Application of Firewalls in the Security Solution for Financial Data Centers
Introduction
This section describes the planning and deployment of firewalls in a financial data center network. It can also serve as a reference for firewall deployment in the data centers of other industries.
This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and later versions. Document content may vary according to version.
Solution Overview
A data center carries the core services of an enterprise and stores massive service data. It provides critical resources to ensure the normal production and operation of the enterprise. Therefore, the security of the data center network is of particular importance.
The Huawei financial data center solution uses a multi-layer, modular design. The modular design divides the data center network into multiple areas and uses firewalls to isolate services between them. The multi-layer design means that the network consists of a core layer, an aggregation layer, and an access layer, so that it is horizontally flexible and easy to scale.
To ensure the security of the data center network and its internal servers, it is usually necessary to deploy firewalls in the network to provide such functions as security isolation, access control, attack defense, and intrusion prevention.
As shown in Figure 1-1, firewalls are deployed at three locations in the financial data center solution: data center egress, intranet access area, and Internet egress. The firewalls provide different security protection functions.
| Item | Description |
|---|---|
| Firewall at the data center egress | |
| Firewall in the intranet access area | Serves as an SACG to work with the Agile Controller to authenticate users who access the intranet locally or through private lines. |
| Firewall at the Internet egress | |
The following sections describe the networking solutions and configuration methods of the firewalls.
Firewalls at the Data Center Egress
Typical Networking
Figure 1-2 shows the typical networking of firewalls at the data center egress.
- Core switches SW1 and SW2 are stacked; aggregation switches SW3 and SW4 are stacked. Firewalls are located between core switches and aggregation switches. They work in Layer 3 hot standby mode.
- VRRP is configured on the interfaces connecting the firewalls to the upstream and downstream devices. The firewalls use the VRRP virtual IP addresses to communicate with the upstream and downstream devices.
- Static routes are configured on the firewalls to guide traffic forwarding.
Service Planning
Firewall Interface Planning
Interface planning for FW-1
| No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks |
|---|---|---|---|---|---|
| 1 | FW-1 | GE1/0/1 | SW-1 | GE1/1/0/1 | Eth-Trunk 1, upstream service interface |
| 2 | FW-1 | GE1/0/2 | SW-1 | GE1/1/0/2 | Eth-Trunk 1, upstream service interface |
| 3 | FW-1 | GE1/0/3 | SW-3 | GE1/1/0/1 | Eth-Trunk 2, downstream service interface |
| 4 | FW-1 | GE1/0/4 | SW-3 | GE1/1/0/2 | Eth-Trunk 2, downstream service interface |
| 5 | FW-1 | GE1/0/5 | FW-2 | GE1/0/5 | Eth-Trunk 0, heartbeat interface |
| 6 | FW-1 | GE1/0/6 | FW-2 | GE1/0/6 | Eth-Trunk 0, heartbeat interface |
Interface planning for FW-2
| No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks |
|---|---|---|---|---|---|
| 1 | FW-2 | GE1/0/1 | SW-2 | GE2/1/0/1 | Eth-Trunk 1, upstream service interface |
| 2 | FW-2 | GE1/0/2 | SW-2 | GE2/1/0/2 | Eth-Trunk 1, upstream service interface |
| 3 | FW-2 | GE1/0/3 | SW-4 | GE2/1/0/1 | Eth-Trunk 2, downstream service interface |
| 4 | FW-2 | GE1/0/4 | SW-4 | GE2/1/0/2 | Eth-Trunk 2, downstream service interface |
| 5 | FW-2 | GE1/0/5 | FW-1 | GE1/0/5 | Eth-Trunk 0, heartbeat interface |
| 6 | FW-2 | GE1/0/6 | FW-1 | GE1/0/6 | Eth-Trunk 0, heartbeat interface |
Firewall IP Address Planning
| No. | Local Device | Local Interface | Local IP Address | Peer Device | Peer Interface | Peer IP Address |
|---|---|---|---|---|---|---|
| 1 | FW-1 | Eth-Trunk 1 | 10.6.1.2/29 (VRID 1, VIP 10.6.1.1) | SW-1 | VLANIF1000 | 10.6.1.4/29 |
| 2 | FW-1 | Eth-Trunk 2 | 10.7.1.2/29 (VRID 2, VIP 10.7.1.1) | SW-3 | VLANIF2000 | 10.7.1.4/29 |
| 3 | FW-1 | Eth-Trunk 0 | 11.11.11.1/24 | FW-2 | Eth-Trunk 0 | 11.11.11.2/24 |
| 4 | FW-2 | Eth-Trunk 1 | 10.6.1.3/29 (VRID 1, VIP 10.6.1.1) | SW-2 | VLANIF1000 | 10.6.1.4/29 |
| 5 | FW-2 | Eth-Trunk 2 | 10.7.1.3/29 (VRID 2, VIP 10.7.1.1) | SW-4 | VLANIF2000 | 10.7.1.4/29 |
| 6 | FW-2 | Eth-Trunk 0 | 11.11.11.2/24 | FW-1 | Eth-Trunk 0 | 11.11.11.1/24 |
Firewall Security Zone Planning
| No. | Security Zone | Security Zone Priority | Included Interface | Remarks |
|---|---|---|---|---|
| 1 | untrust | 5 | Eth-Trunk 1 | Upstream service interface |
| 2 | trust | 100 | Eth-Trunk 2 | Downstream service interface |
| 3 | dmz | 50 | Eth-Trunk 0 | Heartbeat interface |
Firewall Security Policy Planning
Address group
| No. | Address Group | Address | Remarks |
|---|---|---|---|
| 1 | remote_users | address 0 172.168.3.0 mask 24 | SSL VPN access for employees on the move |
| 2 | partner | address 0 172.168.4.0 mask 24 | Partner |
| 3 | branch1 | address 0 10.8.1.0 mask 24 | Branch 1 |
| 4 | branch2 | address 0 10.9.1.0 mask 24 | Branch 2 |
| 5 | server1 | address 0 10.1.1.10 mask 32; address 1 10.1.1.11 mask 32 | Server that employees on the move can access |
| 6 | server2 | address 0 10.2.1.4 mask 32; address 1 10.2.1.5 mask 32 | Server that the partner can access |
| 7 | server3 | address 0 10.1.2.4 mask 32; address 1 10.1.2.5 mask 32 | Server that branch 1 can access |
| 8 | server4 | address 0 10.1.1.4 mask 32; address 1 10.1.1.5 mask 32 | Server that branch 2 can access |
User-defined services
| No. | Service | Protocol/Port | Remarks |
|---|---|---|---|
| 1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server |
| 2 | tcp_8888_9000 | service 0 protocol tcp destination-port 8888; service 1 protocol tcp destination-port 9000 | Service for branch 1 to access the server |
Security policies
| No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action |
|---|---|---|---|---|---|---|---|
| 1 | remote_users_to_server1 | untrust | remote_users | trust | server1 | ftp, http | permit |
| 2 | partner_to_server2 | untrust | partner | trust | server2 | tcp_1414 | permit |
| 3 | branch1_to_server3 | untrust | branch1 | trust | server3 | tcp_8888_9000 | permit |
| 4 | branch2_to_server4 | untrust | branch2 | trust | server4 | ftp | permit |
| 5 | default | any | any | any | any | any | deny |
default indicates the default security policy. Traffic that matches none of the configured security policies is matched against the default security policy, whose conditions are all any and whose action is deny. If only PCs at specific IP addresses are allowed to access the servers, keep the default security policy and configure security policies that permit access from those IP addresses only.
Hot standby heartbeat packets are not controlled by security policies. Do not configure security policies for heartbeat packets.
Firewall Persistent Connections
Prolonging the session aging time of a protocol
| No. | Protocol | Aging Time |
|---|---|---|
| 1 | tcp_1414 | 40000 seconds |
Using the persistent connection function
| No. | Policy | Aging Time |
|---|---|---|
| 1 | branch2_to_server4 | 480 hours |
Of the two methods, prolonging the session aging time of a protocol is easier to configure, whereas the persistent connection function lets you set specific conditions so that only the specified traffic keeps persistent connections. The prolonged session aging time of a protocol is a global setting that takes effect on all sessions of the protocol. As a result, sessions that do not need persistent connections are not aged either and keep occupying session entries. Once session entry resources are exhausted, no new sessions can be created and no new services can be established.
Therefore, if you confirm that all sessions of a protocol require a long session aging time, you can prolong the session aging time of the protocol for persistent connections. Otherwise, use the persistent connection function.
The persistent connection function is valid only for TCP-based connections.
Firewall Route Planning
Static routes on firewalls
| No. | Destination Address | Mask | Next Hop | Remarks |
|---|---|---|---|---|
| 1 | 10.1.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 1 |
| 2 | 10.2.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 2 |
| 3 | 10.3.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 3 |
| 4 | 172.168.3.0 | 255.255.255.0 | 10.6.1.4 | Route to SSL VPN access terminals of employees on the move |
| 5 | 172.168.4.0 | 255.255.255.0 | 10.6.1.4 | Route to the partner's network |
| 6 | 10.8.1.0 | 255.255.255.0 | 10.6.1.4 | Route to branch 1's network |
| 7 | 10.9.1.0 | 255.255.255.0 | 10.6.1.4 | Route to branch 2's network |
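The security policies, the two persistent-connection settings and the static routes planned above can be checked against candidate flows before the configuration is pushed. The following Python script is an added example, not part of this Huawei document and not the firewall's own matching engine: it derives each endpoint's zone from the static route table, applies the security policies in order with the default deny rule last, and reports which mechanism (the tcp_1414 aging override, the long-link setting of branch2_to_server4, or the platform default) keeps a permitted session alive. The ftp/http port numbers and the route-based derivation of the source zone are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Planning data constructed from the tables on this page. The predefined
# ftp/http services are modelled as tcp/21 and tcp/80 (an assumption).
ADDRESS_SETS = {
    "remote_users": ["172.168.3.0/24"],
    "partner": ["172.168.4.0/24"],
    "branch1": ["10.8.1.0/24"],
    "branch2": ["10.9.1.0/24"],
    "server1": ["10.1.1.10/32", "10.1.1.11/32"],
    "server2": ["10.2.1.4/32", "10.2.1.5/32"],
    "server3": ["10.1.2.4/32", "10.1.2.5/32"],
    "server4": ["10.1.1.4/32", "10.1.1.5/32"],
}
SERVICE_SETS = {
    "ftp": {("tcp", 21)},
    "http": {("tcp", 80)},
    "tcp_1414": {("tcp", 1414)},
    "tcp_8888_9000": {("tcp", 8888), ("tcp", 9000)},
}
SERVICE_AGING_SECONDS = {"tcp_1414": 40000}  # firewall session aging-time service-set
# Static routes (prefix, next hop): 10.7.1.4 lies behind Eth-Trunk 2 (trust),
# 10.6.1.4 behind Eth-Trunk 1 (untrust).
STATIC_ROUTES = [
    ("10.1.0.0/16", "10.7.1.4"), ("10.2.0.0/16", "10.7.1.4"), ("10.3.0.0/16", "10.7.1.4"),
    ("172.168.3.0/24", "10.6.1.4"), ("172.168.4.0/24", "10.6.1.4"),
    ("10.8.1.0/24", "10.6.1.4"), ("10.9.1.0/24", "10.6.1.4"),
]
NEXT_HOP_ZONE = {"10.7.1.4": "trust", "10.6.1.4": "untrust"}

@dataclass
class Rule:
    name: str
    src_zone: str
    src_addr: str      # address-set name or "any"
    dst_zone: str
    dst_addr: str
    services: tuple    # service-set names, or ("any",)
    action: str
    long_link_hours: Optional[int] = None

# Ordered as on the firewall: specific permits first, default deny last.
POLICIES = [
    Rule("remote_users_to_server1", "untrust", "remote_users", "trust", "server1", ("ftp", "http"), "permit"),
    Rule("partner_to_server2", "untrust", "partner", "trust", "server2", ("tcp_1414",), "permit"),
    Rule("branch1_to_server3", "untrust", "branch1", "trust", "server3", ("tcp_8888_9000",), "permit"),
    Rule("branch2_to_server4", "untrust", "branch2", "trust", "server4", ("ftp",), "permit", long_link_hours=480),
    Rule("default", "any", "any", "any", "any", ("any",), "deny"),
]

def zone_for(ip: str) -> Optional[str]:
    """Longest-prefix match over the static routes, then next hop -> zone. The
    source zone is derived the same way (assumption): in this symmetric design
    the route back to the source leaves through the interface it arrived on."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return NEXT_HOP_ZONE[best[1]] if best else None

def addr_matches(set_name: str, ip: str) -> bool:
    if set_name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_SETS[set_name])

def service_matches(services: tuple, proto: str, port: int) -> bool:
    return services == ("any",) or any((proto, port) in SERVICE_SETS[s] for s in services)

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """First-match policy lookup; returns (action, rule name)."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("drop", "no-route")   # dropped by routing, never reaches the policy engine
    for r in POLICIES:
        if (r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone)
                and addr_matches(r.src_addr, src_ip) and addr_matches(r.dst_addr, dst_ip)
                and service_matches(r.services, proto, port)):
            return (r.action, r.name)
    return ("deny", "default")

def session_aging(src_ip: str, dst_ip: str, proto: str, port: int):
    """Which mechanism keeps a permitted flow's session alive and for how long:
    ("long-link", s), ("service-set aging-time", s), ("platform default", None),
    or None when the flow is not permitted. Long-link applies to TCP only."""
    action, name = evaluate(src_ip, dst_ip, proto, port)
    if action != "permit":
        return None
    rule = next(r for r in POLICIES if r.name == name)
    if rule.long_link_hours is not None and proto == "tcp":
        return ("long-link", rule.long_link_hours * 3600)
    for svc, secs in SERVICE_AGING_SECONDS.items():
        if (proto, port) in SERVICE_SETS[svc]:
            return ("service-set aging-time", secs)
    return ("platform default", None)
```

Note that a reply from server1 to a remote user is only permitted because the firewall tracks the session; a flow initiated in the trust zone towards untrust matches no rule and falls to the default deny.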
Security Defense Planning
- Attack defense planning

  To defend the internal network against network attacks, configure attack defense on the firewalls. Defense against the following attacks is normally recommended:

  - Smurf attacks
  - Land attacks
  - Fraggle attacks
  - Ping of Death attacks
  - WinNuke attacks
  - IP packet with route record option attacks
  - IP packet with source route option attacks
  - IP packet with timestamp option attacks
  - SYN flood attacks
  - UDP flood attacks
  - ICMP flood attacks

  In practice, for the flood attacks above, start with a comparatively large value for the maximum rate of attack packets on the interfaces, observe the attack traffic, and lower the rate step by step until you reach a value that limits the attack traffic without affecting services.
- IPS planning

  To prevent hackers, zombies, Trojan horses, and worms from intruding into the internal network, configure IPS on the firewalls.

  The IPS may run on the firewalls or be deployed as an independent IPS device.

  To enable the IPS functions, reference an IPS profile when defining security policies. In this solution, the IPS profile is referenced in all the security policies planned above (except those for the local zone), so IPS detection is carried out for all traffic permitted by the security policies.

  Generally, when the firewalls are initially deployed, you can select the predefined IPS profile default. After the firewalls have been running for some time, the administrator can define a profile based on the observed network status. The IPS also provides the predefined profile ids, with which alarms are generated when intrusions are detected but the intrusions are not blocked. If high security is required and false positives reported by the IPS must be reduced, you can select the ids profile.
Precautions
IPS
The IPS signature database must be the latest before the IPS function is configured.
Attack Defense
The attack defense configuration is the recommended standard configuration.
Policy Backup-based Acceleration Function
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
Configuration Procedure
Procedure
- Configure IP addresses for interfaces and assign the interfaces to security zones.
# Configure IP addresses for the Eth-Trunk interfaces of FW-1.
```
<sysname> system-view
[sysname] sysname FW-1
[FW-1] interface Eth-Trunk 1
[FW-1-Eth-Trunk1] description Link_To_CoreSwitch_SW1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-1-Eth-Trunk1] ip address 10.6.1.2 29
[FW-1-Eth-Trunk1] quit
[FW-1] interface Eth-Trunk 2
[FW-1-Eth-Trunk2] description Link_To_Aggregation_SW3
[FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
[FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
[FW-1-Eth-Trunk2] ip address 10.7.1.2 29
[FW-1-Eth-Trunk2] quit
[FW-1] interface Eth-Trunk 0
[FW-1-Eth-Trunk0] description HRP_Interface
[FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
[FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
[FW-1-Eth-Trunk0] ip address 11.11.11.1 24
[FW-1-Eth-Trunk0] quit
```
# Configure IP addresses for the Eth-Trunk interfaces of FW-2.
```
<sysname> system-view
[sysname] sysname FW-2
[FW-2] interface Eth-Trunk 1
[FW-2-Eth-Trunk1] description Link_To_CoreSwitch_SW2
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-2-Eth-Trunk1] ip address 10.6.1.3 29
[FW-2-Eth-Trunk1] quit
[FW-2] interface Eth-Trunk 2
[FW-2-Eth-Trunk2] description Link_To_Aggregation_SW4
[FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
[FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
[FW-2-Eth-Trunk2] ip address 10.7.1.3 29
[FW-2-Eth-Trunk2] quit
[FW-2] interface Eth-Trunk 0
[FW-2-Eth-Trunk0] description HRP_Interface
[FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
[FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
[FW-2-Eth-Trunk0] ip address 11.11.11.2 24
[FW-2-Eth-Trunk0] quit
```
# Assign the interfaces of FW-1 to appropriate security zones.
```
[FW-1] firewall zone trust
[FW-1-zone-trust] add interface Eth-Trunk 2
[FW-1-zone-trust] quit
[FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface Eth-Trunk 1
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk 0
[FW-1-zone-dmz] quit
```
# Assign the interfaces of FW-2 to appropriate security zones.
```
[FW-2] firewall zone trust
[FW-2-zone-trust] add interface Eth-Trunk 2
[FW-2-zone-trust] quit
[FW-2] firewall zone untrust
[FW-2-zone-untrust] add interface Eth-Trunk 1
[FW-2-zone-untrust] quit
[FW-2] firewall zone dmz
[FW-2-zone-dmz] add interface Eth-Trunk 0
[FW-2-zone-dmz] quit
```
- Configure static routes.
# On FW-1, configure a static route to the data center service area and set the next hop to the IP address of the aggregation switch.
```
[FW-1] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
[FW-1] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
[FW-1] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
```
# On FW-2, configure a static route to the data center service area and set the next hop to the IP address of the aggregation switch.
```
[FW-2] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
[FW-2] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
[FW-2] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
```
# On FW-1, configure static routes to the SSL VPN access terminal, branch, and partner network and set the next hop to the IP address of the core switch.
```
[FW-1] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
```
# On FW-2, configure static routes to the SSL VPN access terminal, branch, and partner network and set the next hop to the IP address of the core switch.
```
[FW-2] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
```
- Configure hot standby.
# Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-1, setting its state to Active.
```
[FW-1] interface Eth-Trunk1
[FW-1-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 active
[FW-1-Eth-Trunk1] quit
```
# Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-1, setting its state to Active.
```
[FW-1] interface Eth-Trunk2
[FW-1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 active
[FW-1-Eth-Trunk2] quit
```
# Designate Eth-Trunk 0 as the heartbeat interface of FW-1, and enable hot standby.
```
[FW-1] hrp interface Eth-Trunk0 remote 11.11.11.2
[FW-1] hrp enable
```
# Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-2, setting its state to Standby.
```
[FW-2] interface Eth-Trunk1
[FW-2-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 standby
[FW-2-Eth-Trunk1] quit
```
# Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-2, setting its state to Standby.
```
[FW-2] interface Eth-Trunk2
[FW-2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 standby
[FW-2-Eth-Trunk2] quit
```
# Designate Eth-Trunk 0 as the heartbeat interface of FW-2, and enable hot standby.
```
[FW-2] hrp interface Eth-Trunk0 remote 11.11.11.1
[FW-2] hrp enable
```
- Configure security policies and IPS functions.
After hot standby is configured, you only need to configure security policies and attack defense on the active device FW-1. The configuration on FW-1 is automatically backed up on FW-2.
# Configure an address group on FW-1.
```
HRP_M[FW-1] ip address-set remote_users type object
HRP_M[FW-1-object-address-set-remote_users] address 0 172.168.3.0 mask 24
HRP_M[FW-1-object-address-set-remote_users] description "for remote users"
HRP_M[FW-1-object-address-set-remote_users] quit
HRP_M[FW-1] ip address-set partner type object
HRP_M[FW-1-object-address-set-partner] address 0 172.168.4.0 mask 24
HRP_M[FW-1-object-address-set-partner] description "for partner"
HRP_M[FW-1-object-address-set-partner] quit
HRP_M[FW-1] ip address-set branch1 type object
HRP_M[FW-1-object-address-set-branch1] address 0 10.8.1.0 mask 24
HRP_M[FW-1-object-address-set-branch1] description "for branch1"
HRP_M[FW-1-object-address-set-branch1] quit
HRP_M[FW-1] ip address-set branch2 type object
HRP_M[FW-1-object-address-set-branch2] address 0 10.9.1.0 mask 24
HRP_M[FW-1-object-address-set-branch2] description "for branch2"
HRP_M[FW-1-object-address-set-branch2] quit
HRP_M[FW-1] ip address-set server1 type object
HRP_M[FW-1-object-address-set-server1] address 0 10.1.1.10 mask 32
HRP_M[FW-1-object-address-set-server1] address 1 10.1.1.11 mask 32
HRP_M[FW-1-object-address-set-server1] description "for server1"
HRP_M[FW-1-object-address-set-server1] quit
HRP_M[FW-1] ip address-set server2 type object
HRP_M[FW-1-object-address-set-server2] address 0 10.2.1.4 mask 32
HRP_M[FW-1-object-address-set-server2] address 1 10.2.1.5 mask 32
HRP_M[FW-1-object-address-set-server2] description "for server2"
HRP_M[FW-1-object-address-set-server2] quit
HRP_M[FW-1] ip address-set server3 type object
HRP_M[FW-1-object-address-set-server3] address 0 10.1.2.4 mask 32
HRP_M[FW-1-object-address-set-server3] address 1 10.1.2.5 mask 32
HRP_M[FW-1-object-address-set-server3] description "for server3"
HRP_M[FW-1-object-address-set-server3] quit
HRP_M[FW-1] ip address-set server4 type object
HRP_M[FW-1-object-address-set-server4] address 0 10.1.1.4 mask 32
HRP_M[FW-1-object-address-set-server4] address 1 10.1.1.5 mask 32
HRP_M[FW-1-object-address-set-server4] description "for server4"
HRP_M[FW-1-object-address-set-server4] quit
```
# Configure a service set on FW-1.
```
HRP_M[FW-1] ip service-set tcp_1414 type object
HRP_M[FW-1-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414
HRP_M[FW-1-object-service-set-tcp_1414] quit
HRP_M[FW-1] ip service-set tcp_8888_9000 type object
HRP_M[FW-1-object-service-set-tcp_8888_9000] service 0 protocol tcp destination-port 8888
HRP_M[FW-1-object-service-set-tcp_8888_9000] service 1 protocol tcp destination-port 9000
HRP_M[FW-1-object-service-set-tcp_8888_9000] quit
```
# Configure the security policy remote_users_to_server1 on FW-1 and reference the IPS profile.
```
HRP_M[FW-1] security-policy
HRP_M[FW-1-policy-security] rule name remote_users_to_server1
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-zone untrust
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-zone trust
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-address address-set remote_users
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-address address-set server1
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] service ftp http
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] action permit
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] profile ips default
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] quit
```
# Configure the security policy partner_to_server2 on FW-1 and reference the IPS profile.
```
HRP_M[FW-1-policy-security] rule name partner_to_server2
HRP_M[FW-1-policy-security-rule-partner_to_server2] source-zone untrust
HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-zone trust
HRP_M[FW-1-policy-security-rule-partner_to_server2] source-address address-set partner
HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-address address-set server2
HRP_M[FW-1-policy-security-rule-partner_to_server2] service tcp_1414
HRP_M[FW-1-policy-security-rule-partner_to_server2] action permit
HRP_M[FW-1-policy-security-rule-partner_to_server2] profile ips default
HRP_M[FW-1-policy-security-rule-partner_to_server2] quit
```
# Configure the security policy branch1_to_server3 on FW-1 and reference the IPS profile.
```
HRP_M[FW-1-policy-security] rule name branch1_to_server3
HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-zone untrust
HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-zone trust
HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-address address-set branch1
HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-address address-set server3
HRP_M[FW-1-policy-security-rule-branch1_to_server3] service tcp_8888_9000
HRP_M[FW-1-policy-security-rule-branch1_to_server3] action permit
HRP_M[FW-1-policy-security-rule-branch1_to_server3] profile ips default
HRP_M[FW-1-policy-security-rule-branch1_to_server3] quit
```
# Configure the security policy branch2_to_server4 on FW-1 and reference the IPS profile.
```
HRP_M[FW-1-policy-security] rule name branch2_to_server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-zone untrust
HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-zone trust
HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-address address-set branch2
HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-address address-set server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] service ftp
HRP_M[FW-1-policy-security-rule-branch2_to_server4] action permit
HRP_M[FW-1-policy-security-rule-branch2_to_server4] profile ips default
HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-1-policy-security] quit
```
- Configure persistent connections.
# Change the session aging time to 40000 seconds for tcp_1414.
```
HRP_M[FW-1] firewall session aging-time service-set tcp_1414 40000
```
# Enable the persistent connection function in security policy branch2_to_server4 and change the aging time to 480 hours for connections matching this policy.
```
HRP_M[FW-1] security-policy
HRP_M[FW-1-policy-security] rule name branch2_to_server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link enable
HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link aging-time 480
HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-1-policy-security] quit
```
- Configure attack defense.
# Configure defense against single packet attacks on FW-1.
```
HRP_M[FW-1] firewall defend land enable
HRP_M[FW-1] firewall defend smurf enable
HRP_M[FW-1] firewall defend fraggle enable
HRP_M[FW-1] firewall defend ip-fragment enable
HRP_M[FW-1] firewall defend tcp-flag enable
HRP_M[FW-1] firewall defend winnuke enable
HRP_M[FW-1] firewall defend source-route enable
HRP_M[FW-1] firewall defend teardrop enable
HRP_M[FW-1] firewall defend route-record enable
HRP_M[FW-1] firewall defend time-stamp enable
HRP_M[FW-1] firewall defend ping-of-death enable
```
- Configure policy backup-based acceleration function.
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
```
HRP_M[FW-1] policy accelerate standby enable
```
Verification
- On FW-1 and FW-2, run the display hrp state verbose command to view the hot standby status.
```
HRP_M<FW-1> display hrp state verbose
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:13 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

Configuration:
  hello interval: 1000ms
  preempt: 60s
  mirror configuration: off
  mirror session: off
  track trunk member: on
  auto-sync configuration: on
  auto-sync connection-status: on
  adjust ospf-cost: on
  adjust ospfv3-cost: on
  adjust bgp-cost: on
  nat resource: off

Detail information:
  Eth-Trunk1 vrrp vrid 1: active
  Eth-Trunk2 vrrp vrid 2: active
  GigabitEthernet1/0/1: up
  GigabitEthernet1/0/2: up
  GigabitEthernet1/0/3: up
  GigabitEthernet1/0/4: up
  ospf-cost: +0
  ospfv3-cost: +0
  bgp-cost: +0

HRP_S<FW-2> display hrp state verbose
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:18 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

Configuration:
  hello interval: 1000ms
  preempt: 60s
  mirror configuration: off
  mirror session: off
  track trunk member: on
  auto-sync configuration: on
  auto-sync connection-status: on
  adjust ospf-cost: on
  adjust ospfv3-cost: on
  adjust bgp-cost: on
  nat resource: off

Detail information:
  Eth-Trunk1 vrrp vrid 1: standby
  Eth-Trunk2 vrrp vrid 2: standby
  GigabitEthernet1/0/1: up
  GigabitEthernet1/0/2: up
  GigabitEthernet1/0/3: up
  GigabitEthernet1/0/4: up
  ospf-cost: +65500
  ospfv3-cost: +65500
  bgp-cost: +100
```
- Test the active/standby switchover.
Configure a PC in the untrust zone to ping the server address continuously, then run the shutdown command on Eth-Trunk1 of FW-1 and check the status switchover of the firewalls and the number of discarded ping packets. If the switchover is normal, FW-2 becomes the active device and carries services: the command prompt of FW-2 changes from HRP_S to HRP_M, the command prompt of FW-1 changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

Then run the undo shutdown command on Eth-Trunk1 of FW-1 and check the status switchover of the firewalls and the discarded ping packets again. If the switchover is normal, FW-1 becomes the active device and starts to carry services after the preemption delay (60s by default) expires: the command prompt of FW-1 changes from HRP_S to HRP_M, the command prompt of FW-2 changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.
- Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update information of the IPS signature database.
```
HRP_M<FW-1> display update configuration
Update Configuration Information:
------------------------------------------------------------
  Update Server : sec.huawei.com
  Update Port : 80
  Proxy State : disable
  Proxy Server : -
  Proxy Port : -
  Proxy User : -
  Proxy Password : -
  IPS-SDB:
    Application Confirmation : Disable
    Schedule Update : Enable
    Schedule Update Frequency : Daily
    Schedule Update Time : 02:30
  AV-SDB:
    Application Confirmation : Disable
    Schedule Update : Enable
    Schedule Update Frequency : Daily
    Schedule Update Time : 02:30
  SA-SDB:
    Application Confirmation : Disable
    Schedule Update : Enable
    Schedule Update Frequency : Daily
    Schedule Update Time : 02:30
  IP-REPUTATION:
    Application Confirmation : Disable
    Schedule Update : Enable
    Schedule Update Frequency : Daily
    Schedule Update Time : 02:30
  CNC:
    Application Confirmation : Disable
    Schedule Update : Enable
    Schedule Update Frequency : Daily
    Schedule Update Time : 02:30
------------------------------------------------------------
```
# Run the display version ips-sdb command to check the configuration of the IPS signature database.
```
HRP_M<FW-1> display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
  Current Version:
    Signature Database Version : 2016050703
    Signature Database Size(byte) : 2659606
    Update Time : 02:30:00 2016/05/08
    Issue Time of the Update File : 16:06:30 2016/05/07
  Backup Version:
    Signature Database Version :
    Signature Database Size(byte) : 0
    Update Time : 00:00:00 0000/00/00
    Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
  Current Version:
    IPS Engine Version : V200R002C00SPC060
    IPS Engine Size(byte) : 3145728
    Update Time : 02:30:00 2016/05/08
    Issue Time of the Update File : 16:06:30 2016/05/07
  Backup Version:
    IPS Engine Version :
    IPS Engine Size(byte) : 0
    Update Time : 00:00:00 0000/00/00
    Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
```
- Verify the access permission of users in each security zone to the data center network.
If the access control result conforms to the security policy planning in Service Planning, the configuration is successful.
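The hot standby checks above are read by eye from the CLI. The following Python script is an added example (not part of this document) that parses `display hrp state verbose` output from both firewalls and flags the inconsistencies a switchover test should not leave behind: conflicting roles, a VRRP group whose state does not follow the device's HRP role, a tracked member interface that is down, or configuration auto-sync turned off. The sample outputs are constructed and abridged from the output shown above; the assumption is that the device prints one field per line as reproduced there.

```python
import re

# Constructed samples, abridged from the `display hrp state verbose` output
# shown on this page (one field per line, as the device prints it).
FW1_OUTPUT = """\
Role: active, peer: standby
Running priority: 45000, peer: 45000
Configuration:
  hello interval: 1000ms
  preempt: 60s
  auto-sync configuration: on
  auto-sync connection-status: on
Detail information:
  Eth-Trunk1 vrrp vrid 1: active
  Eth-Trunk2 vrrp vrid 2: active
  GigabitEthernet1/0/1: up
  GigabitEthernet1/0/2: up
  GigabitEthernet1/0/3: up
  GigabitEthernet1/0/4: up
  ospf-cost: +0
"""
FW2_OUTPUT = (FW1_OUTPUT.replace("Role: active, peer: standby", "Role: standby, peer: active")
              .replace("vrid 1: active", "vrid 1: standby")
              .replace("vrid 2: active", "vrid 2: standby")
              .replace("ospf-cost: +0", "ospf-cost: +65500"))
# Constructed faulty standby: VRRP group 2 still active and one member link down.
FW2_BROKEN = (FW2_OUTPUT.replace("vrid 2: standby", "vrid 2: active")
              .replace("GigabitEthernet1/0/3: up", "GigabitEthernet1/0/3: down"))

def parse_hrp_state(output: str) -> dict:
    """Pull role, VRRP group states, tracked interfaces and HRP settings out of
    the command output. Section headers end with ':' on a line of their own."""
    state = {"role": None, "peer": None, "vrrp": {}, "interfaces": {}, "config": {}}
    section = None
    for line in output.splitlines():
        m = re.match(r"Role: (\w+), peer: (\w+)", line)
        if m:
            state["role"], state["peer"] = m.groups()
            continue
        if line.strip().endswith(":"):            # "Configuration:", "Detail information:"
            section = line.strip()[:-1]
            continue
        m = re.match(r"\s*(\S+) vrrp vrid (\d+): (\w+)", line)
        if m:
            state["vrrp"][int(m.group(2))] = (m.group(1), m.group(3))
            continue
        m = re.match(r"\s*(GigabitEthernet\S+): (\w+)", line)
        if m:
            state["interfaces"][m.group(1)] = m.group(2)
            continue
        if section == "Configuration":
            key, _, value = line.strip().partition(": ")
            state["config"][key] = value
    return state

def check_hrp_pair(local_output: str, peer_output: str) -> list:
    """Cross-check both firewalls; an empty list means the pair is healthy."""
    local, peer = parse_hrp_state(local_output), parse_hrp_state(peer_output)
    findings = []
    complement = {"active": "standby", "standby": "active"}
    if complement.get(local["role"]) != peer["role"]:
        findings.append(f"role conflict: local is {local['role']}, peer is {peer['role']}")
    if local["peer"] != peer["role"] or peer["peer"] != local["role"]:
        findings.append("a device's view of its peer disagrees with the peer's own role")
    for label, st in (("local", local), ("peer", peer)):
        for vrid, (ifname, vstate) in st["vrrp"].items():
            if vstate != st["role"]:              # VRRP state must follow the HRP role
                findings.append(f"{label}: vrid {vrid} on {ifname} is {vstate} but role is {st['role']}")
        for ifname, istate in st["interfaces"].items():
            if istate != "up":
                findings.append(f"{label}: tracked member {ifname} is {istate}")
        if st["config"].get("auto-sync configuration") != "on":
            findings.append(f"{label}: configuration auto-sync is off; policies on FW-1 will not be backed up")
    return findings
```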
Configuration Scripts
FW-1 |
FW-2 |
---|---|
# hrp enable hrp interface Eth-Trunk0 remote 11.11.11.2 # firewall defend land enable firewall defend smurf enable firewall defend fraggle enable firewall defend ip-fragment enable firewall defend tcp-flag enable firewall defend winnuke enable firewall defend source-route enable firewall defend teardrop enable firewall defend route-record enable firewall defend time-stamp enable firewall defend ping-of-death enable # ip address-set remote_users type object description "for remote users" address 0 172.168.3.0 mask 24 # ip address-set partner type object description "for partner" address 0 172.168.4.0 mask 24 # ip address-set branch1 type object description "for branch1" address 0 10.8.1.0 mask 24 # ip address-set branch2 type object description "for branch2" address 0 10.9.1.0 mask 24 # ip address-set server1 type object description "for server1" address 0 10.1.1.10 mask 32 address 1 10.1.1.11 mask 32 # ip address-set server2 type object description "for server2" address 0 10.2.1.4 mask 32 address 1 10.2.1.5 mask 32 # ip address-set server3 type object description "for server3" address 0 10.1.2.4 mask 32 address 1 10.1.2.5 mask 32 # ip address-set server4 type object description "for server4" address 0 10.1.1.4 mask 32 address 1 10.1.1.5 mask 32 # ip service-set tcp_1414 type object service 0 protocol tcp destination-port 1414 # ip service-set tcp_8888_9000 type object service 0 protocol tcp destination-port 8888 service 1 protocol tcp destination-port 9000 # interface Eth-Trunk0 ip address 11.11.11.1 255.255.255.0 # interface Eth-Trunk1 ip address 10.6.1.2 255.255.255.248 vrrp vrid 1 virtual-ip 10.6.1.1 active # interface Eth-Trunk2 ip address 10.7.1.2 255.255.255.248 vrrp vrid 2 virtual-ip 10.7.1.1 active # interface GigabitEthernet 1/0/1 eth-trunk 1 # interface GigabitEthernet 1/0/2 eth-trunk 1 # interface GigabitEthernet 1/0/3 eth-trunk 2 # interface GigabitEthernet 1/0/4 eth-trunk 2 # interface GigabitEthernet 1/0/5 eth-trunk 0 # interface GigabitEthernet 1/0/5 
eth-trunk 0 # firewall zone trust add interface Eth-Trunk2 # firewall zone untrust add interface Eth-Trunk1 # firewall zone dmz add interface Eth-Trunk0 # ip route-static 10.1.0.0 255.255.0.0 10.7.1.4 ip route-static 10.2.0.0 255.255.0.0 10.7.1.4 ip route-static 10.3.0.0 255.255.0.0 10.7.1.4 ip route-static 10.8.1.0 255.255.255.0 10.6.1.4 ip route-static 10.9.1.0 255.255.255.0 10.6.1.4 ip route-static 192.168.3.0 255.255.255.0 10.6.1.4 ip route-static 192.168.4.0 255.255.255.0 10.6.1.4 # firewall session aging-time service-set tcp_1414 40000 # security-policy rule name remote_users_to_server1 source-zone untrust destination-zone trust source-address address-set remote_users destination-address address-set server1 service http service ftp profile ips default action permit rule name partner_to_server2 source-zone untrust destination-zone trust source-address address-set partner destination-address address-set server2 service tcp_1414 profile ips default action permit rule name branch1_to_server3 source-zone untrust destination-zone trust source-address address-set branch1 destination-address address-set server3 service tcp_8888_9000 profile ips default action permit rule name branch2_to_server4 source-zone untrust destination-zone trust source-address address-set branch2 destination-address address-set server4 service ftp profile ips default long-link enable long-link aging-time 480 action permit |
#
hrp enable
hrp interface Eth-Trunk0 remote 11.11.11.1
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch1 type object
 description "for branch1"
 address 0 10.8.1.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server3 type object
 description "for server3"
 address 0 10.1.2.4 mask 32
 address 1 10.1.2.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
ip service-set tcp_8888_9000 type object
 service 0 protocol tcp destination-port 8888
 service 1 protocol tcp destination-port 9000
#
interface Eth-Trunk0
 ip address 11.11.11.2 255.255.255.0
#
interface Eth-Trunk1
 ip address 10.6.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 10.6.1.1 standby
#
interface Eth-Trunk2
 ip address 10.7.1.3 255.255.255.248
 vrrp vrid 2 virtual-ip 10.7.1.1 standby
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2
#
firewall zone untrust
 add interface Eth-Trunk1
#
firewall zone dmz
 add interface Eth-Trunk0
#
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone untrust
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone untrust
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch1_to_server3
  source-zone untrust
  destination-zone trust
  source-address address-set branch1
  destination-address address-set server3
  service tcp_8888_9000
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone untrust
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit |
Firewalls in the Intranet Access Area
Typical Networking
As shown in Figure 1-3, firewalls are attached to core switches as the hardware SACGs of the Agile Controller. When users in branch 1 access the data center service area, the firewalls work with the Agile Controller to control user access as follows:
- To ensure the security of the service system and prevent external users or insecure terminal hosts from accessing it, only users who have passed identity authentication and the terminal security check are allowed to access the service system.
- The service system is the core network resource, and employees are allowed to access the system only in working hours.
- The deployment has minimal impact on the existing network. The service-first principle applies to the entire network so that services continue even if the access control system fails.
The data center network is logically divided into the pre-authentication domain, isolation domain, and post-authentication domain:
- The pre-authentication domain is accessible to unauthenticated terminal hosts, and comprises the DNS, external authentication source, SC, and SM.
- The isolation domain is accessible to terminal hosts that pass the identity authentication but not the security authentication, and comprises the patch server and anti-virus server.
- The post-authentication domain is accessible to terminal hosts that have passed both identity and security authentication. In this solution, this domain is the data center service area.
Service Planning
Firewall Interface Planning
No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
---|---|---|---|---|---
1 | FW-3 | GE1/0/1 | SW-1 | GE1/1/0/3 | Upstream service interface
2 | FW-3 | GE1/0/2 | SW-1 | GE1/1/0/4 | Downstream service interface
3 | FW-4 | GE1/0/1 | SW-2 | GE2/1/0/3 | Upstream service interface
4 | FW-4 | GE1/0/2 | SW-2 | GE2/1/0/4 | Downstream service interface
5 | FW-3 | GE1/0/3 | FW-4 | GE1/0/3 | Heartbeat interface
6 | FW-4 | GE1/0/3 | FW-3 | GE1/0/3 | Heartbeat interface
Firewall IP Address Planning
No. | Local Device | Local Interface | Local IP Address | Peer Device | Peer Interface | Peer IP Address
---|---|---|---|---|---|---
1 | FW-3 | GE1/0/1 | 10.4.1.2/29; VRID: 1; VIP: 10.4.1.1 | SW-1 | VLANIF101 | 10.4.1.4/29
2 | FW-3 | GE1/0/2 | 10.5.1.2/29; VRID: 2; VIP: 10.5.1.1 | SW-1 | VLANIF102 | 10.5.1.4/29
3 | FW-3 | GE1/0/3 | 10.10.10.1/24 | FW-4 | GE1/0/3 | 10.10.10.2/24
4 | FW-4 | GE1/0/1 | 10.4.1.3/29; VRID: 1; VIP: 10.4.1.1 | SW-2 | VLANIF101 | 10.4.1.4/29
5 | FW-4 | GE1/0/2 | 10.5.1.3/29; VRID: 2; VIP: 10.5.1.1 | SW-2 | VLANIF102 | 10.5.1.4/29
6 | FW-4 | GE1/0/3 | 10.10.10.2/24 | FW-3 | GE1/0/3 | 10.10.10.1/24
Firewall Security Zone Planning
No. | Security Zone | Security Zone Priority | Included Interface | Remarks
---|---|---|---|---
1 | untrust | 5 | GE1/0/2 | Downstream service interface
2 | trust | 100 | GE1/0/1 | Upstream service interface
3 | dmz | 50 | GE1/0/3 | Heartbeat interface
Firewall Security Policy Planning
No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Action
---|---|---|---|---|---|---
1 | sc_to_sacg | trust | any | local | any | permit
2 | sacg_to_client | local | any | untrust | any | permit
Firewall Route Planning
Static routes on firewalls
No. | Destination Address | Mask | Next Hop | Remarks
---|---|---|---|---
1 | 0.0.0.0 | 0.0.0.0 | 10.4.1.4 | Route that guides traffic back to the switch
Agile Controller Data Planning
Item | Data | Remarks
---|---|---
Service Controller 1 | IP address: 192.168.1.2/24; Port: 3288; Shared key: TSM_Security | The port and shared key configured on the FW must match those configured on the Service Controller. If the Web push function is configured on the FW and an unauthenticated terminal user attempts to access the Web server in the post-authentication domain, the FW pushes the Web authentication page to the user so that the user can complete identity authentication on that page.
Service Controller 2 | IP address: 192.168.1.3/24; Port: 3288; Shared key: TSM_Security | Same as Service Controller 1.
Service Manager | Login address: https://192.168.1.2:8443; User name: admin; Password: Admin@123 | The Service Manager and Service Controller 1 are installed on the same server. Log in to the Service Manager to configure the Agile Controller.
Network segment on which the terminal user resides | 10.8.1.0/24 | Network segment of users in branch 1.
Post-authentication domain | 10.1.1.4, 10.1.1.5 | Add the servers in the data center service area to the post-authentication domain and apply them to user accounts in branch 1.
Isolation domain | Patch server: 192.168.2.3; Antivirus server: 192.168.2.5 | Add the patch server and antivirus server to the isolation domain and apply them to user accounts in branch 1.
Pre-authentication domain | DNS server: 192.168.3.3; Service Controller 1: 192.168.1.2; Service Controller 2: 192.168.1.3 | Add the DNS server and Service Controllers to the pre-authentication domain.
Agile Controller User Data Planning
User Name | User IP Address | User Group | Role ID | Role Name
---|---|---|---|---
lee | 10.8.1.3 | ROOT\development | 1 | DefaultDeny (this role is prohibited from accessing all services)
| | | 6 | Permit_1 (this role is allowed to access the service system)
| | | 255 | Last (this role is allowed to access the pre-authentication domain)
Configuration Procedure
Procedure
- Configure IP addresses for interfaces and assign the interfaces to security zones.
# Configure IP addresses for the interfaces of FW-3.
<sysname> system-view
[sysname] sysname FW-3
[FW-3] interface GigabitEthernet 1/0/1
[FW-3-GigabitEthernet1/0/1] description SACG1_To_Coreswitch1_GE1/1/0/3
[FW-3-GigabitEthernet1/0/1] ip address 10.4.1.2 29
[FW-3-GigabitEthernet1/0/1] quit
[FW-3] interface GigabitEthernet 1/0/2
[FW-3-GigabitEthernet1/0/2] description SACG1_To_Coreswitch1_GE1/1/0/4
[FW-3-GigabitEthernet1/0/2] ip address 10.5.1.2 29
[FW-3-GigabitEthernet1/0/2] quit
[FW-3] interface GigabitEthernet 1/0/3
[FW-3-GigabitEthernet1/0/3] description hrp_interface
[FW-3-GigabitEthernet1/0/3] ip address 10.10.10.1 24
[FW-3-GigabitEthernet1/0/3] quit
# Configure IP addresses for the interfaces of FW-4.
<sysname> system-view
[sysname] sysname FW-4
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] description SACG2_To_Coreswitch2_GE2/1/0/3
[FW-4-GigabitEthernet1/0/1] ip address 10.4.1.3 29
[FW-4-GigabitEthernet1/0/1] quit
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] description SACG2_To_Coreswitch2_GE2/1/0/4
[FW-4-GigabitEthernet1/0/2] ip address 10.5.1.3 29
[FW-4-GigabitEthernet1/0/2] quit
[FW-4] interface GigabitEthernet 1/0/3
[FW-4-GigabitEthernet1/0/3] description hrp_interface
[FW-4-GigabitEthernet1/0/3] ip address 10.10.10.2 24
[FW-4-GigabitEthernet1/0/3] quit
# Assign the interfaces of FW-3 to appropriate security zones.
[FW-3] firewall zone trust
[FW-3-zone-trust] add interface GigabitEthernet 1/0/1
[FW-3-zone-trust] quit
[FW-3] firewall zone untrust
[FW-3-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-3-zone-untrust] quit
[FW-3] firewall zone dmz
[FW-3-zone-dmz] add interface GigabitEthernet 1/0/3
[FW-3-zone-dmz] quit
# Assign the interfaces of FW-4 to appropriate security zones.
[FW-4] firewall zone trust
[FW-4-zone-trust] add interface GigabitEthernet 1/0/1
[FW-4-zone-trust] quit
[FW-4] firewall zone untrust
[FW-4-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-4-zone-untrust] quit
[FW-4] firewall zone dmz
[FW-4-zone-dmz] add interface GigabitEthernet 1/0/3
[FW-4-zone-dmz] quit
- Configure static routes.
# On FW-3, configure a static route to guide traffic back to the core switch.
[FW-3] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
# On FW-4, configure a static route to guide traffic back to the core switch.
[FW-4] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
- Configure link-group.
# On FW-3, configure link-group 1 and add upstream and downstream service interfaces to the link-group.
[FW-3] interface GigabitEthernet 1/0/1
[FW-3-GigabitEthernet1/0/1] link-group 1
[FW-3-GigabitEthernet1/0/1] quit
[FW-3] interface GigabitEthernet 1/0/2
[FW-3-GigabitEthernet1/0/2] link-group 1
[FW-3-GigabitEthernet1/0/2] quit
# On FW-4, configure link-group 1 and add upstream and downstream service interfaces to the link-group.
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] link-group 1
[FW-4-GigabitEthernet1/0/1] quit
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] link-group 1
[FW-4-GigabitEthernet1/0/2] quit
- Configure hot standby.
# Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-3, setting its state to Active.
[FW-3] interface GigabitEthernet 1/0/1
[FW-3-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 active
[FW-3-GigabitEthernet1/0/1] quit
# Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-3, setting its state to Active.
[FW-3] interface GigabitEthernet 1/0/2
[FW-3-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 active
[FW-3-GigabitEthernet1/0/2] quit
# Designate GE1/0/3 as the heartbeat interface of FW-3, and enable hot standby.
[FW-3] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2
[FW-3] hrp enable
# Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-4, setting its state to standby.
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 standby
[FW-4-GigabitEthernet1/0/1] quit
# Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-4, setting its state to standby.
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 standby
[FW-4-GigabitEthernet1/0/2] quit
# Designate GE1/0/3 as the heartbeat interface of FW-4, and enable hot standby.
[FW-4] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1
[FW-4] hrp enable
After hot standby is configured, you only need to configure security policies and SACG on the active device FW-3. The configuration on FW-3 is automatically backed up on FW-4.
- Disable the stateful inspection function.
HRP_M[FW-3] undo firewall session link-state check
- Configure security policies.
# Configure a Local-Trust security policy to allow the communication between the FW and Service Controller.
HRP_M[FW-3] security-policy
HRP_M[FW-3-security-policy] rule name sc_to_sacg
HRP_M[FW-3-security-policy-sc_to_sacg] source-zone trust local
HRP_M[FW-3-security-policy-sc_to_sacg] destination-zone local trust
HRP_M[FW-3-security-policy-sc_to_sacg] action permit
HRP_M[FW-3-security-policy-sc_to_sacg] quit
# Configure the policy for the Local-Untrust interzone. In this way, the FW can push the web-based authentication page to the user.
HRP_M[FW-3-security-policy] rule name sacg_to_client
HRP_M[FW-3-security-policy-sacg_to_client] source-zone local
HRP_M[FW-3-security-policy-sacg_to_client] destination-zone untrust
HRP_M[FW-3-security-policy-sacg_to_client] action permit
HRP_M[FW-3-security-policy-sacg_to_client] quit
HRP_M[FW-3-security-policy] quit
- Configure the interworking with the Agile Controller.
# Enter the view of configuring the FW to interwork with the Agile Controller, and specify the number of the default ACL rule group.
If ACLs 3099 to 3999 are in use, delete them before configuring the interworking with the Agile Controller. Otherwise, conflicts occur when the FW generates ACL rules.
HRP_M[FW-3] right-manager server-group
HRP_M[FW-3-rightm] default acl 3099
# Add the Service Controller to the FW. Then the FW can interwork with the Service Controller. Because two Service Controllers are deployed, you must run the server ip command twice to add the two Service Controllers.
The port and shared key in the server ip command must be the same as those on the Service Controller. Otherwise, the FW cannot interwork with the Service Controller, and the SACG interworking function is unavailable.
HRP_M[FW-3-rightm] server ip 192.168.1.2 port 3288 shared-key TSM_Security
HRP_M[FW-3-rightm] server ip 192.168.1.3 port 3288 shared-key TSM_Security
# Configure Web authentication. If an unauthenticated terminal user attempts to access the network, the FW automatically pushes the Web authentication page to the terminal user. Therefore, the terminal user can be authenticated on the web page.
HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.2:8084/auth
HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.3:8084/auth
# Configure the local IP address used by the FW for communicating with the Service Controller.
The configuration cannot be backed up. You must configure it on both FWs. Set the IP address of the standby FW to 10.4.1.3.
HRP_M[FW-3-rightm] local ip 10.4.1.2
# Enable the server group so that the FW connects to the Service Controller immediately and sends the interworking request. After the connection succeeds, the FW can receive the roles and rules delivered by the Agile Controller.
HRP_M[FW-3-rightm] right-manager server-group enable
# Configure an emergency channel and set the minimum number of Service Controllers to 1. As long as at least one Service Controller is connected to the FW, the FW performs Agile Controller status detection normally. If the FW cannot connect to any Service Controller, it opens the emergency channel and allows all users to access the controlled network, so terminal users keep network access even if the Service Controllers fail.
HRP_M[FW-3-rightm] right-manager server-group active-minimum 1
HRP_M[FW-3-rightm] right-manager status-detect enable
HRP_M[FW-3-rightm] quit
# Apply ACL 3099 to the outbound direction of Trust-Untrust interzone. Then terminal users can communicate with the server in the pre-authentication domain normally, and the permit rule of the emergency channel can be correctly delivered to the Trust-Untrust interzone.
HRP_M[FW-3] firewall interzone trust untrust
HRP_M[FW-3-interzone-trust-untrust] apply packet-filter right-manager inbound
HRP_M[FW-3-interzone-trust-untrust] quit
- Configure the core switches. This part uses the CE12800 as an example to describe the configuration for interworking between the switch and FW.
# Configure the interfaces and VLANs of core switches.
[~CSS] vlan batch 101 to 102
[*CSS] interface gigabitethernet 1/1/0/3
[*CSS-GigabitEthernet1/1/0/3] description To_SACG1_GE1/0/1
[*CSS-GigabitEthernet1/1/0/3] port link-type access
[*CSS-GigabitEthernet1/1/0/3] port default vlan 101
[*CSS-GigabitEthernet1/1/0/3] quit
[*CSS] interface gigabitethernet 1/1/0/4
[*CSS-GigabitEthernet1/1/0/4] description To_SACG1_GE1/0/2
[*CSS-GigabitEthernet1/1/0/4] port link-type access
[*CSS-GigabitEthernet1/1/0/4] port default vlan 102
[*CSS-GigabitEthernet1/1/0/4] quit
[*CSS] interface gigabitethernet 2/1/0/3
[*CSS-GigabitEthernet2/1/0/3] description To_SACG2_GE1/0/1
[*CSS-GigabitEthernet2/1/0/3] port link-type access
[*CSS-GigabitEthernet2/1/0/3] port default vlan 101
[*CSS-GigabitEthernet2/1/0/3] quit
[*CSS] interface gigabitethernet 2/1/0/4
[*CSS-GigabitEthernet2/1/0/4] description To_SACG2_GE1/0/2
[*CSS-GigabitEthernet2/1/0/4] port link-type access
[*CSS-GigabitEthernet2/1/0/4] port default vlan 102
[*CSS-GigabitEthernet2/1/0/4] quit
[*CSS] interface vlanif 101
[*CSS-Vlanif101] ip address 10.4.1.4 29
[*CSS-Vlanif101] quit
[*CSS] interface vlanif 102
[*CSS-Vlanif102] ip address 10.5.1.4 29
[*CSS-Vlanif102] quit
[*CSS] commit
# Configure PBR.
[~CSS] acl 3001
[*CSS-acl4-advance-3001] rule 5 permit ip source 10.8.1.0 24
[*CSS-acl4-advance-3001] quit
[~CSS] traffic classifier c1
[*CSS-classifier-c1] if-match acl 3001
[*CSS-classifier-c1] quit
[~CSS] traffic behavior b1
[*CSS-behavior-b1] redirect nexthop 10.5.1.1
[*CSS-behavior-b1] quit
[~CSS] traffic policy p1
[*CSS-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[*CSS-trafficpolicy-p1] quit
[~CSS] interface eth-trunk 2 //Eth-Trunk 2 connects the core switch to branch 1.
[*CSS-Eth-Trunk2] traffic-policy p1 inbound
[*CSS-Eth-Trunk2] quit
[*CSS] commit
- Configure the Agile Controller.
- Configure the firewall to function as the hardware SACG.
- Choose Policy > Permission Control > Hardware SACG > Hardware SACG Config.
- Click Add on the Hardware SACG tab.
If NAT is configured to implement address translation between end users and the SC, set the IP address range (Start IP Address and End IP Address) to the range of translated IP addresses for end users but not the real IP addresses of terminals. Otherwise, end users cannot go online on the SACG.
- Configure the pre-authentication domain, isolation domain, and post-authentication domain.
- Click Add on the Pre-Authentication Domain tab.
Add the IP addresses of the other pre-authentication servers to the pre-authentication domain.
- Click Add on the Controlled Domain tab to add the isolation domain resources to a protected domain.
Repeat the preceding step to add the post-authentication resources to the protected domain.
- Click Add on the Isolation Domain tab to set the resource that end users can access.
- Click Add on the Post-Authentication Domain tab to set the post-authentication resource that end users can access only in working hours, that is, the post_work resource.
Add the resource that end users cannot access in non-working hours to the post-authentication domain according to the preceding steps.
- Configure and apply an SACG policy group to an account/user group or IP address segment.
- Configure a time segment to allow employees to access the service system only in working hours.
- Choose Policy > Permission Control > Policy Element > Schedule.
- Click Add.
- Click OK.
- Configure an SACG policy group.
- Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group.
- Click Add.
- Click OK.
- Apply the SACG policy group to an account/user group or IP address segment. In this example, the SACG policy group is applied to a user group.
The SACG policy group is applied to an account, user group, and IP address segment in descending order of matched priorities.
Click the button next to SACG policy to apply the SACG policy to the specified user group.
Verification
- If a user successfully passes authentication and terminal security check, the user can access the service system in working hours but not in non-working hours.
- If a severe violation occurs, the terminal host cannot access the network, and a message indicating that repair is required is displayed. The terminal host can access the network after the repair.
- View the state of the Agile Controller.
# View the state of the Agile Controller on the active FW.
HRP_M<FW-3> display right-manager server-group
Server group state : Enable
Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N
active indicates that the status of the connection between the Agile Controller and FW is normal.
# View the state of the Agile Controller on the standby FW.
HRP_S<FW-4> display right-manager server-group
Server group state : Enable
Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N
- After the branch user logs in, you can view the user login information on both FWs. The following part shows the display right-manager online-users command output on the active FW.
HRP_M<FW-3> display right-manager online-users
User name : lee
Ip address : 10.8.1.3
ServerIp : 192.168.1.2
Login time : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day)
-----------------------------------------
Role id Rolename
1 DefaultDeny
6 Permit_1
255 Last
-----------------------------------------
Run the display right-manager role-info command to view the mappings between roles and ACLs.
HRP_M<FW-3> display right-manager role-info
All Role count:8
Role ID ACL number Role name
------------------------------------------------------------------------------
Role 0 3099 default
Role 1 3100 DefaultDeny
Role 2 3101 DefaultPermit
Role 3 3102 Deny___0
Role 4 3103 Permit_0
------------------------------------------------------------------------------
Role 5 3104 Deny___1
Role 6 3105 Permit_1
Role 255 3354 Last
Run the display acl acl-number command to view ACLs 3100, 3105, and 3354.
HRP_M<FW-3> display acl 3100
Advanced ACL 3100, 1 rule //Default deny rule, used when Control mode in the isolation and post-authentication domains is selected as Permits access to only controlled domain resources in the list.
Acl's step is 1
 rule 1 deny ip (0 times matched)
HRP_M<FW-3> display acl 3105
Advanced ACL 3105, 1 rule //Permit the access to the post-authentication domain.
Acl's step is 1
 rule 1 permit ip destination 10.1.1.4 0 (0 times matched)
 rule 2 permit ip destination 10.1.1.5 0 (0 times matched)
HRP_M<FW-3> display acl 3354
Advanced ACL 3354, 3 rules //Permit the access to the pre-authentication domain.
Acl's step is 1
 rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
 rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
 rule 3 permit ip destination 192.168.3.3 0 (0 times matched)
From the previous information, account lee corresponds to roles 1, 6, and 255, and the matching sequence is from top to bottom. The role-ACL relationship indicates the ACL rules for the three roles.
Role 255 is allowed to access the pre-authentication domain, role 6 is allowed to access the service system, and role 1 is prohibited from accessing all services.
In conclusion, account lee is allowed to access only the pre-authentication domain and the service system in the post-authentication domain.
- Choose Resource > User > Online User on the Agile Controller to check user login information.
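The following script is an added example (not from the original document or Huawei's software) that parses the two display outputs shown in the verification section and reports on the SACG link, including the fail-open condition created by the active-minimum 1 setting in the emergency-channel step above. The sample output, the planned values it checks against and all function names are assumptions taken from this page's planning tables.

```python
"""SACG health check for the interworking configured above. Added example, not
Huawei code. It parses 'display right-manager server-group' and
'display right-manager online-users' text and flags what a defender wants to
catch, above all the fail-open case created by 'active-minimum 1': once fewer
than active-minimum Service Controllers are reachable, the emergency channel
admits every user without authentication. Sample output is constructed."""
import re
from collections import namedtuple

# Constructed sample output shaped like the page's verification output.
SERVER_GROUP_OUTPUT = """\
Server group state : Enable
Server ip address   Port   State    Master
192.168.1.2         3288   active   Y
192.168.1.3         3288   active   N
"""
ONLINE_USERS_OUTPUT = """\
User name : lee
Ip address : 10.8.1.3
ServerIp : 192.168.1.2
Login time : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day)
-----------------------------------------
Role id    Rolename
1          DefaultDeny
6          Permit_1
255        Last
-----------------------------------------
"""
# Planned values from the Agile Controller data planning tables above.
PLANNED_SCS = ("192.168.1.2", "192.168.1.3")
PLANNED_PORT = 3288
ACTIVE_MINIMUM = 1  # right-manager server-group active-minimum 1
SERVER_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\w+)\s+([YN])$")
ROLE_LINE = re.compile(r"^(\d+)\s+(\S+)$")
Server = namedtuple("Server", "ip port state master")


def parse_server_group(text):
    """Return (enabled, [Server, ...]) from the server-group output."""
    enabled, servers = False, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Server group state"):
            enabled = line.split(":", 1)[1].strip().lower() == "enable"
        elif (m := SERVER_LINE.match(line)):
            servers.append(Server(m.group(1), int(m.group(2)),
                                  m.group(3).lower(), m.group(4) == "Y"))
    return enabled, servers


def check_server_group(enabled, servers, planned_scs=PLANNED_SCS,
                       planned_port=PLANNED_PORT, active_minimum=ACTIVE_MINIMUM):
    """Return a list of findings; an empty list means the SACG link is healthy."""
    findings = []
    if not enabled:
        findings.append("server group disabled: no Agile Controller interworking")
    seen = {s.ip for s in servers}
    findings += [f"planned Service Controller {ip} missing from server group"
                 for ip in planned_scs if ip not in seen]
    for s in servers:
        if s.port != planned_port:
            findings.append(f"{s.ip}: port {s.port} differs from planned {planned_port}")
        if s.state != "active":
            findings.append(f"{s.ip}: connection state is {s.state}")
    active = [s for s in servers if s.state == "active"]
    if len(active) < active_minimum:  # emergency channel opens: fail-open
        findings.append(f"FAIL-OPEN: {len(active)} active SC(s) < active-minimum "
                        f"{active_minimum}; emergency channel admits all users")
    elif not any(s.master for s in active):
        findings.append("no active Service Controller is master")
    return findings


def parse_online_users(text):
    """Return [{'name', 'ip', 'roles': [(id, name), ...]}, ...]."""
    users, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("User name"):
            cur = {"name": line.split(":", 1)[1].strip(), "roles": []}
            users.append(cur)
        elif cur and line.startswith("Ip address"):
            cur["ip"] = line.split(":", 1)[1].strip()
        elif cur and (m := ROLE_LINE.match(line)):
            cur["roles"].append((int(m.group(1)), m.group(2)))
    return users


def check_user(user, planned_ip, planned_roles):
    """Flag a user whose IP or ordered role list differs from the user planning."""
    findings = []
    if user.get("ip") != planned_ip:
        findings.append(f"{user['name']}: online from {user.get('ip')}, planned {planned_ip}")
    names = [name for _, name in user["roles"]]
    if names != list(planned_roles):
        findings.append(f"{user['name']}: roles {names} differ from planned {list(planned_roles)}")
    return findings


if __name__ == "__main__":
    enabled, servers = parse_server_group(SERVER_GROUP_OUTPUT)
    report = check_server_group(enabled, servers)
    for user in parse_online_users(ONLINE_USERS_OUTPUT):
        report += check_user(user, "10.8.1.3", ("DefaultDeny", "Permit_1", "Last"))
    print("healthy" if not report else "\n".join(report))
```

Feed it the real output of both display commands from the active FW on a schedule; the FAIL-OPEN finding is the one worth alerting on, because the page's service-first design admits everyone while it holds.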
Configuration Scripts
FW-3 |
FW-4 |
---|---|
#
hrp enable
hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2
#
undo firewall session link-state check
#
interface GigabitEthernet 1/0/1
 description SACG1_To_Coreswitch1_GE1/1/0/3
 ip address 10.4.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 10.4.1.1 active
 link-group 1
#
interface GigabitEthernet 1/0/2
 description SACG1_To_Coreswitch1_GE1/1/0/4
 ip address 10.5.1.2 255.255.255.248
 vrrp vrid 2 virtual-ip 10.5.1.1 active
 link-group 1
#
interface GigabitEthernet 1/0/3
 description hrp_interface
 ip address 10.10.10.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 add interface GigabitEthernet 1/0/3
#
firewall interzone trust untrust
 apply packet-filter right-manager inbound
#
ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
right-manager server-group
 default acl 3099
 server ip 192.168.1.2 port 3288 shared-key %$%$FxDAFSd(Y*Ku3%4+"%$%$
 server ip 192.168.1.3 port 3288 shared-key %ef<f%7FxDAFSd(Y*Ku3%><dfe%&%$
 integrity-check enable
 right-manager server-group enable
 right-manager status-detect enable
 local ip 10.4.1.2
 right-manager authentication url http://192.168.1.2:8084/auth
 right-manager authentication url http://192.168.1.3:8084/auth
#
security-policy
 rule name sc_to_sacg
  source-zone trust
  source-zone local
  destination-zone local
  destination-zone trust
  action permit
 rule name sacg_to_client
  source-zone local
  destination-zone untrust
  action permit |
#
hrp enable
hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1
#
undo firewall session link-state check
#
interface GigabitEthernet 1/0/1
 description SACG2_To_Coreswitch2_GE2/1/0/3
 ip address 10.4.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 10.4.1.1 standby
 link-group 1
#
interface GigabitEthernet 1/0/2
 description SACG2_To_Coreswitch2_GE2/1/0/4
 ip address 10.5.1.3 255.255.255.248
 vrrp vrid 2 virtual-ip 10.5.1.1 standby
 link-group 1
#
interface GigabitEthernet 1/0/3
 description hrp_interface
 ip address 10.10.10.2 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 add interface GigabitEthernet 1/0/3
#
firewall interzone trust untrust
 apply packet-filter right-manager inbound
#
ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
right-manager server-group
 default acl 3099
 server ip 192.168.1.2 port 3288 shared-key %$%$FxDAFSd(Y*Ku3%4+"%$%$
 server ip 192.168.1.3 port 3288 shared-key %ef<f%7FxDAFSd(Y*Ku3%><dfe%&%$
 integrity-check enable
 right-manager server-group enable
 right-manager status-detect enable
 local ip 10.4.1.3
 right-manager authentication url http://192.168.1.2:8084/auth
 right-manager authentication url http://192.168.1.3:8084/auth
#
security-policy
 rule name sc_to_sacg
  source-zone trust
  source-zone local
  destination-zone local
  destination-zone trust
  action permit
 rule name sacg_to_client
  source-zone local
  destination-zone untrust
  action permit |
Firewalls at the Internet Egress
Typical Networking
Figure 1-4 shows the typical networking of firewalls at the Internet egress.
- Core switches SW1 and SW2 are stacked. Egress aggregation switches SW7 and SW8 are stacked. Firewalls are located between core switches and egress aggregation switches. They work in Layer 3 active/standby hot standby mode.
- VRRP is configured on the interfaces connecting the firewalls to the upstream and downstream devices. The firewalls use the VRRP virtual IP addresses to communicate with the upstream and downstream devices.
- Employees on the move establish SSL VPN connections with the firewalls for secure access to the intranet.
- A firewall deployed at the Internet egress of a branch establishes an IPSec VPN connection with the firewall at the Internet egress of the headquarters. Data between the branch and the data center is transmitted over this IPSec VPN.
- Some servers in the DMZ are pre-service servers that need to provide services for Internet users. Therefore, the firewalls at the Internet egress must have NAT Server configured to map the servers' private IP addresses to public IP addresses.
Service Planning
Firewall Interface Planning
Interface planning for FW-5
No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
---|---|---|---|---|---
1 | FW-5 | GE1/0/1 | SW-5 | GE1/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-5 | GE1/0/2 | SW-5 | GE1/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-5 | GE1/0/3 | SW-1 | GE1/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-5 | GE1/0/4 | SW-1 | GE1/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-5 | GE1/0/5 | FW-6 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-5 | GE1/0/6 | FW-6 | GE1/0/6 | Eth-Trunk 0, heartbeat interface
Interface planning for FW-6
No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
---|---|---|---|---|---
1 | FW-6 | GE1/0/1 | SW-6 | GE2/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-6 | GE1/0/2 | SW-6 | GE2/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-6 | GE1/0/3 | SW-2 | GE2/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-6 | GE1/0/4 | SW-2 | GE2/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-6 | GE1/0/5 | FW-5 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-6 | GE1/0/6 | FW-5 | GE1/0/6 | Eth-Trunk 0, heartbeat interface
Firewall IP Address Planning
No. | Local Device | Local Interface | VLAN ID | Local IP Address | Peer Device | Remarks
---|---|---|---|---|---|---
1 | FW-5 | Eth-Trunk1.1 | 10 | 172.6.1.2/29; VRID: 1; VIP: 1.1.1.1/29 | SW-5 | SSL VPN gateway for employees on the move
2 | FW-5 | Eth-Trunk1.2 | 20 | 172.6.2.2/29; VRID: 2; VIP: 1.1.2.1/29 | SW-5 | IPSec gateway
3 | FW-5 | Eth-Trunk1.3 | 30 | 172.6.3.2/29; VRID: 3; VIP: 1.1.3.1/29 | SW-5 | Access gateway for Internet users
4 | FW-5 | Eth-Trunk1.4 | 40 | 172.6.4.2/29; VRID: 4; VIP: 1.1.4.1/29 | SW-5 | SSL VPN gateway for the partner
5 | FW-5 | Eth-Trunk2.1 | 103 | 172.7.1.2/29; VRID: 5; VIP: 172.7.1.1 | SW-1 | Data center service area
6 | FW-5 | Eth-Trunk2.2 | 104 | 172.7.2.2/29; VRID: 6; VIP: 172.7.2.1 | SW-1 | DMZ
7 | FW-5 | Eth-Trunk0 | - | 12.12.12.1/24 | FW-6 | -
8 | FW-6 | Eth-Trunk1.1 | 10 | 172.6.1.3/29; VRID: 1; VIP: 1.1.1.1/29 | SW-6 | SSL VPN gateway for employees on the move
9 | FW-6 | Eth-Trunk1.2 | 20 | 172.6.2.3/29; VRID: 2; VIP: 1.1.2.1/29 | SW-6 | IPSec gateway
10 | FW-6 | Eth-Trunk1.3 | 30 | 172.6.3.3/29; VRID: 3; VIP: 1.1.3.1/29 | SW-6 | Access gateway for Internet users
11 | FW-6 | Eth-Trunk1.4 | 40 | 172.6.4.3/29; VRID: 4; VIP: 1.1.4.1/29 | SW-6 | SSL VPN gateway for the partner
12 | FW-6 | Eth-Trunk2.1 | 103 | 172.7.1.3/29; VRID: 5; VIP: 172.7.1.1 | SW-2 | Data center service area
13 | FW-6 | Eth-Trunk2.2 | 104 | 172.7.2.3/29; VRID: 6; VIP: 172.7.2.1 | SW-2 | DMZ
14 | FW-6 | Eth-Trunk0 | - | 12.12.12.2/24 | FW-5 | -
Firewall Security Zone Planning

| No. | Security Zone | Security Zone Priority | Included Interface | Remarks |
|---|---|---|---|---|
| 1 | zone1 | 45 | Eth-Trunk1.1 | Employees on the move |
| 2 | zone2 | 40 | Eth-Trunk1.2 | Branch 2 |
| 3 | zone3 | 10 | Eth-Trunk1.3 | Internet users |
| 4 | zone4 | 30 | Eth-Trunk1.4 | Partner |
| 5 | hrp | 85 | Eth-Trunk0 | Heartbeat interface |
| 6 | trust | 100 | Eth-Trunk2.1 | Data center service area |
| 7 | dmz | 50 | Eth-Trunk2.2 | DMZ |
Firewall Security Policy Planning

Address group

| No. | Address Group | Address | Remarks |
|---|---|---|---|
| 1 | remote_users | address 0 172.168.3.0 mask 24 | SSL VPN access for employees on the move |
| 2 | partner | address 0 172.168.4.0 mask 24 | Partner |
| 3 | branch2 | address 0 10.9.1.0 mask 24 | Branch 2 |
| 4 | server1 | address 0 10.1.1.10 mask 32; address 1 10.1.1.11 mask 32 | Server that employees on the move can access |
| 5 | server2 | address 0 10.2.1.4 mask 32; address 1 10.2.1.5 mask 32 | Server that the partner can access |
| 6 | server4 | address 0 10.1.1.4 mask 32; address 1 10.1.1.5 mask 32 | Server that branch 2 can access |
| 7 | server5 | address 0 192.168.4.2 mask 32; address 1 192.168.4.3 mask 32; address 2 192.168.4.4 mask 32; address 3 192.168.4.5 mask 32 | Server that Internet users can access |
| 8 | ad_server | address 0 192.168.5.4 mask 32; address 1 192.168.5.5 mask 32 | AD authentication server that authenticates SSL VPN access users |
User-defined services

| No. | Service | Protocol/Port | Remarks |
|---|---|---|---|
| 1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server |
Security policies

| No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action |
|---|---|---|---|---|---|---|---|
| 1 | remote_users_to_server1 | zone1 | remote_users | trust | server1 | ftp, http | permit |
| 2 | partner_to_server2 | zone4 | partner | trust | server2 | tcp_1414 | permit |
| 3 | branch2_to_server4 | zone2 | branch2 | trust | server4 | ftp | permit |
| 4 | internet_to_server5 | zone3 | any | dmz | server5 | https, http | permit |
| 5 | ipsec | zone2, local | 1.1.2.1/32, 2.2.2.2/32 (IP address of the IPSec gateway of branch 2) | local, zone2 | 1.1.2.1/32, 2.2.2.2/32 (IP address of the IPSec gateway of branch 2) | any | permit |
| 6 | ssl_vpn | zone1, zone4 | any | local | 1.1.1.1/32, 1.1.4.1/32 | any | permit |
| 7 | to_ad_server | local | any | dmz | ad_server | any | permit |
| 8 | default | any | any | any | any | any | deny |
default indicates the default security policy. Traffic that matches none of the configured security policies is matched against the default security policy, in which all conditions are any and the action is deny. If only PCs at specified IP addresses are allowed to access the servers, keep the default security policy and configure security policies that permit access from exactly those IP addresses.

Hot standby heartbeat packets are not controlled by security policies. Do not configure security policies for heartbeat packets.
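To check the planned table end to end, the following added Python model (not part of the Huawei document) evaluates sample flows against the rules in the order the table lists them and falls through to the default deny. The address sets and rules are transcribed from the planning tables; the predefined service ports (ftp/21, http/80, https/443) and the sample flows are assumptions, and the FTP data channel, which ASPF handles on the firewall, is not modelled.

```python
"""First-match model of the planned security-policy table with implicit default deny.

Added example, not from the Huawei document. Address sets and rules are
transcribed from the planning tables; service ports and flows are assumed.
"""
import ipaddress
from dataclasses import dataclass

# Address sets from the "Address group" table (prefix notation instead of "mask N").
ADDRESS_SETS = {
    "remote_users": ["172.168.3.0/24"],
    "partner": ["172.168.4.0/24"],
    "branch2": ["10.9.1.0/24"],
    "server1": ["10.1.1.10/32", "10.1.1.11/32"],
    "server2": ["10.2.1.4/32", "10.2.1.5/32"],
    "server4": ["10.1.1.4/32", "10.1.1.5/32"],
    "server5": ["192.168.4.2/32", "192.168.4.3/32", "192.168.4.4/32", "192.168.4.5/32"],
    "ad_server": ["192.168.5.4/32", "192.168.5.5/32"],
}

# Services as (protocol, destination port). ftp/http/https ports are the usual
# predefined values (assumption); tcp_1414 is the page's user-defined service.
SERVICES = {
    "ftp": ("tcp", 21),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "tcp_1414": ("tcp", 1414),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: tuple
    src_addrs: tuple   # address-set names or literal prefixes; ("any",) matches all
    dst_zones: tuple
    dst_addrs: tuple
    services: tuple    # service names; ("any",) matches all
    action: str


# The "Security policies" table in order; the default rule is the fall-through below.
RULES = [
    Rule("remote_users_to_server1", ("zone1",), ("remote_users",), ("trust",), ("server1",), ("ftp", "http"), "permit"),
    Rule("partner_to_server2", ("zone4",), ("partner",), ("trust",), ("server2",), ("tcp_1414",), "permit"),
    Rule("branch2_to_server4", ("zone2",), ("branch2",), ("trust",), ("server4",), ("ftp",), "permit"),
    Rule("internet_to_server5", ("zone3",), ("any",), ("dmz",), ("server5",), ("https", "http"), "permit"),
    Rule("ipsec", ("zone2", "local"), ("1.1.2.1/32", "2.2.2.2/32"), ("local", "zone2"),
         ("1.1.2.1/32", "2.2.2.2/32"), ("any",), "permit"),
    Rule("ssl_vpn", ("zone1", "zone4"), ("any",), ("local",), ("1.1.1.1/32", "1.1.4.1/32"), ("any",), "permit"),
    Rule("to_ad_server", ("local",), ("any",), ("dmz",), ("ad_server",), ("any",), "permit"),
]


def _addr_match(ip: str, spec: tuple) -> bool:
    """True if ip falls in any listed address set or literal prefix."""
    if spec == ("any",):
        return True
    addr = ipaddress.ip_address(ip)
    for item in spec:
        prefixes = ADDRESS_SETS.get(item, [item])  # literal prefix if not a set name
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return True
    return False


def _service_match(proto: str, port: int, spec: tuple) -> bool:
    if spec == ("any",):
        return True
    return any(SERVICES[s] == (proto, port) for s in spec)


def evaluate(src_zone, src_ip, dst_zone, dst_ip, proto, port):
    """Return (matched rule name, action). First match wins; unmatched -> default deny.

    For Internet users the planned policy matches on the servers' private
    addresses (the NAT Server translates the public address before policy lookup).
    """
    for r in RULES:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and _addr_match(src_ip, r.src_addrs)
                and _addr_match(dst_ip, r.dst_addrs)
                and _service_match(proto, port, r.services)):
            return r.name, r.action
    return "default", "deny"


if __name__ == "__main__":
    # Constructed flows: a permitted one and one that hits the default deny.
    print(evaluate("zone1", "172.168.3.20", "trust", "10.1.1.10", "tcp", 80))
    print(evaluate("zone3", "203.0.113.7", "trust", "10.1.1.10", "tcp", 80))
```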
Firewall Persistent Connections

Prolonging the session aging time of a protocol

| No. | Protocol | Aging Time |
|---|---|---|
| 1 | tcp_1414 | 40000 seconds |

Using the persistent connection function

| No. | Policy | Aging Time |
|---|---|---|
| 1 | branch2_to_server4 | 480 hours |

Of the two methods, prolonging the session aging time of a protocol is easier to configure, while the persistent connection function lets you set specific match conditions so that only the specified traffic is kept persistent. The prolonged session aging time of a protocol is a global configuration and takes effect on all sessions of that protocol. As a result, sessions that do not need to be persistent also cannot age out and keep occupying session entries. Once session entries are exhausted, no new sessions can be created and services fail.

Therefore, if you have confirmed that all sessions of a protocol require a long session aging time, prolong the session aging time of the protocol. Otherwise, use the persistent connection function.

The persistent connection function is valid only for TCP-based connections.
Firewall NAT Planning
NAT Server

| No. | Name | Protocol | Public IP Address | Public Port | Private IP Address | Private Port |
|---|---|---|---|---|---|---|
| 1 | https_server1 | tcp | 1.1.3.2 | 4433 | 192.168.4.2 | 443 |
| 2 | https_server2 | tcp | 1.1.3.3 | 4433 | 192.168.4.3 | 443 |
| 3 | http_server1 | tcp | 1.1.3.4 | 8000 | 192.168.4.4 | 80 |
| 4 | http_server2 | tcp | 1.1.3.5 | 8000 | 192.168.4.5 | 80 |
Firewall Route Planning
Static routes on firewalls

| No. | Destination Address | Mask | Next Hop | Remarks |
|---|---|---|---|---|
| 1 | 10.1.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 1 |
| 2 | 10.2.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 2 |
| 3 | 10.3.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 3 |
| 4 | 192.168.0.0 | 255.255.0.0 | 172.7.1.4 | Route to the DMZ |
| 5 | 172.168.3.0 | 255.255.255.0 | 1.1.1.2 | Route to SSL VPN access terminals of employees on the move |
| 6 | 172.168.4.0 | 255.255.255.0 | 1.1.4.2 | Route to the partner's network |
| 7 | 10.9.1.0 | 255.255.255.0 | 1.1.2.2 | Route to branch 2's network |
| 8 | 0.0.0.0 | 0.0.0.0 | 1.1.3.2 | Default route to the Internet |
IPSec Data Planning

| VPN Gateway Location | IPSec Policy Creation Mode | Local Address | Peer Address | Authentication Mode | Pre-shared Key | Local ID | Peer ID |
|---|---|---|---|---|---|---|---|
| HQ | Policy template | - | - | Pre-shared key | Test!1234 | IP address | IP address |
| Branch | ISAKMP mode | 2.2.2.2 | 1.1.2.1 | Pre-shared key | Test!1234 | IP address | IP address |
SSL VPN Data Planning
The SSL VPN configuration is almost the same for employees on the move and partners. The SSL VPN configuration for employees on the move is used as an example.
| Item | Data |
|---|---|
| Virtual gateway | Name: example; IP address: 1.1.1.1; Domain name: www.example.com; Maximum number of users: 150; Maximum number of online users: 100 |
| AD server | Primary server IP address: 192.168.5.4; Secondary server IP address: 192.168.5.5 |
| Web proxy resource | Name: resource1, link: http://10.1.1.10; Name: resource2, link: http://10.1.1.11 |
| Network extension | Network extension address pool: 172.168.3.2-172.168.3.254; Routing mode: manual; Intranet subnet accessible to network extension users: 10.1.1.0/24 |
Security Defense Planning
- Attack defense planning
To defend the internal network against network attacks, you need to configure attack defense on the firewalls.
Normally, it is recommended that you configure defense against the following attacks:
- Smurf attacks
- Land attacks
- Fraggle attacks
- Ping of Death attacks
- WinNuke attacks
- IP packet with route record option attacks
- IP packet with source route option attacks
- IP packet with timestamp option attacks
- SYN flood attacks
- UDP flood attacks
- ICMP flood attacks
In practice, for the preceding flood attacks, start with a comparatively large maximum rate of attack packets on the interfaces, observe the attack traffic, and gradually lower the rate until you reach a value that limits the attack traffic without affecting services.
- IPS planning
To prevent hackers, zombies, Trojan horses, and worms from intruding into the internal network, you need to configure IPS on the firewalls.
The IPS may be deployed on the firewalls or deployed as an independent IPS device.
To configure the IPS functions, you reference an IPS profile when defining security policies. In the present case, the IPS profile is referenced in all the security policies planned above (except those involving the local zone), so IPS detection is carried out for all traffic permitted by those security policies.
Generally, when the firewalls are initially deployed, you can select the default IPS profile default. After the firewalls have been running for some time, the administrator can define a profile based on the network status. The IPS also provides the default profile ids, which generates alarms upon the detection of intrusions but does not block them. If high security is required, to reduce false positives reported by the IPS, you can select the ids profile.
Precautions
IPS
The IPS signature database must be the latest before the IPS function is configured.
Attack Defense
The attack defense configuration is the recommended standard configuration.
Policy Backup-based Acceleration Function
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
Configuration Procedure
Configuring Interfaces, Security Zones, and Routes
Procedure
- Configure IP addresses for the interfaces of FW-5.
```
<sysname> system-view
[sysname] sysname FW-5
[FW-5] interface Eth-trunk 1
[FW-5-Eth-Trunk1] description Link_To_SW5
[FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-5-Eth-Trunk1] quit
[FW-5] interface Eth-trunk 1.1
[FW-5-Eth-Trunk1.1] vlan-type dot1q 10
[FW-5-Eth-Trunk1.1] ip address 172.6.1.2 29
[FW-5-Eth-Trunk1.1] quit
[FW-5] interface Eth-trunk 1.2
[FW-5-Eth-Trunk1.2] vlan-type dot1q 20
[FW-5-Eth-Trunk1.2] ip address 172.6.2.2 29
[FW-5-Eth-Trunk1.2] quit
[FW-5] interface Eth-trunk 1.3
[FW-5-Eth-Trunk1.3] vlan-type dot1q 30
[FW-5-Eth-Trunk1.3] ip address 172.6.3.2 29
[FW-5-Eth-Trunk1.3] quit
[FW-5] interface Eth-trunk 1.4
[FW-5-Eth-Trunk1.4] vlan-type dot1q 40
[FW-5-Eth-Trunk1.4] ip address 172.6.4.2 29
[FW-5-Eth-Trunk1.4] quit
[FW-5] interface Eth-trunk 2
[FW-5-Eth-Trunk2] description Link_To_SW1
[FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
[FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
[FW-5-Eth-Trunk2] quit
[FW-5] interface Eth-trunk 2.1
[FW-5-Eth-Trunk2.1] vlan-type dot1q 103
[FW-5-Eth-Trunk2.1] ip address 172.7.1.2 29
[FW-5-Eth-Trunk2.1] quit
[FW-5] interface Eth-trunk 2.2
[FW-5-Eth-Trunk2.2] vlan-type dot1q 104
[FW-5-Eth-Trunk2.2] ip address 172.7.2.2 29
[FW-5-Eth-Trunk2.2] quit
[FW-5] interface Eth-trunk 0
[FW-5-Eth-Trunk0] description HRP_Interface
[FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
[FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
[FW-5-Eth-Trunk0] ip address 12.12.12.1 24
[FW-5-Eth-Trunk0] quit
```
- Assign the interfaces of FW-5 to appropriate security zones.
```
[FW-5] firewall zone name zone1
[FW-5-zone-zone1] set priority 45
[FW-5-zone-zone1] add interface Eth-trunk1.1
[FW-5-zone-zone1] quit
[FW-5] firewall zone name zone2
[FW-5-zone-zone2] set priority 40
[FW-5-zone-zone2] add interface Eth-trunk1.2
[FW-5-zone-zone2] quit
[FW-5] firewall zone name zone3
[FW-5-zone-zone3] set priority 10
[FW-5-zone-zone3] add interface Eth-trunk1.3
[FW-5-zone-zone3] quit
[FW-5] firewall zone name zone4
[FW-5-zone-zone4] set priority 30
[FW-5-zone-zone4] add interface Eth-trunk1.4
[FW-5-zone-zone4] quit
[FW-5] firewall zone trust
[FW-5-zone-trust] add interface Eth-trunk2.1
[FW-5-zone-trust] quit
[FW-5] firewall zone dmz
[FW-5-zone-dmz] add interface Eth-trunk2.2
[FW-5-zone-dmz] quit
[FW-5] firewall zone name hrp
[FW-5-zone-hrp] set priority 85
[FW-5-zone-hrp] add interface Eth-trunk0
[FW-5-zone-hrp] quit
```
- Configure static routes on FW-5.
# On FW-5, configure static routes to the data center service areas and set the next hop to the IP address of the core switch.

```
[FW-5] ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
[FW-5] ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
[FW-5] ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
```
# On FW-5, configure static routes to the SSL VPN access terminals, the branch, the partner network, and the Internet, and set the next hop to the IP address of the ISP router.

```
[FW-5] ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
[FW-5] ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
[FW-5] ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
[FW-5] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
```
- Configure the IP addresses, security zones, and routes of the FW-6 interfaces according to the above procedure. The only difference lies in the IP addresses of the interfaces.
Configuring Hot Standby
Procedure
- Configure VRRP groups on the interfaces of FW-5, setting their state to Active.

```
<FW-5> system-view
[FW-5] interface Eth-Trunk1.1
[FW-5-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW-5-Eth-Trunk1.1] quit
[FW-5] interface Eth-Trunk1.2
[FW-5-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 active
[FW-5-Eth-Trunk1.2] quit
[FW-5] interface Eth-Trunk1.3
[FW-5-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 active
[FW-5-Eth-Trunk1.3] quit
[FW-5] interface Eth-Trunk1.4
[FW-5-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 active
[FW-5-Eth-Trunk1.4] quit
[FW-5] interface Eth-Trunk2.1
[FW-5-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 active
[FW-5-Eth-Trunk2.1] quit
[FW-5] interface Eth-Trunk2.2
[FW-5-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 active
[FW-5-Eth-Trunk2.2] quit
```
- Designate Eth-Trunk 0 as the heartbeat interface of FW-5, and enable hot standby.
```
[FW-5] hrp interface Eth-Trunk0 remote 12.12.12.2
[FW-5] hrp enable
```
- Configure VRRP groups on the interfaces of FW-6, setting their state to Standby.

```
<FW-6> system-view
[FW-6] interface Eth-Trunk1.1
[FW-6-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 standby
[FW-6-Eth-Trunk1.1] quit
[FW-6] interface Eth-Trunk1.2
[FW-6-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 standby
[FW-6-Eth-Trunk1.2] quit
[FW-6] interface Eth-Trunk1.3
[FW-6-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 standby
[FW-6-Eth-Trunk1.3] quit
[FW-6] interface Eth-Trunk1.4
[FW-6-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 standby
[FW-6-Eth-Trunk1.4] quit
[FW-6] interface Eth-Trunk2.1
[FW-6-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 standby
[FW-6-Eth-Trunk2.1] quit
[FW-6] interface Eth-Trunk2.2
[FW-6-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 standby
[FW-6-Eth-Trunk2.2] quit
```
- Designate Eth-Trunk 0 as the heartbeat interface of FW-6, and enable hot standby.
```
[FW-6] hrp interface Eth-Trunk0 remote 12.12.12.1
[FW-6] hrp enable
```
Result
A hot-standby relationship has been established, and most of the subsequent configuration is backed up from the active firewall to the standby one. Therefore, in the subsequent steps you only need to configure the active FW-5 (unless otherwise stated).
Configuring the NAT Server
Procedure
- Configure the NAT Server function to map the servers' private IP addresses to public IP addresses.

```
HRP_M[FW-5] nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
HRP_M[FW-5] nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
HRP_M[FW-5] nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
HRP_M[FW-5] nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
```
- Configure a black-hole route to each public address of the NAT Server to prevent routing loops between the firewall and the ISP routers.

Route configuration is not backed up by hot standby. Therefore, you need to configure the black-hole routes on both FW-5 and FW-6.

```
HRP_M[FW-5] ip route-static 1.1.3.2 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.3 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.4 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.5 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.2 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.3 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.4 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.5 32 NULL 0
```
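The following added Python model (not from the Huawei document) shows what the black-hole routes change: an inbound packet to a NAT Server public address on a port that has no mapping no longer follows the default route back to the ISP router but is dropped by the /32 route to NULL 0. The mappings and routes are transcribed from the planning tables; the route lookup is a plain longest-prefix match and the packets are constructed.

```python
"""NAT Server lookup plus longest-prefix routing, with and without black-hole routes.

Added example, not from the Huawei document. Mappings and routes are transcribed
from the NAT Server and route planning tables; packets are constructed.
"""
import ipaddress

# NAT Server table: (public ip, public port) -> (private ip, private port), TCP only.
NAT_SERVER = {
    ("1.1.3.2", 4433): ("192.168.4.2", 443),
    ("1.1.3.3", 4433): ("192.168.4.3", 443),
    ("1.1.3.4", 8000): ("192.168.4.4", 80),
    ("1.1.3.5", 8000): ("192.168.4.5", 80),
}

# Static routes as (prefix, next hop); "NULL0" marks a black-hole route.
ROUTES_WITHOUT_BLACKHOLE = [
    ("192.168.0.0/16", "172.7.1.4"),   # route to the DMZ via the core switch
    ("0.0.0.0/0", "1.1.3.2"),          # default route toward the ISP router
]
BLACKHOLE_ROUTES = [(f"1.1.3.{i}/32", "NULL0") for i in range(2, 6)]
ROUTES_WITH_BLACKHOLE = ROUTES_WITHOUT_BLACKHOLE + BLACKHOLE_ROUTES


def lookup(routes, dst_ip):
    """Longest-prefix match over the static routes; returns the next hop or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def handle_inbound(routes, dst_ip, dst_port, proto="tcp"):
    """Decide the fate of a packet arriving from the Internet side.

    Returns ("translated", private ip, private port, next hop) when a NAT Server
    mapping exists, ("dropped",) when the destination resolves to NULL0, and
    ("forward", next hop) otherwise.
    """
    if proto == "tcp" and (dst_ip, dst_port) in NAT_SERVER:
        priv_ip, priv_port = NAT_SERVER[(dst_ip, dst_port)]
        return ("translated", priv_ip, priv_port, lookup(routes, priv_ip))
    next_hop = lookup(routes, dst_ip)
    if next_hop == "NULL0":
        return ("dropped",)
    return ("forward", next_hop)   # without the /32 this goes back to the ISP: a loop


if __name__ == "__main__":
    print(handle_inbound(ROUTES_WITH_BLACKHOLE, "1.1.3.4", 8000))   # mapped port
    print(handle_inbound(ROUTES_WITHOUT_BLACKHOLE, "1.1.3.4", 22))  # unmapped, loops
    print(handle_inbound(ROUTES_WITH_BLACKHOLE, "1.1.3.4", 22))     # unmapped, dropped
```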
Configuring Security Policies and Security Protection
Procedure
- Configure security policies and IPS functions.
# Configure an address group on FW-5.
```
HRP_M[FW-5] ip address-set remote_users type object
HRP_M[FW-5-object-address-set-remote_users] address 0 172.168.3.0 mask 24
HRP_M[FW-5-object-address-set-remote_users] description "for remote users"
HRP_M[FW-5-object-address-set-remote_users] quit
HRP_M[FW-5] ip address-set partner type object
HRP_M[FW-5-object-address-set-partner] address 0 172.168.4.0 mask 24
HRP_M[FW-5-object-address-set-partner] description "for partner"
HRP_M[FW-5-object-address-set-partner] quit
HRP_M[FW-5] ip address-set branch2 type object
HRP_M[FW-5-object-address-set-branch2] address 0 10.9.1.0 mask 24
HRP_M[FW-5-object-address-set-branch2] description "for branch2"
HRP_M[FW-5-object-address-set-branch2] quit
HRP_M[FW-5] ip address-set server1 type object
HRP_M[FW-5-object-address-set-server1] address 0 10.1.1.10 mask 32
HRP_M[FW-5-object-address-set-server1] address 1 10.1.1.11 mask 32
HRP_M[FW-5-object-address-set-server1] description "for server1"
HRP_M[FW-5-object-address-set-server1] quit
HRP_M[FW-5] ip address-set server2 type object
HRP_M[FW-5-object-address-set-server2] address 0 10.2.1.4 mask 32
HRP_M[FW-5-object-address-set-server2] address 1 10.2.1.5 mask 32
HRP_M[FW-5-object-address-set-server2] description "for server2"
HRP_M[FW-5-object-address-set-server2] quit
HRP_M[FW-5] ip address-set server4 type object
HRP_M[FW-5-object-address-set-server4] address 0 10.1.1.4 mask 32
HRP_M[FW-5-object-address-set-server4] address 1 10.1.1.5 mask 32
HRP_M[FW-5-object-address-set-server4] description "for server4"
HRP_M[FW-5-object-address-set-server4] quit
HRP_M[FW-5] ip address-set server5 type object
HRP_M[FW-5-object-address-set-server5] address 0 192.168.4.2 mask 32
HRP_M[FW-5-object-address-set-server5] address 1 192.168.4.3 mask 32
HRP_M[FW-5-object-address-set-server5] address 2 192.168.4.4 mask 32
HRP_M[FW-5-object-address-set-server5] address 3 192.168.4.5 mask 32
HRP_M[FW-5-object-address-set-server5] description "for server5"
HRP_M[FW-5-object-address-set-server5] quit
HRP_M[FW-5] ip address-set ad_server type object
HRP_M[FW-5-object-address-set-ad_server] address 0 192.168.5.4 mask 32
HRP_M[FW-5-object-address-set-ad_server] address 1 192.168.5.5 mask 32
HRP_M[FW-5-object-address-set-ad_server] description "for ad_server"
HRP_M[FW-5-object-address-set-ad_server] quit
```
# Configure a service set on FW-5.
```
HRP_M[FW-5] ip service-set tcp_1414 type object
HRP_M[FW-5-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414
HRP_M[FW-5-object-service-set-tcp_1414] quit
```
# Configure the security policy remote_users_to_server1 on FW-5 and reference the IPS profile.
```
HRP_M[FW-5] security-policy
HRP_M[FW-5-policy-security] rule name remote_users_to_server1
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-zone zone1
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-zone trust
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-address address-set remote_users
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-address address-set server1
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] service ftp http
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] action permit
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] profile ips default
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] quit
```
# Configure the security policy partner_to_server2 on FW-5 and reference the IPS profile.
```
HRP_M[FW-5-policy-security] rule name partner_to_server2
HRP_M[FW-5-policy-security-rule-partner_to_server2] source-zone zone4
HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-zone trust
HRP_M[FW-5-policy-security-rule-partner_to_server2] source-address address-set partner
HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-address address-set server2
HRP_M[FW-5-policy-security-rule-partner_to_server2] service tcp_1414
HRP_M[FW-5-policy-security-rule-partner_to_server2] action permit
HRP_M[FW-5-policy-security-rule-partner_to_server2] profile ips default
HRP_M[FW-5-policy-security-rule-partner_to_server2] quit
```
# Configure the security policy branch2_to_server4 on FW-5 and reference the IPS profile.
```
HRP_M[FW-5-policy-security] rule name branch2_to_server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-zone zone2
HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-zone trust
HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-address address-set branch2
HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-address address-set server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] service ftp
HRP_M[FW-5-policy-security-rule-branch2_to_server4] action permit
HRP_M[FW-5-policy-security-rule-branch2_to_server4] profile ips default
HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit
```
# Configure the security policy internet_to_server5 on FW-5 and reference the IPS profile.
```
HRP_M[FW-5-policy-security] rule name internet_to_server5
HRP_M[FW-5-policy-security-rule-internet_to_server5] source-zone zone3
HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-zone dmz
HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-address address-set server5
HRP_M[FW-5-policy-security-rule-internet_to_server5] service https http
HRP_M[FW-5-policy-security-rule-internet_to_server5] action permit
HRP_M[FW-5-policy-security-rule-internet_to_server5] profile ips default
HRP_M[FW-5-policy-security-rule-internet_to_server5] quit
```
# Configure the security policy ipsec on FW-5.

```
HRP_M[FW-5-policy-security] rule name ipsec
HRP_M[FW-5-policy-security-rule-ipsec] source-zone zone2 local
HRP_M[FW-5-policy-security-rule-ipsec] destination-zone zone2 local
HRP_M[FW-5-policy-security-rule-ipsec] source-address 1.1.2.1 32
HRP_M[FW-5-policy-security-rule-ipsec] source-address 2.2.2.2 32
HRP_M[FW-5-policy-security-rule-ipsec] destination-address 1.1.2.1 32
HRP_M[FW-5-policy-security-rule-ipsec] destination-address 2.2.2.2 32
HRP_M[FW-5-policy-security-rule-ipsec] action permit
HRP_M[FW-5-policy-security-rule-ipsec] quit
```
# Configure the security policy ssl_vpn on FW-5.
```
HRP_M[FW-5-policy-security] rule name ssl_vpn
HRP_M[FW-5-policy-security-rule-ssl_vpn] source-zone zone1 zone4
HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-zone local
HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.1.1 32
HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.4.1 32
HRP_M[FW-5-policy-security-rule-ssl_vpn] action permit
HRP_M[FW-5-policy-security-rule-ssl_vpn] quit
```
# Configure the security policy to_ad_server on FW-5.
```
HRP_M[FW-5-policy-security] rule name to_ad_server
HRP_M[FW-5-policy-security-rule-to_ad_server] source-zone local
HRP_M[FW-5-policy-security-rule-to_ad_server] destination-zone dmz
HRP_M[FW-5-policy-security-rule-to_ad_server] destination-address address-set ad_server
HRP_M[FW-5-policy-security-rule-to_ad_server] action permit
HRP_M[FW-5-policy-security-rule-to_ad_server] quit
HRP_M[FW-5-policy-security] quit
```
- Configure persistent connections.
# Change the session aging time to 40000 seconds for tcp_1414.
```
HRP_M[FW-5] firewall session aging-time service-set tcp_1414 40000
```
# Enable the persistent connection function in security policy branch2_to_server4 and change the aging time to 480 hours for connections matching this policy.
```
HRP_M[FW-5] security-policy
HRP_M[FW-5-policy-security] rule name branch2_to_server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link enable
HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link aging-time 480
HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-5-policy-security] quit
```
- Configure attack defense.
# Configure defense against single-packet attacks on FW-5.

```
HRP_M[FW-5] firewall defend land enable
HRP_M[FW-5] firewall defend smurf enable
HRP_M[FW-5] firewall defend fraggle enable
HRP_M[FW-5] firewall defend ip-fragment enable
HRP_M[FW-5] firewall defend tcp-flag enable
HRP_M[FW-5] firewall defend winnuke enable
HRP_M[FW-5] firewall defend source-route enable
HRP_M[FW-5] firewall defend teardrop enable
HRP_M[FW-5] firewall defend route-record enable
HRP_M[FW-5] firewall defend time-stamp enable
HRP_M[FW-5] firewall defend ping-of-death enable
```
- Configure the policy backup-based acceleration function.
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
```
HRP_M[FW-5] policy accelerate standby enable
```
Configuring IPSec VPN
Procedure
- Configure an IPSec policy on FW-5 and apply the policy to the corresponding interface.
- Define data flows to be protected. Configure advanced ACL 3000 to permit the users on network segment 10.1.1.0/24 to access network segment 10.9.1.0/24.
```
HRP_M<FW-5> system-view
HRP_M[FW-5] acl 3000
HRP_M[FW-5-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
HRP_M[FW-5-acl-adv-3000] quit
```
- Configure an IPSec proposal using the default parameters. You do not need to set default parameters.
```
HRP_M[FW-5] ipsec proposal tran1
HRP_M[FW-5-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FW-5-ipsec-proposal-tran1] esp encryption-algorithm aes-256
HRP_M[FW-5-ipsec-proposal-tran1] quit
```
- Configure an IKE proposal using the default parameters. You do not need to set default parameters.
```
HRP_M[FW-5] ike proposal 10
HRP_M[FW-5-ike-proposal-10] authentication-method pre-share
HRP_M[FW-5-ike-proposal-10] prf hmac-sha2-256
HRP_M[FW-5-ike-proposal-10] encryption-algorithm aes-256
HRP_M[FW-5-ike-proposal-10] dh group2
HRP_M[FW-5-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW-5-ike-proposal-10] quit
```
- Configure an IKE peer.
```
HRP_M[FW-5] ike peer b
HRP_M[FW-5-ike-peer-b] ike-proposal 10
HRP_M[FW-5-ike-peer-b] pre-shared-key Test!1234
HRP_M[FW-5-ike-peer-b] quit
```
- Configure an IPSec policy.
```
HRP_M[FW-5] ipsec policy-template policy1 1
HRP_M[FW-5-ipsec-policy-templet-policy1-1] security acl 3000
HRP_M[FW-5-ipsec-policy-templet-policy1-1] proposal tran1
HRP_M[FW-5-ipsec-policy-templet-policy1-1] ike-peer b
HRP_M[FW-5-ipsec-policy-templet-policy1-1] quit
HRP_M[FW-5] ipsec policy map1 10 isakmp template policy1
```
- Apply IPSec policy map1 to Eth-Trunk1.2.
```
HRP_M[FW-5] interface Eth-Trunk1.2
HRP_M[FW-5-Eth-Trunk1.2] ipsec policy map1
HRP_M[FW-5-Eth-Trunk1.2] quit
```
- Configure an IPSec policy on the branch FW and apply the policy to the corresponding interface.
- Configure advanced ACL 3000 to permit the users on network segment 10.9.1.0/24 to access network segment 10.1.1.0/24.
```
<FW-branch> system-view
[FW-branch] acl 3000
[FW-branch-acl-adv-3000] rule 5 permit ip source 10.9.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW-branch-acl-adv-3000] quit
```
- Configure an IPSec proposal using the default parameters.
```
[FW-branch] ipsec proposal tran1
[FW-branch-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW-branch-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW-branch-ipsec-proposal-tran1] quit
```
- Configure an IKE proposal using the default parameters.
```
[FW-branch] ike proposal 10
[FW-branch-ike-proposal-10] authentication-method pre-share
[FW-branch-ike-proposal-10] prf hmac-sha2-256
[FW-branch-ike-proposal-10] encryption-algorithm aes-256
[FW-branch-ike-proposal-10] dh group2
[FW-branch-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-branch-ike-proposal-10] quit
```
- Configure an IKE peer.
```
[FW-branch] ike peer a
[FW-branch-ike-peer-a] ike-proposal 10
[FW-branch-ike-peer-a] remote-address 1.1.2.1
[FW-branch-ike-peer-a] pre-shared-key Test!1234
[FW-branch-ike-peer-a] quit
```
- Configure an IPSec policy.
```
[FW-branch] ipsec policy map1 10 isakmp
[FW-branch-ipsec-policy-isakmp-map1-10] security acl 3000
[FW-branch-ipsec-policy-isakmp-map1-10] proposal tran1
[FW-branch-ipsec-policy-isakmp-map1-10] ike-peer a
[FW-branch-ipsec-policy-isakmp-map1-10] quit
```
- Apply IPSec policy group map1 to the interface. In this example, the WAN interface is GE1/0/1 for the branch.
```
[FW-branch] interface GigabitEthernet 1/0/1
[FW-branch-GigabitEthernet1/0/1] ipsec policy map1
[FW-branch-GigabitEthernet1/0/1] quit
```
Configuring SSL VPN
Procedure
- Set parameters for interconnection between the FW and AD server.
The parameter settings on the FW must be consistent with those on the AD server.
```
HRP_M[FW-5] ad-server template ad_server
HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.4 88
HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.5 88 secondary
HRP_M[FW-5-ad-ad_server] ad-server authentication base-dn dc=cce,dc=com
HRP_M[FW-5-ad-ad_server] ad-server authentication manager cn=administrator,cn=users Admin@123 Admin@123
HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server.cce.com
HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server2.cce.com secondary
HRP_M[FW-5-ad-ad_server] ad-server authentication ldap-port 389
HRP_M[FW-5-ad-ad_server] ad-server user-filter sAMAccountName
HRP_M[FW-5-ad-ad_server] ad-server group-filter ou
```
If you are unfamiliar with the AD server and cannot provide the server name, Base DN, or filter field values, you can use AD Explorer or an LDAP browser to connect to the AD server and query the attribute values. AD Explorer is used as an example. The AD server attributes and the mappings between the server attributes and the parameters on the FW are as follows.
# Test the connectivity between the FW and AD server.
```
HRP_M[FW-5-ad-ad_server] test-aaa user_0001 Admin@123 ad-template ad_server
Info: Server detection succeeded.
HRP_M[FW-5-ad-ad_server] quit
```
The user name and password used for the test must be the same as those on the AD server.
- Configure an authentication domain.
When the FW uses AD or LDAP authentication, the authentication domain name configured on the FW must be the same as that configured on the authentication server. In this example, the domain name on the AD server is cce.com. Therefore, the authentication domain name must be set to cce.com on the FW.
```
HRP_M[FW-5] aaa
HRP_M[FW-5-aaa] authentication-scheme ad
HRP_M[FW-5-aaa-authen-ad] authentication-mode ad
HRP_M[FW-5-aaa-authen-ad] quit
HRP_M[FW-5-aaa] domain cce.com
HRP_M[FW-5-aaa-domain-cce.com] service-type ssl-vpn
HRP_M[FW-5-aaa-domain-cce.com] authentication-scheme ad
HRP_M[FW-5-aaa-domain-cce.com] ad-server ad_server
HRP_M[FW-5-aaa-domain-cce.com] reference user current-domain
HRP_M[FW-5-aaa-domain-cce.com] quit
HRP_M[FW-5-aaa] quit
```
- Configure a policy to import user information from the AD server to the FW.
```
HRP_M[FW-5] user-manage import-policy ad_server from ad
HRP_M[FW-5-import-ad_server] server template ad_server
HRP_M[FW-5-import-ad_server] server basedn dc=cce,dc=com
HRP_M[FW-5-import-ad_server] server searchdn ou=remoteusers,dc=cce,dc=com
HRP_M[FW-5-import-ad_server] destination-group /cce.com
HRP_M[FW-5-import-ad_server] user-attribute sAMAccountName
HRP_M[FW-5-import-ad_server] import-type all
HRP_M[FW-5-import-ad_server] import-override enable
HRP_M[FW-5-import-ad_server] sync-mode incremental schedule interval 120
HRP_M[FW-5-import-ad_server] sync-mode full schedule daily 01:00
HRP_M[FW-5-import-ad_server] quit
```
- If you need to import user groups only, set import-type to group and, in step 5, set the new user option to new-user add-temporary group /cce.com auto-import ad_server. Authenticated users then use the permissions of the groups they belong to.
- The user and user group filtering conditions in this example use the default values (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) and (|(objectclass=organizationalUnit)(ou=*)). To change them, run the user-filter and group-filter commands.
- Execute the import policy to import users to the FW.
```
HRP_M[FW-5] execute user-manage import-policy ad_server
Now importing user, security group and user-group information from remote server...successfully.
```
After the import succeeds, you can run the display user-manage user verbose command to view information about the imported users.
- Set the new user option for the authentication domain on the FW.
```
HRP_M[FW-5] aaa
HRP_M[FW-5-aaa] domain cce.com
HRP_M[FW-5-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import ad_server
HRP_M[FW-5-aaa-domain-cce.com] quit
HRP_M[FW-5-aaa] quit
```
- Configure an SSL VPN virtual gateway.
# Create an SSL VPN virtual gateway.
```
HRP_M[FW-5] v-gateway example 1.1.1.1 private www.example.com
HRP_M[FW-5-example] quit
```
# Configure the maximum number of users and maximum number of concurrent users allowed by the virtual gateway.
```
HRP_M[FW-5] v-gateway example max-user 150
HRP_M[FW-5] v-gateway example cur-max-user 100
```
# Bind the virtual gateway to the authentication domain.
```
HRP_M[FW-5] v-gateway example authentication-domain cce.com
```
If the virtual gateway is bound to an authentication domain, the user name entered for a login should not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the string following the at sign (@) as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain cce.com, you should enter user_0001, not user_0001@cce.com, as the user name.
- Configure the web proxy function.
# Enable the web proxy function.
```
HRP_M[FW-5] v-gateway example
HRP_M[FW-5-example] service
HRP_M[FW-5-example-service] web-proxy enable
```
# Add web proxy resources Webmail and ERP.
```
HRP_M[FW-5-example-service] web-proxy proxy-resource resource1 http://10.1.1.10 show-link
HRP_M[FW-5-example-service] web-proxy proxy-resource resource2 http://10.1.1.11 show-link
```
- Configure the network extension function.
# Enable the network extension function.
```
HRP_M[FW-5-example-service] network-extension enable
```
# Configure the network extension address pool.
```
HRP_M[FW-5-example-service] network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
```
# Set the network extension routing mode to manual.
```
HRP_M[FW-5-example-service] network-extension mode manual
```
# Configure the intranet subnet accessible to network extension users.
```
HRP_M[FW-5-example-service] network-extension manual-route 10.1.1.0 255.255.255.0
HRP_M[FW-5-example-service] quit
```
- Configure SSL VPN role authorization/users.
# Add user group remoteusers to the virtual gateway.
```
HRP_M[FW-5-example] vpndb
HRP_M[FW-5-example-vpndb] group /cce.com/remoteusers
HRP_M[FW-5-example-vpndb] quit
```
# Create role remoteusers.
```
HRP_M[FW-5-example] role
HRP_M[FW-5-example-role] role remoteusers
```
# Bind the role to corresponding user group.
```
HRP_M[FW-5-example-role] role remoteusers group /cce.com/remoteusers
```
# Configure functions for the roles. Enable web proxy and network extension for role remoteusers.
```
HRP_M[FW-5-example-role] role remoteusers web-proxy network-extension enable
```
# Associate the roles with web proxy resources.
```
HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource1
HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource2
HRP_M[FW-5-example-role] quit
HRP_M[FW-5-example] quit
```
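The default user-filter and group-filter quoted in the import-policy step decide which AD objects the FW creates locally. As an added example (not part of the Huawei document), the following Python evaluates those two filters against a few constructed directory entries, so you can see that machine accounts are dropped by the computer clause even though they carry the person classes, and that the default group-filter admits organizational units only, not AD security groups.

```python
import re

# Default user-filter and group-filter quoted in the import-policy step.
USER_FILTER = ("(&(|(objectclass=person)(objectclass=organizationalPerson))"
               "(cn=*)(!(objectclass=computer)))")
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"


def parse_filter(text):
    """Parse an RFC 4515 filter (&, |, !, equality, presence, substring) into a tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":                      # n-ary AND / OR
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":                     # NOT wraps exactly one filter
            pos += 1
            node = ("!", [parse()])
        else:                               # attr=value, value may contain '*'
            end = text.index(")", pos)
            attr, value = text[pos:end].split("=", 1)
            node = ("=", attr.lower(), value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    return parse()


def matches(node, entry):
    """True if entry (lower-case attribute -> list of values) satisfies the filter tree."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # '*' is a wildcard ('cn=*' is the presence test); AD compares case-insensitively.
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


# Constructed sample entries (not from the page); attribute names are lower-cased.
SAMPLE_ENTRIES = [
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Alice"], "samaccountname": ["user_0001"]},
    # Machine account: carries the person classes too, but also 'computer'.
    {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "cn": ["WS01"], "samaccountname": ["WS01$"]},
    # AD security group: neither a person nor an OU, so neither filter admits it.
    {"objectclass": ["top", "group"], "cn": ["vpn-admins"], "samaccountname": ["vpn-admins"]},
    {"objectclass": ["top", "organizationalUnit"], "ou": ["remoteusers"]},
]


def select_users(entries, user_filter=USER_FILTER):
    """sAMAccountName of every entry the user-filter admits (user-attribute sAMAccountName)."""
    tree = parse_filter(user_filter)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]


def select_groups(entries, group_filter=GROUP_FILTER):
    tree = parse_filter(group_filter)
    return [e["ou"][0] for e in entries if matches(tree, e)]
```

Running `select_users(SAMPLE_ENTRIES)` yields only `user_0001`, and `select_groups(SAMPLE_ENTRIES)` only `remoteusers`; if you need AD security groups on the FW as well, the group-filter command is the place to change.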
Verification
- Employees on the move and partners can establish SSL VPN tunnels with the firewalls at the Internet egress and can access resource servers in the data center.
- The firewalls at branch egresses and the firewalls at the Internet egress can establish IPSec VPN tunnels. The branches can access resource servers in the data center.
- Internet users can access the pre-service servers in the DMZ.
- Run the shutdown command on a service interface of the active firewall to simulate a link fault. The active/standby switchover is performed without interrupting services.
Configuration Scripts
Configuration scripts of interfaces, routes, and hot standby
FW-5

```
#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.2
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
 ip address 12.12.12.1 255.255.255.0
#
interface Eth-Trunk1
 description Link_To_SW5
#
interface Eth-trunk 2
 description Link_To_SW1
#
interface Eth-Trunk1.1
 vlan-type dot1q 10
 ip address 172.6.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 20
 ip address 172.6.2.2 255.255.255.248
 vrrp vrid 2 virtual-ip 1.1.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 30
 ip address 172.6.3.2 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.3.1 active
#
interface Eth-Trunk1.4
 vlan-type dot1q 40
 ip address 172.6.4.2 255.255.255.248
 vrrp vrid 4 virtual-ip 1.1.4.1 active
#
interface Eth-Trunk2.1
 vlan-type dot1q 103
 ip address 172.7.1.2 255.255.255.248
 vrrp vrid 5 virtual-ip 172.7.1.1 active
#
interface Eth-Trunk2.2
 vlan-type dot1q 104
 ip address 172.7.2.2 255.255.255.248
 vrrp vrid 6 virtual-ip 172.7.2.1 active
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2.1
#
firewall zone dmz
 add interface Eth-Trunk2.2
#
firewall zone hrp
 set priority 85
 add interface Eth-Trunk0
#
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk1.1
#
firewall zone name zone2
 set priority 40
 add interface Eth-Trunk1.2
#
firewall zone name zone3
 set priority 10
 add interface Eth-Trunk1.3
#
firewall zone name zone4
 set priority 30
 add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0
```

FW-6

```
#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.1
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
 ip address 12.12.12.2 255.255.255.0
#
interface Eth-Trunk1
 description Link_To_SW6
#
interface Eth-trunk 2
 description Link_To_SW2
#
interface Eth-Trunk1.1
 vlan-type dot1q 10
 ip address 172.6.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 20
 ip address 172.6.2.3 255.255.255.248
 vrrp vrid 2 virtual-ip 1.1.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 30
 ip address 172.6.3.3 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.3.1 standby
#
interface Eth-Trunk1.4
 vlan-type dot1q 40
 ip address 172.6.4.3 255.255.255.248
 vrrp vrid 4 virtual-ip 1.1.4.1 standby
#
interface Eth-Trunk2.1
 vlan-type dot1q 103
 ip address 172.7.1.3 255.255.255.248
 vrrp vrid 5 virtual-ip 172.7.1.1 standby
#
interface Eth-Trunk2.2
 vlan-type dot1q 104
 ip address 172.7.2.3 255.255.255.248
 vrrp vrid 6 virtual-ip 172.7.2.1 standby
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2.1
#
firewall zone dmz
 add interface Eth-Trunk2.2
#
firewall zone hrp
 set priority 85
 add interface Eth-Trunk0
#
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk1.1
#
firewall zone name zone2
 set priority 40
 add interface Eth-Trunk1.2
#
firewall zone name zone3
 set priority 10
 add interface Eth-Trunk1.3
#
firewall zone name zone4
 set priority 30
 add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0
```
Configuration scripts of NAT Server
FW-5

```
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
```

FW-6

```
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
```
Configuration scripts of security policies and attack defense
FW-5

```
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
 description "for server5"
 address 0 192.168.4.2 mask 32
 address 1 192.168.4.3 mask 32
 address 2 192.168.4.4 mask 32
 address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
 description "for ad_server"
 address 0 192.168.5.4 mask 32
 address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone zone1
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
 rule name internet_to_server5
  source-zone zone3
  destination-zone dmz
  destination-address address-set server5
  service http
  service https
  profile ips default
  action permit
 rule name ipsec
  source-zone zone2
  source-zone local
  destination-zone zone2
  destination-zone local
  source-address 1.1.2.1 32
  source-address 2.2.2.2 32
  destination-address 1.1.2.1 32
  destination-address 2.2.2.2 32
  action permit
 rule name ssl_vpn
  source-zone zone1
  source-zone zone4
  destination-zone local
  destination-address 1.1.1.1 32
  destination-address 1.1.4.1 32
  action permit
 rule name to_ad_server
  source-zone local
  destination-zone dmz
  destination-address address-set ad_server
  action permit
```

FW-6

```
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
 description "for server5"
 address 0 192.168.4.2 mask 32
 address 1 192.168.4.3 mask 32
 address 2 192.168.4.4 mask 32
 address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
 description "for ad_server"
 address 0 192.168.5.4 mask 32
 address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone zone1
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
 rule name internet_to_server5
  source-zone zone3
  destination-zone dmz
  destination-address address-set server5
  service http
  service https
  profile ips default
  action permit
 rule name ipsec
  source-zone zone2
  source-zone local
  destination-zone zone2
  destination-zone local
  source-address 1.1.2.1 32
  source-address 2.2.2.2 32
  destination-address 1.1.2.1 32
  destination-address 2.2.2.2 32
  action permit
 rule name ssl_vpn
  source-zone zone1
  source-zone zone4
  destination-zone local
  destination-address 1.1.1.1 32
  destination-address 1.1.4.1 32
  action permit
 rule name to_ad_server
  source-zone local
  destination-zone dmz
  destination-address address-set ad_server
  action permit
```
Configuration scripts of IPSec VPN
FW-5

```
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer b
 pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
 ike-proposal 10
 remote-address 1.1.5.1
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer b
 proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1
```

FW-6

```
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer b
 pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
 ike-proposal 10
 remote-address 1.1.5.1
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer b
 proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1
```
Configuration scripts of SSL VPN
FW-5

```
#
ad-server template ad_server
 ad-server authentication 192.168.5.4 88
 ad-server authentication 192.168.5.5 88 secondary
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name info-server2.cce.com secondary
 ad-server authentication host-name info-server.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy ad_server from ad
 server template ad_server
 server basedn dc=cce,dc=com
 server searchdn ou=remoteusers,dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type all
 import-override enable
 sync-mode incremental schedule interval 120
 sync-mode full schedule daily 01:00
#
aaa
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  authentication-scheme ad
  ad-server ad_server
  service-type ssl-vpn
  reference user current-domain
  new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
 service
  web-proxy enable
  web-proxy web-link enable
  web-proxy proxy-resource resource1 http://10.1.1.10 show-link
  web-proxy proxy-resource resource2 http://10.1.1.11 show-link
  network-extension enable
  network-extension keep-alive enable
  network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
  network-extension mode manual
  network-extension manual-route 10.1.1.0 255.255.255.0
 role
  role remoteusers condition all
  role remoteusers network-extension enable
  role remoteusers web-proxy enable
  role remoteusers web-proxy resource resource1
  role remoteusers web-proxy resource resource2
#
# The following configuration is a one-time operation and is not saved in the configuration file.
execute user-manage import-policy ad_server
#
# The following configuration is saved in the database and is not displayed in the configuration file.
v-gateway example
 vpndb
  group /cce.com/remoteusers
 role
  role remoteusers group /cce.com/remoteusers
```

FW-6

```
#
ad-server template ad_server
 ad-server authentication 192.168.5.4 88
 ad-server authentication 192.168.5.5 88 secondary
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name info-server2.cce.com secondary
 ad-server authentication host-name info-server.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy ad_server from ad
 server template ad_server
 server basedn dc=cce,dc=com
 server searchdn ou=remoteusers,dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type all
 import-override enable
 sync-mode incremental schedule interval 120
 sync-mode full schedule daily 01:00
#
aaa
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  authentication-scheme ad
  ad-server ad_server
  service-type ssl-vpn
  reference user current-domain
  new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
 service
  web-proxy enable
  web-proxy web-link enable
  web-proxy proxy-resource resource1 http://10.1.1.10 show-link
  web-proxy proxy-resource resource2 http://10.1.1.11 show-link
  network-extension enable
  network-extension keep-alive enable
  network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
  network-extension mode manual
  network-extension manual-route 10.1.1.0 255.255.255.0
 role
  role remoteusers condition all
  role remoteusers network-extension enable
  role remoteusers web-proxy enable
  role remoteusers web-proxy resource resource1
  role remoteusers web-proxy resource resource2
#
# The following configuration is a one-time operation and is not saved in the configuration file.
execute user-manage import-policy ad_server
#
# The following configuration is saved in the database and is not displayed in the configuration file.
v-gateway example
 vpndb
  group /cce.com/remoteusers
 role
  role remoteusers group /cce.com/remoteusers
```
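The SSL VPN scripts above tie three settings together: the network extension address pool, the remote_users address set that the security policy matches on, and the manual-route that decides which intranet subnets SSL VPN clients send through the tunnel. The following Python check is an added example, not part of the Huawei document: it parses a constructed excerpt assembled from the FW-5 scripts (rule, set and address values taken from the page) and reports when any of the three relationships no longer hold.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt assembled from the FW-5 scripts on this page; indentation marks
# sub-commands as in the FW's configuration display, '#' separates blocks.
FW5_EXCERPT = """\
#
ip address-set remote_users type object
 address 0 172.168.3.0 mask 24
#
ip address-set server1 type object
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
security-policy
 rule name remote_users_to_server1
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  action permit
#
v-gateway example service
 network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
 network-extension mode manual
 network-extension manual-route 10.1.1.0 255.255.255.0
"""


def parse_config(text):
    """Extract address sets, security-policy rules and network-extension settings."""
    cfg = {"address_sets": defaultdict(list), "rules": {}, "netpool": None, "manual_routes": []}
    aset = rule = None
    for raw in text.splitlines():
        tok = raw.split()
        depth = len(raw) - len(raw.lstrip())
        if not tok or tok[0] == "#":            # block separator: leave any context
            aset = rule = None
        elif tok[:2] == ["ip", "address-set"]:
            aset = tok[2]
        elif aset and tok[0] == "address":      # address N <ip> mask <len>
            cfg["address_sets"][aset].append(ipaddress.ip_network(f"{tok[2]}/{tok[4]}"))
        elif tok[:2] == ["rule", "name"]:
            rule = cfg["rules"][tok[2]] = defaultdict(list)
        elif rule is not None and depth >= 2:   # rule sub-command: keyword -> arguments
            rule[tok[0]].append(" ".join(tok[1:]))
        elif tok[:2] == ["network-extension", "netpool"]:
            cfg["netpool"] = (ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3]))
        elif tok[:2] == ["network-extension", "manual-route"]:
            cfg["manual_routes"].append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}"))
    return cfg


def check_ssl_vpn(cfg, rule_name="remote_users_to_server1", pool_set="remote_users"):
    """Return findings as strings; an empty list means the three relationships hold."""
    findings, sets = [], cfg["address_sets"]
    # 1. Both ends of the netpool must fall inside the address set the policy matches on.
    for addr in cfg["netpool"]:
        if not any(addr in net for net in sets[pool_set]):
            findings.append(f"netpool address {addr} is outside address-set {pool_set}")
    rule = cfg["rules"][rule_name]
    # 2. The permit rule must be scoped by source set, destination set and service.
    if f"address-set {pool_set}" not in rule["source-address"]:
        findings.append(f"{rule_name} does not match source address-set {pool_set}")
    for field in ("destination-address", "service"):
        if not rule[field]:
            findings.append(f"{rule_name} has no {field} restriction (matches any)")
    # 3. In manual routing mode only manual-route subnets go through the tunnel, so
    #    every destination the rule permits must sit inside one of them.
    for dst in rule["destination-address"]:
        for net in sets[dst.split()[-1]]:
            if not any(net.subnet_of(mr) for mr in cfg["manual_routes"]):
                findings.append(f"{net} is permitted by {rule_name} but not in any manual-route")
    return findings
```

`check_ssl_vpn(parse_config(FW5_EXCERPT))` returns an empty list for the page's values; shrinking the remote_users mask or pointing the manual-route at a different subnet makes it report the mismatch.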
Conclusion and Suggestions
This section describes the typical application of firewalls in a financial data center, taking the data center of a bank as an example.
This section details the security policy planning and network deployment planning of firewalls in the data center.
The procedure of security planning is as follows:
- Analyze and determine the security levels of services and users of the network areas.
- Determine the inter-zone access privileges based on the security levels of services and users and the specific requirements of the enterprise.
- Convert the planning of access control to the planning of firewall security policies.