
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Scripts

FW_A
#                              
 hrp enable
 hrp interface Eth-Trunk 0 remote 10.10.0.2          
 hrp adjust ospf-cost enable                        
 hrp preempt delay 300
 hrp track interface Eth-Trunk 1.1
 hrp track interface Eth-Trunk 1.2
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
interface Eth-Trunk0                 
 description To_FW_B
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1.1              
 description To_GGSN1
 ip address 10.2.0.1 255.255.255.0
 vlan-type dot1q 11
 ospf cost 10
 ospf network-type p2p
#
interface Eth-Trunk1.2              
 description To_GGSN2
 ip address 10.2.2.1 255.255.255.0
 vlan-type dot1q 12
 ospf cost 10
 ospf network-type p2p
#
interface Eth-Trunk2.1               
 description To_SCG
 ip address 10.3.0.1 255.255.255.0
 vlan-type dot1q 21
 vrrp vrid 1 virtual-ip 10.3.0.3 24 active
#
interface loopback 1
 ip address 10.2.0.10 32
 ospf cost 10
#
interface loopback 2
 ip address 10.2.0.11 32
 ospf cost 10
#                                                 
interface GigabitEthernet1/0/0            
 eth-trunk 0                         
#                                         
interface GigabitEthernet1/0/1                 
 eth-trunk 0                         
#                                                            
interface GigabitEthernet1/0/2              
 eth-trunk 1 
 link-group 1                              
#                                             
interface GigabitEthernet1/0/3           
 eth-trunk 1   
 link-group 1                              
#                                           
interface GigabitEthernet1/0/4      
 eth-trunk 2    
 link-group 1                 
#                                              
interface GigabitEthernet1/0/5        
 eth-trunk 2
 link-group 1
#
firewall zone trust
 set priority 85                        
 add interface Eth-Trunk2.1            
#                                              
firewall zone untrust                    
 set priority 5                                
 add interface Eth-Trunk1.1 
 add interface Eth-Trunk1.2         
#                                                       
firewall zone dmz                  
 set priority 50                                      
 add interface Eth-Trunk0                 
#  
firewall zone tunnelzone                  
 set priority 20                                      
 add interface tunnel1  
 add interface tunnel2  
#                                                  
firewall interzone trust untrust           
 detect rtsp
 detect ftp
 detect pptp
#                               
security-policy 
#
 rule name trust_tunnelzone_outbound
  source-zone trust 
  destination-zone tunnelzone 
  source-address 10.3.0.0 24
  action permit 
#
 rule name trust_tunnelzone_inbound
  source-zone tunnelzone
  destination-zone trust
  destination-address 10.3.0.0 24
  action permit 
#
 rule name local_dmz_outbound 
  source-zone local 
  destination-zone dmz 
  source-address 10.10.0.0 24 
  action permit   
# 
 rule name local_dmz_inbound 
  source-zone dmz 
  destination-zone local
  destination-address 10.10.0.0 24 
  action permit  
#  
 rule name local_untrust_outbound 
  source-zone local
  destination-zone untrust
  source-address 10.2.0.0 16 
  action permit 
#   
 rule name local_untrust_inbound 
  source-zone untrust
  destination-zone local
  destination-address 10.2.0.0 16 
  action permit    
#  
 nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80
#
acl number 2000
 description ospf1_import_ggsn
 rule 5 permit source 221.180.0.0 0.0.0.255  
 rule 100 deny
#
ospf 1 
 filter-policy 2000 import    
 area 0.0.0.1 
 authentication-mode md5 1 cipher Huawei-123
 network 10.2.0.0 0.0.0.255
 network 10.3.0.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
#   
interface Tunnel1
 ip address 172.16.2.1 32
 tunnel-protocol gre
 source loopback1
 destination 10.2.10.1
 gre key cipher 123456
 ospf timer hello 30
#
interface Tunnel2
 ip address 172.16.2.2 32
 tunnel-protocol gre
 source loopback2
 destination 10.2.11.1
 gre key cipher 123456
 ospf timer hello 30
#                                                                                
 snmp-agent                                                                     
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                             
 snmp-agent sys-info version v3                                                 
 snmp-agent sys-info contact Mr.zhang
 snmp-agent sys-info location Beijing
 snmp-agent group v3 NMS1 privacy                         
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
# 
return

FW_B
#
 hrp enable
 hrp interface Eth-Trunk 0 remote 10.10.0.1        
 hrp adjust ospf-cost enable         
 hrp preempt delay 300
 hrp track interface Eth-Trunk 1.1
 hrp track interface Eth-Trunk 1.2
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
interface Eth-Trunk0                  
 description To_FW_A
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1.1               
 description To_GGSN1
 ip address 10.2.0.2 255.255.255.0
 vlan-type dot1q 11
 ospf cost 1000
 ospf network-type p2p
#
interface Eth-Trunk1.2              
 description To_GGSN2
 ip address 10.2.2.2 255.255.255.0
 vlan-type dot1q 12
 ospf cost 1000
 ospf network-type p2p
#
interface Eth-Trunk2.1             
 description To_SCG
