
HUAWEI Firewall Comprehensive Configuration Examples

This document describes typical application scenarios of the firewall and how to configure them.
Configuring Security Policies and Security Protection

Procedure

  1. Configure the Trust-to-isp1 security policy, allowing intranet users to access the Internet through ISP 1 and enabling intrusion prevention.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name trust_to_isp1
    HRP_M[FW_A-policy-security-rule-trust_to_isp1] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_isp1] destination-zone isp1_1 isp1_2
    HRP_M[FW_A-policy-security-rule-trust_to_isp1] profile ips default
    HRP_M[FW_A-policy-security-rule-trust_to_isp1] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_isp1] quit
    

  2. Configure the Trust-to-isp2 security policy, allowing intranet users to access the Internet through ISP 2 and enabling intrusion prevention.

    HRP_M[FW_A-policy-security] rule name trust_to_isp2
    HRP_M[FW_A-policy-security-rule-trust_to_isp2] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_isp2] destination-zone isp2_1 isp2_2
    HRP_M[FW_A-policy-security-rule-trust_to_isp2] profile ips default
    HRP_M[FW_A-policy-security-rule-trust_to_isp2] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_isp2] quit
    

  3. Configure the isp1-to-DMZ security policy, allowing extranet users to access the web server, FTP server, and DNS server in the DMZ through an ISP 1 link and enabling intrusion prevention.

    HRP_M[FW_A-policy-security] rule name isp1_to_http
    HRP_M[FW_A-policy-security-rule-isp1_to_http] source-zone isp1_1 isp1_2
    HRP_M[FW_A-policy-security-rule-isp1_to_http] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-isp1_to_http] destination-address 10.0.10.10 24
    HRP_M[FW_A-policy-security-rule-isp1_to_http] service http
    HRP_M[FW_A-policy-security-rule-isp1_to_http] profile ips default
    HRP_M[FW_A-policy-security-rule-isp1_to_http] action permit
    HRP_M[FW_A-policy-security-rule-isp1_to_http] quit
    HRP_M[FW_A-policy-security] rule name isp1_to_ftp
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] source-zone isp1_1 isp1_2
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] destination-address 10.0.10.11 24
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] service ftp
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] profile ips default
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] action permit
    HRP_M[FW_A-policy-security-rule-isp1_to_ftp] quit
    HRP_M[FW_A-policy-security] rule name isp1_to_dns
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] source-zone isp1_1 isp1_2
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-address 10.0.10.20 24
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] service dns
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] profile ips default
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] action permit
    HRP_M[FW_A-policy-security-rule-isp1_to_dns] quit
    

  4. Configure the isp2-to-DMZ security policy, allowing extranet users to access the web server, FTP server, and DNS server in the DMZ through an ISP 2 link and enabling intrusion prevention.

    HRP_M[FW_A-policy-security] rule name isp2_to_http
    HRP_M[FW_A-policy-security-rule-isp2_to_http] source-zone isp2_1 isp2_2
    HRP_M[FW_A-policy-security-rule-isp2_to_http] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-isp2_to_http] destination-address 10.0.10.10 24
    HRP_M[FW_A-policy-security-rule-isp2_to_http] service http
    HRP_M[FW_A-policy-security-rule-isp2_to_http] profile ips default
    HRP_M[FW_A-policy-security-rule-isp2_to_http] action permit
    HRP_M[FW_A-policy-security-rule-isp2_to_http] quit
    HRP_M[FW_A-policy-security] rule name isp2_to_ftp
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] source-zone isp2_1 isp2_2
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] destination-address 10.0.10.11 24
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] service ftp
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] profile ips default
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] action permit
    HRP_M[FW_A-policy-security-rule-isp2_to_ftp] quit
    HRP_M[FW_A-policy-security] rule name isp2_to_dns
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] source-zone isp2_1 isp2_2
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-address 10.0.10.20 24
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] service dns
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] profile ips default
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] action permit
    HRP_M[FW_A-policy-security-rule-isp2_to_dns] quit
    

  5. Configure the Trust-to-DMZ security policy, allowing intranet users to access the web server, FTP server, and DNS server in the DMZ zone and enabling intrusion prevention.

    HRP_M[FW_A-policy-security] rule name trust_to_http
    HRP_M[FW_A-policy-security-rule-trust_to_http] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_http] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-trust_to_http] destination-address 10.0.10.10 24
    HRP_M[FW_A-policy-security-rule-trust_to_http] service http
    HRP_M[FW_A-policy-security-rule-trust_to_http] profile ips default
    HRP_M[FW_A-policy-security-rule-trust_to_http] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_http] quit
    HRP_M[FW_A-policy-security] rule name trust_to_ftp
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-address 10.0.10.11 24
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] service ftp
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] profile ips default
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_ftp] quit
    HRP_M[FW_A-policy-security] rule name trust_to_dns
    HRP_M[FW_A-policy-security-rule-trust_to_dns] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-address 10.0.10.20 24
    HRP_M[FW_A-policy-security-rule-trust_to_dns] service dns
    HRP_M[FW_A-policy-security-rule-trust_to_dns] profile ips default
    HRP_M[FW_A-policy-security-rule-trust_to_dns] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_dns] quit
    
    NOTE:

    In steps 3 to 6, the second parameter of destination-address is a mask length, so destination-address 10.0.10.10 24 matches every host in 10.0.10.0/24, not only the web server; the same applies to the FTP, DNS, and log server addresses. As written, the rules permit HTTP, FTP, and DNS to the whole DMZ subnet. To limit each rule to the single server named in its description, use mask length 32, for example destination-address 10.0.10.10 32.
    

  6. Configure the Local-to-DMZ security policy, allowing the firewall to send logs to the log server in the DMZ.

    HRP_M[FW_A-policy-security] rule name local_to_logcenter
    HRP_M[FW_A-policy-security-rule-local_to_logcenter] source-zone local
    HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-zone dmz
    HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-address 10.0.10.30 24
    HRP_M[FW_A-policy-security-rule-local_to_logcenter] action permit
    HRP_M[FW_A-policy-security-rule-local_to_logcenter] quit
    

  7. Configure the Local-to-Trust security policy, allowing the firewall to set up an OSPF neighbor relationship with a router.

    HRP_M[FW_A-policy-security] rule name local_to_trust
    HRP_M[FW_A-policy-security-rule-local_to_trust] source-zone local trust
    HRP_M[FW_A-policy-security-rule-local_to_trust] destination-zone local trust
    HRP_M[FW_A-policy-security-rule-local_to_trust] service ospf
    HRP_M[FW_A-policy-security-rule-local_to_trust] action permit
    HRP_M[FW_A-policy-security-rule-local_to_trust] quit
    

  8. Configure the Local-to-isp1 and Local-to-isp2 security policies, allowing the FW to connect to the security center and update its signature databases. The rule specifies no service, so it permits any traffic the firewall itself originates toward the ISP zones; narrow the service to what the security center connection actually needs (DNS resolution and the update protocol) once that is confirmed.

    HRP_M[FW_A-policy-security] rule name local_to_isp
    HRP_M[FW_A-policy-security-rule-local_to_isp] source-zone local
    HRP_M[FW_A-policy-security-rule-local_to_isp] destination-zone isp1_1 isp1_2 isp2_1 isp2_2
    HRP_M[FW_A-policy-security-rule-local_to_isp] action permit
    HRP_M[FW_A-policy-security-rule-local_to_isp] quit
    HRP_M[FW_A-policy-security] quit
    
    NOTE:

    For versions earlier than USG6000&USG9500 V500R001C80: You need to configure required security policies on the FW to allow the FW to send health check probe packets to the destination device. For versions later than V500R001C80: Probe packets for health check are not subject to security policies and are permitted by default. Therefore, you do not need to configure security policies.

  9. Update the IPS signature database and service awareness signature database automatically.
    1. Make sure that the firewall has activated the license that supports the IPS signature database update server.

      HRP_M[FW_A] display license
      IPS        : Enabled;   service expire time: 2015/06/12                         
      

    2. Configure the DNS server, allowing the firewall to access the security center using a domain name.

      HRP_M[FW_A] dns resolve
      HRP_M[FW_A] dns server 1.1.1.222
      

    3. Configure automatic scheduled update of signature databases.

      HRP_M[FW_A] update schedule ips-sdb enable
      HRP_M[FW_A] update schedule sa-sdb enable
      HRP_M[FW_A] update schedule ips-sdb daily 03:00
      HRP_M[FW_A] update schedule sa-sdb weekly Mon 03:00

  10. Configure attack defense.

    HRP_M[FW_A] firewall defend land enable
    HRP_M[FW_A] firewall defend smurf enable
    HRP_M[FW_A] firewall defend fraggle enable
    HRP_M[FW_A] firewall defend ip-fragment enable
    HRP_M[FW_A] firewall defend tcp-flag enable
    HRP_M[FW_A] firewall defend winnuke enable
    HRP_M[FW_A] firewall defend source-route enable
    HRP_M[FW_A] firewall defend teardrop enable
    HRP_M[FW_A] firewall defend route-record enable
    HRP_M[FW_A] firewall defend time-stamp enable
    HRP_M[FW_A] firewall defend ping-of-death enable
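The security-policy steps 1 to 8 above are typed by hand and are easy to get wrong: a rule name can be re-entered by mistake (the ISP 2 DNS rule in step 4 is one such slip, and on the device re-entering a name modifies the existing rule instead of creating a new one), a per-server rule can be given a subnet mask, and a permit rule that touches an ISP zone can be left without a service restriction or an IPS profile. The following Python script is an added example, not Huawei code or part of this document: it parses a CLI transcript in the same form as the one above (only the commands used here), treats any zone whose name starts with "isp" as untrusted (an assumption taken from this example's zone names), and reports those four conditions. The sample transcript inside it is constructed for the example.

```python
"""Audit a Huawei USG security-policy CLI transcript for common mistakes.
Added example, not Huawei code. Only the commands used in the procedure above
are understood: rule name, source-zone, destination-zone, destination-address,
service, profile ips, action, quit."""
import re
from dataclasses import dataclass, field

# Strips the "HRP_M[FW_A-policy-security-rule-xxx]" prompt, leaving the command.
PROMPT = re.compile(r"^HRP_[MS]\[[^\]]*\]\s*(.*)$")

@dataclass
class Rule:
    name: str
    source_zone: list = field(default_factory=list)
    destination_zone: list = field(default_factory=list)
    destination_address: list = field(default_factory=list)  # (ip, mask_length)
    service: list = field(default_factory=list)
    ips_profile: str = ""
    action: str = ""

def parse_rules(transcript):
    """Return (rules by name, names that were entered more than once)."""
    rules, duplicates, current = {}, [], None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group(1):
            continue
        cmd, *args = m.group(1).split()
        if cmd == "rule" and args[:1] == ["name"]:
            name = args[1]
            if name in rules:  # the device re-enters the existing rule here
                duplicates.append(name)
            current = rules.setdefault(name, Rule(name))
        elif current is None or cmd == "quit":
            current = None
        elif cmd == "source-zone":
            current.source_zone += args
        elif cmd == "destination-zone":
            current.destination_zone += args
        elif cmd == "destination-address" and len(args) == 2:
            current.destination_address.append((args[0], int(args[1])))
        elif cmd == "service":
            current.service += args
        elif cmd == "profile" and args[:1] == ["ips"]:
            current.ips_profile = args[1]
        elif cmd == "action":
            current.action = args[0]
    return rules, duplicates

def is_untrusted(zone):
    # Assumption: zones named isp1_1, isp2_2, ... face the Internet.
    return zone.lower().startswith("isp")

def audit(rules, duplicates):
    """Return (code, rule_name) findings a reviewer would raise."""
    findings = [("duplicate", n) for n in duplicates]
    for r in rules.values():
        if r.action != "permit":
            continue
        untrusted = any(is_untrusted(z) for z in r.source_zone + r.destination_zone)
        # A per-service rule with a /24 destination permits the whole subnet.
        if r.service and any(mask < 32 for _, mask in r.destination_address):
            findings.append(("subnet-mask", r.name))
        if untrusted and not r.ips_profile:
            findings.append(("no-ips", r.name))
        if untrusted and not r.service:
            findings.append(("any-service", r.name))
    return findings

# Constructed sample in the form of the transcript above: it re-enters
# "rule name isp1_to_dns" for the ISP 2 block and leaves local_to_isp unrestricted.
SAMPLE = """\
HRP_M[FW_A-policy-security] rule name isp1_to_dns
HRP_M[FW_A-policy-security-rule-isp1_to_dns] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-isp1_to_dns] service dns
HRP_M[FW_A-policy-security-rule-isp1_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_dns] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_dns] quit
HRP_M[FW_A-policy-security] rule name isp1_to_dns
HRP_M[FW_A-policy-security-rule-isp2_to_dns] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-isp2_to_dns] service dns
HRP_M[FW_A-policy-security-rule-isp2_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_dns] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_dns] quit
HRP_M[FW_A-policy-security] rule name local_to_isp
HRP_M[FW_A-policy-security-rule-local_to_isp] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_isp] destination-zone isp1_1 isp1_2 isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-local_to_isp] action permit
HRP_M[FW_A-policy-security-rule-local_to_isp] quit
"""

if __name__ == "__main__":
    rules, dups = parse_rules(SAMPLE)
    for code, name in audit(rules, dups):
        print(f"{code:12} {name}")
```

To check a real configuration, replace SAMPLE with a saved terminal transcript; an empty findings list is the expected result for a clean rule set. Note that the merged isp1_to_dns rule ends up with all four ISP zones as source, which is how the device would actually behave after the duplicated rule name in the original step 4.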

Updated: 2019-01-26

Document ID: EDOC1100062972
