HUAWEI Firewall Comprehensive Configuration Examples

Issue 02
Date 2019-08-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://e.huawei.com

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. i


HUAWEI Firewall
Comprehensive Configuration Examples About This Document

About This Document

Related Version
The following table lists the product versions related to this document.

Product Name       Version
USG6000            V500R005C00 and later versions
USG9500            V500R005C00 and later versions
USG6000E           V600R006C00 and later versions
Eudemon200E-N      V500R005C00 and later versions
Eudemon1000E-N     V500R005C00 and later versions
Eudemon8000E-X     V500R005C00 and later versions
Eudemon200E-G      V600R006C00 and later versions
Eudemon1000E-G     V600R006C00 and later versions

Unless otherwise specified, the USG and Eudemon series listed in this table are
referred to as the FW hereinafter.

Intended Audience
This document describes the application scenarios and configuration methods in
typical projects of the FW. This document does not cover all scenarios. You can
adapt the examples to your conditions.
This document is intended for administrators who configure and manage FWs.
The administrators must have good Ethernet knowledge and network
management experience.

Content Conventions
The purchased products, services and features are stipulated by the contract made
between Huawei Technologies Co., Ltd. and the customer. All or part of the
products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all
statements, information, and recommendations in this document are provided "AS
IS" without warranties, guarantees or representations of any kind, either express
or implied.
The information in this document is subject to change without notice. Every effort
has been made in the preparation of this document to ensure accuracy of the
contents, but all statements, information, and recommendations in this document
do not constitute a warranty of any kind, express or implied.
The screenshots in this document are for reference only. The settings are subject to
the actual GUI.

Encryption Algorithm Declaration

Currently, the device uses the following encryption algorithms: DES, 3DES, AES,
RSA, SHA1, SHA2, and MD5. The algorithm to use depends on the scenario. Use the
recommended algorithm; otherwise, security defense requirements may not be met.
● The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature
scenarios and password encryption)/SHA1 (in digital signature scenarios) have
low security and may bring security risks. If the protocol allows, use more
secure algorithms such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2.
● For symmetric encryption, use AES with a key of 128 bits or more.
● For asymmetric encryption, use RSA with a key of 2048 bits or more.
● For hashing, use SHA2 with an output length of 256 bits or more.
● For HMAC, use HMAC-SHA2.
● SHA2 is an irreversible (one-way) algorithm. An irreversible algorithm must be
used for the administrator password.

Personal Data Declaration

Some personal data may be obtained or used during operation or fault location of
your purchased products, services, or features. Huawei Technologies Co., Ltd. alone
is unable to collect or save the content of users' communications. It is suggested
that you activate the user data-related functions based on the applicable laws and
regulations in terms of purpose and scope of usage. You are obligated to take
considerable measures to ensure that the content of users' communications is fully
protected when the content is being used and saved.


Feature Usage Declaration

The IPSec VPN and SSL VPN functions are not provided in versions shipped to
Russia in accordance with Russian laws.

● The features such as antivirus, IPS, file blocking, data filtering, application
behavior control, mail filtering, URL session logs, and URL filtering may involve
the collection of users' communication contents, such as the browsed websites
and transmitted files. You are advised to clear unnecessary sensitive
information in a timely manner.
● Antivirus and IPS support attack evidence collection to analyze data packets
for viruses or intrusions. However, the attack evidence collection process may
involve the collection of user's communication content. The device provides
dedicated audit administrators to obtain collected attack evidence. Other
administrators do not have such permissions. Please keep the audit
administrator account safe and clear the attack evidence collection history in
time.
● The audit function is used to record online behaviors, including the collection
or storage of browsed web pages, BBS or microblog posts, HTTP/FTP file
transfer, email receiving and sending, and QQ login and logout. The device
provides dedicated audit administrators to configure audit policies and view
audit logs. Other administrators do not have such permissions. Please keep
the audit administrator account safe.
● Port mirroring and NetStream are vital to fault diagnosis and traffic statistics
and analysis, but may involve the collection of user's communication content.
The product provides permission control over such functions. You are advised
to clear traffic records after fault diagnosis and traffic analysis.
● The quintuple packet capture function can capture the whole packet content,
which may cause the disclosure of users' personal data. When using this
function, you must comply with related national laws and regulations and
take sufficient measures to protect users' personal data. For example, the
technical support personnel cannot perform packet capture without prior
consent of customers; in addition, they must delete captured packets
immediately after the fault locating is complete. Huawei will not bear any
legal obligations or liabilities for the security events (such as personal data
leaks) that are not caused by Huawei's misconduct.
● Data feedback function (user experience plan) may involve transferring or
processing users' communication contents or personal data. Huawei
Technologies Co., Ltd. alone is unable to transfer or process the content of
users' communications and personal data. It is suggested that you activate
the user data-related functions based on the applicable laws and regulations
in terms of purpose and scope of usage.
● The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS.
Using FTP, TFTP or SFTPv1 has potential security risks. SFTPv2 or FTPS is
recommended.
● Telnet and STelnetv1&v2 can be used to log in to the device. Using Telnet or
STelnetv1 has potential security risks. STelnetv2 is recommended.
● SNMPv1&v2c&v3 can be used to manage network elements. Using
SNMPv1&v2c has potential security risks. SNMPv3 is recommended.


MAC Address and IP Address Usage Declaration

For purposes of introducing features and giving configuration examples, the MAC
addresses and public IP addresses of real devices are used in this document. Unless
otherwise specified, these addresses are used as examples only.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description
DANGER     Indicates a hazard with a high level of risk which, if not avoided, will
           result in death or serious injury.
WARNING    Indicates a hazard with a medium level of risk which, if not avoided,
           could result in death or serious injury.
CAUTION    Indicates a hazard with a low level of risk which, if not avoided, could
           result in minor or moderate injury.
NOTICE     Indicates a potentially hazardous situation which, if not avoided, could
           result in equipment damage, data loss, performance deterioration, or
           unanticipated results. NOTICE is used to address practices not related
           to personal injury.
NOTE       Supplements the important information in the main text. NOTE is used to
           address information not related to personal injury, equipment damage,
           and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as
follows.

Convention           Description
Boldface             The keywords of a command line are in boldface.
Italic               Command arguments are in italics.
[ ]                  Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }      Optional items are grouped in braces and separated by vertical
                     bars. One item is selected.
[ x | y | ... ]      Optional items are grouped in brackets and separated by vertical
                     bars. One item is selected or no item is selected.
{ x | y | ... } *    Optional items are grouped in braces and separated by vertical
                     bars. A minimum of one item or a maximum of all items can be
                     selected.
[ x | y | ... ] *    Optional items are grouped in brackets and separated by vertical
                     bars. Several items or no item can be selected.
&<1-n>               The parameter before the & sign can be repeated 1 to n times.
#                    A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention     Description
Boldface       Buttons, menus, parameters, tabs, window, and dialog titles are in
               boldface. For example, click OK.
>              Multi-level menus are in boldface and separated by the ">" signs.
               For example, choose File > Create > Folder.

Update History
Updates between document issues are cumulative. Therefore, the latest document
issue contains all updates made in previous issues.

Updates in Issue 02 (2019-08-30)
Second commercial release.

Updates in Issue 01 (2019-01-10)
Initial commercial release.


Contents

About This Document................................................................................................................ ii


1 Application of Firewalls in the Campus Egress Security Solution............................... 1
1.1 Introduction............................................................................................................................................................................... 1
1.2 Solution Overview................................................................................................................................................................... 1
1.3 Solution 1: IP Address-based Policy Control.................................................................................................................. 2
1.3.1 Typical Networking............................................................................................................................................................. 2
1.3.2 Service Planning................................................................................................................................................................... 5
1.3.3 Precautions.......................................................................................................................................................................... 27
1.3.4 Configuration Procedure................................................................................................................................................. 28
1.3.5 Verification........................................................................................................................................................................... 39
1.3.6 Configuration Scripts........................................................................................................................................................ 41
1.4 Solution 2: User-based Policy Control........................................................................................................... 47
1.4.1 Typical Networking........................................................................................................................................................... 47
1.4.2 Service Planning................................................................................................................................................................. 50
1.4.3 Precautions.......................................................................................................................................................................... 76
1.4.4 Configuration Procedure................................................................................................................................................. 77
1.4.5 Verification........................................................................................................................................................................... 89
1.4.6 Configuration Scripts........................................................................................................................................................ 92
1.5 Conclusion and Suggestions............................................................................................................................................. 99

2 Application of Firewalls in the Egress Security Solution for Broadcast and Television Networks......... 100
2.1 Introduction.......................................................................................................................................................................... 100
2.2 Solution Overview.............................................................................................................................................................. 100
2.3 Solution Design................................................................................................................................................................... 101
2.3.1 Typical Networking......................................................................................................................................................... 102
2.3.2 Service Planning.............................................................................................................................................................. 103
2.4 Precautions........................................................................................................................................................................... 110
2.5 Solution Configuration..................................................................................................................................................... 111
2.5.1 Configuring Interfaces and Security Zones............................................................................................................ 112
2.5.2 Configuring Intelligent Uplink Selection and Routes......................................................................................... 114
2.5.3 Configuring Hot Standby..............................................................................................................................................118
2.5.4 Configuring Source NAT............................................................................................................................................... 119
2.5.5 Configuring the NAT Server and Smart DNS........................................................................................................ 121

2.5.6 Configuring Security Policies and Security Protection........................................................................ 123
2.5.7 Configuring User Tracing.............................................................................................................................. 125
2.5.8 Viewing Traffic Statistics.............................................................................................................................................. 126
2.5.9 Verification........................................................................................................................................................................ 127
2.5.10 Configuration Scripts................................................................................................................................................... 128
2.6 Conclusion and Suggestions........................................................................................................................................... 134

3 Application of Firewalls in the Security Solution for Financial Data Centers...... 136
3.1 Introduction.......................................................................................................................................................... 136
3.2 Solution Overview.............................................................................................................................................................. 136
3.3 Firewalls at the Data Center Egress............................................................................................................................. 138
3.3.1 Typical Networking......................................................................................................................................................... 138
3.3.2 Service Planning.............................................................................................................................................................. 139
3.3.3 Precautions........................................................................................................................................................................ 145
3.3.4 Configuration Procedure...............................................................................................................................................146
3.3.5 Verification........................................................................................................................................................................ 150
3.3.6 Configuration Scripts..................................................................................................................................................... 153
3.4 Firewalls in the Intranet Access Area...........................................................................................................................155
3.4.1 Typical Networking......................................................................................................................................................... 155
3.4.2 Service Planning.............................................................................................................................................................. 156
3.4.3 Precautions........................................................................................................................................................................ 160
3.4.4 Configuration Procedure...............................................................................................................................................160
3.4.5 Verification........................................................................................................................................................................ 169
3.4.6 Configuration Scripts..................................................................................................................................................... 172
3.5 Firewalls at the Internet Egress..................................................................................................................................... 173
3.5.1 Typical Networking......................................................................................................................................................... 173
3.5.2 Service Planning.............................................................................................................................................................. 174
3.5.3 Precautions........................................................................................................................................................................ 184
3.5.4 Configuration Procedure...............................................................................................................................................184
3.5.4.1 Configuring Interfaces, Security Zones, and Routes........................................................................................ 184
3.5.4.2 Configuring Hot Standby.......................................................................................................................................... 186
3.5.4.3 Configuring the NAT Server..................................................................................................................................... 187
3.5.4.4 Configuring Security Policies and Security Protection.................................................................................... 187
3.5.4.5 Configuring IPSec VPN...............................................................................................................................................190
3.5.4.6 Configuring SSL VPN.................................................................................................................................................. 191
3.5.5 Verification........................................................................................................................................................................ 194
3.5.6 Configuration Scripts..................................................................................................................................................... 195
3.6 Conclusion and Suggestions........................................................................................................................................... 202

4 Application of Firewalls in the Security Solution for Cloud Computing Networks......... 203
4.1 Introduction.......................................................................................................................................................... 203
4.2 Solution Overview.............................................................................................................................................................. 203
4.3 Solution 1: Firewall Serving as Gateway.................................................................................................................... 205

4.3.1 Typical Networking......................................................................................................................................... 206
4.3.2 Service Planning.............................................................................................................................................. 207
4.3.3 Precautions........................................................................................................................................................................ 222
4.3.4 Configuration Procedure...............................................................................................................................................223
4.3.5 Verification........................................................................................................................................................................ 230
4.3.6 Configuration Scripts..................................................................................................................................................... 231
4.4 Solution 2: Switch Serving as Gateway.......................................................................................................................234
4.4.1 Typical Networking......................................................................................................................................................... 234
4.4.2 Service Planning.............................................................................................................................................................. 236
4.4.3 Precautions........................................................................................................................................................................ 250
4.4.4 Configuration Procedure...............................................................................................................................................251
4.4.5 Verification........................................................................................................................................................................ 258
4.4.6 Configuration Scripts..................................................................................................................................................... 259
4.5 Conclusion and Suggestions........................................................................................................................................... 262

5 Application of Firewalls in the Egress Security Solution for Enterprise Campus Networks......... 263
5.1 Introduction.......................................................................................................................................................... 263
5.2 Solution Overview.............................................................................................................................................................. 263
5.3 Solution Design................................................................................................................................................................... 266
5.3.1 Typical Networking......................................................................................................................................................... 266
5.3.2 Service Planning.............................................................................................................................................................. 268
5.4 Precautions........................................................................................................................................................................... 286
5.5 Solution Configuration..................................................................................................................................................... 288
5.5.1 Configuration Procedure...............................................................................................................................................288
5.5.2 Verification........................................................................................................................................................................ 303
5.5.3 Configuration Scripts..................................................................................................................................................... 304
5.6 Conclusion and Suggestions........................................................................................................................................... 310

6 Application of the Firewalls in the SCG Carrier Scenario.......................................... 311
6.1 Introduction.......................................................................................................................................................... 311
6.2 Solution Overview.............................................................................................................................................................. 311
6.3 Solution Design................................................................................................................................................................... 312
6.3.1 Typical Networking......................................................................................................................................................... 312
6.3.2 Service Planning.............................................................................................................................................................. 316
6.3.2.1 Interfaces and Security Zones................................................................................................................................. 316
6.3.2.2 Availability......................................................................................................................................................................319
6.3.2.3 GRE Tunnels................................................................................................................................................................... 320
6.3.2.4 Security Policies............................................................................................................................................................ 321
6.3.2.5 NAT................................................................................................................................................................................... 322
6.3.2.6 Routes.............................................................................................................................................................................. 323
6.3.2.7 Others.............................................................................................................................................................................. 326
6.4 Precautions........................................................................................................................................................................... 327
6.5 Solution Configuration..................................................................................................................................................... 327

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. x


HUAWEI Firewall
Comprehensive Configuration Examples Contents

6.5.1 Procedure........................................................................................................................................................................... 327


6.5.1.1 Configuring Interfaces and Security Zones......................................................................................................... 328
6.5.1.2 Configuring Availability............................................................................................................................................. 332
6.5.1.3 Configuring GRE Tunnels.......................................................................................................................................... 335
6.5.1.4 Configuring Security Policies................................................................................................................................... 336
6.5.1.5 Configuring NAT.......................................................................................................................................................... 337
6.5.1.6 Configuring Routes..................................................................................................................................................... 338
6.5.1.7 Others.............................................................................................................................................................................. 340
6.5.2 Verification........................................................................................................................................................................ 342
6.5.3 Configuration Scripts..................................................................................................................................................... 344

7 Application of Firewalls in the Core Network PS Domain........................................ 347


7.1 Introduction.......................................................................................................................................................................... 347
7.2 Solution Overview.............................................................................................................................................................. 347
7.3 Solution Design................................................................................................................................................................... 349
7.3.1 Typical Networking......................................................................................................................................................... 349
7.3.2 Service Planning.............................................................................................................................................................. 353
7.4 Precautions........................................................................................................................................................................... 359
7.5 Solution Configuration..................................................................................................................................................... 361
7.5.1 Configuration Procedure...............................................................................................................................................361
7.5.2 Verification........................................................................................................................................................................ 369
7.5.3 Configuration Scripts..................................................................................................................................................... 370
7.6 Other Solutions................................................................................................................................................................... 372
7.6.1 VRRP + OSPF (Active/Standby Backup).................................................................................................................. 373
7.6.2 OSPF (Load Balancing)................................................................................................................................................. 374

8 Application of Firewalls in the CGN Solution.............................................................. 377


8.1 Introduction.......................................................................................................................................................................... 377
8.2 Solution Overview.............................................................................................................................................................. 377
8.3 Scheme 1: 6RD+NAT444.................................................................................................................................................. 383
8.3.1 Typical Networking.........................................................................................................................................................384
8.3.2 Service Planning.............................................................................................................................................................. 386
8.3.3 Precautions........................................................................................................................................................................ 393
8.3.4 Configuration Flow......................................................................................................................................................... 393
8.3.5 Configuration Procedure...............................................................................................................................................477
8.3.6 Verification........................................................................................................................................................................ 481
8.3.7 Configuration Scripts..................................................................................................................................................... 483
8.4 Scheme 2: Dual Stack+NAT444+NAT64..................................................................................................................... 486
8.4.1 Typical Networking.........................................................................................................................................................486
8.4.2 Service Planning.............................................................................................................................................................. 489
8.4.3 Precautions........................................................................................................................................................................ 496
8.4.4 Configuration Flow......................................................................................................................................................... 496
8.4.5 Configuration Procedure...............................................................................................................................................543
8.4.6 Verification........................................................................................................................................................................ 546


8.4.7 Configuration Scripts..................................................................................................................................................... 549


8.5 Scheme 3: DS-Lite+NAT64.............................................................................................................................................. 551
8.5.1 Typical Networking......................................................................................................................................................... 551
8.5.2 Service Planning.............................................................................................................................................................. 554
8.5.3 Precautions........................................................................................................................................................................ 560
8.5.4 Configuration Flow......................................................................................................................................................... 560
8.5.5 Configuration Procedure...............................................................................................................................................631
8.5.6 Verification........................................................................................................................................................................ 634
8.5.7 Configuration Scripts..................................................................................................................................................... 636
8.6 Conclusion and Suggestions........................................................................................................................................... 639

9 Application of Firewalls in the LTE IPSec Solution..................................................... 640


9.1 Introduction.......................................................................................................................................................................... 640
9.2 Solution Overview.............................................................................................................................................................. 640
9.3 Solution Design................................................................................................................................................................... 642
9.3.1 Networking Requirements........................................................................................................................................... 642
9.3.2 Service Planning.............................................................................................................................................................. 644
9.3.2.1 IPSec Service Planning............................................................................................................................................... 644
9.3.2.2 Availability Planning................................................................................................................................................... 645
9.3.2.3 Data Planning............................................................................................................................................................... 646
9.3.2.4 Route Planning............................................................................................................................................................. 650
9.4 Precautions........................................................................................................................................................................... 652
9.5 Solution Configuration..................................................................................................................................................... 653
9.5.1 Configuring Interfaces and Security Zones............................................................................................................ 653
9.5.2 Configuring Hot Standby..............................................................................................................................................655
9.5.3 Configuring IPSec............................................................................................................................................................ 656
9.5.4 Configuring Security Policies....................................................................................................................................... 659
9.5.5 Configuring the Interworking with Servers............................................................................................................ 660
9.5.6 Verification........................................................................................................................................................................ 660
9.5.7 Configuration Scripts..................................................................................................................................................... 662
9.6 Availability Solution........................................................................................................................................................... 665



1 Application of Firewalls in the Campus Egress Security Solution

1.1 Introduction
This section describes the application of firewalls in the campus egress security
solution. Based on the main issues faced by campus security and network access
management requirements of the campus, the section provides two typical
applications that meet most campus network security solution deployment
requirements.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.

1.2 Solution Overview


With the rapid growth of education informatization and the gradual improvement of
campus network construction, teachers and students enjoy rich network resources
but also face increasingly serious campus network security issues. These security
issues affect the teaching, management, and scientific research activities of the
campus. Constructing a secure campus network with a high access speed has
become an urgent problem for campus managers.
From the network layer to the application layer, the campus network faces
different security threats:
● Network border protection: The campus generally has multiple egresses, the
link bandwidth is high, and the network structure is complex. The spread of
viruses and worms has become the most notorious threat to the campus.
Increasing remote network access brings great challenges to campus
security.
● Content security defense: Network intrusion behaviors cannot be detected
and blocked in a timely manner. URL access control is required to control the
online behaviors of users. Improper network messages and contents need to
be prevented to minimize their negative impact on society.
As a high-performance next generation firewall (NGFW), the FW can be deployed
on the egress of the campus network to reduce security threats and help
implement effective network management. Besides security isolation and routine
attack defense, the FW provides multiple advanced application security
capabilities, such as attack defense, IPS, antivirus, and online behavior auditing. It
provides application-layer protection while implementing border protection.
As shown in Figure 1-1, the FW is deployed on the egress of the campus network
as a security gateway to provide security isolation and protection for access
between the intranet and extranet. The FW provides not only IP address-based
security policies and network access control but also user-based access control and
source tracking of user behaviors. The FW allows the network administrator to
select the most effective management and control policies and reduces the
security maintenance workload.

Figure 1-1 Application of the FW on a campus network

1.3 Solution 1: IP Address-based Policy Control

1.3.1 Typical Networking


As shown in Figure 1-2, the FW is deployed on the egress of the campus network
as a security gateway. It provides bandwidth services for users in the campus and
server access services for users outside the campus. Because the campus network
has been developed phase by phase, the egress links have uneven bandwidth.
The bandwidth of the link to the education network is 1 Gbit/s, the bandwidths of
the three links to the ISP1 network are 200 Mbit/s, 1 Gbit/s, and 200 Mbit/s
respectively, and the bandwidth of each of the two links to the ISP2 network is 1 Gbit/s.


Figure 1-2 Typical networking of IP address-based policy control

The campus network is mainly used for learning and working. Therefore, in
addition to ensuring the security of intranet users and servers, the egress needs to
properly allocate bandwidth resources and implement load balancing for network
traffic to improve the access experience of intranet and extranet users. The main
requirements of the campus network are as follows:
● Load balancing
– The ISP links must be fully used to ensure the network access experience
of intranet users. The campus wants the traffic destined to a specific ISP
network to be preferentially forwarded by the outbound interface
corresponding to that ISP. For example, traffic destined for the education
network is preferentially forwarded by GE 1/0/1, and traffic destined for
the ISP2 network is preferentially forwarded by GE 1/0/5 or GE 1/0/6. The
links to the same ISP network can implement traffic load balancing by
link bandwidth or weight ratio. To improve forwarding reliability and
prevent packet loss caused by an overburdened link, link backup is
required among the links.
– The ISP links have different transmission quality. The link to the
education network and the links to the ISP2 network have high quality and
can forward service traffic with strict delay requirements, such as the
traffic of the distance education system. The links to the ISP1 network
have poor quality and can forward bandwidth-consuming, low-value
service traffic, such as P2P traffic. Considering the cost, the traffic
destined to the servers of other campuses, the network access traffic of users
in the library, and the traffic matching default routes are forwarded over the
link to the education network.


– Users on the campus automatically obtain the same DNS server
address, so their traffic is forwarded over the same ISP link. The campus
wants to make full use of the other link resources and requests that some
DNS request packets be distributed to other ISP links. Changing only the
outbound interface of packets cannot resolve the issue that subsequent
network access traffic is forwarded over one link. Therefore, DNS request
packets need to be forwarded to the DNS servers of different ISP networks,
so that the resolved addresses belong to different ISP networks.
– A DNS server is deployed on the campus network to provide domain
name resolution services. When users on different ISP networks access
the campus network, they can use the resolved address that belongs to
the same ISP as the users for access, improving the access quality.
– The traffic destined to the server in the library is heavy, and therefore two
servers are required for traffic load balancing.
● Address translation
– Users on the campus network require public IP addresses to access the
Internet.
– The servers, such as library servers, portal servers, and DNS servers, on
the campus network use public IP addresses to provide services for
intranet and extranet users.
● Security defense
– Assign network devices to different zones based on their locations,
implement security isolation for interzone traffic, and control the
permissions on mutual zone access. For example, allow users on the
campus to access extranet resources, and allow extranet users to access
only a specific port of an intranet server.
– Common DDoS attacks (such as SYN flood attacks) and single-packet
attacks (such as Land attacks) are effectively defended against.
– Network intrusion behaviors are blocked and alerted.
● Bandwidth management and control
Due to limited bandwidth resources, the campus requests to limit the
bandwidth percentage of P2P traffic as well as the bandwidth of each user's
P2P traffic. Common P2P traffic is generated by download software (Thunder,
eMule, BT, Ares, and Vuze), music software (Kugou Music, kugou, and
SoulSeek), or video websites or software (Baidu player, QiYi, and SHPlayer).
● Source tracing and auditing
– To prevent the improper online behavior of users on the campus from
harming the reputation of the campus, perform source tracing for the
improper behavior and restore the improper behavior. The online
behavior of users on the campus needs to be audited for subsequent
investigation and analysis. The behavior to be audited includes URL
access records, BBS posts and microblogs, HTTP upload and download,
and FTP upload and download.
– Log servers are deployed on the campus. Attack defense and intrusion
detection logs as well as pre-NAT and post-NAT IP addresses can be
viewed on the log servers.


1.3.2 Service Planning


The FW can meet all requirements of the campus network. This section describes
the functions of the FW and provides service planning based on the networking.

Basic Network Configuration and Access Control Configuration


The FW defines security zones and implements security isolation between these
zones. It controls the permissions on mutual zone access by using security policies.

Users on the campus network are in the Trust zone, which has the highest security
level. These users can proactively access all the zones. Servers are also in the Trust
zone and can access only extranets under the control of security policies, but not
other devices in the Trust zone. A separate security zone is created for each ISP
link so that the policies between any two zones can be controlled independently.
The devices on each ISP network can access the server area. In addition, ASPF
needs to be enabled to ensure normal communication between zones through
multi-channel protocols, such as FTP.

Table 1-1 Planning for basic network configuration

Item: GE1/0/1
Data:
● IP address: 1.1.1.1/30
● Security zone: edu_zone (priority value 20)
● Gateway address: 1.1.1.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the education network is assigned to user-defined security zone edu_zone. The priority of a user-defined security zone can be set as required.

Item: GE1/0/2
Data:
● IP address: 2.2.2.1/30
● Security zone: isp1_zone1 (priority value 30)
● Gateway address: 2.2.2.2
● Sticky load balancing: enabled
● Bandwidth: 200 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the ISP1 network is assigned to user-defined security zone isp1_zone1.

Item: GE1/0/3
Data:
● IP address: 2.2.3.1/30
● Security zone: isp1_zone2 (priority value 40)
● Gateway address: 2.2.3.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the ISP1 network is assigned to user-defined security zone isp1_zone2.

Item: GE1/0/4
Data:
● IP address: 2.2.4.1/30
● Security zone: isp1_zone3 (priority value 50)
● Gateway address: 2.2.4.2
● Sticky load balancing: enabled
● Bandwidth: 200 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the ISP1 network is assigned to user-defined security zone isp1_zone3.

Item: GE1/0/5
Data:
● IP address: 3.3.3.1/30
● Security zone: isp2_zone1 (priority value 60)
● Gateway address: 3.3.3.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the ISP2 network is assigned to user-defined security zone isp2_zone1.

Item: GE1/0/6
Data:
● IP address: 3.3.4.1/30
● Security zone: isp2_zone2 (priority value 70)
● Gateway address: 3.3.4.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the ISP2 network is assigned to user-defined security zone isp2_zone2.

Item: GE1/0/7
Data:
● IP address: 10.2.0.1/24
● Security zone: Trust
Description: The interface connecting the FW to the campus network is assigned to the Trust zone. Users and servers on the campus are in the Trust zone.

Table 1-2 Planning for access control configuration

Item: Security policy for users on the campus
Data:
● Security policy name: user_inside
● Source security zone: Trust
● Action: permit
Description: Users on the campus can access devices in any security zone. By default, devices in the same security zone cannot access each other. A security policy must be configured to specify the source or destination security zone. For example, if the source and destination security zones are both the Trust zone, the devices in the Trust zone can access each other. If the source security zone is the Trust zone and the destination security zone is any, the devices in the Trust zone can access any security zone. If the source security zone is any and the destination security zone is Trust, devices in any security zone can access the Trust zone.

Item: Security policy for extranet users
Data:
● Security policy name: user_outside
● Source security zone: edu_zone, isp1_zone1, isp1_zone2, isp1_zone3, isp2_zone1 and isp2_zone2
● Destination IP address: 10.1.10.0/24
● Action: permit
Description: Users outside the campus can access the server area, but not other devices in the Trust zone.

Item: Security policy for the log server
Data:
● Security policy name: local_to_any
● Source security zone: Local
● Destination security zone: Any
● Action: permit
Description: The FW is allowed to send log information to the log server and upgrade center.
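As an added illustration that is not part of Huawei's document or product code, the following Python model applies the three policies of Table 1-2, in order, to a few constructed flows. The zone names come from Table 1-1; first-match evaluation, the denial of flows that match no policy (including traffic between two devices in the same zone when no policy covers it), and the sample flows are assumptions of the model rather than vendor-confirmed behaviour.

```python
# Added example (not Huawei code): a model of how ordered security policies
# decide interzone access. Zone names and the three policies come from
# Tables 1-1 and 1-2; the evaluation rules (first match wins, unmatched
# flows dropped) are assumptions of this model.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = "any"

# User-defined zones for the ISP links (Table 1-1) plus Trust and the FW's
# own Local zone (Table 1-2).
ISP_ZONES = {"edu_zone", "isp1_zone1", "isp1_zone2", "isp1_zone3",
             "isp2_zone1", "isp2_zone2"}
ZONES = ISP_ZONES | {"trust", "local"}


@dataclass
class Policy:
    name: str
    src_zones: Set[str]                 # {ANY} matches every zone
    dst_zones: Set[str]
    dst_nets: List[IPv4Network] = field(default_factory=list)  # empty: any address
    action: str = "permit"

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str) -> bool:
        """All configured match fields must hold; unspecified fields match anything."""
        if ANY not in self.src_zones and src_zone not in self.src_zones:
            return False
        if ANY not in self.dst_zones and dst_zone not in self.dst_zones:
            return False
        if self.dst_nets and not any(ip_address(dst_ip) in net for net in self.dst_nets):
            return False
        return True


# The three policies of Table 1-2, in the order the firewall evaluates them.
# user_outside restricts extranet users to the server area 10.1.10.0/24.
POLICIES = [
    Policy("user_inside", {"trust"}, {ANY}),
    Policy("user_outside", set(ISP_ZONES), {ANY}, [ip_network("10.1.10.0/24")]),
    Policy("local_to_any", {"local"}, {ANY}),
]


def evaluate(policies: List[Policy], src_zone: str, dst_zone: str,
             dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, matching policy name). The first matching policy wins;
    a flow that matches none, including traffic between two devices in the
    same zone, is denied (default deny, an assumption of the model)."""
    for zone in (src_zone, dst_zone):
        if zone not in ZONES:
            raise ValueError(f"unknown security zone: {zone}")
    for policy in policies:
        if policy.matches(src_zone, dst_zone, dst_ip):
            return policy.action, policy.name
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows: (source zone, destination zone, destination IP)
    samples = [
        ("trust", "isp2_zone1", "3.3.30.1"),      # campus user to the Internet
        ("isp1_zone1", "trust", "10.1.10.20"),    # extranet user to a server
        ("isp1_zone1", "trust", "10.2.0.50"),     # extranet user to a campus PC
        ("edu_zone", "isp2_zone1", "3.3.30.1"),   # transit between ISP links
        ("local", "trust", "10.1.10.30"),         # FW to a server in the server area
    ]
    for flow in samples:
        print(flow, "->", evaluate(POLICIES, *flow))
```

The third and fourth sample flows show the two checks a reviewer of this plan would want to see: an extranet user reaching a campus PC outside 10.1.10.0/24 is dropped even though the Trust zone is reachable, and nothing permits traffic to transit from one ISP zone to another.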


Intrusion Prevention
Intrusion prevention needs to be enabled on the FW to alert on or block the intrusion
of botnets, Trojan horses, and worms. To better identify intrusion behavior, the FW
needs to periodically update the intrusion prevention signature database through the
security center (sec.huawei.com).

Table 1-3 Planning for intrusion prevention configuration

Item: Intrusion prevention for extranets
Data:
● Security policy name: user_inside
● Intrusion prevention profile: default
Description: Intrusion prevention is required when devices in the Trust zone access extranets. The security policy references the default intrusion prevention profile default.

Item: Intrusion prevention for the server area
Data:
● Security policy name: user_outside
● Intrusion prevention profile: default
Description: Intrusion prevention is required when extranet users access devices in the server area. The security policy references the default intrusion prevention profile default.

Item: Intrusion prevention signature database update
Data:
● URL of the update center: sec.huawei.com
● DNS server address: 10.1.10.30
● Update mode: scheduled
● Update frequency: every day
● Update time: 02:30
Description: The intrusion prevention signature database needs to be updated frequently to improve the security defense capability of devices. To reduce the workload of the administrator, configure the device to update the database in a scheduled manner when the network traffic is light.

DNS Transparent Proxy


DNS transparent proxy changes the destination address of a DNS request
packet, implementing DNS server redirection. In this case, DNS transparent proxy
works together with PBR intelligent uplink selection so that DNS request
packets are forwarded based on the link bandwidth ratio. The resolved server
addresses then belong to different ISP networks, and therefore subsequent access
traffic will be distributed to different ISP links.
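The following Python model is an added example, not Huawei's code or configuration, of the mechanism just described together with the load-balancing requirement from 1.3.1: each DNS request is assigned to an egress link in proportion to link bandwidth, links above the overload protection threshold are skipped, and the request's destination is rewritten to the DNS server bound to the chosen interface (primary, or secondary when the primary is Down), while domain name exceptions are resolved by their fixed server. The interface names, bandwidths, the 90% threshold and the DNS server addresses follow Tables 1-1 and 1-4; the smooth weighted round-robin algorithm, the link load figures, the query names and the fallback when every link is overloaded are assumptions made so the model runs offline.

```python
# Added example (not Huawei code): DNS transparent proxy combined with load
# balancing by link bandwidth and overload protection. Interfaces, bandwidths,
# the 90% threshold and DNS server addresses follow Tables 1-1 and 1-4; the
# smooth weighted round robin, the link loads and the all-overloaded fallback
# are assumptions of this model.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OVERLOAD_THRESHOLD = 0.9  # overload protection threshold from Table 1-1


@dataclass
class Uplink:
    name: str
    bandwidth_mbps: int
    primary_dns: str
    secondary_dns: str
    primary_up: bool = True      # False once the primary DNS server is Down
    load_mbps: float = 0.0       # constructed current utilisation of the link
    current: float = 0.0         # smooth weighted round-robin accumulator

    def overloaded(self) -> bool:
        return self.load_mbps >= OVERLOAD_THRESHOLD * self.bandwidth_mbps

    def dns_server(self) -> str:
        """Primary server unless it is Down, as Table 1-4 describes."""
        return self.primary_dns if self.primary_up else self.secondary_dns


def make_uplinks() -> List[Uplink]:
    """Egress links with the DNS servers bound to each interface (Table 1-4)."""
    return [
        Uplink("GE1/0/1", 1000, "1.1.22.22", "1.1.23.23"),
        Uplink("GE1/0/2", 200, "2.2.22.22", "2.2.23.23"),
        Uplink("GE1/0/3", 1000, "2.2.24.24", "2.2.25.25"),
        Uplink("GE1/0/4", 200, "2.2.26.26", "2.2.27.27"),
        Uplink("GE1/0/5", 1000, "3.3.22.22", "3.3.23.23"),
        Uplink("GE1/0/6", 1000, "3.3.24.24", "3.3.25.25"),
    ]


# Domain name exceptions (Table 1-4): resolved by a fixed server, never proxied.
DOMAIN_EXCEPTIONS = {"www.example.com": "1.1.25.25"}


def pick_uplink(uplinks: List[Uplink]) -> Uplink:
    """Load balancing by link bandwidth: smooth weighted round robin with the
    bandwidth as weight, skipping links above the overload threshold."""
    candidates = [u for u in uplinks if not u.overloaded()]
    if not candidates:            # assumption: if every link is overloaded, use all
        candidates = list(uplinks)
    total = sum(u.bandwidth_mbps for u in candidates)
    for u in candidates:
        u.current += u.bandwidth_mbps
    chosen = max(candidates, key=lambda u: u.current)
    chosen.current -= total
    return chosen


def proxy_dns_request(qname: str, uplinks: List[Uplink]) -> Tuple[Optional[str], str]:
    """Return (outbound interface, destination DNS server) for one DNS request.
    Exceptions bypass the proxy and follow normal routing (interface None here)."""
    if qname in DOMAIN_EXCEPTIONS:
        return None, DOMAIN_EXCEPTIONS[qname]
    link = pick_uplink(uplinks)
    return link.name, link.dns_server()


def distribute(n: int, uplinks: List[Uplink],
               qname: str = "host.example.net") -> Dict[str, int]:
    """Send n proxied requests (constructed query name) and count how many
    leave on each interface; accumulators are reset so runs are repeatable."""
    for u in uplinks:
        u.current = 0.0
    counts = Counter(proxy_dns_request(qname, uplinks)[0] for _ in range(n))
    return dict(counts)


if __name__ == "__main__":
    links = make_uplinks()
    print(distribute(22, links))      # 5:1:5:1:5:5, proportional to bandwidth
    links[0].load_mbps = 950.0        # GE1/0/1 is above 90% of 1000 Mbit/s
    print(distribute(17, links))      # GE1/0/1 is no longer chosen
    links[1].primary_up = False       # primary server on GE1/0/2 goes Down
    print(proxy_dns_request("www.example.com", links))
```

Over 22 requests the split is exactly 5:1:5:1:5:5, the 1000:200 bandwidth ratio of the links; once GE1/0/1 crosses the 90% threshold it drops out and the remaining links keep their ratio. Because each request is rewritten to a server belonging to the chosen ISP, the resolved addresses, and hence the subsequent traffic, follow the same split.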


Table 1-4 Planning for DNS transparent proxy configuration

Item: Servers to which interfaces are bound
Data:
● GE1/0/1:
– Primary DNS server: 1.1.22.22
– Secondary DNS server: 1.1.23.23
● GE1/0/2:
– Primary DNS server: 2.2.22.22
– Secondary DNS server: 2.2.23.23
● GE1/0/3:
– Primary DNS server: 2.2.24.24
– Secondary DNS server: 2.2.25.25
● GE1/0/4:
– Primary DNS server: 2.2.26.26
– Secondary DNS server: 2.2.27.27
● GE1/0/5:
– Primary DNS server: 3.3.22.22
– Secondary DNS server: 3.3.23.23
● GE1/0/6:
– Primary DNS server: 3.3.24.24
– Secondary DNS server: 3.3.25.25
Description: The FW prefers the primary DNS server address to replace the destination address in a received DNS request packet. It uses the secondary DNS server address to replace the destination address in a received DNS request packet only when the primary DNS server is in the Down state.

Item: Domain name exception
Data:
● Domain name exception: www.example.com
● DNS server: 1.1.25.25
Description: DNS transparent proxy is not carried out for the domain name exception. The administrator can specify a DNS server to resolve the domain name exception.

Item: DNS transparent proxy policy
Data: dns_trans_rule:
● Source IP address: any
● Destination IP address: any
● Action: tpdns (indicating that DNS transparent proxy is implemented)
Description: The DNS transparent proxy policy defines which DNS request packets require DNS transparent proxy. In this case, all DNS request packets except those carrying a domain name exception require DNS transparent proxy.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 10


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Item Data Description

Policy pbr_dns_trans: The policy-based route must be


- ● Source security zone: Trust placed in the front of the other
based ones. The route is matched with
routin ● Service: DNS and DNS-TCP DNS request packets by the service
g ● Intelligent uplink selection type (DNS service that uses TCP or
mode: load balancing by link UDP). Load balancing by link
bandwidth bandwidth is carried out for
● Outbound interfaces involved in matching DNS request packets.
intelligent uplink selection After users on the campus obtain
resolved addresses, the service
– GE1/0/1 packets sent by the users will be
– GE1/0/2 matched with PBRs.
– GE1/0/3
– GE1/0/4
– GE1/0/5
– GE1/0/6
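The following is an added example (not Huawei code) that models the DNS transparent proxy decision planned in Table 1-4: the domain name exception, the dns_trans_rule policy, the choice of outbound link, and the fallback from the primary to the secondary DNS server. Interface names and DNS server addresses are from the table and the link bandwidths are the values configured in Step 1 of the procedure; the scheduler (the link that has so far carried the least traffic relative to its bandwidth, standing in for the FW's bandwidth-ratio distribution), the `primary_up` flag and the request addresses are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    """One outbound interface and the DNS servers bound to it (Table 1-4)."""
    name: str
    bandwidth: int            # egress bandwidth as configured in Step 1 (same units as there)
    primary_dns: str
    secondary_dns: str
    primary_up: bool = True   # assumed to reflect the FW's probing of the primary server
    bytes_sent: int = 0       # running counter used by the scheduler (model assumption)


def make_links() -> List[Link]:
    return [
        Link("GE1/0/1", 1_000_000, "1.1.22.22", "1.1.23.23"),
        Link("GE1/0/2",   200_000, "2.2.22.22", "2.2.23.23"),
        Link("GE1/0/3", 1_000_000, "2.2.24.24", "2.2.25.25"),
        Link("GE1/0/4",   200_000, "2.2.26.26", "2.2.27.27"),
        Link("GE1/0/5", 1_000_000, "3.3.22.22", "3.3.23.23"),
        Link("GE1/0/6", 1_000_000, "3.3.24.24", "3.3.25.25"),
    ]


# Domain name exception and the DNS server that resolves it (Table 1-4).
EXCEPTIONS: Dict[str, str] = {"www.example.com": "1.1.25.25"}

# dns_trans_rule: any source, any destination, action tpdns (Table 1-4).
DNS_TRANS_RULE = {"source": "any", "destination": "any", "action": "tpdns"}


def rule_matches(rule: dict, src_ip: str, dst_ip: str) -> bool:
    return rule["source"] in ("any", src_ip) and rule["destination"] in ("any", dst_ip)


def pick_link(links: List[Link]) -> Link:
    """Deterministic stand-in for 'forwarded based on the link bandwidth ratio':
    choose the link that has carried the least traffic relative to its bandwidth."""
    return min(links, key=lambda l: l.bytes_sent / l.bandwidth)


def proxy_dns_request(qname: str, src_ip: str, dst_ip: str, size: int,
                      links: List[Link]) -> Tuple[str, Optional[str]]:
    """Return (destination address after DNS transparent proxy, outbound interface).
    An interface of None means the packet is forwarded by the ordinary routing table."""
    name = qname.rstrip(".").lower()
    if name in EXCEPTIONS:                      # exception: the administrator's DNS server, no PBR
        return EXCEPTIONS[name], None
    if not rule_matches(DNS_TRANS_RULE, src_ip, dst_ip) or DNS_TRANS_RULE["action"] != "tpdns":
        return dst_ip, None                     # not proxied: destination left unchanged
    link = pick_link(links)                     # pbr_dns_trans: load balancing by link bandwidth
    link.bytes_sent += size
    new_dst = link.primary_dns if link.primary_up else link.secondary_dns
    return new_dst, link.name


def distribution(n: int, size: int = 100) -> Dict[str, int]:
    """Count how many of n equal-sized requests (constructed) land on each link."""
    links = make_links()
    counts = {l.name: 0 for l in links}
    for i in range(n):
        _, iface = proxy_dns_request(f"host{i}.example.net", "10.1.1.1", "192.0.2.53", size, links)
        counts[iface] += 1
    return counts
```

With 4400 equal-sized requests the counts come out proportional to the configured bandwidths (about 1000 on each 1,000,000 link and 200 on each 200,000 link), which is the behaviour the table describes for pbr_dns_trans.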

Intelligent Uplink Selection


To meet the traffic forwarding requirements of the campus network egress, you
can enable intelligent uplink selection on the FW. Then the FW can forward traffic
by ISP based on the ISP address set. To meet the forwarding requirement of some
special traffic, use single-ISP PBR to forward the traffic from a fixed outbound
interface. Use a link with better quality to forward the traffic that does not match
any item in the ISP address set.

Table 1-5 Planning for intelligent uplink selection configuration

Item: Single-ISP PBR
Data:
● other_edu_server:
  – Source security zone: Trust
  – Source address: 10.1.0.0/16
  – Destination address: other_edu_server_address
  – Outbound interface: GE1/0/1
  – Next-hop address: 1.1.1.2
● lib_internet:
  – Source security zone: Trust
  – Source address: 10.1.50.0/22
  – Outbound interface: GE1/0/1
  – Next-hop address: 1.1.1.2
Description: The priority of the PBRs is higher than that of specific routes and default routes. Therefore, special traffic can be forwarded using PBRs. Single-ISP PBR and multi-ISP PBR have the same priority. However, the PBR configured first is ranked ahead of the one configured later. You can adjust the sequence of PBRs based on service requirements and matching conditions. Generally, the PBR with strict matching conditions is ranked ahead of the PBR with loose matching conditions, and the PBR matching special traffic is ranked ahead of the PBRs that match common traffic.

Item: ISP address set
Data:
● Address set of the education network:
  – ISP name: edu_address
  – ISP address file name: edu_address.csv
● ISP1 address set:
  – ISP name: isp1_address
  – ISP address file name: isp1_address.csv
● ISP2 address set:
  – ISP name: isp2_address
  – ISP address file name: isp2_address.csv
● Address set of other campuses' servers:
  – ISP name: other_edu_server_address
  – ISP address file name: other_edu_server_address.csv
Description: Before configuring ISP address sets, the administrator needs to write the IP addresses of each ISP network into different ISP address files and import the files into the FW. To modify the content of an ISP address file, export the file, modify it, and import it to the FW. The following figure shows the requirements on filling in ISP address files.

Item: Multi-ISP PBR
Data:
● pbr_edu:
  – Source security zone: Trust
  – Source address: 10.1.0.0/16
  – Destination address: edu_address
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities:
    – GE1/0/1: priority value 8
    – GE1/0/2: priority value 5
    – GE1/0/3: priority value 5
    – GE1/0/4: priority value 5
    – GE1/0/5: priority value 1
    – GE1/0/6: priority value 1
● pbr_isp1:
  – Source security zone: Trust
  – Source address: 10.1.0.0/16
  – Destination address: isp1_address
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities:
    – GE1/0/1: priority value 5
    – GE1/0/2: priority value 8
    – GE1/0/3: priority value 8
    – GE1/0/4: priority value 8
    – GE1/0/5: priority value 1
    – GE1/0/6: priority value 1
● pbr_isp2:
  – Source security zone: Trust
  – Source address: 10.1.0.0/16
  – Destination address: isp2_address
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities:
    – GE1/0/1: priority value 5
    – GE1/0/2: priority value 1
    – GE1/0/3: priority value 1
    – GE1/0/4: priority value 1
    – GE1/0/5: priority value 8
    – GE1/0/6: priority value 8
● p2p_traffic:
  – Source security zone: Trust
  – Application: P2P online video and P2P file sharing
  – Intelligent uplink selection mode: load balancing by link bandwidth
  – Outbound interfaces involved in intelligent uplink selection:
    – GE1/0/2
    – GE1/0/3
    – GE1/0/4
● dis_edu_sys:
  – Source security zone: Trust
  – Application: UD_dis_edu_sys_app
  – Intelligent uplink selection mode: load balancing by link bandwidth
  – Outbound interfaces involved in intelligent uplink selection:
    – GE1/0/1
    – GE1/0/5
    – GE1/0/6
● pbr_rest:
  – Source security zone: Trust
  – Intelligent uplink selection mode: load balancing by link quality
  – Detection mode: TCP (simple detection)
  – Detection interval: 3s
  – Detection times: 5
  – Quality detection parameters:
    – Packet loss ratio
    – Delay
    – Jitter
  – Outbound interfaces involved in intelligent uplink selection:
    – GE1/0/1
    – GE1/0/2
    – GE1/0/3
    – GE1/0/4
    – GE1/0/5
    – GE1/0/6
Description: After the destination addresses of PBRs are configured as an ISP address set, the FW will use a specific ISP link to forward traffic that matches all matching conditions of a PBR. If the same ISP has multiple links, the FW will use a random link to forward traffic. If the traffic is heavy, the proportion of traffic forwarded by each link is approximately equal to the link bandwidth ratio, indicating that load balancing by link bandwidth is carried out. After links with higher priorities are overloaded, ISP links with lower priorities will be used for traffic forwarding.
For example, if traffic matches all matching conditions of PBR pbr_isp1, the destination address of the traffic belongs to the ISP1 network. The three outbound interfaces connected to the ISP1 network, GE1/0/2, GE1/0/3, and GE1/0/4, have the highest priority. Therefore, the FW randomly selects one of the three interfaces for traffic forwarding. If GE1/0/2, GE1/0/3, and GE1/0/4 are all overloaded and new traffic still matches pbr_isp1, traffic for which a session already exists is still forwarded through its original outbound interface, but new traffic is not forwarded through any of the three interfaces; it is forwarded through GE1/0/1, which has the second highest priority. After GE1/0/1 is overloaded, new traffic will be forwarded through GE1/0/5 and GE1/0/6, which have the third highest priority. If all links are overloaded, the FW will distribute traffic over the links based on the actual bandwidth ratio, not by link priority.
Because the distance education system software is not included in the application signature database of the FW, the administrator needs to create the user-defined application UD_dis_edu_sys_app based on application features and set it as a matching condition of a PBR.
The link with the best quality can be selected through pbr_rest to forward traffic that does not match any item in the ISP address set, ensuring user experience.

Server Load Balancing


The two servers in the library function as one high-performance and high-
reliability virtual server. For users, there is only one server. To improve user
experience, the virtual server publishes the public IP addresses of multiple ISP
networks.

Table 1-6 Planning for server load balancing configuration

Item: Servers in the library
Data:
● Load balancing algorithm: round robin algorithm
● Virtual server vs1:
  – VIP corresponding to the education network: 1.1.111.111
  – VIP corresponding to ISP1 network: 2.2.112.112
  – VIP corresponding to ISP2 network: 3.3.113.113
● Real server group grp1:
  – rserver 1: 10.1.10.10
  – rserver 2: 10.1.10.11
Description: The virtual server IP address is a public IP address, and the real server IP address is a private IP address. After server load balancing is configured, the FW will automatically generate a black-hole route for the virtual server IP address to prevent routing loops. After you delete the virtual server IP address or cancel the binding between the virtual server and real server group, the black-hole route will be automatically deleted.

Smart DNS
When a private DNS server exists, the FW with smart DNS enabled intelligently replies to DNS requests from different ISPs, so that the server address obtained by a user is in the same ISP network as the user.
For example, a school has a DNS server, which stores the portal server domain name (www.example.com) and the public IP address 1.1.15.15 assigned by the education network. Smart DNS is enabled on the FW's GE1/0/2. The mapped address is the ISP1-assigned public IP address 2.2.15.15.
When an education network user accesses the portal server address, the user obtains the public IP address 1.1.15.15 assigned by the education network as the portal server address, because GE1/0/1 does not have the smart DNS function enabled.
When an ISP1 user accesses the portal server address, the DNS server replies with a DNS response message to the user. After the FW's GE1/0/2 receives the message, the FW replaces the original public IP address 1.1.15.15 assigned by the education network with the ISP1-assigned address 2.2.15.15. After the user receives the message, he or she communicates with 2.2.15.15. Accordingly, a NAT server mapping must be configured on the FW to associate the private portal server address 10.1.10.20 with 2.2.15.15. In this manner, ISP1 users can use 2.2.15.15 to communicate with the portal server.

Table 1-7 Planning of smart DNS configuration

Item: Portal server
Data:
● Original server IP address: 1.1.15.15
● Outbound interfaces and mapped IP addresses:
  – GE1/0/2: 2.2.15.15
  – GE1/0/3: 2.2.16.16
  – GE1/0/4: 2.2.17.17
  – GE1/0/5: 3.3.15.15
  – GE1/0/6: 3.3.16.16
Description: The original server IP address is the public IP address of the education network, and therefore it is unnecessary to configure smart DNS mappings for the outbound interface corresponding to the education network.

Item: Servers in the library
Data:
● Original server IP address: 1.1.101.101
● Outbound interfaces and mapped IP addresses:
  – GE1/0/2: 2.2.102.102
  – GE1/0/3: 2.2.103.103
  – GE1/0/4: 2.2.104.104
  – GE1/0/5: 3.3.102.102
  – GE1/0/6: 3.3.103.103
Description: -
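The following is an added example (not Huawei code) that applies the smart DNS rewrite described above to a constructed DNS response message: the A record carrying the original public address is replaced with the address mapped to the outbound interface the response leaves through, and responses leaving through the education network interface are left untouched. The original and mapped addresses are from Table 1-7; the DNS message builder, the minimal parser (questions and answers only, with name-compression pointers) and the egress-interface argument are constructed for this example.

```python
import struct
from typing import Dict, List, Tuple

# Smart DNS mappings from Table 1-7: original public address -> {outbound interface: mapped address}.
SMART_DNS: Dict[str, Dict[str, str]] = {
    "1.1.15.15": {"GE1/0/2": "2.2.15.15", "GE1/0/3": "2.2.16.16", "GE1/0/4": "2.2.17.17",
                  "GE1/0/5": "3.3.15.15", "GE1/0/6": "3.3.16.16"},
    "1.1.101.101": {"GE1/0/2": "2.2.102.102", "GE1/0/3": "2.2.103.103", "GE1/0/4": "2.2.104.104",
                    "GE1/0/5": "3.3.102.102", "GE1/0/6": "3.3.103.103"},
}


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(txid: int, qname: str, answers: List[Tuple[str, int]]) -> bytes:
    """Constructed DNS response: one A question and one A record per (address, ttl)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)             # type A, class IN
    rrs = b""
    for ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # name = pointer to the question
    return hdr + question + rrs


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def smart_dns_rewrite(resp: bytes, egress_iface: str) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A records in the answer section for the interface the response leaves through.
    Returns the new message and the (old, new) address pairs, which a log entry would record."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:              # a query, not a response: leave it untouched
        return resp, []
    off = 12
    for _ in range(qd):                 # skip the question section
        off = skip_name(resp, off) + 4
    out = bytearray(resp)
    changes: List[Tuple[str, str]] = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = ".".join(str(b) for b in resp[off:off + 4])
            new = SMART_DNS.get(old, {}).get(egress_iface)
            if new:                     # same length, so offsets and the UDP length stay valid
                out[off:off + 4] = bytes(int(o) for o in new.split("."))
                changes.append((old, new))
        off += rdlen
    return bytes(out), changes


def resolved_addresses(resp: bytes) -> List[str]:
    """Extract the A record addresses from a response (used to check the rewrite)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    ips: List[str] = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips
```

Only A records whose address is an original server address are touched; any other record in the answer is passed through unchanged, and because the replacement is the same length the rest of the message stays valid.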

NAT
● NAT Server
To ensure that users on each ISP network can access intranet servers, the NAT server function is required on the FW to translate the private addresses of servers into public IP addresses.

Table 1-8 Planning for NAT server configuration

Item: Portal server
Data:
● Private IP address: 10.1.10.20
● Public IP address:
  – For the education network: 1.1.15.15
  – For ISP1 network: 2.2.15.15, 2.2.16.16, and 2.2.17.17
  – For ISP2 network: 3.3.15.15 and 3.3.16.16
Description: The NAT server can map multiple public IP addresses to the same private IP address based on the security zone.

Item: DNS server
Data:
● Private IP address: 10.1.10.30
● Public IP address:
  – For the education network: 1.1.101.101
  – For ISP1 network: 2.2.102.102, 2.2.103.103, and 2.2.104.104
  – For ISP2 network: 3.3.102.102 and 3.3.103.103
Description: -

● Source NAT
To enable a large number of intranet users to make full use of limited public
IP addresses for access, source NAT needs to be configured on the FW to
translate the private IP addresses in packets into public IP addresses.

Table 1-9 Planning for source NAT configuration

Item: Education network
Data: edu_nat_policy:
● Address pool: edu_nat_address_pool
  – Address segment: 1.1.30.31 to 1.1.30.33
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: edu_zone
Description: The source IP addresses in the packets sent by intranet users to access the education network are translated into public IP addresses of the education network.

Item: ISP1 NAT policy
Data:
isp1_nat_policy1:
● Address pool: isp1_nat_address_pool1
  – Address segment: 2.2.5.1-2.2.5.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp1_zone1
isp1_nat_policy2:
● Address pool: isp1_nat_address_pool2
  – Address segment: 2.2.6.1-2.2.6.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp1_zone2
isp1_nat_policy3:
● Address pool: isp1_nat_address_pool3
  – Address segment: 2.2.7.1-2.2.7.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp1_zone3
Description: The source IP addresses in the packets sent by intranet users to access the ISP1 network are translated into public IP addresses of the ISP1 network.

Item: ISP2 NAT policy
Data:
isp2_nat_policy1:
● Address pool: isp2_nat_address_pool1
  – Address segment: 3.3.1.1-3.3.1.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp2_zone1
isp2_nat_policy2:
● Address pool: isp2_nat_address_pool2
  – Address segment: 3.3.2.1-3.3.2.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp2_zone2
Description: The source IP addresses in the packets sent by intranet users to access the ISP2 network are translated into public IP addresses of the ISP2 network.

Item: Source NAT in the same security zone
Data: inner_nat_policy:
● Address pool: edu_nat_address_pool
  – Address segment: 1.1.30.31 to 1.1.30.33
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: Trust
Description: Source address translation is required when an intranet user (Trust zone) wants to access an intranet zone (Trust zone) through a public address.

● NAT ALG
If the FW that has NAT enabled needs to forward packets of a multichannel
protocol, such as FTP, the NAT ALG function of the protocol needs to be
enabled to ensure correct address translation for the multichannel protocol
packets. In this case, the NAT ALG functions of FTP, QQ, and RTSP are
enabled.
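The following is an added example (not Huawei code) that models the NAT server and source NAT (PAT) planning of Tables 1-8 and 1-9 as a stateful translator: destination NAT keyed by the zone a packet arrives from, source NAT chosen by source prefix and zone pair, one session entry per flow, and reverse translation of return traffic. Private and public addresses, address pools and zones are from the tables (the per-zone split of the ISP public addresses follows the interface-to-zone assignment in the configuration procedure and the interface mappings in Table 1-7); the session table, round-robin pool selection, port allocation starting at 1024 and the packet representation are constructed for this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# NAT server: (zone the packet arrives from, public address) -> private address (Table 1-8).
NAT_SERVER: Dict[Tuple[str, str], str] = {
    ("edu_zone", "1.1.15.15"): "10.1.10.20", ("isp1_zone1", "2.2.15.15"): "10.1.10.20",
    ("isp1_zone2", "2.2.16.16"): "10.1.10.20", ("isp1_zone3", "2.2.17.17"): "10.1.10.20",
    ("isp2_zone1", "3.3.15.15"): "10.1.10.20", ("isp2_zone2", "3.3.16.16"): "10.1.10.20",
    ("edu_zone", "1.1.101.101"): "10.1.10.30", ("isp1_zone1", "2.2.102.102"): "10.1.10.30",
    ("isp1_zone2", "2.2.103.103"): "10.1.10.30", ("isp1_zone3", "2.2.104.104"): "10.1.10.30",
    ("isp2_zone1", "3.3.102.102"): "10.1.10.30", ("isp2_zone2", "3.3.103.103"): "10.1.10.30",
}


def pool(first: str, last: str) -> List[str]:
    """Expand an address segment into the individual pool addresses."""
    a, b = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(a, b + 1)]


# Source NAT policies (Table 1-9): (name, source prefix, source zone, destination zone, pool).
SNAT_POLICIES = [
    ("edu_nat_policy",   "10.1.0.0/16", "trust", "edu_zone",   pool("1.1.30.31", "1.1.30.33")),
    ("isp1_nat_policy1", "10.1.0.0/16", "trust", "isp1_zone1", pool("2.2.5.1", "2.2.5.3")),
    ("isp1_nat_policy2", "10.1.0.0/16", "trust", "isp1_zone2", pool("2.2.6.1", "2.2.6.3")),
    ("isp1_nat_policy3", "10.1.0.0/16", "trust", "isp1_zone3", pool("2.2.7.1", "2.2.7.3")),
    ("isp2_nat_policy1", "10.1.0.0/16", "trust", "isp2_zone1", pool("3.3.1.1", "3.3.1.3")),
    ("isp2_nat_policy2", "10.1.0.0/16", "trust", "isp2_zone2", pool("3.3.2.1", "3.3.2.3")),
    ("inner_nat_policy", "10.1.0.0/16", "trust", "trust",      pool("1.1.30.31", "1.1.30.33")),
]


class NatTable:
    """Stateful PAT translator: one session entry per (proto, src, sport, dst, dport)."""

    def __init__(self) -> None:
        self.sessions: Dict[Packet, Packet] = {}                 # original -> translated
        self.reverse: Dict[Tuple[str, str, int], Packet] = {}    # (proto, pool ip, port) -> original
        self.next_port: Dict[str, int] = {}                      # per pool address; starts at 1024 (assumption)
        self.rr = {p[0]: cycle(p[4]) for p in SNAT_POLICIES}      # round robin over each pool (assumption)

    def nat_server(self, pkt: Packet, ingress_zone: str) -> Packet:
        """Destination NAT for traffic arriving from an ISP or education network zone."""
        inside = NAT_SERVER.get((ingress_zone, pkt.dst))
        return Packet(pkt.proto, pkt.src, pkt.sport, inside, pkt.dport) if inside else pkt

    def source_nat(self, pkt: Packet, src_zone: str, dst_zone: str) -> Tuple[Optional[str], Packet]:
        """Source NAT (PAT) for outbound traffic; returns (policy name, translated packet)."""
        if pkt in self.sessions:                  # an existing session keeps its mapping
            return "session", self.sessions[pkt]
        for name, prefix, szone, dzone, _ in SNAT_POLICIES:
            if szone == src_zone and dzone == dst_zone and ip_address(pkt.src) in ip_network(prefix):
                pub_ip = next(self.rr[name])
                port = self.next_port.get(pub_ip, 1024)
                self.next_port[pub_ip] = port + 1
                xlated = Packet(pkt.proto, pub_ip, port, pkt.dst, pkt.dport)
                self.sessions[pkt] = xlated
                self.reverse[(pkt.proto, pub_ip, port)] = pkt
                return name, xlated
        return None, pkt                          # no policy matched: forwarded untranslated

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation of a return packet addressed to a pool address and port."""
        orig = self.reverse.get((pkt.proto, pkt.dst, pkt.dport))
        if orig is None:                          # no session: the return packet is dropped
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, orig.src, orig.sport)
```

The same public address (for example 2.2.16.16) is only translated when the packet arrives from the zone it is mapped in, which is the "based on the security zone" behaviour Table 1-8 describes; a return packet to a pool port that has no session is dropped rather than forwarded.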

Attack Defense
Attack defense can detect multiple types of network attacks, such as DDoS attacks and single-packet attacks, and protects the intranet against malicious attacks.

Table 1-10 Planning for attack defense configuration

Item: Anti-DDoS
Data:
● DDoS attack type: SYN Flood
● Interface: GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
● Alarm-threshold rate: 24000
Description: For the above flood attacks, the recommended maximum packet rate for GE interfaces is 16,000 pps. In this case, the interfaces are all GE interfaces. The final interface threshold is 24000 pps, which is the test result. Configure a large threshold and adjust it according to the test until it falls into the normal range. A suitable threshold helps defend against attacks without affecting normal services.

Item: Single-packet attack defense
Data:
● Land attack defense
● Smurf attack defense
● Fraggle attack defense
● WinNuke attack defense
● IP packet with source route option attack defense
● IP packet with route record option attack defense
● IP packet with timestamp option attack defense
● Ping of Death attack defense
Description: If there are no special network security requirements, enable the function in this case to defend against single-packet attacks.
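The following is an added example (not Huawei code) that expresses the single-packet attack patterns and the SYN flood alarm threshold of Table 1-10 as detection checks run over constructed packet records. The interfaces and the 24000 pps threshold are from the table; the packet fields, the broadcast address list, the one-second counting window and the sample SYN burst are assumptions of this model.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    """Constructed packet record with the fields the checks below need."""
    iface: str
    ts: float                               # arrival time in seconds
    proto: str                              # tcp | udp | icmp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flags such as SYN, ACK, URG
    icmp_type: int = 0                      # 8 = echo request
    length: int = 64                        # total IP length after reassembly, in bytes
    options: FrozenSet[str] = frozenset()   # IP options: source_route, record_route, timestamp


BROADCASTS = {"10.1.0.255", "255.255.255.255"}   # constructed directed/limited broadcast addresses


def single_packet_checks(p: Pkt) -> List[str]:
    """Names of the single-packet attack patterns in Table 1-10 that the packet matches."""
    hits: List[str] = []
    if p.src == p.dst:                                                    # Land: source equals destination
        hits.append("land")
    if p.proto == "icmp" and p.icmp_type == 8 and p.dst in BROADCASTS:   # Smurf: echo request to broadcast
        hits.append("smurf")
    if p.proto == "udp" and p.dst in BROADCASTS and p.dport in (7, 19):  # Fraggle: echo/chargen to broadcast
        hits.append("fraggle")
    if p.proto == "tcp" and p.dport == 139 and "URG" in p.flags:         # WinNuke: urgent data to NetBIOS
        hits.append("winnuke")
    for opt in ("source_route", "record_route", "timestamp"):            # IP option attacks
        if opt in p.options:
            hits.append(f"ip_{opt}_option")
    if p.proto == "icmp" and p.length > 65535:                           # Ping of Death: oversized ICMP
        hits.append("ping_of_death")
    return hits


class SynFloodMonitor:
    """Per-interface SYN rate compared with the alarm threshold in packets per second."""

    def __init__(self, interfaces: Iterable[str], threshold_pps: int = 24000) -> None:
        self.interfaces = set(interfaces)
        self.threshold = threshold_pps
        self.counts: Dict[Tuple[str, int], int] = def...
```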

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 22


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Audit Policy
The FW supports the audit function to record the Internet access behavior defined
in the audit policy for future audit and analysis.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 23


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Table 1-11 Planning for audit policy configuration


Item Data Description

Audit ● Source security zone: Trust The campus network


policy ● Destination security zone: administrator can record the HTTP
edu_zone, isp1_zone1, and FTP behaviors of intranet
isp1_zone2, users who access the extranet for
isp1_zone3isp2_zone1, and subsequent auditing.
isp2_zone2
● Action: audit
● Audit profile:
trust_to_internet_audit
– HTTP behavior audit:
– URL access: Record all URLs.
– BBS post: Record the content
of the posts to the BBS.
– Content of microblogs:
record
– File upload through HTTP:
record
– File download through
HTTP: record
– FTP behavior audit:
– File upload through FTP:
record
– File download through FTP:
record

Bandwidth Management
As P2P traffic uses a lot of bandwidth resources, the campus requests to limit the
bandwidth used by P2P traffic over each ISP1 link and implement bandwidth
limiting for P2P traffic per IP address. Bandwidth management can implement
global/per-IP/per-user traffic limiting for a specific type of traffic.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 24


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Table 1-12 Planning for bandwidth management configuration


Item Data Description

Traffi Traffic profile: isp1_p2p_profile_01 Traffic policies define specific


c ● Traffic limiting mode: setting bandwidth resources and
limiti the total of upstream and determine which traffic that
ng for downstream bandwidth bandwidth management applies
P2P to. After a traffic policy references
traffic ● Maximum total bandwidth for a traffic profile, the traffic that
over global traffic limiting: 100M matches the traffic policy can use
the ● Maximum total bandwidth for only the bandwidth resources
link per-IP address traffic limiting: defined by the traffic profile.
wher 500K
e Traffic policy: isp1_p2p_01
GE1/
0/2 ● Inbound interface: GE1/0/7
reside ● Outbound interface: GE1/0/2
s ● Application: P2P online video
and P2P file sharing
● Action: limit
● Traffic profile:
isp1_p2p_profile_01

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 25


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Item Data Description

Traffi Traffic profile: isp1_p2p_profile_02 -


c ● Traffic limiting mode: setting
limiti the total of upstream and
ng for downstream bandwidth
P2P
traffic ● Maximum bandwidth for global
over traffic limiting: 300M
the ● Maximum total bandwidth for
link per-IP address traffic limiting:
wher 1M
e Traffic policy: isp1_p2p_02
GE1/
0/3 ● Inbound interface: GE1/0/7
reside ● Outbound interface: GE1/0/3
s ● Application: P2P online video
and P2P file sharing
● Action: limit
● Traffic profile:
isp1_p2p_profile_02

Traffi Traffic profile: isp1_p2p_profile_03 -


c ● Traffic limiting mode: setting
limiti the total of upstream and
ng for downstream bandwidth
P2P
traffic ● Maximum bandwidth for global
over traffic limiting: 700M
the ● Maximum total bandwidth for
link per-IP address traffic limiting:
wher 2M
e Traffic policy: isp1_p2p_03
GE1/
0/4 ● Inbound interface: GE1/0/7
reside ● Outbound interface: GE1/0/4
s ● Application: P2P online video
and P2P file sharing
● Action: limit
● Traffic profile:
isp1_p2p_profile_03

Log serverDevices
The log server can collect, query, and display logs. After the FW is used together
with the log server, you can view the session logs (sent by the FW) on the log
server, including session logs before and after NAT. With these logs, you can view
NAT-related address information. On the log server, you can also view the IPS and
attack defense logs sent by the FW. With these logs, you can query attacks and
intrusions on the network.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 26


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Table 1-13 Planning for interconnected NMS device configuration

Item Data Description

Log ● IP address: 10.1.10.30 -


server ● System log type: IPS and attack
defense logs

SNM ● SNMP version: V3 -


P ● SNMPv3 user group:
– Name: inside_snmp
– Authentication and
encryption mode: privacy
(both authentication and
encryption)
● Trap:
– Authentication password of
an SNMPv3 user: Test@123
– Encryption password of an
SNMPv3 user: Test@123

NAT Enable Record Session Log for the NAT tracing allows you to view
tracin following security policies: pre-NAT and post-NAT address
g ● user_inside information. After the session log
function is enabled in the security
● user_outside policy view, the FW sends the logs
on the sessions matching the
security policy to the log host. You
can view the log information
through the log server to which
the log host is connected. Some
session logs include pre-NAT and
post-NAT address information.

1.3.3 Precautions

Precautions
● Whether the ISP address set includes all required IP addresses affects the
implementation of intelligent uplink selection and smart DNS. Therefore,
update the ISP address database regularly from the security center platform
(isecurity.huawei.com).
● In a multi-egress scenario, PBR intelligent uplink selection cannot be used
together with the IP spoofing attack defense or Unicast Reverse Path
Forwarding (URPF) function. If the IP spoofing attack defense or URPF
function is enabled, the FW may discard packets.
● A license is required to use smart DNS. In addition, smart DNS is available
only after required components are loaded through the dynamic loading
function.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 27


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

● The virtual server IP address used in server load balancing cannot be the
same as any of the following ones:
– Public IP address of the NAT server (global IP address)
– IP addresses in the NAT address pool
– Gateway IP address
– Interface IP addresses of the FW
● The real server IP address used in server load balancing cannot be the same
as any of the following ones:
– Virtual server IP address
– Public IP address of the NAT server (global IP address)
– Internal server IP address of the NAT server (inside IP)
● After you configure server load balancing, configure IP addresses for real
servers, but not the IP address of the virtual server, when configuring security
policies and the routing function.
● After you configure the NAT address pool and NAT server, configure black-
hole routes to addresses in the address pool and the public address of the
NAT server to prevent routing loops.
● Only the audit administrator can configure the audit function and view audit
logs.
● You can view and export audit logs on the web UI only from the device that
has an available disk installed.
● On networks with different forward and return packet paths, the audit log
contents may be incomplete.

1.3.4 Configuration Procedure


Procedure
Step 1 Configure interfaces and security zones and configure a gateway address,
bandwidth, and overload protection threshold for outbound interfaces involved in
intelligent uplink selection.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] description connect_to_edu
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/1] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] description connect_to_isp1
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] description connect_to_isp1
[FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252
[FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2
[FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 28


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

[FW-GigabitEthernet1/0/4] description connect_to_isp1


[FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252
[FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2
[FW-GigabitEthernet1/0/4] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/4] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/4] quit
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] description connect_to_isp2
[FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252
[FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2
[FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] quit
[FW] interface GigabitEthernet 1/0/6
[FW-GigabitEthernet1/0/6] description connect_to_isp2
[FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252
[FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2
[FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] description connect_to_campus
[FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0
[FW-GigabitEthernet1/0/7] quit

Step 2 Configure a security policy.


1. Create a security zone for each of the education network, ISP1 network, and
ISP2 network and assign interfaces to the security zone.
[FW] firewall zone name edu_zone
[FW-zone-edu_zone] set priority 20
[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
[FW-zone-edu_zone] quit
[FW] firewall zone name isp1_zone1
[FW-zone-isp1_zone1] set priority 30
[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
[FW-zone-isp1_zone1] quit
[FW] firewall zone name isp1_zone2
[FW-zone-isp1_zone2] set priority 40
[FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3
[FW-zone-isp1_zone2] quit
[FW] firewall zone name isp1_zone3
[FW-zone-isp1_zone3] set priority 50
[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
[FW-zone-isp1_zone3] quit
[FW] firewall zone name isp2_zone1
[FW-zone-isp2_zone1] set priority 60
[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
[FW-zone-isp2_zone1] quit
[FW] firewall zone name isp2_zone2
[FW-zone-isp2_zone2] set priority 70
[FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6
[FW-zone-isp2_zone2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/7
[FW-zone-trust] quit

2. Configure interzone security policies to control access between zones.


Reference the default intrusion prevention profile in the security policies and
configure intrusion prevention.
[FW] security-policy
[FW-policy-security] rule name user_inside
[FW-policy-security-rule-user_inside] source-zone trust
[FW-policy-security-rule-user_inside] action permit
[FW-policy-security-rule-user_inside] profile ips default
[FW-policy-security-rule-user_inside] quit
[FW-policy-security] rule name user_outside
[FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3
isp2_zone1 isp2_zone2

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 29


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

[FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24


[FW-policy-security-rule-user_outside] action permit
[FW-policy-security-rule-user_outside] profile ips default
[FW-policy-security-rule-user_outside] quit
[FW-policy-security] rule name local_to_any
[FW-policy-security-rule-local_to_any] source-zone local
[FW-policy-security-rule-local_to_any] destination-zone any
[FW-policy-security-rule-local_to_any] action permit
[FW-policy-security-rule-local_to_any] quit
[FW-policy-security] quit

3. Configure the scheduled update function for the intrusion prevention


function.

A license is available for updating the signature database, and the license is activated on
the device.

1. Configure an update center.


[FW] update server domain sec.huawei.com

2. The device can access the update server directly or through a proxy server. In
this example, the device can directly access the update server.
[FW] dns resolve
[FW] dns server 10.1.10.30

3. Configure the scheduled update function and set the scheduled update time.
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30

Step 3 Configure IP-link to detect whether the status of each ISP link is normal.

The IP-link configuration commands on the USG6000 and USG9500 are different. The
USG6000 is used in this example for illustration.
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit

Step 4 Configure routes.

Routes other than those required in this example are configured by the administrator.
# Configure a static route to the intranet network segment with the intranet switch
as the next hop, so that extranet traffic can reach the intranet.
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2

Step 5 Configure DNS transparent proxy.

# Bind the preferred and alternate DNS server addresses to each outbound interface.
[FW] dns-transparent-policy
[FW-policy-dns] dns transparent-proxy enable
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25

# Configure a domain name exception.
[FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25

# Configure a DNS transparent proxy policy.
[FW-policy-dns] rule name dns_trans_rule
[FW-policy-dns-rule-dns_trans_rule] action tpdns
[FW-policy-dns-rule-dns_trans_rule] quit
[FW-policy-dns] quit

# Configure PBR intelligent uplink selection to load balance DNS request packets
to each link.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit

Step 6 Configure intelligent uplink selection.

# Configure ISP address sets.
1. Upload ISP address files to the FW through SFTP.
2. Create an ISP name for each of the education network, ISP1 network, and
ISP2 network and associate it with the corresponding ISP address file.
[FW] isp name edu_address set filename edu_address.csv
[FW] isp name isp1_address set filename isp1_address.csv
[FW] isp name isp2_address set filename isp2_address.csv
[FW] isp name other_edu_server_address set filename other_edu_server_address.csv

# Create an application corresponding to the distance education system software
and reference the application in the PBR so that traffic generated by the distance
education system software is forwarded over the education network and ISP2
links.

Ensure that the FW has the route configuration that guides the transmission of the traffic
generated by the distance education system even if PBR is unavailable.
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems sub-category Enterprise_Application
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
[FW-sa] quit
[FW] policy-based-route
[FW-policy-pbr] rule name dis_edu_sys
[FW-policy-pbr-rule-dis_edu_sys] source-zone trust
[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
[FW-policy-pbr-rule-dis_edu_sys] quit

# Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.

Ensure that the FW has the route configuration that guides P2P traffic transmission even if
PBR is unavailable.
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit

# Configure single-ISP PBR.
1. Configure the traffic destined for servers of other campuses and the network
access traffic of users in the library to be forwarded over the link to the
education network.
[FW-policy-pbr] rule name other_edu_server
[FW-policy-pbr-rule-other_edu_server] source-zone trust
[FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16
[FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address
[FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-other_edu_server] quit
[FW-policy-pbr] rule name lib_internet
[FW-policy-pbr-rule-lib_internet] source-zone trust
[FW-policy-pbr-rule-lib_internet] source-address 10.1.50.0 22
[FW-policy-pbr-rule-lib_internet] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-lib_internet] quit

# Configure destination address-based PBR intelligent uplink selection.
1. Prefer the link to the education network to forward traffic destined for an
address in the address set of the education network.
[FW-policy-pbr] rule name pbr_edu
[FW-policy-pbr-rule-pbr_edu] source-zone trust
[FW-policy-pbr-rule-pbr_edu] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_edu] destination-address isp edu_address
[FW-policy-pbr-rule-pbr_edu] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_edu-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_edu-multi-inter] quit
[FW-policy-pbr-rule-pbr_edu] quit

2. Prefer ISP1 links to forward traffic destined for an address in the address set
of ISP1 network.
[FW-policy-pbr] rule name pbr_isp1
[FW-policy-pbr-rule-pbr_isp1] source-zone trust
[FW-policy-pbr-rule-pbr_isp1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp1] destination-address isp isp1_address
[FW-policy-pbr-rule-pbr_isp1] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp1-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp1] quit

3. Prefer ISP2 links to forward traffic destined for an address in the address set
of ISP2 network.
[FW-policy-pbr] rule name pbr_isp2
[FW-policy-pbr-rule-pbr_isp2] source-zone trust
[FW-policy-pbr-rule-pbr_isp2] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp2] destination-address isp isp2_address
[FW-policy-pbr-rule-pbr_isp2] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp2-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp2] quit

# Select the link with the highest quality through PBR pbr_rest to forward the
traffic that does not match any ISP address set.
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit
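As an added illustration (not Huawei code) of how the pbr_edu, pbr_isp1 and pbr_isp2 rules above resolve an egress interface: the destination is matched against the ISP address sets in rule order, then the user-defined priorities pick the link, with the Step 3 IP-link probes deciding which links are eligible. The ISP prefixes are constructed placeholders for the CSV files, and it is an assumption of this model (not stated on the page) that a link whose probe fails is skipped and that links tied on the best priority share the traffic.

```python
import ipaddress

# Added example, not Huawei code. The ISP address sets below are constructed
# placeholders standing in for the edu_address.csv / isp1_address.csv /
# isp2_address.csv files uploaded in Step 6; real files hold the ISPs' prefixes.
ISP_ADDRESS_SETS = {
    "edu_address": [ipaddress.ip_network("1.1.0.0/16")],
    "isp1_address": [ipaddress.ip_network("2.2.0.0/16")],
    "isp2_address": [ipaddress.ip_network("3.3.0.0/16")],
}

# Interface priorities exactly as the pbr_edu, pbr_isp1 and pbr_isp2 rules set
# them with "mode priority-of-userdefine" (higher number = preferred link).
PBR_RULES = [
    ("pbr_edu", "edu_address",
     {"GE1/0/1": 8, "GE1/0/2": 5, "GE1/0/3": 5, "GE1/0/4": 5, "GE1/0/5": 1, "GE1/0/6": 1}),
    ("pbr_isp1", "isp1_address",
     {"GE1/0/1": 5, "GE1/0/2": 8, "GE1/0/3": 8, "GE1/0/4": 8, "GE1/0/5": 1, "GE1/0/6": 1}),
    ("pbr_isp2", "isp2_address",
     {"GE1/0/1": 5, "GE1/0/2": 1, "GE1/0/3": 1, "GE1/0/4": 1, "GE1/0/5": 8, "GE1/0/6": 8}),
]


def matching_rule(dst_ip, rules=PBR_RULES, sets=ISP_ADDRESS_SETS):
    """Return (rule_name, priorities) for the first rule whose ISP address set
    contains dst_ip, or None.

    Rules are evaluated in configuration order, as on the device; an address in
    no set falls through to the pbr_rest rule (link-quality based, not modelled).
    """
    dst = ipaddress.ip_address(dst_ip)
    for name, set_name, priorities in rules:
        if any(dst in prefix for prefix in sets[set_name]):
            return name, priorities
    return None


def select_egress(dst_ip, link_up, rules=PBR_RULES, sets=ISP_ADDRESS_SETS):
    """Pick the egress interfaces for dst_ip given each link's IP-link state.

    link_up maps interface name -> True/False, i.e. the outcome of the ICMP
    probes configured in Step 3. Assumption (not stated on the page): an
    interface whose probe fails is skipped, and interfaces that tie on the
    highest remaining priority are all returned because traffic is shared
    among them. Returns (rule_name, [interfaces]); rule_name is None when no
    ISP set matches, and the list is empty when every listed link is down.
    """
    match = matching_rule(dst_ip, rules, sets)
    if match is None:
        return None, []
    name, priorities = match
    usable = {intf: prio for intf, prio in priorities.items() if link_up.get(intf, False)}
    if not usable:
        return name, []
    best = max(usable.values())
    return name, sorted(intf for intf, prio in usable.items() if prio == best)


if __name__ == "__main__":
    all_up = {f"GE1/0/{n}": True for n in range(1, 7)}
    # Constructed scenario: the education link (GE1/0/1) fails its IP-link probe,
    # so education-network traffic must fall back to the ISP1 links (priority 5).
    ge1_down = dict(all_up, **{"GE1/0/1": False})
    for dst in ("1.1.50.50", "2.2.60.60", "3.3.60.60", "8.8.8.8"):
        print(dst, "all links up ->", select_egress(dst, all_up))
        print(dst, "GE1/0/1 down ->", select_egress(dst, ge1_down))
```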

Step 7 Configure server load balancing.

# Enable server load balancing.
[FW] slb enable

# Configure a load balancing algorithm.
[FW] slb
[FW-slb] group 1 grp1
[FW-slb-group-1] metric roundrobin

# Add real servers to the real server group.
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-group-1] quit

# Configure a virtual server IP address.
[FW-slb] vserver 1 vs1
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 3.3.113.113

# Associate the virtual server with the real server group.
[FW-slb-vserver-1] group grp1
[FW-slb-vserver-1] quit
[FW-slb] quit

Step 8 Configure smart DNS.

# Enable smart DNS.
[FW] dns-smart enable

# Create a smart DNS group and configure smart DNS mappings in the group.
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
[FW-dns-smart-group-1] quit
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
[FW-dns-smart-group-2] quit

Step 9 Configure the security zone-based NAT server function so that users on different
ISP networks can use corresponding public IP addresses to access intranet servers.

# Configure the NAT server function for the Portal server.
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
[FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse

# Configure the NAT server function for the DNS server.
[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
[FW] nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
[FW] nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse

# Configure a black-hole route to the public address of the NAT server to prevent
routing loops.
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0

Step 10 Configure source NAT.

# Configure source NAT for traffic destined for the education network. The
address in the address pool is the public address of the education network.
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat-policy
[FW-policy-nat] rule name edu_nat_policy
[FW-policy-nat-rule-edu_nat_policy] source-zone trust
[FW-policy-nat-rule-edu_nat_policy] destination-zone edu_zone
[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-edu_nat_policy] quit
[FW-policy-nat] quit

# Configure intrazone NAT so that intranet users can access the intranet server
through its public address.
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit

# Configure source NAT for traffic destined for ISP1 network. The address in the
address pool is the public address of ISP1 network.
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool3
[FW-address-group-isp1_nat_address_pool3] mode pat
[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
[FW-address-group-isp1_nat_address_pool3] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy3
[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
[FW-policy-nat-rule-isp1_nat_policy3] quit
[FW-policy-nat] quit

# Configure source NAT for traffic destined for ISP2 network. The address in the
address pool is the public address of ISP2 network.
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
[FW-address-group-isp2_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy2
[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
[FW-policy-nat-rule-isp2_nat_policy2] quit
[FW-policy-nat] quit

# Configure black-hole routes to public addresses of the NAT address pool to
prevent routing loops.
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.32 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.2 32 NULL 0
[FW] ip route-static 2.2.5.3 32 NULL 0
[FW] ip route-static 2.2.6.1 32 NULL 0
[FW] ip route-static 2.2.6.2 32 NULL 0
[FW] ip route-static 2.2.6.3 32 NULL 0
[FW] ip route-static 2.2.7.1 32 NULL 0
[FW] ip route-static 2.2.7.2 32 NULL 0
[FW] ip route-static 2.2.7.3 32 NULL 0
[FW] ip route-static 3.3.1.1 32 NULL 0
[FW] ip route-static 3.3.1.2 32 NULL 0
[FW] ip route-static 3.3.1.3 32 NULL 0
[FW] ip route-static 3.3.2.1 32 NULL 0
[FW] ip route-static 3.3.2.2 32 NULL 0
[FW] ip route-static 3.3.2.3 32 NULL 0
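An added audit script (not Huawei code) that cross-checks the public addresses configured in Step 9 and Step 10 against the black-hole routes, reporting any NAT server global address or address-pool member that lacks a host route to NULL 0; a missing route is exactly the condition that lets an unmatched packet loop between the FW and the upstream router. The sample configuration is constructed from this page's commands with the route for 1.1.30.32 left out on purpose, and the script accepts lines with or without the CLI prompt so it also works on `display current-configuration` output.

```python
import ipaddress
import re

# Added example, not Huawei code. SAMPLE_CONFIG is constructed from the Step 9
# and Step 10 commands on this page, with the black-hole route for 1.1.30.32
# deliberately left out so that the audit has something to report.
SAMPLE_CONFIG = """\
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
"""

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")  # leading "[FW-...] " prompt, if present
NAT_SERVER_RE = re.compile(r"^nat server \S+ zone \S+ global (\S+) inside \S+")
SECTION_RE = re.compile(r"^section \d+ (\S+) (\S+)$")
BLACKHOLE_RE = re.compile(r"^ip route-static (\S+) 32 NULL 0$")


def _lines(config):
    """Yield config lines with the CLI prompt (present in pasted sessions,
    absent in 'display current-configuration' output) and whitespace removed."""
    for raw in config.splitlines():
        yield PROMPT_RE.sub("", raw).strip()


def public_addresses(config):
    """Every public address the FW answers for: NAT server global addresses
    plus each member of every source-NAT address-group section."""
    addrs = set()
    for line in _lines(config):
        m = NAT_SERVER_RE.match(line)
        if m:
            addrs.add(ipaddress.ip_address(m.group(1)))
            continue
        m = SECTION_RE.match(line)
        if m:
            start = int(ipaddress.ip_address(m.group(1)))
            end = int(ipaddress.ip_address(m.group(2)))
            addrs.update(ipaddress.ip_address(n) for n in range(start, end + 1))
    return addrs


def blackhole_routes(config):
    """Addresses already covered by a /32 route to NULL 0."""
    routes = set()
    for line in _lines(config):
        m = BLACKHOLE_RE.match(line)
        if m:
            routes.add(ipaddress.ip_address(m.group(1)))
    return routes


def missing_blackhole_routes(config):
    """Public addresses with no black-hole route, sorted, as dotted strings."""
    missing = public_addresses(config) - blackhole_routes(config)
    return [str(a) for a in sorted(missing)]


if __name__ == "__main__":
    for addr in missing_blackhole_routes(SAMPLE_CONFIG):
        print(f"no black-hole route for {addr}: add 'ip route-static {addr} 32 NULL 0'")
```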

Step 11 Configure NAT ALG between the Trust zone and other security zones. In this
example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT
ALG, enable ASPF.
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit

Step 12 Configure attack defense.

[FW] firewall defend land enable
[FW] firewall defend smurf enable
[FW] firewall defend fraggle enable
[FW] firewall defend ip-fragment enable
[FW] firewall defend tcp-flag enable
[FW] firewall defend winnuke enable
[FW] firewall defend source-route enable
[FW] firewall defend teardrop enable
[FW] firewall defend route-record enable
[FW] firewall defend time-stamp enable
[FW] firewall defend ping-of-death enable

Step 13 Configure an audit profile and reference it in an audit policy.

[FW] profile type audit name trust_to_internet_audit
[FW-profile-audit-trust_to_internet_audit] http-audit url all
[FW-profile-audit-trust_to_internet_audit] http-audit bbs-content
[FW-profile-audit-trust_to_internet_audit] http-audit micro-blog
[FW-profile-audit-trust_to_internet_audit] http-audit file direction both
[FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both
[FW-profile-audit-trust_to_internet_audit] quit
[FW] audit-policy
[FW-policy-audit] rule name trust_to_internet_audit_policy
[FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust
[FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit
[FW-policy-audit-rule-trust_to_internet_audit_policy] quit
[FW-policy-audit] quit

Step 14 Configure bandwidth management.

# Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-ip both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit

# Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-ip both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit

# Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-ip both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
[FW-policy-traffic-rule-isp1_p2p_03] quit
[FW-policy-traffic] quit

Step 15 Configure system log sending and NAT tracing to view logs on the eSight.

# Configure the function of sending system logs to a log host at 10.1.10.30 (in this
example, IPS and attack defense logs are sent).
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30

# Configure the session log function.
[FW] security-policy
[FW-policy-security] rule name trust_edu_zone
[FW-policy-security-rule-trust_edu_zone] source-zone trust
[FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone
[FW-policy-security-rule-trust_edu_zone] action permit
[FW-policy-security-rule-trust_edu_zone] session logging
[FW-policy-security-rule-trust_edu_zone] quit
[FW-policy-security] rule name trust_isp1_zone
[FW-policy-security-rule-trust_isp1_zone] source-zone trust
[FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3
[FW-policy-security-rule-trust_isp1_zone] action permit
[FW-policy-security-rule-trust_isp1_zone] session logging
[FW-policy-security-rule-trust_isp1_zone] quit
[FW-policy-security] rule name trust_isp2_zone
[FW-policy-security-rule-trust_isp2_zone] source-zone trust
[FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2
[FW-policy-security-rule-trust_isp2_zone] action permit
[FW-policy-security-rule-trust_isp2_zone] session logging
[FW-policy-security-rule-trust_isp2_zone] quit
[FW-policy-security] quit

Step 16 Configure SNMP and ensure that the SNMP parameters on the eSight are
consistent with those on the FW.
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123

After completing the configuration on the eSight, choose Log Analysis > Session
Analysis > IPv4 Session Query to view session logs.

----End

1.3.5 Verification
1. When users on the campus access the extranet, the traffic destined to the
education network is forwarded by GE1/0/1, the traffic destined to ISP1
network is forwarded by GE1/0/2, and the traffic destined to ISP2 network is
forwarded by GE1/0/3.
2. The traffic destined to servers of other campuses and the network access
traffic of users in the library are forwarded by GE1/0/1.
3. Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update
information of the IPS signature database.
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable

Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------

# Run the display version ips-sdb command to check the configuration of the IPS signature database.
[sysname] display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2015041503
Signature Database Size(byte) : 2659606
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 16:06:30 2015/04/15

Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 10:51:45 2015/05/20

Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------

4. Run the display firewall server-map command to check server-map entries generated by server load balancing.
[sysname] display firewall server-map slb
Current Total Server-map : 3
Type: SLB, ANY -> 3.3.113.113[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 2.2.112.112[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 1.1.111.111[grp1/1], Zone:---, protocol:---
Vpn: public -> public

5. Run the display firewall server-map command to check server-map entries generated by the NAT server function.
[sysname] display firewall server-map nat-server
Current Total Server-map : 12
Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.16.16[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.17.17[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.15.15[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.16.16[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 1.1.101.101[10.1.10.30], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.102.102[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.103.103[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public


Type: Nat Server, ANY -> 2.2.104.104[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.102.102[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.103.103[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server Reverse, 10.1.10.20[3.3.16.16] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[3.3.15.15] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.17.17] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.16.16] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.103.103] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.102.102] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.104.104] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.103.103] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.102.102] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[1.1.101.101] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1

6. Check session logs on the eSight.
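The following added check (example code, not from the Huawei document) parses the two command outputs shown in step 3 above, constructed here as sample strings, and flags an IPS signature database whose scheduled update is disabled or whose current version is older than a chosen number of days. The time stamp passed as now_stamp is an assumed input written in the device's own time format.

```python
"""Audit the FW's IPS signature database from its own show output.

Added example (not from the Huawei document): parses the text printed by
'display update configuration' and 'display version ips-sdb' and reports
whether the scheduled IPS-SDB update is enabled and how stale the active
signature database is. The two sample outputs are constructed copies of the
output shown in verification step 3, abridged to the IPS-SDB and AV-SDB blocks.
"""
import re
from datetime import datetime, timedelta

DEVICE_TIME_FORMAT = "%H:%M:%S %Y/%m/%d"   # the FW prints times as HH:MM:SS YYYY/MM/DD

# Constructed sample of 'display update configuration' (IPS-SDB and AV-SDB blocks only).
UPDATE_CONFIG = """\
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------
"""

# Constructed sample of 'display version ips-sdb' (signature database part).
IPS_SDB_VERSION = """\
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2015041503
Signature Database Size(byte) : 2659606
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 16:06:30 2015/04/15

Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
"""


def parse_update_schedule(text):
    """Return {block: {field: value}}; 'GLOBAL' holds the fields before the first NAME: block."""
    sections = {"GLOBAL": {}}
    current = "GLOBAL"
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"([A-Z][A-Z0-9-]*):", line)
        if header:                      # e.g. "IPS-SDB:" starts a new per-database block
            current = header.group(1)
            sections[current] = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_current_sdb(text):
    """Return (version, update_time) for the 'Current Version' block of 'display version ips-sdb'."""
    current = text.split("Backup Version:", 1)[0]
    version = re.search(r"Signature Database Version\s*:\s*(\S+)", current).group(1)
    stamp = re.search(r"^Update Time\s*:\s*(.+)$", current, re.M).group(1).strip()
    return version, datetime.strptime(stamp, DEVICE_TIME_FORMAT)


def audit_ips_sdb(update_config_text, version_text, now_stamp, max_age_days=7):
    """Return a list of findings; an empty list means the IPS signature database looks healthy.

    now_stamp uses the device's own time format so the check can be fed the FW's clock.
    """
    findings = []
    ips = parse_update_schedule(update_config_text).get("IPS-SDB", {})
    if ips.get("Schedule Update", "").lower() != "enable":
        findings.append("IPS-SDB scheduled update is not enabled")
    version, updated = parse_current_sdb(version_text)
    age = datetime.strptime(now_stamp, DEVICE_TIME_FORMAT) - updated
    if age > timedelta(days=max_age_days):
        findings.append(f"IPS-SDB {version} last updated {age.days} days ago (limit {max_age_days} days)")
    return findings


if __name__ == "__main__":
    for finding in audit_ips_sdb(UPDATE_CONFIG, IPS_SDB_VERSION, "00:00:00 2015/07/01"):
        print(finding)
```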

1.3.6 Configuration Scripts


#
sysname FW
#
info-center loghost 10.1.10.30 514
#
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#
dns resolve
dns server 10.1.10.30
dns transparent-proxy server 10.1.0.50
#
dns-transparent-policy
dns transparent-proxy enable
dns server bind interface GigabitEthernet1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
dns server bind interface GigabitEthernet1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
dns server bind interface GigabitEthernet1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
dns server bind interface GigabitEthernet1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
dns server bind interface GigabitEthernet1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
dns server bind interface GigabitEthernet1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
#
firewall defend land enable
firewall defend smurf enable


firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip-link name edu_ip_link
destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
ip-link name isp1_ip_link
destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
ip-link name isp2_ip_link
destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
#
dns-smart enable
#
update schedule ips-sdb daily 02:30
update schedule sa-sdb daily 02:30
#
interface GigabitEthernet1/0/1
description connect_to_edu
ip address 1.1.1.1 255.255.255.252
reverse-route nexthop 1.1.1.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/2
description connect_to_isp1
ip address 2.2.2.1 255.255.255.252
reverse-route nexthop 2.2.2.2
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
#
interface GigabitEthernet1/0/3
description connect_to_isp1
ip address 2.2.3.1 255.255.255.252
reverse-route nexthop 2.2.3.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/4
description connect_to_isp1
ip address 2.2.4.1 255.255.255.252
reverse-route nexthop 2.2.4.2
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
#
interface GigabitEthernet1/0/5
description connect_to_isp2
ip address 3.3.3.1 255.255.255.252
reverse-route nexthop 3.3.3.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/6
description connect_to_isp2
ip address 3.3.4.1 255.255.255.252
reverse-route nexthop 3.3.4.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/7
description connect_to_campus


ip address 10.2.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/7
#
firewall zone name edu_zone
set priority 20
add interface GigabitEthernet1/0/1
#
firewall zone name isp1_zone1
set priority 30
add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
set priority 40
add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
set priority 50
add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
set priority 60
add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
set priority 70
add interface GigabitEthernet1/0/6
#
firewall interzone trust edu_zone
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp1_zone1
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp1_zone2
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp1_zone3
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp2_zone1
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp2_zone2
detect ftp
detect rtsp
detect qq
#
ip route-static 1.1.15.15 255.255.255.255 NULL0
ip route-static 1.1.30.31 255.255.255.255 NULL0
ip route-static 1.1.30.32 255.255.255.255 NULL0
ip route-static 1.1.30.33 255.255.255.255 NULL0
ip route-static 1.1.101.101 255.255.255.255 NULL0
ip route-static 2.2.5.1 255.255.255.255 NULL0
ip route-static 2.2.5.2 255.255.255.255 NULL0
ip route-static 2.2.5.3 255.255.255.255 NULL0
ip route-static 2.2.6.1 255.255.255.255 NULL0


ip route-static 2.2.6.2 255.255.255.255 NULL0
ip route-static 2.2.6.3 255.255.255.255 NULL0
ip route-static 2.2.7.1 255.255.255.255 NULL0
ip route-static 2.2.7.2 255.255.255.255 NULL0
ip route-static 2.2.7.3 255.255.255.255 NULL0
ip route-static 2.2.15.15 255.255.255.255 NULL0
ip route-static 2.2.16.16 255.255.255.255 NULL0
ip route-static 2.2.17.17 255.255.255.255 NULL0
ip route-static 2.2.102.102 255.255.255.255 NULL0
ip route-static 2.2.103.103 255.255.255.255 NULL0
ip route-static 2.2.104.104 255.255.255.255 NULL0
ip route-static 3.3.1.1 255.255.255.255 NULL0
ip route-static 3.3.1.2 255.255.255.255 NULL0
ip route-static 3.3.1.3 255.255.255.255 NULL0
ip route-static 3.3.2.1 255.255.255.255 NULL0
ip route-static 3.3.2.2 255.255.255.255 NULL0
ip route-static 3.3.2.3 255.255.255.255 NULL0
ip route-static 3.3.15.15 255.255.255.255 NULL0
ip route-static 3.3.16.16 255.255.255.255 NULL0
ip route-static 3.3.102.102 255.255.255.255 NULL0
ip route-static 3.3.103.103 255.255.255.255 NULL0
ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
snmp-agent sys-info version v3
snmp-agent group v3 inside_snmp privacy
snmp-agent usm-user v3 snmp_user group inside_snmp
snmp-agent usm-user v3 snmp_user authentication-mode sha cipher %$%$jQlL6J6-$X05<;Csj**]uVn>IEUb,9<3.%$%$
snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher %$%$jQlL6J6-$X05<;Csj**]uVn>IEUb,9<3.%$%$
#
isp name edu_address
isp name edu_address set filename edu_address.csv
isp name isp1_address
isp name isp1_address set filename isp1_address.csv
isp name isp2_address
isp name isp2_address set filename isp2_address.csv
isp name other_edu_server_address
isp name other_edu_server_address set filename other_edu_server_address.csv
#
slb
rserver 1 rip 10.1.10.10 weight 32 healthchk
rserver 2 rip 10.1.10.11 weight 32 healthchk
group grp1
metric roundrobin
addrserver 1
addrserver 2
vserver vs1 vip 1.1.111.111 group grp1
#
sa
#
sa
user-defined-application name UD_dis_edu_sys_app
category Business_Systems sub-category Enterprise_Application
data-model client-server
rule name 1
ip-address 2.2.50.50 32
port 5000
#
nat address-group edu_nat_address_pool
section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
section 0 2.2.5.1 2.2.5.3
nat address-group isp1_nat_address_pool2
section 0 2.2.6.1 2.2.6.3
nat address-group isp1_nat_address_pool3
section 0 2.2.7.1 2.2.7.3
nat address-group isp2_nat_address_pool1
section 0 3.3.1.1 3.3.1.3


nat address-group isp2_nat_address_pool2
section 0 3.3.2.1 3.3.2.3
#
dns-smart group 1 type single
real-server-ip 1.1.15.15
out-interface GigabitEthernet1/0/2 map 2.2.15.15
out-interface GigabitEthernet1/0/3 map 2.2.16.16
out-interface GigabitEthernet1/0/4 map 2.2.17.17
out-interface GigabitEthernet1/0/5 map 3.3.15.15
out-interface GigabitEthernet1/0/6 map 3.3.16.16
#
dns-smart group 2 type single
real-server-ip 1.1.101.101
out-interface GigabitEthernet1/0/2 map 2.2.102.102
out-interface GigabitEthernet1/0/3 map 2.2.103.103
out-interface GigabitEthernet1/0/4 map 2.2.104.104
out-interface GigabitEthernet1/0/5 map 3.3.102.102
out-interface GigabitEthernet1/0/6 map 3.3.103.103
#
security-policy
rule name user_inside
source-zone trust
profile ips default
action permit
rule name user_outside
source-zone edu_zone
source-zone isp1_zone1
source-zone isp1_zone2
source-zone isp1_zone3
source-zone isp2_zone1
source-zone isp2_zone2
destination-address 10.1.10.0 mask 255.255.255.0
profile ips default
action permit
rule name local_to_any
source-zone local
destination-zone any
action permit
#
traffic-policy
profile isp1_p2p_profile_01
bandwidth total maximum-bandwidth 100000
bandwidth ip-car total maximum-bandwidth per-ip 500
profile isp1_p2p_profile_02
bandwidth total maximum-bandwidth 300000
bandwidth ip-car total maximum-bandwidth per-ip 1000
profile isp1_p2p_profile_03
bandwidth total maximum-bandwidth 700000
bandwidth ip-car total maximum-bandwidth per-ip 2000
rule name isp1_p2p_01
ingress-interface GigabitEthernet1/0/7
egress-interface GigabitEthernet1/0/2
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_01
rule name isp1_p2p_02
ingress-interface GigabitEthernet1/0/7
egress-interface GigabitEthernet1/0/3
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_02
rule name isp1_p2p_03
ingress-interface GigabitEthernet1/0/7
egress-interface GigabitEthernet1/0/4
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_03
#
policy-based-route


rule name pbr_dns_trans
source-zone trust
service dns
service dns-tcp
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode proportion-of-bandwidth
rule name dis_edu_sys
source-zone trust
application app UD_dis_edu_sys_app
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode proportion-of-bandwidth
rule name p2p_traffic
source-zone trust
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
mode proportion-of-bandwidth
rule name other_edu_server
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp other_edu_server_address
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
rule name lib_internet
source-zone trust
source-address 10.1.48.0 mask 255.255.252.0
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
rule name pbr_edu
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp edu_address
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1 priority 8
add interface GigabitEthernet1/0/2 priority 5
add interface GigabitEthernet1/0/3 priority 5
add interface GigabitEthernet1/0/4 priority 5
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode priority-of-userdefine
rule name pbr_isp1
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp isp1_address
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1 priority 5
add interface GigabitEthernet1/0/2 priority 8
add interface GigabitEthernet1/0/3 priority 8
add interface GigabitEthernet1/0/4 priority 8
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode priority-of-userdefine
rule name pbr_isp2
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp isp2_address
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1 priority 5
add interface GigabitEthernet1/0/2


add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5 priority 8
add interface GigabitEthernet1/0/6 priority 8
mode priority-of-userdefine
rule name pbr_rest
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode priority-of-link-quality
priority-of-link-quality parameter delay jitter loss
#
nat-policy
rule name inner_nat_policy
source-zone trust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group edu_nat_address_pool
rule name edu_nat_policy
source-zone trust
destination-zone edu_zone
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group edu_nat_address_pool
rule name isp1_nat_policy1
source-zone trust
destination-zone isp1_zone1
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp1_nat_address_pool1
rule name isp1_nat_policy2
source-zone trust
destination-zone isp1_zone2
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp1_nat_address_pool2
rule name isp1_nat_policy3
source-zone trust
destination-zone isp1_zone3
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp1_nat_address_pool3
rule name isp2_nat_policy1
source-zone trust
destination-zone isp2_zone1
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp2_nat_address_pool1
rule name isp2_nat_policy2
source-zone trust
destination-zone isp2_zone2
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp2_nat_address_pool2
#
return
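As an added check (example code, not part of the Huawei document), the script below parses a constructed, abridged excerpt of the configuration script above and reports any NAT server global address or NAT address pool member that lacks a matching NULL0 blackhole route. The excerpt, the function names and the "owner" labels it reports are assumptions of this example, not FW commands or output.

```python
"""Check that every public address the FW answers for has a NULL0 blackhole route.

Added example (not from the Huawei document). The configuration script above
pairs every 'nat server ... global' address and every address in a source-NAT
pool with 'ip route-static <addr> 255.255.255.255 NULL0', so a packet for a
public address that has no matching session is dropped on the FW rather than
being sent back towards the ISP router by a default route. This script parses
a constructed, abridged excerpt of that script and lists any public address
that is missing such a route.
"""
import ipaddress
import re

# Constructed excerpt of the configuration script (a subset of the original lines).
CONFIG = """\
#
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
#
ip route-static 1.1.15.15 255.255.255.255 NULL0
ip route-static 1.1.30.31 255.255.255.255 NULL0
ip route-static 1.1.30.32 255.255.255.255 NULL0
ip route-static 1.1.30.33 255.255.255.255 NULL0
ip route-static 1.1.101.101 255.255.255.255 NULL0
ip route-static 2.2.5.1 255.255.255.255 NULL0
ip route-static 2.2.5.2 255.255.255.255 NULL0
ip route-static 2.2.5.3 255.255.255.255 NULL0
ip route-static 2.2.15.15 255.255.255.255 NULL0
ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
nat address-group edu_nat_address_pool
 section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
 section 0 2.2.5.1 2.2.5.3
#
"""

NAT_SERVER_RE = re.compile(r"^nat server (\S+) .*\bglobal (\d+\.\d+\.\d+\.\d+)", re.M)
BLACKHOLE_RE = re.compile(r"^ip route-static (\d+\.\d+\.\d+\.\d+) 255\.255\.255\.255 NULL0\s*$", re.M)


def public_addresses(config):
    """Map each public address the FW must own to the object that uses it."""
    owners = {}
    for m in NAT_SERVER_RE.finditer(config):
        owners[ipaddress.ip_address(m.group(2))] = f"nat server {m.group(1)}"
    pool = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"nat address-group (\S+)$", line)
        if m:
            pool = m.group(1)          # following 'section' lines belong to this pool
            continue
        m = re.match(r"section \d+ (\S+) (\S+)$", line)
        if m and pool:
            first, last = (int(ipaddress.ip_address(a)) for a in m.groups())
            for n in range(first, last + 1):   # expand the pool range address by address
                owners[ipaddress.ip_address(n)] = f"nat address-group {pool}"
        elif line.startswith("#"):
            pool = None                # '#' ends the address-group block
    return owners


def blackhole_routes(config):
    """Return the set of host addresses that are routed to NULL0."""
    return {ipaddress.ip_address(m.group(1)) for m in BLACKHOLE_RE.finditer(config)}


def missing_blackholes(config):
    """Public addresses without a NULL0 route, keyed by dotted address for easy reporting."""
    routed = blackhole_routes(config)
    return {str(addr): owner for addr, owner in public_addresses(config).items()
            if addr not in routed}


if __name__ == "__main__":
    gaps = missing_blackholes(CONFIG)
    print("all public addresses have blackhole routes" if not gaps else gaps)
```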

1.4 Solution 2: User-based Policy Control


1.4.1 Typical Networking
As shown in Figure 1-3, the FW is deployed on the egress of the campus network
as a security gateway. It provides bandwidth services for users in the campus and
server access services for users outside the campus. A RADIUS server is deployed
on the campus network and stores user/user group and password information. To


access network resources through the BRAS, users must be authenticated by the
RADIUS server. According to the existing organization structure, the administrator
can create users/user groups or use a file to import users/user groups in batches
on the FW and then control the access behavior of the users/user groups through
policies. To improve the reliability of the network egress, the campus leases 1G
links from ISP1 and ISP2 and 10G links from the education network.

Figure 1-3 Networking of user-based policy control

The campus network is mainly used for learning and working. Therefore, in
addition to ensuring the security of intranet users and servers, the egress needs to
properly allocate bandwidth resources and implement load balancing for network
traffic to improve the access experience of intranet and extranet users. The main
requirements of the campus network are as follows:
● User and authentication
– Users access the Internet through the BRAS after being authenticated by
the RADIUS server. Users do not need to be authenticated by the FW
after being authenticated by the RADIUS server.
– The Internet access users on the campus are classified into teachers, users
who access the Internet from the library, users who access the Internet
from the public area, users with monthly package of 20 Yuan, and users


with monthly package of 50 Yuan. The administrator wants to control
network permissions by users. The FW needs to store required user
information to be referenced by security policies.
– New users on the RADIUS server are allowed to access network resources
even though their information does not exist on the FW.
● Load balancing
– The FW can control the network access permissions of users by user
attribute and select ISP links for traffic forwarding based on the
difference between user attributes. For example, the traffic of teachers
and users with monthly package of 50 Yuan can be forwarded over
multiple ISP links based on the destination address of the traffic; the
traffic of users with monthly package of 20 Yuan and users that access
the network from the library is forwarded only over the link to the
education network; the traffic of users who access the network from the
public area is preferentially forwarded over the link to the education
network. If the link to the education network is overloaded, the traffic
can be forwarded over other ISP links.
– The ISP links have different transmission quality. The link to the
education network and the links to ISP2 network have high quality and
can forward service traffic that has high requirements on delay, such
as the traffic of the distance education system. The links to ISP1 network
have poor quality and can forward bandwidth-consuming and low-value
service traffic, such as P2P traffic. Considering the cost, the traffic
destined to the servers of other campuses, network access traffic of users
in the library, and traffic matching default routes are forwarded over the
link to the education network.
– The users on the campus automatically obtain the same DNS server
address. Therefore, the traffic of the users is forwarded over the same ISP
link. The campus wants to make full use of other link resources and
requests to distribute some DNS request packets to other ISP links. Only
changing the outbound interface of packets cannot resolve the issue that
subsequent network access traffic is forwarded over one link. Therefore,
DNS request packets need to be forwarded to the DNS servers of
different ISP networks. Then the resolved addresses belong to different
ISP networks.
– A DNS server is deployed on the campus network to provide domain
name resolution services. When users on different ISP networks access
the campus network, they can use the resolved address that belongs to
the same ISP as the users for access, improving the access quality.
– The traffic destined to the server in the library is heavy, so two
servers are required for traffic load balancing.
● Address translation
– Users on the campus network require public IP addresses to access the
Internet.
– The servers, such as library servers, portal servers, and DNS servers, on
the campus network use public IP addresses to provide services for
intranet and extranet users.
● Security defense
– Assign network devices to different zones based on their locations,
implement security isolation for interzone traffic, and control the


permissions on mutual zone access. For example, allow users on the
campus to access extranet resources, and allow extranet users to access
only a specific port of an intranet server.
– The network can defend against common DDoS attacks (such as SYN
flood attacks) and single-packet attacks (such as Land attacks).
– Network intrusion behaviors are blocked and alerted.
● Bandwidth management and control
Due to limited bandwidth resources, the campus requests to limit the
bandwidth percentage of P2P traffic as well as the bandwidth of each user's
P2P traffic. Teachers and users with monthly package of 50 Yuan are assigned
2M bandwidth for P2P traffic, and other users are assigned 500K bandwidth
for P2P traffic. Common P2P traffic is generated by download software
(Thunder, eMule, BT, Ares, and Vuze), music software (Kugou Music, kugou,
and SoulSeek), or video websites or software (Baidu player, QiYi, and
SHPlayer).
● Source tracing and auditing
– To prevent the improper online behavior of users on the campus from
harming the reputation of the campus, perform source tracing for the
improper behavior and restore the improper behavior. The online
behavior of users on the campus needs to be audited for subsequent
investigation and analysis. The behavior to be audited includes URL
access records, BBS posts and microblogs, HTTP upload and download,
and FTP upload and download.
– Log server devices are deployed on the campus. Attack defense and
intrusion detection logs as well as pre-NAT and post-NAT IP addresses
can be viewed on the log server.

1.4.2 Service Planning


The FW can meet all requirements of the campus network. This section describes
the functions of the FW and provides service planning based on the networking.

Basic Network Configuration and Access Control Configuration


The FW sets security zones and implements security isolation for these zones. It
controls the permissions on mutual zone access by using security policies.
Users on the campus network are in the Trust zone, which has the highest security
level. The users can proactively access all the zones. Servers are also in the Trust
zone and can access only extranets under the control of security policies, but not
other devices in the Trust zone. A security zone is created for each ISP so that the
policies between each pair of zones can be controlled separately. The devices on
each ISP network can access the server area. In addition, ASPF needs to be enabled
to ensure normal communication between zones through multichannel protocols,
such as FTP.


Table 1-14 Planning for basic network configuration

Item: GE1/0/1
Data:
● IP address: 1.1.1.1/30
● Security zone: edu_zone (priority value 20)
● Gateway address: 1.1.1.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to the education network is assigned to user-defined security zone edu_zone. The priority of a user-defined security zone can be set as required.

Item: GE1/0/2
Data:
● IP address: 2.2.2.1/30
● Security zone: isp1_zone1 (priority value 30)
● Gateway address: 2.2.2.2
● Sticky load balancing: enabled
● Bandwidth: 200 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to ISP1 network is assigned to user-defined security zone isp1_zone1.

Item: GE1/0/3
Data:
● IP address: 2.2.3.1/30
● Security zone: isp1_zone2 (priority value 40)
● Gateway address: 2.2.3.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to ISP1 network is assigned to user-defined security zone isp1_zone2.

Item: GE1/0/4
Data:
● IP address: 2.2.4.1/30
● Security zone: isp1_zone3 (priority value 50)
● Gateway address: 2.2.4.2
● Sticky load balancing: enabled
● Bandwidth: 200 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to ISP1 network is assigned to user-defined security zone isp1_zone3.

Item: GE1/0/5
Data:
● IP address: 3.3.3.1/30
● Security zone: isp2_zone1 (priority value 60)
● Gateway address: 3.3.3.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to ISP2 network is assigned to user-defined security zone isp2_zone1.

Item: GE1/0/6
Data:
● IP address: 3.3.4.1/30
● Security zone: isp2_zone2 (priority value 70)
● Gateway address: 3.3.4.2
● Sticky load balancing: enabled
● Bandwidth: 1000 Mbit/s
● Overload protection threshold: 90%
Description: The interface connecting the FW to ISP2 network is assigned to user-defined security zone isp2_zone2.

Item: GE1/0/7
Data:
● IP address: 10.2.0.1/24
● Security zone: Trust
Description: The interface connecting the FW to the campus network is assigned to the Trust zone. Users on the campus and servers are in the Trust zone.

Item: GE1/0/8
Data:
● IP address: 10.2.1.1/30
● Security zone: DMZ
Description: The interface connecting the FW to the RADIUS server is assigned to the DMZ.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 52


HUAWEI Firewall 1 Application of Firewalls in the Campus Egress
Comprehensive Configuration Examples Security Solution

Table 1-15 Planning for access control configuration

Item: Security policy for users on the campus
Data:
● Security policy name: user_inside
● Source security zone: Trust
● Action: permit
Description: Users on the campus can access devices in any security zone. By default, devices in the same security zone cannot access each other. A security policy must be configured to specify the source or destination security zone. For example, if the source and destination security zones are the Trust zone, the devices in the Trust zone can access each other. If the source security zone is the Trust zone and the destination security zone is any, the devices in the Trust zone can access any security zone. If the source security zone is any and the destination security zone is Trust, devices in any security zone can access the Trust zone.

Item: Security policy for extranet users
Data:
● Security policy name: user_outside
● Source security zone: edu_zone, isp1_zone1, isp1_zone2, isp1_zone3, isp2_zone1 and isp2_zone2
● Destination IP address: 10.1.10.0/24
● Action: permit
Description: Users outside the campus can access the server area, but not any devices in the Trust zone.

Item: Security policy for the log server
Data:
● Security policy name: local_to_any
● Source security zone: Local
● Destination security zone: Any
● Action: permit
Description: The FW is allowed to send log information to the log server and update center.

Intrusion Prevention
Intrusion prevention needs to be enabled on the FW to alert on or block intrusions by botnets, Trojan horses, and worms. To identify intrusion behavior reliably, the FW needs to update the intrusion prevention signature database periodically from the security center (sec.huawei.com).


Table 1-16 Planning for intrusion prevention configuration


Intrusion prevention for extranets
● Security policy name: user_inside
● Intrusion prevention profile: default
Description: Intrusion prevention is required when devices in the Trust zone access extranets. The security policy references the default intrusion prevention profile default.

Intrusion prevention for the server area
● Security policy name: user_outside
● Intrusion prevention profile: default
Description: Intrusion prevention is required when extranet users access devices in the server area. The security policy references the default intrusion prevention profile default.

Intrusion prevention signature database update
● URL of the update center: sec.huawei.com
● DNS server address: 10.1.10.30
● Update mode: scheduled
● Update frequency: every day
● Update time: 02:30
Description: The intrusion prevention signature database needs to be updated frequently to improve the defense capability of the device. To reduce the administrator's workload, configure the device to update the database on a schedule, at a time when network traffic is light.


DNS Transparent Proxy


DNS transparent proxy changes the destination address of a DNS request packet, redirecting the request to a DNS server of the FW's choice. In this case, DNS transparent proxy works together with PBR intelligent uplink selection so that DNS request packets are distributed across the egress links in proportion to link bandwidth. The addresses resolved through different ISPs' DNS servers belong to the corresponding ISP networks, and therefore the subsequent access traffic is distributed across the ISP links as well.


Table 1-17 Planning for DNS transparent proxy configuration


Servers to which interfaces are bound
● GE1/0/1:
  – Primary DNS server: 1.1.22.22
  – Secondary DNS server: 1.1.23.23
● GE1/0/2:
  – Primary DNS server: 2.2.22.22
  – Secondary DNS server: 2.2.23.23
● GE1/0/3:
  – Primary DNS server: 2.2.24.24
  – Secondary DNS server: 2.2.25.25
● GE1/0/4:
  – Primary DNS server: 2.2.26.26
  – Secondary DNS server: 2.2.27.27
● GE1/0/5:
  – Primary DNS server: 3.3.22.22
  – Secondary DNS server: 3.3.23.23
● GE1/0/6:
  – Primary DNS server: 3.3.24.24
  – Secondary DNS server: 3.3.25.25
Description: The FW prefers the primary DNS server address when replacing the destination address of a received DNS request packet. It uses the secondary DNS server address only when the primary DNS server is in the Down state.

Domain name exception
● Domain name exception: www.example.com
● DNS server: 1.1.25.25
Description: DNS transparent proxy is not carried out for the domain name exception. The administrator can specify a DNS server to resolve the domain name exception.

DNS transparent proxy policy
dns_trans_rule:
● Source IP address: any
● Destination IP address: any
● Action: tpdns (DNS transparent proxy is implemented)
Description: The DNS transparent proxy policy defines which DNS request packets require DNS transparent proxy. In this case, all DNS request packets except those carrying a domain name exception require DNS transparent proxy.


Policy-based routing
pbr_dns_trans:
● Source security zone: Trust
● Service: DNS and DNS-TCP
● Intelligent uplink selection mode: load balancing by link bandwidth
● Outbound interfaces involved in intelligent uplink selection: GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
Description: This policy-based route must be placed before the other ones. It matches DNS request packets by service type (DNS over UDP or TCP), and load balancing by link bandwidth is carried out for the matching requests. After users on the campus obtain the resolved addresses, the service packets they send are matched against the other PBRs.

User and Authentication

To enable users to be automatically authenticated by the FW after they are authenticated by the RADIUS server, configure RADIUS SSO to trigger user authentication on the FW.
To implement RADIUS SSO, the FW parses the RADIUS accounting packets exchanged between the BRAS and the RADIUS server to obtain user-IP address mappings. In this case the packets exchanged between the BRAS and the RADIUS server pass through the FW: the authentication policy on the FW does not authenticate these packets, but a security policy must permit them.


Table 1-18 Planning for user and authentication configuration


CSV file
● User groups:
  – User group to which teachers belong: /default/teacher
  – User group to which users with the monthly package of 50 Yuan belong: /default/50user
  – User group to which users with the monthly package of 20 Yuan belong: /default/20user
  – User group to which users accessing the network from the library belong: /default/lib
  – User group to which users accessing the network from the public network belong: /default/public_user
  – User group to which new network access users belong: /default/newuser
● Multiple users cannot share the same account for network access.
Description: Fill the user information stored on the RADIUS server into the CSV file template in the specified format and import the CSV file into the FW to create users and user groups in batches. Because information on a new network access user may not be synchronized to the FW in time, create a temporary user group /default/newuser so that these users can access network resources normally.

RADIUS SSO
● RADIUS SSO: enabled
● Working mode: in-line
● Interface for receiving accounting packets: GigabitEthernet 1/0/7
● Parsed traffic: 10.2.1.2:1813 (IP address of the RADIUS server:UDP port of the accounting service)
Description: Set SSO parameters on the FW so that the FW parses the received RADIUS accounting packets to obtain user-IP address mappings.

Security policy
● Security policy name: policy_sec_radius
● Source security zone: Trust
● Destination security zone: DMZ
● Destination IP address: 10.2.1.0/24
● Action: permit
Description: Configure a security policy between the Trust zone (users and BRAS) and the DMZ (RADIUS server) so that users can be authenticated by the RADIUS server.
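The following is an added example, not the Huawei FW's implementation, of what an in-line RADIUS SSO function has to do with the accounting traffic to 10.2.1.2:1813 planned in Table 1-18: parse RADIUS Accounting-Request packets, learn a user-IP mapping from each Accounting-Start and forget it on Accounting-Stop, and ignore everything that is not the accounting flow. The sample packets, the shared secret and the "intruder" record are constructed for the example. Checking the Request Authenticator (RFC 2866) requires the shared secret, which an in-line observer does not necessarily hold, so that check is optional here.

```python
"""Added example (not the Huawei implementation): RADIUS SSO parsing of Accounting-Request
packets to build user -> IP mappings. Sample packets and the shared secret are constructed."""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP = 1, 2
RADIUS_ACCT = ("10.2.1.2", 1813)            # "Parsed traffic" in Table 1-18


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, attributes) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    return code, ident, packet[4:20], parse_attributes(packet[20:length])


def authenticator_valid(packet, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return digest == packet[4:20]


class SsoTable:
    def __init__(self, server, secret=None):
        self.server, self.secret = server, secret
        self.ip_to_user = {}

    def process(self, dst, packet):
        """Feed one UDP datagram seen on GE1/0/7; returns an online/offline event or None."""
        if dst != self.server:
            return None                             # only the accounting flow is parsed
        code, _, _, attrs = parse_packet(packet)
        if code != ACCOUNTING_REQUEST:
            return None
        if self.secret is not None and not authenticator_valid(packet, self.secret):
            return None                             # not signed by a BRAS holding the secret
        fields = dict(attrs)
        user = fields.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        if not user or len(fields.get(ATTR_FRAMED_IP_ADDRESS, b"")) != 4:
            return None
        ip = str(ipaddress.IPv4Address(fields[ATTR_FRAMED_IP_ADDRESS]))
        status_raw = fields.get(ATTR_ACCT_STATUS_TYPE, b"")
        status = struct.unpack("!I", status_raw)[0] if len(status_raw) == 4 else None
        if status == STATUS_START:
            self.ip_to_user[ip] = user
            return ("online", user, ip)
        if status == STATUS_STOP and self.ip_to_user.get(ip) == user:
            del self.ip_to_user[ip]
            return ("offline", user, ip)
        return None

    def user_for(self, ip):
        return self.ip_to_user.get(ip)


def build_accounting_request(ident, user, ip, status, secret):
    """Constructed Accounting-Request as a BRAS would send it (example input only)."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    body = (attr(ATTR_USER_NAME, user.encode()) +
            attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed) +
            attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


SECRET = b"example-shared-secret"                 # assumption, not from the document


def demo():
    """Start, forged Start, unrelated destination, then Stop for the same user."""
    table = SsoTable(RADIUS_ACCT, SECRET)
    events = [
        table.process(RADIUS_ACCT, build_accounting_request(1, "teacher01", "10.1.20.5", STATUS_START, SECRET)),
        table.process(RADIUS_ACCT, build_accounting_request(2, "intruder", "10.1.20.6", STATUS_START, b"wrong")),
        table.process(("10.1.10.30", 53), build_accounting_request(3, "x", "10.1.20.7", STATUS_START, SECRET)),
    ]
    online = table.user_for("10.1.20.5")
    events.append(table.process(RADIUS_ACCT, build_accounting_request(4, "teacher01", "10.1.20.5", STATUS_STOP, SECRET)))
    return events, online, dict(table.ip_to_user)


if __name__ == "__main__":
    print(demo())
```

Without the secret the table learns from any well-formed Accounting-Start it sees, which is the situation of a purely in-line observer; the security policy policy_sec_radius is then the only thing restricting who can send packets to 10.2.1.2:1813 through the FW.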


Intelligent Uplink Selection


The FW deployed between the BRAS and the RADIUS server parses the RADIUS accounting packets exchanged between them to obtain user/user group-IP address mappings.
To meet the traffic forwarding requirement of the campus network egress, deploy PBR intelligent uplink selection on the FW based on user/user group information. To meet the forwarding requirement of some special traffic, use single-ISP PBR to forward that traffic through a fixed outbound interface. Use the link with the best quality to forward traffic that does not match any item in the ISP address sets.


Table 1-19 Planning for intelligent uplink selection configuration


Single-ISP PBR
● p2p_traffic:
  – Source security zone: Trust
  – Application: P2P online video and P2P file sharing
  – Intelligent uplink selection mode: load balancing by link bandwidth
  – Outbound interfaces involved in intelligent uplink selection: GE1/0/2, GE1/0/3, and GE1/0/4
● dis_edu_sys:
  – Source security zone: Trust
  – Application: UD_dis_edu_sys_app
  – Intelligent uplink selection mode: load balancing by link bandwidth
  – Outbound interfaces involved in intelligent uplink selection: GE1/0/1, GE1/0/5, and GE1/0/6
● other_edu_server:
  – Source security zone: Trust
  – Source address: 10.1.0.0/16
  – Destination address: other_edu_server_address
  – Outbound interface: GE1/0/1
  – Next-hop address: 1.1.1.2
● pbr_edu_lib_20user:
  – Source security zone: Trust
  – User: /default/lib and /default/20user
  – Outbound interface: GE1/0/1
  – Next-hop address: 1.1.1.2
Description: Policy-based routes take precedence over specific routes and default routes, so special traffic can be forwarded using policy-based routes.
Single-ISP PBR and multi-ISP PBR have the same priority; however, a PBR rule configured earlier is ranked ahead of one configured later. You can adjust the sequence of PBR rules based on service requirements and matching conditions. Generally, a PBR with strict matching conditions is ranked ahead of a PBR with loose matching conditions, and a PBR matching special traffic is ranked ahead of PBRs that match common traffic.
Because the distance education system software is not included in the application signature database of the FW, the administrator needs to create the user-defined application UD_dis_edu_sys_app based on the application's features and set it as a matching condition of a PBR.


ISP address set
● Address set of the education network:
  – ISP name: edu_address
  – ISP address file name: edu_address.csv
● ISP1 address set:
  – ISP name: isp1_address
  – ISP address file name: isp1_address.csv
● ISP2 address set:
  – ISP name: isp2_address
  – ISP address file name: isp2_address.csv
● Address set of other campuses' servers:
  – ISP name: other_edu_server_address
  – ISP address file name: other_edu_server_address.csv
Description: Before configuring ISP address sets, the administrator needs to write the IP addresses of each ISP network into a separate ISP address file and import the files into the FW. To modify the content of an ISP address file, export the file, modify it, and import it into the FW again. The following figure shows the descriptions and requirements on filling in ISP address files.


Multi-ISP PBR
● pbr_edu_teacher_50user:
  – Source security zone: Trust
  – Destination address: edu_address
  – User: /default/teacher and /default/50user
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities: GE1/0/1: priority value 8; GE1/0/2: priority value 5; GE1/0/3: priority value 5; GE1/0/4: priority value 5; GE1/0/5: priority value 1; GE1/0/6: priority value 1
● pbr_isp1_teacher_50user:
  – Source security zone: Trust
  – Destination address: isp1_address
  – User: /default/teacher and /default/50user
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities: GE1/0/1: priority value 5; GE1/0/2: priority value 8; GE1/0/3: priority value 8; GE1/0/4: priority value 8; GE1/0/5: priority value 1; GE1/0/6: priority value 1
● pbr_isp2_teacher_50user:
  – Source security zone: Trust
  – Destination address: isp2_address
  – User: /default/teacher and /default/50user
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities: GE1/0/1: priority value 5; GE1/0/2: priority value 1; GE1/0/3: priority value 1; GE1/0/4: priority value 1; GE1/0/5: priority value 8; GE1/0/6: priority value 8
● pbr_public_user:
  – Source security zone: Trust
  – User: /default/public_user
  – Intelligent uplink selection mode: active/standby backup by link priority
  – Outbound interfaces involved in intelligent uplink selection and their priorities: GE1/0/1: priority value 8; GE1/0/2: priority value 5; GE1/0/3: priority value 5; GE1/0/4: priority value 5; GE1/0/5: priority value 1; GE1/0/6: priority value 1
● pbr_rest:
  – Source security zone: Trust
  – Intelligent uplink selection mode: load balancing by link quality
  – Detection mode: TCP (simple detection)
  – Detection interval: 3s
  – Detection times: 5
  – Quality detection parameters: packet loss ratio, delay, and jitter
  – Outbound interfaces involved in intelligent uplink selection: GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
Description: After the destination address of a PBR is configured as an ISP address set, the FW uses a link of that ISP to forward traffic that matches all matching conditions of the PBR. If the same ISP has several links with the same priority, the FW selects one of them for each new session. When traffic is heavy, the proportion of traffic forwarded by each link is approximately equal to the link bandwidth ratio, that is, load balancing by link bandwidth is carried out among links of equal priority. After the links with the highest priority are overloaded, links with lower priorities are used for traffic forwarding.
pbr_isp1_teacher_50user is used as an example to illustrate PBR intelligent uplink selection. Its destination address is the ISP1 address set, and its users are teachers and users with the monthly package of 50 Yuan. If traffic matches all matching conditions of the PBR, the destination address of the traffic belongs to the ISP1 network. The three outbound interfaces connected to the ISP1 network, GE1/0/2, GE1/0/3, and GE1/0/4, have the highest priority, so the FW selects one of these three interfaces for forwarding. If GE1/0/2, GE1/0/3, and GE1/0/4 are all overloaded and new traffic still matches pbr_isp1_teacher_50user, traffic for which a session already exists is still forwarded through its original outbound interface, but new traffic is forwarded through GE1/0/1, which has the second highest priority. After GE1/0/1 is overloaded, new traffic is forwarded through GE1/0/5 and GE1/0/6, which have the third highest priority. If all links are overloaded, the FW distributes traffic over the links based on the actual bandwidth ratio, not by link priority.
The link with the best quality is selected through pbr_rest to forward traffic that does not match any item in the ISP address sets, ensuring user experience.
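The following is an added example, not the Huawei FW's implementation, that models the two mechanisms the descriptions above rely on: an ISP address set loaded from a CSV file and matched against a flow's destination, and intelligent uplink selection in active/standby-by-priority mode with the 90% overload protection threshold from Table 1-14, the sticky-session behaviour, and the fall-back to the bandwidth ratio when every link is overloaded. It walks through pbr_isp1_teacher_50user. Assumptions: the ISP address file holds one "start,end" range per line (the document's figure with the real format is not reproduced here), GE1/0/1 and GE1/0/2 are treated as 1000 Mbit/s links, and the ISP1 range and flows are constructed.

```python
"""Added example (not the Huawei implementation): ISP address set matching plus PBR
intelligent uplink selection by link priority with overload protection and fall-back.
CSV layout, the GE1/0/1 and GE1/0/2 bandwidths and all flows are assumptions."""
import csv
import io
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_mbps: int
    priority: int
    load_mbps: float = 0.0
    overload_threshold: float = 0.90            # Table 1-14: overload protection threshold 90%

    def overloaded(self):
        return self.load_mbps >= self.bandwidth_mbps * self.overload_threshold


def load_isp_set(text):
    """Parse 'start,end' lines into sorted integer ranges; lines starting with '#' are comments."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        start, end = (ipaddress.IPv4Address(x.strip()) for x in row[:2])
        if end < start:
            raise ValueError(f"range end before start: {row}")
        ranges.append((int(start), int(end)))
    return sorted(ranges)


def in_isp_set(ranges, ip):
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def weighted_choice(links, rng):
    """Pick a link with probability proportional to its bandwidth (bandwidth-ratio sharing)."""
    r = rng.uniform(0, sum(l.bandwidth_mbps for l in links))
    for link in links:
        r -= link.bandwidth_mbps
        if r <= 0:
            return link
    return links[-1]


def select_by_priority(links, rng=random):
    """Active/standby backup by link priority: the highest priority with a non-overloaded link wins."""
    for prio in sorted({l.priority for l in links}, reverse=True):
        group = [l for l in links if l.priority == prio and not l.overloaded()]
        if group:
            return weighted_choice(group, rng)    # several links of one ISP share by bandwidth
    return weighted_choice(list(links), rng)      # everything overloaded: bandwidth ratio, not priority


def select_by_bandwidth(links, rng=random):
    """Load balancing by link bandwidth (the mode of pbr_dns_trans, p2p_traffic and dis_edu_sys)."""
    return weighted_choice(list(links), rng)


class Pbr:
    """One PBR rule: destination in an ISP address set, outbound link chosen by the configured mode."""

    def __init__(self, name, dest_ranges, links, mode="priority"):
        self.name, self.dest_ranges, self.mode = name, dest_ranges, mode
        self.links = {l.name: l for l in links}
        self.sessions = {}                        # sticky load balancing: flow 5-tuple -> link name

    def route(self, flow, rng=random):
        if not in_isp_set(self.dest_ranges, flow[2]):
            return None                           # no match: the next PBR or the routing table decides
        if flow in self.sessions:
            return self.sessions[flow]            # an established session keeps its interface
        chooser = select_by_priority if self.mode == "priority" else select_by_bandwidth
        link = chooser(list(self.links.values()), rng)
        self.sessions[flow] = link.name
        return link.name


ISP1_CSV = "# constructed sample range, not a real ISP1 allocation\n2.2.0.0,2.2.255.255\n"


def demo_isp1_teacher_50user(seed=7):
    """pbr_isp1_teacher_50user: first session, ISP1 overload, stickiness, total overload, no match."""
    rng = random.Random(seed)
    links = [Link("GE1/0/1", 1000, 5), Link("GE1/0/2", 1000, 8), Link("GE1/0/3", 1000, 8),
             Link("GE1/0/4", 200, 8), Link("GE1/0/5", 1000, 1), Link("GE1/0/6", 1000, 1)]
    pbr = Pbr("pbr_isp1_teacher_50user", load_isp_set(ISP1_CSV), links)
    flow_a = ("10.1.20.5", 50000, "2.2.100.7", 443, "tcp")
    out = {"first": pbr.route(flow_a, rng)}                                   # one of GE1/0/2-4
    for name in ("GE1/0/2", "GE1/0/3", "GE1/0/4"):
        pbr.links[name].load_mbps = pbr.links[name].bandwidth_mbps * 0.95    # ISP1 links above 90%
    out["new_after_overload"] = pbr.route(("10.1.20.6", 50001, "2.2.100.8", 443, "tcp"), rng)
    out["sticky"] = pbr.route(flow_a, rng)                                    # unchanged for flow_a
    for link in pbr.links.values():
        link.load_mbps = link.bandwidth_mbps                                  # every link overloaded
    out["all_overloaded"] = pbr.route(("10.1.20.7", 50002, "2.2.100.9", 443, "tcp"), rng)
    out["not_isp1"] = pbr.route(("10.1.20.8", 50003, "3.3.1.1", 443, "tcp"), rng)
    return out


if __name__ == "__main__":
    print(demo_isp1_teacher_50user())
```

The 5-tuple session key is what makes the behaviour sticky: a session that was placed on GE1/0/3 stays there even after that link crosses the overload threshold, exactly as the description above states, and only new sessions move to GE1/0/1.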

Server Load Balancing


The two servers in the library function as one high-performance and high-
reliability virtual server. For users, there is only one server. To improve user
experience, the virtual server publishes the public IP addresses of multiple ISP
networks.


Table 1-20 Planning for server load balancing configuration


Servers in the library
● Load balancing algorithm: round robin
● Virtual server vs1:
  – VIP corresponding to the education network: 1.1.111.111
  – VIP corresponding to ISP1 network: 2.2.112.112
  – VIP corresponding to ISP2 network: 3.3.113.113
● Real server group grp1:
  – rserver 1: 10.1.10.10
  – rserver 2: 10.1.10.11
Description: The virtual server IP address is a public IP address, and the real server IP addresses are private IP addresses. After server load balancing is configured, the FW automatically generates a black-hole route for the virtual server IP address to prevent routing loops. After you delete the virtual server IP address or cancel the binding between the virtual server and the real server group, the black-hole route is deleted automatically.

Smart DNS
When a private DNS server exists, the FW that has smart DNS enabled
intelligently replies to DNS requests from different ISPs, so that the server address
obtained by a user is in the same ISP network as the user.
For example, a school has a DNS server, which stores the portal server domain
name (www.example.com) and the public IP address 1.1.15.15 assigned by the
education network. Smart DNS is enabled on the FW's GE1/0/2. The mapped
address is the ISP1-assigned public IP address 2.2.15.15.
When an education network user resolves the portal server name, GE1/0/1 does not have smart DNS enabled, so the user obtains the education-network public IP address 1.1.15.15 as the portal server address. When an ISP1 user resolves the same name, the DNS server returns a response carrying 1.1.15.15; as the response leaves through the FW's GE1/0/2, the FW replaces 1.1.15.15 with the ISP1-assigned address 2.2.15.15, and the user then communicates with 2.2.15.15. A NAT server mapping must also be configured on the FW to associate the private portal server address 10.1.10.20 with 2.2.15.15, so that ISP1 users can reach the portal server through 2.2.15.15.


Table 1-21 Planning of smart DNS configuration


Portal server
● Original server IP address: 1.1.15.15
● Outbound interfaces and mapped IP addresses:
  – GE1/0/2: 2.2.15.15
  – GE1/0/3: 2.2.16.16
  – GE1/0/4: 2.2.17.17
  – GE1/0/5: 3.3.15.15
  – GE1/0/6: 3.3.16.16
Description: The original server IP address is the public IP address of the education network, so no smart DNS mapping is needed for the outbound interface corresponding to the education network.

Servers in the library
● Original server IP address: 1.1.101.101
● Outbound interfaces and mapped IP addresses:
  – GE1/0/2: 2.2.102.102
  – GE1/0/3: 2.2.103.103
  – GE1/0/4: 2.2.104.104
  – GE1/0/5: 3.3.102.102
  – GE1/0/6: 3.3.103.103
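The following is an added example, not the Huawei FW's code, that models the two DNS rewrites planned above on real DNS wire format. For DNS transparent proxy (Table 1-17) it reads the question name from an outbound query, leaves domain-name exceptions to their own server, and otherwise picks the primary server bound to the chosen outbound interface, or the secondary one when the primary is Down. For smart DNS (Table 1-21) it walks the answer section of a response leaving through a given interface and replaces A records that carry a mapped original address. The query, the response and the Down state are constructed inputs; the mapping tables are taken from Tables 1-17 and 1-21.

```python
"""Added example (not the Huawei implementation): DNS transparent proxy target selection
and smart DNS answer rewriting on RFC 1035 messages. Messages here are constructed."""
import struct

# Table 1-17: outbound interface -> (primary, secondary) DNS server
IFACE_DNS = {
    "GE1/0/1": ("1.1.22.22", "1.1.23.23"), "GE1/0/2": ("2.2.22.22", "2.2.23.23"),
    "GE1/0/3": ("2.2.24.24", "2.2.25.25"), "GE1/0/4": ("2.2.26.26", "2.2.27.27"),
    "GE1/0/5": ("3.3.22.22", "3.3.23.23"), "GE1/0/6": ("3.3.24.24", "3.3.25.25"),
}
DOMAIN_EXCEPTIONS = {"www.example.com": "1.1.25.25"}
# Table 1-21: original server address -> {outbound interface: mapped address}
SMART_DNS = {
    "1.1.15.15": {"GE1/0/2": "2.2.15.15", "GE1/0/3": "2.2.16.16", "GE1/0/4": "2.2.17.17",
                  "GE1/0/5": "3.3.15.15", "GE1/0/6": "3.3.16.16"},
    "1.1.101.101": {"GE1/0/2": "2.2.102.102", "GE1/0/3": "2.2.103.103", "GE1/0/4": "2.2.104.104",
                    "GE1/0/5": "3.3.102.102", "GE1/0/6": "3.3.103.103"},
}


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, pos):
    """Return (name, position after the name); follows compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    for _ in range(128):                         # bounded so a pointer loop cannot hang the parser
        length = msg[pos]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if end is not None else pos)


def build_query(qname, txid=0x1234):
    """Constructed A query: header, one question, QTYPE=A, QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(qname, ip, txid=0x1234):
    """Constructed response with one A answer whose name is a pointer to the question."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def transparent_proxy_target(query, out_iface, down=frozenset()):
    """New destination for a query under action tpdns; `down` lists servers in the Down state."""
    qname, _ = decode_name(query, 12)
    if qname.lower() in DOMAIN_EXCEPTIONS:
        return DOMAIN_EXCEPTIONS[qname.lower()]  # exception: fixed server, no proxying
    primary, secondary = IFACE_DNS[out_iface]
    return secondary if primary in down else primary


def smart_dns_rewrite(response, out_iface):
    """Rewrite A answers whose rdata is a mapped original address for this outbound interface."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    pos = 12
    for _ in range(qdcount):
        _, pos = decode_name(response, pos)
        pos += 4                                  # QTYPE + QCLASS
    out = bytearray(response)
    for _ in range(ancount):
        _, pos = decode_name(response, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = ".".join(str(b) for b in response[pos:pos + 4])
            mapped = SMART_DNS.get(ip, {}).get(out_iface)
            if mapped:
                out[pos:pos + 4] = bytes(int(x) for x in mapped.split("."))
        pos += rdlen
    return bytes(out)


if __name__ == "__main__":
    print(transparent_proxy_target(build_query("portal.campus.example"), "GE1/0/3"))
    print(smart_dns_rewrite(build_response("www.example.com", "1.1.15.15"), "GE1/0/2")[-4:])
```

Rewriting rdata in a response invalidates any DNSSEC signature over that record, so clients that validate DNSSEC will reject smart-DNS-rewritten answers; this is a property of the technique, not of any particular product.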


NAT
● NAT Server
To ensure the users on each ISP network can access intranet servers, the NAT
server function is required on the FW to translate the private addresses of
servers into public IP addresses.

Table 1-22 Planning for NAT server configuration

Portal server
● Private IP address: 10.1.10.20
● Public IP address:
  – For the education network: 1.1.15.15
  – For ISP1 network: 2.2.15.15, 2.2.16.16, and 2.2.17.17
  – For ISP2 network: 3.3.15.15 and 3.3.16.16
Description: The NAT server can map multiple public IP addresses to the same private IP address based on the security zone.

DNS server
● Private IP address: 10.1.10.30
● Public IP address:
  – For the education network: 1.1.101.101
  – For ISP1 network: 2.2.102.102, 2.2.103.103, and 2.2.104.104
  – For ISP2 network: 3.3.102.102 and 3.3.103.103


● Source NAT
To enable a large number of intranet users to make full use of limited public
IP addresses for access, source NAT needs to be configured on the FW to
translate the private IP addresses in packets into public IP addresses.

Table 1-23 Planning for source NAT configuration


Education network NAT policy
edu_nat_policy:
● Address pool: edu_nat_address_pool
  – Address segment: 1.1.30.31 to 1.1.30.33
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
Description: The source IP addresses in the packets sent by intranet users to access the education network are translated into public IP addresses of the education network.


ISP1 NAT policy
isp1_nat_policy1:
● Address pool: isp1_nat_address_pool1
  – Address segment: 2.2.5.1-2.2.5.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp1_zone1
isp1_nat_policy2:
● Address pool: isp1_nat_address_pool2
  – Address segment: 2.2.6.1-2.2.6.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp1_zone2
isp1_nat_policy3:
● Address pool: isp1_nat_address_pool3
  – Address segment: 2.2.7.1-2.2.7.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp1_zone3
Description: The source IP addresses in the packets sent by intranet users to access ISP1 network are translated into public IP addresses of ISP1 network.


ISP2 NAT policy
isp2_nat_policy1:
● Address pool: isp2_nat_address_pool1
  – Address segment: 3.3.1.1-3.3.1.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp2_zone1
isp2_nat_policy2:
● Address pool: isp2_nat_address_pool2
  – Address segment: 3.3.2.1-3.3.2.3
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: isp2_zone2
Description: The source IP addresses in the packets sent by intranet users to access ISP2 network are translated into public IP addresses of ISP2 network.

Source NAT in the same security zone
inner_nat_policy:
● Address pool: edu_nat_address_pool
  – Address segment: 1.1.30.31 to 1.1.30.33
  – NAT mode: PAT
● Source address: 10.1.0.0/16
● Source security zone: Trust
● Destination security zone: Trust
Description: Source address translation is required when an intranet user (Trust zone) accesses a server in the intranet (also Trust zone) through the server's public address.

● NAT ALG
If the FW that has NAT enabled needs to forward packets of a multichannel
protocol, such as FTP, the NAT ALG function of the protocol needs to be
enabled to ensure correct address translation for the multichannel protocol
packets. In this case, the NAT ALG functions of FTP, QQ, and RTSP are
enabled.

Attack Defense
Attack defense can detect multiple types of network attacks, such as DDoS attack
and single-packet attacks. This function protects the intranet against malicious
attacks.


Table 1-24 Planning for attack defense configuration


Anti-DDoS
● DDoS attack type: SYN Flood
● Interface: GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
● Alarm-threshold rate: 24000
Description: For this flood attack, the recommended starting threshold on a GE interface is 16,000 pps. In this case all the listed interfaces are GE interfaces, and the final threshold of 24000 pps is the result of testing: configure a large threshold first and adjust it according to the test until it falls within the range of normal traffic. A suitable threshold helps defend against attacks without affecting normal services.

Single-packet attack defense
● Land attack defense
● Smurf attack defense
● Fraggle attack defense
● WinNuke attack defense
● IP packet with source route option attack defense
● IP packet with route record option attack defense
● IP packet with timestamp option attack defense
● Ping of Death attack defense
Description: If there are no special network security requirements, enable these functions to defend against single-packet attacks.


Audit Policy
The FW supports the audit function to record the Internet access behavior defined
in the audit policy for future audit and analysis.


Table 1-25 Planning for audit policy configuration


Audit policy
● Source security zone: Trust
● Destination security zone: edu_zone, isp1_zone1, isp1_zone2, isp1_zone3, isp2_zone1, and isp2_zone2
● Action: audit
● Audit profile: trust_to_internet_audit
  – HTTP behavior audit:
    – URL access: record all URLs
    – BBS post: record the content of posts to the BBS
    – Content of microblogs: record
    – File upload through HTTP: record
    – File download through HTTP: record
  – FTP behavior audit:
    – File upload through FTP: record
    – File download through FTP: record
Description: The campus network administrator can record the HTTP and FTP behaviors of intranet users who access the extranet for subsequent auditing.

Bandwidth Management
As P2P traffic uses a lot of bandwidth resources, the campus requests to limit the
bandwidth used by P2P traffic over each ISP1 link and implement bandwidth
limiting for P2P traffic per IP address. Bandwidth management can implement
global/per-IP/per-user traffic limiting for a specific type of traffic.


Table 1-26 Planning for bandwidth management configuration


Traffic limiting for P2P traffic over the link where GE1/0/2 resides
Traffic profile: isp1_p2p_profile_01
● Traffic limiting mode: setting the total of upstream and downstream bandwidth
● Maximum bandwidth for global traffic limiting: 100M
● Maximum total bandwidth for per-IP address traffic limiting: 500K
Traffic policy: isp1_p2p_01
● Inbound interface: GE1/0/7
● Outbound interface: GE1/0/2
● Application: P2P online video and P2P file sharing
● Action: limit
● Traffic profile: isp1_p2p_profile_01
Description: Traffic policies define which traffic bandwidth management applies to, and traffic profiles define the bandwidth resources. After a traffic policy references a traffic profile, the traffic that matches the policy can use only the bandwidth defined by the profile.


Traffic limiting for P2P traffic over the link where GE1/0/3 resides
Traffic profile: isp1_p2p_profile_02
● Traffic limiting mode: setting the total of upstream and downstream bandwidth
● Maximum bandwidth for global traffic limiting: 300M
● Maximum total bandwidth for per-IP address traffic limiting: 1M
Traffic policy: isp1_p2p_02
● Inbound interface: GE1/0/7
● Outbound interface: GE1/0/3
● Application: P2P online video and P2P file sharing
● Action: limit
● Traffic profile: isp1_p2p_profile_02

Traffic limiting for P2P traffic over the link where GE1/0/4 resides
Traffic profile: isp1_p2p_profile_03
● Traffic limiting mode: setting the total of upstream and downstream bandwidth
● Maximum bandwidth for global traffic limiting: 700M
● Maximum total bandwidth for per-IP address traffic limiting: 2M
Traffic policy: isp1_p2p_03
● Inbound interface: GE1/0/7
● Outbound interface: GE1/0/4
● Application: P2P online video and P2P file sharing
● Action: limit
● Traffic profile: isp1_p2p_profile_03
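The following is an added example, not the Huawei FW's implementation, that models the isp1_p2p_01 traffic policy from Table 1-26 as two token buckets: a global bucket for the 100 Mbit/s limit and one bucket per campus host for the 500 kbit/s limit. A matching packet is admitted only when both buckets have room, and the per-host bucket is shared by upstream and downstream packets, which is what the "total of upstream and downstream bandwidth" mode means. Assumptions: a burst depth of one second, the two P2P application names, and the packets and timestamps, which are all constructed for the example.

```python
"""Added example (not the Huawei implementation): two-level token-bucket model of the
isp1_p2p_01 traffic policy (100M global, 500K per IP, both directions in one bucket).
Burst depth, application names, packets and timestamps are assumptions."""


class TokenBucket:
    def __init__(self, rate_bps, burst_seconds=1.0):
        self.rate = rate_bps / 8.0                  # bytes per second
        self.capacity = self.rate * burst_seconds   # burst depth is an assumption
        self.tokens = self.capacity
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def has(self, nbytes):
        return nbytes <= self.tokens

    def take(self, nbytes):
        self.tokens -= nbytes


P2P_APPS = {"p2p_online_video", "p2p_file_sharing"}   # stand-ins for the two P2P signatures


class TrafficPolicy:
    def __init__(self, in_iface, out_iface, apps, global_bps, per_ip_bps):
        self.in_iface, self.out_iface, self.apps = in_iface, out_iface, apps
        self.global_bucket = TokenBucket(global_bps)
        self.per_ip_bps = per_ip_bps
        self.per_ip = {}                            # campus host -> TokenBucket

    def matches(self, pkt):
        """A session matched on its first packet is limited in both directions."""
        path = (pkt["in_iface"], pkt["out_iface"])
        return pkt["app"] in self.apps and path in {
            (self.in_iface, self.out_iface), (self.out_iface, self.in_iface)}

    def handle(self, pkt, now):
        if not self.matches(pkt):
            return "forward"                        # not subject to this policy
        # charge the campus host whichever direction the packet travels
        host = pkt["src"] if pkt["in_iface"] == self.in_iface else pkt["dst"]
        bucket = self.per_ip.setdefault(host, TokenBucket(self.per_ip_bps))
        bucket.refill(now)
        self.global_bucket.refill(now)
        # decide on both limits before spending tokens from either bucket
        if not bucket.has(pkt["len"]):
            return "drop:per-ip"
        if not self.global_bucket.has(pkt["len"]):
            return "drop:global"
        bucket.take(pkt["len"])
        self.global_bucket.take(pkt["len"])
        return "forward"


def isp1_p2p_01():
    """Traffic policy isp1_p2p_01 referencing isp1_p2p_profile_01 (100M global, 500K per IP)."""
    return TrafficPolicy("GE1/0/7", "GE1/0/2", P2P_APPS, 100_000_000, 500_000)


def p2p_packet(host, peer="2.2.50.9", length=1500, app="p2p_file_sharing", upstream=True):
    """Constructed packet: host is the campus address, peer the ISP1-side address."""
    return {"src": host if upstream else peer, "dst": peer if upstream else host,
            "len": length, "app": app,
            "in_iface": "GE1/0/7" if upstream else "GE1/0/2",
            "out_iface": "GE1/0/2" if upstream else "GE1/0/7"}


def run(policy, timed_packets):
    """Apply the policy to (timestamp, packet) pairs and tally the verdicts."""
    counts = {}
    for now, pkt in timed_packets:
        verdict = policy.handle(pkt, now)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # one host bursting 100 packets of 1500 bytes at t=0: 41 fit its 500 kbit/s share (62500 bytes)
    print(run(isp1_p2p_01(), [(0.0, p2p_packet("10.1.20.5")) for _ in range(100)]))
```

The per-host check runs before the global one, so a host that has exhausted its own share is reported as a per-IP drop even when the link still has global headroom, while a host within its share is dropped only when the 100M ceiling is reached; either way the tokens of a dropped packet are never spent.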

Log Server and NMS Devices


The log server can collect, query, and display logs. After the FW is interconnected
with the log server, you can view the session logs (sent by the FW) on the log
server, including session logs before and after NAT. With these logs, you can view
NAT-related address information. On the log server, you can also view the IPS and
attack defense logs sent by the FW. With these logs, you can query attacks and
intrusions on the network.


Table 1-27 Planning for interconnected NMS device configuration


Log server
● IP address: 10.1.10.30
● System log type: IPS and attack defense logs

SNMP
● SNMP version: V3
● SNMPv3 user group:
  – Name: inside_snmp
  – Authentication and encryption mode: privacy (both authentication and encryption)
● Trap:
  – Authentication password of an SNMPv3 user: Test@123
  – Encryption password of an SNMPv3 user: Test@123
  – Target host:
Description: Test@123 is a placeholder for this example. In production, use strong passwords and do not use the same value for the authentication and encryption passwords.

NAT tracing
● Enable Record Session Log for the following security policies: user_inside and user_outside
Description: NAT tracing allows you to view pre-NAT and post-NAT address information. After the session log function is enabled in the security policy view, the FW sends the logs of the sessions matching the security policy to the log host. You can view the log information through the log server to which the log host is connected. Some session logs include pre-NAT and post-NAT address information.

1.4.3 Precautions
Precautions
● Whether the ISP address set includes all required IP addresses affects the
implementation of intelligent uplink selection and smart DNS. Therefore,
update the ISP address database regularly from the security center platform
(isecurity.huawei.com).
● In a multi-egress scenario, PBR intelligent uplink selection cannot be used
together with the IP spoofing attack defense or Unicast Reverse Path
Forwarding (URPF) function. If the IP spoofing attack defense or URPF
function is enabled, the FW may discard packets.

● A license is required to use smart DNS. In addition, smart DNS is available
only after required components are loaded through the dynamic loading
function.
● The virtual server IP address used in server load balancing cannot be the
same as any of the following ones:
– Public IP address of the NAT server (global IP address)
– IP addresses in the NAT address pool
– Gateway IP address
– Interface IP addresses of the FW
● The real server IP address used in server load balancing cannot be the same
as any of the following ones:
– Virtual server IP address
– Public IP address of the NAT server (global IP address)
– Internal server IP address of the NAT server (inside IP)
● After you configure server load balancing, configure IP addresses for real
servers, but not the IP address of the virtual server, when configuring security
policies and the routing function.
● After you configure the NAT address pool and NAT server, configure black-
hole routes to addresses in the address pool and the public address of the
NAT server to prevent routing loops.
● Only the audit administrator can configure the audit function and view audit
logs.
● You can view and export audit logs on the web UI only from the device that
has an available disk installed.
● On networks with different forward and return packet paths, the audit log
contents may be incomplete.
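The server load balancing and NAT precautions above can be checked mechanically before a configuration is committed. The following Python script is an added example, not a Huawei tool: it parses CLI lines in the form shown in this document (prompts included), expands NAT address pool sections, and reports virtual/real server address collisions, public addresses without a black-hole route, and reused NAT server names. The sample configuration inside it is constructed from commands in this example plus two deliberately wrong lines.

```python
"""Audit a FW configuration snippet against the server load balancing and NAT
precautions in this example. Added example, not a Huawei tool."""
import ipaddress
import re

# Display prompts such as "[FW-slb-vserver-1] " are stripped so lines can be fed as shown.
PROMPT = re.compile(r"^\[FW[^\]]*\]\s*")

# Constructed sample: commands taken from this example, plus two deliberately wrong lines
# (vip 3 collides with the education NAT address pool, and a NAT server name is reused).
SAMPLE_CONFIG = """
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 1.1.30.32
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
"""


def parse_config(text):
    """Collect the address classes the precautions refer to from CLI lines."""
    cfg = {key: set() for key in ("interface", "gateway", "vip", "rip", "nat_global",
                                  "nat_inside", "pool", "blackhole")}
    cfg["nat_server_names"] = []
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[:2] == ["ip", "address"] and len(tok) >= 3:
            cfg["interface"].add(tok[2])
        elif tok[:2] == ["redirect-reverse", "next-hop"] and len(tok) >= 3:
            cfg["gateway"].add(tok[2])
        elif tok[0] == "vip" and len(tok) >= 3:
            cfg["vip"].add(tok[2])
        elif tok[0] == "rserver" and "rip" in tok[:-1]:
            cfg["rip"].add(tok[tok.index("rip") + 1])
        elif tok[:2] == ["nat", "server"] and "global" in tok[:-1] and "inside" in tok[:-1]:
            cfg["nat_server_names"].append(tok[2])
            cfg["nat_global"].add(tok[tok.index("global") + 1])
            cfg["nat_inside"].add(tok[tok.index("inside") + 1])
        elif tok[0] == "section" and len(tok) >= 4:
            # A pool section is an inclusive range; every address in it needs a black-hole route.
            first = int(ipaddress.IPv4Address(tok[2]))
            last = int(ipaddress.IPv4Address(tok[3]))
            cfg["pool"].update(str(ipaddress.IPv4Address(a)) for a in range(first, last + 1))
        elif (tok[:2] == ["ip", "route-static"] and len(tok) >= 5
              and tok[3] == "32" and tok[4].upper() == "NULL"):
            cfg["blackhole"].add(tok[2])
    return cfg


def audit(cfg):
    """Return findings as strings; an empty list means the snippet satisfies the precautions."""
    findings = []
    # Virtual server IP must differ from NAT server global, pool, gateway and interface addresses.
    for vip in sorted(cfg["vip"]):
        for kind in ("nat_global", "pool", "gateway", "interface"):
            if vip in cfg[kind]:
                findings.append(f"virtual server IP {vip} collides with {kind} address")
    # Real server IP must differ from virtual server, NAT global and NAT inside addresses.
    for rip in sorted(cfg["rip"]):
        for kind in ("vip", "nat_global", "nat_inside"):
            if rip in cfg[kind]:
                findings.append(f"real server IP {rip} collides with {kind} address")
    # Every NAT server public address and pool address needs a black-hole route (loop prevention).
    for addr in sorted(cfg["nat_global"] | cfg["pool"], key=ipaddress.IPv4Address):
        if addr not in cfg["blackhole"]:
            findings.append(f"no black-hole route for public address {addr}")
    # NAT server names must be unique; a reused name is a configuration error.
    seen = set()
    for name in cfg["nat_server_names"]:
        if name in seen:
            findings.append(f"NAT server name {name} is used more than once")
        seen.add(name)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```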

1.4.4 Configuration Procedure


Procedure
Step 1 Configure interfaces and security zones and configure a gateway address,
bandwidth, and overload protection threshold for outbound interfaces involved in
intelligent uplink selection.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] description connect_to_edu
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/1] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] description connect_to_isp1
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] description connect_to_isp1
[FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252
[FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2

[FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4] description connect_to_isp1
[FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252
[FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2
[FW-GigabitEthernet1/0/4] bandwidth ingress 2000000 threshold 90
[FW-GigabitEthernet1/0/4] bandwidth egress 2000000 threshold 90
[FW-GigabitEthernet1/0/4] quit
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] description connect_to_isp2
[FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252
[FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2
[FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] quit
[FW] interface GigabitEthernet 1/0/6
[FW-GigabitEthernet1/0/6] description connect_to_isp2
[FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252
[FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2
[FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] description connect_to_campus
[FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0
[FW-GigabitEthernet1/0/7] quit
[FW] interface GigabitEthernet 1/0/8
[FW-GigabitEthernet1/0/8] description connect_to_radius
[FW-GigabitEthernet1/0/8] ip address 10.2.1.1 255.255.255.252
[FW-GigabitEthernet1/0/8] quit

Step 2 Configure a security policy.


1. Create a security zone for each of the education network, ISP1 network, and
ISP2 network and assign interfaces to the security zone.
[FW] firewall zone name edu_zone
[FW-zone-edu_zone] set priority 20
[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
[FW-zone-edu_zone] quit
[FW] firewall zone name isp1_zone1
[FW-zone-isp1_zone1] set priority 30
[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
[FW-zone-isp1_zone1] quit
[FW] firewall zone name isp1_zone2
[FW-zone-isp1_zone2] set priority 40
[FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3
[FW-zone-isp1_zone2] quit
[FW] firewall zone name isp1_zone3
[FW-zone-isp1_zone3] set priority 50
[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
[FW-zone-isp1_zone3] quit
[FW] firewall zone name isp2_zone1
[FW-zone-isp2_zone1] set priority 60
[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
[FW-zone-isp2_zone1] quit
[FW] firewall zone name isp2_zone2
[FW-zone-isp2_zone2] set priority 70
[FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6
[FW-zone-isp2_zone2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/7
[FW-zone-trust] quit
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 1/0/8
[FW-zone-dmz] quit

2. Configure interzone security policies to control access between zones.
Reference the default intrusion prevention profile in the security policies and
configure intrusion prevention.
[FW] security-policy
[FW-policy-security] rule name user_inside
[FW-policy-security-rule-user_inside] source-zone trust
[FW-policy-security-rule-user_inside] action permit
[FW-policy-security-rule-user_inside] profile ips default
[FW-policy-security-rule-user_inside] quit
[FW-policy-security] rule name user_outside
[FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24
[FW-policy-security-rule-user_outside] action permit
[FW-policy-security-rule-user_outside] profile ips default
[FW-policy-security-rule-user_outside] quit
[FW-policy-security] rule name local_to_any
[FW-policy-security-rule-local_to_any] source-zone local
[FW-policy-security-rule-local_to_any] destination-zone any
[FW-policy-security-rule-local_to_any] action permit
[FW-policy-security-rule-local_to_any] quit
[FW-policy-security] quit

3. Configure the scheduled update function for the intrusion prevention
function.

A license is available for updating the signature database, and the license is activated on
the device.

1. Configure an update center.
[FW] update server domain sec.huawei.com

2. The device can access the update server directly or through a proxy server. In
this example, the device can directly access the update server.
[FW] dns resolve
[FW] dns server 10.1.10.30

3. Configure the scheduled update function and set the scheduled update time.
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30

Step 3 Configure IP-link to detect whether the status of each ISP is normal.

The IP-link configuration commands on the USG6000 and USG9500 are different. The
USG6000 is used in this example for illustration.
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit

Step 4 Configure routes.

Routes other than the ones shown in this example are configured by the
administrator.
# Configure a static route whose destination address belongs to the network
segment of the intranet and next-hop address is the address of the intranet switch
so that extranet traffic can reach the intranet.
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2

Step 5 Configure users and authentication.


# Use a CSV file to import users/user groups.
1. Fill the user information stored on the RADIUS server in the CSV file template
according to the specified format.
Read the comments in the CSV file template before filling in the CSV file
template. The following figure shows how to fill in required user information.

2. Upload the CSV file to the FW through SFTP.


3. Import the CSV file named demo.csv.
[FW] user-manage user-import demo.csv auto-create-group override

# Create a user group for new users.
[FW] user-manage group /default/newuser
[FW-usergroup-/default/newuser] quit

# Configure RADIUS SSO parameters.
[FW] user-manage single-sign-on radius
[FW-sso-radius] enable
[FW-sso-radius] mode in-path
[FW-sso-radius] interface GigabitEthernet 1/0/7
[FW-sso-radius] traffic server-ip 10.2.1.2 port 1813
[FW-sso-radius] quit

# Set new user options in the default authentication domain.
[FW] aaa
[FW-aaa] domain default
[FW-aaa-domain-default] new-user add-temporary group /default/newuser
[FW-aaa-domain-default] quit
[FW-aaa] quit

# Set the online user timeout duration to 480 minutes.
[FW] user-manage online-user aging-time 480

Step 6 Configure DNS transparent proxy.


# Configure the IP address of each interface bound to the DNS server.
[FW] dns-transparent-policy
[FW-policy-dns] dns transparent-proxy enable
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25

# Configure a domain name exception.


[FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25

# Configure a DNS transparent proxy policy.


[FW-policy-dns] rule name dns_trans_rule
[FW-policy-dns-rule-dns_trans_rule] action tpdns
[FW-policy-dns-rule-dns_trans_rule] quit
[FW-policy-dns] quit

# Configure PBR intelligent uplink selection to load balance DNS request packets
to each link.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit

Step 7 Configure intelligent uplink selection.


# Configure ISP address sets.
1. Upload ISP address files to the FW through SFTP.
2. Create an ISP name for each of the education network, ISP1 network, and
ISP2 network and associate it with the corresponding ISP address file.
[FW] isp name edu_address
[FW] isp name edu_address set filename edu_address.csv
[FW] isp name isp1_address
[FW] isp name isp1_address set filename isp1_address.csv
[FW] isp name isp2_address
[FW] isp name isp2_address set filename isp2_address.csv
[FW] isp name other_edu_server_address
[FW] isp name other_edu_server_address set filename other_edu_server_address.csv

# Create an application corresponding to the distance education system software
and reference the application in the PBR so that traffic generated by the distance
education system software is forwarded over the education network and ISP2
links.

Ensure that the FW has the route configuration that guides the transmission of the traffic
generated by the distance education system even if PBR is unavailable.
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
[FW-sa] quit

[FW] policy-based-route
[FW-policy-pbr] rule name dis_edu_sys
[FW-policy-pbr-rule-dis_edu_sys] source-zone trust
[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
[FW-policy-pbr-rule-dis_edu_sys] quit

# Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.

Ensure that the FW has the route configuration that guides P2P traffic transmission even if
PBR is unavailable.
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit

# Configure single-ISP PBR.
1. Configure the traffic destined for servers of other campuses to be forwarded
over the link to the education network.
[FW-policy-pbr] rule name other_edu_server
[FW-policy-pbr-rule-other_edu_server] source-zone trust
[FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16
[FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address
[FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-other_edu_server] quit
2. Configure the traffic of users with a monthly package of 20 Yuan and users who
access network resources from the library to be forwarded over the link to the
education network. Use a separate rule name for this rule: entering rule name
other_edu_server again would modify the rule created in step 1 instead of
creating a new one.
[FW-policy-pbr] rule name lib_20user
[FW-policy-pbr-rule-lib_20user] source-zone trust
[FW-policy-pbr-rule-lib_20user] user user-group /default/lib
[FW-policy-pbr-rule-lib_20user] user user-group /default/20user
[FW-policy-pbr-rule-lib_20user] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-lib_20user] quit

# Configure destination address-based PBR intelligent uplink selection for teachers
and users with a monthly package of 50 Yuan.
1. Prefer the link to the education network to forward traffic destined for an
address in the address set of the education network.
[FW-policy-pbr] rule name pbr_edu_teacher_50user
[FW-policy-pbr-rule-pbr_edu_teacher_50user] source-zone trust
[FW-policy-pbr-rule-pbr_edu_teacher_50user] destination-address isp edu_address
[FW-policy-pbr-rule-pbr_edu_teacher_50user] user user-group /default/teacher
[FW-policy-pbr-rule-pbr_edu_teacher_50user] user user-group /default/50user
[FW-policy-pbr-rule-pbr_edu_teacher_50user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/1 priority 8

[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_edu_teacher_50user-multi-inter] quit
[FW-policy-pbr-rule-pbr_edu_teacher_50user] quit
2. Prefer ISP1 links to forward traffic destined for an address in the address set
of ISP1 network.
[FW-policy-pbr] rule name pbr_isp1_teacher_50user
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] source-zone trust
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] destination-address isp isp1_address
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] user user-group /default/teacher
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] user user-group /default/50user
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_isp1_teacher_50user-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp1_teacher_50user] quit
3. Prefer ISP2 links to forward traffic destined for an address in the address set
of ISP2 network.
[FW-policy-pbr] rule name pbr_isp2_teacher_50user
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] source-zone trust
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] destination-address isp isp2_address
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] user user-group /default/teacher
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] user user-group /default/50user
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
[FW-policy-pbr-rule-pbr_isp2_teacher_50user-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp2_teacher_50user] quit

# Configure the traffic of users who access network resources from the public area
to be preferentially forwarded over the link to the education network.
[FW-policy-pbr] rule name pbr_public_user
[FW-policy-pbr-rule-pbr_public_user] source-zone trust
[FW-policy-pbr-rule-pbr_public_user] user user-group /default/public_user
[FW-policy-pbr-rule-pbr_public_user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_public_user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/1 priority 8

[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_public_user-multi-inter] quit
[FW-policy-pbr-rule-pbr_public_user] quit

# Select the link with the highest quality through PBR pbr_rest to forward the
traffic that does not match any ISP address set.
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit

Step 8 Configure server load balancing.


# Enable server load balancing.
[FW] slb enable

# Configure a load balancing algorithm.
[FW] slb
[FW-slb] group 1 grp1
[FW-slb-group-1] metric roundrobin

# Add real servers to the real server group.
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-group-1] quit

# Configure a virtual server IP address.
[FW-slb] vserver 1 vs1
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 3.3.113.113

# Associate the virtual server with the real server group.
[FW-slb-vserver-1] group grp1
[FW-slb-vserver-1] quit
[FW-slb] quit

Step 9 Configure smart DNS.


# Enable smart DNS.
[FW] dns-smart enable

# Create a smart DNS group and configure smart DNS mappings in the group.
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15

[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
[FW-dns-smart-group-1] quit
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
[FW-dns-smart-group-2] quit

Step 10 Configure the security zone-based NAT server function so that users on different
ISP networks can use corresponding public IP addresses to access intranet servers.

# Configure the NAT server function for the Portal server.
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
[FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse

# Configure the NAT server function for the DNS server. NAT server names must be
unique, so these mappings use their own names.
[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
[FW] nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
[FW] nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse

# Configure a black-hole route to the public address of the NAT server to prevent
routing loops.
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0

Step 11 Configure source NAT.

# Configure source NAT for traffic destined for the education network. The
address in the address pool is the public address of the education network.
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat-policy
[FW-policy-nat] rule name edu_nat_policy
[FW-policy-nat-rule-edu_nat_policy] source-zone trust
[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-edu_nat_policy] quit
[FW-policy-nat] quit

# Configure intrazone NAT so that intranet users can access the intranet server
through its public address.
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit

# Configure source NAT for traffic destined for ISP1 network. The address in the
address pool is the public address of ISP1 network.
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool3
[FW-address-group-isp1_nat_address_pool3] mode pat
[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
[FW-address-group-isp1_nat_address_pool3] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy3
[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
[FW-policy-nat-rule-isp1_nat_policy3] quit
[FW-policy-nat] quit

# Configure source NAT for traffic destined for the ISP2 network. The addresses in
the address pool are public addresses of the ISP2 network.
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
[FW-address-group-isp2_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy2
[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
[FW-policy-nat-rule-isp2_nat_policy2] quit
[FW-policy-nat] quit

# Configure black-hole routes to the public addresses in the NAT address pools to
prevent routing loops.
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.32 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.2 32 NULL 0
[FW] ip route-static 2.2.5.3 32 NULL 0
[FW] ip route-static 2.2.6.1 32 NULL 0
[FW] ip route-static 2.2.6.2 32 NULL 0
[FW] ip route-static 2.2.6.3 32 NULL 0
[FW] ip route-static 2.2.7.1 32 NULL 0
[FW] ip route-static 2.2.7.2 32 NULL 0
[FW] ip route-static 2.2.7.3 32 NULL 0
[FW] ip route-static 3.3.1.1 32 NULL 0
[FW] ip route-static 3.3.1.2 32 NULL 0
[FW] ip route-static 3.3.1.3 32 NULL 0
[FW] ip route-static 3.3.2.1 32 NULL 0
[FW] ip route-static 3.3.2.2 32 NULL 0
[FW] ip route-static 3.3.2.3 32 NULL 0
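
The black-hole routes above must cover every public address that NAT answers for; a pool address without one is exactly the address whose return traffic can loop between the FW and the upstream router. The following Python script is an added example, not part of this document or of the FW software: it reads a configuration excerpt (either the step-by-step transcript with [FW] prompts or the saved configuration script), expands each nat address-group section range and each nat server global address, and lists the addresses that have no ip route-static <address> 32 NULL 0 entry. The configuration embedded in it is constructed for the example from the address values used in this section.

```python
"""Black-hole route coverage check for NAT public addresses.

Added example, not part of the Huawei document. It parses a Huawei-style
configuration excerpt and reports every public address used by NAT (each
address of a `nat address-group ... section` range and each `nat server ...
global` address) that has no `ip route-static <addr> 32 NULL 0` route.
The configuration below is constructed for this example.
"""
import ipaddress
import re

# Optional "[FW-...]" prompt prefix, so both the step-by-step transcript and
# the saved configuration script can be fed in unchanged.
_PROMPT = r"^\s*(?:\[[^\]]*\]\s*)?"
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

SECTION_RE = re.compile(_PROMPT + r"section\s+\d+\s+" + _IP + r"\s+" + _IP + r"\s*$")
# `global` may be followed by a single address or by a start/end pair.
NAT_SERVER_RE = re.compile(_PROMPT + r"nat server\b.*?\bglobal\s+" + _IP + r"(?:\s+" + _IP + r")?")
BLACKHOLE_RE = re.compile(
    _PROMPT + r"ip route-static\s+" + _IP + r"\s+(?:32|255\.255\.255\.255)\s+NULL\s*0\s*$"
)

# Constructed excerpt: one pool, one NAT server, and black-hole routes that
# deliberately miss the last pool address.
SAMPLE_CONFIG = """\
nat address-group isp1_nat_address_pool1
 mode pat
 section 0 2.2.5.1 2.2.5.3
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
ip route-static 2.2.5.1 32 NULL 0
ip route-static 2.2.5.2 32 NULL 0
ip route-static 1.1.15.15 32 NULL 0
ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
"""


def expand_range(start: str, end: str) -> list[str]:
    """Return every IPv4 address from start to end, inclusive."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]


def nat_public_addresses(config: str) -> set[str]:
    """Collect the public addresses that NAT will answer for."""
    addrs: set[str] = set()
    for line in config.splitlines():
        m = SECTION_RE.match(line)
        if m:
            addrs.update(expand_range(m.group(1), m.group(2)))
            continue
        m = NAT_SERVER_RE.match(line)
        if m:
            addrs.update(expand_range(m.group(1), m.group(2) or m.group(1)))
    return addrs


def blackhole_routes(config: str) -> set[str]:
    """Collect host addresses that already point at NULL 0."""
    return {m.group(1) for m in map(BLACKHOLE_RE.match, config.splitlines()) if m}


def missing_blackhole_routes(config: str) -> list[str]:
    """Public NAT addresses with no black-hole route, in address order."""
    missing = nat_public_addresses(config) - blackhole_routes(config)
    return sorted(missing, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for addr in missing_blackhole_routes(SAMPLE_CONFIG):
        print(f"no black-hole route for NAT address {addr}")
```

Run against the sample it reports 2.2.5.3; run against a real saved configuration it gives the list of `ip route-static ... 32 NULL 0` lines still to add. Routes with a non-host mask, such as the 10.1.0.0 route in the sample, are ignored on purpose, since only host routes to NULL 0 count as black-hole routes here.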

Step 12 Configure NAT ALG between the Trust zone and other security zones. In this
example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT
ALG, enable ASPF.
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit

Step 13 Configure attack defense.
[FW] firewall defend land enable
[FW] firewall defend smurf enable
[FW] firewall defend fraggle enable
[FW] firewall defend ip-fragment enable
[FW] firewall defend tcp-flag enable
[FW] firewall defend winnuke enable
[FW] firewall defend source-route enable
[FW] firewall defend teardrop enable
[FW] firewall defend route-record enable
[FW] firewall defend time-stamp enable
[FW] firewall defend ping-of-death enable

Step 14 Configure an audit profile and reference it in an audit policy.
[FW] profile type audit name trust_to_internet_audit
[FW-profile-audit-trust_to_internet_audit] http-audit url all
[FW-profile-audit-trust_to_internet_audit] http-audit bbs-content
[FW-profile-audit-trust_to_internet_audit] http-audit micro-blog
[FW-profile-audit-trust_to_internet_audit] http-audit file direction both
[FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both
[FW-profile-audit-trust_to_internet_audit] quit
[FW] audit-policy
[FW-policy-audit] rule name trust_to_internet_audit_policy
[FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust
[FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit
[FW-policy-audit-rule-trust_to_internet_audit_policy] quit
[FW-policy-audit] quit

Step 15 Configure bandwidth management.

# Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-user both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit

# Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-user both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit

# Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-user both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
[FW-policy-traffic-rule-isp1_p2p_03] quit
[FW-policy-traffic] quit

Step 16 Configure system log and NAT tracing to view logs on the eSight.

# Configure the function of sending system logs to a log host at 10.1.10.30 (in this
example, IPS and attack defense logs are sent).
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30

# Configure the session log function.
[FW] security-policy
[FW-policy-security] rule name trust_edu_zone
[FW-policy-security-rule-trust_edu_zone] source-zone trust
[FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone
[FW-policy-security-rule-trust_edu_zone] action permit
[FW-policy-security-rule-trust_edu_zone] session logging
[FW-policy-security-rule-trust_edu_zone] quit
[FW-policy-security] rule name trust_isp1_zone
[FW-policy-security-rule-trust_isp1_zone] source-zone trust
[FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3
[FW-policy-security-rule-trust_isp1_zone] action permit
[FW-policy-security-rule-trust_isp1_zone] session logging
[FW-policy-security-rule-trust_isp1_zone] quit
[FW-policy-security] rule name trust_isp2_zone
[FW-policy-security-rule-trust_isp2_zone] source-zone trust
[FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2
[FW-policy-security-rule-trust_isp2_zone] action permit
[FW-policy-security-rule-trust_isp2_zone] session logging
[FW-policy-security-rule-trust_isp2_zone] quit
[FW-policy-security] quit

Step 17 Configure SNMP and ensure that the SNMP parameters on the eSight are
consistent with those on the FW.
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123

After completing the configuration on the eSight, choose Log Analysis > Session
Analysis > IPv4 Session Query to view session logs.

----End

1.4.5 Verification
1. When teachers and users with the 50 Yuan monthly package access the
extranet, traffic destined for the education network is forwarded through
GE1/0/1, traffic destined for the ISP1 network through GE1/0/2, GE1/0/3, or
GE1/0/4, and traffic destined for the ISP2 network through GE1/0/5 or
GE1/0/6.
2. Traffic of the distance education system is forwarded over the link to the
education network or over an ISP2 link, P2P traffic is forwarded over the ISP1
links, and traffic of users with the 20 Yuan monthly package and of users who
access network resources from the library is forwarded over the link to the
education network.
3. Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update
information of the IPS signature database.
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------
# Run the display version ips-sdb command to check the configuration of
the IPS signature database.
[sysname] display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2015041503
Signature Database Size(byte) : 2659606
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 16:06:30 2015/04/15

Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 10:51:45 2015/05/20

Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
4. Run the display firewall server-map command to check server-map entries
generated by server load balancing.
[sysname] display firewall server-map slb
Current Total Server-map : 3
Type: SLB, ANY -> 3.3.113.113[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 2.2.112.112[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 1.1.111.111[grp1/1], Zone:---, protocol:---
Vpn: public -> public
5. Run the display firewall server-map command to check server-map entries
generated by the NAT server function.
[sysname] display firewall server-map nat-server
Current Total Server-map : 12
Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.16.16[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.17.17[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.15.15[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.16.16[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 1.1.101.101[10.1.10.30], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.102.102[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.103.103[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.104.104[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.102.102[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.103.103[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server Reverse, 10.1.10.20[3.3.16.16] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[3.3.15.15] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.17.17] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.16.16] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.103.103] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.102.102] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.104.104] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.103.103] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.102.102] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[1.1.101.101] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
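
Comparing a long server-map listing with the intended nat server lines by eye is error-prone. The following Python script is an added example, not from this document or the FW: it parses display firewall server-map nat-server output in the format shown above, confirms that every configured global address has a Nat Server entry with the configured inside address and zone, and, on the assumption that a server configured with the no-reverse keyword should have no Nat Server Reverse entry, flags reverse entries that should not exist, forward entries that are missing, and server-map entries that match no nat server line. The nat server lines and the display output embedded in it are constructed for this example.

```python
"""Cross-check `display firewall server-map nat-server` output against the
configured `nat server` lines.

Added example, not part of the Huawei document. Assumption: a nat server
configured with the no-reverse keyword should have no "Nat Server Reverse"
entry. The configuration and display output below are constructed for this
example in the format the document shows.
"""
import ipaddress
import re
from dataclasses import dataclass

NAT_SERVER_RE = re.compile(
    r"^\s*nat server\s+(\S+)\s+zone\s+(\S+)\s+global\s+(\S+)\s+inside\s+(\S+)(.*)$"
)
# "Type: Nat Server, ANY -> <global>[<inside>], Zone: <zone> , protocol:---"
FORWARD_RE = re.compile(
    r"Type:\s*Nat Server,\s*ANY\s*->\s*([^\[\s]+)\[([^\]]+)\],\s*Zone:\s*(\S+)"
)
# "Type: Nat Server Reverse, <inside>[<global>] -> ANY, Zone: <zone> , protocol:---"
REVERSE_RE = re.compile(
    r"Type:\s*Nat Server Reverse,\s*([^\[\s]+)\[([^\]]+)\]\s*->\s*ANY,\s*Zone:\s*(\S+)"
)

# Constructed configuration: one ordinary server and two no-reverse servers.
SAMPLE_CONFIG = """\
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
"""

# Constructed display output: 2.2.16.16 is absent, and 2.2.15.15 carries a
# reverse entry it should not have.
SAMPLE_OUTPUT = """\
Current Total Server-map : 4
 Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
 Vpn: public -> public
 Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone1 , protocol:---
 Vpn: public -> public
 Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
 Vpn: public -> public, counter: 1
 Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone1 , protocol:---
 Vpn: public -> public, counter: 1
"""


@dataclass(frozen=True)
class NatServer:
    name: str
    zone: str
    global_ip: str
    inside_ip: str
    no_reverse: bool


def parse_nat_servers(config: str) -> dict[str, NatServer]:
    """Map each global address to the nat server configured for it."""
    servers: dict[str, NatServer] = {}
    for line in config.splitlines():
        m = NAT_SERVER_RE.match(line)
        if m:
            name, zone, g, inside, rest = m.groups()
            servers[g] = NatServer(name, zone, g, inside, "no-reverse" in rest.split())
    return servers


def parse_server_map(output: str):
    """Return (forward, reverse) dicts keyed by global address -> (inside, zone)."""
    forward, reverse = {}, {}
    for line in output.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forward[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = REVERSE_RE.search(line)
        if m:
            reverse[m.group(2)] = (m.group(1), m.group(3))
    return forward, reverse


def check_server_map(config: str, output: str) -> list[str]:
    """Return discrepancies in address order; an empty list means consistent."""
    servers = parse_nat_servers(config)
    forward, reverse = parse_server_map(output)
    findings: list[str] = []
    for g, srv in sorted(servers.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        fwd = forward.get(g)
        if fwd is None:
            findings.append(f"{srv.name}: no server-map entry for {g}")
        elif fwd != (srv.inside_ip, srv.zone):
            findings.append(
                f"{srv.name}: server-map entry {g} -> {fwd[0]} in zone {fwd[1]} differs from configuration"
            )
        if srv.no_reverse and g in reverse:
            findings.append(f"{srv.name}: reverse entry present for {g} although configured no-reverse")
        elif not srv.no_reverse and g not in reverse:
            findings.append(f"{srv.name}: reverse entry missing for {g}")
    for g in sorted(set(forward) - set(servers), key=ipaddress.IPv4Address):
        findings.append(f"unexpected server-map entry for {g}: no matching nat server line")
    return findings


if __name__ == "__main__":
    for finding in check_server_map(SAMPLE_CONFIG, SAMPLE_OUTPUT) or ["server-map consistent"]:
        print(finding)
```

A forward entry that matches no nat server line is reported as well, because a public address that is still mapped after its nat server line was removed keeps exposing the internal host.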

6. Check session logs on the eSight.

1.4.6 Configuration Scripts
#
sysname FW
#
info-center enable
engine log ips enable
info-center source IPS channel loghost log level emergencies
info-center source ANTIATTACK channel loghost
info-center loghost 10.1.10.30
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
isp name edu_address set filename edu_address.csv
isp name isp1_address set filename isp1_address.csv
isp name isp2_address set filename isp2_address.csv
isp name other_edu_server_address set filename other_edu_server_address.csv
#
slb enable
#
user-manage online-user aging-time 480
user-manage single-sign-on radius
enable
mode in-path
interface GigabitEthernet1/0/7
traffic server-ip 10.2.1.2 port 1813
#
update schedule ips-sdb enable
update schedule ips-sdb daily 02:30
update server domain sec.huawei.com
#
dns resolve
dns server 10.1.10.30
#
ip-link check enable
ip-link name edu_ip_link
destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
ip-link name isp1_ip_link
destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
ip-link name isp2_ip_link
destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
#
dns-smart enable
#
aaa
domain default
new-user add-temporary group /default/newuser
#
interface GigabitEthernet1/0/1
description connect_to_edu
ip address 1.1.1.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 1.1.1.2
#
interface GigabitEthernet1/0/2
description connect_to_isp1
ip address 2.2.2.1 255.255.255.252
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
redirect-reverse next-hop 2.2.2.2
#
interface GigabitEthernet1/0/3
description connect_to_isp1
ip address 2.2.3.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 2.2.3.2
#
interface GigabitEthernet1/0/4
description connect_to_isp1
ip address 2.2.4.1 255.255.255.252
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
redirect-reverse next-hop 2.2.4.2
#
interface GigabitEthernet1/0/5
description connect_to_isp2
ip address 3.3.3.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 3.3.3.2
#
interface GigabitEthernet1/0/6
description connect_to_isp2
ip address 3.3.4.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 3.3.4.2
#
interface GigabitEthernet1/0/7
description connect_to_campus
ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet1/0/8
description connect_to_radius
ip address 10.2.1.1 255.255.255.252
#
firewall zone name edu_zone
set priority 20
add interface GigabitEthernet1/0/1
#
firewall zone name isp1_zone1
set priority 30
add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
set priority 40
add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
set priority 50
add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
set priority 60
add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
set priority 70
add interface GigabitEthernet1/0/6
#
firewall zone trust
add interface GigabitEthernet1/0/7
#
firewall zone dmz
add interface GigabitEthernet1/0/8
#
firewall interzone trust edu_zone
detect ftp
detect qq
detect rtsp
firewall interzone trust isp1_zone1
detect ftp
detect qq
detect rtsp
firewall interzone trust isp1_zone2
detect ftp
detect qq
detect rtsp
firewall interzone trust isp1_zone3
detect ftp
detect qq
detect rtsp
firewall interzone trust isp2_zone1
detect ftp
detect qq
detect rtsp
firewall interzone trust isp2_zone2
detect ftp
detect qq
detect rtsp
#
dns-smart group 1 type single
real-server-ip 1.1.15.15
out-interface GigabitEthernet 1/0/2 map 2.2.15.15
out-interface GigabitEthernet 1/0/3 map 2.2.16.16
out-interface GigabitEthernet 1/0/4 map 2.2.17.17
out-interface GigabitEthernet 1/0/5 map 3.3.15.15
out-interface GigabitEthernet 1/0/6 map 3.3.16.16
dns-smart group 2 type single
real-server-ip 1.1.101.101
out-interface GigabitEthernet 1/0/2 map 2.2.102.102
out-interface GigabitEthernet 1/0/3 map 2.2.103.103
out-interface GigabitEthernet 1/0/4 map 2.2.104.104
out-interface GigabitEthernet 1/0/5 map 3.3.102.102
out-interface GigabitEthernet 1/0/6 map 3.3.103.103
#
ip route-static 1.1.15.15 32 NULL 0
ip route-static 2.2.15.15 32 NULL 0
ip route-static 2.2.16.16 32 NULL 0
ip route-static 2.2.17.17 32 NULL 0
ip route-static 3.3.15.15 32 NULL 0
ip route-static 3.3.16.16 32 NULL 0
ip route-static 1.1.101.101 32 NULL 0
ip route-static 2.2.102.102 32 NULL 0
ip route-static 2.2.103.103 32 NULL 0
ip route-static 2.2.104.104 32 NULL 0
ip route-static 3.3.102.102 32 NULL 0
ip route-static 3.3.103.103 32 NULL 0
ip route-static 1.1.30.31 32 NULL 0
ip route-static 1.1.30.32 32 NULL 0
ip route-static 1.1.30.33 32 NULL 0
ip route-static 2.2.5.1 32 NULL 0
ip route-static 2.2.5.2 32 NULL 0
ip route-static 2.2.5.3 32 NULL 0
ip route-static 2.2.6.1 32 NULL 0
ip route-static 2.2.6.2 32 NULL 0
ip route-static 2.2.6.3 32 NULL 0
ip route-static 2.2.7.1 32 NULL 0
ip route-static 2.2.7.2 32 NULL 0
ip route-static 2.2.7.3 32 NULL 0
ip route-static 3.3.1.1 32 NULL 0
ip route-static 3.3.1.2 32 NULL 0
ip route-static 3.3.1.3 32 NULL 0
ip route-static 3.3.2.1 32 NULL 0
ip route-static 3.3.2.2 32 NULL 0
ip route-static 3.3.2.3 32 NULL 0
ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
snmp-agent sys-info version v3
snmp-agent group v3 inside_snmp privacy
snmp-agent usm-user v3 snmp_user group inside_snmp
snmp-agent usm-user v3 snmp_user authentication-mode sha cipher %$%$k)>GV7woERAFb8XL]i9!F[RI\\D(-#s.c$S;ZC3[MPc"qaXS%$%$
snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher %$%$k)>GV7woERAFb8XL]i9!F[RI\\D(-#s.c$S;ZC3[MPc"qaXS%$%$
#
profile type audit name trust_to_internet_audit
http-audit url all
http-audit bbs-content
http-audit micro-blog
http-audit file direction both
ftp-audit file direction both
#
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
nat server portal_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
nat server portal_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
nat server portal_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
nat server portal_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
nat server portal_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
nat server portal_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#
sa
user-defined-application name UD_dis_edu_sys_app
category Business_Systems
data-model client-server
label Encrypted-Communications Business-Applications
rule name 1
ip-address 2.2.50.50 32
port 5000
#
nat address-group edu_nat_address_pool
mode pat
section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
mode pat
section 0 2.2.5.1 2.2.5.3
nat address-group isp1_nat_address_pool2
mode pat
section 0 2.2.6.1 2.2.6.3
nat address-group isp1_nat_address_pool3
mode pat
section 0 2.2.7.1 2.2.7.3
nat address-group isp2_nat_address_pool1
mode pat
section 0 3.3.1.1 3.3.1.3
nat address-group isp2_nat_address_pool2
mode pat
section 0 3.3.2.1 3.3.2.3
#
slb
group 1 grp1
metric roundrobin
rserver 1 rip 10.1.10.10
rserver 2 rip 10.1.10.11
vserver 1 vs1
vip 1 1.1.111.111
vip 2 2.2.112.112
vip 3 3.3.113.113
group grp1
#
security-policy
rule name user_inside
source-zone trust
profile ips default
action permit
rule name user_outside
source-zone edu_zone
source-zone isp1_zone1
source-zone isp1_zone2
source-zone isp1_zone3
source-zone isp2_zone1
source-zone isp2_zone2
destination-address 10.1.10.0 mask 255.255.255.0
profile ips default
action permit
rule name local_to_any
source-zone local
destination-zone any
action permit
#
traffic-policy
profile isp1_p2p_profile_01
bandwidth maximum-bandwidth whole both 100000
bandwidth maximum-bandwidth per-ip both 500
profile isp1_p2p_profile_02
bandwidth maximum-bandwidth whole both 300000
bandwidth maximum-bandwidth per-ip both 1000
profile isp1_p2p_profile_03
bandwidth maximum-bandwidth whole both 700000
bandwidth maximum-bandwidth per-ip both 2000
rule name isp1_p2p_01
ingress-interface GigabitEthernet 1/0/7
egress-interface GigabitEthernet 1/0/2
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_01
rule name isp1_p2p_02
ingress-interface GigabitEthernet 1/0/7
egress-interface GigabitEthernet 1/0/3
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_02
rule name isp1_p2p_03
ingress-interface GigabitEthernet 1/0/7
egress-interface GigabitEthernet 1/0/4
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_03
#
policy-based-route
rule name pbr_dns_trans
source-zone trust
service dns
service dns-tcp
action pbr egress-interface multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
add interface GigabitEthernet 1/0/5
add interface GigabitEthernet 1/0/6
rule name dis_edu_sys
source-zone trust
application app UD_dis_edu_sys_app
action pbr egress-interface multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/5
add interface GigabitEthernet 1/0/6
rule name p2p_traffic
source-zone trust
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action pbr egress-interface multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
rule name pbr_edu
source-zone trust
source-address 10.1.0.0 16
destination-address isp edu_address
action pbr egress-interface multi-interface
mode priority-of-userdefine
add interface GigabitEthernet 1/0/1 priority 8
add interface GigabitEthernet 1/0/2 priority 5
add interface GigabitEthernet 1/0/3 priority 5
add interface GigabitEthernet 1/0/4 priority 5
add interface GigabitEthernet 1/0/5 priority 1
add interface GigabitEthernet 1/0/6 priority 1
rule name pbr_isp1
source-zone trust
source-address 10.1.0.0 16
destination-address isp isp1_address
action pbr egress-interface multi-interface
mode priority-of-userdefine
add interface GigabitEthernet 1/0/1 priority 5
add interface GigabitEthernet 1/0/2 priority 8
add interface GigabitEthernet 1/0/3 priority 8
add interface GigabitEthernet 1/0/4 priority 8
add interface GigabitEthernet 1/0/5 priority 1
add interface GigabitEthernet 1/0/6 priority 1
rule name pbr_isp2
source-zone trust
source-address 10.1.0.0 16
destination-address isp isp2_address
action pbr egress-interface multi-interface
mode priority-of-userdefine
add interface GigabitEthernet 1/0/1 priority 5
add interface GigabitEthernet 1/0/2 priority 1
add interface GigabitEthernet 1/0/3 priority 1
add interface GigabitEthernet 1/0/4 priority 1
add interface GigabitEthernet 1/0/5 priority 8
add interface GigabitEthernet 1/0/6 priority 8
rule name pbr_rest
source-zone trust
source-address 10.1.0.0 16
action pbr egress-interface multi-interface
mode priority-of-link-quality
priority-of-link-quality parameter delay jitter loss
priority-of-link-quality protocol tcp-simple
priority-of-link-quality interval 3 times 5
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
add interface GigabitEthernet 1/0/5
add interface GigabitEthernet 1/0/6
rule name other_edu_server
source-zone trust
source-address 10.1.0.0 16
destination-address isp other_edu_server_address
action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
rule name lib_internet
source-zone trust
source-address 10.1.50.0 22
action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
#
nat-policy
rule name inner_nat_policy
source-zone trust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group edu_nat_address_pool
rule name edu_nat_policy
source-zone trust
source-address 10.1.0.0 16
source-address 10.50.1.0 24
action source-nat address-group edu_nat_address_pool
rule name isp1_nat_policy1
source-zone trust
destination-zone isp1_zone1
source-address 10.1.0.0 16
action source-nat address-group isp1_nat_address_pool1
rule name isp1_nat_policy2
source-zone trust
destination-zone isp1_zone2
source-address 10.1.0.0 16
action source-nat address-group isp1_nat_address_pool2
rule name isp1_nat_policy3
source-zone trust
destination-zone isp1_zone3
source-address 10.1.0.0 16
action source-nat address-group isp1_nat_address_pool3
rule name isp2_nat_policy1
source-zone trust
destination-zone isp2_zone1
source-address 10.1.0.0 16
action source-nat address-group isp2_nat_address_pool1
rule name isp2_nat_policy2
source-zone trust
destination-zone isp2_zone2
source-address 10.1.0.0 16
#
audit-policy
rule name trust_to_internet_audit_policy
source-zone trust
destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
action audit profile trust_to_internet_audit
#
dns-transparent-policy
dns transparent-proxy enable
dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
#
rule name dns_trans_rule
action tpdns
#
return
# The following configuration takes effect only one time and is not saved into the configuration file.
user-manage user-import demo.csv auto-create-group override
user-manage group /default/newuser


1.5 Conclusion and Suggestions


This case has important reference value; in an actual deployment you can enable only the functions you require. The solution can be summarized as follows:
● This case demonstrates multiple classical features of the firewall, including
security policies, NAT, ASPF, attack defense, IPS and bandwidth management
(application-based bandwidth limiting and per-IP/per-user bandwidth
limiting).
● This case shows the capabilities of the firewall that acts as an egress gateway. Uplink selection is one of the most important features of the gateway. In this case, the PBR, intelligent uplink selection, DNS transparent proxy, smart DNS, and server load balancing provided by the firewall meet increasingly complex link selection requirements, improving bandwidth utilization and user experience. Compared with a router that acts as a gateway, the firewall that acts as a gateway has more powerful NAT and security defense capabilities.
● This case also shows the NAT tracing function of the firewall. The firewall
that has an audit policy configured sends session logs to the NMS. The
administrator can view pre-NAT and post-NAT IP addresses on the NMS. NAT
tracing helps audit user online behavior.

2 Application of Firewalls in the Egress Security Solution for Broadcast and Television Networks

2.1 Introduction
This section describes the planning and deployment of firewalls at the egress of a
broadcast and television network. It also provides reference for tier-2 carriers.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.

2.2 Solution Overview


A broadcast and television network provides home broadcast and television services. It also leases links from ISPs to provide access services, such as broadband Internet access and hosted servers. At the network egress, a firewall is usually deployed as an egress gateway to provide Internet access and security assurance.

Figure 2-1 Application of firewalls at the egress of a broadcast and television network

As shown in Figure 2-1, a firewall is deployed at the network egress to provide the following functions:
● NAT: The firewall provides a source NAT function to translate the private IP
address of a broadband user to a public IP address. It also functions as a NAT
server to translate the private IP address of a hosted server to a public IP
address for access of external users.
● Intelligent uplink selection (multi-ISP): The firewall provides multiple uplink
selection modes, such as destination IP address-based and application-based,
using multiple ISP links to ensure the Internet access quality.
● Security management: The firewall isolates security zones using security
policies and provides security protection using such functions as intrusion
prevention and Anti-DDoS.
● Source tracing and audit: The firewall logs pre-NAT and post-NAT IP
addresses and the online and offline activities of IM users for audit and source
tracing.

2.3 Solution Design


2.3.1 Typical Networking


As shown in Figure 2-2, the broadcast and television network leases two links from each of two ISPs to provide broadband Internet access for its MAN users. The broadcast and television network also deploys servers in the server area to provide hosted server services for intranet and extranet users.

Two firewalls are deployed at the Internet egress of the broadcast and television
network for hot standby (active/standby backup). The upstream interfaces of the
two firewalls are connected to the two ISPs through the egress aggregation
switches. The downstream interfaces of the two firewalls are connected to the
MAN through core routers and connected to the servers through the switch in the
server area.

Figure 2-2 Typical networking of firewalls at the egress of a broadcast and television network

Specifically, the broadcast and television network has the following requirements
on the egress firewalls:

● Two firewalls are deployed in active/standby backup mode to improve network availability.
● Source NAT is enabled on the firewalls to ensure that massive MAN users can
access the Internet simultaneously.
● To enhance the broadband Internet access experience of intranet users, the
uplink selection should ensure that:
– Traffic is sent to the ISP that owns the destination IP address. For
example, traffic destined to a server of ISP 1 is forwarded by a link of ISP
1, and traffic destined to a server of ISP 2 is forwarded by a link of ISP 2.
– Traffic destined to one ISP is distributed to the two links of the ISP based
on weights for load balancing.
– P2P traffic is routed to the lower-price and higher-bandwidth links of ISP
2.
● Hosted servers can be accessed by extranet users for management operations.
● DNS servers are also deployed inside the broadcast and television network to
provide domain name resolution for the above servers. The broadcast and
television network expects that a domain name can be resolved to an address
that is allocated to a server by the serving ISP of an extranet user to increase
the access speed.
● The firewalls can protect the intranet against DDoS attacks and warn about
intrusions of zombies, Trojan horses, and worms.
● The firewalls can trace Internet access activities of intranet users for audit,
including logging of pre-NAT and post-NAT addresses and the online and
offline activities of IM users.

2.3.2 Service Planning


Equipment Planning
Table 2-1 lists the devices that may be used at the egress of a broadcast and television network. Where the USG9500 and USG6000 differ, a supplementary description is provided.

Table 2-1 Device planning for the egress of a broadcast and television network

Device: Firewall
  Recommended Plan 1: High-end firewalls (USG9500): distributed, high-performance, high-availability, and scalable
  Recommended Plan 2: Mid-range firewalls (USG6000): centralized and content security

Device: Log server
  Recommended Plan 1: eLog
  Recommended Plan 2: eLog

Hot Standby Planning


One ISP access point cannot be directly connected to two firewalls. Therefore, it is
necessary to deploy an egress aggregation switch between the ISP and the
firewalls. The egress aggregation switch can split one ISP link into two links and

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 103


HUAWEI Firewall 2 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Broadcast and Television Networks

then connect the two links to the upstream interfaces of the two firewalls. OSPF
runs between the firewalls and their downstream routers. Typical hot standby
networking is achieved with two firewalls connected to the upstream switches and
downstream routers. In such networking, a VRRP group is configured on the
upstream interface of a firewall, and a VGMP group is configured on the
downstream interface to monitor service interfaces.
Figure 2-3 shows the hot standby networking, where the interfaces of the active
and standby firewalls connected to one ISP access point are added to one VRRP
group.

Figure 2-3 Hot standby networking

Multi-egress Uplink Selection Planning


The broadcast and television network leases links from different carriers, so multi-egress uplink selection is particularly important. The firewall provides abundant multi-egress functions to meet this requirement:
● A DNS transparent proxy is used to process DNS requests of intranet users,
thereby achieving load balancing among multiple ISPs.
To access the Internet, an intranet user first accesses a domain name, and a DNS server resolves the domain name to an IP address. However, because intranet PCs are generally all served by the DNS server of one ISP, the user obtains only addresses belonging to that ISP, and the subsequent ISP link selection has nothing to choose between. The DNS transparent proxy function provided by the firewall overcomes this defect. Using specific rules, the firewall distributes DNS requests of intranet users to the DNS servers of different ISPs and thereby obtains addresses of different ISPs. DNS requests are load balanced by link weight ratio.

● Multi-egress PBR is employed to achieve ISP link selection.
Multiple outbound interfaces can be specified for PBR of the firewall, and
load balancing among multiple outbound interfaces can be configured. For
example, it is specified that traffic destined to addresses of ISP 1 be
transmitted from the two outbound interfaces of ISP 1 and that the two
outbound interfaces share load based on weights.
● Application-based PBR is employed to direct P2P traffic to the links of ISP 2.
● Health check is employed to check the reachability of links.
The firewall checks the health status of the link from an outbound interface
to a designated destination address to ensure that traffic is not routed to a
faulty link.
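
The destination-ISP matching, weight-based sharing between an ISP's two links, and health-check exclusion described above, modelled in Python as an added example (not Huawei firewall code). The ISP address file layout (one first,last range per line), the link weights and all names are assumptions of the example.

```python
"""Model of the multi-egress uplink selection planned above (added example,
not Huawei firewall code): match the destination to an ISP address file, skip
links whose health check failed, and spread new sessions over the ISP's links
by weight as in the proportion-of-weight mode. Names and file layout are assumed."""
import ipaddress
from collections import Counter

# Constructed ISP address files, one "first,last" range per line. The layout of
# a carrier-supplied isp1.csv/isp2.csv is an assumption of this example.
ISP_FILES = {
    "isp1": "1.1.0.0,1.1.255.255\n",
    "isp2": "2.2.0.0,2.2.255.255\n",
}

# Each ISP's two links with the weights used by the dns_pbr rule in this chapter.
ISP_LINKS = {
    "isp1": [("Eth-Trunk1.1", 2), ("Eth-Trunk1.2", 1)],
    "isp2": [("Eth-Trunk2.1", 3), ("Eth-Trunk2.2", 2)],
}


def load_isp_ranges(files):
    """Parse address files into {isp: [(first, last), ...]} as integer addresses."""
    ranges = {}
    for isp, text in files.items():
        entries = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split(","))
            if last < first:
                raise ValueError(f"{isp}: inverted range {line!r}")
            entries.append((int(first), int(last)))
        ranges[isp] = entries
    return ranges


def match_isp(dst, ranges):
    """ISP whose address file covers dst, or None when no file matches."""
    ip = int(ipaddress.IPv4Address(dst))
    for isp, entries in ranges.items():
        if any(first <= ip <= last for first, last in entries):
            return isp
    return None


class WeightedLinks:
    """Smooth weighted round-robin over the healthy links of one ISP.

    A link with weight 2 gets twice as many new sessions as a link with weight
    1, and a link whose health check failed is never chosen, so traffic is not
    routed to a faulty link.
    """

    def __init__(self, links):
        self.links = list(links)
        self.credit = {name: 0 for name, _ in self.links}

    def pick(self, healthy):
        """Choose the next egress; healthy maps link name -> bool (absent = up)."""
        candidates = [(n, w) for n, w in self.links if healthy.get(n, True)]
        if not candidates:
            return None
        total = sum(w for _, w in candidates)
        for name, weight in candidates:
            self.credit[name] += weight
        chosen = max(candidates, key=lambda link: self.credit[link[0]])[0]
        self.credit[chosen] -= total
        return chosen


def select_egress(dst, ranges, schedulers, healthy, fallback="default-route"):
    """Egress for a new session to dst; unknown ISPs and dead links use the fallback."""
    isp = match_isp(dst, ranges)
    if isp is None:
        return fallback
    return schedulers[isp].pick(healthy) or fallback


def simulate(destinations, healthy):
    """Count the egress chosen for each new session in a list of destination IPs."""
    ranges = load_isp_ranges(ISP_FILES)
    schedulers = {isp: WeightedLinks(links) for isp, links in ISP_LINKS.items()}
    return dict(Counter(select_egress(d, ranges, schedulers, healthy) for d in destinations))


if __name__ == "__main__":
    # Six ISP 1 sessions split 4:2; with Eth-Trunk1.1 down they all move to Eth-Trunk1.2.
    print(simulate([f"1.1.10.{i}" for i in range(6)], {}))
    print(simulate([f"1.1.10.{i}" for i in range(6)], {"Eth-Trunk1.1": False}))
```

A destination covered by no address file falls back to normal routing, which is the case the pbr_rest style rule in the previous chapter handles on the firewall.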

Source NAT Planning


Source NAT is configured on the FW to allow intranet users to access the Internet
using limited public IP addresses.

● Address pool
Configure two address pools corresponding to different ISPs based on the
public IP addresses requested from the ISPs. Note that the public IP addresses
of VRRP groups and disclosed public IP addresses of servers should be
excluded from the address pools.
● Network Address and Port Translation (NAPT)
NAPT translates both IP addresses and ports. When a packet from an intranet user to the Internet arrives at the firewall, NAPT translates the source address of the packet into a public address and translates its source port into a random port outside the well-known range. In this way, one public address can be shared by multiple intranet users, and a large number of users can access the Internet simultaneously.
● NAT ALG: When a NAT-enabled firewall needs to forward packets of a multi-channel protocol (such as FTP, SIP, H323, RTSP, and QQ), which negotiates additional connections inside its payload, the corresponding NAT ALG function must be enabled.

NAT Server Planning


The hosted server services of a broadcast and television network consist mainly of website hosting, for example, hosting a school website, an internal office network, or a company portal website. Because the hosted servers are deployed in the internal DMZ, the NAT server function must be enabled on the firewall to translate the private address of a server into a public address. In addition, users of different ISPs should be given different public addresses.

If the DNS servers are deployed internally, smart DNS is needed to enable extranet
users to obtain the most appropriate resolved addresses of servers. In other words,
the address must belong to the serving ISP of the user.

Security Function Planning


By default, the FW denies all traffic. Therefore, it is necessary to define security
policies to permit normal access traffic. For details, see the Data Planning below.


The egress gateway enables the communication between the broadcast and
television network and the extranet. Therefore, it is necessary to configure security
functions, including intrusion prevention (IPS) and attack defense.
The default IPS profile, default, is used to block detected intrusions. You can also use the profile ids, which only logs attacks without blocking them, and then define a specific IPS profile according to the logs.

User Tracing Planning


User tracing is completed through cooperation with the log server.
1. The FW sends session logs to the log server. The log server records the original (pre-NAT) source IP address/port and destination IP address/port and the post-NAT source IP address/port and destination IP address/port.
2. If a user submits an illegal post on an external network, the administrator traces the user on the log server from his/her public IP address to his/her private IP address.
3. The administrator then traces the private IP address to a specific user account through the authentication system inside the corporate network.
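
The log-server lookup of steps 1 and 2 above, as an added Python example (not Huawei or eLog code). The session-log layout is a constructed key=value format, the addresses are constructed, and the NAT pool ranges are those of the Data Planning in this section; the example shows why the post-NAT port and the time are needed in addition to the public address.

```python
"""NAT tracing over session logs (added example, not Huawei eLog code).
Maps a post-NAT (public) address and port at a given time back to the pre-NAT
private address, which is the lookup the administrator performs on the log
server. The key=value log layout and the addresses below are constructed."""
import ipaddress
from datetime import datetime

# Constructed session-log records in a hypothetical key=value layout; the real
# log format of the firewall and of eLog is not shown on this page.
SESSION_LOGS = """\
time=2019-08-30T10:00:01 proto=tcp src=10.0.20.5:51234 dst=203.0.113.9:443 natsrc=1.1.1.10:20001
time=2019-08-30T10:00:03 proto=tcp src=10.0.21.7:40010 dst=203.0.113.9:443 natsrc=1.1.1.10:20002
time=2019-08-30T10:00:05 proto=tcp src=10.0.22.9:33001 dst=198.51.100.4:80 natsrc=2.2.2.10:20001
time=2019-08-30T10:05:00 proto=tcp src=10.0.23.4:41000 dst=203.0.113.9:443 natsrc=1.1.1.10:20001
"""

# Source NAT address pools from the Data Planning table; they tell which ISP link a session used.
NAT_POOLS = {
    "ISP1_1": ("1.1.1.10", "1.1.1.12"),
    "ISP1_2": ("1.1.2.10", "1.1.2.12"),
    "ISP2_1": ("2.2.2.10", "2.2.2.12"),
    "ISP2_2": ("2.2.3.10", "2.2.3.12"),
}


def _endpoint(text):
    """'10.0.20.5:51234' -> ('10.0.20.5', 51234)."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_session_logs(text):
    """Parse the constructed log lines into records with pre- and post-NAT endpoints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records.append({
            "time": datetime.fromisoformat(fields["time"]),
            "proto": fields["proto"],
            "src": _endpoint(fields["src"]),        # pre-NAT (private) source
            "dst": _endpoint(fields["dst"]),
            "natsrc": _endpoint(fields["natsrc"]),  # post-NAT (public) source
        })
    return records


def pool_for(public_ip):
    """Name of the source NAT pool containing public_ip, or None if it is not a NAT address."""
    ip = ipaddress.IPv4Address(public_ip)
    for name, (first, last) in NAT_POOLS.items():
        if ipaddress.IPv4Address(first) <= ip <= ipaddress.IPv4Address(last):
            return name
    return None


def trace_public_endpoint(records, public_ip, public_port, when, window_seconds=60):
    """Private (ip, port) pairs that used public_ip:public_port within the window around when.

    NAPT shares one public address among many users and reuses a port once the
    earlier session has ended, so the time is essential: 1.1.1.10:20001 belongs
    to two different private hosts in the constructed log.
    """
    when = datetime.fromisoformat(when)
    hits = []
    for rec in records:
        if rec["natsrc"] != (public_ip, public_port):
            continue
        if abs((rec["time"] - when).total_seconds()) <= window_seconds:
            hits.append(rec["src"])
    return hits


def private_hosts_behind(records, public_ip):
    """All private addresses that shared one public address: the address alone is ambiguous."""
    return sorted({rec["src"][0] for rec in records if rec["natsrc"][0] == public_ip})


if __name__ == "__main__":
    recs = parse_session_logs(SESSION_LOGS)
    print(trace_public_endpoint(recs, "1.1.1.10", 20001, "2019-08-30T10:00:30"))
    print(private_hosts_behind(recs, "1.1.1.10"), pool_for("1.1.1.10"))
```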

Data Planning
Data planning is based on the above service planning.

Item: Interfaces and security zones

Eth-Trunk1
  FW_A: member interfaces GE1/0/1, GE1/0/6
  FW_B: member interfaces GE1/0/1, GE1/0/6
  Remarks: Plan public addresses for all public network interfaces and VRRP backup groups connected to the ISPs. Otherwise, the gateway cannot be designated.

Eth-Trunk2
  FW_A: member interfaces GE1/0/2, GE1/0/7
  FW_B: member interfaces GE1/0/2, GE1/0/7

Eth-Trunk1.1
  FW_A: IP address 1.1.1.2/29; security zone isp1_1; gateway 1.1.1.6/29; VRRP backup group 1: 1.1.1.1/29; VGMP management group: Active
  FW_B: IP address 1.1.1.3/29; security zone isp1_1; gateway 1.1.1.6/29; VRRP backup group 1: 1.1.1.1/29; VGMP management group: Standby

Eth-Trunk2.1
  FW_A: IP address 2.2.2.2/29; security zone isp2_1; gateway 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Active
  FW_B: IP address 2.2.2.3/29; security zone isp2_1; gateway 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Standby

Eth-Trunk1.2
  FW_A: IP address 1.1.2.2/29; security zone isp1_2; gateway 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Active
  FW_B: IP address 1.1.2.3/29; security zone isp1_2; gateway 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Standby

Eth-Trunk2.2
  FW_A: IP address 2.2.3.2/29; security zone isp2_2; gateway 2.2.3.6/29; VRRP backup group 2: 2.2.3.1/29; VGMP management group: Active
  FW_B: IP address 2.2.3.3/29; security zone isp2_2; gateway 2.2.3.6/29; VRRP backup group 2: 2.2.3.1/29; VGMP management group: Standby

Eth-Trunk0
  FW_A: member interfaces GE2/0/0, GE1/0/5; IP address 10.0.7.1/24; security zone hrp
  FW_B: member interfaces GE2/0/0, GE1/0/5; IP address 10.0.7.2/24; security zone hrp
  Remarks: Hot standby heartbeat interface.

GE1/0/3
  FW_A: IP address 10.0.3.1/24; security zone Trust
  FW_B: IP address 10.0.4.1/24; security zone Trust
  Remarks: Interface connecting the MAN.

GE1/0/4
  FW_A: IP address 10.0.5.1/24; security zone DMZ
  FW_B: IP address 10.0.6.1/24; security zone DMZ
  Remarks: Interface connecting the server area.

Item: Security policy (FW_A and FW_B)

trust_to_isp1
  Source security zone: Trust
  Destination security zone: isp1_1 and isp1_2
  Action: permit
  IPS profile: default
  Remarks: Allow intranet users to access ISP 1.

trust_to_isp2
  Source security zone: Trust
  Destination security zone: isp2_1 and isp2_2
  Action: permit
  IPS profile: default
  Remarks: Allow intranet users to access ISP 2.

isp1_to_http and isp2_to_http
  Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2
  Destination security zone: DMZ
  Destination address: 10.0.10.10/24
  Service: HTTP
  Action: permit
  IPS profile: default
  Remarks: Allow the ISPs to access the internal web server.

isp1_to_ftp and isp2_to_ftp
  Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2
  Destination security zone: DMZ
  Destination address: 10.0.10.11/24
  Service: FTP
  Action: permit
  IPS profile: default
  Remarks: Allow the ISPs to access the internal FTP server.

isp1_to_dns and isp2_to_dns
  Source security zone: isp1_1, isp1_2, isp2_1, and isp2_2
  Destination security zone: DMZ
  Destination address: 10.0.10.20/24
  Service: dns
  Action: permit
  IPS profile: default
  Remarks: Allow the ISPs to access the internal DNS server.

local_to_eLog
  Source security zone: local
  Destination security zone: DMZ
  Destination address: 10.0.10.30/24
  Action: permit
  Remarks: Allow the firewall to access the internal log server.

local_to_trust
  Source security zone: Local and Trust
  Destination security zone: Local and Trust
  Service: OSPF
  Action: permit
  Remarks: Allow the firewall to exchange OSPF packets with the downstream router.

local_to_isp
  Source security zone: local
  Destination security zone: isp1_1, isp1_2, isp2_1, and isp2_2
  Action: permit
  Remarks: Allow the firewall to access the external network to update its signature databases.
  NOTE: For versions earlier than USG6000&USG9500 V500R001C80, you need to configure required security policies on the FW to allow the FW to send health check probe packets to the destination device. For versions later than V500R001C80, probe packets for health check are not subject to security policies and are permitted by default; therefore, you do not need to configure security policies.

Item: Source NAT (FW_A and FW_B)
  ISP1_1 address pool: 1.1.1.10-1.1.1.12
  ISP1_2 address pool: 1.1.2.10-1.1.2.12
  ISP2_1 address pool: 2.2.2.10-2.2.2.12
  ISP2_2 address pool: 2.2.3.10-2.2.3.12
  Mode: NAPT
  Remarks: –

Item: NAT Server (FW_A and FW_B)
  Web server: private IP address 10.0.10.10; ISP1_1 public IP address 1.1.1.15; ISP1_2 public IP address 1.1.2.15; ISP2_1 public IP address 2.2.2.15; ISP2_2 public IP address 2.2.3.15
  FTP server: private IP address 10.0.10.11; ISP1_1 public IP address 1.1.1.16; ISP1_2 public IP address 1.1.2.16; ISP2_1 public IP address 2.2.2.16; ISP2_2 public IP address 2.2.3.16
  DNS server: private IP address 10.0.10.20; ISP1_1 public IP address 1.1.1.17; ISP1_2 public IP address 1.1.2.17; ISP2_1 public IP address 2.2.2.17; ISP2_2 public IP address 2.2.3.17
  Remarks: –

Item: ISP1 (FW_A and FW_B)
  Address file: isp1.csv
  Carrier: isp1
  Active DNS server: 1.1.1.222
  Standby DNS server: 1.1.1.223
  Remarks: –

Item: ISP2 (FW_A and FW_B)
  Address file: isp2.csv
  Carrier: isp2
  Active DNS server: 2.2.2.222
  Standby DNS server: 2.2.2.223
  Remarks: –

2.4 Precautions
● License
Licenses are required for IPS and smart DNS services. Smart DNS also requires
loading of a content security component.


● Hardware requirement
For the USG9500, IPS, application-based PBR, and smart DNS require that the SPC-APPSEC-FW is installed. Otherwise, these functions are unavailable.
● Before using the IPS function, you are advised to update the IPS signature
database to the latest version.
● Networking
– To prevent communication failures between active and standby firewalls
due to heartbeat interface faults, using an Eth-Trunk interface as the
heartbeat interface is recommended. For devices on which multiple NICs
can be installed (for the support situation, see the hardware guide), an
inter-board Eth-Trunk interface is required. That is, the member interfaces
of the Eth-Trunk interface are on different LPUs. The inter-board Eth-
Trunk improves reliability and increases bandwidth. For devices that do
not support interface expansion or inter-board Eth-Trunk, it is possible
that a faulty LPU may cause all HRP backup channels to be unavailable
and compromise services.
– When hot standby and intelligent uplink selection are used together, if the upstream switch runs VRRP, the upstream physical interface of the firewall must have a public IP address in the same network segment as the address of the ISP router. Otherwise, the gateway of the interface cannot be specified. The gateway command is mandatory for intelligent uplink selection and link health check.
If the upstream device of the firewall is a router, this restriction does not apply.
● Intelligent uplink selection
– The firewall generates an equal-cost default route using the gateway
command. The protocol is UNR, and the route priority is 70, which is
lower than the priority (60) of a static route. When this command takes
effect, you can no longer configure a multi-egress equal-cost static route
manually.
– Intelligent uplink selection cannot be used together with IP address
spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP
address spoofing defense or URPF is enabled, the firewall may drop
packets.
● Black-hole route
The firewall provides a User Network Route (UNR) for addresses in the NAT address pool. The UNR functions the same as a black-hole route: it prevents routing loops and can also be advertised using dynamic routing protocols, such as OSPF. For the NAT server, if the protocol and port are specified, it is also necessary to configure a black-hole route whose destination address is the public address. With this black-hole route, packets from external sources destined to the public address but not matching any entry in the server-map table are matched to the black-hole route and dropped directly, preventing a routing loop.

2.5 Solution Configuration


2.5.1 Configuring Interfaces and Security Zones


Context
Configure interfaces and security zones.

Figure 2-4 Interface IP addresses and security zones

Procedure
Step 1 Configure IP addresses for the interfaces of FW_A.
<FW_A> system-view
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] undo service-manage enable
[FW_A-Eth-Trunk1] description To-isp1
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/6
[FW_A-Eth-Trunk1] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] description To-isp2
[FW_A-Eth-Trunk2] trunkport GigabitEthernet 1/0/2
[FW_A-Eth-Trunk2] trunkport GigabitEthernet 1/0/7
[FW_A-Eth-Trunk2] quit
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] description To-isp1-1
[FW_A-Eth-Trunk1.1] vlan-type dot1q 11
[FW_A-Eth-Trunk1.1] ip address 1.1.1.2 29
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] description To-isp2-1
[FW_A-Eth-Trunk2.1] vlan-type dot1q 21
[FW_A-Eth-Trunk2.1] ip address 2.2.2.2 29
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] description To-isp1-2
[FW_A-Eth-Trunk1.2] vlan-type dot1q 12
[FW_A-Eth-Trunk1.2] ip address 1.1.2.2 29
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] description To-isp2-2
[FW_A-Eth-Trunk2.2] vlan-type dot1q 22
[FW_A-Eth-Trunk2.2] ip address 2.2.3.2 29
[FW_A-Eth-Trunk2.2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] undo service-manage enable
[FW_A-GigabitEthernet1/0/3] description To-router
[FW_A-GigabitEthernet1/0/3] ip address 10.0.3.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] undo service-manage enable
[FW_A-GigabitEthernet1/0/4] description To-server
[FW_A-GigabitEthernet1/0/4] ip address 10.0.5.1 24
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] undo service-manage enable
[FW_A-Eth-Trunk0] description Hrp-interface
[FW_A-Eth-Trunk0] ip address 10.0.7.1 24
[FW_A-Eth-Trunk0] quit
[FW_A] interface GigabitEthernet 2/0/0
[FW_A-GigabitEthernet2/0/0] undo service-manage enable
[FW_A-GigabitEthernet2/0/0] eth-trunk 0
[FW_A-GigabitEthernet2/0/0] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] undo service-manage enable
[FW_A-GigabitEthernet1/0/5] eth-trunk 0
[FW_A-GigabitEthernet1/0/5] quit

Step 2 Assign the FW_A interfaces to security zones.


[FW_A] firewall zone name isp1_1
[FW_A-zone-isp1_1] set priority 10
[FW_A-zone-isp1_1] add interface Eth-Trunk 1.1
[FW_A-zone-isp1_1] quit
[FW_A] firewall zone name isp1_2
[FW_A-zone-isp1_2] set priority 15
[FW_A-zone-isp1_2] add interface Eth-Trunk 1.2
[FW_A-zone-isp1_2] quit
[FW_A] firewall zone name isp2_1
[FW_A-zone-isp2_1] set priority 20
[FW_A-zone-isp2_1] add interface Eth-Trunk 2.1
[FW_A-zone-isp2_1] quit
[FW_A] firewall zone name isp2_2
[FW_A-zone-isp2_2] set priority 25
[FW_A-zone-isp2_2] add interface Eth-Trunk 2.2
[FW_A-zone-isp2_2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/4
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrp
[FW_A-zone-hrp] set priority 75
[FW_A-zone-hrp] add interface Eth-Trunk 0
[FW_A-zone-hrp] quit

Step 3 Configure the IP addresses and security zones of FW_B interfaces according to the
above procedure. The difference lies in the IP addresses of the interfaces.

----End


2.5.2 Configuring Intelligent Uplink Selection and Routes

Procedure
Step 1 Enable the health check function of FW_A. Configure health check for the links of
ISP 1 and ISP 2.

The destination address is a real IP address on the Internet. Here, the ISP gateway
address and DNS address are used.
[FW_A] healthcheck enable
[FW_A] healthcheck name isp1_health1
[FW_A-healthcheck-isp1_health1] destination 1.1.1.6 interface Eth-Trunk1.1 protocol icmp
[FW_A-healthcheck-isp1_health1] destination 1.1.1.222 interface Eth-Trunk1.1 protocol dns
[FW_A-healthcheck-isp1_health1] quit
[FW_A] healthcheck name isp1_health2
[FW_A-healthcheck-isp1_health2] destination 1.1.2.6 interface Eth-Trunk1.2 protocol icmp
[FW_A-healthcheck-isp1_health2] destination 1.1.1.222 interface Eth-Trunk1.2 protocol dns
[FW_A-healthcheck-isp1_health2] quit
[FW_A] healthcheck name isp2_health1
[FW_A-healthcheck-isp2_health1] destination 2.2.2.6 interface Eth-Trunk2.1 protocol icmp
[FW_A-healthcheck-isp2_health1] destination 2.2.2.222 interface Eth-Trunk2.1 protocol dns
[FW_A-healthcheck-isp2_health1] quit
[FW_A] healthcheck name isp2_health2
[FW_A-healthcheck-isp2_health2] destination 2.2.3.6 interface Eth-Trunk2.2 protocol icmp
[FW_A-healthcheck-isp2_health2] destination 2.2.2.222 interface Eth-Trunk2.2 protocol dns
[FW_A-healthcheck-isp2_health2] quit

The configuration of FW_B is the same as that of FW_A.

Step 2 Configure the gateway addresses and bandwidths for interfaces, and apply
corresponding health check configurations.

After health check is enabled on an interface, when the link including the interface
fails, the bound route also fails.
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] gateway 1.1.1.6
[FW_A-Eth-Trunk1.1] bandwidth ingress 800000
[FW_A-Eth-Trunk1.1] bandwidth egress 800000
[FW_A-Eth-Trunk1.1] healthcheck isp1_health1
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk1.2
[FW_A-Eth-Trunk1.2] gateway 1.1.2.6
[FW_A-Eth-Trunk1.2] bandwidth ingress 400000
[FW_A-Eth-Trunk1.2] bandwidth egress 400000
[FW_A-Eth-Trunk1.2] healthcheck isp1_health2
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk2.1
[FW_A-Eth-Trunk2.1] gateway 2.2.2.6
[FW_A-Eth-Trunk2.1] bandwidth ingress 900000
[FW_A-Eth-Trunk2.1] bandwidth egress 900000
[FW_A-Eth-Trunk2.1] healthcheck isp2_health1
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk2.2
[FW_A-Eth-Trunk2.2] gateway 2.2.3.6
[FW_A-Eth-Trunk2.2] bandwidth ingress 600000
[FW_A-Eth-Trunk2.2] bandwidth egress 600000
[FW_A-Eth-Trunk2.2] healthcheck isp2_health2
[FW_A-Eth-Trunk2.2] quit

The configuration of FW_B is the same as that of FW_A.

Step 3 Configure DNS transparent proxy.


1. Configure DNS transparent proxy parameters.
[FW_A] dns-transparent-policy
[FW_A-policy-dns] dns transparent-proxy enable
[FW_A-policy-dns] dns server bind interface Eth-Trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
[FW_A-policy-dns] dns server bind interface Eth-Trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
[FW_A-policy-dns] dns server bind interface Eth-Trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
[FW_A-policy-dns] dns server bind interface Eth-Trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
[FW_A-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
[FW_A-policy-dns] rule name dns_proxy
[FW_A-policy-dns-rule-dns_proxy] action tpdns
[FW_A-policy-dns-rule-dns_proxy] source-address 10.3.0.0 24
[FW_A-policy-dns-rule-dns_proxy] quit
[FW_A-policy-dns] quit

The configuration of FW_B is the same as that of FW_A.

You can use the dns transparent-proxy exclude domain command to set the
domain name that does not require the DNS transparent proxy. Here, it is
assumed that www.example.com is always resolved by the DNS server with
the IP address 1.1.1.222 without using the DNS transparent proxy.

2. Configure DNS-based PBR to enable load balancing for DNS requests based
on link weights.
[FW_A] policy-based-route
[FW_A-policy-pbr] rule name dns_pbr
[FW_A-policy-pbr-rule-dns_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-dns_pbr] service dns
[FW_A-policy-pbr-rule-dns_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk1.1 weight 2
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk1.2 weight 1
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk2.1 weight 3
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] add interface Eth-Trunk2.2 weight 2
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-dns_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-dns_pbr] quit

The configuration of FW_B is the same as that of FW_A.

Step 4 Configure PBR intelligent uplink selection.
1. Prepare the address files of ISP 1 and ISP 2, isp1.csv and isp2.csv.

2. Upload the ISP address files to FW_A.

3. Create the carrier name isp1 and isp2 for ISP 1 and ISP 2, and associate the
ISP address files with the carriers.
[FW_A] isp name isp1 set filename isp1.csv
[FW_A] isp name isp2 set filename isp2.csv

After this configuration, the firewall automatically generates address sets
named with the ISP names. An address set includes addresses of the
corresponding ISP. You cannot modify addresses in the address set directly. To
modify an address, you must re-upload the ISP address file. The ISP address
sets can be referenced by PBR as a source address or destination address.

The configuration of FW_B is the same as that of FW_A.
4. Configure application-based PBR to route P2P traffic to ISP 2.
[FW_A] policy-based-route
[FW_A-policy-pbr] rule name p2p_pbr
[FW_A-policy-pbr-rule-p2p_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-p2p_pbr] application app BT Thunder eDonkey_eMule
[FW_A-policy-pbr-rule-p2p_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] add interface Eth-Trunk2.1 weight 3
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] add interface Eth-Trunk2.2 weight 2
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-p2p_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-p2p_pbr] quit

The matching sequence of PBRs is based on the configuration sequence. Here,
multiple PBRs are configured. You should configure DNS-based and P2P application-
based PBRs before destination address-based PBRs. Otherwise, if a destination
address-based PBR is configured first, it matches the traffic first and the DNS-based
and P2P application-based PBRs are not effective.
The BT, Thunder, and eDonkey_eMule applications are configured. In practice, you may
specify the applications as needed.
The configuration of FW_B is the same as that of FW_A.
5. Configure a PBR with the destination address being an ISP 1 address to route
traffic destined to ISP 1 to an ISP 1 link.
[FW_A-policy-pbr] rule name isp1_pbr
[FW_A-policy-pbr-rule-isp1_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-isp1_pbr] destination-address isp isp1
[FW_A-policy-pbr-rule-isp1_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] add interface Eth-Trunk1.1 weight 2
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] add interface Eth-Trunk1.2 weight 1
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-isp1_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-isp1_pbr] quit

The configuration of FW_B is the same as that of FW_A.

6. Configure a PBR with the destination address being an ISP 2 address to route
traffic destined to ISP 2 to an ISP 2 link.
[FW_A-policy-pbr] rule name isp2_pbr
[FW_A-policy-pbr-rule-isp2_pbr] ingress-interface GigabitEthernet1/0/3
[FW_A-policy-pbr-rule-isp2_pbr] destination-address isp isp2
[FW_A-policy-pbr-rule-isp2_pbr] action pbr egress-interface multi-interface
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] add interface Eth-Trunk2.1 weight 3
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] add interface Eth-Trunk2.2 weight 2
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] mode proportion-of-weight
[FW_A-policy-pbr-rule-isp2_pbr-multi-inter] quit
[FW_A-policy-pbr-rule-isp2_pbr] quit

The configuration of FW_B is the same as that of FW_A.


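The rule ordering and weight-based distribution described in Step 3 and Step 4, modelled as an added Python example that is not Huawei code: the ISP address sets are constructed stand-ins for isp1.csv and isp2.csv, and the hash-based bucket choice is an assumption about how proportion-of-weight spreads flows; check_order flags the misordering the note above warns about.

```python
"""Model of PBR evaluation (added example, not Huawei code): rules are tried in
configuration order, and a multi-interface action spreads flows across its
interfaces in proportion to their weights."""
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-ins for isp1.csv / isp2.csv (the real files are not on the page).
ISP_SETS = {
    "isp1": [ip_network("1.1.0.0/16")],
    "isp2": [ip_network("2.2.0.0/16")],
}


@dataclass
class PbrRule:
    name: str
    egress: Dict[str, int]                       # interface -> weight
    service: Optional[str] = None                # e.g. "dns"
    applications: FrozenSet[str] = frozenset()   # e.g. {"BT", "Thunder"}
    dst_isp: Optional[str] = None                # "isp1" / "isp2" address set

    def matches(self, flow: dict) -> bool:
        if self.service and flow["service"] != self.service:
            return False
        if self.applications and flow["app"] not in self.applications:
            return False
        if self.dst_isp:
            dst = ip_address(flow["dst"])
            if not any(dst in net for net in ISP_SETS[self.dst_isp]):
                return False
        return True

    def select_interface(self, flow: dict) -> str:
        # proportion-of-weight (assumed mechanism): hash the flow into one of
        # sum(weights) buckets and walk the cumulative weights, so the same flow
        # always lands on the same interface.
        key = f"{flow['src']}|{flow['dst']}|{flow['service']}".encode()
        digest = hashlib.sha256(key).digest()
        bucket = int.from_bytes(digest[:4], "big") % sum(self.egress.values())
        for iface, weight in self.egress.items():
            if bucket < weight:
                return iface
            bucket -= weight
        raise RuntimeError("unreachable")


# The four rules exactly as Step 3 and Step 4 configure them.
DNS_PBR = PbrRule("dns_pbr", {"Eth-Trunk1.1": 2, "Eth-Trunk1.2": 1,
                              "Eth-Trunk2.1": 3, "Eth-Trunk2.2": 2}, service="dns")
P2P_PBR = PbrRule("p2p_pbr", {"Eth-Trunk2.1": 3, "Eth-Trunk2.2": 2},
                  applications=frozenset({"BT", "Thunder", "eDonkey_eMule"}))
ISP1_PBR = PbrRule("isp1_pbr", {"Eth-Trunk1.1": 2, "Eth-Trunk1.2": 1}, dst_isp="isp1")
ISP2_PBR = PbrRule("isp2_pbr", {"Eth-Trunk2.1": 3, "Eth-Trunk2.2": 2}, dst_isp="isp2")
CORRECT_ORDER = [DNS_PBR, P2P_PBR, ISP1_PBR, ISP2_PBR]
WRONG_ORDER = [ISP1_PBR, ISP2_PBR, DNS_PBR, P2P_PBR]


def route(rules: List[PbrRule], flow: dict) -> Tuple[Optional[str], Optional[str]]:
    """First matching rule wins; (None, None) means the routing table decides."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.select_interface(flow)
    return None, None


def check_order(rules: List[PbrRule]) -> List[str]:
    """Lint: names of DNS/application rules placed after a destination-ISP rule,
    which the earlier destination rule would shadow for ISP destinations."""
    seen_destination_rule = False
    shadowed = []
    for rule in rules:
        if rule.dst_isp:
            seen_destination_rule = True
        elif seen_destination_rule:
            shadowed.append(rule.name)
    return shadowed


def distribution(rule: PbrRule, samples: int = 10000) -> Dict[str, float]:
    """Share of constructed DNS flows each interface receives under the rule."""
    counts = {iface: 0 for iface in rule.egress}
    for k in range(samples):
        flow = {"src": f"10.3.0.{k % 250 + 1}", "dst": f"198.51.100.{k // 250}",
                "service": "dns", "app": ""}
        counts[rule.select_interface(flow)] += 1
    return {iface: n / samples for iface, n in counts.items()}
```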
Step 5 Configure OSPF.
1. Configure OSPF on FW_A and advertise the network segment of the
downstream interface.
[FW_A] ospf 1
[FW_A-ospf-1] area 0
[FW_A-ospf-1-area-0.0.0.0] network 10.0.3.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] network 10.0.5.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] quit
[FW_A-ospf-1] quit

2. Configure OSPF on FW_B and advertise the network segment of the
downstream interface.
[FW_B] ospf 1
[FW_B-ospf-1] area 0
[FW_B-ospf-1-area-0.0.0.0] network 10.0.4.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] network 10.0.6.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] quit
[FW_B-ospf-1] quit

----End

2.5.3 Configuring Hot Standby

Context
Configure hot standby according to the figure below.

Figure 2-5 Hot standby

Procedure
Step 1 Configure a VRRP group on the upstream interface of FW_A, and set the VRRP
group to an active state.
<FW_A> system-view
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] vrrp vrid 2 virtual-ip 2.2.2.1 29 active
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] vrrp vrid 3 virtual-ip 1.1.2.1 29 active
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] vrrp vrid 4 virtual-ip 2.2.3.1 29 active
[FW_A-Eth-Trunk2.2] quit

Step 2 Configure a VGMP group on FW_A to monitor downstream interfaces.
[FW_A] hrp track interface GigabitEthernet 1/0/3
[FW_A] hrp track interface GigabitEthernet 1/0/4

Step 3 Enable on FW_A the function of adjusting OSPF costs according to the VGMP
status.
[FW_A] hrp adjust ospf-cost enable

Step 4 Enable the preemption function on FW_A and set the preemption delay to 300s.
[FW_A] hrp preempt delay 300

Step 5 Specify the heartbeat interface and enable hot standby on FW_A.
[FW_A] hrp interface Eth-Trunk0 remote 10.0.7.2
[FW_A] hrp enable

Step 6 Configure hot standby on FW_B with reference to the above procedure. The
difference is that the state of the VRRP group is set to standby and that the
remote address of hrp interface is set to 10.0.7.1.
Step 7 Configure routers and switches.
1. Configure OSPF and advertise the neighboring network segments on the
routers. For the specific configuration command, see the related router
documentation.
2. Add three interfaces to one VLAN on the switches. For the specific
configuration command, see the related router documentation.

----End

Result
A hot-standby relationship has been established to back up most subsequent
configurations. Therefore, in the subsequent steps, you only need to make
configurations on the active FW_A (unless otherwise stated).

2.5.4 Configuring Source NAT

Procedure
Step 1 Configure NAT address pool pool_isp1_1 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp1_1
HRP_M[FW_A-address-group-pool_isp1_1] mode pat
HRP_M[FW_A-address-group-pool_isp1_1] section 1.1.1.10 1.1.1.12
HRP_M[FW_A-address-group-pool_isp1_1] route enable
HRP_M[FW_A-address-group-pool_isp1_1] quit

You can run the route enable command to generate a UNR for addresses in the NAT
address pool. The UNR functions the same as a black-hole route. It can prevent a routing
loop.

Step 2 Configure the NAT policy between the Trust and isp1_1 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp1_1.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone isp1_1
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group pool_isp1_1
HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
HRP_M[FW_A-policy-nat] quit

Step 3 Configure NAT address pool pool_isp1_2 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp1_2
HRP_M[FW_A-address-group-pool_isp1_2] mode pat
HRP_M[FW_A-address-group-pool_isp1_2] section 1.1.2.10 1.1.2.12
HRP_M[FW_A-address-group-pool_isp1_2] route enable
HRP_M[FW_A-address-group-pool_isp1_2] quit

Step 4 Configure the NAT policy between the Trust and isp1_2 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp1_2.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat2
HRP_M[FW_A-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat2] destination-zone isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat2] action source-nat address-group pool_isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat2] quit
HRP_M[FW_A-policy-nat] quit

Step 5 Configure NAT address pool pool_isp2_1 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp2_1
HRP_M[FW_A-address-group-pool_isp2_1] mode pat
HRP_M[FW_A-address-group-pool_isp2_1] section 2.2.2.10 2.2.2.12
HRP_M[FW_A-address-group-pool_isp2_1] route enable
HRP_M[FW_A-address-group-pool_isp2_1] quit

Step 6 Configure the NAT policy between the Trust and isp2_1 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp2_1.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat3
HRP_M[FW_A-policy-nat-rule-policy_nat3] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat3] destination-zone isp2_1
HRP_M[FW_A-policy-nat-rule-policy_nat3] action source-nat address-group pool_isp2_1
HRP_M[FW_A-policy-nat-rule-policy_nat3] quit
HRP_M[FW_A-policy-nat] quit

Step 7 Configure NAT address pool pool_isp2_2 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp2_2
HRP_M[FW_A-address-group-pool_isp2_2] mode pat
HRP_M[FW_A-address-group-pool_isp2_2] section 2.2.3.10 2.2.3.12
HRP_M[FW_A-address-group-pool_isp2_2] route enable
HRP_M[FW_A-address-group-pool_isp2_2] quit

Step 8 Configure the NAT policy between the Trust and isp2_2 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp2_2.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat4
HRP_M[FW_A-policy-nat-rule-policy_nat4] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat4] destination-zone isp2_2
HRP_M[FW_A-policy-nat-rule-policy_nat4] action source-nat address-group pool_isp2_2
HRP_M[FW_A-policy-nat-rule-policy_nat4] quit
HRP_M[FW_A-policy-nat] quit

Step 9 Configure NAT ALG.
HRP_M[FW_A] detect ftp
HRP_M[FW_A] detect sip
HRP_M[FW_A] detect h323
HRP_M[FW_A] detect rtsp
HRP_M[FW_A] detect qq

----End

2.5.5 Configuring the NAT Server and Smart DNS

Context
Smart DNS requires a content security group license. It also requires dynamic loading of the
corresponding component.
For the USG9500, smart DNS requires that the SPC-APPSEC-FW is in position. Otherwise,
the function is unavailable.

Procedure
Step 1 Configure the NAT server.
1. Configure the NAT server function, mapping the private addresses of web
servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web2 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web4 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www

2. Configure the NAT server function, mapping the private addresses of FTP
servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp2 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp3 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp4 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp

3. Configure the NAT server function, mapping the private addresses of DNS
servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_dns1 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns2 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns3 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns4 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain

Step 2 Configure sticky load balancing.

Sticky load balancing requires that the interfaces have IP addresses and gateway
addresses. These have already been configured in 2.5.1 Configuring Interfaces and
Security Zones and 2.5.2 Configuring Intelligent Uplink Selection and Routes.
Interface configuration does not support backup. Therefore, you need to configure sticky
load balancing on both FW_A and FW_B.
HRP_M[FW_A] interface Eth-Trunk 1.1
HRP_M[FW_A-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
HRP_M[FW_A-Eth-Trunk1.1] quit
HRP_M[FW_A] interface Eth-Trunk 2.1
HRP_M[FW_A-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
HRP_M[FW_A-Eth-Trunk2.1] quit
HRP_M[FW_A] interface Eth-Trunk 1.2
HRP_M[FW_A-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
HRP_M[FW_A-Eth-Trunk1.2] quit
HRP_M[FW_A] interface Eth-Trunk 2.2
HRP_M[FW_A-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
HRP_M[FW_A-Eth-Trunk2.2] quit
HRP_S[FW_B] interface Eth-Trunk 1.1
HRP_S[FW_B-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
HRP_S[FW_B-Eth-Trunk1.1] quit
HRP_S[FW_B] interface Eth-Trunk 2.1
HRP_S[FW_B-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
HRP_S[FW_B-Eth-Trunk2.1] quit
HRP_S[FW_B] interface Eth-Trunk 1.2
HRP_S[FW_B-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
HRP_S[FW_B-Eth-Trunk1.2] quit
HRP_S[FW_B] interface Eth-Trunk 2.2
HRP_S[FW_B-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
HRP_S[FW_B-Eth-Trunk2.2] quit

Step 3 Configure smart DNS.

DNS servers are deployed in the intranet and record the mapping between web
and FTP servers and public IP addresses. When a user of an ISP requests to access
an intranet server, smart DNS ensures that the address allocated by that ISP to the
server is returned and thereby increases the access speed. For example, when a
user of ISP 1 requests to access the web server 10.0.10.10, the ISP 1 address
1.1.1.15 of the server is returned; when a user of ISP 2 requests to access the
web server 10.0.10.10, the ISP 2 address 2.2.2.15 of the server is returned.
HRP_M[FW_A] dns-smart enable
HRP_M[FW_A] dns-smart group 1 type multi
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.1 map 1.1.1.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.1 map 2.2.2.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.2 map 1.1.2.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.2 map 2.2.3.15
HRP_M[FW_A-dns-smart-group-1] quit
HRP_M[FW_A] dns-smart group 2 type multi
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.1 map 1.1.1.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.1 map 2.2.2.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.2 map 1.1.2.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.2 map 2.2.3.16
HRP_M[FW_A-dns-smart-group-2] quit
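The smart DNS behaviour described in Step 3, as an added Python example that is not Huawei's implementation: it builds a constructed DNS reply from the intranet DNS server and rewrites the A record according to the group 1 mapping above. It assumes a reply is rewritten when its answer carries any address belonging to the group.

```python
"""Smart DNS reply rewriting (added example, not Huawei code). A reply leaving on
an ISP link gets its A record replaced with the address mapped to that link."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterator, List, Tuple

# dns-smart group 1 from Step 3: out-interface -> public address of the web server
DNS_SMART_GROUP_1: Dict[str, str] = {
    "Eth-Trunk1.1": "1.1.1.15",
    "Eth-Trunk2.1": "2.2.2.15",
    "Eth-Trunk1.2": "1.1.2.15",
    "Eth-Trunk2.2": "2.2.3.15",
}


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_reply(txid: int, name: str, addr: str) -> bytes:
    """Constructed DNS reply (one question, one A answer) as the intranet DNS
    server returns it; the answer name is a compression pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def iter_answers(msg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (rtype, rdata_offset, rdlength) for every RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                 # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def answer_addresses(msg: bytes) -> List[str]:
    """IPv4 addresses carried by the A records of the answer section."""
    return [str(IPv4Address(bytes(msg[off:off + 4])))
            for rtype, off, rdlen in iter_answers(msg) if rtype == 1 and rdlen == 4]


def smart_dns_rewrite(msg: bytes, out_interface: str,
                      group: Dict[str, str]) -> Tuple[bytes, int]:
    """Rewrite A records that belong to the group so the client behind the ISP link
    the reply leaves on receives the address reachable through that link.
    Returns the rewritten message and the number of records touched."""
    mapped = IPv4Address(group[out_interface]).packed
    group_addrs = {IPv4Address(a).packed for a in group.values()}
    buf = bytearray(msg)
    rewritten = 0
    for rtype, off, rdlen in iter_answers(msg):
        if rtype == 1 and rdlen == 4 and bytes(buf[off:off + 4]) in group_addrs:
            buf[off:off + 4] = mapped    # same length, so later offsets stay valid
            rewritten += 1
    return bytes(buf), rewritten
```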

Step 4 Configure a black-hole route to the public address of the NAT server to prevent
routing loops between the firewall and ISP routers.
Route configuration does not support backup. Therefore, you need to configure
black-hole routes on both FW_A and FW_B.
HRP_M[FW_A] ip route-static 1.1.1.15 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.1.16 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.1.17 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.16 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.17 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.15 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.16 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.17 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.16 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.17 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.15 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.16 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.17 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.15 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.16 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.17 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.2.15 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.2.16 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.2.17 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.3.15 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.3.16 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.3.17 32 NULL 0
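A check for this step and Step 1, added here and not part of the original document: it parses constructed excerpts of both firewalls' configurations (prompts stripped; both "NULL 0" and "NULL0" spellings accepted, since routes are not backed up by HRP and must be verified on each device) and reports any nat server public address that lacks a black-hole route.

```python
"""Consistency check (added example, not Huawei code): every public address
published by a nat server needs a 32-bit black-hole route on BOTH firewalls."""
import re
from typing import Dict, List, Set

NAT_SERVER_RE = re.compile(
    r"^nat server \S+ zone \S+ protocol \S+ global (\d+\.\d+\.\d+\.\d+)\b")
BLACKHOLE_RE = re.compile(r"^ip route-static (\d+\.\d+\.\d+\.\d+) 32 NULL ?0$")

# Constructed excerpts of the two running configurations, without the
# HRP_M[...] / HRP_S[...] prompts. FW_B deliberately lacks one route.
FW_A_CONFIG = """
nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_dns4 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
ip route-static 1.1.1.15 32 NULL0
ip route-static 2.2.2.15 32 NULL0
ip route-static 1.1.1.16 32 NULL0
ip route-static 2.2.3.17 32 NULL0
"""
FW_B_CONFIG = """
nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_dns4 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
ip route-static 1.1.1.15 32 NULL0
ip route-static 2.2.2.15 32 NULL0
ip route-static 1.1.1.16 32 NULL0
"""


def nat_server_globals(config: str) -> Set[str]:
    """Public (global) addresses published by nat server commands."""
    return {m.group(1) for line in config.splitlines()
            if (m := NAT_SERVER_RE.match(line.strip()))}


def blackhole_routes(config: str) -> Set[str]:
    """Host addresses that have a /32 static route to NULL0."""
    return {m.group(1) for line in config.splitlines()
            if (m := BLACKHOLE_RE.match(line.strip()))}


def audit(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Per device: published addresses with no black-hole route, plus addresses
    the peer publishes that this device does not (nat server is synchronised by
    HRP, so a difference there means the backup is stale)."""
    globals_by_dev = {dev: nat_server_globals(cfg) for dev, cfg in configs.items()}
    all_globals = set().union(*globals_by_dev.values())
    findings: Dict[str, List[str]] = {}
    for dev, cfg in configs.items():
        routes = blackhole_routes(cfg)
        findings[dev] = (
            [f"no black-hole route for {a}" for a in sorted(all_globals - routes)]
            + [f"nat server for {a} not present" for a in sorted(all_globals - globals_by_dev[dev])]
        )
    return findings
```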

----End

2.5.6 Configuring Security Policies and Security Protection

Procedure
Step 1 Configure the Trust-to-isp1 security policy, allowing intranet users to access the
Internet through ISP 1 and enabling intrusion prevention.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_isp1
HRP_M[FW_A-policy-security-rule-trust_to_isp1] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_isp1] destination-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-trust_to_isp1] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_isp1] action permit
HRP_M[FW_A-policy-security-rule-trust_to_isp1] quit

Step 2 Configure the Trust-to-isp2_1 and Trust-to-isp2_2 security policies, allowing
intranet users to access the Internet through ISP 2 and enabling intrusion
prevention.
HRP_M[FW_A-policy-security] rule name trust_to_isp2
HRP_M[FW_A-policy-security-rule-trust_to_isp2] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_isp2] destination-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-trust_to_isp2] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_isp2] action permit
HRP_M[FW_A-policy-security-rule-trust_to_isp2] quit

Step 3 Configure the isp1_1-to-DMZ and isp1_2-to-DMZ security policies, allowing
extranet users to access the web server, FTP server, and DNS server in the DMZ
through the ISP 1 link and enabling intrusion prevention.
HRP_M[FW_A-policy-security] rule name isp1_to_http
HRP_M[FW_A-policy-security-rule-isp1_to_http] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_http] destination-address 10.0.10.10 24
HRP_M[FW_A-policy-security-rule-isp1_to_http] service http
HRP_M[FW_A-policy-security-rule-isp1_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_http] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_http] quit
HRP_M[FW_A-policy-security] rule name isp1_to_ftp
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] destination-address 10.0.10.11 24
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_ftp] quit
HRP_M[FW_A-policy-security] rule name isp1_to_dns
HRP_M[FW_A-policy-security-rule-isp1_to_dns] source-zone isp1_1 isp1_2
HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp1_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-isp1_to_dns] service dns
HRP_M[FW_A-policy-security-rule-isp1_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-isp1_to_dns] action permit
HRP_M[FW_A-policy-security-rule-isp1_to_dns] quit

Step 4 Configure the isp2_1-to-DMZ and isp2_2-to-DMZ security policies, allowing
extranet users to access the web server, FTP server, and DNS server in the DMZ
through the ISP 2 link and enabling intrusion prevention.
HRP_M[FW_A-policy-security] rule name isp2_to_http
HRP_M[FW_A-policy-security-rule-isp2_to_http] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_http] destination-address 10.0.10.10 24
HRP_M[FW_A-policy-security-rule-isp2_to_http] service http
HRP_M[FW_A-policy-security-rule-isp2_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_http] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_http] quit
HRP_M[FW_A-policy-security] rule name isp2_to_ftp
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] destination-address 10.0.10.11 24
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_ftp] quit
HRP_M[FW_A-policy-security] rule name isp2_to_dns
HRP_M[FW_A-policy-security-rule-isp2_to_dns] source-zone isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-isp2_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-isp2_to_dns] service dns
HRP_M[FW_A-policy-security-rule-isp2_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-isp2_to_dns] action permit
HRP_M[FW_A-policy-security-rule-isp2_to_dns] quit

Step 5 Configure the Trust-to-DMZ security policy, allowing intranet users to access the
web server, FTP server, and DNS server in the DMZ zone and enabling intrusion
prevention.
HRP_M[FW_A-policy-security] rule name trust_to_http
HRP_M[FW_A-policy-security-rule-trust_to_http] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_http] destination-address 10.0.10.10 24
HRP_M[FW_A-policy-security-rule-trust_to_http] service http
HRP_M[FW_A-policy-security-rule-trust_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_http] action permit
HRP_M[FW_A-policy-security-rule-trust_to_http] quit
HRP_M[FW_A-policy-security] rule name trust_to_ftp
HRP_M[FW_A-policy-security-rule-trust_to_ftp] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-address 10.0.10.11 24
HRP_M[FW_A-policy-security-rule-trust_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-trust_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-trust_to_ftp] quit
HRP_M[FW_A-policy-security] rule name trust_to_dns
HRP_M[FW_A-policy-security-rule-trust_to_dns] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-address 10.0.10.20 24
HRP_M[FW_A-policy-security-rule-trust_to_dns] service dns
HRP_M[FW_A-policy-security-rule-trust_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_dns] action permit
HRP_M[FW_A-policy-security-rule-trust_to_dns] quit

Step 6 Configure the Local-to-DMZ security policy, allowing the firewall to send logs to
the log server.
HRP_M[FW_A-policy-security] rule name local_to_logcenter
HRP_M[FW_A-policy-security-rule-local_to_logcenter] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-zone dmz
HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-address 10.0.10.30 24
HRP_M[FW_A-policy-security-rule-local_to_logcenter] action permit
HRP_M[FW_A-policy-security-rule-local_to_logcenter] quit

Step 7 Configure the Local-to-isp1 and Local-to-isp2 security policy, allowing the FW to
connect to the security center and update its signature databases.
HRP_M[FW_A-policy-security] rule name local_to_isp
HRP_M[FW_A-policy-security-rule-local_to_isp] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_isp] destination-zone isp1_1 isp1_2 isp2_1 isp2_2
HRP_M[FW_A-policy-security-rule-local_to_isp] action permit
HRP_M[FW_A-policy-security-rule-local_to_isp] quit
HRP_M[FW_A-policy-security] quit

For versions earlier than USG6000&USG9500 V500R001C80: You need to configure required
security policies on the FW to allow the FW to send health check probe packets to the
destination device. For versions later than V500R001C80: Probe packets for health check are
not subject to security policies and are permitted by default. Therefore, you do not need to
configure security policies.

Step 8 Update the IPS signature database and service awareness signature database
automatically.
1. Make sure that the firewall has activated the license that supports the IPS
signature database update server.
HRP_M[FW_A] display license
IPS : Enabled; service expire time: 2015/06/12

2. Configure the DNS server, allowing the firewall to access the security center
using a domain name.
HRP_M[FW_A] dns resolve
HRP_M[FW_A] dns server 1.1.1.222

3. Configure automatic scheduled update of signature databases.
HRP_M[FW_A] update schedule ips-sdb enable
HRP_M[FW_A] update schedule sa-sdb enable
HRP_M[FW_A] update schedule ips-sdb daily 03:00
HRP_M[FW_A] update schedule sa-sdb weekly Mon 03:00

Step 9 Configure attack defense.
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable

----End

2.5.7 Configuring User Tracing

Context
The firewall sends binary session logs and IM logs to the eLog. The eLog collects,
stores, and analyzes the logs. The pre-NAT IP addresses and IM online and offline
activities can be obtained from these logs to meet audit requirements.

Procedure
Step 1 Configure a log host on FW_A.
HRP_M[FW_A] firewall log host 1 10.0.10.30 9002
HRP_M[FW_A] firewall log source 10.0.5.1 6000

Step 2 Enable session log in the security policies of FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_isp1
HRP_M[FW_A-policy-security-rule-trust_to_isp1] session logging
HRP_M[FW_A-policy-security-rule-trust_to_isp1] quit
HRP_M[FW_A-policy-security] rule name trust_to_isp2
HRP_M[FW_A-policy-security-rule-trust_to_isp2] session logging
HRP_M[FW_A-policy-security-rule-trust_to_isp2] quit
HRP_M[FW_A-policy-security] quit

Step 3 Enable IM log sending on FW_A.
HRP_M[FW_A] firewall log im enable

Step 4 Configure the source IP and port that FW_B uses to send logs to the log host. This
configuration does not support backup.
HRP_S[FW_B] firewall log source 10.0.6.1 6000

Step 5 Configure SNMP V3 on FW_A.
HRP_M[FW_A] snmp-agent sys-info version v3
HRP_M[FW_A] snmp-agent group v3 NMS1 privacy
HRP_M[FW_A] snmp-agent usm-user v3 admin1 group NMS1
HRP_M[FW_A] snmp-agent usm-user v3 admin1 authentication-mode md5 cipher Admin@123abcdefg1234567890abccba10
HRP_M[FW_A] snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher Admin@123abcdefg1234567890abccba10

Step 6 Configure SNMP V3 on FW_B. This configuration does not support backup.
HRP_S[FW_B] snmp-agent sys-info version v3
HRP_S[FW_B] snmp-agent group v3 NMS1 privacy
HRP_S[FW_B] snmp-agent usm-user v3 admin1 group NMS1
HRP_S[FW_B] snmp-agent usm-user v3 admin1 authentication-mode md5 cipher Admin@123abcdefg1234567890abccba10
HRP_S[FW_B] snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher Admin@123abcdefg1234567890abccba10

Step 7 After eLog configuration is complete, choose Log Analysis > Session Analysis >
IPv4 Session Log on the eLog to view session logs. Choose Log Analysis > Cyber
Security Analysis > IM to view IM logs.

----End

2.5.8 Viewing Traffic Statistics

Procedure
Step 1 Log in to the web UI.
Step 2 View the traffic history of an interface or the entire device.
Step 3 For the USG6000, if a hard disk is installed, you can also choose Monitoring >
Report > Traffic Report to view traffic reports. You can query traffic histories by
address or application.

----End

2.5.9 Verification
● Intranet users can access the Internet normally.
● Extranet users can access intranet servers using public IP addresses.
● The eLog can obtain session logs of the firewalls.
● Run the shutdown command on GigabitEthernet 1/0/1 of the active firewall
to simulate a link fault. The active/standby switchover completes and
services are not interrupted.


2.5.10 Configuration Scripts


FW_A:
#
 sysname FW_A
#
hrp preempt delay 300
hrp enable
hrp interface Eth-Trunk0 remote 10.0.7.2
hrp track interface GigabitEthernet1/0/3
hrp track interface GigabitEthernet1/0/4
hrp adjust ospf-cost enable
#
firewall log im enable
firewall log host 1 10.0.10.30 9002
firewall log source 10.0.5.1 6000
#
firewall defend smurf enable
firewall defend land enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend winnuke enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend time-stamp enable
#
isp name isp1 set filename isp1.csv
isp name isp2 set filename isp2.csv
#
update schedule ips-sdb weekly Mon 03:00
update schedule sa-sdb daily 03:00
#
dns resolve
dns server 1.1.1.222
#
healthcheck enable
healthcheck name isp1_health1
 destination 1.1.1.6 interface Eth-Trunk1.1 protocol icmp
 destination 1.1.1.222 interface Eth-Trunk1.1 protocol dns
healthcheck name isp1_health2
 destination 1.1.2.6 interface Eth-Trunk1.2 protocol icmp
 destination 1.1.1.222 interface Eth-Trunk1.2 protocol dns
healthcheck name isp2_health1
 destination 2.2.2.6 interface Eth-Trunk2.1 protocol icmp
 destination 2.2.2.222 interface Eth-Trunk2.1 protocol dns
healthcheck name isp2_health2
 destination 2.2.3.6 interface Eth-Trunk2.2 protocol icmp
 destination 2.2.2.222 interface Eth-Trunk2.2 protocol dns
#
interface Eth-Trunk0
 description Hrp-interface
 ip address 10.0.7.1 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk1
 description To-isp1
 undo service-manage enable
#
interface Eth-Trunk2
 description To-isp2
 undo service-manage enable
#
interface Eth-Trunk 1.1
 description To-isp1-1
 ip address 1.1.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.248 active
 healthcheck isp1_health1
 gateway 1.1.1.6
 vlan-type dot1q 11
 bandwidth ingress 800000
 bandwidth egress 800000
 redirect-reverse next-hop 1.1.1.6
#
interface Eth-Trunk 2.1
 description To-isp2-1
 ip address 2.2.2.2 255.255.255.248
 vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.248 active
 healthcheck isp2_health1
 gateway 2.2.2.6
 vlan-type dot1q 21
 bandwidth ingress 900000
 bandwidth egress 900000
 redirect-reverse next-hop 2.2.2.6
#
interface Eth-Trunk 1.2
 description To-isp1-2
 ip address 1.1.2.2 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.2.1 255.255.255.248 active
 healthcheck isp1_health2
 gateway 1.1.2.6
 vlan-type dot1q 12
 bandwidth ingress 400000
 bandwidth egress 400000
 redirect-reverse next-hop 1.1.2.6
#
interface Eth-Trunk 2.2
 description To-isp2-2
 ip address 2.2.3.2 255.255.255.248
 vrrp vrid 4 virtual-ip 2.2.3.1 255.255.255.248 active
 healthcheck isp2_health2
 gateway 2.2.3.6
 vlan-type dot1q 22
 bandwidth ingress 600000
 bandwidth egress 600000
 redirect-reverse next-hop 2.2.3.6
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
 undo service-manage enable
#
interface GigabitEthernet 1/0/2
 eth-trunk 2
 undo service-manage enable
#
interface GigabitEthernet 1/0/3
 description To-router
 ip address 10.0.3.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet 1/0/4
 description To-server
 ip address 10.0.5.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
 undo service-manage enable
#
interface GigabitEthernet 1/0/6
 eth-trunk 1
 undo service-manage enable
#
interface GigabitEthernet 1/0/7
 eth-trunk 2
 undo service-manage enable
#
interface GigabitEthernet 2/0/0
 eth-trunk 0
 undo service-manage enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 5
 add interface GigabitEthernet 1/0/4
#
firewall zone name hrp id 4
 set priority 75
 add interface eth-trunk 0
#
firewall zone name isp1_1 id 5
 set priority 10
 add interface eth-trunk1.1
#
firewall zone name isp1_2 id 6
 set priority 15
 add interface eth-trunk1.2
#
firewall zone name isp2_1 id 7
 set priority 20
 add interface eth-trunk2.1
#
firewall zone name isp2_2 id 8
 set priority 25
 add interface eth-trunk2.2
#
detect ftp
detect sip
detect h323
detect rtsp
detect qq
#
ospf 1
 area 0.0.0.0
  network 10.0.3.0 0.0.0.255
  network 10.0.5.0 0.0.0.255
#
ip route-static 1.1.1.15 255.255.255.255 NULL 0
ip route-static 1.1.1.16 255.255.255.255 NULL 0
ip route-static 1.1.1.17 255.255.255.255 NULL 0
ip route-static 2.2.2.15 255.255.255.255 NULL 0
ip route-static 2.2.2.16 255.255.255.255 NULL 0
ip route-static 2.2.2.17 255.255.255.255 NULL 0
ip route-static 1.1.2.15 255.255.255.255 NULL 0
ip route-static 1.1.2.16 255.255.255.255 NULL 0
ip route-static 1.1.2.17 255.255.255.255 NULL 0
ip route-static 2.2.3.15 255.255.255.255 NULL 0
ip route-static 2.2.3.16 255.255.255.255 NULL 0
ip route-static 2.2.3.17 255.255.255.255 NULL 0
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 NMS1 privacy
snmp-agent usm-user v3 admin1 group NMS1
snmp-agent usm-user v3 admin1 authentication-mode md5 cipher %^%#Hkf(QMzGN$biX-NUpE14:e,9Bu,0E"3TL$@gV<.V%^%#
snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher %^%#77$d.slqmEO)"('y<g6/,h5z<:#v~!jab]@M$58J%^%#
#
nat server policy_web1 0 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_web2 1 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
nat server policy_web3 2 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
nat server policy_web4 3 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 4 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp2 5 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp3 6 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp4 7 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
nat server policy_dns1 8 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
nat server policy_dns2 9 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
nat server policy_dns3 10 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
nat server policy_dns4 11 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
#
dns-smart enable
#
dns-smart group 1 type multi
 out-interface eth-trunk1.1 map 1.1.1.15
 out-interface eth-trunk2.1 map 2.2.2.15
 out-interface eth-trunk1.2 map 1.1.2.15
 out-interface eth-trunk2.2 map 2.2.3.15
#
dns-smart group 2 type multi
 out-interface eth-trunk1.1 map 1.1.1.16
 out-interface eth-trunk2.1 map 2.2.2.16
 out-interface eth-trunk1.2 map 1.1.2.16
 out-interface eth-trunk2.2 map 2.2.3.16
#
nat address-group pool_isp1_1 1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.12
#
nat address-group pool_isp1_2 2
 mode pat
 route enable
 section 0 1.1.2.10 1.1.2.12
#
nat address-group pool_isp2_1 3
 mode pat
 route enable
 section 0 2.2.2.10 2.2.2.12
#
nat address-group pool_isp2_2 4
 mode pat
 route enable
 section 0 2.2.3.10 2.2.3.12
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone isp1_1
  action source-nat address-group pool_isp1_1
 rule name policy_nat2
  source-zone trust
  destination-zone isp1_2
  action source-nat address-group pool_isp1_2
 rule name policy_nat3
  source-zone trust
  destination-zone isp2_1
  action source-nat address-group pool_isp2_1
 rule name policy_nat4
  source-zone trust
  destination-zone isp2_2
  action source-nat address-group pool_isp2_2
#
security-policy
 rule name trust_to_isp1
  session logging
  source-zone trust
  destination-zone isp1_1 isp1_2
  action permit
  profile ips default
 rule name trust_to_isp2
  session logging
  source-zone trust
  destination-zone isp2_1 isp2_2
  action permit
  profile ips default
 rule name isp1_to_http
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name isp1_to_ftp
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name isp1_to_dns
  source-zone isp1_1 isp1_2
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name isp2_to_http
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name isp2_to_ftp
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name isp2_to_dns
  source-zone isp2_1 isp2_2
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name trust_to_http
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.10 24
  service http
  action permit
  profile ips default
 rule name trust_to_ftp
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.11 24
  service ftp
  action permit
  profile ips default
 rule name trust_to_dns
  source-zone trust
  destination-zone dmz
  destination-address 10.0.10.20 24
  service dns
  action permit
  profile ips default
 rule name local_to_logcenter
  source-zone local
  destination-zone dmz
  destination-address 10.0.10.30 24
  action permit
 rule name local_to_isp
  source-zone local
  destination-zone isp1_1 isp1_2 isp2_1 isp2_2
  service http ftp
  action permit
#
policy-based-route
 rule name dns_pbr
  ingress-interface GigabitEthernet1/0/3
  service dns
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk1.1 weight 2
   add interface eth-trunk1.2 weight 1
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
 rule name p2p_pbr
  ingress-interface GigabitEthernet1/0/3
  application app BT Thunder eDonkey_eMule
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
 rule name isp1_pbr
  ingress-interface GigabitEthernet1/0/3
  destination-address isp isp1
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk1.1 weight 2
   add interface eth-trunk1.2 weight 1
 rule name isp2_pbr
  ingress-interface GigabitEthernet1/0/3
  destination-address isp isp2
  action pbr egress-interface multi-interface
   mode proportion-of-weight
   add interface eth-trunk2.1 weight 3
   add interface eth-trunk2.2 weight 2
#
dns-transparent-policy
 dns transparent-proxy enable
 dns server bind interface eth-trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
 dns server bind interface eth-trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
 dns server bind interface eth-trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
 dns server bind interface eth-trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
 dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
#
 rule name dns_proxy
  source-address 10.3.0.0 24
  action tpdns
#
return

FW_B (identical to FW_A except for the following lines, in the order they appear):
#
 sysname FW_B
#
hrp interface Eth-Trunk0 remote 10.0.7.1
#
firewall log source 10.0.6.1 6000
#
interface Eth-Trunk0
 ip address 10.0.7.2 255.255.255.0
#
interface Eth-Trunk 1.1
 ip address 1.1.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.248 standby
#
interface Eth-Trunk 2.1
 ip address 2.2.2.3 255.255.255.248
 vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.248 standby
#
interface Eth-Trunk 1.2
 ip address 1.1.2.3 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.2.1 255.255.255.248 standby
#
interface Eth-Trunk 2.2
 ip address 2.2.3.3 255.255.255.248
 vrrp vrid 4 virtual-ip 2.2.3.1 255.255.255.248 standby
#
interface GigabitEthernet 1/0/3
 ip address 10.0.4.1 255.255.255.0
#
interface GigabitEthernet 1/0/4
 ip address 10.0.6.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.0.4.0 0.0.0.255
  network 10.0.6.0 0.0.0.255
#

2.6 Conclusion and Suggestions

Conclusion
This case describes the networking and deployment of firewalls at the egress of a
broadcast and television network. In practice, select the functions to configure
according to your requirements. The solution can be summarized as follows:

● Hot standby network deployment is used. VRRP runs on the firewall interfaces
facing the upstream switches, and OSPF runs between the firewalls and the
downstream routers. In practice, the firewalls can also connect to upstream
routers running OSPF. In either case, public addresses must be planned for
the upstream interfaces of the firewalls; otherwise, the interface gateway
cannot be specified.
● Multi-egress intelligent uplink selection is an important requirement of a
broadcast and television network. It is met as follows:
– Outgoing traffic: multi-egress PBR fulfills two requirements. Traffic
destined for a specific ISP is forwarded over a link of that ISP, and traffic
destined for one ISP is distributed across that ISP's multiple links for
load balancing.
– Incoming traffic: the NAT server advertises different public IP addresses
of a server to different ISPs. If the DNS server that resolves the server's
domain name is deployed in the intranet, the firewalls also provide smart
DNS, so that external users of an ISP obtain the address allocated to the
server on that ISP. This increases the access speed.
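The smart DNS behaviour summarized above can be seen by replaying the dns-smart
groups of the FW_A script against a few replies. The following Python is an
added illustration, not Huawei code and not part of this document's
configuration. Because the page does not spell out the matching logic, the rule
implemented here is an assumption: when a reply from the intranet DNS server
leaves through an out-interface and its A record is one of the addresses listed
in a dns-smart group, the address mapped to that out-interface is substituted.
The configuration text is copied from the FW_A script in 2.5.10; the answers
fed in are constructed.

```python
"""Smart DNS answer rewriting (added illustration; assumed matching rule).

Assumption: a reply leaving through interface X whose A record matches any
address in a dns-smart group is rewritten to the address the group maps to X.
The DNS_SMART_CONFIG text is copied from the FW_A script of this chapter.
"""
import re
from typing import Dict

DNS_SMART_CONFIG = """\
dns-smart group 1 type multi
 out-interface eth-trunk1.1 map 1.1.1.15
 out-interface eth-trunk2.1 map 2.2.2.15
 out-interface eth-trunk1.2 map 1.1.2.15
 out-interface eth-trunk2.2 map 2.2.3.15
dns-smart group 2 type multi
 out-interface eth-trunk1.1 map 1.1.1.16
 out-interface eth-trunk2.1 map 2.2.2.16
 out-interface eth-trunk1.2 map 1.1.2.16
 out-interface eth-trunk2.2 map 2.2.3.16
"""

GroupMap = Dict[str, Dict[str, str]]  # group id -> {out-interface: public address}


def parse_dns_smart(config: str) -> GroupMap:
    """Build {group: {out-interface: mapped address}} from the CLI text."""
    groups: GroupMap = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"dns-smart group (\S+) type \S+", line)
        if head:
            current = groups.setdefault(head.group(1), {})
            continue
        entry = re.match(r"\s+out-interface (\S+) map (\S+)", line)
        if entry and current is not None:
            current[entry.group(1)] = entry.group(2)
    return groups


def rewrite_answer(groups: GroupMap, out_interface: str, answer: str) -> str:
    """Address an external client sees for `answer` when the reply leaves via
    `out_interface`. Addresses in no group, or interfaces not in the matching
    group, pass through unchanged."""
    for mapping in groups.values():
        if answer in mapping.values():
            return mapping.get(out_interface, answer)
    return answer


def answers_by_isp_link(groups: GroupMap, answer: str) -> Dict[str, str]:
    """What the users behind each ISP link receive for the same record."""
    links = sorted({intf for mapping in groups.values() for intf in mapping})
    return {link: rewrite_answer(groups, link, answer) for link in links}


if __name__ == "__main__":
    parsed = parse_dns_smart(DNS_SMART_CONFIG)
    for link, addr in answers_by_isp_link(parsed, "1.1.1.15").items():
        print(f"{link:12s} -> {addr}")
```

Run stand-alone, the script prints one line per ISP link showing the web
server's address as seen from that link (1.1.1.15 on eth-trunk1.1, 2.2.2.15 on
eth-trunk2.1, and so on), which is exactly why a client on ISP 2 never receives
an ISP 1 address and is served over its own carrier's link.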

Other Configuration Suggestions

In this solution, the most common form of address translation, NAPT, is used. If
the network carries large quantities of P2P traffic, you can configure triplet
NAT instead to reduce the transit costs of tier-2 carriers.
P2P applications, including file sharing, voice communication, and video, all
work by first obtaining the peer's IP address and port from a server and then
setting up a connection directly with the peer. NAPT and P2P applications
therefore do not work well together.
For example, intranet PC 1 first interacts with the extranet P2P server (login
and authentication). The firewall performs NAPT on the packets from PC 1 to the
P2P server, and the P2P server records the translated public address and port
of PC 1. When PC 2 needs to download a file, the server gives it the address and
port of PC 1, and PC 2 tries to download from PC 1. However, the access from PC 2
to PC 1 does not match any session table entry, so the firewall denies it, and
PC 2 can only request the file from other hosts.
As a result, even when PC 1 and PC 2 are both in the intranet, PC 2 still has to
request the file from an external host. When many users start P2P downloads,
this traffic consumes a large share of the carrier's bandwidth and wastes the
transit expenditure of tier-2 carriers. Because the access crosses networks, the
download experience is also poor.
Triplet NAT resolves this problem. Whether or not PC 1 has ever accessed PC 2,
any host that learns the translated address and port of PC 1 can initiate
access to that address and port, and the firewall permits such packets even when
no security policy explicitly allows them. P2P downloads can then take place
directly between two intranet PCs, which reduces the transit expenditure of
tier-2 carriers. Note that this is a deliberate relaxation of the firewall's
posture: the mapped port is reachable by any external host that discovers it for
as long as the mapping exists.
The configuration of triplet NAT differs from NAPT only in that the address pool
mode is set to full-cone.
HRP_M[FW_A] nat address-group pool_isp1
HRP_M[FW_A-address-group-pool_isp1] mode full-cone global
HRP_M[FW_A-address-group-pool_isp1] section 1.1.1.10 1.1.1.12
HRP_M[FW_A-address-group-pool_isp1] quit

For the USG9500, before configuring triplet NAT, you must make sure that the hash board
selection mode is source address-based hash. The configuration command is as follows:
[FW] firewall hash-mode source-only
After the configuration, you need to restart the device to make the configuration take
effect.
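The difference between NAPT and triplet (full-cone) NAT described above, and
its security cost, can be reproduced with a small state-table simulation. The
following Python is an added illustration, not Huawei code: it models only the
two behaviours the text contrasts, a NAPT session table that remembers the
remote endpoint of every flow and a full-cone mapping keyed on the inside
address and port alone. It reuses the chapter's intranet range (10.3.0.0/24)
and a member of the NAT pool (1.1.1.10); PC 1, PC 2, the P2P server, the
"stranger" host and all ports are constructed for the example.

```python
"""NAPT versus full-cone ("triplet") NAT: constructed simulation, not Huawei code.

Models only the two behaviours the chapter contrasts. Intranet 10.3.0.0/24 and
pool address 1.1.1.10 come from the chapter; hosts and ports are constructed
(the P2P server and stranger use documentation ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class NatGateway:
    public_ip: str
    full_cone: bool
    next_port: int = 10000
    # NAPT: (inside endpoint, remote endpoint) -> allocated public port
    sessions: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # full-cone: inside endpoint -> allocated public port (the "triplet")
    mappings: Dict[Endpoint, int] = field(default_factory=dict)
    # public port -> (inside endpoint, remote allowed to use it; None = anyone)
    by_port: Dict[int, Tuple[Endpoint, Optional[Endpoint]]] = field(default_factory=dict)

    def _alloc(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside-to-outside packet and install the matching state."""
        if self.full_cone:
            port = self.mappings.get(pkt.src)
            if port is None:
                port = self._alloc()
                self.mappings[pkt.src] = port
                self.by_port[port] = (pkt.src, None)  # any remote may send to it
        else:
            key = (pkt.src, pkt.dst)
            port = self.sessions.get(key)
            if port is None:
                port = self._alloc()
                self.sessions[key] = port
                self.by_port[port] = (pkt.src, pkt.dst)  # only this peer may reply
        return Packet(src=(self.public_ip, port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside-to-inside packet, or return None when no state
        admits it (the "denied" case in the text)."""
        ip, port = pkt.dst
        if ip != self.public_ip or port not in self.by_port:
            return None
        inside, remote = self.by_port[port]
        if remote is not None and remote != pkt.src:
            return None
        return Packet(src=pkt.src, dst=inside)


PC1: Endpoint = ("10.3.0.11", 40001)
PC2: Endpoint = ("10.3.0.12", 40002)
P2P_SERVER: Endpoint = ("203.0.113.5", 6881)
STRANGER: Endpoint = ("198.51.100.7", 5555)


def pc1_public_endpoint(nat: NatGateway) -> Endpoint:
    """PC 1 logs in to the P2P server; the server records the translated address."""
    return nat.outbound(Packet(PC1, P2P_SERVER)).src


def intranet_peer_download(full_cone: bool) -> Optional[Endpoint]:
    """PC 2 (also inside) connects to PC 1's translated endpoint. Its packet is
    translated on the way out and then hits the public side of the same
    firewall. Returns the inside endpoint reached, or None if dropped."""
    nat = NatGateway("1.1.1.10", full_cone)
    target = pc1_public_endpoint(nat)
    hairpinned = nat.outbound(Packet(PC2, target))
    delivered = nat.inbound(hairpinned)
    return delivered.dst if delivered else None


def unsolicited_external_reach(full_cone: bool) -> Optional[Endpoint]:
    """The cost of full-cone NAT: a host PC 1 never talked to sends to the
    mapped port. Returns the inside endpoint reached, or None if dropped."""
    nat = NatGateway("1.1.1.10", full_cone)
    target = pc1_public_endpoint(nat)
    delivered = nat.inbound(Packet(STRANGER, target))
    return delivered.dst if delivered else None


if __name__ == "__main__":
    for mode, flag in (("NAPT", False), ("full-cone", True)):
        print(f"{mode:9s} intranet peer -> {intranet_peer_download(flag)}")
        print(f"{mode:9s} stranger      -> {unsolicited_external_reach(flag)}")
```

Under NAPT both probes return None: the firewall only admits packets from the
endpoint that the session was opened towards. Under full-cone NAT both reach
PC 1, which is the P2P gain and the exposure in one result; pair the full-cone
pool with the narrowest source set that needs it rather than the whole trust
zone.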



HUAWEI Firewall 3 Application of Firewalls in the Security Solution for
Comprehensive Configuration Examples Financial Data Centers

3 Application of Firewalls in the Security Solution for Financial Data Centers

3.1 Introduction
This section describes the deployment and planning of firewalls in a financial data
center network. It also serves as a reference for firewall deployment in the data
centers of other industries.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.

3.2 Solution Overview


A data center carries the core services of an enterprise and stores massive service
data. It provides critical resources to ensure the normal production and operation
of the enterprise. Therefore, the security of the data center network is of particular
importance.
The Huawei financial data center solution uses a multi-layer, modular design. The
modular design divides the data center network into multiple areas and isolates
services using firewalls. The multi-layer design means that the network
includes a core layer, an aggregation layer, and an access layer, so that the
network is horizontally flexible and easily scalable.
To ensure the security of the data center network and its internal servers, it is
usually necessary to deploy firewalls in the network to provide such functions as
security isolation, access control, attack defense, and intrusion prevention.
As shown in Figure 3-1, firewalls are deployed at three locations in the financial
data center solution: data center egress, intranet access area, and Internet egress.
The firewalls provide different security protection functions.


Figure 3-1 Networking of the financial data center

Item: Firewall at the data center egress
● Uses refined security policies to accurately control users' access to the
data center service area.
● Provides security protection functions, such as IPS and attack defense,
protecting the data center service area against Trojan horses, worms, and
DDoS attacks.

Item: Firewall in the intranet access area
● Serves as an SACG to work with the Agile Controller to authenticate users
who access the intranet locally or through private lines.

Item: Firewall at the Internet egress
● Provides user-defined security zones to distinguish between access users by
credibility.
● Uses refined security policies to accurately control users' access to the
intranet.
● Provides NAT.
● Provides security protection functions, such as intrusion prevention and
attack defense, protecting the intranet against Trojan horses, worms, and
DDoS attacks.
● Serves as the IPSec VPN gateway and SSL VPN gateway for secure VPN access of
employees on the move, partners, and branches.

The following part describes the networking solutions and configuration methods
of the firewalls.

3.3 Firewalls at the Data Center Egress

3.3.1 Typical Networking


Figure 3-2 shows the typical networking of firewalls at the data center egress.
● Core switches SW1 and SW2 are stacked; aggregation switches SW3 and SW4
are stacked. Firewalls are located between core switches and aggregation
switches. They work in Layer 3 hot standby mode.
● VRRP is configured on the interfaces connecting the firewalls to the upstream
and downstream devices. The firewalls use the VRRP virtual IP addresses to
communicate with the upstream and downstream devices.
● Static routes are configured on the firewalls to guide traffic forwarding.


Figure 3-2 Typical networking of firewalls at the data center egress

3.3.2 Service Planning

Firewall Interface Planning


Interface planning for FW-1

No.  Local Device  Local Interface  Peer Device  Peer Interface  Remarks
1    FW-1          GE1/0/1          SW-1         GE1/1/0/1       Eth-Trunk 1, upstream service interface
2    FW-1          GE1/0/2          SW-1         GE1/1/0/2       Eth-Trunk 1, upstream service interface
3    FW-1          GE1/0/3          SW-3         GE1/1/0/1       Eth-Trunk 2, downstream service interface
4    FW-1          GE1/0/4          SW-3         GE1/1/0/2       Eth-Trunk 2, downstream service interface
5    FW-1          GE1/0/5          FW-2         GE1/0/5         Eth-Trunk 0, heartbeat interface
6    FW-1          GE1/0/6          FW-2         GE1/0/6         Eth-Trunk 0, heartbeat interface

Interface planning for FW-2

No.  Local Device  Local Interface  Peer Device  Peer Interface  Remarks
1    FW-2          GE1/0/1          SW-2         GE2/1/0/1       Eth-Trunk 1, upstream service interface
2    FW-2          GE1/0/2          SW-2         GE2/1/0/2       Eth-Trunk 1, upstream service interface
3    FW-2          GE1/0/3          SW-4         GE2/1/0/1       Eth-Trunk 2, downstream service interface
4    FW-2          GE1/0/4          SW-4         GE2/1/0/2       Eth-Trunk 2, downstream service interface
5    FW-2          GE1/0/5          FW-1         GE1/0/5         Eth-Trunk 0, heartbeat interface
6    FW-2          GE1/0/6          FW-1         GE1/0/6         Eth-Trunk 0, heartbeat interface


Firewall IP Address Planning

No. | Local Device | Local Interface | Local IP Address | Peer Device | Peer Interface | Peer IP Address
-----------------------------------------------------------------------------------------------------
1 | FW-1 | Eth-Trunk 1 | 10.6.1.2/29; VRID: 1; VIP: 10.6.1.1 | SW-1 | VLANIF100 | 10.6.1.4/29
2 | FW-1 | Eth-Trunk 2 | 10.7.1.2/29; VRID: 2; VIP: 10.7.1.1 | SW-3 | VLANIF200 | 10.7.1.4/29
3 | FW-1 | Eth-Trunk 0 | 11.11.11.1/24 | FW-2 | Eth-Trunk 0 | 11.11.11.2/24
4 | FW-2 | Eth-Trunk 1 | 10.6.1.3/29; VRID: 1; VIP: 10.6.1.1 | SW-2 | VLANIF100 | 10.6.1.4/29
5 | FW-2 | Eth-Trunk 2 | 10.7.1.3/29; VRID: 2; VIP: 10.7.1.1 | SW-4 | VLANIF200 | 10.7.1.4/29
6 | FW-2 | Eth-Trunk 0 | 11.11.11.2/24 | FW-1 | Eth-Trunk 0 | 11.11.11.1/24

Firewall Security Zone Planning

No. | Security Zone | Security Zone Priority | Included Interface | Remarks
---------------------------------------------------------------------------
1 | untrust | 5 | Eth-Trunk 1 | Upstream service interface
2 | trust | 100 | Eth-Trunk 2 | Downstream service interface
3 | dmz | 50 | Eth-Trunk 0 | Heartbeat interface


Firewall Security Policy Planning

Address group

No. | Address Group | Address | Remarks
---------------------------------------
1 | remote_users | address 0 172.168.3.0 mask 24 | SSL VPN access for employees on the move
2 | partner | address 0 172.168.4.0 mask 24 | Partner
3 | branch1 | address 0 10.8.1.0 mask 24 | Branch 1
4 | branch2 | address 0 10.9.1.0 mask 24 | Branch 2
5 | server1 | address 0 10.1.1.10 mask 32; address 1 10.1.1.11 mask 32 | Servers that employees on the move can access
6 | server2 | address 0 10.2.1.4 mask 32; address 1 10.2.1.5 mask 32 | Servers that the partner can access
7 | server3 | address 0 10.1.2.4 mask 32; address 1 10.1.2.5 mask 32 | Servers that branch 1 can access
8 | server4 | address 0 10.1.1.4 mask 32; address 1 10.1.1.5 mask 32 | Servers that branch 2 can access

User-defined services

No. | Service | Protocol/Port | Remarks
---------------------------------------
1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server
2 | tcp_8888_9000 | service 0 protocol tcp destination-port 8888; service 1 protocol tcp destination-port 9000 | Service for branch 1 to access the server


Security policies

No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action
----------------------------------------------------------------------------------------------------
1 | remote_users_to_server1 | untrust | remote_users | trust | server1 | ftp, http | permit
2 | partner_to_server2 | untrust | partner | trust | server2 | tcp_1414 | permit
3 | branch1_to_server3 | untrust | branch1 | trust | server3 | tcp_8888_9000 | permit
4 | branch2_to_server4 | untrust | branch2 | trust | server4 | ftp | permit
5 | default | any | any | any | any | any | deny

default indicates the default security policy. Traffic that matches none of the configured
security policies matches the default security policy (all conditions are any, and the action is
deny). If only the PCs at specified IP addresses are allowed to access the servers, keep the
default security policy and configure security policies that permit exactly those addresses.
Hot standby heartbeat packets are not controlled by security policies. Do not configure
security policies for heartbeat packets.
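The planned rule table above, replayed offline together with the session aging settings from the persistent connection planning that follows, as an added example (not Huawei code and not part of this document). It lets you check the expected result for a flow before the policy is pushed to the devices; the default TCP aging value and the precedence between the per-policy long-link setting and the per-service-set aging time are assumptions.

```python
"""Offline model of the security-policy and session-aging plan for FW-1/FW-2.
Added example (not Huawei code): it replays the planned address sets, service
sets, rules and aging settings so the expected result for a flow can be
checked before the policy is pushed to the devices."""
import ipaddress
from dataclasses import dataclass

# Address sets as planned in "Firewall Security Policy Planning".
ADDRESS_SETS = {
    "remote_users": ["172.168.3.0/24"],
    "partner": ["172.168.4.0/24"],
    "branch1": ["10.8.1.0/24"],
    "branch2": ["10.9.1.0/24"],
    "server1": ["10.1.1.10/32", "10.1.1.11/32"],
    "server2": ["10.2.1.4/32", "10.2.1.5/32"],
    "server3": ["10.1.2.4/32", "10.1.2.5/32"],
    "server4": ["10.1.1.4/32", "10.1.1.5/32"],
}
# Service sets as (protocol, destination port); ftp and http are the
# predefined services (TCP 21, TCP 80), the other two are user-defined.
SERVICE_SETS = {
    "ftp": {("tcp", 21)},
    "http": {("tcp", 80)},
    "tcp_1414": {("tcp", 1414)},
    "tcp_8888_9000": {("tcp", 8888), ("tcp", 9000)},
}
# Step 5: global per-service-set aging in seconds. DEFAULT_TCP_AGING is an
# assumed placeholder; the real default depends on model and version.
SERVICE_SET_AGING = {"tcp_1414": 40000}
DEFAULT_TCP_AGING = 600

@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_set: str
    dst_zone: str
    dst_set: str
    services: tuple
    action: str
    long_link_hours: int = 0  # "long-link aging-time"; 0 = long-link disabled

# Rules in evaluation order; the implicit default rule (any/any/deny) is last.
RULES = (
    Rule("remote_users_to_server1", "untrust", "remote_users",
         "trust", "server1", ("ftp", "http"), "permit"),
    Rule("partner_to_server2", "untrust", "partner",
         "trust", "server2", ("tcp_1414",), "permit"),
    Rule("branch1_to_server3", "untrust", "branch1",
         "trust", "server3", ("tcp_8888_9000",), "permit"),
    Rule("branch2_to_server4", "untrust", "branch2",
         "trust", "server4", ("ftp",), "permit", long_link_hours=480),
)

def in_address_set(ip, set_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDRESS_SETS[set_name])

def in_service_set(flow, set_name):
    return (flow.proto, flow.dport) in SERVICE_SETS[set_name]

def session_aging(rule, flow):
    """Aging time in seconds for a permitted session. Assumed precedence:
    per-policy long-link, then per-service-set global aging, then default."""
    if rule.long_link_hours:
        return rule.long_link_hours * 3600
    for svc in rule.services:
        if in_service_set(flow, svc) and svc in SERVICE_SET_AGING:
            return SERVICE_SET_AGING[svc]
    return DEFAULT_TCP_AGING

def evaluate(flow):
    """Return (action, matched rule name, aging seconds) for one flow."""
    for rule in RULES:
        if (flow.src_zone == rule.src_zone and flow.dst_zone == rule.dst_zone
                and in_address_set(flow.src_ip, rule.src_set)
                and in_address_set(flow.dst_ip, rule.dst_set)
                and any(in_service_set(flow, s) for s in rule.services)):
            if rule.action == "permit":
                return ("permit", rule.name, session_aging(rule, flow))
            return ("deny", rule.name, 0)
    return ("deny", "default", 0)

if __name__ == "__main__":
    # Constructed flows: permitted partner traffic, and branch 2 reaching for
    # server1, which no rule covers and which therefore hits the default deny.
    for f in (Flow("untrust", "172.168.4.7", "trust", "10.2.1.4", "tcp", 1414),
              Flow("untrust", "10.9.1.20", "trust", "10.1.1.10", "tcp", 21)):
        print(f.src_ip, "->", f.dst_ip, f.dport, evaluate(f))
```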

Firewall Persistent Connections

Prolonging the session aging time of a protocol

No. | Protocol | Aging Time
---------------------------
1 | tcp_1414 | 40000 seconds

Using the persistent connection function

No. | Policy | Aging Time
-------------------------
1 | branch2_to_server4 | 480 hours


Of the two methods, prolonging the session aging time of a protocol is easier to configure,
whereas the persistent connection function lets you set specific match conditions so that only
the specified traffic keeps persistent connections. The prolonged session aging time of a
protocol is a global configuration and takes effect on all sessions of that protocol. As a result,
sessions that do not need to persist cannot be aged out either and keep occupying session
entries. Once session entry resources are exhausted, no new sessions can be created and
services fail.
Therefore, prolong the session aging time of a protocol only if you confirm that all sessions of
that protocol require a long aging time. Otherwise, use the persistent connection function.
The persistent connection function is valid only for TCP-based connections.

Firewall Route Planning

Static routes on firewalls

No. | Destination Address | Mask | Next Hop | Remarks
-----------------------------------------------------
1 | 10.1.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 1
2 | 10.2.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 2
3 | 10.3.0.0 | 255.255.0.0 | 10.7.1.4 | Route to data center service area 3
4 | 172.168.3.0 | 255.255.255.0 | 10.6.1.4 | Route to SSL VPN access terminals of employees on the move
5 | 172.168.4.0 | 255.255.255.0 | 10.6.1.4 | Route to the partner's network
6 | 10.8.1.0 | 255.255.255.0 | 10.6.1.4 | Route to branch 1's network
7 | 10.9.1.0 | 255.255.255.0 | 10.6.1.4 | Route to branch 2's network

Security Defense Planning

● Attack defense planning
To defend the internal network against network attacks, you need to
configure attack defense on the firewalls.
It is recommended that you configure defense against the following attacks:
– Smurf attacks
– Land attacks
– Fraggle attacks
– Ping of Death attacks
– WinNuke attacks
– IP packet with route record option attacks
– IP packet with source route option attacks
– IP packet with timestamp option attacks
– SYN flood attacks
– UDP flood attacks
– ICMP flood attacks
In practice, for the flood attacks above, first set a comparatively large value
for the maximum rate of attack packets on the interfaces, observe the attack
traffic, and then reduce the rate step by step until you reach a value that
limits the attack traffic without affecting services.
● IPS planning
To prevent hackers, zombies, Trojan horses, and worms from intruding into the
internal network, you need to configure IPS on the firewalls.

The IPS may be deployed on the firewalls or as an independent IPS device.

To configure the IPS functions, reference an IPS profile when defining security
policies. In this case, the IPS profile is referenced in all the security policies
planned above (except those for the local zone), so IPS detection is performed on
all traffic permitted by the security policies.

Generally, when the firewalls are initially deployed, you can select the default IPS
profile default. After the firewalls have been in operation for some time, the
administrator can define a profile based on the observed network status. The IPS also
provides the default profile ids, which generates alarms when intrusions are detected
but does not block them. If high security is required and false positives reported by
the IPS need to be reduced first, you can select the ids profile.

3.3.3 Precautions

IPS
The IPS signature database must be the latest before the IPS function is
configured.

Attack Defense
The attack defense configuration is the recommended standard configuration.


Policy Backup-based Acceleration Function


When a large number of policies exist (such as over 500 policies), the policy
backup-based acceleration function must be enabled to improve policy matching
efficiency during policy modification. If this function is enabled, however, the
newly configured policy takes effect only after the policy backup-based
acceleration process completes.

3.3.4 Configuration Procedure


Procedure
Step 1 Configure IP addresses for interfaces and assign the interfaces to security zones.
# Configure IP addresses for the Eth-Trunk interfaces of FW-1.
<sysname> system-view
[sysname] sysname FW-1
[FW-1] interface Eth-Trunk 1
[FW-1-Eth-Trunk1] description Link_To_CoreSwitch_SW1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-1-Eth-Trunk1] ip address 10.6.1.2 29
[FW-1-Eth-Trunk1] quit
[FW-1] interface Eth-Trunk 2
[FW-1-Eth-Trunk2] description Link_To_Aggregation_SW3
[FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
[FW-1-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
[FW-1-Eth-Trunk2] ip address 10.7.1.2 29
[FW-1-Eth-Trunk2] quit
[FW-1] interface Eth-Trunk 0
[FW-1-Eth-Trunk0] description HRP_Interface
[FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
[FW-1-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
[FW-1-Eth-Trunk0] ip address 11.11.11.1 24
[FW-1-Eth-Trunk0] quit

# Configure IP addresses for the Eth-Trunk interfaces of FW-2.
<sysname> system-view
[sysname] sysname FW-2
[FW-2] interface Eth-Trunk 1
[FW-2-Eth-Trunk1] description Link_To_CoreSwitch_SW2
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-2-Eth-Trunk1] ip address 10.6.1.3 29
[FW-2-Eth-Trunk1] quit
[FW-2] interface Eth-Trunk 2
[FW-2-Eth-Trunk2] description Link_To_Aggregation_SW4
[FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
[FW-2-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
[FW-2-Eth-Trunk2] ip address 10.7.1.3 29
[FW-2-Eth-Trunk2] quit
[FW-2] interface Eth-Trunk 0
[FW-2-Eth-Trunk0] description HRP_Interface
[FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
[FW-2-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
[FW-2-Eth-Trunk0] ip address 11.11.11.2 24
[FW-2-Eth-Trunk0] quit

# Assign the interfaces of FW-1 to appropriate security zones.
[FW-1] firewall zone trust
[FW-1-zone-trust] add interface Eth-Trunk 2
[FW-1-zone-trust] quit
[FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface Eth-Trunk 1
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk 0
[FW-1-zone-dmz] quit

# Assign the interfaces of FW-2 to appropriate security zones.
[FW-2] firewall zone trust
[FW-2-zone-trust] add interface Eth-Trunk 2
[FW-2-zone-trust] quit
[FW-2] firewall zone untrust
[FW-2-zone-untrust] add interface Eth-Trunk 1
[FW-2-zone-untrust] quit
[FW-2] firewall zone dmz
[FW-2-zone-dmz] add interface Eth-Trunk 0
[FW-2-zone-dmz] quit

Step 2 Configure static routes.

# On FW-1, configure static routes to the data center service areas and set the
next hop to the IP address of the aggregation switch.
[FW-1] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
[FW-1] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
[FW-1] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4

# On FW-2, configure static routes to the data center service areas and set the
next hop to the IP address of the aggregation switch.
[FW-2] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
[FW-2] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
[FW-2] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4

# On FW-1, configure static routes to the SSL VPN access terminals, branches, and
partner network, and set the next hop to the IP address of the core switch.
[FW-1] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4

# On FW-2, configure static routes to the SSL VPN access terminals, branches, and
partner network, and set the next hop to the IP address of the core switch.
[FW-2] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4

Step 3 Configure hot standby.

# Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-1, setting
its state to Active.
[FW-1] interface Eth-Trunk1
[FW-1-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 active
[FW-1-Eth-Trunk1] quit

# Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-1,
setting its state to Active.
[FW-1] interface Eth-Trunk2
[FW-1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 active
[FW-1-Eth-Trunk2] quit

# Designate Eth-Trunk 0 as the heartbeat interface of FW-1, and enable hot
standby.
[FW-1] hrp interface Eth-Trunk0 remote 11.11.11.2
[FW-1] hrp enable

# Configure VRRP group 1 on the upstream interface Eth-Trunk1 of FW-2, setting
its state to Standby.
[FW-2] interface Eth-Trunk1
[FW-2-Eth-Trunk1] vrrp vrid 1 virtual-ip 10.6.1.1 standby
[FW-2-Eth-Trunk1] quit

# Configure VRRP group 2 on the downstream interface Eth-Trunk2 of FW-2,
setting its state to Standby.
[FW-2] interface Eth-Trunk2
[FW-2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.7.1.1 standby
[FW-2-Eth-Trunk2] quit

# Designate Eth-Trunk 0 as the heartbeat interface of FW-2, and enable hot
standby.
[FW-2] hrp interface Eth-Trunk0 remote 11.11.11.1
[FW-2] hrp enable

Step 4 Configure security policies and IPS functions.

After hot standby is configured, you only need to configure security policies and attack
defense on the active device FW-1. The configuration on FW-1 is automatically backed up
on FW-2.

# Configure address sets on FW-1.
HRP_M[FW-1] ip address-set remote_users type object
HRP_M[FW-1-object-address-set-remote_users] address 0 172.168.3.0 mask 24
HRP_M[FW-1-object-address-set-remote_users] description "for remote users"
HRP_M[FW-1-object-address-set-remote_users] quit
HRP_M[FW-1] ip address-set partner type object
HRP_M[FW-1-object-address-set-partner] address 0 172.168.4.0 mask 24
HRP_M[FW-1-object-address-set-partner] description "for partner"
HRP_M[FW-1-object-address-set-partner] quit
HRP_M[FW-1] ip address-set branch1 type object
HRP_M[FW-1-object-address-set-branch1] address 0 10.8.1.0 mask 24
HRP_M[FW-1-object-address-set-branch1] description "for branch1"
HRP_M[FW-1-object-address-set-branch1] quit
HRP_M[FW-1] ip address-set branch2 type object
HRP_M[FW-1-object-address-set-branch2] address 0 10.9.1.0 mask 24
HRP_M[FW-1-object-address-set-branch2] description "for branch2"
HRP_M[FW-1-object-address-set-branch2] quit
HRP_M[FW-1] ip address-set server1 type object
HRP_M[FW-1-object-address-set-server1] address 0 10.1.1.10 mask 32
HRP_M[FW-1-object-address-set-server1] address 1 10.1.1.11 mask 32
HRP_M[FW-1-object-address-set-server1] description "for server1"
HRP_M[FW-1-object-address-set-server1] quit
HRP_M[FW-1] ip address-set server2 type object
HRP_M[FW-1-object-address-set-server2] address 0 10.2.1.4 mask 32
HRP_M[FW-1-object-address-set-server2] address 1 10.2.1.5 mask 32
HRP_M[FW-1-object-address-set-server2] description "for server2"
HRP_M[FW-1-object-address-set-server2] quit
HRP_M[FW-1] ip address-set server3 type object
HRP_M[FW-1-object-address-set-server3] address 0 10.1.2.4 mask 32
HRP_M[FW-1-object-address-set-server3] address 1 10.1.2.5 mask 32
HRP_M[FW-1-object-address-set-server3] description "for server3"
HRP_M[FW-1-object-address-set-server3] quit
HRP_M[FW-1] ip address-set server4 type object
HRP_M[FW-1-object-address-set-server4] address 0 10.1.1.4 mask 32
HRP_M[FW-1-object-address-set-server4] address 1 10.1.1.5 mask 32
HRP_M[FW-1-object-address-set-server4] description "for server4"
HRP_M[FW-1-object-address-set-server4] quit


# Configure service sets on FW-1.
HRP_M[FW-1] ip service-set tcp_1414 type object
HRP_M[FW-1-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414
HRP_M[FW-1-object-service-set-tcp_1414] quit
HRP_M[FW-1] ip service-set tcp_8888_9000 type object
HRP_M[FW-1-object-service-set-tcp_8888_9000] service 0 protocol tcp destination-port 8888
HRP_M[FW-1-object-service-set-tcp_8888_9000] service 1 protocol tcp destination-port 9000
HRP_M[FW-1-object-service-set-tcp_8888_9000] quit

# Configure the security policy remote_users_to_server1 on FW-1 and reference
the IPS profile.
HRP_M[FW-1] security-policy
HRP_M[FW-1-policy-security] rule name remote_users_to_server1
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-zone untrust
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-zone trust
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] source-address address-set remote_users
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] destination-address address-set server1
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] service ftp http
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] action permit
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] profile ips default
HRP_M[FW-1-policy-security-rule-remote_users_to_server1] quit

# Configure the security policy partner_to_server2 on FW-1 and reference the IPS
profile.
HRP_M[FW-1-policy-security] rule name partner_to_server2
HRP_M[FW-1-policy-security-rule-partner_to_server2] source-zone untrust
HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-zone trust
HRP_M[FW-1-policy-security-rule-partner_to_server2] source-address address-set partner
HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-address address-set server2
HRP_M[FW-1-policy-security-rule-partner_to_server2] service tcp_1414
HRP_M[FW-1-policy-security-rule-partner_to_server2] action permit
HRP_M[FW-1-policy-security-rule-partner_to_server2] profile ips default
HRP_M[FW-1-policy-security-rule-partner_to_server2] quit

# Configure the security policy branch1_to_server3 on FW-1 and reference the IPS
profile.
HRP_M[FW-1-policy-security] rule name branch1_to_server3
HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-zone untrust
HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-zone trust
HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-address address-set branch1
HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-address address-set server3
HRP_M[FW-1-policy-security-rule-branch1_to_server3] service tcp_8888_9000
HRP_M[FW-1-policy-security-rule-branch1_to_server3] action permit
HRP_M[FW-1-policy-security-rule-branch1_to_server3] profile ips default
HRP_M[FW-1-policy-security-rule-branch1_to_server3] quit

# Configure the security policy branch2_to_server4 on FW-1 and reference the IPS
profile.
HRP_M[FW-1-policy-security] rule name branch2_to_server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-zone untrust
HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-zone trust
HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-address address-set branch2
HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-address address-set server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] service ftp
HRP_M[FW-1-policy-security-rule-branch2_to_server4] action permit
HRP_M[FW-1-policy-security-rule-branch2_to_server4] profile ips default
HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-1-policy-security] quit

Step 5 Configure persistent connections.

# Change the session aging time to 40000 seconds for tcp_1414.
HRP_M[FW-1] firewall session aging-time service-set tcp_1414 40000


# Enable the persistent connection function in security policy branch2_to_server4
and change the aging time to 480 hours for connections matching this policy.
HRP_M[FW-1] security-policy
HRP_M[FW-1-policy-security] rule name branch2_to_server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link enable
HRP_M[FW-1-policy-security-rule-branch2_to_server4] long-link aging-time 480
HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-1-policy-security] quit

Step 6 Configure attack defense.

# Configure defense against single-packet attacks on FW-1.
HRP_M[FW-1] firewall defend land enable
HRP_M[FW-1] firewall defend smurf enable
HRP_M[FW-1] firewall defend fraggle enable
HRP_M[FW-1] firewall defend ip-fragment enable
HRP_M[FW-1] firewall defend tcp-flag enable
HRP_M[FW-1] firewall defend winnuke enable
HRP_M[FW-1] firewall defend source-route enable
HRP_M[FW-1] firewall defend teardrop enable
HRP_M[FW-1] firewall defend route-record enable
HRP_M[FW-1] firewall defend time-stamp enable
HRP_M[FW-1] firewall defend ping-of-death enable

Step 7 Configure the policy backup-based acceleration function.

When a large number of policies exist (such as over 500 policies), the policy
backup-based acceleration function must be enabled to improve policy matching
efficiency during policy modification. If this function is enabled, however, the
newly configured policy takes effect only after the policy backup-based
acceleration process completes.
HRP_M[FW-1] policy accelerate standby enable

----End

3.3.5 Verification
1. On FW-1 and FW-2, run the display hrp state verbose command to view the
hot standby status.
HRP_M<FW-1> display hrp state verbose
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:13 HRP core state changed, old_state =
abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off

Detail information:
Eth-Trunk1 vrrp vrid 1: active
Eth-Trunk2 vrrp vrid 2: active
GigabitEthernet1/0/1: up
GigabitEthernet1/0/2: up
GigabitEthernet1/0/3: up
GigabitEthernet1/0/4: up
ospf-cost: +0
ospfv3-cost: +0
bgp-cost: +0
HRP_S<FW-2> display hrp state verbose
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:18 HRP core state changed, old_state =
abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off

Detail information:
Eth-Trunk1 vrrp vrid 1: standby
Eth-Trunk2 vrrp vrid 2: standby
GigabitEthernet1/0/1: up
GigabitEthernet1/0/2: up
GigabitEthernet1/0/3: up
GigabitEthernet1/0/4: up
ospf-cost: +65500
ospfv3-cost: +65500
bgp-cost: +100

2. Test the active/standby switchover.

Configure a PC in the untrust zone to ping the server address continuously, and
run the shutdown command on Eth-Trunk1 of FW-1. Then check the status
switchover of the firewalls and the number of discarded ping packets. If the
switchover is normal, FW-2 becomes the active device and carries services: the
command prompt of FW-2 changes from HRP_S to HRP_M, and the command prompt
of FW-1 changes from HRP_M to HRP_S. No or only a few ping packets (1 to 3,
depending on the actual network environment) are discarded. Run the undo
shutdown command on Eth-Trunk1 of FW-1 and check the status switchover and
discarded ping packets again. If the switchover is normal, FW-1 becomes the
active device and starts to carry services after the preemption delay (60s by
default) expires: the command prompt of FW-1 changes from HRP_S to HRP_M, and
the command prompt of FW-2 changes from HRP_M to HRP_S. Again, no or only a
few ping packets (1 to 3, depending on the actual network environment) are
discarded.
3. Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update
information of the IPS signature database.
HRP_M<FW-1> display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------

# Run the display version ips-sdb command to check the configuration of
the IPS signature database.
HRP_M<FW-1> display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2016050703
Signature Database Size(byte) : 2659606
Update Time : 02:30:00 2016/05/08
Issue Time of the Update File : 16:06:30 2016/05/07

Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 02:30:00 2016/05/08
Issue Time of the Update File : 16:06:30 2016/05/07

Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------

4. Verify the access permission of users in each security zone to the data center
network.
If the access control result conforms to the security policy planning in Service
Planning, the configuration is successful.
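An offline consistency check over display hrp state verbose output from both devices, as an added example (not Huawei code): the sample outputs are constructed from the format shown in item 1, abbreviated to the fields the check uses, and reflect the planned design (FW-1 active, FW-2 standby, VRRP groups 1 and 2, all trunk members up).

```python
"""Health check for an HRP pair from 'display hrp state verbose' output.
Added example (not Huawei code): the two sample outputs below are constructed
from the format shown in the Verification section and reflect the planned
design (FW-1 active, FW-2 standby, VRRP groups 1 and 2, trunk members up)."""
import re

# Constructed sample, abbreviated to the fields the check uses.
FW1_OUTPUT = """\
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Configuration:
hello interval: 1000ms
preempt: 60s
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
Detail information:
Eth-Trunk1 vrrp vrid 1: active
Eth-Trunk2 vrrp vrid 2: active
GigabitEthernet1/0/1: up
GigabitEthernet1/0/2: up
GigabitEthernet1/0/3: up
GigabitEthernet1/0/4: up
ospf-cost: +0
"""
# The standby peer reports the mirrored roles and VRRP states.
FW2_OUTPUT = (FW1_OUTPUT.replace("Role: active, peer: standby", "Role: standby, peer: active")
              .replace("vrid 1: active", "vrid 1: standby")
              .replace("vrid 2: active", "vrid 2: standby")
              .replace("ospf-cost: +0", "ospf-cost: +65500"))
# VRRP groups planned on the service interfaces of both firewalls.
EXPECTED_VRRP = {("Eth-Trunk1", 1), ("Eth-Trunk2", 2)}

def parse_hrp_state(text):
    """Return role, peer role, priorities, configuration flags, VRRP group
    states and physical member states parsed from the verbose output."""
    st = {"config": {}, "vrrp": {}, "interfaces": {}}
    section = None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = re.match(r"Role:\s*(\w+),\s*peer:\s*(\w+)", line)
        if m:
            st["role"], st["peer"] = m.group(1), m.group(2)
        elif (m := re.match(r"Running priority:\s*(\d+),\s*peer:\s*(\d+)", line)):
            st["priority"], st["peer_priority"] = int(m.group(1)), int(m.group(2))
        elif line == "Configuration:":
            section = "config"
        elif line == "Detail information:":
            section = "detail"
        elif section == "config":
            key, _, value = line.partition(":")
            st["config"][key.strip()] = value.strip()
        elif section == "detail":
            if (m := re.match(r"(\S+)\s+vrrp vrid\s+(\d+):\s*(\w+)", line)):
                st["vrrp"][(m.group(1), int(m.group(2)))] = m.group(3)
            elif (m := re.match(r"(GigabitEthernet\S+):\s*(\w+)", line)):
                st["interfaces"][m.group(1)] = m.group(2)
    return st

def check_pair(fw1, fw2):
    """Return a list of findings; an empty list means the pair matches the plan."""
    findings = []
    if (fw1.get("role"), fw2.get("role")) != ("active", "standby"):
        findings.append(f"roles FW-1={fw1.get('role')} FW-2={fw2.get('role')} differ from plan")
    if fw1.get("peer") != fw2.get("role") or fw2.get("peer") != fw1.get("role"):
        findings.append("each device's view of its peer does not match the peer's own role")
    if fw1.get("priority") != fw2.get("priority"):
        findings.append("running priorities differ: a tracked link or trunk member may be down")
    for name, st in (("FW-1", fw1), ("FW-2", fw2)):
        if st["config"].get("auto-sync configuration") != "on":
            findings.append(f"{name}: auto-sync configuration is off, policies will not be backed up")
        if set(st["vrrp"]) != EXPECTED_VRRP:
            findings.append(f"{name}: VRRP groups {sorted(st['vrrp'])} do not match the plan")
        for (ifname, vrid), vstate in st["vrrp"].items():
            if vstate != st.get("role"):
                findings.append(f"{name}: {ifname} vrid {vrid} is {vstate} but device role is {st.get('role')}")
        for ifname, lstate in st["interfaces"].items():
            if lstate != "up":
                findings.append(f"{name}: trunk member {ifname} is {lstate}")
    return findings

if __name__ == "__main__":
    result = check_pair(parse_hrp_state(FW1_OUTPUT), parse_hrp_state(FW2_OUTPUT))
    for line in result or ["HRP pair healthy and consistent with the plan"]:
        print(line)
```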


3.3.6 Configuration Scripts


FW-1 FW-2
# #
hrp enable hrp enable
hrp interface Eth-Trunk0 remote 11.11.11.2 hrp interface Eth-Trunk0 remote 11.11.11.1
# #
firewall defend land enable firewall defend land enable
firewall defend smurf enable firewall defend smurf enable
firewall defend fraggle enable firewall defend fraggle enable
firewall defend ip-fragment enable firewall defend ip-fragment enable
firewall defend tcp-flag enable firewall defend tcp-flag enable
firewall defend winnuke enable firewall defend winnuke enable
firewall defend source-route enable firewall defend source-route enable
firewall defend teardrop enable firewall defend teardrop enable
firewall defend route-record enable firewall defend route-record enable
firewall defend time-stamp enable firewall defend time-stamp enable
firewall defend ping-of-death enable firewall defend ping-of-death enable
# #
ip address-set remote_users type object ip address-set remote_users type object
description "for remote users" description "for remote users"
address 0 172.168.3.0 mask 24 address 0 172.168.3.0 mask 24
# #
ip address-set partner type object ip address-set partner type object
description "for partner" description "for partner"
address 0 172.168.4.0 mask 24 address 0 172.168.4.0 mask 24
# #
ip address-set branch1 type object ip address-set branch1 type object
description "for branch1" description "for branch1"
address 0 10.8.1.0 mask 24 address 0 10.8.1.0 mask 24
# #
ip address-set branch2 type object ip address-set branch2 type object
description "for branch2" description "for branch2"
address 0 10.9.1.0 mask 24 address 0 10.9.1.0 mask 24
# #
ip address-set server1 type object ip address-set server1 type object
description "for server1" description "for server1"
address 0 10.1.1.10 mask 32 address 0 10.1.1.10 mask 32
address 1 10.1.1.11 mask 32 address 1 10.1.1.11 mask 32
# #
ip address-set server2 type object ip address-set server2 type object
description "for server2" description "for server2"
address 0 10.2.1.4 mask 32 address 0 10.2.1.4 mask 32
address 1 10.2.1.5 mask 32 address 1 10.2.1.5 mask 32
# #
ip address-set server3 type object ip address-set server3 type object
description "for server3" description "for server3"
address 0 10.1.2.4 mask 32 address 0 10.1.2.4 mask 32
address 1 10.1.2.5 mask 32 address 1 10.1.2.5 mask 32
# #
ip address-set server4 type object ip address-set server4 type object
description "for server4" description "for server4"
address 0 10.1.1.4 mask 32 address 0 10.1.1.4 mask 32
address 1 10.1.1.5 mask 32 address 1 10.1.1.5 mask 32
# #
ip service-set tcp_1414 type object ip service-set tcp_1414 type object
service 0 protocol tcp destination-port 1414 service 0 protocol tcp destination-port 1414
# #
ip service-set tcp_8888_9000 type object ip service-set tcp_8888_9000 type object
service 0 protocol tcp destination-port 8888 service 0 protocol tcp destination-port 8888
service 1 protocol tcp destination-port 9000 service 1 protocol tcp destination-port 9000
# #
interface Eth-Trunk0 interface Eth-Trunk0
ip address 11.11.11.1 255.255.255.0 ip address 11.11.11.2 255.255.255.0
# #
interface Eth-Trunk1 interface Eth-Trunk1
ip address 10.6.1.2 255.255.255.248 ip address 10.6.1.3 255.255.255.248

vrrp vrid 1 virtual-ip 10.6.1.1 active vrrp vrid 1 virtual-ip 10.6.1.1 standby
# #
interface Eth-Trunk2 interface Eth-Trunk2
ip address 10.7.1.2 255.255.255.248 ip address 10.7.1.3 255.255.255.248
vrrp vrid 2 virtual-ip 10.7.1.1 active vrrp vrid 2 virtual-ip 10.7.1.1 standby
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
eth-trunk 1 eth-trunk 1
# #
interface GigabitEthernet 1/0/2 interface GigabitEthernet 1/0/2
eth-trunk 1 eth-trunk 1
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
eth-trunk 2 eth-trunk 2
# #
interface GigabitEthernet 1/0/4 interface GigabitEthernet 1/0/4
eth-trunk 2 eth-trunk 2
# #
interface GigabitEthernet 1/0/5 interface GigabitEthernet 1/0/5
eth-trunk 0 eth-trunk 0
# #
interface GigabitEthernet 1/0/5 interface GigabitEthernet 1/0/5
eth-trunk 0 eth-trunk 0
# #
firewall zone trust firewall zone trust
add interface Eth-Trunk2 add interface Eth-Trunk2
# #
firewall zone untrust firewall zone untrust
add interface Eth-Trunk1 add interface Eth-Trunk1
# #
firewall zone dmz firewall zone dmz
add interface Eth-Trunk0 add interface Eth-Trunk0
# #
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4 ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.2.0.0 255.255.0.0 10.7.1.4 ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
ip route-static 10.3.0.0 255.255.0.0 10.7.1.4 ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4 ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 10.9.1.0 255.255.255.0 10.6.1.4 ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4 ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
ip route-static 192.168.4.0 255.255.255.0 10.6.1.4 ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
# #
firewall session aging-time service-set tcp_1414 firewall session aging-time service-set tcp_1414
40000 40000
# #
security-policy security-policy
rule name remote_users_to_server1 rule name remote_users_to_server1
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
source-address address-set remote_users source-address address-set remote_users
destination-address address-set server1 destination-address address-set server1
service http service http
service ftp service ftp
profile ips default profile ips default
action permit action permit
rule name partner_to_server2 rule name partner_to_server2
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
source-address address-set partner source-address address-set partner
destination-address address-set server2 destination-address address-set server2
service tcp_1414 service tcp_1414
profile ips default profile ips default
action permit action permit
rule name branch1_to_server3 rule name branch1_to_server3
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
source-address address-set branch1 source-address address-set branch1

destination-address address-set server3 destination-address address-set server3
service tcp_8888_9000 service tcp_8888_9000
profile ips default profile ips default
action permit action permit
rule name branch2_to_server4 rule name branch2_to_server4
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
source-address address-set branch2 source-address address-set branch2
destination-address address-set server4 destination-address address-set server4
service ftp service ftp
profile ips default profile ips default
long-link enable long-link enable
long-link aging-time 480 long-link aging-time 480
action permit action permit

3.4 Firewalls in the Intranet Access Area

3.4.1 Typical Networking


As shown in Figure 3-3, firewalls are attached to core switches as the hardware
SACGs of the Agile Controller. When users in branch 1 access the data center
service area, the firewalls work with the Agile Controller to control user access as
follows:
● To ensure the security of the service system and prevent external users or
insecure terminal hosts from accessing it, only users who have passed identity
authentication and the terminal security check are allowed to access the
service system.
● The service system is the core network resource, and employees are allowed
to access the system only in working hours.
● The solution deployment has the minimum impact on the current network.
The service first principle is applied to the entire network to ensure service
continuity in the case that the access control system fails.
The data center network is logically divided into the pre-authentication domain,
isolation domain, and post-authentication domain:
● The pre-authentication domain is accessible to unauthenticated terminal
hosts, and comprises the DNS, external authentication source, SC, and SM.
● The isolation domain is accessible to terminal hosts that pass the identity
authentication but not the security authentication, and comprises the patch
server and anti-virus server.
● The post-authentication domain is accessible to terminal hosts that have
passed both identity and security authentication. In this example, this domain
is the data center service area.

Figure 3-3 Typical networking of firewalls in the intranet access area

3.4.2 Service Planning


Firewall Interface Planning

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
1 | FW-3 | GE1/0/1 | SW-1 | GE1/1/0/3 | Upstream service interface
2 | FW-3 | GE1/0/2 | SW-1 | GE1/1/0/4 | Downstream service interface
3 | FW-4 | GE1/0/1 | SW-2 | GE2/1/0/3 | Upstream service interface
4 | FW-4 | GE1/0/2 | SW-2 | GE2/1/0/4 | Downstream service interface
5 | FW-3 | GE1/0/3 | FW-4 | GE1/0/3 | Heartbeat interface
6 | FW-4 | GE1/0/3 | FW-3 | GE1/0/3 | Heartbeat interface

Firewall IP Address Planning

No. | Local Device | Local Interface | Local IP Address | Peer Device | Peer Interface | Peer IP Address
1 | FW-3 | GE1/0/1 | 10.4.1.2/29 (VRID: 1, VIP: 10.4.1.1) | SW-1 | VLANIF101 | 10.4.1.4/29
2 | FW-3 | GE1/0/2 | 10.5.1.2/29 (VRID: 2, VIP: 10.5.1.1) | SW-1 | VLANIF102 | 10.5.1.4/29
3 | FW-3 | GE1/0/3 | 10.10.10.1/24 | FW-4 | GE1/0/3 | 10.10.10.2/24
4 | FW-4 | GE1/0/1 | 10.4.1.3/29 (VRID: 1, VIP: 10.4.1.1) | SW-2 | VLANIF101 | 10.4.1.4/29
5 | FW-4 | GE1/0/2 | 10.5.1.3/29 (VRID: 2, VIP: 10.5.1.1) | SW-2 | VLANIF102 | 10.5.1.4/29
6 | FW-4 | GE1/0/3 | 10.10.10.2/24 | FW-3 | GE1/0/3 | 10.10.10.1/24

Firewall Security Zone Planning

No. | Security Zone | Security Zone Priority | Included Interface | Remarks
1 | untrust | 5 | GE1/0/2 | Downstream service interface
2 | trust | 100 | GE1/0/1 | Upstream service interface
3 | dmz | 50 | GE1/0/3 | Heartbeat interface

Firewall Security Policy Planning

No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Action
1 | sc_to_sacg | trust | any | local | any | permit
2 | sacg_to_client | local | any | untrust | any | permit

Firewall Route Planning

Static routes on firewalls

No. | Destination Address | Mask | Next Hop | Remarks
1 | 0.0.0.0 | 0.0.0.0 | 10.4.1.4 | Route that guides traffic back to the switch

Agile Controller Data Planning

Item | Data | Remarks
Service Controller 1 | IP address: 192.168.1.2/24; Port: 3288; Shared key: TSM_Security | The port and shared key configured on the FW must be consistent with those configured on the Service Controller. If the Web push function is configured on the FW and an unauthenticated terminal user attempts to access the Web server in the post-authentication domain, the FW pushes the Web authentication page to the terminal user so that the user can complete identity authentication on the web page.
Service Controller 2 | IP address: 192.168.1.3/24; Port: 3288; Shared key: TSM_Security | Same as Service Controller 1.
Service Manager | Login address: https://192.168.1.2:8443; User name: admin; Password: Admin@123 | The Service Manager and Service Controller 1 are installed on the same server. You need to log in to the Service Manager to configure the Agile Controller.
Network segment on which the terminal user resides | 10.8.1.0/24 | Network segment of users in branch 1.
Post-authentication domain | 10.1.1.4, 10.1.1.5 | Add the servers in the data center service area to the post-authentication domain and apply user accounts in branch 1.
Isolation domain | Patch server: 192.168.2.3; Antivirus server: 192.168.2.5 | Add the patch server and antivirus server to the isolation domain and apply user accounts in branch 1.
Pre-authentication domain | DNS server: 192.168.3.3; Service Controller 1: 192.168.1.2; Service Controller 2: 192.168.1.3 | Add the DNS server and Service Controllers to the pre-authentication domain.

Agile Controller User Data Planning

User Name | User IP Address | User Group | Role ID | Role Name
lee | 10.8.1.3 | ROOT\development | 1 | DefaultDeny (this role is prohibited from accessing all services)
lee | 10.8.1.3 | ROOT\development | 6 | Permit_1 (this role is allowed to access the service system)
lee | 10.8.1.3 | ROOT\development | 255 | Last (this role is allowed to access the pre-authentication domain)

3.4.3 Precautions
The firewall stateful inspection function must be disabled.

3.4.4 Configuration Procedure


Procedure
Step 1 Configure IP addresses for interfaces and assign the interfaces to security zones.
# Configure IP addresses for the interfaces of FW-3.
<sysname> system-view
[sysname] sysname FW-3
[FW-3] interface GigabitEthernet 1/0/1
[FW-3-GigabitEthernet1/0/1] description SACG1_To_Coreswitch1_GE1/1/0/3
[FW-3-GigabitEthernet1/0/1] ip address 10.4.1.2 29
[FW-3-GigabitEthernet1/0/1] quit
[FW-3] interface GigabitEthernet 1/0/2
[FW-3-GigabitEthernet1/0/2] description SACG1_To_Coreswitch1_GE1/1/0/4
[FW-3-GigabitEthernet1/0/2] ip address 10.5.1.2 29
[FW-3-GigabitEthernet1/0/2] quit
[FW-3] interface GigabitEthernet 1/0/3
[FW-3-GigabitEthernet1/0/3] description hrp_interface
[FW-3-GigabitEthernet1/0/3] ip address 10.10.10.1 24
[FW-3-GigabitEthernet1/0/3] quit

# Configure IP addresses for the interfaces of FW-4.

<sysname> system-view
[sysname] sysname FW-4
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] description SACG2_To_Coreswitch2_GE2/1/0/3
[FW-4-GigabitEthernet1/0/1] ip address 10.4.1.3 29
[FW-4-GigabitEthernet1/0/1] quit
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] description SACG2_To_Coreswitch2_GE2/1/0/4
[FW-4-GigabitEthernet1/0/2] ip address 10.5.1.3 29
[FW-4-GigabitEthernet1/0/2] quit
[FW-4] interface GigabitEthernet 1/0/3
[FW-4-GigabitEthernet1/0/3] description hrp_interface
[FW-4-GigabitEthernet1/0/3] ip address 10.10.10.2 24
[FW-4-GigabitEthernet1/0/3] quit

# Assign the interfaces of FW-3 to appropriate security zones.


[FW-3] firewall zone trust
[FW-3-zone-trust] add interface GigabitEthernet 1/0/1
[FW-3-zone-trust] quit
[FW-3] firewall zone untrust
[FW-3-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-3-zone-untrust] quit
[FW-3] firewall zone dmz
[FW-3-zone-dmz] add interface GigabitEthernet 1/0/3
[FW-3-zone-dmz] quit

# Assign the interfaces of FW-4 to appropriate security zones.


[FW-4] firewall zone trust
[FW-4-zone-trust] add interface GigabitEthernet 1/0/1
[FW-4-zone-trust] quit
[FW-4] firewall zone untrust
[FW-4-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-4-zone-untrust] quit
[FW-4] firewall zone dmz
[FW-4-zone-dmz] add interface GigabitEthernet 1/0/3
[FW-4-zone-dmz] quit

Step 2 Configure static routes.


# On FW-3, configure a static route to guide traffic back to the core switch.
[FW-3] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4

# On FW-4, configure a static route to guide traffic back to the core switch.
[FW-4] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4

Step 3 Configure link-group.


# On FW-3, configure link-group 1 and add upstream and downstream service
interfaces to the link-group.
[FW-3] interface GigabitEthernet 1/0/1
[FW-3-GigabitEthernet1/0/1] link-group 1
[FW-3-GigabitEthernet1/0/1] quit
[FW-3] interface GigabitEthernet 1/0/2
[FW-3-GigabitEthernet1/0/2] link-group 1
[FW-3-GigabitEthernet1/0/2] quit

# On FW-4, configure link-group 1 and add upstream and downstream service
interfaces to the link-group.
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] link-group 1
[FW-4-GigabitEthernet1/0/1] quit
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] link-group 1
[FW-4-GigabitEthernet1/0/2] quit

Step 4 Configure hot standby.


# Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-3, setting its
state to Active.
[FW-3] interface GigabitEthernet 1/0/1
[FW-3-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 active
[FW-3-GigabitEthernet1/0/1] quit

# Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-3, setting
its state to Active.
[FW-3] interface GigabitEthernet 1/0/2
[FW-3-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 active
[FW-3-GigabitEthernet1/0/2] quit

# Designate GE1/0/3 as the heartbeat interface of FW-3, and enable hot standby.
[FW-3] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2
[FW-3] hrp enable

# Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-4, setting
its state to standby.
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 standby
[FW-4-GigabitEthernet1/0/1] quit

# Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-4, setting
its state to standby.
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 standby
[FW-4-GigabitEthernet1/0/2] quit

# Designate GE1/0/3 as the heartbeat interface of FW-4, and enable hot standby.
[FW-4] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1
[FW-4] hrp enable

After hot standby is configured, you only need to configure security policies and SACG on
the active device FW-3. The configuration on FW-3 is automatically backed up on FW-4.

Step 5 Disable the stateful inspection function.


HRP_M[FW-3] undo firewall session link-state check

Step 6 Configure security policies.


# Configure a Local-Trust security policy to allow the communication between the
FW and Service Controller.
HRP_M[FW-3] security-policy
HRP_M[FW-3-security-policy] rule name sc_to_sacg
HRP_M[FW-3-security-policy-sc_to_sacg] source-zone trust local
HRP_M[FW-3-security-policy-sc_to_sacg] destination-zone local trust
HRP_M[FW-3-security-policy-sc_to_sacg] action permit
HRP_M[FW-3-security-policy-sc_to_sacg] quit

# Configure the policy for the Local-Untrust interzone. In this way, the FW can
push the web-based authentication page to the user.
HRP_M[FW-3-security-policy] rule name sacg_to_client
HRP_M[FW-3-security-policy-sacg_to_client] source-zone local
HRP_M[FW-3-security-policy-sacg_to_client] destination-zone untrust
HRP_M[FW-3-security-policy-sacg_to_client] action permit

HRP_M[FW-3-security-policy-sacg_to_client] quit
HRP_M[FW-3-security-policy] quit

Step 7 Configure the interworking with the Agile Controller.

# Enter the view of configuring the FW to interwork with the Agile Controller, and
specify the number of the default ACL rule group.

If ACLs 3099 to 3999 are in use, delete them before configuring the interworking with the
Agile Controller. Otherwise, conflicts occur when the FW generates ACL rules.
HRP_M[FW-3] right-manager server-group
HRP_M[FW-3-rightm] default acl 3099

# Add the Service Controller to the FW. Then the FW can interwork with the
Service Controller. Because two Service Controllers are deployed, you must run the
server ip command twice to add the two Service Controllers.

The port and shared key in the server ip command must be the same as those on the
Service Controller. Otherwise, the FW cannot interwork with the Service Controller, and the
SACG interworking function is unavailable.
HRP_M[FW-3-rightm] server ip 192.168.1.2 port 3288 shared-key TSM_Security
HRP_M[FW-3-rightm] server ip 192.168.1.3 port 3288 shared-key TSM_Security

# Configure Web authentication. If an unauthenticated terminal user attempts to
access the network, the FW automatically pushes the Web authentication page to
the terminal user, so that the terminal user can be authenticated on the web
page.
HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.2:8084/auth
HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.3:8084/auth

# Configure the local IP address used by the FW for communicating with the
Service Controller.

The configuration cannot be backed up. You must configure it on both FWs. Set the IP
address of the standby FW to 10.4.1.3.
HRP_M[FW-3-rightm] local ip 10.4.1.2

# Enable the server group so that the FW connects to the Service Controller
immediately and sends the interworking request. After the connection succeeds,
the FW can receive the roles and rules delivered by the Agile Controller.
HRP_M[FW-3-rightm] right-manager server-group enable

# Configure an emergency channel, and set the minimum number of Service
Controllers to 1. When at least one Service Controller connects to the FW
successfully, the FW performs Agile Controller detection normally. If the FW
cannot connect to any Service Controller, the FW enables the emergency channel
and allows all users to access the controlled network, so that terminal users
can still access the network when the Service Controllers fail.
HRP_M[FW-3-rightm] right-manager server-group active-minimum 1
HRP_M[FW-3-rightm] right-manager status-detect enable
HRP_M[FW-3-rightm] quit
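The active-minimum and status-detect settings above mean that losing contact with every Service Controller silently switches the SACG from enforcing access control to permitting everything, which is exactly the condition an operator wants an alert on. The following Python script is an added example, not part of this document or of the Huawei product: it parses the `display right-manager server-group` output shown in the verification section (the sample text is copied from there and embedded as constructed input) and classifies the server-group state so that a monitoring job can raise an alarm before, or as soon as, the emergency channel opens. The regular expressions and the default `active_minimum` of 1 are assumptions taken from this example's configuration.

```python
"""Classify the SACG Service Controller state from 'display right-manager
server-group' output. Added example; the sample below is copied from this
document's verification step and embedded as constructed input."""
import re

SAMPLE_OUTPUT = """\
Server group state : Enable
Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N
"""

# One server row: IP, port, connection state, master flag (assumed layout).
SERVER_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<state>\S+)\s+(?P<master>[YN])\s*$"
)


def parse_server_group(text):
    """Return (group_enabled, [server dicts]) from the command output."""
    enabled = False
    servers = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Server group state\s*:\s*(\S+)", line)
        if m:
            enabled = m.group(1).lower() == "enable"
            continue
        m = SERVER_RE.match(line)
        if m:
            servers.append({
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                "state": m.group("state").lower(),
                "master": m.group("master") == "Y",
            })
    return enabled, servers


def assess(text, active_minimum=1):
    """Classify the SACG state as one of:
    'disabled'  - server group not enabled, no interworking at all
    'emergency' - fewer than active_minimum SCs active: per the procedure
                  above the FW opens the emergency channel (permit-all)
    'degraded'  - some SCs down, but still at least active_minimum active
    'ok'        - every configured SC is active
    Returns (state, servers) so the caller can log which SC is down."""
    enabled, servers = parse_server_group(text)
    if not enabled:
        return "disabled", servers
    active = [s for s in servers if s["state"] == "active"]
    if len(active) < active_minimum:
        return "emergency", servers
    if len(active) < len(servers):
        return "degraded", servers
    return "ok", servers


if __name__ == "__main__":
    state, servers = assess(SAMPLE_OUTPUT)
    print(state, [(s["ip"], s["state"]) for s in servers])
```

In practice the output would be collected from both units (HRP_M and HRP_S), since each FW keeps its own connections to the Service Controllers; a "degraded" result is the moment to act, because one more failure turns the SACG into a permit-all path.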

# Apply ACL 3099 to the inbound direction of the Trust-Untrust interzone. Then
terminal users can communicate normally with the servers in the
pre-authentication domain, and the permit rule of the emergency channel can be
correctly delivered to the Trust-Untrust interzone.
HRP_M[FW-3] firewall interzone trust untrust
HRP_M[FW-3-interzone-trust-untrust] apply packet-filter right-manager inbound
HRP_M[FW-3-interzone-trust-untrust] quit

Step 8 Configure the core switches. This part uses the CE12800 as an example to describe
the configuration for interworking between the switch and FW.
# Configure the interfaces and VLANs of core switches.
[~CSS] vlan batch 101 to 102
[*CSS] interface gigabitethernet 1/1/0/3
[*CSS-GigabitEthernet1/1/0/3] description To_SACG1_GE1/0/1
[*CSS-GigabitEthernet1/1/0/3] port link-type access
[*CSS-GigabitEthernet1/1/0/3] port default vlan 101
[*CSS-GigabitEthernet1/1/0/3] quit
[*CSS] interface gigabitethernet 1/1/0/4
[*CSS-GigabitEthernet1/1/0/4] description To_SACG1_GE1/0/2
[*CSS-GigabitEthernet1/1/0/4] port link-type access
[*CSS-GigabitEthernet1/1/0/4] port default vlan 102
[*CSS-GigabitEthernet1/1/0/4] quit
[*CSS] interface gigabitethernet 2/1/0/3
[*CSS-GigabitEthernet2/1/0/3] description To_SACG2_GE1/0/1
[*CSS-GigabitEthernet2/1/0/3] port link-type access
[*CSS-GigabitEthernet2/1/0/3] port default vlan 101
[*CSS-GigabitEthernet2/1/0/3] quit
[*CSS] interface gigabitethernet 2/1/0/4
[*CSS-GigabitEthernet2/1/0/4] description To_SACG2_GE1/0/2
[*CSS-GigabitEthernet2/1/0/4] port link-type access
[*CSS-GigabitEthernet2/1/0/4] port default vlan 102
[*CSS-GigabitEthernet2/1/0/4] quit
[*CSS] interface vlanif 101
[*CSS-Vlanif101] ip address 10.4.1.4 29
[*CSS-Vlanif101] quit
[*CSS] interface vlanif 102
[*CSS-Vlanif102] ip address 10.5.1.4 29
[*CSS-Vlanif102] quit
[*CSS] commit

# Configure PBR.
[~CSS] acl 3001
[*CSS-acl4-advance-3001] rule 5 permit ip source 10.8.1.0 24
[*CSS-acl4-advance-3001] quit
[~CSS] traffic classifier c1
[*CSS-classifier-c1] if-match acl 3001
[*CSS-classifier-c1] quit
[~CSS] traffic behavior b1
[*CSS-behavior-b1] redirect nexthop 10.5.1.1
[*CSS-behavior-b1] quit
[~CSS] traffic policy p1
[*CSS-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[*CSS-trafficpolicy-p1] quit
[~CSS] interface eth-trunk 2 //Eth-Trunk 2 connects the core switch to branch 1.
[*CSS-Eth-Trunk2] traffic-policy p1 inbound
[*CSS-Eth-Trunk2] quit
[*CSS] commit

Step 9 Configure the Agile Controller.


1. Configure the firewall to function as the hardware SACG.
a. Choose Policy > Permission Control > Hardware SACG > Hardware
SACG Config.

b. Click Add on the Hardware SACG tab.

If NAT is configured to implement address translation between end users and the SC,
set the IP address range (Start IP Address and End IP Address) to the range of
translated IP addresses for end users but not the real IP addresses of terminals.
Otherwise, end users cannot go online on the SACG.
2. Configure the pre-authentication domain, isolation domain, and post-
authentication domain.
a. Click Add on the Pre-Authentication Domain tab.

Add the IP addresses of the other pre-authentication servers to the
pre-authentication domain in the same way.
b. Click Add on the Controlled Domain tab to add the isolation domain
resources to a protected domain.

Repeat the preceding step to add the post-authentication resources to
the protected domain.

c. Click Add on the Isolation Domain tab to set the resource that end users
can access.

d. Click Add on the Post-Authentication Domain tab to set the
post-authentication resource that end users can access only in working hours,
that is, the post_work resource.

Add the resource that end users cannot access in non-working hours to
the post-authentication domain according to the preceding steps.

3. Configure an SACG policy group and apply it to an account, user group, or IP
address segment.
a. Configure a time segment so that employees can access the service
system only in working hours.
i. Choose Policy > Permission Control > Policy Element > Schedule.
ii. Click Add.
iii. Click OK.
b. Configure an SACG policy group.
i. Choose Policy > Permission Control > Hardware SACG > Hardware
SACG Policy Group.
ii. Click Add.
iii. Click OK.
c. Apply the SACG policy group to an account, user group, or IP address
segment. In this example, the SACG policy group is applied to a user
group.

The SACG policy group is applied to an account, user group, and IP address segment in
descending order of matched priorities.

Click the apply icon next to SACG policy to apply the SACG policy to the specified user group.

----End

3.4.5 Verification
1. If a user successfully passes authentication and terminal security check, the
user can access the service system in working hours but not in non-working
hours.
2. If a severe violation occurs, the terminal host cannot access the network and a
message is displayed indicating that repair is required. The terminal host can
access the network again after the repair.
3. View the state of the Agile Controller.
# View the state of the Agile Controller on the active FW.
HRP_M<FW-3> display right-manager server-group
Server group state : Enable

Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N

active indicates that the status of the connection between the Agile
Controller and FW is normal.
# View the state of the Agile Controller on the standby FW.
HRP_S<FW-4> display right-manager server-group
Server group state : Enable
Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N

4. After the branch user logs in, you can view the user login information on both
FWs. The following part shows the display right-manager online-users
command output on the active FW.
HRP_M<FW-3> display right-manager online-users
User name : lee
Ip address : 10.8.1.3
ServerIp : 192.168.1.2
Login time : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day)
-----------------------------------------
Role id Rolename
1 DefaultDeny
6 Permit_1
255 Last
-----------------------------------------

Run the display right-manager role-info command to view the mappings
between roles and ACLs.
HRP_M<FW-3> display right-manager role-info
All Role count:8
Role ID ACL number Role name
------------------------------------------------------------------------------
Role 0 3099 default
Role 1 3100 DefaultDeny
Role 2 3101 DefaultPermit
Role 3 3102 Deny___0
Role 4 3103 Permit_0
Role 5 3104 Deny___1
Role 6 3105 Permit_1
Role 255 3354 Last

Run the display acl acl-number command to view ACLs 3100, 3105, and
3354.
HRP_M<FW-3> display acl 3100
Advanced ACL 3100, 1 rule //Default deny rule, used when Control mode in the isolation and post-
authentication domains is selected as Permits access to only controlled domain resources in the list.
Acl's step is 1
rule 1 deny ip (0 times matched)
HRP_M<FW-3> display acl 3105
Advanced ACL 3105, 1 rule //Permit the access to the post-authentication domain.
Acl's step is 1
rule 1 permit ip destination 10.1.1.4 0 (0 times matched)
rule 2 permit ip destination 10.1.1.5 0 (0 times matched)
HRP_M<FW-3> display acl 3354
Advanced ACL 3354, 3 rules //Permit the access to the pre-authentication domain.
Acl's step is 1
rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
rule 3 permit ip destination 192.168.3.3 0 (0 times matched)

From the previous information, account lee corresponds to roles 1, 6, and 255,
and the matching sequence is from top to bottom. The role-ACL relationship
indicates the ACL rules for the three roles.

Role 255 is allowed to access the pre-authentication domain, role 6 is allowed
to access the service system, and role 1 is prohibited from accessing all
services.
In conclusion, account lee is allowed to access only the pre-authentication
domain and the service system in the post-authentication domain.
5. Choose Resource > User > Online User on the Agile Controller to check user
login information.

3.4.6 Configuration Scripts


FW-3 FW-4
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/3 remote hrp interface GigabitEthernet 1/0/3 remote
10.10.10.2 10.10.10.1
# #
undo firewall session link-state check undo firewall session link-state check
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
description SACG1_To_Coreswitch1_GE1/1/0/3 description SACG2_To_Coreswitch2_GE2/1/0/3
ip address 10.4.1.2 255.255.255.248 ip address 10.4.1.3 255.255.255.248
vrrp vrid 1 virtual-ip 10.4.1.1 active vrrp vrid 1 virtual-ip 10.4.1.1 standby
link-group 1 link-group 1
# #
interface GigabitEthernet 1/0/2 interface GigabitEthernet 1/0/2
description SACG1_To_Coreswitch1_GE1/1/0/4 description SACG2_To_Coreswitch2_GE2/1/0/4
ip address 10.5.1.2 255.255.255.248 ip address 10.5.1.3 255.255.255.248
FW-3:
 vrrp vrid 2 virtual-ip 10.5.1.1 active
 link-group 1
#
interface GigabitEthernet 1/0/3
 description hrp_interface
 ip address 10.10.10.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 add interface GigabitEthernet 1/0/3
#
firewall interzone trust untrust
 apply packet-filter right-manager inbound
#
ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
right-manager server-group
 default acl 3099
 server ip 192.168.1.2 port 3288 shared-key %$%$FxDAFSd(Y*Ku3%4+"%$%$
 server ip 192.168.1.3 port 3288 shared-key %ef<f%7FxDAFSd(Y*Ku3%><dfe%&%$
 integrity-check enable
right-manager server-group enable
right-manager status-detect enable
local ip 10.4.1.2
right-manager authentication url http://192.168.1.2:8084/auth
right-manager authentication url http://192.168.1.3:8084/auth
#
security-policy
 rule name sc_to_sacg
  source-zone trust
  source-zone local
  destination-zone local
  destination-zone trust
  action permit
 rule name sacg_to_client
  source-zone local

FW-4:
 vrrp vrid 2 virtual-ip 10.5.1.1 standby
 link-group 1
#
interface GigabitEthernet 1/0/3
 description hrp_interface
 ip address 10.10.10.2 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 add interface GigabitEthernet 1/0/3
#
firewall interzone trust untrust
 apply packet-filter right-manager inbound
#
ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
right-manager server-group
 default acl 3099
 server ip 192.168.1.2 port 3288 shared-key %$%$FxDAFSd(Y*Ku3%4+"%$%$
 server ip 192.168.1.3 port 3288 shared-key %ef<f%7FxDAFSd(Y*Ku3%><dfe%&%$
 integrity-check enable
right-manager server-group enable
right-manager status-detect enable
local ip 10.4.1.3
right-manager authentication url http://192.168.1.2:8084/auth
right-manager authentication url http://192.168.1.3:8084/auth
#
security-policy
 rule name sc_to_sacg
  source-zone trust
  source-zone local
  destination-zone local
  destination-zone trust
  action permit
 rule name sacg_to_client
  source-zone local

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 172


HUAWEI Firewall 3 Application of Firewalls in the Security Solution for
Comprehensive Configuration Examples Financial Data Centers

FW-3 (continued):
  destination-zone untrust
  action permit

FW-4 (continued):
  destination-zone untrust
  action permit

3.5 Firewalls at the Internet Egress

3.5.1 Typical Networking


Figure 3-4 shows the typical networking of firewalls at the Internet egress.
● Core switches SW1 and SW2 are stacked. Egress aggregation switches SW7
and SW8 are stacked. Firewalls are located between core switches and egress
aggregation switches. They work in Layer 3 active/standby hot standby mode.
● VRRP is configured on the interfaces connecting the firewalls to the upstream
and downstream devices. The firewalls use the VRRP virtual IP addresses to
communicate with the upstream and downstream devices.
● Employees on the move establish SSL VPN connections with the firewalls for
secure access to the intranet.
● A firewall is deployed at the Internet egress of a branch, which establishes an
IPSec VPN connection with the firewall at the Internet egress of the
headquarters. Data is transmitted between the branch and data center over
the IPSec VPN.
● Some servers in the DMZ are pre-service servers that need to provide services
for Internet users. Therefore, the firewalls at the Internet egress must have
NAT Server configured to map the servers' private IP addresses to public IP
addresses.


Figure 3-4 Typical networking of firewalls at the Internet egress

3.5.2 Service Planning


Firewall Interface Planning
Interface planning for FW-5

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
1 | FW-5 | GE1/0/1 | SW-5 | GE1/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-5 | GE1/0/2 | SW-5 | GE1/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-5 | GE1/0/3 | SW-1 | GE1/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-5 | GE1/0/4 | SW-1 | GE1/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-5 | GE1/0/5 | FW-6 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-5 | GE1/0/6 | FW-6 | GE1/0/6 | Eth-Trunk 0, heartbeat interface

Interface planning for FW-6

No. | Local Device | Local Interface | Peer Device | Peer Interface | Remarks
1 | FW-6 | GE1/0/1 | SW-6 | GE2/1/0/1 | Eth-Trunk 1, upstream service interface
2 | FW-6 | GE1/0/2 | SW-6 | GE2/1/0/2 | Eth-Trunk 1, upstream service interface
3 | FW-6 | GE1/0/3 | SW-2 | GE2/1/0/5 | Eth-Trunk 2, downstream service interface
4 | FW-6 | GE1/0/4 | SW-2 | GE2/1/0/6 | Eth-Trunk 2, downstream service interface
5 | FW-6 | GE1/0/5 | FW-5 | GE1/0/5 | Eth-Trunk 0, heartbeat interface
6 | FW-6 | GE1/0/6 | FW-5 | GE1/0/6 | Eth-Trunk 0, heartbeat interface

Firewall IP Address Planning

No. | Local Device | Local Interface | VLAN ID | Local IP Address | Peer Device | Remarks
1 | FW-5 | Eth-Trunk1.1 | 10 | 172.6.1.2/29, VRID: 1, VIP: 1.1.1.1/29 | SW-5 | SSL VPN gateway for employees on the move
2 | FW-5 | Eth-Trunk1.2 | 20 | 172.6.2.2/29, VRID: 2, VIP: 1.1.2.1/29 | SW-5 | IPSec gateway
3 | FW-5 | Eth-Trunk1.3 | 30 | 172.6.3.2/29, VRID: 3, VIP: 1.1.3.1/29 | SW-5 | Access gateway for Internet users
4 | FW-5 | Eth-Trunk1.4 | 40 | 172.6.4.2/29, VRID: 4, VIP: 1.1.4.1/29 | SW-5 | SSL VPN gateway for the partner
5 | FW-5 | Eth-Trunk2.1 | 103 | 172.7.1.2/29, VRID: 5, VIP: 172.7.1.1 | SW-1 | Data center service area
6 | FW-5 | Eth-Trunk2.2 | 104 | 172.7.2.2/29, VRID: 6, VIP: 172.7.2.1 | SW-1 | DMZ
7 | FW-5 | Eth-Trunk0 | - | 12.12.12.1/24 | FW-6 | -
8 | FW-6 | Eth-Trunk1.1 | 10 | 172.6.1.3/29, VRID: 1, VIP: 1.1.1.1/29 | SW-6 | SSL VPN gateway for employees on the move
9 | FW-6 | Eth-Trunk1.2 | 20 | 172.6.2.3/29, VRID: 2, VIP: 1.1.2.1/29 | SW-6 | IPSec gateway
10 | FW-6 | Eth-Trunk1.3 | 30 | 172.6.3.3/29, VRID: 3, VIP: 1.1.3.1/29 | SW-6 | Access gateway for Internet users
11 | FW-6 | Eth-Trunk1.4 | 40 | 172.6.4.3/29, VRID: 4, VIP: 1.1.4.1/29 | SW-6 | SSL VPN gateway for the partner
11 | FW-6 | Eth-Trunk2.1 | 103 | 172.7.1.3/29, VRID: 5, VIP: 172.7.1.1 | SW-2 | Data center service area
11 | FW-6 | Eth-Trunk2.2 | 104 | 172.7.2.3/29, VRID: 6, VIP: 172.7.2.1 | SW-2 | DMZ
12 | FW-6 | Eth-Trunk0 | - | 12.12.12.2/24 | FW-6 | -

Firewall Security Zone Planning

No. | Security Zone | Security Zone Priority | Included Interface | Remarks
1 | zone1 | 45 | Eth-Trunk1.1 | Employees on the move
2 | zone2 | 40 | Eth-Trunk1.2 | Branch 2
3 | zone3 | 10 | Eth-Trunk1.3 | Internet users
4 | zone4 | 30 | Eth-Trunk1.4 | Partner
4 | hrp | 85 | Eth-Trunk0 | Heartbeat interface
5 | trust | 100 | Eth-Trunk2.1 | Data center service area
6 | dmz | 50 | Eth-Trunk2.2 | DMZ

Firewall Security Policy Planning


Address group

No. | Address Group | Address | Remarks
1 | remote_users | address 0 172.168.3.0 mask 24 | SSL VPN access for employees on the move
2 | partner | address 0 172.168.4.0 mask 24 | Partner
3 | branch2 | address 0 10.9.1.0 mask 24 | Branch 2
4 | server1 | address 0 10.1.1.10 mask 32; address 1 10.1.1.11 mask 32 | Server that employees on the move can access
5 | server2 | address 0 10.2.1.4 mask 32; address 1 10.2.1.5 mask 32 | Server that the partner can access
6 | server4 | address 0 10.1.1.4 mask 32; address 1 10.1.1.5 mask 32 | Server that branch 2 can access
7 | server5 | address 0 192.168.4.2 mask 32; address 1 192.168.4.3 mask 32; address 2 192.168.4.4 mask 32; address 3 192.168.4.5 mask 32 | Server that Internet users can access
8 | ad_server | address 0 192.168.5.4 mask 32; address 1 192.168.5.5 mask 32 | AD authentication server that authenticates SSL VPN access users

User-defined services

No. | Service | Protocol/Port | Remarks
1 | tcp_1414 | service 0 protocol tcp destination-port 1414 | Service for the partner to access the server

Security policies

No. | Policy | Source Zone | Source Address | Destination Zone | Destination Address | Service | Action
1 | remote_users_to_server1 | zone1 | remote_users | trust | server1 | ftp, http | permit
2 | partner_to_server2 | zone4 | partner | trust | server2 | tcp_1414 | permit
4 | branch2_to_server4 | zone2 | branch2 | trust | server4 | ftp | permit
5 | internet_to_server5 | zone3 | any | dmz | server5 | https, http | permit
6 | ipsec | zone2, local | 1.1.2.1/32, 2.2.2.2/32 (IP address of the IPSec gateway of branch 2) | local, zone2 | 1.1.2.1/32, 2.2.2.2/32 (IP address of the IPSec gateway of branch 2) | any | permit
7 | ssl_vpn | zone1, zone4 | any | local | 1.1.1.1/32, 1.1.4.1/32 | any | permit
8 | to_ad_server | local | any | dmz | ad_server | any | permit
8 | default | any | any | any | any | any | deny

default indicates the default security policy. If traffic does not match any configured
security policy, it matches the default security policy (all conditions are any, and the
action is deny). If only PCs at specified IP addresses are allowed to access the servers, keep
the default security policy and configure security policies that permit access only from those
IP addresses.
Hot standby heartbeat packets are not controlled by security policies. Do not configure
security policies for heartbeat packets.
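The following is an added example, not part of the Huawei document: a first-match model of the security policies planned above, which shows how rule order plus the implicit default rule (all conditions any, action deny) decides a flow, and which checks that every permit rule between two non-local zones references an IPS profile. Zone names, address groups and rule order are taken from the planning tables; the sample flows, the `Rule` class and the two checking functions are constructed for this example.

```python
"""Added example (not from the Huawei document): first-match evaluation of the
planned security policies against sample flows, plus an IPS-profile coverage check."""
import ipaddress
from typing import List, Tuple

# Address groups from the 'Address group' table. server5 holds the private addresses
# because the security policy is matched after NAT Server translation.
ADDRESS_SETS = {
    "remote_users": ["172.168.3.0/24"],
    "partner": ["172.168.4.0/24"],
    "branch2": ["10.9.1.0/24"],
    "server1": ["10.1.1.10/32", "10.1.1.11/32"],
    "server2": ["10.2.1.4/32", "10.2.1.5/32"],
    "server4": ["10.1.1.4/32", "10.1.1.5/32"],
    "server5": ["192.168.4.2/32", "192.168.4.3/32", "192.168.4.4/32", "192.168.4.5/32"],
    "ad_server": ["192.168.5.4/32", "192.168.5.5/32"],
}
# Predefined services plus the user-defined tcp_1414, resolved to (protocol, destination port).
SERVICES = {"ftp": ("tcp", 21), "http": ("tcp", 80), "https": ("tcp", 443), "tcp_1414": ("tcp", 1414)}


class Rule:
    """One security-policy rule; an empty address or service list means 'any'."""
    def __init__(self, name, src_zones, dst_zones, src_addrs, dst_addrs, services,
                 action, ips_profile=None):
        self.name, self.src_zones, self.dst_zones = name, set(src_zones), set(dst_zones)
        self.src_addrs, self.dst_addrs, self.services = src_addrs, dst_addrs, set(services)
        self.action, self.ips_profile = action, ips_profile


# The planned rules in table order. 'profile ips default' is referenced in the configuration
# procedure for the first four rules only (the ones that do not involve the local zone).
PLANNED_RULES = [
    Rule("remote_users_to_server1", ["zone1"], ["trust"], ["remote_users"], ["server1"],
         ["ftp", "http"], "permit", "default"),
    Rule("partner_to_server2", ["zone4"], ["trust"], ["partner"], ["server2"],
         ["tcp_1414"], "permit", "default"),
    Rule("branch2_to_server4", ["zone2"], ["trust"], ["branch2"], ["server4"],
         ["ftp"], "permit", "default"),
    Rule("internet_to_server5", ["zone3"], ["dmz"], [], ["server5"],
         ["https", "http"], "permit", "default"),
    Rule("ipsec", ["zone2", "local"], ["zone2", "local"], ["1.1.2.1/32", "2.2.2.2/32"],
         ["1.1.2.1/32", "2.2.2.2/32"], [], "permit"),
    Rule("ssl_vpn", ["zone1", "zone4"], ["local"], [], ["1.1.1.1/32", "1.1.4.1/32"], [], "permit"),
    Rule("to_ad_server", ["local"], ["dmz"], [], ["ad_server"], [], "permit"),
]


def _addr_match(addrs: List[str], ip) -> bool:
    if not addrs:
        return True
    for entry in addrs:
        for net in ADDRESS_SETS.get(entry, [entry]):   # address-set name or literal prefix
            if ip in ipaddress.ip_network(net):
                return True
    return False


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, proto, port) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule matching the flow. When no rule
    matches, the implicit 'default' rule (all conditions any) denies the flow."""
    sip, dip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and _addr_match(r.src_addrs, sip) and _addr_match(r.dst_addrs, dip)
                and (not r.services or any(SERVICES[s] == (proto, port) for s in r.services))):
            return r.name, r.action
    return "default", "deny"


def permit_rules_without_ips(rules) -> List[str]:
    """Names of permit rules between two non-local zones that reference no IPS profile;
    the planning text expects every such rule to carry one."""
    return [r.name for r in rules
            if r.action == "permit" and r.ips_profile is None
            and "local" not in r.src_zones and "local" not in r.dst_zones]


if __name__ == "__main__":
    # Constructed sample flows: a partner host reaching server2 on tcp_1414 (permitted), and
    # the same host trying server1 over HTTP, which no rule permits, so the default rule denies it.
    print(evaluate(PLANNED_RULES, "zone4", "trust", "172.168.4.10", "10.2.1.4", "tcp", 1414))
    print(evaluate(PLANNED_RULES, "zone4", "trust", "172.168.4.10", "10.1.1.10", "tcp", 80))
    print(permit_rules_without_ips(PLANNED_RULES))
```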

Firewall Persistent Connections


Prolonging the session aging time of a protocol

No. | Protocol | Aging Time
1 | tcp_1414 | 40000 seconds

Using the persistent connection function

No. | Policy | Aging Time
1 | branch2_to_server4 | 480 hours

Of the two methods, prolonging the session aging time of a protocol is easier to configure,
whereas the persistent connection function lets you set specific conditions so that only the
specified traffic keeps persistent connections. The prolonged session aging time of a protocol
is a global configuration and takes effect on all sessions of the protocol. As a result,
sessions that do not need persistent connections are not aged out either and keep occupying
session entry resources. Once session entry resources are exhausted, no new sessions, and
therefore no new service connections, can be created.
Therefore, prolong the session aging time of a protocol only if you have confirmed that all
sessions of the protocol require a long aging time. Otherwise, use the persistent connection
function.
The persistent connection function is valid only for TCP-based connections.

Firewall NAT Planning


NAT Server

No. | Name | Protocol | Public IP Address | Public Port | Private IP Address | Private Port
1 | https_server1 | tcp | 1.1.3.2 | 4433 | 192.168.4.2 | 443
2 | https_server2 | tcp | 1.1.3.3 | 4433 | 192.168.4.3 | 443
3 | https_server1 | tcp | 1.1.3.4 | 8000 | 192.168.4.4 | 80
4 | https_server2 | tcp | 1.1.3.5 | 8000 | 192.168.4.5 | 80

Firewall Route Planning


Static routes on firewalls

No. | Destination Address | Mask | Next Hop | Remarks
1 | 10.1.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 1
2 | 10.2.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 2
3 | 10.3.0.0 | 255.255.0.0 | 172.7.1.4 | Route to data center service area 3
4 | 192.168.0.0 | 255.255.0.0 | 172.7.1.4 | Route to the DMZ
4 | 172.168.3.0 | 255.255.255.0 | 1.1.1.2 | Route to SSL VPN access terminals of employees on the move
5 | 172.168.4.0 | 255.255.255.0 | 1.1.4.2 | Route to the partner's network
7 | 10.9.1.0 | 255.255.255.0 | 1.1.2.2 | Route to branch 2's network
8 | 0.0.0.0 | 0.0.0.0 | 1.1.3.2 | Default route to the Internet

IPSec Data Planning


VPN Gateway Location | IPSec Policy Creation Mode | Local Address | Peer Address | Authentication Mode | Pre-shared Key | Local ID | Peer ID
HQ | Policy template | - | - | Pre-shared key | Test!1234 | IP address | IP address
Branch | ISAKMP mode | 2.2.2.2 | 1.1.2.1 | Pre-shared key | Test!1234 | IP address | IP address

SSL VPN Data Planning


The SSL VPN configuration is almost the same for employees on the move and
partners. The SSL VPN configuration for employees on the move is used as an
example.

Item | Data
Virtual gateway | Name: example; IP address: 1.1.1.1; Domain name: www.example.com; Maximum number of users: 150; Maximum number of online users: 100
AD server | Primary server IP address: 192.168.5.4; Secondary server IP address: 192.168.5.5
Web proxy resource | Name: resource1; link: http://10.1.1.10. Name: resource2; link: http://10.1.1.11
Network extension | Network extension address pool: 172.168.3.2-172.168.3.254; Routing mode: manual; Intranet subnet accessible to network extension users: 10.1.1.0/24

Security Defense Planning


● Attack defense planning
To defend the internal network against network attacks, configure attack
defense on the firewalls.
It is recommended that you configure defense against the following attacks:
– Smurf attacks
– Land attacks
– Fraggle attacks
– Ping of Death attacks
– WinNuke attacks
– IP packet with route record option attacks
– IP packet with source route option attacks
– IP packet with timestamp option attacks
– SYN flood attacks
– UDP flood attacks
– ICMP flood attacks
In practice, for the preceding flood attacks, first set a comparatively large
value for the maximum rate of attack packets on the interfaces, observe the
attack traffic, and then gradually lower the rate until you reach a value that
limits the attack traffic without affecting services.
● IPS planning
To prevent hackers, zombies, Trojan horses, and worms from intruding into the
internal network, configure IPS on the firewalls.

The IPS may be deployed on the firewalls or deployed as an independent IPS device.

To configure the IPS functions, you reference an IPS profile when defining security
policies. In the present case, the IPS profile is referenced in all the above planned
security policies (except those for the local zone). This means that IPS detection is
carried out for all traffic permitted by the security policies.


Generally, when the firewalls are initially deployed, you can select the default IPS
profile default. After the firewalls have been running for some time, the administrator
can define a profile based on the network status. The IPS also provides the default
profile ids, with which alarms are generated upon the detection of intrusions but the
intrusions are not blocked. If high security is required and you want to reduce the false
positives reported by the IPS, you can select the ids profile.

3.5.3 Precautions
IPS
The IPS signature database must be the latest before the IPS function is
configured.

Attack Defense
The attack defense configuration is the recommended standard configuration.

Policy Backup-based Acceleration Function


When a large number of policies exist (such as over 500 policies), the policy
backup-based acceleration function must be enabled to improve policy matching
efficiency during policy modification. If this function is enabled, however, the
newly configured policy takes effect only after the policy backup-based
acceleration process completes.

3.5.4 Configuration Procedure

3.5.4.1 Configuring Interfaces, Security Zones, and Routes

Procedure
Step 1 Configure IP addresses for the interfaces of FW-5.
<sysname> system-view
[sysname] sysname FW-5
[FW-5] interface Eth-trunk 1
[FW-5-Eth-Trunk1] description Link_To_SW5
[FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-5-Eth-Trunk1] quit
[FW-5] interface Eth-trunk 1.1
[FW-5-Eth-Trunk1.1] vlan-type dot1q 10
[FW-5-Eth-Trunk1.1] ip address 172.6.1.2 29
[FW-5-Eth-Trunk1.1] quit
[FW-5] interface Eth-trunk 1.2
[FW-5-Eth-Trunk1.2] vlan-type dot1q 20
[FW-5-Eth-Trunk1.2] ip address 172.6.2.2 29
[FW-5-Eth-Trunk1.2] quit
[FW-5] interface Eth-trunk 1.3
[FW-5-Eth-Trunk1.3] vlan-type dot1q 30
[FW-5-Eth-Trunk1.3] ip address 172.6.3.2 29
[FW-5-Eth-Trunk1.3] quit
[FW-5] interface Eth-trunk 1.4
[FW-5-Eth-Trunk1.4] vlan-type dot1q 40
[FW-5-Eth-Trunk1.4] ip address 172.6.4.2 29
[FW-5-Eth-Trunk1.4] quit
[FW-5] interface Eth-trunk 2

[FW-5-Eth-Trunk2] description Link_To_SW1
[FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/3
[FW-5-Eth-Trunk2] trunkport GigabitEthernet 1/0/4
[FW-5-Eth-Trunk2] quit
[FW-5] interface Eth-trunk 2.1
[FW-5-Eth-Trunk2.1] vlan-type dot1q 103
[FW-5-Eth-Trunk2.1] ip address 172.7.1.2 29
[FW-5-Eth-Trunk2.1] quit
[FW-5] interface Eth-trunk 2.2
[FW-5-Eth-Trunk2.2] vlan-type dot1q 104
[FW-5-Eth-Trunk2.2] ip address 172.7.2.2 29
[FW-5-Eth-Trunk2.2] quit
[FW-5] interface Eth-trunk 0
[FW-5-Eth-Trunk0] description HRP_Interface
[FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/5
[FW-5-Eth-Trunk0] trunkport GigabitEthernet 1/0/6
[FW-5-Eth-Trunk0] ip address 12.12.12.1 24
[FW-5-Eth-Trunk0] quit

Step 2 Assign the interfaces of FW-5 to appropriate security zones.


[FW-5] firewall zone name zone1
[FW-5-zone-zone1] set priority 45
[FW-5-zone-zone1] add interface Eth-trunk1.1
[FW-5-zone-zone1] quit
[FW-5] firewall zone name zone2
[FW-5-zone-zone2] set priority 40
[FW-5-zone-zone2] add interface Eth-trunk1.2
[FW-5-zone-zone2] quit
[FW-5] firewall zone name zone3
[FW-5-zone-zone3] set priority 10
[FW-5-zone-zone3] add interface Eth-trunk1.3
[FW-5-zone-zone3] quit
[FW-5] firewall zone name zone4
[FW-5-zone-zone4] set priority 30
[FW-5-zone-zone4] add interface Eth-trunk1.4
[FW-5-zone-zone4] quit
[FW-5] firewall zone trust
[FW-5-zone-trust] add interface Eth-trunk2.1
[FW-5-zone-trust] quit
[FW-5] firewall zone dmz
[FW-5-zone-dmz] add interface Eth-trunk2.2
[FW-5-zone-dmz] quit
[FW-5] firewall zone name hrp
[FW-5-zone-hrp] set priority 85
[FW-5-zone-hrp] add interface Eth-trunk0
[FW-5-zone-hrp] quit

Step 3 Configure static routes on FW-5.


# On FW-5, configure a static route to the data center service area and set the
next hop to the IP address of the core switch.
[FW-5] ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
[FW-5] ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
[FW-5] ip route-static 10.3.0.0 255.255.0.0 172.7.1.4

# On FW-5, configure static routes to the SSL VPN access terminal, branch,
partner network, and Internet and set the next hop to the IP address of the ISP
router.
[FW-5] ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
[FW-5] ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
[FW-5] ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
[FW-5] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2


Step 4 Configure the IP addresses, security zones, and routes of FW-6 interfaces
according to the above procedure. The difference lies in the IP addresses of the
interfaces.

----End

3.5.4.2 Configuring Hot Standby

Procedure
Step 1 Configure VRRP groups on the interfaces of FW-5 and set their state to active.
<FW-5> system-view
[FW-5] interface Eth-Trunk1.1
[FW-5-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW-5-Eth-Trunk1.1] quit
[FW-5] interface Eth-Trunk1.2
[FW-5-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 active
[FW-5-Eth-Trunk1.2] quit
[FW-5] interface Eth-Trunk1.3
[FW-5-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 active
[FW-5-Eth-Trunk1.3] quit
[FW-5] interface Eth-Trunk1.4
[FW-5-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 active
[FW-5-Eth-Trunk1.4] quit
[FW-5] interface Eth-Trunk2.1
[FW-5-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 active
[FW-5-Eth-Trunk2.1] quit
[FW-5] interface Eth-Trunk2.2
[FW-5-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 active
[FW-5-Eth-Trunk2.2] quit

Step 2 Designate Eth-Trunk 0 as the heartbeat interface of FW-5, and enable hot standby.
[FW-5] hrp interface Eth-Trunk0 remote 12.12.12.2
[FW-5] hrp enable

Step 3 Configure VRRP groups on the interfaces of FW-6 and set their state to standby.
<FW-6> system-view
[FW-6] interface Eth-Trunk1.1
[FW-6-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 standby
[FW-6-Eth-Trunk1.1] quit
[FW-6] interface Eth-Trunk1.2
[FW-6-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 standby
[FW-6-Eth-Trunk1.2] quit
[FW-6] interface Eth-Trunk1.3
[FW-6-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 standby
[FW-6-Eth-Trunk1.3] quit
[FW-6] interface Eth-Trunk1.4
[FW-6-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 standby
[FW-6-Eth-Trunk1.4] quit
[FW-6] interface Eth-Trunk2.1
[FW-6-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 standby
[FW-6-Eth-Trunk2.1] quit
[FW-6] interface Eth-Trunk2.2
[FW-6-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 standby
[FW-6-Eth-Trunk2.2] quit

Step 4 Designate Eth-Trunk 0 as the heartbeat interface of FW-6, and enable hot standby.
[FW-6] hrp interface Eth-Trunk0 remote 12.12.12.1
[FW-6] hrp enable

----End
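The following is an added example, not part of the Huawei document: a consistency check for the hot-standby pair configured above. It parses the vrrp vrid and hrp interface commands entered on FW-5 and FW-6 and reports VRIDs whose interface, virtual IP, mask or active/standby roles do not line up, and heartbeat remote addresses that do not point at the peer. The two transcripts are constructed from the commands in this procedure; the parsing and checking functions are this example's own.

```python
"""Added example (not from the Huawei document): checks that the VRRP groups and
heartbeat settings on an active/standby firewall pair are mirror images of each other."""
import re
from typing import Dict, List, Tuple

# Constructed from the commands entered on FW-5 and FW-6 in the procedure above.
FW5_TRANSCRIPT = """\
[FW-5-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW-5-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 active
[FW-5-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 active
[FW-5-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 active
[FW-5-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 active
[FW-5-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 active
[FW-5] hrp interface Eth-Trunk0 remote 12.12.12.2
"""
FW6_TRANSCRIPT = """\
[FW-6-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 standby
[FW-6-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 standby
[FW-6-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 standby
[FW-6-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 standby
[FW-6-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 standby
[FW-6-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 standby
[FW-6] hrp interface Eth-Trunk0 remote 12.12.12.1
"""

# The interface is taken from the prompt suffix, e.g. "[FW-5-Eth-Trunk1.1]".
VRRP_RE = re.compile(r"-(?P<iface>Eth-Trunk[\d.]+)\]\s+vrrp vrid (?P<vrid>\d+) "
                     r"virtual-ip (?P<vip>\S+) (?P<mask>\d+) (?P<role>active|standby)")
HRP_RE = re.compile(r"\]\s+hrp interface (?P<iface>\S+) remote (?P<remote>\S+)")


def parse_hot_standby(transcript: str) -> Tuple[Dict[int, Tuple[str, str, str, str]], Dict[str, str]]:
    """Return ({vrid: (interface, vip, mask, role)}, {'interface': ..., 'remote': ...})."""
    groups, hrp = {}, {}
    for line in transcript.splitlines():
        m = VRRP_RE.search(line)
        if m:
            groups[int(m["vrid"])] = (m["iface"], m["vip"], m["mask"], m["role"])
            continue
        m = HRP_RE.search(line)
        if m:
            hrp = {"interface": m["iface"], "remote": m["remote"]}
    return groups, hrp


def check_pair(active_cfg: str, standby_cfg: str, active_addr: str, standby_addr: str) -> List[str]:
    """Compare the two transcripts. active_addr/standby_addr are each device's own
    heartbeat (Eth-Trunk0) address, so the peer's 'remote' must equal it."""
    a_groups, a_hrp = parse_hot_standby(active_cfg)
    s_groups, s_hrp = parse_hot_standby(standby_cfg)
    problems = []
    for vrid in sorted(set(a_groups) | set(s_groups)):
        if vrid not in a_groups or vrid not in s_groups:
            problems.append(f"VRID {vrid} configured on only one firewall")
            continue
        (a_if, a_vip, a_mask, a_role), (s_if, s_vip, s_mask, s_role) = a_groups[vrid], s_groups[vrid]
        if (a_if, a_vip, a_mask) != (s_if, s_vip, s_mask):
            problems.append(f"VRID {vrid}: interface or virtual IP differ "
                            f"({a_if} {a_vip}/{a_mask} vs {s_if} {s_vip}/{s_mask})")
        if (a_role, s_role) != ("active", "standby"):
            problems.append(f"VRID {vrid}: roles are {a_role}/{s_role}, expected active/standby")
    if a_hrp.get("remote") != standby_addr:
        problems.append(f"active firewall hrp remote {a_hrp.get('remote')} "
                        f"does not match the standby heartbeat address {standby_addr}")
    if s_hrp.get("remote") != active_addr:
        problems.append(f"standby firewall hrp remote {s_hrp.get('remote')} "
                        f"does not match the active heartbeat address {active_addr}")
    return problems


if __name__ == "__main__":
    print(check_pair(FW5_TRANSCRIPT, FW6_TRANSCRIPT, "12.12.12.1", "12.12.12.2"))  # []
```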


Result
A hot-standby relationship has been established to back up most subsequent
configurations. Therefore, in the subsequent steps, you only need to make
configurations on the active FW-5 (unless otherwise stated).

3.5.4.3 Configuring the NAT Server

Procedure
Step 1 Configure NAT Server to map the pre-service servers' private IP addresses to public
IP addresses.
HRP_M[FW-5] nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
HRP_M[FW-5] nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
HRP_M[FW-5] nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
HRP_M[FW-5] nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80

Step 2 Configure black-hole routes to the public addresses of the NAT servers to prevent
routing loops between the firewall and the ISP routers.
Route configurations are not backed up by hot standby. Therefore, you need to configure
the black-hole routes on both FW-5 and FW-6.
HRP_M[FW-5] ip route-static 1.1.3.2 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.3 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.4 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.5 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.2 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.3 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.4 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.5 32 NULL 0

----End
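The following is an added example, not part of the Huawei document: it checks that every public address published by a nat server command has a matching black-hole route (ip route-static <address> 32 NULL 0) on both firewalls, which matters here because route configuration is not backed up by hot standby, and it also flags public IP/port pairs claimed by more than one NAT server entry. The transcript is constructed from the commands in this procedure; the parsing and checking functions are this example's own.

```python
"""Added example (not from the Huawei document): NAT Server / black-hole route
coverage check for a hot-standby pair, working on captured CLI transcripts."""
import re
from typing import Dict, List, Set, Tuple

# Constructed from the commands on this page (NAT Server entered on the active FW-5,
# black-hole routes entered on both firewalls).
TRANSCRIPT = """\
HRP_M[FW-5] nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
HRP_M[FW-5] nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
HRP_M[FW-5] nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
HRP_M[FW-5] nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
HRP_M[FW-5] ip route-static 1.1.3.2 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.3 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.4 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.5 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.2 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.3 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.4 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.5 32 NULL 0
"""

IPV4 = r"\d+(?:\.\d+){3}"
NAT_RE = re.compile(rf"nat server (?P<name>\S+) protocol (?P<proto>\S+) global (?P<pub>{IPV4}) "
                    rf"(?P<pport>\d+) inside (?P<priv>{IPV4}) (?P<prport>\d+)")
BLACKHOLE_RE = re.compile(rf"HRP_[MS]\[(?P<fw>[^\]]+)\]\s+ip route-static (?P<ip>{IPV4}) 32 NULL 0")


def nat_server_entries(transcript: str) -> List[Dict[str, str]]:
    """All 'nat server' commands in the transcript as dicts of their fields."""
    return [m.groupdict() for m in (NAT_RE.search(l) for l in transcript.splitlines()) if m]


def blackhole_routes(transcript: str) -> Dict[str, Set[str]]:
    """{firewall name from the prompt: set of /32 addresses routed to NULL 0}."""
    routes: Dict[str, Set[str]] = {}
    for line in transcript.splitlines():
        m = BLACKHOLE_RE.search(line)
        if m:
            routes.setdefault(m["fw"], set()).add(m["ip"])
    return routes


def missing_blackholes(transcript: str, firewalls=("FW-5", "FW-6")) -> Dict[str, List[str]]:
    """For each firewall, the NAT Server public addresses that have no black-hole route there."""
    needed = {e["pub"] for e in nat_server_entries(transcript)}
    have = blackhole_routes(transcript)
    return {fw: sorted(needed - have.get(fw, set())) for fw in firewalls}


def conflicting_public_sockets(transcript: str) -> List[Tuple[str, str, str]]:
    """(protocol, public IP, public port) triples used by more than one NAT Server entry;
    two mappings on the same public socket cannot both be reachable."""
    seen: Dict[Tuple[str, str, str], int] = {}
    for e in nat_server_entries(transcript):
        key = (e["proto"], e["pub"], e["pport"])
        seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == "__main__":
    print(missing_blackholes(TRANSCRIPT))          # {'FW-5': [], 'FW-6': []}
    print(conflicting_public_sockets(TRANSCRIPT))  # []
```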

3.5.4.4 Configuring Security Policies and Security Protection

Procedure
Step 1 Configure security policies and IPS functions.
# Configure an address group on FW-5.
HRP_M[FW-5] ip address-set remote_users type object
HRP_M[FW-5-object-address-set-remote_users] address 0 172.168.3.0 mask 24
HRP_M[FW-5-object-address-set-remote_users] description "for remote users"
HRP_M[FW-5-object-address-set-remote_users] quit
HRP_M[FW-5] ip address-set partner type object
HRP_M[FW-5-object-address-set-partner] address 0 172.168.4.0 mask 24
HRP_M[FW-5-object-address-set-partner] description "for partner"
HRP_M[FW-5-object-address-set-partner] quit
HRP_M[FW-5] ip address-set branch2 type object
HRP_M[FW-5-object-address-set-branch2] address 0 10.9.1.0 mask 24
HRP_M[FW-5-object-address-set-branch2] description "for branch2"
HRP_M[FW-5-object-address-set-branch2] quit
HRP_M[FW-5] ip address-set server1 type object
HRP_M[FW-5-object-address-set-server1] address 0 10.1.1.10 mask 32
HRP_M[FW-5-object-address-set-server1] address 1 10.1.1.11 mask 32
HRP_M[FW-5-object-address-set-server1] description "for server1"
HRP_M[FW-5-object-address-set-server1] quit
HRP_M[FW-5] ip address-set server2 type object
HRP_M[FW-5-object-address-set-server2] address 0 10.2.1.4 mask 32
HRP_M[FW-5-object-address-set-server2] address 1 10.2.1.5 mask 32

HRP_M[FW-5-object-address-set-server2] description "for server2"
HRP_M[FW-5-object-address-set-server2] quit
HRP_M[FW-5] ip address-set server4 type object
HRP_M[FW-5-object-address-set-server4] address 0 10.1.1.4 mask 32
HRP_M[FW-5-object-address-set-server4] address 1 10.1.1.5 mask 32
HRP_M[FW-5-object-address-set-server4] description "for server4"
HRP_M[FW-5-object-address-set-server4] quit
HRP_M[FW-5] ip address-set server5 type object
HRP_M[FW-5-object-address-set-server5] address 0 192.168.4.2 mask 32
HRP_M[FW-5-object-address-set-server5] address 1 192.168.4.3 mask 32
HRP_M[FW-5-object-address-set-server5] address 2 192.168.4.4 mask 32
HRP_M[FW-5-object-address-set-server5] address 3 192.168.4.5 mask 32
HRP_M[FW-5-object-address-set-server5] description "for server5"
HRP_M[FW-5-object-address-set-server5] quit
HRP_M[FW-5] ip address-set ad_server type object
HRP_M[FW-5-object-address-set-ad_server] address 0 192.168.5.4 mask 32
HRP_M[FW-5-object-address-set-ad_server] address 1 192.168.5.5 mask 32
HRP_M[FW-5-object-address-set-ad_server] description "for ad_server"
HRP_M[FW-5-object-address-set-ad_server] quit

# Configure a service set on FW-5.


HRP_M[FW-5] ip service-set tcp_1414 type object
HRP_M[FW-5-object-service-set-tcp_1414] service 0 protocol tcp destination-port 1414
HRP_M[FW-5-object-service-set-tcp_1414] quit

# Configure the security policy remote_users_to_server1 on FW-5 and reference


the IPS profile.
HRP_M[FW-5] security-policy
HRP_M[FW-5-policy-security] rule name remote_users_to_server1
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-zone zone1
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-zone trust
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] source-address address-set remote_users
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] destination-address address-set server1
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] service ftp http
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] action permit
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] profile ips default
HRP_M[FW-5-policy-security-rule-remote_users_to_server1] quit

# Configure the security policy partner_to_server2 on FW-5 and reference the IPS
profile.
HRP_M[FW-5-policy-security] rule name partner_to_server2
HRP_M[FW-5-policy-security-rule-partner_to_server2] source-zone zone4
HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-zone trust
HRP_M[FW-5-policy-security-rule-partner_to_server2] source-address address-set partner
HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-address address-set server2
HRP_M[FW-5-policy-security-rule-partner_to_server2] service tcp_1414
HRP_M[FW-5-policy-security-rule-partner_to_server2] action permit
HRP_M[FW-5-policy-security-rule-partner_to_server2] profile ips default
HRP_M[FW-5-policy-security-rule-partner_to_server2] quit

# Configure the security policy branch2_to_server4 on FW-5 and reference the IPS
profile.
HRP_M[FW-5-policy-security] rule name branch2_to_server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-zone zone2
HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-zone trust
HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-address address-set branch2
HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-address address-set server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] service ftp
HRP_M[FW-5-policy-security-rule-branch2_to_server4] action permit
HRP_M[FW-5-policy-security-rule-branch2_to_server4] profile ips default
HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit

# Configure the security policy internet_to_server5 on FW-5 and reference the IPS
profile.

HRP_M[FW-5-policy-security] rule name internet_to_server5
HRP_M[FW-5-policy-security-rule-internet_to_server5] source-zone zone3
HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-zone dmz
HRP_M[FW-5-policy-security-rule-internet_to_server5] destination-address address-set server5
HRP_M[FW-5-policy-security-rule-internet_to_server5] service https http
HRP_M[FW-5-policy-security-rule-internet_to_server5] action permit
HRP_M[FW-5-policy-security-rule-internet_to_server5] profile ips default
HRP_M[FW-5-policy-security-rule-internet_to_server5] quit

# Configure the security policy ipsec on FW-5.


HRP_M[FW-5-policy-security] rule name ipsec
HRP_M[FW-5-policy-security-rule-ipsec] source-zone zone2 local
HRP_M[FW-5-policy-security-rule-ipsec] destination-zone zone2 local
HRP_M[FW-5-policy-security-rule-ipsec] source-address 1.1.2.1 32
HRP_M[FW-5-policy-security-rule-ipsec] source-address 2.2.2.2 32
HRP_M[FW-5-policy-security-rule-ipsec] destination-address 1.1.2.1 32
HRP_M[FW-5-policy-security-rule-ipsec] destination-address 2.2.2.2 32
HRP_M[FW-5-policy-security-rule-ipsec] action permit
HRP_M[FW-5-policy-security-rule-ipsec] quit

# Configure the security policy ssl_vpn on FW-5.


HRP_M[FW-5-policy-security] rule name ssl_vpn
HRP_M[FW-5-policy-security-rule-ssl_vpn] source-zone zone1 zone4
HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-zone local
HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.1.1 32
HRP_M[FW-5-policy-security-rule-ssl_vpn] destination-address 1.1.4.1 32
HRP_M[FW-5-policy-security-rule-ssl_vpn] action permit
HRP_M[FW-5-policy-security-rule-ssl_vpn] quit

# Configure the security policy to_ad_server on FW-5.


HRP_M[FW-5-policy-security] rule name to_ad_server
HRP_M[FW-5-policy-security-rule-to_ad_server] source-zone local
HRP_M[FW-5-policy-security-rule-to_ad_server] destination-zone dmz
HRP_M[FW-5-policy-security-rule-to_ad_server] destination-address address-set ad_server
HRP_M[FW-5-policy-security-rule-to_ad_server] action permit
HRP_M[FW-5-policy-security-rule-to_ad_server] quit
HRP_M[FW-5-policy-security] quit

Step 2 Configure persistent connections.


# Change the session aging time to 40000 seconds for tcp_1414.
HRP_M[FW-5] firewall session aging-time service-set tcp_1414 40000

# Enable the persistent connection function in security policy branch2_to_server4


and change the aging time to 480 hours for connections matching this policy.
HRP_M[FW-5] security-policy
HRP_M[FW-5-policy-security] rule name branch2_to_server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link enable
HRP_M[FW-5-policy-security-rule-branch2_to_server4] long-link aging-time 480
HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-5-policy-security] quit

Step 3 Configure attack defense.


# Configure defense against single packet attacks on FW-5.
HRP_M[FW-5] firewall defend land enable
HRP_M[FW-5] firewall defend smurf enable
HRP_M[FW-5] firewall defend fraggle enable
HRP_M[FW-5] firewall defend ip-fragment enable
HRP_M[FW-5] firewall defend tcp-flag enable
HRP_M[FW-5] firewall defend winnuke enable
HRP_M[FW-5] firewall defend source-route enable
HRP_M[FW-5] firewall defend teardrop enable
HRP_M[FW-5] firewall defend route-record enable

HRP_M[FW-5] firewall defend time-stamp enable
HRP_M[FW-5] firewall defend ping-of-death enable

Step 4 Configure the policy backup-based acceleration function.

When a large number of policies exist (for example, more than 500), enable the policy
backup-based acceleration function to improve policy matching efficiency while policies
are being modified. Note that when this function is enabled, a newly configured policy
takes effect only after the policy backup-based acceleration process completes.
HRP_M[FW-5] policy accelerate standby enable

----End

3.5.4.5 Configuring IPSec VPN

Procedure
Step 1 Configure an IPSec policy on FW-5 and apply the policy to the corresponding
interface.
1. Define data flows to be protected. Configure advanced ACL 3000 to permit
the users on network segment 10.1.1.0/24 to access network segment
10.9.1.0/24.
HRP_M<FW-5> system-view
HRP_M[FW-5] acl 3000
HRP_M[FW-5-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
HRP_M[FW-5-acl-adv-3000] quit
2. Configure an IPSec proposal. The values shown are the defaults; parameters that
keep their default values do not need to be set.
HRP_M[FW-5] ipsec proposal tran1
HRP_M[FW-5-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FW-5-ipsec-proposal-tran1] esp encryption-algorithm aes-256
HRP_M[FW-5-ipsec-proposal-tran1] quit
3. Configure an IKE proposal. The values shown are the defaults; parameters that
keep their default values do not need to be set.
HRP_M[FW-5] ike proposal 10
HRP_M[FW-5-ike-proposal-10] authentication-method pre-share
HRP_M[FW-5-ike-proposal-10] prf hmac-sha2-256
HRP_M[FW-5-ike-proposal-10] encryption-algorithm aes-256
HRP_M[FW-5-ike-proposal-10] dh group2
HRP_M[FW-5-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW-5-ike-proposal-10] quit
4. Configure an IKE peer.
HRP_M[FW-5] ike peer b
HRP_M[FW-5-ike-peer-b] ike-proposal 10
HRP_M[FW-5-ike-peer-b] pre-shared-key Test!1234
HRP_M[FW-5-ike-peer-b] quit
5. Configure an IPSec policy.
HRP_M[FW-5] ipsec policy-template policy1 1
HRP_M[FW-5-ipsec-policy-templet-policy1-1] security acl 3000
HRP_M[FW-5-ipsec-policy-templet-policy1-1] proposal tran1
HRP_M[FW-5-ipsec-policy-templet-policy1-1] ike-peer b
HRP_M[FW-5-ipsec-policy-templet-policy1-1] quit
HRP_M[FW-5] ipsec policy map1 10 isakmp template policy1
6. Apply IPSec policy map1 to Eth-Trunk1.2.
HRP_M[FW-5] interface Eth-Trunk1.2
HRP_M[FW-5-Eth-Trunk1.2] ipsec policy map1
HRP_M[FW-5-Eth-Trunk1.2] quit

Step 2 Configure an IPSec policy on the branch FW and apply the policy to the
corresponding interface.
1. Configure advanced ACL 3000 to permit the users on network segment
10.9.1.0/24 to access network segment 10.1.1.0/24.
<FW-branch> system-view
[FW-branch] acl 3000
[FW-branch-acl-adv-3000] rule 5 permit ip source 10.9.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW-branch-acl-adv-3000] quit
2. Configure an IPSec proposal using the default parameters.
[FW-branch] ipsec proposal tran1
[FW-branch-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW-branch-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW-branch-ipsec-proposal-tran1] quit
3. Configure an IKE proposal using the default parameters.
[FW-branch] ike proposal 10
[FW-branch-ike-proposal-10] authentication-method pre-share
[FW-branch-ike-proposal-10] prf hmac-sha2-256
[FW-branch-ike-proposal-10] encryption-algorithm aes-256
[FW-branch-ike-proposal-10] dh group2
[FW-branch-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW-branch-ike-proposal-10] quit
4. Configure an IKE peer.
[FW-branch] ike peer a
[FW-branch-ike-peer-a] ike-proposal 10
[FW-branch-ike-peer-a] remote-address 1.1.2.1
[FW-branch-ike-peer-a] pre-shared-key Test!1234
[FW-branch-ike-peer-a] quit
5. Configure an IPSec policy.
[FW-branch] ipsec policy map1 10 isakmp
[FW-branch-ipsec-policy-isakmp-map1-10] security acl 3000
[FW-branch-ipsec-policy-isakmp-map1-10] proposal tran1
[FW-branch-ipsec-policy-isakmp-map1-10] ike-peer a
[FW-branch-ipsec-policy-isakmp-map1-10] quit
6. Apply IPSec policy group map1 to the interface. In this example, the WAN
interface of the branch is GE1/0/1.
[FW-branch] interface GigabitEthernet 1/0/1
[FW-branch-GigabitEthernet1/0/1] ipsec policy map1
[FW-branch-GigabitEthernet1/0/1] quit

----End

3.5.4.6 Configuring SSL VPN

Procedure
Step 1 Set parameters for interconnection between the FW and AD server.

The parameter settings on the FW must be consistent with those on the AD server.
HRP_M[FW-5] ad-server template ad_server
HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.4 88
HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.5 88 secondary
HRP_M[FW-5-ad-ad_server] ad-server authentication base-dn dc=cce,dc=com
HRP_M[FW-5-ad-ad_server] ad-server authentication manager cn=administrator,cn=users Admin@123
HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server.cce.com
HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server2.cce.com secondary
HRP_M[FW-5-ad-ad_server] ad-server authentication ldap-port 389
HRP_M[FW-5-ad-ad_server] ad-server user-filter sAMAccountName
HRP_M[FW-5-ad-ad_server] ad-server group-filter ou

If you are unfamiliar with the AD server and cannot provide the server name, Base
DN, or filter field values, you can use the AD Explorer or LDAP Browser software
to connect to the AD server to query the attribute values. The AD Explorer is used
as an example. The AD server attributes and mappings between the server
attributes and parameters on the FW are as follows.

# Test the connectivity between the FW and AD server.
HRP_M[FW-5-ad-ad_server] test-aaa user_0001 Admin@123 ad-template ad_server
Info: Server detection succeeded.
HRP_M[FW-5-ad-ad_server] quit

The user name and password used for the test must be the same as those on the AD server.

Step 2 Configure an authentication domain.

When the FW uses AD or LDAP authentication, the authentication domain name configured
on the FW must be the same as that configured on the authentication server. In this
example, the domain name on the AD server is cce.com. Therefore, the authentication
domain name must be set to cce.com on the FW.
HRP_M[FW-5] aaa
HRP_M[FW-5-aaa] authentication-scheme ad
HRP_M[FW-5-aaa-authen-ad] authentication-mode ad
HRP_M[FW-5-aaa-authen-ad] quit
HRP_M[FW-5-aaa] domain cce.com
HRP_M[FW-5-aaa-domain-cce.com] service-type ssl-vpn
HRP_M[FW-5-aaa-domain-cce.com] authentication-scheme ad
HRP_M[FW-5-aaa-domain-cce.com] ad-server ad_server
HRP_M[FW-5-aaa-domain-cce.com] reference user current-domain
HRP_M[FW-5-aaa-domain-cce.com] quit
HRP_M[FW-5-aaa] quit

Step 3 Configure a policy to import user information from the AD server to the FW.
HRP_M[FW-5] user-manage import-policy ad_server from ad
HRP_M[FW-5-import-ad_server] server template ad_server
HRP_M[FW-5-import-ad_server] server basedn dc=cce,dc=com
HRP_M[FW-5-import-ad_server] server searchdn ou=remoteusers,dc=cce,dc=com
HRP_M[FW-5-import-ad_server] destination-group /cce.com
HRP_M[FW-5-import-ad_server] user-attribute sAMAccountName
HRP_M[FW-5-import-ad_server] import-type all
HRP_M[FW-5-import-ad_server] import-override enable
HRP_M[FW-5-import-ad_server] sync-mode incremental schedule interval 120
HRP_M[FW-5-import-ad_server] sync-mode full schedule daily 01:00
HRP_M[FW-5-import-ad_server] quit

● If you need to import user groups only, set import-type to group and set the new user
option in Step 5 to new-user add-temporary group /cce.com auto-import ad_server.
Authenticated users use the permissions of their owning groups.
● The user and user group filtering conditions in this example use the default values
(&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
and (|(objectclass=organizationalUnit)(ou=*)). To change them, run the user-filter and
group-filter commands.
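As an added example (not part of the Huawei document), the following Python evaluates the two default filters quoted above against a few constructed directory entries, using a small parser for the RFC 4515 filter subset they use; the entry DNs and attribute values are constructed for illustration. It shows why the (!(objectclass=computer)) clause matters: AD computer accounts are also person/organizationalPerson objects and would otherwise be imported as users.

```python
"""Evaluate the default AD user/group import filters against sample entries.

Added example; not part of the Huawei document or the firewall's code. It
implements the RFC 4515 filter subset the two default filters need (&, |, !,
equality and the presence test "=*") and applies them to constructed entries.
"""

# Default filters as quoted in the document's note.
USER_FILTER = ("(&(|(objectclass=person)(objectclass=organizationalPerson))"
               "(cn=*)(!(objectclass=computer)))")
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"


def parse_filter(text):
    """Parse a filter string into ('&'|'|', [children]), ('!', [child]) or
    ('=', attribute, value) nodes. Only the subset used above is supported."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if text[pos] in "&|":                  # n-ary AND / OR
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if text[pos] == "!":                   # unary NOT
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.index(")", pos)             # simple item: attr=value
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, entry):
    """entry maps lower-case attribute names to lists of values (AD attributes
    such as objectClass are multi-valued). Comparison is case-insensitive."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                           # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


# Constructed sample entries modelled on the cce.com directory in the example.
SAMPLE_ENTRIES = {
    "cn=user_0001,ou=remoteusers,dc=cce,dc=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["user_0001"], "samaccountname": ["user_0001"]},
    # A computer account is also person/organizationalPerson in AD; only the
    # (!(objectclass=computer)) clause keeps it out of the user import.
    "cn=WS01,cn=computers,dc=cce,dc=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "cn": ["WS01"], "samaccountname": ["WS01$"]},
    "ou=remoteusers,dc=cce,dc=com": {
        "objectclass": ["top", "organizationalUnit"], "ou": ["remoteusers"]},
    # A person object without a cn attribute: rejected by the (cn=*) clause.
    "constructed-entry-without-cn": {
        "objectclass": ["top", "person", "contact"]},
}


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs of the entries that match filter_text, in input order."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(tree, attrs)]


if __name__ == "__main__":
    print("users :", select(USER_FILTER))
    print("groups:", select(GROUP_FILTER))
```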

Step 4 Execute the import policy to import users to the FW.
HRP_M[FW-5] execute user-manage import-policy ad_server
Now importing user, security group and user-group information from remote server...successfully.

After the import succeeds, you can run the display user-manage user verbose
command to view information about the imported users.
Step 5 Set the new user option for the authentication domain on the FW.
HRP_M[FW-5] aaa
HRP_M[FW-5-aaa] domain cce.com
HRP_M[FW-5-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import ad_server
HRP_M[FW-5-aaa-domain-cce.com] quit
HRP_M[FW-5-aaa] quit

Step 6 Configure an SSL VPN virtual gateway.

# Create an SSL VPN virtual gateway.
HRP_M[FW-5] v-gateway example 1.1.1.1 private www.example.com
HRP_M[FW-5-example] quit

# Configure the maximum number of users and maximum number of concurrent
users allowed by the virtual gateway.
HRP_M[FW-5] v-gateway example max-user 150
HRP_M[FW-5] v-gateway example cur-max-user 100

# Bind the virtual gateway to the authentication domain.
HRP_M[FW-5] v-gateway example authentication-domain cce.com

If the virtual gateway is bound to an authentication domain, the user name entered at
login must not carry the authentication domain. If it does, the gateway treats the string
following the at sign (@) as part of the user name, not as an authentication domain name.
For example, if the virtual gateway is bound to the authentication domain cce.com, enter
user_0001, not user_0001@cce.com, as the user name.

Step 7 Configure the web proxy function.

# Enable the web proxy function.
HRP_M[FW-5] v-gateway example
HRP_M[FW-5-example] service
HRP_M[FW-5-example-service] web-proxy enable

# Add web proxy resources Webmail and ERP.
HRP_M[FW-5-example-service] web-proxy proxy-resource resource1 http://10.1.1.10 show-link
HRP_M[FW-5-example-service] web-proxy proxy-resource resource2 http://10.1.1.11 show-link

Step 8 Configure the network extension function.

# Enable the network extension function.
HRP_M[FW-5-example-service] network-extension enable

# Configure the network extension address pool.
HRP_M[FW-5-example-service] network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0

# Set the network extension routing mode to manual.
HRP_M[FW-5-example-service] network-extension mode manual

# Configure the intranet subnet accessible to network extension users.
HRP_M[FW-5-example-service] network-extension manual-route 10.1.1.0 255.255.255.0
HRP_M[FW-5-example-service] quit

Step 9 Configure SSL VPN role authorization/users.

# Add user group remoteusers to the virtual gateway.
HRP_M[FW-5-example] vpndb
HRP_M[FW-5-example-vpndb] group /cce.com/remoteusers
HRP_M[FW-5-example-vpndb] quit

# Create role remoteusers.
HRP_M[FW-5-example] role
HRP_M[FW-5-example-role] role remoteusers

# Bind the role to the corresponding user group.
HRP_M[FW-5-example-role] role remoteusers group /cce.com/remoteusers

# Configure functions for the role. Enable web proxy and network extension for
role remoteusers.
HRP_M[FW-5-example-role] role remoteusers web-proxy network-extension enable

# Associate the role with both web proxy resources.
HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource1
HRP_M[FW-5-example-role] role remoteusers web-proxy resource resource2
HRP_M[FW-5-example-role] quit
HRP_M[FW-5-example] quit

----End

3.5.5 Verification
● Employees on the move and partners can establish SSL VPN tunnels with the
firewalls at the Internet egress and can access resource servers in the data
center.
● The firewalls at branch egresses and the firewalls at the Internet egress can
establish IPSec VPN tunnels. The branches can access resource servers in the
data center.
● Internet users can access the pre-service servers in the DMZ.
● Run the shutdown command on a service interface of the active firewall to
simulate a link fault. The active/standby switchover is performed without
interrupting services.

3.5.6 Configuration Scripts

Configuration scripts of interfaces, routes, and hot standby

FW-5
#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.2
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
 ip address 12.12.12.1 255.255.255.0
#
interface Eth-Trunk1
 description Link_To_SW5
#
interface Eth-trunk 2
 description Link_To_SW1
#
interface Eth-Trunk1.1
 vlan-type dot1q 10
 ip address 172.6.1.2 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 20
 ip address 172.6.2.2 255.255.255.248
 vrrp vrid 2 virtual-ip 1.1.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 30
 ip address 172.6.3.2 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.3.1 active
#
interface Eth-Trunk1.4
 vlan-type dot1q 40
 ip address 172.6.4.2 255.255.255.248
 vrrp vrid 4 virtual-ip 1.1.4.1 active
#
interface Eth-Trunk2.1
 vlan-type dot1q 103
 ip address 172.7.1.2 255.255.255.248
 vrrp vrid 5 virtual-ip 172.7.1.1 active
#
interface Eth-Trunk2.2
 vlan-type dot1q 104
 ip address 172.7.2.2 255.255.255.248
 vrrp vrid 6 virtual-ip 172.7.2.1 active
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2.1
#
firewall zone dmz
 add interface Eth-Trunk2.2
#
firewall zone hrp
 set priority 85
 add interface Eth-Trunk0
#
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk1.1
#
firewall zone name zone2
 set priority 40
 add interface Eth-Trunk1.2
#
firewall zone name zone3
 set priority 10
 add interface Eth-Trunk1.3
#
firewall zone name zone4
 set priority 30
 add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0

FW-6
#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.1
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
 ip address 12.12.12.2 255.255.255.0
#
interface Eth-Trunk1
 description Link_To_SW6
#
interface Eth-trunk 2
 description Link_To_SW2
#
interface Eth-Trunk1.1
 vlan-type dot1q 10
 ip address 172.6.1.3 255.255.255.248
 vrrp vrid 1 virtual-ip 1.1.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 20
 ip address 172.6.2.3 255.255.255.248
 vrrp vrid 2 virtual-ip 1.1.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 30
 ip address 172.6.3.3 255.255.255.248
 vrrp vrid 3 virtual-ip 1.1.3.1 standby
#
interface Eth-Trunk1.4
 vlan-type dot1q 40
 ip address 172.6.4.3 255.255.255.248
 vrrp vrid 4 virtual-ip 1.1.4.1 standby
#
interface Eth-Trunk2.1
 vlan-type dot1q 103
 ip address 172.7.1.3 255.255.255.248
 vrrp vrid 5 virtual-ip 172.7.1.1 standby
#
interface Eth-Trunk2.2
 vlan-type dot1q 104
 ip address 172.7.2.3 255.255.255.248
 vrrp vrid 6 virtual-ip 172.7.2.1 standby
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
interface GigabitEthernet 1/0/2
 eth-trunk 1
#
interface GigabitEthernet 1/0/3
 eth-trunk 2
#
interface GigabitEthernet 1/0/4
 eth-trunk 2
#
interface GigabitEthernet 1/0/5
 eth-trunk 0
#
firewall zone trust
 add interface Eth-Trunk2.1
#
firewall zone dmz
 add interface Eth-Trunk2.2
#
firewall zone hrp
 set priority 85
 add interface Eth-Trunk0
#
firewall zone name zone1
 set priority 45
 add interface Eth-Trunk1.1
#
firewall zone name zone2
 set priority 40
 add interface Eth-Trunk1.2
#
firewall zone name zone3
 set priority 10
 add interface Eth-Trunk1.3
#
firewall zone name zone4
 set priority 30
 add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0

Configuration scripts of NAT Server

FW-5
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80

FW-6
The NAT server configuration is identical to that of FW-5.

Configuration scripts of security policies and attack defense

FW-5
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
 description "for remote users"
 address 0 172.168.3.0 mask 24
#
ip address-set partner type object
 description "for partner"
 address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
 description "for branch2"
 address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
 description "for server1"
 address 0 10.1.1.10 mask 32
 address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
 description "for server2"
 address 0 10.2.1.4 mask 32
 address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
 description "for server4"
 address 0 10.1.1.4 mask 32
 address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
 description "for server5"
 address 0 192.168.4.2 mask 32
 address 1 192.168.4.3 mask 32
 address 2 192.168.4.4 mask 32
 address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
 description "for ad_server"
 address 0 192.168.5.4 mask 32
 address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
 service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
 rule name remote_users_to_server1
  source-zone zone1
  destination-zone trust
  source-address address-set remote_users
  destination-address address-set server1
  service http
  service ftp
  profile ips default
  action permit
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  source-address address-set partner
  destination-address address-set server2
  service tcp_1414
  profile ips default
  action permit
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  source-address address-set branch2
  destination-address address-set server4
  service ftp
  profile ips default
  long-link enable
  long-link aging-time 480
  action permit
 rule name internet_to_server5
  source-zone zone3
  destination-zone dmz
  destination-address address-set server5
  service http
  service https
  profile ips default
  action permit
 rule name ipsec
  source-zone zone2
  source-zone local
  destination-zone zone2
  destination-zone local
  source-address 1.1.2.1 32
  source-address 2.2.2.2 32
  destination-address 1.1.2.1 32
  destination-address 2.2.2.2 32
  action permit
 rule name ssl_vpn
  source-zone zone1
  source-zone zone4
  destination-zone local
  destination-address 1.1.1.1 32
  destination-address 1.1.4.1 32
  action permit
 rule name to_ad_server
  source-zone local
  destination-zone dmz
  destination-address address-set ad_server
  action permit

FW-6
The security policy and attack defense configuration is identical to that of FW-5.
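To review what this rule set actually permits before it is deployed, the following added Python model (not part of the Huawei document or the firewall's own code) reproduces first-match evaluation with the implicit default deny over the address sets, service set and rules in the FW-5 script above. The predefined services are assumed to be tcp/80 (http), tcp/443 (https) and tcp/21 (ftp); the flows it is queried with are constructed.

```python
"""Offline first-match model of the FW-5 security policy shown above.

Added example; not the firewall's matching engine. Rules are tried in the
order they appear in the script and an unmatched flow falls through to the
implicit default deny, so the model answers "which rule permits this flow?"
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address sets copied from the configuration script.
ADDRESS_SETS = {
    "remote_users": ["172.168.3.0/24"],
    "partner": ["172.168.4.0/24"],
    "branch2": ["10.9.1.0/24"],
    "server1": ["10.1.1.10/32", "10.1.1.11/32"],
    "server2": ["10.2.1.4/32", "10.2.1.5/32"],
    "server4": ["10.1.1.4/32", "10.1.1.5/32"],
    "server5": ["192.168.4.2/32", "192.168.4.3/32",
                "192.168.4.4/32", "192.168.4.5/32"],
    "ad_server": ["192.168.5.4/32", "192.168.5.5/32"],
}

# Predefined services (assumed standard ports) plus the custom tcp_1414 object.
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ftp": ("tcp", 21),
    "tcp_1414": ("tcp", 1414),
}


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    action: str
    src_addrs: Optional[list] = None   # None means "any"
    dst_addrs: Optional[list] = None   # address-set names or CIDR strings
    services: Optional[set] = None     # None means "any"


# The rules from the security-policy view, in configured order.
RULES = [
    Rule("remote_users_to_server1", {"zone1"}, {"trust"}, "permit",
         ["remote_users"], ["server1"], {"http", "ftp"}),
    Rule("partner_to_server2", {"zone4"}, {"trust"}, "permit",
         ["partner"], ["server2"], {"tcp_1414"}),
    Rule("branch2_to_server4", {"zone2"}, {"trust"}, "permit",
         ["branch2"], ["server4"], {"ftp"}),
    Rule("internet_to_server5", {"zone3"}, {"dmz"}, "permit",
         None, ["server5"], {"http", "https"}),
    Rule("ipsec", {"zone2", "local"}, {"zone2", "local"}, "permit",
         ["1.1.2.1/32", "2.2.2.2/32"], ["1.1.2.1/32", "2.2.2.2/32"], None),
    Rule("ssl_vpn", {"zone1", "zone4"}, {"local"}, "permit",
         None, ["1.1.1.1/32", "1.1.4.1/32"], None),
    Rule("to_ad_server", {"local"}, {"dmz"}, "permit",
         None, ["ad_server"], None),
]


def _networks(names):
    """Expand address-set names (or literal CIDRs) into ip_network objects."""
    nets = []
    for name in names:
        nets += [ipaddress.ip_network(n) for n in ADDRESS_SETS.get(name, [name])]
    return nets


def _addr_match(addrs, ip):
    return addrs is None or any(ipaddress.ip_address(ip) in n for n in _networks(addrs))


def _service_match(services, proto, dport):
    return services is None or any(SERVICES[s] == (proto, dport) for s in services)


def match(src_zone, dst_zone, src_ip, dst_ip, proto, dport):
    """Return (rule_name, action) of the first matching rule, else the default deny."""
    for r in RULES:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and _addr_match(r.src_addrs, src_ip)
                and _addr_match(r.dst_addrs, dst_ip)
                and _service_match(r.services, proto, dport)):
            return r.name, r.action
    return "default", "deny"


if __name__ == "__main__":
    # Constructed flows: a permitted remote-user HTTP request and the same
    # client probing the MQ port, which no rule allows.
    print(match("zone1", "trust", "172.168.3.10", "10.1.1.10", "tcp", 80))
    print(match("zone1", "trust", "172.168.3.10", "10.1.1.10", "tcp", 1414))
```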

Configuration scripts of IPSec VPN

FW-5
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer b
 pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
 ike-proposal 10
 remote-address 1.1.5.1
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer b
 proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1

FW-6
The IPSec VPN configuration is identical to that of FW-5.

Configuration scripts of SSL VPN

FW-5
#
ad-server template ad_server
 ad-server authentication 192.168.5.4 88
 ad-server authentication 192.168.5.5 88 secondary
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name info-server2.cce.com secondary
 ad-server authentication host-name info-server.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy ad_server from ad
 server template ad_server
 server basedn dc=cce,dc=com
 server searchdn ou=remoteusers,dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type all
 import-override enable
 sync-mode incremental schedule interval 120
 sync-mode full schedule daily 01:00
#
aaa
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  authentication-scheme ad
  ad-server ad_server
  service-type ssl-vpn
  reference user current-domain
  new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
 service
  web-proxy enable
  web-proxy web-link enable
  web-proxy proxy-resource resource1 http://10.1.1.10 show-link
  web-proxy proxy-resource resource2 http://10.1.1.11 show-link
  network-extension enable
  network-extension keep-alive enable
  network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
  network-extension mode manual
  network-extension manual-route 10.1.1.0 255.255.255.0
 role
  role remoteusers condition all
  role remoteusers network-extension enable
  role remoteusers web-proxy enable
  role remoteusers web-proxy resource resource1
  role remoteusers web-proxy resource resource2

# The following configuration is a one-time operation and is not saved in the configuration file.
execute user-manage import-policy ad_server
# The following configuration is saved in the database and is not displayed in the configuration file.
v-gateway example
 vpndb
  group /cce.com/remoteusers
 role
  role remoteusers group /cce.com/remoteusers

FW-6
The SSL VPN configuration is identical to that of FW-5.

3.6 Conclusion and Suggestions

This section describes a typical application of firewalls in a financial data center,
taking the data center of a bank as an example, and details the security policy
planning and network deployment planning of the firewalls.
The procedure of security planning is as follows:
1. Analyze and determine the security levels of the services and users in each
network area.
2. Determine the inter-zone access privileges based on the security levels of
services and users and the specific requirements of the enterprise.
3. Convert the access control planning into firewall security policies.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 202


HUAWEI Firewall 4 Application of Firewalls in the Security Solution for
Comprehensive Configuration Examples Cloud Computing Networks

4 Application of Firewalls in the Security Solution for Cloud Computing Networks

4.1 Introduction
A firewall is attached to a core switch of the cloud computing network in off-line
mode. Virtual machine services on the network are isolated using virtual systems.
Two firewalls are deployed in hot standby mode to improve service availability.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, Eudemon200E-
N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, USG6000E V600R006C00,
Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document
content may vary according to version.

4.2 Solution Overview


Introduction to Cloud Computing Networks
The rapid development of cloud computing makes it easy for enterprises to access
a cloud computing network to obtain server, storage, and application resources.
This reduces the CapEx on the IT infrastructure and speeds up the development of
information services.
As shown in Figure 4-1, an "industrial cloud" provides enterprise users with cloud
computing services. Services on the network are as follows:
● Enterprise users access virtual machines to obtain custom resources.
● Enterprise users access the Portal system to apply for accounts and manage
virtual machine spaces.
● The management component in the cloud computing network manages the
virtual machines, Portal system, and network devices.


Figure 4-1 Cloud computing network

Application of Firewalls in the Security Solution for Cloud Computing Networks
As shown in Figure 4-2, a firewall is attached to a core switch of the cloud
computing network. The addresses of the Portal system and virtual machines are
advertised for access of enterprise users. Virtual machine services accessed by
enterprise users are isolated.


Figure 4-2 Application of firewalls in a cloud computing network

The following firewall functions are used on the cloud computing network:

● Hot standby
Two firewalls are deployed in hot standby mode to improve service
availability.
● NAT Server
The public addresses of the Portal system and virtual machines are advertised
through the NAT server for access of enterprise users on the Internet.
● Virtual system
A virtual system is built on each virtual machine to isolate virtual machine
services accessed by enterprise users. Security policies are also configured for
the virtual system for access control.

4.3 Solution 1: Firewall Serving as Gateway


4.3.1 Typical Networking


On the cloud computing network, the core switches are the CE12800, the access
switches are the CE6800, and the firewalls are the USG9500. The present case
focuses on the configuration on the firewalls. Figure 4-3 shows the overall
networking.

Figure 4-3 Cloud computing network

The cloud computing network requires that:

● Access of different extranet enterprise users to the virtual machines must be
isolated, and the bandwidth resources available for each virtual machine
service are limited to a specific range so that no single service consumes
large quantities of resources.
● Private addresses are configured for the Portal system and virtual machines
for intranet use, and their public addresses are advertised to the extranet to
allow external enterprise users to access the Portal system and virtual
machines.


● Access behavior of extranet enterprise users to the Portal system and virtual
machines is controlled to permit only service access traffic.
● Device availability is improved so that the failure of a single device does
not cause service interruption.
The firewalls are attached to the CE12800 core switches in off-path mode. The
above requirements are satisfied by the following features:
● Virtual system: Virtual systems are used to isolate virtual machine services
accessed by external enterprise users. Each virtual machine belongs to one
virtual system, and each virtual system has its maximum bandwidth.
● Subinterface: The firewall is connected to the CE12800 through subinterfaces.
The subinterfaces are assigned to the virtual systems and the root system. The
subinterfaces in the virtual systems carry virtual machine services, and the
subinterface in the root system carries portal services.
● NAT server: The NAT servers advertise the public addresses of the Portal
system and virtual machines to the extranet. A NAT server dedicated to a
virtual machine is configured in each virtual system, and NAT servers
dedicated to the Portal system are configured in the root system.
● Security policy: Security policies are applied to control access to the Portal
system and virtual machines. Security policies used to control access to
services of a virtual machine are configured in each virtual system, and
security policies used to control access to services of the Portal system are
configured in the root system.
● Hot standby: Two firewalls are deployed in hot standby mode to improve
availability. When the active firewall fails, the standby firewall takes over
without service interruption.

4.3.2 Service Planning


As shown in Figure 4-4, the FW is attached to the CE12800 and works at Layer 3.
Logically, the CE12800 has upstream interfaces and downstream interfaces. The
upstream interfaces provide Layer 3 forwarding, and the downstream interfaces
provide Layer 2 forwarding. OSPF runs between the FW and the upstream
interfaces of the CE12800, and VRRP runs between the FW and the downstream
interfaces of the CE12800. The virtual IP addresses of the VRRP groups on the FW
serve as gateway addresses for the Portal system and virtual machines. Traffic
from extranet enterprise users to the Portal system or virtual machines is
forwarded by the upstream interfaces of the CE12800 to the FW; after the FW has
processed it, the traffic is forwarded by the downstream interfaces of the
CE12800 to the Portal system or virtual machines. The return traffic is first
forwarded by the downstream interfaces of the CE12800 to the FW; after the FW
has processed it, the traffic is forwarded by the upstream interfaces of the
CE12800.


Figure 4-4 Off-line deployment of FWs

The following describes the service planning in detail.

Interfaces and Security Zones


This section describes the connection between FW_A and CE12800_A.
As shown in Figure 4-5, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of
CE12800_A. Details are as follows:
● Multiple (three in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each
subinterface has an IP address. All but one of the subinterfaces belong to
different virtual systems (one per virtual system) and are assigned to the
Untrust zone of their virtual systems. The remaining subinterface belongs to
the root system and is assigned to the Untrust zone of the root system.
● 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of
multiple VLANs. Each VLANIF interface has an IP address and is logically
connected to the related subinterface of FW_A.


Figure 4-5 GE1/0/1 connection of FW_A

As shown in Figure 4-6, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of
CE12800_A. Details are as follows:
● Two (or more as required by the Portal system) subinterfaces are defined for
GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the
DMZ of the root system.
● 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of
multiple VLANs.
● The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A
serve as gateway addresses for the Portal system and terminate VLAN
services. CE12800_A transparently transmits L2 packets.

Figure 4-6 GE1/0/2 connection of FW_A

As shown in Figure 4-7, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of
CE12800_A. Details are as follows:
● Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each
subinterface has an IP address. Each subinterface belongs to a different virtual
system and is assigned to the Trust zone of the virtual system.


● 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of
multiple VLANs.
● The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A
serve as gateway addresses for the virtual machines and terminate VLAN
services. CE12800_A transparently transmits L2 packets.

Figure 4-7 GE1/0/3 connection of FW_A

The connection between FW_B and CE12800_B is the same.

One virtual machine can request to access the public address of another. The exchanged
packets are forwarded by the CE12800.

Table 4-1 describes the planning of interfaces and security zones on the FWs.

Table 4-1 Planning of interfaces and security zones

GE1/0/1 (connected to 10GE1/1/0/1 of the CE12800)
  FW_A: IP address: none; virtual system: public; security zone: Untrust
  FW_B: IP address: none; virtual system: public; security zone: Untrust
GE1/0/1.10 (subinterface of vfw1)
  FW_A: IP address: 172.16.10.252/24; virtual system: vfw1; security zone: Untrust
  FW_B: IP address: 172.16.10.253/24; virtual system: vfw1; security zone: Untrust
GE1/0/1.11 (subinterface of vfw2)
  FW_A: IP address: 172.16.11.252/24; virtual system: vfw2; security zone: Untrust
  FW_B: IP address: 172.16.11.253/24; virtual system: vfw2; security zone: Untrust
GE1/0/1.1000 (subinterface of the root system)
  FW_A: IP address: 172.16.9.252/24; virtual system: public; security zone: Untrust
  FW_B: IP address: 172.16.9.253/24; virtual system: public; security zone: Untrust
GE1/0/2 (connected to 10GE1/1/0/2 of the CE12800)
  FW_A: IP address: none; virtual system: public; security zone: DMZ
  FW_B: IP address: none; virtual system: public; security zone: DMZ
GE1/0/2.1 (subinterface of the root system; 10.159.1.254 serves as a gateway for the Portal system)
  FW_A: IP address: 10.159.1.252/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: active
  FW_B: IP address: 10.159.1.253/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: standby
GE1/0/2.2 (subinterface of the root system; 10.159.2.254 serves as a gateway for the Portal system)
  FW_A: IP address: 10.159.2.252/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: active
  FW_B: IP address: 10.159.2.253/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: standby
GE1/0/3 (connected to 10GE1/1/0/3 of the CE12800)
  FW_A: IP address: none; virtual system: public; security zone: Trust
  FW_B: IP address: none; virtual system: public; security zone: Trust
GE1/0/3.10 (subinterface of vfw1; 10.159.10.254 serves as a gateway for the virtual machine)
  FW_A: IP address: 10.159.10.252/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: active
  FW_B: IP address: 10.159.10.253/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: standby
GE1/0/3.11 (subinterface of vfw2; 10.159.11.254 serves as a gateway for the virtual machine)
  FW_A: IP address: 10.159.11.252/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: active
  FW_B: IP address: 10.159.11.253/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: standby
Eth-Trunk1 (HRP backup interface)
  FW_A: member interfaces: GE1/0/8 and GE2/0/8; IP address: 10.1.1.1/30; virtual system: public; security zone: hrpzone
  FW_B: member interfaces: GE1/0/8 and GE2/0/8; IP address: 10.1.1.2/30; virtual system: public; security zone: hrpzone

Virtual Systems
Virtual systems carry virtual machine services. Each virtual system corresponds to
one virtual machine. The planning of interfaces for the virtual systems has been
described in the above interfaces and security zones. In addition, to limit the
bandwidth available for each virtual system, it is also necessary to configure
resource classes for the virtual systems.
Table 4-2 describes the planning of virtual systems on the FWs. Only two virtual
systems are listed. In practice, you can create multiple virtual systems as needed.


Table 4-2 Planning of virtual systems

Resource classes (identical on FW_A and FW_B)
  vfw1_car: maximum bandwidth: 100M (the maximum bandwidth for the virtual system vfw1 is 100M)
  vfw2_car: maximum bandwidth: 100M (the maximum bandwidth for the virtual system vfw2 is 100M)
Virtual systems (identical on FW_A and FW_B)
  vfw1: resource class: vfw1_car
  vfw2: resource class: vfw2_car

Routes
There are routes in the root system and routes in virtual systems, both including
the default route, black-hole route, and OSPF route. The OSPF routes run on the
upstream subinterface connecting the FW to the CE12800, as shown in Figure 4-8.

Figure 4-8 OSPF routes on FW_A

Specifically:
● A default route is configured for the root system with the next hop being the
related VLANIF IP address of CE12800_A. A default route is configured for
each virtual system with the next hop being the related VLANIF IP address of
CE12800_A.


● Black-hole routes with destination addresses being the public addresses of the
Portal system are configured in the root system. These black-hole routes are
advertised to CE12800_A by the root system through OSPF. A black-hole route
with the destination address being the public address of the virtual machine is
configured for each virtual system. This black-hole route is advertised to
CE12800_A by the virtual system through OSPF.
● OSPF runs on both the root system and virtual systems. The VPN instance
corresponding to a virtual system is bound in the root system to run OSPF in
the virtual system.
OSPF also runs on CE12800_A to advertise the network segment of each VLANIF
interface.
Table 4-3 describes the planning of routes on the FWs.

Table 4-3 Planning of routes

Routes in the root system (identical on FW_A and FW_B)
  Default route: next hop 172.16.9.251
    Default route of the root system, the next-hop address being the CE12800.
  Black-hole routes: destination addresses 117.1.1.1/32 and 117.1.1.2/32
    Black-hole routes to the global addresses of the Portal system to prevent a routing loop.
  OSPF: advertised network segment 172.16.9.0/24; static routes are imported
    The global addresses of the Portal system are introduced to OSPF and advertised to the CE12800.
Routes in the virtual system vfw1 (identical on FW_A and FW_B)
  Default route: next hop 172.16.10.251
    Default route of vfw1, the next-hop address being the CE12800.
  Black-hole route: destination address 118.1.1.1/32
    Black-hole route to the global address of the virtual machine to prevent a routing loop.
  OSPF: bound VPN instance vfw1; advertised network segment 172.16.10.0/24; static routes are imported
    The global address of the virtual machine is introduced to OSPF and advertised to the CE12800.
Routes in the virtual system vfw2 (identical on FW_A and FW_B)
  Default route: next hop 172.16.11.251
    Default route of vfw2, the next-hop address being the CE12800.
  Black-hole route: destination address 118.1.1.2/32
    Black-hole route to the global address of the virtual machine to prevent a routing loop.
  OSPF: bound VPN instance vfw2; advertised network segment 172.16.11.0/24; static routes are imported
    The global address of the virtual machine is introduced to OSPF and advertised to the CE12800.

Hot Standby
The hot standby networking is typical, where firewalls are connected to upstream
Layer-3 devices and connected to downstream Layer-2 devices. Figure 4-9 shows
the logical networking where extranet enterprise users access services of the
virtual machines.


Figure 4-9 Logical networking of virtual machine services

Figure 4-10 shows the logical networking where extranet enterprise users access
services of the Portal system.


Figure 4-10 Logical networking of Portal systems

After hot standby is configured, FW_A serves as the active firewall, and FW_B
serves as the standby firewall. As shown in Figure 4-11, when the network is
normal, FW_A advertises routes normally, and the cost of routes advertised by
FW_B increases by 65,500 (default value, configurable). When Router_A or
Router_B forwards the traffic of extranet enterprise users to a Portal system or
virtual machine, it selects the path with the smaller cost. Therefore, the traffic is
forwarded by FW_A.

For the return traffic, when the Portal system or virtual machine requests the MAC
address of the gateway, only the active firewall FW_A responds and sends the
virtual MAC address to the Portal system or virtual machine. The CE6800 records
the mapping between the virtual MAC address and port and forwards the return
traffic to FW_A.

Figure 4-11 Normal traffic flow

When FW_A or the link of FW_A fails, an active/standby switchover takes place.
Then, FW_B advertises routes normally, and the cost of routes advertised by FW_A
increases by 65,500. After the routes converge again, all traffic is forwarded by
FW_B, as shown in Figure 4-12.


For the return traffic, after the active/standby switchover, FW_B sends a gratuitous
ARP packet to make the CE6800 update the mapping between the virtual MAC
address and port. Then, the return traffic is forwarded by the CE6800 to FW_B.

Figure 4-12 Traffic flow when the active link fails

Security Policies
There are security policies in the root system and security policies in virtual
systems. Security policies in the root system permit packets from extranet
enterprise users to the Portal system and permit OSPF packets exchanged
between the root system and the CE12800. Security policies in a virtual system
permit packets from extranet enterprise users to the virtual machine and permit
OSPF packets exchanged between the virtual system and the CE12800.
In addition, antivirus and IPS profiles can be included in the security policies to
defend against attacks of viruses, worms, Trojan horses, and zombies. Normally,
the default antivirus and IPS profiles can be used.
Table 4-4 describes the planning of security policies on the FWs.

Table 4-4 Planning of security policies

Security policies in the root system (identical on FW_A and FW_B)
  sec_portal: source security zone: Untrust; destination security zone: DMZ; destination address: 10.159.0.0/16; action: permit; antivirus: default; IPS: default
    Permits packets from extranet enterprise users to the Portal system.
  sec_ospf: source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit
    Permits OSPF packets exchanged between the FW and CE12800.
Security policies in the virtual system vfw1 (identical on FW_A and FW_B)
  sec_vm1: source security zone: Untrust; destination security zone: Trust; destination address: 10.159.10.0/24; action: permit; antivirus: default; IPS: default
    Permits packets from extranet enterprise users to the virtual machine.
  sec_vm1_ospf: source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit
    Permits OSPF packets exchanged between the FW and CE12800.
Security policies in the virtual system vfw2 (identical on FW_A and FW_B)
  sec_vm2: source security zone: Untrust; destination security zone: Trust; destination address: 10.159.11.0/24; action: permit; antivirus: default; IPS: default
    Permits packets from extranet enterprise users to the virtual machine.
  sec_vm2_ospf: source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit
    Permits OSPF packets exchanged between the FW and CE12800.

NAT Servers
There are NAT servers in the root system and NAT servers in virtual systems. The
NAT servers in the root system map the addresses of the Portal system to public
addresses for access by extranet enterprise users. The NAT server in a virtual
system maps the address of a virtual machine to a public address for access by
extranet enterprise users.
So that extranet enterprise users can access the Portal system and virtual
machines, a public address must be applied for for every Portal system server and
virtual machine. It is assumed that the public addresses for the Portal system are
117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are
118.1.1.1 and 118.1.1.2. Table 4-5 describes the planning of NAT servers on the
FWs.

Table 4-5 Planning of NAT servers

NAT servers in the root system (identical on FW_A and FW_B)
  nat_server_portal1: global address: 117.1.1.1; inside address: 10.159.1.100 (NAT server of the Portal system)
  nat_server_portal2: global address: 117.1.1.2; inside address: 10.159.2.100 (NAT server of the Portal system)
NAT server in the virtual system vfw1 (identical on FW_A and FW_B)
  nat_server_vm1: global address: 118.1.1.1; inside address: 10.159.10.100 (NAT server of the virtual machine)
NAT server in the virtual system vfw2 (identical on FW_A and FW_B)
  nat_server_vm2: global address: 118.1.1.2; inside address: 10.159.11.100 (NAT server of the virtual machine)
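Before any of these tables is typed into the CLI, the planning itself can be checked for the mistakes the preceding sections warn about: a NAT server global address without a /32 black-hole route in the same system (routing loop), a mapped inside address that no permit policy in that system actually reaches, a VRRP virtual IP or default next hop outside the subinterface subnet, or FW_A and FW_B addresses that do not pair. The following Python script is an added example, not part of this document or of the firewall software; it encodes Tables 4-1, 4-3, 4-4 and 4-5 as constructed data (the tuple layout and the check_plan function are this example's own) and reports every inconsistency it finds.

```python
"""Cross-check the planning in Tables 4-1, 4-3, 4-4 and 4-5 before typing any CLI."""
import ipaddress

# Constructed from the planning tables of this section. Hypothetical data model,
# not a Huawei format: interface -> (system, zone, FW_A address, FW_B address, VRRP).
SUBINTERFACES = {
    "GE1/0/1.10":   ("vfw1",   "Untrust", "172.16.10.252/24", "172.16.10.253/24", None),
    "GE1/0/1.11":   ("vfw2",   "Untrust", "172.16.11.252/24", "172.16.11.253/24", None),
    "GE1/0/1.1000": ("public", "Untrust", "172.16.9.252/24",  "172.16.9.253/24",  None),
    "GE1/0/2.1":    ("public", "DMZ",     "10.159.1.252/24",  "10.159.1.253/24",  (1, "10.159.1.254")),
    "GE1/0/2.2":    ("public", "DMZ",     "10.159.2.252/24",  "10.159.2.253/24",  (2, "10.159.2.254")),
    "GE1/0/3.10":   ("vfw1",   "Trust",   "10.159.10.252/24", "10.159.10.253/24", (10, "10.159.10.254")),
    "GE1/0/3.11":   ("vfw2",   "Trust",   "10.159.11.252/24", "10.159.11.253/24", (11, "10.159.11.254")),
}
# Table 4-3: default-route next hop (the CE12800 VLANIF) and black-hole routes per system
DEFAULT_NEXT_HOP = {"public": "172.16.9.251", "vfw1": "172.16.10.251", "vfw2": "172.16.11.251"}
BLACKHOLES = {"public": {"117.1.1.1/32", "117.1.1.2/32"}, "vfw1": {"118.1.1.1/32"}, "vfw2": {"118.1.1.2/32"}}
# Table 4-5: (system, name, global address, inside address)
NAT_SERVERS = [
    ("public", "nat_server_portal1", "117.1.1.1", "10.159.1.100"),
    ("public", "nat_server_portal2", "117.1.1.2", "10.159.2.100"),
    ("vfw1",   "nat_server_vm1",     "118.1.1.1", "10.159.10.100"),
    ("vfw2",   "nat_server_vm2",     "118.1.1.2", "10.159.11.100"),
]
# Table 4-4 service policies: (system, name, source zone, destination zone, destination address, action)
POLICIES = [
    ("public", "sec_portal", "Untrust", "DMZ",   "10.159.0.0/16",  "permit"),
    ("vfw1",   "sec_vm1",    "Untrust", "Trust", "10.159.10.0/24", "permit"),
    ("vfw2",   "sec_vm2",    "Untrust", "Trust", "10.159.11.0/24", "permit"),
]


def check_plan(subifs=SUBINTERFACES, next_hops=DEFAULT_NEXT_HOP,
               blackholes=BLACKHOLES, nat=NAT_SERVERS, policies=POLICIES):
    """Return a list of findings; an empty list means the tables agree with each other."""
    findings = []
    zone_nets = {}  # (system, zone) -> subnets reachable through that zone's subinterfaces
    for name, (vsys, zone, fw_a, fw_b, vrrp) in subifs.items():
        a, b = ipaddress.ip_interface(fw_a), ipaddress.ip_interface(fw_b)
        # The hot-standby pair must sit in one subnet with distinct real addresses.
        if a.network != b.network or a.ip == b.ip:
            findings.append(f"{name}: FW_A {fw_a} and FW_B {fw_b} must share a subnet and differ")
        # A VRRP virtual IP outside the subinterface subnet can never act as the gateway.
        if vrrp and ipaddress.ip_address(vrrp[1]) not in a.network:
            findings.append(f"{name}: VRRP {vrrp[0]} virtual IP {vrrp[1]} is not in {a.network}")
        # Each system's default route must point at the CE12800 on that system's Untrust subinterface.
        if zone == "Untrust" and ipaddress.ip_address(next_hops[vsys]) not in a.network:
            findings.append(f"{vsys}: default next hop {next_hops[vsys]} is not on {name}")
        zone_nets.setdefault((vsys, zone), []).append(a.network)
    for vsys, name, global_ip, inside in nat:
        # Without a /32 black-hole route the global address is routed back out and loops.
        if f"{global_ip}/32" not in blackholes.get(vsys, set()):
            findings.append(f"{name}: no black-hole route for {global_ip}/32 in {vsys}")
        inside_ip = ipaddress.ip_address(inside)
        # The mapped server must be covered by a permit policy whose destination zone really holds it.
        reachable = any(
            p_vsys == vsys and action == "permit"
            and inside_ip in ipaddress.ip_network(dst_net)
            and any(inside_ip in n for n in zone_nets.get((vsys, dst_zone), []))
            for p_vsys, _, _, dst_zone, dst_net, action in policies
        )
        if not reachable:
            findings.append(f"{name}: inside address {inside} is not permitted by any policy in {vsys}")
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["plan is consistent"]:
        print(line)
```

Each check corresponds to a failure mode already described in this section: a missing black-hole route produces the routing loop that Table 4-3 guards against, and a permit policy whose destination zone does not contain the NAT inside address leaves the server unreachable even though the NAT server and the policy each look correct on their own.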

4.3.3 Precautions

Virtual System
By default, the USG9500 supports 10 virtual systems. To have more virtual
systems, you must apply for a license.

OSPF
You cannot configure OSPF directly in a virtual system. You must bind the VPN
instance corresponding to the virtual system when creating the OSPF process in
the root system.


Black-hole Route
Configure black-hole routes to the public addresses of the Portal system in the
root system and black-hole routes to the public addresses of virtual machines in
the virtual systems to prevent routing loops. These black-hole routes can be
advertised through OSPF.

Policy Backup-based Acceleration Function


When a large number of policies exist (such as over 500 policies), the policy
backup-based acceleration function must be enabled to improve policy matching
efficiency during policy modification. If this function is enabled, however, the
newly configured policy takes effect only after the policy backup-based
acceleration process completes.

4.3.4 Configuration Procedure


Prerequisites
The license file of virtual systems has been obtained and activated successfully on
FW_A and FW_B.

Procedure
Step 1 Configure interfaces and security zones.

# Create subinterfaces on FW_A.


<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] quit

# Create subinterfaces on FW_B.


<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1.10
[FW_B-GigabitEthernet1/0/1.10] quit
[FW_B] interface GigabitEthernet 1/0/1.11
[FW_B-GigabitEthernet1/0/1.11] quit
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] quit


# Configure an Eth-trunk interface on FW_A.


[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] ip address 10.1.1.1 30
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/8
[FW_A-GigabitEthernet1/0/8] eth-trunk 1
[FW_A-GigabitEthernet1/0/8] quit
[FW_A] interface GigabitEthernet 2/0/8
[FW_A-GigabitEthernet2/0/8] eth-trunk 1
[FW_A-GigabitEthernet2/0/8] quit

# Configure an Eth-trunk interface on FW_B.


[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] ip address 10.1.1.2 30
[FW_B-Eth-Trunk1] quit
[FW_B] interface GigabitEthernet 1/0/8
[FW_B-GigabitEthernet1/0/8] eth-trunk 1
[FW_B-GigabitEthernet1/0/8] quit
[FW_B] interface GigabitEthernet 2/0/8
[FW_B-GigabitEthernet2/0/8] eth-trunk 1
[FW_B-GigabitEthernet2/0/8] quit

# Configure IP addresses for root system interfaces on FW_A, and assign the
interfaces to the security zones of the root system.
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 1
[FW_A-zone-hrpzone] quit

# Configure IP addresses for root system interfaces on FW_B, and assign the
interfaces to the security zones of the root system.
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_B-zone-dmz] quit
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 1
[FW_B-zone-hrpzone] quit

Step 2 Configure virtual systems.

# Enable the virtual system function on FW_A.
[FW_A] vsys enable

# Enable the virtual system function on FW_B.
[FW_B] vsys enable

# Configure resource classes on FW_A.
[FW_A] resource-class vfw1_car
[FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw1_car] quit
[FW_A] resource-class vfw2_car
[FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw2_car] quit

# Configure resource classes on FW_B.
[FW_B] resource-class vfw1_car
[FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw1_car] quit
[FW_B] resource-class vfw2_car
[FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw2_car] quit

# Create virtual systems on FW_A, and allocate resources to the virtual systems.
[FW_A] vsys name vfw1
[FW_A-vsys-vfw1] assign resource-class vfw1_car
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_A-vsys-vfw1] quit
[FW_A] vsys name vfw2
[FW_A-vsys-vfw2] assign resource-class vfw2_car
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_A-vsys-vfw2] quit

# Create virtual systems on FW_B, and allocate resources to the virtual systems.
[FW_B] vsys name vfw1
[FW_B-vsys-vfw1] assign resource-class vfw1_car
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_B-vsys-vfw1] quit
[FW_B] vsys name vfw2
[FW_B-vsys-vfw2] assign resource-class vfw2_car
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_B-vsys-vfw2] quit

# Configure IP addresses for interfaces in virtual system vfw1 on FW_A, and
assign the interfaces to security zones.
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/1.10] quit
[FW_A-vfw1] interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/3.10] quit
[FW_A-vfw1] firewall zone untrust
[FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-zone-untrust] quit
[FW_A-vfw1] firewall zone trust
[FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-zone-trust] quit
[FW_A-vfw1] quit
<FW_A-vfw1> quit

Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_A,
and assign the interfaces to security zones.

# Configure IP addresses for interfaces in virtual system vfw1 on FW_B, and
assign the interfaces to security zones.
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/1.10] quit
[FW_B-vfw1] interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/3.10] quit
[FW_B-vfw1] firewall zone untrust
[FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-zone-untrust] quit
[FW_B-vfw1] firewall zone trust
[FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-zone-trust] quit
[FW_B-vfw1] quit
<FW_B-vfw1> quit

Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B,
and assign the interfaces to security zones.

Step 3 Configure routes.
# Configure routes of the root system on FW_A.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_A] ip route-static 117.1.1.1 32 NULL 0
[FW_A] ip route-static 117.1.1.2 32 NULL 0
[FW_A] ospf 1000
[FW_A-ospf-1000] import-route static
[FW_A-ospf-1000] area 0
[FW_A-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW_A-ospf-1000-area-0.0.0.0] quit
[FW_A-ospf-1000] quit

# Configure routes of the root system on FW_B.
[FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_B] ip route-static 117.1.1.1 32 NULL 0
[FW_B] ip route-static 117.1.1.2 32 NULL 0
[FW_B] ospf 1000
[FW_B-ospf-1000] import-route static
[FW_B-ospf-1000] area 0
[FW_B-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW_B-ospf-1000-area-0.0.0.0] quit
[FW_B-ospf-1000] quit

# Configure routes of the virtual systems on FW_A.
[FW_A] ip vpn-instance vfw1
[FW_A-vpn-instance-vfw1] route-distinguisher 10:1
[FW_A-vpn-instance-vfw1] quit
[FW_A] ip vpn-instance vfw2
[FW_A-vpn-instance-vfw2] route-distinguisher 11:1
[FW_A-vpn-instance-vfw2] quit
[FW_A] ospf 1 vpn-instance vfw1
[FW_A-ospf-1] import-route static
[FW_A-ospf-1] area 0
[FW_A-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] quit
[FW_A-ospf-1] quit
[FW_A] ospf 2 vpn-instance vfw2
[FW_A-ospf-2] import-route static
[FW_A-ospf-2] area 0
[FW_A-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255
[FW_A-ospf-2-area-0.0.0.0] quit
[FW_A-ospf-2] quit
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_A-vfw1] quit
<FW_A-vfw1> quit
[FW_A] switch vsys vfw2
<FW_A-vfw2> system-view
[FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_A-vfw2] quit
<FW_A-vfw2> quit

# Configure routes of the virtual systems on FW_B.
[FW_B] ip vpn-instance vfw1
[FW_B-vpn-instance-vfw1] route-distinguisher 10:1
[FW_B-vpn-instance-vfw1] quit
[FW_B] ip vpn-instance vfw2
[FW_B-vpn-instance-vfw2] route-distinguisher 11:1
[FW_B-vpn-instance-vfw2] quit
[FW_B] ospf 1 vpn-instance vfw1
[FW_B-ospf-1] import-route static
[FW_B-ospf-1] area 0
[FW_B-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] quit
[FW_B-ospf-1] quit
[FW_B] ospf 2 vpn-instance vfw2
[FW_B-ospf-2] import-route static
[FW_B-ospf-2] area 0
[FW_B-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255
[FW_B-ospf-2-area-0.0.0.0] quit
[FW_B-ospf-2] quit
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_B-vfw1] quit
<FW_B-vfw1> quit
[FW_B] switch vsys vfw2
<FW_B-vfw2> system-view
[FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_B-vfw2] quit
<FW_B-vfw2> quit

Step 4 Configure hot standby.

# Configure a VGMP group to track GE1/0/1 on FW_A.
[FW_A] hrp track interface GigabitEthernet 1/0/1

# Configure OSPF cost adjustment according to the VGMP status on FW_A.
[FW_A] hrp adjust ospf-cost enable

# Configure VRRP groups on FW_A, setting their states to Active.
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_A-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 active
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_A-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 active
[FW_A-GigabitEthernet1/0/3.11] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
[FW_A-GigabitEthernet1/0/2.2] quit

# Specify the heartbeat interface on FW_A and enable hot standby.
[FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
[FW_A] hrp enable

# Configure a VGMP group to track GE1/0/1 on FW_B.
[FW_B] hrp track interface GigabitEthernet 1/0/1

# Configure OSPF cost adjustment according to the VGMP status on FW_B.
[FW_B] hrp adjust ospf-cost enable

# Configure VRRP groups on FW_B, setting their states to Standby.
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_B-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 standby
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_B-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 standby
[FW_B-GigabitEthernet1/0/3.11] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
[FW_B-GigabitEthernet1/0/2.2] quit

# Specify the heartbeat interface on FW_B and enable hot standby.
[FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
[FW_B] hrp enable

Step 5 Configure security policies.

# Configure security policies in the root system on FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name sec_portal
HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust
HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz
HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.159.0.0 16
HRP_M[FW_A-policy-security-rule-sec_portal] action permit
HRP_M[FW_A-policy-security-rule-sec_portal] profile av default
HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default
HRP_M[FW_A-policy-security-rule-sec_portal] quit
HRP_M[FW_A-policy-security] rule name sec_ospf
HRP_M[FW_A-policy-security-rule-sec_ospf] source-zone untrust local
HRP_M[FW_A-policy-security-rule-sec_ospf] destination-zone local untrust
HRP_M[FW_A-policy-security-rule-sec_ospf] service ospf
HRP_M[FW_A-policy-security-rule-sec_ospf] action permit
HRP_M[FW_A-policy-security-rule-sec_ospf] quit
HRP_M[FW_A-policy-security] quit

# Configure security policies in virtual system vfw1 on FW_A.
HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] security-policy
HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.159.10.0 24
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit
HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1_ospf
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] source-zone untrust local
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] destination-zone local untrust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] service ospf
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] action permit
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] quit
HRP_M[FW_A-vfw1-policy-security] quit
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit

Similarly, configure security policies in virtual system vfw2 on FW_A.

# After hot standby is configured, the configuration on FW_A is automatically
synchronized to FW_B. Therefore, security policies do not need to be configured
manually on FW_B.

Step 6 Configure the policy backup-based acceleration function.

When a large number of policies exist (for example, more than 500), the policy
backup-based acceleration function must be enabled to keep policy matching
efficient while policies are being modified. If this function is enabled,
however, a newly configured policy takes effect only after the policy
backup-based acceleration process completes.
HRP_M[FW_A] policy accelerate standby enable

# After hot standby is configured, the configuration on FW_A is automatically
synchronized to FW_B. Therefore, the policy backup-based acceleration function
does not need to be configured manually on FW_B.

Step 7 Configure NAT servers.

The NAT server configuration commands are only exemplary. In practice, NAT servers are
configured on the management component, and the management component delivers the
configuration to the FW.

# Configure NAT servers in the root system on FW_A.
HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.159.1.100
HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.159.2.100

# Configure a NAT server in virtual system vfw1 on FW_A.
HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.159.10.100
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit

Similarly, configure a NAT server in virtual system vfw2 on FW_A.

# After hot standby is configured, the configuration on FW_A is automatically
synchronized to FW_B. Therefore, NAT servers do not need to be configured
manually on FW_B.

Step 8 Configure other network devices.
The present case focuses on the configuration on the FW. For the configuration on
other network devices, note that:
● You need to configure routes to the global addresses of the Portal system and
virtual machines on the upstream router, and set the next hop of the routes to
the CE12800.
● When configuring OSPF on the CE12800, you need to run the default-route-
advertise always command in the OSPF process.
● The CE6800 transmits Layer-2 packets transparently, and you only need to
configure Layer-2 forwarding on it.

----End
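
The security policies in Step 5 are the only thing standing between the Internet and the Portal servers and tenant VMs, and they work together with two behaviours the steps do not spell out: rules are tried top-down and the first match decides, and a flow that matches no rule is dropped by the firewall's default action. The Python model below is an added example written for this page; it is not Huawei code and does not reproduce the full matching logic of the USG (source address, user, application and time-range conditions are left out). It replays the Step 5 rule sets of the root system and of vfw1 against constructed flows, using the inside (post-NAT-server) addresses exactly as the page's rules do. The `Flow` type, the `"tcp/80"`-style service labels and the vsys names used as dictionary keys are assumptions of the model, not device syntax.

```python
"""Zone-based security-policy matching, as the Step 5 rules above rely on it.

Added example for this page; it is not Huawei code. It models what the
examples depend on: rules are tried top-down, the first match decides, and
a flow matching no rule is denied (the default action). Each virtual system
evaluates only its own policy. As on the page, rules name the inside
(post-NAT-server) addresses, so flows carry the translated destination.
Source address, user, application and time conditions are left out of the
model; the flows and the "tcp/80"-style service labels are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source_zones: frozenset
    destination_zones: frozenset
    action: str                                 # "permit" or "deny"
    destination_address: Optional[str] = None   # CIDR; None means any
    service: Optional[str] = None               # e.g. "ospf", "tcp/80"; None means any
    profiles: tuple = ()                        # content-security profiles applied on permit


@dataclass(frozen=True)
class Flow:
    source_zone: str
    destination_zone: str
    destination_ip: str
    service: str


def rule_matches(rule, flow):
    """Every configured condition of the rule must hold; unset conditions match anything."""
    if flow.source_zone not in rule.source_zones:
        return False
    if flow.destination_zone not in rule.destination_zones:
        return False
    if rule.destination_address is not None and (
            ip_address(flow.destination_ip) not in ip_network(rule.destination_address)):
        return False
    return rule.service is None or rule.service == flow.service


def evaluate(policy, flow):
    """Return (action, rule name); ("deny", "default") when no rule matches."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default"


def unrestricted_permits(policy):
    """Permit rules with no service condition: they admit every protocol to their addresses."""
    return [r.name for r in policy if r.action == "permit" and r.service is None]


def ospf_rule(name):
    # Pattern used on the page: OSPF between the firewall itself (Local zone) and its untrust neighbour.
    return Rule(name, frozenset({"untrust", "local"}), frozenset({"local", "untrust"}),
                "permit", service="ospf")


# Root system (Step 5): the Portal servers sit in the DMZ behind NAT server.
ROOT_POLICY = (
    Rule("sec_portal", frozenset({"untrust"}), frozenset({"dmz"}), "permit",
         destination_address="10.159.0.0/16", profiles=("av default", "ips default")),
    ospf_rule("sec_ospf"),
)
# Virtual system vfw1 (Step 5): one tenant's VM subnet only.
VFW1_POLICY = (
    Rule("sec_vm1", frozenset({"untrust"}), frozenset({"trust"}), "permit",
         destination_address="10.159.10.0/24", profiles=("av default", "ips default")),
    ospf_rule("sec_vm1_ospf"),
)
# The ingress interface fixes the virtual system; each vsys sees only its own rules.
POLICIES = {"root": ROOT_POLICY, "vfw1": VFW1_POLICY}


def evaluate_in_vsys(vsys, flow):
    return evaluate(POLICIES[vsys], flow)


if __name__ == "__main__":
    samples = [
        ("root", Flow("untrust", "dmz", "10.159.1.100", "tcp/80")),      # Internet -> Portal 1, after NAT server
        ("root", Flow("untrust", "local", "172.16.9.252", "ospf")),     # OSPF from the CE12800 to the firewall
        ("root", Flow("untrust", "local", "172.16.9.252", "tcp/22")),   # SSH to the firewall: no rule, dropped
        ("root", Flow("dmz", "untrust", "203.0.113.10", "tcp/443")),    # new session opened by a Portal server
        ("vfw1", Flow("untrust", "trust", "10.159.10.100", "tcp/80")),  # tenant 1 VM
        ("vfw1", Flow("untrust", "trust", "10.159.11.100", "tcp/80")),  # tenant 2 address inside vfw1: isolated
    ]
    for vsys, flow in samples:
        print(f"{vsys:5} {flow} -> {evaluate_in_vsys(vsys, flow)}")
    print("permit rules without a service condition:", unrestricted_permits(ROOT_POLICY))
```

Two results are worth checking against your own deployment. A new session opened from the DMZ or a VM towards the Internet is denied, because only untrust-to-dmz and untrust-to-trust rules exist; reply packets of a permitted session are matched by the session table, not by the policy, so the Portal and VM services still answer. And `unrestricted_permits` lists `sec_portal` and `sec_vm1`: as written on the page they permit every protocol to the matched addresses, so where the requirement is to admit only the service ports, a `service` condition on those rules is the place to add it.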

4.3.5 Verification
1. Run the display hrp state command on FW_A and FW_B. The current HRP
state is normal.
2. Enterprise users on the Internet can access virtual machine services normally.
3. Enterprise users on the Internet can access the Portal system normally.
4. Run the shutdown command on GE1/0/2.1 of FW_A to simulate a link fault.
The active/standby switchover is normal without services interrupted.
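
The display hrp state check above tells you whether the two firewalls have formed a pair, but not whether the two scripts describe the same VRRP groups: a vrid typed on one member only, or the same vrid used twice with different virtual IPs, passes unnoticed until the failover test in item 4 fails. The following Python script is an added example written for this page, not Huawei code, and it never connects to a device. It reads two scripts in the VRP text layout of the configuration-scripts section and checks the pairing invariants this example depends on: each side's heartbeat remote is the peer's Eth-Trunk address, every VRRP group exists on both members with the same virtual IP and one active/one standby role, no vrid carries two different virtual IPs, and each virtual IP is a free address in the member's subnet. The two configuration excerpts are constructed from this page's addressing; FW_B deliberately repeats vrid 1 on GE1/0/2.2 (it should be vrid 2) so there is something to find.

```python
"""Consistency check for a hot-standby (HRP + VRRP) firewall pair.

Added example for this page, not Huawei code; it reads two scripts in the VRP
layout of the configuration-scripts section and checks what the pairing depends
on: each heartbeat "remote" is the peer's heartbeat-interface address, every
VRRP group exists on both members with the same virtual IP and one active/one
standby role, no vrid carries two virtual IPs, and the virtual IP is a free
address in the member's subnet. Both scripts are constructed excerpts using this
page's addressing; FW_B deliberately repeats vrid 1 on GE1/0/2.2 (should be 2).
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
FW_A_CONFIG = """sysname FW_A
hrp interface Eth-Trunk 1 remote 10.1.1.2
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
"""
FW_B_CONFIG = """sysname FW_B
hrp interface Eth-Trunk 1 remote 10.1.1.1
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.2.254 standby
"""

@dataclass
class Iface:
    name: str
    address: object = None                    # ipaddress.IPv4Interface, or None
    vrrp: dict = field(default_factory=dict)  # vrid -> (virtual_ip, role)

@dataclass
class FwConfig:
    sysname: str = ""
    hrp_interface: str = ""                   # heartbeat interface, e.g. "Eth-Trunk1"
    hrp_remote: str = ""                      # peer's heartbeat address
    interfaces: dict = field(default_factory=dict)

def parse_config(text):
    # Minimal VRP reader: '#' ends a block, indented lines belong to the current interface.
    cfg, cur = FwConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            cur = None
        elif m := re.match(r"sysname (\S+)$", line):
            cfg.sysname = m.group(1)
        elif m := re.match(r"hrp interface (\S+?)\s*(\d+) remote (\S+)$", line):
            cfg.hrp_interface, cfg.hrp_remote = m.group(1) + m.group(2), m.group(3)
        elif m := re.match(r"interface (\S+)$", line):
            cur = cfg.interfaces.setdefault(m.group(1), Iface(m.group(1)))
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur.address = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line)):
            cur.vrrp[int(m.group(1))] = (m.group(2), m.group(3))
    return cfg

def check_member(cfg):
    """Per-member checks: vrid reuse with another virtual IP, virtual IP placement."""
    findings, vips_by_vrid = [], {}
    for iface in cfg.interfaces.values():
        for vrid, (vip, _role) in iface.vrrp.items():
            vips_by_vrid.setdefault(vrid, set()).add(vip)
            misplaced = (iface.address is None or ip_address(vip) not in iface.address.network
                         or ip_address(vip) == iface.address.ip)
            if misplaced:
                findings.append(f"{cfg.sysname} {iface.name}: virtual IP {vip} is not a free address in the interface subnet")
    for vrid, vips in sorted(vips_by_vrid.items()):
        if len(vips) > 1:
            findings.append(f"{cfg.sysname}: vrid {vrid} used with different virtual IPs: {', '.join(sorted(vips))}")
    return findings

def check_pair(a, b):
    """Cross-member checks (heartbeat, VRRP groups), then per-member checks."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        peer_if = peer.interfaces.get(me.hrp_interface)
        peer_addr = str(peer_if.address.ip) if peer_if and peer_if.address else None
        if me.hrp_remote != peer_addr:
            findings.append(f"{me.sysname}: hrp remote {me.hrp_remote} is not the {me.hrp_interface} address of {peer.sysname} ({peer_addr})")
    for name in sorted(set(a.interfaces) | set(b.interfaces)):
        ia, ib = a.interfaces.get(name, Iface(name)), b.interfaces.get(name, Iface(name))
        for vrid in sorted(set(ia.vrrp) | set(ib.vrrp)):
            ga, gb = ia.vrrp.get(vrid), ib.vrrp.get(vrid)
            if ga is None or gb is None:
                have, lack = (b, a) if ga is None else (a, b)
                findings.append(f"{name}: vrid {vrid} configured on {have.sysname} but not on {lack.sysname}")
            elif ga[0] != gb[0]:
                findings.append(f"{name} vrid {vrid}: virtual IP differs ({ga[0]} vs {gb[0]})")
            elif {ga[1], gb[1]} != {"active", "standby"}:
                findings.append(f"{name} vrid {vrid}: need one active and one standby, got {ga[1]}/{gb[1]}")
    return findings + check_member(a) + check_member(b)

if __name__ == "__main__":
    print(*check_pair(parse_config(FW_A_CONFIG), parse_config(FW_B_CONFIG)), sep="\n")
```

Run against the two excerpts, the checker reports three findings: vrid 1 is configured on FW_B's GE1/0/2.2 but not on FW_A's, vrid 2 is configured on FW_A's GE1/0/2.2 but not on FW_B's, and FW_B uses vrid 1 with two different virtual IPs. Correcting the FW_B line to vrid 2 leaves an empty finding list. Feed it the output of display current-configuration from both members before the link-fault test in item 4, and the same parser also accepts the `#`-separated blocks of the full scripts.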

4.3.6 Configuration Scripts

FW_A
#
sysname FW_A
#
hrp enable
hrp interface Eth-Trunk 1 remote 10.1.1.2
hrp track interface GigabitEthernet 1/0/1
#
vsys enable
resource-class vfw1_car
 resource-item-limit bandwidth 100 entire
resource-class vfw2_car
 resource-item-limit bandwidth 100 entire
#
vsys name vfw1 1
 assign interface GigabitEthernet1/0/1.10
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign interface GigabitEthernet1/0/1.11
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
ip vpn-instance vfw1
 ipv4-family
  route-distinguisher 10:1
 ipv6-family
#
ip vpn-instance vfw2
 ipv4-family
  route-distinguisher 11:1
 ipv6-family
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
#
interface GigabitEthernet1/0/1.1000
 ip address 172.16.9.252 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 active
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ospf 1 vpn-instance vfw1
 import-route static
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#
ospf 2 vpn-instance vfw2
 import-route static
 area 0.0.0.0
  network 172.16.11.0 0.0.0.255
#
ospf 1000
 import-route static
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm1_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 active
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm2_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100
#
return

FW_B
#
sysname FW_B
#
hrp enable
hrp interface Eth-Trunk 1 remote 10.1.1.1
hrp track interface GigabitEthernet 1/0/1
#
vsys enable
resource-class vfw1_car
 resource-item-limit bandwidth 100 entire
resource-class vfw2_car
 resource-item-limit bandwidth 100 entire
#
vsys name vfw1 1
 assign interface GigabitEthernet1/0/1.10
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign interface GigabitEthernet1/0/1.11
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
ip vpn-instance vfw1
 ipv4-family
  route-distinguisher 10:1
 ipv6-family
#
ip vpn-instance vfw2
 ipv4-family
  route-distinguisher 11:1
 ipv6-family
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
#
interface GigabitEthernet1/0/1.1000
 ip address 172.16.9.253 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 standby
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 standby
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ospf 1 vpn-instance vfw1
 import-route static
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#
ospf 2 vpn-instance vfw2
 import-route static
 area 0.0.0.0
  network 172.16.11.0 0.0.0.255
#
ospf 1000
 import-route static
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm1_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 standby
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm2_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100
#
return

4.4 Solution 2: Switch Serving as Gateway

4.4.1 Typical Networking


On the cloud computing network, the core switches are the CE12800, the access
switches are the CE6800, and the firewalls are the USG9500. The present case
focuses on the configuration on the firewalls. Figure 4-13 shows the overall
networking.

Figure 4-13 Cloud computing network

The cloud computing network requires that:

● Access of different extranet enterprise users to the virtual machines must be
isolated, and the bandwidth available to each virtual machine service must
be limited to a specific range so that no single service consumes a large
share of the resources.
● Private addresses are configured for the Portal system and virtual machines
for intranet use, and their public addresses are advertised to the extranet to
allow external enterprise users to access the Portal system and virtual
machines.
● Access behavior of extranet enterprise users to the Portal system and virtual
machines is controlled to permit only service access traffic.
● Device availability is improved to avoid service interruption caused by the
failure of only one device.

The firewalls are attached to the CE12800 core switches in off-path mode. The
above requirements are satisfied by the following features:

● Virtual system: Virtual systems are used to isolate virtual machine services
accessed by external enterprise users. Each virtual machine belongs to one
virtual system, and each virtual system has its maximum bandwidth.
● Subinterface: The firewall is connected to the CE12800 through subinterfaces.
The subinterfaces are assigned to the virtual systems and the root system. The
subinterfaces in the virtual systems carry virtual machine services, and the
subinterface in the root system carries portal services.
● NAT server: The NAT servers advertise the public addresses of the Portal
system and virtual machines to the extranet. A NAT server dedicated to a
virtual machine is configured in each virtual system, and NAT servers
dedicated to the Portal system are configured in the root system.
● Security policy: Security policies are applied to control access to the Portal
system and virtual machines. Security policies used to control access to
services of a virtual machine are configured in each virtual system, and
security policies used to control access to services of the Portal system are
configured in the root system.
● Hot standby: Two firewalls are deployed in hot standby mode to improve
availability. When the active firewall fails, the standby firewall takes over
without services interrupted.

4.4.2 Service Planning


As shown in Figure 4-14, the FW is attached to the CE12800 and works at Layer 3.
VRF is configured on the CE12800 to virtualize the CE12800 as an upstream switch
(root switch Public) and downstream switches (multiple virtual switches VRF).
VRRP runs between the FW and the root switch Public and virtual switches VRF of
the CE12800. The virtual IP addresses of the VRRP groups on the CE12800 serve as
gateway addresses for the Portal system and virtual machines. Traffic from
extranet enterprise users to the Portal system or virtual machines is forwarded by
the root switch Public of the CE12800 to the FW. Then, after processing of the FW,
the traffic is forwarded by the virtual switches VRF of the CE12800 to the Portal
system or virtual machines. The return traffic is first forwarded by the virtual
switch VRF of the CE12800 to the FW. Then, after processing of the FW, the traffic
is forwarded by the root switch Public of the CE12800.

Figure 4-14 Off-line deployment of FWs

The following describes the service planning in detail.

Interfaces and Security Zones


This section describes the connection between FW_A and CE12800_A.
As shown in Figure 4-15, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of
CE12800_A. Details are as follows:
● Multiple (3 in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each
subinterface has an IP address. Most subinterfaces belong to different virtual
systems and are assigned to the Untrust zone of the virtual systems. One
subinterface belongs to the root system and is assigned to the Untrust zone
of the root system.
● 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of
multiple VLANs. Each VLANIF interface has an IP address and is logically
connected to the related subinterface of FW_A.


Figure 4-15 GE1/0/1 connection of FW_A

As shown in Figure 4-16, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of
CE12800_A. Details are as follows:

● Two (or more as required by the Portal system) subinterfaces are defined for
GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the
DMZ of the root system.
● 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of two
VLANs. Each VLANIF interface has an IP address and is logically connected to
the related subinterface of FW_A.

Figure 4-16 GE1/0/2 connection of FW_A

As shown in Figure 4-17, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of
CE12800_A. Details are as follows:

● Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each
subinterface has an IP address. Each subinterface belongs to a different virtual
system and is assigned to the Trust zone of the virtual system.


● 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of
multiple VLANs. Each VLANIF interface has an IP address and is logically
connected to the related subinterface of FW_A.

Figure 4-17 GE1/0/3 connection of FW_A

The connection between FW_B and CE12800_B is the same, the only difference
being the IP addresses.

One virtual machine can request to access the public address of another. The exchanged
packets are forwarded by the CE12800.

Table 4-6 describes the planning of interfaces and security zones on the FWs.

Table 4-6 Planning of interfaces and security zones

Each row gives the interface, its description in parentheses, and then the
settings on FW_A and FW_B.

GE1/0/1 (connected to 10GE1/1/0/1 of the CE12800)
  FW_A: IP address none; virtual system public; security zone Untrust
  FW_B: IP address none; virtual system public; security zone Untrust

GE1/0/1.10 (subinterface of vfw1)
  FW_A: IP address 172.16.10.252/24; virtual system vfw1; security zone Untrust;
        VRRP ID 10; virtual IP address 172.16.10.254; state active
  FW_B: IP address 172.16.10.253/24; virtual system vfw1; security zone Untrust;
        VRRP ID 10; virtual IP address 172.16.10.254; state standby

GE1/0/1.11 (subinterface of vfw2)
  FW_A: IP address 172.16.11.252/24; virtual system vfw2; security zone Untrust;
        VRRP ID 11; virtual IP address 172.16.11.254; state active
  FW_B: IP address 172.16.11.253/24; virtual system vfw2; security zone Untrust;
        VRRP ID 11; virtual IP address 172.16.11.254; state standby

GE1/0/1.1000 (subinterface of the root system)
  FW_A: IP address 172.16.9.252/24; virtual system public; security zone Untrust;
        VRRP ID 9; virtual IP address 172.16.9.254; state active
  FW_B: IP address 172.16.9.253/24; virtual system public; security zone Untrust;
        VRRP ID 9; virtual IP address 172.16.9.254; state standby

GE1/0/2 (connected to 10GE1/1/0/2 of the CE12800)
  FW_A: IP address none; virtual system public; security zone DMZ
  FW_B: IP address none; virtual system public; security zone DMZ

GE1/0/2.1 (subinterface of the root system)
  FW_A: IP address 10.159.1.252/24; virtual system public; security zone DMZ;
        VRRP ID 1; virtual IP address 10.159.1.254; state active
  FW_B: IP address 10.159.1.253/24; virtual system public; security zone DMZ;
        VRRP ID 1; virtual IP address 10.159.1.254; state standby

GE1/0/2.2 (subinterface of the root system)
  FW_A: IP address 10.159.2.252/24; virtual system public; security zone DMZ;
        VRRP ID 2; virtual IP address 10.159.2.254; state active
  FW_B: IP address 10.159.2.253/24; virtual system public; security zone DMZ;
        VRRP ID 2; virtual IP address 10.159.2.254; state standby

GE1/0/3 (connected to 10GE1/1/0/3 of the CE12800)
  FW_A: IP address none; virtual system public; security zone Trust
  FW_B: IP address none; virtual system public; security zone Trust

GE1/0/3.10 (subinterface of vfw1)
  FW_A: IP address 10.159.10.252/24; virtual system vfw1; security zone Trust;
        VRRP ID 110; virtual IP address 10.159.10.254; state active
  FW_B: IP address 10.159.10.253/24; virtual system vfw1; security zone Trust;
        VRRP ID 110; virtual IP address 10.159.10.254; state standby

GE1/0/3.11 (subinterface of vfw2)
  FW_A: IP address 10.159.11.252/24; virtual system vfw2; security zone Trust;
        VRRP ID 111; virtual IP address 10.159.11.254; state active
  FW_B: IP address 10.159.11.253/24; virtual system vfw2; security zone Trust;
        VRRP ID 111; virtual IP address 10.159.11.254; state standby

Eth-Trunk1 (HRP backup interface)
  FW_A: member interfaces GE1/0/8 and GE2/0/8; IP address 10.1.1.1/30;
        virtual system public; security zone hrpzone
  FW_B: member interfaces GE1/0/8 and GE2/0/8; IP address 10.1.1.2/30;
        virtual system public; security zone hrpzone


Virtual System
Virtual systems carry virtual machine services. Each virtual system corresponds to
one virtual machine. The interface planning for the virtual systems is given in
Interfaces and Security Zones above. In addition, to limit the bandwidth
available to each virtual system, resource classes must be configured for the
virtual systems.
Table 4-7 describes the planning of virtual systems on the FWs. Only two virtual
systems are listed; in practice, you can create as many virtual systems as needed.

Table 4-7 Planning of virtual systems

Resource class
  FW_A: name vfw1_car; maximum bandwidth 100M
  FW_B: name vfw1_car; maximum bandwidth 100M
  Description: The maximum bandwidth for the virtual system vfw1 is 100M.

  FW_A: name vfw2_car; maximum bandwidth 100M
  FW_B: name vfw2_car; maximum bandwidth 100M
  Description: The maximum bandwidth for the virtual system vfw2 is 100M.

Virtual system
  FW_A: name vfw1; resource class vfw1_car
  FW_B: name vfw1; resource class vfw1_car
  Description: -

  FW_A: name vfw2; resource class vfw2_car
  FW_B: name vfw2; resource class vfw2_car
  Description: -

Routes
Traffic is forwarded using static routes between the FW and CE12800.
● Static routes are configured in the root switch Public on the CE12800. The
destination addresses of these static routes are the public addresses of the
Portal system and virtual machines, and the next-hop addresses are the addresses
of the subinterfaces on the FW. With these static routes, traffic from external
enterprise users to the Portal system or virtual machines can be forwarded to
the FW.
● A default route is configured in each virtual switch VRF on the CE12800. The
next-hop addresses of these default routes are the addresses of the
subinterfaces on the FW. With these default routes, the return traffic from the
Portal system or virtual machines can be forwarded to the FW.
● Static routes are configured on the FW. The destination addresses of these
static routes are the private addresses of the Portal system and virtual
machines, and the next-hop addresses are the VLANIF addresses of the virtual
switches VRF of the CE12800. With these static routes, traffic from external
enterprise users to the public addresses of the Portal system and virtual
machines can be forwarded by the FW, after processing, to the CE12800.


● Default routes are configured on the FW. The next-hop addresses of these
default routes are the VLANIF address of the root switch Public on the
CE12800. With these default routes, return traffic from the Portal system or
virtual machines can be forwarded by the FW after processing to the
CE12800.
Routes on the FW include routes in the root system and routes in the virtual
systems. Table 4-8 describes the planning of routes.

Table 4-8 Planning of routes

Routes in the root system
  Default route
    FW_A: next hop 172.16.9.251
    FW_B: next hop 172.16.9.251
    Description: Default routes of the root system, the next-hop address being
    the CE12800.
  Black-hole route
    FW_A: destination addresses 117.1.1.1/32 and 117.1.1.2/32
    FW_B: destination addresses 117.1.1.1/32 and 117.1.1.2/32
    Description: Black-hole routes to the global addresses of the Portal system
    to prevent a routing loop.
  Static route
    FW_A: destination address 10.160.1.0/24, next hop 10.159.1.251;
          destination address 10.160.2.0/24, next hop 10.159.2.251
    FW_B: destination address 10.160.1.0/24, next hop 10.159.1.251;
          destination address 10.160.2.0/24, next hop 10.159.2.251
    Description: Static routes to the private addresses of the Portal system,
    the next-hop address being the CE12800.

Routes in the virtual system vfw1
  Default route
    FW_A: next hop 172.16.10.251
    FW_B: next hop 172.16.10.251
    Description: Default routes of vfw1, the next-hop address being the CE12800.
  Black-hole route
    FW_A: destination address 118.1.1.1/32
    FW_B: destination address 118.1.1.1/32
    Description: Black-hole routes to the global address of the virtual machine
    to prevent a routing loop.
  Static route
    FW_A: destination address 10.160.10.0/24, next hop 10.159.10.251
    FW_B: destination address 10.160.10.0/24, next hop 10.159.10.251
    Description: Static routes to the private address of the virtual machine,
    the next-hop address being the CE12800.

Routes in the virtual system vfw2
  Default route
    FW_A: next hop 172.16.11.251
    FW_B: next hop 172.16.11.251
    Description: Default routes of vfw2, the next-hop address being the CE12800.
  Black-hole route
    FW_A: destination address 118.1.1.2/32
    FW_B: destination address 118.1.1.2/32
    Description: Black-hole routes to the global address of the virtual machine
    to prevent a routing loop.
  Static route
    FW_A: destination address 10.160.11.0/24, next hop 10.159.11.251
    FW_B: destination address 10.160.11.0/24, next hop 10.159.11.251
    Description: Static routes to the private address of the virtual machine,
    the next-hop address being the CE12800.

Hot Standby
The hot standby networking is typical where firewalls are connected to Layer-2
devices on both the upstream and the downstream. Figure 4-18 shows the logical
networking where extranet enterprise users access services of the virtual
machines. For the ease of description, only one virtual machine is described.


Figure 4-18 Logical networking of virtual machine services

Figure 4-19 shows the logical networking where external enterprise users access
services of the Portal system. For the ease of description, only one Portal system is
described.


Figure 4-19 Logical networking of Portal systems

After hot standby is configured, FW_A serves as the active firewall, and FW_B
serves as the standby firewall. As shown in Figure 4-20, when the network is
normal, FW_A responds to the ARP packet sent by the root switch Public of the
CE12800 to request the MAC address of the gateway, and traffic from external
enterprise users to the Portal system or virtual machines is forwarded by the
FW_A. Likewise, the return traffic from the Portal system or virtual machines is
also forwarded to FW_A.


Figure 4-20 Normal traffic flow

When FW_A or the link connecting FW_A fails, an active/standby switchover takes
place. Then, FW_B sends a gratuitous ARP packet to make the CE12800 update the
mapping between the virtual MAC address and port. All traffic is forwarded by
FW_B, as shown in Figure 4-21. Likewise, the return traffic from the Portal system
or virtual machines is also forwarded to FW_B.


Figure 4-21 Traffic flow when the active link fails

Security Policies
There are security policies in the root system and security policies in virtual
systems. Security policies in the root system permit packets from extranet
enterprise users to the Portal system. Security policies in a virtual system permit
packets from external enterprise users to the virtual machine.
In addition, antivirus and IPS profiles can be included in the security policies to
defend against attacks of viruses, worms, Trojan horses, and zombies. Normally,
the default antivirus and IPS profiles can be used.
Table 4-9 describes the planning of security policies on the FWs.


Table 4-9 Planning of security policies

Security policies in the root system
  FW_A: name sec_portal; source security zone Untrust; destination security
        zone DMZ; destination address 10.160.0.0/16; action permit;
        antivirus default; IPS default
  FW_B: name sec_portal; source security zone Untrust; destination security
        zone DMZ; destination address 10.160.0.0/16; action permit;
        antivirus default; IPS default
  Description: Permit packets from external enterprise users to the Portal
  system.

Security policies in the virtual system vfw1
  FW_A: name sec_vm1; source security zone Untrust; destination security zone
        Trust; destination address 10.160.10.0/24; action permit;
        antivirus default; IPS default
  FW_B: name sec_vm1; source security zone Untrust; destination security zone
        Trust; destination address 10.160.10.0/24; action permit;
        antivirus default; IPS default
  Description: Permit packets from external enterprise users to the virtual
  machine.

Security policies in the virtual system vfw2
  FW_A: name sec_vm2; source security zone Untrust; destination security zone
        Trust; destination address 10.160.11.0/24; action permit;
        antivirus default; IPS default
  FW_B: name sec_vm2; source security zone Untrust; destination security zone
        Trust; destination address 10.160.11.0/24; action permit;
        antivirus default; IPS default
  Description: Permit packets from external enterprise users to the virtual
  machine.

NAT Servers
There are NAT servers in the root system and NAT servers in virtual systems. The
NAT servers in the root system map the address of the Portal system to a public
address so that extranet enterprise users can access it. The NAT server in a
virtual system maps the address of a virtual machine to a public address so that
extranet enterprise users can access it.

In order that extranet enterprise users can access the Portal system and virtual
machines, it is necessary to apply for public addresses for every Portal system and
virtual machine. It is assumed that the public addresses for the Portal system are
117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are
118.1.1.1 and 118.1.1.2. Table 4-10 describes the planning of NAT servers on the
FWs.

Table 4-10 Planning of NAT servers

NAT servers in the root system
  FW_A: name nat_server_portal1; global address 117.1.1.1; inside address
        10.160.1.100
  FW_B: name nat_server_portal1; global address 117.1.1.1; inside address
        10.160.1.100
  Description: NAT servers of the Portal system.

  FW_A: name nat_server_portal2; global address 117.1.1.2; inside address
        10.160.2.100
  FW_B: name nat_server_portal2; global address 117.1.1.2; inside address
        10.160.2.100
  Description: NAT servers of the Portal system.

NAT server in the virtual system vfw1
  FW_A: name nat_server_vm1; global address 118.1.1.1; inside address
        10.160.10.100
  FW_B: name nat_server_vm1; global address 118.1.1.1; inside address
        10.160.10.100
  Description: NAT server of the virtual machine.

NAT server in the virtual system vfw2
  FW_A: name nat_server_vm2; global address 118.1.1.2; inside address
        10.160.11.100
  FW_B: name nat_server_vm2; global address 118.1.1.2; inside address
        10.160.11.100
  Description: NAT server of the virtual machine.

4.4.3 Precautions

Virtual System
By default, the USG9500 supports 10 virtual systems. To have more virtual
systems, you must apply for a license.


Black-hole Route
Configure black-hole routes to the public addresses of the Portal systems in the
root system and black-hole routes to the public addresses of virtual machines in
the virtual systems to prevent routing loops.
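The following script is an added example and is not code from the Huawei document. It applies longest-prefix matching to the root-system routes of Table 4-8 and the NAT servers of Table 4-10, and follows one packet between the FW and the root switch Public of the CE12800 to show what the black-hole routes described in the Routes section and in this precaution prevent. The CE12800 table and the NULL0/EXTRANET markers are assumptions that only reflect what the prose states.

```python
"""Forwarding walk over the planned root-system routes of FW_A (Table 4-8).

Added example, not code from the Huawei document. The CE12800 Public-VRF
table below and the NULL0/EXTRANET markers are assumptions that only reflect
what the Routes section describes in prose.
"""
import ipaddress

# Root-system routes of FW_A from Table 4-8. "NULL0" marks a black-hole route.
FW_ROOT_ROUTES = [
    ("0.0.0.0/0", "172.16.9.251"),      # default route: root switch Public of the CE12800
    ("117.1.1.1/32", "NULL0"),          # black-hole routes to the Portal global addresses
    ("117.1.1.2/32", "NULL0"),
    ("10.160.1.0/24", "10.159.1.251"),  # private Portal subnets via the virtual switches VRF
    ("10.160.2.0/24", "10.159.2.251"),
]

# Assumed routes in the root switch Public of the CE12800: the Portal global
# addresses point at the FW subinterface (the VRRP virtual IP of GE1/0/1.1000
# in Table 4-6); everything else leaves towards the extranet users.
CE_PUBLIC_ROUTES = [
    ("117.1.1.1/32", "172.16.9.254"),
    ("117.1.1.2/32", "172.16.9.254"),
    ("0.0.0.0/0", "EXTRANET"),
]

# Root-system NAT servers from Table 4-10: global address -> inside address.
NAT_SERVERS = {"117.1.1.1": "10.160.1.100", "117.1.1.2": "10.160.2.100"}

# VLANIF addresses of the virtual switches VRF in front of the Portal subnets.
VRF_NEXT_HOPS = {"10.159.1.251", "10.159.2.251"}


def lookup(routes, dst):
    """Longest-prefix match of dst against (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def without_black_holes(routes):
    """The same table with the NULL0 routes left out: the misconfiguration to avoid."""
    return [route for route in routes if route[1] != "NULL0"]


def walk(dst, fw_routes=FW_ROOT_ROUTES, nat_servers=NAT_SERVERS, max_hops=8):
    """Follow one packet that the CE12800 root switch Public hands to the FW.

    nat_servers holds the mappings that match the packet; pass {} to model a
    packet to a global address that no NAT server translates (for example while
    the mapping is being modified). Returns (outcome, hops), where each hop is
    (device, destination address, next hop).
    """
    hops = []
    where = "FW"
    for _ in range(max_hops):
        if where == "FW":
            dst = nat_servers.get(dst, dst)  # a matching NAT server rewrites the destination
            next_hop = lookup(fw_routes, dst)
            hops.append(("FW", dst, next_hop))
            if next_hop == "NULL0":
                return "dropped", hops        # black-hole route discards it on the FW
            if next_hop in VRF_NEXT_HOPS:
                return "delivered", hops      # handed to the VRF that fronts the Portal
            where = "CE_PUBLIC"               # default route sends it back upstream
        else:
            next_hop = lookup(CE_PUBLIC_ROUTES, dst)
            hops.append(("CE_PUBLIC", dst, next_hop))
            if next_hop == "EXTRANET":
                return "forwarded_out", hops
            where = "FW"                      # the /32 static route points back at the FW
    return "loop", hops                       # FW and CE12800 keep bouncing the packet


if __name__ == "__main__":
    print(walk("117.1.1.1"))                                           # delivered
    print(walk("117.1.1.1", nat_servers={}))                           # dropped
    print(walk("117.1.1.1", without_black_holes(FW_ROOT_ROUTES), {}))  # loop
```

The same walk applies to a virtual system with its own default route, black-hole route to 118.1.1.x/32 and static route from Table 4-8.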

Policy Backup-based Acceleration Function


When a large number of policies exist (such as over 500 policies), the policy
backup-based acceleration function must be enabled to improve policy matching
efficiency during policy modification. If this function is enabled, however, the
newly configured policy takes effect only after the policy backup-based
acceleration process completes.

4.4.4 Configuration Procedure


Prerequisites
The license file of virtual systems has been obtained and activated successfully on
FW_A and FW_B.

Procedure
Step 1 Configure interfaces and security zones.
# Create subinterfaces on FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] quit

# Create subinterfaces on FW_B.


<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1.10
[FW_B-GigabitEthernet1/0/1.10] quit
[FW_B] interface GigabitEthernet 1/0/1.11
[FW_B-GigabitEthernet1/0/1.11] quit
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] quit

# Configure an Eth-trunk interface on FW_A.


[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] ip address 10.1.1.1 30
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/8
[FW_A-GigabitEthernet1/0/8] eth-trunk 1
[FW_A-GigabitEthernet1/0/8] quit
[FW_A] interface GigabitEthernet 2/0/8
[FW_A-GigabitEthernet2/0/8] eth-trunk 1
[FW_A-GigabitEthernet2/0/8] quit

# Configure an Eth-trunk interface on FW_B.


[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] ip address 10.1.1.2 30
[FW_B-Eth-Trunk1] quit
[FW_B] interface GigabitEthernet 1/0/8
[FW_B-GigabitEthernet1/0/8] eth-trunk 1
[FW_B-GigabitEthernet1/0/8] quit
[FW_B] interface GigabitEthernet 2/0/8
[FW_B-GigabitEthernet2/0/8] eth-trunk 1
[FW_B-GigabitEthernet2/0/8] quit

# Configure IP addresses for root system interfaces on FW_A, and assign the
interfaces to the security zones of the root system.
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 1
[FW_A-zone-hrpzone] quit

# Configure IP addresses for root system interfaces on FW_B, and assign the
interfaces to the security zones of the root system.
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_B-zone-dmz] quit
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 1
[FW_B-zone-hrpzone] quit

Step 2 Configure virtual systems.

# Enable the virtual system function on FW_A.


[FW_A] vsys enable

# Enable the virtual system function on FW_B.


[FW_B] vsys enable

# Configure resource classes on FW_A.


[FW_A] resource-class vfw1_car
[FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw1_car] quit
[FW_A] resource-class vfw2_car
[FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw2_car] quit

# Configure resource classes on FW_B.


[FW_B] resource-class vfw1_car
[FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw1_car] quit
[FW_B] resource-class vfw2_car
[FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw2_car] quit

# Create virtual systems on FW_A, and allocate resources to the virtual systems.
[FW_A] vsys name vfw1
[FW_A-vsys-vfw1] assign resource-class vfw1_car
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_A-vsys-vfw1] quit
[FW_A] vsys name vfw2
[FW_A-vsys-vfw2] assign resource-class vfw2_car
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_A-vsys-vfw2] quit

# Create virtual systems on FW_B, and allocate resources to the virtual systems.
[FW_B] vsys name vfw1
[FW_B-vsys-vfw1] assign resource-class vfw1_car
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_B-vsys-vfw1] quit
[FW_B] vsys name vfw2
[FW_B-vsys-vfw2] assign resource-class vfw2_car
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_B-vsys-vfw2] quit


# Configure IP addresses for interfaces in the virtual system vfw1 on FW_A, and
assign the interfaces to security zones.
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/1.10] quit
[FW_A-vfw1] interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/3.10] quit
[FW_A-vfw1] firewall zone untrust
[FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-zone-untrust] quit
[FW_A-vfw1] firewall zone trust
[FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-zone-trust] quit
[FW_A-vfw1] quit
<FW_A-vfw1> quit

Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_A,
and assign the interfaces to security zones.
# Configure IP addresses for interfaces in virtual system vfw1 on FW_B, and assign
the interfaces to security zones.
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/1.10] quit
[FW_B-vfw1] interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/3.10] quit
[FW_B-vfw1] firewall zone untrust
[FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-zone-untrust] quit
[FW_B-vfw1] firewall zone trust
[FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-zone-trust] quit
[FW_B-vfw1] quit
<FW_B-vfw1> quit

Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B,
and assign the interfaces to security zones.
Step 3 Configure routes.
# Configure routes of the root system on FW_A.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_A] ip route-static 117.1.1.1 32 NULL 0
[FW_A] ip route-static 117.1.1.2 32 NULL 0
[FW_A] ip route-static 10.160.1.0 24 10.159.1.251
[FW_A] ip route-static 10.160.2.0 24 10.159.2.251

# Configure routes of the root system on FW_B.


[FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_B] ip route-static 117.1.1.1 32 NULL 0
[FW_B] ip route-static 117.1.1.2 32 NULL 0
[FW_B] ip route-static 10.160.1.0 24 10.159.1.251
[FW_B] ip route-static 10.160.2.0 24 10.159.2.251

# Configure routes of the virtual systems on FW_A.


[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_A-vfw1] ip route-static 10.160.10.0 24 10.159.10.251
[FW_A-vfw1] quit
<FW_A-vfw1> quit
[FW_A] switch vsys vfw2
<FW_A-vfw2> system-view
[FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_A-vfw2] ip route-static 10.160.11.0 24 10.159.11.251
[FW_A-vfw2] quit
<FW_A-vfw2> quit

# Configure routes of the virtual systems on FW_B.


[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_B-vfw1] ip route-static 10.160.10.0 24 10.159.10.251
[FW_B-vfw1] quit
<FW_B-vfw1> quit
[FW_B] switch vsys vfw2
<FW_B-vfw2> system-view
[FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_B-vfw2] ip route-static 10.160.11.0 24 10.159.11.251
[FW_B-vfw2] quit
<FW_B-vfw2> quit

Step 4 Configure hot standby.

# Configure VRRP groups on FW_A, setting their states to Active.


[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] vlan-type dot1q 10
[FW_A-GigabitEthernet1/0/1.10] vrrp vrid 10 virtual-ip 172.16.10.254 active
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] vlan-type dot1q 11
[FW_A-GigabitEthernet1/0/1.11] vrrp vrid 11 virtual-ip 172.16.11.254 active
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] vlan-type dot1q 9
[FW_A-GigabitEthernet1/0/1.1000] vrrp vrid 9 virtual-ip 172.16.9.254 active
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_A-GigabitEthernet1/0/3.10] vrrp vrid 110 virtual-ip 10.159.10.254 active
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_A-GigabitEthernet1/0/3.11] vrrp vrid 111 virtual-ip 10.159.11.254 active
[FW_A-GigabitEthernet1/0/3.11] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
[FW_A-GigabitEthernet1/0/2.2] quit

# Specify the heartbeat interface on FW_A and enable hot standby.


[FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
[FW_A] hrp enable

# Configure VRRP groups on FW_B, setting their states to Standby.

[FW_B] interface GigabitEthernet 1/0/1.10
[FW_B-GigabitEthernet1/0/1.10] vlan-type dot1q 10
[FW_B-GigabitEthernet1/0/1.10] vrrp vrid 10 virtual-ip 172.16.10.254 standby
[FW_B-GigabitEthernet1/0/1.10] quit
[FW_B] interface GigabitEthernet 1/0/1.11
[FW_B-GigabitEthernet1/0/1.11] vlan-type dot1q 11
[FW_B-GigabitEthernet1/0/1.11] vrrp vrid 11 virtual-ip 172.16.11.254 standby
[FW_B-GigabitEthernet1/0/1.11] quit
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] vlan-type dot1q 9
[FW_B-GigabitEthernet1/0/1.1000] vrrp vrid 9 virtual-ip 172.16.9.254 standby
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_B-GigabitEthernet1/0/3.10] vrrp vrid 110 virtual-ip 10.159.10.254 standby
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_B-GigabitEthernet1/0/3.11] vrrp vrid 111 virtual-ip 10.159.11.254 standby
[FW_B-GigabitEthernet1/0/3.11] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
[FW_B-GigabitEthernet1/0/2.2] quit

# Specify the heartbeat interface on FW_B and enable hot standby.


[FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
[FW_B] hrp enable

Step 5 Configure security policies.

# Configure security policies in the root system on FW_A.


HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name sec_portal
HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust
HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz
HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.160.0.0 16
HRP_M[FW_A-policy-security-rule-sec_portal] action permit
HRP_M[FW_A-policy-security-rule-sec_portal] profile av default
HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default
HRP_M[FW_A-policy-security-rule-sec_portal] quit
HRP_M[FW_A-policy-security] quit

# Configure security policies in virtual system vfw1 on FW_A.


HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] security-policy
HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.160.10.0 24
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit
HRP_M[FW_A-vfw1-policy-security] quit
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit

Similarly, configure security policies in virtual system vfw2 on FW_A.

# After hot standby is configured, the configuration on FW_A is automatically
synchronized to FW_B. Therefore, it is not necessary to configure security policies
manually on FW_B.
Step 6 Configure the policy backup-based acceleration function.
When a large number of policies exist (such as over 500 policies), the policy
backup-based acceleration function must be enabled to keep policy matching
efficient while policies are being modified. Note, however, that when this function
is enabled, a newly configured policy takes effect only after the policy backup-based
acceleration process completes.
HRP_M[FW_A] policy accelerate standby enable

# After hot standby is configured, the configuration on FW_A is automatically
synchronized to FW_B. Therefore, it is not necessary to configure the policy
backup-based acceleration function manually on FW_B.
Step 7 Configure NAT servers.

The NAT server configuration commands are only exemplary. In practice, NAT servers are
configured on the management component, and the management component delivers the
configuration to the FW.

# Configure NAT servers in the root system on FW_A.


HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.160.1.100
HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.160.2.100

# Configure a NAT server in virtual system vfw1 on FW_A.


HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.160.10.100
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit

Similarly, configure a NAT server in virtual system vfw2 on FW_A.


# After hot standby is configured, the configuration on FW_A will be automatically
synchronized to FW_B. Therefore, it is not necessary to configure NAT servers
manually on FW_B.
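Step 5 writes each security policy against the private (post-NAT) addresses of the servers that the NAT server mappings in Step 7 translate to (10.160.0.0/16 for the Portal systems in the root system, 10.160.10.0/24 for the virtual machines in vfw1), and the configuration scripts in 4.4.6 additionally install a host route to NULL 0 for every public NAT address. The following Python script is an added example, not part of the Huawei document and not a Huawei tool: it reads a VRP-style script, tracks the `switch vsys` context, and reports every `nat server` whose inside address no permit rule covers or whose global address has no NULL 0 host route. The embedded configuration is constructed for the demonstration and deliberately contains one of each mistake.

```python
"""Check that each NAT server mapping is covered by a permit rule and has a NULL 0
host route for its public address (added example, not Huawei code)."""
import ipaddress
import re

# Constructed excerpt in the style of the FW_A script on this page (not the page's own
# script). The vfw1 policy deliberately permits the wrong subnet and the second portal
# mapping deliberately lacks its NULL 0 route, so that the check reports both.
SAMPLE_CONFIG = """\
#
ip route-static 117.1.1.1 255.255.255.255 NULL 0
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.160.0.0 16
  profile av default
  profile ips default
  action permit
#
switch vsys vfw1
#
ip route-static 118.1.1.1 255.255.255.255 NULL 0
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  action permit
#
"""

VSYS_RE = re.compile(r"^\s*switch vsys (\S+)")
# The numeric ID between the name and "global" is present in saved scripts but not
# in the interactive form, so it is optional here.
NAT_RE = re.compile(r"^\s*nat server (\S+)(?: \d+)? global (\S+) inside (\S+)")
BLACKHOLE_RE = re.compile(r"^\s*ip route-static (\S+) 255\.255\.255\.255 NULL ?0")
RULE_RE = re.compile(r"^\s*rule name (\S+)")
DST_RE = re.compile(r"^\s*destination-address (\S+) (\d+)")
ACTION_RE = re.compile(r"^\s*action (permit|deny)")


def parse(config):
    """Collect NAT servers, security rules and NULL 0 host routes per virtual system."""
    vsys, rule = "public", None
    nats, rules, blackholes = [], {}, {}
    for line in config.splitlines():
        m = VSYS_RE.match(line)
        if m:
            vsys, rule = m.group(1), None
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append((vsys,) + m.groups())
            continue
        m = BLACKHOLE_RE.match(line)
        if m:
            blackholes.setdefault(vsys, set()).add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            rule = {"name": m.group(1), "dest": [], "action": None}
            rules.setdefault(vsys, []).append(rule)
            continue
        if rule is None:
            continue
        m = DST_RE.match(line)
        if m:
            rule["dest"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        m = ACTION_RE.match(line)
        if m:
            rule["action"] = m.group(1)
    return nats, rules, blackholes


def check_nat_servers(config):
    """Return findings; an empty list means every mapping is covered and blackholed."""
    nats, rules, blackholes = parse(config)
    findings = []
    for vsys, name, global_ip, inside_ip in nats:
        inside = ipaddress.ip_address(inside_ip)
        covered = any(r["action"] == "permit" and any(inside in n for n in r["dest"])
                      for r in rules.get(vsys, []))
        if not covered:
            findings.append(f"{vsys}/{name}: no permit rule covers inside address {inside_ip}")
        if global_ip not in blackholes.get(vsys, set()):
            findings.append(f"{vsys}/{name}: no NULL 0 host route for global address {global_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_nat_servers(SAMPLE_CONFIG):
        print(finding)
```

The check is scoped per virtual system because a rule in the root system does not apply to traffic handled inside vfw1; running it over the 4.4.6 scripts would also report the vfw1 and vfw2 rules that match 10.159.x.0/24 instead of the 10.160.x.0/24 server subnets.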
Step 8 Configure other network devices.
The present case focuses on the configuration on the FW. For the configuration on
other network devices, note that:
● OSPF runs between the upstream router and the CE12800. The upstream
router learns the routes to the public addresses of the Portal systems and
virtual machines through OSPF, with the CE12800 as the next hop.
● You need to configure multiple VRF virtual switches on the CE12800, bind the
VLANIF interfaces to the VRF instances, and then configure VRRP groups on
the VLANIF interfaces. In addition, on the root switch Public of the CE12800,
you need to configure static routes to the public addresses of the Portal
systems and virtual machines and set their next hops to the virtual IP
addresses of the VRRP groups on the FW; on the VRF virtual switches of the
virtual machines, you need to configure default routes whose next hops are
also the virtual IP addresses of the VRRP groups on the FW.

● The CE6800 transmits Layer-2 packets transparently, and you only need to
configure Layer-2 forwarding on it.

----End

4.4.5 Verification
1. Run the display hrp state command on FW_A and FW_B. The current HRP
state is normal.
2. Enterprise users on the Internet can access virtual machine services normally.
3. Enterprise users on the Internet can access the Portal system normally.
4. Run the shutdown command on GE1/0/1.10 of FW_A to simulate a link fault.
The active/standby switchover is normal without services interrupted.

4.4.6 Configuration Scripts


FW_A FW_B
# #
sysname FW_A sysname FW_B
# #
hrp enable hrp enable
hrp interface Eth-Trunk 1 remote 10.1.1.2 hrp interface Eth-Trunk 1 remote 10.1.1.1
# #
vsys enable vsys enable
resource-class vfw1_car resource-class vfw1_car
resource-item-limit bandwidth 100 entire resource-item-limit bandwidth 100 entire
resource-class vfw2_car resource-class vfw2_car
resource-item-limit bandwidth 100 entire resource-item-limit bandwidth 100 entire
# #
# #
vsys name vfw1 1 vsys name vfw1 1
assign interface GigabitEthernet1/0/1.10 assign interface GigabitEthernet1/0/1.10
assign interface GigabitEthernet1/0/3.10 assign interface GigabitEthernet1/0/3.10
assign resource-class vfw1_car assign resource-class vfw1_car
assign global-ip 118.1.1.1 118.1.1.1 exclusive assign global-ip 118.1.1.1 118.1.1.1 exclusive
# #
vsys name vfw2 2 vsys name vfw2 2
assign interface GigabitEthernet1/0/1.11 assign interface GigabitEthernet1/0/1.11
assign interface GigabitEthernet1/0/3.11 assign interface GigabitEthernet1/0/3.11
assign resource-class vfw2_car assign resource-class vfw2_car
assign global-ip 118.1.1.2 118.1.1.2 exclusive assign global-ip 118.1.1.2 118.1.1.2 exclusive
# #
interface Eth-Trunk1 interface Eth-Trunk1
ip address 10.1.1.1 255.255.255.252 ip address 10.1.1.2 255.255.255.252
# #
interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/1
undo shutdown undo shutdown
# #
interface GigabitEthernet1/0/1.10 interface GigabitEthernet1/0/1.10
vlan-type dot1q 10 vlan-type dot1q 10
ip binding vpn-instance vfw1 ip binding vpn-instance vfw1
ip address 172.16.10.252 255.255.255.0 ip address 172.16.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 172.16.10.254 active vrrp vrid 10 virtual-ip 172.16.10.254 standby
# #
interface GigabitEthernet1/0/1.11 interface GigabitEthernet1/0/1.11
vlan-type dot1q 11 vlan-type dot1q 11
ip binding vpn-instance vfw2 ip binding vpn-instance vfw2
ip address 172.16.11.252 255.255.255.0 ip address 172.16.11.253 255.255.255.0
vrrp vrid 11 virtual-ip 172.16.11.254 active vrrp vrid 11 virtual-ip 172.16.11.254 standby
# #
interface GigabitEthernet1/0/1.1000 interface GigabitEthernet1/0/1.1000
vlan-type dot1q 9 vlan-type dot1q 9
ip address 172.16.9.252 255.255.255.0 ip address 172.16.9.253 255.255.255.0
vrrp vrid 9 virtual-ip 172.16.9.254 active vrrp vrid 9 virtual-ip 172.16.9.254 standby
# #
interface GigabitEthernet1/0/2 interface GigabitEthernet1/0/2
undo shutdown undo shutdown
# #
interface GigabitEthernet1/0/2.1 interface GigabitEthernet1/0/2.1
vlan-type dot1q 1 vlan-type dot1q 1
ip address 10.159.1.252 255.255.255.0 ip address 10.159.1.253 255.255.255.0
vrrp vrid 1 virtual-ip 10.159.1.254 active vrrp vrid 1 virtual-ip 10.159.1.254 standby
# #
interface GigabitEthernet1/0/2.2 interface GigabitEthernet1/0/2.2
vlan-type dot1q 2 vlan-type dot1q 2
ip address 10.159.2.252 255.255.255.0 ip address 10.159.2.253 255.255.255.0
vrrp vrid 2 virtual-ip 10.159.2.254 active vrrp vrid 2 virtual-ip 10.159.2.254 standby
# #
interface GigabitEthernet1/0/3 interface GigabitEthernet1/0/3
undo shutdown undo shutdown
# #

interface GigabitEthernet1/0/3.10 interface GigabitEthernet1/0/3.10
vlan-type dot1q 10 vlan-type dot1q 10
ip binding vpn-instance vfw1 ip binding vpn-instance vfw1
ip address 10.159.10.252 255.255.255.0 ip address 10.159.10.253 255.255.255.0
vrrp vrid 110 virtual-ip 10.159.10.254 active vrrp vrid 110 virtual-ip 10.159.10.254 standby
# #
interface GigabitEthernet1/0/3.11 interface GigabitEthernet1/0/3.11
vlan-type dot1q 11 vlan-type dot1q 11
ip binding vpn-instance vfw2 ip binding vpn-instance vfw2
ip address 10.159.11.252 255.255.255.0 ip address 10.159.11.253 255.255.255.0
vrrp vrid 111 virtual-ip 10.159.11.254 active vrrp vrid 111 virtual-ip 10.159.11.254 standby
# #
interface GigabitEthernet1/0/8 interface GigabitEthernet1/0/8
undo shutdown undo shutdown
eth-trunk 1 eth-trunk 1
# #
interface GigabitEthernet2/0/8 interface GigabitEthernet2/0/8
undo shutdown undo shutdown
eth-trunk 1 eth-trunk 1
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet1/0/3 add interface GigabitEthernet1/0/3
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/1.1000 add interface GigabitEthernet1/0/1.1000
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/2 add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/2.1 add interface GigabitEthernet1/0/2.1
add interface GigabitEthernet1/0/2.2 add interface GigabitEthernet1/0/2.2
# #
firewall zone name hrpzone id 4 firewall zone name hrpzone id 4
set priority 65 set priority 65
add interface Eth-Trunk1 add interface Eth-Trunk1
# #
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251 ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0 ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0 ip route-static 117.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251 ip route-static 10.160.1.0 255.255.255.0 10.159.1.251
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251 ip route-static 10.160.2.0 255.255.255.0 10.159.2.251
# #
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
# #
security-policy security-policy
rule name sec_portal rule name sec_portal
source-zone untrust source-zone untrust
destination-zone dmz destination-zone dmz
destination-address 10.160.0.0 16 destination-address 10.160.0.0 16
profile av default profile av default
profile ips default profile ips default
action permit action permit
# #
return return
# #
switch vsys vfw1 switch vsys vfw1
# #
interface GigabitEthernet1/0/1.10 interface GigabitEthernet1/0/1.10

vlan-type dot1q 10 vlan-type dot1q 10
ip binding vpn-instance vfw1 ip binding vpn-instance vfw1
ip address 172.16.10.252 255.255.255.0 ip address 172.16.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 172.16.10.254 active vrrp vrid 10 virtual-ip 172.16.10.254 standby
# #
interface GigabitEthernet1/0/3.10 interface GigabitEthernet1/0/3.10
vlan-type dot1q 10 vlan-type dot1q 10
ip binding vpn-instance vfw1 ip binding vpn-instance vfw1
ip address 10.159.10.252 255.255.255.0 ip address 10.159.10.253 255.255.255.0
vrrp vrid 110 virtual-ip 10.159.10.254 active vrrp vrid 110 virtual-ip 10.159.10.254 standby
# #
interface Virtual-if1 interface Virtual-if1
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet1/0/3.10 add interface GigabitEthernet1/0/3.10
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet1/0/1.10 add interface GigabitEthernet1/0/1.10
# #
security-policy security-policy
rule name sec_vm1 rule name sec_vm1
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-address 10.160.10.0 24 destination-address 10.160.10.0 24
profile av default profile av default
profile ips default profile ips default
action permit action permit
# #
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0 ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251 ip route-static 10.160.10.0 255.255.255.0 10.159.10.251
# #
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
# #
return return
# #
switch vsys vfw2 switch vsys vfw2
# #
interface GigabitEthernet1/0/1.11 interface GigabitEthernet1/0/1.11
vlan-type dot1q 11 vlan-type dot1q 11
ip binding vpn-instance vfw2 ip binding vpn-instance vfw2
ip address 172.16.11.252 255.255.255.0 ip address 172.16.11.253 255.255.255.0
vrrp vrid 11 virtual-ip 172.16.11.254 active vrrp vrid 11 virtual-ip 172.16.11.254 standby
# #
interface GigabitEthernet1/0/3.11 interface GigabitEthernet1/0/3.11
vlan-type dot1q 11 vlan-type dot1q 11
ip binding vpn-instance vfw2 ip binding vpn-instance vfw2
ip address 10.159.11.252 255.255.255.0 ip address 10.159.11.253 255.255.255.0
vrrp vrid 111 virtual-ip 10.159.11.254 active vrrp vrid 111 virtual-ip 10.159.11.254 standby
# #
interface Virtual-if2 interface Virtual-if2
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet1/0/3.11 add interface GigabitEthernet1/0/3.11
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet1/0/1.11 add interface GigabitEthernet1/0/1.11
# #
security-policy security-policy
rule name sec_vm2 rule name sec_vm2

source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-address 10.160.11.0 24 destination-address 10.160.11.0 24
profile av default profile av default
profile ips default profile ips default
action permit action permit
# #
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0 ip route-static 118.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251 ip route-static 10.160.11.0 255.255.255.0 10.159.11.251
# #
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100
# #
return return
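
The FW_A and FW_B scripts above are meant to differ only in interface addresses and in the active/standby role of each VRRP group; a VRID or virtual IP that differs between the two members, or a virtual IP outside the subnet of its interface, silently breaks the switchover that 4.4.5 tests. The following Python script is an added example, not part of the Huawei document and not a Huawei tool: it parses two VRP-style scripts and reports such differences. The embedded scripts are constructed for the demonstration and deliberately contain two VRID mismatches and one mistyped interface address.

```python
"""Cross-check the VRRP groups of a hot-standby firewall pair (added example, not Huawei code)."""
import ipaddress
import re

# Constructed scripts in the style of the FW_A/FW_B scripts above. The vrid mismatches on
# GE1/0/2.2 and GE1/0/3.10 and the mistyped address 110.159.10.252 are deliberate so that
# the check has something to report.
FW_A_CONFIG = """\
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 172.16.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 active
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip address 110.159.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#
"""

FW_B_CONFIG = """\
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 172.16.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 standby
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.2.254 standby
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 standby
#
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")


def parse_vrrp(config):
    """Map each interface that carries a VRRP group to its address and group settings."""
    groups, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            groups.setdefault(current, {})["addr"] = ipaddress.ip_interface(
                f"{m.group(1)}/{m.group(2)}")
            continue
        m = VRRP_RE.match(line)
        if m:
            groups.setdefault(current, {}).update(
                vrid=int(m.group(1)), vip=m.group(2), role=m.group(3))
    return {name: g for name, g in groups.items() if "vrid" in g}


def check_pair(cfg_a, cfg_b, name_a="FW_A", name_b="FW_B"):
    """Return a list of findings; an empty list means the pair is consistent."""
    va, vb = parse_vrrp(cfg_a), parse_vrrp(cfg_b)
    findings = []
    for iface in sorted(set(va) | set(vb)):
        if iface not in va or iface not in vb:
            missing = name_b if iface not in vb else name_a
            findings.append(f"{iface}: VRRP group missing on {missing}")
            continue
        ga, gb = va[iface], vb[iface]
        if ga["vrid"] != gb["vrid"]:
            findings.append(f"{iface}: vrid mismatch ({name_a}={ga['vrid']}, {name_b}={gb['vrid']})")
        if ga["vip"] != gb["vip"]:
            findings.append(f"{iface}: virtual IP mismatch ({name_a}={ga['vip']}, {name_b}={gb['vip']})")
        if {ga["role"], gb["role"]} != {"active", "standby"}:
            findings.append(f"{iface}: expected one active and one standby member")
        # The virtual IP must sit in the subnet of the interface it is configured on.
        for name, g in ((name_a, ga), (name_b, gb)):
            addr = g.get("addr")
            if addr is not None and ipaddress.ip_address(g["vip"]) not in addr.network:
                findings.append(f"{iface}: {name} virtual IP {g['vip']} is outside {addr.network}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(FW_A_CONFIG, FW_B_CONFIG):
        print(finding)
```

Run it against the output of `display current-configuration` saved from each member before enabling hot standby; the same parser can be pointed at the 4.4.6 scripts once they are split into one file per device.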

4.5 Conclusion and Suggestions


● The virtual system feature is configured on the FW. Each virtual system
corresponds to one virtual machine, so the virtual machines are isolated from
each other by the virtual systems. Security policies can also be configured in
the virtual systems to implement access control.
● Interfaces between the FW and the CE12800 are limited. Therefore, multiple
subinterfaces are created and allocated to the root system and the virtual
systems, which makes their use flexible.
● In solution 1, when OSPF is configured on the FW, the VPN instance
corresponding to each virtual system must be bound to the OSPF process in the
root system, because OSPF cannot be configured in a virtual system directly.
● In solution 2, VRF is configured on the CE12800 to virtualize it into an
upstream switch (root switch Public) and downstream switches (multiple VRF
virtual switches). VRRP runs between the FW and both the Public and the VRF
switches of the CE12800.

5 Application of Firewalls in the Egress Security Solution for Enterprise Campus Networks

5.1 Introduction
This section describes how to deploy the firewall as an egress gateway for a large-
or medium-sized enterprise network to protect the security of the enterprise
network. It describes the most common scenarios and features of the firewall and
provides reference for the administrator to plan and build the enterprise network.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.

5.2 Solution Overview


Introduction to Enterprise Campus Networks
An enterprise campus network is an intranet of an enterprise or organization. Its
routing structure is managed by the enterprise or organization. The network
interworks with the WAN and the data center. Partners, mobile employees, and
guests access the enterprise intranet through the VPN, WAN or Internet.
An enterprise campus network is generally a non-profit network with a high
user density, where large numbers of terminals and users are concentrated in a
limited space. The major concerns of an enterprise campus network are availability,
ease of use, ease of deployment, and ease of maintenance. Therefore, the topology of
enterprise campus networks is mostly a star structure. The ring structure is not
often used (ring structures are usually used in the MAN and backbone networks
of carriers to save fiber resources).
Figure 5-1 shows the architecture of an enterprise network. For traffic originating
from intranet users to the Internet, the traffic needs to pass through the Layer 3
aggregation switch, Layer 3 core switch, and gateway.
Enterprise employees are in different departments based on their business lines.
The network must ensure normal Internet access for internal users and keep them

secure from attacks. On this basis, Internet access privileges and traffic restrictions
must also be defined for different departments. In addition, branch and travelling
employees must be able to access the central network for business
communication and resource sharing.

Figure 5-1 Networking of an enterprise network

● Access layer
The access layer is normally made up of Ethernet switches. It connects various
terminals to the campus network. For some terminals, it may be necessary to
add specific access devices, for example, APs for wireless access and IADs for
POTS access.
● Aggregation layer
Traffic of the access devices and users converges at the aggregation layer and
is then forwarded to the core layer. The aggregation layer increases the
quantity of users who can access the core layer.

● Core layer
The core layer is responsible for the high-speed interworking of the entire
campus network. Specific services are generally not deployed here. The core
network must ensure high bandwidth efficiency and quick failure
convergence.
● Enterprise campus egress
The enterprise campus egress is a border between the enterprise campus
network and the public extranet. Internal users of the campus network are
connected to the public network through an edge network. Extranet users
(including customers, partners, branches, and remote users) also access the
internal network through the edge network.
● Data center
The data center is the area where servers and application systems are
deployed. The data center provides data and application services for internal
and external users.
● Network management center
The network management center is the area where the network, servers, and
applications systems are managed. It provides fault management,
configuration management, performance management, and security
management.

Application of FWs at the Egress of an Enterprise Campus Network


The FW generally serves as an egress gateway of an enterprise campus network. It
provides the following features:

● Hot standby
To improve network availability, two FWs can be deployed at the egress of the
enterprise campus network in hot standby mode. When the link of the active
FW fails, traffic on the network is switched to the standby FW to ensure
normal communication of the intranet and extranet.
● NAT
Because public IPv4 addresses are limited, private addresses are allocated for
intranet use, and public addresses are normally not allocated. Therefore, when
an internal user needs to access the Internet, address translation is required.
The FW is deployed at the egress of the intranet to the Internet to provide
NAT functions.
● Security defense
The FW provides attack defense to protect the enterprise network against
external attacks.
● Content security
The FW provides intrusion prevention, antivirus, and URL filtering functions to
ensure a green environment for the intranet.
● Bandwidth management
The FW provides bandwidth management. It identifies traffic based on the
application or user and applies traffic-based control.

5.3 Solution Design

5.3.1 Typical Networking


For access to the Internet, the enterprise network environment is challenged by
access control, security defense, and egress bandwidth management. The FW is
deployed at the egress of the enterprise network to provide a solution and ensure
normal service operation.
As shown in Figure 5-2, an enterprise leases two 10G links from two ISPs to
provide broadband Internet access. The enterprise also deploys servers in the
server area for access of intranet and extranet users.
Two FWs are deployed at the egress of the enterprise network to the Internet as
gateways to connect the intranet and extranet and protect the security of the
intranet. The upstream interfaces of the two FWs are connected to the two ISPs
through aggregation switches; the downstream interfaces of the FWs are
connected to the switches in the intranet and the server area through Layer 3 core
switches.

Figure 5-2 Security networking for the egress of an enterprise network

An enterprise has many employees and business lines. The traffic on the enterprise
network is varied. When the intranet of the enterprise is connected to the Internet,
the following targets and challenges must be considered:

1. The egress gateway must be highly available. Two devices should be deployed
in hot standby mode to avoid a single point of failure. When one device fails,
the other takes over its work, ensuring that normal services are not interrupted.
2. The enterprise leases two links from two ISPs. Therefore, the gateway must be
able to identify traffic based on applications and distribute different types of
traffic to the appropriate links to improve link efficiency and avoid network
congestion.
3. Enterprise employees are in different business lines, including R&D, marketing,
production, and management. Therefore, access control policies are defined
for the egress gateways based on users/departments and applications
according to the business needs of the departments.
4. To enable a large number of intranet users to access the Internet using public
addresses, the egress gateway must be capable of translating private
addresses to public addresses.
5. User and department information is stored in the gateway to provide the
organizational structure of the enterprise for reference of policies. AD servers
are deployed in the server area to facilitate user-based network behavior
control and network permission planning.
6. Extranet users can access the web servers and FTP servers.
7. The enterprise intranet faces unauthorized access and all kinds of attacks and
intrusions from the Internet. Therefore, the egress gateway must be able to
defend against viruses, worms, Trojan horses, and zombies to protect the
security of the enterprise network. In addition, websites accessible by the
enterprise employees must be controlled by filtering, prohibiting access to all
adult and illegal websites.
8. The egress gateway must be able to defend against SYN flood, UDP flood,
and malformed packet attacks targeting the intranet.
9. The egress gateway must be capable of application-based traffic control to
restrict traffic that takes up much network bandwidth (such as P2P traffic)
and ensure normal operation of critical services. In addition, the egress
gateway can provide differentiated bandwidth management based on users/
departments.
10. The network must ensure secure access to the ERP and email systems of the
enterprise for travelling and home-based R&D employees. It should also
ensure that travelling and home-based senior managers and marketing
employees can complete their office work as if they are in the intranet.

5.3.2 Service Planning


Planning of Interfaces and Security Zones
As shown in the following figure, each firewall has five interfaces, each connected
to a network of a different trust level. Therefore, the five interfaces need to be
assigned to different security zones.

Figure 5-3 Security zones of interfaces of the FWs

● GE1/0/1 is connected to the ISP1 link and assigned to the ISP1 zone. The ISP1
zone needs to be created, and its priority is 15.
● GE1/0/2 is connected to the ISP2 link and assigned to the ISP2 zone. The ISP2
zone needs to be created, and its priority is 20.
● GE1/0/3 and GE2/0/1 connected to the core router form Eth-Trunk1 and are
assigned to the Heart zone. The Heart zone needs to be created, and its
priority is 75.
● GE1/0/4 is connected to the server area and assigned to the Trust zone. The
Trust zone is a default security zone of the firewall. Its priority is 85.
● As a mirroring interface (Layer 2 interface), GE1/0/5 functions as the interface
for receiving mirrored AD authentication packets.

Hot Standby Planning


One ISP provides one link, and one link cannot be directly connected to two
firewalls. Therefore, it is necessary to deploy an egress aggregation switch
between the ISP and the firewalls. The egress aggregation switch can split one ISP
link into two links and then connect the two links to the upstream interfaces of
the two firewalls. OSPF runs between the firewalls and downstream core switches.
The two firewalls are connected to the upstream interfaces of the two core
switches.

To save public IP addresses, private IP addresses are planned for the upstream
interfaces of the firewalls. However, the address of a VRRP group must be a public
address allocated by the ISP to enable the communication with the ISP.

Table 5-1 Hot standby planning

Item: FW_A

  Interface GE1/0/1
    ● Security zone: ISP1
    ● IP address: 1.1.1.2/24
    Description: Interface connecting FW_A to the upstream L2 switch. It is connected to ISP1 and assigned to the ISP1 security zone.

  Interface GE1/0/2
    ● Security zone: ISP2
    ● IP address: 2.2.2.2/24
    Description: Interface connecting FW_A to the upstream L2 switch. It is connected to ISP2 and assigned to the ISP2 security zone.

  Interface Eth-Trunk1
    ● Security zone: Heart
    ● IP address: 10.10.0.1/24
    Description: Heartbeat interface connected to FW_B. It is assigned to the Heart security zone.

  Interface GE1/0/4
    ● Security zone: Trust
    ● IP address: 10.1.1.1/16
    Description: Interface connecting FW_A to the downstream L3 switch. It is assigned to the Trust security zone.

  VRRP group 1
    ● Interface: GE1/0/1
    ● ID: 1
    ● Virtual IP address: 1.1.1.1
    ● State: master
    Description: VRRP group 1 on FW_A.

  VRRP group 2
    ● Interface: GE1/0/2
    ● ID: 2
    ● Virtual IP address: 2.2.2.1
    ● State: master
    Description: VRRP group 2 on FW_A.

  OSPF
    ● Process ID: 100
    ● Network segment: 1.1.1.0 0.0.0.255
    ● Network segment: 10.1.0.0 0.0.0.255
    Description: OSPF on FW_A.

Item: FW_B

  Interface GE1/0/1
    ● Security zone: ISP1
    ● IP address: 1.1.1.3/24
    Description: Interface connecting FW_B to the upstream L2 switch. It is connected to ISP1 and assigned to the ISP1 security zone.

  Interface GE1/0/2
    ● Security zone: ISP2
    ● IP address: 2.2.2.3/24
    Description: Interface connecting FW_B to the upstream L2 switch. It is connected to ISP2 and assigned to the ISP2 security zone.

  Interface Eth-Trunk1
    ● Security zone: Heart
    ● IP address: 10.10.0.2/24
    Description: Heartbeat interface connected to FW_A. It is assigned to the Heart security zone.

  Interface GE1/0/4
    ● Security zone: Trust
    ● IP address: 10.2.1.1/16
    Description: Interface connecting FW_B to the downstream L3 switch. It is assigned to the Trust security zone.

  VRRP group 1
    ● Interface: GE1/0/1
    ● ID: 1
    ● Virtual IP address: 1.1.1.1
    ● State: slave
    Description: VRRP group 1 on FW_B.

  VRRP group 2
    ● Interface: GE1/0/2
    ● ID: 2
    ● Virtual IP address: 2.2.2.1
    ● State: slave
    Description: VRRP group 2 on FW_B.

  OSPF
    ● Process ID: 100
    ● Network segment: 2.2.2.0 0.0.0.255
    ● Network segment: 10.2.0.0 0.0.0.255
    Description: OSPF on FW_B.

Multi-ISP Uplink Selection Planning


When the FW serves as the egress gateway and provides multiple outbound
interfaces, the administrator must plan multi-ISP uplink selection. The matching
order for multi-ISP uplink selection is PBRs, specific routes, and default routes. For
the two ISP links leased by the enterprise for Internet access, ISP1 provides fast
Internet access and stable bandwidth but at a higher price; ISP2 is cheap but
provides slower access. The enterprise expects that traffic of different applications
is forwarded through different links and that Internet traffic is carried over the link
of the best transmission quality. Therefore, the global uplink selection policies in
the present case include application-based PBR and link quality-based load
balancing. Such multi-egress routing planning is as follows:
● Application-based PBR
P2P traffic and web video traffic use much bandwidth. Therefore, the two
types of traffic are routed to specific links for forwarding. This is implemented
through application-based PBR.
PBRs pbr_1 and pbr_2 are created. All traffic of the intranet business
systems goes out from GE1/0/1 and is forwarded by ISP1 to the Internet. The
intranet entertainment traffic, such as video and VoIP traffic, all goes out
from GE1/0/2 and is forwarded by ISP2 to the Internet.
● Intelligent uplink selection (link quality-based load balancing)
Because the enterprise requests to use the link of the best transmission
quality to carry Internet traffic, the intelligent uplink selection mode is set to
link quality-based load balancing. The outbound interfaces of the FWs directly
connected to ISP1 and ISP2 are set as the member interfaces for intelligent
uplink selection.
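The three-stage matching order described above (PBR, then specific routes, then default routes, each stage skipped when the IP-link it tracks is down) can be modelled in a few lines. The following Python is an added example, not part of the Huawei document: it uses the PBR rules and default routes planned for FW_A, adds one constructed specific route (203.0.113.0/24) purely to exercise the middle stage, and stands in for link quality-based load balancing by taking the first usable default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_ip: str
    app_category: str   # category/sub-category assigned by application identification


@dataclass(frozen=True)
class PbrRule:
    name: str
    src_zone: str
    app_categories: frozenset
    egress: str
    next_hop: str
    track: str          # the IP-link whose state gates this rule


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    egress: str
    next_hop: str
    track: Optional[str] = None


def select_egress(flow: Flow, pbr: List[PbrRule], routes: List[StaticRoute],
                  link_up: Dict[str, bool]) -> Tuple[str, str, str, str]:
    """Apply the order the page states: PBR rules first, then the most specific
    static route, then a default route.  A rule or route whose tracked IP-link is
    down is skipped, so the traffic falls through to the next stage."""
    def usable(track: Optional[str]) -> bool:
        return track is None or link_up.get(track, False)

    for rule in pbr:                                  # stage 1: policy-based routing
        if (rule.src_zone == flow.src_zone
                and flow.app_category in rule.app_categories
                and usable(rule.track)):
            return ("pbr", rule.name, rule.egress, rule.next_hop)

    dst = ipaddress.ip_address(flow.dst_ip)
    candidates = [r for r in routes
                  if dst in ipaddress.ip_network(r.prefix) and usable(r.track)]
    if not candidates:
        return ("none", "-", "-", "-")
    # stages 2 and 3: longest prefix wins; among equal /0 defaults the first
    # configured one is taken (stand-in for link quality-based load balancing)
    best = max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    stage = "default-route" if ipaddress.ip_network(best.prefix).prefixlen == 0 else "specific-route"
    return (stage, best.prefix, best.egress, best.next_hop)


# PBR rules and tracked default routes as planned for FW_A in this example
PBR_RULES = [
    PbrRule("pbr_1", "trust", frozenset({"Business_Systems"}),
            "GigabitEthernet1/0/1", "1.1.1.254", "ip_link_1"),
    PbrRule("pbr_2", "trust", frozenset({"VoIP", "PeerCasting"}),
            "GigabitEthernet1/0/2", "2.2.2.254", "ip_link_2"),
]
ROUTES = [
    # constructed specific route (not from the page) to exercise the middle stage
    StaticRoute("203.0.113.0/24", "GigabitEthernet1/0/2", "2.2.2.254"),
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/1", "1.1.1.254", "ip_link_1"),
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/2", "2.2.2.254", "ip_link_2"),
]

if __name__ == "__main__":
    links = {"ip_link_1": True, "ip_link_2": True}
    for f in (Flow("trust", "198.51.100.7", "Business_Systems"),
              Flow("trust", "198.51.100.7", "VoIP"),
              Flow("trust", "203.0.113.9", "Web_Browsing"),
              Flow("trust", "198.51.100.7", "Web_Browsing")):
        print(f, "->", select_egress(f, PBR_RULES, ROUTES, links))
    # ISP2 link failure: pbr_2 is skipped and VoIP falls back to the ISP1 default route
    links["ip_link_2"] = False
    print(select_egress(Flow("trust", "198.51.100.7", "VoIP"), PBR_RULES, ROUTES, links))
```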

User Authentication Planning


R&D employees and marketing employees can log in to the AD domain using their
domain accounts and passwords and access network resources without further
authentication. The user information of new employees may have been created in
the AD server but not stored in the FW. Therefore, it is required that the user
information be imported to the FW according to the organizational structure in
the AD server after the users are authenticated.
1. Configure the AD server on the FW, and ensure normal communication
between the FW and AD server.
2. Configure an authentication domain on the FW, setting the name of the
authentication domain to the domain name on the AD server.


3. Configure the server import policy on the FW to import the user information
in the AD server to the FW.
4. Configure the new user option of the authentication domain so that an
authenticated user who does not yet exist on the FW logs in as a temporary user.
5. Configure SSO parameters on the FW, ensuring that the FW monitors the
authentication result packet sent by the AD server to the user PC.
In the present case, the authentication packet does not pass through the FW.
Therefore, it is necessary to mirror the authentication result packet sent by
the AD server to the user PC.
6. Set the online user aging time to 480 minutes to avoid frequent sign-on
authentication due to the aging of online connections during business hours
(assuming 8 hours).
7. Configure port mirroring on the switch to mirror the authentication packets to
the FW.

Table 5-2 User authentication planning

Item: AD server
Data:
● Name: auth_server_ad
● IP address of the primary authentication server: 10.3.0.251
● Port: 88
● Device name of the primary authentication server: ad.cce.com
● Base DN/Port DN: dc=cce, dc=com
● LDAP port: 389
● Administrator DN: cn=administrator, cn=users
● Administrator password: Admin@123
Description: Configure the AD server on the FW. This is to set the parameters used for communication between the FW and the AD server. The parameters set here must be consistent with those set on the AD server.

Item: Import policy
Data:
● Name: policy_import
● Server type: AD
● Server name: auth_server_ad
● Import type: import users and user groups locally
● Destination group: /cce.com
● Automatic synchronization with server: 120 minutes
● Override the local user record when the current user already exists
Description: Import user information from the AD server to the FW.

Item: AD single-sign-on
Data:
● AD single-sign-on: enable
● Work mode: no-plug-in
● Interface receiving mirrored authentication packets: GigabitEthernet 1/0/4
● Parsed traffic: 10.3.0.251:88 (server IP address:authentication port)
Description: Configure single-sign-on parameters on the FW to receive user sign-on information sent by the AD server.

Security Policy Planning


Different security policies are configured for different user groups to control the
Internet permissions for users of different departments:
● Senior managers can access the Internet freely.
● Marketing employees can access the Internet but cannot play games or watch
videos on the Internet.
● R&D employees can access the Internet but cannot carry out entertainment
activities, including games, IM chatting, video calls, voice calls, and access to
social websites.


In addition, antivirus, IPS, and URL filtering profiles can be included in the security
policies to defend against viruses, worms, Trojan horses, and botnets, and to
filter websites.
Normally, the default antivirus and IPS profiles are sufficient. Create a URL
filtering profile and set the URL filtering control level to "medium", which
restricts access to all adult and illegal websites.

Table 5-3 Security policy planning

Item: Security policy for senior management
Data:
● Name: policy_sec_management
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● User: management
● Action: permit
● Antivirus: default
● IPS: default
● URL filtering: profile_url
Description: The security policy policy_sec_management allows senior managers to access the Internet freely.

Item: Security policy 1 for marketing
Data:
● Name: policy_sec_marketing_1
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● User: marketing
● Application: Game and Media_Sharing
● Action: deny
Description: The security policy policy_sec_marketing_1 prohibits marketing employees from playing games through the Internet. Game indicates game applications. Media_Sharing indicates media sharing.

Item: Security policy 2 for marketing
Data:
● Name: policy_sec_marketing_2
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● User: marketing
● Action: permit
● Antivirus: default
● IPS: default
● URL filtering: profile_url
Description: The security policy policy_sec_marketing_2 allows marketing employees to access the Internet.

Item: Security policy 1 for R&D
Data:
● Name: policy_sec_research_1
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● User: research
● Application: Entertainment
● Action: deny
Description: The security policy policy_sec_research_1 prohibits R&D employees from entertainment activities through the Internet. Entertainment indicates entertainment applications.

Item: Security policy 2 for R&D
Data:
● Name: policy_sec_research_2
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● User: research
● Action: permit
● Antivirus: default
● IPS: default
● URL filtering: profile_url
Description: The security policy policy_sec_research_2 allows R&D employees to access the Internet.

Item: IPSec security policy 1
Data:
● Name: policy_sec_ipsec_1
● Source security zone: local, ISP1, and ISP2
● Destination security zone: local, ISP1, and ISP2
● Source address/region: 1.1.1.2/32 and 3.3.3.1/32
● Destination address/region: 1.1.1.2/32 and 3.3.3.1/32
● Action: permit
Description: The security policy policy_sec_ipsec_1 allows setup of IPSec tunnels between the NGFWs of the headquarters and the branches.

Item: IPSec security policy 2
Data:
● Name: policy_sec_ipsec_2
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● Source address/region: 10.1.0.0/16
● Destination address/region: 192.168.1.0/24
● Action: permit
● Antivirus: default
● IPS: default
Description: The security policy policy_sec_ipsec_2 allows headquarters employees to access branch employees through IPSec tunnels. The source address/region is the network segment of the headquarters employees, and the destination address/region is the network segment of the branch employees.

Item: IPSec security policy 3
Data:
● Name: policy_sec_ipsec_3
● Source security zone: ISP1 and ISP2
● Destination security zone: trust
● Source address/region: 192.168.1.0/24
● Action: permit
● Antivirus: default
● IPS: default
Description: The security policy policy_sec_ipsec_3 allows branch employees to access headquarters employees through IPSec tunnels. The source address/region is the network segment of the branch employees.

Item: Security policy 1 for L2TP over IPSec
Data:
● Name: policy_sec_l2tp_ipsec_1
● Source security zone: trust
● Destination security zone: ISP1 and ISP2
● Destination address/region: 10.1.1.1/16
● Destination address/region: 10.1.1.2-10.1.1.100
● Action: permit
Description: The security policy policy_sec_l2tp_ipsec_1 allows headquarters employees to access mobile employees. The destination address is the network segment of the L2TP address pool.

Item: Security policy 2 for L2TP over IPSec
Data:
● Name: policy_sec_l2tp_ipsec_2
● Source security zone: untrust
● Destination security zone: trust
● Source address/region: 10.1.1.2-10.1.1.100
● Destination address/region: 10.1.1.1/16
● Action: permit
● Antivirus: default
● IPS: default
Description: The security policy policy_sec_l2tp_ipsec_2 allows mobile employees to access the enterprise intranet.

Item: Security policy for server access of extranet users
Data:
● Name: policy_sec_server
● Source security zone: ISP1 and ISP2
● Destination security zone: trust
● Destination address/region: 10.2.0.10/32 and 10.2.0.11/32
● Action: permit
● Antivirus: default
● IPS: default
Description: The security policy policy_sec_server allows extranet users to access the intranet servers of the enterprise network. The destination address/region is the private IP address of a server to which a public address is mapped.

NAT Planning
The enterprise has 500 employees but limited public IP addresses. To enable a
large number of intranet users to access the Internet with the limited public
addresses, it is necessary to deploy source NAT on the FW to translate the source
addresses of packets sent from intranet users to the Internet from private
addresses to public addresses.
In addition, the enterprise network provides web servers and FTP servers for public
network users. Because the servers are deployed inside the enterprise network, it is
necessary to configure server mapping to map the private IP address of a server to
a public address.

Table 5-4 Data planning

Item: NAT policy for traffic to branches
Data:
● Name: policy_nat_ipsec_01
● Source security zone: trust
● Destination security zone: ISP1
● Destination address: 192.168.1.0/24
● Action: no NAT

● Name: policy_nat_ipsec_02
● Source security zone: trust
● Destination security zone: ISP2
● Destination address: 192.168.1.0/24
● Action: no NAT
Description: NAT is not performed for traffic to the branches (destination IP address: 192.168.1.0/24). This traffic is routed directly to the IPSec tunnel.

Item: NAT policy for traffic to the Internet
Data:
NAT policy
● Name: policy_nat_internet_01
● Source security zone: trust
● Destination security zone: ISP1
● Source address: addresses in the address pool
● Address pool: 1

NAT policy
● Name: policy_nat_internet_02
● Source security zone: trust
● Destination security zone: ISP2
● Source address: addresses in the address pool
● Address pool: 1

NAT address pool
● Name: nataddr
● IP address range: 1.1.1.1-1.1.1.4
Description: NAT is performed for traffic to the Internet. The source address is translated from a private IP address to a public IP address in the address pool. The four IP addresses, 1.1.1.1 to 1.1.1.4, obtained from the carrier are used as addresses in the NAT address pool.

Item: Web server mapping policy
Data:
● Name: policy_nat_web_01
● Zone: ISP1
● Public address: 1.1.1.5
● Private address: 10.2.0.10
● Public port: 8080
● Private port: 80

● Name: policy_nat_web_02
● Zone: ISP2
● Public address: 2.2.2.5
● Private address: 10.2.0.10
● Public port: 8080
● Private port: 80
Description: With this mapping, extranet users can access 1.1.1.5 and 2.2.2.6, and traffic to port 8080 can be routed to the intranet web server. The private address of the web server is 10.2.0.10, and its private port number is 80.

Item: FTP server mapping policy
Data:
● Name: policy_nat_ftp_01
● Zone: ISP1
● Public address: 1.1.1.6
● Private address: 10.2.0.11
● Public port: 21
● Private port: 21

● Name: policy_nat_ftp_02
● Zone: ISP2
● Public address: 2.2.2.6
● Private address: 10.2.0.11
● Public port: 21
● Private port: 21
Description: With this mapping, extranet users can access 1.1.1.6 and 2.2.2.6, and traffic to port 21 can be routed to the intranet FTP server. The private address of the FTP server is 10.2.0.11, and its private port number is 21.
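Both the security policy (Table 5-3) and the NAT policy (Table 5-4) are first-match rule lists, so the deny rules for marketing and R&D and the no-NAT rules for branch traffic only do their job if they sit above the broader permit and Internet-NAT rules. The following Python is an added example, not part of the Huawei document: it evaluates constructed flows against a subset of the planned rules, and its zone, address, user and application matching is a simplified model of the FW's behaviour (no match in the security policy is treated as deny, no match in the NAT policy as no translation).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None   # an unset rule field matches everything, as on the FW


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: Optional[str] = None   # user group resolved by authentication
    app: Optional[str] = None    # application category identified by the FW


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # permit/deny or nat/no-nat
    src_zones: Optional[frozenset] = ANY
    dst_zones: Optional[frozenset] = ANY
    src_nets: Optional[tuple] = ANY       # CIDR strings
    dst_nets: Optional[tuple] = ANY
    users: Optional[frozenset] = ANY
    apps: Optional[frozenset] = ANY


def _in_nets(ip: str, nets) -> bool:
    return nets is ANY or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def _in_set(value, allowed) -> bool:
    return allowed is ANY or value in allowed


def matches(rule: Rule, flow: Flow) -> bool:
    return (_in_set(flow.src_zone, rule.src_zones) and _in_set(flow.dst_zone, rule.dst_zones)
            and _in_nets(flow.src_ip, rule.src_nets) and _in_nets(flow.dst_ip, rule.dst_nets)
            and _in_set(flow.user, rule.users) and _in_set(flow.app, rule.apps))


def first_match(rules: List[Rule], flow: Flow, default: str) -> Tuple[str, str]:
    """Rules are evaluated top-down and the first match decides, so a deny rule
    must sit above the broader permit rule it is meant to carve an exception from."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", default


ISP = frozenset({"ISP1", "ISP2"})
TRUST = frozenset({"trust"})

# Subset of Table 5-3 in planned order (marketing and R&D rows, IPSec policy 2)
SECURITY_POLICY = [
    Rule("policy_sec_marketing_1", "deny", TRUST, ISP, users=frozenset({"marketing"}),
         apps=frozenset({"Game", "Media_Sharing"})),
    Rule("policy_sec_marketing_2", "permit", TRUST, ISP, users=frozenset({"marketing"})),
    Rule("policy_sec_research_1", "deny", TRUST, ISP, users=frozenset({"research"}),
         apps=frozenset({"Entertainment"})),
    Rule("policy_sec_research_2", "permit", TRUST, ISP, users=frozenset({"research"})),
    Rule("policy_sec_ipsec_2", "permit", TRUST, ISP, ("10.1.0.0/16",), ("192.168.1.0/24",)),
]

# Source NAT rows of Table 5-4: no-NAT for branch traffic must precede Internet NAT
NAT_POLICY = [
    Rule("policy_nat_ipsec_01", "no-nat", TRUST, frozenset({"ISP1"}), dst_nets=("192.168.1.0/24",)),
    Rule("policy_nat_ipsec_02", "no-nat", TRUST, frozenset({"ISP2"}), dst_nets=("192.168.1.0/24",)),
    Rule("policy_nat_internet_01", "nat", TRUST, frozenset({"ISP1"})),
    Rule("policy_nat_internet_02", "nat", TRUST, frozenset({"ISP2"})),
]


def process(flow: Flow, security=SECURITY_POLICY, nat=NAT_POLICY) -> Dict[str, str]:
    """Security policy first (no match: deny), then the NAT policy for permitted
    traffic (no match: no translation).  Simplified model of the forwarding decision."""
    sec_name, verdict = first_match(security, flow, "deny")
    result = {"security": sec_name, "action": verdict}
    if verdict == "permit":
        nat_name, nat_action = first_match(nat, flow, "no-nat")
        result.update(nat=nat_name, nat_action=nat_action)
    return result


if __name__ == "__main__":
    # constructed sample flows from a headquarters client at 10.1.5.20
    game = Flow("trust", "ISP1", "10.1.5.20", "198.51.100.9", user="marketing", app="Game")
    web = Flow("trust", "ISP1", "10.1.5.20", "198.51.100.9", user="marketing", app="Web_Browsing")
    branch = Flow("trust", "ISP1", "10.1.5.20", "192.168.1.30")
    print(process(game))    # denied by policy_sec_marketing_1
    print(process(web))     # permitted, source NAT via policy_nat_internet_01
    print(process(branch))  # permitted, policy_nat_ipsec_01 keeps it untranslated for IPSec
    # misordered NAT policy: Internet NAT above no-NAT would translate the branch traffic
    print(process(branch, nat=list(reversed(NAT_POLICY))))
```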

Bandwidth Management Planning


The total bandwidth is 20 Gbit/s. To ensure bandwidth for normal work, it is
necessary to configure a traffic policy that restricts P2P traffic. In addition,
different traffic profiles and traffic policies are also needed for different intranet
users.
1. The maximum upstream bandwidth for P2P traffic between intranet users and
the Internet is 2 Gbit/s, and the maximum downstream bandwidth is 6 Gbit/s,
to avoid the consumption of large quantities of bandwidth resources.
2. To ensure the normal operation of email and ERP applications during business
hours, bandwidth for such traffic is at least 4 Gbit/s.
3. For Internet access of senior managers, the minimum upstream and
downstream bandwidth is 200 Mbit/s, and the maximum downstream
bandwidth per user is 20 Mbit/s.


Table 5-5 Planning of traffic policies

Item: Traffic policy restricting P2P traffic
Data:
Traffic policy
● Name: policy_bandwidth_p2p
● Source security zone: trust
● Destination security zone: ISP1, ISP2
● Application: P2P online video and P2P file sharing
● Action: limit
● Traffic profile: profile_p2p

Traffic profile
● Name: profile_p2p
● Restrict mode: upstream bandwidth and downstream bandwidth
● Maximum upstream bandwidth: 2000 Mbit/s
● Maximum downstream bandwidth: 6000 Mbit/s
● Whole maximum connections: 10,000
Description: The P2P online video and P2P file sharing applications are selected, which are P2P media and P2P download.

Item: Traffic policy ensuring major services
Data:
Traffic policy
● Name: policy_bandwidth_email
● Source security zone: trust
● Destination security zone: ISP1, ISP2
● Application: Outlook Web Access and LotusNotes
● Time range: work_time
● Action: restrict
● Traffic profile: profile_email

Traffic profile
● Name: profile_email
● Restrict mode: upstream bandwidth and downstream bandwidth
● Guaranteed upstream bandwidth: 4000 Mbit/s
● Guaranteed downstream bandwidth: 4000 Mbit/s
Description: The Outlook Web Access and LotusNotes applications are selected, which are email applications.

Item: Traffic policy for senior management
Data:
Traffic policy
● Name: policy_bandwidth_management
● Source security zone: ISP1, ISP2
● Destination security zone: trust
● User: /management
● Action: restrict
● Traffic profile: profile_management

Traffic profile
● Name: profile_management
● Restrict mode: upstream bandwidth and downstream bandwidth
● Guaranteed upstream bandwidth: 200 Mbit/s
● Guaranteed downstream bandwidth: 200 Mbit/s
● Maximum upstream bandwidth for one IP address: 2 Mbit/s
● Maximum downstream bandwidth for one IP address: 2 Mbit/s
Description: -


Attack Defense
Attack defense should be enabled on the FW for security defense. The
recommended configuration is as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

IPSec Planning
For branch employees, to ensure their secure communication with the headquarter
employees and ensure their access to the headquarter servers, IPSec VPN is
needed. If there are not many branches, point-to-point IPSec VPN in IKE mode is
recommended. In the case of many branches, point-to-multipoint IPSec VPN is
recommended.

Table 5-6 IPSec policy planning

Item: IPSec policy for headquarters FW_A
Data:
● Scenario: point-to-point
● Authentication mode: pre-shared key
● Pre-shared key: Admin@123
● Local ID: IP address
● Peer ID: IP address
Description:
● The headquarters and the branch must have consistent pre-shared keys.
● The peer gateway IP address is the IP address of the branch public interface.
● The source address is the network segment of the headquarters intranet.
● The destination address is the network segment of the branch intranet.
● The default values of the parameters not in the data plan can be used. Any modification must be made at both ends to keep the configuration consistent.

Item: IPSec policy for branch FW_C
Data:
● Scenario: point-to-point
● Authentication mode: pre-shared key
● Pre-shared key: Admin@123
● Local ID: IP address
● Peer ID: IP address
Description:
● The headquarters and the branch must have consistent pre-shared keys.
● The peer gateway IP address is the IP address of the headquarters public interface.
● The source address is the network segment of the branch intranet.
● The destination address is the network segment of the headquarters intranet.
● Any modification must be made at both ends to keep the configuration consistent.

To ensure access of mobile and home-office employees to the enterprise network,
L2TP over IPSec is needed.

Table 5-7 L2TP over IPSec planning

Item: FW_A (LNS)
Data:
Port number: GigabitEthernet 1/0/1
IP address: 1.1.1.2/24
Security zone: ISP1

Port number: GigabitEthernet 1/0/4
IP address: 10.1.1.1/16
Security zone: Trust

Virtual-Template port
Port number: Virtual-Template 1
IP address: 10.11.1.1/24

L2TP configuration
Authentication mode: CHAP and PAP
Tunnel authentication: enable
Tunnel peer name: client1
Tunnel local name: lns
Tunnel password: Password@123

Address pool and user configuration
IP pool 1
Address range: 10.1.1.2 to 10.1.1.100
Name for user authentication: vpdnuser
Password for user authentication: Hello123

IPSec configuration
Use the LNS server's IP address: enable
Encapsulation mode: tunnel
Security protocol: ESP
ESP authentication algorithm: SHA-1
ESP encryption algorithm: AES-128
NAT traversal: enable

Item: LAC
Data:
L2TP configuration
Authentication mode: CHAP
Tunnel name: client1

User configuration
Name for user authentication: vpdnuser
Password for user authentication: Hello123

IPSec configuration
Pre-shared key: Test!1234
Peer address: 1.1.1.2

5.4 Precautions
Intelligent Uplink Selection
For versions earlier than V500R001C30SPC600, global intelligent uplink selection
and PBR intelligent uplink selection cannot be used together with IP address
spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP address
spoofing defense or URPF is enabled, the FW may drop packets.

Hot Standby
● When hot standby runs together with IPSec, the upstream and downstream
tunneling interfaces of the active and standby devices must be Layer 3
interfaces.
● When hot standby runs together with IPSec, the hot standby configuration
and IPSec configuration are the same as when each function runs alone.
● The IPSec policy configuration of the active firewall is automatically replicated
to the standby firewall, but the configuration on interfaces is not replicated.
Therefore, it is necessary to apply the replicated IPSec policy on the egress
interface of the standby firewall.
● If the local device is the initiator of an IPSec tunnel, the tunnel local ip-address
command must be run to set the local address that initiates negotiation to the
virtual IP address of the VRRP group.

Security and Applications


● Intrusion prevention is available no matter whether the firewall is licensed.
When no license is available, intrusion prevention can run by means of
user-defined signatures.
● When the license expires or is deactivated, the existing intrusion prevention
signature database and user-defined signatures can still be used, but the
signature database cannot be updated.
● Updating the intrusion prevention signature database requires license
support. After the license is loaded, the signature database needs to be
loaded manually.
● After the intrusion prevention signature database is updated, if an old
predefined signature is not in the new signature database, all configuration
related to that signature no longer takes effect.
● Updating the antivirus function and its signature database also requires
license support. Before a license is loaded, the antivirus function can be
configured but the configuration does not take effect. After the license is
loaded, the AV signature database needs to be loaded manually. Otherwise, the
antivirus function cannot work normally. After the license expires, the
antivirus function can continue functioning but the AV signature database
cannot be updated. For better security protection, it is recommended that you
purchase a new license.
● The AV signature database is updated frequently. To ensure an effective
antivirus function, it is recommended that you update the signature database
periodically.
● In IPv6 networking, no antivirus function is available for IMAP, SMTP, and
POP3 services.
● For files whose transfer is resumed from the last disconnected location,
antivirus detection is not available.
● In a networking environment where the paths for packets in the two directions
are different, the detection of network intrusions may not be effective, and no
antivirus function is available for SMTP and POP3 services.
● Predefined applications depend on the embedded application signature
database of the system. Because new applications keep emerging, when a
new application cannot be identified using the embedded application
signature database, it is recommended that you update the application
signature database.

User and Authentication


Users are organized into multiple tree structures with an authentication domain
being the top-level node. Note the following:
● For a command referencing a user or security group in a non-default
authentication domain to run, the command must carry "@authentication
domain name". For example, "user1@test" represents the user user1 in the
test authentication domain, and "secgroup1@test" represents the security group
secgroup1 in the authentication domain test.
● User-related actions, including creating a user, moving a user, and importing a
user from the server, are all based on one authentication domain. Inter-domain
actions are not supported.

NAT Policies
● When configuring the two source NAT mechanisms, NAT No-PAT and triplet
NAT, do not set the address of a firewall interface to an address in the NAT
address pool to avoid impact on access to the firewall itself.
● When NAT and VPN functions work together, define precise matching
conditions for NAT policies to ensure that NAT is not performed for packets
requiring VPN encapsulation.

IPSec VPN
● When the IPSec proposal is configured, the security protocol, authentication
algorithm, encryption algorithm, and packet encapsulation must be exactly
the same at both ends of the IPSec tunnel.
● It is recommended that the MTU on the interface where an IPSec security
policy group is applied be not smaller than 256 bytes. This is because the size
of IP packets increases after IPSec processing and the increased part varies
with the encapsulation mode, security protocol, authentication algorithm, and
encryption algorithm (at most over 100 bytes). If the MTU is too small, large
IP packets will be fragmented. When there are too many fragments, the peer
device may have a problem in processing the received fragments.
● When both IPSec and NAT are configured, NAT cannot be performed for IPSec
traffic, and no-NAT is required.
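The MTU guidance above can be checked with plain arithmetic. The following Python is an added example, not part of the Huawei document: it computes how much an ESP packet grows for the parameters planned in Table 5-7 (ESP, tunnel mode, AES-128, SHA-1, NAT traversal), using the standard ESP, IPv4 and UDP header sizes, and the 1500-byte MTU used in the checks is an assumed value.

```python
# Added example: ESP size arithmetic for the IPSec parameters planned in Table 5-7.

ESP_HEADER = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1) + next header (1)
OUTER_IPV4 = 20       # new outer IPv4 header added in tunnel mode (no options)
NAT_T_UDP = 8         # UDP header (port 4500) added by NAT traversal
CIPHER = {"AES-128": (16, 16), "AES-256": (16, 16), "3DES": (8, 8)}   # (IV bytes, block bytes)
ICV = {"SHA-1": 12, "MD5": 12, "SHA2-256": 16}                         # truncated HMAC lengths


def esp_packet_size(inner_len, cipher="AES-128", auth="SHA-1", tunnel=True, nat_t=True):
    """Size on the wire of one ESP packet carrying an inner IP packet of inner_len bytes."""
    iv_len, block = CIPHER[cipher]
    # CBC padding brings (inner packet + ESP trailer) to a multiple of the block size
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = ESP_HEADER + iv_len + inner_len + pad + ESP_TRAILER + ICV[auth]
    if tunnel:
        size += OUTER_IPV4
    if nat_t:
        size += NAT_T_UDP
    return size


def esp_overhead(inner_len, **kw):
    """Bytes added to the inner packet by IPSec processing."""
    return esp_packet_size(inner_len, **kw) - inner_len


def overhead_range(**kw):
    """Smallest and largest overhead over one block's worth of inner lengths
    (the variation comes only from padding)."""
    block = CIPHER[kw.get("cipher", "AES-128")][1]
    values = [esp_overhead(n, **kw) for n in range(40, 40 + block)]
    return min(values), max(values)


def max_inner_len(mtu, **kw):
    """Largest inner IP packet that still fits in one outer packet of at most mtu
    bytes; anything larger is fragmented before or after encapsulation."""
    n = mtu
    while n > 0 and esp_packet_size(n, **kw) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    print("1500-byte inner packet ->", esp_packet_size(1500), "bytes on the wire")
    print("overhead range in bytes:", overhead_range())
    print("largest inner packet for a 1500-byte MTU:", max_inner_len(1500))
    print("same without NAT traversal:", max_inner_len(1500, nat_t=False))
```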

5.5 Solution Configuration

5.5.1 Configuration Procedure


Procedure
Step 1 Configure IP addresses for interfaces.
# Configure IP addresses for the interfaces of FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.2 24
[FW_A-GigabitEthernet1/0/1] gateway 1.1.1.254
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 2.2.2.2 24
[FW_A-GigabitEthernet1/0/2] gateway 2.2.2.254
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface eth-trunk 1
[FW_A-Eth-Trunk1] ip address 10.10.0.1 24
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/3
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 2/0/1


[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] ip address 10.1.1.1 16
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] portswitch
[FW_A-GigabitEthernet1/0/5] quit

# Similarly, configure IP addresses of the interfaces of FW_B.


Step 2 Assign the interfaces to security zones.
# Create the security zones ISP1, ISP2, and Heart on FW_A, and set their priorities
to 15, 20, and 75 respectively.
[FW_A] firewall zone name ISP1
[FW_A-zone-ISP1] set priority 15
[FW_A-zone-ISP1] quit
[FW_A] firewall zone name ISP2
[FW_A-zone-ISP2] set priority 20
[FW_A-zone-ISP2] quit
[FW_A] firewall zone name Heart
[FW_A-zone-Heart] set priority 75
[FW_A-zone-Heart] quit

# Assign the interfaces of FW_A to the security zones.


[FW_A] firewall zone ISP1
[FW_A-zone-ISP1] add interface GigabitEthernet 1/0/1
[FW_A-zone-ISP1] quit
[FW_A] firewall zone ISP2
[FW_A-zone-ISP2] add interface GigabitEthernet 1/0/2
[FW_A-zone-ISP2] quit
[FW_A] firewall zone Heart
[FW_A-zone-Heart] add interface Eth-Trunk 1
[FW_A-zone-Heart] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/4
[FW_A-zone-trust] add interface GigabitEthernet 1/0/5
[FW_A-zone-trust] quit

# Similarly, assign the interfaces of FW_B to the security zones.


Step 3 Configure default routes.
# Configure the IP-links, checking whether the links provided by the ISPs are
normal.
[FW_A] ip-link check enable
[FW_A] ip-link name ip_link_1
[FW_A-iplink-ip_link_1] destination 1.1.1.254 interface GigabitEthernet1/0/1
[FW_A-iplink-ip_link_1] quit
[FW_A] ip-link name ip_link_2
[FW_A-iplink-ip_link_2] destination 2.2.2.254 interface GigabitEthernet1/0/2
[FW_A-iplink-ip_link_2] quit

# Configure two default routes on FW_A, and set their next hops respectively to
the access points of the two ISPs.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
[FW_A] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2

# Similarly, configure the IP-links and default routes on FW_B.


Step 4 Configure intelligent uplink selection.
# Configure global intelligent uplink selection and set load balancing based on
link quality.


[FW_A] multi-interface
[FW_A-multi-inter] mode priority-of-link-quality
[FW_A-multi-inter] add interface GigabitEthernet1/0/1
[FW_A-multi-inter] add interface GigabitEthernet1/0/2
[FW_A-multi-inter] priority-of-link-quality protocol tcp-simple
[FW_A-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW_A-multi-inter] priority-of-link-quality interval 3 times 5
[FW_A-multi-inter] priority-of-link-quality table aging-time 60
[FW_A-multi-inter] quit

# Similarly, configure intelligent uplink selection on FW_B.

Step 5 Configure PBR.


[FW_A] policy-based-route
[FW_A-policy-pbr] rule name pbr_1
[FW_A-policy-pbr-rule-pbr_1] description pbr_1
[FW_A-policy-pbr-rule-pbr_1] source-zone trust
[FW_A-policy-pbr-rule-pbr_1] application category Business_Systems
[FW_A-policy-pbr-rule-pbr_1] track ip-link ip_link_1
[FW_A-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.254
[FW_A-policy-pbr-rule-pbr_1] quit
[FW_A-policy-pbr] rule name pbr_2
[FW_A-policy-pbr-rule-pbr_2] description pbr_2
[FW_A-policy-pbr-rule-pbr_2] source-zone trust
[FW_A-policy-pbr-rule-pbr_2] application category Entertainment sub-category VoIP
[FW_A-policy-pbr-rule-pbr_2] application category Entertainment sub-category PeerCasting
[FW_A-policy-pbr-rule-pbr_2] track ip-link ip_link_2
[FW_A-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet 1/0/2 next-hop 2.2.2.254
[FW_A-policy-pbr-rule-pbr_2] quit

# Similarly, configure PBR on FW_B.

Step 6 Configure OSPF.

# Configure OSPF on FW_A.


[FW_A] router id 1.1.1.2
[FW_A] ospf 100
[FW_A-ospf-100] default-route-advertise
[FW_A-ospf-100] area 0
[FW_A-ospf-100-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[FW_A-ospf-100-area-0.0.0.0] network 10.1.0.0 0.0.255.255
[FW_A-ospf-100-area-0.0.0.0] quit
[FW_A-ospf-100] quit

# Configure OSPF on FW_B.


[FW_B] router id 2.2.2.3
[FW_B] ospf 100
[FW_B-ospf-100] default-route-advertise
[FW_B-ospf-100] area 0
[FW_B-ospf-100-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[FW_B-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.255.255
[FW_B-ospf-100-area-0.0.0.0] quit
[FW_B-ospf-100] quit

Step 7 Configure hot standby.

# Configure VRRP groups on FW_A and set their states to Active.


[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 2.2.2.1 24 active
[FW_A-GigabitEthernet1/0/2] quit

# Specify the heartbeat interface on FW_A, track GigabitEthernet 1/0/1 and 1/0/4 so
that a fault on either interface triggers a switchover, and enable hot standby.

[FW_A] hrp interface Eth-Trunk 1 remote 10.10.0.2
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp track interface GigabitEthernet 1/0/4
[FW_A] hrp enable

# Configure VRRP groups on FW_B and set their states to Standby.


[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 2.2.2.1 24 standby
[FW_B-GigabitEthernet1/0/2] quit

# Specify the heartbeat interface on FW_B, track the same interfaces, and enable hot
standby.

[FW_B] hrp interface Eth-Trunk 1 remote 10.10.0.1
[FW_B] hrp track interface GigabitEthernet 1/0/1
[FW_B] hrp track interface GigabitEthernet 1/0/4
[FW_B] hrp enable

Step 8 Configure users, user groups, and their authentication.


# Create groups and users for senior managers.
HRP_M[FW_A] user-manage group /default/management
HRP_M[FW_A-usergroup-/default/management] quit
HRP_M[FW_A] user-manage user user_0001
HRP_M[FW_A-localuser-user_0001] alias Tom
HRP_M[FW_A-localuser-user_0001] parent-group /default/management
HRP_M[FW_A-localuser-user_0001] password Admin@123
HRP_M[FW_A-localuser-user_0001] quit

# Similarly, create the groups marketing, research, and onbusiness, and create the
users of every department according to the corporate organizational structure.

# Configure the AD server.
The parameters set here must be consistent with those set on the AD server. Use a
dedicated, least-privilege directory account for the bind rather than the domain
administrator account shown here: the credential is stored on the firewall and
presented on every import and authentication request, and LDAP on port 389 carries
it unencrypted unless the server and the firewall are set up for TLS.
HRP_M[FW_A] ad-server template auth_server_ad
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication 10.3.0.251 88
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication ldap-port 389
HRP_M[FW_A-ad-auth_server_ad] ad-server user-filter sAMAccountName
HRP_M[FW_A-ad-auth_server_ad] ad-server group-filter ou
HRP_M[FW_A-ad-auth_server_ad] quit

# Configure the authentication domain.


HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] domain cce.com
HRP_M[FW_A-aaa-domain-cce.com] service-type internetaccess
HRP_M[FW_A-aaa-domain-cce.com] quit
HRP_M[FW_A] quit

# Configure the import-from-server policy, and import users.


HRP_M[FW_A] user-manage import-policy policy_import from ad
HRP_M[FW_A-import-policy_import] server template auth_server_ad
HRP_M[FW_A-import-policy_import] server basedn dc=cce,dc=com
HRP_M[FW_A-import-policy_import] destination-group /cce.com
HRP_M[FW_A-import-policy_import] user-attribute sAMAccountName
HRP_M[FW_A-import-policy_import] import-type user-group
HRP_M[FW_A-import-policy_import] import-override enable
HRP_M[FW_A-import-policy_import] quit
HRP_M[FW_A] execute user-manage import-policy policy_import

# Configure the new user option of the authentication domain.


HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] domain cce.com
HRP_M[FW_A-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
HRP_M[FW_A-aaa-domain-cce.com] quit
HRP_M[FW_A-aaa] quit

# Configure single-sign-on parameters of the AD server.


HRP_M[FW_A] user-manage single-sign-on ad
HRP_M[FW_A-sso-ad] mode no-plug-in
HRP_M[FW_A-sso-ad] no-plug-in traffic server-ip 10.3.0.251 port 88
HRP_M[FW_A-sso-ad] no-plug-in interface GigabitEthernet1/0/5
HRP_M[FW_A-sso-ad] enable
HRP_M[FW_A-sso-ad] quit

# Set the online-user aging time to 480 minutes.

HRP_M[FW_A] user-manage online-user aging-time 480

Step 9 Configure security policies. After hot standby is enabled, the security policies of
FW_A are automatically replicated to FW_B.
# Configure URL filtering profile profile_url and set the URL filtering control level
to medium.
HRP_M[FW_A] profile type url-filter name profile_url
HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined control-level medium
HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined action allow
HRP_M[FW_A-profile-url-filter-profile_url] quit

# Configure security policies for senior managers.

HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec_management
HRP_M[FW_A-policy-security-rule-policy_sec_management] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_management] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_management] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_management] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_management] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_management] profile url-filter profile_url
HRP_M[FW_A-policy-security-rule-policy_sec_management] user user-group /default/management
HRP_M[FW_A-policy-security-rule-policy_sec_management] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_management] quit

# Configure security policies for marketing employees.


HRP_M[FW_A-policy-security] rule name policy_sec_marketing_1
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Media_Sharing
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Game
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] action deny
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_marketing_2
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile url-filter profile_url
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] user user-group /default/marketing
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] quit

# Configure security policies for R&D employees.


HRP_M[FW_A-policy-security] rule name policy_sec_research_1
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] user user-group /default/research
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] application category Entertainment
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] action deny
HRP_M[FW_A-policy-security-rule-policy_sec_research_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_research_2
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile url-filter profile_url
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] user user-group /default/research
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_research_2] quit

# Configure IPSec security policies. The branch peers with the VRRP virtual address
1.1.1.1 (the remote-address configured on FW_C in Step 13), so the local-zone rule
must permit IKE and ESP to and from that address as well as the interface address
1.1.1.2.

HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone local
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone local
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 1.1.1.1 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 3.3.3.1 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 1.1.1.1 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 3.3.3.1 32
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] source-address 10.1.0.0 16
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] quit
HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_3
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] profile av default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] profile ips default
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] quit

# Configure L2TP over IPSec security policies. Virtual-Template 1 is added to the
untrust zone in Step 14, so the decapsulated traffic between the intranet and the L2TP
clients crosses the trust and untrust zones. A further rule from the ISP zones to the
local zone is needed for the clients' IKE, ESP and L2TP traffic to the LNS address;
mobile clients connect from arbitrary Internet addresses, so that rule cannot be
limited by source address the way policy_sec_ipsec_1 is.

HRP_M[FW_A-policy-security] rule name policy_sec_l2tp_ipsec_1
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] source-address 10.1.0.0 16
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-address range 10.1.1.2 10.1.1.100
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] quit
HRP_M[FW_A-policy-security] rule name policy_sec_l2tp_ipsec_2
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] source-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] source-address range 10.1.1.2 10.1.1.100
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] destination-address 10.1.0.0 16
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] quit

# Configure security policies for the AD server.


HRP_M[FW_A-policy-security] rule name local_policy_ad_01
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] source-zone local
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] destination-zone trust
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] destination-address 10.3.0.251 32
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] action permit
HRP_M[FW_A-policy-security-rule-local_policy_ad_01] quit
HRP_M[FW_A-policy-security] rule name local_policy_ad_02
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] source-zone trust
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] destination-zone local
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] source-address 10.3.0.251 32
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] action permit
HRP_M[FW_A-policy-security-rule-local_policy_ad_02] quit

# Configure the security policy that allows extranet users to access the intranet
servers. The NAT server mapping is applied before the policy lookup, so the rule
matches the servers' internal addresses; restrict it to the published services
instead of permitting every port.
HRP_M[FW_A-policy-security] rule name policy_sec_server
HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.10 32
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.11 32
HRP_M[FW_A-policy-security-rule-policy_sec_server] service http
HRP_M[FW_A-policy-security-rule-policy_sec_server] service ftp
HRP_M[FW_A-policy-security-rule-policy_sec_server] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_server] quit
HRP_M[FW_A-policy-security] quit

Step 10 Configure NAT. After hot standby is enabled, the NAT policies of FW_A are
automatically synchronized to FW_B.
# Configure NAT address pool nataddr. The section below spans 1.1.1.1 to 1.1.1.4 and
therefore also contains the real interface addresses 1.1.1.2 (FW_A) and 1.1.1.3
(FW_B). In an HRP pair, keep such addresses out of the pool and use the VRRP virtual
address and spare addresses, so that sessions translated to a pool address remain
reachable after a switchover.
HRP_M[FW_A] nat address-group nataddr
HRP_M[FW_A-nat-address-group-nataddr] mode pat
HRP_M[FW_A-nat-address-group-nataddr] section 0 1.1.1.1 1.1.1.4
HRP_M[FW_A-nat-address-group-nataddr] route enable
HRP_M[FW_A-nat-address-group-nataddr] quit

# Configure the NAT policies for traffic to the Internet, policy_nat_internet_01 and
policy_nat_internet_02. Both rules draw on the same pool of ISP1 addresses; if ISP2
discards packets whose source address is outside its own range (source-address
filtering), define a second pool of ISP2 addresses for policy_nat_internet_02.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat_internet_01
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] destination-zone ISP1
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] action source-nat address-group nataddr
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] quit
HRP_M[FW_A-policy-nat] rule name policy_nat_internet_02
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] destination-zone ISP2
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] action source-nat address-group nataddr
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] quit

# Configure NAT policies policy_nat_ipsec_01 and policy_nat_ipsec_02 for traffic to
branches.
HRP_M[FW_A-policy-nat] rule name policy_nat_ipsec_01
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] destination-zone ISP1
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] destination-address 192.168.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] action no-nat
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] quit
HRP_M[FW_A-policy-nat] rule name policy_nat_ipsec_02
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] destination-zone ISP2


HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] destination-address 192.168.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] action no-nat
HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] quit
HRP_M[FW_A-policy-nat] quit

# Configure the NAT server function.


HRP_M[FW_A] nat server for_web_01 zone ISP1 protocol tcp global 1.1.1.5 8080 inside 10.2.0.10 www
HRP_M[FW_A] nat server for_web_02 zone ISP2 protocol tcp global 2.2.2.5 8080 inside 10.2.0.10 www
HRP_M[FW_A] nat server for_ftp_01 zone ISP1 protocol tcp global 1.1.1.6 ftp inside 10.2.0.11 ftp
HRP_M[FW_A] nat server for_ftp_02 zone ISP2 protocol tcp global 2.2.2.6 ftp inside 10.2.0.11 ftp

# Enable NAT ALG for FTP on the interzones that carry the FTP traffic. The FTP server
is published towards ISP1 and ISP2; without the ALG, the data-connection address
announced inside the FTP control channel is not translated.

HRP_M[FW_A] firewall interzone trust ISP1
HRP_M[FW_A-interzone-trust-ISP1] detect ftp
HRP_M[FW_A-interzone-trust-ISP1] quit
HRP_M[FW_A] firewall interzone trust ISP2
HRP_M[FW_A-interzone-trust-ISP2] detect ftp
HRP_M[FW_A-interzone-trust-ISP2] quit

Step 11 Configure attack defense. After hot standby is enabled, the attack defense
configuration of FW_A is automatically synchronized to FW_B.
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable

Step 12 Configure traffic policies. After hot standby is enabled, the traffic policies of FW_A
are automatically replicated to FW_B.
# Configure the time range.
HRP_M[FW_A] time-range work_time
HRP_M[FW_A-time-range-work_time] period-range 09:00:00 to 18:00:00 working-day
HRP_M[FW_A-time-range-work_time] quit

# Configure the traffic profile that restricts P2P traffic, profile_p2p.


HRP_M[FW_A] traffic-policy
HRP_M[FW_A-policy-traffic] profile profile_p2p
HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole upstream 2000000
HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole downstream 6000000
HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FW_A-policy-traffic-profile-profile_p2p] quit

# Configure the traffic policy that restricts P2P traffic, policy_bandwidth_p2p.


HRP_M[FW_A-policy-traffic] rule name policy_bandwidth_p2p
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] source-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] destination-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] destination-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] application category Entertainment sub-category PeerCasting
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] application category General_Internet sub-category FileShare_P2P
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] action qos profile profile_p2p
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] quit

# Configure the traffic profile that guarantees the bandwidth for email and ERP
applications.
HRP_M[FW_A-policy-traffic] profile profile_email
HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole upstream 4000000
HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole downstream 4000000
HRP_M[FW_A-policy-traffic-profile-profile_email] quit

# Configure the traffic policy that guarantees the bandwidth for email and ERP
applications.
HRP_M[FW_A-policy-traffic] rule name policy_email
HRP_M[FW_A-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FW_A-policy-traffic-rule-policy_email] time-range work_time
HRP_M[FW_A-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FW_A-policy-traffic-rule-policy_email] quit

# Configure the traffic profile for senior management.


HRP_M[FW_A-policy-traffic] profile profile_management
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth guaranteed-bandwidth whole upstream 200000
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth guaranteed-bandwidth whole downstream 200000
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth maximum-bandwidth per-ip upstream 20000
HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth maximum-bandwidth per-ip downstream 20000
HRP_M[FW_A-policy-traffic-profile-profile_management] quit

# Configure the traffic policy for senior management.


HRP_M[FW_A-policy-traffic] rule name policy_bandwidth_management
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] source-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] source-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] destination-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] user user-group /default/management
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] action qos profile profile_management
HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] quit

Step 13 Configure IPSec VPN. After hot standby is enabled, the IPSec VPN configuration of
FW_A is automatically synchronized to FW_B.
The proposals below keep the example's 3DES, SHA-1 and DH group 5 settings for
compatibility with the branch device. Where both peers support them, prefer AES-256,
HMAC-SHA2-256 and DH group 14 or stronger, and replace the sample pre-shared key
with a long random value that is unique to each branch.
# Configure IPSec on FW_A at the headquarters.
HRP_M[FW_A] acl 3000
HRP_M[FW_A-acl-adv-3000] rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
HRP_M[FW_A-acl-adv-3000] quit
HRP_M[FW_A] ipsec proposal tran1
HRP_M[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
HRP_M[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-128
HRP_M[FW_A-ipsec-proposal-tran1] quit
HRP_M[FW_A] ike proposal 10
HRP_M[FW_A-ike-proposal-10] authentication-method pre-share
HRP_M[FW_A-ike-proposal-10] prf hmac-sha1
HRP_M[FW_A-ike-proposal-10] encryption-algorithm 3des
HRP_M[FW_A-ike-proposal-10] dh group5
HRP_M[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW_A-ike-proposal-10] quit
HRP_M[FW_A] ike peer headquarters
HRP_M[FW_A-ike-peer-headquarters] ike-proposal 10
HRP_M[FW_A-ike-peer-headquarters] pre-shared-key Admin@123
HRP_M[FW_A-ike-peer-headquarters] quit
HRP_M[FW_A] ipsec policy-template temp 1
HRP_M[FW_A-ipsec-policy-templet-temp-1] security acl 3000
HRP_M[FW_A-ipsec-policy-templet-temp-1] proposal tran1
HRP_M[FW_A-ipsec-policy-templet-temp-1] ike-peer headquarters
HRP_M[FW_A-ipsec-policy-templet-temp-1] quit
HRP_M[FW_A] ipsec policy policy1 1 isakmp template temp
HRP_M[FW_A] interface GigabitEthernet 1/0/1


HRP_M[FW_A-GigabitEthernet1/0/1] ipsec policy policy1


HRP_M[FW_A-GigabitEthernet1/0/1] quit

# Configure IPSec on FW_C of a branch.


[FW_C] acl 3000
[FW_C-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
[FW_C-acl-adv-3000] quit
[FW_C] ipsec proposal tran1
[FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[FW_C-ipsec-proposal-tran1] quit
[FW_C] ike proposal 10
[FW_C-ike-proposal-10] authentication-method pre-share
[FW_C-ike-proposal-10] prf hmac-sha1
[FW_C-ike-proposal-10] encryption-algorithm 3des
[FW_C-ike-proposal-10] dh group5
[FW_C-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_C-ike-proposal-10] quit
[FW_C] ike peer branch
[FW_C-ike-peer-branch] ike-proposal 10
[FW_C-ike-peer-branch] pre-shared-key Admin@123
[FW_C-ike-peer-branch] remote-address 1.1.1.1
[FW_C-ike-peer-branch] quit
[FW_C] ipsec policy policy2 1 isakmp
[FW_C-ipsec-policy-isakmp-policy2-1] security acl 3000
[FW_C-ipsec-policy-isakmp-policy2-1] proposal tran1
[FW_C-ipsec-policy-isakmp-policy2-1] ike-peer branch
[FW_C-ipsec-policy-isakmp-policy2-1] quit
[FW_C] interface GigabitEthernet 1/0/1
[FW_C-GigabitEthernet1/0/1] ipsec policy policy2
[FW_C-GigabitEthernet1/0/1] quit
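The security policies of Step 9, the NAT pool of Step 10 and the IKE/IPSec proposals of Step 13 are the parts of this configuration most worth re-checking before it goes live. The following Python script is an added example, not part of this document or of Huawei's software: it parses a VRP-style configuration script (blocks separated by "#" lines, one- and two-space indentation, as in the configuration scripts in 5.5.3) and reports legacy IKE/IPSec algorithms, permit rules from an ISP zone into trust with no service restriction, and NAT pool sections that contain a real interface address. The embedded excerpt is constructed from the FW_A script above and trimmed to the blocks the checks need; the legacy-algorithm list and the external zone names are assumptions for this example.

```python
"""Audit a Huawei VRP-style firewall script for legacy IKE/IPSec algorithms, inbound permit
rules with no service restriction, and NAT pool sections that contain a real interface
address (added example, not Huawei code; algorithm list and zone names are assumptions)."""
import ipaddress
from collections import defaultdict
LEGACY_ALGOS = {"des", "3des", "md5", "sha1", "hmac-md5", "hmac-sha1", "group1", "group2", "group5"}

# Constructed excerpt modelled on the FW_A script in 5.5.3, trimmed to the blocks the checks need.
SAMPLE_CONFIG = """\
#
ike proposal 10
 encryption-algorithm 3des
 dh group5
 prf hmac-sha1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.2 255.255.255.0
#
nat address-group nataddr
 section 0 1.1.1.1 1.1.1.4
#
security-policy
 rule name policy_sec_server
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  destination-address 10.2.0.10 32
  action permit
#
"""


def parse_blocks(text):
    """Split a VRP script into (header, indented body lines); '#' or blank lines end a block."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        if raw.startswith(" "):
            body.append(raw)
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = (None if raw.strip() in ("#", "") else raw.strip()), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_proposals(blocks):
    """Flag legacy algorithms inside 'ike proposal' and 'ipsec proposal' blocks."""
    return [f"{header}: legacy algorithm in '{line.strip()}'"
            for header, body in blocks if header.startswith(("ike proposal", "ipsec proposal"))
            for line in body if set(line.split()) & LEGACY_ALGOS]


def parse_rules(body):
    """Group a security-policy body by rule; each attribute keyword maps to its list of values."""
    rules, current = {}, None
    for line in body:
        text = line.strip()
        if text.startswith("rule name "):
            current = text[len("rule name "):]
            rules[current] = defaultdict(list)
        elif current is not None:
            key, _, value = text.partition(" ")
            rules[current][key].append(value)
    return rules


def audit_inbound_permits(blocks, external=("ISP1", "ISP2", "untrust")):
    """Flag permit rules from an external zone into trust that match any service or application."""
    findings = []
    for header, body in blocks:
        if header != "security-policy":
            continue
        for name, attrs in parse_rules(body).items():
            inbound = bool(set(attrs["source-zone"]) & set(external)) and "trust" in attrs["destination-zone"]
            if inbound and "permit" in attrs["action"] and not (attrs["service"] or attrs["application"]):
                findings.append(f"rule {name}: {'/'.join(attrs['source-zone'])} -> trust permits any "
                                "service; add 'service' entries for the published ports only")
    return findings


def audit_nat_pool_overlap(blocks):
    """Flag pool sections containing a real interface address (a VRRP virtual address is fine on an HRP pair)."""
    real = {ipaddress.ip_address(line.split()[2]): header
            for header, body in blocks if header.startswith("interface ")
            for line in body if line.split()[:2] == ["ip", "address"]}
    sections = [(header, line.strip()) for header, body in blocks
                if header.startswith("nat address-group")
                for line in body if line.split()[:1] == ["section"]]
    return [f"{header}: '{sec}' includes {addr}, the real address of {iface}"
            for header, sec in sections for addr, iface in real.items()
            if ipaddress.ip_address(sec.split()[2]) <= addr <= ipaddress.ip_address(sec.split()[3])]


def audit(text):
    blocks = parse_blocks(text)
    return {"legacy_crypto": audit_proposals(blocks),
            "open_inbound_permits": audit_inbound_permits(blocks),
            "nat_pool_overlap": audit_nat_pool_overlap(blocks)}


if __name__ == "__main__":
    for category, items in audit(SAMPLE_CONFIG).items():
        print(category, *items, sep="\n  ")
```

Run it against a saved copy of display current-configuration with audit(open(path).read()). The checks are narrow and pattern-based by design, so treat the output as a pre-change review aid rather than a policy engine; a pool that holds only the VRRP virtual address and spare addresses produces no overlap finding.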

Step 14 Configure L2TP over IPSec.

# Enable L2TP.
HRP_M[FW_A] l2tp enable

# Configure L2TP access users and an authentication scheme.


HRP_M[FW_A] ip pool pool1
HRP_M[FW_A-ip-pool-pool1] section 1 10.1.1.2 10.1.1.100
HRP_M[FW_A-ip-pool-pool1] quit
HRP_M[FW_A] user-manage user vpdnuser
HRP_M[FW_A-localuser-vpdnuser] password Hello123
HRP_M[FW_A-localuser-vpdnuser] quit
HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] authentication-scheme default
HRP_M[FW_A-aaa-authen-default] authentication-mode local
HRP_M[FW_A-aaa-authen-default] quit
HRP_M[FW_A-aaa] service-scheme l2tp
HRP_M[FW_A-aaa-service-l2tp] ip-pool pool1
HRP_M[FW_A-aaa-service-l2tp] quit
HRP_M[FW_A-aaa] domain net1
HRP_M[FW_A-aaa-domain-net1] service-type internetaccess l2tp
HRP_M[FW_A-aaa-domain-net1] authentication-scheme default
HRP_M[FW_A-aaa-domain-net1] service-scheme l2tp
HRP_M[FW_A-aaa-domain-net1] quit
HRP_M[FW_A-aaa] quit

# Configure the virtual interface template, and add it to a security zone.


HRP_M[FW_A] interface Virtual-Template 1
HRP_M[FW_A-Virtual-Template1] ppp authentication-mode chap pap
HRP_M[FW_A-Virtual-Template1] ip address 10.11.1.1 255.255.255.0
HRP_M[FW_A-Virtual-Template1] remote service-scheme l2tp
HRP_M[FW_A-Virtual-Template1] quit
HRP_M[FW_A] firewall zone untrust
HRP_M[FW_A-zone-untrust] add interface Virtual-Template 1
HRP_M[FW_A-zone-untrust] quit


The IP address of the virtual interface must not be an address in the configured address
pool or the address of any other interface. You can set any IP address except the mentioned
ones.
The service scheme for allocating the peer IP address must be consistent with that
configured in the AAA domain. Otherwise, the LNS cannot allocate an address to the client.

# Create an L2TP group, bind the virtual interface template, and configure tunnel
authentication.
HRP_M[FW_A] l2tp-group 1
HRP_M[FW_A-l2tp1] allow l2tp virtual-template 1 remote client1
HRP_M[FW_A-l2tp1] tunnel name lns
HRP_M[FW_A-l2tp1] tunnel authentication
HRP_M[FW_A-l2tp1] tunnel password cipher Password@123
HRP_M[FW_A-l2tp1] quit

# Similarly, configure L2TP over IPSec on FW_B.


# Configure the client on the terminals of mobile employees.
The L2TP client must be installed on the terminals of mobile employees. The client
is connected to the Internet through dialup. The Secoway VPN Client is taken as
an example.
1. Open the Secoway VPN Client, select an existing connection, and click
Properties.

This step should be performed when the VPN Client is disconnected from the dialup
connection.
If no connection exists, click New to create a connection following the instructions.
2. Configure the basic information in the Basic Settings tab and enable an IPSec
security protocol.
See Figure 5-4 for the parameter settings. Enable the IPSec security protocol,
and set the login password to "Hello123" and the identity authentication
word to "Test!1234".

The IPSec identity authentication word set on the VPN Client must be consistent with
the pre-shared key set on the LNS.


Figure 5-4 Basic settings of the LAC

3. If the user needs to access the Internet, select Allow Internet Access in the
Basic Settings tab, and configure related routes in the Route Settings tab.


Figure 5-5 Selecting Allow Internet Access

Figure 5-6 Adding a route


4. Set L2TP properties in the L2TP Settings tab.


See Figure 5-7 for the parameter settings. The tunnel name is client1. The
authentication mode is CHAP. Enable tunnel authentication, and set the
tunnel authentication password to "Password@123".

Figure 5-7 L2TP settings of the LAC

5. Set the basic information of IPSec in the IPSec Settings tab. See Figure 5-8
for the parameter settings.

The L2TP Settings tab can be left at its defaults only if tunnel authentication is
disabled on the LNS. In this example the LNS enables it (tunnel authentication and
tunnel password in l2tp-group 1), so the tunnel name and password entered in step 4
must match the LNS configuration.


Figure 5-8 IPSec settings of the LAC

6. Set the basic information of IKE in the IKE Settings tab. See Figure 5-9 for
the parameter settings.


Figure 5-9 IKE settings of the LAC

----End

5.5.2 Verification
Procedure
Step 1 Run the display hrp state command on FW_A to view the current HRP state. The
following information indicates that HRP is successfully set up.
HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes

Step 2 Verify that intranet users in each group and mobile employees can access the
Internet as planned, and that the applications denied by the security policies are
blocked.
Step 3 Run the shutdown command on GigabitEthernet1/0/1 of FW_A to simulate a link
fault. An active/standby switchover occurs and services are not interrupted; run
display hrp state again to confirm that FW_B is now active.

----End
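The display hrp state output in Step 1 is what an operator polls to confirm that the pair stays healthy after a switchover. The following Python script is an added example, not part of this document or of Huawei's software: it parses that output, assuming the field layout shown above, and returns alerts for a role pair other than active/standby, unequal running priorities (the two units are tracking different interface states), a stable time short enough to indicate a recent switchover, and a backup channel near saturation. The sample output is copied from Step 1; the thresholds are assumptions for this example.

```python
"""Health check over 'display hrp state' output (added example, not Huawei code).

Parses the fields shown in the verification output and returns the conditions an
operator would alert on: an unexpected role pair, unequal running priorities, a
stable time short enough to indicate a recent switchover, or a saturated backup
channel. Thresholds are assumptions for this example."""
import re

# Constructed sample, copied from the verification output in 5.5.2.
SAMPLE_OUTPUT = """\
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes
"""

# One pattern per field; the layout is the one shown above (assumed stable across releases).
PATTERNS = {
    "role": r"Role:\s*(\w+),\s*peer:\s*(\w+)",
    "priority": r"Running priority:\s*(\d+),\s*peer:\s*(\d+)",
    "usage": r"Backup channel usage:\s*(\d+)%",
    "stable": r"Stable time:\s*(\d+) days?,\s*(\d+) hours?,\s*(\d+) minutes?",
}


def parse_hrp_state(output):
    """Return the parsed fields; a missing field raises ValueError rather than a silent default."""
    groups = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, output)
        if match is None:
            raise ValueError(f"field '{name}' not found in display hrp state output")
        groups[name] = match.groups()
    role, peer = groups["role"]
    days, hours, minutes = map(int, groups["stable"])
    return {
        "role": role,
        "peer": peer,
        "priority": int(groups["priority"][0]),
        "peer_priority": int(groups["priority"][1]),
        "backup_usage_pct": int(groups["usage"][0]),
        "stable_minutes": days * 1440 + hours * 60 + minutes,
    }


def hrp_alerts(state, expected=("active", "standby"), min_stable_minutes=30, max_usage_pct=80):
    """Alert strings for a pair that is not in the expected healthy state (empty list if healthy)."""
    alerts = []
    if (state["role"], state["peer"]) != expected:
        alerts.append(f"role pair {state['role']}/{state['peer']} is not {'/'.join(expected)}")
    if state["priority"] != state["peer_priority"]:
        # Priorities diverge when hrp track / VRRP state differs between the two units.
        alerts.append(f"running priority {state['priority']} != peer {state['peer_priority']}: "
                      "check tracked interfaces on both units")
    if state["stable_minutes"] < min_stable_minutes:
        alerts.append(f"HRP stable for only {state['stable_minutes']} min: recent switchover or flap")
    if state["backup_usage_pct"] > max_usage_pct:
        alerts.append(f"backup channel at {state['backup_usage_pct']}%: session synchronization may lag")
    return alerts


if __name__ == "__main__":
    for alert in hrp_alerts(parse_hrp_state(SAMPLE_OUTPUT)):
        print(alert)
```

Feed it the command output collected over SSH or from the log collector; the stable-time alert is deliberately noisy right after the switchover test in Step 3, which is when an unexpected second switchover would otherwise go unnoticed.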


5.5.3 Configuration Scripts


FW_A FW_B
# #
sysname FW_A sysname FW_B
# #
l2tp enable l2tp enable
# #
acl number 3000 acl number 3000
rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255 rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
# #
hrp enable hrp enable
hrp interface Eth-Trunk 1 remote 10.10.0.2 hrp interface Eth-Trunk 1 remote 10.10.0.1
hrp track interface GigabitEthernet 1/0/1 hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/4 hrp track interface GigabitEthernet 1/0/4
# #
time-range work_time time-range work_time
period-range 09:00:00 to 18:00:00 working-day period-range 09:00:00 to 18:00:00 working-day
# #
firewall defend land enable firewall defend land enable
firewall defend smurf enable firewall defend smurf enable
firewall defend fraggle enable firewall defend fraggle enable
firewall defend winnuke enable firewall defend winnuke enable
firewall defend source-route enable firewall defend source-route enable
firewall defend route-record enable firewall defend route-record enable
firewall defend time-stamp enable firewall defend time-stamp enable
firewall defend ping-of-death enable firewall defend ping-of-death enable
# #
ike proposal 10 ike proposal 10
encryption-algorithm 3des encryption-algorithm 3des
dh group5 dh group5
authentication-method pre-share authentication-method pre-share
integrity-algorithm hmac-sha2-256 integrity-algorithm hmac-sha2-256
prf hmac-sha1 prf hmac-sha1
# #
ike peer headquarters ike peer headquarters
pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/% pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%
$%$ $%$
ike-proposal 10 ike-proposal 10
# #
ipsec proposal tran1 ipsec proposal tran1
esp authentication-algorithm sha1 esp authentication-algorithm sha1
esp encryption-algorithm aes-128 esp encryption-algorithm aes-128
# #
ipsec policy-template temp 1 ipsec policy-template temp 1
security acl 3000 security acl 3000
ike-peer headquarter ike-peer headquarter
proposal tran1 proposal tran1
# #
ipsec policy map1 1 isakmp template temp ipsec policy map1 1 isakmp template temp
# #
l2tp-group 1 l2tp-group 1
allow l2tp virtual-template 1 remote client1 allow l2tp virtual-template 1 remote client1
tunnel name lns tunnel name lns
tunnel authentication tunnel authentication
tunnel password cipher %$%$f#c=(BljBC! tunnel password cipher %$%$f#c=(BljBC!
s=)Xc*3*%$%$ s=)Xc*3*%$%$
# #
interface Virtual-Template1 interface Virtual-Template1
ppp authentication-mode chap pap ppp authentication-mode chap pap
remote service-scheme l2tp remote service-scheme l2tp
ip address 10.11.1.1 255.255.255.0 ip address 10.11.1.1 255.255.255.0
# #
interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/1
undo shutdown undo shutdown
ip address 1.1.1.2 255.255.255.0 ip address 1.1.1.3 255.255.255.0

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 304


HUAWEI Firewall 5 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Enterprise Campus Networks

FW_A FW_B
gateway 1.1.1.254 gateway 1.1.1.254
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0
ipsec policy policy1 standby
# ipsec policy policy1
interface GigabitEthernet1/0/2 #
undo shutdown interface GigabitEthernet1/0/2
ip address 2.2.2.2 255.255.255.0 undo shutdown
gateway 2.2.2.254 ip address 2.2.2.1 255.255.255.0
vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active gateway 2.2.2.254
# vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 standby
interface GigabitEthernet1/0/4 #
undo shutdown interface GigabitEthernet1/0/4
ip address 10.1.1.1 255.255.0.0 undo shutdown
# ip address 10.2.1.1 255.255.0.0
interface GigabitEthernet1/0/5 #
portswitch interface GigabitEthernet1/0/5
# portswitch
interface Eth-Trunk 1 #
ip address 10.10.0.1 255.255.255.0 interface Eth-Trunk 1
trunkport GigabitEthernet 1/0/3 ip address 10.10.0.2 255.255.255.0
trunkport GigabitEthernet 2/0/1 trunkport GigabitEthernet 1/0/3
# trunkport GigabitEthernet 2/0/1
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet1/0/4 set priority 85
add interface GigabitEthernet1/0/5 add interface GigabitEthernet1/0/4
# add interface GigabitEthernet1/0/5
firewall zone untrust #
set priority 5 firewall zone untrust
add interface Virtual-Template1 set priority 5
# add interface Virtual-Template1
firewall zone ISP1 #
set priority 15 firewall zone ISP1
add interface GigabitEthernet1/0/1 set priority 15
# add interface GigabitEthernet1/0/1
firewall zone ISP2 #
set priority 20 firewall zone ISP2
add interface GigabitEthernet1/0/2 set priority 20
# add interface GigabitEthernet1/0/2
firewall zone Heart #
set priority 75 firewall zone Heart
add interface Eth-Trunk1 set priority 75
# add interface Eth-Trunk1
router id 1.1.1.2 #
# router id 2.2.2.3
ospf 100 #
default-route-advertise ospf 100
area 0 default-route-advertise
network 1.1.1.0 0.0.0.255 area 0
network 10.1.0.0 0.0.0.255 network 2.2.2.0 0.0.0.255
# network 10.2.0.0 0.0.0.255
ip-link check enable #
ip-link name ip_link_1 ip-link check enable
destination 1.1.1.254 interface ip-link name ip_link_1
GigabitEthernet1/0/1 destination 1.1.1.254 interface
ip-link name ip_link_2 GigabitEthernet1/0/1
destination 2.2.2.254 interface ip-link name ip_link_2
GigabitEthernet1/0/2 destination 2.2.2.254 interface
# GigabitEthernet1/0/2
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip- #
link ip_link_1 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip- link ip_link_1
link ip_link_2 ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-
# link ip_link_2
user-manage online-user aging-time 480 #
user-manage single-sign-on ad user-manage online-user aging-time 480

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 305


HUAWEI Firewall 5 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Enterprise Campus Networks

FW_A FW_B
mode no-plug-in user-manage single-sign-on ad
no-plug-in interface GigabitEthernet1/0/5 mode no-plug-in
no-plug-in traffic server-ip 10.3.0.251 port 88 no-plug-in interface GigabitEthernet1/0/5
enable no-plug-in traffic server-ip 10.3.0.251 port 88
# enable
user-manage user vpdnuser #
password Hello123 user-manage user vpdnuser
# password Hello123
ad-server template auth_server_ad #
ad-server authentication 10.3.0.251 88 ad-server template auth_server_ad
ad-server authentication base-dn dc=cce,dc=com ad-server authentication 10.3.0.251 88
ad-server authentication manager ad-server authentication base-dn dc=cce,dc=com
cn=administrator,cn=users %$% ad-server authentication manager
$M#._~J4QrR[kJu7PUMtHUqh_%$%$ cn=administrator,cn=users %$%
ad-server authentication host-name ad.cce.com $M#._~J4QrR[kJu7PUMtHUqh_%$%$
ad-server authentication ldap-port 389 ad-server authentication host-name ad.cce.com
ad-server user-filter sAMAccountName ad-server authentication ldap-port 389
ad-server group-filter ou ad-server user-filter sAMAccountName
# ad-server group-filter ou
user-manage import-policy policy_import from ad #
server template auth_server_ad user-manage import-policy policy_import from ad
server basedn dc=cce,dc=com server template auth_server_ad
destination-group /cce.com server basedn dc=cce,dc=com
user-attribute sAMAccountName destination-group /cce.com
user-filter (&(|(objectclass=person) user-attribute sAMAccountName
(objectclass=organizationalPerson))(cn=*)(! user-filter (&(|(objectclass=person)
(objectclass=computer))) (objectclass=organizationalPerson))(cn=*)(!
group-filter (|(objectclass=organizationalUnit) (objectclass=computer)))
(ou=*)) group-filter (|(objectclass=organizationalUnit)
import-type user-group (ou=*))
import-override enable import-type user-group
# import-override enable
ip pool pool1 #
section 1 10.1.1.2 10.1.1.100 ip pool pool1
# section 1 10.1.1.2 10.1.1.100
aaa #
authorization-scheme default aaa
authentication-mode local authorization-scheme default
service-scheme l2tp authentication-mode local
ip-pool pool1 service-scheme l2tp
domain net1 ip-pool pool1
service-type internetaccess l2tp domain net1
authentication-scheme default service-type internetaccess l2tp
service-scheme l2tp authentication-scheme default
# service-scheme l2tp
profile type url-filter name profile_url #
category pre-defined control-level medium profile type url-filter name profile_url
category pre-defined action allow category pre-defined control-level medium
# category pre-defined action allow
nat address-group nataddr #
mode pat nat address-group nataddr
route enable mode pat
section 0 1.1.1.1 1.1.1.4 route enable
# section 0 1.1.1.1 1.1.1.4
multi-interface #
mode priority-of-link-quality multi-interface
priority-of-link-quality parameter delay jitter loss mode priority-of-link-quality
priority-of-link-quality protocol tcp-simple priority-of-link-quality parameter delay jitter loss
priority-of-link-quality interval 3 times 5 priority-of-link-quality protocol tcp-simple
priority-of-link-quality table aging-time 60 priority-of-link-quality interval 3 times 5
add interface GigabitEthernet1/0/1 priority-of-link-quality table aging-time 60
add interface GigabitEthernet1/0/2 add interface GigabitEthernet1/0/1
# add interface GigabitEthernet1/0/2
policy-based-route #
rule name pbr_1 policy-based-route
description pbr_1 rule name pbr_1

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 306


HUAWEI Firewall 5 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Enterprise Campus Networks

FW_A FW_B
source-zone trust description pbr_1
application category Business_Systems source-zone trust
track ip-link ip_link_1 application category Business_Systems
action pbr egress-interface GigabitEthernet1/0/1 track ip-link ip_link_1
next-hop 1.1.1.254 action pbr egress-interface GigabitEthernet1/0/1
rule name pbr_2 next-hop 1.1.1.254
description pbr_2 rule name pbr_2
source-zone trust description pbr_2
application category Entertainment sub-category source-zone trust
VoIP application category Entertainment sub-category
application category Entertainment sub-category VoIP
PeerCasting application category Entertainment sub-category
track ip-link ip_link_2 PeerCasting
action pbr egress-interface GigabitEthernet1/0/2 track ip-link ip_link_2
next-hop 2.2.2.254 action pbr egress-interface GigabitEthernet1/0/2
# next-hop 2.2.2.254
security-policy #
rule name policy_sec_management security-policy
source-zone trust rule name policy_sec_management
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
user user-group /default/management destination-zone ISP2
profile av default user user-group /default/management
profile ips default profile av default
profile url-filter profile_url profile ips default
action permit profile url-filter profile_url
rule name policy_sec_marketing_1 action permit
source-zone trust rule name policy_sec_marketing_1
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
user user-group /default/marketing destination-zone ISP2
application category Entertainment sub- user user-group /default/marketing
category Media_Sharing application category Entertainment sub-
application category Entertainment sub- category Media_Sharing
category Game application category Entertainment sub-
action deny category Game
rule name policy_sec_marketing_2 action deny
source-zone trust rule name policy_sec_marketing_2
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
user user-group /default/marketing destination-zone ISP2
profile av default user user-group /default/marketing
profile ips default profile av default
profile url-filter profile_url profile ips default
action permit profile url-filter profile_url
rule name policy_sec_research_1 action permit
source-zone trust rule name policy_sec_research_1
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
user user-group /default/research destination-zone ISP2
application category Entertainment user user-group /default/research
action deny application category Entertainment
rule name policy_sec_research_2 action deny
source-zone trust rule name policy_sec_research_2
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
user user-group /default/research destination-zone ISP2
profile av default user user-group /default/research
profile ips default profile av default
profile url-filter profile_url profile ips default
action permit profile url-filter profile_url
rule name policy_sec_manufacture action permit
source-zone trust rule name policy_sec_manufacture
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
user user-group /default/manufacture destination-zone ISP2

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 307


HUAWEI Firewall 5 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Enterprise Campus Networks

FW_A FW_B
action deny user user-group /default/manufacture
rule name policy_sec_ipsec_1 action deny
source-zone local rule name policy_sec_ipsec_1
source-zone ISP1 source-zone local
source-zone ISP2 source-zone ISP1
destination-zone local source-zone ISP2
destination-zone ISP1 destination-zone local
destination-zone ISP2 destination-zone ISP1
source-address 1.1.1.2 32 destination-zone ISP2
source-address 3.3.3.1 32 source-address 1.1.1.2 32
destination-address 1.1.1.2 32 source-address 3.3.3.1 32
destination-address 3.3.3.1 32 destination-address 1.1.1.2 32
action permit destination-address 3.3.3.1 32
rule name policy_sec_ipsec_2 action permit
source-zone trust rule name policy_sec_ipsec_2
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
source-address 10.1.0.0 16 destination-zone ISP2
destination-address 192.168.1.0 24 source-address 10.1.0.0 16
profile av default destination-address 192.168.1.0 24
profile ips default profile av default
action permit profile ips default
rule name policy_sec_ipsec_3 action permit
source-zone ISP1 rule name policy_sec_ipsec_3
source-zone ISP2 source-zone ISP1
destination-zone trust source-zone ISP2
source-address 192.168.1.0 24 destination-zone trust
profile av default source-address 192.168.1.0 24
profile ips default profile av default
action permit profile ips default
rule name policy_sec_l2tp_ipsec_1 action permit
source-zone trust rule name policy_sec_l2tp_ipsec_1
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
source-address 10.1.1.1 16 destination-zone ISP2
destination-address range 10.1.1.2 10.1.1.100 source-address 10.1.1.1 16
action permit destination-address range 10.1.1.2 10.1.1.100
rule name policy_sec_l2tp_ipsec_2 action permit
source-zone untrust rule name policy_sec_l2tp_ipsec_2
destination-zone trust source-zone untrust
source-address range 10.1.1.2 10.1.1.100 destination-zone trust
destination-address 10.1.1.1 16 source-address range 10.1.1.2 10.1.1.100
action permit destination-address 10.1.1.1 16
rule name local_policy_ad_01 action permit
source-zone local rule name local_policy_ad_01
destination-zone trust source-zone local
destination-address 10.3.0.251 32 destination-zone trust
action permit destination-address 10.3.0.251 32
rule name local_policy_ad_02 action permit
source-zone trust rule name local_policy_ad_02
destination-zone local source-zone trust
source-address 10.3.0.251 32 destination-zone local
action permit source-address 10.3.0.251 32
rule name policy_sec_server action permit
source-zone ISP1 rule name policy_sec_server
source-zone ISP2 source-zone ISP1
destination-zone trust source-zone ISP2
destination-address 10.2.0.10 32 destination-zone trust
destination-address 10.2.0.11 32 destination-address 10.2.0.10 32
action permit destination-address 10.2.0.11 32
# action permit
nat-policy #
rule name policy_nat_internet_01 nat-policy
source-zone trust rule name policy_nat_internet_01
destination-zone ISP1 source-zone trust
action source-nat address-group nataddr destination-zone ISP1

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 308


HUAWEI Firewall 5 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Enterprise Campus Networks

FW_A FW_B
rule name policy_nat_internet_02 action source-nat address-group nataddr
source-zone trust rule name policy_nat_internet_02
destination-zone ISP2 source-zone trust
action source-nat address-group nataddr destination-zone ISP2
rule name policy_nat_ipsec_01 action source-nat address-group nataddr
source-zone trust rule name policy_nat_ipsec_01
destination-zone ISP1 source-zone trust
destination-address 192.168.1.0 24 destination-zone ISP1
action no-pat destination-address 192.168.1.0 24
rule name policy_nat_ipsec_02 action no-pat
source-zone trust rule name policy_nat_ipsec_02
destination-zone ISP2 source-zone trust
destination-address 192.168.1.0 24 destination-zone ISP2
action no-pat destination-address 192.168.1.0 24
# action no-pat
traffic-policy #
profile profile_p2p traffic-policy
bandwidth maximum-bandwidth whole profile profile_p2p
upstream 2000000 bandwidth maximum-bandwidth whole
bandwidth connection-limit whole downstream upstream 2000000
6000000 bandwidth connection-limit whole downstream
bandwidth connection-limit whole both 10000 6000000
profile profile_email bandwidth connection-limit whole both 10000
bandwidth guaranteed-bandwidth whole profile profile_email
upstream 4000000 bandwidth guaranteed-bandwidth whole
bandwidth guaranteed-bandwidth whole upstream 4000000
downstream 4000000 bandwidth guaranteed-bandwidth whole
profile profile_management downstream 4000000
bandwidth guaranteed-bandwidth whole profile profile_management
upstream 200000 bandwidth guaranteed-bandwidth whole
bandwidth guaranteed-bandwidth whole upstream 200000
downstream 200000 bandwidth guaranteed-bandwidth whole
bandwidth maximum-bandwidth per-ip downstream 200000
upstream 20000 bandwidth maximum-bandwidth per-ip
bandwidth maximum-bandwidth per-ip upstream 20000
downstream 20000 bandwidth maximum-bandwidth per-ip
rule name policy_bandwidth_p2p downstream 20000
source-zone trust rule name policy_bandwidth_p2p
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
application category Entertainment sub-category destination-zone ISP2
PeerCasting application category Entertainment sub-category
application category General_Internet sub- PeerCasting
category FileShare_P2P application category General_Internet sub-
action qos profile profile_p2p category FileShare_P2P
rule name policy_email action qos profile profile_p2p
source-zone trust rule name policy_email
destination-zone ISP1 source-zone trust
destination-zone ISP2 destination-zone ISP1
application app LotusNotes destination-zone ISP2
application app OWA application app LotusNotes
time-range work_time application app OWA
action qos profile profile_email time-range work_time
rule name policy_bandwidth_management action qos profile profile_email
source-zone ISP1 rule name policy_bandwidth_management
source-zone ISP2 source-zone ISP1
destination-zone trust source-zone ISP2
user user-group /default/management destination-zone trust
action qos profile profile_management user user-group /default/management
# The following configurations are used to create action qos profile profile_management
users/groups. These configurations are stored in # The following configurations are used to create
the database and are not contained in the users/groups. These configurations are stored in
configuration file. the database and are not contained in the
user-manage group /default/management configuration file.
user-manage group /default/marketing user-manage group /default/management
user-manage group /default/research user-manage group /default/marketing

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 309


HUAWEI Firewall 5 Application of Firewalls in the Egress Security
Comprehensive Configuration Examples Solution for Enterprise Campus Networks

FW_A FW_B
user-manage user user_0001 user-manage group /default/research
alias Tom user-manage user user_0001
parent-group /default/management alias Tom
password ********* parent-group /default/management
undo multi-ip online enable password *********
undo multi-ip online enable
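Each member of the hot-standby pair is configured by hand, so a name defined under one keyword and referenced under another can drift apart; the CLI accepts each line on its own, but the object never binds. The following reference-integrity check is an added example, not Huawei code: it collects definitions and references for the object kinds used in the scripts above and reports references without a definition. The sample configuration is a constructed excerpt modelled on the FW_A script (pre-shared key omitted), and on it the check reports ike-peer headquarter (the peer is defined as headquarters) and ipsec policy policy1 (the policy defined is map1), exactly as those names appear in the script above.

```python
"""Reference-integrity check for a Huawei-style firewall configuration script.

Added example, not from the Huawei document. A name defined under one keyword
but referenced under another is accepted line by line by the CLI while the
object never binds (an IPsec template pointing at a non-existent IKE peer,
an interface applying a policy that was never created). The check collects
definitions and references for the object kinds used in the FW_A/FW_B
scripts and reports references without a definition.
"""
import re

# (object kind, pattern whose first group is the object name) for lines that define an object.
DEFINITIONS = [
    ("ike-proposal",   re.compile(r"^ike proposal (\S+)$")),
    ("ike-peer",       re.compile(r"^ike peer (\S+)$")),
    ("ipsec-proposal", re.compile(r"^ipsec proposal (\S+)$")),
    ("ipsec-template", re.compile(r"^ipsec policy-template (\S+) \d+$")),
    ("ipsec-policy",   re.compile(r"^ipsec policy (\S+) \d+ ")),
    ("acl",            re.compile(r"^acl number (\d+)$")),
    ("ip-link",        re.compile(r"^ip-link name (\S+)$")),
    ("nat-group",      re.compile(r"^nat address-group (\S+)$")),
]
# Same shape for lines that reference an object defined elsewhere.
REFERENCES = [
    ("ike-proposal",   re.compile(r"^ike-proposal (\S+)$")),
    ("ike-peer",       re.compile(r"^ike-peer (\S+)$")),
    ("ipsec-proposal", re.compile(r"^proposal (\S+)$")),
    ("ipsec-template", re.compile(r"^ipsec policy \S+ \d+ isakmp template (\S+)$")),
    ("ipsec-policy",   re.compile(r"^ipsec policy (\S+)$")),        # applied on an interface
    ("acl",            re.compile(r"^security acl (\d+)$")),
    ("ip-link",        re.compile(r"^.*\btrack ip-link (\S+)$")),    # static routes and PBR rules
    ("nat-group",      re.compile(r"^action source-nat address-group (\S+)$")),
]

# Constructed excerpt modelled on the FW_A script (the pre-shared key is omitted).
SAMPLE_CONFIG = """\
#
acl number 3000
 rule permit ip source 10.1.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm 3des
 authentication-method pre-share
#
ike peer headquarters
 ike-proposal 10
#
ipsec proposal tran1
 esp encryption-algorithm aes-128
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer headquarter
 proposal tran1
#
ipsec policy map1 1 isakmp template temp
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.2 255.255.255.0
 ipsec policy policy1
#
ip-link name ip_link_1
 destination 1.1.1.254 interface GigabitEthernet1/0/1
ip-link name ip_link_2
 destination 2.2.2.254 interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
#
nat address-group nataddr
 mode pat
#
nat-policy
 rule name policy_nat_internet_01
  action source-nat address-group nataddr
"""


def lint_references(config):
    """Return one message per reference whose (kind, name) has no matching definition."""
    defined = set()
    referenced = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for kind, pattern in DEFINITIONS:
            match = pattern.match(line)
            if match:
                defined.add((kind, match.group(1)))
        for kind, pattern in REFERENCES:
            match = pattern.match(line)
            if match:
                referenced.append((lineno, kind, match.group(1)))
    return [f"line {lineno}: {kind} '{name}' is referenced but never defined"
            for lineno, kind, name in referenced if (kind, name) not in defined]


if __name__ == "__main__":
    for finding in lint_references(SAMPLE_CONFIG) or ["no dangling references"]:
        print(finding)
```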

5.6 Conclusion and Suggestions


1. This section describes the typical application of firewalls at the egress of an
enterprise campus network to the Internet. If you are facing the same
scenario, this example will be a good reference.
2. The typical hot standby networking is introduced, where the firewall is
connected to an upstream switch and a downstream router. This section
describes the typical application of hot standby.
3. This solution demonstrates the multi-ISP uplink selection capabilities of the
firewall that serves as a gateway. Such capabilities include global intelligent
uplink selection and PBR intelligent uplink selection.
4. The solution also embodies the application identification and control
functions of the firewall. The firewall can identify ports and various
applications and is capable of access control, PBR, and traffic control based on
the applications.


6 Application of the Firewalls in the SCG Carrier Scenario

6.1 Introduction
This section describes the application of the firewall in the Service Control
Gateway (SCG) carrier scenario. By analyzing the security issues faced by the SCG,
this section provides a typical application solution of the firewall.
This document is based on Eudemon8000E-X V500R005C00 and can be used as a
reference for Eudemon8000E-X V500R005C00, V600R006C00, and later versions.
Document content may vary according to version.

6.2 Solution Overview


SCG Overview
The Service Control Gateway (SCG) is a comprehensive wireless gateway product
developed by Huawei. The SCG provides not only service-based charging and
bandwidth control but also WAP/HTTP service awareness and conversion, access
control, ad insertion, and malicious URL filtering. Figure 6-1 shows the position of
the SCG on the network. Terminal users access the SCG over the bearer network
of a carrier, and the SP/CP provides services for terminal users through the SCG.
The FWs are deployed on the uplink and downlink sides of the SCG and provide
NAT, interzone isolation, and border protection functions.

Figure 6-1 Application of the firewall in the SCG scenario


The SCG works in explicit or transparent proxy mode based on WAP/HTTP service
awareness.
● Explicit proxy (WAPGW)
The SCG provides gateway services. In this mode, service access users must set the SCG
address as the gateway address on their clients. After receiving a user request, the SCG
translates the user address into the SCG address and connects to the Internet.
● Transparent proxy (Proxy)
The SCG is similar to a router and does not provide gateway services. In this mode,
service access users do not need to set gateway addresses on their clients. User requests
are routed to the SCG through network devices. After receiving a user request, the SCG
uses the client IP address to connect to the web server. Because the client address is
preserved, the web server does not see many users behind one translated address, which
avoids the service denials or verification-code prompts that duplicate or heavily shared
user addresses trigger after NAT in explicit proxy mode.

Traffic Models
The GGSN and uplink FW establish a GRE tunnel. The GGSN sends service traffic
through the GRE tunnel to the uplink FW to access the SCG. The SCG performs
WAP/HTTP service awareness and translation and sends the traffic to the
downlink FW. The downlink FW performs NAT and sends the traffic to the
Internet.

6.3 Solution Design

6.3.1 Typical Networking


Networking Diagram
As shown in Figure 6-2, the FWs are deployed at the uplink and downlink sides of
the SCG respectively, and the service interfaces of the FWs work at Layer 3. The
FW at the uplink side connects to the GGSN via a switch, and the FW at the
downlink side connects to the Internet via a router.
Service traffic, such as mobile phone traffic, at the GGSN side reaches the SCG
through FW_A and is then forwarded by FW_C to the Internet.
Hot standby in active/standby mode is carried out between FW_A and FW_B and
between FW_C and FW_D. When services at the uplink side are operating properly,
the traffic that enters the SCG is forwarded by FW_A. If FW_A fails, the traffic is
forwarded by FW_B. When services at the downlink side are operating properly,
the traffic that leaves the SCG is forwarded by FW_C. If FW_C fails, the traffic is
forwarded by FW_D. In this way, service continuity at both sides of the SCG is
ensured.


Root systems and virtual systems are designed for the FWs. The root systems of the FWs
are configured as the FWs at the uplink side and carry out hot standby. The virtual systems
of the FWs are configured as the FWs at the downlink side and carry out hot standby.
In this scenario, only hot standby in active/standby mode is supported.

Figure 6-2 Application of the FWs in the SCG networking


Reliability Analysis
Figure 6-3 shows the active/standby switchovers when FW_A in the active state at
the uplink side and its link become faulty and recover. The active/standby
switchover processes are as follows:
● Switchover in case of a fault
When FW_A and its link fail, FW_B becomes the active firewall, and the route
is switched to FW_B.
● Switchover in case of fault recovery
After FW_A and its link recover, FW_A preempts to become the active firewall,
and the route and traffic are switched back to FW_A.


Figure 6-3 Switchover in case of a fault at the uplink side

Figure 6-4 shows the active/standby switchovers when FW_C in the active state
and its link become faulty and recover. The active/standby switchover processes
are as follows:
● Switchover in case of a fault
When FW_C and its connected link fail, FW_D becomes the active firewall,
and the route is switched to FW_D.
● Switchover in case of fault recovery
After FW_C and its link recover, FW_C preempts to become the active firewall,
and the route and traffic are switched back to FW_C.


Figure 6-4 Switchover in case of a fault at the downlink side

6.3.2 Service Planning

6.3.2.1 Interfaces and Security Zones


To prevent communication failures between the active and standby firewalls caused by
a heartbeat interface fault, using an Eth-Trunk interface as the heartbeat interface is
recommended. For devices on which multiple NICs can be installed (for the support
situation, see the hardware guide), an inter-board Eth-Trunk interface is required; that
is, the member interfaces of the Eth-Trunk interface are on different LPUs. The
inter-board Eth-Trunk improves reliability and increases bandwidth. On devices that do
not support interface expansion or an inter-board Eth-Trunk, a faulty LPU may make all
HRP backup channels unavailable and compromise services.
The upstream and downstream physical links must have the same bandwidth, and that
bandwidth must be greater than the peak traffic. Otherwise, a traffic burst causes
congestion and affects services.
Table 6-1 describes the planning of interfaces and security zones on FW_A and
FW_B, and Table 6-2 describes the planning of interfaces and security zones on
FW_C and FW_D.

Table 6-1 Interface and security zone planning for FW_A and FW_B

Eth-Trunk0 (heartbeat interface)
● Member interfaces: GE1/0/0 and GE2/0/1 on both firewalls
● IP address: 10.10.0.1/24 on FW_A, 10.10.0.2/24 on FW_B
● Security zone: DMZ

Eth-Trunk1 (service interface connected to the GGSN)
● Member interfaces: GE1/0/2 and GE1/0/3 on both firewalls
● Subinterface Eth-Trunk1.1
  – Associated VLAN ID: 11
  – IP address: 10.2.0.1/24 on FW_A, 10.2.0.2/24 on FW_B
  – Security zone: Untrust
● Subinterface Eth-Trunk1.2
  – Associated VLAN ID: 12
  – IP address: 10.2.2.1/24 on FW_A, 10.2.2.2/24 on FW_B
  – Security zone: Untrust

Eth-Trunk2 (service interface connected to the SCG)
● Member interfaces: GE1/0/4 and GE1/0/5 on both firewalls
● Subinterface Eth-Trunk2.1
  – Associated VLAN ID: 21
  – IP address: 10.3.0.1/24 on FW_A, 10.3.0.2/24 on FW_B
  – Security zone: Trust

Table 6-2 Interface and security zone planning for FW_C and FW_D

Eth-Trunk0 (heartbeat interface)
● Member interfaces: GE1/0/0 and GE2/0/1 on both firewalls
● IP address: 10.10.0.3/24 on FW_C, 10.10.0.4/24 on FW_D
● Security zone: DMZ

Eth-Trunk1 (interface connected to the Internet)
● Member interfaces: GE1/0/2 and GE1/0/3 on both firewalls
● Subinterface Eth-Trunk1.1
  – Associated VLAN ID: 11
  – IP address: 10.2.1.1/24 on FW_C, 10.2.1.1/24 on FW_D
  – Security zone: Untrust

Eth-Trunk2 (service interface connected to the SCG)
● Member interfaces: GE1/0/4 and GE1/0/5 on both firewalls
● Subinterface Eth-Trunk2.1
  – Associated VLAN ID: 21
  – IP address: 10.3.1.1/24 on FW_C, 10.3.1.2/24 on FW_D
  – Security zone: Trust

6.3.2.2 Availability
Hot standby in active/standby mode is carried out between FW_A and FW_B and
between FW_C and FW_D. When services at the uplink side are operating properly,
the traffic that enters the SCG is forwarded by FW_A. If FW_A fails, the traffic is
forwarded by FW_B. When services at the downlink side are operating properly,
the traffic that leaves the SCG is forwarded by FW_C. If FW_C fails, the traffic is
forwarded by FW_D. In this way, service continuity at both sides of the SCG is
ensured. Table 6-3 describes the availability planning for FW_A and FW_B, and
Table 6-4 describes the availability planning for FW_C and FW_D.

Table 6-3 Availability planning for FW_A and FW_B

Item                                          FW_A                    FW_B
Backup mode                                   Active/standby backup   Active/standby backup
Heartbeat interface                           Eth-Trunk0              Eth-Trunk0
Preemption delay                              300s                    300s
Monitoring interface                          Eth-Trunk1              Eth-Trunk1
Function of automatically adjusting the cost  Enabled                 Enabled

Table 6-4 Availability planning for FW_C and FW_D

Item                                          FW_C                    FW_D
Backup mode                                   Active/standby backup   Active/standby backup
Heartbeat interface                           Eth-Trunk0              Eth-Trunk0
Preemption delay                              300s                    300s
Monitoring interface                          Eth-Trunk1              Eth-Trunk1
Function of automatically adjusting the cost  Enabled                 Enabled

6.3.2.3 GRE Tunnels

GRE tunnels are established between the GGSN and two private networks
connected to the uplink FW so that the two network segments can communicate.
In this way, service traffic, such as mobile phone traffic, can reach the FW over the
GRE tunnels. In this section, two GRE tunnels are planned. Table 6-5 describes the
GRE tunnel planning.

Plan the number of GRE tunnels based on actual service requirements.

Table 6-5 GRE tunnel planning

Item | FW_A | FW_B
Loopback interface | Loopback1 address: 10.2.0.10/32; Loopback2 address: 10.2.0.11/32 | Loopback1 address: 10.2.0.10/32; Loopback2 address: 10.2.0.11/32
Tunnel interface 1 | Encapsulation parameters: encapsulation protocol GRE; MTU 1476; source address loopback1; key word 123456; security zone tunnelzone | Encapsulation parameters: encapsulation protocol GRE; MTU 1476; source address loopback1; key word 123456; security zone tunnelzone
Tunnel interface 2 | Encapsulation parameters: encapsulation protocol GRE; MTU 1476; source address loopback2; key word 123456; security zone tunnelzone | Encapsulation parameters: encapsulation protocol GRE; MTU 1476; source address loopback2; key word 123456; security zone tunnelzone
Route | OSPF is used to advertise routes to direct traffic to a specific GRE tunnel: network 172.16.2.0 0.0.0.255 (tunnel interface) | OSPF is used to advertise routes to direct traffic to a specific GRE tunnel: network 172.16.2.0 0.0.0.255 (tunnel interface)
Security policy | Permit GRE packets: configure a security policy to permit pre-encapsulated GRE packets, and a security policy to permit encapsulated GRE packets. | Permit GRE packets: configure a security policy to permit pre-encapsulated GRE packets, and a security policy to permit encapsulated GRE packets.
6.3.2.4 Security Policies

This section describes how to configure security policies to permit packet
exchanges between security zones. Table 6-6 describes the security policy
planning of FW_A and FW_B, and Table 6-7 describes the security policy planning
of FW_C and FW_D.

Table 6-6 Security policy planning

Item | Data Flow Direction | Description
trust - tunnelzone | Outbound | Security policy for pre-encapsulated GRE packets
trust - tunnelzone | Inbound | Security policy for pre-encapsulated GRE packets
local - dmz | Outbound | Security policy for the backup interfaces of the active and standby firewalls
local - dmz | Inbound | Security policy for the backup interfaces of the active and standby firewalls
local - untrust | Outbound | Security policy for encapsulated GRE packets
local - untrust | Inbound | Security policy for encapsulated GRE packets

Table 6-7 Security policy planning

Item | Data Flow Direction | Description
local - dmz | Outbound | Security policy for the backup interfaces of the active and standby firewalls
local - dmz | Inbound | Security policy for the backup interfaces of the active and standby firewalls
trust - untrust | Outbound | Security policy for implementing source NAT for private addresses
trust - untrust | Inbound | Security policy for implementing source NAT for private addresses
6.3.2.5 NAT
The GGSN sends user information to the RADIUS server for authentication. If the
authentication succeeds, the RADIUS server sends the user information to the FW.
The NAT Server function is configured at the SCG side to translate private
addresses of the SCG network into public addresses for the RADIUS server to
access, as listed in Table 6-8.

You are advised to set the number of public addresses of the downlink firewall to
[Maximum number of online users x 60%]/[2 x 60000].

Table 6-8 NAT Server planning

Item | FW_A | FW_B
Public IP address | 3.3.3.3 | 3.3.3.3
Private IP address | 10.3.0.10 | 10.3.0.10

The FW needs to perform NAT for traffic sent by users connected to the SCG so
that these users can use post-NAT addresses (public addresses) to access Internet
services. NAT saves public address resources and improves intranet security.

The FW usually uses NAT PAT. Table 6-9 describes the NAT address pool planning.
The active and standby firewalls must have the same NAT address pool planning.

Table 6-9 NAT address pool planning

Item | FW_C | FW_D
Security zone | Trust - Untrust | Trust - Untrust
Direction | Outbound | Outbound
Action | source-nat | source-nat
Addresses in the address pool | 1.1.1.6 to 1.1.1.10 | 1.1.1.6 to 1.1.1.10

6.3.2.6 Routes
As shown in Figure 6-5, the egress gateways of the SCG are the FWs at the uplink
and downlink sides of the GGSN. OSPF process 1 is planned on FW_A and FW_B to
connect to the GGSN, and OSPF process 2 is planned on FW_C and FW_D to
connect to the Internet.

The route planning is as follows:

● The FW advertises routes through OSPF.
● A black-hole route is configured on FW_C and FW_D.
● The firewalls work in active/standby mode. Therefore, the recommended
interface cost is 10 on the active firewall and 1000 on the standby firewall.
The firewall adjusts the OSPF cost based on the HRP status to adjust the
routes for service forwarding.

Different costs are set for FW interfaces to advertise the routes from the firewalls to the
SCG to the GGSN and Internet so that return packets will be sent to the active firewalls.
The Holddown timer and Multipath parameter use their default values on the Layer-2
switch at the GGSN side and the router at the Internet.

Figure 6-5 Route Planning

Table 6-10 describes route planning for FW_A and FW_B.

Table 6-10 Route planning

Item | FW_A | FW_B
Protocol type | OSPF | OSPF
Area ID | 0.0.0.0 | 0.0.0.0
Process ID | 1 | 1
Authentication mode | MD5 | MD5
Authentication password | Huawei-123 | Huawei-123
  NOTE: You can set an authentication password as required.
Cost | 10 | 1000
Hello interval | 30s | 30s
OSPF interface mode | P2P | P2P
SPF calculation interval | Default value | Default value
Network segment | 10.2.0.0 0.0.0.255; 10.3.0.0 0.0.0.255 | 10.2.0.0 0.0.0.255; 10.3.0.0 0.0.0.255

Table 6-11 describes route planning for FW_C and FW_D.

Table 6-11 Route planning

Item | FW_C | FW_D
Protocol type | OSPF | OSPF
Area ID | 0.0.0.0 | 0.0.0.0
Process ID | 2 | 2
Authentication mode | MD5 | MD5
Authentication password | Huawei-123 | Huawei-123
  NOTE: You can set an authentication password as required.
Cost | 10 | 1000
Hello interval | 30s | 30s
OSPF interface mode | P2P | P2P
SPF calculation interval | Default value | Default value
Network segment | 10.2.1.0 0.0.0.255; 10.3.1.0 0.0.0.255 | 10.2.1.0 0.0.0.255; 10.3.1.0 0.0.0.255
Black-hole route (configured to avoid routing loops) | Destination addresses: 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10; next-hop address: NULL0 | Destination addresses: 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10; next-hop address: NULL0

6.3.2.7 Others

ASPF
If multi-channel protocols, such as FTP, RTSP, and PPTP, are used between zones,
run the detect command in the interzone view. Recommended detect commands
are as follows:
detect rtsp
detect ftp
detect pptp

The detect qq and detect msn commands are not recommended in the interzone view.

Attack Defense
Attack defense is configured on the FWs to provide security protection.
Recommended attack defense configuration commands are as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

NMS (SNMP)
The Simple Network Management Protocol (SNMP) is the most widely used
network management protocol on TCP/IP networks. On each FW, configure the
SNMP agent so that the NMS server can manage the FWs.

6.4 Precautions
Hot Standby
● In this scenario, only hot standby in active/standby mode is supported.
● The recommended HRP preemption delay is 300s.
● The traffic bandwidth of the heartbeat interface must not be less than 20% of
device traffic.
● The interfaces connecting the FWs at the uplink and downlink sides to the
intranet switches need to be added to link groups.

Routes
● Different costs are set for FW interfaces to advertise the routes from the
firewalls to the SCG to the GGSN and Internet so that return packets will be
sent to the active firewalls.
● The Holddown timer and Multipath parameter use their default values on the
Layer-2 switch at the GGSN side and the router at the Internet.

NAT
You are advised to set the number of public addresses of the downlink firewall to
[Maximum number of online users x 60%]/[2 x 60000].

ASPF
The detect qq and detect msn commands are not recommended in the interzone
view.

Attack Defense
You are advised to use the recommended attack defense configuration.

6.5 Solution Configuration

6.5.1 Procedure


6.5.1.1 Configuring Interfaces and Security Zones

Procedure
Step 1 Configure interfaces and security zones for FW_A.
# Create Eth-Trunk 0 and configure an IP address for it.
<FW_A> system-view
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] description To_FW_B
[FW_A-Eth-Trunk0] ip address 10.10.0.1 24
[FW_A-Eth-Trunk0] quit

# Create Eth-Trunk 1.1 and configure an IP address for it.


[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] quit
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] description To_GGSN1
[FW_A-Eth-Trunk1.1] ip address 10.2.0.1 24
[FW_A-Eth-Trunk1.1] vlan-type dot1q 11
[FW_A-Eth-Trunk1.1] quit

# Create Eth-Trunk 1.2 and configure an IP address for it.


[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] description To_GGSN2
[FW_A-Eth-Trunk1.2] ip address 10.2.2.1 24
[FW_A-Eth-Trunk1.2] vlan-type dot1q 12
[FW_A-Eth-Trunk1.2] quit

# Create Eth-Trunk 2.1 and configure an IP address for it.


[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] description To_SCG
[FW_A-Eth-Trunk2.1] ip address 10.3.0.1 24
[FW_A-Eth-Trunk2.1] vlan-type dot1q 21
[FW_A-Eth-Trunk2.1] quit

# Add GigabitEthernet1/0/0 and GigabitEthernet2/0/1 to Eth-Trunk 0.


[FW_A] interface GigabitEthernet 1/0/0
[FW_A-GigabitEthernet1/0/0] eth-trunk 0
[FW_A-GigabitEthernet1/0/0] quit
[FW_A] interface GigabitEthernet 2/0/1
[FW_A-GigabitEthernet2/0/1] eth-trunk 0
[FW_A-GigabitEthernet2/0/1] quit

# Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.


[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] eth-trunk 1
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] eth-trunk 1
[FW_A-GigabitEthernet1/0/3] quit

# Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.


[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] eth-trunk 2
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] eth-trunk 2
[FW_A-GigabitEthernet1/0/5] quit


# Assign Eth-Trunk 0 to the dmz zone.


[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface Eth-Trunk 0
[FW_A-zone-dmz] quit

# Assign Eth-Trunk 1.1 and Eth-Trunk 1.2 to the untrust zone.


[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Eth-Trunk 1.1
[FW_A-zone-untrust] add interface Eth-Trunk 1.2
[FW_A-zone-untrust] quit

# Assign Eth-Trunk 2.1 to the trust zone.


[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Eth-Trunk 2.1
[FW_A-zone-trust] quit

Step 2 Configure interfaces and security zones for FW_B.


# Create Eth-Trunk 0 and configure an IP address for it.
<FW_B> system-view
[FW_B] interface Eth-Trunk 0
[FW_B-Eth-Trunk0] description To_FW_A
[FW_B-Eth-Trunk0] ip address 10.10.0.2 24
[FW_B-Eth-Trunk0] quit

# Create Eth-Trunk 1.1 and configure an IP address for it.


[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] quit
[FW_B] interface Eth-Trunk 1.1
[FW_B-Eth-Trunk1.1] description To_GGSN1
[FW_B-Eth-Trunk1.1] ip address 10.2.0.2 24
[FW_B-Eth-Trunk1.1] vlan-type dot1q 11
[FW_B-Eth-Trunk1.1] quit

# Create Eth-Trunk 1.2 and configure an IP address for it.


[FW_B] interface Eth-Trunk 1.2
[FW_B-Eth-Trunk1.2] description To_GGSN2
[FW_B-Eth-Trunk1.2] ip address 10.2.2.2 24
[FW_B-Eth-Trunk1.2] vlan-type dot1q 12
[FW_B-Eth-Trunk1.2] quit

# Create Eth-Trunk 2.1 and configure an IP address for it.


[FW_B] interface Eth-Trunk 2
[FW_B-Eth-Trunk2] quit
[FW_B] interface Eth-Trunk 2.1
[FW_B-Eth-Trunk2.1] description To_SCG
[FW_B-Eth-Trunk2.1] ip address 10.3.0.2 24
[FW_B-Eth-Trunk2.1] vlan-type dot1q 21
[FW_B-Eth-Trunk2.1] quit

# Add GigabitEthernet1/0/0 and GigabitEthernet2/0/1 to Eth-Trunk 0.


[FW_B] interface GigabitEthernet 1/0/0
[FW_B-GigabitEthernet1/0/0] eth-trunk 0
[FW_B-GigabitEthernet1/0/0] quit
[FW_B] interface GigabitEthernet 2/0/1
[FW_B-GigabitEthernet2/0/1] eth-trunk 0
[FW_B-GigabitEthernet2/0/1] quit

# Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.


[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] eth-trunk 1


[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] eth-trunk 1
[FW_B-GigabitEthernet1/0/3] quit

# Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.


[FW_B] interface GigabitEthernet 1/0/4
[FW_B-GigabitEthernet1/0/4] eth-trunk 2
[FW_B-GigabitEthernet1/0/4] quit
[FW_B] interface GigabitEthernet 1/0/5
[FW_B-GigabitEthernet1/0/5] eth-trunk 2
[FW_B-GigabitEthernet1/0/5] quit

# Assign Eth-Trunk 0 to the dmz zone.


[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface Eth-Trunk 0
[FW_B-zone-dmz] quit

# Assign Eth-Trunk 1.1 and Eth-Trunk 1.2 to the untrust zone.


[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface Eth-Trunk 1.1
[FW_B-zone-untrust] add interface Eth-Trunk 1.2
[FW_B-zone-untrust] quit

# Assign Eth-Trunk 2.1 to the trust zone.


[FW_B] firewall zone trust
[FW_B-zone-trust] add interface Eth-Trunk 2.1
[FW_B-zone-trust] quit

Step 3 Configure interfaces and security zones for FW_C.


# Create Eth-Trunk 0 and configure an IP address for it.
<FW_C> system-view
[FW_C] interface Eth-Trunk 0
[FW_C-Eth-Trunk0] description To_FW_D
[FW_C-Eth-Trunk0] ip address 10.10.0.3 24
[FW_C-Eth-Trunk0] quit

# Create Eth-Trunk 1.1 and configure an IP address for it.


[FW_C] interface Eth-Trunk 1
[FW_C-Eth-Trunk1] quit
[FW_C] interface Eth-Trunk 1.1
[FW_C-Eth-Trunk1.1] description To_Internet
[FW_C-Eth-Trunk1.1] ip address 10.2.1.1 24
[FW_C-Eth-Trunk1.1] vlan-type dot1q 11
[FW_C-Eth-Trunk1.1] quit

# Create Eth-Trunk 2.1 and configure an IP address for it.


[FW_C] interface Eth-Trunk 2
[FW_C-Eth-Trunk2] quit
[FW_C] interface Eth-Trunk 2.1
[FW_C-Eth-Trunk2.1] description To_SCG
[FW_C-Eth-Trunk2.1] ip address 10.3.1.1 24
[FW_C-Eth-Trunk2.1] vlan-type dot1q 21
[FW_C-Eth-Trunk2.1] quit

# Add GigabitEthernet1/0/0 and GigabitEthernet2/0/1 to Eth-Trunk 0.


[FW_C] interface GigabitEthernet 1/0/0
[FW_C-GigabitEthernet1/0/0] eth-trunk 0
[FW_C-GigabitEthernet1/0/0] quit
[FW_C] interface GigabitEthernet 2/0/1
[FW_C-GigabitEthernet2/0/1] eth-trunk 0
[FW_C-GigabitEthernet2/0/1] quit


# Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.


[FW_C] interface GigabitEthernet 1/0/2
[FW_C-GigabitEthernet1/0/2] eth-trunk 1
[FW_C-GigabitEthernet1/0/2] quit
[FW_C] interface GigabitEthernet 1/0/3
[FW_C-GigabitEthernet1/0/3] eth-trunk 1
[FW_C-GigabitEthernet1/0/3] quit

# Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.


[FW_C] interface GigabitEthernet 1/0/4
[FW_C-GigabitEthernet1/0/4] eth-trunk 2
[FW_C-GigabitEthernet1/0/4] quit
[FW_C] interface GigabitEthernet 1/0/5
[FW_C-GigabitEthernet1/0/5] eth-trunk 2
[FW_C-GigabitEthernet1/0/5] quit

# Assign Eth-Trunk 0 to the dmz zone.


[FW_C] firewall zone dmz
[FW_C-zone-dmz] add interface Eth-Trunk 0
[FW_C-zone-dmz] quit

# Assign Eth-Trunk 1.1 to the untrust zone.


[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface Eth-Trunk 1.1
[FW_C-zone-untrust] quit

# Assign Eth-Trunk 2.1 to the trust zone.


[FW_C] firewall zone trust
[FW_C-zone-trust] add interface Eth-Trunk 2.1
[FW_C-zone-trust] quit

Step 4 Configure interfaces and security zones for FW_D.


# Create Eth-Trunk 0 and configure an IP address for it.
<FW_D> system-view
[FW_D] interface Eth-Trunk 0
[FW_D-Eth-Trunk0] description To_FW_C
[FW_D-Eth-Trunk0] ip address 10.10.0.4 24
[FW_D-Eth-Trunk0] quit

# Create Eth-Trunk 1.1 and configure an IP address for it.


[FW_D] interface Eth-Trunk 1
[FW_D-Eth-Trunk1] quit
[FW_D] interface Eth-Trunk 1.1
[FW_D-Eth-Trunk1.1] description To_Internet
[FW_D-Eth-Trunk1.1] ip address 10.2.1.2 24
[FW_D-Eth-Trunk1.1] vlan-type dot1q 11
[FW_D-Eth-Trunk1.1] quit

# Create Eth-Trunk 2.1 and configure an IP address for it.


[FW_D] interface Eth-Trunk 2
[FW_D-Eth-Trunk2] quit
[FW_D] interface Eth-Trunk 2.1
[FW_D-Eth-Trunk2.1] description To_SCG
[FW_D-Eth-Trunk2.1] ip address 10.3.1.2 24
[FW_D-Eth-Trunk2.1] vlan-type dot1q 21
[FW_D-Eth-Trunk2.1] quit

# Add GigabitEthernet1/0/0 and GigabitEthernet2/0/1 to Eth-Trunk 0.


[FW_D] interface GigabitEthernet 1/0/0
[FW_D-GigabitEthernet1/0/0] eth-trunk 0
[FW_D-GigabitEthernet1/0/0] quit
[FW_D] interface GigabitEthernet 2/0/1
[FW_D-GigabitEthernet2/0/1] eth-trunk 0
[FW_D-GigabitEthernet2/0/1] quit

# Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.


[FW_D] interface GigabitEthernet 1/0/2
[FW_D-GigabitEthernet1/0/2] eth-trunk 1
[FW_D-GigabitEthernet1/0/2] quit
[FW_D] interface GigabitEthernet 1/0/3
[FW_D-GigabitEthernet1/0/3] eth-trunk 1
[FW_D-GigabitEthernet1/0/3] quit

# Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.


[FW_D] interface GigabitEthernet 1/0/4
[FW_D-GigabitEthernet1/0/4] eth-trunk 2
[FW_D-GigabitEthernet1/0/4] quit
[FW_D] interface GigabitEthernet 1/0/5
[FW_D-GigabitEthernet1/0/5] eth-trunk 2
[FW_D-GigabitEthernet1/0/5] quit

# Assign Eth-Trunk 0 to the dmz zone.


[FW_D] firewall zone dmz
[FW_D-zone-dmz] add interface Eth-Trunk 0
[FW_D-zone-dmz] quit

# Assign Eth-Trunk 1.1 to the untrust zone.


[FW_D] firewall zone untrust
[FW_D-zone-untrust] add interface Eth-Trunk 1.1
[FW_D-zone-untrust] quit

# Assign Eth-Trunk 2.1 to the trust zone.


[FW_D] firewall zone trust
[FW_D-zone-trust] add interface Eth-Trunk 2.1
[FW_D-zone-trust] quit

----End

6.5.1.2 Configuring Availability

Procedure
Step 1 Configure the hot standby configuration on FW_A.
# Enable the HRP function.
[FW_A] hrp enable

# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_A] hrp ospf-cost adjust-enable

# Set the preemption delay of the VGMP group.


[FW_A] hrp preempt delay 300

The recommended preemption delay is 300s.

# Configure a heartbeat interface.


[FW_A] hrp interface Eth-Trunk 0 remote 10.10.0.2

# Configure the VGMP group to monitor upstream service interfaces.


[FW_A] hrp track interface Eth-Trunk 1.1
[FW_A] hrp track interface Eth-Trunk 1.2

# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to active.
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 active
[FW_A-Eth-Trunk2.1] quit

# Add the interfaces connected to the intranet switch to a link group.


[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] link-group 1
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] link-group 1
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] link-group 1
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] link-group 1
[FW_A-GigabitEthernet1/0/5] quit

Step 2 Configure the hot standby configuration on FW_B.


# Enable the HRP function.
[FW_B] hrp enable

# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_B] hrp ospf-cost adjust-enable

# Set the preemption delay of the VGMP group.


[FW_B] hrp preempt delay 300

The recommended preemption delay is 300s.

# Configure a heartbeat interface.


[FW_B] hrp interface Eth-Trunk 0 remote 10.10.0.1

# Configure the VGMP group to monitor upstream service interfaces.


[FW_B] hrp track interface Eth-Trunk 1.1
[FW_B] hrp track interface Eth-Trunk 1.2

# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to standby.
[FW_B] interface Eth-Trunk 2.1
[FW_B-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[FW_B-Eth-Trunk2.1] quit

Step 3 Configure the hot standby configuration on FW_C.


# Enable the HRP function.
[FW_C] hrp enable

# Enable the function of adjusting the OSPF cost based on the VGMP group
status.


[FW_C] hrp ospf-cost adjust-enable

# Set the preemption delay of the VGMP group.


[FW_C] hrp preempt delay 300

The recommended preemption delay is 300s.

# Configure a heartbeat interface.


[FW_C] hrp interface Eth-Trunk 0 remote 10.10.0.4

# Configure the VGMP group to monitor upstream service interfaces.


[FW_C] hrp track interface Eth-Trunk 1.1

# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to active.
[FW_C] interface Eth-Trunk 2.1
[FW_C-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 active
[FW_C-Eth-Trunk2.1] quit

# Add the interfaces connected to the intranet switch to a link group.


[FW_C] interface GigabitEthernet 1/0/2
[FW_C-GigabitEthernet1/0/2] link-group 1
[FW_C-GigabitEthernet1/0/2] quit
[FW_C] interface GigabitEthernet 1/0/3
[FW_C-GigabitEthernet1/0/3] link-group 1
[FW_C-GigabitEthernet1/0/3] quit
[FW_C] interface GigabitEthernet 1/0/4
[FW_C-GigabitEthernet1/0/4] link-group 1
[FW_C-GigabitEthernet1/0/4] quit
[FW_C] interface GigabitEthernet 1/0/5
[FW_C-GigabitEthernet1/0/5] link-group 1
[FW_C-GigabitEthernet1/0/5] quit

Step 4 Configure the hot standby configuration on FW_D.

# Enable the HRP function.


[FW_D] hrp enable

# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_D] hrp ospf-cost adjust-enable

# Set the preemption delay of the VGMP group.


[FW_D] hrp preempt delay 300

The recommended preemption delay is 300s.

# Configure a heartbeat interface.


[FW_D] hrp interface Eth-Trunk 0 remote 10.10.0.3

# Configure the VGMP group to monitor upstream service interfaces.


[FW_D] hrp track interface Eth-Trunk 1.1

# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to standby.
[FW_D] interface Eth-Trunk 2.1
[FW_D-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 standby
[FW_D-Eth-Trunk2.1] quit

----End
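As an added consistency check (not part of this document or of any Huawei tool), the following Python script reads the CLI lines of a hot standby pair in the form shown in Step 1 and Step 2 and verifies that the two firewalls mirror each other: HRP enabled on both, the recommended 300s preemption delay on both, each heartbeat "remote" address equal to the address configured on the peer's heartbeat interface, identical tracked interfaces, and one active plus one standby member for the same VRRP virtual IP. The function names are the example's own, and the CLI lines it contains are constructed from the FW_A/FW_B configuration above, together with a deliberately broken copy of FW_B to show what a finding looks like.

```python
import re

# Matches VRP-style CLI lines such as "[FW_A] hrp enable" and
# "HRP_M[FW_A-Eth-Trunk2.1] vrrp vrid 1 ..."; "<FW_A> system-view" does not match.
PROMPT_RE = re.compile(
    r"^(?:HRP_[MS])?\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")


def parse_hrp_config(lines):
    """Extract the hot-standby-relevant settings from one firewall's CLI lines."""
    cfg = {"hrp_enable": False, "preempt_delay": None, "heartbeat": None,
           "remote": None, "track": set(), "vrrp": {}, "ip": {}}
    current_if = None
    for raw in lines:
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        view, words = m.group("view"), m.group("cmd").split()
        if not words:
            continue
        if view is None:                              # system view
            current_if = None
            if words[0] == "interface":
                current_if = "".join(words[1:])       # "Eth-Trunk 0" -> "Eth-Trunk0"
            elif words[:2] == ["hrp", "enable"]:
                cfg["hrp_enable"] = True
            elif words[:3] == ["hrp", "preempt", "delay"]:
                cfg["preempt_delay"] = int(words[3])
            elif words[:2] == ["hrp", "interface"]:   # hrp interface <if> remote <peer-ip>
                r = words.index("remote")
                cfg["heartbeat"] = "".join(words[2:r])
                cfg["remote"] = words[r + 1]
            elif words[:3] == ["hrp", "track", "interface"]:
                cfg["track"].add("".join(words[3:]))
        elif current_if is not None:                  # interface view
            if words[:2] == ["ip", "address"]:
                cfg["ip"][current_if] = words[2]
            elif words[:2] == ["vrrp", "vrid"]:       # vrrp vrid <id> virtual-ip <vip> <role>
                cfg["vrrp"][current_if] = {"vrid": words[2], "vip": words[4], "role": words[5]}
    return cfg


def check_hrp_pair(a, b, expected_delay=300):
    """Return a list of findings; an empty list means the pair mirrors correctly."""
    findings = []
    for name, cfg in (("A", a), ("B", b)):
        if not cfg["hrp_enable"]:
            findings.append(f"{name}: hrp enable is missing")
        if cfg["preempt_delay"] != expected_delay:
            findings.append(f"{name}: preempt delay {cfg['preempt_delay']} != {expected_delay}")
    # each side's "remote" must be the address configured on the peer's heartbeat interface
    for name, me, peer in (("A", a, b), ("B", b, a)):
        peer_ip = peer["ip"].get(peer["heartbeat"])
        if me["remote"] is None or me["remote"] != peer_ip:
            findings.append(f"{name}: heartbeat remote {me['remote']} != peer address {peer_ip}")
    if a["track"] != b["track"]:
        findings.append(f"tracked interfaces differ: {sorted(a['track'])} vs {sorted(b['track'])}")
    for ifname in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        va, vb = a["vrrp"].get(ifname), b["vrrp"].get(ifname)
        if va is None or vb is None:
            findings.append(f"{ifname}: VRRP group configured on only one firewall")
        elif (va["vrid"], va["vip"]) != (vb["vrid"], vb["vip"]):
            findings.append(f"{ifname}: vrid/virtual-ip mismatch")
        elif {va["role"], vb["role"]} != {"active", "standby"}:
            findings.append(f"{ifname}: need exactly one active and one standby member")
    return findings


def audit(a_lines, b_lines):
    return check_hrp_pair(parse_hrp_config(a_lines), parse_hrp_config(b_lines))


# Constructed from the FW_A configuration in this section (not captured from a device).
FW_A_LINES = """
<FW_A> system-view
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] ip address 10.10.0.1 24
[FW_A-Eth-Trunk0] quit
[FW_A] hrp enable
[FW_A] hrp ospf-cost adjust-enable
[FW_A] hrp preempt delay 300
[FW_A] hrp interface Eth-Trunk 0 remote 10.10.0.2
[FW_A] hrp track interface Eth-Trunk 1.1
[FW_A] hrp track interface Eth-Trunk 1.2
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 active
[FW_A-Eth-Trunk2.1] quit
""".splitlines()

# FW_B is the mirror image: its own address on Eth-Trunk 0, FW_A as remote, standby role.
FW_B_LINES = [l.replace("FW_A", "FW_B").replace("10.10.0.1 24", "10.10.0.2 24")
              .replace("remote 10.10.0.2", "remote 10.10.0.1").replace("active", "standby")
              for l in FW_A_LINES]
# A broken FW_B on which the VRRP member was left active (two actives, no standby).
FW_B_BROKEN = [l.replace("standby", "active") for l in FW_B_LINES]

if __name__ == "__main__":
    print("FW_A/FW_B:", audit(FW_A_LINES, FW_B_LINES) or "consistent")
    print("FW_A/FW_B (broken):", audit(FW_A_LINES, FW_B_BROKEN))
```

The same check applies unchanged to FW_C/FW_D, which track only Eth-Trunk 1.1 and use virtual IP 10.3.1.3.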

6.5.1.3 Configuring GRE Tunnels

Procedure
Step 1 Configure GRE tunnels on FW_A and FW_B.

Set the required parameters on the devices at both ends of a GRE tunnel.


For details on security policy configuration, see the related section.

Configure GRE tunnels on FW_A.


HRP_M[FW_A] interface loopback 1
HRP_M[FW_A-loopback1] ospf cost 10
HRP_M[FW_A-loopback1] ip address 10.2.0.10 32
HRP_M[FW_A-loopback1] quit
HRP_M[FW_A] interface loopback 2
HRP_M[FW_A-loopback2] ospf cost 10
HRP_M[FW_A-loopback2] ip address 10.2.0.11 32
HRP_M[FW_A-loopback2] quit
HRP_M[FW_A] interface Tunnel 1
HRP_M[FW_A-Tunnel1] ip address 172.16.2.1 32
HRP_M[FW_A-Tunnel1] quit
HRP_M[FW_A] interface Tunnel 2
HRP_M[FW_A-Tunnel2] ip address 172.16.2.2 32
HRP_M[FW_A-Tunnel2] quit
HRP_M[FW_A] firewall zone name tunnelzone
HRP_M[FW_A-zone-tunnelzone] set priority 20
HRP_M[FW_A-zone-tunnelzone] add interface tunnel 1
HRP_M[FW_A-zone-tunnelzone] add interface tunnel 2
HRP_M[FW_A-zone-tunnelzone] quit
HRP_M[FW_A] ospf 1
HRP_M[FW_A-ospf-1] area 1
HRP_M[FW_A-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255
HRP_M[FW_A-ospf-1-area-0.0.0.1] quit
HRP_M[FW_A-ospf-1] quit
HRP_M[FW_A] interface Tunnel 1
HRP_M[FW_A-Tunnel1] tunnel-protocol gre
HRP_M[FW_A-Tunnel1] source loopback1
HRP_M[FW_A-Tunnel1] destination 10.2.10.1//IP address of the peer tunnel interface
HRP_M[FW_A-Tunnel1] gre key cipher 123456
HRP_M[FW_A-Tunnel1] ospf timer hello 30
HRP_M[FW_A-Tunnel1] quit
HRP_M[FW_A] interface Tunnel 2
HRP_M[FW_A-Tunnel2] tunnel-protocol gre
HRP_M[FW_A-Tunnel2] source loopback2
HRP_M[FW_A-Tunnel2] destination 10.2.11.1//IP address of the peer tunnel interface
HRP_M[FW_A-Tunnel2] gre key cipher 123456
HRP_M[FW_A-Tunnel2] ospf timer hello 30
HRP_M[FW_A-Tunnel2] quit

Configure GRE tunnels on FW_B.


HRP_S[FW_B] interface loopback 1
HRP_S[FW_B-loopback1] ospf cost 1000
HRP_S[FW_B-loopback1] ip address 10.2.0.10 32
HRP_S[FW_B-loopback1] quit
HRP_S[FW_B] interface loopback 2
HRP_S[FW_B-loopback2] ospf cost 1000
HRP_S[FW_B-loopback2] ip address 10.2.0.11 32
HRP_S[FW_B-loopback2] quit
HRP_S[FW_B] interface Tunnel 1
HRP_S[FW_B-Tunnel1] ip address 172.16.2.3 32
HRP_S[FW_B-Tunnel1] quit
HRP_S[FW_B] interface Tunnel 2
HRP_S[FW_B-Tunnel2] ip address 172.16.2.4 32
HRP_S[FW_B-Tunnel2] quit
HRP_S[FW_B] ospf 1
HRP_S[FW_B-ospf-1] area 1
HRP_S[FW_B-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255
HRP_S[FW_B-ospf-1-area-0.0.0.1] quit
HRP_S[FW_B-ospf-1] quit
HRP_S[FW_B] interface Tunnel 1
HRP_S[FW_B-Tunnel1] tunnel-protocol gre
HRP_S[FW_B-Tunnel1] source loopback1
HRP_S[FW_B-Tunnel1] destination 10.2.10.2//IP address of the peer tunnel interface
HRP_S[FW_B-Tunnel1] gre key cipher 123456
HRP_S[FW_B-Tunnel1] ospf timer hello 30
HRP_S[FW_B-Tunnel1] quit
HRP_S[FW_B] interface Tunnel 2
HRP_S[FW_B-Tunnel2] tunnel-protocol gre
HRP_S[FW_B-Tunnel2] source loopback2
HRP_S[FW_B-Tunnel2] destination 10.2.11.2//IP address of the peer tunnel interface
HRP_S[FW_B-Tunnel2] gre key cipher 123456
HRP_S[FW_B-Tunnel2] ospf timer hello 30
HRP_S[FW_B-Tunnel2] quit

----End

6.5.1.4 Configuring Security Policies

Procedure
Step 1 Configure security policies on FW_A and FW_B.

After hot standby is implemented, the security policy configuration on FW_A is
automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

# Configure a Trust-tunnelzone interzone security policy to permit pre-encapsulated
packets.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_tunnelzone_outbound
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] destination-zone tunnelzone
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] action permit
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] quit
HRP_M[FW_A-policy-security] rule name trust_tunnelzone_inbound
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] source-zone tunnelzone
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] destination-zone trust
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] destination-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] action permit
HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] quit

# Configure a Local-DMZ interzone security policy to permit heartbeat packets.

HRP_M[FW_A-policy-security] rule name local_dmz_outbound
HRP_M[FW_A-policy-security-rule-local_dmz_outbound] source-zone local
HRP_M[FW_A-policy-security-rule-local_dmz_outbound] destination-zone dmz
HRP_M[FW_A-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24
HRP_M[FW_A-policy-security-rule-local_dmz_outbound] action permit
HRP_M[FW_A-policy-security-rule-local_dmz_outbound] quit
HRP_M[FW_A-policy-security] rule name local_dmz_inbound
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] source-zone dmz
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-zone local
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] action permit
HRP_M[FW_A-policy-security-rule-local_dmz_inbound] quit

# Configure a Local-Untrust interzone security policy to permit encapsulated GRE
packets. The outbound rule covers GRE packets sent by the FW (local to untrust); the
inbound rule covers GRE packets received by the FW (untrust to local).
HRP_M[FW_A-policy-security] rule name local_untrust_outbound
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-address 10.2.0.0 16
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] action permit
HRP_M[FW_A-policy-security-rule-local_untrust_outbound] quit
HRP_M[FW_A-policy-security] rule name local_untrust_inbound
HRP_M[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
HRP_M[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
HRP_M[FW_A-policy-security-rule-local_untrust_inbound] destination-address 10.2.0.0 16
HRP_M[FW_A-policy-security-rule-local_untrust_inbound] action permit
HRP_M[FW_A-policy-security-rule-local_untrust_inbound] quit

Step 2 Configure security policies on FW_C and FW_D.

After hot standby is implemented, the security policy configuration on FW_C is
automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

# Configure a Local-DMZ interzone security policy to permit heartbeat packets.


HRP_M[FW_C] security-policy
HRP_M[FW_C-policy-security] rule name local_dmz_outbound
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-zone local
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] destination-zone dmz
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] action permit
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] quit
HRP_M[FW_C-policy-security] rule name local_dmz_inbound
HRP_M[FW_C-policy-security-rule-local_dmz_inbound] source-zone dmz
HRP_M[FW_C-policy-security-rule-local_dmz_inbound] destination-zone local
HRP_M[FW_C-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24
HRP_M[FW_C-policy-security-rule-local_dmz_inbound] action permit
HRP_M[FW_C-policy-security-rule-local_dmz_inbound] quit

# Configure a Trust-Untrust interzone security policy.


HRP_M[FW_C-policy-security] rule name trust_untrust_outbound
HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] destination-address 10.2.1.0 24
HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] action permit
HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] quit
HRP_M[FW_C-policy-security] rule name trust_untrust_inbound
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-zone untrust
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] destination-zone trust
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-address 10.2.1.0 24
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] action permit
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] quit

----End
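The rules above follow a naming convention in which a rule called zoneA_zoneB_outbound has source-zone zoneA and destination-zone zoneB, and the matching _inbound rule has the reverse direction. The following Python lint, added here and not part of the Huawei document, parses a constructed copy of such a CLI transcript and reports every rule whose zones contradict its name, the kind of copy-and-paste slip that silently opens the wrong direction; the sample transcript and the HRP prompt pattern are assumptions.

```python
"""Lint security-policy rules from a Huawei HRP CLI transcript (added example).

Checks that <a>_<b>_outbound rules use source-zone a / destination-zone b and
that <a>_<b>_inbound rules use the reverse. Sample input is constructed.
"""
import re

# Constructed transcript in the format of this section. The last rule is
# deliberately mis-directed: it is named *_inbound but has outbound zones.
SAMPLE_TRANSCRIPT = """
HRP_M[FW_C-policy-security] rule name local_dmz_outbound
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-zone local
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] destination-zone dmz
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] action permit
HRP_M[FW_C-policy-security-rule-local_dmz_outbound] quit
HRP_M[FW_C-policy-security] rule name trust_untrust_inbound
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-zone trust
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] destination-zone untrust
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-address 10.2.1.0 24
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] action permit
HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] quit
"""

# Assumed prompt shape: HRP_M[...] or HRP_S[...] followed by the command.
PROMPT = re.compile(r"^HRP_[MS]\[[^\]]*\]\s+")
# Assumed naming convention: <zoneA>_<zoneB>_<inbound|outbound>.
NAME = re.compile(r"^(?P<a>[a-z0-9]+)_(?P<b>[a-z0-9]+)_(?P<dir>inbound|outbound)$")


def parse_rules(transcript):
    """Return {rule_name: {'source-zone': .., 'destination-zone': .., 'action': ..}}."""
    rules, current = {}, None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        tokens = line.split()
        if tokens[:2] == ["rule", "name"] and len(tokens) > 2:
            current = tokens[2]
            rules[current] = {}
        elif current and tokens[0] in ("source-zone", "destination-zone", "action"):
            rules[current][tokens[0]] = " ".join(tokens[1:])
        elif tokens[0] == "quit":
            current = None
    return rules


def expected_direction(rule_name):
    """(source-zone, destination-zone) implied by the rule name, or None."""
    m = NAME.match(rule_name)
    if not m:
        return None
    a, b = m.group("a"), m.group("b")
    return (a, b) if m.group("dir") == "outbound" else (b, a)


def lint(rules):
    """List of (rule_name, problem) for rules whose zones disagree with the name."""
    findings = []
    for name, attrs in rules.items():
        expected = expected_direction(name)
        if expected is None:
            findings.append((name, "name does not follow <a>_<b>_<inbound|outbound>"))
            continue
        actual = (attrs.get("source-zone"), attrs.get("destination-zone"))
        if actual != expected:
            findings.append((name, f"zones {actual} but name implies {expected}"))
    return findings


if __name__ == "__main__":
    for name, problem in lint(parse_rules(SAMPLE_TRANSCRIPT)):
        print(f"{name}: {problem}")
```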

6.5.1.5 Configuring NAT

Procedure
Step 1 Configure the NAT Server function on FW_A and FW_B.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 337


HUAWEI Firewall 6 Application of the Firewalls in the SCG Carrier
Comprehensive Configuration Examples Scenario

After hot standby is implemented, the NAT configuration on FW_A is automatically backed
up to FW_B. You do not need to repeat the configuration on FW_B.
Configure NAT Server based on the service requirements.

Configure the NAT Server function on FW_A.


HRP_M[FW_A] nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80

Step 2 Configure source NAT on FW_C and FW_D.

After hot standby is implemented, the NAT and ASPF configurations on FW_C are
automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.

# Create a NAT address pool on FW_C.


HRP_M[FW_C] nat address-group addressgroup1
HRP_M[FW_C-address-group-addressgroup1] section 1.1.1.6 1.1.1.10
HRP_M[FW_C-address-group-addressgroup1] mode pat
HRP_M[FW_C-address-group-addressgroup1] quit

# Configure a NAT policy. In this section, the source addresses of the packets from
network segment 10.3.1.0/24 at the SCG are translated. Add rules to the NAT
policy as required.
HRP_M[FW_C] nat-policy
HRP_M[FW_C-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-address 10.3.1.0 0.0.0.255
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] quit
HRP_M[FW_C-policy-nat] quit

----End

6.5.1.6 Configuring Routes

Procedure
Step 1 Configure routes on FW_A.
HRP_M[FW_A] acl number 2000
HRP_M[FW_A-acl-basic-2000] description ospf1_import_ggsn
HRP_M[FW_A-acl-basic-2000] rule 5 permit source 221.180.0.0 0.0.0.255//Network segment of GGSN
HRP_M[FW_A-acl-basic-2000] rule 100 deny
HRP_M[FW_A-acl-basic-2000] quit
HRP_M[FW_A] interface eth-Trunk 1
HRP_M[FW_A-Eth-trunk1] ospf cost 10
HRP_M[FW_A-Eth-trunk1] ospf network-type p2p
HRP_M[FW_A-Eth-trunk1] quit
HRP_M[FW_A] ospf 1
HRP_M[FW_A-ospf-1] filter-policy 2000 import
HRP_M[FW_A-ospf-1] area 1
HRP_M[FW_A-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123
HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255
HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255
HRP_M[FW_A-ospf-1-area-0.0.0.1] quit
HRP_M[FW_A-ospf-1] quit

Step 2 Configure routes on FW_B.


After hot standby is implemented, the ACL configuration on FW_A is automatically backed
up to FW_B. You do not need to repeat the configuration on FW_B.
HRP_S[FW_B] interface eth-Trunk 1
HRP_S[FW_B-Eth-trunk1] ospf cost 1000
HRP_S[FW_B-Eth-trunk1] ospf network-type p2p
HRP_S[FW_B-Eth-trunk1] quit
HRP_S[FW_B] ospf 1
HRP_S[FW_B-ospf-1] filter-policy 2000 import
HRP_S[FW_B-ospf-1] area 1
HRP_S[FW_B-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123
HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255
HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255
HRP_S[FW_B-ospf-1-area-0.0.0.1] quit
HRP_S[FW_B-ospf-1] quit

Step 3 Configure routes on FW_C.


HRP_M[FW_C] acl number 2100
HRP_M[FW_C-acl-basic-2100] description ospf1_import_ggsn
HRP_M[FW_C-acl-basic-2100] rule 5 permit source 0.0.0.0 0
HRP_M[FW_C-acl-basic-2100] rule 1000 deny
HRP_M[FW_C-acl-basic-2100] quit
HRP_M[FW_C] interface eth-Trunk 1
HRP_M[FW_C-Eth-trunk1] ospf cost 10
HRP_M[FW_C-Eth-trunk1] ospf network-type p2p
HRP_M[FW_C-Eth-trunk1] quit
HRP_M[FW_C] ospf 2
HRP_M[FW_C-ospf-2] filter-policy 2100 import
HRP_M[FW_C-ospf-2] import-route static
HRP_M[FW_C-ospf-2] area 2
HRP_M[FW_C-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123
HRP_M[FW_C-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255
HRP_M[FW_C-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255
HRP_M[FW_C-ospf-2-area-0.0.0.2] quit
HRP_M[FW_C-ospf-2] quit

# Configure black-hole routes.


HRP_M[FW_C] ip route-static 1.1.1.6 32 NULL 0
HRP_M[FW_C] ip route-static 1.1.1.7 32 NULL 0
HRP_M[FW_C] ip route-static 1.1.1.8 32 NULL 0
HRP_M[FW_C] ip route-static 1.1.1.9 32 NULL 0
HRP_M[FW_C] ip route-static 1.1.1.10 32 NULL 0

Step 4 Configure routes on FW_D.

After hot standby is implemented, the ACL configuration on FW_C is automatically backed
up to FW_D. You do not need to repeat the configuration on FW_D.
HRP_S[FW_D] interface eth-Trunk 1
HRP_S[FW_D-Eth-trunk1] ospf cost 10
HRP_S[FW_D-Eth-trunk1] ospf network-type p2p
HRP_S[FW_D-Eth-trunk1] quit
HRP_S[FW_D] ospf 2
HRP_S[FW_D-ospf-2] filter-policy 2100 import
HRP_S[FW_D-ospf-2] import-route static
HRP_S[FW_D-ospf-2] area 2
HRP_S[FW_D-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123
HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255
HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255
HRP_S[FW_D-ospf-2-area-0.0.0.2] quit
HRP_S[FW_D-ospf-2] quit

# Configure black-hole routes.


HRP_S[FW_D] ip route-static 1.1.1.6 32 NULL 0
HRP_S[FW_D] ip route-static 1.1.1.7 32 NULL 0
HRP_S[FW_D] ip route-static 1.1.1.8 32 NULL 0
HRP_S[FW_D] ip route-static 1.1.1.9 32 NULL 0
HRP_S[FW_D] ip route-static 1.1.1.10 32 NULL 0

----End

6.5.1.7 Others

Procedure
Step 1 Configure ASPF.

After hot standby is implemented, the ASPF configuration on FW_A is automatically backed
up to FW_B. You do not need to repeat the configuration on FW_B.

# Configure ASPF on FW_A.


HRP_M[FW_A] firewall interzone trust untrust
HRP_M[FW_A-interzone-trust-untrust] detect rtsp
HRP_M[FW_A-interzone-trust-untrust] detect ftp
HRP_M[FW_A-interzone-trust-untrust] detect pptp
HRP_M[FW_A-interzone-trust-untrust] quit

After hot standby is implemented, the NAT and ASPF configurations on FW_C are
automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.

# Configure ASPF on FW_C.


HRP_M[FW_C] firewall interzone trust untrust
HRP_M[FW_C-interzone-trust-untrust] detect rtsp
HRP_M[FW_C-interzone-trust-untrust] detect ftp
HRP_M[FW_C-interzone-trust-untrust] detect pptp
HRP_M[FW_C-interzone-trust-untrust] quit

Step 2 Configure attack defense.

After hot standby is implemented, the attack defense configuration on FW_A is
automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

Configure attack defense on FW_A.


HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable

After hot standby is implemented, the attack defense configuration on FW_C is
automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

Configure attack defense on FW_C.

HRP_M[FW_C] firewall defend land enable
HRP_M[FW_C] firewall defend smurf enable
HRP_M[FW_C] firewall defend fraggle enable
HRP_M[FW_C] firewall defend ip-fragment enable
HRP_M[FW_C] firewall defend tcp-flag enable
HRP_M[FW_C] firewall defend winnuke enable
HRP_M[FW_C] firewall defend source-route enable
HRP_M[FW_C] firewall defend teardrop enable
HRP_M[FW_C] firewall defend route-record enable
HRP_M[FW_C] firewall defend time-stamp enable
HRP_M[FW_C] firewall defend ping-of-death enable

Step 3 Configure the NMS (SNMP).

After hot standby is implemented, the SNMP configuration on FW_A is automatically
backed up to FW_B. You do not need to repeat the configuration on FW_B.
You need to refer to the configuration guide of the NMS that is deployed. Make sure the
configuration of authentication parameters on the NMS is consistent with the configuration
on the FWs. Otherwise, the NMS cannot manage the FWs. In this example, SNMPv3 is used
by the FWs and NMS to communicate.

Configure the SNMP version on the FW. This step is optional. By default, SNMPv3
is used. To change the SNMP version, perform this step.
HRP_M[FW_A] snmp-agent sys-info version v3

# Configure an SNMPv3 user group.


HRP_M[FW_A] snmp-agent group v3 NMS1 privacy

# Configure an SNMPv3 user.


HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

# Configure contact information.


HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang

# Configure location information.


HRP_M[FW_A] snmp-agent sys-info location Beijing

# Configure the SNMP alarm function on the FW.


HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy
HRP_M[FW_A] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

After hot standby is implemented, the SNMP configuration on FW_C is automatically
backed up to FW_D. You do not need to repeat the configuration on FW_D.
You need to refer to the configuration guide of the NMS that is deployed. Make sure the
configuration of authentication parameters on the NMS is consistent with the configuration
on the FWs. Otherwise, the NMS cannot manage the FWs. In this example, SNMPv3 is used
by the FWs and NMS to communicate.

Configure the SNMP version on the FW. This step is optional. By default, SNMPv3
is used. To change the SNMP version, perform this step.
HRP_M[FW_C] snmp-agent sys-info version v3

# Configure an SNMPv3 user group.


HRP_M[FW_C] snmp-agent group v3 NMS1 privacy

# Configure an SNMPv3 user.


HRP_M[FW_C] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

# Configure contact information.


HRP_M[FW_C] snmp-agent sys-info contact Mr.zhang

# Configure location information.


HRP_M[FW_C] snmp-agent sys-info location Beijing

# Configure the SNMP alarm function on the FW.


HRP_M[FW_C] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy
HRP_M[FW_C] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

Step 4 For basic network parameter settings and active/standby configurations of the
upstream and downstream switches and routers, see the product documentation
of the switches and routers.

----End

6.5.2 Verification
1. Run the display hrp state command on FW_A to check the HRP status. If the
following information is displayed, HRP is successfully configured.
HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes

2. Run the shutdown command on GigabitEthernet 1/0/2 or GigabitEthernet
1/0/3 of FW_A or FW_C to simulate a link failure. The active/standby
switchover is properly performed, and services are not interrupted.
3. Run the display firewall session table command on FW_A to view address
translation information. RADIUS server address 3.3.3.4 is used as an example.
HRP_M<FW_A> display firewall session table
Current Total Sessions : 1
http VPN:public --> public 3.3.3.4:8080-->3.3.3.3:8080[10.3.0.10:80]

4. Run the display nat-policy rule rule-name command on FW_C to check the
source NAT policy match count. If the value is 1 or greater, there are data
flows matching the source NAT policy.
5. Run the display firewall session table command on FW_C to search for an
entry whose source address is the private address of the SCG. If the entry
exists and the post-NAT IP address exists in the NAT address pool, the NAT
policy is successfully configured. Information in the square brackets ([]) is the
post-NAT IP address and port. Address 3.3.3.30 at the Internet side is used as
an example.
HRP_M<FW_C> display firewall session table
Current Total Sessions : 1
http VPN:public --> public 10.3.1.0:2474[1.1.1.10:3761]-->3.3.3.30:8080

6. If the RADIUS server can access intranet servers, server mappings are
successfully configured.
7. Users can access the Internet by using their mobile phones.


8. The SCG can implement service-based charging and bandwidth control.
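Verification steps 3 and 5 above are read off the session table by eye. The following Python script, added here and not part of the Huawei document, performs the same checks offline on constructed copies of the FW_C address pool and black-hole routes, the FW_A NAT Server mapping, and session-table lines in the format shown above: it confirms that every pool address has a black-hole route, that the post-NAT address in square brackets lies inside the pool, and that a NAT Server session maps the global address/port to the configured inside address/port. The host address 10.3.1.10 in the sample session line is an assumption.

```python
"""Offline checks for the NAT verification steps (added example).

Inputs are constructed copies of the configuration fragments and of the
'display firewall session table' output format used in this section.
"""
import ipaddress
import re

# Constructed: FW_C address pool and the black-hole routes configured for it.
FW_C_CONFIG = """
nat address-group addressgroup1
 section 1.1.1.6 1.1.1.10
 mode pat
ip route-static 1.1.1.6 32 NULL 0
ip route-static 1.1.1.7 32 NULL 0
ip route-static 1.1.1.8 32 NULL 0
ip route-static 1.1.1.9 32 NULL 0
ip route-static 1.1.1.10 32 NULL 0
"""
# Constructed: FW_A NAT Server mapping.
FW_A_CONFIG = "nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80"

# Constructed session-table lines; the source host 10.3.1.10 is assumed.
FW_C_SESSION = "http VPN:public --> public 10.3.1.10:2474[1.1.1.10:3761]-->3.3.3.30:8080"
FW_A_SESSION = "http VPN:public --> public 3.3.3.4:8080-->3.3.3.3:8080[10.3.0.10:80]"

# src:port[nat-src:port]-->dst:port[nat-dst:port]; the bracketed parts are optional.
SESSION_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<nsrc>[\d.]+):(?P<nsport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<ndst>[\d.]+):(?P<ndport>\d+)\])?"
)


def parse_pool(config):
    """All addresses covered by 'section <start> <end>' lines of the address groups."""
    pool = set()
    for m in re.finditer(r"^\s*section\s+([\d.]+)\s+([\d.]+)", config, re.M):
        start, end = (int(ipaddress.IPv4Address(x)) for x in m.groups())
        pool.update(str(ipaddress.IPv4Address(i)) for i in range(start, end + 1))
    return pool


def parse_blackholes(config):
    """Addresses that have a /32 route pointing to NULL 0."""
    return set(re.findall(r"^ip route-static ([\d.]+) 32 NULL 0", config, re.M))


def missing_blackholes(config):
    """Pool addresses without a black-hole route, in address order."""
    missing = parse_pool(config) - parse_blackholes(config)
    return sorted(missing, key=ipaddress.IPv4Address)


def parse_session(line):
    """Split one session-table line into its address/port fields."""
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised session line: " + line)
    return m.groupdict()


def source_nat_ok(session_line, config):
    """Step 5: the post-NAT source address in [] must be a pool address."""
    s = parse_session(session_line)
    return s["nsrc"] is not None and s["nsrc"] in parse_pool(config)


def parse_nat_server(config):
    """Global and inside address/port of a 'nat server ... global ... inside ...' line."""
    m = re.search(r"global ([\d.]+) (\d+) inside ([\d.]+) (\d+)", config)
    if not m:
        raise ValueError("no nat server mapping found")
    return {"global": (m.group(1), m.group(2)), "inside": (m.group(3), m.group(4))}


def nat_server_ok(session_line, config):
    """Step 3: destination global address/port must translate to the inside server."""
    s = parse_session(session_line)
    mapping = parse_nat_server(config)
    return ((s["dst"], s["dport"]) == mapping["global"]
            and (s["ndst"], s["ndport"]) == mapping["inside"])


if __name__ == "__main__":
    print("pool addresses without black-hole route:", missing_blackholes(FW_C_CONFIG))
    print("FW_C source NAT session valid:", source_nat_ok(FW_C_SESSION, FW_C_CONFIG))
    print("FW_A NAT Server session valid:", nat_server_ok(FW_A_SESSION, FW_A_CONFIG))
```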


6.5.3 Configuration Scripts


FW_A:
#
hrp enable
hrp interface Eth-Trunk 0 remote 10.10.0.2
hrp adjust ospf-cost enable
hrp preempt delay 300
hrp track interface Eth-Trunk 1.1
hrp track interface Eth-Trunk 1.2
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
interface Eth-Trunk0
 description To_FW_B
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1.1
 description To_GGSN1
 ip address 10.2.0.1 255.255.255.0
 vlan-type dot1q 11
 ospf cost 10
 ospf network-type p2p
#
interface Eth-Trunk1.2
 description To_GGSN2
 ip address 10.2.2.1 255.255.255.0
 vlan-type dot1q 12
 ospf cost 10
 ospf network-type p2p
#
interface Eth-Trunk2.1
 description To_SCG
 ip address 10.3.0.1 255.255.255.0
 vlan-type dot1q 21
 vrrp vrid 1 virtual-ip 10.3.0.3 24 active
#
interface loopback 1
 ip address 10.2.0.10 32
 ospf cost 10
#
interface loopback 2
 ip address 10.2.0.11 32
 ospf cost 10
#
interface GigabitEthernet1/0/0
 eth-trunk 0
#
interface GigabitEthernet2/0/1
 eth-trunk 0
#
interface GigabitEthernet1/0/2
 eth-trunk 1
 link-group 1
#
interface GigabitEthernet1/0/3
 eth-trunk 1
 link-group 1
#
interface GigabitEthernet1/0/4
 eth-trunk 2
 link-group 1
#
interface GigabitEthernet1/0/5
 eth-trunk 2
 link-group 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2.1
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
 add interface Eth-Trunk1.2
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk0
#
firewall zone tunnelzone
 set priority 20
 add interface tunnel1
 add interface tunnel2
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
#
 rule name trust_tunnelzone_outbound
  source-zone trust
  destination-zone tunnelzone
  source-address 10.3.0.0 24
  action permit
#
 rule name trust_tunnelzone_inbound
  source-zone tunnelzone
  destination-zone trust
  destination-address 10.3.0.0 24
  action permit
#
 rule name local_dmz_outbound
  source-zone local
  destination-zone dmz
  source-address 10.10.0.0 24
  action permit
#
 rule name local_dmz_inbound
  source-zone dmz
  destination-zone local
  destination-address 10.10.0.0 24
  action permit
#
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 10.2.0.0 16
  action permit
#
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 10.2.0.0 16
  action permit
#
nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80
#
acl number 2000
 description ospf1_import_ggsn
 rule 5 permit source 221.180.0.0 0.0.0.255
 rule 100 deny
#
ospf 1
 filter-policy 2000 import
 area 0.0.0.1
  authentication-mode md5 1 cipher Huawei-123
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
#
interface Tunnel1
 ip address 172.16.2.1 32
 tunnel-protocol gre
 source loopback1
 destination 10.2.10.1
 gre key cipher 123456
 ospf timer hello 30
#
interface Tunnel2
 ip address 172.16.2.2 32
 tunnel-protocol gre
 source loopback2
 destination 10.2.11.1
 gre key cipher 123456
 ospf timer hello 30
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return

FW_B:
#
hrp enable
hrp interface Eth-Trunk 0 remote 10.10.0.1
hrp adjust ospf-cost enable
hrp preempt delay 300
hrp track interface Eth-Trunk 1.1
hrp track interface Eth-Trunk 1.2
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
interface Eth-Trunk0
 description To_FW_A
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1.1
 description To_GGSN1
 ip address 10.2.0.2 255.255.255.0
 vlan-type dot1q 11
 ospf cost 1000
 ospf network-type p2p
#
interface Eth-Trunk1.2
 description To_GGSN2
 ip address 10.2.2.2 255.255.255.0
 vlan-type dot1q 12
 ospf cost 1000
 ospf network-type p2p
#
interface Eth-Trunk2.1
 description To_SCG
 ip address 10.3.0.2 255.255.255.0
 vlan-type dot1q 21
 vrrp vrid 1 virtual-ip 10.3.0.3 24 standby
#
interface loopback 1
 ip address 10.2.0.10 32
 ospf cost 1000
#
interface loopback 2
 ip address 10.2.0.11 32
 ospf cost 1000
#
interface GigabitEthernet1/0/0
 eth-trunk 0
#
interface GigabitEthernet2/0/1
 eth-trunk 0
#
interface GigabitEthernet1/0/2
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 eth-trunk 1
#
interface GigabitEthernet1/0/4
 eth-trunk 2
#
interface GigabitEthernet1/0/5
 eth-trunk 2
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2.1
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
 add interface Eth-Trunk1.2
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk0
#
firewall zone tunnelzone
 set priority 20
 add interface tunnel1
 add interface tunnel2
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
#
 rule name trust_tunnelzone_outbound
  source-zone trust
  destination-zone tunnelzone
  source-address 10.3.0.0 24
  action permit
#
 rule name trust_tunnelzone_inbound
  source-zone tunnelzone
  destination-zone trust
  destination-address 10.3.0.0 24
  action permit
#
 rule name local_dmz_outbound
  source-zone local
  destination-zone dmz
  source-address 10.10.0.0 24
  action permit
#
 rule name local_dmz_inbound
  source-zone dmz
  destination-zone local
  destination-address 10.10.0.0 24
  action permit
#
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 10.2.0.0 16
  action permit
#
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 10.2.0.0 16
  action permit
#
nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80
#
acl number 2000
 description ospf1_import_ggsn
 rule 5 permit source 221.180.0.0 0.0.0.255
 rule 100 deny
#
ospf 1
 filter-policy 2000 import
 area 0.0.0.1
  authentication-mode md5 1 cipher Huawei-123
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
#
interface Tunnel1
 ip address 172.16.2.3 32
 tunnel-protocol gre
 source loopback1
 destination 10.2.10.2
 gre key cipher 123456
 ospf timer hello 30
#
interface Tunnel2
 ip address 172.16.2.4 32
 tunnel-protocol gre
 source loopback2
 destination 10.2.11.2
 gre key cipher 123456
 ospf timer hello 30
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return

7 Application of Firewalls in the Core Network PS Domain

7.1 Introduction
This section describes the application of firewalls in the PS security solution. By
analyzing the security issues faced by the mobile core network, this section
provides a typical application solution of the firewall.
This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00
and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X
V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions.
Document content may vary according to version.

7.2 Solution Overview


Introduction to Mobile Core Networks
Figure 7-1 shows the architecture of a mobile network. Data from a mobile
terminal passes through the mobile access/aggregation network (or RAN) and the
mobile core network before it arrives at the Internet.


Figure 7-1 Application of the FW on the mobile core network

The 2G/3G mobile core network includes a Circuit Switched (CS) domain and a
Packet Switched (PS) domain. The CS domain deals with voice services (such as
telephony); the PS domain provides data services (such as Internet access).
Long Term Evolution (LTE) is the evolutionary technology of 3G. Currently, all
mainstream carriers are regarding LTE as the major 4G trend. The LTE network
includes the E-UTRAN (radio access subsystem) and SAE (core network
subsystem). The LTE architecture builds entirely on the PS domain and has no CS
domain of 2G/3G. The LTE core network is also referred to as the Evolved Packet
Core (EPC).

Application of the FW on the Mobile Core Network


Because public IPv4 addresses are limited, private addresses are generally
allocated to mobile terminals on the core network, and public addresses are
normally not allocated. Therefore, where a mobile terminal needs to access the
Internet, address translation is required.
As shown in Figure 7-1, the FW is deployed at the Internet egress of a mobile core
network (the Internet egress of 2G/3G core networks is the Gi interface, and the
Internet egress of 4G core networks is the SGi interface). The FW provides NAT,
inter-zone isolation, and border protection.

Traffic Model
Traffic on the FW comes mainly from the Gi/SGi interface. Some of the traffic is
directly routed to the Internet; other traffic is routed to the WAP gateway (and
then forwarded by the WAP gateway to the Internet). The traffic from the mobile
terminal directly to the Internet is referred to as Internet traffic; the traffic from
the mobile terminal to the WAP gateway is referred to as WAP traffic. Internet
traffic and WAP traffic are collectively referred to as Gi/SGi traffic.


In addition to the Gi/SGi traffic, Gn and Gp traffic sometimes also passes through
the firewall. Gn traffic is the traffic between the local GGSN (P-GW) and SGSN (S-GW).
The paths for various types of service traffic are as follows:
● Internet traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone >
Internet
Packets of the mobile terminal pass through the access/aggregation network
and the core network and arrive at the Gi/SGi interface. Then the FW
performs NAT for the packets and forwards them to the Internet. In this case,
the FW processes the original TCP/UDP packets from the mobile terminal.
● WAP traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone >
WAP gateway
A GRE tunnel is set up directly between the GGSN (P-GW) and WAP gateway.
The traffic is sent to the WAP gateway which serves as a proxy to forward the
packets to the Internet. In this case, the FW processes GRE packets. Such
traffic shrinks on 4G networks.

7.3 Solution Design

7.3.1 Typical Networking


Networking Diagram
Figure 7-2 shows the typical networking of the FW at the Gi/SGi egress of a
mobile core network. The service interface works at Layer 3, and the FW is
connected to the backbone and GGSN/P-GW through routers.


Figure 7-2 Typical networking of the FW in a mobile core network

The following functions are deployed on the FW in the networking:

1. HRP is configured on the FWs so that the FWs work in active/standby mode,
improving network reliability and preventing single points of failure. A
heartbeat link is connected between the two FWs for active/standby
negotiation and status backup.
If a great deal of data needs to be backed up, multiple heartbeat links are
recommended. When a 10GE link serves as an HRP backup channel, it can
support a new session rate of 50,000/s, 5 million concurrent sessions, or 5G of
service traffic. The number of required interfaces is assessed based on the
actual traffic volume. The N+1 backup mode is recommended for the
interfaces. For example, if there are 10 million concurrent sessions, at least
two 10GE links are required as HRP backup channels. During design, three
10GE interfaces are bundled for backup.
2. OSPF is deployed between the FWs and their upstream and downstream
devices. The FWs run in OSPF1 process with their upstream backbone network
and in OSPF2 process with their downstream GGSN network.
The hrp adjust ospf-cost enable command is run to enable the function of
adjusting the OSPF cost based on the active/standby status for HRP-OSPF
association. In normal cases, the cost of OSPF routes advertised by the
standby firewall increases by 65,500 so that the traffic is routed to the active
firewall in priority. When an interface of the FW or the FW itself fails, an
active/standby switchover takes place, and the cost of OSPF routes is
adjusted. The cost of the OSPF route over the primary link increases by
65,500, and the cost of the OSPF route over the backup link decreases, so that
traffic is routed to the original standby firewall in priority, ensuring service
continuity.
3. The hrp track command is configured on the upstream and downstream
interfaces of the FW to monitor these interfaces.
4. Unforced delivery of default routes is configured in OSPF2 process to divert
traffic to the backbone network from the firewall.
5. The HRP track BFD function is configured to detect remote link faults, such as
faults in the link between RouterC and the backbone network.
The bfd cfg-name bind peer-ip peer-ip [ interface interface-type interface-number ]
command is used to bind a BFD session with a peer IP address, and the link to be
detected needs to be specified. The process-interface-status command is used to
associate the BFD session with the bound interface.
If the peer device does not support BFD, IP-link can be used to carry out an
active/standby switchover in case of a fault.

Availability Analysis
Figure 7-3 shows the switchover upon failure of the active firewall FW_A. The
specific process is as follows:
● Switchover upon failure:
FW_A fails, and FW_B becomes active. The OSPF neighbor relationships
between the routers RouterA, RouterC, and FW_A no longer exist, and the
route is switched to FW_B.
● Recovery from failure:
After FW_A recovers from the failure, the OSPF neighbor relationships
between the routers RouterA, RouterC, and FW_A are restored, and FW_A
becomes active. The route is switched back to FW_A, and traffic is routed to
FW_A again.


Figure 7-3 Firewall failure

Figure 7-4 shows the switchover upon failure of the link connecting to the active
firewall FW_A (the link to the backbone or GGSN/P-GW). The specific process
is as follows:

● Switchover upon failure:
When the active link fails, FW_A becomes standby, and its neighbor
relationship with RouterA (RouterC) is torn down. FW_B becomes active, and
the cost of the OSPF routes is adjusted. The route on the right side is selected
in priority, and traffic is switched over to the corresponding link.
● Recovery from failure:
After the link recovers from the failure, FW_A becomes active, and its
neighbor relationship with RouterA (RouterC) is restored. The route is
switched back to FW_A, and the traffic is switched back to the original link.

Figure 7-4 Link failure

7.3.2 Service Planning


Interfaces and Security Zones
To prevent communication failures between active and standby firewalls due to
heartbeat interface faults, using an Eth-Trunk interface as the heartbeat interface
is recommended. For devices on which multiple NICs can be installed (for the
support situation, see the hardware guide), an inter-board Eth-Trunk interface is
required. That is, the member interfaces of the Eth-Trunk interface are on different
LPUs. The inter-board Eth-Trunk improves reliability and increases bandwidth. For
devices that do not support interface expansion or inter-board Eth-Trunk, it is
possible that a faulty LPU may cause all HRP backup channels to be unavailable
and compromise services.
The upstream and downstream physical links must have the same bandwidth that
is greater than the peak traffic. Otherwise, services are affected due to traffic
congestion in case of traffic burst.
Table 7-1 describes the planning of interfaces and security zones on the FWs.

Table 7-1 Planning of interfaces and security zones

Eth-Trunk0 (HRP backup interface)
● FW_A: member ports GE1/0/1 and GE2/0/1; IP address 192.168.3.1/24;
  security zone hrpzone
● FW_B: member ports GE1/0/1 and GE2/0/1; IP address 192.168.3.2/24;
  security zone hrpzone

Eth-Trunk1 (interface connecting to the Internet)
● FW_A: member ports GE2/0/2 and GE2/0/3; IP address 1.1.1.1/24;
  security zone untrust
● FW_B: member ports GE2/0/2 and GE2/0/3; IP address 1.1.2.1/24;
  security zone untrust

Eth-Trunk2 (interface connecting to Gi/SGi services)
● FW_A: member ports GE2/0/4 and GE2/0/5; IP address 10.14.1.1/24;
  security zone trust
● FW_B: member ports GE2/0/4 and GE2/0/5; IP address 10.14.2.1/24;
  security zone trust

Security Policies
Table 7-2 describes the planning of security policies on the FW.


Table 7-2 Planning of security policies
(Item; source zone -> destination zone; description)

Local - Trust
● local -> trust: the security policy for access of the FW to the trust zone,
  which may be set to permit all packets. If a fine-grained policy is
  required, note that OSPF packets should be permitted.
● trust -> local: the security policy for access from the trust zone to the
  FW, which may be set to:
  – Permit packets for login and device management, including SSH and HTTPS
    packets.
  – Permit OSPF packets.

Local - Untrust
● local -> untrust: the security policy for access of the FW to the untrust
  zone, which may be set to permit all packets. If a fine-grained policy is
  required, note that OSPF packets should be permitted.
● untrust -> local: the security policy for access from the untrust zone to
  the FW, which may be set to:
  – Permit packets for login and device management, including SSH and HTTPS
    packets.
  – Permit OSPF packets.

Local - hrpzone
● local -> hrpzone: security policy between the backup interfaces of the
  active and standby firewalls, which can be used for the login switching
  between the firewalls.
● hrpzone -> local: security policy between the backup interfaces of the
  active and standby firewalls, which can be used for the login switching
  between the firewalls.

Trust - Untrust
● trust -> untrust:
  – Configure a rule that permits packets whose source address is a private
    address of a mobile terminal, and configure NAT for the private address.
  – Configure packet filtering for the start GGSN and WAP-side end router of
    a GRE tunnel.
● untrust -> trust: configure packet filtering for the start GGSN and
  WAP-side end router of a GRE tunnel.


Routes
The route planning is as follows:
1. Black-hole routes are configured for NAT addresses, and static routes are
advertised to avoid routing loops.
2. The firewall learns the default route from the Internet-side device and
advertises it to the core-network-side device through non-forced OSPF default
route advertisement, so the default route is advertised only while the
firewall itself holds one. Routing policies also need to be configured: when
the firewall and the Internet-side device import static routes, only the
routes to addresses in the NAT address pool are advertised, and the routes to
the other private addresses are not advertised.
3. The firewall learns the addresses of intranet servers and terminal IP addresses
from the core network side device and advertises the routes of the servers to
the Internet side device. Filtering policies are configured for the firewall and
the core network side device, and the firewall does not need to learn the
default route from the core network side device.
Table 7-3 describes the planning of routes on the FWs.

Table 7-3 Planning of routes

Default routes learned through OSPF
● FW_A: destination address 0.0.0.0/0; next hop 1.1.1.2 (IP address of
  RouterC)
● FW_B: destination address 0.0.0.0/0; next hop 1.1.2.2 (IP address of
  RouterD)

Route to the GGSN side learned through OSPF
● FW_A: destination address 10.20.0.0/16; next hop 10.14.1.2 (IP address of
  RouterA)
● FW_B: destination address 10.20.0.0/16; next hop 10.14.2.2 (IP address of
  RouterB)

Black-hole routes to prevent route loops (identical on FW_A and FW_B)
● Destination addresses: 1.1.10.10, 1.1.10.11, 1.1.10.12, 1.1.10.13,
  1.1.10.14, 1.1.10.15
● Next hop: NULL0

NAT
If the IP address obtained by a mobile terminal is a private address, NAT is
required on the FW. The public address obtained through NAT is used for Internet
access. NAT reduces the use of public addresses and improves the intranet
security.
The usual NAT mode on FWs is PAT. Empirically, one public NAT address can serve
5000 to 10,000 private IP addresses. Table 7-4 describes the planning of the
NAT address pool. The configuration is the same on the active and standby
firewalls.

Table 7-4 Planning of the NAT address pool

Item        FW_A                  FW_B
ID          1                     1
Mode        pat                   pat
Addresses   1.1.10.10-1.1.10.15   1.1.10.10-1.1.10.15

Table 7-5 describes the planning of NAT policies.

Table 7-5 Planning of NAT policies

Item                 FW_A                                FW_B
Security zone        Trust - Untrust                     Trust - Untrust
Direction            Outbound                            Outbound
Match condition      All packets from the 10.10.0.0/16   All packets from the 10.10.0.0/16
                     network segment                     network segment
Action               source-nat                          source-nat
NAT address pool ID  1                                   1

NAT is performed by the FW for FTP, RTSP, and PPTP traffic from mobile terminals
to the Internet. It is necessary to configure ASPF between the zone where the
Gi/SGi interface resides and the Untrust zone to ensure normal functioning of
these applications.

Attack Defense
Attack defense should be enabled on the FW for security defense. The
recommended configuration is as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

Network Management (SNMP)


The Simple Network Management Protocol (SNMP) is the most widely used
network management protocol on TCP/IP networks. An SNMP agent should be
configured on the FW so that the FW can be managed from an NMS server.

Log (eLog)
The eLog server is used to collect NAT session logs for source tracing. Configure
the FW to output session logs to the eLog server, including the log output format,
source address, and source port.


7.4 Precautions
Hot Standby
● The recommended preemption delay of a VGMP group is 300s.
● Hot standby supports only OSPF and BGP route adjustment, but not IS-IS
route adjustment. If OSPF or BGP route adjustment is configured, configure
an interzone policy to permit OSPF or BGP packets.
● In hot standby networking, if the upstream device runs BGP, the downstream
device runs OSPF, and OSPF uses default-route-advertise to generate a
default route, perform the following configurations to avoid loops:
– Change the BGP route priority to a value larger than 10 and smaller than
150.
The default priority of an intra-area route is 10 (highest priority). The
default route is an external route, and its default priority is 150. The
default priority of a BGP route is 255 (lowest priority). If the default
priority is used, the BGP route cannot take effect.
– Configure route filtering to prevent the learning of the default
downstream OSPF route.
If the upstream device learns the default downstream route, the traffic of
the upstream device cannot reach the extranet.
● HRP is associated with routing protocols for cost adjustment. Table 7-6
describes the support for routes.

Table 7-6 Routing protocols for cost adjustment associated with HRP

BGP routes that can be associated with HRP
● By route type:
  1. BGP IPv4 unicast routes
  2. BGP VPNv4 routes
  3. BGP IPv6 unicast routes
● By route origin:
  1. Routes learned from IBGP peers
  2. Routes learned from EBGP peers
  3. Routes learned from other routing protocols
  4. Advertised default routes

OSPF routes that can be associated with HRP
● By route origin:
  1. Direct routes advertised using the network command
  2. Imported external routes
  3. Advertised default routes
● By LSA type:
  1. Type 1 LSA: router LSA
  2. Type 3 LSA: summary LSA
  3. Type 5 LSA: AS-external-LSA
  4. Type 7 LSA: NSSA AS-external-LSA

Security Policies
For security, design the interzone security policies according to the security
policy planning. Do not permit all traffic between zones.

Attack Defense
The recommended configuration should be used.

NAT
● When planning the NAT address pool, keep the ratio of public addresses to
private addresses at about 1:5,000.
● If servers on the core network provide extranet access services, use port-based
mapping, but not one-to-one IP address mapping, when configuring the NAT
server.
● The recommended NAT mode is 5-tuple NAT. If customers require triplet NAT,
contact service or R&D engineers to reassess the solution.
● In load balancing scenarios, both devices process service traffic. If NAT is
configured, the devices may have conflicting public ports in the NAPT mode.
To prevent such conflicts, configure respective NAT port resources for the
devices. You can run the hrp nat resource primary-group command on the
active device. The standby device will automatically generate the hrp nat
resource secondary-group command.
● You are advised to configure blackhole routes for the NAT address pool to
prevent such issues as routing loops.
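The NAT planning rules above (the 1:5,000 rule of thumb and a black-hole route for every pool address) can be checked mechanically. The following Python script is an added example, not part of this Huawei document: it expands the address-group section, sizes the pool at the planning ratio, renders the pool-dependent lines of Step 3 and Step 5 from one pool definition, and flags any pool address that lacks a NULL0 route. The function names and the 30,000-terminal figure are assumptions made for the example.

```python
"""Added example (not Huawei code): check the NAT plan of this chapter and
render the configuration lines that depend on the NAT address pool."""
import ipaddress
import math

# Rule of thumb from the precautions: about one public address per 5,000
# private addresses (one PAT address serves roughly 5,000 to 10,000 terminals).
PRIVATE_PER_PUBLIC = 5000


def expand_section(first, last):
    """Expand an address-group section such as 1.1.10.10 to 1.1.10.15."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("section end precedes section start")
    return [str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]


def public_addresses_needed(private_count, per_public=PRIVATE_PER_PUBLIC):
    """Pool size needed for private_count terminals at the planning ratio."""
    return math.ceil(private_count / per_public)


def render_nat_config(pool, private_segment, group="addressgroup1",
                      prefix="natAddress"):
    """Render the pool-dependent lines of Step 3 and Step 5: the address
    group, the NAT policy, the ip-prefix/route-policy that limits
    'import-route static' to pool addresses, and one NULL0 black-hole route
    per pool address."""
    net = ipaddress.ip_network(private_segment)
    lines = [
        f"nat address-group {group}",
        f" section {pool[0]} {pool[-1]}",
        "nat-policy",
        " rule name trust_untrust_outbound",
        "  source-zone trust",
        "  destination-zone untrust",
        # nat-policy takes a wildcard mask, as in Step 5 of the chapter
        f"  source-address {net.network_address} {net.hostmask}",
        f"  action source-nat address-group {group}",
    ]
    lines += [f"ip ip-prefix {prefix} permit {a} 32" for a in pool]
    lines += ["route-policy PS_NAT permit node 10",
              f" if-match ip-prefix {prefix}"]
    # Without these, a packet for a pool address that matches no NAT session
    # follows the default route back upstream and loops until its TTL expires.
    lines += [f"ip route-static {a} 32 NULL 0" for a in pool]
    return lines


def missing_blackholes(config_lines, pool):
    """Pool addresses without an 'ip route-static <addr> 32 NULL 0' line."""
    covered = set()
    for line in config_lines:
        parts = line.split()
        if parts[:2] == ["ip", "route-static"] and parts[-2:] == ["NULL", "0"]:
            covered.add(parts[2])
    return [a for a in pool if a not in covered]


if __name__ == "__main__":
    pool = expand_section("1.1.10.10", "1.1.10.15")
    # Constructed figure: 30,000 concurrently attached terminals.
    print("pool addresses needed:", public_addresses_needed(30000))
    for line in render_nat_config(pool, "10.10.0.0/16"):
        print(line)
```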

GRE
When the following conditions are met, it is recommended that you enable
selection of the SPU based on the GRE inner packet. In this way, traffic is
evenly distributed across multiple CPUs.

● All traffic is encapsulated over one or more GRE tunnels.
● The number of CPU sessions over a single GRE tunnel is more than 1,000,000.

You can run the firewall gre inner hash enable command to enable the function
of selecting a CPU based on the hash value calculated according to GRE inner
packet information.


Performance
In load-balancing hot standby scenarios, ensure that the traffic does not exceed
70% of the interface bandwidth utilization and SPU CPU processing capability
after being switched to a device. You can run the display interface command to
check the interface bandwidth utilization and the display cpu-usage command to
check the SPU CPU processing capability.

7.5 Solution Configuration

7.5.1 Configuration Procedure


Procedure
Step 1 Configure interfaces and security zones.
1. Configure the interfaces and security zones of FW_A.
# Create Eth-Trunk0, setting its IP address.
<FW_A> system-view
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] description To_FW_B
[FW_A-Eth-Trunk0] ip address 192.168.3.1 24
[FW_A-Eth-Trunk0] undo service-manage enable
[FW_A-Eth-Trunk0] quit

# Create Eth-Trunk1, setting its IP address.


[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] description To_Backbone
[FW_A-Eth-Trunk1] ip address 1.1.1.1 24
[FW_A-Eth-Trunk1] undo service-manage enable
[FW_A-Eth-Trunk1] quit

# Create Eth-Trunk2, setting its IP address.


[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] description To_GI
[FW_A-Eth-Trunk2] ip address 10.14.1.1 24
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] quit

# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 to Eth-Trunk 0.


[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] Eth-Trunk 0
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 2/0/1
[FW_A-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_A-GigabitEthernet2/0/1] quit

# Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.


[FW_A] interface GigabitEthernet 2/0/2
[FW_A-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_A-GigabitEthernet2/0/2] quit
[FW_A] interface GigabitEthernet 2/0/3
[FW_A-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_A-GigabitEthernet2/0/3] quit

# Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk 2.


[FW_A] interface GigabitEthernet 2/0/4
[FW_A-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/4] quit
[FW_A] interface GigabitEthernet 2/0/5
[FW_A-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/5] quit
# Add Eth-Trunk0 to the hrpzone security zone.
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 0
[FW_A-zone-hrpzone] quit
# Add Eth-Trunk1 to the untrust security zone.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Eth-Trunk 1
[FW_A-zone-untrust] quit
# Add Eth-Trunk2 to the trust security zone.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Eth-Trunk 2
[FW_A-zone-trust] quit
2. Configure the interfaces and security zones of FW_B.
# Create Eth-Trunk0, setting its IP address.
<FW_B> system-view
[FW_B] interface Eth-Trunk 0
[FW_B-Eth-Trunk0] description To_FW_A
[FW_B-Eth-Trunk0] ip address 192.168.3.2 24
[FW_B-Eth-Trunk0] undo service-manage enable
[FW_B-Eth-Trunk0] quit
# Create Eth-Trunk1, setting its IP address.
[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] description To_Backbone
[FW_B-Eth-Trunk1] ip address 1.1.2.1 24
[FW_B-Eth-Trunk1] undo service-manage enable
[FW_B-Eth-Trunk1] quit
# Create Eth-Trunk 2, setting its IP address.
[FW_B] interface Eth-Trunk 2
[FW_B-Eth-Trunk2] description To_GI
[FW_B-Eth-Trunk2] ip address 10.14.2.1 24
[FW_B-Eth-Trunk2] undo service-manage enable
[FW_B-Eth-Trunk2] quit
# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 to Eth-Trunk 0.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 2/0/1
[FW_B-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet2/0/1] quit
# Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.
[FW_B] interface GigabitEthernet 2/0/2
[FW_B-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/2] quit
[FW_B] interface GigabitEthernet 2/0/3
[FW_B-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/3] quit
# Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk 2.
[FW_B] interface GigabitEthernet 2/0/4
[FW_B-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/4] quit
[FW_B] interface GigabitEthernet 2/0/5
[FW_B-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/5] quit
# Add Eth-Trunk0 to the hrpzone security zone.
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 0


[FW_B-zone-hrpzone] quit

# Add Eth-Trunk1 to the untrust security zone.


[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface Eth-Trunk 1
[FW_B-zone-untrust] quit

# Add Eth-Trunk2 to the trust security zone.


[FW_B] firewall zone trust
[FW_B-zone-trust] add interface Eth-Trunk 2
[FW_B-zone-trust] quit

Step 2 Configure security policies.


1. Configure the security policies of FW_A.
# Configure the security policy between the local and trust zones.
[FW_A] security-policy
[FW_A-policy-security] rule name local_trust_outbound
[FW_A-policy-security-rule-local_trust_outbound] source-zone local
[FW_A-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_A-policy-security-rule-local_trust_outbound] source-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_outbound] action permit
[FW_A-policy-security-rule-local_trust_outbound] quit
[FW_A-policy-security] rule name local_trust_inbound
[FW_A-policy-security-rule-local_trust_inbound] source-zone trust
[FW_A-policy-security-rule-local_trust_inbound] destination-zone local
[FW_A-policy-security-rule-local_trust_inbound] destination-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_inbound] action permit
[FW_A-policy-security-rule-local_trust_inbound] quit

# Configure the security policy between the local and untrust zones.
[FW_A-policy-security] rule name local_untrust_outbound
[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_A-policy-security-rule-local_untrust_outbound] source-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_outbound] action permit
[FW_A-policy-security-rule-local_untrust_outbound] quit
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound] quit

# Configure the security policy between the local and hrpzone zones.
[FW_A-policy-security] rule name local_hrpzone_outbound
[FW_A-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_A-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_A-policy-security-rule-local_hrpzone_outbound] action permit
[FW_A-policy-security-rule-local_hrpzone_outbound] quit
[FW_A-policy-security] rule name local_hrpzone_inbound
[FW_A-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_A-policy-security-rule-local_hrpzone_inbound] action permit
[FW_A-policy-security-rule-local_hrpzone_inbound] quit

# Configure the security policy between the Trust and Untrust zones,
permitting tunnel packets from mobile terminals to the WAP gateway.
Configure more refined security policies based on site requirements.
[FW_A-policy-security] rule name trust_untrust_outbound1
[FW_A-policy-security-rule-trust_untrust_outbound1] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound1] action permit
[FW_A-policy-security-rule-trust_untrust_outbound1] quit
[FW_A-policy-security] rule name trust_untrust_inbound1
[FW_A-policy-security-rule-trust_untrust_inbound1] source-zone untrust
[FW_A-policy-security-rule-trust_untrust_inbound1] destination-zone trust
[FW_A-policy-security-rule-trust_untrust_inbound1] action permit
[FW_A-policy-security-rule-trust_untrust_inbound1] quit

# Configure the security policy between the trust and untrust zones,
permitting packets from mobile terminals to the Internet. All packets from the
10.10.0.0/16 network segment are matched. In practice, you can add rules as
needed.
[FW_A-policy-security] rule name trust_untrust_outbound2
[FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound2] source-address 10.10.0.0 16
[FW_A-policy-security-rule-trust_untrust_outbound2] action permit
[FW_A-policy-security-rule-trust_untrust_outbound2] quit

2. Configure the security policies of FW_B.


# Configure the security policy between the local and trust zones.
[FW_B] security-policy
[FW_B-policy-security] rule name local_trust_outbound
[FW_B-policy-security-rule-local_trust_outbound] source-zone local
[FW_B-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_B-policy-security-rule-local_trust_outbound] source-address 10.14.2.0 24
[FW_B-policy-security-rule-local_trust_outbound] action permit
[FW_B-policy-security-rule-local_trust_outbound] quit
[FW_B-policy-security] rule name local_trust_inbound
[FW_B-policy-security-rule-local_trust_inbound] source-zone trust
[FW_B-policy-security-rule-local_trust_inbound] destination-zone local
[FW_B-policy-security-rule-local_trust_inbound] destination-address 10.14.2.0 24
[FW_B-policy-security-rule-local_trust_inbound] action permit
[FW_B-policy-security-rule-local_trust_inbound] quit

# Configure the security policy between the local and untrust zones.
[FW_B-policy-security] rule name local_untrust_outbound
[FW_B-policy-security-rule-local_untrust_outbound] source-zone local
[FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_B-policy-security-rule-local_untrust_outbound] source-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_outbound] action permit
[FW_B-policy-security-rule-local_untrust_outbound] quit
[FW_B-policy-security] rule name local_untrust_inbound
[FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_B-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_B-policy-security-rule-local_untrust_inbound] destination-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_inbound] action permit
[FW_B-policy-security-rule-local_untrust_inbound] quit

# Configure the security policy between the local and hrpzone zones.
[FW_B-policy-security] rule name local_hrpzone_outbound
[FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_outbound] action permit
[FW_B-policy-security-rule-local_hrpzone_outbound] quit
[FW_B-policy-security] rule name local_hrpzone_inbound
[FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_inbound] action permit
[FW_B-policy-security-rule-local_hrpzone_inbound] quit

# Configure the security policy between the Trust and Untrust zones,
permitting tunnel packets from mobile terminals to the WAP gateway.
Configure more refined security policies based on site requirements.
[FW_B-policy-security] rule name trust_untrust_outbound1
[FW_B-policy-security-rule-trust_untrust_outbound1] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound1] action permit
[FW_B-policy-security-rule-trust_untrust_outbound1] quit
[FW_B-policy-security] rule name trust_untrust_inbound1
[FW_B-policy-security-rule-trust_untrust_inbound1] source-zone untrust
[FW_B-policy-security-rule-trust_untrust_inbound1] destination-zone trust
[FW_B-policy-security-rule-trust_untrust_inbound1] action permit
[FW_B-policy-security-rule-trust_untrust_inbound1] quit

# Configure the security policy between the trust and untrust zones,
permitting packets from mobile terminals to the Internet. All packets from the
10.10.0.0/16 network segment are matched. In practice, you can add rules as
needed.
[FW_B-policy-security] rule name trust_untrust_outbound2
[FW_B-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound2] source-address 10.10.0.0 16
[FW_B-policy-security-rule-trust_untrust_outbound2] action permit
[FW_B-policy-security-rule-trust_untrust_outbound2] quit

Step 3 Configure routes.

Specify different router IDs for the OSPF processes on the active and standby firewalls
to prevent OSPF route flapping.

1. Configure the OSPF routes of FW_A.


# Configure routing policies to advertise only addresses in the NAT address
pool but not VPN addresses when static routes are imported to the side of the
FW_A connecting the backbone.
[FW_A] ip ip-prefix natAddress permit 1.1.10.10 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.11 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.12 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.13 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.14 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.15 32
[FW_A] route-policy PS_NAT permit node 10
[FW_A-route-policy] if-match ip-prefix natAddress
[FW_A-route-policy] quit
[FW_A] ospf 1 router-id 1.1.1.1
[FW_A-ospf-1] import-route static route-policy PS_NAT
[FW_A-ospf-1] area 0.0.0.0
[FW_A-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] quit
[FW_A-ospf-1] quit

# Configure route filtering policies for the side of the FW_A connecting the
core network so as not to learn the default route.
[FW_A] ip ip-prefix no-default deny 0.0.0.0 0
[FW_A] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
[FW_A] ospf 2 router-id 10.14.1.1
[FW_A-ospf-2] filter-policy ip-prefix no-default import
[FW_A-ospf-2] default-route-advertise
[FW_A-ospf-2] area 0.0.0.0
[FW_A-ospf-2-area-0.0.0.0] network 10.14.1.0 0.0.0.255
[FW_A-ospf-2-area-0.0.0.0] quit
[FW_A-ospf-2] quit

# Configure black-hole routes.


[FW_A] ip route-static 1.1.10.10 32 NULL 0
[FW_A] ip route-static 1.1.10.11 32 NULL 0
[FW_A] ip route-static 1.1.10.12 32 NULL 0
[FW_A] ip route-static 1.1.10.13 32 NULL 0
[FW_A] ip route-static 1.1.10.14 32 NULL 0
[FW_A] ip route-static 1.1.10.15 32 NULL 0
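The two ip-prefix lists above are easy to misread: no-default denies exactly the 0.0.0.0/0 route and then permits every other prefix, while natAddress permits only the six /32 pool routes that import-route static hands to OSPF 1. The following Python script is an added example, not part of this Huawei document; it evaluates ip-prefix entries with the first-match and implicit-deny semantics of the VRP ip-prefix command against the routes of Table 7-3, and the extra 10.30.0.0/16 private route it uses as a negative case is constructed.

```python
"""Added example (not Huawei code): evaluate Huawei-style ip-prefix lists.

Entry semantics assumed here, as documented for the VRP ip-prefix command:
  - the first <len> bits of the route must equal those of <addr>;
  - with neither greater-equal nor less-equal, the mask length must equal
    <len>; 'greater-equal N' alone allows [N, 32]; 'less-equal N' alone
    allows [<len>, N]; both together allow [ge, le];
  - entries are tried in order, the first match decides, and a route that
    matches no entry is denied.
"""
import ipaddress

# The ip-prefix lines configured on FW_A in Step 3 of this chapter.
CHAPTER_LINES = [
    "ip ip-prefix natAddress permit 1.1.10.10 32",
    "ip ip-prefix natAddress permit 1.1.10.11 32",
    "ip ip-prefix natAddress permit 1.1.10.12 32",
    "ip ip-prefix natAddress permit 1.1.10.13 32",
    "ip ip-prefix natAddress permit 1.1.10.14 32",
    "ip ip-prefix natAddress permit 1.1.10.15 32",
    "ip ip-prefix no-default deny 0.0.0.0 0",
    "ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32",
]


def parse_ip_prefix(line):
    """Parse 'ip ip-prefix <name> [index] {permit|deny} <addr> <len>
    [greater-equal N] [less-equal N]' into (name, entry tuple)."""
    parts = line.split()
    if parts[:2] != ["ip", "ip-prefix"] or len(parts) < 6:
        raise ValueError(f"not an ip-prefix line: {line!r}")
    name, rest = parts[2], parts[3:]
    if rest[0].isdigit():          # optional index number
        rest = rest[1:]
    action, addr, length = rest[0], rest[1], int(rest[2])
    if action not in ("permit", "deny") or not 0 <= length <= 32:
        raise ValueError(f"malformed entry: {line!r}")
    ipaddress.IPv4Address(addr)    # raises on a malformed address
    ge = le = None
    opts = rest[3:]
    while opts:
        if len(opts) < 2:
            raise ValueError(f"dangling option in {line!r}")
        key, val, opts = opts[0], int(opts[1]), opts[2:]
        if key == "greater-equal":
            ge = val
        elif key == "less-equal":
            le = val
        else:
            raise ValueError(f"unknown option {key!r} in {line!r}")
    return name, (action, addr, length, ge, le)


def build_prefix_lists(lines):
    """Group parsed entries by list name, preserving configuration order."""
    lists = {}
    for line in lines:
        name, entry = parse_ip_prefix(line)
        lists.setdefault(name, []).append(entry)
    return lists


def entry_matches(entry, route):
    """True if a route such as '10.20.0.0/16' matches one ip-prefix entry."""
    _action, addr, length, ge, le = entry
    net = ipaddress.ip_network(route, strict=False)
    shift = 32 - length            # compare only the first <length> bits
    same_prefix = ((int(net.network_address) >> shift)
                   == (int(ipaddress.IPv4Address(addr)) >> shift))
    lo = ge if ge is not None else length
    hi = le if le is not None else (32 if ge is not None else length)
    return same_prefix and lo <= net.prefixlen <= hi


def prefix_list_action(entries, route):
    """Action of the first matching entry; no match means deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"


def permitted_routes(entries, routes):
    """Routes that pass the list, e.g. what 'import-route static route-policy
    PS_NAT' hands to OSPF 1 when the route-policy matches natAddress."""
    return [r for r in routes if prefix_list_action(entries, r) == "permit"]


if __name__ == "__main__":
    lists = build_prefix_lists(CHAPTER_LINES)
    for route in ("0.0.0.0/0", "10.20.0.0/16"):
        print("no-default", route, prefix_list_action(lists["no-default"], route))
    statics = [f"1.1.10.{h}/32" for h in range(10, 16)] + ["10.30.0.0/16"]
    print("imported into OSPF 1:", permitted_routes(lists["natAddress"], statics))
```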


2. Configure the OSPF routes of FW_B.


# Configure routing policies to advertise only addresses in the NAT address
pool but not VPN addresses when static routes are imported to the side of the
FW_B connecting the backbone.
[FW_B] ip ip-prefix natAddress permit 1.1.10.10 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.11 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.12 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.13 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.14 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.15 32
[FW_B] route-policy PS_NAT permit node 10
[FW_B-route-policy] if-match ip-prefix natAddress
[FW_B-route-policy] quit
[FW_B] ospf 1 router-id 1.1.2.1
[FW_B-ospf-1] import-route static route-policy PS_NAT
[FW_B-ospf-1] area 0.0.0.0
[FW_B-ospf-1-area-0.0.0.0] network 1.1.2.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] quit
[FW_B-ospf-1] quit

# Configure route filtering policies for the side of the FW_B connecting the
core network so as not to learn the default route.
[FW_B] ip ip-prefix no-default deny 0.0.0.0 0
[FW_B] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
[FW_B] ospf 2 router-id 10.14.2.1
[FW_B-ospf-2] filter-policy ip-prefix no-default import
[FW_B-ospf-2] default-route-advertise
[FW_B-ospf-2] area 0.0.0.0
[FW_B-ospf-2-area-0.0.0.0] network 10.14.2.0 0.0.0.255
[FW_B-ospf-2-area-0.0.0.0] quit
[FW_B-ospf-2] quit

# Configure black-hole routes.


[FW_B] ip route-static 1.1.10.10 32 NULL 0
[FW_B] ip route-static 1.1.10.11 32 NULL 0
[FW_B] ip route-static 1.1.10.12 32 NULL 0
[FW_B] ip route-static 1.1.10.13 32 NULL 0
[FW_B] ip route-static 1.1.10.14 32 NULL 0
[FW_B] ip route-static 1.1.10.15 32 NULL 0

Step 4 Complete the availability configuration.


1. Complete the hot standby configuration of FW_A.
# Configure HRP to track the interfaces connecting FW_A to the backbone
and core networks.
[FW_A] hrp track interface Eth-Trunk 1
[FW_A] hrp track interface Eth-Trunk 2

# Enable OSPF cost adjustment based on the HRP state.


[FW_A] hrp adjust ospf-cost enable

# Configure the heartbeat interface.


[FW_A] hrp interface Eth-Trunk 0 remote 192.168.3.2

# Enable HRP.
[FW_A] hrp enable

# Set the preemption delay of the VGMP group to 300s.


[FW_A] hrp preempt delay 300

2. Complete the hot standby configuration of FW_B.


# Configure HRP to track the upstream and downstream interfaces.
[FW_B] hrp track interface Eth-Trunk 1
[FW_B] hrp track interface Eth-Trunk 2
# Enable OSPF cost adjustment based on the HRP state.


[FW_B] hrp adjust ospf-cost enable

# Configure the heartbeat interface.


[FW_B] hrp interface Eth-Trunk 0 remote 192.168.3.1

# Enable HRP.
[FW_B] hrp enable

# Configure the current device as the standby device.


[FW_B] hrp standby-device

Step 5 Configure NAT and ASPF.

After hot standby is enabled, the NAT and ASPF configuration of FW_A is automatically
synchronized to FW_B.

1. Configure NAT for FW_A.
# Create the NAT address pool.
HRP_M[FW_A] nat address-group addressgroup1
HRP_M[FW_A-address-group-addressgroup1] section 1.1.10.10 1.1.10.15
HRP_M[FW_A-address-group-addressgroup1] quit

# Configure the NAT policy. The source addresses of all packets from the
10.10.0.0/16 network segment are translated. In practice, you can add rules as
needed.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 10.10.0.0 0.0.255.255
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group
addressgroup1
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] quit
HRP_M[FW_A-policy-nat] quit

2. Configure ASPF for FW_A.


HRP_M[FW_A] firewall interzone trust untrust
HRP_M[FW_A-interzone-trust-untrust] detect rtsp
HRP_M[FW_A-interzone-trust-untrust] detect ftp
HRP_M[FW_A-interzone-trust-untrust] detect pptp
HRP_M[FW_A-interzone-trust-untrust] quit

Step 6 Configure attack defense.

After hot standby is enabled, the attack defense configuration of FW_A is automatically
synchronized to FW_B.

Configure attack defense for FW_A.


HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable


Step 7 Configure network management (SNMP).


1. Configure network management (SNMP) on FW_A.
# Configure the SNMP version of the FW. This step is optional. By default, the
SNMP version is SNMPv3. Carry out this step if it is not SNMPv3.
HRP_M[FW_A] snmp-agent sys-info version v3

# Configure the SNMPv3 user group.


HRP_M[FW_A] snmp-agent group v3 NMS1 privacy

# Configure the SNMPv3 user.


HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123
privacy-mode aes256 Admin@456

# Configure the contact information.


HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang

# Configure the location information.


HRP_M[FW_A] snmp-agent sys-info location Beijing

# Configure the alarm function of SNMP on the FW.


HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
Admin123 v3 privacy private-netmanager
HRP_M[FW_A] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

2. Configure network management (SNMP) on FW_B.


# Configure the SNMP version of the FW. This step is optional. By default, the
SNMP version is SNMPv3. Carry out this step if it is not SNMPv3.
HRP_S[FW_B] snmp-agent sys-info version v3

# Configure the SNMPv3 user group.


HRP_S[FW_B] snmp-agent group v3 NMS1 privacy

# Configure the SNMPv3 user.


HRP_S[FW_B] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123
privacy-mode aes256 Admin@456

# Configure the contact information.


HRP_S[FW_B] snmp-agent sys-info contact Mr.zhang

# Configure the location information.


HRP_S[FW_B] snmp-agent sys-info location Beijing

# Configure the alarm function of SNMP on the FW.


HRP_S[FW_B] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
Admin123 v3 privacy private-netmanager
HRP_S[FW_B] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

Step 8 Configure the LogCenter.

For the configuration on the LogCenter log server, see the product manual of the
LogCenter. Only the configuration on the FW is described.
After hot standby is enabled, the LogCenter configuration of FW_A is automatically
synchronized to FW_B. However, the source address and source port for log export need to
be configured on FW_B.

1. Configure FW_A.
# Configure a log host. When the log format is syslog, the address of the log
host is 2.2.2.2, and the host port must be 514.


HRP_M[FW_A] firewall log host 1 2.2.2.2 514

# Enable the session log function in the security policy as required. Configure
this function depending on the actual situation.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_untrust
HRP_M[FW_A-policy-security-rule-trust_untrust] session logging
HRP_M[FW_A-policy-security-rule-trust_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_untrust] quit
HRP_M[FW_A-policy-security] quit

# Configure the log output format, concurrent mode, and source address/port
(3.3.3.3/6000) of the logs.
HRP_M[FW_A] firewall log session log-type syslog
HRP_M[FW_A] firewall log session multi-host-mode concurrent
HRP_M[FW_A] firewall log source 3.3.3.3 6000

2. Configure FW_B.
Configure the source address and source port for log export (3.3.3.4/6000).
HRP_S[FW_B] firewall log source 3.3.3.4 6000

----End

7.5.2 Verification
1. Run the display hrp state command on FW_A to view the current HRP state.
The following information indicates that HRP is successfully set up.
HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes

2. Users can browse web pages and receive and send multimedia messages
using mobile terminals.
3. Users can roam normally with their mobile terminals.
4. Run the shutdown command on GigabitEthernet2/0/0 of FW_A to simulate a
link fault. The active/standby switchover is normal without services
interrupted.


7.5.3 Configuration Scripts

FW_A

#
sysname FW_A
#
info-center source default channel 2 log level warning
info-center loghost 10.2.0.10
#
firewall log session log-type syslog
firewall log session multi-host-mode concurrent
firewall log source 3.3.3.3 6000
firewall log host 1 2.2.2.2 514
#
nat address-group 1
 mode pat
 status active
 section 0 1.1.10.10 1.1.10.15
#
hrp enable
hrp interface Eth-Trunk 0 remote 192.168.3.2
hrp adjust ospf-cost enable
hrp preempt delay 300
hrp track interface Eth-Trunk 1
hrp track interface Eth-Trunk 2
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
interface Eth-Trunk0
 description To_FW_B
 ip address 192.168.3.1 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk1
 description To_Backbone
 ip address 1.1.1.1 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk2
 description To_GI
 ip address 10.14.1.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet1/0/1
 eth-trunk 0
#
interface GigabitEthernet2/0/1
 eth-trunk 0
#
interface GigabitEthernet2/0/2
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 eth-trunk 1
#
interface GigabitEthernet2/0/4
 eth-trunk 2
#
interface GigabitEthernet2/0/5
 eth-trunk 2
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
 rule name local_trust_outbound
  source-zone local
  destination-zone trust
  source-address 10.14.1.0 24
  action permit
 rule name local_trust_inbound
  source-zone trust
  destination-zone local
  destination-address 10.14.1.0 24
  action permit
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 1.1.1.0 24
  action permit
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 24
  action permit
 rule name local_hrpzone_outbound
  source-zone local
  destination-zone hrpzone
  source-address 192.168.3.0 24
  action permit
 rule name local_hrpzone_inbound
  source-zone hrpzone
  destination-zone local
  destination-address 192.168.3.0 24
  action permit
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone untrust
  action permit
 rule name trust_untrust_inbound1
  source-zone untrust
  destination-zone trust
  action permit
 rule name trust_untrust_outbound2
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action permit
 rule name trust_untrust
  session logging
  action permit
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
 if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.1
 import-route static route-policy PS_NAT
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
#
ospf 2 router-id 10.14.1.1
 default-route-advertise
 filter-policy ip-prefix no-default import
 area 0.0.0.0
  network 10.14.1.0 0.0.0.255
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.11 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
ip route-static 1.1.10.13 255.255.255.255 NULL0
ip route-static 1.1.10.14 255.255.255.255 NULL0
ip route-static 1.1.10.15 255.255.255.255 NULL0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return

FW_B

#
sysname FW_B
#
info-center source default channel 2 log level warning
info-center loghost 10.2.0.10
#
firewall log session log-type syslog
firewall log session multi-host-mode concurrent
firewall log source 3.3.3.4 6000
firewall log host 1 2.2.2.2 514
#
nat address-group 1
 mode pat
 status active
 section 0 1.1.10.10 1.1.10.15
#
hrp enable
hrp standby-device
hrp interface Eth-Trunk 0 remote 192.168.3.1
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk 1
hrp track interface Eth-Trunk 2
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
interface Eth-Trunk0
 description To_FW_A
 ip address 192.168.3.2 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk1
 description To_Backbone
 ip address 1.1.1.3 255.255.255.0
 undo service-manage enable
#
interface Eth-Trunk2
 description To_GI
 ip address 10.14.1.3 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet1/0/1
 eth-trunk 0
#
interface GigabitEthernet2/0/1
 eth-trunk 0
#
interface GigabitEthernet2/0/2
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 eth-trunk 1
#
interface GigabitEthernet2/0/4
 eth-trunk 2
#
interface GigabitEthernet2/0/5
 eth-trunk 2
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
 rule name local_trust_outbound
  source-zone local
  destination-zone trust
  source-address 10.14.2.0 24
  action permit
 rule name local_trust_inbound
  source-zone trust
  destination-zone local
  destination-address 10.14.2.0 24
  action permit
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 1.1.2.0 24
  action permit
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 1.1.2.0 24
  action permit
 rule name local_hrpzone_outbound
  source-zone local
  destination-zone hrpzone
  source-address 192.168.3.0 24
  action permit
 rule name local_hrpzone_inbound
  source-zone hrpzone
  destination-zone local
  destination-address 192.168.3.0 24
  action permit
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone untrust
  action permit
 rule name trust_untrust_inbound1
  source-zone untrust
  destination-zone trust
  action permit
 rule name trust_untrust_outbound2
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action permit
 rule name trust_untrust
  session logging
  action permit
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.1.10 32
ip ip-prefix natAddress permit 1.1.1.11 32
ip ip-prefix natAddress permit 1.1.1.12 32
ip ip-prefix natAddress permit 1.1.1.13 32
ip ip-prefix natAddress permit 1.1.1.14 32
ip ip-prefix natAddress permit 1.1.1.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
 if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.3
 import-route static route-policy PS_NAT
 area 0.0.0.0
  network 1.1.2.0 0.0.0.255
#
ospf 2 router-id 10.14.1.3
 default-route-advertise
 filter-policy ip-prefix no-default import
 area 0.0.0.0
  network 10.15.1.0 0.0.0.255
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.11 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
ip route-static 1.1.10.13 255.255.255.255 NULL0
ip route-static 1.1.10.14 255.255.255.255 NULL0
ip route-static 1.1.10.15 255.255.255.255 NULL0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return

7.6 Other Solutions


7.6.1 VRRP + OSPF (Active/Standby Backup)

Networking Diagram
As shown in Figure 7-5, the service interfaces of both firewalls work at Layer 3,
connecting to the backbone through routers and to the GGSN/P-GW through
Layer 2 switches. OSPF runs between the firewall and router, and VRRP is enabled
on the interface connecting the firewall to the switch.

The two firewalls work in active/standby mode. Normally, traffic is forwarded by
FW_A. When FW_A fails, traffic is forwarded by FW_B. This ensures that the
services are not interrupted.

Figure 7-5 Active/standby backup with OSPF+VRRP running on the FW


Switchover upon Failure


● When the link to the backbone fails, the HRP track function configured on
the interface lowers the priority of FW_A and triggers an active/standby
switchover. FW_B becomes the active device in the VRRP group, the active route
moves to FW_B, and traffic is switched over.
● The upstream and downstream interfaces of the FW are bound to the same
link group, and the HRP track function is configured to monitor these
interfaces. A fault in the link to the GGSN/P-GW is handled in the same way as
a fault in the link to the backbone network.

Configuration Difference

Item: Interfaces

FW_A:
#
interface Eth-Trunk0
 description TO-FW-B
 ip address 192.168.3.1 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.1.1 255.255.255.0
#
interface Eth-Trunk2
 description TO-GI
 ip address 10.14.1.1 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 active
#

FW_B:
#
interface Eth-Trunk0
 description TO-FW-A
 ip address 192.168.3.2 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.2.1 255.255.255.0
#
interface Eth-Trunk2
 description TO-GI
 ip address 10.14.1.2 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 standby
#

Item: Routes

FW_A:
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 // Configure a default route to the public network
ip route-static x.x.x.x x.x.x.x 10.14.1.5 // Configure a route to the private addresses of mobile terminals to the Gi/SGi interface

FW_B:
ip route-static 0.0.0.0 0.0.0.0 1.1.2.2 // Configure a default route to the public network
ip route-static x.x.x.x x.x.x.x 10.14.1.5 // Configure a route to the private addresses of mobile terminals to the Gi/SGi interface

7.6.2 OSPF (Load Balancing)


Networking Diagram
As shown in Figure 7-6, the service interfaces of both firewalls work at Layer 3
and connect to both the backbone and GGSN/P-GW through routers. OSPF runs
between the firewall and router.
The two firewalls work in active/standby mode. Normally, traffic is forwarded by
FW_A. When FW_A fails, traffic is forwarded by FW_B. This ensures that the
services are not interrupted.


Figure 7-6 OSPF (load sharing) networking

The two firewalls are expected to work in load balancing mode. Normally, FW_A
and FW_B forward traffic together. When one firewall fails, the other firewall
forwards all traffic. The services are not interrupted.

Switchover upon Failure


● When FW_A fails, the OSPF route is switched to FW_B through hot standby so
that the traffic is switched over.
● When FW_B fails, the OSPF route is switched to FW_A through hot standby so
that the traffic is switched over.


Configuration Difference

Item: Hot standby

FW_A:
hrp enable
hrp interface Eth-Trunk0 remote 192.168.3.2
hrp mirror session enable
hrp preempt delay 120
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource primary-group // Set the NAT port segment of the dual firewalls

FW_B:
hrp enable
hrp interface Eth-Trunk0 remote 192.168.3.1
hrp mirror session enable
hrp preempt delay 120
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource secondary-group // Set the NAT port segment of the dual firewalls


8 Application of Firewalls in the CGN Solution

8.1 Introduction
The shortage of public IPv4 addresses entails the transition from IPv4 to IPv6, and
the CGN solution enables smooth transition from IPv4 to IPv6.

This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X
V500R005C00 and can be used as a reference for Eudemon200E-
N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, Eudemon200E-
G&Eudemon1000E-G V600R006C00, and later versions. Document content may
vary according to version.

8.2 Solution Overview


As a new network architecture, the IPv6 network still needs to be improved and
optimized, even though the IPv6 protocol shares many elements with the IPv4
protocol. The transition from the IPv4 network to the IPv6 network is undertaken
step by step. The transition plan must fully consider the conditions of the live
network, make full use of the existing network infrastructure, protect existing
network investments to the maximum extent, and ensure a smooth transition of
user services and support for new services. The dual-stack technology, tunneling
technology, and network address translation (NAT) technology resolve the
network interconnection and Internet resource access issues during the transition
from the IPv4 network to the IPv6 network, and all three are well recognized. The
NAT44(4), DS-Lite, and NAT64 schemes of the NAT technology and the 6RD scheme
of the tunneling technology are widely applied in the industry as recognized
transition schemes.

NAT44
NAT44 is the traditional IPv4 NAT function. It is mainly used to translate
private IPv4 addresses into public IPv4 addresses. The public network address
assignment authority reserves the following network addresses for private
networks:


● 10.0.0.0 to 10.255.255.255
● 172.16.0.0 to 172.31.255.255
● 192.168.0.0 to 192.168.255.255
The addresses on the preceding network segments are not allocated to Internet
users. These addresses are used on private networks. Private network addresses
are not used on the Internet. Hosts assigned with private network addresses
cannot directly access the Internet. With the NAT function, private network
addresses are translated into public network addresses so that the hosts on the
private network can access the Internet. The NAT device allocates a temporary
valid IP address to a host when the host accesses the Internet. In this manner,
hosts can access the Internet without legitimate IP addresses. Therefore, IP address
resources are optimized.
As shown in Figure 8-1, to further save IP address resources, carriers deploy two-
level NAT (NAT444) on the egress gateway at the user side and the egress
gateway at the carrier side. That is, the NAT444 is deployed on the customer
premise equipment (CPE) and carrier grade NAT (CGN).

Figure 8-1 Schematic diagram of NAT444

The NAT function deployed on the CPE translates the user's private network
addresses into the carrier's private network addresses. Then, the NAT function
deployed on the CGN translates the addresses of the carrier private network into
the public network addresses. With two-level NAT on the CPE and CGN, the
NAT444 technology supports three types of addresses, that is, addresses of the
user's private network, carrier's private network addresses, and public network
addresses. The private network addresses cannot conflict with the carrier's private
network addresses. Therefore, the network segments of private networks are
effectively used and the issue about insufficient private network addresses is
avoided.
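The two-level translation and the session-table behaviour described above, as an added Python illustration that is not part of the Huawei document: a CPE-side NAT44 and a CGN-side NAT44 each perform port address translation, keep a session table for the return direction, and the address plan is checked for the overlap the text says must be avoided. All addresses and ports are constructed sample values.

```python
"""NAT444: a subscriber-side NAT44 (CPE) followed by a carrier-side NAT44
(CGN), each doing port address translation (PAT) and keeping a session
table for the return direction. Added illustration; all addresses and
ports are constructed sample values, not taken from the configuration above."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, transport port)


class Nat44Pat:
    """Minimal PAT: translates (inside ip, port) to (pool ip, port) and keeps
    the reverse mapping so a reply can be un-translated."""

    def __init__(self, name: str, inside: str, pool: Sequence[str],
                 first_port: int = 1024, last_port: int = 65535) -> None:
        self.name = name
        self.inside = ipaddress.IPv4Network(inside)
        self.pool = list(pool)
        self.last_port = last_port
        self.next_port: Dict[str, int] = {ip: first_port for ip in self.pool}
        self.fwd: Dict[Endpoint, Endpoint] = {}  # session table, outbound key
        self.rev: Dict[Endpoint, Endpoint] = {}  # session table, inbound key

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate the source of an outbound packet, creating a session
        entry on first use and reusing it afterwards."""
        ip, _ = src
        if ipaddress.IPv4Address(ip) not in self.inside:
            raise ValueError(f"{self.name}: {ip} is not an inside address")
        if src in self.fwd:
            return self.fwd[src]
        pool_ip = self.pool[len(self.fwd) % len(self.pool)]  # round-robin pool
        port = self.next_port[pool_ip]
        if port > self.last_port:
            raise RuntimeError(f"{self.name}: ports on {pool_ip} exhausted")
        self.next_port[pool_ip] = port + 1
        mapped = (pool_ip, port)
        self.fwd[src] = mapped
        self.rev[mapped] = src
        return mapped

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Un-translate the destination of a reply; None means no session
        exists, so the stateful device drops the packet."""
        return self.rev.get(dst)


def nat444_outbound(cpe: Nat44Pat, cgn: Nat44Pat, src: Endpoint) -> List[Endpoint]:
    """Source endpoint as seen at each hop: host, after the CPE, after the CGN."""
    after_cpe = cpe.outbound(src)
    after_cgn = cgn.outbound(after_cpe)
    return [src, after_cpe, after_cgn]


def nat444_inbound(cpe: Nat44Pat, cgn: Nat44Pat, dst: Endpoint) -> Optional[Endpoint]:
    """Walk a reply back through the CGN and then the CPE session tables."""
    at_cgn = cgn.inbound(dst)
    if at_cgn is None:
        return None
    return cpe.inbound(at_cgn)


def address_plan_ok(user_private: str, carrier_private: str) -> bool:
    """The subscriber's private range must not overlap the carrier's private
    range, otherwise the CPE cannot tell local hosts from carrier-side ones."""
    return not ipaddress.IPv4Network(user_private).overlaps(
        ipaddress.IPv4Network(carrier_private))


if __name__ == "__main__":
    # Constructed sample plan: home LAN 192.168.1.0/24 behind a CPE whose WAN
    # side holds the carrier-private address 10.10.5.1; the CGN translates
    # 10.10.0.0/16 to the public pool 1.1.10.10 to 1.1.10.15.
    cpe = Nat44Pat("CPE", "192.168.1.0/24", ["10.10.5.1"])
    cgn = Nat44Pat("CGN", "10.10.0.0/16", [f"1.1.10.{i}" for i in range(10, 16)])
    hops = nat444_outbound(cpe, cgn, ("192.168.1.20", 40000))
    print("outbound:", " -> ".join(f"{ip}:{port}" for ip, port in hops))
    print("reply   :", nat444_inbound(cpe, cgn, hops[-1]))
    print("plan ok :", address_plan_ok("192.168.1.0/24", "10.10.0.0/16"))
```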

Dual Stack
The dual stack technology is the basis for the transition from IPv4 to IPv6. All the
other transition technologies are developed on the basis of the dual stack
technology. When nodes on the network support the IPv4 and IPv6 protocols,
source nodes select different protocol stacks based on different destination nodes.
Network devices use different protocol stacks to process and forward packets
based on the protocol type of each packet. The dual stack technology can be
implemented on a single network device or across a dual-stack network. On a
dual-stack network, all devices must support both IPv4 and IPv6 protocol stacks,
and the interfaces that connect to the dual-stack network must be configured
with both IPv4 and IPv6 addresses. Figure 8-2 shows the schematic diagram of the
dual stack.

Figure 8-2 Schematic diagram of the dual stack

The advantages of the dual stack technology used in the transition from the IPv4
network to the IPv6 network are as follows:

1. On the dual-stack network, IPv6 and IPv4 service data is forwarded on
respective forwarding planes. Logically, two forwarding planes are considered
as two networks to facilitate network deployment. The dual stack technology
supports smooth transition to the IPv6 network.
2. The dual-stack network does not involve interconnection and access between
IPv6 services and IPv4 services. Therefore, the implementation is simple.
3. The dual-stack network is easy to maintain and manage.

6RD Tunneling
The 6RD tunneling technology is based on the existing IPv4 network. It helps users
to deploy the IPv6 access service rapidly. The 6RD tunneling technology is
improved based on the original 6to4 solution. The difference between the two is
that a 6to4 address uses the well-known 2002::/16 as its prefix, whereas a 6RD
prefix is taken from the carrier's own IPv6 address space.

To allow IPv6 users to send packets over carriers' IPv4 network and access IPv6
services and resources, the 6RD solution automatically establishes and removes
the tunnels between CPEs and the CGN gateway. Automatically establishing the
tunnel is completed based on predefining the 6RD prefix.


The 6RD address consists of the 6RD prefix (an IPv6 prefix allocated by the carrier,
with a length between 0 and 32 bits), the IPv4 address, the subnet ID (allocated by
the carrier), and the interface identifier. Figure 8-3 shows the 6RD address format.

Figure 8-3 6RD address format

The 6RD delegated prefix contains the 6RD prefix and part or entire IPv4 address,
and is calculated on the basis of them. The IPv4 address length in the 6RD
delegated prefix is determined by the IPv4 address length configured for the 6RD
tunnel.

Figure 8-4 shows the 6RD tunneling.

Figure 8-4 Schematic diagram of the 6RD tunneling

1. The carrier allocates a 6RD prefix, an IPv4 address, and an IPv4 address of the
CGN (6RD Border Relay) for the user's CPE. The CPE generates its own 6RD
delegated prefix and then delivers it to the IPv6 terminal.
2. Upon receiving a packet sent by the IPv6 terminal, the CPE encapsulates the
IPv6 packet in the IPv4 tunnel and sends it to the CGN. The outer source
address of the tunnel packet is the CPE IPv4 address and the destination
address is the CGN IPv4 address.
3. The CGN decapsulates the received IPv4 tunnel packet and then forwards the
IPv6 packet.

NAT64
The NAT64 technology is mainly applied in the scenario where a single stack host
on the IPv6 network accesses resources on the IPv4 network. As shown in Figure
8-5, the CGN device is deployed between the IPv6 network and the IPv4 network
to bidirectionally translate addresses of the IPv6 and IPv4 networks. The DNS64
devices that support the resolution of IPv4 and IPv6 domain names must be
deployed on the network.


The DNS64 device provides a mapping between domain names and IPv6 addresses,
generates IPv6 addresses by combining the NAT64 prefixes configured on the CGN device
and the IPv4 addresses on the IPv4 server, and generates corresponding AAAA records.

Figure 8-5 Schematic diagram of NAT64

The NAT64 is classified into static NAT64 and dynamic NAT64.


● Static NAT64
The static NAT64 maps IPv6 addresses and IPv4 addresses on the CGN
statically. When an IPv4 host interworks with an IPv6 host, the CGN translates
addresses based on the mapping information. Any host can initiate the
connection to the other host.
● Dynamic NAT64
The dynamic NAT64 uses the dynamic address mapping and upper-layer
protocol mapping methods to translate a large number of IPv6 addresses with
a few IPv4 addresses. The dynamic NAT64 allows only IPv6 users to access the
IPv4 network.
Figure 8-5 shows the process for a host on the IPv6 network accessing a
server on the IPv4 network through a domain name.
a. The IPv6 host obtains the IPv6 address mapped to the domain name of
the IPv4 server. The IPv6 address contains an IPv6 prefix and the IPv4
address of the server. The host uses this IPv6 address as the destination
address when requesting the access to the IPv4 server.
b. If the CGN receives an IPv6 packet containing a NAT64 prefix (predefined
on the CGN), the CGN performs NAT64 translation on the IPv6 packet.
c. The CGN uses the address translation algorithm to extract the IPv4
address from the IPv6 packet. The IPv6 packet is then translated into an
IPv4 packet according to the interzone dynamic NAT64 mapping, using
the IPv4 addresses in the NAT address pool as the source IP addresses of
the resulting IPv4 packets. A session table is generated in this process.
d. The CGN sends the resulting IPv4 packet to the server.
e. The CGN receives the response packet from the IPv4 server, translates the
IPv4 packet into an IPv6 packet according to the session table, and sends
the resulting IPv6 packet to the host.
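The address arithmetic behind two of the schemes above, as an added Python illustration that is not part of the Huawei document: the 6RD delegated prefix a CPE derives from the carrier's 6RD prefix and its own IPv4 address (Figure 8-3 and step 1 of the 6RD procedure), and the NAT64 address that DNS64 synthesizes from the NAT64 prefix and an IPv4 server address and that the CGN later reverses (step a and step c of the NAT64 procedure). It follows the bit layouts of RFC 5969 (6RD) and RFC 6052 (IPv4-embedded IPv6 addresses), which the document does not name; all prefixes and addresses are constructed samples.

```python
"""6RD delegated-prefix derivation (RFC 5969) and NAT64 address synthesis and
extraction (RFC 6052). Added illustration of the 6RD address format and the
DNS64/CGN address handling described above; prefixes and addresses are
constructed sample values."""
import ipaddress
from typing import List, Optional


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int,
                           cpe_ipv4: str) -> ipaddress.IPv6Network:
    """Delegated prefix = 6RD prefix || the (32 - ipv4_mask_len) low-order bits
    of the CPE's IPv4 address. ipv4_mask_len is the number of leading IPv4 bits
    shared by the whole 6RD domain (the IPv4 address length configured for the
    tunnel); a shorter embedded IPv4 part gives the subscriber a larger prefix."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= net.prefixlen <= 32:
        raise ValueError("6RD prefix length must be between 0 and 32")
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    v4_part = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << v4_bits) - 1)
    delegated_len = net.prefixlen + v4_bits
    value = int(net.network_address) | (v4_part << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


_NAT64_PREFIX_LENS = (32, 40, 48, 56, 64, 96)


def _ipv4_byte_positions(prefix_len: int) -> List[int]:
    """Byte offsets that carry the embedded IPv4 address. Byte 8 (bits 64-71,
    the 'u' octet) must stay zero, so it is skipped for prefixes shorter than /96."""
    positions, i = [], prefix_len // 8
    while len(positions) < 4:
        if i == 8:
            i += 1
        positions.append(i)
        i += 1
    return positions


def nat64_synthesize(nat64_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """What DNS64 does: build the AAAA answer for an IPv4-only server by
    embedding its A record inside the NAT64 prefix."""
    net = ipaddress.IPv6Network(nat64_prefix)
    if net.prefixlen not in _NAT64_PREFIX_LENS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    out = bytearray(net.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    for pos, byte in zip(_ipv4_byte_positions(net.prefixlen), v4):
        out[pos] = byte
    return ipaddress.IPv6Address(bytes(out))


def nat64_extract(nat64_prefix: str, dst_ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """What the CGN does on an inbound IPv6 packet: if the destination carries the
    NAT64 prefix, recover the IPv4 server address; otherwise return None, meaning
    the packet is not subject to NAT64 and is forwarded unchanged."""
    net = ipaddress.IPv6Network(nat64_prefix)
    addr = ipaddress.IPv6Address(dst_ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in _ipv4_byte_positions(net.prefixlen)))


if __name__ == "__main__":
    # Constructed: carrier 6RD prefix 2001:db8::/32, whole IPv4 address embedded.
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.1"))  # 2001:db8:c000:201::/64
    # Constructed: well-known NAT64 prefix 64:ff9b::/96 and an IPv4-only server.
    aaaa = nat64_synthesize("64:ff9b::/96", "192.0.2.33")
    print(aaaa, "->", nat64_extract("64:ff9b::/96", str(aaaa)))  # 64:ff9b::c000:221 -> 192.0.2.33
```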

DS-Lite
The dual stack technology is an effective technology used during the transition
from the IPv4 network to the IPv6 network. The dual stack technology, however,
requires the maintenance of both IPv4 and IPv6 networks. In the mid-and-late
phase of the transition, some carriers require the deployment of the IPv6 MAN to
simplify network management and maintenance. Certain emerging carriers
require direct deployment of the IPv6 MAN to provide large-scale IPv6 services
and a few IPv4 services. In this scenario, certain IPv4 nodes need to traverse the
IPv6 network to access the IPv4 network. To fulfill this requirement, the DS-Lite
technology is developed as an IPv6 transition technology.

The DS-Lite system consists of dual-stack hosts and an IPv6 network. As shown in
Figure 8-6, only the CPE and CGN on the DS-Lite network support dual stack.
Other network nodes support only the IPv6 protocol.

Figure 8-6 Schematic diagram of DS-Lite

The CGN must support IPv4 over IPv6 tunneling and NAT44 functions. The CPE
users can obtain IPv6 addresses and private IPv4 addresses so that IPv6 packets
directly traverse the CPE and access the IPv6 Internet. IPv4 packets are transmitted
to the CGN over the IPv4 over IPv6 tunnel and are decapsulated on the CGN. After
the private IPv4 addresses are translated into public network addresses, the
packets are transmitted to the IPv4 Internet. The packet traversing process from
the private IPv4 network to the IPv4 Internet over the IPv6 network is as follows:

1. The carrier supports only IPv6 service access. The IPv6 prefix is allocated to
the CPE. The CPE allocates private IPv4 addresses to internal network users.


2. When a private IPv4 user accesses the IPv4 Internet, an IPv4 packet is sent to
the CPE. The CPE encapsulates the packet and sends it to the CGN over the
IPv4 over IPv6 tunnel.
3. After decapsulating the packet, the CGN translates the IPv4 packet using
NAT44. After translating the private IPv4 address into the IPv4 Internet
address, the CGN sends the packet to the IPv4 network.

Scenarios for Transition Schemes


In practice, carriers weigh factors such as the network, users, services, and
upgrade cost when selecting transition schemes. Multiple transition
technologies can be combined to plan a suitable network transition solution.
The transition solutions and technical methods vary with the number of
available IPv4 addresses, the network status, the development scale of IPv4
and IPv6 users, and the service provisioning status. The network transition
technologies are mainly applied in the following scenarios:
● Scenario 1:
The carrier's network is mainly an IPv4 network and the IPv4 public
addresses are not exhausted. IPv4 traffic still dominates the service traffic.
Service applications have not been migrated to the IPv6 network on a large
scale. The carrier needs to develop a few IPv6 users for commercial network
trials. In this scenario, the transition scheme targets service interconnection
for IPv6 services traversing the IPv4 network. The 6RD and NAT444
technologies are applicable to this scenario.
● Scenario 2:
The carrier's network is a dual-stack network. The dual-stack network mainly
serves IPv4 users and certain IPv6 users and services. Most service
applications have not been migrated to the IPv6 network. IPv4 traffic still
dominates the service traffic. The carrier requires interaction between IPv6
and IPv4 services and migration to the IPv6 network because of insufficient
IPv4 addresses. The transition scheme targets IPv6 service interaction, IPv4
service interaction, and interaction between IPv6 and IPv4 services. The dual
stack, NAT444, and NAT64 technologies are applicable to this scenario.
● Scenario 3:
The backbone MAN of the carrier is an IPv6 network or a dual-stack network
on which IPv6 traffic dominates the service traffic. The networks and services
mainly use the IPv6 protocol. The network also serves certain IPv4 users and
provides IPv4 services. The carrier requires service interaction between IPv4
users and access of the IPv4 users to the IPv6 network. In this scenario, the
transition scheme targets service interconnection for IPv4 services traversing
the IPv6 network and access to IPv6 network resources. The NAT64 and
DS-Lite technologies are applicable to this scenario.

8.3 Scheme 1: 6RD+NAT444


8.3.1 Typical Networking


Networking
Carrier A's live network is an IPv4 network, and its IPv4 public addresses are not
exhausted. To save IPv4 public addresses, carrier A assigns private IPv4
addresses on the internal MAN. To meet growing service requirements, carrier A
needs to develop a few IPv6 users on the live network for trial commercial
network purposes.
The carrier uses the solution shown in Figure 8-7 to meet the preceding
requirements. The solution is as follows:
1. To save public IPv4 addresses, private addresses are allocated to IPv4 users.
The CPE and CGN are configured with the two-level NAT function so that users
on the private IPv4 network can access the IPv4 Internet.
2. For newly developed IPv6/IPv4 dual-stack users, IPv4 traffic is carried over the
IPv4 network and IPv6 traffic is transmitted to the CGN over the 6RD tunnel.
NOTE
The 6RD tunnel is established between the CPE and the CGN.
3. Currently, carrier A needs to develop only a few IPv6 users for the trial
commercial network. Therefore, in network interface planning, only the CPE
and CGN need to be upgraded to dual stack for tunnel establishment. The
devices on the internal MAN do not need to be upgraded, which saves
network reconstruction cost. Because IPv6 service traffic is light and there is
no need for interaction between IPv4 and IPv6 services, the network
configuration can be kept simple.


Figure 8-7 NAT444+6RD networking diagram

Legend: CPE: Customer Premises Equipment; CGN: Carrier Grade NAT; BRAS: Broadband Remote Access Server

● The CPE connects terminal users and allocates addresses to them.
– The CPE allocates private IPv4 addresses to IPv4 users.
– The CPE allocates IPv6 addresses to IPv6 users. The IPv6 address prefix
is the 6RD delegated prefix calculated by the CPE.
In addition, the CPE translates addresses for the private IPv4 users and
establishes a 6RD tunnel with the CGN.
● As the egress gateway of the MAN, the CGN translates addresses so that
private IPv4 users can access the IPv4 Internet, and terminates the 6RD tunnel
so that IPv6 users can access the IPv6 Internet.
● As a device at the aggregation layer, the BRAS allocates IPv4 addresses to the
CPEs so that they can connect to the MAN.

Application of the FW in the Networking

The FW serves as the CPE and the CGN in this scenario and provides the
following functions:
● Providing the NAT function
To save public IP addresses, the carrier uses private addresses internally.
Therefore, address translation must be configured on both the CPE and the
CGN so that users with private addresses can reach the IPv4 Internet through
two translations.
● Providing the tunneling function
A 6RD tunnel is established between the CGN and the CPE so that IPv6 users
can access the IPv6 Internet over the IPv4 network.
● Providing dual-stack routing
The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore,
they must support both the IPv4 and IPv6 protocol stacks.

8.3.2 Service Planning


Requirements Analysis

Table 8-1 Scheme Implementation Analysis

Scheme: The 6RD tunneling technology is used to access IPv6 services.
Advantage: Compared with other IPv6 over IPv4 tunneling technologies, 6RD tunneling has the following advantages:
● 6RD is an improvement of the 6to4 tunneling technology and inherits all the advantages of 6to4, for example, point-to-multipoint connection and automatic discovery of the remote end of a tunnel.
● Unlike 6to4, 6RD uses the carriers' own IPv6 prefixes rather than the well-known 2002::/16 prefix. Therefore, different carriers can deploy 6RD tunnels with different prefixes, which facilitates network planning.
Implementation: Implement the following configurations on the CGN and CPE:
● CGN
– Create a tunnel interface.
– Set the tunnel encapsulation mode to 6RD.
– Specify the source address or source interface of the 6RD tunnel.
– Set the 6RD prefix and prefix length.
– Set the IPv4 prefix length for the 6RD tunnel.
– Configure the IPv6 address of the tunnel interface using the calculated delegated prefix.
● CPE
Different from the CGN, the 6RD BR IPv4 address must also be configured on the CPE. In this case, that address is the private IPv4 address used by the CGN to connect to the internal MAN.

Scheme: Two-level NAT (NAT444) is used to enable private IPv4 users to access the IPv4 Internet.
Advantage: Without upgrading the live network to IPv6, NAT444 can be deployed to resolve the IPv4 address shortage. IPv4-based NAT technology is mature and widely applied on IPv4 networks. Therefore, the two-level NAT444 scheme is a feasible transition scheme.
Implementation: Deploy two-level NAT on the CPE and the CGN.
● Set the NAT mode of the CPE to Easy IP, that is, replace the source IP address in a packet with the address of the outbound interface.
● The CGN translates addresses using NAPT, which requires a public address pool to be configured. On the CGN, a block of ports is pre-allocated to each CPE, which simplifies user tracing.
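How pre-allocated port blocks make user tracing possible on the CGN, as an added example in Python (not code from this document or from Huawei). It uses the CGN address pool of Table 8-2 (public addresses 1.1.2.1 to 1.1.2.5, 256 ports per CPE); the sequential block assignment and the 1024-65535 usable port range are assumptions of this model, not the firewall's actual allocation algorithm.

```python
"""NAT444 port-block pre-allocation model (added example, not Huawei code).

Models the CGN address pool of Table 8-2: public addresses 1.1.2.1-1.1.2.5 and a
pre-allocated block of 256 ports per CPE. The sequential block order and the
usable port range below are assumptions of this model. The point it shows: with
a fixed block per CPE, the operator can map a public (address, port) seen on the
Internet side back to the CPE from the block ownership table alone, without
logging every NAT session.
"""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

PORT_MIN, PORT_MAX = 1024, 65535  # assumed usable port range per public address


class PortBlockPool:
    def __init__(self, first: str, last: str, block_size: int) -> None:
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.addresses = [IPv4Address(i) for i in range(lo, hi + 1)]
        self.block_size = block_size
        self.blocks_per_address = (PORT_MAX - PORT_MIN + 1) // block_size
        self.next_block = 0
        self.owner: Dict[int, str] = {}  # block index -> CPE private address

    def capacity(self) -> int:
        """Number of CPEs the pool can serve at once (a planning figure)."""
        return len(self.addresses) * self.blocks_per_address

    def block_range(self, idx: int) -> Tuple[str, int, int]:
        """Public address and inclusive port range of block number idx."""
        addr = self.addresses[idx // self.blocks_per_address]
        start = PORT_MIN + (idx % self.blocks_per_address) * self.block_size
        return str(addr), start, start + self.block_size - 1

    def allocate(self, cpe_private_ip: str) -> Tuple[str, int, int]:
        """Give the next free block to a CPE (its address after CPE NAT, e.g. 10.1.1.1)."""
        if self.next_block >= self.capacity():
            raise RuntimeError("address pool exhausted")
        idx = self.next_block
        self.next_block += 1
        self.owner[idx] = cpe_private_ip
        return self.block_range(idx)

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """Map a public (address, port) back to the CPE that owns its block."""
        try:
            a = self.addresses.index(IPv4Address(public_ip))
        except ValueError:
            return None  # not one of our pool addresses
        if not PORT_MIN <= port <= PORT_MAX:
            return None  # outside the pre-allocated range
        idx = a * self.blocks_per_address + (port - PORT_MIN) // self.block_size
        return self.owner.get(idx)


if __name__ == "__main__":
    pool = PortBlockPool("1.1.2.1", "1.1.2.5", 256)
    print("CPEs supported by the pool:", pool.capacity())
    print("CPE 10.1.1.1 gets", pool.allocate("10.1.1.1"))
    print("CPE 10.1.1.3 gets", pool.allocate("10.1.1.3"))
    # Constructed abuse report: "1.1.2.1:1300 at 10:42" -> which CPE?
    print("1.1.2.1:1300 belongs to CPE", pool.trace("1.1.2.1", 1300))
```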

Data Planning
Figure 8-8 shows the networking diagram with data to facilitate configurations
and understanding.

Figure 8-8 NAT444+6RD networking diagram with data


Table 8-2 describes the general network data planning.

Table 8-2 Data planning

| Device | Item | IP Address | Description |
|---|---|---|---|
| CPE | GE1/0/0 (Trust zone) | IPv4 private address: 192.168.0.1/24 | GE1/0/0 (Trust zone) is used to connect to the private IPv4 user. |
| CPE | GE1/0/1 (Trust zone) | The prefix is allocated based on the calculated 6RD delegated prefix. In this case, the 6RD delegated prefix is 22:0:101:100::/56. The address of the GE1/0/1 interface is set to 22:0:101:101::1/64. | IPv6 users on the CPE belong to the same 6RD domain. |
| CPE | GE1/0/2 (Untrust zone) | Private IPv4 address of the carrier: 10.1.1.1/24 | GE1/0/2 (Untrust zone) is used to connect to the MAN of the carrier. Assume that the next hop address that connects to the MAN is 10.1.1.2. |
| CPE | Tunnel1 interface (Untrust zone) | 6RD prefix: 22::/32. IPv4 prefix length: 8. NOTE: The IPv4 prefix length of the 6RD tunnel may differ from the mask length of the interface. The number of IPv4 address bits embedded in the IPv6 address equals 32 minus the IPv4 prefix length. IPv6 address: calculated from the 6RD delegated prefix and the source address of the 6RD tunnel. In this case, the 6RD delegated prefix is 22:0:101:100::/56, and the address of the Tunnel1 interface is set to 22:0:101:100::1/56. 6RD BR IPv4 address: 10.1.2.1/24 | The Tunnel1 interface (Untrust zone) is used to create a 6RD tunnel with the CGN. |
| CPE | Address pool | The address of the GE1/0/2 interface is used as the translated address. | The address pool is used to translate the private IPv4 addresses of the users to the private IPv4 address of the carrier. |
| CGN | GE1/0/0 (Untrust zone) | IPv4 Internet address: 1.1.1.1/24 | GE1/0/0 (Untrust zone) is used to connect to the IPv4 Internet. Assume that the next hop address is 1.1.1.2/24. |
| CGN | GE1/0/1 (Untrust zone) | IPv6 address: 3000::1/64 | GE1/0/1 (Untrust zone) is used to connect to the IPv6 Internet. |
| CGN | GE1/0/2 (Trust zone) | IPv4 private address: 10.1.2.1/24 | GE1/0/2 (Trust zone) is used to connect to the MAN of the carrier. Assume that the next hop address that connects to the MAN is 10.1.2.2. |
| CGN | Tunnel1 interface (Trust zone) | 6RD prefix: 22::/32. IPv4 prefix length: 8. NOTE: The IPv4 prefix length of the 6RD tunnel may differ from the mask length of the interface. The number of IPv4 address bits embedded in the IPv6 address equals 32 minus the IPv4 prefix length. IPv6 address: calculated from the 6RD delegated prefix and the source address of the 6RD tunnel. In this case, the 6RD delegated prefix is 22:0:102:100::/56, and the address of the Tunnel1 interface is set to 22:0:102:100::1/56. | The Tunnel1 interface (Trust zone) is used to create a 6RD tunnel with the CPE. |
| CGN | Address pool | Addresses in the address pool: 1.1.2.1 to 1.1.2.5. The size of the pre-allocated port block is 256 bytes. | The address pool is used to translate the private IPv4 addresses of the carrier to the public IPv4 addresses. |
| PC1 | – | IPv4 private address: 192.168.0.2/24 | – |
| PC2 | – | IPv6 address: 22:0:101:100::2/64 | The address prefix is the 6RD delegated prefix calculated by the CPE. |
| PC3 | – | IPv6 address: 3000::2/64 | – |
| FTP Server | – | IPv4 Internet address: 1.1.3.1/32 | – |

Table 8-3 describes the IPv4 route planning.

Table 8-3 IPv4 route planning

| Item | Routing Protocol | Destination Network Segment | Next Hop Address | Description |
|---|---|---|---|---|
| CPE | Static IPv4 route | 10.1.2.0/24 | 10.1.1.2 | Route connecting the CPE to the MAN interface of the CGN |
| CGN | Static IPv4 route | 10.1.1.0/24 | 10.1.2.2 | Route connecting the CGN to the MAN interface of the CPE |
| CGN | Static IPv4 route | 1.1.3.1/32 | 1.1.1.2 | Route connecting the CGN to the server on the IPv4 Internet |

Table 8-4 describes the IPv6 route planning.

Table 8-4 IPv6 route planning

| Item | Routing Protocol | Destination Network Segment | Next Hop Address and Interface | Description |
|---|---|---|---|---|
| CPE | Static IPv6 route | 22::/32 | Tunnel1 interface | Route from the CPE to the 6RD tunnel interface of the CGN |
| CPE | Static IPv6 route | 3000::/64 | 22:0:102:100::1 | Route connecting the CPE to the IPv6 network interface of the CGN |
| CGN | Static IPv6 route | 22::/32 | Tunnel1 interface | Route connecting the CGN to the 6RD tunnel interface and 6RD domain of the CPE |

8.3.3 Precautions
When the Eudemon8000E-X serves as the CGN, if port pre-allocation is configured,
the hash-based CPU selection mode must be source address hash.

8.3.4 Configuration Flow


Table 8-5 shows the configuration flow of the solution.


Table 8-5 Configuration flow

| Item | Procedure | Operation | Description |
|---|---|---|---|
| CPE | 1 | Configure the uplink and downlink interface data. | Mandatory. You can configure the data based on the actual interface and IP address planning. |
| CPE | 2 | Configure the NAT function. | Mandatory. You can set the NAT mode for the interface IP addresses to NAPT (Easy IP). The private IPv4 addresses of the users are translated into the private IPv4 addresses of the carrier. |
| CPE | 3 | Configure the 6RD tunnel. | Mandatory. The 6RD tunnel that connects to the CGN is created to implement the interaction between IPv6 users. |
| CPE | 3.1 | Specify the encapsulation type of the tunnel. | Mandatory. The encapsulation type of the tunnel is ipv6-ipv4 6rd. |
| CPE | 3.2 | Specify the source address or source interface of the tunnel. | Mandatory. ● It specifies the source address or source interface of the 6RD tunnel. You can specify the IPv6 address of the interface that is connected to the IPv6 network as the source address of the tunnel, or directly specify the interface as the source interface. ● You can specify either a physical interface or a logical interface such as the loopback interface as the source interface of the tunnel. |
| CPE | 3.3 | Set the 6RD prefix and prefix length. | Mandatory. It is the IPv6 address prefix used by the carrier and serves as a part of the 6RD delegated prefix. |
| CPE | 3.4 | Set the IPv4 prefix length for the 6RD tunnel. | Mandatory. The IPv4 prefix length indicates how many high-order bits are removed from the source IPv4 address of the tunnel; the remaining bits form a part of the 6RD delegated prefix. |
| CPE | 3.5 | Specify the 6RD BR IPv4 address. | Mandatory. Different from the CGN, the CPE requires a specific 6RD BR IPv4 address, that is, the private IPv4 address (10.1.2.1/24) that connects the CGN to the internal MAN. |
| CPE | 3.6 | Configure the interface address of the 6RD tunnel. | Mandatory. The interface address of the 6RD tunnel is configured based on the 6RD delegated prefix, which includes the 6RD prefix and a part of or the entire IPv4 address. |
| CPE | 4 | Configure routes. | Mandatory. Routes include the IPv4 service route and IPv6 service route. You can configure the routes based on the route planning in 8.3.2 Service Planning. |
| CGN | 1 | Configure the uplink and downlink interface data. | Mandatory. You can configure the data based on the actual interface and IP address planning. |
| CGN | 2 | Configure the NAT function. | Mandatory. The NAT function is used to translate private IPv4 addresses of the carrier to the public IPv4 address. |
| CGN | 2.1 | Configure the NAT address pool. | Mandatory. The NAT address pool is a collection of consecutive IP addresses. When a packet from the private network reaches the public network through NAT, an address in the NAT address pool is selected as the IP address after translation. Set the pre-allocated port block size in the address pool so that port resources for NAT are pre-allocated to the CPE. |
| CGN | 2.2 | Configure the NAT policy. | Mandatory. Specify the security interzone in which the NAT policy takes effect and the NAT address pool referenced in the NAT policy. |
| CGN | 3 | Configure the 6RD tunnel. | Mandatory. The 6RD tunnel that connects to the CPE is created to implement the interaction between IPv6 users. |
| CGN | 3.1 | Specify the encapsulation type of the tunnel. | Mandatory. The encapsulation type of the tunnel is ipv6-ipv4 6rd. |
| CGN | 3.2 | Specify the source address or source interface of the tunnel. | Mandatory. ● It specifies the source address or source interface of the 6RD tunnel. You can specify the IPv6 address of the interface that is connected to the IPv6 network as the source address of the tunnel, or directly specify the interface as the source interface. ● You can specify either a physical interface or a logical interface such as the loopback interface as the source interface of the tunnel. |


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

3.3 Set the 6RD prefix and prefix M


length. a
n
d
a
t
o
r
y
I
t
i
s
t
h
e
I
P
v
6
a
d
d
r
e
s
s
p
r
e
fi
x
u
s
e
d
b
y
t
h

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 463


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

e
c
a
r
r
i
e
r
a
n
d
s
e
r
v
e
s
a
s
a
p
a
r
t
o
f
t
h
e
6
R
D
d
e
l
e
g
a
t
e

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 464


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

d
p
r
e
fi
x
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 465


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

3.4 Set the IPv4 prefix length for M


the 6RD tunnel. a
n
d
a
t
o
r
y
T
h
e
I
P
v
4
p
r
e
fi
x
l
e
n
g
t
h
i
n
d
i
c
a
t
e
s
t
h
a
t

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 466


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

t
h
e
h
i
g
h
-
o
r
d
e
r
b
i
t
s
o
f
t
h
e
l
e
n
g
t
h
i
s
d
e
l
e
t
e
d
f
r
o

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 467


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

m
t
h
e
s
o
u
r
c
e
I
P
v
4
a
d
d
r
e
s
s
o
f
t
h
e
t
u
n
n
e
l
a
n
d
o
t
h
e
r

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 468


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

b
i
t
s
f
o
r
m
a
p
a
r
t
o
f
t
h
e
6
R
D
p
r
e
fi
x
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 469


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

3.5 Configure the interface address M


of the 6RD tunnel. a
n
d
a
t
o
r
y
T
h
e
i
n
t
e
r
f
a
c
e
a
d
d
r
e
s
s
o
f
t
h
e
6
R
D
t
u
n
n

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 470


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

e
l
i
s
c
o
n
fi
g
u
r
e
d
b
a
s
e
d
o
n
t
h
e
6
R
D
d
e
l
e
g
a
t
e
d
p
r
e
fi
x

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 471


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

t
h
a
t
i
n
c
l
u
d
e
s
t
h
e
6
R
D
p
r
e
fi
x
a
n
d
a
p
a
r
t
o
f
o
r
t
h
e
e
n

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 472


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

t
i
r
e
I
P
v
4
a
d
d
r
e
s
s
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 473


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

4 Configure routes. M
a
n
d
a
t
o
r
y
R
o
u
t
e
s
i
n
c
l
u
d
e
t
h
e
I
P
v
4
s
e
r
v
i
c
e
r
o
u
t

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 474


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

e
a
n
d
I
P
v
6
s
e
r
v
i
c
e
r
o
u
t
e
.
Y
o
u
c
a
n
c
o
n
fi
g
u
r
e
t
h
e
r
o

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 475


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

u
t
e
b
a
s
e
d
o
n
t
h
e
r
o
u
t
e
p
l
a
n
n
i
n
g
i
n
8
.
3
.
2
S
e
r
v
i
c
e

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 476


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n

P
l
a
n
n
i
n
g
.

8.3.5 Configuration Procedure


Procedure
● Configure the CPE.
a. Enable the IPv6 packet forwarding function.
<CPE> system-view
[CPE] ipv6
b. Configure IP addresses for interfaces and add the interfaces to security
zones.
# Configure an IP address for GigabitEthernet 1/0/0.
[CPE] interface GigabitEthernet 1/0/0
[CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0
[CPE-GigabitEthernet1/0/0] quit
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 1/0/0
[CPE-zone-trust] quit
# Configure an IP address for GigabitEthernet 1/0/2.
[CPE] interface GigabitEthernet 1/0/2
[CPE-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[CPE-GigabitEthernet1/0/2] quit
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface GigabitEthernet 1/0/2
[CPE-zone-untrust] quit
c. Configure security policies. Configure policy1 that allows sending packets
from the private network to the public network and policy2 that allows
tunnel packets to pass through.
[CPE] security-policy
[CPE-policy-security] rule name policy1
[CPE-policy-security-policy1] source-zone trust
[CPE-policy-security-policy1] destination-zone untrust
[CPE-policy-security-policy1] source-address 192.168.0.0 24
[CPE-policy-security-policy1] source-address 22:0:101:101:: 64
[CPE-policy-security-policy1] action permit
[CPE-policy-security-policy1] quit
[CPE-policy-security] rule name policy2
[CPE-policy-security-policy2] source-zone local
[CPE-policy-security-policy2] destination-zone untrust
[CPE-policy-security-policy2] source-address 22:0:101:100:: 56
[CPE-policy-security-policy2] action permit
[CPE-policy-security-policy2] quit
d. Configure the NAT function to translate the IPv4 addresses of the user's
private network into the carrier's private IPv4 addresses.
[CPE] nat-policy
[CPE-policy-nat] rule name policy_nat_1
[CPE-policy-nat-rule-policy_nat_1] source-zone trust
[CPE-policy-nat-rule-policy_nat_1] destination-zone untrust
[CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24
[CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[CPE-policy-nat-rule-policy_nat_1] quit
[CPE-policy-nat] quit
# Configure NAT ALG for the Trust-Untrust interzone to ensure the
proper running of the FTP service.

Enable the ASPF functions for the corresponding services. This section uses the
FTP protocol as an example.
[CPE] firewall interzone trust untrust
[CPE-interzone-trust-untrust] detect ftp
[CPE-interzone-trust-untrust] quit
e. Configure the 6RD tunnel.
# Configure the interface Tunnel1 of the 6RD tunnel.
[CPE] interface Tunnel 1
[CPE-Tunnel1] tunnel-protocol ipv6-ipv4 6rd
[CPE-Tunnel1] ipv6 enable
[CPE-Tunnel1] source 10.1.1.1
[CPE-Tunnel1] ipv6-prefix 22::/32
[CPE-Tunnel1] ipv4-prefix length 8
[CPE-Tunnel1] border-relay address 10.1.2.1
[CPE-Tunnel1] quit

After the 6RD prefix and IPv4 prefix length are configured, the CPE automatically
calculates the 6RD delegated prefix. When you run the display interface Tunnel
1 command, the 6RD delegated prefix is displayed. You can configure the IPv6
address for the Tunnel interface based on this 6RD delegated prefix.
# View the calculated 6RD delegated prefix.
[CPE] display interface Tunnel 1
Tunnel1 current state : UP
Line protocol current state : UP
Description: Tunnel1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.1.1.1(GigabitEthernet1/0/2), destination auto
Tunnel protocol/transport IPV6 over IPv4(6rd) ipv6 prefix 22::/32
ipv4 prefix length 8
6RD Operational, Delegated Prefix is 22:0:101:100::/56
# Configure the IPv6 address for the Tunnel1 interface based on the 6RD
delegated prefix.
[CPE] interface Tunnel 1
[CPE-Tunnel1] ipv6 address 22:0:101:100::1 56
[CPE-Tunnel1] quit

# Add the Tunnel1 interface to the Untrust zone.
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface Tunnel 1
[CPE-zone-untrust] quit

# Configure the IPv6 address for the GigabitEthernet 1/0/1 interface.
[CPE] interface GigabitEthernet 1/0/1
[CPE-GigabitEthernet1/0/1] ipv6 enable
[CPE-GigabitEthernet1/0/1] ipv6 address 22:0:101:101::1 64
[CPE-GigabitEthernet1/0/1] quit
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 1/0/1
[CPE-zone-trust] quit

f. Configure routes.
# Configure the static IPv4 route from the CPE to the MAN. Assume that
the next hop address of the CPE to the MAN is 10.1.1.2.
[CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2

# Configure the route from the CPE to the 6RD tunnel interface of the
CGN.
[CPE] ipv6 route-static 22:: 32 Tunnel 1

# Configure the static route from the CPE to the IPv6 network. Set the
next hop address to the IPv6 address of the Tunnel interface of the CGN.
[CPE] ipv6 route-static 3000:: 64 22:0:102:100::1

● Configure the CGN.
a. Enable the IPv6 packet forwarding function.
<CGN> system-view
[CGN] ipv6

b. Configure IP addresses for interfaces and add the interfaces to security
zones.
# Configure an IP address for GigabitEthernet 1/0/0.
[CGN] interface GigabitEthernet 1/0/0
[CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[CGN-GigabitEthernet1/0/0] quit
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 1/0/0
[CGN-zone-untrust] quit

# Configure an IP address for GigabitEthernet 1/0/2.
[CGN] interface GigabitEthernet 1/0/2
[CGN-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0
[CGN-GigabitEthernet1/0/2] quit
[CGN] firewall zone trust
[CGN-zone-trust] add interface GigabitEthernet 1/0/2
[CGN-zone-trust] quit

# Configure an IPv6 address for GigabitEthernet 1/0/1.
[CGN] interface GigabitEthernet 1/0/1
[CGN-GigabitEthernet1/0/1] ipv6 enable
[CGN-GigabitEthernet1/0/1] ipv6 address 3000::1 64
[CGN-GigabitEthernet1/0/1] quit
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 1/0/1
[CGN-zone-untrust] quit

# Configure security policies. Configure policy1 that allows sending
packets from the private network to the public network and policy2 that
allows tunnel packets to pass through.
[CGN] security-policy
[CGN-policy-security] rule name policy1
[CGN-policy-security-policy1] source-zone trust
[CGN-policy-security-policy1] destination-zone untrust
[CGN-policy-security-policy1] destination-address 1.1.1.0 24
[CGN-policy-security-policy1] destination-address 3000:: 64
[CGN-policy-security-policy1] action permit
[CGN-policy-security-policy1] quit
[CGN-policy-security] rule name policy2
[CGN-policy-security-policy2] source-zone trust
[CGN-policy-security-policy2] destination-zone local
[CGN-policy-security-policy2] source-address 22:0:102:100:: 56
[CGN-policy-security-policy2] action permit
[CGN-policy-security-policy2] quit

c. Configure NAT to translate the carrier's private IPv4 addresses into public
IPv4 addresses.
# Configure a NAT address pool. The size of the pre-allocated port block
is 256 ports.
[CGN] nat address-group addressgroup1
[CGN-address-group-addressgroup1] mode pat
[CGN-address-group-addressgroup1] route enable
[CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
[CGN-address-group-addressgroup1] port-block-size 256
[CGN-address-group-addressgroup1] quit

# Configure a NAT policy.
[CGN] nat-policy
[CGN-policy-nat] rule name policy_nat_1
[CGN-policy-nat-rule-policy_nat_1] source-zone trust
[CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
[CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24
[CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
[CGN-policy-nat-rule-policy_nat_1] quit
[CGN-policy-nat] quit

# Configure NAT ALG for the Trust-Untrust interzone to ensure the
proper running of the FTP service.
[CGN] firewall interzone trust untrust
[CGN-interzone-trust-untrust] detect ftp
[CGN-interzone-trust-untrust] quit

d. Configure the 6RD tunnel.
# Configure the interface Tunnel1 of the 6RD tunnel.
[CGN] interface Tunnel 1
[CGN-Tunnel1] tunnel-protocol ipv6-ipv4 6rd
[CGN-Tunnel1] ipv6 enable
[CGN-Tunnel1] source 10.1.2.1
[CGN-Tunnel1] ipv6-prefix 22::/32
[CGN-Tunnel1] ipv4-prefix length 8

After the 6RD prefix and IPv4 prefix length are configured, the CGN
automatically calculates the 6RD delegated prefix. When you run the display
interface Tunnel 1 command, the 6RD delegated prefix is displayed. You can
configure the IPv6 address for the Tunnel interface based on this 6RD delegated
prefix.
# View the calculated 6RD delegated prefix.
[CGN] display interface Tunnel 1
Tunnel1 current state : UP
Line protocol current state : UP
Description: Tunnel1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.1.2.1(GigabitEthernet1/0/2), destination auto
Tunnel protocol/transport IPV6 over IPv4(6rd)
ipv6 prefix 22::/32
ipv4 prefix length 8
6RD Operational, Delegated Prefix is 22:0:102:100::/56

# Configure the IPv6 address for the Tunnel interface based on the 6RD
delegated prefix.
[CGN] interface Tunnel 1
[CGN-Tunnel1] ipv6 address 22:0:102:100::1 56
[CGN-Tunnel1] quit

# Add the Tunnel1 interface to the Trust zone.
[CGN] firewall zone trust
[CGN-zone-trust] add interface Tunnel 1
[CGN-zone-trust] quit

e. Configure routes.
# Configure the static IPv4 route to the MAN interface of the CPE. Assume
that the next hop address of the CGN to the MAN is 10.1.2.2.
[CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2

# Configure the static IPv4 route to the FTP server on the Internet. In this
example, the next-hop address of the CGN to the Internet is 1.1.1.2.
[CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2

# Configure the route to the 6RD tunnel interface and 6RD domain of the
CPE.
[CGN] ipv6 route-static 22:: 32 Tunnel 1

● Configure the FTP server.
In normal situations, the ISP is responsible for configuring the FTP servers.
This topic describes only the key points of FTP server configuration.
– Set the IP address of the server to 1.1.3.1/32.
– The route to addresses in the address pool of the CGN must be
configured on the server.
● Configure PC1, PC2, and PC3.
You must specify a gateway for each PC. The configuration methods of PC
addresses and routes vary with the operating systems of the PCs and are not
described here.
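
The 6RD delegated prefixes that the CPE and CGN display above (22:0:101:100::/56 and 22:0:102:100::/56) follow from the 6RD prefix, the IPv4 prefix length and the tunnel source address. The following Python script is an added example, not Huawei code: it reproduces that derivation, and goes beyond the page with the reverse mapping a 6RD border relay uses to find a peer's IPv4 address for an IPv6 destination (which is why the CGN needs no per-CPE tunnel destination; RFC 5969 section 7.1) and the source-consistency check RFC 5969 section 9 recommends at decapsulation. The border-relay address 10.1.2.1 is taken from the CPE configuration.

```python
"""6RD address derivation for the CPE/CGN example above.

Added example, not Huawei code. It reproduces what the firewall computes
automatically from `ipv6-prefix 22::/32`, `ipv4-prefix length 8` and the
tunnel `source`, and adds the reverse mapping a 6RD border relay uses to
find the IPv4 tunnel endpoint for an IPv6 destination (RFC 5969, section 7.1)
together with the source-consistency check the RFC recommends (section 9).
"""
import ipaddress
from typing import Optional


def delegated_prefix(sixrd_prefix: str, ipv4_prefix_len: int,
                     tunnel_src_v4: str) -> ipaddress.IPv6Network:
    """6RD delegated prefix = 6RD prefix + (32 - ipv4_prefix_len) address bits.

    The high-order ipv4_prefix_len bits of the tunnel source address are the
    part shared by the whole 6RD domain and are dropped; the remaining bits
    are appended directly after the 6RD prefix.
    """
    pfx = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_prefix_len
    v4_low = int(ipaddress.IPv4Address(tunnel_src_v4)) & ((1 << embedded_bits) - 1)
    delegated_len = pfx.prefixlen + embedded_bits
    # Position the kept IPv4 bits immediately after the 6RD prefix.
    addr = int(pfx.network_address) | (v4_low << (128 - delegated_len))
    return ipaddress.IPv6Network((addr, delegated_len))


def tunnel_endpoint(sixrd_prefix: str, ipv4_prefix_len: int, own_src_v4: str,
                    dst_v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address of the 6RD peer that holds dst_v6, or None if dst_v6 is
    outside the 6RD domain (such traffic goes to the border relay instead).

    The dropped high-order bits are recovered from this device's own tunnel
    source, since every endpoint in the domain shares them.
    """
    pfx = ipaddress.IPv6Network(sixrd_prefix)
    dst = ipaddress.IPv6Address(dst_v6)
    if dst not in pfx:
        return None
    embedded_bits = 32 - ipv4_prefix_len
    shift = 128 - pfx.prefixlen - embedded_bits
    v4_low = (int(dst) >> shift) & ((1 << embedded_bits) - 1)
    v4_high = int(ipaddress.IPv4Address(own_src_v4)) >> embedded_bits << embedded_bits
    return ipaddress.IPv4Address(v4_high | v4_low)


def source_is_consistent(sixrd_prefix: str, ipv4_prefix_len: int, own_src_v4: str,
                         border_relay_v4: Optional[str],
                         outer_src_v4: str, inner_src_v6: str) -> bool:
    """Decapsulation check from RFC 5969 section 9: an inner IPv6 source inside
    the 6RD domain must embed the outer IPv4 source; any other inner source may
    only arrive from the border relay (the CGN in this example). On the CGN
    itself pass border_relay_v4=None, so such packets are rejected."""
    expected = tunnel_endpoint(sixrd_prefix, ipv4_prefix_len, own_src_v4, inner_src_v6)
    outer = ipaddress.IPv4Address(outer_src_v4)
    if expected is None:
        return border_relay_v4 is not None and outer == ipaddress.IPv4Address(border_relay_v4)
    return expected == outer


if __name__ == "__main__":
    # Values from the configuration example: 6RD prefix 22::/32, IPv4 prefix
    # length 8, CPE tunnel source 10.1.1.1, CGN tunnel source 10.1.2.1.
    print("CPE delegated prefix:", delegated_prefix("22::/32", 8, "10.1.1.1"))  # 22:0:101:100::/56
    print("CGN delegated prefix:", delegated_prefix("22::/32", 8, "10.1.2.1"))  # 22:0:102:100::/56
    # The CGN needs no per-CPE tunnel destination ("destination auto" above):
    print("CGN reaches 22:0:101:101::2 via",
          tunnel_endpoint("22::/32", 8, "10.1.2.1", "22:0:101:101::2"))  # 10.1.1.1
    print("CPE reaches 3000::2 via",
          tunnel_endpoint("22::/32", 8, "10.1.1.1", "3000::2"))  # None: border relay
```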

8.3.6 Verification
● Verify the IPv4 services.
a. After the configuration is complete, access the FTP Server on the Internet
using PC1 on the private IPv4 network.
C:\Documents and Settings\Administrator>ftp 1.1.3.1
Connected to 1.1.3.1.
220 FTP service ready.
User (1.1.3.1:(none)): admin
331 Password required for admin.
Password:
230 User logged in.
ftp>

b. Run the display firewall session table verbose command on the CPE to
check the address translation.
[CPE] display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:03
Interface: GigabitEthernet1/0/2 NextHop: 10.1.1.2 MAC: 0018-8239-1e5c
<--packets:20 bytes:1168 -->packets:26 bytes:1150
192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 PolicyName:policy_sec_1
ftp-data VPN:public --> public ID: ab016391fa4c03558d54c16acd159
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet1/0/0 NextHop: 192.168.0.2 MAC: 0018-826f-b3f4
<--packets:3 bytes:124 -->packets:5 bytes:370
1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] PolicyName:policy_nat_1

According to output 192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 and
1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034], you can learn that IPv4
address 192.168.0.2 of the user's private network is translated to the
carrier's private IPv4 address 10.1.1.1. The session information indicates
that the control channel and data channel are enabled.
c. Run the display firewall session table verbose command on the CGN to
check the address translation.
[CGN] display firewall session table verbose
Current total sessions: 2
ftp VPN: public --> public ID: a38f36333beb0f5654453374
Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2
<--packets: 15 bytes: 676 -->packets: 17 bytes: 764
10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 PolicyName:policy_nat_1

ftp-data VPN: public --> public ID: a48f3636f5030144b54453ad0
Zone: untrust --> trust Slot: 6 CPU: 0 TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2
<--packets: 3 bytes: 124 -->packets: 5 bytes: 370
1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] PolicyName:policy_nat_1

According to output 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 and
1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362], you can learn that IPv4
address 10.1.1.1 of the carrier's private network is translated to IPv4
Internet address 1.1.2.4 (an address in the address pool). The session
information indicates that the control channel and data channel are
enabled.
d. Run the display cpe-user information cpe-ipv4 10.1.1.1 command in
any view of the CGN to check the details about the CPE user at 10.1.1.1.
[CGN] display cpe-user information cpe-ipv4 10.1.1.1 slot 6 cpu 2
This operation will take a few minutes. Press 'Ctrl+C' to break ...
UserTbl item(s) on slot 6 cpu 2
--------------------------------------------------------------------
Scene: NAT444 DstZone: untrust CPEIP: 10.1.1.1
TTL: 40 LeftTime: 34 Increase Count: 0 VPN: public
PoolID: addressgroup1 SectionID: 1 PublicIP: 1.1.2.4 StartPort: 2048
PortNumber: 256 PortTotal: 256 Used Port Number: 1

As shown in the preceding command output, the source addresses of
service flows sent by the CPE at 10.1.1.1 are translated into 1.1.2.4. The
port range is from 2048 to 2303, containing 256 ports.
● Verify the IPv6 services.
a. After the 6RD tunnel is configured, ping the interface address of the 6RD
tunnel of the CGN from the CPE.
<CPE> ping ipv6 22:0:102:100::1
PING 22:0:102:100::1 : 56 data bytes, press CTRL_C to break
Reply from 22:0:102:100::1
bytes=56 Sequence=1 hop limit=64 time = 90 ms
Reply from 22:0:102:100::1
bytes=56 Sequence=2 hop limit=64 time = 100 ms
Reply from 22:0:102:100::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 22:0:102:100::1
bytes=56 Sequence=4 hop limit=64 time = 60 ms
Reply from 22:0:102:100::1
bytes=56 Sequence=5 hop limit=64 time = 40 ms

--- 22:0:102:100::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/66/100 ms
If the ping is successful, the 6RD tunnel configuration is correct. Run the
display ipv6 interface tunnel command in any view on the CGN to view
the IPv6 status and configurations of the Tunnel1 interface.
[CGN] display ipv6 interface tunnel 1
Tunnel1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::101:101
Global unicast address(es):
22:0:102:100::1, subnet is 22:0:102:100::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF01:101
FF02::2
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND stale time is 1200 seconds
b. Ping the interface address of the CGN that connects to the IPv6 network
from the CPE, that is, the address of the GigabitEthernet 1/0/1 interface.
<CPE> ping ipv6 3000::1
PING 3000::1 : 56 data bytes, press CTRL_C to break
Reply from 3000::1
bytes=56 Sequence=1 hop limit=64 time = 90 ms
Reply from 3000::1
bytes=56 Sequence=2 hop limit=64 time = 100 ms
Reply from 3000::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 3000::1
bytes=56 Sequence=4 hop limit=64 time = 60 ms
Reply from 3000::1
bytes=56 Sequence=5 hop limit=64 time = 40 ms

--- 3000::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/66/100 ms
If the ping is successful, the IPv6 route between the CPE and the CGN
works properly.
c. On PC2, ping PC3.
C:\> ping6 3000::2
from 22:0:101:100::1 with 32 bytes of data:
Reply from 3000::2: time<1ms
Reply from 3000::2: time<1ms
Reply from 3000::2: time<1ms
Reply from 3000::2: time<1ms
Ping statistics for 3000::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If the ping is successful, the configurations of devices on the entire
network are correct.
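
Port-block pre-allocation is what makes user tracing on the CGN practical: the public address and port range shown by display cpe-user information identify one CPE. The following Python script is an added example, not Huawei code; it parses a constructed sample in the layout of that output (the second entry, CPE 10.1.1.7 with start port 2304, is invented so that two blocks share public address 1.1.2.4) and maps a translated address and port observed on the Internet side back to the CPE.

```python
"""Port-block user tracing for the NAT444 CGN example above.

Added example, not Huawei code. SAMPLE_OUTPUT is constructed in the layout of
the `display cpe-user information` output shown in the verification step; the
second CPE entry (10.1.1.7) is invented so that two blocks share one public IP.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

SAMPLE_OUTPUT = """\
UserTbl item(s) on slot 6 cpu 2
--------------------------------------------------------------------
Scene: NAT444 DstZone: untrust CPEIP: 10.1.1.1
TTL: 40 LeftTime: 34 Increase Count: 0 VPN: public
PoolID: addressgroup1 SectionID: 1 PublicIP: 1.1.2.4 StartPort: 2048
PortNumber: 256 PortTotal: 256 Used Port Number: 1
--------------------------------------------------------------------
Scene: NAT444 DstZone: untrust CPEIP: 10.1.1.7
TTL: 40 LeftTime: 12 Increase Count: 0 VPN: public
PoolID: addressgroup1 SectionID: 1 PublicIP: 1.1.2.4 StartPort: 2304
PortNumber: 256 PortTotal: 256 Used Port Number: 3
"""

# Only the fields needed for tracing; the key names are those the CGN prints.
_FIELDS = {
    "cpe_ip": re.compile(r"\bCPEIP:\s*(\S+)"),
    "public_ip": re.compile(r"\bPublicIP:\s*(\S+)"),
    "start_port": re.compile(r"\bStartPort:\s*(\d+)"),
    "port_count": re.compile(r"\bPortNumber:\s*(\d+)"),
}


@dataclass(frozen=True)
class PortBlock:
    cpe_ip: IPv4Address
    public_ip: IPv4Address
    start_port: int
    port_count: int

    @property
    def end_port(self) -> int:
        # 256 ports starting at 2048 occupy 2048..2303, as the text states.
        return self.start_port + self.port_count - 1

    def covers(self, public_ip: IPv4Address, port: int) -> bool:
        return self.public_ip == public_ip and self.start_port <= port <= self.end_port


def parse_port_blocks(text: str) -> List[PortBlock]:
    """Split the display output into per-CPE records and extract each block."""
    blocks = []
    for record in re.split(r"^-{10,}$", text, flags=re.MULTILINE):
        if "CPEIP:" not in record:
            continue  # slot/cpu banner or trailing text, not a user entry
        found = {name: rx.search(record) for name, rx in _FIELDS.items()}
        missing = [name for name, m in found.items() if m is None]
        if missing:
            raise ValueError(f"record without {missing}: {record.strip()!r}")
        blocks.append(PortBlock(
            cpe_ip=IPv4Address(found["cpe_ip"].group(1)),
            public_ip=IPv4Address(found["public_ip"].group(1)),
            start_port=int(found["start_port"].group(1)),
            port_count=int(found["port_count"].group(1)),
        ))
    return blocks


def trace_cpe(blocks: List[PortBlock], public_ip: str, port: int) -> Optional[IPv4Address]:
    """Map a translated (public IP, port) pair back to the CPE it was
    pre-allocated to, or None if no live block covers it.

    The table is a snapshot: an entry disappears when its TTL expires, so the
    lookup only answers for blocks that are still allocated.
    """
    target = IPv4Address(public_ip)
    hits = [b for b in blocks if b.covers(target, port)]
    if len(hits) > 1:
        raise ValueError(f"overlapping port blocks for {public_ip}:{port}")
    return hits[0].cpe_ip if hits else None


if __name__ == "__main__":
    blocks = parse_port_blocks(SAMPLE_OUTPUT)
    for b in blocks:
        print(f"{b.cpe_ip} -> {b.public_ip}:{b.start_port}-{b.end_port}")
    print(trace_cpe(blocks, "1.1.2.4", 2100))  # 10.1.1.1
    print(trace_cpe(blocks, "1.1.2.4", 2304))  # 10.1.1.7
    print(trace_cpe(blocks, "1.1.2.4", 4000))  # None
```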

8.3.7 Configuration Scripts

● The CPE configuration script is as follows:
#
sysname CPE
#
ipv6
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 22:0:101:101::1/64
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel1
ipv6 enable
ipv6 address 22:0:101:100::1/56
tunnel-protocol ipv6-ipv4 6rd
source 10.1.1.1
ipv6-prefix 22::/32
ipv4-prefix length 8
border-relay address 10.1.2.1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
firewall zone dmz
set priority 50
#
firewall interzone trust untrust
detect ftp
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
#
ipv6 route-static 22:: 32 Tunnel 1
ipv6 route-static 3000:: 64 22:0:102:100::1
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
source-address 22:0:101:101:: 64
action permit
rule name policy2
source-zone local
destination-zone untrust
source-address 22:0:101:100:: 56
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
action source-nat easy-ip
#
return

● The CGN configuration script is as follows:
#
sysname CGN
#
ipv6
#
firewall hash-mode source-only
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 3000::1/64
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel1
ipv6 enable
ipv6 address 22:0:102:100::1/56
tunnel-protocol ipv6-ipv4 6rd
source 10.1.2.1
ipv6-prefix 22::/32
ipv4-prefix length 8
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
nat address-group addressgroup1
mode pat
port-block-size 256
route enable
section 1 1.1.2.1 1.1.2.5
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
destination-address 1.1.1.0 24
destination-address 3000:: 64
action permit
rule name policy2
source-zone trust
destination-zone local
source-address 22:0:102:100:: 56
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
action source-nat address-group addressgroup1
#
firewall interzone trust untrust
detect ftp
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.2
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
#
ipv6 route-static 22:: 32 Tunnel 1
#
return

8.4 Scheme 2: Dual Stack+NAT444+NAT64

8.4.1 Typical Networking


Networking
After a period of operation and development, the scale of IPv6 users and services
has reached a certain extent. IPv4 addresses on the Internet are insufficient,
most services have not been migrated to the IPv6 network, and IPv4 traffic still
dominates the service traffic. The MAN of carrier A is upgraded from an IPv4
network to a dual-stack network. To enable IPv4 users to access the IPv4 Internet,
IPv6 users to access the IPv6 Internet, and IPv6 users to access the IPv4 Internet,
carrier A uses the solution shown in Figure 8-9.
1. For the IPv4 services, two-level NAT function (NAT444) is configured on the
CPE and CGN. The NAT444 translates the private IPv4 addresses into the
public IPv4 addresses.
2. The MAN of carrier A is upgraded to the dual-stack network. Therefore, the
IPv6 users can directly access the IPv6 Internet using the IPv6 routes.
3. If the IPv6 users need to access the IPv4 Internet, the NAT64 function is
configured on the CGN so that the IPv6 addresses are translated into IPv4
public addresses.

Figure 8-9 Dual stack+NAT444+NAT64

CPE: Customer Premises Equipment    CGN: Carrier Grade NAT    BRAS: Broadband Remote Access Server

● The CPE is used to connect terminal users and allocate addresses to the users.
– The CPE allocates private IPv4 addresses to IPv4 users.
– The CPE allocates private IPv6 addresses to IPv6 users.
The CPE translates addresses for users on the IPv4 private network.
● As an egress gateway of the MAN, the CGN translates addresses for the IPv4
users to access the IPv4 Internet, provides channels for the IPv6 users to
access the IPv6 Internet, and translates IPv6 addresses into IPv4 addresses for
the IPv6 users to access the IPv4 network.
● As a device at the aggregation layer, the BRAS allocates IPv4 or IPv6
addresses for the CPEs to connect to the MAN.

Application of the CGN in the Networking

The FW serves the CPE and the CGN in the scenario and provides the following
functions:
● Providing the NAT function
To save public IP addresses, the carrier uses private addresses internally.
Therefore, it is necessary to configure address translation on the CPE and the
CGN to enable access to the IPv4 Internet using private addresses through
two translations.
● Providing routing tunnels
The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore,
they must support both the IPv4 and IPv6 protocol stacks.
● Providing NAT from IPv6 addresses to IPv4 addresses
To enable the IPv6 users to access the IPv4 network, configure NAT64 on the
CGN.

8.4.2 Service Planning


Requirements Analysis

Table 8-6 Scheme implementation analysis

Scheme: The dual stack technology is used.
Advantage: The dual stack technology is the basis for the transition from IPv4
to IPv6. All the other transition technologies are developed on the basis of
the dual stack technology. The advantages of the dual stack technology used in
the transition from the IPv4 network to the IPv6 network are as follows:
● On the dual-stack network, IPv6 and IPv4 service data is forwarded on
respective forwarding planes. Logically, two forwarding planes are
considered as two networks to facilitate network deployment. The dual
stack technology supports smooth transition to the IPv6 network.
● The dual-stack network does not involve interconnection and access
between IPv6 services and IPv4 services. Therefore, the implementation is
simple.
● The dual-stack network is easy to maintain and manage.
Implementation: The configuration of the dual stack function is simple. The
configuration of dual stack on the CGN and CPE is as follows:
● Enable the IPv4 function at the IPv4 service interface. By default, the
IPv4 function is enabled.
● Enable the IPv6 function at the IPv6 service interface. Enable the IPv6
function in the system view.

Scheme: Two-level NAT (NAT444) function is used to enable private IPv4 users
to access the IPv4 Internet.
Advantage: On the live network, the IPv4 traffic still dominates the service
traffic and the Internet IP addresses are insufficient. Therefore, the NAT444
function can be deployed to resolve the IPv4 address shortage issue. The
IPv4-based NAT technology is mature and widely applied on IPv4 networks.
Therefore, the two-level NAT444 scheme is a feasible transition scheme.
Implementation: Deploy two-level NAT on the CPE and the CGN.
● Set the NAT mode of the CPE to Easy IP, that is, replacing the source IP
address in a packet with the address of the outbound interface.
● The CGN translates addresses using NAPT, which requires a public address
pool. On the CGN, a port block is pre-allocated to each CPE so that a
public address and port can later be traced back to the CPE.

Scheme: The dynamic NAT64 function is used to implement the communication
between IPv4 and IPv6 users.
Advantage: The dynamic NAT64 uses the dynamic address mapping and upper-layer
protocol mapping methods to translate a large number of IPv6 addresses with a
few IPv4 addresses. The dynamic NAT64 function saves IPv4 public addresses and
is applicable to large-scale deployment.
Implementation: Configure the NAT64 function on the CGN.
● Configure the NAT64 prefix.
● Configure the address pool for the IPv4 Internet.
● Configure the NAT64 policy.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 489
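The port pre-allocation that makes NAT444 user tracing possible can be modelled in a few lines. The following Python is an added example written for this page, not Huawei CGN code: it hands each CPE a fixed block of ports on one public address (address pool 1, 1.1.2.1 to 1.1.2.5, and the block size 256 are the page's sample values; the first-fit allocation order, the 2048 starting port and the release behaviour are assumptions of this example) and resolves a public address and port back to the CPE that holds the block, which is what an operator needs when a complaint arrives with only a public address, a port and a time.

```python
import ipaddress
from collections import deque


class PortBlockPool:
    """Pre-allocates a fixed block of ports per CPE on the public addresses of a
    NAT444 address pool, so every translated (address, port) is attributable to
    exactly one CPE. Assumed model (not taken from the page): blocks are handed
    out first-fit, lowest public address and lowest port block first."""

    def __init__(self, first_ip, last_ip, block_size=256, port_start=2048, port_end=65535):
        if port_end - port_start + 1 < block_size:
            raise ValueError("port range smaller than one block")
        self.block_size = block_size
        self.port_start = port_start
        lo = int(ipaddress.IPv4Address(first_ip))
        hi = int(ipaddress.IPv4Address(last_ip))
        self.public_ips = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        last_start = port_end - block_size + 1
        self.block_starts = list(range(port_start, last_start + 1, block_size))
        self.free = deque((ip, s) for ip in self.public_ips for s in self.block_starts)
        self.by_cpe = {}    # cpe_ip -> (public_ip, start_port)
        self.by_block = {}  # (public_ip, start_port) -> cpe_ip

    def capacity(self):
        """Number of CPEs the pool can serve at once with this block size."""
        return len(self.public_ips) * len(self.block_starts)

    def allocate(self, cpe_ip):
        """Return the CPE's block, assigning one on first use (the CGN does this
        pre-allocation when the first packet of a CPE arrives)."""
        if cpe_ip in self.by_cpe:
            return self.by_cpe[cpe_ip]
        if not self.free:
            raise RuntimeError("port blocks exhausted: add public addresses or shrink the block size")
        block = self.free.popleft()
        self.by_cpe[cpe_ip] = block
        self.by_block[block] = cpe_ip
        return block

    def release(self, cpe_ip):
        """Give the block back (the CPE user entry aged out)."""
        block = self.by_cpe.pop(cpe_ip, None)
        if block is not None:
            del self.by_block[block]
            self.free.append(block)

    def trace(self, public_ip, port):
        """User tracing: which CPE owns public_ip:port? None when the port is
        below the block range or the block is not allocated."""
        if port < self.port_start:
            return None
        start = port - (port - self.port_start) % self.block_size
        return self.by_block.get((public_ip, start))


if __name__ == "__main__":
    # Sample values from the page's data planning: address pool 1, port-block-size 256.
    pool = PortBlockPool("1.1.2.1", "1.1.2.5", block_size=256)
    print(pool.capacity())              # 1240 blocks, i.e. at most 1240 CPEs
    print(pool.allocate("10.1.1.1"))    # ('1.1.2.1', 2048)
    print(pool.trace("1.1.2.1", 2300))  # 10.1.1.1
```

The capacity figure is the practical check before choosing a block size: with five public addresses and 256-port blocks starting at 2048, only 1240 CPEs can hold a block at the same time, and a CPE needing more than 256 concurrent sessions will be refused unless a second block can be assigned.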

Data planning
Figure 8-10 shows the networking diagram with data to facilitate configurations
and understanding.


Figure 8-10 Dual stack+NAT444+NAT64 networking diagram with data

Generally, NAT64 is deployed together with DNS64. The DNS64 performs domain
name translation: for a server that has only an IPv4 address, it returns an
IPv6 address formed from the NAT64 prefix and the server's IPv4 address. The
prefix and length configured for the DNS64 are the same as those of the NAT64
device. Figure 8-11 shows the NAT64 networking diagram.
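How the DNS64 synthesizes the address and how the CGN decides whether a packet is a NAT64 packet both come down to one embedding rule. The Python below is an added example written for this page, not Huawei code: it embeds an IPv4 address into the NAT64 prefix (what DNS64 answers) and extracts it again (what the CGN does before translating), using the page's prefix 6000::/96 and server 1.1.3.1. It goes beyond the /96 case of this example by supporting all RFC 6052 prefix lengths; the helper names synthesize, extract and nat64_check are mine.

```python
import ipaddress

# RFC 6052 prefix lengths. With /96 (this page's case) the IPv4 address simply
# occupies the last 32 bits; with shorter prefixes part of it sits before bits
# 64..71 (the "u" octet, which must be zero) and the rest after it.
NAT64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address into the NAT64 prefix (the AAAA answer DNS64 returns)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    plen = net.prefixlen
    if plen not in NAT64_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a valid NAT64 prefix length")
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = int(net.network_address)
    if plen == 96:
        v6 |= v4
    else:
        high_bits = 64 - plen          # IPv4 bits that fit between the prefix and the u octet
        low_bits = 32 - high_bits      # remaining IPv4 bits, placed from bit 72 onwards
        high = v4 >> low_bits
        low = v4 & ((1 << low_bits) - 1)
        v6 |= high << 64               # bits plen..63 (counted from the most significant bit)
        v6 |= low << (24 + high_bits)  # bits 72..(72 + low_bits - 1)
    return str(ipaddress.IPv6Address(v6))


def extract(prefix: str, ipv6: str):
    """Recover the IPv4 destination the CGN translates to, or None when the
    address is outside the NAT64 prefix (the packet then stays on the native
    IPv6 forwarding plane and is not translated)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    plen = net.prefixlen
    v6 = int(addr)
    if plen == 96:
        v4 = v6 & 0xFFFFFFFF
    else:
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        high = (v6 >> 64) & ((1 << high_bits) - 1)
        low = (v6 >> (24 + high_bits)) & ((1 << low_bits) - 1)
        v4 = (high << low_bits) | low
    return str(ipaddress.IPv4Address(v4))


def nat64_check(nat64_prefix: str, dns64_prefix: str, server_ipv4: str) -> bool:
    """Deployment check from the data planning: DNS64 and CGN must share one
    prefix, and the address DNS64 hands out must map back to the real server."""
    if ipaddress.IPv6Network(nat64_prefix) != ipaddress.IPv6Network(dns64_prefix):
        return False
    synthesized = synthesize(dns64_prefix, server_ipv4)
    return extract(nat64_prefix, synthesized) == server_ipv4


if __name__ == "__main__":
    print(synthesize("6000::/96", "1.1.3.1"))   # 6000::101:301 (the page's www.example.com answer)
    print(extract("6000::/96", "5000::2"))      # None: PC3's address is not a NAT64 destination
```

A mismatch between the DNS64 prefix and the CGN prefix is the classic NAT64 failure: clients receive an address that no device translates, and the session simply times out on the IPv6 plane, which is why the check above compares both prefixes before synthesizing anything.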

Figure 8-11 NAT64 networking diagram

After the MAN is upgraded to the dual-stack network, two networks exist, that is,
IPv4 and IPv6. For the IPv4 network, the routing plan remains unchanged: the
route between the CPE and the CGN is a static route. For the IPv6 network, the
OSPFv3 routing protocol is used, as shown in Figure 8-12.


Figure 8-12 OSPFv3 protocol planning on the IPv6 network

Table 8-7 describes the general network data planning.

Table 8-7 Data planning

Item: CPE, GE1/0/0 (Trust zone)
IP Address: IPv4 private address: 192.168.0.1/24
Description: GE1/0/0 (Trust zone) is used to connect to the private IPv4 user.

Item: CPE, GE1/0/1 (Trust zone)
IP Address: IPv6 address: 2000::1/64
Description: GE1/0/1 (Trust zone) is used to connect to the IPv6 user.

Item: CPE, GE1/0/2 (Untrust zone)
IP Address: Private IPv4 address of the carrier: 10.1.1.1/24
Description: The MAN is upgraded to the dual-stack network. Therefore, the
interface is used to connect to the IPv4 MAN. Assume that the next hop address
to the IPv4 MAN is 10.1.1.2.

Item: CPE, GE1/0/3 (Untrust zone)
IP Address: IPv6 address: 3000::1/64
Description: The MAN is upgraded to the dual-stack network. Therefore, the
interface is used to connect to the IPv6 MAN.

Item: CPE, Address pool
IP Address: The address of the GE1/0/2 interface is used as the translated
address.
Description: The address pool is used to translate IPv4 addresses of the
user's private network to the IPv4 address of the carrier's private network.

Item: CGN, GE1/0/0 (Untrust zone)
IP Address: IPv4 Internet address: 1.1.1.1/24
Description: GE1/0/0 (Untrust zone) is used to connect to the IPv4 Internet.
Assume that the next hop address is 1.1.1.2/24.

Item: CGN, GE1/0/1 (Untrust zone)
IP Address: IPv6 address: 5000::1/64
Description: GE1/0/1 (Untrust zone) is used to connect to the IPv6 Internet.

Item: CGN, GE1/0/2 (Trust zone)
IP Address: Private IPv4 address of the carrier: 10.1.2.1/24
Description: The MAN is upgraded to the dual-stack network. Therefore, the
interface is used to connect to the IPv4 MAN. Assume that the next hop address
to the IPv4 MAN is 10.1.2.2.

Item: CGN, GE1/0/3 (Trust zone)
IP Address: IPv6 address: 4000::1/64
Description: The MAN is upgraded to the dual-stack network. Therefore, the
interface is used to connect to the IPv6 MAN.

Item: CGN, Address pool
IP Address: Addresses in address pool 1: 1.1.2.1 to 1.1.2.5
Addresses in address pool 2: 1.1.2.11 to 1.1.2.15
Description:
● Address pool 1 is used to translate IPv4 addresses of the carrier's private
network to IPv4 public addresses.
● Address pool 2 is used to translate IPv6 addresses to IPv4 public addresses.

Item: CGN, NAT64 prefix
IP Address: 6000::/96
Description: The CGN determines whether to perform the NAT64 function on an
IPv6 packet by checking whether the IPv6 packet contains the NAT64 prefix.

Item: DNS64, NAT64 prefix
IP Address: 6000::/96
Description: The NAT64 prefix configured on the DNS64 must be the same as that
configured on the CGN.

Item: DNS64, Domain name: www.example.com
IP Address: Address that corresponds to the domain name: 6000::0101:301
Description: The address that corresponds to the domain name is calculated
based on the NAT64 prefix and the IPv4 Internet address of the server on the
IPv4 Internet.

Item: PC1
IP Address: IPv4 private address: 192.168.0.2/24
Description: –

Item: PC2
IP Address: IPv6 address: 2000::2/64
Description: –

Item: PC3
IP Address: IPv6 address: 5000::2/64
Description: –

Item: Server
IP Address: IPv4 Internet address: 1.1.3.1/32
Description: –

Table 8-8 describes the IPv4 route planning.

Table 8-8 IPv4 route planning

Item  Routing Protocol   Target Network Segment  Next Hop Address  Description
CPE   Static IPv4 route  10.1.2.0/24             10.1.1.2          Route connecting the CPE to the IPv4 MAN interface of the CGN
CGN   Static IPv4 route  10.1.1.0/24             10.1.2.2          Route connecting the CGN to the IPv4 MAN interface of the CPE
CGN   Static IPv4 route  1.1.3.1/32              1.1.1.2           Route connecting the CGN to the server on the IPv4 Internet
Table 8-9 describes the IPv6 route planning.


Table 8-9 IPv6 route planning

Item  Routing Protocol  Advertising Network Segment  Area    Description
CPE   OSPFv3            2000::/64                    Area 1  Route connecting the CPE to the IPv6 user interface
CPE   OSPFv3            3000::/64                    Area 0  Route connecting the CPE to the IPv6 MAN
CGN   OSPFv3            4000::/64                    Area 0  Route connecting the CGN to the IPv6 MAN
CGN   OSPFv3            5000::/64                    Area 2  Route connecting the CGN to the IPv6 Internet

8.4.3 Precautions
When the CGN is the Eudemon8000E-X, if triplet DS-Lite NAT is configured, the
hash-based CPU selection mode must be source address hash.

8.4.4 Configuration Flow


Table 8-10 shows the configuration flow of the solution.


Table 8-10 Configuration flow

Item: CPE

Procedure 1: Configure the uplink and downlink interface data.
Description: Mandatory. You can configure the data based on the actual
interface and IP address planning.

Procedure 2: Configure the NAT function.
Description: Mandatory. You can configure Easy IP. The IPv4 addresses of the
user's private network are translated into the carrier's IPv4 addresses.

Procedure 3: Configure routes.
Description: Mandatory. The routes configured for the CPE include:
● Static IPv4 route: forwards IPv4 service packets
● OSPFv3 configured at the interface to connect to the IPv6 network: forwards
IPv6 service packets

Item: CGN

Procedure 1: Configure the uplink and downlink interface data.
Description: Mandatory. You can configure the data based on the actual
interface and IP address planning.

Procedure 2: Configure the NAT function.
Description: Mandatory. The NAT function is used to translate IPv4 addresses
of the carrier's private network to IPv4 public addresses.

Procedure 2.1: Configure the NAT address pool.
Description: Mandatory. The NAT address pool is a collection of consecutive IP
addresses. When a packet from the private network reaches the public network
through NAT, an address in the NAT address pool is selected as the IP address
after translation. Set the pre-allocated port block size in the address pool
for the pre-allocation of port resources for NAT to the CPE.

Procedure 2.2: Configure the NAT policy.
Description: Mandatory. Specify the security interzone in which the NAT policy
takes effect and the NAT address pool referenced in the NAT policy.

Procedure 3: Configure routes.
Description: Mandatory. The routes configured include:
● Static route to the CPE and IPv4 Internet: forwards IPv4 service packets
● OSPFv3 configured at the interface to connect to the IPv6 network: forwards
IPv6 service packets

Procedure 4: Configure the NAT64 function.
Description: Mandatory. The NAT64 function enables the IPv6 users to access the
IPv4 network.

Procedure 4.1: Configure the NAT address pool.
Description: Mandatory. The addresses in the NAT address pool are used as the
IPv4 addresses after the NAT64 translation.

Procedure 4.2: Configure the NAT64 prefix and advertise it on the IPv6 network.
Description: Mandatory. Whether the CGN performs NAT64 translation on an IPv6
packet depends on whether the IPv6 packet contains a NAT64 prefix.

Procedure 4.3: Configure the NAT64 policy.
Description: Mandatory. Configure NAT64 dynamic mapping in the NAT policy, and
specify the NAT type as NAT64. When performing NAT64 translation, the CGN
selects one IPv4 address randomly from the NAT address pool referenced in the
NAT64 policy as the source address of a packet after translation.
Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 542


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

8.4.5 Configuration Procedure


Procedure
● Configure the CPE.
a. Enable the IPv6 packet forwarding function.
<CPE> system-view
[CPE] ipv6

b. Configure IP addresses for interfaces and add the interfaces to security
zones.
# Configure an IP address for GigabitEthernet 1/0/0.
[CPE] interface GigabitEthernet 1/0/0
[CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0
[CPE-GigabitEthernet1/0/0] quit
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 1/0/0
[CPE-zone-trust] quit

# Configure an IP address for GigabitEthernet 1/0/1.
[CPE] interface GigabitEthernet 1/0/1
[CPE-GigabitEthernet1/0/1] ipv6 enable
[CPE-GigabitEthernet1/0/1] ipv6 address 2000::1 64
[CPE-GigabitEthernet1/0/1] quit
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 1/0/1
[CPE-zone-trust] quit

# Configure an IP address for GigabitEthernet 1/0/2.
[CPE] interface GigabitEthernet 1/0/2
[CPE-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[CPE-GigabitEthernet1/0/2] quit
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface GigabitEthernet 1/0/2
[CPE-zone-untrust] quit

# Configure an IP address for GigabitEthernet 1/0/3.
[CPE] interface GigabitEthernet 1/0/3
[CPE-GigabitEthernet1/0/3] ipv6 enable
[CPE-GigabitEthernet1/0/3] ipv6 address 3000::1 64
[CPE-GigabitEthernet1/0/3] quit
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface GigabitEthernet 1/0/3
[CPE-zone-untrust] quit

c. Configure a security policy. Configure security policy policy_sec_1 that
allows sending packets from the private network to the public network.
[CPE] security-policy
[CPE-policy-security] rule name policy_sec_1
[CPE-policy-security-rule-policy_sec_1] source-zone trust
[CPE-policy-security-rule-policy_sec_1] destination-zone untrust
[CPE-policy-security-rule-policy_sec_1] source-address 192.168.0.0 24
[CPE-policy-security-rule-policy_sec_1] source-address 2000:: 64
[CPE-policy-security-rule-policy_sec_1] action permit
[CPE-policy-security-rule-policy_sec_1] quit
[CPE-policy-security] quit

d. Configure the NAT function to translate the IPv4 addresses of the user's
private network into the carrier's private IPv4 addresses.
[CPE] nat-policy
[CPE-policy-nat] rule name policy_nat_1
[CPE-policy-nat-rule-policy_nat_1] source-zone trust
[CPE-policy-nat-rule-policy_nat_1] destination-zone untrust
[CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24
[CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[CPE-policy-nat-rule-policy_nat_1] quit
[CPE-policy-nat] quit

# Configure the NAT ALG between the Trust zone and the Untrust zone
so that the server can provide FTP services externally.
[CPE] firewall interzone trust untrust
[CPE-interzone-trust-untrust] detect ftp
[CPE-interzone-trust-untrust] quit

e. Configure OSPFv3 for routing the IPv6 services.
[CPE] ospfv3
[CPE-ospfv3-1] router-id 1.1.1.1
[CPE-ospfv3-1] quit
[CPE] interface GigabitEthernet1/0/3
[CPE-GigabitEthernet1/0/3] ospfv3 1 area 0
[CPE-GigabitEthernet1/0/3] quit
[CPE] interface GigabitEthernet1/0/1
[CPE-GigabitEthernet1/0/1] ospfv3 1 area 1
[CPE-GigabitEthernet1/0/1] quit

f. Configure a static IPv4 route.
Configure a static IPv4 route to the CGN. Assume that the next-hop
address from the CPE to the IPv4 MAN is 10.1.1.2.
[CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2

● Configure the CGN.
a. Enable the IPv6 packet forwarding function.
<CGN> system-view
[CGN] ipv6

b. Set the hash board selection mode to source address-based hash mode.
[CGN] firewall hash-mode source-only

c. Configure IP addresses for interfaces and add the interfaces to security
zones.
# Configure an IP address for GigabitEthernet 1/0/0.
[CGN] interface GigabitEthernet 1/0/0
[CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[CGN-GigabitEthernet1/0/0] quit
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 1/0/0
[CGN-zone-untrust] quit

# Configure an IP address for GigabitEthernet 1/0/1.
[CGN] interface GigabitEthernet 1/0/1
[CGN-GigabitEthernet1/0/1] ipv6 enable
[CGN-GigabitEthernet1/0/1] ipv6 address 5000::1 64
[CGN-GigabitEthernet1/0/1] quit
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 1/0/1
[CGN-zone-untrust] quit

# Configure an IP address for GigabitEthernet 1/0/2.
[CGN] interface GigabitEthernet 1/0/2
[CGN-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0
[CGN-GigabitEthernet1/0/2] quit
[CGN] firewall zone trust
[CGN-zone-trust] add interface GigabitEthernet 1/0/2
[CGN-zone-trust] quit

# Configure an IP address for GigabitEthernet 1/0/3.
[CGN] interface GigabitEthernet 1/0/3
[CGN-GigabitEthernet1/0/3] ipv6 enable
[CGN-GigabitEthernet1/0/3] ipv6 address 4000::1 64
[CGN-GigabitEthernet1/0/3] quit
[CGN] firewall zone trust
[CGN-zone-trust] add interface GigabitEthernet 1/0/3
[CGN-zone-trust] quit
d. Configure a security policy. Configure security policy policy1 that allows
sending packets from the private network to the public network.
[CGN] security-policy
[CGN-policy-security] rule name policy1
[CGN-policy-security-rule-policy1] source-zone trust
[CGN-policy-security-rule-policy1] destination-zone untrust
[CGN-policy-security-rule-policy1] destination-address 1.1.1.0 24
[CGN-policy-security-rule-policy1] destination-address 5000:: 64
[CGN-policy-security-rule-policy1] action permit
[CGN-policy-security-rule-policy1] quit
[CGN-policy-security] quit
e. Configure NAT to translate the carrier's private IPv4 addresses into public
IPv4 addresses.
# Configure a NAT address pool.
[CGN] nat address-group addressgroup1
[CGN-address-group-addressgroup1] mode pat
[CGN-address-group-addressgroup1] route enable
[CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
[CGN-address-group-addressgroup1] port-block-size 256
[CGN-address-group-addressgroup1] quit
# Configure a NAT policy.
[CGN] nat-policy
[CGN-policy-nat] rule name policy_nat_1
[CGN-policy-nat-rule-policy_nat_1] source-zone trust
[CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
[CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24
[CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
[CGN-policy-nat-rule-policy_nat_1] quit
[CGN-policy-nat] quit
# Configure the NAT ALG between the Trust zone and the Untrust zone
so that the server can provide FTP services externally.
[CGN] firewall interzone trust untrust
[CGN-interzone-trust-untrust] detect ftp
[CGN-interzone-trust-untrust] quit
f. Configure a static IPv4 route.
Configure a static IPv4 route to the CPE. Assume that the next-hop
address from the CGN to the IPv4 MAN is 10.1.2.2.
[CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2
Configure the static IPv4 route to the FTP server on the Internet. Assume
that the next-hop address of the CGN to the Internet is 1.1.1.2.
[CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
g. Configure OSPFv3 for routing the IPv6 services.
[CGN] ospfv3
[CGN-ospfv3-1] router-id 2.2.2.2
[CGN-ospfv3-1] quit
[CGN] interface GigabitEthernet1/0/3
[CGN-GigabitEthernet1/0/3] ospfv3 1 area 0
[CGN-GigabitEthernet1/0/3] quit
[CGN] interface GigabitEthernet1/0/1
[CGN-GigabitEthernet1/0/1] ospfv3 1 area 2
[CGN-GigabitEthernet1/0/1] quit
h. Configure the NAT64 function.
# Configure IPv4 NAT address pool 2 and set the address range to
1.1.2.11 to 1.1.2.15. The addresses in the NAT address pool are used as
the IPv4 addresses after the NAT64 translation.
[CGN] nat address-group addressgroup2
[CGN-address-group-addressgroup2] mode pat
[CGN-address-group-addressgroup2] route enable
[CGN-address-group-addressgroup2] section 1 1.1.2.11 1.1.2.15
[CGN-address-group-addressgroup2] quit

# Set the NAT64 prefix to 6000::/96.
[CGN] nat64 prefix 6000:: 96

# Configure the NAT64 policy.
[CGN] nat-policy
[CGN-policy-nat] rule name policy_nat64
[CGN-policy-nat-rule-policy_nat64] nat-type nat64
[CGN-policy-nat-rule-policy_nat64] source-zone trust
[CGN-policy-nat-rule-policy_nat64] destination-zone untrust
[CGN-policy-nat-rule-policy_nat64] source-address 2000:: 64
[CGN-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup2
[CGN-policy-nat-rule-policy_nat64] quit
[CGN-policy-nat] quit

# Configure the blackhole route to advertise the NAT64 prefix.
[CGN] ipv6 route-static 6000:: 96 NULL 0

# Introduce the blackhole route with the NAT64 prefix to the OSPFv3
protocol.
[CGN] ospfv3
[CGN-ospfv3-1] import-route static
[CGN-ospfv3-1] quit

● Configure the DNS64 device.
Set the NAT64 prefix of the DNS64 device to 6000::/96, which is the same as
that configured on the CGN.
Set the route between the DNS64 device and the PC and the route between
DNS64 device and the server to ensure reachability.
On the DNS64 device, set the IPv6 address that corresponds to domain name
www.example.com to 6000::ca01:301.
● Configure the server.
In normal situations, the ISP configures the servers. Only the key points of
server configuration are described here:
– Set the IP address of the server to 1.1.3.1/32.
– The route to addresses in the address pool of the CGN must be
configured on the server.
– The server provides both FTP and HTTP services.
● Configure PC1, PC2, and PC3.
You must specify gateways for each PC. The configuration methods of PC
addresses and routes vary with the operating systems of the PCs. The
configuration methods are not described here.
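With Easy IP on the CPE and an address group with port-block-size 256 on the CGN, every flow is translated twice, so tracing a public address and port back to a private host means chaining two session tables. The Python below is an added example for this page, not Huawei code: it parses session lines in the format of the display firewall session table verbose output (forward sessions carry the post-NAT source in brackets, reverse sessions the original destination), and follows a public address and port through the CGN table to the carrier-private address and through the CPE table to the private host. The sample lines are constructed from the page's output with the data-channel ports made consistent between the two devices; the helper names nat_map and trace_user are mine.

```python
import re

# Constructed sample output, adapted from the page's verification section.
CPE_SESSIONS = """\
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: trust--> untrust TTL: 00:10:00 Left: 00:09:59
Interface: GigabitEthernet1/0/2 NextHop: 10.1.1.2 MAC: 0018-8239-1e5c
<--packets:20 bytes:1168 -->packets:26 bytes:1150
192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 PolicyName:policy_sec_1
ftp-data VPN:public --> public ID: ab016391fa4c03558d54c16acd159
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:07
1.1.3.1:20-->10.1.1.1:15362[192.168.0.2:1034] PolicyName:policy_nat_1
"""

CGN_SESSIONS = """\
Current total sessions: 2
ftp VPN: public --> public ID: a38f36333beb0f5654453374
Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 PolicyName:policy_nat_1
ftp-data VPN: public --> public ID: a48f3636f5030144b54453ad0
Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07
1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] PolicyName:policy_nat_1
"""

# Only dotted-quad endpoints are accepted so counter lines such as
# "<--packets:20 bytes:1168 -->packets:26" can never be mistaken for a session.
SESSION_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"(?:\[(?P<nsrc>\d+\.\d+\.\d+\.\d+):(?P<nsport>\d+)\])?"
    r"\s*(?:\+->|-->)\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r"(?:\[(?P<ndst>\d+\.\d+\.\d+\.\d+):(?P<ndport>\d+)\])?"
)


def nat_map(session_output: str) -> dict:
    """Map translated (ip, port) -> original (ip, port) for one device's table."""
    mapping = {}
    for line in session_output.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        if m["nsrc"]:  # forward direction: original source first, translated source in brackets
            mapping[(m["nsrc"], int(m["nsport"]))] = (m["src"], int(m["sport"]))
        if m["ndst"]:  # reverse direction: translated destination first, original in brackets
            mapping[(m["dst"], int(m["dport"]))] = (m["ndst"], int(m["ndport"]))
    return mapping


def trace_user(public_ip: str, port: int, *maps: dict) -> list:
    """Follow the translation chain through the given tables (CGN first, then
    CPE). The chain stops at the last endpoint that could be resolved."""
    chain = [(public_ip, port)]
    for m in maps:
        nxt = m.get(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    cgn, cpe = nat_map(CGN_SESSIONS), nat_map(CPE_SESSIONS)
    print(trace_user("1.1.2.4", 10550, cgn, cpe))
    # [('1.1.2.4', 10550), ('10.1.1.1', 2054), ('192.168.0.2', 1031)]
```

The CGN-side lookup alone only reaches the CPE (10.1.1.1), which is what the CGN's port block pre-allocation guarantees; resolving the individual host behind the CPE needs the CPE's own session table or logs, so both must be retained for the tracing window the operator commits to.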

8.4.6 Verification
● Verify the IPv4 services.
a. After the configuration is complete, PC1 on the private IPv4 network can
be used to access the FTP service provided by the server on the Internet.
C:\Documents and Settings\Administrator>ftp 1.1.3.1
Connected to 1.1.3.1.
220 FTP service ready.
User (1.1.3.1:(none)): admin
331 Password required for admin.
Password:
230 User logged in.
ftp>

b. Run the display firewall session table verbose command on the CPE to
check the address translation.
[CPE] display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: trust--> untrust TTL: 00:10:00 Left: 00:09:59
Interface: GigabitEthernet1/0/2 NextHop: 10.1.1.2 MAC: 0018-8239-1e5c
<--packets:20 bytes:1168 -->packets:26 bytes:1150
192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 PolicyName:policy_sec_1

ftp-data VPN:public --> public ID: ab016391fa4c03558d54c16acd159
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet1/0/0 NextHop: 192.168.0.2 MAC: 0018-826f-b3f4
<--packets:3 bytes:124 -->packets:5 bytes:370
1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] PolicyName:policy_nat_1

According to the output 192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 and
1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034], you can learn that IPv4
address 192.168.0.2 of the user's private network is translated to the
carrier's private IPv4 address 10.1.1.1. The session information indicates
that both the control channel and the data channel are established.
c. Run the display firewall session table verbose command on the CGN to
check the address translation.
[CGN] display firewall session table verbose
Current total sessions: 2
ftp VPN: public --> public ID: a38f36333beb0f5654453374
Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2
<--packets: 0 bytes: 0 -->packets: 17 bytes: 764
10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 PolicyName:policy_nat_1

ftp-data VPN: public --> public ID: a48f3636f5030144b54453ad0
Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2
<--packets: 3 bytes: 124 -->packets: 5 bytes: 370
1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] PolicyName:policy_nat_1

According to output 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 and
1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362], you can learn that IPv4
address 10.1.1.1 of the carrier's private network is translated to IPv4
Internet address 1.1.2.4 (an address in the address pool). The session
information indicates that the control channel and data channel are
enabled.
d. Run the display cpe-user information cpe-ipv4 10.1.1.1 command in
any view of the CGN to check the details about the CPE user at 10.1.1.1.
[CGN] display cpe-user information cpe-ipv4 10.1.1.1 slot 6 cpu 2
This operation will take a few minutes. Press 'Ctrl+C' to break ...
UserTbl item(s) on slot 6 cpu 2
--------------------------------------------------------------------
Scene: NAT444 DstZone: untrust CPEIP: 10.1.1.1
TTL: 40 LeftTime: 34 Increase Count: 0 VPN: public
PoolID: addressgroup1 SectionID: 1 PublicIP: 1.1.2.4 StartPort: 2048
PortNumber: 256 PortTotal: 256 Used Port Number: 1

As shown in the preceding command output, the source addresses of
service flows sent by the CPE at 10.1.1.1 are translated into 1.1.2.4. The
port range is from 2048 to 2303, containing 256 ports.
● Verify the IPv6 services.
a. Ping the interface address of the CGN that connects to the IPv6 network
from the CPE, that is, the address of the GigabitEthernet 1/0/3 interface.


<CPE> ping ipv6 4000::1
PING 4000::1 : 56 data bytes, press CTRL_C to break
Reply from 4000::1
bytes=56 Sequence=1 hop limit=64 time = 90 ms
Reply from 4000::1
bytes=56 Sequence=2 hop limit=64 time = 100 ms
Reply from 4000::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 4000::1
bytes=56 Sequence=4 hop limit=64 time = 60 ms
Reply from 4000::1
bytes=56 Sequence=5 hop limit=64 time = 40 ms

--- 4000::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/66/100 ms

The CGN can be successfully pinged and the IPv6 routes to the CPE and
CGN are configured. On the CPE and CGN, you can run the display
ospfv3 routing command to view the OSPFv3 routing tables.
[CPE] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
2000::/64 1
directly connected, GigabitEthernet1/0/1
3000::/64 1
directly connected, GigabitEthernet1/0/3
IA 4000::/64 2
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3
IA 5000::/64 3
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3

According to the OSPFv3 routing table, you can learn that the CPE learns
the routes from the CGN to the IPv6 MAN and IPv6 Internet.
[CGN] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 2000::/64 3
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3
IA 3000::/64 2
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3
4000::/64 1
directly connected, GigabitEthernet1/0/3
5000::/64 1
directly connected, GigabitEthernet1/0/1

According to the OSPFv3 routing table, you can learn that the CGN learns
the routes from the CPE to the IPv6 MAN and IPv6 users.
b. On PC2, ping PC3.
C:\> ping6 5000::2
from 2000::2 with 32 bytes of data:
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Ping statistics for 5000::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC3 is successfully pinged and the configurations of IPv6 routes on the
entire network are correct.
● Enable an IPv6 user to access the IPv4 Internet.


a. Ping domain name www.example.com on PC2.
Pinging 6000::0101:301 with 32 bytes of data:
Reply from 6000::0101:301: time=23ms
Reply from 6000::0101:301: time=6ms
Reply from 6000::0101:301: time=12ms
Reply from 6000::0101:301: time=33ms

Ping statistics for 6000::0101:301:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 33ms, Average = 18ms
The IPv4 address of the server can be successfully pinged on the PC.
b. In any view of the CGN, run the display firewall ipv6 session table
command to check the NAT64 session table.
<CGN> display firewall ipv6 session table
Slot: 6 CPU: 1
NAT64: icmp6 VPN: public --> public 2000::2.44152[1.1.2.14:10296] --> 6000::0101:301.2048[1.1.3.1:2048]
According to the NAT64 session table, you can learn the translation
mapping between IPv6 addresses and IPv4 addresses.
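The verification steps above compare the CPE and CGN session tables by eye. The following Python is an added example, not part of the Huawei document: it parses the display firewall session table verbose output of both devices and the display cpe-user information entry quoted above (embedded as constants, trimmed to the header and flow lines), links each source-NAT session on the CPE to the CGN session that carries it, so the private -> carrier-private -> Internet chain is checked mechanically, and derives the port block from StartPort and PortNumber. The function names and the Session/Chain records are mine; the line formats are assumed to be exactly as printed on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Session-table and user-table output copied from the verification steps on
# this page, trimmed to the header and flow lines the checks need.
CPE_OUTPUT = """\
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: trust--> untrust TTL: 00:10:00 Left: 00:09:59
192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 PolicyName:policy_sec_1
ftp-data VPN:public --> public ID: ab016391fa4c03558d54c16acd159
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:07
1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] PolicyName:policy_nat_1
"""
CGN_OUTPUT = """\
ftp VPN: public --> public ID: a38f36333beb0f5654453374
Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 PolicyName:policy_nat_1
ftp-data VPN: public --> public ID: a48f3636f5030144b54453ad0
Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07
1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] PolicyName:policy_nat_1
"""
CGN_USER_OUTPUT = """\
Scene: NAT444 DstZone: untrust CPEIP: 10.1.1.1
TTL: 40 LeftTime: 34 Increase Count: 0 VPN: public
PoolID: addressgroup1 SectionID: 1 PublicIP: 1.1.2.4 StartPort: 2048
PortNumber: 256 PortTotal: 256 Used Port Number: 1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(r"^(?P<proto>[\w-]+)\s+VPN:\s*\S+\s*-->\s*\S+\s+ID:")
# Flow line: src:port[nat_src:port] --> dst:port[nat_dst:port]. The bracket
# follows whichever endpoint was rewritten; '+->' marks an ASPF parent session.
FLOW_RE = re.compile(
    rf"^(?P<src>{IPV4}):(?P<sport>\d+)(?:\[(?P<nsrc>{IPV4}):(?P<nsport>\d+)\])?"
    rf"\s*(?:\+->|-->)\s*(?P<dst>{IPV4}):(?P<dport>\d+)"
    rf"(?:\[(?P<ndst>{IPV4}):(?P<ndport>\d+)\])?\s+PolicyName:(?P<policy>\S+)")
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\S+)")   # 'Key: value' pairs


@dataclass
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nat_src: Optional[str] = None    # post-NAT source (forward direction)
    nat_sport: Optional[int] = None
    nat_dst: Optional[str] = None    # post-NAT destination (reverse direction)
    nat_dport: Optional[int] = None


def parse_sessions(text):
    """Parse 'display firewall session table verbose' output into Sessions."""
    sessions, proto = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            proto = m["proto"]
        elif (m := FLOW_RE.match(line)) and proto:
            g = m.groupdict()
            sessions.append(Session(
                proto, g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                g["nsrc"], int(g["nsport"]) if g["nsport"] else None,
                g["ndst"], int(g["ndport"]) if g["ndport"] else None))
    return sessions


@dataclass
class Chain:
    proto: str
    private: str            # user's private address as seen by the CPE
    carrier: str            # after the CPE's source NAT (carrier private)
    public: Optional[str]   # after the CGN's source NAT; None if no CGN match
    dst: str


def translation_chain(cpe_text, cgn_text):
    """Link each source-NAT session on the CPE to the CGN session carrying it:
    the CPE's post-NAT tuple must equal the CGN's pre-NAT tuple."""
    cgn_by_inner = {(s.src, s.sport, s.dst, s.dport): s
                    for s in parse_sessions(cgn_text) if s.nat_src}
    chains = []
    for c in parse_sessions(cpe_text):
        if not c.nat_src:
            continue   # reverse entry such as ftp-data from the server
        g = cgn_by_inner.get((c.nat_src, c.nat_sport, c.dst, c.dport))
        chains.append(Chain(c.proto, f"{c.src}:{c.sport}",
                            f"{c.nat_src}:{c.nat_sport}",
                            f"{g.nat_src}:{g.nat_sport}" if g else None,
                            f"{c.dst}:{c.dport}"))
    return chains


def parse_user_entry(text):
    """Parse one 'display cpe-user information' entry into a key/value map."""
    return {k.strip(): v for k, v in KV_RE.findall(text)}


def port_block(user):
    """Port range allocated to the CPE: StartPort .. StartPort + PortNumber - 1."""
    start, count = int(user["StartPort"]), int(user["PortNumber"])
    return start, start + count - 1
```

With the page's output, translation_chain returns one ftp chain 192.168.0.2:1031 -> 10.1.1.1:2054 -> 1.1.2.4:10550 to 1.1.3.1:21, and port_block gives (2048, 2303), the range the text states; a None public endpoint would show that the CPE and CGN disagree about a flow.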

8.4.7 Configuration Scripts


● The CPE configuration script is as follows:
#
sysname CPE
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 2000::1/64
ospfv3 1 area 0.0.0.1
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ipv6 enable
ipv6 address 3000::1/64
ospfv3 1 area 0.0.0.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
#
firewall interzone trust untrust
detect ftp
#
ospfv3 1


router-id 1.1.1.1
area 0.0.0.0
area 0.0.0.1
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
source-address 2000::2 64
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
action source-nat easy-ip
#
return

● The CGN configuration script is as follows:


#
sysname CGN
#
ipv6
#
firewall hash-mode source-only
#
nat64 prefix 6000:: 96
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 5000::1/64
ospfv3 1 area 0.0.0.2
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ipv6 enable
ipv6 address 4000::1/64
ospfv3 1 area 0.0.0.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy


rule name policy1
source-zone trust
destination-zone untrust
destination-address 1.1.1.0 24
destination-address 5000:: 64
action permit
#
nat address-group addressgroup1
mode pat
port-block-size 256
route enable
section 1 1.1.2.1 1.1.2.5
nat address-group addressgroup2
nat-type nat64
mode pat
route enable
section 1 1.1.2.11 1.1.2.15
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
action source-nat address-group addressgroup1
rule name policy_nat64
source-zone trust
destination-zone untrust
source-address 2000:: 64
action source-nat address-group addressgroup2
#
firewall interzone trust untrust
detect ftp
#
ospfv3 1
router-id 2.2.2.2
import-route static
#
ipv6 route-static 6000:: 96 NULL0
#
return

8.5 Scheme 3: DS-Lite+NAT64

8.5.1 Typical Networking

Networking
After the IPv4 and IPv6 services on carrier A's network are developed for a period,
the IPv4 public addresses are exhausted. Services are gradually migrated to the
IPv6 network. The IPv6 traffic dominates the service traffic. The carrier's MAN is
completely upgraded to the IPv6 network. To meet the network development
requirements, carrier A uses the DS-Lite+NAT64 solution, as shown in Figure 8-13.

● IPv6 users can directly access the IPv6 Internet because the IPv6 routes
are reachable.
● For IPv4 users, the DS-Lite function must be configured because access to
the IPv4 Internet has to traverse the IPv6 MAN. The configuration procedure
of the DS-Lite function is as follows:
a. Configure a DS-Lite tunnel between the CPE and the CGN.
b. Configure the DS-Lite NAT policy on the CGN.
● If the IPv6 users need to access the IPv4 Internet, the NAT64 function is
configured on the CGN so that the IPv6 addresses are translated into IPv4
public addresses.

Figure 8-13 DS-Lite+NAT64

CPE: Customer Premises Equipment; CGN: Carrier Grade NAT; BRAS: Broadband
Remote Access Server

● The CPE is used to connect terminal users and allocate addresses to the users.
– The CPE allocates private IPv4 addresses to IPv4 users.
– The CPE allocates private IPv6 addresses to IPv6 users.
The DS-Lite tunnel must be established between the CPE and the CGN.
● As the egress gateway of the MAN, the CGN provides DS-Lite tunnels for the
private IPv4 users to access the IPv4 Internet and translates their IPv4
addresses into IPv4 Internet addresses; it also provides routes for the IPv6
users to access the IPv4 network and translates their IPv6 addresses into
IPv4 ones.
● As a device at the aggregation layer, the BRAS allocates IPv6 addresses for the
CPEs to connect to the MAN.


Application of the FW in the Networking


The FW serves the CPE and the CGN in the scenario and provides the following
functions:
● Providing the DS-Lite function
To enable private IPv4 users to access the IPv4 Internet using the IPv6 MAN of
a carrier, it is necessary to configure the DS-Lite tunnel on the CPE and the
CGN. It is also necessary to configure the DS-Lite NAT policy on the CGN.
● Providing routing tunnels
The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore,
they must support both the IPv4 and IPv6 protocol stacks.
● Providing NAT from IPv6 addresses to IPv4 addresses
To enable the IPv6 users to access the IPv4 network, configure NAT64 on the
CGN.


8.5.2 Service Planning

Requirements Analysis

Table 8-11 Scheme implementation analysis

Scheme: The DS-Lite technology helps private IPv4 users access the IPv4
Internet over the IPv6 network.
  Advantage: DS-Lite, also called lightweight 4over6, consists of dual-stack
  hosts and an IPv6 network. On DS-Lite networks, only CPEs and CGNs support
  the dual stack. Other intermediate network nodes need to support only IPv6.
  Therefore, all the configuration and maintenance operations are performed
  on CPEs and CGNs.
  Implementation: The configuration of the DS-Lite function is as follows:
  ● CPE
    – Configure the tunnel interfaces.
    – Set the encapsulation mode of the tunnel to IPv4 over IPv6.
    – Specify the source address or source interface of the tunnel.
    – Set the destination address of the tunnel.
    – Configure the IPv4 address for the tunnel interface.
  ● CGN
    – Configure the tunnel interfaces.
    – Set the encapsulation mode of the tunnel to DS-Lite.
    – Specify the source address or source interface of the tunnel.
    – Configure the IPv4 address for the tunnel interface.
    – Configure the address pool.
    – Configure the DS-Lite NAT policy.

Scheme: The dynamic NAT64 function is used to implement the communication
between IPv4 and IPv6 users.
  Advantage: The dynamic NAT64 uses the dynamic address mapping and
  upper-layer protocol mapping methods to translate a large number of IPv6
  addresses with a few IPv4 addresses. The dynamic NAT64 function saves IPv4
  public addresses and is applicable to large-scale deployment.
  Implementation: Configure the NAT64 function on the CGN.
  ● Configure the NAT64 prefix.
  ● Configure the address pool for the IPv4 Internet.
  ● Configure the NAT64 policy.


Data Planning
Figure 8-14 shows the networking diagram with data to facilitate configurations
and understanding.

Figure 8-14 DS-Lite+NAT64 networking diagram with data

Generally, the NAT64 is deployed with the DNS64. The DNS64 performs domain
name translation. The prefix and length configured for the DNS64 are the same as
those of the NAT64 device. Figure 8-15 shows the NAT64 networking diagram.


Figure 8-15 NAT64 networking diagram

After the MAN is upgraded to the IPv6 network, the OSPFv3 protocol is still used
to plan IPv6 routing. Figure 8-16 shows the protocol planning.

Figure 8-16 OSPFv3 protocol planning on the IPv6 network

Table 8-12 describes the general network data planning.


Table 8-12 Data planning

CPE
  GE1/0/0 (Trust zone)
    IP address: IPv4 private address 192.168.0.1/24
    Description: GE1/0/0 (Trust zone) is used to connect to the private IPv4
    user.
  GE1/0/1 (Trust zone)
    IP address: IPv6 address 2000::1/64
    Description: GE1/0/1 (Trust zone) is used to connect to the IPv6 user.
  GE1/0/2 (Untrust zone)
    IP address: IPv6 address 3000::1/64
    Description: GE1/0/2 (Untrust zone) is used to connect to the MAN.
  Tunnel1 interface (Untrust zone)
    IP address: Source address 3000::1/64; destination address 4000::1/64;
    IPv4 address of the tunnel interface 10.1.1.1/24
    Description: The Tunnel1 interface (Untrust zone) is used to create an
    IPv4 over IPv6 tunnel with the CGN.

CGN
  GE1/0/0 (Untrust zone)
    IP address: IPv4 Internet address 1.1.1.1/24
    Description: GE1/0/0 (Untrust zone) is used to connect to the IPv4
    Internet. Assume that the next hop address is 1.1.1.2/24.
  GE1/0/1 (Untrust zone)
    IP address: IPv6 address 5000::1/64
    Description: GE1/0/1 (Untrust zone) is used to connect to the IPv6
    Internet.
  GE1/0/2 (Trust zone)
    IP address: IPv6 address 4000::1/64
    Description: GE1/0/2 (Trust zone) is used to connect to the MAN.
  Tunnel1 interface (Trust zone)
    IP address: Source address 4000::1/64; IPv4 address of the tunnel
    interface 10.1.1.2/24
    Description: The Tunnel1 interface (Trust zone) is used to create a
    DS-Lite tunnel with the CPE.
  Address pool
    IP address: Addresses in address pool 1: 1.1.2.1 to 1.1.2.5; addresses in
    address pool 2: 1.1.2.11 to 1.1.2.15
    Description:
    ● Address pool 1 is used to translate the private IPv4 addresses to IPv4
      public addresses based on the DS-Lite NAT policy.
    ● Address pool 2 is used to translate IPv6 addresses to IPv4 public
      addresses.
  NAT64 prefix
    IP address: 6000::/96
    Description: The CGN determines whether to perform the NAT64 function on
    an IPv6 packet by checking whether the IPv6 packet contains the NAT64
    prefix.

DNS64
  NAT64 prefix
    IP address: 6000::/96
    Description: The NAT64 prefix configured on the DNS64 must be the same as
    that configured on the CGN.
  Domain name: www.example.com
    IP address: Address that corresponds to the domain name: 6000::ca01:301
    Description: The address that corresponds to the domain name is
    calculated based on the NAT64 prefix and the IPv4 Internet address of the
    server on the IPv4 Internet.

PC1
  IP address: IPv4 private address 192.168.0.2/24
  Description: –

PC2
  IP address: IPv6 address 2000::2/64
  Description: –

PC3
  IP address: IPv6 address 5000::2/64
  Description: –

Server
  IP address: IPv4 Internet address 1.1.3.1/32
  Description: –
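The NAT64 prefix is what ties the DNS64 and the CGN together: the DNS64 embeds the server's IPv4 address behind the prefix when it synthesises an AAAA answer, and the CGN translates only packets whose destination carries that prefix. The following Python is an added example, not part of the Huawei document; it implements the RFC 6052 embedding and its inverse for the page's 6000::/96 prefix and, going beyond the page, for the other prefix lengths RFC 6052 allows, and it checks that the NAT64 session entry shown in the 8.4.6 verification is self-consistent. The function names are mine; for prefix 6000::/96 and server 1.1.3.1 the embedding gives 6000::101:301, the address the PC2 ping output shows.

```python
import re
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network

NAT64_PREFIX = "6000::/96"   # prefix configured on the CGN and the DNS64 (from this page)
SERVER_V4 = "1.1.3.1"        # the server on the IPv4 Internet (from this page)
# NAT64 session entry from the CGN on this page, joined onto one line: the
# IPv6 endpoints use '.' before the port, the translated IPv4 endpoints are
# in brackets.
NAT64_SESSION_LINE = ("NAT64: icmp6 VPN: public --> public "
                      "2000::2.44152[1.1.2.14:10296] --> 6000::0101:301.2048[1.1.3.1:2048]")

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix, v4):
    """Build the IPv4-embedded IPv6 address for a NAT64 prefix (RFC 6052, 2.2).

    This is the synthesis a DNS64 performs for an AAAA answer. For prefixes
    shorter than /96 the 32 IPv4 bits are split around the zero 'u' octet that
    occupies bits 64..71 of the address."""
    prefix, bits = ip_network(prefix), int(ip_address(v4))
    pl = prefix.prefixlen
    if pl not in RFC6052_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{pl}")
    base = int(prefix.network_address)
    if pl == 96:
        return IPv6Address(base | bits)
    hi_len = 64 - pl       # IPv4 bits that fit between the prefix and 'u'
    lo_len = 32 - hi_len   # remaining IPv4 bits, placed from bit 72 onwards
    hi, lo = bits >> lo_len, bits & ((1 << lo_len) - 1)
    return IPv6Address(base | (hi << 64) | (lo << (56 - lo_len)))


def extract_ipv4(addr, prefix):
    """Inverse of embed_ipv4: the IPv4 destination the CGN will forward to."""
    prefix, addr = ip_network(prefix), ip_address(addr)
    if addr not in prefix:
        raise ValueError(f"{addr} does not carry the NAT64 prefix {prefix}")
    pl, v = prefix.prefixlen, int(addr)
    if pl == 96:
        return IPv4Address(v & 0xFFFFFFFF)
    hi_len = 64 - pl
    lo_len = 32 - hi_len
    hi = (v >> 64) & ((1 << hi_len) - 1)
    lo = (v >> (56 - lo_len)) & ((1 << lo_len) - 1)
    return IPv4Address((hi << lo_len) | lo)


def needs_nat64(dst, prefix=NAT64_PREFIX):
    """The CGN's decision rule: translate only if the destination carries the prefix."""
    return ip_address(dst) in ip_network(prefix)


SESSION_RE = re.compile(
    r"(?P<src6>[0-9a-fA-F:]+)\.(?P<sport>\d+)\[(?P<src4>[\d.]+):\d+\]\s*-->\s*"
    r"(?P<dst6>[0-9a-fA-F:]+)\.(?P<dport>\d+)\[(?P<dst4>[\d.]+):\d+\]")


def nat64_session_consistent(line, prefix=NAT64_PREFIX):
    """True if the bracketed IPv4 destination of a NAT64 session entry is exactly
    the address embedded in its IPv6 destination under the given prefix."""
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError("not a NAT64 session entry")
    dst6 = ip_address(m["dst6"])
    return (needs_nat64(dst6, prefix)
            and extract_ipv4(dst6, prefix) == ip_address(m["dst4"]))
```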

Table 8-13 describes the IPv4 route planning.

Table 8-13 IPv4 route planning

CPE
  Routing protocol: Default IPv4 route
  Target network segment: 0.0.0.0/0
  Next hop address and interface: Tunnel 1
  Description: Route connecting the CPE to the DS-Lite tunnel of the CGN

CGN
  Routing protocol: Static IPv4 route
  Target network segment: 1.1.3.1/32
  Next hop address and interface: 1.1.1.2
  Description: Route connecting the CGN to the server on the IPv4 Internet

Table 8-14 describes the IPv6 route planning.

Table 8-14 IPv6 route planning

CPE
  Routing protocol: OSPFv3
  Advertising network segment: 2000::/64
  Area: Area 1
  Description: Route connecting the CPE to the IPv6 user interface

CPE
  Routing protocol: OSPFv3
  Advertising network segment: 3000::/64
  Area: Area 0
  Description: Route connecting the CPE to the MAN

CGN
  Routing protocol: OSPFv3
  Advertising network segment: 4000::/64
  Area: Area 0
  Description: Route connecting the CGN to the MAN

CGN
  Routing protocol: OSPFv3
  Advertising network segment: 5000::/64
  Area: Area 2
  Description: Route connecting the CGN to the IPv6 Internet

8.5.3 Precautions
When the CGN is the Eudemon8000E-X, if the triplet DS-Lite NAT function is
required, the hash board selection mode must be source address hash.

8.5.4 Configuration Flow


Table 8-15 shows the configuration flow of the solution.


Table 8-15 Configuration flow


Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

CPE 1 Configure the uplink and downlink interface data. M


a
n
d
a
t
o
r
y
Y
o
u
c
a
n
s
e
t
t
h
e
p
a
r
a
m
e
t
e
r
s
b
a
s
e
d
o
n
t

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 561


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

h
e
a
c
t
u
a
l
i
n
t
e
r
f
a
c
e
a
n
d
I
P
a
d
d
r
e
s
s
p
l
a
n
n
i
n
g
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 562


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2 Configure an IPv4 over IPv6 tunnel. M


a
n
d
a
t
o
r
y
T
h
e
I
P
v
4
o
v
e
r
I
P
v
6
t
u
n
n
e
l
i
s
u
s
e
d
b
y
t
h

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 563


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

e
I
P
v
4
u
s
e
r
t
o
a
c
c
e
s
s
t
h
e
C
G
N
b
y
t
r
a
v
e
r
s
i
n
g
t
h
e
I
P

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 564


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

v
6
M
A
N
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 565


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.1 Specify the encapsulation M


type of the tunnel. a
n
d
a
t
o
r
y
T
h
e
e
n
c
a
p
s
u
l
a
t
i
o
n
t
y
p
e
o
f
t
h
e
t
u
n
n
e
l

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 566


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

i
s
i
p
v
4
-
i
p
v
6

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 567


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.2 Specify the source address M


or source interface of the a
tunnel. n
d
a
t
o
r
y
● I
t
s
p
e
c
i
fi
e
s
t
h
e
s
o
u
r
c
e
a
d
d
r
e
s
s
o
r
s
o
u

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 568


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

r
c
e
i
n
t
e
r
f
a
c
e
o
f
t
h
e
I
P
v
4
o
v
e
r
I
P
v
6
t
u
n
n
e
l
.
Y
o
u
c

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 569


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

a
n
s
p
e
c
i
f
y
t
h
e
I
P
v
6
a
d
d
r
e
s
s
o
f
t
h
e
i
n
t
e
r
f
a
c
e
t
h
a

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 570


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

t
i
s
c
o
n
n
e
c
t
e
d
t
o
t
h
e
I
P
v
6
n
e
t
w
o
r
k
a
s
t
h
e
s
o
u
r
c
e
a

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 571


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

d
d
r
e
s
s
o
f
t
h
e
t
u
n
n
e
l
,
o
r
d
i
r
e
c
t
l
y
s
p
e
c
i
f
y
t
h
e
i
n

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 572


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

t
e
r
f
a
c
e
a
s
t
h
e
s
o
u
r
c
e
i
n
t
e
r
f
a
c
e
.
● Y
o
u
c
a
n
s
p
e
c
i
f

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 573


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

y
e
i
t
h
e
r
a
p
h
y
s
i
c
a
l
i
n
t
e
r
f
a
c
e
o
r
a
l
o
g
i
c
a
l
i
n
t
e
r

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 574


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

f
a
c
e
s
u
c
h
a
s
t
h
e
l
o
o
p
b
a
c
k
i
n
t
e
r
f
a
c
e
a
s
t
h
e
s
o
u
r
c

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 575


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

e
i
n
t
e
r
f
a
c
e
o
f
t
h
e
t
u
n
n
e
l
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 576


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.3 Set the destination M


address of the tunnel. a
n
d
a
t
o
r
y
T
h
e
d
e
s
t
i
n
a
t
i
o
n
a
d
d
r
e
s
s
o
f
t
h
e
t
u
n
n
e

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 577


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

l
i
n
d
i
c
a
t
e
s
t
h
e
a
d
d
r
e
s
s
o
f
t
h
e
i
n
t
e
r
f
a
c
e
(
4
0
0
0
:

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 578


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

:
1
/
6
4
)
t
h
a
t
c
o
n
n
e
c
t
s
t
h
e
C
G
N
t
o
t
h
e
M
A
N
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 579


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.4 Configure the IPv4 M


address for the tunnel a
interface. n
d
a
t
o
r
y

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 580


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

3 Configure routes. M
a
n
d
a
t
o
r
y
T
h
e
r
o
u
t
e
s
c
o
n
fi
g
u
r
e
d
f
o
r
t
h
e
C
P
E
i
n
c
l

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 581


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

u
d
e
:
● D
S
-
L
i
t
e
t
u
n
n
e
l
r
o
u
t
e
:
f
o
r
w
a
r
d
s
I
P
v
4
s
e
r
v
i

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 582


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

c
e
p
a
c
k
e
t
s
● O
S
P
F
v
3
c
o
n
fi
g
u
r
e
d
a
t
t
h
e
i
n
t
e
r
f
a
c
e
t
o

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 583


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

c
o
n
n
e
c
t
t
o
t
h
e
I
P
v
6
n
e
t
w
o
r
k
:
f
o
r
w
a
r
d
s
I
P
v
6
s
e
r
v

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 584


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

i
c
e
p
a
c
k
e
t
s

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 585


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

CGN 1 Configure the uplink and downlink interface data. M


a
n
d
a
t
o
r
y
Y
o
u
c
a
n
s
e
t
t
h
e
p
a
r
a
m
e
t
e
r
s
b
a
s
e
d
o
n
t
h

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 586


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

e
a
c
t
u
a
l
i
n
t
e
r
f
a
c
e
a
n
d
I
P
a
d
d
r
e
s
s
p
l
a
n
n
i
n
g
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 587


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2 Configure the DS-Lite function. M


a
n
d
a
t
o
r
y
T
h
e
D
S
-
L
i
t
e
e
n
a
b
l
e
s
p
r
i
v
a
t
e
I
P
v
4
u
s
e

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 588


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

r
s
t
o
t
r
a
v
e
r
s
e
t
h
e
I
P
v
6
n
e
t
w
o
r
k
a
n
d
a
c
c
e
s
s
t
h
e
I
P

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 589


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

v
4
I
n
t
e
r
n
e
t
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 590


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.1 Configure the DS-Lite M


tunnel interfaces. a
n
d
a
t
o
r
y
T
h
e
I
P
v
4
o
v
e
r
I
P
v
6
t
u
n
n
e
l
i
s
u
s
e
d
b
y
t
h

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 591


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

e
I
P
v
4
u
s
e
r
t
o
a
c
c
e
s
s
t
h
e
C
G
N
b
y
t
r
a
v
e
r
s
i
n
g
t
h
e
I
P

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 592


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

v
6
M
A
N
.

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 593


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.2 Specify the encapsulation M


type of the tunnel. a
n
d
a
t
o
r
y
T
h
e
e
n
c
a
p
s
u
l
a
t
i
o
n
t
y
p
e
o
f
t
h
e
t
u
n
n
e
l

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 594


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

i
s
i
p
v
4
-
i
p
v
6
d
s
-
l
i
t
e

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 595


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n

2.3 Specify the source address M


or source interface of the a
tunnel. n
d
a
t
o
r
y
● I
t
s
p
e
c
i
fi
e
s
t
h
e
s
o
u
r
c
e
a
d
d
r
e
s
s
o
r
s
o
u

Issue 02 (2019-08-30) Copyright © Huawei Technologies Co., Ltd. 596


HUAWEI Firewall
Comprehensive Configuration Examples 8 Application of Firewalls in the CGN Solution

Item | Procedure | Operation | Description
(cont.) | | | ...rce interface of the IPv4 over IPv6 tunnel. You can specify the IPv6 address of the interface that is connected to the IPv6 network as the source address of the tunnel, or directly specify the interface as the source interface. ● You can specify either a physical interface or a logical interface such as the loopback interface as the source interface of the tunnel.
2.4 | Configure the IPv4 address of the tunnel interface. | Mandatory |
2.5 | Configure the NAT address pool. | Mandatory | The addresses in the NAT address pool are used as the IPv4 addresses after the DS-Lite NAT translation.
2.6 | Configure the DS-Lite NAT policy. | Mandatory | The DS-Lite NAT policy covers the DS-Lite NAT policy, and DS-Lite NAT Server. You can configure the DS-Lite NAT policy based on actual network conditions.
3 | Configure routes. | Mandatory | The routes configured include: ● Static route to the CPE and IPv4 Internet: forwards IPv4 service packets ● OSPFv3 configured at the interface to connect to the IPv6 network: forwards IPv6 service packets
4 | Configure the NAT64 function. | Mandatory | The DS-Lite NAT function enables the IPv6 users to access the IPv4 network.
4.1 | Configure the NAT address pool. | Mandatory | The addresses in the NAT address pool are used as the IPv4 addresses after the NAT64 translation.
4.2 | The NAT64 prefix is configured and advertised on the IPv6 network. | Mandatory | Whether the CGN performs NAT64 translation on an IPv6 packet depends on whether the IPv6 packet contains a NAT64 prefix.
4.4 | Configure the NAT64 policy. | Mandatory | Configure NAT64 dynamic mapping in the NAT policy, and specify the NAT type as NAT64. When performing NAT64 translation, the CGN selects one IPv4 address randomly from the NAT address pool referenced in the NAT64 policy as the source address of a packet after translation.

8.5.5 Configuration Procedure


Procedure
● Configure the CPE.
a. Enable the IPv6 packet forwarding function.
<CPE> system-view
[CPE] ipv6

b. Configure IP addresses for interfaces and add the interfaces to security zones.
# Configure an IP address for GigabitEthernet 1/0/0.
[CPE] interface GigabitEthernet 1/0/0
[CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0
[CPE-GigabitEthernet1/0/0] quit
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 1/0/0
[CPE-zone-trust] quit

# Configure an IP address for GigabitEthernet 1/0/1.
[CPE] interface GigabitEthernet 1/0/1
[CPE-GigabitEthernet1/0/1] ipv6 enable
[CPE-GigabitEthernet1/0/1] ipv6 address 2000::1 64
[CPE-GigabitEthernet1/0/1] quit
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 1/0/1
[CPE-zone-trust] quit

# Configure an IP address for GigabitEthernet 1/0/2.
[CPE] interface GigabitEthernet 1/0/2
[CPE-GigabitEthernet1/0/2] ipv6 enable
[CPE-GigabitEthernet1/0/2] ipv6 address 3000::1 64
[CPE-GigabitEthernet1/0/2] quit
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface GigabitEthernet 1/0/2
[CPE-zone-untrust] quit

c. Configure an IPv4 over IPv6 tunnel.
# Configure the IPv4 over IPv6 tunnel interface Tunnel1.
[CPE] interface Tunnel 1
[CPE-Tunnel1] tunnel-protocol ipv4-ipv6
[CPE-Tunnel1] source 3000::1
[CPE-Tunnel1] destination 4000::1
[CPE-Tunnel1] ip address 10.1.1.1 255.255.255.0
[CPE-Tunnel1] quit

# Add Tunnel1 to the Untrust zone.
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface tunnel 1
[CPE-zone-untrust] quit

d. Configure security policies. Configure policy1 that allows sending packets
from the private network to the public network and policy2 that allows
tunnel packets to pass through.
[CPE] security-policy
[CPE-policy-security] rule name policy1
[CPE-policy-security-policy1] source-zone trust
[CPE-policy-security-policy1] destination-zone untrust
[CPE-policy-security-policy1] source-address 192.168.0.0 24
[CPE-policy-security-policy1] source-address 2000:: 64
[CPE-policy-security-policy1] action permit
[CPE-policy-security-policy1] quit
[CPE-policy-security] rule name policy2
[CPE-policy-security-policy2] source-zone local

[CPE-policy-security-policy2] destination-zone untrust
[CPE-policy-security-policy2] source-address 10.1.1.0 24
[CPE-policy-security-policy2] action permit
[CPE-policy-security-policy2] quit
[CPE-policy-security] quit

e. Configure OSPFv3 for routing the IPv6 services.
[CPE] ospfv3
[CPE-ospfv3-1] router-id 1.1.1.1
[CPE-ospfv3-1] quit
[CPE] interface GigabitEthernet1/0/2
[CPE-GigabitEthernet1/0/2] ospfv3 1 area 0
[CPE-GigabitEthernet1/0/2] quit
[CPE] interface GigabitEthernet1/0/1
[CPE-GigabitEthernet1/0/1] ospfv3 1 area 1
[CPE-GigabitEthernet1/0/1] quit

f. Configure the default IPv4 route for the tunnel.
[CPE] ip route-static 0.0.0.0 0.0.0.0 tunnel 1

● Configure the CGN.
a. Enable the IPv6 packet forwarding function.
<CGN> system-view
[CGN] ipv6

b. Set the hash board selection mode to source address-based hash mode.
[CGN] firewall hash-mode source-only

c. Configure IP addresses for interfaces and add the interfaces to security zones.
# Configure an IP address for GigabitEthernet 1/0/0.
[CGN] interface GigabitEthernet 1/0/0
[CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[CGN-GigabitEthernet1/0/0] quit
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 1/0/0
[CGN-zone-untrust] quit

# Configure an IP address for GigabitEthernet 1/0/1.
[CGN] interface GigabitEthernet 1/0/1
[CGN-GigabitEthernet1/0/1] ipv6 enable
[CGN-GigabitEthernet1/0/1] ipv6 address 5000::1 64
[CGN-GigabitEthernet1/0/1] quit
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 1/0/1
[CGN-zone-untrust] quit

# Configure an IP address for GigabitEthernet 1/0/2.
[CGN] interface GigabitEthernet 1/0/2
[CGN-GigabitEthernet1/0/2] ipv6 enable
[CGN-GigabitEthernet1/0/2] ipv6 address 4000::1 64
[CGN-GigabitEthernet1/0/2] quit
[CGN] firewall zone trust
[CGN-zone-trust] add interface GigabitEthernet 1/0/2
[CGN-zone-trust] quit

d. Configure security policies. Configure policy1 that allows sending packets
from the private network to the public network and policy2 that allows
tunnel packets to pass through.
[CGN] security-policy
[CGN-policy-security] rule name policy1
[CGN-policy-security-policy1] source-zone trust
[CGN-policy-security-policy1] destination-zone untrust
[CGN-policy-security-policy1] destination-address 1.1.1.0 24
[CGN-policy-security-policy1] destination-address 5000:: 64
[CGN-policy-security-policy1] action permit
[CGN-policy-security-policy1] quit
[CGN-policy-security] rule name policy2

[CGN-policy-security-policy2] source-zone trust
[CGN-policy-security-policy2] destination-zone local
[CGN-policy-security-policy2] destination-address 10.1.1.0 24
[CGN-policy-security-policy2] action permit
[CGN-policy-security-policy2] quit
[CGN-policy-security] quit
e. Configure the DS-Lite function.
# Configure the DS-Lite tunnel interface Tunnel1.
[CGN] interface Tunnel 1
[CGN-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
[CGN-Tunnel1] source 4000::1
[CGN-Tunnel1] ip address 10.1.1.2 255.255.255.0
[CGN-Tunnel1] quit
# Add Tunnel1 to the Trust zone.
[CGN] firewall zone trust
[CGN-zone-trust] add interface tunnel 1
[CGN-zone-trust] quit
# Configure a NAT address pool.
[CGN] nat address-group addressgroup1
[CGN-address-group-addressgroup1] route enable
[CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
[CGN-address-group-addressgroup1] quit
# Configure the DS-Lite NAT policy.
[CGN] nat-policy
[CGN-policy-nat] rule name policy_nat_1
[CGN-policy-nat-rule-policy_nat_1] nat-type ds-lite
[CGN-policy-nat-rule-policy_nat_1] source-zone trust
[CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
[CGN-policy-nat-rule-policy_nat_1] source-address 3000::1 64
[CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
[CGN-policy-nat-rule-policy_nat_1] quit
[CGN-policy-nat] quit
# Configure the NAT ALG between the Trust zone and the Untrust zone
so that the server can provide FTP services externally.
[CGN] firewall interzone trust untrust
[CGN-interzone-trust-untrust] detect ftp
[CGN-interzone-trust-untrust] quit
f. Configure a static IPv4 route.
Configure the static IPv4 route to the FTP server on the Internet. Assume
that the next-hop address of the CGN to the Internet is 1.1.1.2.
[CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
g. Configure OSPFv3 for routing the IPv6 services.
[CGN] ospfv3
[CGN-ospfv3-1] router-id 2.2.2.2
[CGN-ospfv3-1] quit
[CGN] interface GigabitEthernet1/0/2
[CGN-GigabitEthernet1/0/2] ospfv3 1 area 0
[CGN-GigabitEthernet1/0/2] quit
[CGN] interface GigabitEthernet1/0/1
[CGN-GigabitEthernet1/0/1] ospfv3 1 area 2
[CGN-GigabitEthernet1/0/1] quit
h. Configure the NAT64 function.
# Configure IPv4 NAT address pool 2 and set the address range to
1.1.2.11 to 1.1.2.15. The addresses in the NAT address pool are used as
the IPv4 addresses after the NAT64 translation.
[CGN] nat address-group addressgroup2
[CGN-address-group-addressgroup2] mode pat
[CGN-address-group-addressgroup2] route enable

[CGN-address-group-addressgroup2] section 1 1.1.2.11 1.1.2.15
[CGN-address-group-addressgroup2] quit
# Set the NAT64 prefix to 6000::/96.
[CGN] nat64 prefix 6000:: 96
# Configure the NAT64 policy.
[CGN] nat-policy
[CGN-policy-nat] rule name policy_nat64
[CGN-policy-nat-rule-policy_nat64] nat-type nat64
[CGN-policy-nat-rule-policy_nat64] source-zone trust
[CGN-policy-nat-rule-policy_nat64] destination-zone untrust
[CGN-policy-nat-rule-policy_nat64] source-address 2000:: 64
[CGN-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup2
[CGN-policy-nat-rule-policy_nat64] quit
[CGN-policy-nat] quit
# Configure the blackhole route to advertise the NAT64 prefix.
[CGN] ipv6 route-static 6000:: 96 NULL 0
# Introduce the blackhole route with the NAT64 prefix to the OSPFv3
protocol.
[CGN] ospfv3
[CGN-ospfv3-1] import-route static
[CGN-ospfv3-1] quit
● Configure the DNS64 device.
Set the NAT64 prefix of the DNS64 device to 6000::/96, which is the same as
that configured on the CGN.
Configure the route between the DNS64 device and the PC and the route between
the DNS64 device and the server to ensure reachability.
On the DNS64 device, set the IPv6 address that corresponds to domain name
www.example.com to 6000::ca01:301.
● Configure the server.
In normal situations, the ISP configures the servers. Only the key points of
server configuration are described here:
– Set the IP address of the server to 1.1.3.1/32.
– The route to addresses in the address pool of the CGN must be
configured on the server.
– The server provides both FTP and HTTP services.
● Configure PC1, PC2, and PC3.
You must specify a gateway for each PC. The methods for configuring PC
addresses and routes vary with the operating systems of the PCs and are not
described here.

8.5.6 Verification
● Verify the IPv4 services.
a. After the configuration is complete, access the FTP service provided by
the server on the Internet using PC1 on the private IPv4 network.
C:\Documents and Settings\Administrator>ftp 1.1.3.1
Connected to 1.1.3.1.
220 FTP service ready.
User (1.1.3.1:(none)): admin
331 Password required for admin.
Password:
230 User logged in.
ftp>

b. Run the display firewall session table verbose command on the CPE to
check the session information.
[CPE] display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: trust--> untrust TTL: 00:10:00 Left: 00:09:59
Interface: Tunnel1 NextHop: 1.1.3.1 MAC: 0000-0000-0000
<--packets:8 bytes:498 -->packets:12 bytes:541
192.168.0.2:1035+->1.1.3.1:21 PolicyName: ---

ftp-data VPN:public --> public ID: ab016391fa4c03558d54c16acd159
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:00
Interface: GigabitEthernet1/0/0 NextHop: 192.168.0.2 MAC: 0018-826f-b3f4
<--packets:3 bytes:124 -->packets:5 bytes:370
1.1.3.1:20-->192.168.0.2:1036 PolicyName: ---

The output shows that the outbound interface is the Tunnel1 interface
and the tunnel is successfully established.
● Verify the IPv6 services.
a. Ping the interface address of the CGN that connects to the IPv6 network
from the CPE, that is, the address of the GigabitEthernet 1/0/2 interface.
<CPE> ping ipv6 4000::1
PING 4000::1 : 56 data bytes, press CTRL_C to break
Reply from 4000::1
bytes=56 Sequence=1 hop limit=64 time = 90 ms
Reply from 4000::1
bytes=56 Sequence=2 hop limit=64 time = 100 ms
Reply from 4000::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 4000::1
bytes=56 Sequence=4 hop limit=64 time = 60 ms
Reply from 4000::1
bytes=56 Sequence=5 hop limit=64 time = 40 ms

--- 4000::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/66/100 ms

If the CGN can be successfully pinged, the IPv6 routes to the CPE and
CGN are configured. On the CPE and CGN, you can run the display
ospfv3 routing command to view the OSPFv3 routing tables.
[CPE] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
2000::/64 1
directly connected, GigabitEthernet1/0/1
3000::/64 1
directly connected, GigabitEthernet1/0/2
IA 4000::/64 2
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2
IA 5000::/64 3
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2

According to the OSPFv3 routing table, you can learn that the CPE learns
the routes from the CGN to the IPv6 MAN and IPv6 Internet.
[CGN] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 2000::/64 3
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2
IA 3000::/64 2
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2

4000::/64 1
directly connected, GigabitEthernet1/0/2
5000::/64 1
directly connected, GigabitEthernet1/0/1
According to the OSPFv3 routing table, you can learn that the CGN learns
the routes from the CPE to the IPv6 MAN and IPv6 users.
b. On PC2, ping PC3.
C:\> ping6 5000::2
from 2000::2 with 32 bytes of data:
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Ping statistics for 5000::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If PC3 can be pinged, the IPv6 routes on the entire network are correctly
configured.
● Verify that an IPv6 user can access the IPv4 Internet.
a. Ping domain name www.example.com on PC2.
Pinging 6000::ca01:301 with 32 bytes of data:
Reply from 6000::ca01:301: time=23ms
Reply from 6000::ca01:301: time=6ms
Reply from 6000::ca01:301: time=12ms
Reply from 6000::ca01:301: time=33ms
Ping statistics for 6000::ca01:301:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 33ms, Average = 18ms
The IPv4 address of the server can be successfully pinged on the PC.
b. In any view of the CGN, run the display firewall ipv6 session table
command to check the NAT64 session table.
<CGN> display firewall ipv6 session table
Slot: 6 CPU: 1
NAT64: icmp6 VPN: public --> public 2000::2.44152[1.1.2.14:10296] -->
6000::CA01:301.2048[1.1.3.1:2048]
According to the NAT64 session table, you can learn the translation
mapping between IPv6 addresses and IPv4 addresses.
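The NAT64 decision described in items 4.2 and 4.4 of the configuration table, traced to the session line above, as an added Python example (not Huawei code): it checks whether a destination carries the 6000::/96 prefix, recovers the embedded IPv4 address (the low 32 bits for a /96 prefix, per RFC 6052), picks a source from addressgroup2 and renders a line in the shape of the display output. The prefix, pool and policy source come from the page; the sample packets, PAT port base and the pool-pick callback are constructed assumptions.

```python
"""NAT64 decision and address synthesis for the CGN of section 8.5 (added example).

Constants below come from the page's CGN configuration; packets, the PAT port
base and the pick callback are constructed so the behaviour is reproducible.
"""
import ipaddress
import itertools
import random
from dataclasses import dataclass
from typing import Optional

# From the page: 'nat64 prefix 6000:: 96', 'section 1 1.1.2.11 1.1.2.15',
# and the NAT64 rule's 'source-address 2000:: 64'.
NAT64_PREFIX = ipaddress.IPv6Network("6000::/96")
ADDRESSGROUP2 = [ipaddress.IPv4Address("1.1.2.11") + i for i in range(5)]
NAT64_POLICY_SOURCE = ipaddress.IPv6Network("2000::/64")


def embed_ipv4(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """Synthesize the AAAA answer a DNS64 server returns for an A record.

    With a /96 prefix the IPv4 address occupies the low 32 bits (RFC 6052).
    """
    if prefix.prefixlen != 96:
        raise ValueError("this example covers the /96 prefix form used on the page")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6) -> Optional[ipaddress.IPv4Address]:
    """Return the embedded IPv4 destination, or None if the packet has no NAT64 prefix."""
    addr = ipaddress.IPv6Address(str(ipv6))
    if addr not in prefix:
        return None  # native IPv6 destination: routed by OSPFv3, never translated
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


@dataclass
class Nat64Session:
    proto: str
    src6: ipaddress.IPv6Address
    sport: int
    dst6: ipaddress.IPv6Address
    dport: int
    src4: ipaddress.IPv4Address  # pool address chosen from addressgroup2
    sport4: int                  # PAT port on that pool address (constructed)
    dst4: ipaddress.IPv4Address  # IPv4 address recovered from the prefix

    def display(self) -> str:
        """Same shape as the page's 'display firewall ipv6 session table' line."""
        return (f"NAT64: {self.proto} VPN: public --> public "
                f"{self.src6}.{self.sport}[{self.src4}:{self.sport4}] --> "
                f"{self.dst6}.{self.dport}[{self.dst4}:{self.dport}]")


class Nat64Translator:
    """Models rule policy_nat64: nat-type nat64, source 2000::/64, pool addressgroup2."""

    def __init__(self, prefix, pool, policy_source, pick=None):
        self.prefix = prefix
        self.pool = list(pool)
        self.policy_source = policy_source
        self.pick = pick or random.choice  # the CGN picks a pool address randomly
        # One PAT port counter per pool address; 10240 is a constructed base.
        self._ports = {a: itertools.count(10240) for a in self.pool}

    def translate(self, proto, src6, sport, dst6, dport) -> Optional[Nat64Session]:
        src6 = ipaddress.IPv6Address(str(src6))
        dst6 = ipaddress.IPv6Address(str(dst6))
        dst4 = extract_ipv4(self.prefix, dst6)
        if dst4 is None or src6 not in self.policy_source:
            return None  # no NAT64 prefix, or the rule's source-address does not match
        src4 = self.pick(self.pool)
        return Nat64Session(proto, src6, sport, dst6, dport, src4, next(self._ports[src4]), dst4)


if __name__ == "__main__":
    cgn = Nat64Translator(NAT64_PREFIX, ADDRESSGROUP2, NAT64_POLICY_SOURCE)
    synthesized = embed_ipv4(NAT64_PREFIX, "1.1.3.1")  # what DNS64 would hand PC2
    print(cgn.translate("tcp", "2000::2", 44152, synthesized, 80).display())
    print(cgn.translate("icmp6", "2000::2", 1, "5000::2", 0))  # None: PC2 -> PC3 is native IPv6
```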

8.5.7 Configuration Scripts


● The CPE configuration script is as follows:
#
sysname CPE
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 2000::1/64
ospfv3 1 area 0.0.0.1
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3000::1/64
ospfv3 1 area 0.0.0.0

#
interface Tunnel1
ip address 10.1.1.1 255.255.255.0
tunnel-protocol ipv4-ipv6
source 3000::1
destination 4000::1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
source-address 2000:: 64
action permit
rule name policy2
source-zone local
destination-zone untrust
source-address 10.1.1.0 24
action permit
#
firewall zone dmz
set priority 50
#
ospfv3 1
router-id 1.1.1.1
area 0.0.0.0
area 0.0.0.1
#
ip route-static 0.0.0.0 0.0.0.0 Tunnel1
#
return

● The CGN configuration script is as follows:
#
sysname CGN
#
ipv6
#
firewall hash-mode source-only
#
nat64 prefix 6000:: 96
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 5000::1/64
ospfv3 1 area 0.0.0.2

#
interface GigabitEthernet1/0/2
undo shutdown
ipv6 enable
ipv6 address 4000::1/64
ospfv3 1 area 0.0.0.0
#
interface Tunnel1
ip address 10.1.1.2 255.255.255.0
tunnel-protocol ipv4-ipv6 ds-lite
source 4000::1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
destination-address 1.1.1.0 24
destination-address 5000:: 64
action permit
rule name policy2
source-zone trust
destination-zone local
destination-address 10.1.1.0 24
action permit
#
nat address-group addressgroup1
route enable
section 1 1.1.2.1 1.1.2.5
nat address-group addressgroup2
mode pat
route enable
section 1 1.1.2.11 1.1.2.15
#
nat-policy
rule name policy_nat_1
nat-type ds-lite
source-zone trust
destination-zone untrust
source-address 3000::1 64
action source-nat address-group addressgroup1
rule name policy_nat64
nat-type nat64
source-zone trust
destination-zone untrust
source-address 2000:: 64
action source-nat address-group addressgroup2
#
firewall interzone trust untrust
detect ftp
#
ospfv3 1
router-id 2.2.2.2
import-route static

#
ipv6 route-static 6000:: 96 NULL0
#
return

8.6 Conclusion and Suggestions


The choice among the three schemes for the CGN solution depends on the
deployment of IPv4 and IPv6 on the network. The three schemes correspond
respectively to an IPv4-dominated network, an IPv4 and IPv6 coexistent
network, and an IPv6-dominated network.
● IPv4-dominated network
Use NAT444 as the major transitional technology to save as many public
addresses as possible. Configure port pre-allocation for early planning of the
ports used for translation, which ensures proper utilization of the ports. In
addition, configure linkage with the log server to resolve the issue of user
tracing.
Use IPv6 tunneling to enable access between the small number of IPv6 users on
the network.
● IPv4 and IPv6 coexistent network
Use NAT444 and port pre-allocation in combination for IPv4 services to save
public addresses and facilitate user tracing.
Because IPv6 has been deployed on the network, access between IPv6 services can
be implemented through IPv6 route query.
Access between IPv6 and IPv4 services can be completed through NAT64.
● IPv6-dominated network
IPv6 services on the network can access each other through IPv6 route query
without the need for any transitional technology.
Access between the small number of IPv4 services can be completed through
DS-Lite. You can also configure port pre-allocation to pre-allocate ports for
the users and provide user tracing.
Access between IPv6 and IPv4 services can be completed through NAT64.

9 Application of Firewalls in the LTE IPSec Solution

9.1 Introduction
This section describes the applications of IPSec in LTE and the IPSec
configuration for a network where hot standby devices are deployed in off-line
mode.

This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X
V500R005C00 and can be used as a reference for
Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00,
Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content
may vary according to version.

9.2 Solution Overview


Introduction to LTE
Long Term Evolution (LTE) is a project initiated by the Third Generation
Partnership Project (3GPP) in December 2004 for the long term evolution of the
Universal Mobile Telecommunications System (UMTS). The objective of the project
is to increase the data rate of mobile communications systems, reduce network
nodes and system complexity, and therefore cut down the CapEx and OpEx of
networks. Since analog technology was adopted in the 1G system, mobile
communications networks have gone through the revolutions of 2G and 3G
technologies and stepped into the 4G era. LTE has become a major 4G standard.
Strictly speaking, LTE does not meet the ITU's 4G definition; it is only a
quasi-4G technology. This, however, does not hold carriers back from setting
LTE as the mainstream 4G standard.

Network Architecture of LTE


The network architecture of LTE is flatter and more IP-based than that of 3G
networks, as shown in Figure 9-1.

Figure 9-1 Network architecture of LTE

An LTE network consists of the following parts:

● User Equipment (UE): the general term for mobile terminals, such as mobile
phones, smart phones, and multimedia devices, used on the LTE network
● Evolved NodeB (eNodeB): wireless base station that provides wireless access
services for users
● IP-Radio Access Network (RAN): IP-based wireless access network. It is the
access network of the entire LTE network.
● Evolved Packet Core (EPC): the core network of LTE
– Mobility Management Entity (MME): responsible for the control function
of the core network. Traffic from the eNodeB to the EPC includes
signaling flows and service flows, and the MME processes signaling
traffic.
– Serving Gateway (S-GW): processes the service traffic from the eNodeB
to the EPC.
– Operation and Maintenance Center (OMC): includes the M2000, CME,
and LMT. The administrator manages the NEs on the LTE network in a
centralized manner through the OMC. For the ease of management,
some certificate servers, such as the CA server and RA server, are also
deployed in the OMC area.

Interfaces of the eNodeB


The eNodeB provides two interfaces, S1 and X2:

● S1 interface
The S1 interface is between the MME/S-GW and the eNodeB. Based on the
service plane, the S1 interface is further split into the S1 user plane
interface and the S1 control plane interface.
– S1 user plane interface (S1-U)
The S1-U interface is between the eNodeB and the S-GW. It carries user
data, also called service data, between the eNodeB and the S-GW. The
S1-U works on the simple GTP over UDP/IP transport protocol. This

protocol encapsulates user data. There is no mechanism for traffic
control, error control, or other data transfer assurance on the S1-U
interface.
– S1 control plane interface (S1-C)
The S1-C interface is between the eNodeB and the MME for controlling
the signaling interaction between the eNodeB and the MME. For reliable
transfer of signaling messages, the S1-C works on SCTP above the IP
layer.
● X2 interface
The X2 interface is an interface for communication between eNodeBs. The X2
is a new interface defined by LTE. It is a mesh interface and enables
inter-eNodeB packet forwarding when the terminal moves. This helps to reduce
the packet loss rate.
– X2 user plane interface (X2-U)
The X2-U interface carries user data between eNodeBs. It is used for data
forwarding only when a terminal moves from one eNodeB to another.
The X2-U also works on GTP over UDP/IP.
– X2 control plane interface (X2-C)
The X2-C is a signaling interface between eNodeBs. It enables signaling
interaction between the eNodeBs. The X2-C is related to user movement.
It transfers the user context between eNodeBs. Like the S1-C, the X2-C
also uses SCTP to ensure transmission.

9.3 Solution Design

9.3.1 Networking Requirements


On a 3G network, access authentication and data encryption mechanisms are
available on the control and user planes from the UE to the RNC, and therefore,
data transmission is secured. On an LTE network, although access authentication
and data encryption mechanisms still work from the UE to the EPC, S1-U, on the
user plane, has only authentication mechanisms but no encryption mechanisms.
Therefore, compared with the 3G network, the LTE network requires additional
security devices to eliminate security risks.
In the LTE IPSec solution, an IPSec tunnel is set up between the eNodeB and the
security gateway (the FW, also referred to as the SeMG in LTE) to encrypt S1 data
streams, protecting user data from interception on the IP-RAN and thereby
ensuring the security of the LTE network. Generally, the FW is attached to both
sides of a router in the EPC in off-path mode and serves as the IPSec gateway for
the eNodeB to access the MME and S-GW. Two FWs are deployed in hot standby
mode to improve the network stability. Figure 9-2 shows the network topology.


Figure 9-2 Network topology for off-path deployment of the FW

In the LTE IPSec solution, traffic on the eNodeB includes S1 traffic, X2 traffic, and
OM traffic and PKI traffic for communication with the NMS. Considering the
security and real-time performance, the carrier has different requirements for the
processing of different types of traffic:
● S1 traffic
The S1 traffic is classified into user plane (S1 UP) traffic for voices and control
plane (S1 CP) traffic for signaling. This traffic requires high security and
therefore is transmitted over the IPSec tunnel.
● X2 traffic
The X2 traffic is burst traffic and does not require high security. This traffic
can be either encrypted or not encrypted. In the present case, the X2 traffic is
not IPSec-encrypted because the IPSec tunnel encapsulation increases its
transmission delay.
● OM traffic
Network devices, including the eNodeB and FW, are managed by the OM
server in a centralized manner. This management traffic does not require
protection of the IPSec tunnel. For example, a small jitter is required for the
clock synchronization between the NTP server of the OM and the eNodeB,
and therefore, IPSec encryption is inappropriate.
● PKI traffic
The PKI server issues certificates to the eNodeB and the IPSec gateway. When
the eNodeB and the IPSec gateway establish an IPSec tunnel, they exchange
certificates to verify the identity of each other. This traffic does not require
IPSec protection either. It is sent by the eNodeB directly to the PKI server.
Figure 9-3 shows the transmission paths of different traffic.


Figure 9-3 Transmission of different eNodeB traffic in the LTE IPSec solution

9.3.2 Service Planning

9.3.2.1 IPSec Service Planning


In this solution, templates are used to establish IPSec tunnels. Table 9-1 describes
IPSec service planning.

Table 9-1 IPSec service planning

Scheme: Policy template
Strength and weakness:
1. Allows simultaneous establishment of IPSec tunnels with multiple eNodeBs
without the need to specify the remote IP address of the tunnel.
2. Requires a small amount of network configuration, easy to maintain.
In the case of a large quantity of eNodeBs, you may need to extend the address
range in the ACL. When the ACL is being modified, the tunnel is interrupted for a
short time. This can be overcome through reasonable data planning.

Scheme: Certificate authentication
Strength and weakness: The eNodeB and security gateway use certificates for
authentication to establish an IPSec tunnel. After hot standby is enabled, the
active device needs to generate a key pair to apply for a device certificate. After
the active device generates a key pair, the key pair is automatically backed up to
the standby device. In addition, the devices share the same device certificate.
When the active device loads the certificate, the certificate file will be
automatically backed up to the standby device.

9.3.2.2 Availability Planning


The FW serves as the IPSec gateway to process all traffic from the eNodeB to the
MME and the S-GW. It is a traffic forwarding hub in a critical position of the
network. Therefore, two FWs are generally deployed in hot standby mode for
active/standby backup. Besides the device backup solution, link backup is also
used. For example, the Eth-Trunk link is adopted on the heartbeat interface
between the two firewalls, which can not only improve the link bandwidth but
also ensure data backup between the two firewalls when some links are faulty.
Figure 9-4 shows the networking of off-path deployment of the NGFW. Table 9-2
describes the availability planning.

Figure 9-4 Networking of off-path deployment


Table 9-2 Hot standby planning

Scheme: Hot standby in active/standby mode
Strength: Dual-node deployment is more reliable than standalone deployment.
Implementation: -

Scheme: Link bundling
Strength: Multiple links are more reliable than a single link. The Eth-Trunk
increases the link bandwidth. The multiple member interfaces of the Eth-Trunk
also implement link backup. When one member interface fails, traffic can still be
carried over other member interfaces.
Implementation: Eth-Trunk bundling is applied between FW_A/FW_B and
Router3/Router4. Link bundling is applied on the heartbeat line between the FWs.

Scheme: Remote disaster recovery
Strength: Remote backup is more reliable than only local backup. When a large
disaster takes place in one location, the disaster recovery device deployed in
another location can take over to provide services.
Implementation: (Optional) Remote disaster recovery means multiple FWs are
deployed in dual-node mode in different geographical locations.

9.3.2.3 Data Planning


For the networking shown in Figure 9-5, the data planning for the network
devices is described in Table 9-3.
When the FW uses a common physical interface to establish an IPSec tunnel with
the eNodeB, if the active NGFW fails, an active/standby switchover is triggered.
When the eNodeB learns that the active NGFW has failed, it tears down the IPSec
tunnel with the active NGFW and sends an IPSec negotiation request to the new
active NGFW (the originally standby one). In this process, the administrator needs
to modify the remote address of the IPSec tunnel on the eNodeB to the IP address
of the new active NGFW. However, modifying the configuration of the eNodeB
manually is not easy. It seems feasible when there are only a small number of
eNodeBs, but in practice there are usually hundreds or even thousands of
eNodeBs, and modifying their configuration one by one is not practical.
Therefore, in the present case, the FW uses the Tunnel interface to establish an
IPSec tunnel with the eNodeB. The Tunnel interfaces of FW_A and FW_B share the
same IP address. When the Tunnel interface is used, even if an active/standby
switchover happens, because the Tunnel interfaces of the two firewalls have the
same IP address, it is not necessary to modify the remote IP address of the IPSec
tunnel on the eNodeB.


Figure 9-5 IP address planning for off-path deployment of the NGFW

Table 9-3 Data planning of the LTE network

Device: FW_A
Interface: Eth-Trunk1 (member interfaces GigabitEthernet1/0/1 and
GigabitEthernet1/0/2)
IP address:
– Eth-Trunk1.1: 1.1.1.1/30, VLAN 100. Eth-Trunk1.1 processes encrypted IPSec
traffic sent by the eNodeB to the EPC.
– Eth-Trunk1.2: 1.1.2.1/30, VLAN 200. Eth-Trunk1.2 processes decrypted service
traffic sent by the eNodeB to the S-GW.
– Eth-Trunk1.3: 1.1.3.1/30, VLAN 300. Eth-Trunk1.3 processes decrypted signaling
traffic sent by the eNodeB to the MME.
– Eth-Trunk1.4: 1.1.4.1/30, VLAN 400. Eth-Trunk1.4 processes the management
traffic exchanged between FW_A and the OM server.
Security zone: Eth-Trunk1.1: Untrust; Eth-Trunk1.2: Trust; Eth-Trunk1.3: Trust;
Eth-Trunk1.4: Trust

Device: FW_A
Interface: Eth-Trunk2 (member interfaces GigabitEthernet1/0/8 and
GigabitEthernet2/0/8)
IP address: 2.1.1.1/30
Security zone: DMZ

Device: FW_A
Interface: Tunnel interface, used for setting up an IPSec tunnel with the eNodeB
IP address: 3.1.1.1/30
Security zone: Untrust

Device: FW_B
Interface: Eth-Trunk1 (member interfaces GigabitEthernet1/0/1 and
GigabitEthernet1/0/2)
IP address:
– Eth-Trunk1.1: 5.1.1.1/30, VLAN 100. Eth-Trunk1.1 processes encrypted IPSec
traffic sent by the eNodeB to the EPC after the active/standby device switchover.
– Eth-Trunk1.2: 5.1.2.1/30, VLAN 200. Eth-Trunk1.2 processes decrypted service
traffic sent by the eNodeB to the S-GW after the active/standby device switchover.
– Eth-Trunk1.3: 5.1.3.1/30, VLAN 300. Eth-Trunk1.3 processes decrypted signaling
traffic sent by the eNodeB to the MME after the active/standby device switchover.
– Eth-Trunk1.4: 5.1.4.1/30, VLAN 400. Eth-Trunk1.4 processes the management
traffic exchanged between FW_B and the OM server.
Security zone: Eth-Trunk1.1: Untrust; Eth-Trunk1.2: Trust; Eth-Trunk1.3: Trust;
Eth-Trunk1.4: Trust

Device: FW_B
Interface: Eth-Trunk2 (member interfaces GigabitEthernet1/0/8 and
GigabitEthernet2/0/8)
IP address: 2.1.1.2/30
Security zone: DMZ

Device: FW_B
Interface: Tunnel interface, used for setting up an IPSec tunnel with the eNodeB
IP address: 3.1.1.1/30
Security zone: Untrust

Device: eNodeB-1
Interface: 1 Tunnel interface + 3 service interfaces
IP address: Tunnel IP: 6.1.1.1/30; UP service IP: 6.1.2.1/32; CP service IP:
6.1.3.1/32; OM service IP: 6.1.4.1/30
Security zone: Tunnel interface: Untrust; service interfaces: Trust

Device: eNodeB-2
Interface: 1 Tunnel interface + 3 service interfaces
IP address: Tunnel IP: 7.1.1.1/30; UP service IP: 7.1.2.1/32; CP service IP:
7.1.3.1/32; OM service IP: 7.1.4.1/30
Security zone: Tunnel interface: Untrust; service interfaces: Trust

Device: S-GW
Interface: S1-U interface
IP address: 8.1.1.1/30
Security zone: -

Device: MME
Interface: S1-C interface
IP address: 8.1.1.2/30
Security zone: -

Device: OM
Interface: U2000
IP address: 9.1.1.1/30
Security zone: -

Device: OM
Interface: NTP Server
IP address: 9.1.1.2/30
Security zone: -

Device: OM
Interface: Log Server
IP address: 9.1.1.3/30
Security zone: -

Device: PKI
Interface: CA
IP address: 9.1.2.4/30
Security zone: -

9.3.2.4 Route Planning


After two FWs are deployed on the LTE network in hot standby in off-path mode,
the encrypted traffic from the eNodeB to the MME and S-GW (the EPC) should
first be routed to the FW, and then the FW decrypts the traffic and sends the
decrypted traffic back to the EPC. Routing decides the direction of the traffic. To
route the traffic along an expected line, it is necessary to plan the routes on the
FW and the RSG as shown in Figure 9-6.
Create two OSPF processes, OSPF1 and OSPF2, on the FW. OSPF1 advertises the
IPSec gateway route of the FW to the IP-RAN so that the eNodeB acquires the
route to the FW. OSPF2 is used for route exchange between the FW and the EPC.
The FW forwards decrypted traffic to the EPC according to this route. The Eth-
Trunk sub-interfaces between the NGFW and the RSG differentiate IPSec
encrypted traffic, decrypted traffic to the S-GW, and decrypted traffic to the MME.


Figure 9-6 Route planning

● Uplink traffic
The uplink traffic from the eNodeB to the EPC relies on the following route
exchange process. The process here is based on the line from eNodeB-1
through the IP-RAN, FW_A, and RSG-1 to the EPC.
a. FW_A advertises the IPSec gateway route to OSPF1.
b. RSG-1 imports the OSPF1 route to the BGP.
c. RSG-1 advertises the IPSec gateway route to the AGG through the IBGP.
d. The AGG receives the IPSec gateway route and advertises it on the IP-
RAN.
When the eNodeB forwards IPSec traffic to the IP-RAN through a static
route, the IP-RAN learns the IPSec gateway route and routes the IPSec
traffic all the way to FW_A.
FW_A learns the route to the EPC through OSPF2. The uplink IPSec traffic
is decrypted and is forwarded to the EPC along the route learnt through
OSPF2.
● Downlink traffic
The downlink response traffic from the EPC to the eNodeB relies on the
following route exchange process. The process here is based on the line from
the EPC through RSG-1, FW_A, and the IP-RAN to eNodeB-1.


a. After importing direct routes from the AN, the IP-RAN can learn the IPSec
tunnel route to eNodeB-1.
b. RSG-1 learns the IPSec tunnel route to eNodeB-1 from the IP-RAN
through IBGP.
c. RSG-1 imports the IPSec tunnel route to eNodeB-1 learnt by the IBGP to
OSPF1. FW_A learns the IPSec tunnel route to eNodeB-1.
The response traffic from the EPC to eNodeB-1 is forwarded to FW_A
along the route learnt in OSPF2. The traffic enters the IPSec tunnel along
the route learnt during reverse route injection of FW_A. FW_A
forwards the encapsulated traffic to the IP-RAN along the route to
eNodeB-1 learnt in OSPF1. The IP-RAN then forwards the traffic all the
way to eNodeB-1.
In the hot standby scenario, the OSPF route advertised by the active IPSec
gateway (FW_A) carries its original, configurable cost, and the OSPF route
advertised by the standby IPSec gateway (FW_B) carries a cost of 65500. The
original cost of the OSPF route is therefore generally smaller than 65500. When the
traffic from the eNodeB to the EPC arrives at the RSG, the RSG selects a link with
a smaller route cost to forward the traffic to FW_A. Because the Eth-Trunk sub-
interface Trunk2.1 of RSG-1 and RSG-2 is added to OSPF1, the cost of OSPF1 is
transferred among FW_A, RSG-1, RSG-2, and FW_B. Therefore, no matter whether
the traffic from the eNodeB to the EPC arrives at RSG-1 or RSG-2, the RSG selects
a link with a smaller cost to forward the traffic to FW_A. When FW_A fails, an
active/standby switchover takes place, and the route costs are switched
simultaneously. The traffic is still forwarded by the link with a smaller cost. The
difference is that the traffic is forwarded to FW_B instead of FW_A.

9.4 Precautions
● IPSec configuration
– The tunnel address and service address of the eNodeB must be different.
– If remote disaster recovery is not implemented, when you configure the
tunnel route to the eNodeB for the FW, IPSec reverse route injection is no
longer mandatory, and static routes can be used.
● Networking
In the current LTE IPSec solution, most FWs are deployed in hot standby in
off-path mode while very few are deployed in in-path mode. This is because
off-path deployment has less impact on the original network topology.
● MTU
IPSec encryption increases the packet length. Therefore, you must adjust the
MTU of the entire path after the IPSec gateway is deployed. There are
specifically two MTU adjustment schemes:
– Reduce the MTU on the EPC side and the eNodeB side without changing
it on other nodes. The strength of this scheme is that it involves only a
small number of devices.
– Increase the MTU on the intermediate IPCore, IP-RAN and transmission
nodes. This scheme is advantageous in a high transmission efficiency and
a small IPSec header per packet.
Transmission efficiency = 1 - IPSec header/packet length. The IPSec
header length is fixed. Therefore, a greater packet length indicates a
higher transmission efficiency. The selection of an MTU adjustment
scheme depends on the live network environment.
The IPSec-encapsulated packet length is calculated as follows:
AES + MD5/SHA1: 20 (New IPHeader) + 4 (SPI) + 4 (SeqNum) + 16 (IV) + 16 (ESP Auth) + 2 to 17 (Padding) = 62 to 77 Bytes
The ESP Auth length varies according to the integrity verification
algorithm. The preceding calculation result is based on SHA2-256.
SHA2-256 is the recommended integrity verification algorithm. The ESP
Auth lengths for the other integrity algorithms are MD5=12, SHA1=12,
SHA2-256=16, SHA2-384=24, and SHA2-512=32. SHA2-384 and
SHA2-512 are not recommended because they can cause the device
running the current version to be unable to properly interwork with third-
party devices.
Packets are tagged with two layers of labels (eight bytes in all) when
being transmitted over the IP-RAN. Therefore, after the packets encrypted
by the IPSec gateway enter the IP-RAN, the packet lengths are increased
by 70 to 85 bytes (calculated based on SHA2-256).
For a new IP-RAN and IPCore project, you are advised to reserve 100
bytes more when designing the MTU. Therefore, if an IPSec gateway is
deployed, you do not need to adjust the configuration of the IP-RAN and
IPCore devices.
● QoS
In an end-to-end LTE solution, when uplink packets are decrypted from the
IPSec tunnel, the DSCP of outer layer packets is mapped to the IP header of
the decrypted packet. When downlink packets arrive at the IPSec gateway and
are encapsulated with an IPSec header, the DSCP of inner layer packets is
mapped to the outer layer packets. Therefore, it is not necessary for the IPSec
gateway to change the QoS of the packets.
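The MTU arithmetic above, worked out in Python as an added example that is not part of the Huawei document: it reproduces the 62 to 77 byte ESP tunnel-mode overhead (70 to 85 with the two IP-RAN labels), generalises it to any inner packet length and any of the listed integrity algorithms, and derives the largest inner packet that still fits a given path MTU. It assumes AES-CBC with a 16-byte block (so the ESP payload plus trailer is padded to a block boundary) and 4-byte transport labels; neither assumption is stated on the page.

```python
# Added example: ESP (tunnel mode) overhead and MTU budget, from the figures in the
# MTU precaution. Per-packet overhead = new IP header (20) + SPI (4) + sequence
# number (4) + AES IV (16) + padding + pad length (1) + next header (1) + ESP Auth (ICV).
# Assumptions (not stated by the document): AES-CBC with a 16-byte block, the ESP
# payload (inner packet + trailer) padded up to a multiple of that block, and 4-byte labels.

NEW_IP_HEADER = 20
SPI = 4
SEQ_NUM = 4
AES_IV = 16
AES_BLOCK = 16
TRAILER = 2          # pad length (1) + next header (1); padding itself is 0 to 15 bytes
LABEL_LEN = 4        # one transport label; the IP-RAN adds two (8 bytes)
ESP_AUTH_LEN = {"md5": 12, "sha1": 12, "sha2-256": 16, "sha2-384": 24, "sha2-512": 32}


def esp_padding(inner_len: int) -> int:
    """Padding bytes needed so that inner packet + trailer is block aligned (0 to 15)."""
    return (-(inner_len + TRAILER)) % AES_BLOCK


def esp_overhead(inner_len: int, auth_alg: str = "sha2-256", labels: int = 0) -> int:
    """Bytes added to an inner IP packet of inner_len bytes by ESP tunnel mode,
    plus `labels` transport labels pushed on the IP-RAN."""
    return (NEW_IP_HEADER + SPI + SEQ_NUM + AES_IV + esp_padding(inner_len) + TRAILER
            + ESP_AUTH_LEN[auth_alg] + labels * LABEL_LEN)


def overhead_range(auth_alg: str = "sha2-256", labels: int = 0) -> tuple:
    """(minimum, maximum) overhead over all inner lengths: padding 0 and padding 15."""
    fixed = (NEW_IP_HEADER + SPI + SEQ_NUM + AES_IV + TRAILER
             + ESP_AUTH_LEN[auth_alg] + labels * LABEL_LEN)
    return fixed, fixed + AES_BLOCK - 1


def transmission_efficiency(inner_len: int, auth_alg: str = "sha2-256", labels: int = 0) -> float:
    """1 - overhead / encapsulated length: the share of the on-wire packet that is
    original data. Larger inner packets give a higher value, as the text states."""
    oh = esp_overhead(inner_len, auth_alg, labels)
    return 1 - oh / (inner_len + oh)


def max_inner_len(path_mtu: int, auth_alg: str = "sha2-256", labels: int = 0) -> int:
    """Largest inner packet the IPSec gateway can encapsulate without the on-wire
    packet exceeding path_mtu (i.e. without fragmentation on the IP-RAN). Because of
    block padding this is not simply path_mtu minus the fixed overhead."""
    n = path_mtu - overhead_range(auth_alg, labels)[0]
    while n > 0 and n + esp_overhead(n, auth_alg, labels) > path_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    print("ESP overhead range (SHA2-256):", overhead_range())            # (62, 77)
    print("with two IP-RAN labels:", overhead_range(labels=2))          # (70, 85)
    print("largest inner packet for a 1500-byte IP-RAN MTU:",
          max_inner_len(1500, labels=2))                                # 1422
```

Running the block shows why the precaution asks for 100 bytes of MTU headroom: with a 1500-byte IP-RAN MTU and two labels, inner packets above 1422 bytes would have to be fragmented.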

9.5 Solution Configuration

9.5.1 Configuring Interfaces and Security Zones


Context
Configure interfaces and security zones.


Figure 9-7 Interface IP addresses and security zones

Procedure
Step 1 Configure IP addresses for the interfaces of FW_A.
<FW_A> system-view
[FW_A] sysname FW_A
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] description eth-trunk1
[FW_A-GigabitEthernet1/0/1] Eth-Trunk 1
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] description eth-trunk1
[FW_A-GigabitEthernet1/0/2] Eth-Trunk 1
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] quit
[FW_A] interface GigabitEthernet 1/0/8
[FW_A-GigabitEthernet1/0/8] description eth-trunk2
[FW_A-GigabitEthernet1/0/8] Eth-Trunk 2
[FW_A-GigabitEthernet1/0/8] quit
[FW_A] interface GigabitEthernet 2/0/8
[FW_A-GigabitEthernet2/0/8] description eth-trunk2
[FW_A-GigabitEthernet2/0/8] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/8] quit
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] ip address 1.1.1.1 30
[FW_A-Eth-Trunk1.1] vlan-type dot1q 100
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] ip address 1.1.2.1 30
[FW_A-Eth-Trunk1.2] vlan-type dot1q 200
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 1.3
[FW_A-Eth-Trunk1.3] ip address 1.1.3.1 30
[FW_A-Eth-Trunk1.3] vlan-type dot1q 300
[FW_A-Eth-Trunk1.3] quit
[FW_A] interface Eth-Trunk 1.4
[FW_A-Eth-Trunk1.4] ip address 1.1.4.1 30
[FW_A-Eth-Trunk1.4] vlan-type dot1q 400
[FW_A-Eth-Trunk1.4] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] ip address 2.1.1.1 30
[FW_A-Eth-Trunk2] quit
[FW_A] interface Tunnel 1
[FW_A-Tunnel1] ip address 3.1.1.1 30
[FW_A-Tunnel1] tunnel-protocol ipsec
[FW_A-Tunnel1] quit

Step 2 Assign the interfaces of FW_A to security zones.


[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Eth-Trunk 1.2
[FW_A-zone-trust] add interface Eth-Trunk 1.3
[FW_A-zone-trust] add interface Eth-Trunk 1.4
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Eth-Trunk 1.1
[FW_A-zone-untrust] add interface Tunnel 1
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface Eth-Trunk 2
[FW_A-zone-dmz] quit

Step 3 Configure the IP addresses and security zones of the interfaces of FW_B according
to the above procedure. Note that the IP addresses of the interfaces are different.

----End

9.5.2 Configuring Hot Standby


Context
Complete the hot standby configuration according to the figure below.

Figure 9-8 Hot standby networking

Procedure
Step 1 Configure hot standby.
# Configure hot standby on FW_A.
1. Configure a VGMP group to monitor Eth-Trunk1.
[FW_A] hrp track interface Eth-Trunk 1

2. Enable the VGMP group state-based OSPF cost adjustment function.
[FW_A] hrp adjust ospf-cost enable

3. Specify Eth-Trunk2 as the heartbeat interface and enable hot standby.
[FW_A] hrp interface Eth-Trunk 2 remote 2.1.1.2
HRP_M[FW_A] hrp enable

# Configure hot standby on FW_B.
1. Configure a VGMP group to monitor Eth-Trunk1.
[FW_B] hrp track interface Eth-Trunk 1

2. Specify FW_B as the standby firewall.
[FW_B] hrp standby-device

3. Enable the VGMP group state-based OSPF cost adjustment function.
[FW_B] hrp adjust ospf-cost enable

4. Specify Eth-Trunk2 as the heartbeat interface and enable hot standby.
[FW_B] hrp interface Eth-Trunk 2 remote 2.1.1.1
HRP_S[FW_B] hrp enable

Step 2 Configure OSPF.


# Configure OSPF on FW_A.
HRP_M[FW_A] router id 1.1.1.1
HRP_M[FW_A] ospf 1
HRP_M[FW_A-ospf-1] area 1.1.1.1
HRP_M[FW_A-ospf-1-area-1.1.1.1] network 1.1.1.1 0.0.0.3
HRP_M[FW_A-ospf-1-area-1.1.1.1] network 3.1.1.1 0.0.0.3
HRP_M[FW_A-ospf-1-area-1.1.1.1] quit
HRP_M[FW_A-ospf-1] quit

# Configure OSPF on FW_B.
HRP_S[FW_B] router id 5.5.5.1
HRP_S[FW_B] ospf 1
HRP_S[FW_B-ospf-1] area 1.1.1.1
HRP_S[FW_B-ospf-1-area-1.1.1.1] network 5.1.1.1 0.0.0.3
HRP_S[FW_B-ospf-1-area-1.1.1.1] network 3.1.1.1 0.0.0.3
HRP_S[FW_B-ospf-1-area-1.1.1.1] quit
HRP_S[FW_B-ospf-1] quit

----End

9.5.3 Configuring IPSec


Procedure
Step 1 Configure IPSec on FW_A.
1. Apply for certificates online for FW_A using CMPv2.
a. Create a 2048-bit RSA key pair rsa_cmp, and set it to be exportable from
the device.
HRP_M[FW_A] pki rsa local-key-pair create rsa_cmp exportable
Info: The name of the new key-pair will be: rsa_cmp
The size of the public key ranges from 2048 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
...........+++
...........+++

b. Configure entity information.


HRP_M[FW_A] pki entity ngfwa
HRP_M[FW_A-pki-entity-ngfwa] common-name hello
HRP_M[FW_A-pki-entity-ngfwa] country cn
HRP_M[FW_A-pki-entity-ngfwa] email [email protected]
HRP_M[FW_A-pki-entity-ngfwa] fqdn test.abc.com
HRP_M[FW_A-pki-entity-ngfwa] ip-address 3.1.1.1
HRP_M[FW_A-pki-entity-ngfwa] state jiangsu
HRP_M[FW_A-pki-entity-ngfwa] organization huawei
HRP_M[FW_A-pki-entity-ngfwa] organization-unit info
HRP_M[FW_A-pki-entity-ngfwa] quit

c. Configure a CMP session.


The field order in the CA name must be the same as that in the CA certificate;
otherwise, the server considers the CA name invalid.
# Create a CMP session named ngfwa.
HRP_M[FW_A] pki cmp session ngfwa
# Specify the PKI entity name referenced by the CMP session.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request entity ngfwa
# Configure a CA name, for example, C=cn,ST=jiangsu,L=SD,O=BB,OU=BB,CN=BB.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request ca-name
"C=cn,ST=jiangsu,L=SD,O=BB,OU=BB,CN=BB"
# Configure the URL for certificate application.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request server url http://9.1.2.4:8080
# Specify the RSA key pair used for certificate application and configure the device to update
the RSA key pair together with the certificate.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request rsa local-key-pair rsa_cmp regenerate
# When applying for a certificate for the first time, use the message authentication code for
authentication. Set the reference value and secret value of the message authentication code, for
example, 1234 and 123456.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request message-authentication-code 1234
123456
HRP_M[FW_A-pki-cmp-session-ngfwa] quit
# Submit an initial certificate request to the CMPv2 server based on the CMP session
configuration.
HRP_M[FW_A] pki cmp initial-request session ngfwa
HRP_M[FW_A]
Info: Initializing configuration.
Info: Creatting initial request packet.
Info: Connectting to CMPv2 server.
Info: Sending initial request packet.
Info: Waitting for initial response packet.
Info: Creatting confirm packet.
Info: Connectting to CMPv2 server.
Info: Sending confirm packet.
Info: Waitting for confirm packet from server.
Info: CMPv2 operation finish.

The obtained CA, RA and local certificates are named ngfwa_ca.cer,
ngfw_ra.cer, and ngfwa_local.cer respectively and stored in the CF card.
d. Install the certificates.
# Import the CA and RA certificates to the memory.
HRP_M[FW_A] pki import-certificate ca filename ngfwa_ca.cer
HRP_M[FW_A] pki import-certificate ca filename ngfw_ra.cer

# Import the local certificate to the memory.


HRP_M[FW_A] pki import-certificate local filename ngfwa_local.cer

2. Configure an IPSec policy on FW_A, and apply the IPSec policy to the
interfaces.
a. Define the protected data streams.

There may be hundreds or even thousands of eNodeBs serving on the live
network. During ACL rule definition, the destination network segment must
include the Service IP addresses of all eNodeBs to ensure all UP and CP traffic
returned by the EPC to the eNodeB enters the IPSec tunnel. Two eNodeBs are
used to illustrate the configuration.
HRP_M[FW_A] acl 3000
HRP_M[FW_A-acl-adv-3000] rule permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0
0.0.255.255
HRP_M[FW_A-acl-adv-3000] rule permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0
0.0.255.255
HRP_M[FW_A-acl-adv-3000] quit
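A planning check for the ACL coverage requirement above, written in Python as an added example that is not part of the Huawei document: it applies the wildcard-mask semantics of acl 3000 to the eNodeB addresses from Table 9-3 and reports any UP or CP service IP address that would not enter the IPSec tunnel, and any eNodeB whose tunnel address equals a service address (the first precaution in 9.4). eNodeB-3 and its 6.2.x addresses are a constructed, hypothetical site added to show a miss.

```python
# Added example: audit an IPSec ACL against the eNodeB address plan.
# Huawei ACL wildcard semantics: a wildcard bit of 1 means "don't care".
import ipaddress

# Constructed copy of acl 3000 on FW_A: (source, source wildcard, destination, destination wildcard).
ACL_3000 = [
    ("8.1.1.0", "0.0.0.255", "6.1.0.0", "0.0.255.255"),
    ("8.1.1.0", "0.0.0.255", "7.1.0.0", "0.0.255.255"),
]

# eNodeB-1 and eNodeB-2 follow Table 9-3; eNodeB-3 is hypothetical and lies outside the ACL.
ENODEBS = {
    "eNodeB-1": {"tunnel": "6.1.1.1", "up": "6.1.2.1", "cp": "6.1.3.1"},
    "eNodeB-2": {"tunnel": "7.1.1.1", "up": "7.1.2.1", "cp": "7.1.3.1"},
    "eNodeB-3": {"tunnel": "6.2.1.1", "up": "6.2.2.1", "cp": "6.2.3.1"},  # hypothetical
}

S_GW_S1U = "8.1.1.1"   # S-GW S1-U interface, the EPC-side source of returned UP traffic
MME_S1C = "8.1.1.2"    # MME S1-C interface, the EPC-side source of returned CP traffic


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """True if `address` matches `network` under a Huawei ACL wildcard mask."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_covers(source: str, destination: str, rules) -> bool:
    """True if a packet from `source` to `destination` hits any permit rule of the ACL."""
    return any(wildcard_match(source, s, sw) and wildcard_match(destination, d, dw)
               for s, sw, d, dw in rules)


def audit_enodeb_plan(enodebs, rules):
    """Return {eNodeB name: [problem, ...]}; an empty list means the site is fully covered."""
    findings = {}
    for name, ips in enodebs.items():
        problems = []
        # Response traffic from the EPC must match the ACL to be placed into the tunnel.
        for role, epc_source in (("up", S_GW_S1U), ("cp", MME_S1C)):
            if not acl_covers(epc_source, ips[role], rules):
                problems.append(f"{role.upper()} service IP {ips[role]} is not matched by the IPSec ACL")
        # Precaution: the tunnel address and the service addresses must differ.
        if ips["tunnel"] in (ips["up"], ips["cp"]):
            problems.append(f"tunnel address {ips['tunnel']} equals a service address")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for site, problems in audit_enodeb_plan(ENODEBS, ACL_3000).items():
        print(site, "OK" if not problems else "; ".join(problems))
```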


b. Configure the IPSec proposal.


HRP_M[FW_A] ipsec proposal tran1
HRP_M[FW_A-ipsec-proposal-tran1] transform esp
HRP_M[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
HRP_M[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
HRP_M[FW_A-ipsec-proposal-tran1] quit
c. Configure the IKE proposal.
HRP_M[FW_A] ike proposal 10
HRP_M[FW_A-ike-proposal-10] authentication-method rsa-signature
HRP_M[FW_A-ike-proposal-10] encryption-algorithm aes-256
HRP_M[FW_A-ike-proposal-10] dh group2
HRP_M[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW_A-ike-proposal-10] quit
d. Configure the IKE peer.
HRP_M[FW_A] ike peer eNodeB
HRP_M[FW_A-ike-peer-eNodeB] ike-proposal 10
HRP_M[FW_A-ike-peer-eNodeB] local-id-type ip
HRP_M[FW_A-ike-peer-eNodeB] remote-id-type dn
HRP_M[FW_A-ike-peer-eNodeB] certificate local-filename ngfwa_local.cer
HRP_M[FW_A-ike-peer-eNodeB] remote-id /CN=eNodeB //CN=eNodeB is the subject field
value of the device certificate of the eNodeB.
HRP_M[FW_A-ike-peer-eNodeB] undo version 1
HRP_M[FW_A-ike-peer-eNodeB] quit
e. Configure policy template policy1, and reference the policy template in
IPSec policy group map1.
The FW is capable of IPSec dynamic reverse route injection to
automatically generate the route to the Service IP address of the eNodeB.
When the IPSec tunnel functions normally, the route is generated
automatically; when the IPSec tunnel fails, the route is deleted
automatically. Dynamic reverse route injection associates the generated
static route with the IPSec tunnel state, so that the peer does not send
traffic to the IPSec tunnel when the IPSec tunnel is Down.
HRP_M[FW_A] ipsec policy-template policy1 1
HRP_M[FW_A-ipsec-policy-template-policy1-1] security acl 3000
HRP_M[FW_A-ipsec-policy-template-policy1-1] proposal tran1
HRP_M[FW_A-ipsec-policy-template-policy1-1] ike-peer eNodeB
HRP_M[FW_A-ipsec-policy-template-policy1-1] route inject dynamic
HRP_M[FW_A-ipsec-policy-template-policy1-1] quit
HRP_M[FW_A] ipsec policy map1 10 isakmp template policy1
f. Configure the OSPF dynamic route to the EPC.
Import the route generated during IPSec dynamic reverse route injection
to OSPF2 to guide the forwarding of the response traffic of the EPC to
the eNodeB. Set the next hop of the route to the Tunnel interface of the
IPSec tunnel.
HRP_M[FW_A] ospf 2
HRP_M[FW_A-ospf-2] import-route unr
HRP_M[FW_A-ospf-2] area 1.1.1.1
HRP_M[FW_A-ospf-2-area-1.1.1.1] network 1.1.2.0 0.0.0.3
HRP_M[FW_A-ospf-2-area-1.1.1.1] quit
HRP_M[FW_A-ospf-2] area 1.1.2.1
HRP_M[FW_A-ospf-2-area-1.1.2.1] network 1.1.3.0 0.0.0.3
HRP_M[FW_A-ospf-2-area-1.1.2.1] quit
HRP_M[FW_A-ospf-2] area 1.1.3.1
HRP_M[FW_A-ospf-2-area-1.1.3.1] network 1.1.4.0 0.0.0.3
HRP_M[FW_A-ospf-2-area-1.1.3.1] quit
HRP_M[FW_A-ospf-2] quit
g. Apply the security policy group map1 to the Tunnel interface.
HRP_M[FW_A] interface Tunnel 1
HRP_M[FW_A-Tunnel1] ipsec policy map1
HRP_M[FW_A-Tunnel1] quit


Step 2 Configure IPSec on FW_B.

After hot standby is enabled, all configuration information of FW_A except the route
configuration is synchronized to FW_B automatically.

Import the route generated during IPSec dynamic reverse route injection to OSPF2
to guide the forwarding of the response traffic of the EPC to the eNodeB. Set the
next hop of the route to the Tunnel interface of the IPSec tunnel.
HRP_M[FW_B] ospf 2
HRP_M[FW_B-ospf-2] import-route unr
HRP_M[FW_B-ospf-2] area 1.1.1.1
HRP_M[FW_B-ospf-2-area-1.1.1.1] network 5.1.2.0 0.0.0.3
HRP_M[FW_B-ospf-2-area-1.1.1.1] quit
HRP_M[FW_B-ospf-2] area 1.1.2.1
HRP_M[FW_B-ospf-2-area-1.1.2.1] network 5.1.3.0 0.0.0.3
HRP_M[FW_B-ospf-2-area-1.1.2.1] quit
HRP_M[FW_B-ospf-2] area 1.1.3.1
HRP_M[FW_B-ospf-2-area-1.1.3.1] network 5.1.4.0 0.0.0.3
HRP_M[FW_B-ospf-2-area-1.1.3.1] quit
HRP_M[FW_B-ospf-2] quit

----End

9.5.4 Configuring Security Policies


Procedure
Step 1 Configure security policies.
1. Configure a security policy among the Trust, Untrust and Local zones,
allowing OSPF packets to pass through FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name 1
HRP_M[FW_A-policy-security-rule-1] source-zone trust
HRP_M[FW_A-policy-security-rule-1] source-zone untrust
HRP_M[FW_A-policy-security-rule-1] destination-zone local
HRP_M[FW_A-policy-security-rule-1] service ospf
HRP_M[FW_A-policy-security-rule-1] action permit
HRP_M[FW_A-policy-security-rule-1] quit
HRP_M[FW_A-policy-security] rule name 2
HRP_M[FW_A-policy-security-rule-2] source-zone local
HRP_M[FW_A-policy-security-rule-2] destination-zone trust
HRP_M[FW_A-policy-security-rule-2] destination-zone untrust
HRP_M[FW_A-policy-security-rule-2] service ospf
HRP_M[FW_A-policy-security-rule-2] action permit
HRP_M[FW_A-policy-security-rule-2] quit
2. Configure a security policy between the Untrust and Local zones, allowing
IPSec negotiation packets to pass through FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name 3
HRP_M[FW_A-policy-security-rule-3] source-zone local
HRP_M[FW_A-policy-security-rule-3] destination-zone untrust
HRP_M[FW_A-policy-security-rule-3] source-address 3.1.1.1 32
HRP_M[FW_A-policy-security-rule-3] destination-address 6.1.1.1 30
HRP_M[FW_A-policy-security-rule-3] destination-address 7.1.1.1 30
HRP_M[FW_A-policy-security-rule-3] action permit
HRP_M[FW_A-policy-security-rule-3] quit
HRP_M[FW_A-policy-security] rule name 4
HRP_M[FW_A-policy-security-rule-4] source-zone untrust
HRP_M[FW_A-policy-security-rule-4] destination-zone local
HRP_M[FW_A-policy-security-rule-4] source-address 6.1.1.1 30
HRP_M[FW_A-policy-security-rule-4] source-address 7.1.1.1 30
HRP_M[FW_A-policy-security-rule-4] destination-address 3.1.1.1 32
HRP_M[FW_A-policy-security-rule-4] action permit
HRP_M[FW_A-policy-security-rule-4] quit

3. Configure a security policy between the Untrust and Trust zones, allowing
decapsulated IPSec traffic to pass through FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name 5
HRP_M[FW_A-policy-security-rule-5] source-zone untrust
HRP_M[FW_A-policy-security-rule-5] destination-zone trust
HRP_M[FW_A-policy-security-rule-5] source-address 6.1.0.0 16
HRP_M[FW_A-policy-security-rule-5] source-address 7.1.0.0 16
HRP_M[FW_A-policy-security-rule-5] destination-address 8.1.1.1 30
HRP_M[FW_A-policy-security-rule-5] action permit
HRP_M[FW_A-policy-security-rule-5] quit
HRP_M[FW_A-policy-security] rule name 6
HRP_M[FW_A-policy-security-rule-6] source-zone trust
HRP_M[FW_A-policy-security-rule-6] destination-zone untrust
HRP_M[FW_A-policy-security-rule-6] source-address 8.1.1.1 30
HRP_M[FW_A-policy-security-rule-6] destination-address 6.1.0.0 16
HRP_M[FW_A-policy-security-rule-6] destination-address 7.1.0.0 16
HRP_M[FW_A-policy-security-rule-6] action permit
HRP_M[FW_A-policy-security-rule-6] quit

----End
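The evaluation order those six rules produce, as an added example that is not part of the Huawei guide: a small Python model of the zone-based policy (first match wins, unmatched traffic hits the default deny, several zones or addresses in one rule match as OR), loaded with rules 1 to 6 above. The service names and the sample flows are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Rules 1 to 6 transcribed from 9.5.4. The CLI form "addr mask-length" is written
# as "addr/len"; a key that is absent means "any" for that field.
RULES = [
    {"name": "1", "src_zone": {"trust", "untrust"}, "dst_zone": {"local"}, "service": {"ospf"}},
    {"name": "2", "src_zone": {"local"}, "dst_zone": {"trust", "untrust"}, "service": {"ospf"}},
    {"name": "3", "src_zone": {"local"}, "dst_zone": {"untrust"},
     "src_addr": ["3.1.1.1/32"], "dst_addr": ["6.1.1.1/30", "7.1.1.1/30"]},
    {"name": "4", "src_zone": {"untrust"}, "dst_zone": {"local"},
     "src_addr": ["6.1.1.1/30", "7.1.1.1/30"], "dst_addr": ["3.1.1.1/32"]},
    {"name": "5", "src_zone": {"untrust"}, "dst_zone": {"trust"},
     "src_addr": ["6.1.0.0/16", "7.1.0.0/16"], "dst_addr": ["8.1.1.1/30"]},
    {"name": "6", "src_zone": {"trust"}, "dst_zone": {"untrust"},
     "src_addr": ["8.1.1.1/30"], "dst_addr": ["6.1.0.0/16", "7.1.0.0/16"]},
]


def _in_any(addr, prefixes):
    # strict=False so "6.1.1.1/30" is read as the network 6.1.1.0/30, as the CLI does
    return any(ip_address(addr) in ip_network(p, strict=False) for p in prefixes)


def _matches(rule, flow):
    if flow["src_zone"] not in rule["src_zone"] or flow["dst_zone"] not in rule["dst_zone"]:
        return False
    if "service" in rule and flow.get("service") not in rule["service"]:
        return False
    if "src_addr" in rule and not _in_any(flow["src_addr"], rule["src_addr"]):
        return False
    if "dst_addr" in rule and not _in_any(flow["dst_addr"], rule["dst_addr"]):
        return False
    return True


def evaluate(flow, rules=RULES):
    """First matching rule wins; a flow that no rule matches hits the default deny."""
    for rule in rules:
        if _matches(rule, flow):
            return "permit", rule["name"]
    return "deny", "default"


if __name__ == "__main__":
    # Constructed sample flows: IKE from the first eNodeB, decapsulated user traffic
    # to the S-GW prefix, and the same traffic to a Trust address outside 8.1.1.0/30.
    for flow in (
        {"src_zone": "untrust", "dst_zone": "local", "src_addr": "6.1.1.1", "dst_addr": "3.1.1.1", "service": "ike"},
        {"src_zone": "untrust", "dst_zone": "trust", "src_addr": "6.1.20.7", "dst_addr": "8.1.1.2", "service": "gtp"},
        {"src_zone": "untrust", "dst_zone": "trust", "src_addr": "6.1.20.7", "dst_addr": "8.1.2.9", "service": "gtp"},
    ):
        print(flow["src_addr"], "->", flow["dst_addr"], evaluate(flow))
```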

9.5.5 Configuring the Interworking with Servers


Procedure
Step 1 Configure the interworking with the NTP server.
HRP_M[FW_A] ntp-service unicast-server 9.1.1.2

Step 2 Configure the interworking with the log server.


HRP_M[FW_A] log type traffic enable
HRP_M[FW_A] firewall log host 1 9.1.1.3 9002

----End

9.5.6 Verification
1. After the configuration is complete, the IPSec tunnel between the eNodeB
and FW_A is successfully established, and the MME and S-GW can be
accessed.
2. Check the setup of the IKE SA on FW_A.
<FW_A> display ike sa
Spu board slot 1, cpu 0 ike sa information :
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
16792025 6.1.1.1 RD|ST|M v2:2
16792024 6.1.1.1 RD|ST|M v2:1
83887864 7.1.1.1 RD|ST|M v2:2
83887652 7.1.1.1 RD|ST|M v2:1

Number of SA entries : 4
Number of SA entries of all cpu : 4

3. Check the setup of the IPSec SA on FW_A.


<FW_A> display ipsec sa brief
Current ipsec sa num:4

Spu board slot 1, cpu 1 ipsec sa information:


Number of SAs:2
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
3.1.1.1 6.1.1.1 3923280450 ESP E:AES-256 A:SHA2-256-128
6.1.1.1 3.1.1.1 787858613 ESP E:AES-256 A:SHA2-256-128
3.1.1.1 7.1.1.1 3923280452 ESP E:AES-256 A:SHA2-256-128
7.1.1.1 3.1.1.1 787858611 ESP E:AES-256 A:SHA2-256-128

4. Run the display hrp state command on FW_A to check the current HRP state.
HRP_M[FW_A] display hrp state
Role: active, peer: active
Running priority: 49012, peer: 49012
Backup channel usage: 3%
Stable time: 0 days, 5 hours, 1 minutes
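Turning the checks in steps 2 and 3 into a script, as an added example that is not part of the Huawei guide: Python parsers for the display ike sa and display ipsec sa brief output shown above, plus a check that each eNodeB peer has IKEv2 SAs in both phases and an ESP SA in each direction with the negotiated AES-256/SHA2-256 algorithms. The column layout is assumed to be the one shown above; the regular expressions and the function names are mine.

```python
import re

# Outputs copied from 9.5.6 (only the lines the parsers need are kept).
IKE_SA_OUTPUT = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
16792025 6.1.1.1 RD|ST|M v2:2
16792024 6.1.1.1 RD|ST|M v2:1
83887864 7.1.1.1 RD|ST|M v2:2
83887652 7.1.1.1 RD|ST|M v2:1
"""
IPSEC_SA_OUTPUT = """\
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
3.1.1.1 6.1.1.1 3923280450 ESP E:AES-256 A:SHA2-256-128
6.1.1.1 3.1.1.1 787858613 ESP E:AES-256 A:SHA2-256-128
3.1.1.1 7.1.1.1 3923280452 ESP E:AES-256 A:SHA2-256-128
7.1.1.1 3.1.1.1 787858611 ESP E:AES-256 A:SHA2-256-128
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The VPN column is empty when no VPN instance is used, so match by shape rather
# than by column position: conn-id, peer, anything, then "v<version>:<phase>".
IKE_RE = re.compile(r"^\s*(\d+)\s+" + IPV4 + r"\s+.*?\bv(\d):(\d)\s*$")
IPSEC_RE = re.compile(r"^\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\d+)\s+.*?\b(ESP|AH)\s+E:(\S+)\s+A:(\S+)")

def parse_ike_sa(text):
    """Map each peer to the set of (IKE version, phase) SAs it currently has."""
    sas = {}
    for m in filter(None, map(IKE_RE.match, text.splitlines())):
        sas.setdefault(m.group(2), set()).add((int(m.group(3)), int(m.group(4))))
    return sas

def parse_ipsec_sa(text):
    """List of (src, dst, spi, protocol, encryption, authentication) tuples."""
    return [(m.group(1), m.group(2), int(m.group(3)), m.group(4), m.group(5), m.group(6))
            for m in filter(None, map(IPSEC_RE.match, text.splitlines()))]

def check_tunnels(ike_text, ipsec_text, local="3.1.1.1", peers=("6.1.1.1", "7.1.1.1"),
                  enc="AES-256", auth="SHA2-256-128"):
    """Return the list of findings; an empty list means every peer is up as in 9.5.6."""
    findings = []
    ike, ipsec = parse_ike_sa(ike_text), parse_ipsec_sa(ipsec_text)
    for peer in peers:
        missing = {(2, 1), (2, 2)} - ike.get(peer, set())   # IKEv2 phase 1 and phase 2
        if missing:
            findings.append(f"{peer}: IKEv2 SA missing for phase(s) {sorted(p for _, p in missing)}")
        for src, dst in ((local, peer), (peer, local)):   # one ESP SA per direction
            matches = [sa for sa in ipsec if sa[:2] == (src, dst)]
            if not matches:
                findings.append(f"{src}->{dst}: no IPsec SA")
            for _, _, spi, proto, e, a in matches:
                if (proto, e, a) != ("ESP", enc, auth):
                    findings.append(f"{src}->{dst} SPI {spi}: unexpected {proto} {e}/{a}")
    return findings
```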

9.5.7 Configuration Scripts


FW_A:
#
 sysname FW_A
#
 hrp enable
 hrp interface Eth-Trunk 2 remote 2.1.1.2
 hrp track interface Eth-Trunk 1
 hrp adjust ospf-cost enable
#
pki entity ngfwa
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 3.1.1.1
 email [email protected]
#
pki cmp session ngfwa
 cmp-request entity ngfwa
 cmp-request ca-name "C=cn,ST=jiangsu,L=SD,O=BB,OU=BB,CN=BB"
 cmp-request server url http://9.1.2.4:8080
 cmp-request rsa local-key-pair rsa_cmp regenerate
 cmp-request message-authentication-code 1234 123456
#
pki cmp initial-request session ngfwa
#
pki import-certificate ca filename ngfwa_ca.cer
pki import-certificate ca filename ngfw_ra.cer
pki import-certificate local filename ngfwa_local.cer
#
acl number 3000
 rule 5 permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0 0.0.255.255
 rule 10 permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0 0.0.255.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method rsa-signature
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer eNodeB
 undo version 1
 ike-proposal 10
 local-id-type ip
 remote-id-type dn
 remote-id /CN=eNodeB
 certificate local-filename ngfwa_local.cer
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer eNodeB
 proposal tran1
 route inject dynamic
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk 1
#
interface GigabitEthernet 1/0/1
 description eth-trunk1
 Eth-Trunk 1
#
interface GigabitEthernet 1/0/2
 description eth-trunk1
 Eth-Trunk 1
#
interface Eth-Trunk 2
 ip address 2.1.1.1 255.255.255.252
#
interface GigabitEthernet 1/0/8
 description eth-trunk2
 Eth-Trunk 2
#
interface GigabitEthernet 2/0/8
 description eth-trunk2
 Eth-Trunk 2
#
interface Eth-Trunk 1.1
 vlan-type dot1q 100
 ip address 1.1.1.1 255.255.255.252
#
interface Eth-Trunk 1.2
 vlan-type dot1q 200
 ip address 1.1.2.1 255.255.255.252
#
interface Eth-Trunk 1.3
 vlan-type dot1q 300
 ip address 1.1.3.1 255.255.255.252
#
interface Eth-Trunk 1.4
 vlan-type dot1q 400
 ip address 1.1.4.1 255.255.255.252
#
interface Tunnel 1
 ip address 3.1.1.1 255.255.255.252
 tunnel-protocol ipsec
 ipsec policy map1
#
router id 1.1.1.1
#
ospf 1
 area 1.1.1.1
  network 1.1.1.0 0.0.0.3
  network 3.1.1.0 0.0.0.3
#
ospf 2
 import-route unr
 area 1.1.1.1
  network 1.1.2.0 0.0.0.3
 area 1.1.2.1
  network 1.1.3.0 0.0.0.3
 area 1.1.3.1
  network 1.1.4.0 0.0.0.3
#
 ntp-service unicast-server 9.1.1.2
#
 log type traffic enable
 firewall log host 1 9.1.1.3 9002
#
 info-center enable
 snmp-agent
 snmp-agent sys-info version v2c
 snmp-agent target-host inform address udp-domain 9.1.1.1 params securityname private@123 v2c
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
 add interface Eth-Trunk1.3
 add interface Eth-Trunk1.4
#
firewall zone untrust
 set priority 85
 add interface Eth-Trunk1.1
 add interface Tunnel1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk2
#
security-policy
 rule name 1
  source-zone trust
  source-zone untrust
  destination-zone local
  service ospf
  action permit
 rule name 2
  source-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 3.1.1.1 32
  destination-address 6.1.1.1 30
  destination-address 7.1.1.1 30
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 6.1.1.1 30
  source-address 7.1.1.1 30
  destination-address 3.1.1.1 32
  action permit
 rule name 5
  source-zone untrust
  destination-zone trust
  source-address 6.1.0.0 16
  source-address 7.1.0.0 16
  destination-address 8.1.1.1 30
  action permit
 rule name 6
  source-zone trust
  destination-zone untrust
  source-address 8.1.1.1 30
  destination-address 6.1.0.0 16
  destination-address 7.1.0.0 16
  action permit
#
return

FW_B:
#
 sysname FW_B
#
 hrp enable
 hrp interface Eth-Trunk 2 remote 2.1.1.1
 hrp track interface Eth-Trunk 1
 hrp standby-device
 hrp adjust ospf-cost enable
#
pki entity ngfwa
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 3.1.1.1
 email [email protected]
#
pki cmp session ngfwa
 cmp-request entity ngfwa
 cmp-request ca-name "C=cn,ST=jiangsu,L=SD,O=BB,OU=BB,CN=BB"
 cmp-request server url http://9.1.2.4:8080
 cmp-request rsa local-key-pair rsa_cmp regenerate
 cmp-request message-authentication-code 1234 123456
#
pki cmp initial-request session ngfwa
#
pki import-certificate ca filename ngfwa_ca.cer
pki import-certificate ca filename ngfw_ra.cer
pki import-certificate local filename ngfwa_local.cer
#
acl number 3000
 rule 5 permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0 0.0.255.255
 rule 10 permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0 0.0.255.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method rsa-signature
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer eNodeB
 undo version 1
 ike-proposal 10
 local-id-type ip
 remote-id-type dn
 remote-id /CN=eNodeB
 certificate local-filename ngfwa_local.cer
#
ipsec policy-template policy1 1
 security acl 3000
 ike-peer eNodeB
 proposal tran1
 route inject dynamic
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk 1
#
interface GigabitEthernet 1/0/1
 description eth-trunk1
 Eth-Trunk 1
#
interface GigabitEthernet 1/0/2
 description eth-trunk1
 Eth-Trunk 1
#
interface Eth-Trunk 2
 ip address 2.1.1.2 255.255.255.252
#
interface GigabitEthernet 1/0/8
 description eth-trunk2
 Eth-Trunk 2
#
interface GigabitEthernet 2/0/8
 description eth-trunk2
 Eth-Trunk 2
#
interface Eth-Trunk 1.1
 vlan-type dot1q 1
 ip address 5.1.1.1 255.255.255.252
#
interface Eth-Trunk 1.2
 vlan-type dot1q 2
 ip address 5.1.2.1 255.255.255.252
#
interface Eth-Trunk 1.3
 vlan-type dot1q 3
 ip address 5.1.3.1 255.255.255.252
#
interface Eth-Trunk 1.4
 vlan-type dot1q 4
 ip address 5.1.4.1 255.255.255.252
#
interface Tunnel 1
 ip address 3.1.1.1 255.255.255.252
 tunnel-protocol ipsec
 ipsec policy map1
#
router id 5.1.1.1
#
ospf 1
 area 1.1.1.1
  network 5.1.1.0 0.0.0.3
  network 3.1.1.0 0.0.0.3
#
ospf 2
 import-route unr
 area 1.1.1.1
  network 5.1.2.0 0.0.0.3
 area 1.1.2.1
  network 5.1.3.0 0.0.0.3
 area 1.1.3.1
  network 5.1.4.0 0.0.0.3
#
 ntp-service unicast-server 9.1.1.2
#
 log type traffic enable
 firewall log host 1 9.1.1.3 9002
#
 info-center enable
 snmp-agent
 snmp-agent sys-info version v2c
 snmp-agent target-host inform address udp-domain 9.1.1.1 params securityname private@123 v2c
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
 add interface Eth-Trunk1.3
 add interface Eth-Trunk1.4
#
firewall zone untrust
 set priority 85
 add interface Eth-Trunk1.1
 add interface Tunnel1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk2
#
security-policy
 rule name 1
  source-zone trust
  source-zone untrust
  destination-zone local
  service ospf
  action permit
 rule name 2
  source-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 3.1.1.1 32
  destination-address 6.1.1.1 30
  destination-address 7.1.1.1 30
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 6.1.1.1 30
  source-address 7.1.1.1 30
  destination-address 3.1.1.1 32
  action permit
 rule name 5
  source-zone untrust
  destination-zone trust
  source-address 6.1.0.0 16
  source-address 7.1.0.0 16
  destination-address 8.1.1.1 30
  action permit
 rule name 6
  source-zone trust
  destination-zone untrust
  source-address 8.1.1.1 30
  destination-address 6.1.0.0 16
  destination-address 7.1.0.0 16
  action permit
#
return

9.6 Availability Solution


To prepare for possible failures, disaster recovery is deployed for key areas of the
LTE network. The design principles for disaster recovery schemes in different
positions are as follows:

Disaster Recovery for Link Failure Between the MME/S-GW and RSG
As shown in Figure 9-9, when the link between RSG-1 and the S-GW fails, traffic
from FW_A to the S-GW can no longer be carried on this link. Instead, the traffic
has to be routed to RSG-2 and then forwarded to the S-GW. Adding Eth Trunk2.3
and Eth Trunk2.2 to OSPF2 ensures that the OSPF2 route cost changes when this
link fails, so that decapsulated IPSec traffic is routed to RSG-2 for forwarding.

Figure 9-9 Disaster recovery for link failure between the MME/S-GW and RSG

Disaster Recovery for Link Failure Between the AGG and RSG
As shown in Figure 9-10, when the link between AGG-1 and RSG-1 fails, the cost
of the route in the IP-RAN area changes, and IPSec traffic from the eNodeB to
FW_A is no longer carried on this link. Instead, the traffic is routed to AGG-2 and
then forwarded to RSG-2. Because Eth Trunk2.1 is added to OSPF1, when the IPSec
traffic arrives at RSG-2, RSG-2 forwards it to RSG-1, which then forwards it to
FW_A. Here, the cost of the route from RSG-2 to FW_B (standby) is greater than
the cost of the route from RSG-2 to FW_A (active), so there is no risk of RSG-2
forwarding the IPSec traffic to FW_B.

Figure 9-10 Disaster recovery for link failure between the AGG and RSG

Remote Disaster Recovery for the IPSec Gateway


Remote disaster recovery is considered in network planning to ensure normal
operation of the communication network during large disasters, such as an
earthquake, tsunami, or hurricane. As shown in Figure 9-11, the IPSec gateway
in the remote site and the IPSec gateway in the local site back each other up as
remote disaster recovery systems. Assume that the local site is hit by a disaster,
that both local IPSec gateways, FW_A and FW_B, fail, and that the EPC area is not
affected. The IPSec traffic sent from the eNodeB then has to be forwarded to the
remote IPSec gateway. The remote IPSec gateway decapsulates the traffic and
forwards it through the RSG to the MME and S-GW in the EPC area of the local
site. To ensure that the traffic is forwarded along the expected route, the local
IPSec gateway, the RSG, and the remote IPSec gateway must be added to the
specified routing process so that their routes interwork. When the local IPSec
gateway fails, the IPSec traffic can then be routed to the remote IPSec gateway.
In addition, the routes in the local EPC and the routes of the remote IPSec
gateway must interwork, so that the decrypted traffic can be forwarded to the
local EPC.

Figure 9-11 Remote disaster recovery for the IPSec gateway
