Application of Firewalls in the Campus Egress Security Solution
Introduction
This section describes the application of firewalls in the campus egress security solution. Based on the main issues faced by campus security and network access management requirements of the campus, the section provides two typical applications that meet most campus network security solution deployment requirements.
This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and later versions. Document content may vary according to version.
Solution Overview
With the rapid growth of education informatization and the gradual improvement of campus network construction, teachers and students face increasingly serious security issues on the campus network while enjoying rich network resources. These security issues affect the teaching, management, and scientific research activities of the campus. Constructing a secure campus network with high access speed has become an urgent problem for campus managers.
Each layer of the campus network, from the network layer to the application layer, faces different security threats:
- Network border protection: The campus generally has multiple egresses, high link bandwidth, and a complex network structure. The spread of viruses and worms has become the most notorious threat to the campus. Increasing remote network access brings great challenges to campus security.
- Content security defense: Network intrusion behaviors cannot be detected and blocked in a timely manner. URL access control is required to control the online behaviors of users. Improper network messages and contents need to be prevented to minimize their negative impact on society.
As a high-performance next generation firewall (NGFW), the FW can be deployed on the egress of the campus network to reduce security threats and help implement effective network management. Besides security isolation and routine attack defense, the FW provides multiple advanced application security capabilities, such as attack defense, IPS, antivirus, and online behavior auditing. It provides application-layer protection while implementing border protection.
As shown in Figure 1-1, the FW is deployed on the egress of the campus network as a security gateway to provide security isolation and protection for access between the intranet and extranet. The FW provides not only IP address-based security policies and network access control but also user-based access control and source tracking of user behaviors. The FW allows the network administrator to select the most effective management and control policies and reduces the security maintenance workload.
Solution 1: IP Address-based Policy Control
Typical Networking
As shown in Figure 1-2, the FW is deployed on the egress of the campus network as a security gateway. It provides bandwidth services for users in the campus and server access services for users outside the campus. Because the campus network is gradually developed phase by phase, the egress links have uneven bandwidth. The bandwidth of the link to the education network is 1G, the bandwidth of the three links to ISP1 network is 200M, 1G, and 200M respectively, and the bandwidth of the two links to ISP2 network is both 1G.
The campus network is mainly used for learning and working. Therefore, in addition to ensuring the security of intranet users and servers, the egress needs to properly allocate bandwidth resources and implement load balancing for network traffic to improve the access experience of intranet and extranet users. The main requirements of the campus network are as follows:
- Load balancing
- The ISP links must be fully used to ensure the network access experience of intranet users. The campus wants the traffic destined for a specific ISP network to be preferentially forwarded by the outbound interface corresponding to that ISP. For example, traffic destined for the education network is preferentially forwarded by GE 1/0/1, and traffic destined for ISP2 network is preferentially forwarded by GE 1/0/5 or GE 1/0/6. The links to the same ISP network can implement traffic load balancing by link bandwidth or weight ratio. To improve forwarding reliability and prevent packet loss caused by an overburdened link, link backup is required among the links.
- The ISP links have different transmission quality. The link to the education network and the links to ISP2 network have high quality and can forward service traffic with strict delay requirements, such as the traffic of the distance education system. The links to ISP1 network have poor quality and can forward bandwidth-consuming, low-value service traffic, such as P2P traffic. Considering the cost, traffic destined for the servers of other campuses, network access traffic of users in the library, and traffic matching default routes are forwarded over the link to the education network.
- Users on the campus automatically obtain the same DNS server address, so their traffic is forwarded over the same ISP link. The campus wants to make full use of other link resources and requests that some DNS request packets be distributed to other ISP links. Only changing the outbound interface of the DNS packets cannot resolve the issue, because subsequent network access traffic would still be forwarded over one link. Therefore, DNS request packets need to be forwarded to the DNS servers of different ISP networks, so that the resolved addresses belong to different ISP networks.
- A DNS server is deployed on the campus network to provide domain name resolution services. When users on different ISP networks access the campus network, they can use a resolved address that belongs to the same ISP as the user, improving access quality.
- The traffic destined for the server in the library is heavy, so two servers are required for traffic load balancing.
- Address translation
- Users on the campus network require public IP addresses to access the Internet.
- The servers, such as library servers, portal servers, and DNS servers, on the campus network use public IP addresses to provide services for intranet and extranet users.
- Security defense
- Assign network devices to different zones based on their locations, implement security isolation for interzone traffic, and control the permissions on mutual zone access. For example, allow users on the campus to access extranet resources, and allow extranet users to access only a specific port of an intranet server.
- Common DDoS attacks (such as SYN flood attacks) and single-packet attacks (such as Land attacks) are effectively defended against.
- Network intrusion behaviors are blocked and alerted.
- Bandwidth management and control
Due to limited bandwidth resources, the campus requests to limit the bandwidth percentage of P2P traffic as well as the bandwidth of each user's P2P traffic. Common P2P traffic is generated by download software (Thunder, eMule, BT, Ares, and Vuze), music software (Kugou Music, kugou, and SoulSeek), or video websites or software (Baidu player, QiYi, and SHPlayer).
- Source tracing and auditing
- To prevent the improper online behavior of users on the campus from harming the reputation of the campus, perform source tracing for the improper behavior and restore the improper behavior. The online behavior of users on the campus needs to be audited for subsequent investigation and analysis. The behavior to be audited includes URL access records, BBS posts and microblogs, HTTP upload and download, and FTP upload and download.
- Log servers are deployed on the campus. Attack defense and intrusion detection logs as well as pre-NAT and post-NAT IP addresses can be viewed on the log servers.
Service Planning
The FW can meet all requirements of the campus network. This section describes the functions of the FW and provides service planning based on the networking.
Basic Network Configuration and Access Control Configuration
The FW sets security zones and implements security isolation for these zones. It controls the permissions on mutual zone access by using security policies.
Users on the campus network are in the Trust zone, which has the highest security level. These users can proactively access all zones. Servers are also in the Trust zone and can access only extranets under the control of security policies, but not other devices in the Trust zone. A security zone is created for each ISP link so that the policies between each pair of zones can be controlled separately. The devices on each ISP network can access the server area. In addition, ASPF needs to be enabled to ensure normal communication between zones through multi-channel protocols, such as FTP.
| Item | Data | Description |
|---|---|---|
| GE1/0/1 | | The interface connecting the FW to the education network is assigned to user-defined security zone edu_zone. The priority of a user-defined security zone can be set as required. |
| GE1/0/2 | | The interface connecting the FW to ISP1 network is assigned to user-defined security zone isp1_zone1. |
| GE1/0/3 | | The interface connecting the FW to ISP1 network is assigned to user-defined security zone isp1_zone2. |
| GE1/0/4 | | The interface connecting the FW to ISP1 network is assigned to user-defined security zone isp1_zone3. |
| GE1/0/5 | | The interface connecting the FW to ISP2 network is assigned to user-defined security zone isp2_zone1. |
| GE1/0/6 | | The interface connecting the FW to ISP2 network is assigned to user-defined security zone isp2_zone2. |
| GE1/0/7 | | The interface connecting the FW to the campus network is assigned to the Trust zone. Users and servers on the campus are in the Trust zone. |
| Item | Data | Description |
|---|---|---|
| Security policy for users on the campus | | Users on the campus can access devices in any security zone. By default, devices in the same security zone cannot access each other. A security policy must be configured to specify the source or destination security zone. For example, if the source and destination security zones are both the Trust zone, the devices in the Trust zone can access each other. If the source security zone is the Trust zone and the destination security zone is any, the devices in the Trust zone can access any security zone. If the source security zone is any and the destination security zone is Trust, devices in any security zone can access the Trust zone. |
| Security policy for extranet users | | Users outside the campus can access the server area, but not any other devices in the Trust zone. |
| Security policy for the log server | | The FW is allowed to send log information to the log server and upgrade center. |
Intrusion Prevention
Intrusion prevention needs to be enabled on the FW to alert on or block intrusions by botnets, Trojan horses, and worms. To better identify intrusion behavior, the FW needs to periodically update the intrusion prevention signature database through the security center (sec.huawei.com).
| Item | Data | Description |
|---|---|---|
| Intrusion prevention for extranets | | Intrusion prevention is required when devices in the Trust zone access extranets. The security policies reference the default intrusion prevention profile default. |
| Intrusion prevention for the server area | | Intrusion prevention is required when extranet users access devices in the server area. The security policy references the default intrusion prevention profile default. |
| Intrusion prevention signature database update | | The intrusion prevention signature database needs to be updated frequently to improve the security defense capability of the device. To reduce the workload of the administrator, configure the device to update the database on a schedule when network traffic is light. |
DNS Transparent Proxy
DNS transparent proxy can change the destination address of a DNS request packet, implementing DNS server redirection. In this case, DNS transparent proxy works together with PBR intelligent uplink selection so that DNS request packets are forwarded based on the link bandwidth ratio. The resolved server addresses then belong to different ISP networks, and therefore subsequent access traffic is distributed across the different ISP links.
| Item | Data | Description |
|---|---|---|
| Servers to which interfaces are bound | | The FW prefers the primary DNS server address to replace the destination address in a received DNS request packet. It uses the secondary DNS server address to replace the destination address only when the primary DNS server is in the Down state. |
| Domain name exception | | DNS transparent proxy is not carried out for the domain name exception. The administrator can specify a DNS server to resolve the domain name exception. |
| DNS transparent proxy policy | dns_trans_rule: | The DNS transparent proxy policy defines which DNS request packets require DNS transparent proxy. In this case, all DNS request packets except those carrying a domain name exception require DNS transparent proxy. |
| Policy-based routing | pbr_dns_trans: | The policy-based route must be placed ahead of the other ones. The route matches DNS request packets by service type (DNS service over TCP or UDP). Load balancing by link bandwidth is carried out for matching DNS request packets. After users on the campus obtain resolved addresses, the service packets sent by the users are matched against the other PBRs. |
Intelligent Uplink Selection
To meet the traffic forwarding requirements of the campus network egress, you can enable intelligent uplink selection on the FW. Then the FW can forward traffic by ISP based on the ISP address set. To meet the forwarding requirement of some special traffic, use single-ISP PBR to forward the traffic from a fixed outbound interface. Use a link with better quality to forward the traffic that does not match any item in the ISP address set.
| Item | Data | Description |
|---|---|---|
| Single-ISP PBR | | The priority of PBRs is higher than that of specific routes and default routes. Therefore, special traffic can be forwarded using PBRs. Single-ISP PBR and multi-ISP PBR have the same priority. However, a PBR configured earlier is ranked ahead of one configured later. You can adjust the sequence of PBRs based on service requirements and matching conditions. Generally, a PBR with strict matching conditions is ranked ahead of a PBR with loose matching conditions, and a PBR matching special traffic is ranked ahead of PBRs that match common traffic. |
| ISP address set | | Before configuring ISP address sets, the administrator needs to write the IP addresses of each ISP network into different ISP address files and import the files into the FW. To modify the content of an ISP address file, export the file, modify it, and import it into the FW. The following figure shows the requirements on filling in ISP address files. |
| Multi-ISP PBR | | After the destination addresses of PBRs are configured as an ISP address set, the FW uses a specific ISP link to forward traffic that matches all matching conditions of a PBR. If the same ISP has multiple links, the FW uses a random link to forward the traffic. If the traffic is heavy, the proportion of traffic forwarded by each link is approximately equal to the link bandwidth ratio, that is, load balancing by link bandwidth is carried out. After the links with higher priority are overloaded, ISP links with lower priority are used for traffic forwarding. For example, if traffic matches all matching conditions of PBR pbr_isp1, the destination address of the traffic belongs to ISP1 network. The three outbound interfaces connected to ISP1 network, GE1/0/2, GE1/0/3, and GE1/0/4, have the highest priority, so the FW randomly selects one of the three interfaces for traffic forwarding. If GE1/0/2, GE1/0/3, and GE1/0/4 are all overloaded and new traffic still matches pbr_isp1, traffic for which a session already exists is still forwarded through its original outbound interface, but new traffic is forwarded through GE1/0/1, which has the second highest priority, instead of any of the three interfaces. After GE1/0/1 is overloaded, new traffic is forwarded through GE1/0/5 and GE1/0/6, which have the third highest priority. If all links are overloaded, the FW forwards traffic over the links based on the actual bandwidth ratio, not by link priority. Because the distance education system software is not included in the application signature database of the FW, the administrator needs to create user-defined application UD_dis_edu_sys_app based on application features and set it as a matching condition of a PBR. The link with the best quality can be selected through pbr_rest to forward traffic that does not match any item in the ISP address set, ensuring user experience. |
Server Load Balancing
The two servers in the library function as one high-performance and high-reliability virtual server. For users, there is only one server. To improve user experience, the virtual server publishes the public IP addresses of multiple ISP networks.
| Item | Data | Description |
|---|---|---|
| Servers in the library | | The virtual server IP address is a public IP address, and the real server IP addresses are private IP addresses. After server load balancing is configured, the FW automatically generates a black-hole route for the virtual server IP address to prevent routing loops. After you delete the virtual server IP address or cancel the binding between the virtual server and the real server group, the black-hole route is automatically deleted. |
Smart DNS
When a private DNS server exists, the FW that has smart DNS enabled intelligently replies to DNS requests from different ISPs, so that the server address obtained by a user is in the same ISP network as the user.
For example, a school has a DNS server, which stores the portal server domain name (www.example.com) and the public IP address 1.1.15.15 assigned by the education network. Smart DNS is enabled on the FW's GE1/0/2. The mapped address is the ISP1-assigned public IP address 2.2.15.15.
When an education network user accesses the portal server address, the user obtains the public IP address 1.1.15.15 assigned by the education network as the portal server address, because GE1/0/1 does not have the smart DNS function enabled. When an ISP1 user accesses the portal server address, the DNS server replies with a DNS response message to the user. When the response leaves through the FW's GE1/0/2, the FW replaces the original education-network public IP address 1.1.15.15 with the ISP1-assigned address 2.2.15.15. After the user receives the message, he or she communicates with 2.2.15.15. A NAT Server mapping must also be configured on the FW to associate the private portal server address 10.1.10.20 with 2.2.15.15. In this manner, ISP1 users can use 2.2.15.15 to communicate with the portal server.
| Item | Data | Description |
|---|---|---|
| Portal server | | The original server IP address is the public IP address of the education network, and therefore it is unnecessary to configure smart DNS mappings for the outbound interface corresponding to the education network. |
| Servers in the library | | - |
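The smart DNS rewrite described above, worked at the packet level as an added example (not FW code): a constructed DNS response from the campus DNS server carrying the education-network address 1.1.15.15 is left alone when it leaves through GE1/0/1 and has its A record rewritten to 2.2.15.15 when it leaves through GE1/0/2, after which the NAT Server mapping the text requires is checked. The `SMART_DNS` and `NAT_SERVER` tables, the packet builder and all function names are assumptions made for this illustration.

```python
"""Byte-level model of the smart DNS answer rewrite and the NAT Server check it relies on."""
import struct
import ipaddress

# Smart DNS mappings per outbound interface: original public IP -> ISP-assigned IP.
# GE1/0/1 (education network) deliberately has no mapping, as in the text.
SMART_DNS = {
    "GE1/0/2": {"1.1.15.15": "2.2.15.15"},
}
# NAT Server mappings (constructed): every public address a client can be handed
# must translate back to the real portal server.
NAT_SERVER = {
    "1.1.15.15": "10.1.10.20",
    "2.2.15.15": "10.1.10.20",
}


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_response(txid, name, addrs, ttl=300):
    """Build a minimal DNS response with one A answer per address (constructed input)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD, RA
    q = _encode_name(name) + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    ans = b""
    for a in addrs:
        # 0xC00C: compression pointer back to the question name at offset 12.
        ans += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return hdr + q + ans


def _skip_name(msg, off):
    """Advance past a DNS name, whether written as labels or as a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def rewrite_answers(msg, out_interface):
    """Apply the outbound interface's smart DNS map to every A answer.

    Returns (rewritten message, list of addresses the client will see)."""
    mapping = SMART_DNS.get(out_interface, {})
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    buf = bytearray(msg)
    seen = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ip = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if ip in mapping:
                ip = mapping[ip]
                buf[off:off + 4] = ipaddress.IPv4Address(ip).packed  # same length: no fix-ups needed
            seen.append(ip)
        off += rdlen
    return bytes(buf), seen


def nat_server_targets(ips):
    """Map each handed-out public IP to its NAT Server real address; None flags a missing mapping."""
    return {ip: NAT_SERVER.get(ip) for ip in ips}
```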
NAT
- NAT Server
To ensure that users on each ISP network can access intranet servers, the NAT server function is required on the FW to translate the private addresses of servers into public IP addresses.
| Item | Data | Description |
|---|---|---|
| Portal server | | The NAT server can map multiple public IP addresses to the same private IP address based on the security zone. |
| DNS server | | - |
- Source NAT
To enable a large number of intranet users to make full use of limited public IP addresses for access, source NAT needs to be configured on the FW to translate the private IP addresses in packets into public IP addresses.
| Item | Data | Description |
|---|---|---|
| Education network | edu_nat_policy: | The source IP addresses in the packets sent by intranet users to access the education network are translated into the public IP address of the education network. |
| ISP1 NAT policy | isp1_nat_policy1:; isp1_nat_policy2:; isp1_nat_policy3: | The source IP addresses in the packets sent by intranet users to access ISP1 network are translated into the public IP address of ISP1 network. |
| ISP2 NAT policy | isp2_nat_policy1:; isp2_nat_policy2: | The source IP addresses in the packets sent by intranet users to access ISP2 network are translated into the public IP address of ISP2 network. |
| Source NAT in the same security zone | inner_nat_policy: | Source address translation is required when an intranet user (Trust zone) accesses an intranet server (Trust zone) through its public address. |
- NAT ALG
If the FW that has NAT enabled needs to forward packets of a multichannel protocol, such as FTP, the NAT ALG function of the protocol needs to be enabled to ensure correct address translation for the multichannel protocol packets. In this case, the NAT ALG functions of FTP, QQ, and RTSP are enabled.
Attack Defense
Attack defense can detect multiple types of network attacks, such as DDoS attacks and single-packet attacks. This function protects the intranet against malicious attacks.
| Item | Data | Description |
|---|---|---|
| Anti-DDoS | | For the above flood attacks, the recommended maximum packet rate for GE interfaces is 16,000 pps. In this case, the interfaces are all GE interfaces. The final interface threshold is 24000 pps, which is the test result. Configure a large threshold and adjust it according to the test until it falls into the normal range. A suitable threshold helps defend against attacks without affecting normal services. |
| Single-packet attack defense | | If there are no special network security requirements, enable the function in this case to defend against single-packet attacks. |
Audit Policy
The FW supports the audit function to record the Internet access behavior defined in the audit policy for future audit and analysis.
| Item | Data | Description |
|---|---|---|
| Audit policy | | The campus network administrator can record the HTTP and FTP behaviors of intranet users who access the extranet for subsequent auditing. |
Bandwidth Management
As P2P traffic uses a lot of bandwidth resources, the campus requests to limit the bandwidth used by P2P traffic over each ISP1 link and implement bandwidth limiting for P2P traffic per IP address. Bandwidth management can implement global/per-IP/per-user traffic limiting for a specific type of traffic.
| Item | Data | Description |
|---|---|---|
| Traffic limiting for P2P traffic over the link where GE1/0/2 resides | Traffic profile: isp1_p2p_profile_01; Traffic policy: isp1_p2p_01 | Traffic policies define specific bandwidth resources and determine which traffic bandwidth management applies to. After a traffic policy references a traffic profile, the traffic that matches the traffic policy can use only the bandwidth resources defined by the traffic profile. |
| Traffic limiting for P2P traffic over the link where GE1/0/3 resides | Traffic profile: isp1_p2p_profile_02; Traffic policy: isp1_p2p_02 | - |
| Traffic limiting for P2P traffic over the link where GE1/0/4 resides | Traffic profile: isp1_p2p_profile_03; Traffic policy: isp1_p2p_03 | - |
Log Server
The log server can collect, query, and display logs. After the FW is used together with the log server, you can view the session logs (sent by the FW) on the log server, including session logs before and after NAT. With these logs, you can view NAT-related address information. On the log server, you can also view the IPS and attack defense logs sent by the FW. With these logs, you can query attacks and intrusions on the network.
| Item | Data | Description |
|---|---|---|
| Log server | | - |
| SNMP | | - |
| NAT tracing | Enable Record Session Log for the following security policies: | NAT tracing allows you to view pre-NAT and post-NAT address information. After the session log function is enabled in the security policy view, the FW sends the logs of the sessions matching the security policy to the log host. You can view the log information through the log server to which the log host is connected. Some session logs include pre-NAT and post-NAT address information. |
Precautions
- Whether the ISP address set includes all required IP addresses affects the implementation of intelligent uplink selection and smart DNS. Therefore, update the ISP address database regularly from the security center platform (isecurity.huawei.com).
- In a multi-egress scenario, PBR intelligent uplink selection cannot be used together with the IP spoofing attack defense or Unicast Reverse Path Forwarding (URPF) function. If the IP spoofing attack defense or URPF function is enabled, the FW may discard packets.
- A license is required to use smart DNS. In addition, smart DNS is available only after required components are loaded through the dynamic loading function.
- The virtual server IP address used in server load balancing cannot be the same as any of the following ones:
  - Public IP address of the NAT server (global IP address)
  - IP addresses in the NAT address pool
  - Gateway IP address
  - Interface IP addresses of the FW
- The real server IP address used in server load balancing cannot be the same as any of the following ones:
  - Virtual server IP address
  - Public IP address of the NAT server (global IP address)
  - Internal server IP address of the NAT server (inside IP)
- After you configure server load balancing, configure IP addresses for real servers, but not the IP address of the virtual server, when configuring security policies and the routing function.
- After you configure the NAT address pool and NAT server, configure black-hole routes to addresses in the address pool and the public address of the NAT server to prevent routing loops.
- Only the audit administrator can configure the audit function and view audit logs.
- You can view and export audit logs on the web UI only from the device that has an available disk installed.
- On networks with different forward and return packet paths, the audit log contents may be incomplete.
Configuration Procedure
Procedure
- Configure interfaces and security zones and configure a gateway address, bandwidth, and overload protection threshold for outbound interfaces involved in intelligent uplink selection.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] description connect_to_edu
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/1] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] description connect_to_isp1
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] description connect_to_isp1
[FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252
[FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2
[FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4] description connect_to_isp1
[FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252
[FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2
[FW-GigabitEthernet1/0/4] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/4] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/4] quit
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] description connect_to_isp2
[FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252
[FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2
[FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] quit
[FW] interface GigabitEthernet 1/0/6
[FW-GigabitEthernet1/0/6] description connect_to_isp2
[FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252
[FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2
[FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] description connect_to_campus
[FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0
[FW-GigabitEthernet1/0/7] quit
- Configure a security policy.
- Create a security zone for each of the education network, ISP1 network, and ISP2 network and assign interfaces to the security zone.
[FW] firewall zone name edu_zone
[FW-zone-edu_zone] set priority 20
[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
[FW-zone-edu_zone] quit
[FW] firewall zone name isp1_zone1
[FW-zone-isp1_zone1] set priority 30
[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
[FW-zone-isp1_zone1] quit
[FW] firewall zone name isp1_zone2
[FW-zone-isp1_zone2] set priority 40
[FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3
[FW-zone-isp1_zone2] quit
[FW] firewall zone name isp1_zone3
[FW-zone-isp1_zone3] set priority 50
[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
[FW-zone-isp1_zone3] quit
[FW] firewall zone name isp2_zone1
[FW-zone-isp2_zone1] set priority 60
[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
[FW-zone-isp2_zone1] quit
[FW] firewall zone name isp2_zone2
[FW-zone-isp2_zone2] set priority 70
[FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6
[FW-zone-isp2_zone2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/7
[FW-zone-trust] quit
- Configure interzone security policies to control access between zones. Reference the default intrusion prevention profile in the security policies and configure intrusion prevention.
[FW] security-policy
[FW-policy-security] rule name user_inside
[FW-policy-security-rule-user_inside] source-zone trust
[FW-policy-security-rule-user_inside] action permit
[FW-policy-security-rule-user_inside] profile ips default
[FW-policy-security-rule-user_inside] quit
[FW-policy-security] rule name user_outside
[FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24
[FW-policy-security-rule-user_outside] action permit
[FW-policy-security-rule-user_outside] profile ips default
[FW-policy-security-rule-user_outside] quit
[FW-policy-security] rule name local_to_any
[FW-policy-security-rule-local_to_any] source-zone local
[FW-policy-security-rule-local_to_any] destination-zone any
[FW-policy-security-rule-local_to_any] action permit
[FW-policy-security-rule-local_to_any] quit
[FW-policy-security] quit
- Configure the scheduled update function for the intrusion prevention function.
A license for updating the signature database is available and has been activated on the device.
- Configure an update center.
[FW] update server domain sec.huawei.com
- The device can access the update server directly or through a proxy server. In this example, the device can directly access the update server.
[FW] dns resolve
[FW] dns server 10.1.10.30
- Configure the scheduled update function and set the scheduled update time.
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30
- Configure IP-link to detect whether each link is working normally.
The IP-link configuration commands on the USG6000 and USG9500 are different. The USG6000 is used in this example for illustration.
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit
- Configure routes.
Routes other than those required in this example are configured by the network administrator; contact the administrator for them.
# Configure a static route whose destination address belongs to the network segment of the intranet and next-hop address is the address of the intranet switch so that extranet traffic can reach the intranet.
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
- Configure DNS transparent proxy.
# Configure the IP address of each interface bound to the DNS server.
[FW] dns-transparent-policy
[FW-policy-dns] dns transparent-proxy enable
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
# Configure a domain name exception.
[FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
# Configure a DNS transparent proxy policy.
[FW-policy-dns] rule name dns_trans_rule
[FW-policy-dns-rule-dns_trans_rule] action tpdns
[FW-policy-dns-rule-dns_trans_rule] quit
[FW-policy-dns] quit
# Configure PBR intelligent uplink selection to load balance DNS request packets to each link.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit
- Configure intelligent uplink selection.
# Configure ISP address sets.
- Upload ISP address files to the FW through SFTP.
- Create an ISP name for each of the education network, ISP1 network, and ISP2 network and associate it with the corresponding ISP address file.
[FW] isp name edu_address set filename edu_address.csv
[FW] isp name isp1_address set filename isp1_address.csv
[FW] isp name isp2_address set filename isp2_address.csv
[FW] isp name other_edu_server_address set filename other_edu_server_address.csv
# Create an application corresponding to the distance education system software and reference the application in the PBR so that traffic generated by the distance education system software is forwarded over the education network and ISP2 links.
Ensure that the FW has the route configuration that guides the transmission of the traffic generated by the distance education system even if PBR is unavailable.
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems sub-category Enterprise_Application
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
[FW-sa] quit
[FW] policy-based-route
[FW-policy-pbr] rule name dis_edu_sys
[FW-policy-pbr-rule-dis_edu_sys] source-zone trust
[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
[FW-policy-pbr-rule-dis_edu_sys] quit
# Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.
Ensure that the FW has the route configuration that guides P2P traffic transmission even if PBR is unavailable.
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit
# Configure single-ISP PBR.
- Configure the traffic destined for servers of other campuses and the network access traffic of users in the library to be forwarded over the link to the education network.
[FW-policy-pbr] rule name other_edu_server
[FW-policy-pbr-rule-other_edu_server] source-zone trust
[FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16
[FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address
[FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-other_edu_server] quit
[FW-policy-pbr] rule name lib_internet
[FW-policy-pbr-rule-lib_internet] source-zone trust
[FW-policy-pbr-rule-lib_internet] source-address 10.1.50.0 22
[FW-policy-pbr-rule-lib_internet] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-lib_internet] quit
# Configure destination address-based PBR intelligent uplink selection.
- Prefer the link to the education network to forward traffic destined for an address in the address set of the education network.
[FW-policy-pbr] rule name pbr_edu
[FW-policy-pbr-rule-pbr_edu] source-zone trust
[FW-policy-pbr-rule-pbr_edu] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_edu] destination-address isp edu_address
[FW-policy-pbr-rule-pbr_edu] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_edu-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_edu-multi-inter] quit
[FW-policy-pbr-rule-pbr_edu] quit
- Prefer ISP1 links to forward traffic destined for an address in the address set of ISP1 network.
[FW-policy-pbr] rule name pbr_isp1
[FW-policy-pbr-rule-pbr_isp1] source-zone trust
[FW-policy-pbr-rule-pbr_isp1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp1] destination-address isp isp1_address
[FW-policy-pbr-rule-pbr_isp1] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp1-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp1] quit
- Prefer ISP2 links to forward traffic destined for an address in the address set of ISP2 network.
[FW-policy-pbr] rule name pbr_isp2
[FW-policy-pbr-rule-pbr_isp2] source-zone trust
[FW-policy-pbr-rule-pbr_isp2] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp2] destination-address isp isp2_address
[FW-policy-pbr-rule-pbr_isp2] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp2-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp2] quit
# Select the link with the highest quality through PBR pbr_rest to forward the traffic that does not match any ISP address set.
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit
- Configure server load balancing.
# Enable server load balancing.
[FW] slb enable
# Configure a load balancing algorithm.
[FW] slb
[FW-slb] group 1 grp1
[FW-slb-group-1] metric roundrobin
# Add real servers to the real server group.
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-group-1] quit
# Configure a virtual server IP address.
[FW-slb] vserver 1 vs1
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 3.3.113.113
# Associate the virtual server with the real server group.
[FW-slb-vserver-1] group grp1
[FW-slb-vserver-1] quit
[FW-slb] quit
- Configure smart DNS.
# Enable smart DNS.
[FW] dns-smart enable
# Create a smart DNS group and configure smart DNS mappings in the group.
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
[FW-dns-smart-group-1] quit
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
[FW-dns-smart-group-2] quit
- Configure the security zone-based NAT server function so that users on different ISP networks can use corresponding public IP addresses to access intranet servers.
# Configure the NAT server function for the Portal server.
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
[FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
# Configure the NAT server function for the DNS server.
[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
[FW] nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
[FW] nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
# Configure a black-hole route to the public address of the NAT server to prevent routing loops.
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0
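The smart DNS groups and the zone-based NAT server entries above describe the same mapping from two sides: the address smart DNS hands out for a query that arrived on an interface must be the NAT server global address in that interface's zone for the same inside host, otherwise clients behind that ISP resolve to an address the FW does not translate on that link. The following cross-check is an added example for this document, not a Huawei tool; it parses the CLI text in the form shown on this page, over a constructed excerpt trimmed to four uplinks in which one NAT server entry (dns_server04) is deliberately given a wrong global address so that the check has something to find.

```python
"""Cross-check smart DNS mappings against zone-based NAT server entries.
Added example for this document, not a Huawei tool; parses CLI text."""
import re

# Constructed excerpt of the configuration above (four uplinks only).
# dns_server04 deliberately carries a wrong global address (2.2.105.105)
# while smart DNS group 2 still hands out 2.2.104.104 on GE1/0/4.
SAMPLE_CONFIG = """
[FW] firewall zone name edu_zone
[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
[FW] firewall zone name isp1_zone1
[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
[FW] firewall zone name isp1_zone3
[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
[FW] firewall zone name isp2_zone1
[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
[FW] dns-smart enable
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server04 zone isp1_zone3 global 2.2.105.105 inside 10.1.10.30 no-reverse
"""

_PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")   # "[FW-...] " prompt prefix


def parse(config):
    """Return (zone_of_interface, smart_dns_groups, nat_servers).
    Only zone definitions, dns-smart groups and nat server lines are read;
    'add interface' is interpreted in the zone context, so feed it the zone
    and DNS/NAT parts of the configuration, not the PBR part."""
    zone_of, groups, nat_servers = {}, {}, []
    zone = group = None
    for raw in config.splitlines():
        line = _PROMPT.sub("", raw).strip()
        if m := re.match(r"firewall zone (?:name )?(\S+)$", line):
            zone = m.group(1)
        elif m := re.match(r"add interface (.+)$", line):
            zone_of[m.group(1)] = zone
        elif m := re.match(r"dns-smart group (\S+)", line):
            group = groups.setdefault(m.group(1), {"real": None, "maps": {}})
        elif m := re.match(r"real-server-ip (\S+)$", line):
            group["real"] = m.group(1)
        elif m := re.match(r"out-interface (.+) map (\S+)$", line):
            group["maps"][m.group(1)] = m.group(2)
        elif m := re.match(r"nat server \S+ zone (\S+) global (\S+) inside (\S+)", line):
            nat_servers.append(m.groups())          # (zone, global, inside)
    return zone_of, groups, nat_servers


def smart_dns_problems(config):
    """Smart DNS answers that no nat server in the interface's zone backs."""
    zone_of, groups, nat_servers = parse(config)
    problems = []
    for gid, g in groups.items():
        # The real server address is itself a nat server global address;
        # resolve it to the inside host(s) it stands for.
        inside = {ins for _, glob, ins in nat_servers if glob == g["real"]}
        if not inside:
            problems.append(f"group {gid}: real server {g['real']} is not a nat server global address")
            continue
        for iface, mapped in g["maps"].items():
            zone = zone_of.get(iface)
            ok = any(z == zone and glob == mapped and ins in inside
                     for z, glob, ins in nat_servers)
            if not ok:
                problems.append(f"group {gid}: {iface} ({zone}) answers {mapped}, "
                                f"which no nat server in that zone maps to {sorted(inside)}")
    return problems


if __name__ == "__main__":
    for problem in smart_dns_problems(SAMPLE_CONFIG) or ["no mismatches found"]:
        print(problem)
```

Run against the constructed excerpt, the check reports the single GE1/0/4 mismatch; with dns_server04 corrected to 2.2.104.104 it reports nothing.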
- Configure source NAT.
# Configure source NAT for traffic destined for the education network. The address in the address pool is the public address of the education network.
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat-policy
[FW-policy-nat] rule name edu_nat_policy
[FW-policy-nat-rule-edu_nat_policy] source-zone trust
[FW-policy-nat-rule-edu_nat_policy] destination-zone edu_zone
[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-edu_nat_policy] quit
[FW-policy-nat] quit
# Configure intrazone NAT so that intranet users can access the intranet server through its public address.
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for ISP1 network. The address in the address pool is the public address of ISP1 network.
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool3
[FW-address-group-isp1_nat_address_pool3] mode pat
[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
[FW-address-group-isp1_nat_address_pool3] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy3
[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
[FW-policy-nat-rule-isp1_nat_policy3] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for ISP2 network. The address in the address pool is the public address of ISP2 network.
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
[FW-address-group-isp2_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy2
[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
[FW-policy-nat-rule-isp2_nat_policy2] quit
[FW-policy-nat] quit
# Configure black-hole routes to public addresses of the NAT address pool to prevent routing loops.
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.32 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.2 32 NULL 0
[FW] ip route-static 2.2.5.3 32 NULL 0
[FW] ip route-static 2.2.6.1 32 NULL 0
[FW] ip route-static 2.2.6.2 32 NULL 0
[FW] ip route-static 2.2.6.3 32 NULL 0
[FW] ip route-static 2.2.7.1 32 NULL 0
[FW] ip route-static 2.2.7.2 32 NULL 0
[FW] ip route-static 2.2.7.3 32 NULL 0
[FW] ip route-static 3.3.1.1 32 NULL 0
[FW] ip route-static 3.3.1.2 32 NULL 0
[FW] ip route-static 3.3.1.3 32 NULL 0
[FW] ip route-static 3.3.2.1 32 NULL 0
[FW] ip route-static 3.3.2.2 32 NULL 0
[FW] ip route-static 3.3.2.3 32 NULL 0
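Both the NAT server globals and every address in every NAT address pool need a /32 black-hole route, as the two steps above require to prevent routing loops, and with six uplinks and several pools the list is long enough that one address is easily missed. The following check is an added example for this document, not a Huawei tool: it parses the nat server, address-group section and ip route-static lines in the form shown on this page, expands each pool section into individual addresses, and reports the public addresses that have no NULL 0 route. The excerpt it runs on is constructed from the configuration above with two routes deliberately left out.

```python
"""Report NAT public addresses that lack a /32 black-hole route.
Added example for this document, not a Huawei tool; parses CLI text."""
import ipaddress
import re

# Constructed excerpt of the configuration above. Two routes are left out on
# purpose (2.2.15.15 and 2.2.5.2) so that the check has something to report.
SAMPLE_CONFIG = """
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.32 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.3 32 NULL 0
"""

_PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")          # "[FW-...] " prompt prefix
_NAT_SERVER = re.compile(r"^nat server \S+ zone \S+ global (\S+) inside \S+")
_SECTION = re.compile(r"^section \d+ (\S+) (\S+)")    # address-group range
_BLACKHOLE = re.compile(r"^ip route-static (\S+) (?:32|255\.255\.255\.255) NULL\s*0\b")


def commands(config):
    """Yield bare commands with the CLI prompt stripped, skipping blank lines."""
    for raw in config.splitlines():
        line = _PROMPT.sub("", raw).strip()
        if line:
            yield line


def nat_public_addresses(config):
    """Public addresses the FW owns through NAT: nat server globals and every
    address of every address-group section (ranges are expanded)."""
    addrs = set()
    for line in commands(config):
        if m := _NAT_SERVER.match(line):
            addrs.add(m.group(1))
        elif m := _SECTION.match(line):
            start = int(ipaddress.IPv4Address(m.group(1)))
            end = int(ipaddress.IPv4Address(m.group(2)))
            addrs.update(str(ipaddress.IPv4Address(i)) for i in range(start, end + 1))
    return addrs


def blackhole_routes(config):
    """Destinations of host static routes that point at NULL 0."""
    return {m.group(1) for line in commands(config) if (m := _BLACKHOLE.match(line))}


def missing_blackhole_routes(config):
    """NAT public addresses without a black-hole route, in address order."""
    missing = nat_public_addresses(config) - blackhole_routes(config)
    return sorted(missing, key=ipaddress.IPv4Address)


def blackhole_commands(addresses):
    """The commands that would close each reported gap."""
    return [f"ip route-static {addr} 32 NULL 0" for addr in addresses]


if __name__ == "__main__":
    for cmd in blackhole_commands(missing_blackhole_routes(SAMPLE_CONFIG)):
        print(cmd)
```

On the constructed excerpt the check reports 2.2.5.2 and 2.2.15.15 and prints the two ip route-static commands that would close the gap; on the full configuration above it should report nothing.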
- Configure NAT ALG between the Trust zone and other security zones. In this example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT ALG, enable ASPF.
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit
- Configure attack defense.
[FW] firewall defend land enable
[FW] firewall defend smurf enable
[FW] firewall defend fraggle enable
[FW] firewall defend ip-fragment enable
[FW] firewall defend tcp-flag enable
[FW] firewall defend winnuke enable
[FW] firewall defend source-route enable
[FW] firewall defend teardrop enable
[FW] firewall defend route-record enable
[FW] firewall defend time-stamp enable
[FW] firewall defend ping-of-death enable
- Configure an audit profile and reference it in an audit policy.
[FW] profile type audit name trust_to_internet_audit
[FW-profile-audit-trust_to_internet_audit] http-audit url all
[FW-profile-audit-trust_to_internet_audit] http-audit bbs-content
[FW-profile-audit-trust_to_internet_audit] http-audit micro-blog
[FW-profile-audit-trust_to_internet_audit] http-audit file direction both
[FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both
[FW-profile-audit-trust_to_internet_audit] quit
[FW] audit-policy
[FW-policy-audit] rule name trust_to_internet_audit_policy
[FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust
[FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit
[FW-policy-audit-rule-trust_to_internet_audit_policy] quit
[FW-policy-audit] quit
- Configure bandwidth management.
# Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-ip both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-ip both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-ip both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
[FW-policy-traffic-rule-isp1_p2p_03] quit
[FW-policy-traffic] quit
- Configure system log sending and NAT tracing to view logs on the eSight.
# Configure the function of sending system logs to a log host at 10.1.10.30 (in this example, IPS and attack defense logs are sent).
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30
# Configure the session log function.
[FW] security-policy
[FW-policy-security] rule name trust_edu_zone
[FW-policy-security-rule-trust_edu_zone] source-zone trust
[FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone
[FW-policy-security-rule-trust_edu_zone] action permit
[FW-policy-security-rule-trust_edu_zone] session logging
[FW-policy-security-rule-trust_edu_zone] quit
[FW-policy-security] rule name trust_isp1_zone
[FW-policy-security-rule-trust_isp1_zone] source-zone trust
[FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3
[FW-policy-security-rule-trust_isp1_zone] action permit
[FW-policy-security-rule-trust_isp1_zone] session logging
[FW-policy-security-rule-trust_isp1_zone] quit
[FW-policy-security] rule name trust_isp2_zone
[FW-policy-security-rule-trust_isp2_zone] source-zone trust
[FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2
[FW-policy-security-rule-trust_isp2_zone] action permit
[FW-policy-security-rule-trust_isp2_zone] session logging
[FW-policy-security-rule-trust_isp2_zone] quit
[FW-policy-security] quit
- Configure SNMP and ensure that the SNMP parameters on the eSight are consistent with those on the FW.
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123
After completing the configuration on the eSight, choose Log Analysis > Session Analysis > IPv4 Session Query to view session logs.
Verification
- When users on the campus access the extranet, the traffic destined to the education network is forwarded by GE1/0/1, the traffic destined to ISP1 network is forwarded by GE1/0/2, and the traffic destined to ISP2 network is forwarded by GE1/0/3.
- The traffic destined to servers of other campuses and the network access traffic of users in the library are forwarded by GE1/0/1.
- Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update information of the IPS signature database.
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server : -
Proxy Port : -
Proxy User : -
Proxy Password : -
IPS-SDB:
  Application Confirmation : Disable
  Schedule Update : Enable
  Schedule Update Frequency : Daily
  Schedule Update Time : 02:30
AV-SDB:
  Application Confirmation : Disable
  Schedule Update : Enable
  Schedule Update Frequency : Daily
  Schedule Update Time : 02:30
SA-SDB:
  Application Confirmation : Disable
  Schedule Update : Enable
  Schedule Update Frequency : Daily
  Schedule Update Time : 02:30
IP-REPUTATION:
  Application Confirmation : Disable
  Schedule Update : Enable
  Schedule Update Frequency : Daily
  Schedule Update Time : 02:30
CNC:
  Application Confirmation : Disable
  Schedule Update : Enable
  Schedule Update Frequency : Daily
  Schedule Update Time : 02:30
------------------------------------------------------------
# Run the display version ips-sdb command to check the configuration of the IPS signature database.
[sysname] display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
  Signature Database Version : 2015041503
  Signature Database Size(byte) : 2659606
  Update Time : 12:02:10 2015/05/27
  Issue Time of the Update File : 16:06:30 2015/04/15
Backup Version:
  Signature Database Version :
  Signature Database Size(byte) : 0
  Update Time : 00:00:00 0000/00/00
  Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
  IPS Engine Version : V200R002C00SPC060
  IPS Engine Size(byte) : 3145728
  Update Time : 12:02:10 2015/05/27
  Issue Time of the Update File : 10:51:45 2015/05/20
Backup Version:
  IPS Engine Version :
  IPS Engine Size(byte) : 0
  Update Time : 00:00:00 0000/00/00
  Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
- Run the display firewall server-map command to check server-map entries generated by server load balancing.
[sysname] display firewall server-map slb
Current Total Server-map : 3
Type: SLB, ANY -> 3.3.113.113[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 2.2.112.112[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 1.1.111.111[grp1/1], Zone:---, protocol:---
Vpn: public -> public
- Run the display firewall server-map command to check server-map entries generated by the NAT server function.
```
[sysname] display firewall server-map nat-server
 Current Total Server-map : 12
 Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.16.16[10.1.10.20], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.17.17[10.1.10.20], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.15.15[10.1.10.20], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.16.16[10.1.10.20], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 1.1.101.101[10.1.10.30], Zone: edu_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.102.102[10.1.10.30], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.103.103[10.1.10.30], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.104.104[10.1.10.30], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.102.102[10.1.10.30], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.103.103[10.1.10.30], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server Reverse, 10.1.10.20[3.3.16.16] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[3.3.15.15] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.17.17] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.16.16] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[3.3.103.103] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[3.3.102.102] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[2.2.104.104] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[2.2.103.103] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[2.2.102.102] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[1.1.101.101] -> ANY, Zone: edu_zone , protocol:---
 Vpn: public -> public, counter: 1
```
- Check session logs on the eSight.
Configuration Scripts
```
#
 sysname FW
#
 info-center loghost 10.1.10.30 514
#
 nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
 nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
 nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
 nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
 nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
 nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
 nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
 nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
 nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
 nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#
 dns resolve
 dns server 10.1.10.30
 dns transparent-proxy server 10.1.0.50
#
dns-transparent-policy
 dns transparent-proxy enable
 dns server bind interface GigabitEthernet1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
 dns server bind interface GigabitEthernet1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
 dns server bind interface GigabitEthernet1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
 dns server bind interface GigabitEthernet1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
 dns server bind interface GigabitEthernet1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
 dns server bind interface GigabitEthernet1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
 dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ip-link name edu_ip_link
 destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
ip-link name isp1_ip_link
 destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
 destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
 destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
ip-link name isp2_ip_link
 destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
 destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
#
 dns-smart enable
#
 update schedule ips-sdb daily 02:30
 update schedule sa-sdb daily 02:30
#
interface GigabitEthernet1/0/1
 description connect_to_edu
 ip address 1.1.1.1 255.255.255.252
 reverse-route nexthop 1.1.1.2
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/2
 description connect_to_isp1
 ip address 2.2.2.1 255.255.255.252
 reverse-route nexthop 2.2.2.2
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
#
interface GigabitEthernet1/0/3
 description connect_to_isp1
 ip address 2.2.3.1 255.255.255.252
 reverse-route nexthop 2.2.3.2
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/4
 description connect_to_isp1
 ip address 2.2.4.1 255.255.255.252
 reverse-route nexthop 2.2.4.2
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
#
interface GigabitEthernet1/0/5
 description connect_to_isp2
 ip address 3.3.3.1 255.255.255.252
 reverse-route nexthop 3.3.3.2
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/6
 description connect_to_isp2
 ip address 3.3.4.1 255.255.255.252
 reverse-route nexthop 3.3.4.2
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/7
 description connect_to_campus
 ip address 10.2.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/7
#
firewall zone name edu_zone
 set priority 20
 add interface GigabitEthernet1/0/1
#
firewall zone name isp1_zone1
 set priority 30
 add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
 set priority 40
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
 set priority 50
 add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
 set priority 60
 add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
 set priority 70
 add interface GigabitEthernet1/0/6
#
firewall interzone trust edu_zone
 detect ftp
 detect rtsp
 detect qq
#
firewall interzone trust isp1_zone1
 detect ftp
 detect rtsp
 detect qq
#
firewall interzone trust isp1_zone2
 detect ftp
 detect rtsp
 detect qq
#
firewall interzone trust isp1_zone3
 detect ftp
 detect rtsp
 detect qq
#
firewall interzone trust isp2_zone1
 detect ftp
 detect rtsp
 detect qq
#
firewall interzone trust isp2_zone2
 detect ftp
 detect rtsp
 detect qq
#
 ip route-static 1.1.15.15 255.255.255.255 NULL0
 ip route-static 1.1.30.31 255.255.255.255 NULL0
 ip route-static 1.1.30.32 255.255.255.255 NULL0
 ip route-static 1.1.30.33 255.255.255.255 NULL0
 ip route-static 1.1.101.101 255.255.255.255 NULL0
 ip route-static 2.2.5.1 255.255.255.255 NULL0
 ip route-static 2.2.5.2 255.255.255.255 NULL0
 ip route-static 2.2.5.3 255.255.255.255 NULL0
 ip route-static 2.2.6.1 255.255.255.255 NULL0
 ip route-static 2.2.6.2 255.255.255.255 NULL0
 ip route-static 2.2.6.3 255.255.255.255 NULL0
 ip route-static 2.2.7.1 255.255.255.255 NULL0
 ip route-static 2.2.7.2 255.255.255.255 NULL0
 ip route-static 2.2.7.3 255.255.255.255 NULL0
 ip route-static 2.2.15.15 255.255.255.255 NULL0
 ip route-static 2.2.16.16 255.255.255.255 NULL0
 ip route-static 2.2.17.17 255.255.255.255 NULL0
 ip route-static 2.2.102.102 255.255.255.255 NULL0
 ip route-static 2.2.103.103 255.255.255.255 NULL0
 ip route-static 2.2.104.104 255.255.255.255 NULL0
 ip route-static 3.3.1.1 255.255.255.255 NULL0
 ip route-static 3.3.1.2 255.255.255.255 NULL0
 ip route-static 3.3.1.3 255.255.255.255 NULL0
 ip route-static 3.3.2.1 255.255.255.255 NULL0
 ip route-static 3.3.2.2 255.255.255.255 NULL0
 ip route-static 3.3.2.3 255.255.255.255 NULL0
 ip route-static 3.3.15.15 255.255.255.255 NULL0
 ip route-static 3.3.16.16 255.255.255.255 NULL0
 ip route-static 3.3.102.102 255.255.255.255 NULL0
 ip route-static 3.3.103.103 255.255.255.255 NULL0
 ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
 snmp-agent sys-info version v3
 snmp-agent group v3 inside_snmp privacy
 snmp-agent usm-user v3 snmp_user group inside_snmp
 snmp-agent usm-user v3 snmp_user authentication-mode sha cipher %$%$jQlL6J6-$X05<;Csj**]uVn>IEUb,9<3.%$%$
 snmp-agent usm-user v3 user-name privacy-mode aes256 cipher %$%$jQlL6J6-$X05<;Csj**]uVn>IEUb,9<3.%$%$
#
isp name edu_address
isp name edu_address set filename edu_address.csv
isp name isp1_address
isp name isp1_address set filename isp1_address.csv
isp name isp2_address
isp name isp2_address set filename isp2_address.csv
isp name other_edu_server_address
isp name other_edu_server_address set filename other_edu_server_address.csv
#
slb
 rserver 1 rip 10.1.10.10 weight 32 healthchk
 rserver 2 rip 10.1.10.11 weight 32 healthchk
 group grp1
  metric roundrobin
  addrserver 1
  addrserver 2
 vserver vs1 vip 1.1.111.111 group grp1
#
sa
#
sa
 user-defined-application name UD_dis_edu_sys_app
  category Business_Systems sub-category Enterprise_Application
  data-model client-server
  rule name 1
   ip-address 2.2.50.50 32
   port 5000
#
nat address-group edu_nat_address_pool
 section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
 section 0 2.2.5.1 2.2.5.3
nat address-group isp1_nat_address_pool2
 section 0 2.2.6.1 2.2.6.3
nat address-group isp1_nat_address_pool3
 section 0 2.2.7.1 2.2.7.3
nat address-group isp2_nat_address_pool1
 section 0 3.3.1.1 3.3.1.3
nat address-group isp2_nat_address_pool2
 section 0 3.3.2.1 3.3.2.3
#
dns-smart group 1 type single
 real-server-ip 1.1.15.15
 out-interface GigabitEthernet1/0/2 map 2.2.15.15
 out-interface GigabitEthernet1/0/3 map 2.2.16.16
 out-interface GigabitEthernet1/0/4 map 2.2.17.17
 out-interface GigabitEthernet1/0/5 map 3.3.15.15
 out-interface GigabitEthernet1/0/6 map 3.3.16.16
#
dns-smart group 2 type single
 real-server-ip 1.1.101.101
 out-interface GigabitEthernet1/0/2 map 2.2.102.102
 out-interface GigabitEthernet1/0/3 map 2.2.103.103
 out-interface GigabitEthernet1/0/4 map 2.2.104.104
 out-interface GigabitEthernet1/0/5 map 3.3.102.102
 out-interface GigabitEthernet1/0/6 map 3.3.103.103
#
security-policy
 rule name user_inside
  source-zone trust
  profile ips default
  action permit
 rule name user_outside
  source-zone edu_zone
  source-zone isp1_zone1
  source-zone isp1_zone2
  source-zone isp1_zone3
  source-zone isp2_zone1
  source-zone isp2_zone2
  destination-address 10.1.10.0 mask 255.255.255.0
  profile ips default
  action permit
 rule name local_to_any
  source-zone local
  destination-zone any
  action permit
#
traffic-policy
 profile isp1_p2p_profile_01
  bandwidth total maximum-bandwidth 100000
  bandwidth ip-car total maximum-bandwidth per-ip 500
 profile isp1_p2p_profile_02
  bandwidth total maximum-bandwidth 300000
  bandwidth ip-car total maximum-bandwidth per-ip 1000
 profile isp1_p2p_profile_03
  bandwidth total maximum-bandwidth 700000
  bandwidth ip-car total maximum-bandwidth per-ip 2000
 rule name isp1_p2p_01
  ingress-interface GigabitEthernet1/0/7
  egress-interface GigabitEthernet1/0/2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_01
 rule name isp1_p2p_02
  ingress-interface GigabitEthernet1/0/7
  egress-interface GigabitEthernet1/0/3
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_02
 rule name isp1_p2p_03
  ingress-interface GigabitEthernet1/0/7
  egress-interface GigabitEthernet1/0/4
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_03
#
policy-based-route
 rule name pbr_dns_trans
  source-zone trust
  service dns
  service dns-tcp
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/1
   add interface GigabitEthernet1/0/2
   add interface GigabitEthernet1/0/3
   add interface GigabitEthernet1/0/4
   add interface GigabitEthernet1/0/5
   add interface GigabitEthernet1/0/6
   mode proportion-of-bandwidth
 rule name dis_edu_sys
  source-zone trust
  application app UD_dis_edu_sys_app
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/1
   add interface GigabitEthernet1/0/5
   add interface GigabitEthernet1/0/6
   mode proportion-of-bandwidth
 rule name p2p_traffic
  source-zone trust
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/2
   add interface GigabitEthernet1/0/3
   add interface GigabitEthernet1/0/4
   mode proportion-of-bandwidth
 rule name other_edu_server
  source-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address isp other_edu_server_address
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
 rule name lib_internet
  source-zone trust
  source-address 10.1.48.0 mask 255.255.252.0
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
 rule name pbr_edu
  source-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address isp edu_address
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/1 priority 8
   add interface GigabitEthernet1/0/2 priority 5
   add interface GigabitEthernet1/0/3 priority 5
   add interface GigabitEthernet1/0/4 priority 5
   add interface GigabitEthernet1/0/5
   add interface GigabitEthernet1/0/6
   mode priority-of-userdefine
 rule name pbr_isp1
  source-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address isp isp1_address
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/1 priority 5
   add interface GigabitEthernet1/0/2 priority 8
   add interface GigabitEthernet1/0/3 priority 8
   add interface GigabitEthernet1/0/4 priority 8
   add interface GigabitEthernet1/0/5
   add interface GigabitEthernet1/0/6
   mode priority-of-userdefine
 rule name pbr_isp2
  source-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address isp isp2_address
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/1 priority 5
   add interface GigabitEthernet1/0/2
   add interface GigabitEthernet1/0/3
   add interface GigabitEthernet1/0/4
   add interface GigabitEthernet1/0/5 priority 8
   add interface GigabitEthernet1/0/6 priority 8
   mode priority-of-userdefine
 rule name pbr_rest
  source-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  action pbr egress-interface multi-interface
   add interface GigabitEthernet1/0/1
   add interface GigabitEthernet1/0/2
   add interface GigabitEthernet1/0/3
   add interface GigabitEthernet1/0/4
   add interface GigabitEthernet1/0/5
   add interface GigabitEthernet1/0/6
   mode priority-of-link-quality
   priority-of-link-quality parameter delay jitter loss
#
nat-policy
 rule name inner_nat_policy
  source-zone trust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group edu_nat_address_pool
 rule name edu_nat_policy
  source-zone trust
  destination-zone edu_zone
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group edu_nat_address_pool
 rule name isp1_nat_policy1
  source-zone trust
  destination-zone isp1_zone1
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group isp1_nat_address_pool1
 rule name isp1_nat_policy2
  source-zone trust
  destination-zone isp1_zone2
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group isp1_nat_address_pool2
 rule name isp1_nat_policy3
  source-zone trust
  destination-zone isp1_zone3
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group isp1_nat_address_pool3
 rule name isp2_nat_policy1
  source-zone trust
  destination-zone isp2_zone1
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group isp2_nat_address_pool1
 rule name isp2_nat_policy2
  source-zone trust
  destination-zone isp2_zone2
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat address-group isp2_nat_address_pool2
#
return
```
Solution 2: User-based Policy Control
Typical Networking
As shown in Figure 1-3, the FW is deployed on the egress of the campus network as a security gateway. It provides bandwidth services for users in the campus and server access services for users outside the campus. A RADIUS server is deployed on the campus network and stores user, user group, and password information. To access network resources through the BRAS, users must be authenticated by the RADIUS server. Following the existing organization structure, the administrator can create users and user groups on the FW, or import them in batches from a file, and then control the access behavior of those users and user groups through policies. To improve the reliability of the network egress, the campus leases 1G links from ISP1 and ISP2 and 10G links from the education network.
The campus network is mainly used for learning and working. Therefore, in addition to ensuring the security of intranet users and servers, the egress needs to properly allocate bandwidth resources and implement load balancing for network traffic to improve the access experience of intranet and extranet users. The main requirements of the campus network are as follows:
- User and authentication
- Users access the Internet through the BRAS after being authenticated by the RADIUS server. Users do not need to be authenticated by the FW after being authenticated by the RADIUS server.
- The Internet access users on the campus are classified into teachers, users who access the Internet from the library, users who access the Internet from the public area, users with a 20 Yuan monthly package, and users with a 50 Yuan monthly package. The administrator wants to control network permissions per user. The FW needs to store the required user information so that security policies can reference it.
- New users on the RADIUS server are allowed to access network resources even though their information does not yet exist on the FW.
- Load balancing
- The FW can control the network access permissions of users by user attribute and select ISP links for traffic forwarding according to those attributes. For example, the traffic of teachers and users with a 50 Yuan monthly package can be forwarded over multiple ISP links based on the destination address of the traffic; the traffic of users with a 20 Yuan monthly package and users who access the network from the library is forwarded only over the link to the education network; the traffic of users who access the network from the public area is preferentially forwarded over the link to the education network, and if that link is overloaded, the traffic can be forwarded over other ISP links.
- The ISP links have different transmission quality. The link to the education network and the links to the ISP2 network have high quality and can forward service traffic with strict delay requirements, such as the traffic of the distance education system. The links to the ISP1 network have poorer quality and can forward bandwidth-consuming, low-value service traffic, such as P2P traffic. Considering the cost, the traffic destined for the servers of other campuses, the network access traffic of users in the library, and traffic matching default routes are forwarded over the link to the education network.
- The users on the campus automatically obtain the same DNS server address, so the resolved addresses, and therefore the users' traffic, all end up on the same ISP link. The campus wants to make full use of the other links and requests that some DNS request packets be distributed to other ISP links. Changing only the outbound interface of the DNS packets does not solve the problem, because the subsequent network access traffic would still be forwarded over one link. DNS request packets therefore need to be forwarded to the DNS servers of different ISP networks, so that the resolved addresses belong to different ISP networks.
- A DNS server is deployed on the campus network to provide domain name resolution services. When users on different ISP networks access the campus network, they can use a resolved address that belongs to the same ISP as themselves, improving the access quality.
- The traffic destined for the server in the library is heavy, so two servers are deployed and the traffic must be load balanced between them.
- Address translation
- Users on the campus network require public IP addresses to access the Internet.
- The servers, such as library servers, portal servers, and DNS servers, on the campus network use public IP addresses to provide services for intranet and extranet users.
- Security defense
- Assign network devices to different zones based on their locations, implement security isolation for interzone traffic, and control the permissions on mutual zone access. For example, allow users on the campus to access extranet resources, and allow extranet users to access only a specific port of an intranet server.
- The network can defend against common DDoS attacks (such as SYN flood attacks) and single-packet attacks (such as Land attacks).
- Network intrusion behaviors are blocked and alerted.
- Bandwidth management and control
- Due to limited bandwidth resources, the campus requests to limit the bandwidth percentage of P2P traffic as well as the bandwidth of each user's P2P traffic. Teachers and users with a 50 Yuan monthly package are assigned 2M bandwidth for P2P traffic, and other users are assigned 500K bandwidth for P2P traffic. Common P2P traffic is generated by download software (Thunder, eMule, BT, Ares, and Vuze), music software (Kugou Music, kugou, and SoulSeek), or video websites or software (Baidu player, QiYi, and SHPlayer).
- Source tracing and auditing
- To prevent the improper online behavior of users on the campus from harming the reputation of the campus, trace the source of the improper behavior and reconstruct it. The online behavior of users on the campus needs to be audited for subsequent investigation and analysis. The behavior to be audited includes URL access records, BBS posts and microblogs, HTTP upload and download, and FTP upload and download.
- Log server devices are deployed on the campus. Attack defense and intrusion detection logs as well as pre-NAT and post-NAT IP addresses can be viewed on the log server.
Service Planning
The FW can meet all requirements of the campus network. This section describes the functions of the FW and provides service planning based on the networking.
Basic Network Configuration and Access Control Configuration
The FW sets security zones and implements security isolation for these zones. It controls the permissions on mutual zone access by using security policies.
Users on the campus network are in the Trust zone, which has the highest security level, so they can proactively access all other zones. Servers are also in the Trust zone; under the control of security policies they can access only the extranets, not other devices in the Trust zone. A separate security zone is created for each ISP link so that the policy between any two zones can be controlled independently. The devices on each ISP network can access the server area. In addition, ASPF needs to be enabled so that multichannel protocols such as FTP can communicate normally between zones.
| Item | Data | Description |
|---|---|---|
| GE1/0/1 | | The interface connecting the FW to the education network is assigned to user-defined security zone edu_zone. The priority of a user-defined security zone can be set as required. |
| GE1/0/2 | | The interface connecting the FW to the ISP1 network is assigned to user-defined security zone isp1_zone1. |
| GE1/0/3 | | The interface connecting the FW to the ISP1 network is assigned to user-defined security zone isp1_zone2. |
| GE1/0/4 | | The interface connecting the FW to the ISP1 network is assigned to user-defined security zone isp1_zone3. |
| GE1/0/5 | | The interface connecting the FW to the ISP2 network is assigned to user-defined security zone isp2_zone1. |
| GE1/0/6 | | The interface connecting the FW to the ISP2 network is assigned to user-defined security zone isp2_zone2. |
| GE1/0/7 | | The interface connecting the FW to the campus network is assigned to the Trust zone. Users on the campus and servers are in the Trust zone. |
| GE1/0/8 | | The interface connecting the FW to the RADIUS server is assigned to the DMZ. |
| Item | Data | Description |
|---|---|---|
| Security policy for users on the campus | | Users on the campus can access devices in any security zone. By default, devices in the same security zone cannot access each other. A security policy must be configured to specify the source or destination security zone. For example, if the source and destination security zones are both the Trust zone, the devices in the Trust zone can access each other. If the source security zone is the Trust zone and the destination security zone is any, the devices in the Trust zone can access any security zone. If the source security zone is any and the destination security zone is Trust, devices in any security zone can access the Trust zone. |
| Security policy for extranet users | | Users outside the campus can access the server area, but not any other devices in the Trust zone. |
| Security policy for the log server | | The FW is allowed to send log information to the log server and to reach the update center. |
Intrusion Prevention
Intrusion prevention needs to be enabled on the FW to alert on or block intrusions by botnets, Trojan horses, and worms. To better identify intrusion behavior, the FW needs to periodically update the intrusion prevention signature database through the security center (sec.huawei.com).

| Item | Data | Description |
|---|---|---|
| Intrusion prevention for extranets | | Intrusion prevention is required when devices in the Trust zone access extranets. The security policies reference the default intrusion prevention profile default. |
| Intrusion prevention for the server area | | Intrusion prevention is required when extranet users access devices in the server area. The security policy references the default intrusion prevention profile default. |
| Intrusion prevention signature database update | | The intrusion prevention signature database needs to be updated frequently to improve the security defense capability of the device. To reduce the administrator's workload, configure the device to update the database on a schedule, at a time when network traffic is light. |
DNS Transparent Proxy
DNS transparent proxy changes the destination address of a DNS request packet, redirecting the request to a different DNS server. Here, DNS transparent proxy works together with PBR intelligent uplink selection so that DNS request packets are forwarded in proportion to the link bandwidth. The resolved server addresses then belong to different ISP networks, and the subsequent access traffic is distributed across the different ISP links.

| Item | Data | Description |
|---|---|---|
| Servers to which interfaces are bound | | The FW prefers the primary DNS server address when replacing the destination address of a received DNS request packet. It uses the secondary DNS server address only when the primary DNS server is in the Down state. |
| Domain name exception | | DNS transparent proxy is not carried out for a domain name exception. The administrator can specify a DNS server to resolve the domain name exception. |
| DNS transparent proxy policy | dns_trans_rule: | The DNS transparent proxy policy defines which DNS request packets are subject to DNS transparent proxy. In this case, all DNS request packets except those carrying a domain name exception are proxied. |
| Policy-based routing | pbr_dns_trans: | This policy-based route must be placed before the other PBRs. It matches DNS request packets by service type (DNS over TCP or UDP), and matching DNS request packets are load balanced by link bandwidth. After users on the campus obtain the resolved addresses, the service packets they send are matched against the remaining PBRs. |
User and authentication
To enable users to be automatically authenticated by the FW after they are authenticated by the RADIUS server, configure RADIUS SSO to trigger user authentication on the FW.

To implement RADIUS SSO, the FW needs to parse the RADIUS accounting packets exchanged between the BRAS and RADIUS server to obtain user-to-IP address mappings. In this case, the packets exchanged between the BRAS and RADIUS server pass through the FW; the authentication policy configured on the FW does not authenticate these packets but ensures that the FW permits them.

| Item | Data | Description |
|---|---|---|
| CSV file | | Enter the user information stored on the RADIUS server into the CSV file template in the specified format and import the CSV file into the FW to create users and user groups in batches. Because information on new network access users may not be synchronized to the FW in time, create a temporary user group /default/newuser so that these users can still access network resources normally. |
| RADIUS SSO | | Set SSO parameters on the FW so that it parses received RADIUS accounting packets to obtain user-to-IP address mappings. |
| Security policy | | Configure a security policy between the Trust zone (users and BRAS) and the DMZ (RADIUS server) so that users can be authenticated by the RADIUS server. |
Intelligent Uplink Selection
The FW deployed between the BRAS and RADIUS server can parse exchanged authentication packets to obtain user/user group-IP address mappings.
To meet the traffic forwarding requirement of the campus network egress, deploy the PBR intelligent uplink selection on the FW based on user/user group information. To meet the forwarding requirement of some special traffic, use single-ISP PBR to forward the traffic from a fixed outbound interface. Use a link with better quality to forward the traffic that does not match any item in the ISP address set.
Item | Data | Description |
---|---|---|
Single-ISP PBR | | Policy-based routes take precedence over specific routes and default routes, so special traffic can be forwarded using policy-based routes. Single-ISP PBR and multi-ISP PBR have the same priority; among PBR rules, the one configured earlier is matched before the one configured later. You can adjust the sequence of PBR rules based on service requirements and matching conditions. Generally, a PBR with strict matching conditions is placed ahead of a PBR with loose matching conditions, and a PBR matching special traffic is placed ahead of PBRs matching common traffic. Because the distance education system software is not included in the application signature database of the FW, the administrator needs to create the user-defined application UD_dis_edu_sys_app based on application features and set it as a matching condition of a PBR. |
ISP address set | | Before configuring ISP address sets, the administrator needs to write the IP addresses of each ISP network into separate ISP address files and import the files into the FW. To modify the content of an ISP address file, export the file, modify it, and import it again. The following figure shows the descriptions and requirements for filling in ISP address files. |
Multi-ISP PBR | | After the destination address of a PBR is configured as an ISP address set, the FW uses a specific ISP link to forward traffic that matches all conditions of the PBR. If the same ISP has multiple links, the FW selects one of them at random. Under heavy traffic, the proportion of traffic forwarded over each link is approximately equal to the link bandwidth ratio, that is, load balancing by link bandwidth. After links with higher priorities are overloaded, ISP links with lower priorities are used. pbr_isp1_teacher_50user illustrates PBR intelligent uplink selection: its destination address is the ISP1 address set, and the matched users are teachers and users with a monthly package of 50 Yuan. If traffic matches all conditions of this PBR, its destination address belongs to the ISP1 network. The three outbound interfaces connected to the ISP1 network, GE1/0/2, GE1/0/3, and GE1/0/4, have the highest priority, so the FW randomly selects one of them for forwarding. If GE1/0/2, GE1/0/3, and GE1/0/4 are all overloaded and new traffic still matches pbr_isp1_teacher_50user, traffic for which a session already exists continues over its original outbound interface, but new traffic is forwarded through GE1/0/1, which has the second highest priority, rather than through any of the three. After GE1/0/1 is also overloaded, new traffic is forwarded through GE1/0/5 and GE1/0/6, which have the third highest priority. If all links are overloaded, the FW distributes traffic across the links by actual bandwidth ratio, not by link priority. The link with the best quality is selected through pbr_rest to forward traffic that does not match any ISP address set, ensuring user experience. |
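The selection behaviour walked through above, as a small Python simulation. This is an added example, not Huawei code or device output: the ISP address sets, user groups, link loads and the rule name pbr_edu_lib_20user are constructed stand-ins (the interface bandwidths follow the interface configuration in the procedure on this page), link-quality mode is not modelled, and forward, select_rule, select_link, make_links and overload are assumed helper names. It generalizes the single walkthrough to any ordered rule set.

```python
"""Simulation of PBR intelligent uplink selection (priority-of-userdefine mode).

Added example, not Huawei code. Rules are tried in configured order and the
first match wins; destination matching uses an ISP address set; egress picks a
random link from the highest-priority group that still has a non-overloaded
link, drops to the next priority when a whole group is overloaded, and falls
back to a bandwidth-ratio choice when every link is overloaded.
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-ins for the imported ISP address files (not real ISP data).
ISP_ADDRESS_SETS = {
    "edu_address":  [ipaddress.ip_network("1.1.0.0/16")],
    "isp1_address": [ipaddress.ip_network("2.2.0.0/16")],
    "isp2_address": [ipaddress.ip_network("3.3.0.0/16")],
}


@dataclass
class Link:
    name: str
    bandwidth: int           # value given to 'bandwidth egress' on the interface
    threshold_pct: int = 90  # overload protection threshold from the same command
    load: int = 0            # current load in the same unit (constructed)

    def overloaded(self) -> bool:
        return self.load >= self.bandwidth * self.threshold_pct / 100


@dataclass
class PbrRule:
    name: str
    user_groups: FrozenSet[str] = frozenset()          # empty: any user
    dest_isp: Optional[str] = None                     # None: any destination
    egress: Dict[str, int] = field(default_factory=dict)  # link -> priority

    def matches(self, user_group: str, dst: str) -> bool:
        if self.user_groups and user_group not in self.user_groups:
            return False
        if self.dest_isp is not None:
            addr = ipaddress.ip_address(dst)
            if not any(addr in net for net in ISP_ADDRESS_SETS[self.dest_isp]):
                return False
        return True


# Rule order mirrors the page: the user-group rule for library / 20-Yuan users
# (single egress interface; hypothetical name) precedes the destination-based
# rules for teachers / 50-Yuan users.
RULES = [
    PbrRule("pbr_edu_lib_20user", frozenset({"/default/lib", "/default/20user"}),
            None, {"GE1/0/1": 8}),
    PbrRule("pbr_edu_teacher_50user", frozenset({"/default/teacher", "/default/50user"}),
            "edu_address", {"GE1/0/1": 8, "GE1/0/2": 5, "GE1/0/3": 5, "GE1/0/4": 5,
                            "GE1/0/5": 1, "GE1/0/6": 1}),
    PbrRule("pbr_isp1_teacher_50user", frozenset({"/default/teacher", "/default/50user"}),
            "isp1_address", {"GE1/0/1": 5, "GE1/0/2": 8, "GE1/0/3": 8, "GE1/0/4": 8,
                             "GE1/0/5": 1, "GE1/0/6": 1}),
]


def make_links() -> List[Link]:
    """Idle links with the egress bandwidths configured on the page's interfaces."""
    return [Link("GE1/0/1", 1000000), Link("GE1/0/2", 200000), Link("GE1/0/3", 1000000),
            Link("GE1/0/4", 2000000), Link("GE1/0/5", 1000000), Link("GE1/0/6", 1000000)]


def overload(links: List[Link], names=None) -> None:
    """Drive the named links (all links when names is None) past their threshold."""
    for link in links:
        if names is None or link.name in names:
            link.load = link.bandwidth


def select_rule(rules: List[PbrRule], user_group: str, dst: str) -> Optional[PbrRule]:
    for rule in rules:  # configured order, first match wins
        if rule.matches(user_group, dst):
            return rule
    return None


def select_link(rule: PbrRule, links: List[Link], rng=random) -> str:
    by_name = {link.name: link for link in links}
    candidates = [by_name[n] for n in rule.egress]
    for prio in sorted(set(rule.egress.values()), reverse=True):
        usable = [l for l in candidates if rule.egress[l.name] == prio and not l.overloaded()]
        if usable:
            return rng.choice(usable).name
    # Every link overloaded: distribute by actual bandwidth ratio, not by priority.
    return rng.choices(candidates, weights=[l.bandwidth for l in candidates], k=1)[0].name


def forward(user_group: str, dst: str, links: List[Link],
            seed: Optional[int] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched rule name, chosen egress link); (None, None) means no PBR
    matched and the packet falls through to the routing table."""
    rng = random.Random(seed) if seed is not None else random
    rule = select_rule(RULES, user_group, dst)
    if rule is None:
        return None, None
    return rule.name, select_link(rule, links, rng)
```

Running forward("/default/teacher", "2.2.9.9", links) with idle links yields one of GE1/0/2, GE1/0/3 or GE1/0/4; overloading those three moves new flows to GE1/0/1, and overloading everything switches to the bandwidth-weighted fallback, matching the three stages described above.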
Server Load Balancing
The two servers in the library function as one high-performance and high-reliability virtual server. For users, there is only one server. To improve user experience, the virtual server publishes the public IP addresses of multiple ISP networks.
Item | Data | Description |
---|---|---|
Servers in the library | | The virtual server IP address is a public IP address, and the real server IP addresses are private IP addresses. After server load balancing is configured, the FW automatically generates a black-hole route for the virtual server IP address to prevent routing loops. After you delete the virtual server IP address or cancel the binding between the virtual server and the real server group, the black-hole route is automatically deleted. |
Smart DNS
When a private DNS server exists, the FW that has smart DNS enabled intelligently replies to DNS requests from different ISPs, so that the server address obtained by a user is in the same ISP network as the user.
For example, a school has a DNS server, which stores the portal server domain name (www.example.com) and the public IP address 1.1.15.15 assigned by the education network. Smart DNS is enabled on the FW's GE1/0/2. The mapped address is the ISP1-assigned public IP address 2.2.15.15.
When an education network user accesses the portal server address, GE1/0/1 does not have smart DNS enabled, so the user obtains the education-network public IP address 1.1.15.15 as the portal server address. When an ISP1 user accesses the portal server address, the DNS server returns a DNS response to the user. When the response passes through the FW's GE1/0/2, the FW replaces the original education-network public IP address 1.1.15.15 with the ISP1-assigned address 2.2.15.15, and the user then communicates with 2.2.15.15. A NAT Server mapping must also be configured on the FW to associate the private portal server address 10.1.10.20 with 2.2.15.15, so that ISP1 users can reach the portal server through 2.2.15.15.
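How the rewrite works on the wire, as an added Python example that is not Huawei code: it parses a constructed DNS response for www.example.com and, when the response leaves through the interface that has smart DNS enabled, replaces 1.1.15.15 in the A record with the mapped 2.2.15.15 without changing the packet length. SMART_DNS_MAPPINGS, build_response, smart_dns_rewrite and a_records are assumed names; the device performs the same substitution in its forwarding path.

```python
"""Smart DNS response rewriting, modelled on the behaviour described above.

Added example, not Huawei code. A DNS response is parsed (RFC 1035 wire format,
including name compression pointers); for the ISP-facing interface on which
smart DNS is enabled, the education-network address in each A record is
replaced by that ISP's mapped address. The mapping table and the sample
response are constructed from the addresses used on this page.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# Constructed from the page's example: responses sent out via GE1/0/2 (ISP1)
# have 1.1.15.15 rewritten to 2.2.15.15. GE1/0/1 (education network) has no
# smart DNS mapping and is deliberately absent from the table.
SMART_DNS_MAPPINGS: Dict[str, Dict[str, str]] = {
    "GigabitEthernet 1/0/2": {"1.1.15.15": "2.2.15.15"},
}


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode the name at off, following compression pointers.
    Returns (name, offset just past the name as it appears at off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:  # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def _answers(msg: bytes):
    """Yield (name, type, class, rdata offset, rdlength) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg: bytes) -> List[Tuple[str, str]]:
    """(owner name, IPv4 address) for every IN A record in the answer section."""
    return [(name, str(ipaddress.IPv4Address(msg[o:o + 4])))
            for name, t, c, o, n in _answers(msg) if t == 1 and c == 1 and n == 4]


def smart_dns_rewrite(msg: bytes, egress_interface: str):
    """Return (response, list of (name, old, new)). The 4-byte rdata is rewritten
    in place, so every length and offset in the message stays valid."""
    mapping = SMART_DNS_MAPPINGS.get(egress_interface)
    if not mapping:
        return msg, []
    out, changes = bytearray(msg), []
    for name, rtype, rclass, off, rdlen in _answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if old in mapping:
                out[off:off + 4] = ipaddress.IPv4Address(mapping[old]).packed
                changes.append((name, old, mapping[old]))
    return bytes(out), changes


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(qname: str, ipv4: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: standard response, one A record whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ipv4).packed
    return header + question + answer
```

A response for the education-network interface is returned untouched, which is the GE1/0/1 case in the text; the hop guard in _read_name is there because a device that rewrites DNS in the forwarding path must not loop on a crafted pointer chain.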
Item | Data | Description |
---|---|---|
Portal server | | The original server IP address is the public IP address of the education network, so no smart DNS mapping is needed for the outbound interface connected to the education network. |
Servers in the library | | - |
NAT
- NAT Server
To ensure the users on each ISP network can access intranet servers, the NAT server function is required on the FW to translate the private addresses of servers into public IP addresses.
Item | Data | Description |
---|---|---|
Portal server | | The NAT server can map multiple public IP addresses to the same private IP address based on the security zone. |
DNS server | | - |
- Source NAT
To enable a large number of intranet users to make full use of limited public IP addresses for access, source NAT needs to be configured on the FW to translate the private IP addresses in packets into public IP addresses.
Item | Data | Description |
---|---|---|
Education network | edu_nat_policy | The source IP addresses in packets sent by intranet users to the education network are translated into the public IP address of the education network. |
ISP1 NAT policy | isp1_nat_policy1, isp1_nat_policy2, isp1_nat_policy3 | The source IP addresses in packets sent by intranet users to the ISP1 network are translated into the public IP address of the ISP1 network. |
ISP2 NAT policy | isp2_nat_policy1, isp2_nat_policy2 | The source IP addresses in packets sent by intranet users to the ISP2 network are translated into the public IP address of the ISP2 network. |
Source NAT in the same security zone | inner_nat_policy | Source address translation is required when an intranet user (Trust zone) accesses a server in the same intranet zone (Trust zone) through its public address. |
- NAT ALG
If the FW that has NAT enabled needs to forward packets of a multichannel protocol, such as FTP, the NAT ALG function of the protocol needs to be enabled to ensure correct address translation for the multichannel protocol packets. In this case, the NAT ALG functions of FTP, QQ, and RTSP are enabled.
Attack Defense
Attack defense detects multiple types of network attacks, such as DDoS attacks and single-packet attacks, and protects the intranet against them.
Item | Data | Description |
---|---|---|
Anti-DDoS | | For the flood attacks above, the recommended maximum packet rate for a GE interface is 16,000 pps. In this case, all interfaces are GE interfaces, and the final interface threshold of 24,000 pps was determined by testing. Configure a large threshold first and adjust it according to the test results until it falls within the normal range. A suitable threshold defends against attacks without affecting normal services. |
Single-packet attack defense | | If there are no special network security requirements, enable the function as in this case to defend against single-packet attacks. |
Audit Policy
The FW supports the audit function to record the Internet access behavior defined in the audit policy for future audit and analysis.
Item | Data | Description |
---|---|---|
Audit policy | | The campus network administrator can record the HTTP and FTP behaviors of intranet users who access the extranet for subsequent auditing. |
Bandwidth Management
Because P2P traffic consumes a large share of bandwidth, the campus requires that the bandwidth used by P2P traffic be limited on each ISP1 link and also per IP address. Bandwidth management can limit a specific type of traffic globally, per IP address, or per user.
Item | Data | Description |
---|---|---|
Traffic limiting for P2P traffic over the link where GE1/0/2 resides | Traffic profile isp1_p2p_profile_01; traffic policy isp1_p2p_01 | Traffic profiles define specific bandwidth resources, and traffic policies determine which traffic bandwidth management applies to. After a traffic policy references a traffic profile, traffic matching the policy can use only the bandwidth resources defined by the profile. |
Traffic limiting for P2P traffic over the link where GE1/0/3 resides | Traffic profile isp1_p2p_profile_02; traffic policy isp1_p2p_02 | - |
Traffic limiting for P2P traffic over the link where GE1/0/4 resides | Traffic profile isp1_p2p_profile_03; traffic policy isp1_p2p_03 | - |
Log Server
The log server can collect, query, and display logs. After the FW is interconnected with the log server, you can view the session logs (sent by the FW) on the log server, including session logs before and after NAT. With these logs, you can view NAT-related address information. On the log server, you can also view the IPS and attack defense logs sent by the FW. With these logs, you can query attacks and intrusions on the network.
Item | Data | Description |
---|---|---|
Log server | | - |
SNMP | | - |
NAT tracing | Enable Record Session Log for the security policies whose sessions are to be traced. | NAT tracing lets you view pre-NAT and post-NAT address information. After the session log function is enabled in the security policy view, the FW sends logs for sessions matching that policy to the log host, and you can view them on the log server connected to the log host. Some session logs include pre-NAT and post-NAT address information. |
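What an analyst does with those logs, as an added Python example that is not Huawei code: given an abuse report naming a post-NAT public address and port at a given time, it finds the pre-NAT host and authenticated user behind it. The key=value log layout, the SAMPLE_LOGS lines, FIELD_RE, parse_session_logs and trace_nat are constructed for illustration; the real session log format exported by the FW differs, so the regex must be adapted to the fields your log server stores.

```python
"""NAT tracing over session logs.

Added example, not Huawei code. Session logs carry both the pre-NAT source
(src) and the post-NAT source (nat_src). Because a NAT port is reused over
time, a report is resolved by matching the translated address:port inside a
time window around the reported time, not by the port alone.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample session logs in a constructed key=value layout.
SAMPLE_LOGS = """\
2024-03-01 10:14:05 SESSION user=/default/teacher/alice src=10.1.20.5:51234 dst=2.2.99.10:443 nat_src=2.2.2.1:20481 policy=user_inside
2024-03-01 10:14:09 SESSION user=/default/50user/bob src=10.1.21.7:40022 dst=3.3.77.8:80 nat_src=3.3.3.1:20482 policy=user_inside
2024-03-01 10:20:41 SESSION user=/default/lib/carol src=10.1.22.9:55011 dst=1.1.60.4:22 nat_src=1.1.1.1:20483 policy=user_inside
2024-03-01 10:21:00 SESSION user=/default/teacher/alice src=10.1.20.5:51240 dst=2.2.99.11:443 nat_src=2.2.2.1:20481 policy=user_inside
"""

# Adapt this pattern to the real field names of your log server.
FIELD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SESSION "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"nat_src=(?P<nat_src>\S+) policy=(?P<policy>\S+)$"
)

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_session_logs(text: str) -> List[Dict]:
    """Parse session log lines; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
        records.append(rec)
    return records


def trace_nat(records: List[Dict], public_addr: str, public_port: int,
              when: str, window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (pre-NAT source IP, user) pairs whose post-NAT
    address:port equals the reported one within +/- window of the reported time."""
    key = f"{public_addr}:{public_port}"
    reported = datetime.strptime(when, TIME_FMT)
    hits = set()
    for rec in records:
        if rec["nat_src"] == key and abs(rec["ts"] - reported) <= window:
            hits.add((rec["src"].split(":")[0], rec["user"]))
    return sorted(hits)
```

The two alice sessions share the translated tuple 2.2.2.1:20481 several minutes apart, which is exactly why the query narrows by time as well as by address and port.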
Precautions
- Whether the ISP address set includes all required IP addresses affects the implementation of intelligent uplink selection and smart DNS. Therefore, update the ISP address database regularly from the security center platform (isecurity.huawei.com).
- In a multi-egress scenario, PBR intelligent uplink selection cannot be used together with the IP spoofing attack defense or Unicast Reverse Path Forwarding (URPF) function. If the IP spoofing attack defense or URPF function is enabled, the FW may discard packets.
- A license is required to use smart DNS. In addition, smart DNS is available only after required components are loaded through the dynamic loading function.
- The virtual server IP address used in server load balancing cannot be the same as any of the following ones:
- Public IP address of the NAT server (global IP address)
- IP addresses in the NAT address pool
- Gateway IP address
- Interface IP addresses of the FW
- The real server IP address used in server load balancing cannot be the same as any of the following ones:
- Virtual server IP address
- Public IP address of the NAT server (global IP address)
- Internal server IP address of the NAT server (inside IP)
- After you configure server load balancing, use the real server IP addresses, not the virtual server IP address, when configuring security policies and routing.
- After you configure the NAT address pool and NAT server, configure black-hole routes to addresses in the address pool and the public address of the NAT server to prevent routing loops.
- Only the audit administrator can configure the audit function and view audit logs.
- You can view and export audit logs on the web UI only from the device that has an available disk installed.
- On networks with different forward and return packet paths, the audit log contents may be incomplete.
Configuration Procedure
Procedure
- Configure interfaces and security zones and configure a gateway address, bandwidth, and overload protection threshold for outbound interfaces involved in intelligent uplink selection.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] description connect_to_edu
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/1] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] description connect_to_isp1
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] description connect_to_isp1
[FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252
[FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2
[FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4] description connect_to_isp1
[FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252
[FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2
[FW-GigabitEthernet1/0/4] bandwidth ingress 2000000 threshold 90
[FW-GigabitEthernet1/0/4] bandwidth egress 2000000 threshold 90
[FW-GigabitEthernet1/0/4] quit
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] description connect_to_isp2
[FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252
[FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2
[FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] quit
[FW] interface GigabitEthernet 1/0/6
[FW-GigabitEthernet1/0/6] description connect_to_isp2
[FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252
[FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2
[FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] description connect_to_campus
[FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0
[FW-GigabitEthernet1/0/7] quit
[FW] interface GigabitEthernet 1/0/8
[FW-GigabitEthernet1/0/8] description connect_to_radius
[FW-GigabitEthernet1/0/8] ip address 10.2.1.1 255.255.255.252
[FW-GigabitEthernet1/0/8] quit
- Configure a security policy.
- Create a security zone for each of the education network, ISP1 network, and ISP2 network and assign interfaces to the security zone.
[FW] firewall zone name edu_zone
[FW-zone-edu_zone] set priority 20
[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
[FW-zone-edu_zone] quit
[FW] firewall zone name isp1_zone1
[FW-zone-isp1_zone1] set priority 30
[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
[FW-zone-isp1_zone1] quit
[FW] firewall zone name isp1_zone2
[FW-zone-isp1_zone2] set priority 40
[FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3
[FW-zone-isp1_zone2] quit
[FW] firewall zone name isp1_zone3
[FW-zone-isp1_zone3] set priority 50
[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
[FW-zone-isp1_zone3] quit
[FW] firewall zone name isp2_zone1
[FW-zone-isp2_zone1] set priority 60
[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
[FW-zone-isp2_zone1] quit
[FW] firewall zone name isp2_zone2
[FW-zone-isp2_zone2] set priority 70
[FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6
[FW-zone-isp2_zone2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/7
[FW-zone-trust] quit
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 1/0/8
[FW-zone-dmz] quit
- Configure interzone security policies to control access between zones. Reference the default intrusion prevention profile in the security policies and configure intrusion prevention.
[FW] security-policy
[FW-policy-security] rule name user_inside
[FW-policy-security-rule-user_inside] source-zone trust
[FW-policy-security-rule-user_inside] action permit
[FW-policy-security-rule-user_inside] profile ips default
[FW-policy-security-rule-user_inside] quit
[FW-policy-security] rule name user_outside
[FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24
[FW-policy-security-rule-user_outside] action permit
[FW-policy-security-rule-user_outside] profile ips default
[FW-policy-security-rule-user_outside] quit
[FW-policy-security] rule name local_to_any
[FW-policy-security-rule-local_to_any] source-zone local
[FW-policy-security-rule-local_to_any] destination-zone any
[FW-policy-security-rule-local_to_any] action permit
[FW-policy-security-rule-local_to_any] quit
[FW-policy-security] quit
- Configure the scheduled update function for the intrusion prevention function.
This requires a license for signature database updates, activated on the device.
- Configure an update center.
[FW] update server domain sec.huawei.com
- The device can access the update server directly or through a proxy server. In this example, the device can directly access the update server.
[FW] dns resolve
[FW] dns server 10.1.10.30
- Configure the scheduled update function and set the scheduled update time.
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30
- Configure IP-link to detect whether each ISP link is working normally.
The IP-link configuration commands on the USG6000 and USG9500 are different. The USG6000 is used in this example for illustration.
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit
- Configure routes.
Routes other than those required in this example are configured by the network administrator.
# Configure a static route to the intranet network segment with the intranet switch as the next hop, so that extranet traffic can reach the intranet.
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
- Configure users and authentication.
# Use a CSV file to import users/user groups.
- Fill the user information stored on the RADIUS server in the CSV file template according to the specified format.
Read the comments in the CSV file template before filling it in. The following figure shows how to fill in the required user information.
- Upload the CSV file to the FW through SFTP.
- Import the CSV file named demo.csv.
[FW] user-manage user-import demo.csv auto-create-group override
# Create a user group for new users.
[FW] user-manage group /default/newuser
[FW-usergroup-/default/newuser] quit
# Configure RADIUS SSO parameters.
[FW] user-manage single-sign-on radius
[FW-sso-radius] enable
[FW-sso-radius] mode in-path
[FW-sso-radius] interface GigabitEthernet 1/0/7
[FW-sso-radius] traffic server-ip 10.2.1.2 port 1813
[FW-sso-radius] quit
# Set new user options in the default authentication domain.
[FW] aaa
[FW-aaa] domain default
[FW-aaa-domain-default] new-user add-temporary group /default/newuser
[FW-aaa-domain-default] quit
[FW-aaa] quit
# Set the online user timeout duration to 480 minutes.
[FW] user-manage online-user aging-time 480
- Configure DNS transparent proxy.
# Configure the IP address of each interface bound to the DNS server.
[FW] dns-transparent-policy
[FW-policy-dns] dns transparent-proxy enable
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
# Configure a domain name exception.
[FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
# Configure a DNS transparent proxy policy.
[FW-policy-dns] rule name dns_trans_rule
[FW-policy-dns-rule-dns_trans_rule] action tpdns
[FW-policy-dns-rule-dns_trans_rule] quit
[FW-policy-dns] quit
# Configure PBR intelligent uplink selection to load balance DNS request packets to each link.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit
- Configure intelligent uplink selection.
# Configure ISP address sets.
- Upload ISP address files to the FW through SFTP.
- Create an ISP name for each of the education network, ISP1 network, and ISP2 network and associate it with the corresponding ISP address file.
[FW] isp name edu_address
[FW] isp name edu_address set filename edu_address.csv
[FW] isp name isp1_address
[FW] isp name isp1_address set filename isp1_address.csv
[FW] isp name isp2_address
[FW] isp name isp2_address set filename isp2_address.csv
[FW] isp name other_edu_server_address
[FW] isp name other_edu_server_address set filename other_edu_server_address.csv
# Create an application corresponding to the distance education system software and reference the application in the PBR so that traffic generated by the distance education system software is forwarded over the education network and ISP2 links.
Ensure that the FW has the route configuration that guides the transmission of the traffic generated by the distance education system even if PBR is unavailable.
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
[FW-sa] quit
[FW] policy-based-route
[FW-policy-pbr] rule name dis_edu_sys
[FW-policy-pbr-rule-dis_edu_sys] source-zone trust
[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
[FW-policy-pbr-rule-dis_edu_sys] quit
# Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.
Ensure that the FW has the route configuration that guides P2P traffic transmission even if PBR is unavailable.
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit
# Configure single-ISP PBR.
- Configure the traffic destined for servers of other campuses to be forwarded over the link to the education network.
[FW-policy-pbr] rule name other_edu_server
[FW-policy-pbr-rule-other_edu_server] source-zone trust
[FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16
[FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address
[FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-other_edu_server] quit
- Configure the traffic of users with a monthly package of 20 Yuan and users who access network resources from the library to be forwarded over the link to the education network. This rule needs its own name (pbr_edu_lib_20user is an assumed name here): reusing other_edu_server would re-enter the rule created in the previous step instead of creating a second one.
[FW-policy-pbr] rule name pbr_edu_lib_20user
[FW-policy-pbr-rule-pbr_edu_lib_20user] source-zone trust
[FW-policy-pbr-rule-pbr_edu_lib_20user] user user-group /default/lib
[FW-policy-pbr-rule-pbr_edu_lib_20user] user user-group /default/20user
[FW-policy-pbr-rule-pbr_edu_lib_20user] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-pbr_edu_lib_20user] quit
# Configure destination address-based PBR intelligent uplink selection for teachers and users with monthly package of 50 Yuan.
- Prefer the link to the education network to forward traffic destined for an address in the address set of the education network.
[FW-policy-pbr] rule name pbr_edu_teacher_50user
[FW-policy-pbr-rule-pbr_edu_teacher_50user] source-zone trust
[FW-policy-pbr-rule-pbr_edu_teacher_50user] destination-address isp edu_address
[FW-policy-pbr-rule-pbr_edu_teacher_50user] user user-group /default/teacher
[FW-policy-pbr-rule-pbr_edu_teacher_50user] user user-group /default/50user
[FW-policy-pbr-rule-pbr_edu_teacher_50user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] quit
[FW-policy-pbr-rule-pbr_edu_teacher_50user] quit
- Prefer ISP1 links to forward traffic destined for an address in the address set of ISP1 network.
[FW-policy-pbr] rule name pbr_isp1_teacher_50user
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] source-zone trust
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] destination-address isp isp1_address
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] user user-group /default/teacher
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] user user-group /default/50user
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] quit
- Prefer ISP2 links to forward traffic destined for an address in the address set of ISP2 network.
[FW-policy-pbr] rule name pbr_isp2_teacher_50user
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] source-zone trust
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] destination-address isp isp2_address
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] user user-group /default/teacher
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] user user-group /default/50user
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] quit
# Configure the traffic of users who access network resources from the public area to be preferentially forwarded over the link to the education network.
[FW-policy-pbr] rule name pbr_public_user
[FW-policy-pbr-rule-pbr_public_user] source-zone trust
[FW-policy-pbr-rule-pbr_public_user] user user-group /default/public_user
[FW-policy-pbr-rule-pbr_public_user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_public_user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_public_user-multi-inter] quit
[FW-policy-pbr-rule-pbr_public_user] quit
# Select the link with the highest quality through PBR pbr_rest to forward the traffic that does not match any ISP address set.
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit
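The egress-selection logic behind the two multi-interface PBR modes used above, as an added Python model; this is not Huawei code and not part of the original document. It covers priority-of-userdefine (the priorities of pbr_isp2_teacher_50user and pbr_public_user) and priority-of-link-quality (the delay, jitter and loss parameters of pbr_rest). The selection rules it encodes are assumptions about the configured behaviour rather than a description of the device implementation: in priority-of-userdefine mode the up link(s) with the highest priority carry the traffic and equal-priority links share it; in priority-of-link-quality mode links are ranked by probe metrics in the order the parameters were listed. The `Link` class, the probe samples and the function names are this example's own.

```python
"""Egress selection for the multi-interface PBR modes used above (added model, not Huawei code).

Assumptions of this example, not statements about the device implementation:
  - priority-of-userdefine: the up link(s) with the highest configured priority
    carry the traffic; several links at that priority share it.
  - priority-of-link-quality: links are ranked by probe metrics in the order the
    parameters were listed ('parameter delay jitter loss'); 'times 5' is modelled
    as five probe samples per link.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Sequence, Tuple


@dataclass
class Link:
    name: str
    priority: int = 1                 # 'add interface ... priority N'
    up: bool = True                   # ip-link probe result for this interface
    # constructed probe samples: round-trip time in ms, None for a lost probe
    samples: List[Optional[float]] = field(default_factory=list)


def select_by_priority(links: Sequence[Link]) -> List[str]:
    """priority-of-userdefine: names of the up links sharing the highest priority."""
    up = [l for l in links if l.up]
    if not up:
        return []
    best = max(l.priority for l in up)
    return [l.name for l in up if l.priority == best]


def quality_metrics(samples: Sequence[Optional[float]]) -> Tuple[float, float, float]:
    """(delay, jitter, loss): mean RTT, mean |RTT[i]-RTT[i-1]|, fraction of lost probes."""
    answered = [s for s in samples if s is not None]
    loss = 1.0 - len(answered) / len(samples) if samples else 1.0
    if not answered:                                   # never answered: worst on every axis
        return float("inf"), float("inf"), loss
    delay = mean(answered)
    jitter = mean(abs(a - b) for a, b in zip(answered, answered[1:])) if len(answered) > 1 else 0.0
    return delay, jitter, loss


def rank_by_link_quality(links: Sequence[Link],
                         parameters: Sequence[str] = ("delay", "jitter", "loss")) -> List[str]:
    """priority-of-link-quality: best link first, comparing metrics in the listed order."""
    index = {"delay": 0, "jitter": 1, "loss": 2}
    order = [index[p] for p in parameters]

    def key(link: Link):
        m = quality_metrics(link.samples)
        return tuple(m[i] for i in order)

    return [l.name for l in sorted(links, key=key)]


def isp2_teacher_links() -> List[Link]:
    """Fresh copy of the priorities configured in pbr_isp2_teacher_50user."""
    return [Link("GE1/0/1", 5), Link("GE1/0/2", 1), Link("GE1/0/3", 1),
            Link("GE1/0/4", 1), Link("GE1/0/5", 8), Link("GE1/0/6", 8)]


if __name__ == "__main__":
    links = isp2_teacher_links()
    print("ISP2 traffic of teachers ->", select_by_priority(links))
    for l in links:                                    # both ISP2 links fail their ip-link probe
        l.up = l.name not in ("GE1/0/5", "GE1/0/6")
    print("with ISP2 links down      ->", select_by_priority(links))
    probed = [Link("GE1/0/1", samples=[20, 21, 20, 22, 20]),   # constructed probe results
              Link("GE1/0/2", samples=[10, 30, 10, 30, 10]),
              Link("GE1/0/5", samples=[15, 15, None, 15, 15])]
    print("pbr_rest ranking (delay jitter loss) ->", rank_by_link_quality(probed))
    print("ranking if loss were listed first    ->", rank_by_link_quality(probed, ("loss", "delay", "jitter")))
```

The second ranking call shows why the parameter order in `priority-of-link-quality parameter` matters: with delay first, the link that dropped one probe still wins on its lower RTT; with loss first, it falls to the bottom.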
- Configure server load balancing.
# Enable server load balancing.
[FW] slb enable
# Configure a load balancing algorithm.
[FW] slb
[FW-slb] group 1 grp1
[FW-slb-group-1] metric roundrobin
# Add real servers to the real server group.
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-group-1] quit
# Configure a virtual server IP address.
[FW-slb] vserver 1 vs1
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 3.3.113.113
# Associate the virtual server with the real server group.
[FW-slb-vserver-1] group grp1
[FW-slb-vserver-1] quit
[FW-slb] quit
- Configure smart DNS.
# Enable smart DNS.
[FW] dns-smart enable
# Create a smart DNS group and configure smart DNS mappings in the group.
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
[FW-dns-smart-group-1] quit
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
[FW-dns-smart-group-2] quit
- Configure the security zone-based NAT server function so that users on different ISP networks can use corresponding public IP addresses to access intranet servers.
# Configure the NAT server function for the Portal server.
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
[FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
# Configure the NAT server function for the DNS server.
[FW] nat server portal_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
[FW] nat server portal_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
[FW] nat server portal_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
[FW] nat server portal_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
# Configure a black-hole route to the public address of the NAT server to prevent routing loops.
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0
- Configure source NAT.
# Configure source NAT for traffic destined for the education network. The address in the address pool is the public address of the education network.
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat-policy
[FW-policy-nat] rule name edu_nat_policy
[FW-policy-nat-rule-edu_nat_policy] source-zone trust
[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-edu_nat_policy] quit
[FW-policy-nat] quit
# Configure intrazone NAT so that intranet users can access the intranet server through its public address.
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for the ISP1 network. The addresses in the address pools are public addresses of the ISP1 network.
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool3
[FW-address-group-isp1_nat_address_pool3] mode pat
[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
[FW-address-group-isp1_nat_address_pool3] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy3
[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
[FW-policy-nat-rule-isp1_nat_policy3] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for the ISP2 network. The addresses in the address pools are public addresses of the ISP2 network.
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
[FW-address-group-isp2_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy2
[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
[FW-policy-nat-rule-isp2_nat_policy2] quit
[FW-policy-nat] quit
# Configure black-hole routes to public addresses of the NAT address pool to prevent routing loops.
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.32 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.2 32 NULL 0
[FW] ip route-static 2.2.5.3 32 NULL 0
[FW] ip route-static 2.2.6.1 32 NULL 0
[FW] ip route-static 2.2.6.2 32 NULL 0
[FW] ip route-static 2.2.6.3 32 NULL 0
[FW] ip route-static 2.2.7.1 32 NULL 0
[FW] ip route-static 2.2.7.2 32 NULL 0
[FW] ip route-static 2.2.7.3 32 NULL 0
[FW] ip route-static 3.3.1.1 32 NULL 0
[FW] ip route-static 3.3.1.2 32 NULL 0
[FW] ip route-static 3.3.1.3 32 NULL 0
[FW] ip route-static 3.3.2.1 32 NULL 0
[FW] ip route-static 3.3.2.2 32 NULL 0
[FW] ip route-static 3.3.2.3 32 NULL 0
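A configuration audit for the two black-hole-route steps (the NAT server public addresses configured earlier and the source-NAT address pools here), as an added Python script; it is not Huawei code and not part of the original document. It parses a saved configuration, expands every address-pool `section` into its individual addresses, and reports each public address that has no `ip route-static <address> 32 NULL 0` entry, which is the routing-loop condition the black-hole routes guard against. `SAMPLE_CONFIG` is a constructed excerpt built from this page's values with the route for 2.2.7.2 deliberately left out so the report has something to show; the regular expressions and function names are this example's own.

```python
"""Black-hole-route audit for NAT public addresses (added example, not Huawei code).

SAMPLE_CONFIG is a constructed excerpt of this page's configuration; the
black-hole route for 2.2.7.2 is deliberately missing.
"""
import ipaddress
import re
from typing import Dict, List, Set

NAT_SERVER_RE = re.compile(r"^\s*nat server \S+ zone \S+ global (\S+) inside \S+")
ADDR_GROUP_RE = re.compile(r"^\s*nat address-group (\S+)")
SECTION_RE = re.compile(r"^\s*section \d+ (\S+) (\S+)")
BLACKHOLE_RE = re.compile(r"^\s*ip route-static (\S+) (?:32|255\.255\.255\.255) NULL\s?0\b")

SAMPLE_CONFIG = """
#
 nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
 nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
 nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
 nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
#
nat address-group edu_nat_address_pool
 mode pat
 section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool3
 mode pat
 section 0 2.2.7.1 2.2.7.3
#
 ip route-static 1.1.15.15 32 NULL 0
 ip route-static 2.2.15.15 32 NULL 0
 ip route-static 2.2.16.16 32 NULL 0
 ip route-static 2.2.17.17 32 NULL 0
 ip route-static 3.3.15.15 32 NULL 0
 ip route-static 3.3.16.16 32 NULL 0
 ip route-static 1.1.30.31 32 NULL 0
 ip route-static 1.1.30.32 32 NULL 0
 ip route-static 1.1.30.33 32 NULL 0
 ip route-static 2.2.7.1 32 NULL 0
 ip route-static 2.2.7.3 32 NULL 0
 ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
"""


def public_addresses(config: str) -> Dict[str, Set[str]]:
    """Addresses that need a black-hole route, keyed by 'nat-server' or 'pool:<group name>'."""
    needed: Dict[str, Set[str]] = {}
    current_pool = None
    for line in config.splitlines():
        m = ADDR_GROUP_RE.match(line)
        if m:
            current_pool = "pool:" + m.group(1)
            needed.setdefault(current_pool, set())
            continue
        m = NAT_SERVER_RE.match(line)
        if m:
            needed.setdefault("nat-server", set()).add(m.group(1))
            current_pool = None
            continue
        m = SECTION_RE.match(line)
        if m and current_pool:
            first = int(ipaddress.IPv4Address(m.group(1)))
            last = int(ipaddress.IPv4Address(m.group(2)))
            for n in range(first, last + 1):          # expand the inclusive pool range
                needed[current_pool].add(str(ipaddress.IPv4Address(n)))
    return needed


def blackhole_routes(config: str) -> Set[str]:
    """Host addresses that already have a NULL 0 route."""
    return {m.group(1) for m in map(BLACKHOLE_RE.match, config.splitlines()) if m}


def missing_blackholes(config: str) -> Dict[str, List[str]]:
    """Public addresses without a black-hole route, grouped by origin; an empty dict means clean."""
    routes = blackhole_routes(config)
    report: Dict[str, List[str]] = {}
    for origin, addrs in public_addresses(config).items():
        gap = addrs - routes
        if gap:
            report[origin] = sorted(gap, key=ipaddress.IPv4Address)
    return report


if __name__ == "__main__":
    for origin, addrs in missing_blackholes(SAMPLE_CONFIG).items():
        for a in addrs:
            print(f"{origin}: no black-hole route for {a}  (add: ip route-static {a} 32 NULL 0)")
```

Run it against the output of `display current-configuration` saved to a file; the check only recognises the single-address `nat server ... global <address>` form and `section <id> <first> <last>` pools used on this page.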
- Configure NAT ALG between the Trust zone and other security zones. In this example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT ALG, enable ASPF.
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit
- Configure attack defense.
[FW] firewall defend land enable
[FW] firewall defend smurf enable
[FW] firewall defend fraggle enable
[FW] firewall defend ip-fragment enable
[FW] firewall defend tcp-flag enable
[FW] firewall defend winnuke enable
[FW] firewall defend source-route enable
[FW] firewall defend teardrop enable
[FW] firewall defend route-record enable
[FW] firewall defend time-stamp enable
[FW] firewall defend ping-of-death enable
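What the single-packet attack-defense switches above look for, as an added Python example; this is not Huawei code and not part of the original document. Each checker implements the textbook condition behind one `firewall defend ... enable` switch and runs over a constructed packet stream that contains one instance of each condition. The packet model (a dict holding only the header fields the checks need) and the sample packets are this example's own simplification; the real engine parses raw headers. `LOCAL_NET` is the campus intranet 10.1.0.0/16 of this page, used to recognise its directed broadcast address for the Smurf and Fraggle checks.

```python
"""Per-packet conditions behind the 'firewall defend' switches (added example, not Huawei code).

A packet is a dict of the header fields the checks need (this example's own
simplified model). SAMPLE_PACKETS is a constructed stream, one hit per check.
"""
import ipaddress
from typing import Dict, List, Sequence, Set

Packet = Dict[str, object]
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")        # campus intranet of this page
BROADCAST = LOCAL_NET.broadcast_address
IP_OPTION_NAMES = {131: "source-route", 137: "source-route",   # LSRR, SSRR
                   7: "route-record", 68: "time-stamp"}        # RR, TS


def _flags(p: Packet) -> Set[str]:
    return set(p.get("flags", ()))


def is_land(p):            # land: source and destination address identical
    return p["src"] == p["dst"]

def is_smurf(p):           # smurf: ICMP echo request aimed at the broadcast address
    return p.get("proto") == "icmp" and p.get("icmp_type") == 8 and ipaddress.ip_address(p["dst"]) == BROADCAST

def is_fraggle(p):         # fraggle: UDP echo/chargen aimed at the broadcast address
    return p.get("proto") == "udp" and p.get("dport") in (7, 19) and ipaddress.ip_address(p["dst"]) == BROADCAST

def is_winnuke(p):         # winnuke: TCP urgent (out-of-band) data to the NetBIOS session port
    return p.get("proto") == "tcp" and "URG" in _flags(p) and p.get("dport") == 139

def is_bad_tcp_flags(p):   # tcp-flag: flag combinations no legitimate stack sends
    if p.get("proto") != "tcp":
        return False
    f = _flags(p)
    return not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f or f == {"FIN"}

def is_ping_of_death(p):   # ping-of-death: reassembled ICMP datagram would exceed 65535 bytes
    return p.get("proto") == "icmp" and p.get("frag_offset", 0) * 8 + p.get("length", 0) > 65535

def is_bad_fragment(p):    # ip-fragment: DF and MF set together is impossible for a real fragment
    return bool(p.get("df")) and bool(p.get("mf"))

def ip_option_hits(p) -> List[str]:   # source-route / route-record / time-stamp options present
    return sorted({IP_OPTION_NAMES[o] for o in p.get("ip_options", ()) if o in IP_OPTION_NAMES})


CHECKS = [("land", is_land), ("smurf", is_smurf), ("fraggle", is_fraggle), ("winnuke", is_winnuke),
          ("tcp-flag", is_bad_tcp_flags), ("ping-of-death", is_ping_of_death), ("ip-fragment", is_bad_fragment)]


def classify(p: Packet) -> List[str]:
    """Names of the stateless checks this packet trips (teardrop needs state, see detect_teardrop)."""
    return sorted([name for name, check in CHECKS if check(p)] + ip_option_hits(p))


def detect_teardrop(packets: Sequence[Packet]) -> List[int]:
    """teardrop: indexes of fragments that overlap an earlier fragment of the same datagram."""
    seen: Dict[tuple, List[tuple]] = {}
    hits = []
    for i, p in enumerate(packets):
        if not (p.get("mf") or p.get("frag_offset")):
            continue                                   # not a fragment
        key = (p["src"], p["dst"], p.get("ip_id"))
        start = p.get("frag_offset", 0) * 8
        end = start + p.get("length", 0)
        if any(start < e and s < end for s, e in seen.get(key, [])):
            hits.append(i)
        seen.setdefault(key, []).append((start, end))
    return hits


def scan(packets: Sequence[Packet]) -> Dict[int, List[str]]:
    """Index -> detections for every packet in the stream that trips at least one check."""
    result = {i: classify(p) for i, p in enumerate(packets)}
    for i in detect_teardrop(packets):
        result[i] = sorted(result[i] + ["teardrop"])
    return {i: names for i, names in result.items() if names}


SAMPLE_PACKETS: List[Packet] = [   # constructed stream
    {"src": "10.1.2.3", "dst": "93.184.216.34", "proto": "tcp", "flags": ("SYN",), "sport": 40000, "dport": 443},
    {"src": "10.1.2.3", "dst": "10.1.2.3", "proto": "tcp", "flags": ("SYN",), "sport": 80, "dport": 80},
    {"src": "10.1.2.3", "dst": "10.1.255.255", "proto": "icmp", "icmp_type": 8},
    {"src": "10.1.2.3", "dst": "10.1.255.255", "proto": "udp", "sport": 7, "dport": 7},
    {"src": "10.1.2.3", "dst": "10.1.5.5", "proto": "tcp", "flags": ("PSH", "ACK", "URG"), "sport": 4000, "dport": 139},
    {"src": "10.1.2.3", "dst": "10.1.5.5", "proto": "tcp", "flags": (), "sport": 4001, "dport": 22},
    {"src": "10.1.2.3", "dst": "10.1.5.5", "proto": "icmp", "icmp_type": 8, "ip_id": 1, "frag_offset": 8100, "length": 1480},
    {"src": "10.1.2.3", "dst": "10.1.5.5", "proto": "tcp", "flags": ("SYN",), "sport": 4002, "dport": 80, "ip_options": [131]},
    {"src": "10.1.2.3", "dst": "10.1.5.5", "proto": "udp", "sport": 4003, "dport": 53, "ip_id": 77, "frag_offset": 0, "length": 36, "mf": True},
    {"src": "10.1.2.3", "dst": "10.1.5.5", "proto": "udp", "sport": 4003, "dport": 53, "ip_id": 77, "frag_offset": 3, "length": 20, "mf": False},
]

if __name__ == "__main__":
    for i, names in scan(SAMPLE_PACKETS).items():
        print(f"packet {i}: {', '.join(names)}")
```

Packet 0 is an ordinary HTTPS SYN and trips nothing; packets 8 and 9 are two fragments of one datagram whose second fragment starts inside the first, which is what the teardrop check keys on.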
- Configure an audit profile and reference it in an audit policy.
[FW] profile type audit name trust_to_internet_audit
[FW-profile-audit-trust_to_internet_audit] http-audit url all
[FW-profile-audit-trust_to_internet_audit] http-audit bbs-content
[FW-profile-audit-trust_to_internet_audit] http-audit micro-blog
[FW-profile-audit-trust_to_internet_audit] http-audit file direction both
[FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both
[FW-profile-audit-trust_to_internet_audit] quit
[FW] audit-policy
[FW-policy-audit] rule name trust_to_internet_audit_policy
[FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust
[FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit
[FW-policy-audit-rule-trust_to_internet_audit_policy] quit
[FW-policy-audit] quit
- Configure bandwidth management.
# Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-user both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-user both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-user both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
[FW-policy-traffic-rule-isp1_p2p_03] quit
[FW-policy-traffic] quit
- Configure system log and NAT tracing to view logs on the eSight.
# Configure the function of sending system logs to a log host at 10.1.10.30 (in this example, IPS and attack defense logs are sent).
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30
# Configure the session log function.
[FW] security-policy
[FW-policy-security] rule name trust_edu_zone
[FW-policy-security-rule-trust_edu_zone] source-zone trust
[FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone
[FW-policy-security-rule-trust_edu_zone] action permit
[FW-policy-security-rule-trust_edu_zone] session logging
[FW-policy-security-rule-trust_edu_zone] quit
[FW-policy-security] rule name trust_isp1_zone
[FW-policy-security-rule-trust_isp1_zone] source-zone trust
[FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3
[FW-policy-security-rule-trust_isp1_zone] action permit
[FW-policy-security-rule-trust_isp1_zone] session logging
[FW-policy-security-rule-trust_isp1_zone] quit
[FW-policy-security] rule name trust_isp2_zone
[FW-policy-security-rule-trust_isp2_zone] source-zone trust
[FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2
[FW-policy-security-rule-trust_isp2_zone] action permit
[FW-policy-security-rule-trust_isp2_zone] session logging
[FW-policy-security-rule-trust_isp2_zone] quit
[FW-policy-security] quit
- Configure SNMP and ensure that the SNMP parameters on the eSight are consistent with those on the FW.
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123
After completing the configuration on the eSight, choose Log Analysis > Session Analysis > IPv4 Session Query to view session logs.
Verification
- When teachers and users on the 50-yuan monthly package access the external network, traffic destined for the education network is forwarded through GE1/0/1, traffic destined for the ISP1 network through GE1/0/2, GE1/0/3, or GE1/0/4, and traffic destined for the ISP2 network through GE1/0/5 or GE1/0/6.
- Traffic of the distance education system is forwarded over the link to the education network or an ISP2 link, P2P traffic is forwarded over an ISP1 link, and traffic of users on the 20-yuan monthly package and of users who access network resources from the library is forwarded over the link to the education network.
- Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update information of the IPS signature database.
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
  Update Server                : sec.huawei.com
  Update Port                  : 80
  Proxy State                  : disable
  Proxy Server                 : -
  Proxy Port                   : -
  Proxy User                   : -
  Proxy Password               : -
  IPS-SDB:
    Application Confirmation   : Disable
    Schedule Update            : Enable
    Schedule Update Frequency  : Daily
    Schedule Update Time       : 02:30
  AV-SDB:
    Application Confirmation   : Disable
    Schedule Update            : Enable
    Schedule Update Frequency  : Daily
    Schedule Update Time       : 02:30
  SA-SDB:
    Application Confirmation   : Disable
    Schedule Update            : Enable
    Schedule Update Frequency  : Daily
    Schedule Update Time       : 02:30
  IP-REPUTATION:
    Application Confirmation   : Disable
    Schedule Update            : Enable
    Schedule Update Frequency  : Daily
    Schedule Update Time       : 02:30
  CNC:
    Application Confirmation   : Disable
    Schedule Update            : Enable
    Schedule Update Frequency  : Daily
    Schedule Update Time       : 02:30
------------------------------------------------------------
# Run the display version ips-sdb command to check the configuration of the IPS signature database.
[sysname] display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
  Current Version:
  Signature Database Version    : 2015041503
  Signature Database Size(byte) : 2659606
  Update Time                   : 12:02:10 2015/05/27
  Issue Time of the Update File : 16:06:30 2015/04/15
  Backup Version:
  Signature Database Version    :
  Signature Database Size(byte) : 0
  Update Time                   : 00:00:00 0000/00/00
  Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
  Current Version:
  IPS Engine Version            : V200R002C00SPC060
  IPS Engine Size(byte)         : 3145728
  Update Time                   : 12:02:10 2015/05/27
  Issue Time of the Update File : 10:51:45 2015/05/20
  Backup Version:
  IPS Engine Version            :
  IPS Engine Size(byte)         : 0
  Update Time                   : 00:00:00 0000/00/00
  Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
- Run the display firewall server-map command to check server-map entries generated by server load balancing.
[sysname] display firewall server-map slb
 Current Total Server-map : 3
 Type: SLB, ANY -> 3.3.113.113[grp1/1], Zone:---, protocol:---
 Vpn: public -> public
 Type: SLB, ANY -> 2.2.112.112[grp1/1], Zone:---, protocol:---
 Vpn: public -> public
 Type: SLB, ANY -> 1.1.111.111[grp1/1], Zone:---, protocol:---
 Vpn: public -> public
- Run the display firewall server-map command to check server-map entries generated by the NAT server function.
[sysname] display firewall server-map nat-server
 Current Total Server-map : 12
 Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.16.16[10.1.10.20], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.17.17[10.1.10.20], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.15.15[10.1.10.20], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.16.16[10.1.10.20], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 1.1.101.101[10.1.10.30], Zone: edu_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.102.102[10.1.10.30], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.103.103[10.1.10.30], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.104.104[10.1.10.30], Zone: isp1_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.102.102[10.1.10.30], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 3.3.103.103[10.1.10.30], Zone: isp2_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server Reverse, 10.1.10.20[3.3.16.16] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[3.3.15.15] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.17.17] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.16.16] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[3.3.103.103] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[3.3.102.102] -> ANY, Zone: isp2_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[2.2.104.104] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[2.2.103.103] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[2.2.102.102] -> ANY, Zone: isp1_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.30[1.1.101.101] -> ANY, Zone: edu_zone , protocol:---
 Vpn: public -> public, counter: 1
- Check session logs on the eSight.
Configuration Scripts
#
 sysname FW
#
 info-center enable
 engine log ips enable
 info-center source IPS channel loghost log level emergencies
 info-center source ANTIATTACK channel loghost
 info-center loghost 10.1.10.30
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend ip-fragment enable
 firewall defend tcp-flag enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend teardrop enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
 isp name edu_address set filename edu_address.csv
 isp name isp1_address set filename isp1_address.csv
 isp name isp2_address set filename isp2_address.csv
 isp name other_edu_server_address set filename other_edu_server_address.csv
#
 slb enable
#
 user-manage online-user aging-time 480
 user-manage single-sign-on radius enable mode in-path interface GigabitEthernet1/0/7 traffic server-ip 10.2.1.2 port 1813
#
 update schedule ips-sdb enable
 update schedule ips-sdb daily 02:30
 update server domain sec.huawei.com
#
 dns resolve
 dns server 10.1.10.30
#
 ip-link check enable
 ip-link name edu_ip_link
  destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
 ip-link name isp1_ip_link
  destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
  destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
  destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
 ip-link name isp2_ip_link
  destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
  destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
#
 dns-smart enable
#
aaa
 domain default
  new-user add-temporary group /default/newuser
#
interface GigabitEthernet1/0/1
 description connect_to_edu
 ip address 1.1.1.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 1.1.1.2
#
interface GigabitEthernet1/0/2
 description connect_to_isp1
 ip address 2.2.2.1 255.255.255.252
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 2.2.2.2
#
interface GigabitEthernet1/0/3
 description connect_to_isp1
 ip address 2.2.3.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 2.2.3.2
#
interface GigabitEthernet1/0/4
 description connect_to_isp1
 ip address 2.2.4.1 255.255.255.252
 bandwidth ingress 200000 threshold 90
 bandwidth egress 200000 threshold 90
 redirect-reverse next-hop 2.2.4.2
#
interface GigabitEthernet1/0/5
 description connect_to_isp2
 ip address 3.3.3.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 3.3.3.2
#
interface GigabitEthernet1/0/6
 description connect_to_isp2
 ip address 3.3.4.1 255.255.255.252
 bandwidth ingress 1000000 threshold 90
 bandwidth egress 1000000 threshold 90
 redirect-reverse next-hop 3.3.4.2
#
interface GigabitEthernet1/0/7
 description connect_to_campus
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet1/0/8
 description connect_to_radius
 ip address 10.2.1.1 255.255.255.252
#
firewall zone name edu_zone
 set priority 20
 add interface GigabitEthernet1/0/1
#
firewall zone name isp1_zone1
 set priority 30
 add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
 set priority 40
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
 set priority 50
 add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
 set priority 60
 add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
 set priority 70
 add interface GigabitEthernet1/0/6
#
firewall zone trust
 add interface GigabitEthernet1/0/7
#
firewall zone dmz
 add interface GigabitEthernet1/0/8
#
firewall interzone trust edu_zone
 detect ftp
 detect qq
 detect rtsp
firewall interzone trust isp1_zone1
 detect ftp
 detect qq
 detect rtsp
firewall interzone trust isp1_zone2
 detect ftp
 detect qq
 detect rtsp
firewall interzone trust isp1_zone3
 detect ftp
 detect qq
 detect rtsp
firewall interzone trust isp2_zone1
 detect ftp
 detect qq
 detect rtsp
firewall interzone trust isp2_zone2
 detect ftp
 detect qq
 detect rtsp
#
dns-smart group 1 type single
 real-server-ip 1.1.15.15
 out-interface GigabitEthernet 1/0/2 map 2.2.15.15
 out-interface GigabitEthernet 1/0/3 map 2.2.16.16
 out-interface GigabitEthernet 1/0/4 map 2.2.17.17
 out-interface GigabitEthernet 1/0/5 map 3.3.15.15
 out-interface GigabitEthernet 1/0/6 map 3.3.16.16
dns-smart group 2 type single
 real-server-ip 1.1.101.101
 out-interface GigabitEthernet 1/0/2 map 2.2.102.102
 out-interface GigabitEthernet 1/0/3 map 2.2.103.103
 out-interface GigabitEthernet 1/0/4 map 2.2.104.104
 out-interface GigabitEthernet 1/0/5 map 3.3.102.102
 out-interface GigabitEthernet 1/0/6 map 3.3.103.103
#
 ip route-static 1.1.15.15 32 NULL 0
 ip route-static 2.2.15.15 32 NULL 0
 ip route-static 2.2.16.16 32 NULL 0
 ip route-static 2.2.17.17 32 NULL 0
 ip route-static 3.3.15.15 32 NULL 0
 ip route-static 3.3.16.16 32 NULL 0
 ip route-static 1.1.101.101 32 NULL 0
 ip route-static 2.2.102.102 32 NULL 0
 ip route-static 2.2.103.103 32 NULL 0
 ip route-static 2.2.104.104 32 NULL 0
 ip route-static 3.3.102.102 32 NULL 0
 ip route-static 3.3.103.103 32 NULL 0
 ip route-static 1.1.30.31 32 NULL 0
 ip route-static 1.1.30.32 32 NULL 0
 ip route-static 1.1.30.33 32 NULL 0
 ip route-static 2.2.5.1 32 NULL 0
 ip route-static 2.2.5.2 32 NULL 0
 ip route-static 2.2.5.3 32 NULL 0
 ip route-static 2.2.6.1 32 NULL 0
 ip route-static 2.2.6.2 32 NULL 0
 ip route-static 2.2.6.3 32 NULL 0
 ip route-static 2.2.7.1 32 NULL 0
 ip route-static 2.2.7.2 32 NULL 0
 ip route-static 2.2.7.3 32 NULL 0
 ip route-static 3.3.1.1 32 NULL 0
 ip route-static 3.3.1.2 32 NULL 0
 ip route-static 3.3.1.3 32 NULL 0
 ip route-static 3.3.2.1 32 NULL 0
 ip route-static 3.3.2.2 32 NULL 0
 ip route-static 3.3.2.3 32 NULL 0
 ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
 snmp-agent sys-info version v3
 snmp-agent group v3 inside_snmp privacy
 snmp-agent usm-user v3 snmp_user group inside_snmp
 snmp-agent usm-user v3 snmp_user authentication-mode sha cipher %$%$k)>GV7woERAFb8XL]i9!F[RI\\D(-#s.c$S;ZC3[MPc"qaXS%$%$
 snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher %$%$k)>GV7woERAFb8XL]i9!F[RI\\D(-#s.c$S;ZC3[MPc"qaXS%$%$
#
profile type audit name trust_to_internet_audit
 http-audit url all
 http-audit bbs-content
 http-audit micro-blog
 http-audit file direction both
 ftp-audit file direction both
#
 nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
 nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
 nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
 nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
 nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
 nat server portal_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
 nat server portal_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
 nat server portal_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
 nat server portal_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
 nat server portal_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
 nat server portal_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#
sa
 user-defined-application name UD_dis_edu_sys_app
  category Business_Systems
  data-model client-server
  label Encrypted-Communications Business-Applications
  rule name 1
   ip-address 2.2.50.50 32
   port 5000
#
nat address-group edu_nat_address_pool
 mode pat
 section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
 mode pat
 section 0 2.2.5.1 2.2.5.3
nat address-group isp1_nat_address_pool2
 mode pat
 section 0 2.2.6.1 2.2.6.3
nat address-group isp1_nat_address_pool3
 mode pat
 section 0 2.2.7.1 2.2.7.3
nat address-group isp2_nat_address_pool1
 mode pat
 section 0 3.3.1.1 3.3.1.3
nat address-group isp2_nat_address_pool2
 mode pat
 section 0 3.3.2.1 3.3.2.3
#
slb
 group 1 grp1
  metric roundrobin
  rserver 1 rip 10.1.10.10
  rserver 2 rip 10.1.10.11
 vserver 1 vs1
  vip 1 1.1.111.111
  vip 2 2.2.112.112
  vip 3 3.3.113.113
  group grp1
#
security-policy
 rule name user_inside
  source-zone trust
  profile ips default
  action permit
 rule name user_outside
  source-zone edu_zone
  source-zone isp1_zone1
  source-zone isp1_zone2
  source-zone isp1_zone3
  source-zone isp2_zone1
  source-zone isp2_zone2
  destination-address 10.1.10.0 mask 255.255.255.0
  profile ips default
  action permit
 rule name local_to_any
  source-zone local
  destination-zone any
  action permit
#
traffic-policy
 profile isp1_p2p_profile_01
  bandwidth maximum-bandwidth whole both 100000
  bandwidth maximum-bandwidth per-ip both 500
 profile isp1_p2p_profile_02
  bandwidth maximum-bandwidth whole both 300000
  bandwidth maximum-bandwidth per-ip both 1000
 profile isp1_p2p_profile_03
  bandwidth maximum-bandwidth whole both 700000
  bandwidth maximum-bandwidth per-ip both 2000
 rule name isp1_p2p_01
  ingress-interface GigabitEthernet 1/0/7
  egress-interface GigabitEthernet 1/0/2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_01
 rule name isp1_p2p_02
  ingress-interface GigabitEthernet 1/0/7
  egress-interface GigabitEthernet 1/0/3
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_02
 rule name isp1_p2p_03
  ingress-interface GigabitEthernet 1/0/7
  egress-interface GigabitEthernet 1/0/4
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile isp1_p2p_profile_03
#
policy-based-route
 rule name pbr_dns_trans
  source-zone trust
  service dns
  service dns-tcp
  action pbr egress-interface multi-interface
   mode proportion-of-bandwidth
   add interface GigabitEthernet 1/0/1
   add interface GigabitEthernet 1/0/2
   add interface GigabitEthernet 1/0/3
   add interface GigabitEthernet 1/0/4
   add interface GigabitEthernet 1/0/5
   add interface GigabitEthernet 1/0/6
 rule name dis_edu_sys
  source-zone trust
  application app UD_dis_edu_sys_app
  action pbr egress-interface multi-interface
   mode proportion-of-bandwidth
   add interface GigabitEthernet 1/0/1
   add interface GigabitEthernet 1/0/5
   add interface GigabitEthernet 1/0/6
 rule name p2p_traffic
  source-zone trust
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action pbr egress-interface multi-interface
   mode proportion-of-bandwidth
   add interface GigabitEthernet 1/0/2
   add interface GigabitEthernet 1/0/3
   add interface GigabitEthernet 1/0/4
 rule name pbr_edu
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp edu_address
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet 1/0/1 priority 8
   add interface GigabitEthernet 1/0/2 priority 5
   add interface GigabitEthernet 1/0/3 priority 5
   add interface GigabitEthernet 1/0/4 priority 5
   add interface GigabitEthernet 1/0/5 priority 1
   add interface GigabitEthernet 1/0/6 priority 1
 rule name pbr_isp1
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp isp1_address
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet 1/0/1 priority 5
   add interface GigabitEthernet 1/0/2 priority 8
   add interface GigabitEthernet 1/0/3 priority 8
   add interface GigabitEthernet 1/0/4 priority 8
   add interface GigabitEthernet 1/0/5 priority 1
   add interface GigabitEthernet 1/0/6 priority 1
 rule name pbr_isp2
  source-zone trust
  source-address 10.1.0.0 16
  destination-address isp isp2_address
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet 1/0/1 priority 5
   add
interface GigabitEthernet 1/0/2 priority 1 add interface GigabitEthernet 1/0/3 priority 1 add interface GigabitEthernet 1/0/4 priority 1 add interface GigabitEthernet 1/0/5 priority 8 add interface GigabitEthernet 1/0/6 priority 8 rule name pbr_rest source-zone trust source-address 10.1.0.0 16 action pbr egress-interface multi-interface mode priority-of-link-quality priority-of-link-quality parameter delay jitter loss priority-of-link-quality protocol tcp-simple priority-of-link-quality interval 3 times 5 add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/2 add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/4 add interface GigabitEthernet 1/0/5 add interface GigabitEthernet 1/0/6 rule name other_edu_server source-zone trust source-address 10.1.0.0 16 destination-address isp other_edu_server_address action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2 rule name lib_internet source-zone trust source-address 10.1.50.0 22 action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2 # nat-policy rule name inner_nat_policy source-zone trust destination-zone trust source-address 10.1.0.0 mask 255.255.0.0 action source-nat address-group edu_nat_address_pool rule name edu_nat_policy source-zone trust source-address 10.1.0.0 16 source-address 10.50.1.0 24 action source-nat address-group edu_nat_address_pool rule name isp1_nat_policy1 source-zone trust destination-zone isp1_zone1 source-address 10.1.0.0 16 action source-nat address-group isp1_nat_address_pool1 rule name isp1_nat_policy2 source-zone trust destination-zone isp1_zone2 source-address 10.1.0.0 16 action source-nat address-group isp1_nat_address_pool2 rule name isp1_nat_policy3 source-zone trust destination-zone isp1_zone3 source-address 10.1.0.0 16 action source-nat address-group isp1_nat_address_pool3 rule name isp2_nat_policy1 source-zone trust destination-zone isp2_zone1 source-address 10.1.0.0 16 action source-nat address-group isp2_nat_address_pool1 
rule name isp2_nat_policy2 source-zone trust destination-zone isp2_zone2 source-address 10.1.0.0 16 # audit-policy rule name trust_to_internet_audit_policy source-zone trust destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2 action audit profile trust_to_internet_audit # dns-transparent-policy dns transparent-proxy enable dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25 dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23 dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23 dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25 dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27 dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23 dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25 # rule name dns_trans_rule action tpdns # return # The following configuration takes effect only one time and is not saved into the configuration file. user-manage user-import demo.csv auto-create-group override user-manage group /default/newuser
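With six uplinks, the NAT plumbing above is easy to get subtly wrong: a public address that is handed out by a nat server, an address pool or a smart-DNS map but has no 32-bit blackhole route (ip route-static X 32 NULL 0) can loop between the firewall and the ISP router, a smart-DNS map can point at an address that no nat server translates to the same host, and a nat-policy rule can be saved without its action. Note also that the nat server list above reuses the names portal_server01 to portal_server06 for both 10.1.10.20 and 10.1.10.30, which a duplicate-name check is meant to catch. The following script is an added example for this page (not a Huawei tool and not part of the original document); it parses configuration text in the layout shown here and reports those inconsistencies. The configuration embedded in it is a constructed subset of this section's configuration with defects planted on purpose so that each check has something to report.

```python
"""Cross-checks for the multi-ISP NAT plumbing in the configuration above.
Added example for this page (not a Huawei tool, not part of the original
document); it reads the layout used here: top-level commands unindented,
sub-commands indented one space per level."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of this section's configuration with defects
# planted on purpose: the page's reuse of the name portal_server01, missing
# blackhole routes for 3.3.15.15, 1.1.101.101 and 1.1.30.33, isp2_nat_policy2
# without an action, and a smart-DNS map (3.3.15.15) whose nat server
# translates to a different inside host than the group's real-server-ip.
SAMPLE_CONFIG = """\
dns-smart group 1 type single
 real-server-ip 1.1.15.15
 out-interface GigabitEthernet 1/0/2 map 2.2.15.15
 out-interface GigabitEthernet 1/0/5 map 3.3.15.15
ip route-static 1.1.15.15 32 NULL 0
ip route-static 2.2.15.15 32 NULL 0
ip route-static 1.1.30.31 32 NULL 0
ip route-static 1.1.30.32 32 NULL 0
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.30 no-reverse
nat server portal_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
nat address-group edu_nat_address_pool
 mode pat
 section 0 1.1.30.31 1.1.30.33
nat-policy
 rule name edu_nat_policy
  destination-zone edu_zone
  action source-nat address-group edu_nat_address_pool
 rule name isp2_nat_policy2
  destination-zone isp2_zone2
"""

def parse_config(text):
    """Collect only the objects the checks need; everything else is skipped."""
    cfg = {"nat_servers": [], "pool_ranges": [], "smart_groups": {},
           "blackholes": set(), "nat_rules": {}}
    view = pool = group = rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0] != " ":  # top-level command: starts a new view
            view, pool, group, rule = line.split()[0], None, None, None
            if m := re.match(r"nat server (\S+) zone \S+ global (\S+) inside (\S+)", line):
                cfg["nat_servers"].append(m.groups())
            elif line.startswith("nat address-group "):
                pool = line.split()[2]
            elif m := re.match(r"dns-smart group (\d+)", line):
                group = m.group(1)
                cfg["smart_groups"][group] = {"real": None, "maps": []}
            elif m := re.match(r"ip route-static (\S+) 32 NULL 0$", line):
                cfg["blackholes"].add(m.group(1))
        elif pool and (m := re.match(r"section \d+ (\S+) (\S+)$", line)):
            cfg["pool_ranges"].append((pool,) + m.groups())
        elif group and line.startswith("real-server-ip "):
            cfg["smart_groups"][group]["real"] = line.split()[1]
        elif group and (m := re.match(r"out-interface .+ map (\S+)$", line)):
            cfg["smart_groups"][group]["maps"].append(m.group(1))
        elif view == "nat-policy" and line.startswith("rule name "):
            rule = line.split()[2]
            cfg["nat_rules"][rule] = None
        elif view == "nat-policy" and rule and line.startswith("action "):
            cfg["nat_rules"][rule] = line
    return cfg

def missing_blackholes(cfg):
    """Public addresses with no 'ip route-static X 32 NULL 0'. Without it a packet
    for an unowned pool address follows the default route back out to the ISP."""
    public = {g for _, g, _ in cfg["nat_servers"]}
    for _, first, last in cfg["pool_ranges"]:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
        public.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
    for grp in cfg["smart_groups"].values():
        public.update(grp["maps"])
    return sorted(public - cfg["blackholes"], key=ipaddress.IPv4Address)

def duplicate_nat_server_names(cfg):
    """nat server entries are keyed by name; a repeated name collides with the first."""
    counts = Counter(name for name, _, _ in cfg["nat_servers"])
    return sorted(n for n, c in counts.items() if c > 1)

def nat_rules_without_action(cfg):
    """Rules saved without an action, almost always an incomplete edit."""
    return sorted(n for n, a in cfg["nat_rules"].items() if a is None)

def smart_dns_mismatches(cfg):
    """(group, mapped address) pairs whose nat server is absent or translates to
    a different inside host than the group's real-server-ip."""
    inside_of = {g: i for _, g, i in cfg["nat_servers"]}
    return [(gid, m) for gid, grp in cfg["smart_groups"].items()
            for m in grp["maps"] if inside_of.get(m) != inside_of.get(grp["real"])]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for check in (missing_blackholes, duplicate_nat_server_names, nat_rules_without_action, smart_dns_mismatches):
        print(f"{check.__name__}: {check(cfg) or 'ok'}")
```

To run it against a real device, paste the output of display current-configuration in place of SAMPLE_CONFIG; the parser only looks at the nat server, nat address-group, dns-smart, ip route-static and nat-policy views and ignores everything else.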
Conclusion and Suggestions
This case is a useful reference design. In an actual deployment you can enable only the functions you need. The solution can be summarized as follows:
- This case demonstrates several classic firewall features: security policies, NAT, ASPF, attack defense, IPS, and bandwidth management (application-based limits and per-IP/per-user limits).
- This case shows the capabilities of a firewall acting as the egress gateway. Uplink selection is one of the most important gateway functions; here the firewall's PBR, intelligent uplink selection, DNS transparent proxy, smart DNS, and server load balancing together meet increasingly complex link-selection requirements and improve bandwidth utilization and user experience. Compared with a router acting as the gateway, a firewall in that role has stronger NAT and security defense capabilities.
- This case also shows the NAT tracing function of the firewall. With an audit policy configured, the firewall sends session logs to the NMS, where the administrator can view both the pre-NAT and post-NAT IP addresses of a session. Because the address pools in this case work in PAT mode, one public address is shared by many users at a time, so a user can be identified from a public address only together with the translated port and the session time. NAT tracing helps audit user online behavior.
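The procedure behind that last point, as an added example that is not part of the original document and not the NMS function it describes: given an external abuse report naming a public address and source port from one of the PAT pools above, find the internal host that held that translation at the reported time. The session records in the script are constructed for this example in a generic key=value layout; the USG's real session-log syntax is not reproduced here. What the example shows is why the time matters: with PAT, the same public ip:port is re-issued to another host as soon as a session ends, so matching on address and port alone returns several candidates.

```python
"""Tracing a translated (post-NAT) address back to the internal user.

Added example for this page; not part of the original document and not the
NMS function it describes. The session records below are constructed in a
generic key=value layout; the USG's real session-log syntax is not reproduced.
The point is the procedure: the pools above run in PAT mode, so one public
ip:port is re-issued to another host as soon as a session ends, and an abuse
report must be matched on post-NAT address, post-NAT port and time together."""
from datetime import datetime

# Constructed sample: src/sport are pre-NAT, nat_src/nat_sport are post-NAT.
# 2.2.5.1:41000 is held first by 10.1.20.15 and, minutes later, by 10.1.33.8.
SESSION_LOGS = """\
begin=2024-03-01T09:10:02 end=2024-03-01T09:12:40 src=10.1.20.15 sport=52311 nat_src=2.2.5.1 nat_sport=41000 dst=203.0.113.7 dport=443 proto=tcp
begin=2024-03-01T09:14:55 end=2024-03-01T09:16:10 src=10.1.33.8 sport=60123 nat_src=2.2.5.1 nat_sport=41000 dst=203.0.113.7 dport=443 proto=tcp
begin=2024-03-01T09:15:00 end=2024-03-01T09:15:20 src=10.1.20.15 sport=52400 nat_src=2.2.5.2 nat_sport=41000 dst=198.51.100.9 dport=80 proto=tcp
"""


def parse_sessions(text):
    """One dict per record; ports become ints, begin/end become datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        for key in ("sport", "nat_sport", "dport"):
            rec[key] = int(rec[key])
        rec["begin"] = datetime.fromisoformat(rec["begin"])
        rec["end"] = datetime.fromisoformat(rec["end"])
        records.append(rec)
    return records


def candidates(sessions, nat_ip, nat_port):
    """Every internal (ip, port) that ever held nat_ip:nat_port. Under PAT this
    is ambiguous: the same public tuple belongs to different users over time."""
    return [(s["src"], s["sport"]) for s in sessions
            if s["nat_src"] == nat_ip and s["nat_sport"] == nat_port]


def trace(sessions, nat_ip, nat_port, when_iso):
    """Internal (ip, port) that held nat_ip:nat_port at the reported time.
    One hit is the normal answer; none means the time falls outside every
    logged session (check clock skew and time zone before concluding)."""
    when = datetime.fromisoformat(when_iso)
    return [(s["src"], s["sport"]) for s in sessions
            if s["nat_src"] == nat_ip and s["nat_sport"] == nat_port
            and s["begin"] <= when <= s["end"]]


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOGS)
    print("ignoring time:", candidates(sessions, "2.2.5.1", 41000))
    print("at 09:15:30:  ", trace(sessions, "2.2.5.1", 41000, "2024-03-01T09:15:30"))
```

The report time and the firewall's log timestamps must be in the same time zone and the clocks synchronized (NTP on the firewall), otherwise the time-bounded lookup silently returns the wrong host or none at all.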