
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Verification

  1. On FW-1 and FW-2, run the display hrp state verbose command to view the hot standby status.

    HRP_M<FW-1> display hrp state verbose
     Role: active, peer: standby
     Running priority: 45000, peer: 45000
     Backup channel usage: 0.00%
     Stable time: 0 days, 3 hours, 8 minutes
     Last state change information: 2016-05-14 11:18:13 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
    
     Configuration:
     hello interval:              1000ms
     preempt:                     60s
     mirror configuration:        off
     mirror session:              off
     track trunk member:          on
     auto-sync configuration:     on
     auto-sync connection-status: on
     adjust ospf-cost:            on
     adjust ospfv3-cost:          on
     adjust bgp-cost:             on
     nat resource:                off
    
     Detail information:
                         Eth-Trunk1 vrrp vrid 1: active
                         Eth-Trunk2 vrrp vrid 2: active
                           GigabitEthernet1/0/1: up
                           GigabitEthernet1/0/2: up
                           GigabitEthernet1/0/3: up
                           GigabitEthernet1/0/4: up
                                      ospf-cost: +0
                                    ospfv3-cost: +0
                                       bgp-cost: +0
    HRP_S<FW-2> display hrp state verbose
     Role: standby, peer: active
     Running priority: 45000, peer: 45000
     Backup channel usage: 0.00%
     Stable time: 0 days, 3 hours, 8 minutes
     Last state change information: 2016-05-14 11:18:18 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.
    
     Configuration:
     hello interval:              1000ms
     preempt:                     60s
     mirror configuration:        off
     mirror session:              off
     track trunk member:          on
     auto-sync configuration:     on
     auto-sync connection-status: on
     adjust ospf-cost:            on
     adjust ospfv3-cost:          on
     adjust bgp-cost:             on
     nat resource:                off
    
     Detail information:
                         Eth-Trunk1 vrrp vrid 1: standby
                         Eth-Trunk2 vrrp vrid 2: standby
                           GigabitEthernet1/0/1: up
                           GigabitEthernet1/0/2: up
                           GigabitEthernet1/0/3: up
                           GigabitEthernet1/0/4: up
                                      ospf-cost: +65500
                                    ospfv3-cost: +65500
                                       bgp-cost: +100
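The two outputs above are read by eye, but the same checks can be scripted when a pair of firewalls is verified regularly. The following is an added example (not Huawei's code, not part of this document) that parses captured `display hrp state verbose` output from both units and reports anything that contradicts a healthy active/standby pair: mismatched roles, unequal running priorities, auto-sync switched off, VRRP groups not following the device role, member interfaces down, and a standby whose OSPF cost has not been raised. The sample text is an abridged copy of the outputs shown above; how the text is captured (SSH, pasted file) is outside the example.

```python
import re

# Constructed sample inputs: abridged copies of the two "display hrp state verbose"
# outputs shown above, one per firewall.
FW1_HRP = """\
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on

 Detail information:
                     Eth-Trunk1 vrrp vrid 1: active
                     Eth-Trunk2 vrrp vrid 2: active
                       GigabitEthernet1/0/1: up
                       GigabitEthernet1/0/2: up
                                  ospf-cost: +0
                                   bgp-cost: +0
"""

FW2_HRP = """\
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on

 Detail information:
                     Eth-Trunk1 vrrp vrid 1: standby
                     Eth-Trunk2 vrrp vrid 2: standby
                       GigabitEthernet1/0/1: up
                       GigabitEthernet1/0/2: up
                                  ospf-cost: +65500
                                   bgp-cost: +100
"""


def parse_hrp_state(text: str) -> dict:
    """Turn one 'display hrp state verbose' output into a dict of role, priority,
    the 'Configuration:' key/value lines and the 'Detail information:' lines."""
    state = {"config": {}, "detail": {}}
    m = re.search(r"Role:\s*(\w+),\s*peer:\s*(\w+)", text)
    state["role"], state["peer_role"] = m.group(1), m.group(2)
    m = re.search(r"Running priority:\s*(\d+),\s*peer:\s*(\d+)", text)
    state["priority"], state["peer_priority"] = int(m.group(1)), int(m.group(2))
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Configuration:":
            section = "config"
            continue
        if stripped == "Detail information:":
            section = "detail"
            continue
        if section is None or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        state[section][key.strip()] = value.strip()
    return state


def check_hrp_pair(fw1: dict, fw2: dict) -> list:
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if {fw1["role"], fw2["role"]} != {"active", "standby"}:
        findings.append(f"expected one active and one standby, got {fw1['role']}/{fw2['role']}")
    if fw1["peer_role"] != fw2["role"] or fw2["peer_role"] != fw1["role"]:
        findings.append("peer role reported by each unit does not match the other's role")
    if fw1["priority"] != fw2["priority"]:
        findings.append("running priorities differ; a tracked interface or link is probably down")
    for name, fw in (("FW-1", fw1), ("FW-2", fw2)):
        for key in ("auto-sync configuration", "auto-sync connection-status"):
            if fw["config"].get(key) != "on":
                findings.append(f"{name}: {key} is not on")
        for key, value in fw["detail"].items():
            if "vrrp vrid" in key and value != fw["role"]:
                findings.append(f"{name}: {key} is {value}, expected {fw['role']}")
            if key.startswith("GigabitEthernet") and value != "up":
                findings.append(f"{name}: {key} is {value}")
        # The standby must advertise a worse OSPF cost so upstream routers prefer the active unit.
        cost = int(fw["detail"].get("ospf-cost", "+0"))
        if fw["role"] == "standby" and cost <= 0:
            findings.append(f"{name}: standby ospf-cost not raised ({cost:+d})")
        if fw["role"] == "active" and cost != 0:
            findings.append(f"{name}: active ospf-cost should be +0, is {cost:+d}")
    return findings


if __name__ == "__main__":
    problems = check_hrp_pair(parse_hrp_state(FW1_HRP), parse_hrp_state(FW2_HRP))
    print("\n".join(problems) if problems else "HRP pair healthy")
```

Running the script against the sample prints `HRP pair healthy`; feeding it a capture in which both units claim the active role produces a finding for the role mismatch, for the peer role seen by each side, and for the VRRP groups and OSPF cost that no longer match the claimed role.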
  2. Test the active/standby switchover.

    Configure a PC in the untrust zone to continuously ping the server address, then run the shutdown command on Eth-Trunk1 of FW-1. Observe the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW-2 becomes the active device and carries services: the command prompt of FW-2 changes from HRP_S to HRP_M, and the command prompt of FW-1 changes from HRP_M to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

    Run the undo shutdown command on Eth-Trunk1 of FW-1 and again observe the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW-1 becomes the active device and starts to carry services after the preemption delay (60s by default) expires: the command prompt of FW-1 changes from HRP_S to HRP_M, and the command prompt of FW-2 changes from HRP_M to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

  3. Check the configuration and update of the IPS signature database.

    # Run the display update configuration command to check the update information of the IPS signature database.

    HRP_M<FW-1> display update configuration
    Update Configuration Information:                                               
    ------------------------------------------------------------                    
      Update Server               : sec.huawei.com                                  
      Update Port                 : 80                                              
      Proxy State                 : disable                                         
      Proxy Server                : -                                               
      Proxy Port                  : -                                               
      Proxy User                  : -                                               
      Proxy Password              : -                                               
      IPS-SDB:                                                                      
        Application Confirmation  : Disable                                         
        Schedule Update           : Enable                                          
        Schedule Update Frequency : Daily                                           
        Schedule Update Time      : 02:30                                           
      AV-SDB:                
        Application Confirmation  : Disable                                         
        Schedule Update           : Enable                                          
        Schedule Update Frequency : Daily                                           
        Schedule Update Time      : 02:30                                           
      SA-SDB:                                                                       
        Application Confirmation  : Disable                                         
        Schedule Update           : Enable                                          
        Schedule Update Frequency : Daily                                           
        Schedule Update Time      : 02:30                                           
      IP-REPUTATION:                                                            
        Application Confirmation  : Disable                                         
        Schedule Update           : Enable                                          
        Schedule Update Frequency : Daily                                           
        Schedule Update Time      : 02:30                                           
      CNC:                                                                          
        Application Confirmation  : Disable                                         
        Schedule Update           : Enable                                          
        Schedule Update Frequency : Daily                                           
        Schedule Update Time      : 02:30                                           
    ------------------------------------------------------------                    

    # Run the display version ips-sdb command to check the current version of the IPS signature database and IPS engine.

    HRP_M<FW-1> display version ips-sdb
    IPS SDB Update Information List:                                                
    ----------------------------------------------------------------                
      Current Version:                                                              
        Signature Database Version    : 2016050703                                  
        Signature Database Size(byte) : 2659606                                     
        Update Time                   : 02:30:00 2016/05/08                         
        Issue Time of the Update File : 16:06:30 2016/05/07                         
                                                                                    
      Backup Version:                                                               
        Signature Database Version    :                                             
        Signature Database Size(byte) : 0                                           
        Update Time                   : 00:00:00 0000/00/00                         
        Issue Time of the Update File : 00:00:00 0000/00/00                         
    ----------------------------------------------------------------                
    IPS Engine Information List:                                                    
    ----------------------------------------------------------------                
      Current Version:                                                              
        IPS Engine Version            : V200R002C00SPC060                           
        IPS Engine Size(byte)         : 3145728                                     
        Update Time                   : 02:30:00 2016/05/08                         
        Issue Time of the Update File : 16:06:30 2016/05/07                         
                                                                                    
      Backup Version:                                                               
        IPS Engine Version            :                                             
        IPS Engine Size(byte)         : 0                                           
        Update Time                   : 00:00:00 0000/00/00                         
        Issue Time of the Update File : 00:00:00 0000/00/00                         
    ----------------------------------------------------------------                
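Step 3 only confirms that scheduled updates are enabled and that a signature database is loaded; what a defender wants to know over time is whether every database still has its schedule on and whether the loaded IPS signatures are stale. The following is an added example (not Huawei's code, not part of this document) that parses abridged copies of the two outputs above and flags a database whose scheduled update is not Enable, an empty current version, and an IPS signature database older than a chosen threshold. In the constructed config sample, AV-SDB is deliberately set to Disable so that the check has something to report; the threshold of 7 days is an assumption, not a vendor recommendation.

```python
from datetime import datetime

# Constructed sample: abridged "display update configuration" output. Unlike the output
# above, AV-SDB is deliberately set to Disable here so the check has something to flag.
UPDATE_CONFIG = """\
Update Configuration Information:
------------------------------------------------------------
  Update Server               : sec.huawei.com
  Update Port                 : 80
  Proxy State                 : disable
  IPS-SDB:
    Application Confirmation  : Disable
    Schedule Update           : Enable
    Schedule Update Frequency : Daily
    Schedule Update Time      : 02:30
  AV-SDB:
    Application Confirmation  : Disable
    Schedule Update           : Disable
    Schedule Update Frequency : Daily
    Schedule Update Time      : 02:30
  SA-SDB:
    Schedule Update           : Enable
  IP-REPUTATION:
    Schedule Update           : Enable
  CNC:
    Schedule Update           : Enable
------------------------------------------------------------
"""

# Constructed sample: the signature database part of the "display version ips-sdb" output above.
IPS_SDB_VERSION = """\
IPS SDB Update Information List:
----------------------------------------------------------------
  Current Version:
    Signature Database Version    : 2016050703
    Signature Database Size(byte) : 2659606
    Update Time                   : 02:30:00 2016/05/08
    Issue Time of the Update File : 16:06:30 2016/05/07

  Backup Version:
    Signature Database Version    :
    Signature Database Size(byte) : 0
    Update Time                   : 00:00:00 0000/00/00
----------------------------------------------------------------
"""

# Database names exactly as they appear as headings in the update configuration output.
DATABASES = ("IPS-SDB", "AV-SDB", "SA-SDB", "IP-REPUTATION", "CNC")


def parse_update_configuration(text: str) -> dict:
    """Group 'key : value' lines under the heading (e.g. 'IPS-SDB:') they follow."""
    sections = {"global": {}}
    current = "global"
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("-"):
            continue
        if s.endswith(":"):          # a heading such as "IPS-SDB:" opens a new section
            current = s[:-1]
            sections[current] = {}
            continue
        key, _, value = s.partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_current_ips_version(text: str) -> dict:
    """Extract version and update time of the loaded (Current Version) IPS signature database."""
    block = text.split("Current Version:", 1)[1].split("Backup Version:", 1)[0]
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "version": fields.get("Signature Database Version", ""),
        "updated": datetime.strptime(fields["Update Time"], "%H:%M:%S %Y/%m/%d"),
    }


def check_signature_updates(update_cfg: str, ips_version: str, now: datetime,
                            max_age_days: int = 7) -> list:
    """Return findings; an empty list means all schedules are on and the IPS database is fresh."""
    findings = []
    cfg = parse_update_configuration(update_cfg)
    for db in DATABASES:
        state = cfg.get(db, {}).get("Schedule Update")
        if state != "Enable":
            findings.append(f"{db}: scheduled update is {state or 'not configured'}")
    current = parse_current_ips_version(ips_version)
    if not current["version"]:
        findings.append("IPS-SDB: no signature database loaded")
    age_days = (now - current["updated"]).days
    if age_days > max_age_days:
        findings.append(f"IPS-SDB: version {current['version']} is {age_days} days old")
    return findings


if __name__ == "__main__":
    for finding in check_signature_updates(UPDATE_CONFIG, IPS_SDB_VERSION, datetime.now()):
        print(finding)
```

Run against the sample with the capture date used in this document (2016-05-14), the only finding is the disabled AV-SDB schedule; run weeks later without a successful update, the age check fires as well. The age is computed from the device's own `Update Time` field, so the clock of the host running the check and the firewall clock should agree.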
    
  4. Verify the access permission of users in each security zone to the data center network.

    If the access control result conforms to the security policy planning in Service Planning, the configuration is successful.

Updated: 2019-01-26

Document ID: EDOC1100062972