No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


  • License

    Licenses are required for IPS and smart DNS services. Smart DNS also requires loading of a content security component.

  • Hardware requirement

    For the USG9500, IPS, application-based PBR, and smart DNS require that the SPC-APPSEC-FW is in position. Otherwise, these functions are unavailable.

  • Networking

    • To prevent communication failures between active and standby firewalls due to heartbeat interface faults, using an Eth-Trunk interface as the heartbeat interface is recommended. For devices on which multiple NICs can be installed (for the support situation, see the hardware guide), an inter-board Eth-Trunk interface is required. That is, the member interfaces of the Eth-Trunk interface are on different LPUs. The inter-board Eth-Trunk improves reliability and increases bandwidth. For devices that do not support interface expansion or inter-board Eth-Trunk, it is possible that a faulty LPU may cause all HRP backup channels to be unavailable and compromise services.

    • When hot standby and intelligent uplink selection are used together, if the upstream switch runs VRRP, the upstream physical port of the firewall must be a public IP address in the same network segment as the address of the ISP router. Otherwise, the gateway of the port cannot be specified. The gateway command is mandatory for intelligent uplink selection and link health check.

      If the upstream device of the firewall is a router, this restriction does not apply.

  • Intelligent uplink selection

    • The firewall generates an equal-cost default route using the gateway command. The protocol is UNR, and the route priority is 70, which is lower than the priority (60) of a static route. When this command takes effect, you can no longer configure a multi-egress equal-cost static route manually.
    • Intelligent uplink selection cannot be used together with IP address spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP address spoofing defense or URPF is enabled, the firewall may drop packets.
  • Black-hole route

    The firewall allows a User Network Route (UNR) for addresses in the NAT address pool. The UNR functions the same as a black-hole route. It can prevent a routing loop and can also be advertised using dynamic routing protocols, such as OSPF. For the NAT server, if the protocol and port are specified, it is also necessary to configure a black-hole route with the destination address being a public address. With this black-hole route, packets from external sources destined to a public address but not matching any entry the server-map table are matched to the black-hole route and dropped directly to prevent a routing loop.

Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16136

Downloads: 696

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next