Application of Firewalls in the Core Network PS Domain


Introduction

This section describes the application of firewalls in the PS security solution. By analyzing the security issues faced by the mobile core network, this section provides a typical application solution of the firewall.

This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00 and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content may vary according to version.

Solution Overview

Introduction to Mobile Core Networks

Figure 1-1 shows the architecture of a mobile network. Data from a mobile terminal passes through the mobile access/aggregation network (or RAN) and the mobile core network before it arrives at the Internet.

Figure 1-1 Application of the FW on the mobile core network

The 2G/3G mobile core network includes a Circuit Switched (CS) domain and a Packet Switched (PS) domain. The CS domain deals with voice services (such as telephony); the PS domain provides data services (such as Internet access).

Long Term Evolution (LTE) is the evolutionary technology of 3G. Currently, all mainstream carriers are regarding LTE as the major 4G trend. The LTE network includes the E-UTRAN (radio access subsystem) and SAE (core network subsystem). The LTE architecture builds entirely on the PS domain and has no CS domain of 2G/3G. The LTE core network is also referred to as the Evolved Packet Core (EPC).

Application of the FW on the Mobile Core Network

Because public IPv4 addresses are limited, private addresses are generally allocated to mobile terminals on the core network, and public addresses are normally not allocated. Therefore, where a mobile terminal needs to access the Internet, address translation is required.

As shown in Figure 1-1, the FW is deployed at the Internet egress of a mobile core network (the Internet egress of 2G/3G core networks is the Gi interface, and the Internet egress of 4G core networks is the SGi interface). The FW provides NAT, inter-zone isolation, and border protection.

Traffic Model

Traffic on the FW comes mainly from the Gi/SGi interface. Some of it is routed directly to the Internet; the rest is routed to the WAP gateway, which forwards it to the Internet. Traffic from the mobile terminal directly to the Internet is referred to as Internet traffic; traffic from the mobile terminal to the WAP gateway is referred to as WAP traffic. Internet traffic and WAP traffic are collectively referred to as Gi/SGi traffic.

In addition to the Gi/SGi traffic, Gn and Gp traffic sometimes also passes through the firewall. Gn traffic is the traffic between the local GGSN (P-GW) and SGSN (S-GW).

The paths for various types of service traffic are as follows:

  • Internet traffic

    Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone > Internet

    Packets of the mobile terminal pass through the access/aggregation network and the core network and arrive at the Gi/SGi interface. Then the FW performs NAT for the packets and forwards them to the Internet. In this case, the FW processes the original TCP/UDP packets from the mobile terminal.

  • WAP traffic

    Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone > WAP

    A GRE tunnel is set up directly between the GGSN (P-GW) and the WAP gateway. The traffic is sent to the WAP gateway, which acts as a proxy and forwards the packets to the Internet. In this case, the FW processes GRE packets. Such traffic is declining on 4G networks.

Solution Design

Typical Networking

Networking Diagram

Figure 1-2 shows the typical networking of the FW at the Gi/SGi egress of a mobile core network. The service interface works at Layer 3, and the FW is connected to the backbone and GGSN/P-GW through routers.

Figure 1-2 Typical networking of the FW in a mobile core network

The following functions are deployed on the FW in the networking:

  1. HRP is configured on the FWs so that the FWs work in active/standby mode, improving network reliability and preventing single points of failure. A heartbeat link is connected between the two FWs for active/standby negotiation and status backup.

    If a large amount of data needs to be backed up, multiple heartbeat links are recommended. A 10GE link used as an HRP backup channel can support a new-session rate of 50,000/s or 5 million concurrent sessions, or carry 5 Gbit/s of service traffic. Assess the number of required interfaces based on the actual traffic volume, and use N+1 backup for the interfaces. For example, 10 million concurrent sessions require at least two 10GE links as HRP backup channels, so three 10GE interfaces are bundled for backup in the design.

  2. OSPF is deployed between the FWs and their upstream and downstream devices. The FWs run in OSPF1 process with their upstream backbone network and in OSPF2 process with their downstream GGSN network.

    Run the hrp adjust ospf-cost enable command to adjust the OSPF cost according to the active/standby status (HRP-OSPF association). In normal operation, the cost of the OSPF routes advertised by the standby firewall is increased by 65,500, so traffic is preferentially routed to the active firewall. When an interface of the FW or the FW itself fails, an active/standby switchover takes place and the OSPF costs are adjusted: the cost of the OSPF route over the original primary link increases by 65,500 and the cost over the backup link decreases, so traffic is preferentially routed to the firewall that was previously standby, ensuring service continuity.

  3. The upstream and downstream interfaces of the FW are bound to the same link group, and the HRP track function is configured to monitor the upstream and downstream interfaces.
  4. Unforced delivery of default routes is configured in OSPF2 process to divert traffic to the backbone network from the firewall.
  5. The HRP track BFD function is configured to detect remote link faults, such as faults in the link between RouterC and the backbone network.

    The bfd cfg-name bind peer-ip peer-ip [ interface interface-type interface-number ] command is used to bind a BFD session with a peer IP address, and the link to be detected needs to be specified. The process-interface-status command is used to associate the BFD session with the bound interface.

    If the peer device does not support BFD, IP-link can be used to carry out an active/standby switchover in case of a fault.

  6. The link-group link-group-id binding spu-cpu-limit [ limit-number ] command is used to bind a link group to an SPU CPU. If the SPU CPU fails, the device will check the number of existing SPU CPUs. If the number of existing SPU CPUs is smaller than the limit-number value, the device will change the status of all valid interfaces in the link group to Down.

Availability Analysis

Figure 1-3 shows the switchover upon failure of the active firewall FW_A. The specific process is as follows:

  • Switchover upon failure:

    FW_A fails, and FW_B becomes active. The OSPF neighbor relationships between the routers RouterA, RouterC, and FW_A no longer exist, and the route is switched to FW_B.

  • Recovery from failure:

    After FW_A recovers from the failure, the OSPF neighbor relationships between the routers RouterA, RouterC, and FW_A are restored, and FW_A becomes active. The route is switched back to FW_A, and traffic is routed to FW_A again.

Figure 1-3 Firewall failure

Figure 1-4 shows the switchover upon failure of a link connected to the active firewall FW_A (the link to the backbone or to the GGSN/P-GW). The specific process is as follows:

  • Switchover upon failure:

    When the active link fails, FW_A becomes standby and its neighbor relationship with RouterA (RouterC) is torn down. FW_B becomes active and the OSPF route costs are adjusted. The route on the right side is preferred, and traffic is switched over to the corresponding link.

  • Recovery from failure:

    After the link recovers from the failure, FW_A becomes active and its neighbor relationship with RouterA (RouterC) is restored. The route is switched back to FW_A, and traffic is switched back to the original link.

Figure 1-4 Link failure
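The failure and recovery sequences above, modelled as an added example (not part of the Huawei document): the standby unit advertises its OSPF routes with the cost raised by 65,500, the value the document gives for hrp adjust ospf-cost enable, and a box or link failure removes the unit's OSPF adjacency and swaps the roles. The firewall base cost of 10, the event sequence and the immediate preemption (the document recommends a 300 s preemption delay, which is not modelled) are assumptions of this example.

```python
"""Added example, not from the Huawei document: a small model of HRP-OSPF
association. The standby firewall advertises its OSPF routes with the cost
raised by 65,500 (the value the document gives), so the upstream router
prefers the active unit; on failure or link loss the roles swap and the
costs follow. Firewall base costs and the event sequence are constructed."""

from dataclasses import dataclass

COST_PENALTY = 65500  # cost increase applied by the standby firewall (from the document)


@dataclass
class Firewall:
    name: str
    base_cost: int = 10      # constructed base OSPF cost of the path through this unit
    healthy: bool = True     # the box itself is up
    link_up: bool = True     # the monitored (link-group / BFD-tracked) service link is up
    active: bool = False

    def adjacency_up(self) -> bool:
        # The OSPF neighbour relationship with RouterA/RouterC exists only while
        # the unit and its service link are both up.
        return self.healthy and self.link_up

    def advertised_cost(self):
        """Cost the upstream router sees via this unit; None when no adjacency exists."""
        if not self.adjacency_up():
            return None
        return self.base_cost if self.active else self.base_cost + COST_PENALTY


class HrpPair:
    """Active/standby pair; the first unit preempts as soon as it is eligible
    (the document's 300 s preemption delay is not modelled)."""

    def __init__(self, preferred: Firewall, other: Firewall):
        self.fws = [preferred, other]
        self.negotiate()

    def negotiate(self):
        eligible = [fw for fw in self.fws if fw.adjacency_up()]
        for fw in self.fws:
            fw.active = bool(eligible) and fw is eligible[0]

    def costs(self) -> dict:
        return {fw.name: fw.advertised_cost() for fw in self.fws}

    def selected_path(self):
        """The upstream router's choice: the reachable unit with the lowest cost."""
        reachable = {n: c for n, c in self.costs().items() if c is not None}
        return min(reachable, key=reachable.get) if reachable else None

    def apply(self, event: str, target: str):
        fw = next(f for f in self.fws if f.name == target)
        if event == "fail":
            fw.healthy = False
        elif event == "recover":
            fw.healthy = True
        elif event == "link_down":
            fw.link_up = False
        elif event == "link_up":
            fw.link_up = True
        else:
            raise ValueError(event)
        self.negotiate()


def simulate(events):
    """Return the unit carrying traffic after each event (index 0 = steady state)."""
    pair = HrpPair(Firewall("FW_A"), Firewall("FW_B"))
    trace = [pair.selected_path()]
    for event, target in events:
        pair.apply(event, target)
        trace.append(pair.selected_path())
    return trace


if __name__ == "__main__":
    pair = HrpPair(Firewall("FW_A"), Firewall("FW_B"))
    print(pair.costs())            # {'FW_A': 10, 'FW_B': 65510}
    print(simulate([("fail", "FW_A"), ("recover", "FW_A"),
                    ("link_down", "FW_A"), ("link_up", "FW_A")]))
    # ['FW_A', 'FW_B', 'FW_A', 'FW_B', 'FW_A']
```

The point the model makes visible is that a link failure on FW_A is handled like a box failure: because HRP track monitors the upstream and downstream interfaces, losing either link demotes FW_A and tears down its adjacency, so the cost adjustment and the route switch to FW_B happen together rather than leaving a unit that is active but unreachable.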

Service Planning

Interfaces and Security Zones

To prevent communication failures between active and standby firewalls due to heartbeat interface faults, using an Eth-Trunk interface as the heartbeat interface is recommended. For devices on which multiple NICs can be installed (for the support situation, see the hardware guide), an inter-board Eth-Trunk interface is required. That is, the member interfaces of the Eth-Trunk interface are on different LPUs. The inter-board Eth-Trunk improves reliability and increases bandwidth. For devices that do not support interface expansion or inter-board Eth-Trunk, it is possible that a faulty LPU may cause all HRP backup channels to be unavailable and compromise services.

The upstream and downstream physical links must have the same bandwidth, and that bandwidth must exceed the peak traffic. Otherwise, a traffic burst causes congestion and affects services.

Table 1-1 describes the planning of interfaces and security zones on the FWs.

Table 1-1 Planning of interfaces and security zones

Eth-Trunk0 (HRP backup interface)

  • FW_A: member ports GE2/0/0 and GE2/0/1; IP address 192.168.3.1/24; security zone hrpzone
  • FW_B: member ports GE2/0/0 and GE2/0/1; IP address 192.168.3.2/24; security zone hrpzone

Eth-Trunk1 (interface connecting to the Internet)

  • FW_A: member ports GE2/0/2 and GE2/0/3; IP address 1.1.1.1/24; security zone untrust
  • FW_B: member ports GE2/0/2 and GE2/0/3; IP address 1.1.2.1/24; security zone untrust

Eth-Trunk2 (interface connecting to Gi/SGi services)

  • FW_A: member ports GE2/0/4 and GE2/0/5; IP address 10.14.1.1/24; security zone trust
  • FW_B: member ports GE2/0/4 and GE2/0/5; IP address 10.14.2.1/24; security zone trust

Security Policies

Table 1-2 describes the planning of security policies on the FW.

Table 1-2 Planning of security policies

Local - Trust

  • Outbound: the security policy for access from the FW to the trust zone, which may permit all packets. If a fine-grained policy is required, OSPF packets must be permitted.
  • Inbound: the security policy for access from the trust zone to the FW, which may be set to permit packets for login and device management (SSH and HTTPS) and OSPF packets.

Local - Untrust

  • Outbound: the security policy for access from the FW to the untrust zone, which may permit all packets. If a fine-grained policy is required, OSPF packets must be permitted.
  • Inbound: the security policy for access from the untrust zone to the FW, which may be set to permit packets for login and device management (SSH and HTTPS) and OSPF packets.

Local - hrpzone

  • Outbound and inbound: the security policy between the backup interfaces of the active and standby firewalls, which permits switching the login between the two firewalls.

Trust - Untrust

  • Outbound: configure a rule that permits packets whose source address is a private address of a mobile terminal, and configure NAT for the private addresses. Also configure packet filtering for the GGSN at the start of the GRE tunnel and the WAP-side router at its end.
  • Inbound: configure packet filtering for the GGSN at the start of the GRE tunnel and the WAP-side router at its end.
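One way to check the configured rules against this plan, as an added example that is not part of the Huawei document: parse the security-policy CLI as it appears in the FW_A configuration procedure later in this document (prompts stripped, rules kept in order), then evaluate sample packets with first-match semantics and an implicit deny. The sample addresses and the management subnet 1.1.100.0/24 used in the tightened rule are constructed.

```python
"""Added example, not from the Huawei document: a minimal evaluator for the
security-policy CLI shown in this document. It strips the CLI prompts, builds
an ordered rule table and applies first-match with an implicit deny, which is
enough to compare the configured rules with the Table 1-2 plan. The sample
packets and the management subnet 1.1.100.0/24 are constructed."""

import ipaddress
import re

# Rules copied from the FW_A configuration procedure on this page.
PAGE_RULES = """
[FW_A] security-policy
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.0.0 16
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound] quit
[FW_A-policy-security] rule name trust_untrust_inbound1
[FW_A-policy-security-rule-trust_untrust_inbound1] source-zone untrust
[FW_A-policy-security-rule-trust_untrust_inbound1] destination-zone trust
[FW_A-policy-security-rule-trust_untrust_inbound1] source-address 1.1.0.0 16
[FW_A-policy-security-rule-trust_untrust_inbound1] destination-address 10.14.0.0 16
[FW_A-policy-security-rule-trust_untrust_inbound1] action permit
[FW_A-policy-security-rule-trust_untrust_inbound1] quit
[FW_A-policy-security] rule name trust_untrust_outbound2
[FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound2] source-address 10.14.0.0 16
[FW_A-policy-security-rule-trust_untrust_outbound2] action permit
[FW_A-policy-security-rule-trust_untrust_outbound2] quit
"""

# Constructed tightening: the same inbound rule limited to a management subnet,
# closer to the Table 1-2 intent that only management and OSPF traffic reaches the FW.
TIGHTENED_INBOUND = """
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] source-address 1.1.100.0 24
[FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.0.0 16
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound] quit
"""

PROMPT = re.compile(r"^\s*(<[^>]*>|\[[^\]]*\])\s*")   # leading <FW_A> or [FW_A-...] prompt


def parse_rules(text):
    """Turn the CLI transcript into an ordered list of rule dicts."""
    rules, cur = [], None
    for raw in text.splitlines():
        tokens = PROMPT.sub("", raw).split()
        if not tokens:
            continue
        if tokens[:2] == ["rule", "name"]:
            cur = {"name": tokens[2], "source-zone": None, "destination-zone": None,
                   "source-address": None, "destination-address": None, "action": "deny"}
            rules.append(cur)
        elif cur is None:
            continue                      # 'security-policy' header, nothing to record yet
        elif tokens[0] in ("source-zone", "destination-zone", "action"):
            cur[tokens[0]] = tokens[1]
        elif tokens[0] in ("source-address", "destination-address"):
            cur[tokens[0]] = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}")
        # 'quit' and unknown keywords are ignored
    return rules


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["source-zone"] not in (None, src_zone):
            continue
        if r["destination-zone"] not in (None, dst_zone):
            continue
        if r["source-address"] is not None and src not in r["source-address"]:
            continue
        if r["destination-address"] is not None and dst not in r["destination-address"]:
            continue
        return r["action"], r["name"]
    return "deny", "default"


if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    # terminal to Internet: permitted by trust_untrust_outbound2
    print(evaluate(rules, "trust", "untrust", "10.14.5.6", "198.51.100.7"))
    # unsolicited Internet host towards a terminal: implicit deny
    print(evaluate(rules, "untrust", "trust", "198.51.100.7", "10.14.5.6"))
    # any Internet host towards the FW's own untrust address: permitted as written
    print(evaluate(rules, "untrust", "local", "198.51.100.7", "1.1.1.1"))
    tight = parse_rules(TIGHTENED_INBOUND)
    print(evaluate(tight, "untrust", "local", "198.51.100.7", "1.1.1.1"))   # deny
    print(evaluate(tight, "untrust", "local", "1.1.100.9", "1.1.1.1"))      # permit
```

The third evaluation is the one worth noticing: the local_untrust_inbound rule in the configuration procedure matches only on zones and the destination address, so any untrust source can reach the firewall's own addresses, which is wider than the plan in Table 1-2 (SSH, HTTPS and OSPF only). Restricting the source, as in the tightened variant, or restricting the permitted services, brings the rule back to the plan.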

Routes

The route planning is as follows:

  1. Black-hole routes are configured for NAT addresses, and static routes are advertised to avoid routing loops.
  2. The firewall learns the default route from the Internet-side device and advertises the default route to the core network-side device in the way of unforced delivery of OSPF routes. Routing policies also need to be configured. When the firewall and Internet-side device import static routes, only the routes to addresses in the NAT address pool are advertised, and the routes to the other private addresses are not advertised.
  3. The firewall learns the addresses of intranet servers and terminal IP addresses from the core network side device and advertises the routes of the servers to the Internet side device. Filtering policies are configured for the firewall and the core network side device, and the firewall does not need to learn the default route from the core network side device.

Table 1-3 describes the planning of routes on the FWs.

Table 1-3 Planning of routes

Default routes learned through OSPF:

  • FW_A: destination 0.0.0.0/0, next hop 1.1.1.2 (IP address of RouterC)
  • FW_B: destination 0.0.0.0/0, next hop 1.1.2.2 (IP address of RouterD)

Route to the GGSN side learned through OSPF:

  • FW_A: destination 10.20.0.0/16, next hop 10.14.1.2 (IP address of RouterA)
  • FW_B: destination 10.20.0.0/16, next hop 10.14.2.2 (IP address of RouterB)

Black-hole routes to prevent routing loops (identical on FW_A and FW_B):

  • Destination addresses: 1.1.10.10, 1.1.10.11, 1.1.10.12, 1.1.10.13, 1.1.10.14, 1.1.10.15
  • Next hop: NULL0
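Why the black-hole routes in Table 1-3 are needed, as an added example that is not part of the Huawei document: a longest-prefix-match forwarding model in which the backbone router holds a static route for the NAT pool towards the FW while the FW holds only the default route back. A packet for a pool address with no NAT session then bounces between the two until its TTL expires, whereas a NULL0 route discards it at the FW, and an existing session is still translated before routing. The topology, the backbone's pool route, the terminal address 10.20.7.8 and the sample session are assumptions of this example.

```python
"""Added example, not from the Huawei document: a longest-prefix-match
forwarding model showing why the document plans blackhole (NULL0) routes for
every NAT pool address. Without them, a packet for a pool address that has no
NAT session follows the FW's default route back to the backbone router, which
routes it to the FW again. Topology, addresses outside the document's tables
and the sample NAT session are constructed."""

import ipaddress

NAT_POOL = ["1.1.10.10", "1.1.10.11", "1.1.10.12", "1.1.10.13", "1.1.10.14", "1.1.10.15"]


class Node:
    def __init__(self, name, routes, nat_sessions=None):
        self.name = name
        # (prefix, next hop); next hop is a node name, "NULL0" (discard) or "DELIVER" (local destination)
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.nat_sessions = nat_sessions or {}   # public address -> private address (reverse NAT)

    def lookup(self, dst):
        """Longest prefix match; None when no route covers the destination."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def build(blackhole, nat_sessions=None):
    fw_routes = [("0.0.0.0/0", "RouterC"),        # default route learned from the Internet side
                 ("10.20.0.0/16", "RouterA")]     # GGSN-side route (Table 1-3)
    if blackhole:
        fw_routes += [(f"{a}/32", "NULL0") for a in NAT_POOL]   # Table 1-3 blackhole routes
    return {
        "Internet": Node("Internet", [("1.1.0.0/16", "RouterC")]),          # constructed
        "RouterC": Node("RouterC", [("1.1.10.0/24", "FW"),                 # static route for the NAT pool
                                    ("0.0.0.0/0", "Internet")]),
        "FW": Node("FW", fw_routes, nat_sessions),
        "RouterA": Node("RouterA", [("10.20.0.0/16", "DELIVER")]),
    }


def forward(nodes, start, dst_ip, ttl=64):
    """Walk the packet hop by hop; returns (outcome, path)."""
    dst = ipaddress.ip_address(dst_ip)
    hop, path = start, []
    while ttl > 0:
        node = nodes[hop]
        path.append(hop)
        ttl -= 1
        # On the firewall an existing NAT session is matched before routing,
        # so session traffic is translated and never hits the blackhole route.
        if hop == "FW" and str(dst) in node.nat_sessions:
            dst = ipaddress.ip_address(node.nat_sessions[str(dst)])
        route = node.lookup(dst)
        if route is None or route[1] == "NULL0":
            return "dropped", path
        if route[1] == "DELIVER":
            return "delivered", path
        hop = route[1]
    return "ttl-expired", path


if __name__ == "__main__":
    print(forward(build(blackhole=False), "Internet", "1.1.10.12"))   # bounces FW<->RouterC until TTL expires
    print(forward(build(blackhole=True), "Internet", "1.1.10.12"))    # dropped at the FW
    session = {"1.1.10.12": "10.20.7.8"}                               # constructed active session
    print(forward(build(blackhole=True, nat_sessions=session), "Internet", "1.1.10.12"))
```

A design point the model also exposes: the loop exists for any address the backbone routes to the FW that the FW itself does not terminate, so the black-hole routes must cover every address inside the prefix the backbone advertises for the pool, not only the addresses currently in use.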

NAT

If the IP address obtained by a mobile terminal is a private address, NAT is required on the FW. The public address obtained through NAT is used for Internet access. NAT reduces the use of public addresses and improves the intranet security.

The usual NAT mode for FWs is NAT PAT. Empirically, one NAT address supports the NAT for 5,000 to 10,000 private IP addresses. Table 1-4 describes the planning of the NAT address pool. The configuration is the same for the active and standby firewalls.

Table 1-4 Planning of the NAT address pool

The NAT address pool is identical on FW_A and FW_B:

  • ID: 1
  • Mode: pat
  • Addresses: 1.1.10.10-1.1.10.15

Table 1-5 describes the planning of NAT policies.

Table 1-5 Planning of the NAT policies

The NAT policy is identical on FW_A and FW_B:

  • Security zone: Trust - Untrust
  • Direction: Outbound
  • Match condition: all packets from the 10.14.0.0/16 network segment
  • Action: source-nat
  • NAT address pool ID: 1

NAT is performed by the FW for FTP, RTSP, and PPTP traffic from mobile terminals to the Internet. It is necessary to configure ASPF between the zone where the Gi/SGi interface resides and the Untrust zone to ensure normal functioning of these applications.
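A sizing check for the pool in Table 1-4 against the match condition in Table 1-5, as an added example that is not part of the Huawei document. It applies the document's own planning figures (PAT mode, about 5,000 to 10,000 private addresses per public address, one black-hole route per pool address) and adds a PAT port-capacity check; the usable port range of 1024-65535 per public address and per transport protocol is an assumption of this example.

```python
"""Added example, not from the Huawei document: a NAT address-pool sizing check
built on the document's own planning rules (PAT mode, about 5,000 to 10,000
private addresses per public address, blackhole routes for every pool address).
The usable port range per public address is an assumption of this example."""

import ipaddress
import math

USABLE_PORTS = 65535 - 1024 + 1   # assumption: PAT draws from ports 1024-65535, per transport protocol


def pool_addresses(first, last):
    """Expand an address range such as 1.1.10.10-1.1.10.15 into individual addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]


def private_host_count(network):
    net = ipaddress.ip_network(network)
    return max(net.num_addresses - 2, 1)   # drop network and broadcast addresses


def check_pool(private_network, first, last, ratio=5000, sessions_per_host=None):
    """Compare a pool against the 1:ratio guidance and against PAT port capacity."""
    hosts = private_host_count(private_network)
    pool = pool_addresses(first, last)
    needed = math.ceil(hosts / ratio)
    ports = len(pool) * USABLE_PORTS
    result = {
        "private_hosts": hosts,
        "pool_size": len(pool),
        "addresses_needed_at_ratio": needed,
        "ratio_ok": len(pool) >= needed,
        "hosts_supported_at_ratio": len(pool) * ratio,
        "ports_per_protocol": ports,
        "max_concurrent_sessions_per_host": ports // hosts,
        # one /32 blackhole (NULL0) route per pool address, as in Table 1-3
        "blackhole_routes": [f"{a}/32" for a in pool],
    }
    if sessions_per_host is not None:
        # port exhaustion check: every host holding this many sessions at once
        result["ports_ok"] = sessions_per_host * hosts <= ports
    return result


def addresses_for(private_hosts, ratio=5000):
    """Minimum pool size for a given terminal count under the 1:ratio guidance."""
    return math.ceil(private_hosts / ratio)


if __name__ == "__main__":
    # The page's pool (Table 1-4) against the page's NAT match condition (Table 1-5)
    r = check_pool("10.14.0.0/16", "1.1.10.10", "1.1.10.15", sessions_per_host=10)
    for k, v in r.items():
        print(f"{k}: {v}")
    # at 1:5,000 a full /16 of terminals needs 14 public addresses; at 1:10,000 it still needs 7
    print(addresses_for(65534), addresses_for(65534, ratio=10000))
```

With the document's numbers the six-address pool supports about 30,000 terminals at 1:5,000, so what decides whether it is sufficient is the actual number of terminals behind 10.14.0.0/16, not the width of the match prefix; the function takes the real terminal count through addresses_for when the prefix is wider than the population.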

Attack Defense

Attack defense should be enabled on the FW for security defense. The recommended configuration is as follows:

  firewall defend land enable
  firewall defend smurf enable
  firewall defend fraggle enable
  firewall defend ip-fragment enable
  firewall defend tcp-flag enable
  firewall defend winnuke enable
  firewall defend source-route enable
  firewall defend teardrop enable
  firewall defend route-record enable
  firewall defend time-stamp enable
  firewall defend ping-of-death enable

Network Management (SNMP)

The Simple Network Management Protocol (SNMP) is the most widely used network management protocol on TCP/IP networks. An SNMP proxy should be configured on the FW so that the FW can be managed through an NMS server.

Logs (LogCenter)

The LogCenter server is used to collect NAT session logs for source tracing. Configure the FW to output session logs to the LogCenter server, including the log output format, source address, and source port.
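Source tracing over the collected session logs, as an added example that is not part of the Huawei document. The log line layout below is a constructed key=value format, not the product's own output format; what the example relies on are the fields the document names (session open and close events, the private address and port, the translated address and port, and the destination). It shows why, with the 5-tuple NAT the document recommends, a trace must include the destination and the time, not only the public address and port.

```python
"""Added example, not from the Huawei document: source tracing over NAT session
logs of the kind the LogCenter server collects. The log line format below is a
constructed key=value layout, not the product's own output format. With
5-tuple NAT the same public port can serve different destinations at once, so
a trace must include the destination and the time."""

from datetime import datetime

# Constructed session log: 1.1.10.12:20001 is reused over time and, under
# 5-tuple NAT, even simultaneously towards different destinations.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z event=open proto=tcp src=10.20.7.8:51514 nat=1.1.10.12:20001 dst=198.51.100.7:443
2024-03-01T10:00:05Z event=open proto=tcp src=10.20.9.9:40000 nat=1.1.10.12:20001 dst=203.0.113.9:80
2024-03-01T10:03:00Z event=close proto=tcp src=10.20.7.8:51514 nat=1.1.10.12:20001 dst=198.51.100.7:443
2024-03-01T10:05:00Z event=open proto=tcp src=10.20.3.3:33333 nat=1.1.10.12:20001 dst=198.51.100.7:443
2024-03-01T10:09:00Z event=close proto=tcp src=10.20.3.3:33333 nat=1.1.10.12:20001 dst=198.51.100.7:443
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_sessions(text):
    """Pair open/close events into session records keyed by the NAT 5-tuple."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["proto"], kv["src"], kv["nat"], kv["dst"])
        if kv["event"] == "open":
            open_sessions[key] = parse_time(ts)
        elif kv["event"] == "close" and key in open_sessions:
            sessions.append({"proto": kv["proto"], "src": kv["src"], "nat": kv["nat"],
                             "dst": kv["dst"], "start": open_sessions.pop(key),
                             "end": parse_time(ts)})
    # sessions still open at the end of the log have no end time yet
    for (proto, src, nat, dst), start in open_sessions.items():
        sessions.append({"proto": proto, "src": src, "nat": nat, "dst": dst,
                         "start": start, "end": None})
    return sessions


def trace(sessions, proto, nat, when, dst=None):
    """Private endpoints that were using translated address:port `nat` at time `when`.
    `dst` is optional so that the 5-tuple and 3-tuple lookups can be compared."""
    t = parse_time(when)
    hits = []
    for s in sessions:
        if s["proto"] != proto or s["nat"] != nat:
            continue
        if dst is not None and s["dst"] != dst:
            continue
        if s["start"] <= t and (s["end"] is None or t <= s["end"]):
            hits.append(s["src"])
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    nat = "1.1.10.12:20001"
    print(trace(sessions, "tcp", nat, "2024-03-01T10:01:00Z", dst="198.51.100.7:443"))  # ['10.20.7.8:51514']
    print(trace(sessions, "tcp", nat, "2024-03-01T10:06:00Z", dst="198.51.100.7:443"))  # ['10.20.3.3:33333']
    print(trace(sessions, "tcp", nat, "2024-03-01T10:04:00Z", dst="198.51.100.7:443"))  # []
    # without the destination the lookup is ambiguous under 5-tuple NAT
    print(trace(sessions, "tcp", nat, "2024-03-01T10:01:00Z"))  # ['10.20.7.8:51514', '10.20.9.9:40000']
```

Two practical consequences follow for the LogCenter deployment: the logs are only as useful for tracing as their timestamps are accurate, so the FW and the log server should share a time source, and both the open and the close event must be exported, since without the close event a reused public port cannot be attributed to the right terminal.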

Precautions

Hot Standby

  • The recommended preemption delay of a VGMP group is 300s.
  • Hot standby supports only OSPF and BGP route adjustment, but not IS-IS route adjustment. If OSPF or BGP route adjustment is configured, configure an interzone policy to permit OSPF or BGP packets.
  • HRP is associated with routing protocols for cost adjustment. Table 1-6 describes the routes that support this association.

Table 1-6

BGP routes that can be associated with HRP

  • By route type:
    1. BGP IPv4 unicast routes
    2. BGP VPNv4 routes
    3. BGP IPv6 unicast routes
  • By route origin:
    1. Routes learned from IBGP peers
    2. Routes learned from EBGP peers
    3. Routes learned from other routing protocols
    4. Advertised default routes

OSPF routes that can be associated with HRP

  • By route origin:
    1. Direct routes advertised using the network command
    2. Imported external routes
    3. Advertised default routes
  • By LSA type:
    1. Type 1 LSA: router LSA
    2. Type 3 LSA: summary LSA
    3. Type 5 LSA: AS-external-LSA
    4. Type 7 LSA: NSSA AS-external-LSA

Security Policies

For security, design the interzone security policies according to the security policy plan. Do not configure interzone security policies that permit all traffic.

Attack Defense

The recommended configuration should be used.

NAT

  • When planning the NAT address pool, keep the ratio of public addresses to private addresses at about 1:5,000.
  • If servers on the core network provide extranet access services, use port-based mapping, but not one-to-one IP address mapping, when configuring the NAT server.
  • The recommended NAT mode is 5-tuple NAT. If a customer requires triplet NAT, contact service or R&D engineers to reassess the solution.
  • In load balancing scenarios, both devices process service traffic. If NAT is configured, the devices may have conflicting public ports in the NAPT mode. To prevent such conflicts, configure respective NAT port resources for the devices. You can run the hrp nat resource primary-group command on the active device. The standby device will automatically generate the hrp nat resource secondary-group command.
  • You are advised to configure blackhole routes for the NAT address pool to prevent such issues as routing loops.

GRE

When the following conditions are met, it is recommended that you enable SPU selection based on GRE inner packets, so that traffic is evenly distributed across multiple CPUs:

  • All traffic is encapsulated over one or more GRE tunnels.
  • The number of CPU sessions over a single GRE tunnel is more than 1,000,000.

You can run the firewall gre inner hash enable command to enable the function of selecting a CPU based on the hash value calculated according to GRE inner packet information.

Performance

In load-balancing hot standby scenarios, ensure that the traffic does not exceed 70% of the interface bandwidth utilization and SPU CPU processing capability after being switched to a device. You can run the display interface command to check the interface bandwidth utilization and the display cpu-usage command to check the SPU CPU processing capability.

Solution Configuration

Configuration Procedure

Procedure

  1. Configure interfaces and security zones.

    1. Configure the interfaces and security zones of FW_A.

      # Create Eth-Trunk0, setting its IP address.

      <FW_A> system-view 
      [FW_A] interface Eth-Trunk 0 
      [FW_A-Eth-Trunk0] description To_FW_B 
      [FW_A-Eth-Trunk0] ip address 192.168.3.1 24 
      [FW_A-Eth-Trunk0] undo service-manage enable 
      [FW_A-Eth-Trunk0] quit

      # Create Eth-Trunk1, setting its IP address.

      [FW_A] interface Eth-Trunk 1 
      [FW_A-Eth-Trunk1] description To_Backbone 
      [FW_A-Eth-Trunk1] ip address 1.1.1.1 24 
      [FW_A-Eth-Trunk1] undo service-manage enable 
      [FW_A-Eth-Trunk1] quit

      # Create Eth-Trunk2, setting its IP address.

      [FW_A] interface Eth-Trunk 2 
      [FW_A-Eth-Trunk2] description To_GI 
      [FW_A-Eth-Trunk2] ip address 10.14.1.1 24 
      [FW_A-Eth-Trunk2] undo service-manage enable 
      [FW_A-Eth-Trunk2] quit

      # Add GigabitEthernet2/0/0 and GigabitEthernet2/0/1 to Eth-Trunk0.

      [FW_A] interface GigabitEthernet 2/0/0 
      [FW_A-GigabitEthernet2/0/0] Eth-Trunk 0 
      [FW_A-GigabitEthernet2/0/0] quit 
      [FW_A] interface GigabitEthernet 2/0/1 
      [FW_A-GigabitEthernet2/0/1] Eth-Trunk 0 
      [FW_A-GigabitEthernet2/0/1] quit

      # Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk1.

      [FW_A] interface GigabitEthernet 2/0/2 
      [FW_A-GigabitEthernet2/0/2] Eth-Trunk 1 
      [FW_A-GigabitEthernet2/0/2] quit 
      [FW_A] interface GigabitEthernet 2/0/3 
      [FW_A-GigabitEthernet2/0/3] Eth-Trunk 1 
      [FW_A-GigabitEthernet2/0/3] quit

      # Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk2.

      [FW_A] interface GigabitEthernet 2/0/4 
      [FW_A-GigabitEthernet2/0/4] Eth-Trunk 2 
      [FW_A-GigabitEthernet2/0/4] quit 
      [FW_A] interface GigabitEthernet 2/0/5 
      [FW_A-GigabitEthernet2/0/5] Eth-Trunk 2 
      [FW_A-GigabitEthernet2/0/5] quit

      # Add Eth-Trunk0 to the hrpzone security zone.

      [FW_A] firewall zone name hrpzone 
      [FW_A-zone-hrpzone] set priority 65 
      [FW_A-zone-hrpzone] add interface Eth-Trunk 0 
      [FW_A-zone-hrpzone] quit

      # Add Eth-Trunk1 to the untrust security zone.

      [FW_A] firewall zone untrust 
      [FW_A-zone-untrust] add interface Eth-Trunk 1 
      [FW_A-zone-untrust] quit

      # Add Eth-Trunk2 to the trust security zone.

      [FW_A] firewall zone trust 
      [FW_A-zone-trust] add interface Eth-Trunk 2 
      [FW_A-zone-trust] quit
    2. Configure the interfaces and security zones of FW_B.

      # Create Eth-Trunk0, setting its IP address.

      <FW_B> system-view 
      [FW_B] interface Eth-Trunk 0 
      [FW_B-Eth-Trunk0] description To_FW_A 
      [FW_B-Eth-Trunk0] ip address 192.168.3.2 24 
      [FW_B-Eth-Trunk0] undo service-manage enable 
      [FW_B-Eth-Trunk0] quit

      # Create Eth-Trunk1, setting its IP address.

      [FW_B] interface Eth-Trunk 1 
      [FW_B-Eth-Trunk1] description To_Backbone 
      [FW_B-Eth-Trunk1] ip address 1.1.2.1 24 
      [FW_B-Eth-Trunk1] undo service-manage enable 
      [FW_B-Eth-Trunk1] quit

      # Create Eth-Trunk2, setting its IP address.

      [FW_B] interface Eth-Trunk 2 
      [FW_B-Eth-Trunk2] description To_GI 
      [FW_B-Eth-Trunk2] ip address 10.14.2.1 24 
      [FW_B-Eth-Trunk2] undo service-manage enable 
      [FW_B-Eth-Trunk2] quit

      # Add GigabitEthernet2/0/0 and GigabitEthernet2/0/1 to Eth-Trunk0.

      [FW_B] interface GigabitEthernet 2/0/0 
      [FW_B-GigabitEthernet2/0/0] Eth-Trunk 0 
      [FW_B-GigabitEthernet2/0/0] quit 
      [FW_B] interface GigabitEthernet 2/0/1 
      [FW_B-GigabitEthernet2/0/1] Eth-Trunk 0 
      [FW_B-GigabitEthernet2/0/1] quit

      # Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk1.

      [FW_B] interface GigabitEthernet 2/0/2 
      [FW_B-GigabitEthernet2/0/2] Eth-Trunk 1 
      [FW_B-GigabitEthernet2/0/2] quit 
      [FW_B] interface GigabitEthernet 2/0/3 
      [FW_B-GigabitEthernet2/0/3] Eth-Trunk 1 
      [FW_B-GigabitEthernet2/0/3] quit

      # Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk2.

      [FW_B] interface GigabitEthernet 2/0/4 
      [FW_B-GigabitEthernet2/0/4] Eth-Trunk 2 
      [FW_B-GigabitEthernet2/0/4] quit 
      [FW_B] interface GigabitEthernet 2/0/5 
      [FW_B-GigabitEthernet2/0/5] Eth-Trunk 2 
      [FW_B-GigabitEthernet2/0/5] quit

      # Add Eth-Trunk0 to the hrpzone security zone.

      [FW_B] firewall zone name hrpzone 
      [FW_B-zone-hrpzone] set priority 65 
      [FW_B-zone-hrpzone] add interface Eth-Trunk 0 
      [FW_B-zone-hrpzone] quit

      # Add Eth-Trunk1 to the untrust security zone.

      [FW_B] firewall zone untrust 
      [FW_B-zone-untrust] add interface Eth-Trunk 1 
      [FW_B-zone-untrust] quit

      # Add Eth-Trunk2 to the trust security zone.

      [FW_B] firewall zone trust 
      [FW_B-zone-trust] add interface Eth-Trunk 2 
      [FW_B-zone-trust] quit

  2. Configure security policies.

    1. Configure the security policies of FW_A.

      # Configure the security policy between the local and trust zones.

      [FW_A] security-policy 
      [FW_A-policy-security] rule name local_trust_outbound 
      [FW_A-policy-security-rule-local_trust_outbound] source-zone local  
      [FW_A-policy-security-rule-local_trust_outbound] destination-zone trust 
      [FW_A-policy-security-rule-local_trust_outbound] source-address 10.14.0.0 16 
      [FW_A-policy-security-rule-local_trust_outbound] action permit 
      [FW_A-policy-security-rule-local_trust_outbound] quit 
      [FW_A-policy-security]  rule name local_trust_inbound 
      [FW_A-policy-security-rule-local_trust_inbound] source-zone trust 
      [FW_A-policy-security-rule-local_trust_inbound] destination-zone local 
      [FW_A-policy-security-rule-local_trust_inbound] destination-address 10.14.0.0 16 
      [FW_A-policy-security-rule-local_trust_inbound] action permit 
      [FW_A-policy-security-rule-local_trust_inbound] quit

      # Configure the security policy between the local and untrust zones.

      [FW_A-policy-security] rule name local_untrust_outbound 
      [FW_A-policy-security-rule-local_untrust_outbound] source-zone local 
      [FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust 
      [FW_A-policy-security-rule-local_untrust_outbound] source-address 1.1.0.0 16 
      [FW_A-policy-security-rule-local_untrust_outbound] action permit 
      [FW_A-policy-security-rule-local_untrust_outbound] quit 
      [FW_A-policy-security] rule name local_untrust_inbound 
      [FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust 
      [FW_A-policy-security-rule-local_untrust_inbound] destination-zone local 
      [FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.0.0 16 
      [FW_A-policy-security-rule-local_untrust_inbound] action permit 
      [FW_A-policy-security-rule-local_untrust_inbound] quit

      # Configure the security policy between the local and hrpzone zones.

      [FW_A-policy-security] rule name local_hrpzone_outbound 
      [FW_A-policy-security-rule-local_hrpzone_outbound] source-zone local 
      [FW_A-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone 
      [FW_A-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24 
      [FW_A-policy-security-rule-local_hrpzone_outbound] action permit 
      [FW_A-policy-security-rule-local_hrpzone_outbound] quit 
      [FW_A-policy-security] rule name local_hrpzone_inbound 
      [FW_A-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone 
      [FW_A-policy-security-rule-local_hrpzone_inbound] destination-zone local 
      [FW_A-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24 
      [FW_A-policy-security-rule-local_hrpzone_inbound] action permit
      [FW_A-policy-security-rule-local_hrpzone_inbound] quit

      # Configure the security policy between the trust and untrust zones, permitting GRE tunnel packets in both directions between the GGSN/P-GW and the WAP-side router.

      [FW_A-policy-security] rule name trust_untrust_outbound1
      [FW_A-policy-security-rule-trust_untrust_outbound1] source-zone trust
      [FW_A-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
      [FW_A-policy-security-rule-trust_untrust_outbound1] source-address 10.14.0.0 16
      [FW_A-policy-security-rule-trust_untrust_outbound1] destination-address 1.1.0.0 16
      [FW_A-policy-security-rule-trust_untrust_outbound1] action permit
      [FW_A-policy-security-rule-trust_untrust_outbound1] quit
      [FW_A-policy-security] rule name trust_untrust_inbound1
      [FW_A-policy-security-rule-trust_untrust_inbound1] source-zone untrust
      [FW_A-policy-security-rule-trust_untrust_inbound1] destination-zone trust
      [FW_A-policy-security-rule-trust_untrust_inbound1] source-address 1.1.0.0 16
      [FW_A-policy-security-rule-trust_untrust_inbound1] destination-address 10.14.0.0 16
      [FW_A-policy-security-rule-trust_untrust_inbound1] action permit
      [FW_A-policy-security-rule-trust_untrust_inbound1] quit

      # Configure the security policy between the trust and untrust zones, permitting packets from mobile terminals to the Internet. All packets from the 10.14.0.0/16 network segment are matched. In practice, you can add rules as needed.

      [FW_A-policy-security] rule name trust_untrust_outbound2 
      [FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust 
      [FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust 
      [FW_A-policy-security-rule-trust_untrust_outbound2] source-address 10.14.0.0 16 
      [FW_A-policy-security-rule-trust_untrust_outbound2] action permit 
      [FW_A-policy-security-rule-trust_untrust_outbound2] quit
    2. Configure the security policies of FW_B.

      # Configure the security policy between the local and trust zones.

      [FW_B] security-policy 
      [FW_B-policy-security] rule name local_trust_outbound 
      [FW_B-policy-security-rule-local_trust_outbound] source-zone local  
      [FW_B-policy-security-rule-local_trust_outbound] destination-zone trust 
      [FW_B-policy-security-rule-local_trust_outbound] source-address 10.14.0.0 16 
      [FW_B-policy-security-rule-local_trust_outbound] action permit 
      [FW_B-policy-security-rule-local_trust_outbound] quit 
      [FW_B-policy-security]  rule name local_trust_inbound 
      [FW_B-policy-security-rule-local_trust_inbound] source-zone trust 
      [FW_B-policy-security-rule-local_trust_inbound] destination-zone local 
      [FW_B-policy-security-rule-local_trust_inbound] destination-address 10.14.0.0 16 
      [FW_B-policy-security-rule-local_trust_inbound] action permit 
      [FW_B-policy-security-rule-local_trust_inbound] quit

      # Configure the security policy between the local and untrust zones.

      [FW_B-policy-security] rule name local_untrust_outbound 
      [FW_B-policy-security-rule-local_untrust_outbound] source-zone local 
      [FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust 
      [FW_B-policy-security-rule-local_untrust_outbound] source-address 1.1.0.0 16 
      [FW_B-policy-security-rule-local_untrust_outbound] action permit 
      [FW_B-policy-security-rule-local_untrust_outbound] quit 
      [FW_B-policy-security] rule name local_untrust_inbound 
      [FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust 
      [FW_B-policy-security-rule-local_untrust_inbound] destination-zone local 
      [FW_B-policy-security-rule-local_untrust_inbound] destination-address 1.1.0.0 16 
      [FW_B-policy-security-rule-local_untrust_inbound] action permit 
      [FW_B-policy-security-rule-local_untrust_inbound] quit

      # Configure the security policy between the local and hrpzone zones.

      [FW_B-policy-security] rule name local_hrpzone_outbound 
      [FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local 
      [FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone 
      [FW_B-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24 
      [FW_B-policy-security-rule-local_hrpzone_outbound] action permit 
      [FW_B-policy-security-rule-local_hrpzone_outbound] quit 
      [FW_B-policy-security] rule name local_hrpzone_inbound 
      [FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone 
      [FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local 
      [FW_B-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24 
      [FW_B-policy-security-rule-local_hrpzone_inbound] action permit
      [FW_B-policy-security-rule-local_hrpzone_inbound] quit

      # Configure the security policy between the trust and untrust zones, permitting GRE tunnel packets from the WAP side router to the GGSN/P-GW.

      [FW_B-policy-security] rule name trust_untrust_outbound1
      [FW_B-policy-security-rule-trust_untrust_outbound1] source-zone trust
      [FW_B-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
      [FW_B-policy-security-rule-trust_untrust_outbound1] source-address 10.14.0.0 16
      [FW_B-policy-security-rule-trust_untrust_outbound1] destination-address 1.1.0.0 16
      [FW_B-policy-security-rule-trust_untrust_outbound1] action permit
      [FW_B-policy-security-rule-trust_untrust_outbound1] quit
      [FW_B-policy-security] rule name trust_untrust_inbound1
      [FW_B-policy-security-rule-trust_untrust_inbound1] source-zone untrust
      [FW_B-policy-security-rule-trust_untrust_inbound1] destination-zone trust
      [FW_B-policy-security-rule-trust_untrust_inbound1] source-address 1.1.0.0 16
      [FW_B-policy-security-rule-trust_untrust_inbound1] destination-address 10.14.0.0 16
      [FW_B-policy-security-rule-trust_untrust_inbound1] action permit
      [FW_B-policy-security-rule-trust_untrust_inbound1] quit

      # Configure the security policy between the trust and untrust zones, permitting packets from mobile terminals to the Internet. All packets from the 10.14.0.0/16 network segment are matched. In practice, you can add rules as needed.

      [FW_B-policy-security] rule name trust_untrust_outbound2 
      [FW_B-policy-security-rule-trust_untrust_outbound2] source-zone trust 
      [FW_B-policy-security-rule-trust_untrust_outbound2] destination-zone untrust 
      [FW_B-policy-security-rule-trust_untrust_outbound2] source-address 10.14.0.0 16 
      [FW_B-policy-security-rule-trust_untrust_outbound2] action permit 
      [FW_B-policy-security-rule-trust_untrust_outbound2] quit

  3. Configure routes.

    NOTE:

    Give the active and standby firewalls different router IDs in their OSPF processes; otherwise OSPF routes may flap.

    1. Configure the OSPF routes of FW_A.

      # Configure a routing policy so that, when static routes are imported into OSPF on the side of FW_A connecting to the backbone, only the NAT address pool addresses are advertised and the VPN addresses are not.

      [FW_A] ip ip-prefix natAddress permit 1.1.10.10 32  
      [FW_A] ip ip-prefix natAddress permit 1.1.10.11 32  
      [FW_A] ip ip-prefix natAddress permit 1.1.10.12 32  
      [FW_A] ip ip-prefix natAddress permit 1.1.10.13 32  
      [FW_A] ip ip-prefix natAddress permit 1.1.10.14 32  
      [FW_A] ip ip-prefix natAddress permit 1.1.10.15 32  
      [FW_A] route-policy PS_NAT permit node 10 
      [FW_A-route-policy] if-match ip-prefix natAddress 
      [FW_A-route-policy] quit 
      [FW_A] ospf 1 router-id 1.1.1.1 
      [FW_A-ospf-1] import-route static route-policy PS_NAT 
      [FW_A-ospf-1] area 0.0.0.0 
      [FW_A-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255 
      [FW_A-ospf-1-area-0.0.0.0] quit 
      [FW_A-ospf-1] quit

      # Configure a route filtering policy on the side of FW_A connecting to the core network so that FW_A does not learn the default route from the core network.

      [FW_A] ip ip-prefix no-default deny 0.0.0.0 0 
      [FW_A] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32 
      [FW_A] ospf 2 router-id 10.14.1.1 
      [FW_A-ospf-2] filter-policy ip-prefix no-default import 
      [FW_A-ospf-2] default-route-advertise 
      [FW_A-ospf-2] area 0.0.0.0 
      [FW_A-ospf-2-area-0.0.0.0] network 10.14.1.0 0.0.0.255 
      [FW_A-ospf-2-area-0.0.0.0] quit 
      [FW_A-ospf-2] quit

      # Configure black-hole routes.

      [FW_A] ip route-static 1.1.10.10 32 NULL 0 
      [FW_A] ip route-static 1.1.10.11 32 NULL 0 
      [FW_A] ip route-static 1.1.10.12 32 NULL 0 
      [FW_A] ip route-static 1.1.10.13 32 NULL 0 
      [FW_A] ip route-static 1.1.10.14 32 NULL 0 
      [FW_A] ip route-static 1.1.10.15 32 NULL 0
    2. Configure the OSPF routes of FW_B.

      # Configure a routing policy so that, when static routes are imported into OSPF on the side of FW_B connecting to the backbone, only the NAT address pool addresses are advertised and the VPN addresses are not.

      [FW_B] ip ip-prefix natAddress permit 1.1.10.10 32  
      [FW_B] ip ip-prefix natAddress permit 1.1.10.11 32  
      [FW_B] ip ip-prefix natAddress permit 1.1.10.12 32  
      [FW_B] ip ip-prefix natAddress permit 1.1.10.13 32  
      [FW_B] ip ip-prefix natAddress permit 1.1.10.14 32  
      [FW_B] ip ip-prefix natAddress permit 1.1.10.15 32  
      [FW_B] route-policy PS_NAT permit node 10 
      [FW_B-route-policy] if-match ip-prefix natAddress 
      [FW_B-route-policy] quit 
      [FW_B] ospf 1 router-id 1.1.2.1 
      [FW_B-ospf-1] import-route static route-policy PS_NAT 
      [FW_B-ospf-1] area 0.0.0.0 
      [FW_B-ospf-1-area-0.0.0.0] network 1.1.2.0 0.0.0.255 
      [FW_B-ospf-1-area-0.0.0.0] quit 
      [FW_B-ospf-1] quit

      # Configure a route filtering policy on the side of FW_B connecting to the core network so that FW_B does not learn the default route from the core network.

      [FW_B] ip ip-prefix no-default deny 0.0.0.0 0 
      [FW_B] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32 
      [FW_B] ospf 2 router-id 10.14.2.1 
      [FW_B-ospf-2] filter-policy ip-prefix no-default import 
      [FW_B-ospf-2] default-route-advertise 
      [FW_B-ospf-2] area 0.0.0.0
      [FW_B-ospf-2-area-0.0.0.0] network 10.14.2.0 0.0.0.255 
      [FW_B-ospf-2-area-0.0.0.0] quit 
      [FW_B-ospf-2] quit

      # Configure black-hole routes.

      [FW_B] ip route-static 1.1.10.10 32 NULL 0 
      [FW_B] ip route-static 1.1.10.11 32 NULL 0 
      [FW_B] ip route-static 1.1.10.12 32 NULL 0 
      [FW_B] ip route-static 1.1.10.13 32 NULL 0 
      [FW_B] ip route-static 1.1.10.14 32 NULL 0 
      [FW_B] ip route-static 1.1.10.15 32 NULL 0
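
To make the effect of the two prefix lists above concrete, here is an added Python example; it is not Huawei code and not part of this document's configuration. It implements the ip-prefix matching rules as the page uses them (first matching entry wins, an entry without greater-equal/less-equal matches only that exact mask length, a route that matches no entry is denied) and evaluates the natAddress list that route-policy PS_NAT references and the no-default list used by the OSPF 2 import filter. The candidate routes it tests are constructed; only the six NAT pool /32 routes pass PS_NAT, and only the default route is blocked by no-default.

```python
"""Evaluate Huawei-style ip-prefix lists as used by PS_NAT and no-default (added example)."""
import ipaddress


def parse_prefix_line(line):
    """Parse 'ip ip-prefix <name> [index] {permit|deny} <addr> <len> [greater-equal ge] [less-equal le]'.

    Returns (name, action, network, ge, le). Range semantics: no range keyword means the
    route's mask length must equal <len> exactly; greater-equal alone means [ge, 32];
    less-equal alone means [<len>, le].
    """
    tok = line.split()
    if tok[:2] != ["ip", "ip-prefix"]:
        raise ValueError(f"not an ip-prefix line: {line!r}")
    name, rest = tok[2], tok[3:]
    if rest[0].isdigit():  # optional entry index number
        rest = rest[1:]
    action, addr, mlen = rest[0], rest[1], int(rest[2])
    ge = le = None
    for i in range(3, len(rest), 2):
        if rest[i] == "greater-equal":
            ge = int(rest[i + 1])
        elif rest[i] == "less-equal":
            le = int(rest[i + 1])
    if le is None:
        le = mlen if ge is None else 32
    if ge is None:
        ge = mlen
    net = ipaddress.IPv4Network((addr, mlen), strict=False)
    return name, action, net, ge, le


def build_prefix_lists(lines):
    """Group parsed entries by list name, preserving configuration order."""
    lists = {}
    for line in lines:
        name, action, net, ge, le = parse_prefix_line(line)
        lists.setdefault(name, []).append((action, net, ge, le))
    return lists


def evaluate(entries, route):
    """Return 'permit' or 'deny' for a route ('a.b.c.d/len'); unmatched routes are denied."""
    route = ipaddress.IPv4Network(route)
    for action, net, ge, le in entries:
        # The route must fall inside the entry's prefix when masked to the entry's length...
        masked = ipaddress.IPv4Network((route.network_address, net.prefixlen), strict=False)
        # ...and its own mask length must lie within the entry's [ge, le] range.
        if masked == net and ge <= route.prefixlen <= le:
            return action
    return "deny"


# The two prefix lists exactly as configured on FW_A above.
PREFIX_LISTS = build_prefix_lists([
    "ip ip-prefix natAddress permit 1.1.10.10 32",
    "ip ip-prefix natAddress permit 1.1.10.11 32",
    "ip ip-prefix natAddress permit 1.1.10.12 32",
    "ip ip-prefix natAddress permit 1.1.10.13 32",
    "ip ip-prefix natAddress permit 1.1.10.14 32",
    "ip ip-prefix natAddress permit 1.1.10.15 32",
    "ip ip-prefix no-default deny 0.0.0.0 0",
    "ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32",
])


def ps_nat_imports(route):
    """Would route-policy PS_NAT (if-match ip-prefix natAddress) import this static route into OSPF 1?"""
    return evaluate(PREFIX_LISTS["natAddress"], route) == "permit"


def ospf2_learns(route):
    """Would 'filter-policy ip-prefix no-default import' let OSPF 2 install this route?"""
    return evaluate(PREFIX_LISTS["no-default"], route) == "permit"


if __name__ == "__main__":
    # Constructed candidate routes: NAT pool host routes, an address outside the pool,
    # the VPN (terminal) segment, the aggregate of the pool, and the default route.
    for r in ["1.1.10.10/32", "1.1.10.16/32", "10.14.0.0/16", "1.1.10.0/24"]:
        print(f"PS_NAT imports {r:14}: {ps_nat_imports(r)}")
    for r in ["0.0.0.0/0", "10.14.5.0/24", "1.1.10.10/32"]:
        print(f"OSPF 2 learns  {r:14}: {ospf2_learns(r)}")
```

Note that the second no-default entry on its own would also match 0.0.0.0/0 (length 0 is within 0..32); it is the preceding deny entry, evaluated first, that keeps the default route out.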

  4. Complete the availability configuration.

    1. Configure a link group on FW_A and bind the upstream and downstream interfaces of FW_A to the link group.

      [FW_A] interface Eth-Trunk 1
      [FW_A-Eth-Trunk1] link-group 1
      [FW_A-Eth-Trunk1] quit
      [FW_A] interface Eth-Trunk 2
      [FW_A-Eth-Trunk2] link-group 1
      [FW_A-Eth-Trunk2] quit
    2. Complete the hot standby configuration of FW_A.

      # Configure HRP to track the interfaces connecting FW_A to the backbone and core networks.

      [FW_A] hrp track interface Eth-Trunk 1 
      [FW_A] hrp track interface Eth-Trunk 2

      # Enable OSPF cost adjustment based on the HRP state.

      [FW_A] hrp adjust ospf-cost enable

      # Configure the heartbeat interface.

      [FW_A] hrp interface Eth-Trunk 0 remote 192.168.3.2

      # Enable HRP.

      [FW_A] hrp enable

      # Set the preemption delay of the VGMP group to 300s.

      [FW_A] hrp preempt delay 300
    3. Complete the hot standby configuration of FW_B.

      # Configure HRP to track the upstream and downstream interfaces.

      [FW_B] hrp track interface Eth-Trunk 1 
      [FW_B] hrp track interface Eth-Trunk 2

      # Enable OSPF cost adjustment based on the HRP state.

      [FW_B] hrp adjust ospf-cost enable

      # Configure the heartbeat interface.

      [FW_B] hrp interface Eth-Trunk 0 remote 192.168.3.1

      # Enable HRP.

      [FW_B] hrp enable

      # Configure the current device as the standby device.

      [FW_B] hrp standby-device

  5. Configure NAT and ASPF.

    NOTE:

    After hot standby is enabled, the NAT and ASPF configuration of FW_A is automatically synchronized to FW_B.

    1. Configure NAT for FW_A.

      # Create the NAT address pool.

      HRP_M[FW_A] nat address-group addressgroup1
      HRP_M[FW_A-address-group-addressgroup1] section 1.1.10.10 1.1.10.15
      HRP_M[FW_A-address-group-addressgroup1] quit

      # Configure the NAT policy. The source addresses of all packets from the 10.14.0.0/16 network segment are translated. In practice, you can add rules as needed.

      HRP_M[FW_A] nat-policy 
      HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound 
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust 
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust 
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 10.14.0.0 16
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1  
      HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] quit 
      HRP_M[FW_A-policy-nat] quit
    2. Configure ASPF for FW_A.
      HRP_M[FW_A] firewall interzone trust untrust 
      HRP_M[FW_A-interzone-trust-untrust] detect rtsp 
      HRP_M[FW_A-interzone-trust-untrust] detect ftp 
      HRP_M[FW_A-interzone-trust-untrust] detect pptp 
      HRP_M[FW_A-interzone-trust-untrust] quit

  6. Configure attack defense.

    NOTE:

    After hot standby is enabled, the attack defense configuration of FW_A is automatically synchronized to FW_B.

    Configure attack defense for FW_A.

    HRP_M[FW_A] firewall defend land enable 
    HRP_M[FW_A] firewall defend smurf enable 
    HRP_M[FW_A] firewall defend fraggle enable 
    HRP_M[FW_A] firewall defend ip-fragment enable 
    HRP_M[FW_A] firewall defend tcp-flag enable 
    HRP_M[FW_A] firewall defend winnuke enable 
    HRP_M[FW_A] firewall defend source-route enable 
    HRP_M[FW_A] firewall defend teardrop enable 
    HRP_M[FW_A] firewall defend route-record enable 
    HRP_M[FW_A] firewall defend time-stamp enable 
    HRP_M[FW_A] firewall defend ping-of-death enable

  7. Configure network management (SNMP).

    1. Configure network management (SNMP) on FW_A.

      # Configure the SNMP version of the FW. This step is optional. By default, the SNMP version is SNMPv3. Carry out this step if it is not SNMPv3.

      HRP_M[FW_A] snmp-agent sys-info version v3

      # Configure the SNMPv3 user group.

      HRP_M[FW_A] snmp-agent group v3 NMS1 privacy

      # Configure the SNMPv3 user.

      HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

      # Configure the contact information.

      HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang

      # Configure the location information.

      HRP_M[FW_A] snmp-agent sys-info location Beijing

      # Configure the alarm function of SNMP on the FW.

      HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy private-netmanager 
      HRP_M[FW_A] snmp-agent trap enable  
      Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    2. Configure network management (SNMP) on FW_B.

      # Configure the SNMP version of the FW. This step is optional. By default, the SNMP version is SNMPv3. Carry out this step if it is not SNMPv3.

      HRP_S[FW_B] snmp-agent sys-info version v3

      # Configure the SNMPv3 user group.

      HRP_S[FW_B] snmp-agent group v3 NMS1 privacy

      # Configure the SNMPv3 user.

      HRP_S[FW_B] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

      # Configure the contact information.

      HRP_S[FW_B] snmp-agent sys-info contact Mr.zhang

      # Configure the location information.

      HRP_S[FW_B] snmp-agent sys-info location Beijing

      # Configure the alarm function of SNMP on the FW.

      HRP_S[FW_B] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy private-netmanager 
      HRP_S[FW_B] snmp-agent trap enable
      Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

  8. Configure the LogCenter.

    NOTE:

    For the configuration on the LogCenter log server, see the product manual of the LogCenter. Only the configuration on the FW is described.

    After hot standby is enabled, the LogCenter configuration of FW_A is automatically synchronized to FW_B. However, the source address and source port for log export need to be configured on FW_B.

    1. Configure FW_A.

      # Configure a log host. When the log format is syslog, the address of the log host is 2.2.2.2, and the host port must be 514.

      HRP_M[FW_A] firewall log host 1 2.2.2.2 514

      # Enable session logging in the security policy rules where it is required; which rules need it depends on the deployment.

      HRP_M[FW_A] security-policy 
      HRP_M[FW_A-policy-security] rule name trust_untrust 
      HRP_M[FW_A-policy-security-rule-trust_untrust] session logging 
      HRP_M[FW_A-policy-security-rule-trust_untrust] action permit 
      HRP_M[FW_A-policy-security-rule-trust_untrust] quit 
      HRP_M[FW_A-policy-security] quit

      # Configure the log output format, the concurrent mode, and the source address/port (3.3.3.3/6000) of the logs.

      HRP_M[FW_A] firewall log session log-type syslog 
      HRP_M[FW_A] firewall log session multi-host-mode concurrent 
      HRP_M[FW_A] firewall log source 3.3.3.3 6000
    2. Configure FW_B.

      # Configure the source address and source port for log export (3.3.3.4/6000).

      HRP_S[FW_B] firewall log source 3.3.3.4 6000

Verification

  1. Run the display hrp state command on FW_A to view the current HRP state. The following information indicates that HRP is successfully set up.
    HRP_M[FW_A] display hrp state
     Role: active, peer: standby
     Running priority: 46002, peer: 46002
     Backup channel usage: 7%
     Stable time: 0 days, 0 hours, 12 minutes
  2. Users can browse web pages and receive and send multimedia messages using mobile terminals.
  3. Users can roam normally with their mobile terminals.
  4. Run the shutdown command on GigabitEthernet2/0/0 of FW_A to simulate a link fault. The active/standby switchover proceeds normally and services are not interrupted.

Configuration Scripts

Configuration script for FW_A:

#                                                                                
 sysname FW_A 
#                                                                                
info-center source default channel 2 log level warning                             
 info-center loghost 10.2.0.10                                                   
#                                                                                
 firewall log session log-type syslog                                            
 firewall log session multi-host-mode concurrent 
 firewall log source 3.3.3.3 6000 
 firewall log host 1 2.2.2.2 514                                               
#  
nat address-group addressgroup1 1
 mode pat 
 status active  
 section 0 1.1.10.10 1.1.10.15                                                                                                   
#  
 hrp enable 
 hrp interface Eth-Trunk 0 remote 192.168.3.2                                   
 hrp adjust ospf-cost enable                                                     
 hrp preempt delay 300 
 hrp track interface Eth-Trunk 1 
 hrp track interface Eth-Trunk 2 
#                                                                                
 firewall defend land enable 
 firewall defend smurf enable 
 firewall defend fraggle enable 
 firewall defend ip-fragment enable 
 firewall defend tcp-flag enable 
 firewall defend winnuke enable 
 firewall defend source-route enable 
 firewall defend teardrop enable 
 firewall defend route-record enable 
 firewall defend time-stamp enable 
 firewall defend ping-of-death enable 
# 
interface Eth-Trunk0                                                             
 description To_FW_B 
 ip address 192.168.3.1 255.255.255.0   
 undo service-manage enable  
# 
interface Eth-Trunk1                                                             
 description To_Backbone 
 ip address 1.1.1.1 255.255.255.0   
 undo service-manage enable  
 link-group 1              
# 
interface Eth-Trunk2                                                         
 description To_GI 
 ip address 10.14.1.1 255.255.255.0      
 undo service-manage enable     
 link-group 1                                        
#                                                                                
interface GigabitEthernet2/0/0                                                   
 eth-trunk 0                                                                     
#                                                                                
interface GigabitEthernet2/0/1                                                   
 eth-trunk 0                                                                     
#                                                                                
interface GigabitEthernet2/0/2                                                   
 eth-trunk 1                                                                     
#                                                                                
interface GigabitEthernet2/0/3                                                   
 eth-trunk 1                                                                     
#                                                                                
interface GigabitEthernet2/0/4                                                   
 eth-trunk 2                                                                     
#                                                                                
interface GigabitEthernet2/0/5                                                   
 eth-trunk 2                                                                     
#                                                                                 
firewall zone trust                                                              
 set priority 85                                                                 
 add interface Eth-Trunk2                                             
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface Eth-Trunk1                                              
#                                                                                
firewall zone hrpzone                                                                
 set priority 65                                                                 
 add interface Eth-Trunk0                                                        
#                                                                                
firewall interzone trust untrust                                                                
 detect rtsp 
 detect ftp 
 detect pptp 
#                                                                                
security-policy  
 rule name local_trust_outbound  
  source-zone local  
  destination-zone trust  
  source-address 10.14.0.0 16  
  action permit  
 rule name local_trust_inbound  
  source-zone trust  
  destination-zone local  
  destination-address 10.14.0.0 16  
  action permit    
 rule name local_untrust_outbound  
  source-zone local  
  destination-zone untrust  
  source-address 1.1.0.0 16  
  action permit      
 rule name local_untrust_inbound  
  source-zone untrust  
  destination-zone local  
  destination-address 1.1.0.0 16  
  action permit   
 rule name local_hrpzone_outbound  
  source-zone local  
  destination-zone hrpzone  
  source-address 192.168.3.0 24  
  action permit      
 rule name local_hrpzone_inbound  
  source-zone hrpzone  
  destination-zone local  
  destination-address 192.168.3.0 24  
  action permit   
 rule name trust_untrust_outbound1  
  source-zone trust  
  destination-zone untrust  
  source-address 10.14.0.0 16  
  destination-address 1.1.0.0 16  
  action permit     
 rule name trust_untrust_inbound1  
  source-zone untrust  
  destination-zone trust  
  source-address 1.1.0.0 16 
  destination-address 10.14.0.0 16  
  action permit  
 rule name trust_untrust_outbound2  
  source-zone trust  
  destination-zone untrust  
  source-address 10.14.0.0 16  
  action permit     
 rule name trust_untrust  
  session logging  
  action permit   
#   
nat-policy 
 rule name trust_untrust_outbound 
  source-zone trust 
  destination-zone untrust 
  source-address 10.14.0.0 16 
  action source-nat address-group addressgroup1 
# 
ip ip-prefix natAddress permit 1.1.10.10 32  
ip ip-prefix natAddress permit 1.1.10.11 32  
ip ip-prefix natAddress permit 1.1.10.12 32  
ip ip-prefix natAddress permit 1.1.10.13 32  
ip ip-prefix natAddress permit 1.1.10.14 32  
ip ip-prefix natAddress permit 1.1.10.15 32  
ip ip-prefix no-default deny 0.0.0.0 0 
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32 
# 
route-policy PS_NAT permit node 10 
 if-match ip-prefix natAddress 
# 
ospf 1 router-id 1.1.1.1   
 import-route static route-policy PS_NAT  
 area 0.0.0.0  
  network 1.1.1.0 0.0.0.255    
#    
ospf 2 router-id 10.14.1.1  
 default-route-advertise 
 filter-policy ip-prefix no-default import 
 area 0.0.0.0  
  network 10.14.1.0 0.0.0.255    
#    
 ip route-static 1.1.10.10 255.255.255.255 NULL0   
 ip route-static 1.1.10.11 255.255.255.255 NULL0   
 ip route-static 1.1.10.12 255.255.255.255 NULL0   
 ip route-static 1.1.10.13 255.255.255.255 NULL0    
 ip route-static 1.1.10.14 255.255.255.255 NULL0  
 ip route-static 1.1.10.15 255.255.255.255 NULL0    
#                                                                                
 snmp-agent                                                                      
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                              
 snmp-agent sys-info version v3                                                  
 snmp-agent sys-info contact Mr.zhang 
 snmp-agent sys-info location Beijing 
 snmp-agent group v3 NMS1 privacy                                             
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#                                                                                
return

Configuration script for FW_B:

#                                                                                
 sysname FW_B 
#                                                                                
info-center source default channel 2 log level warning                             
 info-center loghost 10.2.0.10                                                   
#                                                                                
 firewall log session log-type syslog                                            
 firewall log session multi-host-mode concurrent 
 firewall log source 3.3.3.4 6000 
 firewall log host 1 2.2.2.2 514                                               
#  
nat address-group addressgroup1 1
 mode pat  
 status active 
 section 0 1.1.10.10 1.1.10.15                                                                                                   
# 
 hrp enable 
 hrp standby-device 
 hrp interface Eth-Trunk 0 remote 192.168.3.1                                   
 hrp adjust ospf-cost enable                                                     
 hrp track interface Eth-Trunk 1 
 hrp track interface Eth-Trunk 2 
#                                                                                
 firewall defend land enable 
 firewall defend smurf enable 
 firewall defend fraggle enable 
 firewall defend ip-fragment enable 
 firewall defend tcp-flag enable 
 firewall defend winnuke enable 
 firewall defend source-route enable 
 firewall defend teardrop enable 
 firewall defend route-record enable 
 firewall defend time-stamp enable 
 firewall defend ping-of-death enable 
# 
interface Eth-Trunk0                                                             
 description To_FW_A 
 ip address 192.168.3.2 255.255.255.0    
 undo service-manage enable                                            
# 
interface Eth-Trunk1                                                             
 description To_Backbone 
 ip address 1.1.1.3 255.255.255.0    
 undo service-manage enable                                            
# 
interface Eth-Trunk2                                                                                                                        
 description To_GI 
 ip address 10.14.1.3 255.255.255.0     
 undo service-manage enable                                           
#                                                                                
interface GigabitEthernet2/0/0                                                   
 eth-trunk 0                                                                     
#                                                                                
interface GigabitEthernet2/0/1                                                   
 eth-trunk 0                                                                     
#                                                                                
interface GigabitEthernet2/0/2                                                   
 eth-trunk 1                                                                     
#                                                                                
interface GigabitEthernet2/0/3                                                   
 eth-trunk 1                                                                     
#                                                                                
interface GigabitEthernet2/0/4                                                   
 eth-trunk 2                                                                     
#                                                                                
interface GigabitEthernet2/0/5                                                   
 eth-trunk 2                                                                     
#                                                                                 
firewall zone trust                                                              
 set priority 85                                                                 
 add interface Eth-Trunk2                                            
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface Eth-Trunk1                                              
#                                                                                
firewall zone hrpzone                                                                
 set priority 65                                                                 
 add interface Eth-Trunk0                                                        
#                                                                                
firewall interzone trust untrust                                                                
 detect rtsp 
 detect ftp 
 detect pptp 
#   
security-policy 
 rule name local_trust_outbound  
  source-zone local  
  destination-zone trust 
  source-address 10.14.0.0 16 
  action permit     
 rule name local_trust_inbound  
  source-zone trust  
  destination-zone local  
  destination-address 10.14.0.0 16 
  action permit 
 rule name local_untrust_outbound  
  source-zone local  
  destination-zone untrust  
  source-address 1.1.0.0 16 
  action permit  
 rule name local_untrust_inbound  
  source-zone untrust
  destination-zone local  
  destination-address 1.1.0.0 16 
  action permit  
 rule name local_hrpzone_outbound  
  source-zone local  
  destination-zone hrpzone  
  source-address 192.168.3.0 24  
  action permit  
 rule name local_hrpzone_inbound  
  source-zone hrpzone  
  destination-zone local  
  destination-address 192.168.3.0 24  
  action permit  
 rule name trust_untrust_outbound1  
  source-zone trust  
  destination-zone untrust  
  source-address 10.14.0.0 16 
  destination-address 1.1.0.0 16  
  action permit     
 rule name trust_untrust_inbound1  
  source-zone untrust
  destination-zone trust  
  source-address 1.1.0.0 16  
  destination-address 10.14.0.0 16  
  action permit 
 rule name trust_untrust_outbound2  
  source-zone trust  
  destination-zone untrust  
  source-address 10.14.0.0 16  
  action permit  
 rule name trust_untrust  
  session logging  
  action permit     
#   
nat-policy 
 rule name trust_untrust_outbound 
  source-zone trust 
  destination-zone untrust 
  source-address 10.14.0.0 16 
  action source-nat address-group addressgroup1 
# 
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0 
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32 
# 
route-policy PS_NAT permit node 10 
 if-match ip-prefix natAddress 
# 
ospf 1 router-id 1.1.1.3   
 import-route static route-policy PS_NAT  
 area 0.0.0.0  
  network 1.1.2.0 0.0.0.255    
#    
ospf 2 router-id 10.14.1.3  
 default-route-advertise 
 filter-policy ip-prefix no-default import 
 area 0.0.0.0  
  network 10.15.1.0 0.0.0.255    
#                                                                                
 ip route-static 1.1.10.10 255.255.255.255 NULL0                             
 ip route-static 1.1.10.11 255.255.255.255 NULL0                             
 ip route-static 1.1.10.12 255.255.255.255 NULL0                             
 ip route-static 1.1.10.13 255.255.255.255 NULL0                             
 ip route-static 1.1.10.14 255.255.255.255 NULL0                             
 ip route-static 1.1.10.15 255.255.255.255 NULL0                             
#                                                                                
 snmp-agent                                                                      
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                              
 snmp-agent sys-info version v3                                                  
 snmp-agent sys-info contact Mr.zhang 
 snmp-agent sys-info location Beijing 
 snmp-agent group v3 NMS1 privacy                                             
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#                                                                                
return
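
The two scripts above have to stay in step for the solution to work: every NAT pool address must appear in ip-prefix natAddress (or OSPF 1 never advertises it to the backbone), every pool address needs a NULL0 black-hole route (or there is no static route for the route-policy to import), zone names referenced by rules must exist with matching case, and rule names must be identical on both devices. The following Python script is an added example, not Huawei code and not part of this document, that audits a pair of scripts for exactly those properties. Its regular expressions assume the script layout shown on this page. The embedded FW_A excerpt is a constructed, shortened copy of the script above; FW_B is derived from it with two deliberate mismatches (a mistyped natAddress prefix and a mis-cased zone name) so the report shows what drift between the active and standby devices looks like.

```python
"""Audit two hot-standby firewall scripts for NAT/route/zone consistency (added example)."""
import ipaddress
import re

# Constructed excerpt modelled on the FW_A configuration script on this page.
FW_A = """\
 sysname FW_A
#
nat address-group addressgroup1 1
 mode pat
 section 0 1.1.10.10 1.1.10.15
#
firewall zone trust
 add interface Eth-Trunk2
#
firewall zone untrust
 add interface Eth-Trunk1
#
security-policy
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone untrust
  action permit
 rule name trust_untrust_inbound1
  source-zone untrust
  destination-zone trust
  action permit
#
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
#
 ip route-static 1.1.10.10 255.255.255.255 NULL0
 ip route-static 1.1.10.11 255.255.255.255 NULL0
 ip route-static 1.1.10.12 255.255.255.255 NULL0
 ip route-static 1.1.10.13 255.255.255.255 NULL0
 ip route-static 1.1.10.14 255.255.255.255 NULL0
 ip route-static 1.1.10.15 255.255.255.255 NULL0
"""

# Constructed FW_B: derived from FW_A with two deliberate mismatches of the kind that
# creep into a standby device's script (a mistyped prefix list, a mis-cased zone name).
FW_B = (FW_A.replace("sysname FW_A", "sysname FW_B")
            .replace("natAddress permit 1.1.10.", "natAddress permit 1.1.1.")
            .replace("source-zone untrust", "source-zone Untrust"))


def nat_pool(cfg):
    """Expand the 'section <id> <start> <end>' line of the NAT address group into host addresses."""
    start, end = re.search(r"^\s*section \d+ (\S+) (\S+)", cfg, re.M).groups()
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return {str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)}


def advertised(cfg):
    """Host addresses that ip-prefix natAddress permits, i.e. what PS_NAT lets OSPF 1 import."""
    return set(re.findall(r"^\s*ip ip-prefix natAddress permit (\S+) 32", cfg, re.M))


def blackholed(cfg):
    """Host addresses with a static route to NULL0 (the routes PS_NAT has to import)."""
    return set(re.findall(r"^\s*ip route-static (\S+) 255\.255\.255\.255 NULL0", cfg, re.M))


def undefined_zones(cfg):
    """Zone names referenced by rules that are not defined; names are case-sensitive."""
    defined = set(re.findall(r"^\s*firewall zone (\S+)", cfg, re.M)) | {"local"}
    referenced = set(re.findall(r"^\s+(?:source|destination)-zone (\S+)", cfg, re.M))
    return sorted(referenced - defined)


def audit(cfg):
    """Return a list of findings for one device's script; an empty list means consistent."""
    pool = nat_pool(cfg)
    findings = []
    for addr in sorted(pool - advertised(cfg)):
        findings.append(f"NAT pool address {addr} is not in ip-prefix natAddress (never advertised)")
    for addr in sorted(pool - blackholed(cfg)):
        findings.append(f"NAT pool address {addr} has no NULL0 black-hole route")
    for zone in undefined_zones(cfg):
        findings.append(f"rule references undefined zone '{zone}'")
    return findings


def rule_mismatch(cfg_a, cfg_b):
    """Rule names present on only one device; hot standby expects them to be identical."""
    names = lambda c: set(re.findall(r"^\s+rule name (\S+)", c, re.M))
    return sorted(names(cfg_a) ^ names(cfg_b))


if __name__ == "__main__":
    for label, cfg in (("FW_A", FW_A), ("FW_B", FW_B)):
        print(label, audit(cfg) or "OK")
    print("rule names differing between devices:", rule_mismatch(FW_A, FW_B) or "none")
```

Run against the constructed pair, FW_A audits clean, FW_B reports that none of the six pool addresses is advertised and that one rule references the undefined zone 'Untrust', and the rule-name comparison finds no difference. Pointing the same functions at the real scripts exported from both devices is the practical use.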

Other Solutions

VRRP + OSPF (Active/Standby Backup)

Networking Diagram

As shown in Figure 1-5, the service interfaces of both firewalls work at Layer 3, connecting to the backbone through routers and to the GGSN/P-GW through Layer 2 switches. OSPF runs between the firewall and router, and VRRP is enabled on the interface connecting the firewall to the switch.

The two firewalls work in active/standby mode. Normally, traffic is forwarded by FW_A. When FW_A fails, traffic is forwarded by FW_B. This ensures that the services are not interrupted.

Figure 1-5 Active/standby backup with OSPF+VRRP running on the FW

Switchover upon Failure

  • When the link to the backbone fails, the HRP track function configured on that interface lowers the priority of FW_A and triggers an active/standby switchover: FW_B becomes the active device in the VRRP group, the active route moves to FW_B, and traffic is switched over with it.
  • The upstream and downstream interfaces of the FW are bound to the same link group, and the HRP track function monitors these interfaces. A fault in the link to the GGSN/P-GW is therefore handled by the same switchover mechanism as a fault in the link to the backbone network.

Configuration Difference

Item: Interfaces

FW_A:

interface Eth-Trunk0
 description TO-FW-B
 ip address 192.168.3.1 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.1.1 255.255.255.0
#
interface Eth-Trunk2
 description TO-GI
 ip address 10.14.1.1 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 active
#

FW_B:

interface Eth-Trunk0
 description TO-FW-A
 ip address 192.168.3.2 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.2.1 255.255.255.0
#
interface Eth-Trunk2
 description TO-GI
 ip address 10.14.1.2 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 standby
#

Item: Routes

FW_A:

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2    // Configure a default route to the public network
ip route-static x.x.x.x x.x.x.x 10.14.1.5    // Configure a route to the private addresses of mobile terminals to the Gi/SGi interface

FW_B:

ip route-static 0.0.0.0 0.0.0.0 1.1.2.2    // Configure a default route to the public network
ip route-static x.x.x.x x.x.x.x 10.14.1.5    // Configure a route to the private addresses of mobile terminals to the Gi/SGi interface

OSPF (Load Balancing)

Networking Diagram

As shown in Figure 1-6, the service interfaces of both firewalls work at Layer 3 and connect to both the backbone and GGSN/P-GW through routers. OSPF runs between the firewall and router.


Figure 1-6 OSPF (load sharing) networking

The two firewalls are expected to work in load balancing mode. Normally, FW_A and FW_B forward traffic together. When one firewall fails, the other firewall forwards all traffic. The services are not interrupted.

Switchover upon Failure

  • When FW_A fails, the OSPF route is switched to FW_B through hot standby so that the traffic is switched over.
  • When FW_B fails, the OSPF route is switched to FW_A through hot standby so that the traffic is switched over.

Configuration Difference

Item: Hot standby

FW_A:

hrp enable
hrp interface Eth-Trunk0 remote 192.168.3.2
hrp mirror session enable
hrp preempt delay 120
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource primary-group    // Set the NAT port segment of the dual firewalls

FW_B:

hrp enable
hrp interface Eth-Trunk0 remote 192.168.3.1
hrp mirror session enable
hrp preempt delay 120
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource secondary-group    // Set the NAT port segment of the dual firewalls
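The two "Configuration Difference" tables above (the VRRP interface settings and the hot standby settings) only fail over correctly when the two firewalls agree on a few values: each HRP remote address must be the peer's heartbeat address, the VRRP group must use the same VRID and virtual IP with one active and one standby member, both firewalls must track the same interfaces, and the NAT port segments must be split into primary-group and secondary-group. The following Python script is an added example, not Huawei code and not part of this document's configuration: it parses the FW_A and FW_B configuration text (constructed here from the tables above, with the descriptions and unparsed commands left out) and reports any of those mismatches. The functions parse_config, check_pair and check_page_pair are the example's own names, and the parser understands only the commands used on this page.

```python
"""Consistency check for the FW_A/FW_B hot-standby pair (added example, not
Huawei code); only the commands used on this page are parsed."""
import re
from ipaddress import IPv4Address, IPv4Interface

# Constructed from the FW_A and FW_B columns of the tables above.
FW_A_CFG = """\
interface Eth-Trunk0
 ip address 192.168.3.1 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.1.1 255.255.255.0
#
interface Eth-Trunk2
 ip address 10.14.1.1 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 active
#
hrp interface Eth-Trunk0 remote 192.168.3.2
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource primary-group
"""
FW_B_CFG = """\
interface Eth-Trunk0
 ip address 192.168.3.2 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.2.1 255.255.255.0
#
interface Eth-Trunk2
 ip address 10.14.1.2 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 standby
#
hrp interface Eth-Trunk0 remote 192.168.3.1
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource secondary-group
"""


def parse_config(text):
    """Return {'interfaces': {name: {'ip', 'vrrp'}}, 'hrp': {...}}; '#' closes a view."""
    cfg = {"interfaces": {}, "hrp": {"track": []}}
    current = None  # interface view we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = cfg["interfaces"].setdefault(line.split()[1], {})
        elif current is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            current["ip"] = IPv4Interface("/".join(m.groups()))
        elif current is not None and (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line)):
            current["vrrp"] = (int(m.group(1)), IPv4Address(m.group(2)), m.group(3))
        elif m := re.match(r"hrp interface (\S+) remote (\S+)$", line):
            cfg["hrp"]["interface"], cfg["hrp"]["remote"] = m.group(1), IPv4Address(m.group(2))
        elif m := re.match(r"hrp track interface (\S+)$", line):
            cfg["hrp"]["track"].append(m.group(1))
        elif m := re.match(r"hrp nat resource (\S+)$", line):
            cfg["hrp"]["nat_group"] = m.group(1)
    return cfg


def check_pair(a, b):
    """Return a list of findings for the pair; an empty list means consistent."""
    out = []
    # Heartbeat: each 'remote' must be the peer's heartbeat address, same subnet.
    for name, me, peer in (("FW_A", a, b), ("FW_B", b, a)):
        mine = me["interfaces"][me["hrp"]["interface"]]["ip"]
        theirs = peer["interfaces"][peer["hrp"]["interface"]]["ip"]
        if me["hrp"]["remote"] != theirs.ip:
            out.append(f"{name}: hrp remote {me['hrp']['remote']} is not the peer's {theirs.ip}")
        if mine.network != theirs.network:
            out.append(f"{name}: heartbeat subnet {mine.network} differs from peer's {theirs.network}")
    # VRRP: same VRID/virtual IP per interface, one active and one standby, VIP inside the subnet.
    for name, intf in a["interfaces"].items():
        if "vrrp" not in intf:
            continue
        vrid_a, vip_a, role_a = intf["vrrp"]
        vrid_b, vip_b, role_b = b["interfaces"].get(name, {}).get("vrrp", (None, None, None))
        if (vrid_a, vip_a) != (vrid_b, vip_b):
            out.append(f"{name}: VRRP group differs, {vrid_a}/{vip_a} vs {vrid_b}/{vip_b}")
        if {role_a, role_b} != {"active", "standby"}:
            out.append(f"{name}: VRRP roles are {role_a}/{role_b}, need one active and one standby")
        if vip_a not in intf["ip"].network:
            out.append(f"{name}: virtual IP {vip_a} lies outside {intf['ip'].network}")
    # Tracked links must match, or only one side fails over on link loss.
    if set(a["hrp"]["track"]) != set(b["hrp"]["track"]):
        out.append("hrp track interface lists differ between the two firewalls")
    # NAT port segments: one firewall primary-group, the other secondary-group.
    if {a["hrp"].get("nat_group"), b["hrp"].get("nat_group")} != {"primary-group", "secondary-group"}:
        out.append("hrp nat resource must be primary-group on one firewall and secondary-group on the other")
    return out


def check_page_pair():
    return check_pair(parse_config(FW_A_CFG), parse_config(FW_B_CFG))
```

Calling check_page_pair() on the values from the tables returns an empty list. Replacing "standby" with "active" in FW_B_CFG, so that both firewalls claim the active VRRP role, produces a single finding naming Eth-Trunk2, and changing FW_B's hrp remote to an address other than 192.168.3.1 is reported as a heartbeat mismatch; the other commands in the hot standby table (hrp mirror session enable, hrp preempt delay, hrp adjust ospf-cost enable) are identical on both sides and are ignored by the parser. The script needs Python 3.8 or later.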

Updated: 2019-06-17

Document ID: EDOC1100087916
