Application of Firewalls in the Egress Security Solution for Broadcast and Television Networks
- Introduction
- Solution Overview
- Solution Design
- Precautions
- Solution Configuration
- Configuring Interfaces and Security Zones
- Configuring Intelligent Uplink Selection and Routes
- Configuring Hot Standby
- Configuring Source NAT
- Configuring the NAT Server and Smart DNS
- Configuring Security Policies and Security Protection
- Configuring User Tracing
- Viewing Traffic Statistics
- Verification
- Configuration Scripts
- Conclusion and Suggestions
Introduction
This section describes the planning and deployment of firewalls at the egress of a broadcast and television network. It also provides reference for tier-2 carriers.
This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and later versions. Document content may vary according to version.
Solution Overview
A broadcast and television network provides home broadcast and television services. It also leases links from ISPs to provide access services, such as broadband Internet access and hosted servers. At the network egress, a firewall is usually deployed as an egress gateway to provide Internet access and security assurance.
As shown in Figure 1-1, a firewall is deployed at the network egress to provide the following functions:
- NAT: The firewall provides a source NAT function to translate the private IP address of a broadband user to a public IP address. It also functions as a NAT server to translate the private IP address of a hosted server to a public IP address for access of external users.
- Intelligent uplink selection (multi-ISP): The firewall provides multiple uplink selection modes, such as destination IP address-based and application-based, using multiple ISP links to ensure the Internet access quality.
- Security management: The firewall isolates security zones using security policies and provides security protection using such functions as intrusion prevention and Anti-DDoS.
- Source tracing and audit: The firewall logs pre-NAT and post-NAT IP addresses and the online and offline activities of IM users for audit and source tracing.
Solution Design
Typical Networking
As shown in Figure 1-2, the broadcast and television network leases two links from each of two ISPs to provide broadband Internet access for its MAN users. The broadcast and television network also deploys servers in the server area to provide hosted server services for intranet and extranet users.
Two firewalls are deployed at the Internet egress of the broadcast and television network for hot standby (active/standby backup). The upstream interfaces of the two firewalls are connected to the two ISPs through the egress aggregation switches. The downstream interfaces of the two firewalls are connected to the MAN through core routers and connected to the servers through the switch in the server area.
Specifically, the broadcast and television network has the following requirements on the egress firewalls:
- Two firewalls are deployed in active/standby backup mode to improve network availability.
- Source NAT is enabled on the firewalls to ensure that massive MAN users can access the Internet simultaneously.
- To enhance the broadband Internet access experience of intranet users, the uplink selection should ensure that:
- Traffic is sent to the ISP that owns the destination IP address. For example, traffic destined to a server of ISP 1 is forwarded by a link of ISP 1, and traffic destined to a server of ISP 2 is forwarded by a link of ISP 2.
- Traffic destined to one ISP is distributed to the two links of the ISP based on weights for load balancing.
- P2P traffic is routed to the lower-price and higher-bandwidth links of ISP 2.
- Hosted servers can be accessed by extranet users for management operations.
- DNS servers are also deployed inside the broadcast and television network to provide domain name resolution for the above servers. The broadcast and television network expects that a domain name can be resolved to an address that is allocated to a server by the serving ISP of an extranet user to increase the access speed.
- The firewalls can protect the intranet against DDoS attacks and warn about intrusions of zombies, Trojan horses, and worms.
- The firewalls can trace Internet access activities of intranet users for audit, including logging of pre-NAT and post-NAT addresses and the online and offline activities of IM users.
Service Planning
Equipment Planning
Table 1-1 lists the devices that may be used at the egress of a broadcast and television network. Where the USG9500 and USG6000 differ, a supplementary description is provided.
| Device | Recommended Plan 1 | Recommended Plan 2 |
|---|---|---|
| Firewall | High-end firewalls (USG9500): distributed, high-performance, high-availability, and scalable | Mid-range firewalls (USG6000): centralized and content security |
| Log server | eLog | eLog |
Hot Standby Planning
One ISP access point cannot be directly connected to two firewalls. Therefore, it is necessary to deploy an egress aggregation switch between the ISP and the firewalls. The egress aggregation switch can split one ISP link into two links and then connect the two links to the upstream interfaces of the two firewalls. OSPF runs between the firewalls and their downstream routers. Typical hot standby networking is achieved with two firewalls connected to the upstream switches and downstream routers. In such networking, a VRRP group is configured on the upstream interface of a firewall, and a VGMP group is configured on the downstream interface to monitor service interfaces.
Figure 1-3 shows the hot standby networking, where the interfaces of the active and standby firewalls connected to one ISP access point are added to one VRRP group.
Multi-egress Uplink Selection Planning
The broadcast and television network leases links from different carriers. Multi-egress uplink selection is particularly important. The firewall provides abundant multi-egress functions to meet the requirement:
- A DNS transparent proxy is used to process DNS requests of intranet users, thereby achieving load balancing among multiple ISPs.
To access the Internet, an intranet user needs to first access a domain name, and the DNS server resolves the domain name to an IP address. However, because intranet PCs are generally all served by the DNS server of one ISP, the user can obtain the address of only one ISP. As a result, the subsequent ISP link selection is meaningless. The DNS transparent proxy function provided by the firewall overcomes this defect. Using specific rules, the firewall distributes DNS requests of intranet users to the DNS servers of different ISPs and thereby obtains the addresses of different ISPs. Load balancing by link weight ratio is carried out for DNS requests.
- Multi-egress PBR is employed to achieve ISP link selection.
Multiple outbound interfaces can be specified for PBR of the firewall, and load balancing among multiple outbound interfaces can be configured. For example, it is specified that traffic destined to addresses of ISP 1 be transmitted from the two outbound interfaces of ISP 1 and that the two outbound interfaces share load based on weights.
- Application-based PBR is employed to direct P2P traffic to the links of ISP 2.
- Health check is employed to check the reachability of links.
The firewall checks the health status of the link from an outbound interface to a designated destination address to ensure that traffic is not routed to a faulty link.
Source NAT Planning
Source NAT is configured on the FW to allow intranet users to access the Internet using limited public IP addresses.
- Address pool
Configure two address pools corresponding to different ISPs based on the public IP addresses requested from the ISPs. Note that the public IP addresses of VRRP groups and disclosed public IP addresses of servers should be excluded from the address pools.
- Network Address and Port Translation (NAPT)
NAPT translates both IP addresses and ports. When a packet from an intranet user to the Internet arrives at the firewall, NAPT translates the source address of the packet into a public address and translates its source port into a random port outside the well-known port range. In this way, one public address can be shared by multiple intranet users, and a large number of users can access the Internet simultaneously.
- NAT ALG: When a NAT-enabled firewall needs to forward packets of multi-channel protocols (such as FTP, SIP, H323, RTSP, and QQ), the corresponding NAT ALG function must be enabled.
NAT Server Planning
The hosted server services of a broadcast and television network mainly include website hosting, for example, the hosting of a school website, an internal office network, or a company portal website. Because the hosted servers are deployed in the internal DMZ, a NAT server function needs to be enabled on the firewall to translate the private address of a server into a public address. In addition, users of different ISPs should be provided with different public addresses.
If the DNS servers are deployed internally, smart DNS is needed to enable extranet users to obtain the most appropriate resolved addresses of servers. In other words, the address must belong to the serving ISP of the user.
Security Function Planning
By default, the FW denies all traffic. Therefore, it is necessary to define security policies to permit normal access traffic. For details, see the Data Planning below.
The egress gateway enables the communication between the broadcast and television network and the extranet. Therefore, it is necessary to configure security functions, including intrusion prevention (IPS) and attack defense.
The default IPS profile (named default) is used to block detected intrusions. You can also use the profile ids to log attacks without blocking them and then define a specific IPS profile according to the logs.
User Tracing Planning
User tracing is completed through cooperation with the log server.
- The FW sends session logs to the log server. The log server records the original (pre-NAT) source IP address/port and destination IP address/port and the post-NAT source IP address/port and destination IP address/port.
- If a user submits an illegal post on an external network, the administrator traces the user on the log server from his/her public IP address to his/her private IP address.
- The administrator traces to specific user accounts through the authentication system inside a corporate network.
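As an added illustration (not part of the original document), the following Python script models the tracing step on the log server: it pairs constructed session-log records carrying the pre-NAT and post-NAT tuples and maps a public IP:port observed at a given time back to the private address. The record layout is an assumed key=value format, not the eLog format; the addresses and timestamps are constructed.

```python
import re
from datetime import datetime

# Constructed sample session logs in an assumed key=value layout (not the
# eLog/USG syslog format). Each session yields a begin and an end record,
# both carrying the pre-NAT (src, dst) and post-NAT (nat_src, nat_dst) tuples.
# Public port 20481 is reused by a second user after the first session ends.
SAMPLE_LOGS = """\
2024-05-01 10:00:01 FW_A SESSION_BEGIN proto=tcp src=10.3.0.5:51000 dst=203.0.113.40:443 nat_src=1.1.1.10:20481 nat_dst=203.0.113.40:443
2024-05-01 10:00:03 FW_A SESSION_BEGIN proto=tcp src=10.3.0.9:40022 dst=203.0.113.41:80 nat_src=1.1.1.10:20482 nat_dst=203.0.113.41:80
2024-05-01 10:04:10 FW_A SESSION_END proto=tcp src=10.3.0.5:51000 dst=203.0.113.40:443 nat_src=1.1.1.10:20481 nat_dst=203.0.113.40:443
2024-05-01 10:05:00 FW_A SESSION_BEGIN proto=tcp src=10.3.0.77:33001 dst=203.0.113.40:443 nat_src=1.1.1.10:20481 nat_dst=203.0.113.40:443
2024-05-01 10:09:00 FW_A SESSION_END proto=tcp src=10.3.0.77:33001 dst=203.0.113.40:443 nat_src=1.1.1.10:20481 nat_dst=203.0.113.40:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<fw>\S+) "
    r"(?P<event>SESSION_BEGIN|SESSION_END)\s+(?P<fields>.*)$"
)

def at(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_sessions(text):
    """Pair begin/end records into sessions keyed by the full NAT 5-tuple.
    A session with no end record is still open."""
    open_by_key, sessions = {}, []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a session record
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        key = (fields["proto"], fields["src"], fields["dst"],
               fields["nat_src"], fields["nat_dst"])
        if m.group("event") == "SESSION_BEGIN":
            session = {"begin": at(m.group("ts")), "end": None, **fields}
            sessions.append(session)
            open_by_key[key] = session
        elif key in open_by_key:
            open_by_key.pop(key)["end"] = at(m.group("ts"))
    return sessions

SESSIONS = parse_sessions(SAMPLE_LOGS)

def trace_user(sessions, public_ip, public_port, when, proto="tcp"):
    """Map a public IP:port seen by an external site at time `when` back to
    the pre-NAT private IP and port. Returns (ip, port) or None. The time
    bound is essential: NAPT reuses a public port once a session ends."""
    nat_src = f"{public_ip}:{public_port}"
    for s in sessions:
        if s["proto"] != proto or s["nat_src"] != nat_src:
            continue
        if s["begin"] <= when and (s["end"] is None or when <= s["end"]):
            ip, port = s["src"].rsplit(":", 1)
            return ip, int(port)
    return None

if __name__ == "__main__":
    # The same public port resolves to two different users at two times.
    print(trace_user(SESSIONS, "1.1.1.10", 20481, at("2024-05-01 10:02:00")))
    print(trace_user(SESSIONS, "1.1.1.10", 20481, at("2024-05-01 10:06:00")))
```

The result is only the private address; mapping it to a user account is the authentication-system step mentioned above.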
Data Planning
Data planning is based on the above service planning.
| Item | FW_A | FW_B | Remarks |
|---|---|---|---|
| Interfaces and security zones | Eth-Trunk1; Member interfaces: GE1/0/1, GE1/0/6 | Eth-Trunk1; Member interfaces: GE1/0/1, GE1/0/6 | Plan public addresses for all public network interfaces and VRRP backup groups connected to the ISPs. Otherwise, the gateway cannot be designated. |
| | Eth-Trunk2; Member interfaces: GE1/0/2, GE1/0/7 | Eth-Trunk2; Member interfaces: GE1/0/2, GE1/0/7 | |
| | Eth-Trunk1.1; IP address: 1.1.1.2/29; Security zone: isp1_1; Gateway: 1.1.1.6/29; VRRP backup group 1: 1.1.1.1/29; VGMP management group: Active | Eth-Trunk1.1; IP address: 1.1.1.3/29; Security zone: isp1_1; Gateway: 1.1.1.6/29; VRRP backup group 1: 1.1.1.1/29; VGMP management group: Standby | |
| | Eth-Trunk2.1; IP address: 2.2.2.2/29; Security zone: isp2_1; Gateway: 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Active | Eth-Trunk2.1; IP address: 2.2.2.3/29; Security zone: isp2_1; Gateway: 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Standby | |
| | Eth-Trunk1.2; IP address: 1.1.2.2/29; Security zone: isp1_2; Gateway: 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Active | Eth-Trunk1.2; IP address: 1.1.2.3/29; Security zone: isp1_2; Gateway: 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Standby | |
| | Eth-Trunk2.2; IP address: 2.2.3.2/29; Security zone: isp2_2; Gateway: 2.2.3.6/29; VRRP backup group 4: 2.2.3.1/29; VGMP management group: Active | Eth-Trunk2.2; IP address: 2.2.3.3/29; Security zone: isp2_2; Gateway: 2.2.3.6/29; VRRP backup group 4: 2.2.3.1/29; VGMP management group: Standby | |
| | Eth-Trunk0; Member interfaces: GE2/0/0, GE1/0/5; IP address: 10.0.7.1/24; Security zone: hrp | Eth-Trunk0; Member interfaces: GE2/0/0, GE1/0/5; IP address: 10.0.7.2/24; Security zone: hrp | Hot standby heartbeat interface. |
| | GE1/0/3; IP address: 10.0.3.1/24; Security zone: Trust | GE1/0/3; IP address: 10.0.4.1/24; Security zone: Trust | Interface connecting the MAN. |
| | GE1/0/4; IP address: 10.0.5.1/24; Security zone: DMZ | GE1/0/4; IP address: 10.0.6.1/24; Security zone: DMZ | Interface connecting the server area. |
| Security policy | trust_to_isp1; Source security zone: Trust; Destination security zone: isp1_1 and isp1_2; Action: permit; IPS profile: default | – | Allow intranet users to access ISP 1. |
| | trust_to_isp2; Source security zone: Trust; Destination security zone: isp2_1 and isp2_2; Action: permit; IPS profile: default | – | Allow intranet users to access ISP 2. |
| | isp1_to_http and isp2_to_http; Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2; Destination security zone: DMZ; Destination address: 10.0.10.10/24; Service: HTTP; Action: permit; IPS profile: default | – | Allow the ISPs to access the internal web server. |
| | isp1_to_ftp and isp2_to_ftp; Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2; Destination security zone: DMZ; Destination address: 10.0.10.11/24; Service: FTP; Action: permit; IPS profile: default | – | Allow the ISPs to access the internal FTP server. |
| | isp1_to_dns and isp2_to_dns; Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2; Destination security zone: DMZ; Destination address: 10.0.10.20/24; Service: dns; Action: permit; IPS profile: default | – | Allow the ISPs to access the internal DNS server. |
| | local_to_eLog; Source security zone: Local; Destination security zone: DMZ; Destination address: 10.0.10.30/24; Action: permit | – | Allow the firewall to access the internal log server. |
| | local_to_trust; Source security zone: Local and Trust; Destination security zone: Local and Trust; Service: OSPF; Action: permit | – | Allow the firewall to exchange OSPF packets with the downstream router. |
| | local_to_isp; Source security zone: Local; Destination security zone: isp1_1, isp1_2, isp2_1, and isp2_2; Action: permit | – | Allow the firewall to access the external network to update its signature databases. NOTE: For versions earlier than USG6000&USG9500 V500R001C80, you need to configure security policies on the FW to allow it to send health check probe packets to the destination device. For versions later than V500R001C80, health check probe packets are not subject to security policies and are permitted by default, so no security policy is needed. |
| Source NAT | ISP1_1 address pool: 1.1.1.10-1.1.1.12; ISP1_2 address pool: 1.1.2.10-1.1.2.12; ISP2_1 address pool: 2.2.2.10-2.2.2.12; ISP2_2 address pool: 2.2.3.10-2.2.3.12; Mode: NAPT | – | |
| NAT Server | Web server; Private IP address: 10.0.10.10; ISP1_1 public IP address: 1.1.1.15; ISP1_2 public IP address: 1.1.2.15; ISP2_1 public IP address: 2.2.2.15; ISP2_2 public IP address: 2.2.3.15 | – | |
| | FTP server; Private IP address: 10.0.10.11; ISP1_1 public IP address: 1.1.1.16; ISP1_2 public IP address: 1.1.2.16; ISP2_1 public IP address: 2.2.2.16; ISP2_2 public IP address: 2.2.3.16 | – | |
| | DNS server; Private IP address: 10.0.10.20; ISP1_1 public IP address: 1.1.1.17; ISP1_2 public IP address: 1.1.2.17; ISP2_1 public IP address: 2.2.2.17; ISP2_2 public IP address: 2.2.3.17 | – | |
| ISP1 | Address file: isp1.csv; Carrier: isp1; Active DNS server: 1.1.1.222; Standby DNS server: 1.1.1.223 | – | |
| ISP2 | Address file: isp2.csv; Carrier: isp2; Active DNS server: 2.2.2.222; Standby DNS server: 2.2.2.223 | – | |
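The following Python check, added here and not part of the original document, verifies the exclusion rule from the Source NAT planning against the addresses in this table: no NAT address pool may contain an interface address, ISP gateway, VRRP virtual address or NAT server public address, and no address may appear in two pools. All values are copied from the data plan; the conflicting pool in the usage is constructed.

```python
import ipaddress

# Values copied from the data planning table.
# zone: (FW_A address, FW_B address, ISP gateway, VRRP virtual address)
UPLINKS = {
    "isp1_1": ("1.1.1.2", "1.1.1.3", "1.1.1.6", "1.1.1.1"),
    "isp2_1": ("2.2.2.2", "2.2.2.3", "2.2.2.6", "2.2.2.1"),
    "isp1_2": ("1.1.2.2", "1.1.2.3", "1.1.2.6", "1.1.2.1"),
    "isp2_2": ("2.2.3.2", "2.2.3.3", "2.2.3.6", "2.2.3.1"),
}
# pool name: (first address, last address); all pools use NAPT mode
NAT_POOLS = {
    "pool_isp1_1": ("1.1.1.10", "1.1.1.12"),
    "pool_isp1_2": ("1.1.2.10", "1.1.2.12"),
    "pool_isp2_1": ("2.2.2.10", "2.2.2.12"),
    "pool_isp2_2": ("2.2.3.10", "2.2.3.12"),
}
# NAT server: public addresses disclosed to ISP1_1, ISP1_2, ISP2_1, ISP2_2
NAT_SERVERS = {
    "web": ["1.1.1.15", "1.1.2.15", "2.2.2.15", "2.2.3.15"],
    "ftp": ["1.1.1.16", "1.1.2.16", "2.2.2.16", "2.2.3.16"],
    "dns": ["1.1.1.17", "1.1.2.17", "2.2.2.17", "2.2.3.17"],
}

def reserved_addresses(uplinks, servers):
    """Public addresses that source NAT must never hand out, with the reason."""
    reserved = {}
    for zone, (fw_a, fw_b, gateway, vip) in uplinks.items():
        reserved[ipaddress.ip_address(fw_a)] = f"{zone} FW_A interface address"
        reserved[ipaddress.ip_address(fw_b)] = f"{zone} FW_B interface address"
        reserved[ipaddress.ip_address(gateway)] = f"{zone} ISP gateway"
        reserved[ipaddress.ip_address(vip)] = f"{zone} VRRP virtual address"
    for name, addrs in servers.items():
        for addr in addrs:
            reserved[ipaddress.ip_address(addr)] = f"{name} NAT server public address"
    return reserved

def pool_addresses(first, last):
    """Expand an address-pool section first..last into individual addresses."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"section {first}-{last} is reversed")
    return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]

def check_pools(pools, uplinks=UPLINKS, servers=NAT_SERVERS):
    """Return (pool, address, problem) triples; an empty list means the plan
    is consistent. Also flags an address present in two pools."""
    reserved = reserved_addresses(uplinks, servers)
    seen, problems = {}, []
    for pool, (first, last) in pools.items():
        for addr in pool_addresses(first, last):
            if addr in reserved:
                problems.append((pool, str(addr), reserved[addr]))
            if addr in seen and seen[addr] != pool:
                problems.append((pool, str(addr), f"also in {seen[addr]}"))
            seen.setdefault(addr, pool)
    return problems

if __name__ == "__main__":
    print("page plan:", check_pools(NAT_POOLS) or "no conflicts")
    # Constructed faulty plan: the section runs into the NAT server addresses.
    bad = {"pool_isp1_1": ("1.1.1.10", "1.1.1.16")}
    for problem in check_pools(bad):
        print("faulty plan:", *problem)
```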
Precautions
- License
Licenses are required for IPS and smart DNS services. Smart DNS also requires loading of a content security component.
- Hardware requirement
For the USG9500, IPS, application-based PBR, and smart DNS require that the SPC-APPSEC-FW is installed. Otherwise, these functions are unavailable.
- Before using the IPS function, you are advised to update the IPS signature database to the latest version.
- Networking
- To prevent communication failures between active and standby firewalls due to heartbeat interface faults, using an Eth-Trunk interface as the heartbeat interface is recommended. For devices on which multiple NICs can be installed (for the support situation, see the hardware guide), an inter-board Eth-Trunk interface is required. That is, the member interfaces of the Eth-Trunk interface are on different LPUs. The inter-board Eth-Trunk improves reliability and increases bandwidth. For devices that do not support interface expansion or inter-board Eth-Trunk, it is possible that a faulty LPU may cause all HRP backup channels to be unavailable and compromise services.
- When hot standby and intelligent uplink selection are used together, if the upstream switch runs VRRP, the upstream physical port of the firewall must be a public IP address in the same network segment as the address of the ISP router. Otherwise, the gateway of the port cannot be specified. The gateway command is mandatory for intelligent uplink selection and link health check.
If the upstream device of the firewall is a router, this restriction does not apply.
- Intelligent uplink selection
- The firewall generates an equal-cost default route using the gateway command. The route protocol is UNR and its preference value is 70, so it is less preferred than a static route (preference value 60). When this command takes effect, you can no longer configure a multi-egress equal-cost static route manually.
- Intelligent uplink selection cannot be used together with IP address spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP address spoofing defense or URPF is enabled, the firewall may drop packets.
- Black-hole route
The firewall can generate a User Network Route (UNR) for addresses in the NAT address pool. The UNR functions the same as a black-hole route: it prevents a routing loop and can also be advertised using dynamic routing protocols, such as OSPF. For the NAT server, if the protocol and port are specified, it is also necessary to configure a black-hole route with the destination address being the public address. With this black-hole route, packets from external sources that are destined to the public address but match no entry in the server-map table hit the black-hole route and are dropped directly, which prevents a routing loop.
Solution Configuration
Configuring Interfaces and Security Zones
Context
Configure interfaces and security zones.
Procedure
- Configure IP addresses for the interfaces of FW_A.
```
<FW_A> system-view
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] undo service-manage enable
[FW_A-Eth-Trunk1] description To-isp1
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/6
[FW_A-Eth-Trunk1] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] description To-isp2
[FW_A-Eth-Trunk2] trunkport GigabitEthernet 1/0/2
[FW_A-Eth-Trunk2] trunkport GigabitEthernet 1/0/7
[FW_A-Eth-Trunk2] quit
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] description To-isp1-1
[FW_A-Eth-Trunk1.1] vlan-type dot1q 11
[FW_A-Eth-Trunk1.1] ip address 1.1.1.2 29
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] description To-isp2-1
[FW_A-Eth-Trunk2.1] vlan-type dot1q 21
[FW_A-Eth-Trunk2.1] ip address 2.2.2.2 29
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] description To-isp1-2
[FW_A-Eth-Trunk1.2] vlan-type dot1q 12
[FW_A-Eth-Trunk1.2] ip address 1.1.2.2 29
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] description To-isp2-2
[FW_A-Eth-Trunk2.2] vlan-type dot1q 22
[FW_A-Eth-Trunk2.2] ip address 2.2.3.2 29
[FW_A-Eth-Trunk2.2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] undo service-manage enable
[FW_A-GigabitEthernet1/0/3] description To-router
[FW_A-GigabitEthernet1/0/3] ip address 10.0.3.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] undo service-manage enable
[FW_A-GigabitEthernet1/0/4] description To-server
[FW_A-GigabitEthernet1/0/4] ip address 10.0.5.1 24
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] undo service-manage enable
[FW_A-Eth-Trunk0] description Hrp-interface
[FW_A-Eth-Trunk0] ip address 10.0.7.1 24
[FW_A-Eth-Trunk0] quit
[FW_A] interface GigabitEthernet 2/0/0
[FW_A-GigabitEthernet2/0/0] undo service-manage enable
[FW_A-GigabitEthernet2/0/0] eth-trunk 0
[FW_A-GigabitEthernet2/0/0] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] undo service-manage enable
[FW_A-GigabitEthernet1/0/5] eth-trunk 0
[FW_A-GigabitEthernet1/0/5] quit
```
- Assign the FW_A interfaces to security zones.
```
[FW_A] firewall zone name isp1_1
[FW_A-zone-isp1_1] set priority 10
[FW_A-zone-isp1_1] add interface Eth-Trunk 1.1
[FW_A-zone-isp1_1] quit
[FW_A] firewall zone name isp1_2
[FW_A-zone-isp1_2] set priority 15
[FW_A-zone-isp1_2] add interface Eth-Trunk 1.2
[FW_A-zone-isp1_2] quit
[FW_A] firewall zone name isp2_1
[FW_A-zone-isp2_1] set priority 20
[FW_A-zone-isp2_1] add interface Eth-Trunk 2.1
[FW_A-zone-isp2_1] quit
[FW_A] firewall zone name isp2_2
[FW_A-zone-isp2_2] set priority 25
[FW_A-zone-isp2_2] add interface Eth-Trunk 2.2
[FW_A-zone-isp2_2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/4
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrp
[FW_A-zone-hrp] set priority 75
[FW_A-zone-hrp] add interface Eth-Trunk 0
[FW_A-zone-hrp] quit
```
- Configure the IP addresses and security zones of FW_B interfaces according to the above procedure. The difference lies in the IP addresses of the interfaces.
Configuring Intelligent Uplink Selection and Routes
Procedure
- Enable the health check function of FW_A. Configure health check for the links of ISP 1 and ISP 2.
The destination address is a real IP address on the Internet. Here, the ISP gateway address and DNS address are used.
```
[FW_A] healthcheck enable
[FW_A] healthcheck name isp1_health1
[FW_A-healthcheck-isp1_health1] destination 1.1.1.6 interface Eth-Trunk1.1 protocol icmp
[FW_A-healthcheck-isp1_health1] destination 1.1.1.222 interface Eth-Trunk1.1 protocol dns
[FW_A-healthcheck-isp1_health1] quit
[FW_A] healthcheck name isp1_health2
[FW_A-healthcheck-isp1_health2] destination 1.1.2.6 interface Eth-Trunk1.2 protocol icmp
[FW_A-healthcheck-isp1_health2] destination 1.1.1.222 interface Eth-Trunk1.2 protocol dns
[FW_A-healthcheck-isp1_health2] quit
[FW_A] healthcheck name isp2_health1
[FW_A-healthcheck-isp2_health1] destination 2.2.2.6 interface Eth-Trunk2.1 protocol icmp
[FW_A-healthcheck-isp2_health1] destination 2.2.2.222 interface Eth-Trunk2.1 protocol dns
[FW_A-healthcheck-isp2_health1] quit
[FW_A] healthcheck name isp2_health2
[FW_A-healthcheck-isp2_health2] destination 2.2.3.6 interface Eth-Trunk2.2 protocol icmp
[FW_A-healthcheck-isp2_health2] destination 2.2.2.222 interface Eth-Trunk2.2 protocol dns
[FW_A-healthcheck-isp2_health2] quit
```
The configuration of FW_B is the same as that of FW_A.
- Configure the gateway addresses and bandwidths for interfaces, and apply corresponding health check configurations.
Once a health check is bound to an interface, the route through that interface becomes unavailable as soon as the health check declares the link faulty.
```
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] gateway 1.1.1.6
[FW_A-Eth-Trunk1.1] bandwidth ingress 800000
[FW_A-Eth-Trunk1.1] bandwidth egress 800000
[FW_A-Eth-Trunk1.1] healthcheck isp1_health1
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] gateway 1.1.2.6
[FW_A-Eth-Trunk1.2] bandwidth ingress 400000
[FW_A-Eth-Trunk1.2] bandwidth egress 400000
[FW_A-Eth-Trunk1.2] healthcheck isp1_health2
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] gateway 2.2.2.6
[FW_A-Eth-Trunk2.1] bandwidth ingress 900000
[FW_A-Eth-Trunk2.1] bandwidth egress 900000
[FW_A-Eth-Trunk2.1] healthcheck isp2_health1
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] gateway 2.2.3.6
[FW_A-Eth-Trunk2.2] bandwidth ingress 600000
[FW_A-Eth-Trunk2.2] bandwidth egress 600000
[FW_A-Eth-Trunk2.2] healthcheck isp2_health2
[FW_A-Eth-Trunk2.2] quit
```
The configuration of FW_B is the same as that of FW_A.
- Configure DNS transparent proxy.
- Configure DNS transparent proxy parameters.
```
[FW_A] dns-transparent-policy
[FW_A-policy-dns] dns transparent-proxy enable
[FW_A-policy-dns] dns server bind interface Eth-Trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
[FW_A-policy-dns] dns server bind interface Eth-Trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
[FW_A-policy-dns] dns server bind interface Eth-Trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
[FW_A-policy-dns] dns server bind interface Eth-Trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
[FW_A-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
[FW_A-policy-dns] rule name dns_proxy
[FW_A-policy-dns-rule-dns_proxy] action tpdns
[FW_A-policy-dns-rule-dns_proxy] source-address 10.3.0.0 24
[FW_A-policy-dns-rule-dns_proxy] quit
[FW_A-policy-dns] quit
```
The configuration of FW_B is the same as that of FW_A.
You can use the dns transparent-proxy exclude domain command to set the domain name that does not require the DNS transparent proxy. Here, it is assumed that www.example.com is always resolved by the DNS server with the IP address 1.1.1.222 without using the DNS transparent proxy.
- Configure DNS-based PBR to enable load balancing for DNS requests based on link weights.
```
[FW_A] policy-based-route
[FW_A-policy-pbr] rule name dns_pbr
[FW_A-policy-pbr-rule-dns_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-dns_pbr] service dns
[FW_A-policy-pbr-rule-dns_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk1.1 weight 2
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk1.2 weight 1
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk2.1 weight 3
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk2.2 weight 2
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-dns_pbr] quit
```
The configuration of FW_B is the same as that of FW_A.
- Configure PBR intelligent uplink selection.
- Prepare the address files of ISP 1 and ISP 2, isp1.csv and isp2.csv.
- Upload the ISP address files to FW_A.
- Create the carrier names isp1 and isp2 for ISP 1 and ISP 2, and associate the ISP address files with the carriers.
```
[FW_A] isp name isp1 set filename isp1.csv
[FW_A] isp name isp2 set filename isp2.csv
```
After this configuration, the firewall automatically generates address sets named with the ISP names. An address set includes addresses of the corresponding ISP. You cannot modify addresses in the address set directly. To modify an address, you must re-upload the ISP address file. The ISP address sets can be referenced by PBR as a source address or destination address.
The configuration of FW_B is the same as that of FW_A.
- Configure application-based PBR to route P2P traffic to ISP 2.
```
[FW_A] policy-based-route
[FW_A-policy-pbr] rule name p2p_pbr
[FW_A-policy-pbr-rule-p2p_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-p2p_pbr] application app BT Thunder eDonkey_eMule
[FW_A-policy-pbr-rule-p2p_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] add interface Eth-Trunk2.1 weight 3
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] add interface Eth-Trunk2.2 weight 2
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-p2p_pbr] quit
```
PBRs are matched in their configuration order, and the first matching rule wins. Because multiple PBRs are configured here, you must configure the DNS-based and P2P application-based PBRs before the destination address-based PBRs. Otherwise, the destination address-based PBRs match first, and the DNS-based and P2P application-based PBRs never take effect.
The BT, Thunder, and eDonkey_eMule applications are configured. In practice, you may specify the applications as needed.
The configuration of FW_B is the same as that of FW_A.
- Configure a PBR with the destination address being an ISP 1 address to route traffic destined to ISP 1 to an ISP 1 link.
```
[FW_A-policy-pbr] rule name isp1_pbr
[FW_A-policy-pbr-rule-isp1_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-isp1_pbr] destination-address isp isp1
[FW_A-policy-pbr-rule-isp1_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] add interface Eth-Trunk1.1 weight 2
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] add interface Eth-Trunk1.2 weight 1
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-isp1_pbr] quit
```
The configuration of FW_B is the same as that of FW_A.
- Configure a PBR with the destination address being an ISP 2 address to route traffic destined to ISP 2 to an ISP 2 link.
```
[FW_A-policy-pbr] rule name isp2_pbr
[FW_A-policy-pbr-rule-isp2_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-isp2_pbr] destination-address isp isp2
[FW_A-policy-pbr-rule-isp2_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] add interface Eth-Trunk2.1 weight 3
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] add interface Eth-Trunk2.2 weight 2
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-isp2_pbr] quit
```
The configuration of FW_B is the same as that of FW_A.
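As an added model (not Huawei code and not part of the original document), the following Python script simulates the uplink selection configured in the steps above: first-match PBR in configuration order, proportion-of-weight selection over the egress interfaces, health check removing a failed link, and the smart DNS answer described under NAT Server Planning. The ISP address files are inline stand-ins for isp1.csv and isp2.csv, the flow hashing is this model's own choice, and the smart DNS map uses only the web server's ISP1_1 and ISP2_1 public addresses from the data plan.

```python
import hashlib
import ipaddress

# Constructed stand-ins for the ISP address files isp1.csv / isp2.csv
# (one prefix per line). Real files list the carrier's public ranges.
ISP_FILES = {
    "isp1": "1.1.0.0/16\n1.10.0.0/16\n",
    "isp2": "2.2.0.0/16\n2.20.0.0/16\n",
}

def load_isp_sets(files):
    """Build the per-carrier address sets the firewall derives from the files."""
    return {name: [ipaddress.ip_network(line.strip())
                   for line in text.splitlines() if line.strip()]
            for name, text in files.items()}

ISP_SETS = load_isp_sets(ISP_FILES)

def isp_of(ip):
    """Carrier owning ip, or None if it is in no ISP address set."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ISP_SETS.items():
        if any(addr in net for net in nets):
            return name
    return None

# PBR rules in the configuration order used on the page. A None match
# field means "any"; egress maps interface -> weight (proportion-of-weight).
PBR_RULES = [
    {"name": "dns_pbr", "service": "dns", "apps": None, "dst_isp": None,
     "egress": {"Eth-Trunk1.1": 2, "Eth-Trunk1.2": 1,
                "Eth-Trunk2.1": 3, "Eth-Trunk2.2": 2}},
    {"name": "p2p_pbr", "service": None, "apps": {"BT", "Thunder", "eDonkey_eMule"},
     "dst_isp": None, "egress": {"Eth-Trunk2.1": 3, "Eth-Trunk2.2": 2}},
    {"name": "isp1_pbr", "service": None, "apps": None, "dst_isp": "isp1",
     "egress": {"Eth-Trunk1.1": 2, "Eth-Trunk1.2": 1}},
    {"name": "isp2_pbr", "service": None, "apps": None, "dst_isp": "isp2",
     "egress": {"Eth-Trunk2.1": 3, "Eth-Trunk2.2": 2}},
]

def rule_matches(rule, flow):
    """flow is a dict with src, dst and optional service / app."""
    if rule["service"] and flow.get("service") != rule["service"]:
        return False
    if rule["apps"] and flow.get("app") not in rule["apps"]:
        return False
    if rule["dst_isp"] and isp_of(flow["dst"]) != rule["dst_isp"]:
        return False
    return True

def pick_by_weight(egress, healthy, key):
    """Proportion-of-weight choice, hashed on the flow key so one flow sticks
    to one link. Interfaces whose health check failed are skipped."""
    candidates = [(i, w) for i, w in egress.items() if healthy.get(i, True)]
    if not candidates:
        return None
    total = sum(w for _, w in candidates)
    slot = int(hashlib.sha256(key.encode()).hexdigest(), 16) % total
    for iface, weight in candidates:
        if slot < weight:
            return iface
        slot -= weight

def select_uplink(flow, rules=PBR_RULES, healthy=None):
    """First-match PBR. Returns (rule name, egress interface); (None, None)
    means the flow falls through to the default routes."""
    healthy = healthy or {}
    key = f"{flow['src']}-{flow['dst']}-{flow.get('service')}"
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["name"], pick_by_weight(rule["egress"], healthy, key)
    return None, None

def distribution(flow, n=10000):
    """Egress counts for n flows that differ only in source port; the result
    approximates the configured weight ratio."""
    counts = {}
    for port in range(n):
        _, iface = select_uplink(dict(flow, src=f"{flow['src']}:{port}"))
        counts[iface] = counts.get(iface, 0) + 1
    return counts

# Smart DNS (NAT Server Planning): answer a query for the web server with
# the public address that belongs to the requester's carrier. Only the
# ISP1_1 and ISP2_1 public addresses from the data plan are used here.
WEB_SERVER_PUBLIC = {"isp1": "1.1.1.15", "isp2": "2.2.2.15"}

def smart_dns_answer(client_ip, public=WEB_SERVER_PUBLIC, default="1.1.1.15"):
    """Public address handed to client_ip; unknown carriers get the default."""
    return public.get(isp_of(client_ip), default)

if __name__ == "__main__":
    print(select_uplink({"src": "10.3.0.5", "dst": "1.1.50.7", "service": "dns"}))
    print(distribution({"src": "10.3.0.5", "dst": "1.1.50.7", "service": "http"}))
    # Swapping the rule order hides dns_pbr behind isp1_pbr, as the note above warns.
    print(select_uplink({"src": "10.3.0.5", "dst": "1.1.50.7", "service": "dns"},
                        rules=PBR_RULES[2:] + PBR_RULES[:2]))
```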
- Configure OSPF.
- Configure OSPF on FW_A and advertise the network segment of the downstream interface.
```
[FW_A] ospf 1
[FW_A-ospf-1] area 0
[FW_A-ospf-1-area-0.0.0.0] network 10.0.3.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] network 10.0.5.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] quit
[FW_A-ospf-1] quit
```
- Configure OSPF on FW_B and advertise the network segment of the downstream interface.
```
[FW_B] ospf 1
[FW_B-ospf-1] area 0
[FW_B-ospf-1-area-0.0.0.0] network 10.0.4.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] network 10.0.6.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] quit
[FW_B-ospf-1] quit
```
Configuring Hot Standby
Context
Configure hot standby according to the figure below.
Procedure
- Configure a VRRP group on the upstream interface of FW_A, and set the VRRP group to an active state.
```
<FW_A> system-view
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] vrrp vrid 2 virtual-ip 2.2.2.1 29 active
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] vrrp vrid 3 virtual-ip 1.1.2.1 29 active
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] vrrp vrid 4 virtual-ip 2.2.3.1 29 active
[FW_A-Eth-Trunk2.2] quit
```
- Configure a VGMP group on FW_A to monitor downstream interfaces.
```
[FW_A] hrp track interface GigabitEthernet 1/0/3
[FW_A] hrp track interface GigabitEthernet 1/0/4
```
- Enable on FW_A the function of adjusting OSPF costs according to the VGMP status.
```
[FW_A] hrp adjust ospf-cost enable
```
- Enable the preemption function on FW_A and set the preemption delay to 300s.
```
[FW_A] hrp preempt delay 300
```
- Specify the heartbeat interface and enable hot standby on FW_A.
[FW_A] hrp interface Eth-Trunk0 remote 10.0.7.2
[FW_A] hrp enable
- Configure hot standby on FW_B with reference to the above procedure. The difference is that the state of the VRRP group is set to standby and that the remote address of hrp interface is set to 10.0.7.1.
- Configure routers and switches.
- Configure OSPF and advertise the neighboring network segments on the routers. For the specific configuration command, see the related router documentation.
- Add the three interfaces to one VLAN on the switches. For the specific configuration command, see the related switch documentation.
Result
Once the hot-standby relationship is established, most of the configuration that follows is synchronized from the active firewall to the standby firewall. Therefore, in the subsequent steps you only need to configure the active FW_A (unless otherwise stated).
Configuring Source NAT
Procedure
- Configure NAT address pool pool_isp1_1 and specify the address pool type to be NAPT.
HRP_M[FW_A] nat address-group pool_isp1_1
HRP_M[FW_A-address-group-pool_isp1_1] mode pat
HRP_M[FW_A-address-group-pool_isp1_1] section 1.1.1.10 1.1.1.12
HRP_M[FW_A-address-group-pool_isp1_1] route enable
HRP_M[FW_A-address-group-pool_isp1_1] quit
The route enable command generates a user network route (UNR) for the addresses in the NAT address pool. The UNR behaves like a black-hole route: a packet addressed to a pool address that does not belong to an existing NAT session is dropped on the firewall instead of being forwarded back to the ISP router, which prevents a routing loop between the firewall and the router.
- Configure the NAT policy between the Trust and isp1_1 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp1_1.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone isp1_1
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group pool_isp1_1
HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
HRP_M[FW_A-policy-nat] quit
- Configure NAT address pool pool_isp1_2 and specify the address pool type to be NAPT.
HRP_M[FW_A] nat address-group pool_isp1_2
HRP_M[FW_A-address-group-pool_isp1_2] mode pat
HRP_M[FW_A-address-group-pool_isp1_2] section 1.1.2.10 1.1.2.12
HRP_M[FW_A-address-group-pool_isp1_2] route enable
HRP_M[FW_A-address-group-pool_isp1_2] quit
- Configure the NAT policy between the Trust and isp1_2 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp1_2.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat2
HRP_M[FW_A-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat2] destination-zone isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat2] action source-nat address-group pool_isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat2] quit
HRP_M[FW_A-policy-nat] quit
- Configure NAT address pool pool_isp2_1 and specify the address pool type to be NAPT.
HRP_M[FW_A] nat address-group pool_isp2_1
HRP_M[FW_A-address-group-pool_isp2_1] mode pat
HRP_M[FW_A-address-group-pool_isp2_1] section 2.2.2.10 2.2.2.12
HRP_M[FW_A-address-group-pool_isp2_1] route enable
HRP_M[FW_A-address-group-pool_isp2_1] quit
- Configure the NAT policy between the Trust and isp2_1 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp2_1.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat3
HRP_M[FW_A-policy-nat-rule-policy_nat3] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat3] destination-zone isp2_1
HRP_M[FW_A-policy-nat-rule-policy_nat3] action source-nat address-group pool_isp2_1
HRP_M[FW_A-policy-nat-rule-policy_nat3] quit
HRP_M[FW_A-policy-nat] quit
- Configure NAT address pool pool_isp2_2 and specify the address pool type to be NAPT.
HRP_M[FW_A] nat address-group pool_isp2_2
HRP_M[FW_A-address-group-pool_isp2_2] mode pat
HRP_M[FW_A-address-group-pool_isp2_2] section 2.2.3.10 2.2.3.12
HRP_M[FW_A-address-group-pool_isp2_2] route enable
HRP_M[FW_A-address-group-pool_isp2_2] quit
- Configure the NAT policy between the Trust and isp2_2 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp2_2.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat4
HRP_M[FW_A-policy-nat-rule-policy_nat4] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat4] destination-zone isp2_2
HRP_M[FW_A-policy-nat-rule-policy_nat4] action source-nat address-group pool_isp2_2
HRP_M[FW_A-policy-nat-rule-policy_nat4] quit
HRP_M[FW_A-policy-nat] quit
- Configure NAT ALG.
HRP_M[FW_A] detect ftp
HRP_M[FW_A] detect sip
HRP_M[FW_A] detect h323
HRP_M[FW_A] detect rtsp
HRP_M[FW_A] detect qq
Configuring the NAT Server and Smart DNS
Context
Smart DNS requires a content security group license and dynamic loading of the corresponding component.
On the USG9500, smart DNS additionally requires that an SPC-APPSEC-FW card is installed. Otherwise, the function is unavailable.
Procedure
- Configure the NAT server.
- Configure the NAT server function, mapping the private addresses of web servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web2 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web4 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
- Configure the NAT server function, mapping the private addresses of FTP servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp2 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp3 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp4 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
- Configure the NAT server function, mapping the private address of the DNS server to public addresses for access by users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_dns1 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns2 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns3 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns4 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
Note that these mappings cover TCP port 53 only. Ordinary DNS queries are carried over UDP port 53, so if external resolvers must query this server directly, add matching nat server entries with protocol udp; TCP alone only serves zone transfers and responses too large for UDP.
- Configure sticky load balancing.
Sticky load balancing requires that each egress interface has an IP address and a gateway address. These were configured in Configuring Interfaces and Security Zones and Configuring Intelligent Uplink Selection and Routes. With redirect-reverse, the return traffic of a session is sent to the specified next hop of the interface on which the session arrived, so a reply from a hosted server leaves through the same ISP link that the request came in on.
Interface configuration is not synchronized by hot standby. Therefore, you need to configure sticky load balancing on both FW_A and FW_B.
HRP_M[FW_A] interface Eth-Trunk 1.1
HRP_M[FW_A-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
HRP_M[FW_A-Eth-Trunk1.1] quit
HRP_M[FW_A] interface Eth-Trunk 2.1
HRP_M[FW_A-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
HRP_M[FW_A-Eth-Trunk2.1] quit
HRP_M[FW_A] interface Eth-Trunk 1.2
HRP_M[FW_A-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
HRP_M[FW_A-Eth-Trunk1.2] quit
HRP_M[FW_A] interface Eth-Trunk 2.2
HRP_M[FW_A-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
HRP_M[FW_A-Eth-Trunk2.2] quit
HRP_S[FW_B] interface Eth-Trunk 1.1
HRP_S[FW_B-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
HRP_S[FW_B-Eth-Trunk1.1] quit
HRP_S[FW_B] interface Eth-Trunk 2.1
HRP_S[FW_B-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
HRP_S[FW_B-Eth-Trunk2.1] quit
HRP_S[FW_B] interface Eth-Trunk 1.2
HRP_S[FW_B-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
HRP_S[FW_B-Eth-Trunk1.2] quit
HRP_S[FW_B] interface Eth-Trunk 2.2
HRP_S[FW_B-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
HRP_S[FW_B-Eth-Trunk2.2] quit
- Configure smart DNS.
The DNS servers are deployed on the intranet and hold the mappings between the web and FTP servers and their public IP addresses. When a user of an ISP requests an intranet server, smart DNS ensures that the user obtains the address that this user's own ISP allocated to the server, so the connection stays on that ISP's link and access is faster. For example, when a user of ISP 1 requests the web server 10.0.10.10, the ISP 1 address 1.1.1.15 of the server is returned; when a user of ISP 2 requests the same web server, the ISP 2 address 2.2.2.15 is returned.
HRP_M[FW_A] dns-smart enable
HRP_M[FW_A] dns-smart group 1 type multi
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.1 map 1.1.1.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.1 map 2.2.2.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.2 map 1.1.2.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.2 map 2.2.3.15
HRP_M[FW_A-dns-smart-group-1] quit
HRP_M[FW_A] dns-smart group 2 type multi
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.1 map 1.1.1.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.1 map 2.2.2.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.2 map 1.1.2.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.2 map 2.2.3.16
HRP_M[FW_A-dns-smart-group-2] quit
- Configure a black-hole route to the public address of the NAT server to prevent routing loops between the firewall and ISP routers.
Static route configuration is not synchronized by hot standby. Therefore, you need to configure the black-hole routes on both FW_A and FW_B.
HRP_M[FW_A] ip route-static 1.1.1.15 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.1.16 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.1.17 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.16 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.17 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.15 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.16 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.17 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.16 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.17 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.15 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.16 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.17 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.15 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.16 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.17 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.2.15 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.2.16 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.2.17 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.3.15 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.3.16 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.3.17 32 NULL 0
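To make the behaviour of the dns-smart groups concrete, the following is an added Python model of the answer rewriting. It is not firewall code and not part of the original document. The ISP prefix lists stand in for isp1.csv and isp2.csv (an assumption about what those address files contain), the group mappings are the ones configured above, and the fallback of classifying a client by ISP when the ingress interface is unknown is a simplification of the firewall's own interface-based selection.

```python
"""Model of smart DNS answer selection (added example, not firewall code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for isp1.csv / isp2.csv (assumption: the real files list the
# public prefixes each carrier announces).
ISP_PREFIXES: Dict[str, List[str]] = {
    "isp1": ["1.1.0.0/16", "198.51.100.0/24"],
    "isp2": ["2.2.0.0/16", "203.0.113.0/24"],
}

# Egress sub-interfaces per ISP, taken from the interface descriptions on this page.
ISP_INTERFACES: Dict[str, List[str]] = {
    "isp1": ["Eth-Trunk1.1", "Eth-Trunk1.2"],
    "isp2": ["Eth-Trunk2.1", "Eth-Trunk2.2"],
}

# dns-smart group 1 (web server) and group 2 (FTP server): the public address of the
# server on each egress interface, exactly as configured above.
DNS_SMART_GROUPS: List[Dict[str, str]] = [
    {"Eth-Trunk1.1": "1.1.1.15", "Eth-Trunk2.1": "2.2.2.15",
     "Eth-Trunk1.2": "1.1.2.15", "Eth-Trunk2.2": "2.2.3.15"},
    {"Eth-Trunk1.1": "1.1.1.16", "Eth-Trunk2.1": "2.2.2.16",
     "Eth-Trunk1.2": "1.1.2.16", "Eth-Trunk2.2": "2.2.3.16"},
]


def isp_for_client(client_ip: str) -> Optional[str]:
    """Longest-prefix match of the querying client against the ISP address files."""
    addr = ipaddress.ip_address(client_ip)
    best: Optional[Tuple[int, str]] = None
    for isp, prefixes in ISP_PREFIXES.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, isp)
    return best[1] if best else None


def rewrite_answer(original_answer: str, reply_interface: str) -> str:
    """A record that smart DNS puts into a reply leaving reply_interface.

    Only answers that are members of a configured group are rewritten; any other
    answer (a host with no multi-ISP mapping) is passed through unchanged.
    """
    for group in DNS_SMART_GROUPS:
        if original_answer in group.values():
            return group.get(reply_interface, original_answer)
    return original_answer


def smart_dns_answer(client_ip: str, original_answer: str,
                     ingress_interface: Optional[str] = None) -> str:
    """Select the reply interface for the client, then rewrite the answer.

    With redirect-reverse in place the reply leaves on the interface the query
    arrived on. If that interface is unknown, fall back to classifying the client
    by ISP and use that ISP's first link; a client from no known ISP keeps the
    original answer.
    """
    if ingress_interface is None:
        isp = isp_for_client(client_ip)
        if isp is None:
            return original_answer
        ingress_interface = ISP_INTERFACES[isp][0]
    return rewrite_answer(original_answer, ingress_interface)
```

The important property to verify on a real deployment is the last branch: an answer that is not a member of any group must pass through untouched, otherwise internal hosts that have a single public address would be rewritten to nothing.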
Configuring Security Policies and Security Protection
Procedure
- Configure the Trust-to-isp1 security policy, allowing intranet users to access the Internet through ISP 1 and enabling intrusion prevention.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_isp1
HRP_M[FW_A-policy-security-rule-trust_to_isp1] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_isp1] destination-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-trust_to_isp1] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_isp1] action permit
HRP_M[FW_A-policy-security-rule-trust_to_isp1] quit
- Configure the Trust-to-isp2_1 and Trust-to-isp2_2 security policies, allowing intranet users to access the Internet through ISP 2 and enabling intrusion prevention.
HRP_M[FW_A-policy-security] rule name trust_to_isp2
HRP_M[FW_A-policy-security-rule-trust_to_isp2] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_isp2] destination-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-trust_to_isp2] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_isp2] action permit
HRP_M[FW_A-policy-security-rule-trust_to_isp2] quit
- Configure the isp1_1-to-DMZ and isp1_2-to-DMZ security policies, allowing extranet users to access the web server, FTP server, and DNS server in the DMZ through the ISP 1 link and enabling intrusion prevention.
HRP_M[FW_A-policy-security] rule name isp1_to_http
HRP_M[FW_A-policy-security-rule-isp1_to_http] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_http] destination-address 10.0.10.10 24
HRP_M[FW_A-policy-security-rule-isp1_to_http] service http
HRP_M[FW_A-policy-security-rule-isp1_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_http] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_http] quit
HRP_M[FW_A-policy-security] rule name isp1_to_ftp
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] destination-address 10.0.10.11 24
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] quit
HRP_M[FW_A-policy-security] rule name isp1_to_dns
HRP_M[FW_A-policy-security-rule-isp1_to_dns] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-isp1_to_dns] service dns
HRP_M[FW_A-policy-security-rule-isp1_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_dns] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_dns] quit
- Configure the isp2_1-to-DMZ and isp2_2-to-DMZ security policies, allowing extranet users to access the web server, FTP server, and DNS server in the DMZ through the ISP 2 link and enabling intrusion prevention.
HRP_M[FW_A-policy-security] rule name isp2_to_http
HRP_M[FW_A-policy-security-rule-isp2_to_http] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_http] destination-address 10.0.10.10 24
HRP_M[FW_A-policy-security-rule-isp2_to_http] service http
HRP_M[FW_A-policy-security-rule-isp2_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_http] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_http] quit
HRP_M[FW_A-policy-security] rule name isp2_to_ftp
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] destination-address 10.0.10.11 24
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] quit
HRP_M[FW_A-policy-security] rule name isp2_to_dns
HRP_M[FW_A-policy-security-rule-isp2_to_dns] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-isp2_to_dns] service dns
HRP_M[FW_A-policy-security-rule-isp2_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_dns] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_dns] quit
- Configure the Trust-to-DMZ security policies, allowing intranet users to access the web server, FTP server, and DNS server in the DMZ zone and enabling intrusion prevention.
HRP_M[FW_A-policy-security] rule name trust_to_http
HRP_M[FW_A-policy-security-rule-trust_to_http] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_http] destination-address 10.0.10.10 24
HRP_M[FW_A-policy-security-rule-trust_to_http] service http
HRP_M[FW_A-policy-security-rule-trust_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_http] action permit
HRP_M[FW_A-policy-security-rule-trust_to_http] quit
HRP_M[FW_A-policy-security] rule name trust_to_ftp
HRP_M[FW_A-policy-security-rule-trust_to_ftp] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-address 10.0.10.11 24
HRP_M[FW_A-policy-security-rule-trust_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-trust_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-trust_to_ftp] quit
HRP_M[FW_A-policy-security] rule name trust_to_dns
HRP_M[FW_A-policy-security-rule-trust_to_dns] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-trust_to_dns] service dns
HRP_M[FW_A-policy-security-rule-trust_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_dns] action permit
HRP_M[FW_A-policy-security-rule-trust_to_dns] quit
Note that destination-address 10.0.10.10 24 matches the whole 10.0.10.0/24 segment, not only the web server; the same applies to the FTP and DNS rules above. As written, every host in the DMZ segment is reachable on the permitted service. If only the individual servers should be exposed, specify mask 32 (for example, destination-address 10.0.10.10 32).
- Configure the Local-to-DMZ security policy, allowing the firewall to send logs to the log server.
HRP_M[FW_A-policy-security] rule name local_to_logcenter
HRP_M[FW_A-policy-security-rule-local_to_logcenter] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-zone dmz
HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-address 10.0.10.30 24
HRP_M[FW_A-policy-security-rule-local_to_logcenter] action permit
HRP_M[FW_A-policy-security-rule-local_to_logcenter] quit
- Configure the Local-to-isp1 and Local-to-isp2 security policies, allowing the FW to connect to the security center and update its signature databases.
HRP_M[FW_A-policy-security] rule name local_to_isp
HRP_M[FW_A-policy-security-rule-local_to_isp] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_isp] destination-zone isp1_1 isp1_2 isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-local_to_isp] action permit
HRP_M[FW_A-policy-security-rule-local_to_isp] quit
HRP_M[FW_A-policy-security] quit
The configuration script at the end of this document narrows this rule with service http ftp, which is the preferable form: the update servers are reached over HTTP and FTP, so there is no need to permit every service from the Local zone to the Internet.
On USG6000&USG9500 versions earlier than V500R001C80, you must also configure security policies that allow the FW to send health check probe packets to the probed destination. From V500R001C80 onward, health check probe packets are not subject to security policies and are permitted by default, so no such policies are needed.
- Update the IPS signature database and service awareness signature database automatically.
- Make sure that the firewall has activated the license that supports the IPS signature database update service.
HRP_M[FW_A] display license
IPS : Enabled; service expire time: 2015/06/12
- Configure the DNS server, allowing the firewall to reach the security center by domain name.
HRP_M[FW_A] dns resolve
HRP_M[FW_A] dns server 1.1.1.222
- Configure automatic scheduled update of the signature databases.
HRP_M[FW_A] update schedule ips-sdb enable
HRP_M[FW_A] update schedule sa-sdb enable
HRP_M[FW_A] update schedule ips-sdb daily 03:00
HRP_M[FW_A] update schedule sa-sdb weekly Mon 03:00
- Configure attack defense.
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable
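The following added Python script is not a firewall feature and not part of the original document. It audits a configuration excerpt, written in the syntax of the configuration scripts at the end of this document, for the three conditions that the NAT server, source NAT and security policy steps above depend on: every nat server public address has a black-hole route, every NAT address pool has route enable, and no policy silently matches a whole subnet through a host address with a short mask. The SAMPLE_CONFIG text is constructed for the example, with two defects planted on purpose (pool_isp2_2 lacks route enable and 2.2.3.17 has no black-hole route); the regular expressions are written against the command forms shown on this page only.

```python
"""Offline audit of NAT and policy lines in a USG-style configuration script.

Added example, not firewall code. SAMPLE_CONFIG is constructed for the example.
"""
import ipaddress
import re
from typing import List, Optional, Set

SAMPLE_CONFIG = """\
#
 nat server policy_web1 0 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
 nat server policy_dns4 11 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
#
 ip route-static 1.1.1.15 255.255.255.255 NULL 0
#
nat address-group pool_isp1_1 1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.12
#
nat address-group pool_isp2_2 4
 mode pat
 section 0 2.2.3.10 2.2.3.12
#
security-policy
 rule name isp1_to_http
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
 rule name local_to_logcenter
  source-zone local
  destination-zone dmz
  destination-address 10.0.10.30 32
  action permit
#
"""

# Command forms as they appear on this page (script form and procedure form).
NAT_SERVER_RE = re.compile(r"^\s*nat server \S+ .*?\bglobal (\d+\.\d+\.\d+\.\d+)")
BLACKHOLE_RE = re.compile(
    r"^\s*ip route-static (\d+\.\d+\.\d+\.\d+) (?:255\.255\.255\.255|32) NULL ?0\b")
ADDR_GROUP_RE = re.compile(r"^\s*nat address-group (\S+)")
RULE_RE = re.compile(r"^\s*rule name (\S+)")
DST_ADDR_RE = re.compile(r"^\s*destination-address (\d+\.\d+\.\d+\.\d+) (\d+)\s*$")


def audit_config(config: str) -> List[str]:
    """Return one finding per defect; an empty list means all three checks passed."""
    findings: List[str] = []
    nat_server_globals: List[str] = []
    blackholes: Set[str] = set()
    pools: List[str] = []
    pools_with_route: Set[str] = set()
    current_pool: Optional[str] = None
    current_rule: Optional[str] = None

    for line in config.splitlines():
        if line.strip() == "#":            # section separator: leave any view
            current_pool = current_rule = None
            continue
        if m := NAT_SERVER_RE.match(line):
            nat_server_globals.append(m.group(1))
        elif m := BLACKHOLE_RE.match(line):
            blackholes.add(m.group(1))
        elif m := ADDR_GROUP_RE.match(line):
            current_pool = m.group(1)
            pools.append(current_pool)
        elif current_pool and line.strip() == "route enable":
            pools_with_route.add(current_pool)
        elif m := RULE_RE.match(line):
            current_rule = m.group(1)
        elif current_rule and (m := DST_ADDR_RE.match(line)):
            addr, plen = m.group(1), int(m.group(2))
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            # A host address with a shorter mask silently widens the rule to the subnet.
            if plen < 32 and ipaddress.ip_address(addr) != net.network_address:
                findings.append(
                    f"rule {current_rule}: destination-address {addr} {plen} "
                    f"matches all of {net}; use mask 32 for a single host")

    for g in nat_server_globals:
        if g not in blackholes:
            findings.append(
                f"nat server global {g}: no black-hole route "
                f"(add: ip route-static {g} 32 NULL 0)")
    for p in pools:
        if p not in pools_with_route:
            findings.append(f"nat address-group {p}: route enable missing, no UNR for the pool")
    return findings
```

Run it against the output of display current-configuration of both firewalls, since black-hole routes are not synchronized by hot standby and a pool that is complete on FW_A may be incomplete on FW_B.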
Configuring User Tracing
Context
The firewall sends binary session logs and IM logs to the eLog. The eLog collects, stores, and analyzes the logs. The pre-NAT IP addresses and IM online and offline activities can be obtained from these logs to meet audit requirements.
Procedure
- Configure a log host on FW_A.
HRP_M[FW_A] firewall log host 1 10.0.10.30 9002
HRP_M[FW_A] firewall log source 10.0.5.1 6000
- Enable session log in the security policies of FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_isp1
HRP_M[FW_A-policy-security-rule-trust_to_isp1] session logging
HRP_M[FW_A-policy-security-rule-trust_to_isp1] quit
HRP_M[FW_A-policy-security] rule name trust_to_isp2
HRP_M[FW_A-policy-security-rule-trust_to_isp2] session logging
HRP_M[FW_A-policy-security-rule-trust_to_isp2] quit
HRP_M[FW_A-policy-security] quit
- Enable IM log sending on FW_A.
HRP_M[FW_A] firewall log im enable
- Configure the source IP and port that FW_B uses to send logs to the log host. This configuration does not support backup.
HRP_S[FW_B] firewall log source 10.0.6.1 6000
- Configure SNMP v3 on FW_A.
HRP_M[FW_A] snmp-agent sys-info version v3
HRP_M[FW_A] snmp-agent group v3 NMS1 privacy
HRP_M[FW_A] snmp-agent usm-user v3 admin1 group NMS1
HRP_M[FW_A] snmp-agent usm-user v3 admin1 authentication-mode md5 cipher Admin@123abcdefg1234567890abccba10
HRP_M[FW_A] snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher Admin@123abcdefg1234567890abccba10
The example uses md5 for authentication and the same string for the authentication and privacy keys. In production, prefer authentication-mode sha where the version supports it, and use two distinct strong keys, because SNMP v3 privacy is only as strong as the weaker of the two.
- Configure SNMP v3 on FW_B. This configuration is not synchronized by hot standby.
HRP_S[FW_B] snmp-agent sys-info version v3
HRP_S[FW_B] snmp-agent group v3 NMS1 privacy
HRP_S[FW_B] snmp-agent usm-user v3 admin1 group NMS1
HRP_S[FW_B] snmp-agent usm-user v3 admin1 authentication-mode md5 cipher Admin@123abcdefg1234567890abccba10
HRP_S[FW_B] snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher Admin@123abcdefg1234567890abccba10
- After eLog configuration is complete, choose Log Analysis > Session Analysis > IPv4 Session Log on the eLog to view session logs. Choose Log Analysis > Cyber Security Analysis > IM to view IM logs.
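As an added example of the audit query that session logging exists for (this is not eLog functionality and not code from the document), the Python below parses constructed text session records that carry both the pre-NAT and post-NAT tuples and answers the question an abuse report actually poses: which intranet host was behind pool address X, port Y, at time T. The text format, the timestamps and the addresses are constructed; the firewall itself sends binary session logs to the eLog.

```python
"""NAPT user tracing over session records (added example, not eLog or firewall code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SessionRecord:
    start: datetime
    end: datetime
    protocol: str
    src_ip: str      # pre-NAT address of the intranet user
    src_port: int
    nat_ip: str      # post-NAT address taken from the NAPT pool
    nat_port: int
    dst_ip: str
    dst_port: int


def _ts(text: str) -> datetime:
    """ISO 8601 with a trailing Z, as used in the constructed log lines."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _endpoint(text: str) -> Tuple[str, int]:
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_session_line(line: str) -> SessionRecord:
    """Parse one constructed record: <start> <end> <proto> <src> <nat> <dst>."""
    start, end, proto, src, nat, dst = line.split()
    s_ip, s_port = _endpoint(src)
    n_ip, n_port = _endpoint(nat)
    d_ip, d_port = _endpoint(dst)
    return SessionRecord(_ts(start), _ts(end), proto, s_ip, s_port, n_ip, n_port, d_ip, d_port)


# Constructed sample. Pool address 1.1.1.10 port 20001 is handed to two different
# intranet hosts at different times, which is why a trace must carry a timestamp.
SAMPLE_LOG = [
    "2024-03-01T10:00:05Z 2024-03-01T10:03:40Z tcp 10.3.0.25:51234 1.1.1.10:20001 192.0.2.10:443",
    "2024-03-01T10:01:00Z 2024-03-01T10:20:00Z tcp 10.3.0.40:40001 2.2.2.10:30500 198.51.100.7:80",
    "2024-03-01T10:05:10Z 2024-03-01T10:09:59Z tcp 10.3.0.77:60123 1.1.1.10:20001 203.0.113.9:443",
]
RECORDS: List[SessionRecord] = [parse_session_line(line) for line in SAMPLE_LOG]


def trace_user(records: List[SessionRecord], protocol: str, nat_ip: str, nat_port: int,
               at: datetime, dst_ip: Optional[str] = None) -> Optional[SessionRecord]:
    """Return the session that owned (protocol, nat_ip, nat_port) at time `at`.

    dst_ip is optional corroborating evidence from the complainant. Two overlapping
    owners of one NAPT tuple cannot occur in a correct log, so that is an error.
    """
    hits = [r for r in records
            if r.protocol == protocol and r.nat_ip == nat_ip and r.nat_port == nat_port
            and r.start <= at <= r.end
            and (dst_ip is None or r.dst_ip == dst_ip)]
    if len(hits) > 1:
        raise ValueError("overlapping sessions for one NAPT tuple; log is inconsistent")
    return hits[0] if hits else None


def pre_nat_address(records: List[SessionRecord], protocol: str, nat_ip: str,
                    nat_port: int, at_iso: str, dst_ip: Optional[str] = None) -> Optional[str]:
    """'ip:port' of the intranet user that held the NAPT tuple, or None if nobody did."""
    rec = trace_user(records, protocol, nat_ip, nat_port, _ts(at_iso), dst_ip)
    return f"{rec.src_ip}:{rec.src_port}" if rec else None
```

Two practical consequences follow from the lookup key: the firewall clock must be synchronized with the eLog and with whoever reports the abuse, and the report must name the protocol and port as well as the pool address, since under NAPT the address alone maps to every user of that pool.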
Viewing Traffic Statistics
Procedure
- Log in to the web UI.
- View the traffic history of an interface or the entire device.
- For the USG6000, if a hard disk is installed, you can also choose Monitoring > Report > Traffic Report to view traffic reports. You can query traffic histories by address or application.
Verification
- Intranet users can access the Internet normally.
- Extranet users can access intranet servers using public IP addresses.
- The eLog can obtain session logs of the firewalls.
- Run the shutdown command on GigabitEthernet 1/0/1 of the active firewall to simulate a link fault. The active/standby switchover is normal without services interrupted.
Configuration Scripts
FW_A
#
 sysname FW_A
#
 hrp preempt delay 300
 hrp enable
 hrp interface Eth-Trunk0 remote 10.0.7.2
 hrp track interface GigabitEthernet1/0/3
 hrp track interface GigabitEthernet1/0/4
 hrp adjust ospf-cost enable
#
 firewall log im enable
 firewall log host 1 10.0.10.30 9002
 firewall log source 10.0.5.1 6000
#
 firewall defend smurf enable
 firewall defend land enable
 firewall defend fraggle enable
 firewall defend ping-of-death enable
 firewall defend winnuke enable
 firewall defend route-record enable
 firewall defend source-route enable
 firewall defend time-stamp enable
#
 isp name isp1 set filename isp1.csv
 isp name isp2 set filename isp2.csv
#
 update schedule ips-sdb weekly Mon 03:00
 update schedule sa-sdb daily 03:00
#
 dns resolve
 dns server 1.1.1.222
#
 healthcheck enable
healthcheck name isp1_health1
 destination 1.1.1.6 interface Eth-Trunk1.1 protocol icmp
 destination 1.1.1.222 interface Eth-Trunk1.1 protocol dns
healthcheck name isp1_health2
 destination 1.1.2.6 interface Eth-Trunk1.2 protocol icmp
 destination 1.1.1.222 interface Eth-Trunk1.2 protocol dns
healthcheck name isp2_health1
 destination 2.2.2.6 interface Eth-Trunk2.1 protocol icmp
 destination 2.2.2.222 interface Eth-Trunk2.1 protocol dns
healthcheck name isp2_health2
 destination 2.2.3.6 interface Eth-Trunk2.2 protocol icmp
 destination 2.2.2.222 interface Eth-Trunk2.2 protocol dns
#
interface Eth-Trunk0
 description Hrp-interface
 ip address 10.0.7.1 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk1
 description To-isp1
 undo service-manage enable
#
interface Eth-Trunk2
 description To-isp2
 undo service-manage enable
#
interface Eth-Trunk 1.1
 description To-isp1-1
 ip address 1.1.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.248 active
 healthcheck isp1_health1
 gateway 1.1.1.6
 vlan-type dot1q 11
 bandwidth ingress 800000
 bandwidth egress 800000
 redirect-reverse next-hop 1.1.1.6
#
interface Eth-Trunk 2.1
 description To-isp2-1
 ip address 2.2.2.2 255.255.255.248
 vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.248 active
 healthcheck isp2_health1
 gateway 2.2.2.6
 vlan-type dot1q 21
 bandwidth ingress 900000
 bandwidth egress 900000
 redirect-reverse next-hop 2.2.2.6
#
interface Eth-Trunk 1.2
 description To-isp1-2
 ip address 1.1.2.2 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.2.1 255.255.255.248 active
 healthcheck isp1_health2
 gateway 1.1.2.6
 vlan-type dot1q 12
 bandwidth ingress 400000
 bandwidth egress 400000
 redirect-reverse next-hop 1.1.2.6
#
interface Eth-Trunk 2.2
 description To-isp2-2
 ip address 2.2.3.2 255.255.255.248
 vrrp vrid 4 virtual-ip 2.2.3.1 255.255.255.248 active
 healthcheck isp2_health2
 gateway 2.2.3.6
 vlan-type dot1q 22
 bandwidth ingress 600000
 bandwidth egress 600000
 redirect-reverse next-hop 2.2.3.6
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
 undo service-manage enable
#
interface GigabitEthernet 1/0/2
 eth-trunk 2
 undo service-manage enable
#
interface GigabitEthernet 1/0/3
 description To-router
 ip address 10.0.3.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet 1/0/4
 description To-server
 ip address 10.0.5.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
 undo service-manage enable
#
interface GigabitEthernet 1/0/6
 eth-trunk 1
 undo service-manage enable
#
interface GigabitEthernet 1/0/7
 eth-trunk 2
 undo service-manage enable
#
interface GigabitEthernet 2/0/0
 eth-trunk 0
 undo service-manage enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 5
 add interface GigabitEthernet 1/0/4
#
firewall zone name hrp id 4
 set priority 75
 add interface eth-trunk 0
#
firewall zone name isp1_1 id 5
 set priority 10
 add interface eth-trunk1.1
#
firewall zone name isp1_2 id 6
 set priority 15
 add interface eth-trunk1.2
#
firewall zone name isp2_1 id 7
 set priority 20
 add interface eth-trunk2.1
#
firewall zone name isp2_2 id 8
 set priority 25
 add interface eth-trunk2.2
#
 detect ftp
 detect sip
 detect h323
 detect rtsp
 detect qq
#
ospf 1
 area 0.0.0.0
  network 10.0.3.0 0.0.0.255
  network 10.0.5.0 0.0.0.255
#
 ip route-static 1.1.1.15 255.255.255.255 NULL 0
 ip route-static 1.1.1.16 255.255.255.255 NULL 0
 ip route-static 1.1.1.17 255.255.255.255 NULL 0
 ip route-static 2.2.2.15 255.255.255.255 NULL 0
 ip route-static 2.2.2.16 255.255.255.255 NULL 0
 ip route-static 2.2.2.17 255.255.255.255 NULL 0
 ip route-static 1.1.2.15 255.255.255.255 NULL 0
 ip route-static 1.1.2.16 255.255.255.255 NULL 0
 ip route-static 1.1.2.17 255.255.255.255 NULL 0
 ip route-static 2.2.3.15 255.255.255.255 NULL 0
 ip route-static 2.2.3.16 255.255.255.255 NULL 0
 ip route-static 2.2.3.17 255.255.255.255 NULL 0
#
 snmp-agent
 snmp-agent sys-info version v3
 snmp-agent group v3 NMS1 privacy
 snmp-agent usm-user v3 admin1 group NMS1
 snmp-agent usm-user v3 admin1 authentication-mode md5 cipher %^%#Hkf(QMzGN$biX-NUpE14:e,9Bu,0E"3TL$@gV<.V%^%#
 snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher %^%#77$d.slqmEO)"('y<g6/,h5z<:#v~!jab]@M$58J%^%
#
 nat server policy_web1 0 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
 nat server policy_web2 1 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
 nat server policy_web3 2 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
 nat server policy_web4 3 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
 nat server policy_ftp1 4 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
 nat server policy_ftp2 5 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
 nat server policy_ftp3 6 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
 nat server policy_ftp4 7 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
 nat server policy_dns1 8 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
 nat server policy_dns2 9 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
 nat server policy_dns3 10 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
 nat server policy_dns4 11 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
#
 dns-smart enable
#
dns-smart group 1 type multi
 out-interface eth-trunk1.1 map 1.1.1.15
 out-interface eth-trunk2.1 map 2.2.2.15
 out-interface eth-trunk1.2 map 1.1.2.15
 out-interface eth-trunk2.2 map 2.2.3.15
#
dns-smart group 2 type multi
 out-interface eth-trunk1.1 map 1.1.1.16
 out-interface eth-trunk2.1 map 2.2.2.16
 out-interface eth-trunk1.2 map 1.1.2.16
 out-interface eth-trunk2.2 map 2.2.3.16
#
nat address-group pool_isp1_1 1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.12
#
nat address-group pool_isp1_2 2
 mode pat
 route enable
 section 0 1.1.2.10 1.1.2.12
#
nat address-group pool_isp2_1 3
 mode pat
 route enable
 section 0 2.2.2.10 2.2.2.12
#
nat address-group pool_isp2_2 4
 mode pat
 route enable
 section 0 2.2.3.10 2.2.3.12
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone isp1_1
  action source-nat address-group pool_isp1_1
 rule name policy_nat2
  source-zone trust
  destination-zone isp1_2
  action source-nat address-group pool_isp1_2
 rule name policy_nat3
  source-zone trust
  destination-zone isp2_1
  action source-nat address-group pool_isp2_1
 rule name policy_nat4
  source-zone trust
  destination-zone isp2_2
  action source-nat address-group pool_isp2_2
#
security-policy
 rule name trust_to_isp1
  session logging
  source-zone trust
  destination-zone isp1_1 isp1_2
  action permit
  profile ips default
 rule name trust_to_isp2
  session logging
  source-zone trust
  destination-zone isp2_1 isp2_2
  action permit
  profile ips default
 rule name isp1_to_http
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name isp1_to_ftp
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name isp1_to_dns
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name isp2_to_http
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name isp2_to_ftp
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name isp2_to_dns
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name trust_to_http
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name trust_to_ftp
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name trust_to_dns
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name local_to_logcenter
  source-zone local
  destination-zone dmz
  destination-address 10.0.10.30 24
  action permit
 rule name local_to_isp
  source-zone local
  destination-zone isp1_1 isp1_2 isp2_1 isp2_2
  service http ftp
  action permit
#
policy-based-route
 rule name dns_pbr
  ingress-interface GigabitEthernet1/0/3
  service dns
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk1.1 weight 2
   add interface eth-trunk1.2 weight 1
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
 rule name p2p_pbr
  ingress-interface GigabitEthernet1/0/3
  application app BT Thunder eDonkey_eMule
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
 rule name isp1_pbr
  ingress-interface GigabitEthernet1/0/3
  destination-address isp isp1
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk1.1 weight 2
   add interface eth-trunk1.2 weight 1
 rule name isp2_pbr
  ingress-interface GigabitEthernet1/0/3
  destination-address isp isp2
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
#
dns-transparent-policy
 dns transparent-proxy enable
 dns server bind interface eth-trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
 dns server bind interface eth-trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
 dns server bind interface eth-trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
 dns server bind interface eth-trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
 dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
#
 rule name dns_proxy
  source-address 10.3.0.0 24
  action tpdns
#
return
#
sysname FW_B
#
hrp preempt delay 300
hrp enable
hrp interface Eth-Trunk0 remote 10.0.7.1
hrp track interface GigabitEthernet1/0/3
hrp track interface GigabitEthernet1/0/4
hrp adjust ospf-cost enable
#
firewall log im enable
firewall log host 1 10.0.10.30 9002
firewall log source 10.0.6.1 6000
#
firewall defend smurf enable
firewall defend land enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend winnuke enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend time-stamp enable
#
isp name isp1 set filename isp1.csv
isp name isp2 set filename isp2.csv
#
update schedule ips-sdb weekly Mon 03:00
update schedule sa-sdb daily 03:00
#
dns resolve
dns server 1.1.1.222
#
healthcheck enable
healthcheck name isp1_health1
 destination 1.1.1.6 interface Eth-Trunk1.1 protocol icmp
 destination 1.1.1.222 interface Eth-Trunk1.1 protocol dns
healthcheck name isp1_health2
 destination 1.1.2.6 interface Eth-Trunk1.2 protocol icmp
 destination 1.1.1.222 interface Eth-Trunk1.2 protocol dns
healthcheck name isp2_health1
 destination 2.2.2.6 interface Eth-Trunk2.1 protocol icmp
 destination 2.2.2.222 interface Eth-Trunk2.1 protocol dns
healthcheck name isp2_health2
 destination 2.2.3.6 interface Eth-Trunk2.2 protocol icmp
 destination 2.2.2.222 interface Eth-Trunk2.2 protocol dns
#
interface Eth-Trunk0
 description Hrp-interface
 ip address 10.0.7.2 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk1
 description To-isp1
 undo service-manage enable
#
interface Eth-Trunk2
 description To-isp2
 undo service-manage enable
#
interface Eth-Trunk 1.1
 description To-isp1-1
 ip address 1.1.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.248 standby
 healthcheck isp1_health1
 gateway 1.1.1.6
 vlan-type dot1q 11
 bandwidth ingress 800000
 bandwidth egress 800000
 redirect-reverse next-hop 1.1.1.6
#
interface Eth-Trunk 2.1
 description To-isp2-1
 ip address 2.2.2.3 255.255.255.248
 vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.248 standby
 healthcheck isp2_health1
 gateway 2.2.2.6
 vlan-type dot1q 21
 bandwidth ingress 900000
 bandwidth egress 900000
 redirect-reverse next-hop 2.2.2.6
#
interface Eth-Trunk 1.2
 description To-isp1-2
 ip address 1.1.2.3 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.2.1 255.255.255.248 standby
 healthcheck isp1_health2
 gateway 1.1.2.6
 vlan-type dot1q 12
 bandwidth ingress 400000
 bandwidth egress 400000
 redirect-reverse next-hop 1.1.2.6
#
interface Eth-Trunk 2.2
 description To-isp2-2
 ip address 2.2.3.3 255.255.255.248
 vrrp vrid 4 virtual-ip 2.2.3.1 255.255.255.248 standby
 healthcheck isp2_health2
 gateway 2.2.3.6
 vlan-type dot1q 22
 bandwidth ingress 600000
 bandwidth egress 600000
 redirect-reverse next-hop 2.2.3.6
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
 undo service-manage enable
#
interface GigabitEthernet 1/0/2
 eth-trunk 2
 undo service-manage enable
#
interface GigabitEthernet 1/0/3
 description To-router
 ip address 10.0.4.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet 1/0/4
 description To-server
 ip address 10.0.6.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
 undo service-manage enable
#
interface GigabitEthernet 1/0/6
 eth-trunk 1
 undo service-manage enable
#
interface GigabitEthernet 1/0/7
 eth-trunk 2
 undo service-manage enable
#
interface GigabitEthernet 2/0/0
 eth-trunk 0
 undo service-manage enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 5
 add interface GigabitEthernet 1/0/4
#
firewall zone name hrp id 4
 set priority 75
 add interface eth-trunk 0
#
firewall zone name isp1_1 id 5
 set priority 10
 add interface eth-trunk1.1
#
firewall zone name isp1_2 id 6
 set priority 15
 add interface eth-trunk1.2
#
firewall zone name isp2_1 id 7
 set priority 20
 add interface eth-trunk2.1
#
firewall zone name isp2_2 id 8
 set priority 25
 add interface eth-trunk2.2
#
detect ftp
detect sip
detect h323
detect rtsp
detect qq
#
ospf 1
 area 0.0.0.0
  network 10.0.4.0 0.0.0.255
  network 10.0.6.0 0.0.0.255
#
ip route-static 1.1.1.15 255.255.255.255 NULL 0
ip route-static 1.1.1.16 255.255.255.255 NULL 0
ip route-static 1.1.1.17 255.255.255.255 NULL 0
ip route-static 2.2.2.15 255.255.255.255 NULL 0
ip route-static 2.2.2.16 255.255.255.255 NULL 0
ip route-static 2.2.2.17 255.255.255.255 NULL 0
ip route-static 1.1.2.15 255.255.255.255 NULL 0
ip route-static 1.1.2.16 255.255.255.255 NULL 0
ip route-static 1.1.2.17 255.255.255.255 NULL 0
ip route-static 2.2.3.15 255.255.255.255 NULL 0
ip route-static 2.2.3.16 255.255.255.255 NULL 0
ip route-static 2.2.3.17 255.255.255.255 NULL 0
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 NMS1 privacy
snmp-agent usm-user v3 admin1 group NMS1
snmp-agent usm-user v3 admin1 authentication-mode md5 cipher %^%#Hkf(QMzGN$biX-NUpE14:e,9Bu,0E"3TL$@gV<.V%^%#
snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher %^%#77$d.slqmEO)"('y<g6/,h5z<:#v~!jab]@M$58J%^%#
#
nat server policy_web1 0 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_web2 1 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
nat server policy_web3 2 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
nat server policy_web4 3 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 4 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp2 5 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp3 6 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp4 7 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
nat server policy_dns1 8 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
nat server policy_dns2 9 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
nat server policy_dns3 10 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
nat server policy_dns4 11 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
#
dns-smart enable
#
dns-smart group 1 type multi
 out-interface eth-trunk1.1 map 1.1.1.15
 out-interface eth-trunk2.1 map 2.2.2.15
 out-interface eth-trunk1.2 map 1.1.2.15
 out-interface eth-trunk2.2 map 2.2.3.15
#
dns-smart group 2 type multi
 out-interface eth-trunk1.1 map 1.1.1.16
 out-interface eth-trunk2.1 map 2.2.2.16
 out-interface eth-trunk1.2 map 1.1.2.16
 out-interface eth-trunk2.2 map 2.2.3.16
#
nat address-group pool_isp1_1 1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.12
#
nat address-group pool_isp1_2 2
 mode pat
 route enable
 section 0 1.1.2.10 1.1.2.12
#
nat address-group pool_isp2_1 3
 mode pat
 route enable
 section 0 2.2.2.10 2.2.2.12
#
nat address-group pool_isp2_2 4
 mode pat
 route enable
 section 0 2.2.3.10 2.2.3.12
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone isp1_1
  action source-nat address-group pool_isp1_1
 rule name policy_nat2
  source-zone trust
  destination-zone isp1_2
  action source-nat address-group pool_isp1_2
 rule name policy_nat3
  source-zone trust
  destination-zone isp2_1
  action source-nat address-group pool_isp2_1
 rule name policy_nat4
  source-zone trust
  destination-zone isp2_2
  action source-nat address-group pool_isp2_2
#
security-policy
 rule name trust_to_isp1
  session logging
  source-zone trust
  destination-zone isp1_1 isp1_2
  action permit
  profile ips default
 rule name trust_to_isp2
  session logging
  source-zone trust
  destination-zone isp2_1 isp2_2
  action permit
  profile ips default
 rule name isp1_to_http
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name isp1_to_ftp
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name isp1_to_dns
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name isp2_to_http
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name isp2_to_ftp
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name isp2_to_dns
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name trust_to_http
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name trust_to_ftp
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name trust_to_dns
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name local_to_logcenter
  source-zone local
  destination-zone dmz
  destination-address 10.0.10.30 24
  action permit
 rule name local_to_isp
  source-zone local
  destination-zone isp1_1 isp1_2 isp2_1 isp2_2
  service http ftp
  action permit
#
policy-based-route
 rule name dns_pbr
  ingress-interface GigabitEthernet1/0/3
  service dns
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk1.1 weight 2
   add interface eth-trunk1.2 weight 1
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
 rule name p2p_pbr
  ingress-interface GigabitEthernet1/0/3
  application app BT Thunder eDonkey_eMule
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
 rule name isp1_pbr
  ingress-interface GigabitEthernet1/0/3
  destination-address isp isp1
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk1.1 weight 2
   add interface eth-trunk1.2 weight 1
 rule name isp2_pbr
  ingress-interface GigabitEthernet1/0/3
  destination-address isp isp2
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
#
dns-transparent-policy
 dns transparent-proxy enable
 dns server bind interface eth-trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
 dns server bind interface eth-trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
 dns server bind interface eth-trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
 dns server bind interface eth-trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
 dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
 #
 rule name dns_proxy
  source-address 10.3.0.0 24
  action tpdns
#
return
Conclusion and Suggestions
Conclusion
This case describes the networking and deployment of firewalls at the egress of a broadcast and television network. In practice, configure only the functions your requirements call for. The solution can be summarized as follows:
- Hot standby deployment is used. The firewalls run VRRP on the upstream interfaces that face the ISP switches and run OSPF with the downstream routers. The firewalls can also connect to upstream routers running OSPF. In either case, public IP addresses must be planned for the upstream interfaces of the firewalls; otherwise, the gateway cannot be specified on the interface, and the health check and uplink selection that depend on it cannot be configured.
- Multi-egress intelligent uplink selection is a key requirement of a broadcast and television network. It is met as follows:
- Outgoing traffic:
Multi-egress PBR fulfills two requirements: traffic destined for a specific ISP is forwarded over a link of that ISP, and traffic destined for one ISP is distributed across that ISP's links for load balancing. The PBR rules are matched top-down, so the service- and application-based rules (dns_pbr and p2p_pbr) take precedence over the destination-ISP rules.
- Incoming traffic:
The NAT server is configured to advertise a different public IP address for each server to each ISP. If the DNS server that resolves the servers' domain names is deployed on the intranet, the firewalls also provide smart DNS, so that an external user on a given ISP obtains the address allocated to the server on that ISP. This keeps the return path inside that ISP and improves the access speed.
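To make the first-match and weighted-distribution behaviour of the outgoing-traffic design concrete, here is an added Python model of the four policy-based-route rules in the configuration script. This is example code, not Huawei's implementation: the ISP address sets are constructed stand-ins for isp1.csv and isp2.csv, the ingress-interface condition is omitted, and proportion-of-weight is approximated by weighted round-robin over new sessions; all three are assumptions.

```python
"""Added model of the egress PBR rules from the configuration script.
Not Huawei code: ISP address sets are constructed stand-ins for isp1.csv /
isp2.csv, the ingress-interface match is omitted, and proportion-of-weight
is approximated by weighted round-robin over new sessions (assumptions)."""
import ipaddress
from itertools import cycle

# Constructed ISP address sets (the real ones are loaded from isp1.csv / isp2.csv).
ISP_SETS = {
    "isp1": [ipaddress.ip_network(p) for p in ("1.1.0.0/16", "203.0.113.0/24")],
    "isp2": [ipaddress.ip_network(p) for p in ("2.2.0.0/16", "198.51.100.0/24")],
}


def classify_isp(dst):
    """Return the ISP whose address set contains dst (longest prefix wins), or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for isp, nets in ISP_SETS.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (isp, net.prefixlen)
    return best[0] if best else None


class PbrRule:
    """One policy-based-route rule: match conditions plus a weighted link set."""

    def __init__(self, name, links, service=None, apps=(), dst_isp=None):
        self.name = name
        self.service = service
        self.apps = set(apps)
        self.dst_isp = dst_isp
        # "add interface X weight N": expand the weights into a repeating schedule,
        # e.g. eth-trunk1.1 weight 2 / eth-trunk1.2 weight 1 -> 1.1, 1.1, 1.2, ...
        self._schedule = cycle([iface for iface, weight in links for _ in range(weight)])

    def matches(self, flow):
        if self.service is not None and flow.get("service") != self.service:
            return False
        if self.apps and flow.get("app") not in self.apps:
            return False
        if self.dst_isp is not None and classify_isp(flow["dst"]) != self.dst_isp:
            return False
        return True

    def choose_link(self):
        return next(self._schedule)


def build_policy():
    """The four rules of the script, in configured (and therefore matching) order."""
    isp1_links = [("eth-trunk1.1", 2), ("eth-trunk1.2", 1)]
    isp2_links = [("eth-trunk2.1", 3), ("eth-trunk2.2", 2)]
    return [
        PbrRule("dns_pbr", isp1_links + isp2_links, service="dns"),
        PbrRule("p2p_pbr", isp2_links, apps=("BT", "Thunder", "eDonkey_eMule")),
        PbrRule("isp1_pbr", isp1_links, dst_isp="isp1"),
        PbrRule("isp2_pbr", isp2_links, dst_isp="isp2"),
    ]


def select_egress(policy, flow):
    """First matching rule wins. (None, None) means no PBR rule matched and the
    routing table decides, which is what happens for a destination in neither ISP set."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.choose_link()
    return None, None


def distribute(policy, flows):
    """Count (rule, link) decisions for a batch of new sessions."""
    counts = {}
    for flow in flows:
        decision = select_egress(policy, flow)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    # 300 HTTP sessions to an ISP1 destination split 200:100 over the two ISP1 links.
    print(distribute(build_policy(), [{"dst": "1.1.5.9", "service": "http"}] * 300))
    # A DNS query to an ISP2 address is caught by dns_pbr first and may leave on an ISP1 link.
    print(select_egress(build_policy(), {"dst": "2.2.9.9", "service": "dns"}))
```

The second call is the point to check when you reorder rules: because dns_pbr precedes isp2_pbr, DNS traffic to an ISP2 address can leave through an ISP1 link, which is only harmless here because the transparent DNS proxy rebinds the query to the DNS server of whichever link it exits on.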
Other Configuration Suggestions
This solution uses NAPT, the most common form of address translation. If the network carries large quantities of P2P traffic, you can configure triplet NAT instead to reduce the OPEX of tier-2 carriers.
P2P applications, whether file sharing, voice communication, or video, all work by first obtaining the peer's IP address and port from a server and then setting up a direct connection with that peer. NAPT and this behavior do not work well together.
For example, intranet PC 1 first interacts with the extranet P2P server (login and authentication). The firewall performs NAPT on the packets from PC 1 to the P2P server, and the server records the post-NAPT public address and port of PC 1. When PC 2 needs to download a file, the server sends PC 1's address and port to PC 2, and PC 2 tries to download the file from PC 1. However, the access from PC 2 to PC 1 matches no session table entry (the only session was created toward the P2P server), so the firewall denies it, and PC 2 can only request the file from other hosts.
As a result, even when PC 1 and PC 2 are both on the intranet, PC 2 still has to fetch the file from an external host. When many intranet users run P2P downloads, this traffic consumes a large share of the carrier's bandwidth and drives up the traffic expenditure of tier-2 carriers. For inter-network access, the download experience is also poor.
Triplet NAT resolves this problem. Regardless of whether PC 1 has ever accessed PC 2, as long as PC 2 learns the post-NAT address and port of PC 1, PC 2 can initiate access to that address and port. Such packets are permitted even if no corresponding security policy is defined on the firewall, so two intranet PCs can run a P2P download between themselves directly, which reduces the traffic expenditure of tier-2 carriers. Note the trade-off: the same rule lets any external host that learns the mapping reach the intranet PC on that port without passing the security policy, so apply full-cone address pools only to the user segments that need them.
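The session-matching difference described above, as an added Python model (example code, not firewall code): a minimal NAT that keeps either five-tuple NAPT sessions or full-cone triplet mappings, run through the PC 1 / PC 2 / P2P server scenario. Every address and port is constructed; the public address 1.1.1.10 is the first address of the ISP1 pool in the script; hairpinning is reduced to the session-table check, which is the point at issue, so destination translation and the security policy itself are not modelled.

```python
"""Added model of NAPT versus full-cone (triplet) NAT session matching.
Example code, not firewall code; every address and port is constructed."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    """Outbound NAT with two filtering behaviours.

    napt:      a session is keyed by (inside endpoint, outside peer); an inbound
               packet is accepted only from the peer the session was created for.
    full-cone: a triplet mapping is keyed by the inside endpoint alone; once it
               exists, any outside host may send to the public address/port.
    """

    def __init__(self, mode, public_ip, first_port=10000):
        if mode not in ("napt", "full-cone"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.public_ip = public_ip
        self._ports = count(first_port)
        self._forward = {}  # napt: (inside, peer) -> public; full-cone: inside -> public
        self._reverse = {}  # napt: (public, peer) -> inside; full-cone: public -> inside

    def outbound(self, inside, peer):
        """Translate an inside -> peer packet and return the public endpoint peer sees."""
        key = inside if self.mode == "full-cone" else (inside, peer)
        public = self._forward.get(key)
        if public is None:
            public = Endpoint(self.public_ip, next(self._ports))
            self._forward[key] = public
            self._reverse[public if self.mode == "full-cone" else (public, peer)] = inside
        return public

    def inbound(self, src, dst):
        """Look up an outside packet src -> dst (a public endpoint).
        Returns the inside endpoint it is delivered to, or None if the firewall drops it."""
        key = dst if self.mode == "full-cone" else (dst, src)
        return self._reverse.get(key)


def p2p_reachability(mode):
    """Replay the PC 1 / PC 2 / P2P server scenario and report who can reach PC 1."""
    nat = Nat(mode, "1.1.1.10")  # first address of the ISP1 pool in the script
    pc1 = Endpoint("10.3.0.11", 4662)
    pc2 = Endpoint("10.3.0.12", 4662)
    p2p_server = Endpoint("203.0.113.5", 6881)
    stranger = Endpoint("198.51.100.7", 40000)  # a host PC 1 never talked to

    # 1. PC 1 logs in; the server records PC 1's post-NAT address and port.
    pc1_public = nat.outbound(pc1, p2p_server)
    # 2. The server's reply comes from the peer the session was created for.
    server_reply = nat.inbound(p2p_server, pc1_public) == pc1
    # 3. PC 2 learns pc1_public from the server and connects to it. PC 2 is also
    #    inside, so its packet is source-translated and comes back through the same
    #    firewall (hairpin reduced to the session-table check).
    pc2_public = nat.outbound(pc2, pc1_public)
    inside_peer = nat.inbound(pc2_public, pc1_public) == pc1
    # 4. The security trade-off: an unrelated outside host uses the same mapping.
    unsolicited = nat.inbound(stranger, pc1_public) == pc1
    return {
        "server_reply": server_reply,
        "inside_peer": inside_peer,
        "unsolicited_outside": unsolicited,
    }


if __name__ == "__main__":
    for mode in ("napt", "full-cone"):
        print(mode, p2p_reachability(mode))
```

The napt result is the first scenario on this page (PC 2 is dropped); the full-cone result shows the PC 2 download succeeding and, in the last field, the cost of that: the mapping is reachable by any outside host that learns it.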
The configuration of triplet NAT differs little from that of NAPT. The only difference is that the address pool mode is set to full-cone:
HRP_M[FW_A] nat address-group pool_isp1
HRP_M[FW_A-address-group-pool_isp1] mode full-cone global
HRP_M[FW_A-address-group-pool_isp1] section 1.1.1.10 1.1.1.12
HRP_M[FW_A-address-group-pool_isp1] quit
On the USG9500, before configuring triplet NAT, make sure that the hash board selection mode is source address-based hash. The configuration command is as follows:
[FW] firewall hash-mode source-only
The new hash mode takes effect only after the device is restarted.