 ip address 10.3.0.2 255.255.255.0
 vlan-type dot1q 21
 vrrp vrid 1 virtual-ip 10.3.0.3 24 standby
# 
interface loopback 1
 ip address 10.2.0.12 32
 ospf cost 1000
#
interface loopback 2
 ip address 10.2.0.13 32
 ospf cost 1000
#                                     
interface GigabitEthernet1/0/0          
 eth-trunk 0                          
#                                      
interface GigabitEthernet1/0/1         
 eth-trunk 0                             
#                                       
interface GigabitEthernet1/0/2
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 eth-trunk 1
#
interface GigabitEthernet1/0/4
 eth-trunk 2
#
interface GigabitEthernet1/0/5
 eth-trunk 2
# 
firewall zone trust
 set priority 85                              
 add interface Eth-Trunk2.1        
#                                                       
firewall zone untrust                                   
 set priority 5                      
 add interface Eth-Trunk1.1
 add interface Eth-Trunk1.2 
#                                     
firewall zone dmz                          
 set priority 50                               
 add interface Eth-Trunk0                   
#  
firewall zone tunnelzone                  
 set priority 20                                      
 add interface tunnel1  
 add interface tunnel2  
#                                          
firewall interzone trust untrust  
 detect rtsp
 detect ftp
 detect pptp
#                            
security-policy 
#
 rule name trust_tunnelzone_outbound
  source-zone trust 
  destination-zone tunnelzone 
  source-address 10.3.0.0 24
  action permit 
#
 rule name trust_tunnelzone_inbound
  source-zone tunnelzone
  destination-zone trust
  destination-address 10.3.0.0 24
  action permit 
#
 rule name local_dmz_outbound 
  source-zone local 
  destination-zone dmz 
  source-address 10.10.0.0 24 
  action permit    
#
 rule name local_dmz_inbound 
  source-zone dmz 
  destination-zone local
  destination-address 10.10.0.0 24 
  action permit    
#
 rule name local_untrust_outbound 
  source-zone local
  destination-zone untrust
  source-address 10.2.0.0 16 
  action permit    
#
 rule name local_untrust_inbound 
  source-zone untrust
  destination-zone local
  destination-address 10.2.0.0 16 
  action permit    
#  
 nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80
#
acl number 2000
 description ospf1_import_ggsn
 rule 5 permit source 221.180.0.0 0.0.0.255  
 rule 100 deny
#
ospf 1 
 filter-policy 2000 import   
 area 0.0.0.1 
 authentication-mode md5 1 cipher Huawei-123
 network 10.2.0.0 0.0.0.255
 network 10.3.0.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
#
interface Tunnel1
 ip address 172.16.2.3 32
 tunnel-protocol gre
 source loopback1
 destination 10.2.10.2
 gre key cipher 123456
 ospf timer hello 30
#
interface Tunnel2
 ip address 172.16.2.4 32
 tunnel-protocol gre
 source loopback2
 destination 10.2.11.2
 gre key cipher 123456
 ospf timer hello 30
#                                                         
 snmp-agent                                                    
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                  
 snmp-agent sys-info version v3                                 
 snmp-agent sys-info contact Mr.zhang
 snmp-agent sys-info location Beijing
 snmp-agent group v3 NMS1 privacy                               
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
# 
return
FW_C
#
 hrp enable
 hrp interface Eth-Trunk 0 remote 10.10.0.4            
 hrp adjust ospf-cost enable                        
 hrp preempt delay 300
 hrp track interface Eth-Trunk 1.1
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
interface Eth-Trunk0                 
 description To_FW_D
 ip address 10.10.0.3 255.255.255.0
#
interface Eth-Trunk1.1              
 description To_Internet
 ip address 10.2.1.1 255.255.255.0
 vlan-type dot1q 11
 ospf cost 10
 ospf network-type p2p
 ospf timer hello 30
#
interface Eth-Trunk2.1                      
 description To_SCG
 ip address 10.3.1.1 255.255.255.0
 vlan-type dot1q 21
 vrrp vrid 1 virtual-ip 10.3.1.3 24 active
#                                                  
interface GigabitEthernet1/0/0            
 eth-trunk 0                         
#                                         
interface GigabitEthernet1/0/1                 
 eth-trunk 0                         
#                                              
interface GigabitEthernet1/0/2              
 eth-trunk 1   
 link-group 1                            
#                                             
interface GigabitEthernet1/0/3           
 eth-trunk 1    
 link-group 1                           
#                                           
interface GigabitEthernet1/0/4      
 eth-trunk 2                      
 link-group 1
#                                              
interface GigabitEthernet1/0/5        
 eth-trunk 2                      
 link-group 1               
#
firewall zone trust
 set priority 85                        
 add interface Eth-Trunk2.1  
#                                              
firewall zone untrust                    
 set priority 5                                
 add interface Eth-Trunk1.1                  
#                                                       
firewall zone dmz                  
 set priority 50                                      
 add interface Eth-Trunk0                 
