HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Conclusion and Suggestions


This case describes the networking and deployment of firewalls at the egress of a broadcast and television network. In practice, you can select which functions to configure according to your requirements. The solution can be summarized as follows:

  • Hot standby network deployment is used. The upstream switches of the firewalls run VRRP, and the downstream routers of the firewalls run OSPF. In practice, the firewalls can also connect to upstream routers running OSPF. Note that public addresses must be planned for the upstream interfaces of the firewalls; otherwise, you cannot specify the interface gateway.
  • Multi-egress intelligent uplink selection is an important requirement of a broadcast and television network. This requirement is met by the following means:

    • Outgoing traffic:

      Multi-egress PBR fulfills two requirements: traffic destined for a specific ISP is forwarded over a link of that ISP, and traffic destined for one ISP is distributed across that ISP's multiple links for load balancing.

    • Incoming traffic:

      The NAT server is configured to advertise different public IP addresses of a server to different ISPs. If the DNS server that provides domain name resolution for the server is deployed in the intranet, the firewalls also provide smart DNS, so that external users of an ISP obtain the address allocated by that ISP to the server. This improves access speed.

Other Configuration Suggestions

In this solution, NAPT, the most common form of address translation, is used. If there is a large volume of P2P traffic on the network, you can configure triplet NAT instead to reduce the OPEX of tier-2 carriers.

P2P applications, including file sharing, voice communication, and video, all work by first obtaining the peer's IP address and port from a server and then setting up a connection directly with the peer. NAPT and P2P applications therefore do not work well together.

For example, intranet PC 1 first interacts with the extranet P2P server (login and authentication). The firewall performs NAPT on the packets from PC 1 to the P2P server, and the P2P server records the post-NAPT public address and port of PC 1. When PC 2 needs to download a file, the server sends the address and port of PC 1 to PC 2, and PC 2 then tries to download the file from PC 1. However, the access from PC 2 to PC 1 does not match any entry in the firewall's session table. The firewall therefore denies the access, and PC 2 can only request the resource file from other hosts.

As a result, even if PC 1 and PC 2 are both in the intranet, PC 2 still has to request the resource file from an external host. When large numbers of intranet users request P2P downloads, this traffic consumes much of the carrier's bandwidth and wastes the traffic expenditure of tier-2 carriers. In addition, for inter-network access, the download experience of users is poor.

Triplet NAT resolves this problem. Regardless of whether PC 1 has ever accessed PC 2, as long as PC 2 can obtain the post-NAT address and port of PC 1, PC 2 can initiate access to that address and port. Such packets are permitted even if a corresponding security policy is not defined on the firewall. P2P downloads can thus take place directly between two intranet PCs, which reduces the traffic expenditure of tier-2 carriers.

The configuration of triplet NAT differs little from that of NAPT. The only difference is that you must set the address pool type to full-cone.

HRP_M[FW_A] nat address-group pool_isp1
HRP_M[FW_A-address-group-pool_isp1] mode full-cone global
HRP_M[FW_A-address-group-pool_isp1] section
HRP_M[FW_A-address-group-pool_isp1] quit

On the USG9500, before configuring triplet NAT, you must make sure that the hash board selection mode is source-address-based hashing. The configuration command is as follows:

[FW] firewall hash-mode source-only

After completing this configuration, restart the device for it to take effect.
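To make the difference between NAPT session matching and triplet (full-cone) NAT concrete, the following is an added Python model of the firewall's session handling; it is not Huawei's code, and all addresses are constructed values from the RFC 5737 documentation ranges. It replays the PC 1 / PC 2 scenario above and also shows the trade-off behind the note that such packets are permitted without a matching security policy: a full-cone mapping accepts traffic from any remote host, not only from the peer that learned the mapping from the P2P server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class NatModel:
    """Toy model of the firewall NAT session table (illustration only).

    "napt"      : the mapping is keyed by the full (intranet, remote) pair and an
                  inbound packet is accepted only if it matches a session created
                  by that same remote endpoint (the page's NAPT case).
    "full-cone" : the mapping is keyed by the intranet endpoint alone (the
                  "triplet"), and any remote host may send to the mapped
                  public endpoint (the page's triplet NAT case).
    """

    def __init__(self, mode, public_ip, first_port=10000):
        assert mode in ("napt", "full-cone")
        self.mode, self.public_ip, self.next_port = mode, public_ip, first_port
        self.mapping = {}      # napt: (src, dst) -> public; full-cone: src -> public
        self.sessions = set()  # (public, remote) pairs created by outbound traffic

    def outbound(self, src, dst):
        key = (src, dst) if self.mode == "napt" else src
        if key not in self.mapping:
            self.mapping[key] = Endpoint(self.public_ip, self.next_port)
            self.next_port += 1
        self.sessions.add((self.mapping[key], dst))
        return self.mapping[key]

    def inbound(self, remote, dst):
        if self.mode == "full-cone":
            return dst in self.mapping.values()   # sender is not checked
        return (dst, remote) in self.sessions     # must match an existing session


# Constructed sample endpoints.
PC1 = Endpoint("10.0.0.1", 40000)
P2P_SERVER = Endpoint("198.51.100.5", 8000)
PC2 = Endpoint("192.0.2.77", 5555)        # peer that learned PC 1's mapping from the server
STRANGER = Endpoint("192.0.2.200", 6666)  # host that never obtained the mapping


def inbound_allowed(mode, remote):
    """PC 1 logs in to the P2P server (creating the mapping), then `remote`
    sends a packet to PC 1's mapped public endpoint, as PC 2 does."""
    fw = NatModel(mode, "203.0.113.10")          # constructed public address
    pc1_public = fw.outbound(PC1, P2P_SERVER)    # the server records this endpoint
    return fw.inbound(remote, pc1_public)


if __name__ == "__main__":
    for mode in ("napt", "full-cone"):
        print(mode, "PC 2:", inbound_allowed(mode, PC2),
              "stranger:", inbound_allowed(mode, STRANGER))
```

Under "napt" PC 2's packet is dropped because it matches no session, which is the denial described above; under "full-cone" it is accepted, but so is the stranger's, which is why the full-cone address pool should only be used for the traffic that actually needs it.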

Updated: 2019-01-26

Document ID: EDOC1100062972
