HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.

Configuration Procedure

Procedure

  1. Configure the interfaces. For each outbound interface that takes part in intelligent uplink selection, also configure the gateway (reverse next-hop) address, the bandwidth, and the overload protection threshold.

    <FW> system-view
    [FW] interface GigabitEthernet 1/0/1
    [FW-GigabitEthernet1/0/1] description connect_to_edu
    [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
    [FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
    [FW-GigabitEthernet1/0/1] bandwidth ingress 10000000 threshold 90
    [FW-GigabitEthernet1/0/1] bandwidth egress 10000000 threshold 90
    [FW-GigabitEthernet1/0/1] quit
    [FW] interface GigabitEthernet 1/0/2
    [FW-GigabitEthernet1/0/2] description connect_to_isp1
    [FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
    [FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
    [FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
    [FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
    [FW-GigabitEthernet1/0/2] quit
    [FW] interface GigabitEthernet 1/0/3
    [FW-GigabitEthernet1/0/3] description connect_to_isp1
    [FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252
    [FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2
    [FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90
    [FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90
    [FW-GigabitEthernet1/0/3] quit
    [FW] interface GigabitEthernet 1/0/4
    [FW-GigabitEthernet1/0/4] description connect_to_isp1
    [FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252
    [FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2
    [FW-GigabitEthernet1/0/4] bandwidth ingress 2000000 threshold 90
    [FW-GigabitEthernet1/0/4] bandwidth egress 2000000 threshold 90
    [FW-GigabitEthernet1/0/4] quit
    [FW] interface GigabitEthernet 1/0/5
    [FW-GigabitEthernet1/0/5] description connect_to_isp2
    [FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252
    [FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2
    [FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90
    [FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90
    [FW-GigabitEthernet1/0/5] quit
    [FW] interface GigabitEthernet 1/0/6
    [FW-GigabitEthernet1/0/6] description connect_to_isp2
    [FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252
    [FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2
    [FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90
    [FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90
    [FW-GigabitEthernet1/0/6] quit
    [FW] interface GigabitEthernet 1/0/7
    [FW-GigabitEthernet1/0/7] description connect_to_campus
    [FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0
    [FW-GigabitEthernet1/0/7] quit
    

  2. Configure a security policy.
    1. Create a security zone for each link to the education network, the ISP1 network, and the ISP2 network, and assign the corresponding interface to each zone.

      [FW] firewall zone name edu_zone
      [FW-zone-edu_zone] set priority 20
      [FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
      [FW-zone-edu_zone] quit
      [FW] firewall zone name isp1_zone1
      [FW-zone-isp1_zone1] set priority 30
      [FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
      [FW-zone-isp1_zone1] quit
      [FW] firewall zone name isp1_zone2
      [FW-zone-isp1_zone2] set priority 40
      [FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3
      [FW-zone-isp1_zone2] quit
      [FW] firewall zone name isp1_zone3
      [FW-zone-isp1_zone3] set priority 50
      [FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
      [FW-zone-isp1_zone3] quit
      [FW] firewall zone name isp2_zone1
      [FW-zone-isp2_zone1] set priority 60
      [FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
      [FW-zone-isp2_zone1] quit
      [FW] firewall zone name isp2_zone2
      [FW-zone-isp2_zone2] set priority 70
      [FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6
      [FW-zone-isp2_zone2] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 1/0/7
      [FW-zone-trust] quit
      

    2. Configure interzone security policies to control access between zones. Reference the default intrusion prevention profile in the security policies and configure intrusion prevention.

      [FW] security-policy
      [FW-policy-security] rule name user_inside
      [FW-policy-security-rule-user_inside] source-zone trust
      [FW-policy-security-rule-user_inside] action permit
      [FW-policy-security-rule-user_inside] profile ips default
      [FW-policy-security-rule-user_inside] quit
      [FW-policy-security] rule name user_outside
      [FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
      [FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24
      [FW-policy-security-rule-user_outside] action permit
      [FW-policy-security-rule-user_outside] profile ips default
      [FW-policy-security-rule-user_outside] quit
      [FW-policy-security] rule name local_to_any
      [FW-policy-security-rule-local_to_any] source-zone local
      [FW-policy-security-rule-local_to_any] destination-zone any
      [FW-policy-security-rule-local_to_any] action permit
      [FW-policy-security-rule-local_to_any] quit
      [FW-policy-security] quit
      

    3. Configure the scheduled update function for the intrusion prevention function.

      NOTE:

      A license is available for updating the signature database, and the license is activated on the device.

      1. Configure an update center.

        [FW] update server domain sec.huawei.com
        
      2. The device can access the update server directly or through a proxy server. In this example, the device can directly access the update server.

        [FW] dns resolve
        [FW] dns server 10.1.10.30
        
      3. Configure the scheduled update function and set the scheduled update time.

        [FW] update schedule ips-sdb enable
        [FW] update schedule sa-sdb enable
        [FW] update schedule ips-sdb daily 02:30
        [FW] update schedule sa-sdb daily 02:30
        

  3. Configure IP-link to detect whether the status of each ISP link is normal.

    NOTE:

    The IP-link configuration commands on the USG6000 and USG9500 are different. The USG6000 is used in this example for illustration.

    [FW] ip-link check enable
    [FW] ip-link name edu_ip_link
    [FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
    [FW-iplink-edu_ip_link] quit
    [FW] ip-link name isp1_ip_link
    [FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
    [FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
    [FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
    [FW-iplink-isp1_ip_link] quit
    [FW] ip-link name isp2_ip_link
    [FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
    [FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
    [FW-iplink-isp2_ip_link] quit
    

  4. Configure routes.

    Routes other than those required in this example are configured by the network administrator and are not shown here.

    # Configure a static route whose destination address belongs to the network segment of the intranet and next-hop address is the address of the intranet switch so that extranet traffic can reach the intranet.

    [FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
    

  5. Configure DNS transparent proxy.

    # Configure the IP address of each interface bound to the DNS server.

    [FW] dns-transparent-policy
    [FW-policy-dns] dns transparent-proxy enable
    [FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
    [FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
    [FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
    [FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
    [FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
    [FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
    

    # Configure a domain name exception.

    [FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
    

    # Configure a DNS transparent proxy policy.

    [FW-policy-dns] rule name dns_trans_rule
    [FW-policy-dns-rule-dns_trans_rule] action tpdns
    [FW-policy-dns-rule-dns_trans_rule] quit
    [FW-policy-dns] quit
    

    # Configure PBR intelligent uplink selection to load balance DNS request packets to each link.

    [FW] policy-based-route
    [FW-policy-pbr] rule name pbr_dns_trans
    [FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
    [FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
    [FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
    [FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
    [FW-policy-pbr-rule-pbr_dns_trans] quit
    [FW-policy-pbr] quit
    

  6. Configure intelligent uplink selection.

    # Configure ISP address sets.

    1. Upload ISP address files to the FW through SFTP.

    2. Create an ISP name for each of the education network, ISP1 network, and ISP2 network and associate it with the corresponding ISP address file.

      [FW] isp name edu_address set filename edu_address.csv
      [FW] isp name isp1_address set filename isp1_address.csv
      [FW] isp name isp2_address set filename isp2_address.csv
      [FW] isp name other_edu_server_address set filename other_edu_server_address.csv
      

    # Create an application corresponding to the distance education system software and reference the application in the PBR so that traffic generated by the distance education system software is forwarded over the education network and ISP2 links.

    NOTE:

    Ensure that the FW has the route configuration that guides the transmission of the traffic generated by the distance education system even if PBR is unavailable.

    [FW] sa
    [FW-sa] user-defined-application name UD_dis_edu_sys_app
    [FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems sub-category Enterprise_Application
    [FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
    [FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
    [FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
    [FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
    [FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
    [FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
    [FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
    [FW-sa] quit
    [FW] policy-based-route
    [FW-policy-pbr] rule name dis_edu_sys
    [FW-policy-pbr-rule-dis_edu_sys] source-zone trust
    [FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
    [FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
    [FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
    [FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
    [FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
    [FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
    [FW-policy-pbr-rule-dis_edu_sys] quit
    

    # Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.

    NOTE:

    Ensure that the FW has the route configuration that guides P2P traffic transmission even if PBR is unavailable.

    [FW-policy-pbr] rule name p2p_traffic
    [FW-policy-pbr-rule-p2p_traffic] source-zone trust
    [FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
    [FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
    [FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
    [FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
    [FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
    [FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
    [FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
    [FW-policy-pbr-rule-p2p_traffic] quit
    

    # Configure single-ISP PBR.

    1. Configure the traffic destined for servers of other campuses and the network access traffic of users in the library to be forwarded over the link to the education network.

      [FW-policy-pbr] rule name other_edu_server
      [FW-policy-pbr-rule-other_edu_server] source-zone trust
      [FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16
      [FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address
      [FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
      [FW-policy-pbr-rule-other_edu_server] quit
      [FW-policy-pbr] rule name lib_internet
      [FW-policy-pbr-rule-lib_internet] source-zone trust
      [FW-policy-pbr-rule-lib_internet] source-address 10.1.50.0 22
      [FW-policy-pbr-rule-lib_internet] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
      [FW-policy-pbr-rule-lib_internet] quit
      

    # Configure destination address-based PBR intelligent uplink selection.

    1. Prefer the link to the education network to forward traffic destined for an address in the address set of the education network.

      [FW-policy-pbr] rule name pbr_edu
      [FW-policy-pbr-rule-pbr_edu] source-zone trust
      [FW-policy-pbr-rule-pbr_edu] source-address 10.1.0.0 16
      [FW-policy-pbr-rule-pbr_edu] destination-address isp edu_address
      [FW-policy-pbr-rule-pbr_edu] action pbr egress-interface multi-interface
      [FW-policy-pbr-rule-pbr_edu-multi-inter] mode priority-of-userdefine
      [FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
      [FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
      [FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
      [FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
      [FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
      [FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
      [FW-policy-pbr-rule-pbr_edu-multi-inter] quit
      [FW-policy-pbr-rule-pbr_edu] quit
      
    2. Prefer ISP1 links to forward traffic destined for an address in the address set of ISP1 network.

      [FW-policy-pbr] rule name pbr_isp1
      [FW-policy-pbr-rule-pbr_isp1] source-zone trust
      [FW-policy-pbr-rule-pbr_isp1] source-address 10.1.0.0 16
      [FW-policy-pbr-rule-pbr_isp1] destination-address isp isp1_address
      [FW-policy-pbr-rule-pbr_isp1] action pbr egress-interface multi-interface
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] mode priority-of-userdefine
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
      [FW-policy-pbr-rule-pbr_isp1-multi-inter] quit
      [FW-policy-pbr-rule-pbr_isp1] quit
      
    3. Prefer ISP2 links to forward traffic destined for an address in the address set of ISP2 network.

      [FW-policy-pbr] rule name pbr_isp2
      [FW-policy-pbr-rule-pbr_isp2] source-zone trust
      [FW-policy-pbr-rule-pbr_isp2] source-address 10.1.0.0 16
      [FW-policy-pbr-rule-pbr_isp2] destination-address isp isp2_address
      [FW-policy-pbr-rule-pbr_isp2] action pbr egress-interface multi-interface
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] mode priority-of-userdefine
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
      [FW-policy-pbr-rule-pbr_isp2-multi-inter] quit
      [FW-policy-pbr-rule-pbr_isp2] quit
      

    # Select the link with the highest quality through PBR pbr_rest to forward the traffic that does not match any ISP address set.

    [FW-policy-pbr] rule name pbr_rest
    [FW-policy-pbr-rule-pbr_rest] source-zone trust
    [FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
    [FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
    [FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
    [FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
    [FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
    [FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
    [FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
    [FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
    [FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
    [FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
    [FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
    [FW-policy-pbr-rule-pbr_rest-multi-inter] quit
    [FW-policy-pbr-rule-pbr_rest] quit
    [FW-policy-pbr] quit
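
The selection logic behind steps 1, 3 and 6, as an added Python model (not Huawei code): a destination is matched against the ISP address sets, the matching PBR rule's interface priorities are applied, and a link is skipped when its IP-link probe has failed or its load has reached the overload threshold from step 1. The ISP address files, probe delays and link loads are constructed; the CSV layout (one CIDR per line), the tie-break between equal priorities and the use of delay alone for `priority-of-link-quality` are assumptions of the model, not documented device behaviour.

```python
"""Model of PBR intelligent uplink selection (steps 1, 3 and 6).

Added example, not Huawei code. Link bandwidths and the 90 % threshold are
the values from step 1; ISP address files, probe delays and link loads are
constructed, and the CSV layout (one CIDR per line) is an assumption.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from fractions import Fraction

EDU_CSV = "1.1.0.0/16\n"                  # constructed edu_address.csv
ISP1_CSV = "2.2.0.0/16\n2.3.0.0/16\n"     # constructed isp1_address.csv


def load_isp_set(text):
    """Parse an ISP address file (assumed: one CIDR per line, '#' comments)."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        if row and not row[0].startswith("#"):
            nets.append(ipaddress.ip_network(row[0].strip()))
    return nets


def in_isp_set(ip, nets):
    """True when ip falls inside any prefix of the ISP address set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


@dataclass
class Link:
    name: str
    egress_kbps: int         # 'bandwidth egress <kbps> threshold 90' (step 1)
    delay_ms: float          # constructed link-quality probe result
    threshold_pct: int = 90
    used_kbps: int = 0       # constructed current egress load
    ip_link_up: bool = True  # IP-link ICMP probe result (step 3)

    def usable(self):
        # Skip a link whose probe failed or whose load reached the threshold.
        limit = self.egress_kbps * self.threshold_pct // 100
        return self.ip_link_up and self.used_kbps < limit


def build_links():
    """The six uplinks of step 1 with their configured egress bandwidth."""
    return [
        Link("GE1/0/1", 10_000_000, 12.0),
        Link("GE1/0/2", 200_000, 20.0),
        Link("GE1/0/3", 1_000_000, 18.0),
        Link("GE1/0/4", 2_000_000, 25.0),
        Link("GE1/0/5", 1_000_000, 30.0),
        Link("GE1/0/6", 1_000_000, 28.0),
    ]


def priority_of_userdefine(links, priority):
    """Usable link with the highest 'priority N'; ties go to the first
    configured link (the tie-break is an assumption of this model)."""
    usable = [l for l in links if l.usable()]
    return max(usable, key=lambda l: priority[l.name]).name if usable else None


def proportion_of_bandwidth(links, sessions):
    """Spread new sessions over usable links in proportion to bandwidth
    (deterministic weighted round-robin; the device's exact distribution
    is not on the page, so this is a model)."""
    usable = [l for l in links if l.usable()]
    counts = {l.name: 0 for l in usable}
    for _ in range(sessions):
        best = min(usable, key=lambda l: Fraction(counts[l.name], l.egress_kbps))
        counts[best.name] += 1
    return counts


# Priorities exactly as configured in pbr_edu and pbr_isp1 (step 6).
PBR_EDU = {"GE1/0/1": 8, "GE1/0/2": 5, "GE1/0/3": 5, "GE1/0/4": 5, "GE1/0/5": 1, "GE1/0/6": 1}
PBR_ISP1 = {"GE1/0/1": 5, "GE1/0/2": 8, "GE1/0/3": 8, "GE1/0/4": 8, "GE1/0/5": 1, "GE1/0/6": 1}


def choose_egress(dst_ip, links, edu_nets, isp1_nets):
    """Walk the destination-based PBR rules in order; return (rule, interface)."""
    if in_isp_set(dst_ip, edu_nets):
        return "pbr_edu", priority_of_userdefine(links, PBR_EDU)
    if in_isp_set(dst_ip, isp1_nets):
        return "pbr_isp1", priority_of_userdefine(links, PBR_ISP1)
    # pbr_rest: priority-of-link-quality, modelled here as lowest probe delay.
    usable = [l for l in links if l.usable()]
    return "pbr_rest", (min(usable, key=lambda l: l.delay_ms).name if usable else None)


if __name__ == "__main__":
    links = build_links()
    edu, isp1 = load_isp_set(EDU_CSV), load_isp_set(ISP1_CSV)
    print(choose_egress("1.1.50.5", links, edu, isp1))   # ('pbr_edu', 'GE1/0/1')
    links[0].ip_link_up = False                          # edu link probe fails
    print(choose_egress("1.1.50.5", links, edu, isp1))   # ('pbr_edu', 'GE1/0/2')
```

Marking a link as unusable when its IP-link probe fails is what keeps `pbr_edu` from black-holing education traffic on a dead link: the next priority tier (the ISP1 links at priority 5) takes over, which is the failover the NOTEs about "route configuration even if PBR is unavailable" rely on.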
    

  7. Configure server load balancing.

    # Enable server load balancing.

    [FW] slb enable
    

    # Configure a load balancing algorithm.

    [FW] slb
    [FW-slb] group 1 grp1
    [FW-slb-group-1] metric roundrobin
    

    # Add real servers to the real server group.

    [FW-slb-group-1] rserver 1 rip 10.1.10.10
    [FW-slb-group-1] rserver 2 rip 10.1.10.11
    [FW-slb-group-1] quit
    

    # Configure a virtual server IP address.

    [FW-slb] vserver 1 vs1
    [FW-slb-vserver-1] vip 1 1.1.111.111
    [FW-slb-vserver-1] vip 2 2.2.112.112
    [FW-slb-vserver-1] vip 3 3.3.113.113
    

    # Associate the virtual server with the real server group.

    [FW-slb-vserver-1] group grp1
    [FW-slb-vserver-1] quit
    [FW-slb] quit
    

  8. Configure smart DNS.

    # Enable smart DNS.

    [FW] dns-smart enable
    

    # Create a smart DNS group and configure smart DNS mappings in the group.

    [FW] dns-smart group 1 type single
    [FW-dns-smart-group-1] real-server-ip 1.1.15.15
    [FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
    [FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
    [FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
    [FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
    [FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
    [FW-dns-smart-group-1] quit
    [FW] dns-smart group 2 type single
    [FW-dns-smart-group-2] real-server-ip 1.1.101.101
    [FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
    [FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
    [FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
    [FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
    [FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
    [FW-dns-smart-group-2] quit
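
The two DNS rewrites the FW performs in steps 5 and 8, as an added Python model (not Huawei code): the DNS transparent proxy sends a trust-zone query to the resolver bound to whichever link PBR chose for it (with the `www.example.com` exception kept on its fixed server), and smart DNS rewrites the A records in a response from the intranet DNS server so that a client reached over an ISP link receives that ISP's public address. The server bindings, exception and mappings are the values from steps 5 and 8; the wire-format response is constructed with the builder below, and falling back to the alternate server when the preferred one is unreachable is an assumption.

```python
"""DNS transparent proxy (step 5) and smart DNS A-record rewriting (step 8).

Added example, not Huawei code. The DNS response is constructed; the
alternate-server fallback is an assumed behaviour.
"""
import socket
import struct

# dns server bind interface <if> preferred <ip> alternate <ip>   (step 5)
DNS_BINDINGS = {
    "GE1/0/1": ("1.1.22.22", "1.1.23.23"),
    "GE1/0/2": ("2.2.22.22", "2.2.23.23"),
    "GE1/0/3": ("2.2.24.24", "2.2.25.25"),
    "GE1/0/4": ("2.2.26.26", "2.2.27.27"),
    "GE1/0/5": ("3.3.22.22", "3.3.23.23"),
    "GE1/0/6": ("3.3.24.24", "3.3.25.25"),
}
# dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
DNS_EXCEPTIONS = {"www.example.com": "1.1.25.25"}

# dns-smart group: real-server-ip -> {out-interface: mapped public address}   (step 8)
SMART_DNS = {
    "1.1.15.15": {"GE1/0/2": "2.2.15.15", "GE1/0/3": "2.2.16.16", "GE1/0/4": "2.2.17.17",
                  "GE1/0/5": "3.3.15.15", "GE1/0/6": "3.3.16.16"},
    "1.1.101.101": {"GE1/0/2": "2.2.102.102", "GE1/0/3": "2.2.103.103", "GE1/0/4": "2.2.104.104",
                    "GE1/0/5": "3.3.102.102", "GE1/0/6": "3.3.103.103"},
}


def transparent_proxy(qname, egress_if, preferred_reachable=True):
    """Return the resolver a trust-zone query is redirected to, given the
    egress link that pbr_dns_trans selected for it."""
    if qname in DNS_EXCEPTIONS:          # excluded domains keep their fixed server
        return DNS_EXCEPTIONS[qname]
    preferred, alternate = DNS_BINDINGS[egress_if]
    return preferred if preferred_reachable else alternate


def _encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed minimal DNS response: one A question, one A record per answer,
    answer names compressed as pointers to the question name at offset 12."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in answers)
    return hdr + question + rrs


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def rewrite_smart_dns(pkt, out_interface):
    """Walk the answer section and replace each A rdata that has a smart DNS
    mapping for the interface the response leaves through. Returns the new
    packet and the list of (original, rewritten) addresses."""
    pkt = bytearray(pkt)
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4   # qtype + qclass
    changes = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            ip = socket.inet_ntoa(bytes(pkt[off:off + 4]))
            mapped = SMART_DNS.get(ip, {}).get(out_interface, ip)
            pkt[off:off + 4] = socket.inet_aton(mapped)
            changes.append((ip, mapped))
        off += rdlen
    return bytes(pkt), changes


if __name__ == "__main__":
    resp = build_response("portal.example.edu", ["1.1.15.15", "10.1.10.40"])
    print(rewrite_smart_dns(resp, "GE1/0/4")[1])   # [('1.1.15.15', '2.2.17.17'), ('10.1.10.40', '10.1.10.40')]
    print(transparent_proxy("www.example.com", "GE1/0/5"))   # 1.1.25.25
```

Only the rdata bytes are touched, so the rewritten response keeps its length, TTLs and transaction ID; an address without a mapping for that interface (the education-network link GE1/0/1, or any intranet address) is returned unchanged, which is why the edu_zone NAT server still uses the real server address 1.1.15.15.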
    

  9. Configure the security zone-based NAT server function so that users on different ISP networks can use corresponding public IP addresses to access intranet servers.

    # Configure the NAT server function for the Portal server.

    [FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
    [FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
    [FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
    [FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
    [FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
    [FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
    

    # Configure the NAT server function for the DNS server.

    [FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
    [FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
    [FW] nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
    [FW] nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
    [FW] nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
    [FW] nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
    

    # Configure a black-hole route to the public address of the NAT server to prevent routing loops.

    [FW] ip route-static 1.1.15.15 32 NULL 0
    [FW] ip route-static 2.2.15.15 32 NULL 0
    [FW] ip route-static 2.2.16.16 32 NULL 0
    [FW] ip route-static 2.2.17.17 32 NULL 0
    [FW] ip route-static 3.3.15.15 32 NULL 0
    [FW] ip route-static 3.3.16.16 32 NULL 0
    [FW] ip route-static 1.1.101.101 32 NULL 0
    [FW] ip route-static 2.2.102.102 32 NULL 0
    [FW] ip route-static 2.2.103.103 32 NULL 0
    [FW] ip route-static 2.2.104.104 32 NULL 0
    [FW] ip route-static 3.3.102.102 32 NULL 0
    [FW] ip route-static 3.3.103.103 32 NULL 0
    

  10. Configure source NAT.

    # Configure source NAT for traffic destined for the education network. The address in the address pool is the public address of the education network.

    [FW] nat address-group edu_nat_address_pool
    [FW-address-group-edu_nat_address_pool] mode pat
    [FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
    [FW-address-group-edu_nat_address_pool] quit
    [FW] nat-policy
    [FW-policy-nat] rule name edu_nat_policy
    [FW-policy-nat-rule-edu_nat_policy] source-zone trust
    [FW-policy-nat-rule-edu_nat_policy] destination-zone edu_zone
    [FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
    [FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
    [FW-policy-nat-rule-edu_nat_policy] quit
    [FW-policy-nat] quit
    
    # Configure intrazone NAT so that users can access the intranet server through its public address.

    [FW] nat-policy
    [FW-policy-nat] rule name inner_nat_policy
    [FW-policy-nat-rule-inner_nat_policy] source-zone trust
    [FW-policy-nat-rule-inner_nat_policy] destination-zone trust
    [FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
    [FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
    [FW-policy-nat-rule-inner_nat_policy] quit
    [FW-policy-nat] quit
    

    # Configure source NAT for traffic destined for ISP1 network. The address in the address pool is the public address of ISP1 network.

    [FW] nat address-group isp1_nat_address_pool1
    [FW-address-group-isp1_nat_address_pool1] mode pat
    [FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
    [FW-address-group-isp1_nat_address_pool1] quit
    [FW] nat-policy
    [FW-policy-nat] rule name isp1_nat_policy1
    [FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
    [FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
    [FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
    [FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
    [FW-policy-nat-rule-isp1_nat_policy1] quit
    [FW-policy-nat] quit
    [FW] nat address-group isp1_nat_address_pool2
    [FW-address-group-isp1_nat_address_pool2] mode pat
    [FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
    [FW-address-group-isp1_nat_address_pool2] quit
    [FW] nat-policy
    [FW-policy-nat] rule name isp1_nat_policy2
    [FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
    [FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
    [FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
    [FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
    [FW-policy-nat-rule-isp1_nat_policy2] quit
    [FW-policy-nat] quit
    [FW] nat address-group isp1_nat_address_pool3
    [FW-address-group-isp1_nat_address_pool3] mode pat
    [FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
    [FW-address-group-isp1_nat_address_pool3] quit
    [FW] nat-policy
    [FW-policy-nat] rule name isp1_nat_policy3
    [FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
    [FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
    [FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
    [FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
    [FW-policy-nat-rule-isp1_nat_policy3] quit
    [FW-policy-nat] quit
    

    # Configure source NAT for traffic destined for ISP2 network. The address in the address pool is the public address of ISP2 network.

    [FW] nat address-group isp2_nat_address_pool1
    [FW-address-group-isp2_nat_address_pool1] mode pat
    [FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
    [FW-address-group-isp2_nat_address_pool1] quit
    [FW] nat-policy
    [FW-policy-nat] rule name isp2_nat_policy1
    [FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
    [FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
    [FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
    [FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
    [FW-policy-nat-rule-isp2_nat_policy1] quit
    [FW-policy-nat] quit
    [FW] nat address-group isp2_nat_address_pool2
    [FW-address-group-isp2_nat_address_pool2] mode pat
    [FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
    [FW-address-group-isp2_nat_address_pool2] quit
    [FW] nat-policy
    [FW-policy-nat] rule name isp2_nat_policy2
    [FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
    [FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
    [FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
    [FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
    [FW-policy-nat-rule-isp2_nat_policy2] quit
    [FW-policy-nat] quit
    

    # Configure black-hole routes to public addresses of the NAT address pool to prevent routing loops.

    [FW] ip route-static 1.1.30.31 32 NULL 0
    [FW] ip route-static 1.1.30.32 32 NULL 0
    [FW] ip route-static 1.1.30.33 32 NULL 0
    [FW] ip route-static 2.2.5.1 32 NULL 0
    [FW] ip route-static 2.2.5.2 32 NULL 0
    [FW] ip route-static 2.2.5.3 32 NULL 0
    [FW] ip route-static 2.2.6.1 32 NULL 0
    [FW] ip route-static 2.2.6.2 32 NULL 0
    [FW] ip route-static 2.2.6.3 32 NULL 0
    [FW] ip route-static 2.2.7.1 32 NULL 0
    [FW] ip route-static 2.2.7.2 32 NULL 0
    [FW] ip route-static 2.2.7.3 32 NULL 0
    [FW] ip route-static 3.3.1.1 32 NULL 0
    [FW] ip route-static 3.3.1.2 32 NULL 0
    [FW] ip route-static 3.3.1.3 32 NULL 0
    [FW] ip route-static 3.3.2.1 32 NULL 0
    [FW] ip route-static 3.3.2.2 32 NULL 0
    [FW] ip route-static 3.3.2.3 32 NULL 0
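
A consistency check for the NAT server, NAT address-pool, smart DNS and black-hole route configuration of steps 2, 8, 9 and 10, as an added Python example (not Huawei tooling). It parses a constructed excerpt written in the page's CLI syntax and reports the three slips a reviewer looks for in this kind of configuration: a NAT server bound to a zone that was never created (every zone in step 2 carries a numeric suffix, so a bare `isp1_zone` would be such a slip), a public address that is advertised by a NAT server, an address-pool section or a smart DNS mapping but has no `ip route-static <ip> 32 NULL 0` black-hole route, and a smart DNS mapped address with no NAT server behind it. The excerpt and its deliberate errors are constructed.

```python
"""Consistency checker for NAT server / address pool / smart DNS / black-hole
routes (steps 2, 8, 9, 10). Added example, not Huawei tooling; the excerpt
below is constructed and contains three deliberate errors."""
import ipaddress
import re

CONFIG = """\
firewall zone name edu_zone
firewall zone name isp1_zone1
firewall zone name isp1_zone2
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
nat address-group isp1_nat_address_pool2
 section 0 2.2.6.1 2.2.6.3
dns-smart group 1 type single
 real-server-ip 1.1.15.15
 out-interface GigabitEthernet 1/0/2 map 2.2.15.15
 out-interface GigabitEthernet 1/0/3 map 2.2.16.16
 out-interface GigabitEthernet 1/0/4 map 2.2.17.17
ip route-static 1.1.15.15 32 NULL 0
ip route-static 2.2.15.15 32 NULL 0
ip route-static 2.2.16.16 32 NULL 0
ip route-static 2.2.6.1 32 NULL 0
ip route-static 2.2.6.2 32 NULL 0
"""

ZONE_RE = re.compile(r"^firewall zone (?:name )?(\S+)")
NAT_SERVER_RE = re.compile(r"^nat server (\S+) zone (\S+) global (\S+) inside (\S+)")
SECTION_RE = re.compile(r"^\s*section \d+ (\S+) (\S+)")
MAP_RE = re.compile(r"^\s*out-interface \S+ \S+ map (\S+)")
BLACKHOLE_RE = re.compile(r"^ip route-static (\S+) 32 NULL 0")


def parse(config):
    """Collect zones, NAT servers, pool addresses, smart DNS maps and black-hole routes."""
    zones = {"local", "trust", "untrust", "dmz"}    # zones predefined on the FW
    nat_servers, pool_ips, dns_maps, blackholes = [], set(), set(), set()
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := NAT_SERVER_RE.match(line):
            nat_servers.append(m.groups())            # (name, zone, global, inside)
        elif m := SECTION_RE.match(line):
            first, last = (int(ipaddress.ip_address(x)) for x in m.groups())
            pool_ips.update(str(ipaddress.ip_address(i)) for i in range(first, last + 1))
        elif m := MAP_RE.match(line):
            dns_maps.add(m.group(1))
        elif m := BLACKHOLE_RE.match(line):
            blackholes.add(m.group(1))
    return zones, nat_servers, pool_ips, dns_maps, blackholes


def check(config):
    """Return a list of human-readable findings; empty means consistent."""
    zones, nat_servers, pool_ips, dns_maps, blackholes = parse(config)
    findings = []
    global_ips = {g for _, _, g, _ in nat_servers}
    for name, zone, _, _ in nat_servers:
        if zone not in zones:
            findings.append(f"nat server {name}: zone {zone} does not exist")
    # Every public address the FW answers for needs a black-hole route,
    # otherwise a packet for an idle address can loop between FW and ISP router.
    for ip in sorted(global_ips | pool_ips, key=ipaddress.ip_address):
        if ip not in blackholes:
            findings.append(f"public address {ip}: no black-hole route")
    # A smart DNS answer is useless if nothing translates the mapped address inbound.
    for ip in sorted(dns_maps, key=ipaddress.ip_address):
        if ip not in global_ips:
            findings.append(f"smart DNS map {ip}: no nat server with this global address")
    return findings


if __name__ == "__main__":
    for finding in check(CONFIG):
        print(finding)
```

Run against the page's full configuration, the check is a quick way to confirm that every `section` range of the NAT pools and every `global` address of the NAT servers appears in the black-hole route list, which is easy to get wrong by hand when there are eighteen pool addresses and twelve server addresses.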
    

  11. Configure NAT ALG between the Trust zone and other security zones. In this example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT ALG, enable ASPF.

    [FW] firewall interzone trust edu_zone
    [FW-interzone-trust-edu_zone] detect ftp
    [FW-interzone-trust-edu_zone] detect qq
    [FW-interzone-trust-edu_zone] detect rtsp
    [FW-interzone-trust-edu_zone] quit
    [FW] firewall interzone trust isp1_zone1
    [FW-interzone-trust-isp1_zone1] detect ftp
    [FW-interzone-trust-isp1_zone1] detect qq
    [FW-interzone-trust-isp1_zone1] detect rtsp
    [FW-interzone-trust-isp1_zone1] quit
    [FW] firewall interzone trust isp1_zone2
    [FW-interzone-trust-isp1_zone2] detect ftp
    [FW-interzone-trust-isp1_zone2] detect qq
    [FW-interzone-trust-isp1_zone2] detect rtsp
    [FW-interzone-trust-isp1_zone2] quit
    [FW] firewall interzone trust isp1_zone3
    [FW-interzone-trust-isp1_zone3] detect ftp
    [FW-interzone-trust-isp1_zone3] detect qq
    [FW-interzone-trust-isp1_zone3] detect rtsp
    [FW-interzone-trust-isp1_zone3] quit
    [FW] firewall interzone trust isp2_zone1
    [FW-interzone-trust-isp2_zone1] detect ftp
    [FW-interzone-trust-isp2_zone1] detect qq
    [FW-interzone-trust-isp2_zone1] detect rtsp
    [FW-interzone-trust-isp2_zone1] quit
    [FW] firewall interzone trust isp2_zone2
    [FW-interzone-trust-isp2_zone2] detect ftp
    [FW-interzone-trust-isp2_zone2] detect qq
    [FW-interzone-trust-isp2_zone2] detect rtsp
    [FW-interzone-trust-isp2_zone2] quit
    

  12. Configure attack defense.

    [FW] firewall defend land enable
    [FW] firewall defend smurf enable
    [FW] firewall defend fraggle enable
    [FW] firewall defend ip-fragment enable
    [FW] firewall defend tcp-flag enable
    [FW] firewall defend winnuke enable
    [FW] firewall defend source-route enable
    [FW] firewall defend teardrop enable
    [FW] firewall defend route-record enable
    [FW] firewall defend time-stamp enable
    [FW] firewall defend ping-of-death enable

  13. Configure an audit profile and reference it in an audit policy.

    [FW] profile type audit name trust_to_internet_audit
    [FW-profile-audit-trust_to_internet_audit] http-audit url all
    [FW-profile-audit-trust_to_internet_audit] http-audit bbs-content
    [FW-profile-audit-trust_to_internet_audit] http-audit micro-blog
    [FW-profile-audit-trust_to_internet_audit] http-audit file direction both
    [FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both
    [FW-profile-audit-trust_to_internet_audit] quit
    [FW] audit-policy
    [FW-policy-audit] rule name trust_to_internet_audit_policy
    [FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust
    [FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
    [FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit
    [FW-policy-audit-rule-trust_to_internet_audit_policy] quit
    [FW-policy-audit] quit
    

  14. Configure bandwidth management.

    # Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.

    [FW] traffic-policy
    [FW-policy-traffic] profile isp1_p2p_profile_01
    [FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
    [FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-ip both 500
    [FW-policy-traffic-profile-isp1_p2p_profile_01] quit
    [FW-policy-traffic] rule name isp1_p2p_01
    [FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
    [FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
    [FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
    [FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
    [FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
    [FW-policy-traffic-rule-isp1_p2p_01] quit
    

    # Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.

    [FW-policy-traffic] profile isp1_p2p_profile_02
    [FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
    [FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-ip both 1000
    [FW-policy-traffic-profile-isp1_p2p_profile_02] quit
    [FW-policy-traffic] rule name isp1_p2p_02
    [FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
    [FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
    [FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
    [FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
    [FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
    [FW-policy-traffic-rule-isp1_p2p_02] quit
    

    # Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.

    [FW-policy-traffic] profile isp1_p2p_profile_03
    [FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
    [FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-ip both 2000
    [FW-policy-traffic-profile-isp1_p2p_profile_03] quit
    [FW-policy-traffic] rule name isp1_p2p_03
    [FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
    [FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
    [FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
    [FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
    [FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
    [FW-policy-traffic-rule-isp1_p2p_03] quit
    [FW-policy-traffic] quit
    

  15. Configure system log sending and NAT tracing so that logs can be viewed on the eSight.

    # Configure the function of sending system logs to a log host at 10.1.10.30 (in this example, IPS and attack defense logs are sent).

    [FW] info-center enable
    [FW] engine log ips enable
    [FW] info-center source IPS channel loghost log level emergencies
    [FW] info-center source ANTIATTACK channel loghost
    [FW] info-center loghost 10.1.10.30
    

    # Configure the session log function.

    [FW] security-policy
    [FW-policy-security] rule name trust_edu_zone
    [FW-policy-security-rule-trust_edu_zone] source-zone trust
    [FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone
    [FW-policy-security-rule-trust_edu_zone] action permit
    [FW-policy-security-rule-trust_edu_zone] session logging
    [FW-policy-security-rule-trust_edu_zone] quit
    [FW-policy-security] rule name trust_isp1_zone
    [FW-policy-security-rule-trust_isp1_zone] source-zone trust
    [FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3
    [FW-policy-security-rule-trust_isp1_zone] action permit
    [FW-policy-security-rule-trust_isp1_zone] session logging
    [FW-policy-security-rule-trust_isp1_zone] quit
    [FW-policy-security] rule name trust_isp2_zone
    [FW-policy-security-rule-trust_isp2_zone] source-zone trust
    [FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2
    [FW-policy-security-rule-trust_isp2_zone] action permit
    [FW-policy-security-rule-trust_isp2_zone] session logging
    [FW-policy-security-rule-trust_isp2_zone] quit
    [FW-policy-security] quit
    

  16. Configure SNMP and ensure that the SNMP parameters on the eSight are consistent with those on the FW.

    [FW] snmp-agent sys-info version v3
    [FW] snmp-agent group v3 inside_snmp privacy
    [FW] snmp-agent usm-user v3 snmp_user group inside_snmp
    [FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
    [FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123
    

    After completing the configuration on the eSight, choose Log Analysis > Session Analysis > IPv4 Session Query to view session logs.
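    As an added example (not Huawei's or eSight's code), the following Python check audits a saved `display current-configuration` dump against steps 11, 12 and 15: every Trust-to-Internet interzone must have detect ftp/qq/rtsp, every attack-defense feature from step 12 must be enabled, and every permit rule in the security policy must carry session logging. The zone names and feature list come from this example; the configuration excerpt is constructed sample data, not a real device dump.

```python
import re
# Constructed excerpt of a `display current-configuration` dump (sample data, not a real device).
RUNNING_CONFIG = """\
firewall interzone trust edu_zone
 detect ftp
 detect qq
 detect rtsp
firewall interzone trust isp1_zone1
 detect ftp
 detect rtsp
firewall defend land enable
firewall defend smurf enable
security-policy
 rule name trust_edu_zone
  action permit
  session logging
 rule name trust_isp1_zone
  action permit
"""
INTERNET_ZONES = ["edu_zone", "isp1_zone1", "isp1_zone2", "isp1_zone3",
                  "isp2_zone1", "isp2_zone2"]
ALG_PROTOCOLS = {"ftp", "qq", "rtsp"}
DEFEND_FEATURES = {"land", "smurf", "fraggle", "ip-fragment", "tcp-flag", "winnuke", "source-route",
                   "teardrop", "route-record", "time-stamp", "ping-of-death"}

def audit(config):
    """Return sorted findings; an empty list means the dump matches steps 11, 12 and 15."""
    detect, rules, ctx = {}, {}, None  # interzone -> protocols, rule name -> body lines, current block
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"firewall interzone trust (\S+)$", line):
            ctx, detect[m[1]] = ("iz", m[1]), set()
        elif m := re.match(r"rule name (\S+)$", line):  # policy rules are indented one space
            ctx, rules[m[1]] = ("rule", m[1]), set()
        elif ctx and ctx[0] == "iz" and line.startswith("detect "):
            detect[ctx[1]].add(line.split()[1])
        elif ctx and ctx[0] == "rule" and raw.startswith("  "):  # rule body lines are indented two spaces
            rules[ctx[1]].add(line)
    defend = set(re.findall(r"^firewall defend (\S+) enable$", config, re.M))
    findings = []
    for zone in INTERNET_ZONES:
        if missing := ALG_PROTOCOLS - detect.get(zone, set()):
            findings.append(f"trust-{zone}: no ASPF/ALG for {sorted(missing)}")
    if DEFEND_FEATURES - defend:
        findings.append(f"attack defense disabled: {sorted(DEFEND_FEATURES - defend)}")
    for name, body in rules.items():  # audit/traffic rules use other actions, so they never match here
        if "action permit" in body and "session logging" not in body:
            findings.append(f"rule {name}: permit without session logging")
    return sorted(findings)
```

    For the sample dump, audit(RUNNING_CONFIG) returns seven findings: five zones with missing ALG protocols, nine disabled attack-defense features, and one permit rule without session logging.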

Updated: 2019-01-26

Document ID: EDOC1100062972