#                                                
firewall interzone trust untrust           
 detect rtsp
 detect ftp
 detect pptp
#                               
security-policy 
 rule name local_dmz_outbound 
  source-zone local
  destination-zone dmz
  destination-address 10.10.0.0 24
  action permit    
 rule name local_dmz_inbound
  source-zone dmz
  destination-zone local
  source-address 10.10.0.0 24
  action permit    
 rule name trust_untrust_outbound 
  source-zone trust
  destination-zone untrust
  destination-address 10.2.1.0 24
  action permit    
 rule name trust_untrust_inbound
  source-zone untrust
  destination-zone trust
  source-address 10.2.1.0 24
  action permit    
# 
 nat address-group addressgroup1
 mode pat      
 section 0 1.1.1.6 1.1.1.10 
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 0.0.0.255
  action source-nat address-group addressgroup1
#   
acl number 2100
 description ospf2_import_default
 rule 5 permit source 0.0.0.0 0      
 rule 1000 deny
#
ospf 2 
 filter-policy 2100 import 
 import-route static
 area 0.0.0.2 
 authentication-mode md5 1 cipher Huawei-123
 network 10.2.1.0 0.0.0.255
 network 10.3.1.0 0.0.0.255   
#  
 ip route-static 1.1.1.6 255.255.255.255 NULL0  
 ip route-static 1.1.1.7 255.255.255.255 NULL0  
 ip route-static 1.1.1.8 255.255.255.255 NULL0  
 ip route-static 1.1.1.9 255.255.255.255 NULL0   
 ip route-static 1.1.1.10 255.255.255.255 NULL0 
#                                                                               
 snmp-agent                                                                     
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                             
 snmp-agent sys-info version v3                                                 
 snmp-agent sys-info contact Mr.zhang
 snmp-agent sys-info location Beijing
 snmp-agent group v3 NMS1 privacy                         
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
# 
return

FW_D
#
 hrp enable
 hrp interface Eth-Trunk 0 remote 10.10.0.3 
 hrp adjust ospf-cost enable         
 hrp preempt delay 300
 hrp track interface Eth-Trunk 1.1
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
interface Eth-Trunk0                 
 description To_FW_C
 ip address 10.10.0.4 255.255.255.0
#
interface Eth-Trunk1.1               
 description To_Internet
 ip address 10.2.1.2 255.255.255.0
 vlan-type dot1q 11
 ospf cost 1000
 ospf network-type p2p
 ospf timer hello 30
#
interface Eth-Trunk2.1              
 description To_SCG
 ip address 10.3.1.2 255.255.255.0
 vlan-type dot1q 21
 vrrp vrid 1 virtual-ip 10.3.1.3 24 standby
#                                      
interface GigabitEthernet1/0/0          
 eth-trunk 0                          
#                                      
interface GigabitEthernet1/0/1         
 eth-trunk 0                             
#                                       
interface GigabitEthernet1/0/2
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 eth-trunk 1
#
interface GigabitEthernet1/0/4
 eth-trunk 2
#
interface GigabitEthernet1/0/5
 eth-trunk 2
# 
firewall zone trust
 set priority 85                              
 add interface Eth-Trunk2.1      
#                                           
firewall zone untrust                                   
 set priority 5                                 
 add interface Eth-Trunk1.1    
#                                     
firewall zone dmz                          
 set priority 50                               
 add interface Eth-Trunk0                   
#                                       
firewall interzone trust untrust  
 detect rtsp
 detect ftp
 detect pptp
#                            
security-policy 
 rule name local_dmz_outbound 
  source-zone local
  destination-zone dmz
  destination-address 10.10.0.0 24
  action permit    
 rule name local_dmz_inbound
  source-zone dmz
  destination-zone local
  source-address 10.10.0.0 24
  action permit    
 rule name trust_untrust_outbound 
  source-zone trust
  destination-zone untrust
  destination-address 10.2.1.0 24
  action permit    
 rule name trust_untrust_inbound
  source-zone untrust
  destination-zone trust
  source-address 10.2.1.0 24
  action permit  
# 
 nat address-group addressgroup1
 mode pat 
 section 0 1.1.1.6 1.1.1.10 
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 0.0.0.255
  action source-nat address-group addressgroup1
#
acl number 2100
 description ospf2_import_default
 rule 5 permit source 0.0.0.0 0      
 rule 1000 deny
#
ospf 2 
 filter-policy 2100 import 
 import-route static
 area 0.0.0.2 
 authentication-mode md5 1 cipher Huawei-123
 network 10.2.1.0 0.0.0.255
 network 10.3.1.0 0.0.0.255 
#  
 ip route-static 1.1.1.6 255.255.255.255 NULL0  
 ip route-static 1.1.1.7 255.255.255.255 NULL0  
 ip route-static 1.1.1.8 255.255.255.255 NULL0  
 ip route-static 1.1.1.9 255.255.255.255 NULL0   
 ip route-static 1.1.1.10 255.255.255.255 NULL0 
#                                                        
 snmp-agent                                                    
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                  
 snmp-agent sys-info version v3                                 
 snmp-agent sys-info contact Mr.zhang
 snmp-agent sys-info location Beijing
 snmp-agent group v3 NMS1 privacy                               
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
# 
return
Updated: 2019-01-26

Document ID: EDOC1100062972
