Application of Firewalls in the Egress Security Solution for Enterprise Campus Networks
Introduction
This section describes how to deploy the firewall as an egress gateway for a large- or medium-sized enterprise network to protect the security of the enterprise network. It describes the most common scenarios and features of the firewall and provides a reference for administrators planning and building the enterprise network.
This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and later versions. Document content may vary according to version.
Solution Overview
Introduction to Enterprise Campus Networks
An enterprise campus network is an intranet of an enterprise or organization. Its routing structure is managed by the enterprise or organization. The network interworks with the WAN and the data center. Partners, mobile employees, and guests access the enterprise intranet through a VPN, the WAN, or the Internet.
An enterprise campus network is generally a non-profit network with a high user density, where large numbers of terminals and users are concentrated in a limited space. The major concerns of an enterprise campus network are availability, ease of use, ease of deployment, and ease of maintenance. Therefore, the topology of enterprise campus networks is mostly a star structure. The ring structure is not often used (ring structures are usually used in the MAN and backbone networks of carriers to save fiber resources).
Figure 1-1 shows the architecture of an enterprise network. For traffic originating from intranet users to the Internet, the traffic needs to pass through the Layer 3 aggregation switch, Layer 3 core switch, and gateway.
Enterprise employees are in different departments based on their business lines. The network must ensure normal Internet access for internal users and keep them secure from attacks. On this basis, Internet access privileges and traffic restrictions must also be defined for different departments. In addition, branch and travelling employees must be able to access the central network for business communication and resource sharing.
- Access layer
The access layer is normally made up of Ethernet switches. It connects various terminals to the campus network. For some terminals, it may be necessary to add specific access devices, for example, APs for wireless access and IADs for POTS access.
- Aggregation layer
Traffic of the access devices and users converges at the aggregation layer and is then forwarded to the core layer. The aggregation layer increases the quantity of users who can access the core layer.
- Core layer
The core layer is responsible for the high-speed interworking of the entire campus network. Specific services are generally not deployed here. The core network must ensure high bandwidth efficiency and quick failure convergence.
- Enterprise campus egress
The enterprise campus egress is a border between the enterprise campus network and the public extranet. Internal users of the campus network are connected to the public network through an edge network. Extranet users (including customers, partners, branches, and remote users) also access the internal network through the edge network.
- Data center
The data center is the area where servers and application systems are deployed. The data center provides data and application services for internal and external users.
- Network management center
The network management center is the area where the network, servers, and applications systems are managed. It provides fault management, configuration management, performance management, and security management.
Application of FWs at the Egress of an Enterprise Campus Network
The FW generally serves as an egress gateway of an enterprise campus network. It provides the following features:
- Hot standby
To improve network availability, two FWs can be deployed at the egress of the enterprise campus network in hot standby mode. When the link of the active FW fails, traffic on the network is switched to the standby FW to ensure normal communication of the intranet and extranet.
- NAT
Because public IPv4 addresses are limited, private addresses are allocated for intranet use, and public addresses are normally not allocated. Therefore, when an internal user needs to access the Internet, address translation is required. The FW is deployed at the egress of the intranet to the Internet to provide NAT functions.
- Security defense
The FW provides attack defense to protect the enterprise network against external attacks.
- Content security
The FW provides intrusion prevention, antivirus, and URL filtering functions to ensure a green environment for the intranet.
- Bandwidth management
The FW provides bandwidth management. It identifies traffic based on the application or user and applies traffic-based control.
Solution Design
Typical Networking
For access to the Internet, the enterprise network environment is challenged by access control, security defense, and egress bandwidth management. The FW is deployed at the egress of the enterprise network to provide a solution and ensure normal service operation.
As shown in Figure 1-2, an enterprise leases two 10G links from two ISPs to provide broadband Internet access. The enterprise also deploys servers in the server area for access of intranet and extranet users.
Two FWs are deployed at the egress of the enterprise network to the Internet as gateways to connect the intranet and extranet and protect the security of the intranet. The upstream interfaces of the two FWs are connected to the two ISPs through aggregation switches; the downstream interfaces of the FWs are connected to the switches in the intranet and the server area through Layer 3 core switches.
An enterprise has many employees and business lines. The traffic on the enterprise network is varied. When the intranet of the enterprise is connected to the Internet, the following targets and challenges must be considered:
- The egress gateway must be highly available. Two devices should be deployed in hot standby mode to avoid a single point of failure. When one device fails, the other takes over its work, ensuring that normal services are not interrupted.
- The enterprise leases two links from two ISPs. Therefore, the gateway must be able to identify traffic based on applications and distribute different types of traffic to the appropriate links to improve link efficiency and avoid network congestion.
- Enterprise employees are in different business lines, including R&D, marketing, production, and management. Therefore, access control policies are defined for the egress gateways based on users/departments and applications according to the business needs of the departments.
- To enable a large number of intranet users to access the Internet using public addresses, the egress gateway must be capable of translating private addresses to public addresses.
- User and department information is stored in the gateway to provide the organizational structure of the enterprise for reference of policies. AD servers are deployed in the server area to facilitate user-based network behavior control and network permission planning.
- Extranet users can access the web servers and FTP servers.
- The enterprise intranet faces unauthorized access and all kinds of attacks and intrusions from the Internet. Therefore, the egress gateway must be able to defend against viruses, worms, Trojan horses, and zombies to protect the security of the enterprise network. In addition, websites accessible by the enterprise employees must be controlled by filtering, prohibiting access to all adult and illegal websites.
- The egress gateway must be able to defend against SYN flood, UDP flood, and malformed packet attacks targeting the intranet.
- The egress gateway must be capable of application-based traffic control to restrict traffic that takes up much network bandwidth (such as P2P traffic) and ensure normal operation of critical services. In addition, the egress gateway can provide differentiated bandwidth management based on users/departments.
- The network must ensure secure access to the ERP and email systems of the enterprise for travelling and home-based R&D employees. It should also ensure that travelling and home-based senior managers and marketing employees can complete their office work as if they were on the intranet.
Service Planning
Planning of Interfaces and Security Zones
As shown in the following figure, one firewall has five interfaces that are connected to different security zones. Therefore, the five interfaces need to be assigned to different security zones.
- GE1/0/1 is connected to the ISP1 link and assigned to the ISP1 zone. The ISP1 zone needs to be created, and its priority is 15.
- GE1/0/2 is connected to the ISP2 link and assigned to the ISP2 zone. The ISP2 zone needs to be created, and its priority is 20.
- GE1/0/3 and GE2/0/1, which are connected to the core router, form Eth-Trunk1 and are assigned to the Heart zone. The Heart zone needs to be created, and its priority is 75.
- GE1/0/4 is connected to the server area and assigned to the Trust zone. The Trust zone is a default security zone of the firewall. Its priority is 85.
- GE1/0/5 is a Layer 2 mirroring interface that receives the mirrored AD authentication packets.
Hot Standby Planning
One ISP provides one link, and one link cannot be directly connected to two firewalls. Therefore, it is necessary to deploy an egress aggregation switch between the ISP and the firewalls. The egress aggregation switch can split one ISP link into two links and then connect the two links to the upstream interfaces of the two firewalls. OSPF runs between the firewalls and downstream core switches. The two firewalls are connected to the upstream interfaces of the two core switches.
To save public IP addresses, private IP addresses are planned for the upstream interfaces of the firewalls. However, the address of a VRRP group must be a public address allocated by the ISP to enable the communication with the ISP.
Item | Data | Description
---|---|---
FW_A | Interface GE1/0/1 | Interface connecting FW_A to the upstream L2 switch. It is connected to ISP1 and assigned to the ISP1 security zone.
FW_A | Interface GE1/0/2 | Interface connecting FW_A to the upstream L2 switch. It is connected to ISP2 and assigned to the ISP2 security zone.
FW_A | Interface Eth-Trunk1 | Heartbeat interface connected to FW_B. It is assigned to the Heart security zone.
FW_A | Interface GE1/0/4 | Interface connecting FW_A to the downstream L3 switch. It is assigned to the Trust security zone.
FW_A | VRRP group 1 | VRRP group 1 on FW_A.
FW_A | VRRP group 2 | VRRP group 2 on FW_A.
FW_A | OSPF | OSPF on FW_A.
FW_B | Interface GE1/0/1 | Interface connecting FW_B to the upstream L2 switch. It is connected to ISP1 and assigned to the ISP1 security zone.
FW_B | Interface GE1/0/2 | Interface connecting FW_B to the upstream L2 switch. It is connected to ISP2 and assigned to the ISP2 security zone.
FW_B | Interface Eth-Trunk1 | Heartbeat interface connected to FW_A. It is assigned to the Heart security zone.
FW_B | Interface GE1/0/4 | Interface connecting FW_B to the downstream L3 switch. It is assigned to the Trust security zone.
FW_B | VRRP group 1 | VRRP group 1 on FW_B.
FW_B | VRRP group 2 | VRRP group 2 on FW_B.
FW_B | OSPF | OSPF on FW_B.
Multi-ISP Uplink Selection Planning
When the FW serves as the egress gateway and provides multiple outbound interfaces, the administrator must plan multi-ISP uplink selection. The matching order for multi-ISP uplink selection is PBRs, specific routes, and default routes. For the two ISP links leased by the enterprise for Internet access, ISP1 provides fast Internet access and stable bandwidth but at a higher price; ISP2 is cheap but provides slower access. The enterprise expects that traffic of different applications is forwarded through different links and that Internet traffic is carried over the link of the best transmission quality. Therefore, the global uplink selection policies in the present case include application-based PBR and link quality-based load balancing. Such multi-egress routing planning is as follows:
- Application-based PBR
P2P traffic and web video traffic use much bandwidth. Therefore, the two types of traffic are routed to specific links for forwarding. This is implemented through application-based PBR.
PBRs pbr_1 and pbr_2 are created. All intranet business-service traffic goes out from GE1/0/1 and is forwarded by ISP1 to the Internet. Intranet entertainment traffic, such as video and VoIP traffic, all goes out from GE1/0/2 and is forwarded by ISP2 to the Internet.
- Intelligent uplink selection (link quality-based load balancing)
Because the enterprise requests to use the link of the best transmission quality to carry Internet traffic, the intelligent uplink selection mode is set to link quality-based load balancing. The outbound interfaces of the FWs directly connected to ISP1 and ISP2 are set as the member interfaces for intelligent uplink selection.
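As an added illustration (not part of the original document and not the USG's own code), the following Python model walks one flow through the matching order just described: PBR first, then the most specific route, then the tracked default routes with link-quality-based load balancing. The application labels, the link-quality numbers, the scoring weights, and the 203.0.113.0/24 specific route are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed data modelled on this case (not taken from the FW): ISP1 is the
# faster, more expensive link on GE1/0/1, ISP2 the cheaper one on GE1/0/2.
LINK_QUALITY = {                 # interface -> (delay ms, jitter ms, loss %)
    "GE1/0/1": (20.0, 2.0, 0.1),
    "GE1/0/2": (60.0, 8.0, 1.5),
}
ALL_LINKS_UP = {"ip_link_1": True, "ip_link_2": True}


@dataclass(frozen=True)
class PbrRule:
    name: str
    source_zone: str
    applications: frozenset       # application categories the rule matches
    track: str                    # IP-link whose failure disables the rule
    egress: str


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    egress: str
    track: Optional[str] = None


# pbr_1 and pbr_2 as planned above; the application labels are assumed names.
PBR_RULES = (
    PbrRule("pbr_1", "trust", frozenset({"Business_Systems"}), "ip_link_1", "GE1/0/1"),
    PbrRule("pbr_2", "trust", frozenset({"Entertainment/VoIP", "Entertainment/PeerCasting"}),
            "ip_link_2", "GE1/0/2"),
)

# The two tracked default routes of this case, plus one assumed specific route to
# show that a longer prefix is preferred over the defaults.
ROUTES = (
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "GE1/0/1", "ip_link_1"),
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "GE1/0/2", "ip_link_2"),
    StaticRoute(ipaddress.ip_network("203.0.113.0/24"), "GE1/0/1", "ip_link_1"),
)


def link_score(iface: str) -> float:
    """Simplified quality score, lower is better. The FW combines delay, jitter
    and loss according to its priority-of-link-quality parameters; the weights
    used here are an assumption for illustration only."""
    delay, jitter, loss = LINK_QUALITY[iface]
    return delay + jitter + 10.0 * loss


def select_egress(source_zone: str, application: str, dst: str, link_up=None):
    """Pick the egress interface for one flow in the order PBR, specific route,
    default route. Returns (interface, reason)."""
    link_up = ALL_LINKS_UP if link_up is None else link_up

    # 1. PBR: first rule whose zone and application match and whose tracked link is up.
    for rule in PBR_RULES:
        if (rule.source_zone == source_zone and application in rule.applications
                and link_up[rule.track]):
            return rule.egress, f"pbr:{rule.name}"

    # 2. Routing table: ignore routes whose tracked IP-link is down, then longest prefix.
    dst_ip = ipaddress.ip_address(dst)
    usable = [r for r in ROUTES
              if dst_ip in r.prefix and (r.track is None or link_up[r.track])]
    if not usable:
        return None, "no-route"
    longest = max(r.prefix.prefixlen for r in usable)
    candidates = [r for r in usable if r.prefix.prefixlen == longest]
    if longest > 0:
        return candidates[0].egress, f"specific:{candidates[0].prefix}"

    # 3. Equal-cost default routes: link-quality-based load balancing among the
    #    member interfaces picks the link with the best current score.
    best = min(candidates, key=lambda r: link_score(r.egress))
    return best.egress, "default:link-quality"
```

Passing a `link_up` dict with `ip_link_2` set to False shows the failover the IP-link tracking provides: VoIP traffic that pbr_2 would normally steer to ISP2 falls through to the remaining default route on ISP1.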
User Authentication Planning
R&D employees and marketing employees can log in to the AD domain using their domain accounts and passwords and access network resources without further authentication. The user information of new employees may have been created in the AD server but not stored in the FW. Therefore, it is required that the user information be imported to the FW according to the organizational structure in the AD server after the users are authenticated.
- Configure the AD server on the FW, and ensure normal communication between the FW and AD server.
- Configure an authentication domain on the FW, setting the name of the authentication domain to the domain name on the AD server.
- Configure the server import policy on the FW to import the user information in the AD server to the FW.
- Configure the new-user option of the authentication domain so that an authenticated user who does not yet exist on the FW logs in as a temporary user.
- Configure SSO parameters on the FW, ensuring that the FW monitors the authentication result packet sent by the AD server to the user PC.
In the present case, the authentication packet does not pass through the FW. Therefore, it is necessary to mirror the authentication result packet sent by the AD server to the user PC.
- Set the online user aging time to 480 minutes to avoid frequent sign-on authentication due to the aging of online connections during business hours (assuming 8 hours).
- Configure port mirroring on the switch to mirror the authentication packets to the FW.
Item | Data | Description
---|---|---
AD server | | Configure the AD server on the FW. This is to set the parameters used for communication between the FW and the AD server. The parameters set here must be consistent with those set on the AD server.
Import policy | | Import user information from the AD server to the FW.
AD single sign-on | | Configure single sign-on parameters on the FW to receive user sign-on information sent by the AD server.
Security Policy Planning
Different security policies are configured for different user groups to control the Internet permissions for users of different departments:
- Senior managers can access the Internet freely.
- Marketing employees can access the Internet but cannot play games or watch videos on the Internet.
- R&D employees can access the Internet but cannot carry out entertainment activities, including games, IM chatting, video calls, voice calls, and access to social websites.
In addition, antivirus, IPS, and URL filtering profiles can be included in the security policies to defend against attacks of viruses, worms, Trojan horses, and Botnet and filter websites.
Normally, you can just use the default antivirus and IPS profiles. Create a URL filtering profile, setting the URL filtering control level to "medium", which can restrict the access to all adult and illegal websites.
Item | Data | Description
---|---|---
Security policy for senior management | | The security policy policy_sec_management allows senior managers to access the Internet freely.
Security policy 1 for marketing | | The security policy policy_sec_marketing_1 prohibits marketing employees from playing games through the Internet. Game indicates game applications. Media_Sharing indicates media sharing.
Security policy 2 for marketing | | The security policy policy_sec_marketing_2 allows marketing employees to access the Internet.
Security policy 1 for R&D | | The security policy policy_sec_research_1 prohibits R&D employees from entertainment activities through the Internet. Entertainment indicates entertainment applications.
Security policy 2 for R&D | | The security policy policy_sec_research_2 allows R&D employees to access the Internet.
IPSec security policy 1 | | The security policy policy_sec_ipsec_1 allows setup of IPSec tunnels between the NGFWs of the headquarters and branches.
IPSec security policy 2 | | The security policy policy_sec_ipsec_2 allows headquarters employees to access branch employees through IPSec tunnels. The source address/region is the network segment of the headquarters employees, and the destination address/region is the network segment of the branch employees.
IPSec security policy 3 | | The security policy policy_sec_ipsec_3 allows branch employees to access headquarters employees through IPSec tunnels. The source address/region is the network segment of the branch employees.
Security policy 1 for L2TP over IPSec | | The security policy policy_sec_l2tp_ipsec_1 allows headquarters employees to access mobile employees. The destination address is the network segment of the L2TP address pool.
Security policy 2 for L2TP over IPSec | | The security policy policy_sec_l2tp_ipsec_2 allows mobile employees to access the enterprise intranet.
Security policy for server access of extranet users | | The security policy policy_sec_server allows extranet users to access intranet servers of the enterprise network. The destination address/region is the mapped-to private IP address of a server.
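The following Python model is added here and is not taken from the document or from the USG software. It evaluates the department policies of the table above as an ordered first-match list, with an implicit default deny, and includes a lint check for a deny rule that an earlier broad permit rule for the same group would shadow. The group paths and application labels are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    user_group: str                              # user group the rule applies to
    applications: FrozenSet[str] = frozenset()   # application categories; empty = any
    action: str = "permit"                       # "permit" or "deny"
    profiles: Tuple[str, ...] = ()               # content-security profiles on permit rules


# Constructed ordered policy list modelled on the planning table: each department's
# deny rule is listed before its broad permit rule, because the first match wins.
CONTENT = ("av", "ips", "url_medium")
POLICIES = [
    SecurityPolicy("policy_sec_management", "/default/management", profiles=CONTENT),
    SecurityPolicy("policy_sec_marketing_1", "/default/marketing",
                   frozenset({"Game", "Media_Sharing"}), "deny"),
    SecurityPolicy("policy_sec_marketing_2", "/default/marketing", profiles=CONTENT),
    SecurityPolicy("policy_sec_research_1", "/default/research",
                   frozenset({"Entertainment"}), "deny"),
    SecurityPolicy("policy_sec_research_2", "/default/research", profiles=CONTENT),
]


def matches(policy: SecurityPolicy, group: str, application: str) -> bool:
    return (policy.user_group == group
            and (not policy.applications or application in policy.applications))


def evaluate(policies: List[SecurityPolicy], group: str, application: str):
    """First matching rule decides; a flow no rule matches hits the default deny."""
    for p in policies:
        if matches(p, group, application):
            return p.action, p.name, p.profiles
    return "deny", "default", ()


def shadowed_denies(policies: List[SecurityPolicy]) -> List[Tuple[str, str]]:
    """Report deny rules that can never match because an earlier rule for the same
    group matches every application (the ordering slip that would silently
    re-enable games for marketing). Returns (deny rule, shadowing rule) pairs."""
    found = []
    for i, later in enumerate(policies):
        if later.action != "deny":
            continue
        for earlier in policies[:i]:
            if earlier.user_group == later.user_group and not earlier.applications:
                found.append((later.name, earlier.name))
                break
    return found
```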
NAT Planning
The enterprise has 500 employees but limited public IP addresses. To enable a large number of intranet users to access the Internet with the limited public addresses, it is necessary to deploy source NAT on the FW to translate the source addresses of packets from intranet users to the Internet from private addresses to public addresses.
In addition, the enterprise network provides web servers and FTP servers for public network users.
However, because the servers are deployed inside the enterprise network, it is necessary to configure server mapping to map the private IP address of a server to a public address.
Item | Data | Description
---|---|---
NAT policy for traffic to branches | NAT policy | NAT is not performed for traffic to the branches (destination IP address: 192.168.1.0/24). This traffic is routed directly to the IPSec tunnel.
NAT policy for traffic to the Internet | NAT policy; NAT address pool | NAT is performed for traffic to the Internet. The source address is translated from a private IP address to a public IP address in the address pool. The four IP addresses, 1.1.1.1 to 1.1.1.4, obtained from the carrier are used as addresses in the NAT address pool.
Web server mapping policy | | With this mapping, extranet users can access 1.1.1.5 and 2.2.2.6, and traffic to port 8080 can be routed to the intranet web server. The private address of the web server is 10.2.0.10, and its private port number is 80.
FTP server mapping policy | | With this mapping, extranet users can access 1.1.1.6 and 2.2.2.6, and traffic to port 21 can be routed to the intranet FTP server. The private address of the FTP server is 10.2.0.811, and its private port number is 21.
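An added Python model (not the document's own configuration or the device's code) of the three NAT behaviours planned above: the no-NAT match for branch traffic is evaluated before source NAT, source NAT uses port translation over the 1.1.1.1 to 1.1.1.4 pool, and inbound server mappings publish the web and FTP servers. The FTP server's private address, the pool-selection hash and the port-allocation scheme are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed from the NAT planning of this case.
BRANCH_NET = ipaddress.ip_network("192.168.1.0/24")       # reached through the IPSec tunnel
NAT_POOL = [ipaddress.ip_address(f"1.1.1.{i}") for i in range(1, 5)]   # 1.1.1.1 to 1.1.1.4
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # intranet sources eligible for NAT

FTP_PRIVATE = "10.2.0.11"   # assumed placeholder for the FTP server's private address
SERVER_MAP = {              # (public address, public port) -> (private address, private port)
    ("1.1.1.5", 8080): ("10.2.0.10", 80),
    ("1.1.1.6", 21): (FTP_PRIVATE, 21),
}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Source NAT with port translation (PAT) over a small pool. The precise no-NAT
    match is checked first so that VPN-bound traffic keeps its private source,
    which is the precaution the document gives for NAT combined with IPSec."""

    def __init__(self) -> None:
        self.next_port = 10240          # assumed start of the translated port range
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}   # private -> translated

    def outbound(self, f: Flow) -> Tuple[Flow, str]:
        src_ip, dst_ip = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        # 1. No-NAT rule: traffic to the branch segment is left untouched.
        if dst_ip in BRANCH_NET:
            return f, "no-nat:branch"
        # 2. Only private intranet sources fall under the source NAT policy.
        if not any(src_ip in n for n in PRIVATE_NETS):
            return f, "no-match"
        # 3. Allocate (or reuse) a pool address and a translated port for this source.
        key = (f.src, f.sport)
        if key not in self.table:
            pool_ip = NAT_POOL[int(src_ip) % len(NAT_POOL)]   # spread sources over the pool
            self.table[key] = (str(pool_ip), self.next_port)
            self.next_port += 1
        new_src, new_port = self.table[key]
        return Flow(new_src, new_port, f.dst, f.dport), "snat"


def inbound(public_ip: str, public_port: int) -> Optional[Tuple[str, int]]:
    """Server mapping for extranet clients; anything not explicitly published is dropped."""
    return SERVER_MAP.get((public_ip, public_port))
```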
Bandwidth Management Planning
The total bandwidth is 20 Gbit/s. To ensure bandwidth for normal work, it is necessary to configure a traffic policy that restricts P2P traffic. In addition, different traffic profiles and traffic policies are also needed for different intranet users.
- The maximum upstream bandwidth for P2P traffic between intranet users and the Internet is 2 Gbit/s, and the maximum downstream bandwidth is 6 Gbit/s, to avoid the consumption of large quantities of bandwidth resources.
- To ensure the normal operation of email and ERP applications during business hours, bandwidth for such traffic is at least 4 Gbit/s.
- For Internet access of senior managers, the minimum upstream and downstream bandwidth is 200 Mbit/s, and the maximum downstream bandwidth per user is 20 Mbit/s.
Item | Data | Description
---|---|---
Traffic policy restricting P2P traffic | Traffic policy; Traffic profile | The P2P online video and P2P file sharing applications are selected, which are P2P media and P2P download.
Traffic policy ensuring major services | Traffic policy; Traffic profile | The Outlook Web Access and LotusNotes applications are selected, which are email applications.
Traffic policy for senior management | Traffic policy; Traffic profile | -
Attack Defense
Attack defense should be enabled on the FW for security defense. The recommended configuration is as follows:
```
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
```
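As an added example (not from the document and not the device's implementation), the following Python function applies the single-packet checks behind the eight defenses listed above to a constructed packet summary, so the reader can see what each `firewall defend` keyword is matching on. The packet fields, the intranet segment 10.1.0.0/16 and the simplified fragment arithmetic are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    """Constructed packet summary with only the fields the checks below need."""
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    tcp_flags: Tuple[str, ...] = ()
    frag_offset: int = 0              # offset of this fragment in bytes
    length: int = 0                   # IP payload bytes carried by this fragment
    ip_options: Tuple[int, ...] = ()  # IP option type codes present in the header


LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed intranet segment behind GE1/0/4

# IP option type codes (IANA): record route, timestamp, loose and strict source route.
OPT_RECORD_ROUTE, OPT_TIMESTAMP, OPT_LSRR, OPT_SSRR = 7, 68, 131, 137


def is_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip == LOCAL_NET.broadcast_address or ip == ipaddress.ip_address("255.255.255.255")


def defend(p: Packet) -> List[str]:
    """Return the names of the defenses in the list above that this packet trips."""
    hits = []
    if p.src == p.dst:
        hits.append("land")                  # source address spoofed equal to destination
    if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst):
        hits.append("smurf")                 # echo request aimed at a broadcast address
    if p.proto == "udp" and is_broadcast(p.dst) and p.dport in (7, 19):
        hits.append("fraggle")               # echo/chargen amplification via broadcast
    if p.proto == "tcp" and p.dport == 139 and "URG" in p.tcp_flags:
        hits.append("winnuke")               # out-of-band data to the NetBIOS session port
    if p.proto == "icmp" and p.frag_offset + p.length > 65535:
        hits.append("ping-of-death")         # reassembled datagram would exceed the IP maximum
    if OPT_LSRR in p.ip_options or OPT_SSRR in p.ip_options:
        hits.append("source-route")          # sender-dictated path through the network
    if OPT_RECORD_ROUTE in p.ip_options:
        hits.append("route-record")          # option that leaks internal routing topology
    if OPT_TIMESTAMP in p.ip_options:
        hits.append("time-stamp")            # option that leaks internal clock information
    return hits
```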
IPSec Planning
For branch employees, IPSec VPN is needed to ensure secure communication with headquarters employees and access to the headquarters servers. If there are not many branches, point-to-point IPSec VPN in IKE mode is recommended. In the case of many branches, point-to-multipoint IPSec VPN is recommended.
Item | Data | Description
---|---|---
IPSec policy for headquarters FW_A | IPSec policy |
IPSec policy for branch FW_C | IPSec policy |
To ensure access of mobile and home-office employees to the enterprise network, L2TP over IPSec is needed.
Item | Data
---|---
FW_A (LNS) | Port number: GigabitEthernet 1/0/1; IP address: 1.1.1.2/24; Security zone: ISP1
FW_A (LNS) | Port number: GigabitEthernet 1/0/4; IP address: 10.1.1.1/16; Security zone: Trust
FW_A (LNS) | Virtual-Template port: Port number: Virtual-Template 1; IP address: 10.11.1.1/24
FW_A (LNS) | L2TP configuration: Authentication mode: CHAP and PAP; Tunnel authentication: enable; Tunnel peer name: client1; Tunnel local name: lns; Tunnel password: Password@123
FW_A (LNS) | Address pool and user configuration: IP pool 1; Address range: 10.1.1.2 to 10.1.1.100; Name for user authentication: vpdnuser; Password for user authentication: Hello123
FW_A (LNS) | IPSec configuration: Use the LNS server's IP address: enable; Encapsulation mode: tunnel; Security protocol: ESP; ESP authentication algorithm: SHA-1; ESP encryption algorithm: AES-128; NAT traversal: enable
LAC | L2TP configuration: Authentication mode: CHAP; Tunnel name: client1
LAC | User configuration: Name for user authentication: vpdnuser; Password for user authentication: Hello123
LAC | IPSec configuration: Pre-shared key: Test!1234; Peer address: 1.1.1.2
Precautions
Intelligent Uplink Selection
For versions earlier than V500R001C30SPC600, global intelligent uplink selection and PBR intelligent uplink selection cannot be used together with IP address spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP address spoofing defense or URPF is enabled, the FW may drop packets.
Hot Standby
- When hot standby runs together with IPSec, the upstream and downstream tunneling interfaces of the active and standby devices must be Layer 3 interfaces.
- When hot standby runs together with IPSec, the hot standby configuration and IPSec configuration are the same as they run alone.
- IPSec policy configuration of the active firewall is automatically replicated to the standby firewall, but the configuration on interfaces is not replicated. Therefore, it is necessary to apply the replicated IPSec policy on the egress interface of the standby firewall.
- If the local device is the initiator of an IPSec tunnel, the tunnel local ip-address command must be run to set the local address that initiates negotiation to the virtual IP address of the VRRP group.
Security and Applications
- Intrusion prevention is available regardless of whether the firewall is licensed. When no license is available, intrusion prevention can run by means of user-defined signatures.
- When the license expires or is deactivated, the existing intrusion prevention signature database and user-defined signatures can still be used, but the signature database cannot be updated.
- Update of the intrusion prevention signature database requires license support. After the license is loaded, the signature database needs to be loaded manually.
- After the intrusion prevention signature database is updated, if an old predefined signature is not in the new signature database, all configuration related to the signature is not effective.
- Update of the antivirus function and its signature database also requires license support. Before a license is loaded, the antivirus function can be configured but the configuration does not take effect. After the license is loaded, the AV signature database needs to be loaded manually. Otherwise, the antivirus function cannot work normally. After the license expires, the antivirus function can continue functioning but the AV signature database cannot be updated. For better security protection, it is recommended that you purchase a new license.
- The AV signature database is updated frequently. To keep the antivirus function effective, it is recommended that you update the signature database periodically.
- In IPv6 networking, no antivirus function is available for IMAP, SMTP, and POP3 services.
- For files whose transfer is resumed from the last disconnected location, antivirus detection is not available.
- In a networking environment where the paths for packets in the two directions are different, the detection of network intrusions may not be effective, and no antivirus function is available for SMTP and POP3 services.
- Predefined applications depend on the embedded application signature database of the system. Because new applications keep emerging, when a new application cannot be identified using the embedded application signature database, it is recommended that you update the application signature database.
User and Authentication
Users are organized into multiple tree structures with an authentication domain being the top-level node. Note the following:
- For a command referencing a user or security group in a non-default authentication domain to run, the command must carry "@authentication domain name". For example, "user1@test" represents the user user1 in the test authentication domain, and "secgroup1@test" represents the security group secgroup1 in the test authentication domain.
- User related actions, including creating a user, moving a user, and importing a user from the server, are all based on one authentication domain. Inter-domain actions are not supported.
NAT Policies
- When configuring the two source NAT mechanisms, NAT No-PAT and triplet NAT, do not set the address of a firewall interface to an address in the NAT address pool to avoid impact on access to the firewall itself.
- When NAT and VPN functions work together, define precise matching conditions for NAT policies to ensure that NAT is not performed for packets requiring VPN encapsulation.
IPSec VPN
- When the IPSec proposal is configured, the security protocol, authentication algorithm, encryption algorithm, and packet encapsulation must be exactly the same at both ends of the IPSec tunnel.
- It is recommended that the MTU on the interface where an IPSec security policy group is applied be no smaller than 256 bytes. This is because the size of IP packets increases after IPSec processing, and the added overhead varies with the encapsulation mode, security protocol, authentication algorithm, and encryption algorithm (at most slightly over 100 bytes). If the MTU is too small, large IP packets will be fragmented. When there are too many fragments, the peer device may have problems processing the received fragments.
- When both IPSec and NAT are configured, NAT cannot be performed for IPSec traffic, and no-NAT is required.
Solution Configuration
Configuration Procedure
Procedure
- Configure IP addresses for interfaces.
# Configure IP addresses for the interfaces of FW_A.
```
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.2 24
[FW_A-GigabitEthernet1/0/1] gateway 1.1.1.254
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 2.2.2.2 24
[FW_A-GigabitEthernet1/0/2] gateway 2.2.2.254
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface eth-trunk 1
[FW_A-Eth-Trunk1] ip address 10.10.0.1 24
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/3
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 2/0/1
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] ip address 10.1.1.1 16
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] portswitch
[FW_A-GigabitEthernet1/0/5] quit
```
# Similarly, configure IP addresses of the interfaces of FW_B.
- Assign the interfaces to security zones.
# Create the security zones ISP1, ISP2, and Heart on FW_A, and set their priorities to 15, 20, and 75 respectively.
```
[FW_A] firewall zone name ISP1
[FW_A-zone-ISP1] set priority 15
[FW_A-zone-ISP1] quit
[FW_A] firewall zone name ISP2
[FW_A-zone-ISP2] set priority 20
[FW_A-zone-ISP2] quit
[FW_A] firewall zone name Heart
[FW_A-zone-Heart] set priority 75
[FW_A-zone-Heart] quit
```
# Assign the interfaces of FW_A to the security zones.
```
[FW_A] firewall zone ISP1
[FW_A-zone-ISP1] add interface GigabitEthernet 1/0/1
[FW_A-zone-ISP1] quit
[FW_A] firewall zone ISP2
[FW_A-zone-ISP2] add interface GigabitEthernet 1/0/2
[FW_A-zone-ISP2] quit
[FW_A] firewall zone Heart
[FW_A-zone-Heart] add interface Eth-Trunk 1
[FW_A-zone-Heart] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/4
[FW_A-zone-trust] add interface GigabitEthernet 1/0/5
[FW_A-zone-trust] quit
```
# Similarly, assign the interfaces of FW_B to the security zones.
- Configure default routes.
# Configure the IP-links, checking whether the links provided by the ISPs are normal.
```
[FW_A] ip-link check enable
[FW_A] ip-link name ip_link_1
[FW_A-iplink-ip_link_1] destination 1.1.1.254 interface GigabitEthernet1/0/1
[FW_A-iplink-ip_link_1] quit
[FW_A] ip-link name ip_link_2
[FW_A-iplink-ip_link_2] destination 2.2.2.254 interface GigabitEthernet1/0/2
[FW_A-iplink-ip_link_2] quit
```
# Configure two default routes on FW_A, and set their next hops respectively to the access points of the two ISPs.
```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
[FW_A] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
```
# Similarly, configure the IP-links and default routes on FW_B.
- Configure intelligent uplink selection.
# Configure global intelligent uplink selection and set load balancing based on link quality.
```
[FW_A] multi-interface
[FW_A-multi-inter] mode priority-of-link-quality
[FW_A-multi-inter] add interface GigabitEthernet1/0/1
[FW_A-multi-inter] add interface GigabitEthernet1/0/2
[FW_A-multi-inter] priority-of-link-quality protocol tcp-simple
[FW_A-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW_A-multi-inter] priority-of-link-quality interval 3 times 5
[FW_A-multi-inter] priority-of-link-quality table aging-time 60
[FW_A-multi-inter] quit
```
# Similarly, configure intelligent uplink selection on FW_B.
- Configure PBR.
# Configure application-based PBR on FW_A.
```
[FW_A] policy-based-route
[FW_A-policy-pbr] rule name pbr_1
[FW_A-policy-pbr-rule-pbr_1] description pbr_1
[FW_A-policy-pbr-rule-pbr_1] source-zone trust
[FW_A-policy-pbr-rule-pbr_1] application category Business_Systems
[FW_A-policy-pbr-rule-pbr_1] track ip-link ip_link_1
[FW_A-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.254
[FW_A-policy-pbr-rule-pbr_1] quit
[FW_A-policy-pbr] rule name pbr_2
[FW_A-policy-pbr-rule-pbr_2] description pbr_2
[FW_A-policy-pbr-rule-pbr_2] source-zone trust
[FW_A-policy-pbr-rule-pbr_2] application category Entertainment sub-category VoIP
[FW_A-policy-pbr-rule-pbr_2] application category Entertainment sub-category PeerCasting
[FW_A-policy-pbr-rule-pbr_2] track ip-link ip_link_2
[FW_A-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet 1/0/2 next-hop 2.2.2.254
[FW_A-policy-pbr-rule-pbr_2] quit
```
# Similarly, configure PBR on FW_B.
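The three pieces configured so far (IP-link probes, PBR rules tracking an IP-link, and link-quality based selection for everything else) interact in a fixed order when a new flow arrives. The following model, added here as an illustration and not Huawei code, walks a flow through that order: a PBR rule applies only while its tracked IP-link is up, a default route is withdrawn when its IP-link fails, and the remaining candidates are ranked by delay, jitter and loss. The probe samples and the scoring weights are constructed assumptions; the firewall's own scoring formula is not published on this page.

```python
"""Egress decision model for the dual-ISP design on FW_A (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Link:
    interface: str        # egress interface, e.g. GigabitEthernet1/0/1
    next_hop: str         # ISP access point probed by the ip-link
    ip_link_up: bool      # result of the ip-link probe to next_hop
    rtt_ms: List[float]   # constructed probe samples ("interval 3 times 5")
    lost: int             # probes in the same window that got no answer

    def metrics(self) -> Tuple[float, float, float]:
        """delay = mean RTT, jitter = RTT standard deviation, loss = ratio."""
        total = len(self.rtt_ms) + self.lost
        return mean(self.rtt_ms), pstdev(self.rtt_ms), self.lost / total


@dataclass
class PbrRule:
    name: str
    source_zone: str
    applications: Set[str]  # "Category" or "Category/Sub-category"
    track: str              # ip-link the rule is tied to
    egress: str


# Constructed link state: ip_link_2 is up but jittery and dropped one probe.
LINKS: Dict[str, Link] = {
    "ip_link_1": Link("GigabitEthernet1/0/1", "1.1.1.254", True, [20, 22, 21, 20, 23], 0),
    "ip_link_2": Link("GigabitEthernet1/0/2", "2.2.2.254", True, [15, 40, 16, 38, 17], 1),
}

# The two PBR rules from the procedure, in configuration order.
PBR: List[PbrRule] = [
    PbrRule("pbr_1", "trust", {"Business_Systems"}, "ip_link_1", "GigabitEthernet1/0/1"),
    PbrRule("pbr_2", "trust", {"Entertainment/VoIP", "Entertainment/PeerCasting"},
            "ip_link_2", "GigabitEthernet1/0/2"),
]


def app_matches(rule_apps: Set[str], app: str) -> bool:
    """A category entry matches every sub-category beneath it."""
    return app in rule_apps or app.split("/")[0] in rule_apps


def quality_score(link: Link) -> float:
    """Lower is better. Weights are an assumption: loss must dominate so a
    lossy but fast link is never preferred over a clean one."""
    delay, jitter, loss = link.metrics()
    return delay + 2 * jitter + 1000 * loss


def select_egress(source_zone: str, app: str,
                  links: Dict[str, Link] = LINKS,
                  pbr: List[PbrRule] = PBR) -> Tuple[Optional[str], str]:
    """Return (egress interface, reason) for a new flow."""
    # 1. PBR is consulted before the routing table; a rule whose tracked
    #    ip-link is down is skipped, so its traffic falls back to routing.
    for rule in pbr:
        if rule.source_zone == source_zone and app_matches(rule.applications, app):
            if links[rule.track].ip_link_up:
                return rule.egress, "pbr:" + rule.name
    # 2. Routing: a link's default route stays valid only while its tracked
    #    ip-link is up; among the valid links, pick the best quality.
    usable = [link for link in links.values() if link.ip_link_up]
    if not usable:
        return None, "no-route"
    best = min(usable, key=quality_score)
    return best.interface, "link-quality"
```

The case worth testing before go-live is the fallback: when ip_link_1 fails, Business_Systems traffic must leave via ISP2 rather than being black-holed, which only happens because the PBR rule is tracked and the ISP1 default route is tracked by the same probe.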
- Configure OSPF.
# Configure OSPF on FW_A.
[FW_A] router id 1.1.1.2
[FW_A] ospf 100
[FW_A-ospf-100] default-route-advertise
[FW_A-ospf-100] area 0
[FW_A-ospf-100-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[FW_A-ospf-100-area-0.0.0.0] network 10.1.0.0 0.0.255.255
[FW_A-ospf-100-area-0.0.0.0] quit
[FW_A-ospf-100] quit
# Configure OSPF on FW_B.
[FW_B] router id 2.2.2.3
[FW_B] ospf 100
[FW_B-ospf-100] default-route-advertise
[FW_B-ospf-100] area 0
[FW_B-ospf-100-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[FW_B-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.255.255
[FW_B-ospf-100-area-0.0.0.0] quit
[FW_B-ospf-100] quit
- Configure hot standby.
# Configure VRRP groups on FW_A and set their states to Active.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 2.2.2.1 24 active
[FW_A-GigabitEthernet1/0/2] quit
# Specify the heartbeat interface on FW_A and enable hot standby.
[FW_A] hrp interface Eth-Trunk 1 remote 10.10.0.2
[FW_A] hrp enable
# Configure VRRP groups on FW_B and set their states to Standby.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 2.2.2.1 24 standby
[FW_B-GigabitEthernet1/0/2] quit
# Specify the heartbeat interface on FW_B and enable hot standby.
[FW_B] hrp interface Eth-Trunk 1 remote 10.10.0.1
[FW_B] hrp enable
- Configure users, user groups, and their authentication.
# Create groups and users for senior managers.
HRP_M[FW_A] user-manage group /default/management
HRP_M[FW_A-usergroup-/default/management] quit
HRP_M[FW_A] user-manage user user_0001
HRP_M[FW_A-localuser-user_0001] alias Tom
HRP_M[FW_A-localuser-user_0001] parent-group /default/management
HRP_M[FW_A-localuser-user_0001] password Admin@123
HRP_M[FW_A-localuser-user_0001] quit
# Similarly, create the groups marketing, research, and onbusiness, and create all users of every department/group according to the corporate organizational structure.
# Configure the AD server.
The parameters set here must be consistent with those set on the AD server.
HRP_M[FW_A] ad-server template auth_server_ad
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication 10.3.0.251 88
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication ldap-port 389
HRP_M[FW_A-ad-auth_server_ad] ad-server user-filter sAMAccountName
HRP_M[FW_A-ad-auth_server_ad] ad-server group-filter ou
HRP_M[FW_A-ad-auth_server_ad] quit
# Configure the authentication domain.
HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] domain cce.com
HRP_M[FW_A-aaa-domain-cce.com] service-type internetaccess
HRP_M[FW_A-aaa-domain-cce.com] quit
HRP_M[FW_A-aaa] quit
# Configure the import-from-server policy, and import users.
HRP_M[FW_A] user-manage import-policy policy_import from ad
HRP_M[FW_A-import-policy_import] server template auth_server_ad
HRP_M[FW_A-import-policy_import] server basedn dc=cce,dc=com
HRP_M[FW_A-import-policy_import] destination-group /cce.com
HRP_M[FW_A-import-policy_import] user-attribute sAMAccountName
HRP_M[FW_A-import-policy_import] import-type user-group
HRP_M[FW_A-import-policy_import] import-override enable
HRP_M[FW_A-import-policy_import] quit
HRP_M[FW_A] execute user-manage import-policy policy_import
# Configure the new user option of the authentication domain.
HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] domain cce.com
HRP_M[FW_A-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
HRP_M[FW_A-aaa-domain-cce.com] quit
HRP_M[FW_A-aaa] quit
# Configure single-sign-on parameters of the AD server.
HRP_M[FW_A] user-manage single-sign-on ad
HRP_M[FW_A-sso-ad] mode no-plug-in
HRP_M[FW_A-sso-ad] no-plug-in traffic server-ip 10.3.0.251 port 88
HRP_M[FW_A-sso-ad] no-plug-in interface GigabitEthernet1/0/5
HRP_M[FW_A-sso-ad] enable
HRP_M[FW_A-sso-ad] quit
# Configure the online user timeout time to 480 minutes.
HRP_M[FW_A] user-manage online-user aging-time 480
- Configure security policies. After hot standby is enabled, the security policies of FW_A are automatically replicated to FW_B.
# Configure URL filtering profile profile_url and set the URL filtering control level to medium.
HRP_M[FW_A] profile type url-filter name profile_url
HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined control-level medium
HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined action allow
HRP_M[FW_A-profile-url-filter-profile_url] quit
# Configure security policies for senior managers.
HRP_M<FW_A> system-view
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec_management
HRP_M[FW_A-policy-security-rule-policy_sec_management] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_management] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_management] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_management] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_management] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_management] profile url-filter profile_url
HRP_M[FW_A-policy-security-rule-policy_sec_management] user user-group /default/management
HRP_M[FW_A-policy-security-rule-policy_sec_management] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_management] quit
# Configure security policies for marketing employees.
HRP_M[FW_A-policy-security] rule name policy_sec_marketing_1
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] user user-group /default/marketing
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Media_Sharing
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Game
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] action deny
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_marketing_2
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile url-filter profile_url
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] user user-group /default/marketing
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] quit
# Configure security policies for R&D employees.
HRP_M[FW_A-policy-security] rule name policy_sec_research_1
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] user user-group /default/research
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] application category Entertainment
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] action deny
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_research_2
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile url-filter profile_url
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] user user-group /default/research
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] quit
# Configure IPSec security policies.
HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone local
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone local
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 3.3.3.1 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 3.3.3.1 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] source-address 10.1.0.0 16
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] quit
HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_3
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] quit
# Configure L2TP over IPSec security policies.
HRP_M[FW_A-policy-security] rule name policy_sec_l2tp_ipsec_1
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] source-address 10.1.1.1 16
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-address range 10.1.1.2 10.1.1.100
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_l2tp_ipsec_2
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] source-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] source-address range 10.1.1.2 10.1.1.100
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] destination-address 10.1.1.1 16
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] quit
# Configure security policies for the AD server.
HRP_M[FW_A-policy-security] rule name local_policy_ad_01
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] source-zone local
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] destination-zone trust
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] destination-address 10.3.0.251 32
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] action permit
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] quit
HRP_M[FW_A-policy-security] rule name local_policy_ad_02
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] source-zone trust
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] destination-zone local
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] source-address 10.3.0.251 32
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] action permit
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] quit
# Configure the security policy that allows extranet users to access the intranet servers.
HRP_M[FW_A-policy-security] rule name policy_sec_server
HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.10 32
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.11 32
HRP_M[FW_A-policy-security-rule-policy_sec_server] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_server] quit
HRP_M[FW_A-policy-security] quit
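The security-policy rules are evaluated top to bottom and the first rule whose conditions all match decides; a flow that matches nothing hits the default deny. That is why each department's deny rule (policy_sec_marketing_1, policy_sec_research_1) must sit above the department's permit rule. The following walk-through is an added example, not firewall code, that re-types the department and server rules above as data and evaluates sample flows against them; the flows and addresses are constructed, and policy_sec_marketing_1 is given the user-group match that the configuration script for FW_A shows.

```python
"""First-match evaluation of the security-policy rule set above (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user_group: Optional[str] = None   # e.g. "/default/marketing"
    app: Optional[str] = None          # "Category" or "Category/Sub-category"


@dataclass
class Rule:
    name: str
    action: str                                        # "permit" or "deny"
    src_zones: Set[str] = field(default_factory=set)
    dst_zones: Set[str] = field(default_factory=set)
    src_nets: Set[str] = field(default_factory=set)
    dst_nets: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    profiles: Set[str] = field(default_factory=set)   # av / ips / url-filter

    def matches(self, f: Flow) -> bool:
        """An empty condition means 'any'; every set condition must hold."""
        def any_or(cond: Set[str], value: Optional[str]) -> bool:
            return not cond or value in cond

        def net_ok(nets: Set[str], ip: str) -> bool:
            return not nets or any(ip_address(ip) in ip_network(n) for n in nets)

        # "application category X" matches every sub-category under X.
        app_ok = not self.apps or (f.app is not None and
                                   (f.app in self.apps or f.app.split("/")[0] in self.apps))
        return (any_or(self.src_zones, f.src_zone) and any_or(self.dst_zones, f.dst_zone)
                and net_ok(self.src_nets, f.src_ip) and net_ok(self.dst_nets, f.dst_ip)
                and any_or(self.user_groups, f.user_group) and app_ok)


ISP = {"ISP1", "ISP2"}
FULL = {"av", "ips", "url-filter"}

# Department, branch and server rules from the procedure, in configuration order.
RULES: List[Rule] = [
    Rule("policy_sec_management", "permit", {"trust"}, ISP,
         user_groups={"/default/management"}, profiles=FULL),
    Rule("policy_sec_marketing_1", "deny", {"trust"}, ISP,
         user_groups={"/default/marketing"},
         apps={"Entertainment/Media_Sharing", "Entertainment/Game"}),
    Rule("policy_sec_marketing_2", "permit", {"trust"}, ISP,
         user_groups={"/default/marketing"}, profiles=FULL),
    Rule("policy_sec_research_1", "deny", {"trust"}, ISP,
         user_groups={"/default/research"}, apps={"Entertainment"}),
    Rule("policy_sec_research_2", "permit", {"trust"}, ISP,
         user_groups={"/default/research"}, profiles=FULL),
    Rule("policy_sec_ipsec_2", "permit", {"trust"}, ISP,
         src_nets={"10.1.0.0/16"}, dst_nets={"192.168.1.0/24"}, profiles={"av", "ips"}),
    Rule("policy_sec_server", "permit", ISP, {"trust"},
         dst_nets={"10.2.0.10/32", "10.2.0.11/32"}),
]


def evaluate(f: Flow, rules: List[Rule] = RULES) -> Tuple[str, str, Set[str]]:
    """Return (rule name, action, content-security profiles) for a flow."""
    for r in rules:
        if r.matches(f):
            return r.name, r.action, r.profiles
    return "default", "deny", set()
```

Swapping the two marketing rules in the list makes a marketing user's game traffic land on policy_sec_marketing_2 and be permitted, which is the kind of ordering mistake this check is meant to catch before the policy is pushed to the pair.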
- Configure NAT. After hot standby is enabled, the NAT policies of FW_A are automatically synchronized to FW_B.
# Configure NAT address pool nataddr.
HRP_M[FW_A] nat address-group nataddr
HRP_M[FW_A-nat-address-group-nataddr] mode pat
HRP_M[FW_A-nat-address-group-nataddr] section 0 1.1.1.1 1.1.1.4
HRP_M[FW_A-nat-address-group-nataddr] route enable
HRP_M[FW_A-nat-address-group-nataddr] quit
# Configure the NAT policy for traffic to the Internet, policy_nat_internet_01 and policy_nat_internet_02.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat_internet_01
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] destination-zone ISP1
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] action source-nat address-group nataddr
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] quit
HRP_M[FW_A-policy-nat] rule name policy_nat_internet_02
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] destination-zone ISP2
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] action source-nat address-group nataddr
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] quit
# Configure NAT policies policy_nat_ipsec_01 and policy_nat_ipsec_02 for traffic to branches.
HRP_M[FW_A-policy-nat] rule name policy_nat_ipsec_01
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] destination-zone ISP1
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] destination-address 192.168.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] action no-nat
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] quit
HRP_M[FW_A-policy-nat] rule name policy_nat_ipsec_02
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] destination-zone ISP2
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] destination-address 192.168.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] action no-nat
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] quit
HRP_M[FW_A-policy-nat] quit
# Configure the NAT server function.
HRP_M[FW_A] nat server for_web_01 zone ISP1 protocol tcp global 1.1.1.5 8080 inside 10.2.0.10 www
HRP_M[FW_A] nat server for_web_02 zone ISP2 protocol tcp global 2.2.2.5 8080 inside 10.2.0.10 www
HRP_M[FW_A] nat server for_ftp_01 zone ISP1 protocol tcp global 1.1.1.6 ftp inside 10.2.0.11 ftp
HRP_M[FW_A] nat server for_ftp_02 zone ISP2 protocol tcp global 2.2.2.6 ftp inside 10.2.0.11 ftp
# Enable NAT ALG for FTP.
HRP_M[FW_A] firewall interzone trust untrust
HRP_M[FW_A-interzone-trust-untrust] detect ftp
HRP_M[FW_A-interzone-trust-untrust] quit
- Configure attack defense. After hot standby is enabled, the attack defense configuration of FW_A is automatically synchronized to FW_B.
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable
- Configure traffic policies. After hot standby is enabled, the traffic policies of FW_A are automatically replicated to FW_B.
# Configure the time range.
HRP_M[FW_A] time-range work_time
HRP_M[FW_A-time-range-work_time] period-range 09:00:00 to 18:00:00 working-day
HRP_M[FW_A-time-range-work_time] quit
# Configure the traffic profile that restricts P2P traffic, profile_p2p.
HRP_M[FW_A] traffic-policy
HRP_M[FW_A-policy-traffic] profile profile_p2p
HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole upstream 2000000
HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole downstream 6000000
HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FW_A-policy-traffic-profile-profile_p2p] quit
# Configure the traffic policy that restricts P2P traffic, policy_bandwidth_p2p.
HRP_M[FW_A-policy-traffic] rule name policy_bandwidth_p2p
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] source-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] destination-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] destination-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] application category Entertainment sub-category PeerCasting
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] application category General_Internet sub-category FileShare_P2P
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] action qos profile profile_p2p
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] quit
# Configure the traffic profile that guarantees the bandwidth for email and ERP applications.
HRP_M[FW_A-policy-traffic] profile profile_email
HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole upstream 4000000
HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole downstream 4000000
HRP_M[FW_A-policy-traffic-profile-profile_email] quit
# Configure the traffic policy that guarantees the bandwidth for email and ERP applications.
HRP_M[FW_A-policy-traffic] rule name policy_email
HRP_M[FW_A-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FW_A-policy-traffic-rule-policy_email] time-range work_time
HRP_M[FW_A-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FW_A-policy-traffic-rule-policy_email] quit
# Configure the traffic profile for senior management.
HRP_M[FW_A-policy-traffic] profile profile_management
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth guaranteed-bandwidth whole upstream 200000
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth guaranteed-bandwidth whole downstream 200000
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth maximum-bandwidth per-ip upstream 20000
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth maximum-bandwidth per-ip downstream 20000
HRP_M[FW_A-policy-traffic-profile-profile_management] quit
# Configure the traffic policy for senior management.
HRP_M[FW_A-policy-traffic] rule name policy_bandwidth_management
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] source-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] source-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] destination-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] user user-group /default/management
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] action qos profile profile_management
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] quit
HRP_M[FW_A-policy-traffic] quit
- Configure IPSec VPN. After hot standby is enabled, the IPSec VPN configuration of FW_A is automatically synchronized to FW_B.
# Configure IPSec on FW_A at the headquarters.
HRP_M[FW_A] acl 3000
HRP_M[FW_A-acl-adv-3000] rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
HRP_M[FW_A-acl-adv-3000] quit
HRP_M[FW_A] ipsec proposal tran1
HRP_M[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
HRP_M[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-128
HRP_M[FW_A-ipsec-proposal-tran1] quit
HRP_M[FW_A] ike proposal 10
HRP_M[FW_A-ike-proposal-10] authentication-method pre-share
HRP_M[FW_A-ike-proposal-10] prf hmac-sha1
HRP_M[FW_A-ike-proposal-10] encryption-algorithm 3des
HRP_M[FW_A-ike-proposal-10] dh group5
HRP_M[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW_A-ike-proposal-10] quit
HRP_M[FW_A] ike peer headquarters
HRP_M[FW_A-ike-peer-headquarters] ike-proposal 10
HRP_M[FW_A-ike-peer-headquarters] pre-shared-key Admin@123
HRP_M[FW_A-ike-peer-headquarters] quit
HRP_M[FW_A] ipsec policy-template temp 1
HRP_M[FW_A-ipsec-policy-templet-temp-1] security acl 3000
HRP_M[FW_A-ipsec-policy-templet-temp-1] proposal tran1
HRP_M[FW_A-ipsec-policy-templet-temp-1] ike-peer headquarters
HRP_M[FW_A-ipsec-policy-templet-temp-1] quit
HRP_M[FW_A] ipsec policy policy1 1 isakmp template temp
HRP_M[FW_A] interface GigabitEthernet 1/0/1
HRP_M[FW_A-GigabitEthernet1/0/1] ipsec policy policy1
HRP_M[FW_A-GigabitEthernet1/0/1] quit
# Configure IPSec on FW_C of a branch.
[FW_C] acl 3000
[FW_C-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
[FW_C-acl-adv-3000] quit
[FW_C] ipsec proposal tran1
[FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[FW_C-ipsec-proposal-tran1] quit
[FW_C] ike proposal 10
[FW_C-ike-proposal-10] authentication-method pre-share
[FW_C-ike-proposal-10] prf hmac-sha1
[FW_C-ike-proposal-10] encryption-algorithm 3des
[FW_C-ike-proposal-10] dh group5
[FW_C-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_C-ike-proposal-10] quit
[FW_C] ike peer branch
[FW_C-ike-peer-branch] ike-proposal 10
[FW_C-ike-peer-branch] pre-shared-key Admin@123
[FW_C-ike-peer-branch] remote-address 1.1.1.1
[FW_C-ike-peer-branch] quit
[FW_C] ipsec policy policy2 1 isakmp
[FW_C-ipsec-policy-isakmp-policy2-1] security acl 3000
[FW_C-ipsec-policy-isakmp-policy2-1] proposal tran1
[FW_C-ipsec-policy-isakmp-policy2-1] ike-peer branch
[FW_C-ipsec-policy-isakmp-policy2-1] quit
[FW_C] interface GigabitEthernet 1/0/1
[FW_C-GigabitEthernet1/0/1] ipsec policy policy2
[FW_C-GigabitEthernet1/0/1] quit
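The headquarters side (FW_A) and the branch side (FW_C) only negotiate a tunnel if the IKE proposal, the IPSec proposal and the pre-shared key agree, and traffic is only placed into the tunnel if the two ACL 3000 rules mirror each other (source and destination swapped). The following check, added here as an example and not part of the firewall, re-types the values from the two procedures above as data and reports any disagreement; the mismatched branch used in the test is constructed.

```python
"""Consistency check for the FW_A / FW_C IPSec settings above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Proposal:
    """IKE proposal 10 plus IPSec proposal tran1, as one comparable unit."""
    ike_encryption: str
    ike_integrity: str
    ike_prf: str
    ike_dh: str
    auth_method: str
    esp_auth: str
    esp_encryption: str


@dataclass
class Peer:
    name: str
    proposal: Proposal
    psk: str
    acl: List[Tuple[str, str]]   # (source, destination) networks in CIDR


def wildcard_to_cidr(net: str, wildcard: str) -> str:
    """Turn the 'source 10.1.0.0 0.0.255.255' operands of an acl rule into
    CIDR. Assumes a contiguous wildcard, which is all this design uses."""
    ones = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return str(ip_network(f"{net}/{32 - ones}", strict=False))


# Values typed in from the two procedures above.
PAGE_PROPOSAL = Proposal("3des", "hmac-sha2-256", "hmac-sha1", "group5",
                         "pre-share", "sha1", "aes-128")

FW_A = Peer("FW_A", PAGE_PROPOSAL, "Admin@123",
            [(wildcard_to_cidr("10.1.0.0", "0.0.255.255"),
              wildcard_to_cidr("192.168.1.0", "0.0.0.255"))])

FW_C = Peer("FW_C", PAGE_PROPOSAL, "Admin@123",
            [(wildcard_to_cidr("192.168.1.0", "0.0.0.255"),
              wildcard_to_cidr("10.1.0.0", "0.0.255.255"))])


def check_pair(hq: Peer, branch: Peer) -> List[str]:
    """Return the list of mismatches; an empty list means both ends agree."""
    problems = []
    if hq.proposal != branch.proposal:
        problems.append("proposal mismatch")
    if hq.psk != branch.psk:
        problems.append("pre-shared key mismatch")
    # The branch ACL must be the headquarters ACL with source and destination swapped.
    if sorted(hq.acl) != sorted((dst, src) for src, dst in branch.acl):
        problems.append("ACL not mirrored")
    return problems
```

A wildcard typo on one side (0.0.0.255 instead of 0.0.255.255 on the 10.1.0.0 network) is the classic way these two ACLs stop mirroring each other: IKE still completes, but only part of the intranet is carried in the tunnel, so the check is worth running whenever either ACL is edited.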
- Configure L2TP over IPSec.
# Enable L2TP.
HRP_M[FW_A] l2tp enable
# Configure L2TP access users and an authentication scheme.
HRP_M[FW_A] ip pool pool1
HRP_M[FW_A-ip-pool-pool1] section 1 10.1.1.2 10.1.1.100
HRP_M[FW_A-ip-pool-pool1] quit
HRP_M[FW_A] user-manage user vpdnuser
HRP_M[FW_A-localuser-vpdnuser] password Hello123
HRP_M[FW_A-localuser-vpdnuser] quit
HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] authentication-scheme default
HRP_M[FW_A-aaa-authen-default] authentication-mode local
HRP_M[FW_A-aaa-authen-default] quit
HRP_M[FW_A-aaa] service-scheme l2tp
HRP_M[FW_A-aaa-service-l2tp] ip-pool pool1
HRP_M[FW_A-aaa-service-l2tp] quit
HRP_M[FW_A-aaa] domain net1
HRP_M[FW_A-aaa-domain-net1] service-type internetaccess l2tp
HRP_M[FW_A-aaa-domain-net1] authentication-scheme default
HRP_M[FW_A-aaa-domain-net1] service-scheme l2tp
HRP_M[FW_A-aaa-domain-net1] quit
HRP_M[FW_A-aaa] quit
# Configure the virtual interface template, and add it to a security zone.
HRP_M[FW_A] interface Virtual-Template 1
HRP_M[FW_A-Virtual-Template1] ppp authentication-mode chap pap
HRP_M[FW_A-Virtual-Template1] ip address 10.11.1.1 255.255.255.0
HRP_M[FW_A-Virtual-Template1] remote service-scheme l2tp
HRP_M[FW_A-Virtual-Template1] quit
HRP_M[FW_A] firewall zone untrust
HRP_M[FW_A-zone-untrust] add interface Virtual-Template 1
HRP_M[FW_A-zone-untrust] quit
The IP address of the virtual interface must not be an address in the configured address pool or the address of any other interface. You can set any IP address except the mentioned ones.
The service scheme for allocating the peer IP address must be consistent with that configured in the AAA domain. Otherwise, the LNS cannot allocate an address to the client.
# Create an L2TP group, bind the virtual interface template, and configure tunnel authentication.
HRP_M[FW_A] l2tp-group 1
HRP_M[FW_A-l2tp1] allow l2tp virtual-template 1 remote client1
HRP_M[FW_A-l2tp1] tunnel name lns
HRP_M[FW_A-l2tp1] tunnel authentication
HRP_M[FW_A-l2tp1] tunnel password cipher Password@123
HRP_M[FW_A-l2tp1] quit
# Similarly, configure L2TP over IPSec on FW_B.
# Configure the client on the terminals of mobile employees.
The L2TP client must be installed on the terminals of mobile employees. The client is connected to the Internet through dialup. The Secoway VPN Client is taken as an example.
- Open the Secoway VPN Client, select an existing connection, and click Properties.
This step should be performed when the VPN Client is disconnected from the dialup connection.
If no connection exists, click New to create a connection following the instructions.
- Configure the basic information in the Basic Settings tab and enable an IPSec security protocol.
See Figure 1-4 for the parameter settings. Enable the IPSec security protocol, and set the login password to "Hello123" and the identity authentication word to "Test!1234".
The IPSec identity authentication word set on the VPN Client must be consistent with the pre-shared key set on the LNS.
- If the user needs to access the Internet, select Allow Internet Access in the Basic Settings tab, and configure related routes in the Route Settings tab.
Figure 1-5 Selecting Allow Internet Access
Figure 1-6 Adding a route
- Set L2TP properties in the L2TP Settings tab.
See Figure 1-7 for the parameter settings. The tunnel name is client1. The authentication mode is CHAP. Enable tunnel authentication, and set the tunnel authentication password to "Password@123".
- Set the basic information of IPSec in the IPSec Settings tab. See Figure 1-8 for the parameter settings.
When the VPN tunnel on the LNS side is L2TP over IPSec, the LNS does not perform tunnel authentication for the VPN Client. Therefore, it is not necessary to configure the L2TP Settings tab on the VPN Client.
- Set the basic information of IKE in the IKE Settings tab. See Figure 1-9 for the parameter settings.
Verification
Procedure
- Run the display hrp state command on FW_A to view the current HRP state. The following information indicates that HRP is successfully set up.
HRP_M[FW_A] display hrp state
 Role: active, peer: standby
 Running priority: 46002, peer: 46002
 Backup channel usage: 7%
 Stable time: 0 days, 0 hours, 12 minutes
- Different users on the intranet and mobile employees can access the Internet as planned.
- Run the shutdown command on GigabitEthernet1/0/1 of FW_A to simulate a link fault. The active/standby switchover is normal without services interrupted.
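The verification above is done by eye; in operation the same `display hrp state` output is what a monitoring job would poll. The following parser, added here as an example and not part of the firewall, extracts the fields from that output and applies the health rule implied by the procedure: one member active and one standby, both running the same priority (the priority of a member drops when one of its tracked interfaces goes down, which is what the GigabitEthernet1/0/1 shutdown test exercises), and a stable time long enough that a switchover is not still in progress. Both sample outputs are constructed; the second one represents FW_A after losing a tracked interface.

```python
"""Parse 'display hrp state' output and judge hot-standby health (added example)."""
import re
from typing import Dict

# Constructed: the healthy output from the verification step.
HEALTHY = """HRP_M[FW_A] display hrp state
 Role: active, peer: standby
 Running priority: 46002, peer: 46002
 Backup channel usage: 7%
 Stable time: 0 days, 0 hours, 12 minutes
"""

# Constructed: FW_A lost a tracked interface, its priority dropped by 2
# and FW_B has taken over a minute ago.
DEGRADED = """HRP_M[FW_A] display hrp state
 Role: standby, peer: active
 Running priority: 46000, peer: 46002
 Backup channel usage: 3%
 Stable time: 0 days, 0 hours, 1 minutes
"""


def parse_hrp_state(text: str) -> Dict[str, object]:
    """Extract role, priorities, backup channel usage and stable time."""
    role = re.search(r"Role:\s*(\w+),\s*peer:\s*(\w+)", text)
    prio = re.search(r"Running priority:\s*(\d+),\s*peer:\s*(\d+)", text)
    usage = re.search(r"Backup channel usage:\s*(\d+)%", text)
    stable = re.search(r"Stable time:\s*(\d+) days?,\s*(\d+) hours?,\s*(\d+) minutes?", text)
    if not (role and prio and usage and stable):
        raise ValueError("unrecognised display hrp state output")
    days, hours, minutes = (int(x) for x in stable.groups())
    return {
        "role": role.group(1),
        "peer": role.group(2),
        "priority": int(prio.group(1)),
        "peer_priority": int(prio.group(2)),
        "backup_usage": int(usage.group(1)),
        "stable_minutes": days * 1440 + hours * 60 + minutes,
    }


def hrp_healthy(state: Dict[str, object], min_stable_minutes: int = 5) -> bool:
    """Healthy: exactly one active and one standby member, equal running
    priorities (a lower value on one side means a tracked interface has
    failed there), and no switchover within the last few minutes."""
    return ({state["role"], state["peer"]} == {"active", "standby"}
            and state["priority"] == state["peer_priority"]
            and state["stable_minutes"] >= min_stable_minutes)
```

Alerting on the priority difference rather than only on the role change is the useful part: after the link on GigabitEthernet1/0/1 is restored, the roles may still be swapped (that is normal), but the priorities must be equal again, otherwise the tracked interface has not actually recovered.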
Configuration Scripts
FW_A:

#
 sysname FW_A
#
 l2tp enable
#
acl number 3000
 rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
#
 hrp enable
 hrp interface Eth-Trunk 1 remote 10.10.0.2
 hrp track interface GigabitEthernet 1/0/1
 hrp track interface GigabitEthernet 1/0/4
#
time-range work_time
 period-range 09:00:00 to 18:00:00 working-day
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ike proposal 10
 encryption-algorithm 3des
 dh group5
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha1
#
ike peer headquarters
 pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
 ike-proposal 10
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer headquarters
 proposal tran1
#
ipsec policy policy1 1 isakmp template temp
#
l2tp-group 1
 allow l2tp virtual-template 1 remote client1
 tunnel name lns
 tunnel authentication
 tunnel password cipher %$%$f#c=(BljBC!s=)Xc*3*%$%$
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme l2tp
 ip address 10.11.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 gateway 1.1.1.254
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
 ipsec policy policy1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.0 active
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.1 255.255.0.0
#
interface GigabitEthernet1/0/5
 portswitch
#
interface Eth-Trunk 1
 ip address 10.10.0.1 255.255.255.0
 trunkport GigabitEthernet 1/0/3
 trunkport GigabitEthernet 2/0/1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/4
 add interface GigabitEthernet1/0/5
#
firewall zone untrust
 set priority 5
 add interface Virtual-Template1
#
firewall zone ISP1
 set priority 15
 add interface GigabitEthernet1/0/1
#
firewall zone ISP2
 set priority 20
 add interface GigabitEthernet1/0/2
#
firewall zone Heart
 set priority 75
 add interface Eth-Trunk1
#
 router id 1.1.1.2
#
ospf 100
 default-route-advertise
 area 0
  network 1.1.1.0 0.0.0.255
  network 10.1.0.0 0.0.255.255
#
 ip-link check enable
ip-link name ip_link_1
 destination 1.1.1.254 interface GigabitEthernet1/0/1
ip-link name ip_link_2
 destination 2.2.2.254 interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
#
 user-manage online-user aging-time 480
user-manage single-sign-on ad
 mode no-plug-in
 no-plug-in interface GigabitEthernet1/0/5
 no-plug-in traffic server-ip 10.3.0.251 port 88
 enable
#
user-manage user vpdnuser
 password Hello123
#
ad-server template auth_server_ad
 ad-server authentication 10.3.0.251 88
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy policy_import from ad
 server template auth_server_ad
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type user-group
 import-override enable
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authentication-scheme default
  authentication-mode local
 service-scheme l2tp
  ip-pool pool1
 domain net1
  service-type internetaccess l2tp
  authentication-scheme default
  service-scheme l2tp
#
profile type url-filter name profile_url
 category pre-defined control-level medium
 category pre-defined action allow
#
nat address-group nataddr
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.4
#
multi-interface
 mode priority-of-link-quality
 priority-of-link-quality parameter delay jitter loss
 priority-of-link-quality protocol tcp-simple
 priority-of-link-quality interval 3 times 5
 priority-of-link-quality table aging-time 60
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  application category Business_Systems
  track ip-link ip_link_1
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
 rule name pbr_2
  description pbr_2
  source-zone trust
  application category Entertainment sub-category VoIP
  application category Entertainment sub-category PeerCasting
  track ip-link ip_link_2
  action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.254
#
security-policy
 rule name policy_sec_management
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/management
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_marketing_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  application category Entertainment sub-category Media_Sharing
  application category Entertainment sub-category Game
  action deny
 rule name policy_sec_marketing_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_research_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  application category Entertainment
  action deny
 rule name policy_sec_research_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_manufacture
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/manufacture
  action deny
 rule name policy_sec_ipsec_1
  source-zone local
  source-zone ISP1
  source-zone ISP2
  destination-zone local
  destination-zone ISP1
  destination-zone ISP2
  source-address 1.1.1.2 32
  source-address 3.3.3.1 32
  destination-address 1.1.1.2 32
  destination-address 3.3.3.1 32
  action permit
 rule name policy_sec_ipsec_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.0.0 16
  destination-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_ipsec_3
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  source-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_l2tp_ipsec_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.1.1 16
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy_sec_l2tp_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 10.1.1.1 16
  action permit
 rule name local_policy_ad_01
  source-zone local
  destination-zone trust
  destination-address 10.3.0.251 32
  action permit
 rule name local_policy_ad_02
  source-zone trust
  destination-zone local
  source-address 10.3.0.251 32
  action permit
 rule name policy_sec_server
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  destination-address 10.2.0.10 32
  destination-address 10.2.0.11 32
  action permit
#
nat-policy
 rule name policy_nat_internet_01
  source-zone trust
  destination-zone ISP1
  action source-nat address-group nataddr
 rule name policy_nat_internet_02
  source-zone trust
  destination-zone ISP2
  action source-nat address-group nataddr
 rule name policy_nat_ipsec_01
  source-zone trust
  destination-zone ISP1
  destination-address 192.168.1.0 24
  action no-nat
 rule name policy_nat_ipsec_02
  source-zone trust
  destination-zone ISP2
  destination-address 192.168.1.0 24
  action no-nat
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole upstream 2000000
  bandwidth maximum-bandwidth whole downstream 6000000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole upstream 4000000
  bandwidth guaranteed-bandwidth whole downstream 4000000
 profile profile_management
  bandwidth guaranteed-bandwidth whole upstream 200000
  bandwidth guaranteed-bandwidth whole downstream 200000
  bandwidth maximum-bandwidth per-ip upstream 20000
  bandwidth maximum-bandwidth per-ip downstream 20000
 rule name policy_bandwidth_p2p
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application app LotusNotes
  application app OWA
  time-range work_time
  action qos profile profile_email
 rule name policy_bandwidth_management
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/management
  action qos profile profile_management
#
The following configurations are used to create users/groups. These configurations are stored in the database and are not contained in the configuration file.
user-manage group /default/management
user-manage group /default/marketing
user-manage group /default/research
user-manage user user_0001
 alias Tom
 parent-group /default/management
 password *********
 undo multi-ip online enable

FW_B:
#
 sysname FW_B
#
 l2tp enable
#
acl number 3000
 rule permit ip source 10.1.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
 hrp enable
 hrp interface Eth-Trunk 1 remote 10.10.0.1
 hrp track interface GigabitEthernet 1/0/1
 hrp track interface GigabitEthernet 1/0/4
#
time-range work_time
 period-range 09:00:00 to 18:00:00 working-day
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend winnuke enable
 firewall defend source-route enable
 firewall defend route-record enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
#
ike proposal 10
 encryption-algorithm 3des
 dh group5
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha1
#
ike peer headquarters
 pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
 ike-proposal 10
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer headquarters
 proposal tran1
#
ipsec policy map1 1 isakmp template temp
#
l2tp-group 1
 allow l2tp virtual-template 1 remote client1
 tunnel name lns
 tunnel authentication
 tunnel password cipher %$%$f#c=(BljBC!s=)Xc*3*%$%$
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme l2tp
 ip address 10.11.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.3 255.255.255.0
 gateway 1.1.1.254
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
 ipsec policy map1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 2.2.2.1 255.255.255.0
 gateway 2.2.2.254
 vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 standby
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.2.1.1 255.255.0.0
#
interface GigabitEthernet1/0/5
 portswitch
#
interface Eth-Trunk 1
 ip address 10.10.0.2 255.255.255.0
 trunkport GigabitEthernet 1/0/3
 trunkport GigabitEthernet 2/0/1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/4
 add interface GigabitEthernet1/0/5
#
firewall zone untrust
 set priority 5
 add interface Virtual-Template1
#
firewall zone ISP1
 set priority 15
 add interface GigabitEthernet1/0/1
#
firewall zone ISP2
 set priority 20
 add interface GigabitEthernet1/0/2
#
firewall zone Heart
 set priority 75
 add interface Eth-Trunk1
#
 router id 2.2.2.3
#
ospf 100
 default-route-advertise
 area 0
  network 2.2.2.0 0.0.0.255
  network 10.2.0.0 0.0.0.255
#
 ip-link check enable
ip-link name ip_link_1
 destination 1.1.1.254 interface GigabitEthernet1/0/1
ip-link name ip_link_2
 destination 2.2.2.254 interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
#
 user-manage online-user aging-time 480
user-manage single-sign-on ad
 mode no-plug-in
 no-plug-in interface GigabitEthernet1/0/5
 no-plug-in traffic server-ip 10.3.0.251 port 88
 enable
#
user-manage user vpdnuser
 password Hello123
#
ad-server template auth_server_ad
 ad-server authentication 10.3.0.251 88
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy policy_import from ad
 server template auth_server_ad
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type user-group
 import-override enable
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authorization-scheme default
 authentication-mode local
 service-scheme l2tp
  ip-pool pool1
 domain net1
  service-type internetaccess l2tp
  authentication-scheme default
  service-scheme l2tp
#
profile type url-filter name profile_url
 category pre-defined control-level medium
 category pre-defined action allow
#
nat address-group nataddr
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.4
#
multi-interface
 mode priority-of-link-quality
 priority-of-link-quality parameter delay jitter loss
 priority-of-link-quality protocol tcp-simple
 priority-of-link-quality interval 3 times 5
 priority-of-link-quality table aging-time 60
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  application category Business_Systems
  track ip-link ip_link_1
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
 rule name pbr_2
  description pbr_2
  source-zone trust
  application category Entertainment sub-category VoIP
  application category Entertainment sub-category PeerCasting
  track ip-link ip_link_2
  action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.254
#
security-policy
 rule name policy_sec_management
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/management
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_marketing_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  application category Entertainment sub-category Media_Sharing
  application category Entertainment sub-category Game
  action deny
 rule name policy_sec_marketing_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_research_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  application category Entertainment
  action deny
 rule name policy_sec_research_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_manufacture
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/manufacture
  action deny
 rule name policy_sec_ipsec_1
  source-zone local
  source-zone ISP1
  source-zone ISP2
  destination-zone local
  destination-zone ISP1
  destination-zone ISP2
  source-address 1.1.1.2 32
  source-address 3.3.3.1 32
  destination-address 1.1.1.2 32
  destination-address 3.3.3.1 32
  action permit
 rule name policy_sec_ipsec_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.0.0 16
  destination-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_ipsec_3
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  source-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_l2tp_ipsec_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.1.1 16
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy_sec_l2tp_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 10.1.1.1 16
  action permit
 rule name local_policy_ad_01
  source-zone local
  destination-zone trust
  destination-address 10.3.0.251 32
  action permit
 rule name local_policy_ad_02
  source-zone trust
  destination-zone local
  source-address 10.3.0.251 32
  action permit
 rule name policy_sec_server
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  destination-address 10.2.0.10 32
  destination-address 10.2.0.11 32
  action permit
#
nat-policy
 rule name policy_nat_internet_01
  source-zone trust
  destination-zone ISP1
  action source-nat address-group nataddr
 rule name policy_nat_internet_02
  source-zone trust
  destination-zone ISP2
  action source-nat address-group nataddr
 rule name policy_nat_ipsec_01
  source-zone trust
  destination-zone ISP1
  destination-address 192.168.1.0 24
  action no-pat
 rule name policy_nat_ipsec_02
  source-zone trust
  destination-zone ISP2
  destination-address 192.168.1.0 24
  action no-pat
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole upstream 2000000
  bandwidth connection-limit whole downstream 6000000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole upstream 4000000
  bandwidth guaranteed-bandwidth whole downstream 4000000
 profile profile_management
  bandwidth guaranteed-bandwidth whole upstream 200000
  bandwidth guaranteed-bandwidth whole downstream 200000
  bandwidth maximum-bandwidth per-ip upstream 20000
  bandwidth maximum-bandwidth per-ip downstream 20000
 rule name policy_bandwidth_p2p
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application app LotusNotes
  application app OWA
  time-range work_time
  action qos profile profile_email
 rule name policy_bandwidth_management
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/management
  action qos profile profile_management
#
The following configurations are used to create users/groups. These configurations are stored in the database and are not contained in the configuration file.
user-manage group /default/management
user-manage group /default/marketing
user-manage group /default/research
user-manage user user_0001
 alias Tom
 parent-group /default/management
 password *********
 undo multi-ip online enable
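The per-department rules in the security-policy section above only produce the intended result because the deny rule for a department precedes its permit rule: the firewall takes the first rule that matches, and any flow no rule matches falls to the default deny. The following added example (not Huawei code and not part of the listing) parses a security-policy block written in the listing's style, evaluates it with first-match semantics, and flags rules an earlier rule makes unreachable, which is the check to run before reordering such a policy. The sample block is constructed for this example and abridged from the FW_B listing; it assumes, as modelled here, that a rule stating only an application category matches every sub-category of that category and that a condition left out of a rule matches anything.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the listing's style, abridged from the FW_B security-policy.
SAMPLE_POLICY = """\
security-policy
 rule name policy_sec_marketing_1
  source-zone trust
  destination-zone ISP1
  user user-group /default/marketing
  application category Entertainment sub-category Media_Sharing
  application category Entertainment sub-category Game
  action deny
 rule name policy_sec_marketing_2
  source-zone trust
  destination-zone ISP1
  user user-group /default/marketing
  action permit
 rule name policy_sec_research_1
  source-zone trust
  destination-zone ISP1
  user user-group /default/research
  application category Entertainment
  action deny
 rule name policy_sec_research_2
  source-zone trust
  destination-zone ISP1
  user user-group /default/research
  action permit
 rule name policy_sec_manufacture
  source-zone trust
  destination-zone ISP1
  user user-group /default/manufacture
  action deny
"""

@dataclass
class Rule:
    name: str
    src_zones: set = field(default_factory=set)   # an empty set means "any"
    dst_zones: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    apps: set = field(default_factory=set)        # (category, sub_category or None)
    action: str = "deny"

APP_RE = re.compile(r"application category (\S+)(?: sub-category (\S+))?")

def parse_security_policy(text):
    """Return the rules in configuration order; profile lines and other statements are ignored."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rule name "):
            cur = Rule(line.split()[2])
            rules.append(cur)
        elif cur is None:
            continue
        elif line.startswith("source-zone "):
            cur.src_zones.add(line.split()[1])
        elif line.startswith("destination-zone "):
            cur.dst_zones.add(line.split()[1])
        elif line.startswith("user user-group "):
            cur.user_groups.add(line.split()[2])
        elif line.startswith("application category "):
            cur.apps.add(APP_RE.match(line).groups())
        elif line.startswith("action "):
            cur.action = line.split()[1]
    return rules

def _app_hit(rule_apps, app):
    cat, sub = app   # a category-only condition covers all of its sub-categories
    return not rule_apps or (cat, sub) in rule_apps or (cat, None) in rule_apps

def matches(rule, src_zone, dst_zone, user_group, app):
    return ((not rule.src_zones or src_zone in rule.src_zones)
            and (not rule.dst_zones or dst_zone in rule.dst_zones)
            and (not rule.user_groups or user_group in rule.user_groups)
            and _app_hit(rule.apps, app))

def evaluate(rules, src_zone, dst_zone, user_group, app):
    """First matching rule wins; a flow no rule matches hits the implicit default deny."""
    for rule in rules:
        if matches(rule, src_zone, dst_zone, user_group, app):
            return rule.name, rule.action
    return "default", "deny"

def _covers(earlier, later):
    return not earlier or (bool(later) and later <= earlier)

def _covers_apps(earlier, later):
    if not earlier:
        return True
    return bool(later) and all(a in earlier or (a[0], None) in earlier for a in later)

def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the earlier rule already matches everything the later one would."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src_zones, rule.src_zones) and _covers(earlier.dst_zones, rule.dst_zones)
                    and _covers(earlier.user_groups, rule.user_groups) and _covers_apps(earlier.apps, rule.apps)):
                found.append((rule.name, earlier.name))
                break
    return found

if __name__ == "__main__":
    rules = parse_security_policy(SAMPLE_POLICY)
    print(evaluate(rules, "trust", "ISP1", "/default/marketing", ("Entertainment", "Game")))
    print(evaluate(rules, "trust", "ISP1", "/default/research", ("Business_Systems", None)))
    print(shadowed_rules(rules))
    # Swapping the marketing pair reproduces the classic ordering mistake: the permit hides the deny.
    print(shadowed_rules([rules[1], rules[0]] + rules[2:]))
```

Running the block as a script prints the marketing deny, the research permit, an empty shadow list for the listing's order, and one shadowed pair once the marketing rules are swapped. The parser deliberately ignores profile lines, so it does not tell you whether a permit rule carries AV, IPS and URL filtering profiles; that is a separate review of the same listing.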
Conclusion and Suggestions
- This section describes the typical application of firewalls at the egress of an enterprise campus network to the Internet. If you are facing the same scenario, this example can serve as a reference.
- It introduces the typical hot standby networking, in which the firewall is connected to an upstream switch and a downstream router, and describes the typical application of hot standby in that networking.
- The solution demonstrates the multi-ISP uplink selection capabilities of a firewall that serves as the gateway, namely global intelligent uplink selection and PBR intelligent uplink selection.
- The solution also embodies the application identification and control functions of the firewall: the firewall identifies ports and a wide range of applications and can apply access control, PBR, and traffic control based on the identified application.