] Eth-Trunk 1
      [FW_A-GigabitEthernet2/0/2] quit
      [FW_A] interface GigabitEthernet 2/0/3
      [FW_A-GigabitEthernet2/0/3] Eth-Trunk 1
      [FW_A-GigabitEthernet2/0/3] quit

      # Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk2.

      [FW_A] interface GigabitEthernet 2/0/4
      [FW_A-GigabitEthernet2/0/4] Eth-Trunk 2
      [FW_A-GigabitEthernet2/0/4] quit
      [FW_A] interface GigabitEthernet 2/0/5
      [FW_A-GigabitEthernet2/0/5] Eth-Trunk 2
      [FW_A-GigabitEthernet2/0/5] quit

      # Assign Eth-Trunk0 to the hrpzone security zone.

      [FW_A] firewall zone name hrpzone
      [FW_A-zone-hrpzone] set priority 65
      [FW_A-zone-hrpzone] add interface Eth-Trunk 0
      [FW_A-zone-hrpzone] quit

      # Add Eth-Trunk1 to the untrust security zone.

      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface Eth-Trunk 1
      [FW_A-zone-untrust] quit

      # Assign Eth-Trunk2 to the trust security zone.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface Eth-Trunk 2
      [FW_A-zone-trust] quit

    2. Configure the interfaces and security zones of FW_B.

      # Create Eth-Trunk0, setting its IP address.

      <FW_B> system-view
      [FW_B] interface Eth-Trunk 0
      [FW_B-Eth-Trunk0] description To_FW_A
      [FW_B-Eth-Trunk0] ip address 192.168.3.2 24
      [FW_B-Eth-Trunk0] undo service-manage enable
      [FW_B-Eth-Trunk0] quit

      # Create Eth-Trunk1, setting its IP address.

      [FW_B] interface Eth-Trunk 1
      [FW_B-Eth-Trunk1] description To_Backbone
      [FW_B-Eth-Trunk1] ip address 1.1.2.1 24
      [FW_B-Eth-Trunk1] undo service-manage enable
      [FW_B-Eth-Trunk1] quit

      # Create Eth-Trunk2, setting its IP address.

      [FW_B] interface Eth-Trunk 2
      [FW_B-Eth-Trunk2] description To_GI
      [FW_B-Eth-Trunk2] ip address 10.14.2.1 24
      [FW_B-Eth-Trunk2] undo service-manage enable
      [FW_B-Eth-Trunk2] quit

      # Add GigabitEthernet2/0/0 and GigabitEthernet2/0/1 to Eth-Trunk0.

      [FW_B] interface GigabitEthernet 2/0/0
      [FW_B-GigabitEthernet2/0/0] Eth-Trunk 0
      [FW_B-GigabitEthernet2/0/0] quit
      [FW_B] interface GigabitEthernet 2/0/1
      [FW_B-GigabitEthernet2/0/1] Eth-Trunk 0
      [FW_B-GigabitEthernet2/0/1] quit

      # Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk1.

      [FW_B] interface GigabitEthernet 2/0/2
      [FW_B-GigabitEthernet2/0/2] Eth-Trunk 1
      [FW_B-GigabitEthernet2/0/2] quit
      [FW_B] interface GigabitEthernet 2/0/3
      [FW_B-GigabitEthernet2/0/3] Eth-Trunk 1
      [FW_B-GigabitEthernet2/0/3] quit

      # Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk2.

      [FW_B] interface GigabitEthernet 2/0/4
      [FW_B-GigabitEthernet2/0/4] Eth-Trunk 2
      [FW_B-GigabitEthernet2/0/4] quit
      [FW_B] interface GigabitEthernet 2/0/5
      [FW_B-GigabitEthernet2/0/5] Eth-Trunk 2
      [FW_B-GigabitEthernet2/0/5] quit

      # Assign Eth-Trunk0 to the hrpzone security zone.

      [FW_B] firewall zone name hrpzone
      [FW_B-zone-hrpzone] set priority 65
      [FW_B-zone-hrpzone] add interface Eth-Trunk 0
      [FW_B-zone-hrpzone] quit

      # Assign Eth-Trunk1 to the untrust security zone.

      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface Eth-Trunk 1
      [FW_B-zone-untrust] quit

      # Assign Eth-Trunk2 to the trust security zone.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface Eth-Trunk 2
      [FW_B-zone-trust] quit

  2. Configure security policies.
    1. Configure the security policies of FW_A.

      # Configure the security policy between the local and trust zones.

      [FW_A] security-policy
      [FW_A-policy-security] rule name local_trust_outbound
      [FW_A-policy-security-rule-local_trust_outbound] source-zone local 
      [FW_A-policy-security-rule-local_trust_outbound] destination-zone trust
      [FW_A-policy-security-rule-local_trust_outbound] source-address 10.14.0.0 16
      [FW_A-policy-security-rule-local_trust_outbound] action permit
      [FW_A-policy-security-rule-local_trust_outbound] quit
      [FW_A-policy-security]  rule name local_trust_inbound
      [FW_A-policy-security-rule-local_trust_inbound] source-zone trust
      [FW_A-policy-security-rule-local_trust_inbound] destination-zone local
      [FW_A-policy-security-rule-local_trust_inbound] destination-address 10.14.0.0 16
      [FW_A-policy-security-rule-local_trust_inbound] action permit
      [FW_A-policy-security-rule-local_trust_inbound] quit
      

      # Configure the security policy between the local and untrust zones.

      [FW_A-policy-security] rule name local_untrust_outbound
      [FW_A-policy-security-rule-local_untrust_outbound] source-zone local
      [FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
      [FW_A-policy-security-rule-local_untrust_outbound] source-address 1.1.0.0 16
      [FW_A-policy-security-rule-local_untrust_outbound] action permit
      [FW_A-policy-security-rule-local_untrust_outbound] quit
      [FW_A-policy-security] rule name local_untrust_inbound
      [FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
      [FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
      [FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.0.0 16
      [FW_A-policy-security-rule-local_untrust_inbound] action permit
      [FW_A-policy-security-rule-local_untrust_inbound] quit
      

      # Configure the security policy between the local and hrpzone zones.

      [FW_A-policy-security] rule name local_hrpzone_outbound
      [FW_A-policy-security-rule-local_hrpzone_outbound] source-zone local
      [FW_A-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
      [FW_A-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
      [FW_A-policy-security-rule-local_hrpzone_outbound] action permit
      [FW_A-policy-security-rule-local_hrpzone_outbound] quit
      [FW_A-policy-security] rule name local_hrpzone_inbound
      [FW_A-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
      [FW_A-policy-security-rule-local_hrpzone_inbound] destination-zone local
      [FW_A-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
      [FW_A-policy-security-rule-local_hrpzone_inbound] action permit
      [FW_A-policy-security-rule-local_hrpzone_inbound] quit
      

      # Configure the security policy between the trust and untrust zones, permitting GRE tunnel packets from the WAP side router to the GGSN/P-GW.

      [FW_A-policy-security] rule name trust_untrust_outbound1
      [FW_A-policy-security-rule-trust_untrust_outbound1] source-zone trust
      [FW_A-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
      [FW_A-policy-security-rule-trust_untrust_outbound1] source-address 10.14.0.0 16
      [FW_A-policy-security-rule-trust_untrust_outbound1] destination-address 1.1.0.0 16
      [FW_A-policy-security-rule-trust_untrust_outbound1] action permit
      [FW_A-policy-security-rule-trust_untrust_outbound1] quit
      [FW_A-policy-security] rule name trust_untrust_inbound1
      [FW_A-policy-security-rule-trust_untrust_inbound1] source-zone untrust
      [FW_A-policy-security-rule-trust_untrust_inbound1] destination-zone trust
      [FW_A-policy-security-rule-trust_untrust_inbound1] source-address 1.1.0.0 16
      [FW_A-policy-security-rule-trust_untrust_inbound1] destination-address 10.14.0.0 16
      [FW_A-policy-security-rule-trust_untrust_inbound1] action permit
      [FW_A-policy-security-rule-trust_untrust_inbound1] quit
      

      # Configure the security policy between the trust and untrust zones, permitting packets from mobile terminals to the Internet. All packets from the 10.14.0.0/16 network segment are matched. In practice, you can add rules as needed.

      [FW_A-policy-security] rule name trust_untrust_outbound2
      [FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust
      [FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
      [FW_A-policy-security-rule-trust_untrust_outbound2] source-address 10.14.0.0 16
      [FW_A-policy-security-rule-trust_untrust_outbound2] action permit
      [FW_A-policy-security-rule-trust_untrust_outbound2] quit

    2. Configure the security policies of FW_B.

      # Configure the security policy between the local and trust zones.

      [FW_B] security-policy
      [FW_B-policy-security] rule name local_trust_outbound
      [FW_B-policy-security-rule-local_trust_outbound] source-zone local 
      [FW_B-policy-security-rule-local_trust_outbound] destination-zone trust
      [FW_B-policy-security-rule-local_trust_outbound] source-address 10.14.0.0 16
      [FW_B-policy-security-rule-local_trust_outbound] action permit
      [FW_B-policy-security-rule-local_trust_outbound] quit
      [FW_B-policy-security]  rule name local_trust_inbound
      [FW_B-policy-security-rule-local_trust_inbound] source-zone trust
      [FW_B-policy-security-rule-local_trust_inbound] destination-zone local
      [FW_B-policy-security-rule-local_trust_inbound] destination-address 10.14.0.0 16
      [FW_B-policy-security-rule-local_trust_inbound] action permit
      [FW_B-policy-security-rule-local_trust_inbound] quit
      

      # Configure the security policy between the local and untrust zones.

      [FW_B-policy-security] rule name local_untrust_outbound
      [FW_B-policy-security-rule-local_untrust_outbound] source-zone local
      [FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust
      [FW_B-policy-security-rule-local_untrust_outbound] source-address 1.1.0.0 16
      [FW_B-policy-security-rule-local_untrust_outbound] action permit
      [FW_B-policy-security-rule-local_untrust_outbound] quit
      [FW_B-policy-security] rule name local_untrust_inbound
      [FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust
      [FW_B-policy-security-rule-local_untrust_inbound] destination-zone local
      [FW_B-policy-security-rule-local_untrust_inbound] destination-address 1.1.0.0 16
      [FW_B-policy-security-rule-local_untrust_inbound] action permit
      [FW_B-policy-security-rule-local_untrust_inbound] quit
      

      # Configure the security policy between the local and hrpzone zones.

      [FW_B-policy-security] rule name local_hrpzone_outbound
      [FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local
      [FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
      [FW_B-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
      [FW_B-policy-security-rule-local_hrpzone_outbound] action permit
      [FW_B-policy-security-rule-local_hrpzone_outbound] quit
      [FW_B-policy-security] rule name local_hrpzone_inbound
      [FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
      [FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local
      [FW_B-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
      [FW_B-policy-security-rule-local_hrpzone_inbound] action permit
      [FW_B-policy-security-rule-local_hrpzone_inbound] quit
      

      # Configure the security policy between the trust and untrust zones, permitting GRE tunnel packets from the WAP side router to the GGSN/P-GW.

      [FW_B-policy-security] rule name trust_untrust_outbound1
      [FW_B-policy-security-rule-trust_untrust_outbound1] source-zone trust
      [FW_B-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
      [FW_B-policy-security-rule-trust_untrust_outbound1] source-address 10.14.0.0 16
      [FW_B-policy-security-rule-trust_untrust_outbound1] destination-address 1.1.0.0 16
      [FW_B-policy-security-rule-trust_untrust_outbound1] action permit
      [FW_B-policy-security-rule-trust_untrust_outbound1] quit
      [FW_B-policy-security] rule name trust_untrust_inbound1
      [FW_B-policy-security-rule-trust_untrust_inbound1] source-zone untrust
      [FW_B-policy-security-rule-trust_untrust_inbound1] destination-zone trust
      [FW_B-policy-security-rule-trust_untrust_inbound1] source-address 1.1.0.0 16
      [FW_B-policy-security-rule-trust_untrust_inbound1] destination-address 10.14.0.0 16
      [FW_B-policy-security-rule-trust_untrust_inbound1] action permit
      [FW_B-policy-security-rule-trust_untrust_inbound1] quit
      

      # Configure the security policy between the trust and untrust zones, permitting packets from mobile terminals to the Internet. All packets from the 10.14.0.0/16 network segment are matched. In practice, you can add rules as needed.

      [FW_B-policy-security] rule name trust_untrust_outbound2
      [FW_B-policy-security-rule-trust_untrust_outbound2] source-zone trust
      [FW_B-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
      [FW_B-policy-security-rule-trust_untrust_outbound2] source-address 10.14.0.0 16
      [FW_B-policy-security-rule-trust_untrust_outbound2] action permit
      [FW_B-policy-security-rule-trust_untrust_outbound2] quit

  3. Configure routes.

    NOTE:

    Specify different router IDs for the OSPF processes on the active and standby firewalls to prevent OSPF route flapping.

    1. Configure the OSPF routes of FW_A.

      # Configure a routing policy so that, when static routes are imported into OSPF on the side of FW_A connecting to the backbone, only the NAT address pool addresses and Gn public addresses are advertised, not private addresses.

      [FW_A] ip ip-prefix natAddress permit 1.1.10.10 32 
      [FW_A] ip ip-prefix natAddress permit 1.1.10.11 32 
      [FW_A] ip ip-prefix natAddress permit 1.1.10.12 32 
      [FW_A] ip ip-prefix natAddress permit 1.1.10.13 32 
      [FW_A] ip ip-prefix natAddress permit 1.1.10.14 32 
      [FW_A] ip ip-prefix natAddress permit 1.1.10.15 32 
      [FW_A] route-policy PS_NAT permit node 10
      [FW_A-route-policy] if-match ip-prefix natAddress
      [FW_A-route-policy] quit
      [FW_A] ospf 1 router-id 1.1.1.1
      [FW_A-ospf-1] import-route static route-policy PS_NAT
      [FW_A-ospf-1] area 0.0.0.0
      [FW_A-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
      [FW_A-ospf-1-area-0.0.0.0] quit
      [FW_A-ospf-1] quit

      # Configure a route filtering policy on the side of FW_A connecting to the core network so that the default route is not learned.

      [FW_A] ip ip-prefix no-default deny 0.0.0.0 0
      [FW_A] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
      [FW_A] ospf 2 router-id 10.14.1.1
      [FW_A-ospf-2] filter-policy ip-prefix no-default import
      [FW_A-ospf-2] default-route-advertise
      [FW_A-ospf-2] area 0.0.0.0
      [FW_A-ospf-2-area-0.0.0.0] network 10.14.1.0 0.0.0.255
      [FW_A-ospf-2-area-0.0.0.0] quit
      [FW_A-ospf-2] quit

      # Configure black-hole routes.

      [FW_A] ip route-static 1.1.10.10 32 NULL 0
      [FW_A] ip route-static 1.1.10.11 32 NULL 0
      [FW_A] ip route-static 1.1.10.12 32 NULL 0
      [FW_A] ip route-static 1.1.10.13 32 NULL 0
      [FW_A] ip route-static 1.1.10.14 32 NULL 0
      [FW_A] ip route-static 1.1.10.15 32 NULL 0

    2. Configure the OSPF routes of FW_B.

      # Configure a routing policy so that, when static routes are imported into OSPF on the side of FW_B connecting to the backbone, only the NAT address pool addresses are advertised, not private addresses.

      [FW_B] ip ip-prefix natAddress permit 1.1.10.10 32 
      [FW_B] ip ip-prefix natAddress permit 1.1.10.11 32 
      [FW_B] ip ip-prefix natAddress permit 1.1.10.12 32 
      [FW_B] ip ip-prefix natAddress permit 1.1.10.13 32 
      [FW_B] ip ip-prefix natAddress permit 1.1.10.14 32 
      [FW_B] ip ip-prefix natAddress permit 1.1.10.15 32 
      [FW_B] route-policy PS_NAT permit node 10
      [FW_B-route-policy] if-match ip-prefix natAddress
      [FW_B-route-policy] quit
      [FW_B] ospf 1 router-id 1.1.2.1
      [FW_B-ospf-1] import-route static route-policy PS_NAT
      [FW_B-ospf-1] area 0.0.0.0
      [FW_B-ospf-1-area-0.0.0.0] network 1.1.2.0 0.0.0.255
      [FW_B-ospf-1-area-0.0.0.0] quit
      [FW_B-ospf-1] quit

      # Configure a route filtering policy on the side of FW_B connecting to the core network so that the default route is not learned.

      [FW_B] ip ip-prefix no-default deny 0.0.0.0 0
      [FW_B] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
      [FW_B] ospf 2 router-id 10.14.2.1
      [FW_B-ospf-2] filter-policy ip-prefix no-default import
      [FW_B-ospf-2] default-route-advertise
      [FW_B-ospf-2] area 0.0.0.0
      [FW_B-ospf-2-area-0.0.0.0] network 10.14.2.0 0.0.0.255
      [FW_B-ospf-2-area-0.0.0.0] quit
      [FW_B-ospf-2] quit

      # Configure black-hole routes.

      [FW_B] ip route-static 1.1.10.10 32 NULL 0
      [FW_B] ip route-static 1.1.10.11 32 NULL 0
      [FW_B] ip route-static 1.1.10.12 32 NULL 0
      [FW_B] ip route-static 1.1.10.13 32 NULL 0
      [FW_B] ip route-static 1.1.10.14 32 NULL 0
      [FW_B] ip route-static 1.1.10.15 32 NULL 0

  4. Complete the availability configuration.
    1. Configure a link group on FW_A and bind the upstream and downstream interfaces of FW_A to the link group.

      [FW_A] interface Eth-Trunk 1
      [FW_A-Eth-Trunk1] link-group 1
      [FW_A-Eth-Trunk1] quit
      [FW_A] interface Eth-Trunk 2
      [FW_A-Eth-Trunk2] link-group 1
      [FW_A-Eth-Trunk2] quit

    2. Complete the hot standby configuration of FW_A.

      # Configure HRP to track the interfaces connecting FW_A to the backbone and core networks.

      [FW_A] hrp track interface Eth-Trunk 1
      [FW_A] hrp track interface Eth-Trunk 2

      # Enable OSPF cost adjustment based on the HRP state.

      [FW_A] hrp adjust ospf-cost enable

      # Configure the heartbeat interface.

      [FW_A] hrp interface Eth-Trunk 0 remote 192.168.3.2

      # Enable HRP.

      [FW_A] hrp enable

      # Set the preemption delay of the VGMP group to 300s.

      [FW_A] hrp preempt delay 300

    3. Complete the hot standby configuration of FW_B.

      # Configure HRP to track the upstream and downstream interfaces.

      [FW_B] hrp track interface Eth-Trunk 1
      [FW_B] hrp track interface Eth-Trunk 2

      # Enable OSPF cost adjustment based on the HRP state.

      [FW_B] hrp adjust ospf-cost enable

      # Configure the heartbeat interface.

      [FW_B] hrp interface Eth-Trunk 0 remote 192.168.3.1

      # Enable HRP.

      [FW_B] hrp enable

      # Configure the current device as the standby device.

      [FW_B] hrp standby-device

  5. Configure NAT.

    NOTE:

    After hot standby is enabled, the NAT and ASPF configuration of FW_A is automatically synchronized to FW_B.

    1. Configure NAT for FW_A.

      # Create the NAT address pool.

      HRP_M[FW_A] nat address-group addressgroup1
      HRP_M[FW_A-address-group-addressgroup1] section 1.1.10.10 1.1.10.15
      HRP_M[FW_A-address-group-addressgroup1] quit

      # Configure the NAT policy. The source addresses of all packets from the 10.14.0.0/16 network segment are translated. In practice, you can add rules as needed.

      HRP_M[FW_A] nat-policy
      HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 10.14.0.0 0.0.255.255
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1 
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] quit
      HRP_M[FW_A-policy-nat] quit

    2. Configure ASPF for FW_A.

      HRP_M[FW_A] firewall interzone trust untrust
      HRP_M[FW_A-interzone-trust-untrust] detect rtsp
      HRP_M[FW_A-interzone-trust-untrust] detect ftp
      HRP_M[FW_A-interzone-trust-untrust] detect pptp
      HRP_M[FW_A-interzone-trust-untrust] quit
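      The NAT pool, the natAddress prefix list and the black-hole routes above must stay in step: import-route static only redistributes static routes that exist, so a pool address without a black-hole route is never advertised to the backbone, and return traffic to it can follow the default route back out and loop. The following Python audit is an added example, not part of the Huawei documentation; it parses the FW_A commands (embedded as a constructed sample, prompts removed) and reports the mismatches, assuming the command forms shown on this page.

```python
"""Audit a Huawei VRP configuration transcript: every NAT pool address should
appear in the natAddress prefix list AND have a black-hole static route,
otherwise it is not redistributed into OSPF (import-route static only sees
routes that exist) and return traffic to it can loop via the default route."""
import ipaddress
import re

# Constructed sample: the relevant FW_A commands from this example, without prompts.
FW_A_CONFIG = """
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip route-static 1.1.10.10 32 NULL 0
ip route-static 1.1.10.11 32 NULL 0
ip route-static 1.1.10.12 32 NULL 0
ip route-static 1.1.10.13 32 NULL 0
ip route-static 1.1.10.14 32 NULL 0
ip route-static 1.1.10.15 32 NULL 0
nat address-group addressgroup1
 section 1.1.10.10 1.1.10.15
"""

# Command forms as shown on this page (some versions put a section ID before the range).
PREFIX_RE = re.compile(r"^ip ip-prefix (\S+) permit (\d+\.\d+\.\d+\.\d+) (\d+)$")
BLACKHOLE_RE = re.compile(r"^ip route-static (\d+\.\d+\.\d+\.\d+) (\d+) NULL ?0$")
SECTION_RE = re.compile(r"^section (?:\d+ )?(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def addresses(addr, masklen):
    """All IPv4 addresses covered by addr/masklen (a single address for /32)."""
    return set(ipaddress.IPv4Network(f"{addr}/{masklen}", strict=False))


def parse(config, prefix_list="natAddress"):
    """Return (pool, advertised, blackholed) address sets from the transcript."""
    pool, advertised, blackholed = set(), set(), set()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise indentation and stray spaces
        if m := PREFIX_RE.match(line):
            if m.group(1) == prefix_list:
                advertised |= addresses(m.group(2), m.group(3))
        elif m := BLACKHOLE_RE.match(line):
            blackholed |= addresses(m.group(1), m.group(2))
        elif m := SECTION_RE.match(line):
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
            pool |= {ipaddress.IPv4Address(n) for n in range(lo, hi + 1)}
    return pool, advertised, blackholed


def audit(config):
    """Return the three mismatch lists a reviewer wants, as dotted strings."""
    pool, advertised, blackholed = parse(config)

    def as_str(addrs):
        return [str(a) for a in sorted(addrs)]

    return {
        "pool_not_advertised": as_str(pool - advertised),    # never reaches the backbone
        "advertised_not_in_pool": as_str(advertised - pool),  # stale prefix-list entry
        "pool_without_blackhole": as_str(pool - blackholed),  # not imported; loop risk
    }


if __name__ == "__main__":
    print(audit(FW_A_CONFIG))  # all three lists are empty for the page's FW_A config
    # Constructed drift: the pool is widened to .16 but the routes and prefixes are not.
    drifted = FW_A_CONFIG.replace("section 1.1.10.10 1.1.10.15", "section 1.1.10.10 1.1.10.16")
    print(audit(drifted)["pool_without_blackhole"])  # ['1.1.10.16']
```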

  6. Configure attack defense.

    NOTE:

    After hot standby is enabled, the attack defense configuration of FW_A is automatically synchronized to FW_B.

    Configure attack defense for FW_A.

    HRP_M[FW_A] firewall defend land enable
    HRP_M[FW_A] firewall defend smurf enable
    HRP_M[FW_A] firewall defend fraggle enable
    HRP_M[FW_A] firewall defend ip-fragment enable
    HRP_M[FW_A] firewall defend tcp-flag enable
    HRP_M[FW_A] firewall defend winnuke enable
    HRP_M[FW_A] firewall defend source-route enable
    HRP_M[FW_A] firewall defend teardrop enable
    HRP_M[FW_A] firewall defend route-record enable
    HRP_M[FW_A] firewall defend time-stamp enable
    HRP_M[FW_A] firewall defend ping-of-death enable
    

  7. Configure network management (SNMP).
    1. Configure network management (SNMP) on FW_A.

      # Configure the SNMP version of the FW. This step is optional. By default, the SNMP version is SNMPv3. Carry out this step if it is not SNMPv3.

      HRP_M[FW_A] snmp-agent sys-info version v3
      

      # Configure the SNMPv3 user group.

      HRP_M[FW_A] snmp-agent group v3 NMS1 privacy
      

      # Configure the SNMPv3 user.

      HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456
      

      # Configure the contact information.

      HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang
      

      # Configure the location information.

      HRP_M[FW_A] snmp-agent sys-info location Beijing
      

      # Configure the alarm function of SNMP on the Eudemon.

      HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy
      HRP_M[FW_A] snmp-agent trap enable 
      Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

    2. Configure network management (SNMP) on FW_B.

      # Configure the SNMP version of the FW. This step is optional. By default, the SNMP version is SNMPv3. Carry out this step if it is not SNMPv3.

      HRP_S[FW_B] snmp-agent sys-info version v3
      

      # Configure the SNMPv3 user group.

      HRP_S[FW_B] snmp-agent group v3 NMS1 privacy
      

      # Configure the SNMPv3 user.

      HRP_S[FW_B] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456
      

      # Configure the contact information.

      HRP_S[FW_B] snmp-agent sys-info contact Mr.zhang
      

      # Configure the location information.

      HRP_S[FW_B] snmp-agent sys-info location Beijing
      

      # Configure the alarm function of SNMP on the Eudemon.

      HRP_S[FW_B] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy
      HRP_S[FW_B] snmp-agent trap enable 
      Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

  8. Configure the LogCenter.

    NOTE:

    For the configuration on the LogCenter log server, see the product manual of the LogCenter. Only the configuration on the FW is described.

    After hot standby is enabled, the LogCenter configuration of FW_A is automatically synchronized to FW_B. However, the source address and source port for log export need to be configured on FW_B.

    1. Configure FW_A.

      # Configure a log host. When the log format is syslog, the address of the log host is 2.2.2.2, and the host port must be 514.

      HRP_M[FW_A] firewall log host 1 2.2.2.2 514
      

      # Enable the session log function in the security policy as required.

      HRP_M[FW_A] security-policy
      HRP_M[FW_A-policy-security] rule name trust_untrust
      HRP_M[FW_A-policy-security-rule-trust_untrust] session logging
      HRP_M[FW_A-policy-security-rule-trust_untrust] quit
      HRP_M[FW_A-policy-security] quit
      

      # Configure the log output format, concurrent mode, and source address/port (3.3.3.3/6000) of the logs.

      HRP_M[FW_A] firewall log session log-type syslog
      HRP_M[FW_A] firewall log session multi-host-mode concurrent
      HRP_M[FW_A] firewall log source 3.3.3.3 6000
      
    2. Configure FW_B.

      # Configure the source address and source port for log export (3.3.3.4/6000).

      HRP_S[FW_B] firewall log source 3.3.3.4 6000
      
Updated: 2019-01-26

Document ID: EDOC1100062972
