Web: Example for Deploying Firewalls in In-path Mode and Connecting to Switches in Upstream and Downstream Directions

This section provides a web example of configuring hot standby in active/standby mode in which the service interfaces of the firewalls work at Layer 3 and connect to switches in upstream and downstream directions.

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to switches. The upstream switch is connected to the carrier network and the public IP address assigned to the enterprise is 1.1.1.1. The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by FW_A. When FW_A goes faulty, FW_B takes over.

Figure 1 Active/standby networking in which the service interfaces of each FW work at Layer 3 and are directly connected to switches

Procedure

Complete interfaces and basic network configurations.
1. Configure interfaces on FW_A.
  1. Choose Network > Interface.
  2. Click GE0/0/1, set the parameters as follows, click OK.
    
    Zone
    
    untrust
    
    IPv4
    
    IP Address
    
    10.2.0.1/24
  3. Repeat the preceding steps to configure GE0/0/3.
    
    Zone
    
    trust
    
    IPv4
    
    IP Address
    
    10.3.0.1/24
  4. Repeat the preceding steps to configure GE0/0/7.
    
    Zone
    
    DMZ
    
    IPv4
    
    IP Address
    
    10.10.0.1/24
2. Configure interfaces on FW_B.
  1. Choose Network > Interface.
  2. Click GE0/0/1, set the parameters as follows, click OK.
    
    Zone
    
    untrust
    
    IPv4
    
    IP Address
    
    10.2.0.2/24
  3. Repeat the preceding steps to configure GE0/0/3.
    
    Zone
    
    trust
    
    IPv4
    
    IP Address
    
    10.3.0.2/24
  4. Repeat the preceding steps to configure GE0/0/7.
    
    Zone
    
    DMZ
    
    IPv4
    
    IP Address
    
    10.10.0.2/24
Configure static routes.
1. Configure a default route on the FW_A.
  1. Choose Network > Route > Static Route.
  2. In Static Route List, click Add, configure a default route based on the following parameter values, and click OK.
    
    Protocol
    
    IPv4
    
    Destination Address/Mask
    
    0.0.0.0/0.0.0.0
    
    Interface
    
    GigabitEthernet0/0/1
    
    Next Hop
    
    1.1.1.10
2. Configure a default route on the FW_B.
  1. Choose Network > Route > Static Route.
  2. In Static Route List, click Add, configure a default route based on the following parameter values, and click OK.
    
    Protocol
    
    IPv4
    
    Destination Address/Mask
    
    0.0.0.0/0.0.0.0
    
    Interface
    
    GigabitEthernet0/0/1
    
    Next Hop
    
    1.1.1.10
Configure hot standby.
1. Configure hot standby on FW_A.
  1. Choose System > High Availability > Dual-System Hot Standby and click Edit.
  2. Enable Dual-System Hot Standby, set the parameters as follows, and click OK.
2. Configure hot standby on FW_B.
  1. Choose System > High Availability > Dual-System Hot Standby and click Edit.
  2. Enable Dual-System Hot Standby, set the parameters as follows, and click OK.
Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group 2.
Configure the security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add Security Policy, configure security policies and set the parameters as follows, and then click OK.
  
  Name
  
  policy_sec
  
  Source Zone
  
  trust
  
  Destination Zone
  
  untrust
  
  Source Address/Region
  
  10.3.0.0/24
  
  Action
  
  Permit

Zone	untrust
IPv4
IP Address	10.2.0.1/24

Zone	trust
IPv4
IP Address	10.3.0.1/24

Zone	DMZ
IPv4
IP Address	10.10.0.1/24

Zone	untrust
IPv4
IP Address	10.2.0.2/24

Zone	trust
IPv4
IP Address	10.3.0.2/24

Zone	DMZ
IPv4
IP Address	10.10.0.2/24

Protocol	IPv4
Destination Address/Mask	0.0.0.0/0.0.0.0
Interface	GigabitEthernet0/0/1
Next Hop	1.1.1.10

Protocol	IPv4
Destination Address/Mask	0.0.0.0/0.0.0.0
Interface	GigabitEthernet0/0/1
Next Hop	1.1.1.10

Name	policy_sec
Source Zone	trust
Destination Zone	untrust
Source Address/Region	10.3.0.0/24
Action	Permit

Configure a NAT policy to allow intranet users to access the Internet.

NAT policies configured on FW_A are automatically backed up to FW_B.

Choose Policy > NAT Policy > NAT Policy.
Click the Source Translation Address Pool tab, click Add, configure a NAT address pool and set the parameters as follows, and then click OK.

Name

addressgroup1

IP Address Range

1.1.1.1-1.1.1.1

Name	addressgroup1
IP Address Range	1.1.1.1-1.1.1.1

Click the NAT Policy tab, click Add, configure NAT policy policy_nat and set the parameters as follows, and then click OK.

Name	policy_nat
NAT Type	NAT
NAT Mode	Source address translation
Source Zone	trust
Destination Type	Destination Zone: untrust
Source Address Translated To	IP Addresses in the IP Address Pool
Source Translation Address Pool	addressgroup1

Configuration Verification

Choose System > High Availability > Dual-System Hot Standby to view the operating status of hot standby.

Normally, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Active. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Standby. This shows that traffic is forwarded by FW_A.
When FW_A goes faulty, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Standby. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Active. This shows that traffic is forwarded by FW_B.

Configuration Scripts

FW_A	FW_B
# hrp enable hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 # interface GigabitEthernet 0/0/1 ip address 10.2.0.1 255.255.255.0 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active # interface GigabitEthernet 0/0/3 ip address 10.3.0.1 255.255.255.0 vrrp vrid 2 virtual-ip 10.3.0.3 active # interface GigabitEthernet 0/0/7 ip address 10.10.0.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 # firewall zone dmz set priority 50 add interface GigabitEthernet 0/0/7 # ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 1.1.1.10 # nat address-group addressgroup1 0 section 0 1.1.1.1 1.1.1.1 # security-policy rule name policy_sec source-zone trust destination-zone untrust source-address 10.3.0.0 24 action permit # nat-policy rule name policy_nat source-zone trust destination-zone untrust action source-nat address-group addressgroup1	# hrp enable hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 # interface GigabitEthernet 0/0/1 ip address 10.2.0.2 255.255.255.0 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby # interface GigabitEthernet 0/0/3 ip address 10.3.0.2 255.255.255.0 vrrp vrid 2 virtual-ip 10.3.0.3 standby # interface GigabitEthernet 0/0/7 ip address 10.10.0.2 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 # firewall zone dmz set priority 50 add interface GigabitEthernet0/0/7 # ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 1.1.1.10 # nat address-group addressgroup1 0 section 0 1.1.1.1 1.1.1.1 # security-policy rule name policy_sec source-zone trust destination-zone untrust source-address 10.3.0.0 24 action permit # nat-policy rule name policy_nat source-zone trust destination-zone untrust action source-nat address-group addressgroup1

FW_A

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 1.1.1.10
#    
 nat address-group addressgroup1 0 
 section 0 1.1.1.1 1.1.1.1
#    
security-policy  
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit    
#    
nat-policy  
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#    
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#    
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#    
firewall zone dmz    
 set priority 50     
 add interface GigabitEthernet0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 1.1.1.10
#    
 nat address-group addressgroup1 0 
 section 0 1.1.1.1 1.1.1.1
#    
security-policy  
 rule name policy_sec  
  source-zone trust  
  destination-zone untrust 
  source-address 10.3.0.0 24
  action permit    
#    
nat-policy  
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1