Application of Firewalls in the Security Solution for Financial Data Centers


Introduction

This section describes the planning and deployment of firewalls in a financial data center network. It also serves as a reference for firewall deployment in the data centers of other industries.

This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and later versions. Document content may vary according to version.

Solution Overview

A data center carries the core services of an enterprise and stores massive service data. It provides critical resources to ensure the normal production and operation of the enterprise. Therefore, the security of the data center network is of particular importance.

The Huawei financial data center solution uses a multi-layer, modular design. The modular design divides the data center network into multiple areas and isolates services between them using firewalls. The multi-layer design gives the network a core layer, an aggregation layer, and an access layer, so that it is horizontally flexible and easy to scale.

To ensure the security of the data center network and its internal servers, it is usually necessary to deploy firewalls in the network to provide such functions as security isolation, access control, attack defense, and intrusion prevention.

As shown in Figure 1-1, firewalls are deployed at three locations in the financial data center solution: data center egress, intranet access area, and Internet egress. The firewalls provide different security protection functions.

Figure 1-1 Networking of the financial data center

Firewall at the data center egress

  • Uses refined security policies to accurately control users' access to the data center service area.
  • Provides security protection functions, such as IPS and attack defense, protecting the data center service area against Trojan horses, worms, and DDoS attacks.

Firewall in the intranet access area

  • Serves as an SACG that works with the Agile Controller to authenticate users who access the intranet locally or through private lines.

Firewall at the Internet egress

  • Provides user-defined security zones to distinguish between access users by credibility.
  • Uses refined security policies to accurately control users' access to the intranet.
  • Provides NAT.
  • Provides security protection functions, such as intrusion prevention and attack defense, protecting the intranet against Trojan horses, worms, and DDoS attacks.
  • Serves as the IPSec VPN gateway and SSL VPN gateway for secure VPN access of employees on the move, partners, and branches.

The following sections describe the networking solutions and configuration methods of the firewalls.

Firewalls at the Data Center Egress

Typical Networking

Figure 1-2 shows the typical networking of firewalls at the data center egress.

  • Core switches SW1 and SW2 are stacked, as are aggregation switches SW3 and SW4. The firewalls are located between the core switches and the aggregation switches and work in Layer 3 hot standby mode.
  • VRRP is configured on the interfaces connecting the firewalls to the upstream and downstream devices. The firewalls use the VRRP virtual IP addresses to communicate with the upstream and downstream devices.
  • Static routes are configured on the firewalls to guide traffic forwarding.
Figure 1-2 Typical networking of firewalls at the data center egress

Service Planning

Firewall Interface Planning

Interface planning for FW-1

| No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks |
|-----|--------------|-----------------|-------------|----------------|---------|
| 1 | FW-1 | GE1/0/1 | SW-1 | GE1/1/0/1 | Eth-Trunk 1, upstream service interface |
| 2 | FW-1 | GE1/0/2 | SW-1 | GE1/1/0/2 | Eth-Trunk 1, upstream service interface |
| 3 | FW-1 | GE1/0/3 | SW-3 | GE1/1/0/1 | Eth-Trunk 2, downstream service interface |
| 4 | FW-1 | GE1/0/4 | SW-3 | GE1/1/0/2 | Eth-Trunk 2, downstream service interface |
| 5 | FW-1 | GE1/0/5 | FW-2 | GE1/0/5 | Eth-Trunk 0, heartbeat interface |
| 6 | FW-1 | GE1/0/6 | FW-2 | GE1/0/6 | Eth-Trunk 0, heartbeat interface |

Interface planning for FW-2

| No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks |
|-----|--------------|-----------------|-------------|----------------|---------|
| 1 | FW-2 | GE1/0/1 | SW-2 | GE2/1/0/1 | Eth-Trunk 1, upstream service interface |
| 2 | FW-2 | GE1/0/2 | SW-2 | GE2/1/0/2 | Eth-Trunk 1, upstream service interface |
| 3 | FW-2 | GE1/0/3 | SW-4 | GE2/1/0/1 | Eth-Trunk 2, downstream service interface |
| 4 | FW-2 | GE1/0/4 | SW-4 | GE2/1/0/2 | Eth-Trunk 2, downstream service interface |
| 5 | FW-2 | GE1/0/5 | FW-1 | GE1/0/5 | Eth-Trunk 0, heartbeat interface |
| 6 | FW-2 | GE1/0/6 | FW-1 | GE1/0/6 | Eth-Trunk 0, heartbeat interface |

Firewall IP Address Planning

| No. | Local Device | Local Interface | Local IP Address | Peer Device | Peer Interface | Peer IP Address |
|-----|--------------|-----------------|------------------|-------------|----------------|-----------------|
| 1 | FW-1 | Eth-Trunk 1 | 10.6.1.2/29 (VRID 1, VIP 10.6.1.1) | SW-1 | VLANIF1000 | 10.6.1.4/29 |
| 2 | FW-1 | Eth-Trunk 2 | 10.7.1.2/29 (VRID 2, VIP 10.7.1.1) | SW-3 | VLANIF2000 | 10.7.1.4/29 |
| 3 | FW-1 | Eth-Trunk 0 | 11.11.11.1/24 | FW-2 | Eth-Trunk 0 | 11.11.11.2/24 |
| 4 | FW-2 | Eth-Trunk 1 | 10.6.1.3/29 (VRID 1, VIP 10.6.1.1) | SW-2 | VLANIF1000 | 10.6.1.4/29 |
| 5 | FW-2 | Eth-Trunk 2 | 10.7.1.3/29 (VRID 2, VIP 10.7.1.1) | SW-4 | VLANIF2000 | 10.7.1.4/29 |
| 6 | FW-2 | Eth-Trunk 0 | 11.11.11.2/24 | FW-1 | Eth-Trunk 0 | 11.11.11.1/24 |

Firewall Security Zone Planning

| No. | Security Zone | Security Zone Priority | Included Interface | Remarks |
|-----|---------------|------------------------|--------------------|---------|
| 1 | untrust | 5 | Eth-Trunk 1 | Upstream service interface |
| 2 | trust | 100 | Eth-Trunk 2 | Downstream service interface |
| 3 | dmz | 50 | Eth-Trunk 0 | Heartbeat interface |

Firewall Security Policy Planning

Address group

| No. | Address Group | Address | Remarks |
|-----|---------------|---------|---------|
| 1 | remote_users | address 0 172.168.3.0 mask 24 | SSL VPN access for employees on the move |
| 2 | partner | address 0 172.168.4.0 mask 24 | Partner |
| 3 | branch1 | address 0 10.8.1.0 mask 24 | Branch 1 |
| 4 | branch2 | address 0 10.9.1.0 mask 24 | Branch 2 |
| 5 | server1 | address 0 10.1.1.10 mask 32; address 1 10.1.1.11 mask 32 | Server that employees on the move can access |
| 6 | server2 | address 0 10.2.1.4 mask 32; address 1 10.2.1.5 mask 32 | Server that the partner can access |
| 7 | server3 | address 0 10.1.2.4 mask 32; address 1 10.1.2.5 mask 32 | Server that branch 1 can access |
| 8 | server4 | address 0 10.1.1.4 mask 32; address 1 10.1.1.5 mask 32 | Server that branch 2 can access |

User-defined services

| No. | Service | Protocol/Port | Remarks |
|-----|---------|---------------|---------|
| 1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server |
| 2 | tcp_8888_9000 | service 0 protocol tcp destination-port 8888; service 1 protocol tcp destination-port 9000 | Service for branch 1 to access the server |

Security policies

| No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action |
|-----|--------|-------------|----------------|------------------|---------------------|---------|--------|
| 1 | remote_users_to_server1 | untrust | remote_users | trust | server1 | ftp, http | permit |
| 2 | partner_to_server2 | untrust | partner | trust | server2 | tcp_1414 | permit |
| 3 | branch1_to_server3 | untrust | branch1 | trust | server3 | tcp_8888_9000 | permit |
| 4 | branch2_to_server4 | untrust | branch2 | trust | server4 | ftp | permit |
| 5 | default | any | any | any | any | any | deny |

NOTE:

default indicates the default security policy. Traffic that matches none of the configured security policies matches the default security policy (all match conditions are any and the action is deny). If only PCs at specified IP addresses are allowed to access the servers, keep the default security policy and configure security policies that permit access from those IP addresses.

Hot standby heartbeat packets are not controlled by security policies. Do not configure security policies for heartbeat packets.
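To check what the planned policy table actually permits before it is pushed to the firewalls, the following Python simulation is added here (it is not from the Huawei document): the address groups, service sets, zones and rules are transcribed from the tables above, the sample flows are constructed, and deriving a zone from the static-route table instead of the routed interface is a simplification noted in the code.

```python
"""Offline simulation of the security-policy table planned for the egress
firewalls.  Added example, not part of the Huawei document: address groups,
service sets, zones and rules are transcribed from the planning tables
above, the sample flows are constructed.  Matching follows the documented
semantics: rules are tried top-down, the first match decides, and whatever
is left over hits the default rule (all conditions any, action deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address groups from "Firewall Security Policy Planning".
ADDRESS_SETS = {
    "remote_users": ["172.168.3.0/24"],
    "partner": ["172.168.4.0/24"],
    "branch1": ["10.8.1.0/24"],
    "branch2": ["10.9.1.0/24"],
    "server1": ["10.1.1.10/32", "10.1.1.11/32"],
    "server2": ["10.2.1.4/32", "10.2.1.5/32"],
    "server3": ["10.1.2.4/32", "10.1.2.5/32"],
    "server4": ["10.1.1.4/32", "10.1.1.5/32"],
}
# Predefined ftp/http services plus the two user-defined service sets.
SERVICE_SETS = {
    "ftp": [("tcp", 21)],
    "http": [("tcp", 80)],
    "tcp_1414": [("tcp", 1414)],
    "tcp_8888_9000": [("tcp", 8888), ("tcp", 9000)],
}
# On the device the zone comes from the interface routing selects; this
# constructed shortcut derives it from the static-route table instead:
# remote networks are behind Eth-Trunk 1 (untrust), service areas behind
# Eth-Trunk 2 (trust).
ZONE_NETWORKS = {
    "untrust": ["172.168.3.0/24", "172.168.4.0/24", "10.8.1.0/24", "10.9.1.0/24"],
    "trust": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_set: str
    dst_zone: str
    dst_set: str
    services: tuple
    action: str

# Security policies in planned order; the last row is the implicit default.
POLICY = [
    Rule("remote_users_to_server1", "untrust", "remote_users", "trust", "server1", ("ftp", "http"), "permit"),
    Rule("partner_to_server2", "untrust", "partner", "trust", "server2", ("tcp_1414",), "permit"),
    Rule("branch1_to_server3", "untrust", "branch1", "trust", "server3", ("tcp_8888_9000",), "permit"),
    Rule("branch2_to_server4", "untrust", "branch2", "trust", "server4", ("ftp",), "permit"),
    Rule("default", "any", "any", "any", "any", ("any",), "deny"),
]

def zone_of(ip: str) -> str:
    """Return the security zone whose networks contain ip, else 'unknown'."""
    addr = ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in ip_network(n) for n in nets):
            return zone
    return "unknown"

def in_address_set(ip: str, set_name: str) -> bool:
    return set_name == "any" or any(
        ip_address(ip) in ip_network(n) for n in ADDRESS_SETS[set_name])

def in_services(proto: str, port: int, services: tuple) -> bool:
    return "any" in services or any((proto, port) in SERVICE_SETS[s] for s in services)

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple:
    """Return (rule name, action) of the first rule the flow matches."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if r.src_zone not in ("any", src_zone) or r.dst_zone not in ("any", dst_zone):
            continue
        if not (in_address_set(src_ip, r.src_set) and in_address_set(dst_ip, r.dst_set)):
            continue
        if in_services(proto, dport, r.services):
            return r.name, r.action
    raise RuntimeError("unreachable: the default rule matches every flow")

if __name__ == "__main__":
    # Constructed sample flows: planned accesses plus three that must be denied.
    flows = [
        ("172.168.4.10", "10.2.1.4", "tcp", 1414),  # partner to server2 on tcp_1414
        ("172.168.4.10", "10.2.1.4", "tcp", 80),    # same hosts, service not planned
        ("10.9.1.7", "10.1.1.4", "tcp", 21),        # branch 2 ftp to server4
        ("10.9.1.7", "10.1.1.10", "tcp", 21),       # branch 2 ftp to server1, not planned
        ("10.1.1.10", "172.168.3.5", "tcp", 80),    # trust to untrust, no rule permits it
    ]
    for f in flows:
        print(f"{f[0]:>13} -> {f[1]:<12} {f[2]}/{f[3]:<5} {evaluate(*f)}")
```

Note that server4 (10.1.1.4/5) and server1 (10.1.1.10/11) share the 10.1.1.0 network, so a branch 2 host reaching a server1 address is refused by the default rule even though the zones match.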

Firewall Persistent Connections

Prolonging the session aging time of a protocol

| No. | Protocol | Aging Time |
|-----|----------|------------|
| 1 | tcp_1414 | 40000 seconds |

Using the persistent connection function

| No. | Policy | Aging Time |
|-----|--------|------------|
| 1 | branch2_to_server4 | 480 hours |

NOTE:

Of the two methods, prolonging the session aging time of a protocol is easier to configure, whereas the persistent connection function lets you set specific conditions so that only the specified traffic keeps persistent connections. A prolonged session aging time of a protocol is a global setting that applies to all sessions of that protocol. As a result, sessions that do not need persistent connections are not aged out either and keep occupying session entries; once the session entries are exhausted, no new sessions can be created.

Therefore, prolong the session aging time of a protocol only if you have confirmed that all sessions of that protocol require a long aging time. Otherwise, use the persistent connection function.

The persistent connection function is valid only for TCP-based connections.

Firewall Route Planning

Static routes on firewalls

| No. | Destination Address | Mask | Next Hop | Remarks |
|-----|---------------------|------|----------|---------|
| 1 | 10.1.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 1 |
| 2 | 10.2.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 2 |
| 3 | 10.3.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 3 |
| 4 | 172.168.3.0 | 255.255.255.0 | 10.6.1.4 | Route to SSL VPN access terminals of employees on the move |
| 5 | 172.168.4.0 | 255.255.255.0 | 10.6.1.4 | Route to the partner's network |
| 6 | 10.8.1.0 | 255.255.255.0 | 10.6.1.4 | Route to branch 1's network |
| 7 | 10.9.1.0 | 255.255.255.0 | 10.6.1.4 | Route to branch 2's network |

Security Defense Planning

  • Attack defense planning

    To defend the internal network against network attacks, you need to configure attack defense on the firewalls.

    Normally, it is recommended that you configure defense against the following attacks:

    • Smurf attacks
    • Land attacks
    • Fraggle attacks
    • Ping of Death attacks
    • WinNuke attacks
    • IP packet with route record option attacks
    • IP packet with source route option attacks
    • IP packet with timestamp option attacks
    • SYN flood attacks
    • UDP flood attacks
    • ICMP flood attacks

      In practice, for the preceding flood attacks you can first set a comparatively large value for the maximum rate of attack packets on the interfaces, observe the attack traffic, and then gradually lower the rate until you reach a proper value (one that limits the attack traffic without affecting services).

  • IPS planning

    To prevent hackers, zombies, Trojan horses, and worms from intruding into the internal network, you need to configure IPS on the firewalls.

NOTE:

The IPS may be deployed on the firewalls or deployed as an independent IPS device.

To configure the IPS functions, you reference an IPS profile when defining security policies. In this solution, the IPS profile is referenced in all the security policies planned above (except those for the local zone), which means that IPS detection is carried out on all traffic permitted by those security policies.

Generally, when the firewalls are first deployed, you can select the default IPS profile default. After the firewalls have been running for some time, the administrator can define a profile based on the observed network status. The IPS also provides the default profile ids, with which alarms are generated upon the detection of intrusions but the intrusions are not blocked. If high security is required, to reduce false positives reported by the IPS, you can select the ids profile.

Precautions

IPS

The IPS signature database must be the latest before the IPS function is configured.

Attack Defense

The attack defense configuration is the recommended standard configuration.

Policy Backup-based Acceleration Function

When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

Configuration Procedure

Procedure

  1. Configure IP addresses for interfaces and assign the interfaces to security zones.

    # Configure IP addresses for the Eth-Trunk interfaces of FW-1.

    <sysname> system-view 
    [sysname] sysname FW-1 
    [FW-1] interface Eth-Trunk 1 
    [FW-1-Eth-Trunk1] description Link_To_CoreSwitch_SW1 
    [FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/1 
    [FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/2 
    [FW-1-Eth-Trunk1] ip address 10.6.1.2 29 
    [FW-1-Eth-Trunk1] quit 
    [FW-1] interface Eth-Trunk 2 
    [FW-1-Eth-Trunk2] description Link_To_Aggregation_SW3 
    [FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/3 
    [FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/4 
    [FW-1-Eth-Trunk2] ip address 10.7.1.2 29 
    [FW-1-Eth-Trunk2] quit 
    [FW-1] interface Eth-Trunk 0 
    [FW-1-Eth-Trunk0] description HRP_Interface 
    [FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/5 
    [FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/6 
    [FW-1-Eth-Trunk0] ip address 11.11.11.1 24 
    [FW-1-Eth-Trunk0] quit

    # Configure IP addresses for the Eth-Trunk interfaces of FW-2.

    <sysname> system-view 
    [sysname] sysname FW-2 
    [FW-2] interface Eth-Trunk 1 
    [FW-2-Eth-Trunk1] description Link_To_CoreSwitch_SW2 
    [FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/1 
    [FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/2 
    [FW-2-Eth-Trunk1] ip address 10.6.1.3 29 
    [FW-2-Eth-Trunk1] quit 
    [FW-2] interface Eth-Trunk 2 
    [FW-2-Eth-Trunk2] description Link_To_Aggregation_SW4 
    [FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/3 
    [FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/4 
    [FW-2-Eth-Trunk2] ip address 10.7.1.3 29 
    [FW-2-Eth-Trunk2] quit 
    [FW-2] interface Eth-Trunk 0 
    [FW-2-Eth-Trunk0] description HRP_Interface 
    [FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/5 
    [FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/6 
    [FW-2-Eth-Trunk0] ip address 11.11.11.2 24 
    [FW-2-Eth-Trunk0] quit

    # Assign the interfaces of FW-1 to appropriate security zones.

    [FW-1] firewall zone trust 
    [FW-1-zone-trust] add interface Eth-Trunk 2 
    [FW-1-zone-trust] quit 
    [FW-1] firewall zone untrust 
    [FW-1-zone-untrust] add interface Eth-Trunk 1 
    [FW-1-zone-untrust] quit 
    [FW-1] firewall zone dmz 
    [FW-1-zone-dmz] add interface Eth-Trunk 0 
    [FW-1-zone-dmz] quit

    # Assign the interfaces of FW-2 to appropriate security zones.

    [FW-2] firewall zone trust 
    [FW-2-zone-trust] add interface Eth-Trunk 2 
    [FW-2-zone-trust] quit 
    [FW-2] firewall zone untrust 
    [FW-2-zone-untrust] add interface Eth-Trunk 1 
    [FW-2-zone-untrust] quit 
    [FW-2] firewall zone dmz 
    [FW-2-zone-dmz] add interface Eth-Trunk 0 
    [FW-2-zone-dmz] quit

  2. Configure static routes.

    # On FW-1, configure a static route to the data center service area and set the next hop to the IP address of the aggregation switch.

    [FW-1] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4 
    [FW-1] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4 
    [FW-1] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4

    # On FW-2, configure a static route to the data center service area and set the next hop to the IP address of the aggregation switch.

    [FW-2] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4 
    [FW-2] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4 
    [FW-2] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4

    # On FW-1, configure static routes to the SSL VPN access terminal, branch, and partner network and set the next hop to the IP address of the core switch.

    [FW-1] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4 
    [FW-1] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4 
    [FW-1] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4 
    [FW-1] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4

    # On FW-2, configure static routes to the SSL VPN access terminal, branch, and partner network and set the next hop to the IP address of the core switch.

    [FW-2] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4 
    [FW-2] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4 
    [FW-2] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4 
    [FW-2] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4

  3. Configure hot standby.

    # Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-1, setting its state to Active.

    [FW-1] interface Eth-Trunk1 
    [FW-1-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 active 
    [FW-1-Eth-Trunk1] quit

    # Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-1, setting its state to Active.

    [FW-1] interface Eth-Trunk2 
    [FW-1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 active 
    [FW-1-Eth-Trunk2] quit

    # Designate Eth-Trunk 0 as the heartbeat interface of FW-1, and enable hot standby.

    [FW-1] hrp interface Eth-Trunk0 remote 11.11.11.2 
    [FW-1] hrp enable

    # Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-2, setting its state to Standby.

    [FW-2] interface Eth-Trunk1 
    [FW-2-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 standby 
    [FW-2-Eth-Trunk1] quit

    # Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-2, setting its state to Standby.

    [FW-2] interface Eth-Trunk2 
    [FW-2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 standby 
    [FW-2-Eth-Trunk2] quit

    # Designate Eth-Trunk 0 as the heartbeat interface of FW-2, and enable hot standby.

    [FW-2] hrp interface Eth-Trunk0 remote 11.11.11.1 
    [FW-2] hrp enable

  4. Configure security policies and IPS functions.

    NOTE:

    After hot standby is configured, you only need to configure security policies and attack defense on the active device FW-1. The configuration on FW-1 is automatically backed up on FW-2.

    # Configure an address group on FW-1.

    HRP_M[FW-1] ip address-set remote_users type object 
    HRP_M[FW-1-object-address-set-remote_users] address 0 172.168.3.0 mask 24 
    HRP_M[FW-1-object-address-set-remote_users] description "for remote users" 
    HRP_M[FW-1-object-address-set-remote_users] quit 
    HRP_M[FW-1] ip address-set partner type object 
    HRP_M[FW-1-object-address-set-partner] address 0 172.168.4.0 mask 24 
    HRP_M[FW-1-object-address-set-partner] description "for partner" 
    HRP_M[FW-1-object-address-set-partner] quit 
    HRP_M[FW-1] ip address-set branch1 type object 
    HRP_M[FW-1-object-address-set-branch1] address 0 10.8.1.0 mask 24 
    HRP_M[FW-1-object-address-set-branch1] description "for branch1" 
    HRP_M[FW-1-object-address-set-branch1] quit 
    HRP_M[FW-1] ip address-set branch2 type object 
    HRP_M[FW-1-object-address-set-branch2] address 0 10.9.1.0 mask 24 
    HRP_M[FW-1-object-address-set-branch2] description "for branch2" 
    HRP_M[FW-1-object-address-set-branch2] quit 
    HRP_M[FW-1] ip address-set server1 type object 
    HRP_M[FW-1-object-address-set-server1] address 0 10.1.1.10 mask 32 
    HRP_M[FW-1-object-address-set-server1] address 1 10.1.1.11 mask 32 
    HRP_M[FW-1-object-address-set-server1] description "for server1" 
    HRP_M[FW-1-object-address-set-server1] quit 
    HRP_M[FW-1] ip address-set server2 type object 
    HRP_M[FW-1-object-address-set-server2] address 0 10.2.1.4 mask 32 
    HRP_M[FW-1-object-address-set-server2] address 1 10.2.1.5 mask 32 
    HRP_M[FW-1-object-address-set-server2] description "for server2" 
    HRP_M[FW-1-object-address-set-server2] quit 
    HRP_M[FW-1] ip address-set server3 type object 
    HRP_M[FW-1-object-address-set-server3] address 0 10.1.2.4 mask 32 
    HRP_M[FW-1-object-address-set-server3] address 1 10.1.2.5 mask 32 
    HRP_M[FW-1-object-address-set-server3] description "for server3" 
    HRP_M[FW-1-object-address-set-server3] quit 
    HRP_M[FW-1] ip address-set server4 type object 
    HRP_M[FW-1-object-address-set-server4] address 0 10.1.1.4 mask 32 
    HRP_M[FW-1-object-address-set-server4] address 1 10.1.1.5 mask 32 
    HRP_M[FW-1-object-address-set-server4] description "for server4" 
    HRP_M[FW-1-object-address-set-server4] quit

    # Configure a service set on FW-1.

    HRP_M[FW-1] ip service-set tcp_1414 type object 
    HRP_M[FW-1-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414 
    HRP_M[FW-1-object-service-set-tcp_1414] quit 
    HRP_M[FW-1] ip service-set tcp_8888_9000 type object 
    HRP_M[FW-1-object-service-set-tcp_8888_9000] service 0 protocol tcp destination-port 8888 
    HRP_M[FW-1-object-service-set-tcp_8888_9000] service 1 protocol tcp destination-port 9000 
    HRP_M[FW-1-object-service-set-tcp_8888_9000] quit

    # Configure the security policy remote_users_to_server1 on FW-1 and reference the IPS profile.

    HRP_M[FW-1] security-policy 
    HRP_M[FW-1-policy-security] rule name remote_users_to_server1 
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-zone untrust  
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-zone trust  
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-address address-set remote_users  
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-address address-set server1  
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] service ftp http 
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] action permit 
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] profile ips default 
    HRP_M[FW-1-policy-security-rule-remote_users_to_server1] quit

    # Configure the security policy partner_to_server2 on FW-1 and reference the IPS profile.

    HRP_M[FW-1-policy-security] rule name partner_to_server2 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] source-zone untrust  
    HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-zone trust  
    HRP_M[FW-1-policy-security-rule-partner_to_server2] source-address address-set partner  
    HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-address address-set server2  
    HRP_M[FW-1-policy-security-rule-partner_to_server2] service tcp_1414 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] action permit 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] profile ips default 
    HRP_M[FW-1-policy-security-rule-partner_to_server2] quit

    # Configure the security policy branch1_to_server3 on FW-1 and reference the IPS profile.

    HRP_M[FW-1-policy-security] rule name branch1_to_server3 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-zone untrust  
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-zone trust  
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-address address-set branch1  
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-address address-set server3  
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] service tcp_8888_9000 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] action permit 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] profile ips default 
    HRP_M[FW-1-policy-security-rule-branch1_to_server3] quit

    # Configure the security policy branch2_to_server4 on FW-1 and reference the IPS profile.

    HRP_M[FW-1-policy-security] rule name branch2_to_server4 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-zone untrust  
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-zone trust  
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-address address-set branch2  
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-address address-set server4  
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] service ftp 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] action permit 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] profile ips default 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit 
    HRP_M[FW-1-policy-security] quit

  5. Configure persistent connections.

    # Change the session aging time to 40000 seconds for tcp_1414.

    HRP_M[FW-1] firewall session aging-time service-set tcp_1414 40000

    # Enable the persistent connection function in security policy branch2_to_server4 and change the aging time to 480 hours for connections matching this policy.

    HRP_M[FW-1] security-policy 
    HRP_M[FW-1-policy-security] rule name branch2_to_server4 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link enable 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link aging-time 480 
    HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit 
    HRP_M[FW-1-policy-security] quit

  6. Configure attack defense.

    # Configure defense against single packet attacks on FW-1.

    HRP_M[FW-1] firewall defend land enable 
    HRP_M[FW-1] firewall defend smurf enable 
    HRP_M[FW-1] firewall defend fraggle enable 
    HRP_M[FW-1] firewall defend ip-fragment enable 
    HRP_M[FW-1] firewall defend tcp-flag enable 
    HRP_M[FW-1] firewall defend winnuke enable 
    HRP_M[FW-1] firewall defend source-route enable 
    HRP_M[FW-1] firewall defend teardrop enable 
    HRP_M[FW-1] firewall defend route-record enable 
    HRP_M[FW-1] firewall defend time-stamp enable 
    HRP_M[FW-1] firewall defend ping-of-death enable

  7. Configure the policy backup-based acceleration function.

    When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW-1] policy accelerate standby enable
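The hot standby pairing configured in steps 1 and 3 is easy to get subtly wrong (a mistyped remote heartbeat address, or a VRRP group that is active on both members). The following script is an added check, not code from the Huawei document: it parses CLI transcripts in the form shown above and verifies that each firewall's `hrp interface ... remote` address is the peer's heartbeat interface address and lies in the local heartbeat subnet, and that every VRRP group exists on both firewalls with the same virtual IP, on the same Eth-Trunk, with one active and one standby member. FW1 and FW2 are transcribed from the procedure; FW1_MISTYPED is a constructed variant with a wrong remote address.

```python
"""Consistency check for the hot-standby (HRP heartbeat + VRRP) configuration
of the two egress firewalls.  Added example, not part of the Huawei document.
The parser understands the CLI lines used in steps 1 and 3 above (both the
"Eth-Trunk 0" and "Eth-Trunk0" spellings); FW1 and FW2 below are transcribed
from the procedure, FW1_MISTYPED is a constructed variant with a wrong
'hrp ... remote' address to show what the check reports.
"""
import re
from ipaddress import ip_address, ip_interface

PROMPT = re.compile(r"^(?:HRP_[MS])?(?:<[^>]*>|\[[^\]]*\])\s*")
IFACE = re.compile(r"^interface Eth-Trunk\s*(\d+)$")
IPADDR = re.compile(r"^ip address (\S+) (\d+)$")
VRRP = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")
HRP = re.compile(r"^hrp interface Eth-Trunk\s*(\d+) remote (\S+)$")

def parse(transcript: str) -> dict:
    """Collect interface addresses, VRRP groups and the heartbeat setting."""
    cfg = {"ip": {}, "vrrp": {}, "hrp": None}
    current = None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw).strip()       # drop "[FW-1-Eth-Trunk1]" etc.
        if m := IFACE.match(line):
            current = f"Eth-Trunk{m.group(1)}"   # normalise "Eth-Trunk 1"/"Eth-Trunk1"
        elif line == "quit":
            current = None
        elif (m := IPADDR.match(line)) and current:
            cfg["ip"][current] = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := VRRP.match(line)) and current:
            cfg["vrrp"][int(m.group(1))] = (m.group(2), m.group(3), current)
        elif m := HRP.match(line):
            cfg["hrp"] = (f"Eth-Trunk{m.group(1)}", m.group(2))
    return cfg

def heartbeat_ip(cfg: dict):
    """Address of the interface named in 'hrp interface', if both exist."""
    return cfg["ip"].get(cfg["hrp"][0]) if cfg["hrp"] else None

def audit(fw_a: str, fw_b: str, names=("FW-1", "FW-2")) -> list:
    """Return findings; an empty list means the pair is consistent."""
    cfgs = dict(zip(names, (parse(fw_a), parse(fw_b))))
    findings = []
    for me, peer in (names, names[::-1]):
        mine, theirs = cfgs[me], cfgs[peer]
        if mine["hrp"] is None:
            findings.append(f"{me}: no 'hrp interface ... remote' configured")
            continue
        remote, local, peer_hb = mine["hrp"][1], heartbeat_ip(mine), heartbeat_ip(theirs)
        if local is None:
            findings.append(f"{me}: heartbeat interface {mine['hrp'][0]} has no IP address")
        elif ip_address(remote) not in local.network:
            findings.append(f"{me}: hrp remote {remote} is outside heartbeat subnet {local.network}")
        if peer_hb is None or str(peer_hb.ip) != remote:
            findings.append(f"{me}: hrp remote {remote} is not {peer}'s heartbeat address "
                            f"({peer_hb.ip if peer_hb else 'unknown'})")
    a, b = cfgs[names[0]]["vrrp"], cfgs[names[1]]["vrrp"]
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"VRRP group {vrid} is configured on only one firewall")
            continue
        (vip_a, role_a, if_a), (vip_b, role_b, if_b) = a[vrid], b[vrid]
        if vip_a != vip_b or if_a != if_b:
            findings.append(f"VRRP group {vrid}: {vip_a} on {if_a} vs {vip_b} on {if_b}")
        if {role_a, role_b} != {"active", "standby"}:
            findings.append(f"VRRP group {vrid}: roles {role_a}/{role_b}, expected active/standby")
    return findings

# Relevant lines of steps 1 and 3 for FW-1; FW-2 differs only in the
# predictable places, so it is derived from the same text.
FW1 = """\
[FW-1] interface Eth-Trunk 0
[FW-1-Eth-Trunk0] ip address 11.11.11.1 24
[FW-1-Eth-Trunk0] quit
[FW-1] interface Eth-Trunk1
[FW-1-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 active
[FW-1-Eth-Trunk1] quit
[FW-1] interface Eth-Trunk2
[FW-1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 active
[FW-1-Eth-Trunk2] quit
[FW-1] hrp interface Eth-Trunk0 remote 11.11.11.2
[FW-1] hrp enable
"""
FW2 = (FW1.replace("FW-1", "FW-2").replace("11.11.11.1 24", "11.11.11.2 24")
          .replace("remote 11.11.11.2", "remote 11.11.11.1").replace("active", "standby"))
# Constructed mistake: one digit dropped from the remote heartbeat address.
FW1_MISTYPED = FW1.replace("remote 11.11.11.2", "remote 11.11.1.2")

if __name__ == "__main__":
    print("planned pair:", audit(FW1, FW2) or "consistent")
    for finding in audit(FW1_MISTYPED, FW2):
        print("mistyped pair:", finding)
```

Run it against the `display current-configuration` output of both firewalls after step 3; an empty result means the two devices agree on where the heartbeat goes and on the VRRP roles, which is what the `display hrp state verbose` check in the verification section should then confirm.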

Verification

  1. On FW-1 and FW-2, run the display hrp state verbose command to view the hot standby status.
    HRP_M<FW-1> display hrp state verbose
     Role: active, peer: standby 
     Running priority: 45000, peer: 45000 
     Backup channel usage: 0.00% 
     Stable time: 0 days, 3 hours, 8 minutes 
     Last state change information: 2016-05-14 11:18:13 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000. 
     
     Configuration: 
     hello interval:              1000ms 
     preempt:                     60s 
     mirror configuration:        off 
     mirror session:              off 
     track trunk member:          on 
     auto-sync configuration:     on 
     auto-sync connection-status: on 
     adjust ospf-cost:            on 
     adjust ospfv3-cost:          on 
     adjust bgp-cost:             on 
     nat resource:                off 
     
     Detail information: 
                         Eth-Trunk1 vrrp vrid 1: active 
                         Eth-Trunk2 vrrp vrid 2: active 
                           GigabitEthernet1/0/1: up 
                           GigabitEthernet1/0/2: up 
                           GigabitEthernet1/0/3: up 
                           GigabitEthernet1/0/4: up 
                                      ospf-cost: +0 
                                    ospfv3-cost: +0 
                                       bgp-cost: +0
    HRP_S<FW-2> display hrp state verbose
     Role: standby, peer: active 
     Running priority: 45000, peer: 45000 
     Backup channel usage: 0.00% 
     Stable time: 0 days, 3 hours, 8 minutes 
     Last state change information: 2016-05-14 11:18:18 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000. 
     
     Configuration: 
     hello interval:              1000ms 
     preempt:                     60s 
     mirror configuration:        off 
     mirror session:              off 
     track trunk member:          on 
     auto-sync configuration:     on 
     auto-sync connection-status: on 
     adjust ospf-cost:            on 
     adjust ospfv3-cost:          on 
     adjust bgp-cost:             on 
     nat resource:                off 
     
     Detail information: 
                         Eth-Trunk1 vrrp vrid 1: standby 
                         Eth-Trunk2 vrrp vrid 2: standby 
                           GigabitEthernet1/0/1: up 
                           GigabitEthernet1/0/2: up 
                           GigabitEthernet1/0/3: up 
                           GigabitEthernet1/0/4: up 
                                      ospf-cost: +65500 
                                    ospfv3-cost: +65500 
                                       bgp-cost: +100
  2. Test the active/standby switchover.

    Configure a PC in the untrust zone to ping the server address continuously, then run the shutdown command on Eth-Trunk 1 of FW-1 and check the hot standby status of the firewalls and the number of discarded ping packets. If the switchover is normal, FW-2 becomes the active device and carries services: the command prompt of FW-2 changes from HRP_S to HRP_M, the command prompt of FW-1 changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded. Then run the undo shutdown command on Eth-Trunk 1 of FW-1 and check the status switchover and discarded ping packets again. If the switchover is normal, FW-1 becomes the active device and starts to carry services after the preemption delay (60s by default) expires: the command prompt of FW-1 changes from HRP_S to HRP_M, the command prompt of FW-2 changes from HRP_M to HRP_S, and again no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

  3. Check the configuration and update of the IPS signature database.

    # Run the display update configuration command to check the update information of the IPS signature database.

    HRP_M<FW-1> display update configuration 
    Update Configuration Information:                                                
    ------------------------------------------------------------                     
      Update Server               : sec.huawei.com                                   
      Update Port                 : 80                                               
      Proxy State                 : disable                                          
      Proxy Server                : -                                                
      Proxy Port                  : -                                                
      Proxy User                  : -                                                
      Proxy Password              : -                                                
      IPS-SDB:                                                                       
        Application Confirmation  : Disable                                          
        Schedule Update           : Enable                                           
        Schedule Update Frequency : Daily                                            
        Schedule Update Time      : 02:30                                            
      AV-SDB:                 
        Application Confirmation  : Disable                                          
        Schedule Update           : Enable                                           
        Schedule Update Frequency : Daily                                            
        Schedule Update Time      : 02:30                                            
      SA-SDB:                                                                        
        Application Confirmation  : Disable                                          
        Schedule Update           : Enable                                           
        Schedule Update Frequency : Daily                                            
        Schedule Update Time      : 02:30                                            
      IP-REPUTATION:                                                             
        Application Confirmation  : Disable                                          
        Schedule Update           : Enable                                           
        Schedule Update Frequency : Daily                                            
        Schedule Update Time      : 02:30                                            
      CNC:                                                                           
        Application Confirmation  : Disable                                          
        Schedule Update           : Enable                                           
        Schedule Update Frequency : Daily                                            
        Schedule Update Time      : 02:30                                            
    ------------------------------------------------------------                    

    # Run the display version ips-sdb command to check the configuration of the IPS signature database.

    HRP_M<FW-1> display version ips-sdb 
    IPS SDB Update Information List:                                                 
    ----------------------------------------------------------------                 
      Current Version:                                                               
        Signature Database Version    : 2016050703                                   
        Signature Database Size(byte) : 2659606                                      
        Update Time                   : 02:30:00 2016/05/08                          
        Issue Time of the Update File : 16:06:30 2016/05/07                          
                                                                                     
      Backup Version:                                                                
        Signature Database Version    :                                              
        Signature Database Size(byte) : 0                                            
        Update Time                   : 00:00:00 0000/00/00                          
        Issue Time of the Update File : 00:00:00 0000/00/00                          
    ----------------------------------------------------------------                 
    IPS Engine Information List:                                                     
    ----------------------------------------------------------------                 
      Current Version:                                                               
        IPS Engine Version            : V200R002C00SPC060                            
        IPS Engine Size(byte)         : 3145728                                      
        Update Time                   : 02:30:00 2016/05/08                          
        Issue Time of the Update File : 16:06:30 2016/05/07                          
                                                                                     
      Backup Version:                                                                
        IPS Engine Version            :                                              
        IPS Engine Size(byte)         : 0                                            
        Update Time                   : 00:00:00 0000/00/00                          
        Issue Time of the Update File : 00:00:00 0000/00/00                          
    ----------------------------------------------------------------

  4. Verify the access permission of users in each security zone to the data center network.

    If the access control result conforms to the security policy planning in Service Planning, the configuration is successful.

Configuration Scripts

FW-1

    #
    hrp enable
    hrp interface Eth-Trunk0 remote 11.11.11.2
    #
    firewall defend land enable
    firewall defend smurf enable
    firewall defend fraggle enable
    firewall defend ip-fragment enable
    firewall defend tcp-flag enable
    firewall defend winnuke enable
    firewall defend source-route enable
    firewall defend teardrop enable
    firewall defend route-record enable
    firewall defend time-stamp enable
    firewall defend ping-of-death enable
    #
    ip address-set remote_users type object
     description "for remote users"
     address 0 172.168.3.0 mask 24
    #
    ip address-set partner type object
     description "for partner"
     address 0 172.168.4.0 mask 24
    #
    ip address-set branch1 type object
     description "for branch1"
     address 0 10.8.1.0 mask 24
    #
    ip address-set branch2 type object
     description "for branch2"
     address 0 10.9.1.0 mask 24
    #
    ip address-set server1 type object
     description "for server1"
     address 0 10.1.1.10 mask 32
     address 1 10.1.1.11 mask 32
    #
    ip address-set server2 type object
     description "for server2"
     address 0 10.2.1.4 mask 32
     address 1 10.2.1.5 mask 32
    #
    ip address-set server3 type object
     description "for server3"
     address 0 10.1.2.4 mask 32
     address 1 10.1.2.5 mask 32
    #
    ip address-set server4 type object
     description "for server4"
     address 0 10.1.1.4 mask 32
     address 1 10.1.1.5 mask 32
    #
    ip service-set tcp_1414 type object
     service 0 protocol tcp destination-port 1414
    #
    ip service-set tcp_8888_9000 type object
     service 0 protocol tcp destination-port 8888
     service 1 protocol tcp destination-port 9000
    #
    interface Eth-Trunk0
     ip address 11.11.11.1 255.255.255.0
    #
    interface Eth-Trunk1
     ip address 10.6.1.2 255.255.255.248
     vrrp vrid 1 virtual-ip 10.6.1.1 active
    #
    interface Eth-Trunk2
     ip address 10.7.1.2 255.255.255.248
     vrrp vrid 2 virtual-ip 10.7.1.1 active
    #
    interface GigabitEthernet 1/0/1
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/2
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/3
     eth-trunk 2
    #
    interface GigabitEthernet 1/0/4
     eth-trunk 2
    #
    interface GigabitEthernet 1/0/5
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/5
     eth-trunk 0
    #
    firewall zone trust
     add interface Eth-Trunk2
    #
    firewall zone untrust
     add interface Eth-Trunk1
    #
    firewall zone dmz
     add interface Eth-Trunk0
    #
    ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
    ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
    ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
    ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
    ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
    ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
    ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
    #
    firewall session aging-time service-set tcp_1414 40000
    #
    security-policy
     rule name remote_users_to_server1
      source-zone untrust
      destination-zone trust
      source-address address-set remote_users
      destination-address address-set server1
      service http
      service ftp
      profile ips default
      action permit
     rule name partner_to_server2
      source-zone untrust
      destination-zone trust
      source-address address-set partner
      destination-address address-set server2
      service tcp_1414
      profile ips default
      action permit
     rule name branch1_to_server3
      source-zone untrust
      destination-zone trust
      source-address address-set branch1
      destination-address address-set server3
      service tcp_8888_9000
      profile ips default
      action permit
     rule name branch2_to_server4
      source-zone untrust
      destination-zone trust
      source-address address-set branch2
      destination-address address-set server4
      service ftp
      profile ips default
      long-link enable
      long-link aging-time 480
      action permit

FW-2

    #
    hrp enable
    hrp interface Eth-Trunk0 remote 11.11.11.1
    #
    firewall defend land enable
    firewall defend smurf enable
    firewall defend fraggle enable
    firewall defend ip-fragment enable
    firewall defend tcp-flag enable
    firewall defend winnuke enable
    firewall defend source-route enable
    firewall defend teardrop enable
    firewall defend route-record enable
    firewall defend time-stamp enable
    firewall defend ping-of-death enable
    #
    ip address-set remote_users type object
     description "for remote users"
     address 0 172.168.3.0 mask 24
    #
    ip address-set partner type object
     description "for partner"
     address 0 172.168.4.0 mask 24
    #
    ip address-set branch1 type object
     description "for branch1"
     address 0 10.8.1.0 mask 24
    #
    ip address-set branch2 type object
     description "for branch2"
     address 0 10.9.1.0 mask 24
    #
    ip address-set server1 type object
     description "for server1"
     address 0 10.1.1.10 mask 32
     address 1 10.1.1.11 mask 32
    #
    ip address-set server2 type object
     description "for server2"
     address 0 10.2.1.4 mask 32
     address 1 10.2.1.5 mask 32
    #
    ip address-set server3 type object
     description "for server3"
     address 0 10.1.2.4 mask 32
     address 1 10.1.2.5 mask 32
    #
    ip address-set server4 type object
     description "for server4"
     address 0 10.1.1.4 mask 32
     address 1 10.1.1.5 mask 32
    #
    ip service-set tcp_1414 type object
     service 0 protocol tcp destination-port 1414
    #
    ip service-set tcp_8888_9000 type object
     service 0 protocol tcp destination-port 8888
     service 1 protocol tcp destination-port 9000
    #
    interface Eth-Trunk0
     ip address 11.11.11.2 255.255.255.0
    #
    interface Eth-Trunk1
     ip address 10.6.1.3 255.255.255.248
     vrrp vrid 1 virtual-ip 10.6.1.1 standby
    #
    interface Eth-Trunk2
     ip address 10.7.1.3 255.255.255.248
     vrrp vrid 2 virtual-ip 10.7.1.1 standby
    #
    interface GigabitEthernet 1/0/1
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/2
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/3
     eth-trunk 2
    #
    interface GigabitEthernet 1/0/4
     eth-trunk 2
    #
    interface GigabitEthernet 1/0/5
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/5
     eth-trunk 0
    #
    firewall zone trust
     add interface Eth-Trunk2
    #
    firewall zone untrust
     add interface Eth-Trunk1
    #
    firewall zone dmz
     add interface Eth-Trunk0
    #
    ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
    ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
    ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
    ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
    ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
    ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
    ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
    #
    firewall session aging-time service-set tcp_1414 40000
    #
    security-policy
     rule name remote_users_to_server1
      source-zone untrust
      destination-zone trust
      source-address address-set remote_users
      destination-address address-set server1
      service http
      service ftp
      profile ips default
      action permit
     rule name partner_to_server2
      source-zone untrust
      destination-zone trust
      source-address address-set partner
      destination-address address-set server2
      service tcp_1414
      profile ips default
      action permit
     rule name branch1_to_server3
      source-zone untrust
      destination-zone trust
      source-address address-set branch1
      destination-address address-set server3
      service tcp_8888_9000
      profile ips default
      action permit
     rule name branch2_to_server4
      source-zone untrust
      destination-zone trust
      source-address address-set branch2
      destination-address address-set server4
      service ftp
      profile ips default
      long-link enable
      long-link aging-time 480
      action permit
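
The following Python check is an added example, not part of this document or the USG software: it parses a security-policy script in the format above and reports address sets with no covering static route, undefined address or service sets, and permit rules without a content-security profile. The embedded excerpt is constructed from the FW-1 script (the remote_users set 172.168.3.0/24 and the static route for 192.168.3.0/24 are kept as printed above, so the check reports the set as unrouted); its branch1_to_server3 rule is altered to reference an undefined service set and to omit the IPS profile.

```python
import ipaddress

# Constructed excerpt in the format of the FW-1 script above: one rule whose source set has no
# covering route, and one that references an undefined service set and carries no IPS profile.
CONFIG = """\
#
ip address-set remote_users type object
 address 0 172.168.3.0 mask 24
ip address-set branch1 type object
 address 0 10.8.1.0 mask 24
ip address-set server1 type object
 address 0 10.1.1.10 mask 32
ip address-set server3 type object
 address 0 10.1.2.4 mask 32
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
#
security-policy
 rule name remote_users_to_server1
  source-zone untrust
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service tcp_1414
  profile ips default
  action permit
 rule name branch1_to_server3
  source-zone untrust
  destination-zone trust
  source-address address-set branch1
  destination-address address-set server3
  service tcp_8888_9000
  action permit
"""

PREDEFINED_SERVICES = {"http", "ftp", "any"}  # predefined service names used in the script


def parse_config(text):
    """Parse address sets, service sets, static routes and security-policy rules."""
    cfg = {"address_sets": {}, "service_sets": {}, "routes": [], "rules": []}
    section = None  # (kind, name) inside a set view, ("rule", dict) inside a policy rule
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "#":  # "#" closes the current view
            section = None
        elif toks[:2] in (["ip", "address-set"], ["ip", "service-set"]):
            kind = toks[1].replace("-", "_") + "s"  # address_sets / service_sets
            cfg[kind][toks[2]] = []
            section = (kind, toks[2])
        elif toks[:2] == ["ip", "route-static"]:  # ip route-static <net> <mask> <next-hop>
            cfg["routes"].append(ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False))
        elif toks[:2] == ["rule", "name"]:
            rule = {"name": toks[2], "source-address": None, "destination-address": None,
                    "service": [], "profile": None, "action": None}
            cfg["rules"].append(rule)
            section = ("rule", rule)
        elif section and section[0] == "address_sets" and toks[0] == "address":
            net = ipaddress.ip_network(f"{toks[2]}/{toks[4]}", strict=False)  # address <id> <ip> mask <len>
            cfg["address_sets"][section[1]].append(net)
        elif section and section[0] == "service_sets" and toks[0] == "service":
            cfg["service_sets"][section[1]].append((toks[3], toks[5]))  # (protocol, dest port)
        elif section and section[0] == "rule":
            rule = section[1]
            if toks[0] in ("source-address", "destination-address") and toks[1] == "address-set":
                rule[toks[0]] = toks[2]
            elif toks[0] == "service":
                rule["service"].append(toks[1])
            elif toks[0] in ("profile", "action"):
                rule[toks[0]] = " ".join(toks[1:])
    return cfg


def audit(cfg):
    """Return findings as strings; an empty list means the script is self-consistent."""
    findings = []
    for rule in cfg["rules"]:
        name = rule["name"]
        for key in ("source-address", "destination-address"):
            obj = rule[key]
            if obj is None:
                findings.append(f"{name}: {key} is unrestricted (any)")
            elif obj not in cfg["address_sets"]:
                findings.append(f"{name}: undefined address-set {obj}")
            else:  # without a covering route the firewall cannot forward or return the traffic
                for net in cfg["address_sets"][obj]:
                    if not any(net.subnet_of(route) for route in cfg["routes"]):
                        findings.append(f"{name}: no static route covers {net} ({key} {obj})")
        for svc in rule["service"]:
            if svc not in PREDEFINED_SERVICES and svc not in cfg["service_sets"]:
                findings.append(f"{name}: undefined service-set {svc}")
        if rule["action"] == "permit" and rule["profile"] is None:
            findings.append(f"{name}: permit rule without a content-security (IPS) profile")
    return findings
```

Running audit(parse_config(CONFIG)) on the excerpt yields three findings: the unrouted remote_users set, the undefined tcp_8888_9000 service set, and the branch1_to_server3 permit rule without an IPS profile.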

Firewalls in the Intranet Access Area

Typical Networking

As shown in Figure 1-3, firewalls are attached to core switches as the hardware SACGs of the Agile Controller. When users in branch 1 access the data center service area, the firewalls work with the Agile Controller to control user access as follows:

  • To protect the service system from external users and insecure terminal hosts, only users who have passed identity authentication and the terminal security check are allowed to access it.
  • The service system is a core network resource, and employees are allowed to access it only during working hours.
  • The deployment must have minimal impact on the existing network. The service-first principle applies to the entire network so that service continuity is maintained if the access control system fails.

The data center network is logically divided into the pre-authentication domain, isolation domain, and post-authentication domain:

  • The pre-authentication domain is accessible to unauthenticated terminal hosts and comprises the DNS server, the external authentication source, the Service Controller (SC), and the Service Manager (SM).
  • The isolation domain is accessible to terminal hosts that have passed identity authentication but not the terminal security check, and comprises the patch server and antivirus server.
  • The post-authentication domain is accessible to terminal hosts that have passed both identity authentication and the terminal security check. In this solution, this domain is the data center service area.
Figure 1-3 Typical networking of firewalls in the intranet access area

Service Planning

Firewall Interface Planning

No.  Local Device  Local Interface  Peer Device  Peer Interface  Remarks
1    FW-3          GE1/0/1          SW-1         GE1/1/0/3       Upstream service interface
2    FW-3          GE1/0/2          SW-1         GE1/1/0/4       Downstream service interface
3    FW-4          GE1/0/1          SW-2         GE2/1/0/3       Upstream service interface
4    FW-4          GE1/0/2          SW-2         GE2/1/0/4       Downstream service interface
5    FW-3          GE1/0/3          FW-4         GE1/0/3         Heartbeat interface
6    FW-4          GE1/0/3          FW-3         GE1/0/3         Heartbeat interface

Firewall IP Address Planning

No.  Local Device  Local Interface  Local IP Address                     Peer Device  Peer Interface  Peer IP Address
1    FW-3          GE1/0/1          10.4.1.2/29 (VRID 1, VIP 10.4.1.1)   SW-1         VLANIF101       10.4.1.4/29
2    FW-3          GE1/0/2          10.5.1.2/29 (VRID 2, VIP 10.5.1.1)   SW-1         VLANIF102       10.5.1.4/29
3    FW-3          GE1/0/3          10.10.10.1/24                        FW-4         GE1/0/3         10.10.10.2/24
4    FW-4          GE1/0/1          10.4.1.3/29 (VRID 1, VIP 10.4.1.1)   SW-2         VLANIF101       10.4.1.4/29
5    FW-4          GE1/0/2          10.5.1.3/29 (VRID 2, VIP 10.5.1.1)   SW-2         VLANIF102       10.5.1.4/29
6    FW-4          GE1/0/3          10.10.10.2/24                        FW-3         GE1/0/3         10.10.10.1/24

Firewall Security Zone Planning

No.  Security Zone  Security Zone Priority  Included Interface  Remarks
1    untrust        5                       GE1/0/2             Downstream service interface
2    trust          100                     GE1/0/1             Upstream service interface
3    dmz            50                      GE1/0/3             Heartbeat interface

Firewall Security Policy Planning

No.  Policy          Source Zone  Source Address  Destination Zone  Destination Address  Action
1    sc_to_sacg      trust        any             local             any                  permit
2    sacg_to_client  local        any             untrust           any                  permit

Firewall Route Planning

Static routes on firewalls

No.  Destination Address  Mask     Next Hop  Remarks
1    0.0.0.0              0.0.0.0  10.4.1.4  Route that guides traffic back to the switch

Agile Controller Data Planning

Item: Service Controller 1
Data: IP address 192.168.1.2/24; port 3288; shared key TSM_Security
Remarks: The port and shared key configured on the FW must be the same as those configured on the Service Controller. If the Web push function is configured on the FW and an unauthenticated terminal user attempts to access the Web server in the post-authentication domain, the FW pushes the Web authentication page to the terminal user, who can then complete identity authentication on that page.

Item: Service Controller 2
Data: IP address 192.168.1.3/24; port 3288; shared key TSM_Security
Remarks: Same as Service Controller 1.

Item: Service Manager
Data: Login address https://192.168.1.2:8443; user name admin; password Admin@123
Remarks: The Service Manager and Service Controller 1 are installed on the same server. You log in to the Service Manager to configure the Agile Controller.

Item: Network segment on which the terminal users reside
Data: 10.8.1.0/24
Remarks: Network segment of users in branch 1.

Item: Post-authentication domain
Data: 10.1.1.4, 10.1.1.5
Remarks: Add the servers in the data center service area to the post-authentication domain and apply it to the user accounts in branch 1.

Item: Isolation domain
Data: Patch server 192.168.2.3; antivirus server 192.168.2.5
Remarks: Add the patch server and antivirus server to the isolation domain and apply it to the user accounts in branch 1.

Item: Pre-authentication domain
Data: DNS server 192.168.3.3; Service Controller 1 192.168.1.2; Service Controller 2 192.168.1.3
Remarks: Add the DNS server and Service Controllers to the pre-authentication domain.

Agile Controller User Data Planning

User Name  User IP Address  User Group        Role ID  Role Name    Remarks
lee        10.8.1.3         ROOT\development  1        DefaultDeny  This role is prohibited from accessing all services.
                                              6        Permit_1     This role is allowed to access the service system.
                                              255      Last         This role is allowed to access the pre-authentication domain.

Precautions

The firewall stateful inspection function must be disabled.

Configuration Procedure

Procedure

  1. Configure IP addresses for interfaces and assign the interfaces to security zones.

    # Configure IP addresses for the interfaces of FW-3.

    <sysname> system-view 
    [sysname] sysname FW-3 
    [FW-3] interface GigabitEthernet 1/0/1 
    [FW-3-GigabitEthernet1/0/1] description SACG1_To_Coreswitch1_GE1/1/0/3 
    [FW-3-GigabitEthernet1/0/1] ip address 10.4.1.2 29 
    [FW-3-GigabitEthernet1/0/1] quit 
    [FW-3] interface GigabitEthernet 1/0/2 
    [FW-3-GigabitEthernet1/0/2] description SACG1_To_Coreswitch1_GE1/1/0/4 
    [FW-3-GigabitEthernet1/0/2] ip address 10.5.1.2 29 
    [FW-3-GigabitEthernet1/0/2] quit 
    [FW-3] interface GigabitEthernet 1/0/3 
    [FW-3-GigabitEthernet1/0/3] description hrp_interface 
    [FW-3-GigabitEthernet1/0/3] ip address 10.10.10.1 24 
    [FW-3-GigabitEthernet1/0/3] quit

    # Configure IP addresses for the interfaces of FW-4.

    <sysname> system-view 
    [sysname] sysname FW-4 
    [FW-4] interface GigabitEthernet 1/0/1 
    [FW-4-GigabitEthernet1/0/1] description SACG2_To_Coreswitch2_GE2/1/0/3 
    [FW-4-GigabitEthernet1/0/1] ip address 10.4.1.3 29 
    [FW-4-GigabitEthernet1/0/1] quit 
    [FW-4] interface GigabitEthernet 1/0/2 
    [FW-4-GigabitEthernet1/0/2] description SACG2_To_Coreswitch2_GE2/1/0/4 
    [FW-4-GigabitEthernet1/0/2] ip address 10.5.1.3 29 
    [FW-4-GigabitEthernet1/0/2] quit 
    [FW-4] interface GigabitEthernet 1/0/3 
    [FW-4-GigabitEthernet1/0/3] description hrp_interface 
    [FW-4-GigabitEthernet1/0/3] ip address 10.10.10.2 24 
    [FW-4-GigabitEthernet1/0/3] quit

    # Assign the interfaces of FW-3 to appropriate security zones.

    [FW-3] firewall zone trust 
    [FW-3-zone-trust] add interface GigabitEthernet 1/0/1 
    [FW-3-zone-trust] quit 
    [FW-3] firewall zone untrust 
    [FW-3-zone-untrust] add interface GigabitEthernet 1/0/2 
    [FW-3-zone-untrust] quit 
    [FW-3] firewall zone dmz 
    [FW-3-zone-dmz] add interface GigabitEthernet 1/0/3 
    [FW-3-zone-dmz] quit

    # Assign the interfaces of FW-4 to appropriate security zones.

    [FW-4] firewall zone trust 
    [FW-4-zone-trust] add interface GigabitEthernet 1/0/1 
    [FW-4-zone-trust] quit 
    [FW-4] firewall zone untrust 
    [FW-4-zone-untrust] add interface GigabitEthernet 1/0/2 
    [FW-4-zone-untrust] quit 
    [FW-4] firewall zone dmz 
    [FW-4-zone-dmz] add interface GigabitEthernet 1/0/3 
    [FW-4-zone-dmz] quit

  2. Configure static routes.

    # On FW-3, configure a static route to guide traffic back to the core switch.

    [FW-3] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4

    # On FW-4, configure a static route to guide traffic back to the core switch.

    [FW-4] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4

  3. Configure link-group.

    # On FW-3, configure link-group 1 and add upstream and downstream service interfaces to the link-group.

    [FW-3] interface GigabitEthernet 1/0/1 
    [FW-3-GigabitEthernet1/0/1] link-group 1 
    [FW-3-GigabitEthernet1/0/1] quit 
    [FW-3] interface GigabitEthernet 1/0/2 
    [FW-3-GigabitEthernet1/0/2] link-group 1 
    [FW-3-GigabitEthernet1/0/2] quit

    # On FW-4, configure link-group 1 and add upstream and downstream service interfaces to the link-group.

    [FW-4] interface GigabitEthernet 1/0/1 
    [FW-4-GigabitEthernet1/0/1] link-group 1 
    [FW-4-GigabitEthernet1/0/1] quit 
    [FW-4] interface GigabitEthernet 1/0/2 
    [FW-4-GigabitEthernet1/0/2] link-group 1 
    [FW-4-GigabitEthernet1/0/2] quit

  4. Configure hot standby.

    # Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-3, setting its state to Active.

    [FW-3] interface GigabitEthernet 1/0/1 
    [FW-3-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 active 
    [FW-3-GigabitEthernet1/0/1] quit

    # Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-3, setting its state to Active.

    [FW-3] interface GigabitEthernet 1/0/2 
    [FW-3-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 active 
    [FW-3-GigabitEthernet1/0/2] quit

    # Designate GE1/0/3 as the heartbeat interface of FW-3, and enable hot standby.

    [FW-3] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2 
    [FW-3] hrp enable

    # Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-4, setting its state to Standby.

    [FW-4] interface GigabitEthernet 1/0/1 
    [FW-4-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 standby 
    [FW-4-GigabitEthernet1/0/1] quit

    # Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-4, setting its state to Standby.

    [FW-4] interface GigabitEthernet 1/0/2 
    [FW-4-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 standby 
    [FW-4-GigabitEthernet1/0/2] quit

    # Designate GE1/0/3 as the heartbeat interface of FW-4, and enable hot standby.

    [FW-4] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1 
    [FW-4] hrp enable

    NOTE:

    After hot standby is configured, you only need to configure security policies and SACG on the active device FW-3. The configuration on FW-3 is automatically backed up on FW-4.

  5. Disable the stateful inspection function.

    HRP_M[FW-3] undo firewall session link-state check

  6. Configure security policies.

    # Configure a Local-Trust security policy to allow the communication between the FW and Service Controller.

    HRP_M[FW-3] security-policy 
    HRP_M[FW-3-security-policy] rule name sc_to_sacg 
    HRP_M[FW-3-security-policy-sc_to_sacg] source-zone trust local 
    HRP_M[FW-3-security-policy-sc_to_sacg] destination-zone local trust 
    HRP_M[FW-3-security-policy-sc_to_sacg] action permit 
    HRP_M[FW-3-security-policy-sc_to_sacg] quit

    # Configure a Local-Untrust security policy so that the FW can push the web-based authentication page to the user.

    HRP_M[FW-3-security-policy] rule name sacg_to_client 
    HRP_M[FW-3-security-policy-sacg_to_client] source-zone local 
    HRP_M[FW-3-security-policy-sacg_to_client] destination-zone untrust 
    HRP_M[FW-3-security-policy-sacg_to_client] action permit 
    HRP_M[FW-3-security-policy-sacg_to_client] quit 
    HRP_M[FW-3-security-policy] quit

  7. Configure the interworking with the Agile Controller.

    # Enter the view of configuring the FW to interwork with the Agile Controller, and specify the number of the default ACL rule group.

    NOTE:

    If ACLs 3099 to 3999 are in use, delete them before configuring the interworking with the Agile Controller. Otherwise, conflicts occur when the FW generates ACL rules.

    HRP_M[FW-3] right-manager server-group 
    HRP_M[FW-3-rightm] default acl 3099

    # Add the Service Controller to the FW. Then the FW can interwork with the Service Controller. Because two Service Controllers are deployed, you must run the server ip command twice to add the two Service Controllers.

    NOTE:

    The port and shared key in the server ip command must be the same as those on the Service Controller. Otherwise, the FW cannot interwork with the Service Controller, and the SACG interworking function is unavailable.

    HRP_M[FW-3-rightm] server ip 192.168.1.2 port 3288 shared-key TSM_Security 
    HRP_M[FW-3-rightm] server ip 192.168.1.3 port 3288 shared-key TSM_Security

    # Configure Web authentication. If an unauthenticated terminal user attempts to access the network, the FW automatically pushes the Web authentication page to the terminal user. Therefore, the terminal user can be authenticated on the web page.

    HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.2:8084/auth 
    HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.3:8084/auth

    # Configure the local IP address used by the FW for communicating with the Service Controller.

    NOTE:

    The configuration cannot be backed up. You must configure it on both FWs. Set the IP address of the standby FW to 10.4.1.3.

    HRP_M[FW-3-rightm] local ip 10.4.1.2

    # Enable the server group so that the FW connects to the Service Controller immediately and sends the interworking request. After the connection succeeds, the FW can receive the roles and rules delivered by the Agile Controller.

    HRP_M[FW-3-rightm] right-manager server-group enable

    # Configure an emergency channel, and set the minimum number of active Service Controllers to 1. When at least one Service Controller is connected to the FW, the FW performs Service Controller status detection normally. If the FW cannot connect to any Service Controller, it opens the emergency channel so that all users can access the controlled network. As a result, terminal users keep network access even if the Service Controllers fail.

    HRP_M[FW-3-rightm] right-manager server-group active-minimum 1 
    HRP_M[FW-3-rightm] right-manager status-detect enable 
    HRP_M[FW-3-rightm] quit

    # Apply ACL 3099 in the inbound direction of the Trust-Untrust interzone. Terminal users can then communicate normally with the servers in the pre-authentication domain, and the permit rule of the emergency channel is correctly delivered to the Trust-Untrust interzone.

    HRP_M[FW-3] firewall interzone trust untrust 
    HRP_M[FW-3-interzone-trust-untrust] apply packet-filter right-manager inbound 
    HRP_M[FW-3-interzone-trust-untrust] quit

  8. Configure the core switches. This part uses the CE12800 as an example to describe the configuration for interworking between the switch and FW.

    # Configure the interfaces and VLANs of core switches.

    [~CSS] vlan batch 101 to 102          
    [*CSS] interface gigabitethernet 1/1/0/3                 
    [*CSS-GigabitEthernet1/1/0/3] description To_SACG1_GE1/0/1 
    [*CSS-GigabitEthernet1/1/0/3] port link-type access                       
    [*CSS-GigabitEthernet1/1/0/3] port default vlan 101   
    [*CSS-GigabitEthernet1/1/0/3] quit          
    [*CSS] interface gigabitethernet 1/1/0/4                 
    [*CSS-GigabitEthernet1/1/0/4] description To_SACG1_GE1/0/2 
    [*CSS-GigabitEthernet1/1/0/4] port link-type access                       
    [*CSS-GigabitEthernet1/1/0/4] port default vlan 102   
    [*CSS-GigabitEthernet1/1/0/4] quit     
    [*CSS] interface gigabitethernet 2/1/0/3                 
    [*CSS-GigabitEthernet2/1/0/3] description To_SACG2_GE1/0/1 
    [*CSS-GigabitEthernet2/1/0/3] port link-type access                       
    [*CSS-GigabitEthernet2/1/0/3] port default vlan 101   
    [*CSS-GigabitEthernet2/1/0/3] quit          
    [*CSS] interface gigabitethernet 2/1/0/4                 
    [*CSS-GigabitEthernet2/1/0/4] description To_SACG2_GE1/0/2 
    [*CSS-GigabitEthernet2/1/0/4] port link-type access                       
    [*CSS-GigabitEthernet2/1/0/4] port default vlan 102   
    [*CSS-GigabitEthernet2/1/0/4] quit     
    [*CSS] interface vlanif 101 
    [*CSS-Vlanif101] ip address 10.4.1.4 29 
    [*CSS-Vlanif101] quit                       
    [*CSS] interface vlanif 102 
    [*CSS-Vlanif102] ip address 10.5.1.4 29 
    [*CSS-Vlanif102] quit   
    [*CSS] commit

    # Configure PBR.

    [~CSS] acl 3001   
    [*CSS-acl4-advance-3001] rule 5 permit ip source 10.8.1.0 24   
    [*CSS-acl4-advance-3001] quit 
    [~CSS] traffic classifier c1   
    [*CSS-classifier-c1] if-match acl 3001   
    [*CSS-classifier-c1] quit 
    [~CSS] traffic behavior b1   
    [*CSS-behavior-b1] redirect nexthop 10.5.1.1   
    [*CSS-behavior-b1] quit 
    [~CSS] traffic policy p1   
    [*CSS-trafficpolicy-p1] classifier c1 behavior b1 precedence 5   
    [*CSS-trafficpolicy-p1] quit 
    [~CSS] interface eth-trunk 2  //Eth-Trunk 2 connects the core switch to branch 1. 
    [*CSS-Eth-Trunk2] traffic-policy p1 inbound  
    [*CSS-Eth-Trunk2] quit 
    [*CSS] commit

  9. Configure the Agile Controller.

    1. Configure the firewall to function as the hardware SACG.
      1. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Config.
      2. Click Add on the Hardware SACG tab.

      NOTE:

      If NAT is configured to implement address translation between end users and the SC, set the IP address range (Start IP Address and End IP Address) to the range of translated IP addresses for end users but not the real IP addresses of terminals. Otherwise, end users cannot go online on the SACG.

    2. Configure the pre-authentication domain, isolation domain, and post-authentication domain.
      1. Click Add on the Pre-Authentication Domain tab.

        Add the IP addresses of the other servers in the pre-authentication domain in the same way.

      2. Click Add on the Controlled Domain tab to add the isolation domain resources to a protected domain.

        Repeat the preceding step to add the post-authentication resources to the protected domain.

      3. Click Add on the Isolation Domain tab to set the resources that end users can access.

      4. Click Add on the Post-Authentication Domain tab to set the post-authentication resource that end users can access only in working hours, that is, the post_work resource.

        Add the resources that end users cannot access in non-working hours to the post-authentication domain in the same way.

    3. Configure an SACG policy group and apply it to an account, user group, or IP address segment.
      1. Configure a time segment so that employees can access the service system only in working hours.
        1. Choose Policy > Permission Control > Policy Element > Schedule.
        2. Click Add.
        3. Click OK.
      2. Configure an SACG policy group.
        1. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group.
        2. Click Add.
        3. Click OK.
      3. Apply the SACG policy group to an account, user group, or IP address segment. In this example, the SACG policy group is applied to a user group.

        NOTE:

        The SACG policy group is applied to an account, user group, and IP address segment in descending order of matching priority.

        Click next to SACG policy to apply the SACG policy to the specified user group.
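
Step 7 sets active-minimum to 1, so the SACG fails open (the emergency channel permits all users) as soon as no Service Controller is reachable, which a defender will want to monitor. The following Python check is an added example, not part of this document or the USG software: it parses output in the format of the display right-manager server-group command as captured on the active and standby FWs and classifies the interworking state; the output is constructed to match that command's format, with the inactive entry on the standby FW added to show a degraded state.

```python
import re

# Constructed output in the format of "display right-manager server-group", as captured on the
# active and standby firewalls. Addresses and port follow the Agile Controller data planning
# above; the inactive entry on the standby firewall is constructed to show a degraded state.
ACTIVE_FW_OUTPUT = """\
HRP_M<FW-3> display right-manager server-group
 Server group state  :  Enable
 Server number :     2
 Server ip address        Port        State       Master
 192.168.1.2              3288        active        Y
 192.168.1.3              3288        active        N
"""
STANDBY_FW_OUTPUT = """\
HRP_S<FW-4> display right-manager server-group
 Server group state  :  Enable
 Server number :     2
 Server ip address        Port        State       Master
 192.168.1.2              3288        active        Y
 192.168.1.3              3288        inactive      N
"""

# One Service Controller row: <ip> <port> <state> <master Y/N>
SERVER_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\w+)\s+([YN])\s*$")


def parse_server_group(output):
    """Return (group_enabled, {server_ip: (port, state, is_master)})."""
    enabled, servers = False, {}
    for line in output.splitlines():
        if "Server group state" in line:
            enabled = line.split(":")[-1].strip().lower() == "enable"
        match = SERVER_LINE.match(line)
        if match:
            ip, port, state, master = match.groups()
            servers[ip] = (int(port), state.lower(), master == "Y")
    return enabled, servers


def assess(output, active_minimum=1, planned_servers=("192.168.1.2", "192.168.1.3"),
           planned_port=3288):
    """Classify the SACG interworking state as OK, WARNING or CRITICAL, with reasons.

    active_minimum mirrors 'right-manager server-group active-minimum': once fewer Service
    Controllers than that are active, the emergency channel opens and every user is permitted.
    """
    enabled, servers = parse_server_group(output)
    if not enabled:
        return "CRITICAL", ["server group disabled: no Agile Controller enforcement"]
    reasons = [f"planned Service Controller {ip} is not configured"
               for ip in planned_servers if ip not in servers]
    reasons += [f"{ip}: port {port} differs from planned {planned_port}"
                for ip, (port, _, _) in servers.items() if port != planned_port]
    active = [ip for ip, (_, state, _) in servers.items() if state == "active"]
    if len(active) < active_minimum:
        reasons.append(f"{len(active)} active < active-minimum {active_minimum}: "
                       "emergency channel open, all users permitted")
        return "CRITICAL", reasons
    if len(active) == active_minimum:
        reasons.append(f"{len(active)} active = active-minimum {active_minimum}: "
                       "one more Service Controller failure opens the emergency channel")
    if not any(is_master for _, _, is_master in servers.values()):
        reasons.append("no master Service Controller elected")
    return ("WARNING" if reasons else "OK"), reasons
```

Run against both captures, the active FW reports OK and the standby FW a WARNING, since with one Service Controller left active the next failure opens the emergency channel.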

Verification

  1. If a user successfully passes authentication and terminal security check, the user can access the service system in working hours but not in non-working hours.
  2. If a severe violation occurs, the terminal host cannot access the network, and a message is displayed indicating that repair is required. The terminal host can access the network after the repair.
  3. View the state of the Agile Controller.

    # View the state of the Agile Controller on the active FW.

    HRP_M<FW-3> display right-manager server-group                  
     Server group state  :  Enable                                                         
     Server number :     2                                                           
     Server ip address        Port        State       Master                         
     192.168.1.2              3288        active        Y                       
     192.168.1.3              3288        active        N                           

    active indicates that the status of the connection between the Agile Controller and FW is normal.

    # View the state of the Agile Controller on the standby FW.

    HRP_S<FW-4> display right-manager server-group                  
     Server group state  :  Enable                                                         
     Server number :     2                                                           
     Server ip address        Port        State       Master                         
     192.168.1.2              3288        active        Y                       
     192.168.1.3              3288        active        N                           
  4. After the branch user logs in, you can view the user login information on both FWs. The following part shows the display right-manager online-users command output on the active FW.
    HRP_M<FW-3> display right-manager online-users  
      User name    : lee 
      Ip address   : 10.8.1.3 
      ServerIp     : 192.168.1.2 
      Login time   : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day) 
    ----------------------------------------- 
      Role id      Rolename 
         1          DefaultDeny   
         6          Permit_1   
       255          Last   
    -----------------------------------------

    Run the display right-manager role-info command to view the mappings between roles and ACLs.

    HRP_M<FW-3> display right-manager role-info 
     All Role count:8  
     Role  ID      ACL number      Role name 
    ------------------------------------------------------------------------------ 
     Role   0      3099            default 
     Role   1      3100            DefaultDeny 
     Role   2      3101            DefaultPermit 
     Role   3      3102            Deny___0 
     Role   4      3103            Permit_0 
     Role   5      3104            Deny___1 
     Role   6      3105            Permit_1 
     Role 255      3354            Last

    Run the display acl acl-number command to view ACLs 3100, 3105, and 3354.

    HRP_M<FW-3> display acl 3100 
    Advanced ACL  3100, 1 rule     //Default deny rule, used when Control mode in the isolation and post-authentication domains is selected as Permits access to only controlled domain resources in the list.
    Acl's step is 1 
     rule 1 deny ip (0 times matched) 
    HRP_M<FW-3> display acl 3105 
    Advanced ACL  3105, 2 rules     //Permit the access to the post-authentication domain.
    Acl's step is 1 
     rule 1 permit ip destination 10.1.1.4 0 (0 times matched) 
     rule 2 permit ip destination 10.1.1.5 0 (0 times matched) 
    HRP_M<FW-3> display acl 3354 
    Advanced ACL  3354, 3 rules     //Permit the access to the pre-authentication domain.
    Acl's step is 1 
     rule 1 permit ip destination 192.168.1.2 0 (0 times matched) 
     rule 2 permit ip destination 192.168.1.3 0 (0 times matched) 
     rule 3 permit ip destination 192.168.3.3 0 (0 times matched)     

    From the previous information, account lee corresponds to roles 1, 6, and 255, and the matching sequence is from top to bottom. The role-ACL relationship indicates the ACL rules for the three roles.

    Role 255 is allowed to access the pre-authentication domain, role 6 is allowed to access the service system, and role 1 is prohibited from accessing all services.

    In conclusion, account lee is allowed to access only the pre-authentication domain and the service system in the post-authentication domain.

  5. Choose Resource > User > Online User on the Agile Controller to check user login information.
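The role-to-ACL reasoning in step 4 is what you repeat every time a user reports "I can reach A but not B". The following script, an added example and not code from the Huawei document, parses constructed copies of the three command outputs shown above (display right-manager online-users, display right-manager role-info, display acl) and reports which role and rule decide a user's access to a destination. The precedence it applies, permit rules of any of the user's roles before the deny-all rule of DefaultDeny, is an assumption drawn from the document's conclusion about account lee; confirm it on your own version with a test host before relying on it.

```python
"""Work out a SACG user's effective access from right-manager command output.

Added example, not code from the Huawei document. Sample outputs below are
constructed from the verification section; the permit-before-DefaultDeny
precedence is an assumption taken from the document's conclusion about lee.
"""
import ipaddress
import re

ONLINE_USERS = """\
  User name    : lee
  Ip address   : 10.8.1.3
  ServerIp     : 192.168.1.2
  Login time   : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day)
-----------------------------------------
  Role id      Rolename
     1          DefaultDeny
     6          Permit_1
   255          Last
-----------------------------------------
"""
ROLE_INFO = """\
 All Role count:8
 Role  ID      ACL number      Role name
------------------------------------------------------------------------------
 Role   0      3099            default
 Role   1      3100            DefaultDeny
 Role   2      3101            DefaultPermit
 Role   3      3102            Deny___0
 Role   4      3103            Permit_0
 Role   5      3104            Deny___1
 Role   6      3105            Permit_1
 Role 255      3354            Last
"""
ACLS = """\
Advanced ACL  3100, 1 rule
Acl's step is 1
 rule 1 deny ip (0 times matched)
Advanced ACL  3105, 2 rules
Acl's step is 1
 rule 1 permit ip destination 10.1.1.4 0 (0 times matched)
 rule 2 permit ip destination 10.1.1.5 0 (0 times matched)
Advanced ACL  3354, 3 rules
Acl's step is 1
 rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
 rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
 rule 3 permit ip destination 192.168.3.3 0 (0 times matched)
"""


def parse_online_users(text):
    """{user: {"ip": str, "roles": [role ids in the order the FW lists them]}}"""
    users, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*User name\s*:\s*(\S+)", line):
            current = users.setdefault(m.group(1), {"ip": None, "roles": []})
        elif m := re.match(r"\s*Ip address\s*:\s*(\S+)", line):
            current["ip"] = m.group(1)
        elif (m := re.match(r"\s*(\d+)\s+(\S+)\s*$", line)) and current:
            current["roles"].append(int(m.group(1)))
    return users


def parse_role_info(text):
    """{role id: (acl number, role name)}"""
    return {int(r): (int(acl), name)
            for r, acl, name in re.findall(r"Role\s+(\d+)\s+(\d+)\s+(\S+)", text)}


def wildcard_to_network(addr, wildcard):
    """VRP 'address wildcard' (0 bits must match; a bare '0' is an exact host)."""
    wc = int(wildcard) if "." not in wildcard else int(ipaddress.IPv4Address(wildcard))
    mask = str(ipaddress.IPv4Address(wc ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_acls(text):
    """{acl number: [(rule id, action, destination network or None for any)]}"""
    acls, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"Advanced ACL\s+(\d+),", line):
            current = acls.setdefault(int(m.group(1)), [])
        elif m := re.match(
                r"\s*rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+destination\s+(\S+)\s+(\S+))?", line):
            net = wildcard_to_network(m.group(3), m.group(4)) if m.group(3) else None
            current.append((int(m.group(1)), m.group(2), net))
    return acls


def decide(user, dest, users, roles, acls):
    """(action, role name, rule id) that decides user -> dest."""
    dest_ip, fallback = ipaddress.IPv4Address(dest), ("deny", "implicit", None)
    for role_id in users[user]["roles"]:
        acl_number, role_name = roles[role_id]
        for rule_id, action, net in acls.get(acl_number, []):
            if net is not None and dest_ip not in net:
                continue
            if action == "permit":                 # any role's permit wins (assumption)
                return "permit", role_name, rule_id
            if fallback[1] == "implicit":          # first matching deny is the fallback
                fallback = ("deny", role_name, rule_id)
    return fallback


def load_sample():
    return parse_online_users(ONLINE_USERS), parse_role_info(ROLE_INFO), parse_acls(ACLS)


if __name__ == "__main__":
    users, roles, acls = load_sample()
    for dest in ("10.1.1.4", "192.168.3.3", "10.9.9.9"):
        print("lee ->", dest, decide("lee", dest, users, roles, acls))
```

Paste the real outputs of the three commands into the three strings to check a production account; the wildcard handling covers the host entries the document uses and ordinary subnet wildcards, but not source-address or port conditions, which these ACLs do not contain.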

Configuration Scripts

FW-3

    #
    hrp enable
    hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2
    #
    undo firewall session link-state check
    #
    interface GigabitEthernet 1/0/1
     description SACG1_To_Coreswitch1_GE1/1/0/3
     ip address 10.4.1.2 255.255.255.248
     vrrp vrid 1 virtual-ip 10.4.1.1 active
     link-group 1
    #
    interface GigabitEthernet 1/0/2
     description SACG1_To_Coreswitch1_GE1/1/0/4
     ip address 10.5.1.2 255.255.255.248
     vrrp vrid 2 virtual-ip 10.5.1.1 active
     link-group 1
    #
    interface GigabitEthernet 1/0/3
     description hrp_interface
     ip address 10.10.10.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 1/0/1
    #
    firewall zone untrust
     add interface GigabitEthernet 1/0/2
    #
    firewall zone dmz
     add interface GigabitEthernet 1/0/3
    #
    firewall interzone trust untrust
     apply packet-filter right-manager inbound
    #
    ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
    #
    firewall session aging-time service-set tcp_1414 40000
    #
    right-manager server-group
    default acl 3099
    server ip 192.168.1.2 port 3288 shared-key %$%$FxDAFSd(Y*Ku3%4+"%$%$
    server ip 192.168.1.3 port 3288 shared-key %ef<f%7FxDAFSd(Y*Ku3%><dfe%&%$
    integrity-check enable
    right-manager server-group enable
    right-manager status-detect enable
    local ip 10.4.1.2
    right-manager authentication url http://192.168.1.2:8084/auth
    right-manager authentication url http://192.168.1.3:8084/auth
    #
    security-policy
     rule name sc_to_sacg
      source-zone trust
      source-zone local
      destination-zone local
      destination-zone trust
      action permit
     rule name sacg_to_client
      source-zone local
      destination-zone untrust
      action permit

FW-4

    #
    hrp enable
    hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1
    #
    undo firewall session link-state check
    #
    interface GigabitEthernet 1/0/1
     description SACG2_To_Coreswitch2_GE2/1/0/3
     ip address 10.4.1.3 255.255.255.248
     vrrp vrid 1 virtual-ip 10.4.1.1 standby
     link-group 1
    #
    interface GigabitEthernet 1/0/2
     description SACG2_To_Coreswitch2_GE2/1/0/4
     ip address 10.5.1.3 255.255.255.248
     vrrp vrid 2 virtual-ip 10.5.1.1 standby
     link-group 1
    #
    interface GigabitEthernet 1/0/3
     description hrp_interface
     ip address 10.10.10.2 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 1/0/1
    #
    firewall zone untrust
     add interface GigabitEthernet 1/0/2
    #
    firewall zone dmz
     add interface GigabitEthernet 1/0/3
    #
    firewall interzone trust untrust
     apply packet-filter right-manager inbound
    #
    ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
    #
    firewall session aging-time service-set tcp_1414 40000
    #
    right-manager server-group
    default acl 3099
    server ip 192.168.1.2 port 3288 shared-key %$%$FxDAFSd(Y*Ku3%4+"%$%$
    server ip 192.168.1.3 port 3288 shared-key %ef<f%7FxDAFSd(Y*Ku3%><dfe%&%$
    integrity-check enable
    right-manager server-group enable
    right-manager status-detect enable
    local ip 10.4.1.3
    right-manager authentication url http://192.168.1.2:8084/auth
    right-manager authentication url http://192.168.1.3:8084/auth
    #
    security-policy
     rule name sc_to_sacg
      source-zone trust
      source-zone local
      destination-zone local
      destination-zone trust
      action permit
     rule name sacg_to_client
      source-zone local
      destination-zone untrust
      action permit

Firewalls at the Internet Egress

Typical Networking

Figure 1-4 shows the typical networking of firewalls at the Internet egress.

  • Core switches SW1 and SW2 are stacked. Egress aggregation switches SW7 and SW8 are stacked. Firewalls are located between core switches and egress aggregation switches. They work in Layer 3 active/standby hot standby mode.
  • VRRP is configured on the interfaces connecting the firewalls to the upstream and downstream devices. The firewalls use the VRRP virtual IP addresses to communicate with the upstream and downstream devices.
  • Employees on the move establish SSL VPN connections to the firewalls for secure access to the intranet.
  • A firewall is deployed at the Internet egress of a branch, which establishes an IPSec VPN connection with the firewall at the Internet egress of the headquarters. Data is transmitted between the branch and data center over the IPSec VPN.
  • Some servers in the DMZ are pre-service servers that need to provide services for Internet users. Therefore, the firewalls at the Internet egress must have NAT Server configured to map the servers' private IP addresses to public IP addresses.
Figure 1-4 Typical networking of firewalls at the Internet egress

Service Planning

Firewall Interface Planning

Interface planning for FW-5

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
1 | FW-5 | GE1/0/1 | SW-5 | GE1/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-5 | GE1/0/2 | SW-5 | GE1/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-5 | GE1/0/3 | SW-1 | GE1/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-5 | GE1/0/4 | SW-1 | GE1/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-5 | GE1/0/5 | FW-6 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-5 | GE1/0/6 | FW-6 | GE1/0/6 | Eth-Trunk 0, heartbeat interface

Interface planning for FW-6

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
1 | FW-6 | GE1/0/1 | SW-6 | GE2/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-6 | GE1/0/2 | SW-6 | GE2/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-6 | GE1/0/3 | SW-2 | GE2/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-6 | GE1/0/4 | SW-2 | GE2/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-6 | GE1/0/5 | FW-5 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-6 | GE1/0/6 | FW-5 | GE1/0/6 | Eth-Trunk 0, heartbeat interface

Firewall IP Address Planning

No. | Local Device | Local Interface | VLAN ID | Local IP Address | Peer Device | Remarks
1 | FW-5 | Eth-Trunk1.1 | 10 | 172.6.1.2/29; VRID 1, VIP 1.1.1.1/29 | SW-5 | SSL VPN gateway for employees on the move
2 | FW-5 | Eth-Trunk1.2 | 20 | 172.6.2.2/29; VRID 2, VIP 1.1.2.1/29 | SW-5 | IPSec gateway
3 | FW-5 | Eth-Trunk1.3 | 30 | 172.6.3.2/29; VRID 3, VIP 1.1.3.1/29 | SW-5 | Access gateway for Internet users
4 | FW-5 | Eth-Trunk1.4 | 40 | 172.6.4.2/29; VRID 4, VIP 1.1.4.1/29 | SW-5 | SSL VPN gateway for the partner
5 | FW-5 | Eth-Trunk2.1 | 103 | 172.7.1.2/29; VRID 5, VIP 172.7.1.1 | SW-1 | Data center service area
6 | FW-5 | Eth-Trunk2.2 | 104 | 172.7.2.2/29; VRID 6, VIP 172.7.2.1 | SW-1 | DMZ
7 | FW-5 | Eth-Trunk0 | - | 12.12.12.1/24 | FW-6 | Heartbeat interface
8 | FW-6 | Eth-Trunk1.1 | 10 | 172.6.1.3/29; VRID 1, VIP 1.1.1.1/29 | SW-6 | SSL VPN gateway for employees on the move
9 | FW-6 | Eth-Trunk1.2 | 20 | 172.6.2.3/29; VRID 2, VIP 1.1.2.1/29 | SW-6 | IPSec gateway
10 | FW-6 | Eth-Trunk1.3 | 30 | 172.6.3.3/29; VRID 3, VIP 1.1.3.1/29 | SW-6 | Access gateway for Internet users
11 | FW-6 | Eth-Trunk1.4 | 40 | 172.6.4.3/29; VRID 4, VIP 1.1.4.1/29 | SW-6 | SSL VPN gateway for the partner
12 | FW-6 | Eth-Trunk2.1 | 103 | 172.7.1.3/29; VRID 5, VIP 172.7.1.1 | SW-2 | Data center service area
13 | FW-6 | Eth-Trunk2.2 | 104 | 172.7.2.3/29; VRID 6, VIP 172.7.2.1 | SW-2 | DMZ
14 | FW-6 | Eth-Trunk0 | - | 12.12.12.2/24 | FW-5 | Heartbeat interface

Firewall Security Zone Planning

No. | Security Zone | Security Zone Priority | Included Interface | Remarks
1 | zone1 | 45 | Eth-Trunk1.1 | Employees on the move
2 | zone2 | 40 | Eth-Trunk1.2 | Branch 2
3 | zone3 | 10 | Eth-Trunk1.3 | Internet users
4 | zone4 | 30 | Eth-Trunk1.4 | Partner
5 | hrp | 85 | Eth-Trunk0 | Heartbeat interface
6 | trust | 100 | Eth-Trunk2.1 | Data center service area
7 | dmz | 50 | Eth-Trunk2.2 | DMZ

Firewall Security Policy Planning

Address groups

No. | Address Group | Addresses | Remarks
1 | remote_users | address 0 172.168.3.0 mask 24 | SSL VPN access for employees on the move
2 | partner | address 0 172.168.4.0 mask 24 | Partner
3 | branch2 | address 0 10.9.1.0 mask 24 | Branch 2
4 | server1 | address 0 10.1.1.10 mask 32; address 1 10.1.1.11 mask 32 | Servers that employees on the move can access
5 | server2 | address 0 10.2.1.4 mask 32; address 1 10.2.1.5 mask 32 | Servers that the partner can access
6 | server4 | address 0 10.1.1.4 mask 32; address 1 10.1.1.5 mask 32 | Servers that branch 2 can access
7 | server5 | address 0 192.168.4.2 mask 32; address 1 192.168.4.3 mask 32; address 2 192.168.4.4 mask 32; address 3 192.168.4.5 mask 32 | Servers that Internet users can access
8 | ad_server | address 0 192.168.5.4 mask 32; address 1 192.168.5.5 mask 32 | AD authentication server that authenticates SSL VPN access users

User-defined services

No. | Service | Protocol/Port | Remarks
1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server

Security policies

No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action
1 | remote_users_to_server1 | zone1 | remote_users | trust | server1 | ftp, http | permit
2 | partner_to_server2 | zone4 | partner | trust | server2 | tcp_1414 | permit
3 | branch2_to_server4 | zone2 | branch2 | trust | server4 | ftp | permit
4 | internet_to_server5 | zone3 | any | dmz | server5 | https, http | permit
5 | ipsec | zone2, local | 1.1.2.1/32, 2.2.2.2/32 (IPSec gateways of the headquarters and branch 2) | local, zone2 | 1.1.2.1/32, 2.2.2.2/32 (IPSec gateways of the headquarters and branch 2) | any | permit
6 | ssl_vpn | zone1, zone4 | any | local | 1.1.1.1/32, 1.1.4.1/32 | any | permit
7 | to_ad_server | local | any | dmz | ad_server | any | permit
8 | default | any | any | any | any | any | deny

NOTE:

default is the default security policy. Traffic that matches no configured security policy matches the default policy, whose conditions are all any and whose action is deny. To allow only PCs at specified IP addresses to access the servers, keep the default security policy and add permit policies for exactly those addresses.

The destination address of internet_to_server5 is the private address group server5, not the public addresses: NAT Server translates the destination before the security policy is matched.

Hot standby heartbeat packets are not controlled by security policies. Do not configure security policies for heartbeat packets.

Firewall Persistent Connections

Prolonging the session aging time of a protocol

No. | Protocol | Aging Time
1 | tcp_1414 | 40000 seconds

Using the persistent connection function

No. | Policy | Aging Time
1 | branch2_to_server4 | 480 hours

NOTE:

Of the two methods, prolonging the session aging time of a protocol is easier to configure, whereas the persistent connection function lets you specify conditions so that only selected traffic keeps its sessions. The prolonged aging time of a protocol is a global setting that applies to every session of that protocol, so sessions that do not need persistent connections are also kept and occupy session table entries. Once the session table is exhausted, no new sessions can be created.

Therefore, prolong the session aging time of a protocol only if you are sure that all sessions of the protocol need a long aging time. Otherwise, use the persistent connection function.

The persistent connection function applies only to TCP-based connections.

Firewall NAT Planning

NAT Server

No. | Name | Protocol | Public IP Address | Public Port | Private IP Address | Private Port
1 | https_server1 | tcp | 1.1.3.2 | 4433 | 192.168.4.2 | 443
2 | https_server2 | tcp | 1.1.3.3 | 4433 | 192.168.4.3 | 443
3 | http_server1 | tcp | 1.1.3.4 | 8000 | 192.168.4.4 | 80
4 | http_server2 | tcp | 1.1.3.5 | 8000 | 192.168.4.5 | 80

Firewall Route Planning

Static routes on firewalls

No. | Destination Address | Mask | Next Hop | Remarks
1 | 10.1.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 1
2 | 10.2.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 2
3 | 10.3.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 3
4 | 192.168.0.0 | 255.255.0.0 | 172.7.1.4 | Route to the DMZ
5 | 172.168.3.0 | 255.255.255.0 | 1.1.1.2 | Route to SSL VPN access terminals of employees on the move
6 | 172.168.4.0 | 255.255.255.0 | 1.1.4.2 | Route to the partner's network
7 | 10.9.1.0 | 255.255.255.0 | 1.1.2.2 | Route to branch 2's network
8 | 0.0.0.0 | 0.0.0.0 | 1.1.3.2 | Default route to the Internet

IPSec Data Planning

VPN Gateway Location | IPSec Policy Creation Mode | Local Address | Peer Address | Authentication Mode | Pre-shared Key | Local ID | Peer ID
HQ | Policy template | - | - | Pre-shared key | Test!1234 | IP address | IP address
Branch | ISAKMP mode | 2.2.2.2 | 1.1.2.1 | Pre-shared key | Test!1234 | IP address | IP address

Test!1234 is the sample key used in this document; use a long, randomly generated pre-shared key in production.

SSL VPN Data Planning

The SSL VPN configuration is almost the same for employees on the move and partners. The SSL VPN configuration for employees on the move is used as an example.

Item | Data
Virtual gateway | Name: example; IP address: 1.1.1.1; domain name: www.example.com; maximum number of users: 150; maximum number of online users: 100
AD server | Primary server IP address: 192.168.5.4; secondary server IP address: 192.168.5.5
Web proxy resources | Name: resource1, link: http://10.1.1.10; name: resource2, link: http://10.1.1.11
Network extension | Network extension address pool: 172.168.3.2-172.168.3.254; routing mode: manual; intranet subnet accessible to network extension users: 10.1.1.0/24

Security Defense Planning

  • Attack defense planning

    To defend the internal network against network attacks, you need to configure attack defense on the firewalls.

    Defense against the following attacks is recommended:

    • Smurf attacks
    • Land attacks
    • Fraggle attacks
    • Ping of Death attacks
    • WinNuke attacks
    • IP packet with route record option attacks
    • IP packet with source route option attacks
    • IP packet with timestamp option attacks
    • SYN flood attacks
    • UDP flood attacks
    • ICMP flood attacks

      In practice, start with a comparatively large value for the maximum rate of attack packets on interfaces for the flood attacks, observe the attack traffic, and lower the rate step by step until it limits the attack traffic without affecting services.

  • IPS planning

    To prevent hackers, zombies, Trojan horses, and worms from intruding into the internal network, configure IPS on the firewalls.

NOTE:

The IPS may be deployed on the firewalls or deployed as an independent IPS device.

To configure the IPS functions, you reference an IPS profile when defining security policies. In the present case, the IPS profile is referenced in all the above planned security policies (except those for the local zone). This means that IPS detection is carried out for all traffic permitted by the security policies.

Generally, when the firewalls are initially deployed, you can select the default IPS profile default. After the firewalls have been in service for some time, the administrator can define a profile based on the observed network status. The IPS also provides the ids profile, which only generates alarms upon detected intrusions and does not block them. If the security requirement is not strict and you want to avoid blocking legitimate traffic through false positives, select the ids profile; if high security is required, use a blocking profile such as default.

Precautions

IPS

Update the IPS signature database to the latest version before configuring the IPS function.

Attack Defense

The attack defense configuration is the recommended standard configuration.

Policy Backup-based Acceleration Function

When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

Configuration Procedure

Configuring Interfaces, Security Zones, and Routes

Procedure
  1. Configure IP addresses for the interfaces of FW-5.

    <sysname> system-view 
    [sysname] sysname FW-5 
    [FW-5] interface Eth-trunk 1 
    [FW-5-Eth-Trunk1] description Link_To_SW5 
    [FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/1 
    [FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/2 
    [FW-5-Eth-Trunk1] quit 
    [FW-5] interface Eth-trunk 1.1 
    [FW-5-Eth-Trunk1.1] vlan-type dot1q 10 
    [FW-5-Eth-Trunk1.1] ip address 172.6.1.2 29 
    [FW-5-Eth-Trunk1.1] quit 
    [FW-5] interface Eth-trunk 1.2 
    [FW-5-Eth-Trunk1.2] vlan-type dot1q 20 
    [FW-5-Eth-Trunk1.2] ip address 172.6.2.2 29 
    [FW-5-Eth-Trunk1.2] quit 
    [FW-5] interface Eth-trunk 1.3 
    [FW-5-Eth-Trunk1.3] vlan-type dot1q 30 
    [FW-5-Eth-Trunk1.3] ip address 172.6.3.2 29 
    [FW-5-Eth-Trunk1.3] quit 
    [FW-5] interface Eth-trunk 1.4 
    [FW-5-Eth-Trunk1.4] vlan-type dot1q 40 
    [FW-5-Eth-Trunk1.4] ip address 172.6.4.2 29 
    [FW-5-Eth-Trunk1.4] quit 
    [FW-5] interface Eth-trunk 2 
    [FW-5-Eth-Trunk2] description Link_To_SW1 
    [FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/3 
    [FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/4 
    [FW-5-Eth-Trunk2] quit 
    [FW-5] interface Eth-trunk 2.1 
    [FW-5-Eth-Trunk2.1] vlan-type dot1q 103 
    [FW-5-Eth-Trunk2.1] ip address 172.7.1.2 29 
    [FW-5-Eth-Trunk2.1] quit 
    [FW-5] interface Eth-trunk 2.2 
    [FW-5-Eth-Trunk2.2] vlan-type dot1q 104 
    [FW-5-Eth-Trunk2.2] ip address 172.7.2.2 29 
    [FW-5-Eth-Trunk2.2] quit 
    [FW-5] interface Eth-trunk 0 
    [FW-5-Eth-Trunk0] description HRP_Interface 
    [FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/5 
    [FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/6 
    [FW-5-Eth-Trunk0] ip address 12.12.12.1 24 
    [FW-5-Eth-Trunk0] quit

  2. Assign the interfaces of FW-5 to appropriate security zones.

    [FW-5] firewall zone name zone1 
    [FW-5-zone-zone1] set priority 45 
    [FW-5-zone-zone1] add interface Eth-trunk1.1 
    [FW-5-zone-zone1] quit 
    [FW-5] firewall zone name zone2 
    [FW-5-zone-zone2] set priority 40 
    [FW-5-zone-zone2] add interface Eth-trunk1.2 
    [FW-5-zone-zone2] quit 
    [FW-5] firewall zone name zone3 
    [FW-5-zone-zone3] set priority 10 
    [FW-5-zone-zone3] add interface Eth-trunk1.3 
    [FW-5-zone-zone3] quit 
    [FW-5] firewall zone name zone4 
    [FW-5-zone-zone4] set priority 30 
    [FW-5-zone-zone4] add interface Eth-trunk1.4 
    [FW-5-zone-zone4] quit 
    [FW-5] firewall zone trust 
    [FW-5-zone-trust] add interface Eth-trunk2.1 
    [FW-5-zone-trust] quit 
    [FW-5] firewall zone dmz 
    [FW-5-zone-dmz] add interface Eth-trunk2.2 
    [FW-5-zone-dmz] quit 
    [FW-5] firewall zone name hrp 
    [FW-5-zone-hrp] set priority 85 
    [FW-5-zone-hrp] add interface Eth-trunk0 
    [FW-5-zone-hrp] quit

  3. Configure static routes on FW-5.

    # On FW-5, configure static routes to the data center service areas and set the next hop to the IP address of the core switch.

    [FW-5] ip route-static 10.1.0.0 255.255.0.0 172.7.1.4 
    [FW-5] ip route-static 10.2.0.0 255.255.0.0 172.7.1.4 
    [FW-5] ip route-static 10.3.0.0 255.255.0.0 172.7.1.4

    # On FW-5, configure static routes to the SSL VPN access terminal, branch, partner network, and Internet and set the next hop to the IP address of the ISP router.

    [FW-5] ip route-static 172.168.3.0 255.255.255.0 1.1.1.2 
    [FW-5] ip route-static 172.168.4.0 255.255.255.0 1.1.4.2 
    [FW-5] ip route-static 10.9.1.0 255.255.255.0 1.1.2.2 
    [FW-5] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2

  4. Configure the IP addresses, security zones, and routes of FW-6 interfaces according to the above procedure. The difference lies in the IP addresses of the interfaces.

Configuring Hot Standby

Procedure
  1. Configure VRRP groups on the interfaces of FW-5 and set their state to Active.

    <FW-5> system-view 
    [FW-5] interface Eth-Trunk1.1 
    [FW-5-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active 
    [FW-5-Eth-Trunk1.1] quit 
    [FW-5] interface Eth-Trunk1.2 
    [FW-5-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 active 
    [FW-5-Eth-Trunk1.2] quit 
    [FW-5] interface Eth-Trunk1.3 
    [FW-5-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 active 
    [FW-5-Eth-Trunk1.3] quit 
    [FW-5] interface Eth-Trunk1.4 
    [FW-5-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 active 
    [FW-5-Eth-Trunk1.4] quit 
    [FW-5] interface Eth-Trunk2.1 
    [FW-5-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 active 
    [FW-5-Eth-Trunk2.1] quit 
    [FW-5] interface Eth-Trunk2.2 
    [FW-5-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 active 
    [FW-5-Eth-Trunk2.2] quit

  2. Designate Eth-Trunk 0 as the heartbeat interface of FW-5, and enable hot standby.

    [FW-5] hrp interface Eth-Trunk0 remote 12.12.12.2 
    [FW-5] hrp enable

  3. Configure VRRP groups on the interfaces of FW-6 and set their state to Standby.

    <FW-6> system-view 
    [FW-6] interface Eth-Trunk1.1 
    [FW-6-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 standby 
    [FW-6-Eth-Trunk1.1] quit 
    [FW-6] interface Eth-Trunk1.2 
    [FW-6-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 standby 
    [FW-6-Eth-Trunk1.2] quit 
    [FW-6] interface Eth-Trunk1.3 
    [FW-6-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 standby 
    [FW-6-Eth-Trunk1.3] quit 
    [FW-6] interface Eth-Trunk1.4 
    [FW-6-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 standby 
    [FW-6-Eth-Trunk1.4] quit 
    [FW-6] interface Eth-Trunk2.1 
    [FW-6-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 standby 
    [FW-6-Eth-Trunk2.1] quit 
    [FW-6] interface Eth-Trunk2.2 
    [FW-6-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 standby 
    [FW-6-Eth-Trunk2.2] quit

  4. Designate Eth-Trunk 0 as the heartbeat interface of FW-6, and enable hot standby.

    [FW-6] hrp interface Eth-Trunk0 remote 12.12.12.1 
    [FW-6] hrp enable

Result

A hot-standby relationship has been established to back up most subsequent configurations. Therefore, in the subsequent steps, you only need to make configurations on the active FW-5 (unless otherwise stated).

Configuring the NAT Server

Procedure
  1. Configure NAT Server to map the pre-service servers' private IP addresses to public IP addresses.

    HRP_M[FW-5] nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443 
    HRP_M[FW-5] nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443 
    HRP_M[FW-5] nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80 
    HRP_M[FW-5] nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80

  2. Configure black-hole routes to the public addresses of the NAT servers to prevent routing loops between the firewall and the ISP router: a packet sent to a public address on a port that no NAT Server entry maps would otherwise follow the default route back to the ISP router, which routes it to the firewall again.

    Route configuration is not backed up by hot standby. Therefore, configure the black-hole routes on both FW-5 and FW-6. The public addresses mapped by NAT Server must be distinct from the ISP router address used as the next hop of the default route.

    HRP_M[FW-5] ip route-static 1.1.3.2 32 NULL 0 
    HRP_M[FW-5] ip route-static 1.1.3.3 32 NULL 0 
    HRP_M[FW-5] ip route-static 1.1.3.4 32 NULL 0 
    HRP_M[FW-5] ip route-static 1.1.3.5 32 NULL 0     
    HRP_S[FW-6] ip route-static 1.1.3.2 32 NULL 0 
    HRP_S[FW-6] ip route-static 1.1.3.3 32 NULL 0 
    HRP_S[FW-6] ip route-static 1.1.3.4 32 NULL 0 
    HRP_S[FW-6] ip route-static 1.1.3.5 32 NULL 0
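Before committing the policy set, it is worth checking on paper that the planned rules, the NAT Server mappings and the black-hole routes interact as intended. The following script is an added example and not code from the Huawei document: it encodes the address groups, services, NAT Server entries and security policies from the planning tables above and evaluates a packet in the order the firewall applies them, that is, black-hole route for an unmapped public address, NAT Server rewrite of a mapped public destination, then a top-to-bottom policy search against the post-NAT destination, with the default policy denying everything else. ZONE_BY_PREFIX is constructed for the example (the document assigns zones to interfaces, not to prefixes), as is the list of sample packets.

```python
"""Evaluate a packet against the egress firewall plan: NAT Server, then policy.

Added example, not code from the Huawei document. Tables are copied from the
planning section; ZONE_BY_PREFIX and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


ADDRESS_SETS = {  # address groups from the planning table
    "remote_users": nets("172.168.3.0/24"),
    "partner": nets("172.168.4.0/24"),
    "branch2": nets("10.9.1.0/24"),
    "server1": nets("10.1.1.10/32", "10.1.1.11/32"),
    "server2": nets("10.2.1.4/32", "10.2.1.5/32"),
    "server4": nets("10.1.1.4/32", "10.1.1.5/32"),
    "server5": nets("192.168.4.2/32", "192.168.4.3/32",
                    "192.168.4.4/32", "192.168.4.5/32"),
    "ad_server": nets("192.168.5.4/32", "192.168.5.5/32"),
}
SERVICES = {  # (protocol, destination port); tcp_1414 is the user-defined service
    "ftp": ("tcp", 21), "http": ("tcp", 80), "https": ("tcp", 443),
    "tcp_1414": ("tcp", 1414),
}
NAT_SERVER = {  # (public ip, public port) -> (private ip, private port), TCP only
    ("1.1.3.2", 4433): ("192.168.4.2", 443),
    ("1.1.3.3", 4433): ("192.168.4.3", 443),
    ("1.1.3.4", 8000): ("192.168.4.4", 80),
    ("1.1.3.5", 8000): ("192.168.4.5", 80),
}
BLACKHOLE = {pub_ip for pub_ip, _ in NAT_SERVER}  # ip route-static <ip> 32 NULL 0
ZONE_BY_PREFIX = [  # constructed for the example; longest prefix wins
    ("1.1.1.1/32", "local"), ("1.1.2.1/32", "local"),
    ("1.1.3.1/32", "local"), ("1.1.4.1/32", "local"),
    ("172.168.3.0/24", "zone1"), ("10.9.1.0/24", "zone2"), ("2.2.2.2/32", "zone2"),
    ("172.168.4.0/24", "zone4"), ("10.0.0.0/8", "trust"),
    ("192.168.0.0/16", "dmz"), ("0.0.0.0/0", "zone3"),
]


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    src: list       # address group names or CIDRs; empty means any
    dst: list
    services: list  # service names; empty means any
    action: str


POLICY = [  # security policies from the planning table, in match order
    Rule("remote_users_to_server1", {"zone1"}, {"trust"},
         ["remote_users"], ["server1"], ["ftp", "http"], "permit"),
    Rule("partner_to_server2", {"zone4"}, {"trust"},
         ["partner"], ["server2"], ["tcp_1414"], "permit"),
    Rule("branch2_to_server4", {"zone2"}, {"trust"},
         ["branch2"], ["server4"], ["ftp"], "permit"),
    Rule("internet_to_server5", {"zone3"}, {"dmz"},
         [], ["server5"], ["https", "http"], "permit"),
    Rule("ipsec", {"zone2", "local"}, {"zone2", "local"},
         ["1.1.2.1/32", "2.2.2.2/32"], ["1.1.2.1/32", "2.2.2.2/32"], [], "permit"),
    Rule("ssl_vpn", {"zone1", "zone4"}, {"local"},
         [], ["1.1.1.1/32", "1.1.4.1/32"], [], "permit"),
    Rule("to_ad_server", {"local"}, {"dmz"}, [], ["ad_server"], [], "permit"),
]


def zone_of(ip):
    """Longest-prefix lookup of the security zone an address belongs to."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c), z) for c, z in ZONE_BY_PREFIX
            if addr in ipaddress.ip_network(c)]
    return max(hits, key=lambda t: t[0].prefixlen)[1]


def in_set(ip, members):
    """True if ip is in any named address group or CIDR listed (empty = any)."""
    addr = ipaddress.ip_address(ip)
    return not members or any(
        addr in n for m in members
        for n in (ADDRESS_SETS[m] if m in ADDRESS_SETS else nets(m)))


def evaluate(src_ip, dst_ip, proto, dst_port=None):
    """Return (action, deciding rule or route, post-NAT destination)."""
    if proto == "tcp" and (dst_ip, dst_port) in NAT_SERVER:
        dst_ip, dst_port = NAT_SERVER[(dst_ip, dst_port)]   # NAT Server before policy
    elif dst_ip in BLACKHOLE:                                 # unmapped public address
        return "drop", "blackhole-route", f"{dst_ip}:{dst_port}"
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (src_zone in rule.src_zones and dst_zone in rule.dst_zones
                and in_set(src_ip, rule.src) and in_set(dst_ip, rule.dst)
                and (not rule.services
                     or any(SERVICES[s] == (proto, dst_port) for s in rule.services))):
            return rule.action, rule.name, f"{dst_ip}:{dst_port}"
    return "deny", "default", f"{dst_ip}:{dst_port}"


if __name__ == "__main__":
    for pkt in [("203.0.113.9", "1.1.3.2", "tcp", 4433), ("203.0.113.9", "1.1.3.2", "tcp", 443),
                ("172.168.4.10", "10.2.1.4", "tcp", 1414), ("172.168.3.5", "10.1.1.4", "tcp", 21)]:
        print(pkt, "->", evaluate(*pkt))
```

The two Internet cases show the point of the black-hole routes: 1.1.3.2:4433 is rewritten to 192.168.4.2:443 and permitted by internet_to_server5, while 1.1.3.2:443, which no NAT Server entry covers, is discarded by the route before any policy is consulted instead of bouncing between the firewall and the ISP router.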

Configuring Security Policies and Security Protection

Procedure
  1. Configure security policies and IPS functions.

    # Configure an address group on FW-5.

    HRP_M[FW-5] ip address-set remote_users type object 
    HRP_M[FW-5-object-address-set-remote_users] address 0 172.168.3.0 mask 24 
    HRP_M[FW-5-object-address-set-remote_users] description "for remote users" 
    HRP_M[FW-5-object-address-set-remote_users] quit 
    HRP_M[FW-5] ip address-set partner type object 
    HRP_M[FW-5-object-address-set-partner] address 0 172.168.4.0 mask 24 
    HRP_M[FW-5-object-address-set-partner] description "for partner" 
    HRP_M[FW-5-object-address-set-partner] quit 
    HRP_M[FW-5] ip address-set branch2 type object 
    HRP_M[FW-5-object-address-set-branch2] address 0 10.9.1.0 mask 24 
    HRP_M[FW-5-object-address-set-branch2] description "for branch2" 
    HRP_M[FW-5-object-address-set-branch2] quit 
    HRP_M[FW-5] ip address-set server1 type object 
    HRP_M[FW-5-object-address-set-server1] address 0 10.1.1.10 mask 32 
    HRP_M[FW-5-object-address-set-server1] address 1 10.1.1.11 mask 32 
    HRP_M[FW-5-object-address-set-server1] description "for server1" 
    HRP_M[FW-5-object-address-set-server1] quit 
    HRP_M[FW-5] ip address-set server2 type object 
    HRP_M[FW-5-object-address-set-server2] address 0 10.2.1.4 mask 32 
    HRP_M[FW-5-object-address-set-server2] address 1 10.2.1.5 mask 32 
    HRP_M[FW-5-object-address-set-server2] description "for server2" 
    HRP_M[FW-5-object-address-set-server2] quit 
    HRP_M[FW-5] ip address-set server4 type object 
    HRP_M[FW-5-object-address-set-server4] address 0 10.1.1.4 mask 32 
    HRP_M[FW-5-object-address-set-server4] address 1 10.1.1.5 mask 32 
    HRP_M[FW-5-object-address-set-server4] description "for server4" 
    HRP_M[FW-5-object-address-set-server4] quit 
    HRP_M[FW-5] ip address-set server5 type object 
    HRP_M[FW-5-object-address-set-server5] address 0 192.168.4.2 mask 32 
    HRP_M[FW-5-object-address-set-server5] address 1 192.168.4.3 mask 32 
    HRP_M[FW-5-object-address-set-server5] address 2 192.168.4.4 mask 32 
    HRP_M[FW-5-object-address-set-server5] address 3 192.168.4.5 mask 32 
    HRP_M[FW-5-object-address-set-server5] description "for server5" 
    HRP_M[FW-5-object-address-set-server5] quit 
    HRP_M[FW-5] ip address-set ad_server type object 
    HRP_M[FW-5-object-address-set-ad_server] address 0 192.168.5.4 mask 32 
    HRP_M[FW-5-object-address-set-ad_server] address 1 192.168.5.5 mask 32 
    HRP_M[FW-5-object-address-set-ad_server] description "for ad_server" 
    HRP_M[FW-5-object-address-set-ad_server] quit

    # Configure a service set on FW-5.

    HRP_M[FW-5] ip service-set tcp_1414 type object 
    HRP_M[FW-5-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414 
    HRP_M[FW-5-object-service-set-tcp_1414] quit

    # Configure the security policy remote_users_to_server1 on FW-5 and reference the IPS profile.

    HRP_M[FW-5] security-policy 
    HRP_M[FW-5-policy-security] rule name remote_users_to_server1 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-zone zone1  
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-zone trust  
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-address address-set remote_users  
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-address address-set server1  
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] service ftp http 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] action permit 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] profile ips default 
    HRP_M[FW-5-policy-security-rule-remote_users_to_server1] quit

    # Configure the security policy partner_to_server2 on FW-5 and reference the IPS profile.

    HRP_M[FW-5-policy-security] rule name partner_to_server2 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] source-zone zone4  
    HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-zone trust  
    HRP_M[FW-5-policy-security-rule-partner_to_server2] source-address address-set partner  
    HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-address address-set server2  
    HRP_M[FW-5-policy-security-rule-partner_to_server2] service tcp_1414 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] action permit 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] profile ips default 
    HRP_M[FW-5-policy-security-rule-partner_to_server2] quit

    # Configure the security policy branch2_to_server4 on FW-5 and reference the IPS profile.

    HRP_M[FW-5-policy-security] rule name branch2_to_server4 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-zone zone2  
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-zone trust  
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-address address-set branch2  
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-address address-set server4  
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] service ftp 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] action permit 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] profile ips default 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit

    # Configure the security policy internet_to_server5 on FW-5 and reference the IPS profile.

    HRP_M[FW-5-policy-security] rule name internet_to_server5 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] source-zone zone3  
    HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-zone dmz  
    HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-address address-set server5  
    HRP_M[FW-5-policy-security-rule-internet_to_server5] service https http 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] action permit 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] profile ips default 
    HRP_M[FW-5-policy-security-rule-internet_to_server5] quit

    # Configure the security policy ipsec on FW-5 to permit the IKE and IPSec traffic between the two tunnel endpoints.

    HRP_M[FW-5-policy-security] rule name ipsec 
    HRP_M[FW-5-policy-security-rule-ipsec] source-zone zone2 local  
    HRP_M[FW-5-policy-security-rule-ipsec] destination-zone zone2 local  
    HRP_M[FW-5-policy-security-rule-ipsec] source-address 1.1.2.1 32  
    HRP_M[FW-5-policy-security-rule-ipsec] source-address 2.2.2.2 32  
    HRP_M[FW-5-policy-security-rule-ipsec] destination-address 1.1.2.1 32 
    HRP_M[FW-5-policy-security-rule-ipsec] destination-address 2.2.2.2 32 
    HRP_M[FW-5-policy-security-rule-ipsec] action permit 
    HRP_M[FW-5-policy-security-rule-ipsec] quit

    # Configure the security policy ssl_vpn on FW-5.

    HRP_M[FW-5-policy-security] rule name ssl_vpn 
    HRP_M[FW-5-policy-security-rule-ssl_vpn] source-zone zone1 zone4  
    HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-zone local  
    HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.1.1 32 
    HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.4.1 32 
    HRP_M[FW-5-policy-security-rule-ssl_vpn] action permit 
    HRP_M[FW-5-policy-security-rule-ssl_vpn] quit

    # Configure the security policy to_ad_server on FW-5.

    HRP_M[FW-5-policy-security] rule name to_ad_server 
    HRP_M[FW-5-policy-security-rule-to_ad_server] source-zone local  
    HRP_M[FW-5-policy-security-rule-to_ad_server] destination-zone dmz  
    HRP_M[FW-5-policy-security-rule-to_ad_server] destination-address address-set ad_server 
    HRP_M[FW-5-policy-security-rule-to_ad_server] action permit 
    HRP_M[FW-5-policy-security-rule-to_ad_server] quit 
    HRP_M[FW-5-policy-security] quit

  2. Configure persistent connections.

    # Change the session aging time to 40000 seconds for tcp_1414.

    HRP_M[FW-5] firewall session aging-time service-set tcp_1414 40000

    # Enable the persistent connection function in security policy branch2_to_server4 and change the aging time to 480 hours for connections matching this policy.

    HRP_M[FW-5] security-policy 
    HRP_M[FW-5-policy-security] rule name branch2_to_server4 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link enable 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link aging-time 480 
    HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit 
    HRP_M[FW-5-policy-security] quit

  3. Configure attack defense.

    # Configure defense against single packet attacks on FW-5.

    HRP_M[FW-5] firewall defend land enable 
    HRP_M[FW-5] firewall defend smurf enable 
    HRP_M[FW-5] firewall defend fraggle enable 
    HRP_M[FW-5] firewall defend ip-fragment enable 
    HRP_M[FW-5] firewall defend tcp-flag enable 
    HRP_M[FW-5] firewall defend winnuke enable 
    HRP_M[FW-5] firewall defend source-route enable 
    HRP_M[FW-5] firewall defend teardrop enable 
    HRP_M[FW-5] firewall defend route-record enable 
    HRP_M[FW-5] firewall defend time-stamp enable 
    HRP_M[FW-5] firewall defend ping-of-death enable

  4. Configure the policy backup-based acceleration function.

    When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW-5] policy accelerate standby enable
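
As an added example (not from this document or Huawei's tooling), the following Python script parses a `security-policy` block in the format of the configuration scripts on this page and reports permit rules that a reviewer would want to look at: rules without an IPS profile, without a source-address or destination-address restriction, or without a service restriction. The embedded script is a constructed excerpt of the FW-5 policy above, and what counts as a finding is the example's own choice.

```python
"""Audit the security-policy rules in a Huawei USG configuration script.
Added example, not Huawei's code: it parses the `security-policy` block in the
format of the configuration scripts on this page and flags permit rules that
lack an IPS profile, an address restriction, or a service restriction."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the format of the FW-5 script on this page (not the full script).
SAMPLE_SCRIPT = """\
#
security-policy
rule name remote_users_to_server1
source-zone zone1
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name internet_to_server5
source-zone zone3
destination-zone dmz
destination-address address-set server5
service http
service https
profile ips default
action permit
rule name to_ad_server
source-zone local
destination-zone dmz
destination-address address-set ad_server
action permit
#
"""


@dataclass
class Rule:
    name: str
    source_zones: List[str] = field(default_factory=list)
    destination_zones: List[str] = field(default_factory=list)
    source_addresses: List[str] = field(default_factory=list)
    destination_addresses: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    ips_profile: Optional[str] = None
    action: Optional[str] = None


def parse_security_policy(script: str) -> List[Rule]:
    """Collect the rules between the top-level `security-policy` line and the next `#`.
    Accepts the script form (one value per line) and the CLI form with several
    values on one line (`source-zone zone2 local`); both appear on this page."""
    body = ("\n" + script).partition("\nsecurity-policy\n")[2].partition("\n#")[0]
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for raw in body.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        key, args = tokens[0], tokens[1:]
        if key == "rule" and args[:1] == ["name"]:
            current = Rule(name=args[1])
            rules.append(current)
        elif current is None:
            continue
        elif key == "source-zone":
            current.source_zones.extend(args)
        elif key == "destination-zone":
            current.destination_zones.extend(args)
        elif key == "source-address":
            current.source_addresses.append(" ".join(args))
        elif key == "destination-address":
            current.destination_addresses.append(" ".join(args))
        elif key == "service":
            current.services.extend(args)
        elif key == "profile" and args[:1] == ["ips"]:
            current.ips_profile = args[1] if len(args) > 1 else "default"
        elif key == "action":
            current.action = args[0]
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for permit rules that deserve review."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.action != "permit":
            continue
        # Rules with the firewall itself (zone local) as an endpoint carry the
        # device's own traffic (IKE, LDAP); the IPS check is skipped for them.
        touches_local = "local" in r.source_zones or "local" in r.destination_zones
        if not touches_local and r.ips_profile is None:
            findings.append((r.name, "permit without IPS profile"))
        if not r.source_addresses:
            findings.append((r.name, "no source-address restriction (any source)"))
        if not r.destination_addresses:
            findings.append((r.name, "no destination-address restriction"))
        if not r.services:
            findings.append((r.name, "no service restriction (any service)"))
    return findings
```

On the sample, `internet_to_server5` is reported for accepting any source (expected for an Internet-facing rule) and `to_ad_server` for having neither a source-address nor a service restriction.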

Configuring IPSec VPN

Procedure
  1. Configure an IPSec policy on FW-5 and apply the policy to the corresponding interface.

    1. Define data flows to be protected. Configure advanced ACL 3000 to permit the users on network segment 10.1.1.0/24 to access network segment 10.9.1.0/24.
      HRP_M<FW-5> system-view 
      HRP_M[FW-5] acl 3000 
      HRP_M[FW-5-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255 
      HRP_M[FW-5-acl-adv-3000] quit
    2. Configure an IPSec proposal. The values shown are the default parameters; parameters left at their default values do not need to be set explicitly.
      HRP_M[FW-5] ipsec proposal tran1 
      HRP_M[FW-5-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
      HRP_M[FW-5-ipsec-proposal-tran1] esp encryption-algorithm aes-256 
      HRP_M[FW-5-ipsec-proposal-tran1] quit
    3. Configure an IKE proposal. The values shown are the default parameters; parameters left at their default values do not need to be set explicitly.
      HRP_M[FW-5] ike proposal 10 
      HRP_M[FW-5-ike-proposal-10] authentication-method pre-share 
      HRP_M[FW-5-ike-proposal-10] prf hmac-sha2-256 
      HRP_M[FW-5-ike-proposal-10] encryption-algorithm aes-256 
      HRP_M[FW-5-ike-proposal-10] dh group2 
      HRP_M[FW-5-ike-proposal-10] integrity-algorithm hmac-sha2-256   
      HRP_M[FW-5-ike-proposal-10] quit
    4. Configure an IKE peer.
      HRP_M[FW-5] ike peer b 
      HRP_M[FW-5-ike-peer-b] ike-proposal 10 
      HRP_M[FW-5-ike-peer-b] pre-shared-key Test!1234 
      HRP_M[FW-5-ike-peer-b] quit
    5. Configure an IPSec policy.
      HRP_M[FW-5] ipsec policy-template policy1 1 
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] security acl 3000 
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] proposal tran1 
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] ike-peer b 
      HRP_M[FW-5-ipsec-policy-templet-policy1-1] quit 
      HRP_M[FW-5] ipsec policy map1 10 isakmp template policy1
    6. Apply IPSec policy map1 to Eth-Trunk1.2.
      HRP_M[FW-5] interface Eth-Trunk1.2 
      HRP_M[FW-5-Eth-Trunk1.2] ipsec policy map1 
      HRP_M[FW-5-Eth-Trunk1.2] quit

  2. Configure an IPSec policy on the branch FW and apply the policy to the corresponding interface.

    1. Configure advanced ACL 3000 to permit the users on network segment 10.9.1.0/24 to access network segment 10.1.1.0/24.
      <FW-branch> system-view 
      [FW-branch] acl 3000 
      [FW-branch-acl-adv-3000] rule 5 permit ip source 10.9.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
      [FW-branch-acl-adv-3000] quit
    2. Configure an IPSec proposal using the default parameters.
      [FW-branch] ipsec proposal tran1 
      [FW-branch-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
      [FW-branch-ipsec-proposal-tran1] esp encryption-algorithm aes-256 
      [FW-branch-ipsec-proposal-tran1] quit
    3. Configure an IKE proposal using the default parameters.
      [FW-branch] ike proposal 10 
      [FW-branch-ike-proposal-10] authentication-method pre-share 
      [FW-branch-ike-proposal-10] prf hmac-sha2-256 
      [FW-branch-ike-proposal-10] encryption-algorithm aes-256 
      [FW-branch-ike-proposal-10] dh group2 
      [FW-branch-ike-proposal-10] integrity-algorithm hmac-sha2-256   
      [FW-branch-ike-proposal-10] quit
    4. Configure an IKE peer.
      [FW-branch] ike peer a  
      [FW-branch-ike-peer-a] ike-proposal 10  
      [FW-branch-ike-peer-a] remote-address 1.1.2.1  
      [FW-branch-ike-peer-a] pre-shared-key Test!1234  
      [FW-branch-ike-peer-a] quit
    5. Configure an IPSec policy.
      [FW-branch] ipsec policy map1 10 isakmp  
      [FW-branch-ipsec-policy-isakmp-map1-10] security acl 3000  
      [FW-branch-ipsec-policy-isakmp-map1-10] proposal tran1  
      [FW-branch-ipsec-policy-isakmp-map1-10] ike-peer a  
      [FW-branch-ipsec-policy-isakmp-map1-10] quit
    6. Apply IPSec policy group map1 to the interface. In this example, the branch WAN interface is GE1/0/1.
      [FW-branch] interface GigabitEthernet 1/0/1  
      [FW-branch-GigabitEthernet1/0/1] ipsec policy map1 
      [FW-branch-GigabitEthernet1/0/1] quit
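
The tunnel between FW-5 and the branch FW only comes up if the branch ACL mirrors the headquarters ACL and the IKE and IPSec proposals agree. The following Python check, added here and not part of this document or Huawei's tooling, reads the `acl`, `ipsec proposal` and `ike proposal` sections of two configuration scripts in the format shown on this page and reports mismatches. The embedded excerpts are constructed, the proposal names (`tran1`, `10`) are assumed to be the same on both sides as they are in this example, and the branch copy deliberately uses `dh group14` so that the check has something to report.

```python
"""Check that two IPSec peers' configurations can negotiate with each other.
Added example, not Huawei's code: it reads the ACL and proposal sections in the
script format used on this page, checks that the branch ACL mirrors the
headquarters ACL, and compares the IKE and IPSec proposal parameters."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts in this page's script format. The branch copy deliberately
# uses `dh group14` so the check has something to report.
HQ_SCRIPT = """\
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
"""
BRANCH_SCRIPT = """\
acl number 3000
rule 5 permit ip source 10.9.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
"""

ACL_RULE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def section(script: str, header: str) -> List[str]:
    """Return the stripped lines under `header` (e.g. `ike proposal 10`) up to the next `#`."""
    lines: List[str] = []
    inside = False
    for raw in script.splitlines():
        line = raw.strip()
        if line == header:
            inside = True
        elif inside and line == "#":
            break
        elif inside and line:
            lines.append(line)
    return lines


def parse_acl(script: str, number: str) -> List[Tuple[str, ...]]:
    """Return (source, wildcard, destination, wildcard) for each permit rule of the ACL."""
    rules: List[Tuple[str, ...]] = []
    for line in section(script, f"acl number {number}") or section(script, f"acl {number}"):
        m = ACL_RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def parse_params(script: str, header: str) -> Dict[str, str]:
    """Map each `key value` line of a proposal section to {key: value}."""
    params: Dict[str, str] = {}
    for line in section(script, header):
        key, _, value = line.rpartition(" ")  # `esp encryption-algorithm aes-256`
        params[key] = value
    return params


def check_peers(hq: str, branch: str, acl: str = "3000",
                proposals: Tuple[str, ...] = ("ipsec proposal tran1", "ike proposal 10")) -> List[str]:
    """Return human-readable mismatches; an empty list means the two sides agree.
    A default value listed in one script but omitted in the other is reported too."""
    findings: List[str] = []
    mirrored = set(parse_acl(branch, acl))
    for src, src_w, dst, dst_w in parse_acl(hq, acl):
        if (dst, dst_w, src, src_w) not in mirrored:
            findings.append(f"acl {acl}: branch has no mirror of {src} {src_w} -> {dst} {dst_w}")
    for header in proposals:
        a, b = parse_params(hq, header), parse_params(branch, header)
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                findings.append(f"{header}: {key} is {a.get(key)} at HQ but {b.get(key)} at branch")
    return findings
```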

Configuring SSL VPN

Procedure
  1. Set parameters for interconnection between the FW and AD server.

    The parameter settings on the FW must be consistent with those on the AD server.

    HRP_M[FW-5] ad-server template ad_server    
    HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.4 88 
    HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.5 88 secondary 
    HRP_M[FW-5-ad-ad_server] ad-server authentication base-dn dc=cce,dc=com 
    HRP_M[FW-5-ad-ad_server] ad-server authentication manager cn=administrator,cn=users Admin@123 Admin@123 
    HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server.cce.com 
    HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server2.cce.com secondary 
    HRP_M[FW-5-ad-ad_server] ad-server authentication ldap-port 389       
    HRP_M[FW-5-ad-ad_server] ad-server user-filter sAMAccountName          
    HRP_M[FW-5-ad-ad_server] ad-server group-filter ou

    If you are unfamiliar with the AD server and cannot provide the server name, Base DN, or filter field values, you can use the AD Explorer or LDAP Browser software to connect to the AD server to query the attribute values. The AD Explorer is used as an example. The AD server attributes and mappings between the server attributes and parameters on the FW are as follows.

    # Test the connectivity between the FW and AD server.

    HRP_M[FW-5-ad-ad_server] test-aaa user_0001 Admin@123 ad-template ad_server 
     Info: Server detection succeeded. 
    HRP_M[FW-5-ad-ad_server] quit
    NOTE:

    The user name and password used for the test must be the same as those on the AD server.

  2. Configure an authentication domain.

    NOTE:

    When the FW uses AD or LDAP authentication, the authentication domain name configured on the FW must be the same as that configured on the authentication server. In this example, the domain name on the AD server is cce.com. Therefore, the authentication domain name must be set to cce.com on the FW.

    HRP_M[FW-5] aaa 
    HRP_M[FW-5-aaa] authentication-scheme ad 
    HRP_M[FW-5-aaa-authen-ad] authentication-mode ad 
    HRP_M[FW-5-aaa-authen-ad] quit 
    HRP_M[FW-5-aaa] domain cce.com 
    HRP_M[FW-5-aaa-domain-cce.com] service-type ssl-vpn  
    HRP_M[FW-5-aaa-domain-cce.com] authentication-scheme ad 
    HRP_M[FW-5-aaa-domain-cce.com] ad-server ad_server  
    HRP_M[FW-5-aaa-domain-cce.com] reference user current-domain 
    HRP_M[FW-5-aaa-domain-cce.com] quit 
    HRP_M[FW-5-aaa] quit

  3. Configure a policy to import user information from the AD server to the FW.

    HRP_M[FW-5] user-manage import-policy ad_server from ad  
    HRP_M[FW-5-import-ad_server] server template ad_server 
    HRP_M[FW-5-import-ad_server] server basedn dc=cce,dc=com 
    HRP_M[FW-5-import-ad_server] server searchdn ou=remoteusers,dc=cce,dc=com 
    HRP_M[FW-5-import-ad_server] destination-group /cce.com 
    HRP_M[FW-5-import-ad_server] user-attribute sAMAccountName 
    HRP_M[FW-5-import-ad_server] import-type all          
    HRP_M[FW-5-import-ad_server] import-override enable  
    HRP_M[FW-5-import-ad_server] sync-mode incremental schedule interval 120 
    HRP_M[FW-5-import-ad_server] sync-mode full schedule daily 01:00 
    HRP_M[FW-5-import-ad_server] quit
    NOTE:
    • If you need to import user groups only, set import-type to group and set the new user option in step 5 to new-user add-temporary group /cce.com auto-import ad_server. Authenticated users then have the permissions of the groups they belong to.
    • The user and user group filtering conditions in this example use the default values (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) and (|(objectclass=organizationalUnit)(ou=*)). To change them, run the user-filter and group-filter commands.

  4. Execute the import policy to import users to the FW.

    HRP_M[FW-5] execute user-manage import-policy ad_server 
     Now importing user, security group and user-group information from remote server...successfully.

    After the import succeeds, you can run the display user-manage user verbose command to view information about the imported users.

  5. Set the new user option for the authentication domain on the FW.

    HRP_M[FW-5] aaa 
    HRP_M[FW-5-aaa] domain cce.com 
    HRP_M[FW-5-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import ad_server 
    HRP_M[FW-5-aaa-domain-cce.com] quit 
    HRP_M[FW-5-aaa] quit

  6. Configure an SSL VPN virtual gateway.

    # Create an SSL VPN virtual gateway.

    HRP_M[FW-5] v-gateway example 1.1.1.1 private www.example.com 
    HRP_M[FW-5-example] quit

    # Configure the maximum number of users and maximum number of concurrent users allowed by the virtual gateway.

    HRP_M[FW-5] v-gateway example max-user 150 
    HRP_M[FW-5] v-gateway example cur-max-user 100

    # Bind the virtual gateway to the authentication domain.

    HRP_M[FW-5] v-gateway example authentication-domain cce.com
    NOTE:

    If the virtual gateway is bound to an authentication domain, the user name entered for a login should not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the string following the at sign (@) as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain cce.com, you should enter user_0001, not user_0001@cce.com, as the user name.

  7. Configure the web proxy function.

    # Enable the web proxy function.

    HRP_M[FW-5] v-gateway example 
    HRP_M[FW-5-example] service 
    HRP_M[FW-5-example-service] web-proxy enable

    # Add web proxy resources Webmail and ERP.

    HRP_M[FW-5-example-service] web-proxy proxy-resource resource1 http://10.1.1.10 show-link 
    HRP_M[FW-5-example-service] web-proxy proxy-resource resource2 http://10.1.1.11 show-link

  8. Configure the network extension function.

    # Enable the network extension function.

    HRP_M[FW-5-example-service] network-extension enable

    # Configure the network extension address pool.

    HRP_M[FW-5-example-service] network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0

    # Set the network extension routing mode to manual.

    HRP_M[FW-5-example-service] network-extension mode manual

    # Configure the intranet subnet accessible to network extension users.

    HRP_M[FW-5-example-service] network-extension manual-route 10.1.1.0 255.255.255.0 
    HRP_M[FW-5-example-service] quit

  9. Configure SSL VPN role authorization/users.

    # Add user group remoteusers to the virtual gateway.

    HRP_M[FW-5-example] vpndb 
    HRP_M[FW-5-example-vpndb] group /cce.com/remoteusers 
    HRP_M[FW-5-example-vpndb] quit

    # Create role remoteusers.

    HRP_M[FW-5-example] role 
    HRP_M[FW-5-example-role] role remoteusers

    # Bind the role to corresponding user group.

    HRP_M[FW-5-example-role] role remoteusers group /cce.com/remoteusers

    # Configure functions for the roles. Enable web proxy and network extension for role remoteusers.

    HRP_M[FW-5-example-role] role remoteusers web-proxy network-extension enable

    # Associate the roles with web proxy resources.

    HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource1 
    HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource2 
    HRP_M[FW-5-example-role] quit 
    HRP_M[FW-5-example] quit

Verification

  • Employees on the move and partners can establish SSL VPN tunnels with the firewalls at the Internet egress and can access resource servers in the data center.
  • The firewalls at branch egresses and the firewalls at the Internet egress can establish IPSec VPN tunnels. The branches can access resource servers in the data center.
  • Internet users can access the pre-service servers in the DMZ.
  • Run the shutdown command on a service interface of the active firewall to simulate a link fault. The active/standby switchover is performed without interrupting services.

Configuration Scripts

Configuration scripts of interfaces, routes, and hot standby

FW-5

#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.2
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
ip address 12.12.12.1 255.255.255.0
#
interface Eth-Trunk1
description Link_To_SW5
#
interface Eth-trunk 2
description Link_To_SW1
#
interface Eth-Trunk1.1
vlan-type dot1q 10
ip address 172.6.1.2 255.255.255.248
vrrp vrid 1 virtual-ip 1.1.1.1 active
#
interface Eth-Trunk1.2
vlan-type dot1q 20
ip address 172.6.2.2 255.255.255.248
vrrp vrid 2 virtual-ip 1.1.2.1 active
#
interface Eth-Trunk1.3
vlan-type dot1q 30
ip address 172.6.3.2 255.255.255.248
vrrp vrid 3 virtual-ip 1.1.3.1 active
#
interface Eth-Trunk1.4
vlan-type dot1q 40
ip address 172.6.4.2 255.255.255.248
vrrp vrid 4 virtual-ip 1.1.4.1 active
#
interface Eth-Trunk2.1
vlan-type dot1q 103
ip address 172.7.1.2 255.255.255.248
vrrp vrid 5 virtual-ip 172.7.1.1 active
#
interface Eth-Trunk2.2
vlan-type dot1q 104
ip address 172.7.2.2 255.255.255.248
vrrp vrid 6 virtual-ip 172.7.2.1 active
#
interface GigabitEthernet 1/0/1
eth-trunk 1
#
interface GigabitEthernet 1/0/2
eth-trunk 1
#
interface GigabitEthernet 1/0/3
eth-trunk 2
#
interface GigabitEthernet 1/0/4
eth-trunk 2
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
firewall zone trust
add interface Eth-Trunk2.1
#
firewall zone dmz
add interface Eth-Trunk2.2
#
firewall zone hrp
set priority 85
add interface Eth-Trunk0
#
firewall zone name zone1
set priority 45
add interface Eth-Trunk1.1
#
firewall zone name zone2
set priority 40
add interface Eth-Trunk1.2
#
firewall zone name zone3
set priority 10
add interface Eth-Trunk1.3
#
firewall zone name zone4
set priority 30
add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0

FW-6

#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.1
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
ip address 12.12.12.2 255.255.255.0
#
interface Eth-Trunk1
description Link_To_SW6
#
interface Eth-trunk 2
description Link_To_SW2
#
interface Eth-Trunk1.1
vlan-type dot1q 10
ip address 172.6.1.3 255.255.255.248
vrrp vrid 1 virtual-ip 1.1.1.1 standby
#
interface Eth-Trunk1.2
vlan-type dot1q 20
ip address 172.6.2.3 255.255.255.248
vrrp vrid 2 virtual-ip 1.1.2.1 standby
#
interface Eth-Trunk1.3
vlan-type dot1q 30
ip address 172.6.3.3 255.255.255.248
vrrp vrid 3 virtual-ip 1.1.3.1 standby
#
interface Eth-Trunk1.4
vlan-type dot1q 40
ip address 172.6.4.3 255.255.255.248
vrrp vrid 4 virtual-ip 1.1.4.1 standby
#
interface Eth-Trunk2.1
vlan-type dot1q 103
ip address 172.7.1.3 255.255.255.248
vrrp vrid 5 virtual-ip 172.7.1.1 standby
#
interface Eth-Trunk2.2
vlan-type dot1q 104
ip address 172.7.2.3 255.255.255.248
vrrp vrid 6 virtual-ip 172.7.2.1 standby
#
interface GigabitEthernet 1/0/1
eth-trunk 1
#
interface GigabitEthernet 1/0/2
eth-trunk 1
#
interface GigabitEthernet 1/0/3
eth-trunk 2
#
interface GigabitEthernet 1/0/4
eth-trunk 2
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
firewall zone trust
add interface Eth-Trunk2.1
#
firewall zone dmz
add interface Eth-Trunk2.2
#
firewall zone hrp
set priority 85
add interface Eth-Trunk0
#
firewall zone name zone1
set priority 45
add interface Eth-Trunk1.1
#
firewall zone name zone2
set priority 40
add interface Eth-Trunk1.2
#
firewall zone name zone3
set priority 10
add interface Eth-Trunk1.3
#
firewall zone name zone4
set priority 30
add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0

Configuration scripts of NAT Server

FW-5

#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80

FW-6

#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80

Configuration scripts of security policies and attack defense

FW-5

#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
description "for remote users"
address 0 172.168.3.0 mask 24
#
ip address-set partner type object
description "for partner"
address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
description "for branch2"
address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
description "for server1"
address 0 10.1.1.10 mask 32
address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
description "for server2"
address 0 10.2.1.4 mask 32
address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
description "for server4"
address 0 10.1.1.4 mask 32
address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
description "for server5"
address 0 192.168.4.2 mask 32
address 1 192.168.4.3 mask 32
address 2 192.168.4.4 mask 32
address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
description "for ad_server"
address 0 192.168.5.4 mask 32
address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
rule name remote_users_to_server1
source-zone zone1
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name partner_to_server2
source-zone zone4
destination-zone trust
source-address address-set partner
destination-address address-set server2
service tcp_1414
profile ips default
action permit
rule name branch2_to_server4
source-zone zone2
destination-zone trust
source-address address-set branch2
destination-address address-set server4
service ftp
profile ips default
long-link enable
long-link aging-time 480
action permit
rule name internet_to_server5
source-zone zone3
destination-zone dmz
destination-address address-set server5
service http
service https
profile ips default
action permit
rule name ipsec
source-zone zone2
source-zone local
destination-zone zone2
destination-zone local
source-address 1.1.2.1 32
source-address 2.2.2.2 32
destination-address 1.1.2.1 32
destination-address 2.2.2.2 32
action permit
rule name ssl_vpn
source-zone zone1
source-zone zone4
destination-zone local
destination-address 1.1.1.1 32
destination-address 1.1.4.1 32
action permit
rule name to_ad_server
source-zone local
destination-zone dmz
destination-address address-set ad_server
action permit

FW-6

#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
description "for remote users"
address 0 172.168.3.0 mask 24
#
ip address-set partner type object
description "for partner"
address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
description "for branch2"
address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
description "for server1"
address 0 10.1.1.10 mask 32
address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
description "for server2"
address 0 10.2.1.4 mask 32
address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
description "for server4"
address 0 10.1.1.4 mask 32
address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
description "for server5"
address 0 192.168.4.2 mask 32
address 1 192.168.4.3 mask 32
address 2 192.168.4.4 mask 32
address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
description "for ad_server"
address 0 192.168.5.4 mask 32
address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
rule name remote_users_to_server1
source-zone zone1
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name partner_to_server2
source-zone zone4
destination-zone trust
source-address address-set partner
destination-address address-set server2
service tcp_1414
profile ips default
action permit
rule name branch2_to_server4
source-zone zone2
destination-zone trust
source-address address-set branch2
destination-address address-set server4
service ftp
profile ips default
long-link enable
long-link aging-time 480
action permit
rule name internet_to_server5
source-zone zone3
destination-zone dmz
destination-address address-set server5
service http
service https
profile ips default
action permit
rule name ipsec
source-zone zone2
source-zone local
destination-zone zone2
destination-zone local
source-address 1.1.2.1 32
source-address 2.2.2.2 32
destination-address 1.1.2.1 32
destination-address 2.2.2.2 32
action permit
rule name ssl_vpn
source-zone zone1
source-zone zone4
destination-zone local
destination-address 1.1.1.1 32
destination-address 1.1.4.1 32
action permit
rule name to_ad_server
source-zone local
destination-zone dmz
destination-address address-set ad_server
action permit

Configuration scripts of IPSec VPN

FW-5

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer b
pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
ike-proposal 10
remote-address 1.1.5.1
#
ipsec policy-template policy1 1
security acl 3000
ike-peer b
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
ip address 1.1.3.1 255.255.255.0
ipsec policy map1

FW-6

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer b
pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
ike-proposal 10
remote-address 1.1.5.1
#
ipsec policy-template policy1 1
security acl 3000
ike-peer b
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
ip address 1.1.3.1 255.255.255.0
ipsec policy map1

Configuration scripts of SSL VPN

FW-5

#
ad-server template ad_server
ad-server authentication 192.168.5.4 88
ad-server authentication 192.168.5.5 88 secondary
ad-server authentication base-dn dc=cce,dc=com
ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
ad-server authentication host-name info-server2.cce.com secondary
ad-server authentication host-name info-server.cce.com
ad-server authentication ldap-port 389
ad-server user-filter sAMAccountName
ad-server group-filter ou
#
user-manage import-policy ad_server from ad
server template ad_server
server basedn dc=cce,dc=com
server searchdn ou=remoteusers,dc=cce,dc=com
destination-group /cce.com
user-attribute sAMAccountName
user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
group-filter (|(objectclass=organizationalUnit)(ou=*))
import-type all
import-override enable
sync-mode incremental schedule interval 120
sync-mode full schedule daily 01:00
#
aaa
authentication-scheme ad
authentication-mode ad
#
domain cce.com
authentication-scheme ad
ad-server ad_server
service-type ssl-vpn
reference user current-domain
new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
service
web-proxy enable
web-proxy web-link enable
web-proxy proxy-resource resource1 http://10.1.1.10 show-link
web-proxy proxy-resource resource2 http://10.1.1.11 show-link
network-extension enable
network-extension keep-alive enable
network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
network-extension mode manual
network-extension manual-route 10.1.1.0 255.255.255.0
role
role remoteusers condition all
role remoteusers network-extension enable
role remoteusers web-proxy enable
role remoteusers web-proxy resource resource1
role remoteusers web-proxy resource resource2
# The following configuration is a one-time operation and is not saved in the configuration file.
execute user-manage import-policy ad_server
# The following configuration is saved in the database and is not displayed in the configuration file.
v-gateway example
vpndb
group /cce.com/remoteusers
role
role director group /cce.com/remoteusers

FW-6

#
ad-server template ad_server
ad-server authentication 192.168.5.4 88
ad-server authentication 192.168.5.5 88 secondary
ad-server authentication base-dn dc=cce,dc=com
ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
ad-server authentication host-name info-server2.cce.com secondary
ad-server authentication host-name info-server.cce.com
ad-server authentication ldap-port 389
ad-server user-filter sAMAccountName
ad-server group-filter ou
#
user-manage import-policy ad_server from ad
server template ad_server
server basedn dc=cce,dc=com
server searchdn ou=remoteusers,dc=cce,dc=com
destination-group /cce.com
user-attribute sAMAccountName
user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
group-filter (|(objectclass=organizationalUnit)(ou=*))
import-type all
import-override enable
sync-mode incremental schedule interval 120
sync-mode full schedule daily 01:00
#
aaa
authentication-scheme ad
authentication-mode ad
#
domain cce.com
authentication-scheme ad
ad-server ad_server
service-type ssl-vpn
reference user current-domain
new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
service
web-proxy enable
web-proxy web-link enable
web-proxy proxy-resource resource1 http://10.1.1.10 show-link
web-proxy proxy-resource resource2 http://10.1.1.11 show-link
network-extension enable
network-extension keep-alive enable
network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
network-extension mode manual
network-extension manual-route 10.1.1.0 255.255.255.0
role
role remoteusers condition all
role remoteusers network-extension enable
role remoteusers web-proxy enable
role remoteusers web-proxy resource resource1
role remoteusers web-proxy resource resource2
# The following configuration is a one-time operation and is not saved in the configuration file.
execute user-manage import-policy ad_server
# The following configuration is saved in the database and is not displayed in the configuration file.
v-gateway example
vpndb
group /cce.com/remoteusers
role
role director group /cce.com/remoteusers

Conclusion and Suggestions

This section describes the typical application of firewalls in a financial data center, using the data center of a bank as the example.

This section details the security policy planning and network deployment planning of firewalls in the data center.

The procedure of security planning is as follows:

  1. Analyze and determine the security levels of the services and users in each network area.
  2. Determine the inter-zone access privileges based on the security levels of services and users and the specific requirements of the enterprise.
  3. Convert the planning of access control to the planning of firewall security policies.
Updated: 2019-06-17

Document ID: EDOC1100087921