How to Configure a Firewall: Deployment and Advanced Settings
- About This Document
- Understanding Firewall Fundamentals
- Completing the Initial Configuration
- Completing Other Advanced Configurations
- More Information
About This Document
This document is a guide for first-time users of the firewall. After reading it, you will have a preliminary understanding of the firewall configuration process and be able to complete the basic firewall configuration.
| Is... | Not... |
|---|---|
| Getting started document | Expert document |
| Basic firewall configuration procedures | Collection of all features |
| Focusing on firewall access to the Internet | Covering all scenarios |
If you want to learn more about firewall configuration, read this document before reading product documentation.
This document is written based on the USG6000E. For other firewall products, you can also refer to this document.
Understanding Firewall Fundamentals
Before configuring a firewall, familiarize yourself with the basic working mechanism of the firewall.
What Is a Firewall?
A firewall is a network security device that is usually located at the network border. It isolates networks of different security levels and protects one network from attacks and intrusions originating in another. This isolation is not absolute: it is controlled isolation that lets legitimate traffic pass through the firewall and blocks illegitimate traffic.
As shown in Figure 1-1, the firewall is located at the enterprise-to-Internet egress to ensure intranet security. You can specify rules on the firewall to allow PCs on the intranet 10.1.1.0/24 to access the Internet and forbid Internet users to access the intranet host with the IP address 192.168.1.2.
As shown above, firewalls are different from routers and switches. A router is used to connect different networks and ensure interconnection through routing protocols to make sure that packets are forwarded to destinations. A switch is usually used to set up a LAN to serve as an important hub for local area network communications. The switch quickly forwards packets through Layer 2/Layer 3 switching. A firewall is deployed at the network border to control the access to and from the network. Security protection is the core feature of a firewall. The essence of routers and switches is forwarding, and the essence of firewalls is control.
Firewalls control network traffic based on security zones and security policies, which will be described in the following sections.
Interfaces and Security Zones
As mentioned, firewalls are used to isolate networks of different security levels. A firewall identifies different networks by security zone. By assigning firewall interfaces to different security zones, the networks connected to the interfaces are classified into different security levels. Interfaces on the firewall must be added to security zones (except independent management interfaces on some models) to process traffic.
Security zones reduce the attack surface of the network. Once security zones are defined, traffic cannot flow between them unless the administrator explicitly creates an access rule. If a subnet is compromised, the attacker can therefore reach only the resources in that subnet's security zone, plus whatever the interzone rules allow. For this reason, use security zones for fine-grained network partitioning.
Adding an interface to a security zone means that the network connected to the interface is added to the security zone, not the interface itself. Figure 1-2 shows the relationships between the interface, network, and security zone.
Each security zone has a security level from 1 to 100; a larger number indicates a higher security level. The firewall provides four default security zones with fixed levels: local (100), trust (85), dmz (50), and untrust (5). Administrators can also create custom security zones for fine-grained control. For example, an enterprise divides its firewall security zones as shown in Figure 1-3: the intranet interface is added to the trust zone, the extranet interface to the untrust zone, and the server interface to the DMZ. In addition, a custom zone named visitor is defined for guests.
An interface can be added to only one security zone. Multiple interfaces can be added to a security zone.
As shown in the preceding figure, the local zone is special. Its security level is 100, the maximum, and it represents the firewall itself. No interface can be added to the local zone, yet every interface on the firewall belongs to it: packets sent by the firewall originate from the local zone, and packets received by the firewall (as opposed to forwarded through it) are destined for the local zone.
In addition to physical interfaces, the firewall also supports logical interfaces, such as sub-interfaces, VLANIF interfaces, and tunnel interfaces, which also need to be added to security zones.
Security Policies
As mentioned above, a firewall controls traffic through rules, which are called security policies. Security policies are a basic concept and core function of firewalls. Firewalls provide security management and control capabilities through security policies.
As shown in Figure 1-4, a security policy consists of matching conditions, an action, and a content security profile. You can perform content security detection functions, such as antivirus and intrusion prevention, for allowed traffic.
Each matching condition in a security policy is optional. The configured conditions are logically ANDed: traffic matches the policy only when it matches every configured condition. Multiple values within one condition are logically ORed: the condition is met as long as the traffic matches any one of the values.
The more specific the matching conditions, the more precisely the policy filters traffic. The 5-tuple alone (source and destination IP addresses, source and destination ports, and protocol) is enough for a basic policy; for finer control, add further conditions such as application and user identification.
Firewall-based security policies and local security policies
Traffic passing through the firewall, traffic sent by the firewall, and traffic received by the firewall are all controlled by security policies. As shown in Figure 1-5, an intranet PC needs both to log in to the firewall through Telnet and to access the Internet through the firewall, so security policies are required for both kinds of traffic.
| Type | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| Firewall-based security policy | Allow PC to access Internet | trust | untrust | 10.1.1.2/24 | any | any | permit |
| Local security policy | Allow PC to telnet firewall | trust | local | 10.1.1.2/24 | 10.1.1.1/24 | telnet | permit |
The second row is a local security policy, that is, a policy whose source or destination zone is local. In the example, the PC in the trust zone logs in to the firewall, so a policy from trust to local is configured. Conversely, when the firewall itself initiates connections to other zones, for example to send logs to a log server or to reach the security center for signature database updates, you need policies from local to those zones. When working out which zones are involved, remember that the firewall itself is in the local zone, and that adding an interface to a zone places only the network connected to that interface, not the interface itself, in the zone. Two practical notes on the table: an address written as 10.1.1.2/24 matches the whole 10.1.1.0/24 subnet, so use a 32-bit mask (10.1.1.2/32) when the intention is a single management host; and Telnet carries credentials in cleartext, so prefer SSH for management access and write the local policy for the ssh service instead.
Default security policy and security policy list
The firewall has a built-in security policy named default, which denies all traffic that matches no other policy. The default policy is always at the end of the policy list and cannot be deleted.
Policies created by administrators are listed from top to bottom in order of creation, so the newest policy sits immediately above the default policy. When traffic arrives, the firewall checks it against the policies from top to bottom. At the first match it stops and applies that policy's action. If no administrator-created policy matches, the default policy applies.
The order of the list therefore determines whether policies take effect as intended. After creating a policy, you may need to move it to the correct position manually.
For example, a server on the enterprise network has the IP address 10.1.1.1, and users in the office area on network segment 10.2.1.0/24 are allowed to access it, so policy1 is configured to permit that traffic. Some time later, two temporary office PCs (10.2.1.1 and 10.2.1.2) must be barred from the server, so policy2 is created to deny them.
Because policy2 is newer, it is placed below policy1, and because the address range of policy1 contains that of policy2, the two PCs match policy1 first and policy2 is never hit.
| No. | Name | Source Address | Destination Address | Action |
|---|---|---|---|---|
| 1 | policy1 | 10.2.1.0/24 | 10.1.1.1 | Permit |
| 2 | policy2 | 10.2.1.1, 10.2.1.2 | 10.1.1.1 | Deny |
| 3 | default | any | any | Deny |
Move policy2 above policy1 manually. After the adjustment, the security policies are as follows:
| No. | Name | Source Address | Destination Address | Action |
|---|---|---|---|---|
| 1 | policy2 | 10.2.1.1, 10.2.1.2 | 10.1.1.1 | Deny |
| 2 | policy1 | 10.2.1.0/24 | 10.1.1.1 | Permit |
| 3 | default | any | any | Deny |
Therefore, keep the policy list in specific-before-general order. Whenever you add a policy, check how it relates to the existing ones, and adjust the order if the result is not what you expect.
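As an added example (not code from this page or from Huawei), the following Python models the rules described above: conditions inside a policy are ANDed, values inside one condition are ORed, the list is searched top-down and the built-in default rule denies whatever is left. It replays the two rules from the Figure 1-5 table, shows why firewall-originated traffic (local zone) is blocked until a local-to-untrust rule exists, and reproduces the policy1/policy2 case before and after the reorder. It also adds a `shadowed()` check that flags a rule an earlier rule already covers, which is the check you want before trusting a list. The trust/dmz zones for policy1 and policy2, the service names, the Internet address 203.0.113.10 and the `Flow`/`Policy` types are assumptions made for this example.

```python
"""First-match security-policy evaluation and shadow detection.

Added example, not Huawei code. Zones, rule names and most addresses are the
page's own examples; the trust->dmz zones for policy1/policy2, the service
names and the host 203.0.113.10 are assumptions made here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str  # e.g. "telnet", "dns", "https"


@dataclass
class Policy:
    name: str
    action: str                    # "permit" or "deny"
    src_zone: str = ANY
    dst_zone: str = ANY
    src_addrs: list = field(default_factory=lambda: [ANY])  # CIDR strings or ANY
    dst_addrs: list = field(default_factory=lambda: [ANY])
    services: list = field(default_factory=lambda: [ANY])

    def matches(self, flow: Flow) -> bool:
        # Every configured condition must hold (AND); inside one condition any
        # listed value is enough (OR, see _addr_in and the services check).
        return (self.src_zone in (ANY, flow.src_zone)
                and self.dst_zone in (ANY, flow.dst_zone)
                and _addr_in(flow.src_ip, self.src_addrs)
                and _addr_in(flow.dst_ip, self.dst_addrs)
                and (ANY in self.services or flow.service in self.services))


def _addr_in(ip: str, addrs: list) -> bool:
    if ANY in addrs:
        return True
    a = ip_address(ip)
    return any(a in ip_network(n, strict=False) for n in addrs)


DEFAULT = Policy("default", "deny")  # always last, cannot be deleted, matches everything


def evaluate(policies: list, flow: Flow) -> str:
    """Return 'rule-name:action' of the first rule in top-down order that matches."""
    for rule in [*policies, DEFAULT]:
        if rule.matches(flow):
            return f"{rule.name}:{rule.action}"
    raise AssertionError("unreachable: the default rule matches everything")


def _covers(outer: list, inner: list) -> bool:
    """True if every address in `inner` lies within some address in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return all(any(ip_network(i, strict=False).subnet_of(ip_network(o, strict=False))
                   for o in outer) for i in inner)


def shadowed(policies: list) -> list:
    """Names of rules that can never be hit because an earlier rule already
    matches everything they match (the specific-after-general mistake)."""
    hidden = []
    for idx, later in enumerate(policies):
        for earlier in policies[:idx]:
            if (earlier.src_zone in (ANY, later.src_zone)
                    and earlier.dst_zone in (ANY, later.dst_zone)
                    and _covers(earlier.src_addrs, later.src_addrs)
                    and _covers(earlier.dst_addrs, later.dst_addrs)
                    and (ANY in earlier.services
                         or set(later.services) <= set(earlier.services))):
                hidden.append(later.name)
                break
    return hidden


def order_demo() -> dict:
    """The page's policy1/policy2 example before and after moving policy2 up."""
    policy1 = Policy("policy1", "permit", "trust", "dmz", ["10.2.1.0/24"], ["10.1.1.1/32"])
    policy2 = Policy("policy2", "deny", "trust", "dmz",
                     ["10.2.1.1/32", "10.2.1.2/32"], ["10.1.1.1/32"])
    temp_pc = Flow("trust", "dmz", "10.2.1.1", "10.1.1.1", "http")
    return {
        "before": evaluate([policy1, policy2], temp_pc),   # policy1:permit (not intended)
        "shadowed_before": shadowed([policy1, policy2]),   # ['policy2']
        "after": evaluate([policy2, policy1], temp_pc),    # policy2:deny (intended)
        "shadowed_after": shadowed([policy2, policy1]),    # []
    }


def local_zone_demo() -> dict:
    """The two rules of the Figure 1-5 table, plus the local->untrust rule the
    firewall's own DNS traffic needs."""
    rules = [
        Policy("Allow PC to access Internet", "permit", "trust", "untrust", ["10.1.1.2/32"]),
        Policy("Allow PC to telnet firewall", "permit", "trust", "local",
               ["10.1.1.2/32"], ["10.1.1.1/32"], ["telnet"]),
    ]
    fw_out = Policy("Allow firewall to reach DNS", "permit", "local", "untrust",
                    services=["dns", "https"])
    fw_dns = Flow("local", "untrust", "1.1.1.1", "2.2.2.2", "dns")
    return {
        "pc_internet": evaluate(rules, Flow("trust", "untrust", "10.1.1.2", "203.0.113.10", "https")),
        "pc_telnet": evaluate(rules, Flow("trust", "local", "10.1.1.2", "10.1.1.1", "telnet")),
        "other_pc_telnet": evaluate(rules, Flow("trust", "local", "10.1.1.3", "10.1.1.1", "telnet")),
        "fw_dns_without_rule": evaluate(rules, fw_dns),          # default:deny
        "fw_dns_with_rule": evaluate(rules + [fw_out], fw_dns),  # permitted
    }
```

Run `shadowed()` over the list every time a deny rule is added below a broader permit; in the example it reports `['policy2']` until policy2 is moved up. On the USG CLI the reorder itself is done in the security-policy view with `rule move policy2 before policy1`; on the web UI you drag the rule or use the move buttons.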
For details about how to configure security policies, see Huawei Firewall Security Policy Essentials.
Completing the Initial Configuration
When using a firewall for the first time, configure the firewall to access the Internet.
Factory Default Configurations
The following table lists the factory configurations of a firewall.
| Item | Value | Remarks |
|---|---|---|
| Management network interface | Interface number: GE0/0/0 or MEth0/0/0; IP address: 192.168.0.1/24 | The number of the management network interface varies by model. For details, see the product documentation. |
| Login mode | Web UI through the management network interface, or the console port | You can configure other login modes as needed. |
| Administrator account and password | USG6000E V600R007C20 and later: there is no default administrator; at the first login the system prompts you to create an administrator account. Versions earlier than V600R007C20: for the default administrator account and password, see HUAWEI Security Products Default Usernames and Passwords. If you do not have access permission for that document, see Help on the website to find out how to obtain it. | - |
| Other service ports | Work in Layer 3 mode with no IP address assigned. | - |
To restore factory configurations, choose System > Configuration File Management from the main menu on the web UI and click Restore Factory Settings.
Cabling
Connect the management network interface, the internal network interface GE0/0/2, and the external network interface GE0/0/3 as shown in the following figure. For web UI login, connect the management PC to the device's management network interface. For CLI login at the first login, connect the management PC's serial port to the device's console port with a console cable.
Logging In to the Web UI
Context
The following browsers are supported for web UI-based login:
- Internet Explorer 10 or 11
- Firefox 62 or later
- Google Chrome 64 or later
Procedure
- Connect the network interface of the administrator PC to the management interface (MEth0/0/0 or GE0/0/0) of the device with a network cable or through a Layer 2 switch.
- Set the IP address of the administrator PC to an address in the range 192.168.0.2 to 192.168.0.254.
- Enter https://192.168.0.1:8443 in the address box of the browser on the administrator PC.
The browser warns that the certificate is untrusted, because the device ships with a self-signed default certificate. Click Continue.
- If you are logging in to the device for the first time, the page for creating an administrator account is displayed. Enter the username, password, and confirm password, and click Create.
The administrator created at the first login has system administrator rights and the web service type.
- When the account has been created, click OK in the dialog box that is displayed.
- On the login page, enter the username and password you created and click Login.
At login the browser cannot verify the device's default certificate and displays a security warning. To suppress it on later logins, click Download CA Certificate, download the certificate, and double-click the file to install it in the administrator PC's trust store. Install it only on administrator PCs; for production deployments, replace the device's default certificate with one issued by your own PKI so that browsers can verify the firewall's identity without this step.
- When a new account logs in for the first time, the page for changing the initial password is displayed. Enter the current password, new password, and confirm password, and click OK.
- Return to the login page, enter the username and the new password, and click Login.
Firewall Web UI
The web UI of the firewall uses the horizontal panel and vertical menu navigation mode. The following figure shows the layout of the web UI.
Follow-up Procedure
- Choose from the main menu to change the IP address of the network management interface. After the IP address is changed, you need to log in again.
- Choose from the main menu to create other administrators. The firewall allows administrators to bind different rights to different roles.
Configuring Layer 3 Access
A firewall works at Layer 3 by default and functions as the egress gateway to implement internal and external communication and protection. In this mode, the firewall forwards packets between network segments through routing protocols. Therefore, this access mode is also called routing mode.
When the firewall is deployed between the intranet and extranet, it is also responsible for translation between private IP addresses on the intranet and public IP addresses on the extranet, that is, the NAT function. Therefore, this access mode is also called NAT mode.
During initial access, you can use the quick wizard provided by the web UI to quickly connect the firewall to the Internet in one of the following enterprise-to-Internet access modes, before performing advanced configurations:
- Static IP: Select this access mode if you obtain a fixed IP address from a network service provider.
- PPPoE: Select this access mode if you obtain the username and password from a network service provider for dial-up.
- DHCP: Select this access mode if an IP address is automatically obtained from a network service provider.
After the quick wizard is executed, the basic configurations of the firewall are as follows:
- External network interface: Add the interface to the untrust zone and obtain a public IP address in an access mode selected by the administrator.
- Internal network interface: Add the interface to the trust zone and configure a private IP address for it. If the administrator has enabled the LAN DHCP service in the wizard, the DHCP server function is enabled on the internal network interface to assign IP addresses and DNS server addresses to LAN PCs.
The DHCP service hands the firewall's internal interface address to LAN PCs as their DNS server. The firewall then acts as a DNS proxy: it receives DNS requests from the PCs and forwards them to the configured DNS server.
- Source NAT: An Easy IP source NAT policy is created. The source IP address of all traffic whose outbound interface is the external network interface is translated to that interface's IP address.
- Route: A default route whose outbound interface is the external network interface is created. It forwards traffic to the Internet.
- Security policy: No security policy is created. You must configure one manually to allow LAN users to access the Internet.
Using the Layer 3 Internet Access Wizard: Static IP
Context
| Item | Value | Remarks |
|---|---|---|
| Extranet interface | Interface number: GE0/0/3; IP address: 1.1.1.1/24 | Obtain the parameters from the network service provider. |
| Default gateway of the network service provider | 1.1.1.254 | |
| DNS server address | Primary DNS server: 2.2.2.2; secondary DNS server: 2.2.2.22 | |
| Internal network interface | Interface number: GE0/0/2; IP address: 10.1.1.1/24 | - |
| Enable the DHCP service to assign IP addresses to the LAN? | Yes | When the firewall is the gateway of the LAN PCs, it can automatically assign them an IP address and the DNS server address. |
Procedure
- Choose from the main menu.
- Click Next.
- Change the host name and administrator password as required, and click Next. If no modification is required, click Skip.
- Set the system time based on the location of the device and click Next.
- Set the Internet access mode to Static IP and click Next.
- Set Internet access parameters and click Next.
- Configure the LAN interfaces and click Next.
- Enable the DHCP service for the internal network interface and use the default IP address range. Click Next.
When the firewall is the gateway of the LAN PCs, the internal network interface can assign IP addresses to them.
- Verify that the configuration information is correct and click Apply.
- The system displays a message indicating that the configuration is successful. Click Finish.
- Complete the task of Configuring a Basic Security Policy to allow the intranet PC to access the Internet.
- Configure the LAN PC to obtain its IP address and DNS server address automatically. The configuration details are not provided here.
Using the Layer 3 Internet Access Wizard: PPPoE
Context
| Item | Value | Remarks |
|---|---|---|
| Extranet interface | Interface number: GE0/0/3; IP address: obtained automatically through PPPoE dial-up; dial-up username: pppoe1; dial-up password: Admin@1234 | Obtain the parameters from the network service provider. |
| DNS server address | Obtained automatically through PPPoE dial-up | |
| Internal network interface | Interface number: GE0/0/2; IP address: 10.1.1.1/24 | - |
| Enable the DHCP service to assign IP addresses to the LAN? | Yes | When the firewall is the gateway of the LAN PCs, it can automatically assign them an IP address and the DNS server address. |
Procedure
- Choose from the main menu.
- Click Next.
- Change the host name and administrator password as required, and click Next. If no modification is required, click Skip.
- Set the system time based on the location of the device and click Next.
- Set Internet access mode to PPPoE and click Next.
- Set Internet access parameters and click Next.
- Configure the LAN interfaces and click Next.
- Enable the DHCP service for the internal network interface and use the default IP address range. Click Next.
When the firewall functions as the gateway of the PC on the LAN, you can use the internal network interface to assign IP addresses to the PC.
- Verify that the configuration information is correct and click Apply.
- The system displays a message indicating that the configuration is successful. Click Finish.
- Complete the task of Configuring a Basic Security Policy, allowing the intranet PC to access the Internet.
- Configure the LAN PC to automatically obtain the IP address and DNS server address. The configuration details are not provided.
Using the Layer 3 Internet Access Wizard: DHCP
Context
| Item | Value | Remarks |
|---|---|---|
| Extranet interface | Interface number: GE0/0/3; IP address: obtained automatically through DHCP | - |
| DNS server address | Obtained automatically through DHCP | - |
| Internal network interface | Interface number: GE0/0/2; IP address: 10.1.1.1/24 | - |
| Enable the DHCP service to assign IP addresses to the LAN? | Yes | When the firewall is the gateway of the LAN PCs, it can automatically assign them an IP address and the DNS server address. |
Procedure
- Choose from the main menu.
- Click Next.
- Change the host name and administrator password as required, and click Next. If no modification is required, click Skip.
- Set the system time based on the location of the device and click Next.
- Set the Internet access mode to DHCP and click Next.
- Set Internet access parameters and click Next.
- Configure the LAN interfaces and click Next.
- Enable the DHCP service for the internal network interface and use the default IP address range. Click Next.
When the firewall functions as the gateway of the PC on the LAN, you can use the internal network interface to assign IP addresses to the PC.
- Verify that the configuration information is correct and click Apply.
- The system displays a message indicating that the configuration is successful. Click Finish.
- Complete the task of Configuring a Basic Security Policy, allowing the intranet PC to access the Internet.
- Configure the LAN PC to automatically obtain the IP address and DNS server address. The configuration details are not provided.
Configuring Layer 2 Transparent Access
Context
Layer 2 transparent access means that the firewall connects to the network through two Layer 2 interfaces. The firewall is typically deployed behind the egress gateway, on its intranet side. This access mode leaves the existing network structure unchanged and requires no route changes on upstream or downstream devices, which is why it is also called transparent mode.
A firewall in Layer 2 transparent access still provides security protection and still requires security policies. Layer 2 interfaces do not support Layer 3 functions such as routing, but a VLANIF interface can serve as a Layer 3 interface.
The firewall does not need to switch the routing mode or transparent mode globally. Instead, the firewall switches the mode at the interface level. If the interface works at Layer 3, the interface can function as a Layer 3 gateway. When an interface works at Layer 2, Layer 2 transparent access can be implemented. Layer 2 access and Layer 3 access can coexist.
As shown in the following figure, the firewall is generally deployed inside the egress router. The firewall connects to a downstream switch and an upstream router. Depending on the networking, routers or Layer 3 switches may function as intranet user gateways.
In transparent firewall access networking, routers are generally used for source NAT, but firewalls also support source NAT. In the following figure, when the Layer 3 switch functions as the intranet user gateway, you can configure source NAT on the firewall.
Procedure
- Configure a Layer 2 interface.
- Configure a security policy to allow intranet users to access the Internet.
- Configure VLANs, interfaces, and IP addresses on the switch and router.
- Optional: Configure source NAT to translate the IP addresses of intranet users.
When the Layer 3 switch is the intranet user gateway, the firewall can perform source NAT.
Follow-up Procedure
During transparent access, the administrator initially logs in to the firewall through the management port. To log in through a service port, or to let the firewall reach external addresses, configure an IP address on a VLANIF interface.
In this example, VLANIF10 is the interface used for this purpose. Its IP address must be on the same network segment as the IP addresses of the upstream and downstream devices attached to the firewall.
Establishing a Channel for the Firewall to Access External Services
Context
Configuring Layer 3 Access and Configuring Layer 2 Transparent Access set up the basic network for intranet PCs to access the Internet. Some functions, such as updating signature databases and activating the license online, require the firewall itself to reach services on the Internet. This section establishes that channel.
Procedure
- Ensure that the firewall has a Layer 3 interface with an IP address from which it can reach the security center and the license center.
In Layer 3 access, the IP address of the public network interface is normally used. In Layer 2 transparent access, configure a VLANIF interface, assign it an IP address, and add it to a security zone. For details, see the Follow-up Procedure of Configuring Layer 2 Transparent Access.
Ensure that this IP address can reach the Internet.
- Ensure that a DNS server is configured on the firewall. Otherwise, the firewall cannot reach external services by domain name.
Choose from the main menu to check whether a DNS server is configured, and add one if not.
- Optional: If the interface IP address is a private address, also configure source NAT.
In Layer 2 transparent access, either the firewall or the egress router may perform NAT, depending on the network plan.
Choose from the main menu and configure a NAT policy that translates the interface IP address.
- Configure a security policy that allows the firewall itself to reach the DNS server and the security and license centers (or the proxy server, if one is used).
Choose from the main menu and permit traffic from the local zone to the zone in which the Internet resides. Permit only the services actually required: DNS if the firewall must resolve names, HTTPS if it must update signature databases. Avoid "any" as the service here, because the local zone is the firewall's own management plane.
Testing Network Connectivity
After the preceding configurations are complete, both intranet PCs and the firewall itself should be able to reach the Internet. Verify this as follows.
Test the access of an intranet PC to the Internet.
Enter a URL in the browser on an intranet PC and check whether the page opens. If it does not, troubleshoot as follows:
- Choose from the main menu. In the interface list, check whether the internal and external network interfaces of the firewall are Up. If the external interface is Down, check whether the firewall's configuration matches the parameters provided by the network service provider.
- Check whether the IP address and DNS server of the intranet PC are correct. If the firewall assigns addresses to the PC, run ipconfig /all on the PC and check whether it obtained an IP address and the DNS server address from the firewall. If it did not, check the DHCP service configuration on the firewall.
- Log in to the web UI of the firewall, choose from the main menu, and click the Web Page Diagnosis tab. Enter the IP address of the intranet PC and the web page URL, click Diagnose, and rectify the fault according to the diagnosis information.
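The second step above is usually done by eye. As an added example (not from this page or from Huawei), the following Python parses `ipconfig /all` output and checks it against the LAN plan used throughout this document: the PC must hold a DHCP lease in 10.1.1.0/24, its default gateway must be the firewall's internal address 10.1.1.1, and the firewall (acting as DNS proxy) must be its DNS server. The two `ipconfig` samples embedded in the code are constructed; one shows a healthy lease, the other the 169.254.x.x fallback address Windows uses when no DHCP reply arrives.

```python
"""Check a LAN PC's `ipconfig /all` output against the wizard's LAN plan.

Added example, not from the page or from Huawei. Plan values (10.1.1.0/24,
firewall 10.1.1.1) are the page's; both sample outputs are constructed.
"""
import re
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.1.0/24")   # internal interface GE0/0/2 = 10.1.1.1/24 in the page's plan
FIREWALL = "10.1.1.1"             # gateway and DNS proxy for LAN PCs

# Constructed sample: healthy lease from the firewall's DHCP service.
SAMPLE_OK = """\
Ethernet adapter Ethernet0:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DHCP Server . . . . . . . . . . . : 10.1.1.1
   DNS Servers . . . . . . . . . . . : 10.1.1.1
"""

# Constructed sample: no DHCP reply, Windows fell back to an APIPA address.
SAMPLE_NO_LEASE = """\
Ethernet adapter Ethernet0:
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.7.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
"""


def _field(text: str, label: str):
    """Value of the line that starts with `label`, dot leaders and a colon; None if empty."""
    m = re.search(rf"^[ \t]*{re.escape(label)}[ .]*:[ \t]*(\S*)", text, re.M)
    return (m.group(1).split("(")[0] or None) if m else None


def parse_ipconfig(text: str) -> dict:
    # DNS servers may continue on indented lines below the first one.
    m = re.search(r"^[ \t]*DNS Servers[ .]*:[ \t]*(\S*)\n((?:[ \t]+\d+\.\d+\.\d+\.\d+\n)*)",
                  text, re.M)
    dns = [x for x in (([m.group(1)] + m.group(2).split()) if m else []) if x]
    return {
        "dhcp": _field(text, "DHCP Enabled"),
        "ip": _field(text, "IPv4 Address"),   # anchored, so "Autoconfiguration IPv4 Address" does not count
        "mask": _field(text, "Subnet Mask"),
        "gateway": _field(text, "Default Gateway"),
        "dns": dns,
    }


def check(text: str) -> list:
    """Return the list of problems found; an empty list means the PC matches the plan."""
    cfg = parse_ipconfig(text)
    problems = []
    if cfg["dhcp"] != "Yes":
        problems.append("DHCP is disabled on the PC; enable automatic addressing")
    if cfg["ip"] is None or ip_address(cfg["ip"]) not in LAN:
        problems.append(f"no lease from {LAN} (address is {cfg['ip']}); check the firewall's DHCP service")
    if cfg["mask"] != str(LAN.netmask):
        problems.append(f"subnet mask {cfg['mask']} does not match {LAN.netmask}")
    if cfg["gateway"] != FIREWALL:
        problems.append(f"default gateway is {cfg['gateway']}, expected the firewall {FIREWALL}")
    if FIREWALL not in cfg["dns"]:
        problems.append(f"DNS servers {cfg['dns']} do not include the firewall {FIREWALL} (DNS proxy)")
    return problems
```

On a real PC, save the output with `ipconfig /all > out.txt` and call `check(open("out.txt").read())`; every entry in the returned list points at the firewall setting to look at next (DHCP service, interface address, or DNS configuration).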
Test the access of the firewall to the Internet.
Use the connectivity test for the security center (isecurity.huawei.com) provided in the firewall web UI.
Choose from the main menu and click Server Connectivity Test. The check result page is displayed. If the connection fails, correct the configuration as prompted.
Completing Other Advanced Configurations
After the initial configuration is complete, perform advanced configurations based on site requirements. This document provides an overview of advanced features that you may configure. For details, see the corresponding product documentation.
Configuring Other Interfaces and Security Zones
Context
In the initial configuration, only one intranet interface and one extranet interface are configured. If more zones are planned, such as the server zone and guest zone, you need to configure interfaces and security zones.
Procedure
- If the default security zones do not cover the plan, choose from the main menu to create a custom security zone.
You can add interfaces to the zone in this step or on the interface configuration page.
- Choose from the main menu and configure IP addresses and security zones for the other interfaces according to the network plan.
As a rule, add interfaces connected to servers to the DMZ, internal interfaces to the trust zone, and the external interface to the untrust zone. If you defined a custom zone, add its interface to that zone.
Access Management on an interface controls which management protocols may reach the firewall through that interface. For example, to manage the firewall over HTTPS or SSH through an interface, enable HTTPS and SSH on it; to ping the interface for connectivity checks, enable ping. Enable these only on interfaces facing administrators and leave them disabled on the untrust interface unless there is a specific need, so that the management plane is not exposed to the Internet.
Configuring a Security Policy
Context
After configuring interfaces and security zones, configure security policies to allow the required traffic through the firewall. Traffic permitted by a security policy is not necessarily free of threats, so reference a content security profile in the policy to detect intrusions and viruses in the permitted traffic.
The security policy configured here is what the firewall goes live with. Once the firewall is in service, refine the policy based on logs and actual service conditions to better protect the network behind it. For details, see Huawei Firewall Security Policy Essentials.
The security policy configuration in this section is only an example. Configure policies according to the actual access requirements, with matching conditions as specific as possible, so that the firewall does not permit unnecessary traffic.
Configuring NAT
Context
During the initial configuration, Quick Wizard automatically generates a source NAT policy that translates the source IP address of Internet access traffic to the IP address of the public network interface. You can use it directly or modify the configuration. If an enterprise has a server that can be accessed by extranet users, you need to configure NAT Server to map the private IP address of the server to a public IP address.
Procedure
- Configure source NAT.
Source NAT supports the following address translation methods:
- Address pool mode: used when several public IP addresses are available. Create a NAT address pool that defines the public addresses that may be used.
- Outbound interface mode, also called Easy IP: used when only the IP address of the outbound interface connected to the public network is available. Intranet host addresses are translated to the outbound interface's address, which also makes this the right choice when that interface obtains its address dynamically (PPPoE or DHCP).
- Configure NAT Server (server mapping).
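As an added example (not Huawei's implementation), the following Python simulates the three translations this section and the wizard output describe: the Easy IP source NAT policy the quick wizard creates, address-pool source NAT, and a NAT Server mapping. It shows how two PCs using the same source port are kept apart by the translated port, how a reply is mapped back to the originating PC, why an unsolicited packet to the public address matches no session and goes nowhere, and how a server mapping makes one intranet server reachable. The real session table, port-allocation algorithm and timeouts are not modelled. Addresses follow the page's plan (intranet 10.1.1.0/24, public interface 1.1.1.1); the address pool 1.1.1.10 to 1.1.1.11, the server 10.1.1.100 and the Internet hosts 203.0.113.10 and 198.51.100.7 are constructed for this example.

```python
"""Source NAT (Easy IP and address pool) and NAT Server, simulated.

Added example, not Huawei code. The public interface 1.1.1.1 and the intranet
10.1.1.0/24 are the page's plan; the pool, the server and the Internet hosts
are constructed for this example.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """NAPT: many private (ip, port) pairs share one or more public IPs and are
    kept apart by the translated source port. One public IP (the outbound
    interface address) is the wizard's Easy IP policy; several is pool mode."""

    def __init__(self, public_ips, first_port=10000):
        self.public_ips = list(public_ips)
        self._ports = {ip: itertools.count(first_port) for ip in self.public_ips}
        self._next_ip = itertools.cycle(self.public_ips)   # round-robin over the pool
        self.sessions = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> (pub_ip, pub_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:                      # new session: allocate ip+port
            pub_ip = next(self._next_ip)
            self.sessions[key] = (pub_ip, next(self._ports[pub_ip]))
        pub_ip, pub_port = self.sessions[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Reverse-translate a reply; a packet with no session is dropped (None)."""
        for (priv_ip, priv_port, dst_ip, dst_port), (pub_ip, pub_port) in self.sessions.items():
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == (dst_ip, dst_port, pub_ip, pub_port):
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return None


class NatServer:
    """Static server mapping public (ip, port) -> private (ip, port), so that
    connections initiated from the Internet can reach an intranet server."""

    def __init__(self, mappings: dict):
        self.to_private = dict(mappings)
        self.to_public = {v: k for k, v in self.to_private.items()}

    def inbound(self, pkt: Packet):
        target = self.to_private.get((pkt.dst_ip, pkt.dst_port))
        return Packet(pkt.src_ip, pkt.src_port, *target) if target else None

    def outbound(self, pkt: Packet) -> Packet:
        """The server's replies leave with the public address, not the private one."""
        public = self.to_public.get((pkt.src_ip, pkt.src_port))
        return Packet(*public, pkt.dst_ip, pkt.dst_port) if public else pkt


def demo() -> dict:
    easy_ip = SourceNat(["1.1.1.1"])               # what the quick wizard creates
    pool = SourceNat(["1.1.1.10", "1.1.1.11"])     # address-pool mode (assumed pool)
    pc_a = Packet("10.1.1.2", 51000, "203.0.113.10", 443)
    pc_b = Packet("10.1.1.3", 51000, "203.0.113.10", 443)   # same source port as pc_a

    out_a, out_b = easy_ip.outbound(pc_a), easy_ip.outbound(pc_b)
    reply_to_a = Packet("203.0.113.10", 443, out_a.src_ip, out_a.src_port)
    probe = Packet("198.51.100.7", 40000, "1.1.1.1", 22)   # unsolicited scan of the public IP

    server = NatServer({("1.1.1.1", 8080): ("10.1.1.100", 80)})
    client = Packet("198.51.100.7", 40000, "1.1.1.1", 8080)
    to_server = server.inbound(client)
    from_server = server.outbound(
        Packet(to_server.dst_ip, to_server.dst_port, client.src_ip, client.src_port))

    return {
        "easy_ip_a": out_a,                  # 1.1.1.1:10000 -> 203.0.113.10:443
        "easy_ip_b": out_b,                  # 1.1.1.1:10001, distinct port keeps the flows apart
        "reply_untranslated": easy_ip.inbound(reply_to_a),  # back to 10.1.1.2:51000
        "probe_dropped": easy_ip.inbound(probe),            # None: no session, nothing reachable
        "pool_a": pool.outbound(pc_a),       # 1.1.1.10:10000
        "pool_b": pool.outbound(pc_b),       # 1.1.1.11:10000, next pool address
        "to_server": to_server,              # 198.51.100.7:40000 -> 10.1.1.100:80
        "from_server": from_server,          # 1.1.1.1:8080 -> 198.51.100.7:40000
    }
```

Two things the simulation makes visible that the web UI does not: source NAT alone lets nothing in from the Internet (the probe returns None), and a NAT Server mapping only translates. The inbound connection still needs a security policy from untrust to the server's zone, and on the USG6000E NAT Server translation happens before security policy matching, so that policy's destination address is the server's private address (10.1.1.100 here), not the public one.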
Activating a License
Context
Some advanced firewall services are under license control. If you need to use the advanced firewall services, activate the license first.
The firewall supports online license activation and manual license activation.
- For online activation, you do not need to import the license file. You only need to find the license in the delivery accessories, obtain the entitlement ID, and connect to the license center to activate the license. The prerequisite is Establishing a Channel for the Firewall to Access External Services so that the firewall can connect to the License Center.
- To manually activate a license file, you need to obtain and import the license file in advance.
The following describes only the procedure for activating a license. For details about how to apply for a license and about license control items, see the License Usage Guide.
The license control items in this section are for reference only.
Updating Signature Databases
Prerequisites
The task of Establishing a Channel for the Firewall to Access External Services has been performed.
You have purchased and activated the license for the signature database update service.
Context
The latest signature database identifies more applications, viruses, and threats, improving the security protection capability of the system.
You can update the signature databases in any of the following ways:
- Scheduled update: The device automatically connects to the security center at a specified time to update signature databases. Avoid peak hours. Otherwise, services will be adversely affected.
- Immediate update: The device immediately connects to the security center to update signature databases.
- Local update: Download a signature database file from isecurity.huawei.com and manually upload it to the device for update. This mode is applicable when the device cannot directly connect to the Internet.
You are advised to update signature databases on the firewall immediately when you use it for the first time and then configure a scheduled update so that the signature databases can be automatically updated in a timely manner.
Procedure
- Choose from the main menu.
- Click Upgrade Immediately corresponding to each signature database to update the signature database immediately.
- After the immediate update is complete, click Scheduled Update Time corresponding to each signature database to set the scheduled update time. You are advised to set this parameter to a time when the service traffic is light at night.
Configuring Advanced Services
Now, the firewall has been connected to the network and has basic security functions. Next, you can configure other advanced features. The following lists some common features. For details about how to configure them, see product documentation.
- Hot standby: Two firewalls are deployed for backup. If one firewall fails, the other firewall can quickly take over traffic of the faulty firewall, ensuring service traffic continuity.
- VPN: The firewall supports multiple types of VPNs, such as IPsec VPN, SSL VPN, L2TP VPN, and GRE, meeting branch interconnection and mobile office requirements.
- Intelligent uplink selection: When an enterprise accesses the Internet through multiple ISPs, the firewall provides dynamic and static intelligent uplink selection to adjust traffic distribution based on the traffic steering mode configured by an administrator to maximize link resource utilization.
- User authentication: When a host obtains its IP address dynamically, or multiple users log in to the same host, IP address-based policy control cannot be applied to specific users. To address this issue, the firewall provides user authentication to control the rights of authenticated users.
- Content security: The basic security policy only controls whether to permit traffic. The firewall provides the content security function to deeply detect application-layer data based on the allowed traffic. Content security functions include intrusion prevention, antivirus, URL filtering, file filtering, content filtering, and mail filtering.
- Encrypted traffic detection: More and more application traffic is encrypted in transit. You need to configure encrypted traffic detection to decrypt SSL traffic before content security detection can be performed on it.
- Bandwidth management: The bandwidth purchased by an enterprise is limited. Bandwidth management provides bandwidth limiting and bandwidth guarantee for key services to improve bandwidth utilization.
Configuring the Log Function to Continuously Monitor Traffic
Logging is critical for monitoring network security, service running status, and firewall running status. An administrator periodically analyzes logs and adjusts firewall configurations to ensure continuous network protection.
The firewall supports various log types, such as session logs, traffic logs, policy matching logs, threat logs, and system logs. Table 1-3 lists common log types. For more information, see the corresponding product documentation.
Log Type | Description | Configuration Notes
---|---|---
Session log | After packets are processed by a firewall, sessions are established. Session logs record connection information for fault locating and source tracing. Session logs can be output only to log hosts. | These types of logs are service logs, which can be viewed on the web UI or output to a log server. This section only describes how to view the information on the web UI.
Traffic log | Traffic logs record information about traffic arriving at or passing through firewalls. Traffic logs help analyze network traffic composition and provide input for further adjustment of security policies. | Same as above.
Policy matching log | Policy matching logs record information about traffic matching a security policy. You can learn about the traffic that matches the specified security policy based on the logs to check whether the security policy achieves the expected effect. | Same as above.
Threat log | Threat logs record information about intrusions, viruses, and DDoS attacks detected by firewalls, helping you understand threat events on the network. Based on threat logs, you can adjust firewall security protection configurations and isolate attack sources. | Same as above.
System log | System logs, also called syslogs, are generated during system running and are used to check whether the firewall is running properly. | You can view system logs on the web UI, CLI, and log server. This section only describes how to view the information on the web UI.
More Information
Now you have learned about the basic configuration process of the firewall. You can log in to the technical support website to view the firewall documentation and browse the community to learn more about the product.
- Configuration guide and command reference: describes how to configure and maintain the firewall using the CLI.
- Security hardening reference and maintenance guide: describes how to perform security hardening on the firewall to prevent malicious logins and attacks.
- Typical configuration cases: describes configuration cases in common scenarios.
- Troubleshooting guide: provides accumulated practical troubleshooting experience.
- Case library and community: describes use cases and allows you to interact with more experts.