This section provides a web UI example of configuring hot standby in active/standby mode, in which the service interfaces of the firewalls work at Layer 3, connect to routers through OSPF in the upstream direction, and connect to switches in the downstream direction.
Networking Requirements
On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3, with routers as upstream devices and switches as downstream devices. Each FW runs OSPF with its directly connected router. The two FWs are connected to each other through a heartbeat link on GE0/0/7.
The FWs are expected to work in active/standby mode. In normal operation, traffic is forwarded by FW_A. When FW_A fails, FW_B takes over.
Figure 1 Active/standby networking in which the service interfaces of each FW work at Layer 3 with routers as upstream devices and switches as downstream devices
Procedure
- Configure interfaces and basic network configurations.
- Configure interfaces on FW_A.
Choose .
Click GE0/0/1, set the parameters as follows, and click OK.
Zone | untrust
IPv4 IP Address | 10.2.0.1/24
Repeat the preceding steps to set the parameters of GE0/0/3.
Zone | trust
IPv4 IP Address | 10.3.0.1/24
Repeat the preceding steps to set the parameters of GE0/0/7 (the heartbeat interface).
Zone | dmz
IPv4 IP Address | 10.10.0.1/24
- Configure interfaces on FW_B.
Choose .
Click GE0/0/1, set the parameters as follows, and click OK.
Zone | untrust
IPv4 IP Address | 10.2.1.1/24
Repeat the preceding steps to set the parameters of GE0/0/3.
Zone | trust
IPv4 IP Address | 10.3.0.2/24
Repeat the preceding steps to set the parameters of GE0/0/7 (the heartbeat interface).
Zone | dmz
IPv4 IP Address | 10.10.0.2/24
- Configure OSPF to ensure IP connectivity.
- Configure OSPF on FW_A.
- Choose .

Click Add, create an OSPF process and set the parameters as follows, and then click OK.
Type | OSPFv2
Process ID | 10
Click , click Add, create an OSPF area and set the parameters as follows, and then click OK.
Area | 0.0.0.0
IP Network | 10.2.0.0
Mask/Wildcard Mask | 255.255.255.0
Choose , click Add, create a second network in the same area and set the parameters as follows, and then click OK.
Area | 0.0.0.0
IP Network | 10.3.0.0
Mask/Wildcard Mask | 255.255.255.0
- Configure OSPF on FW_B.
- Choose .
Click Add, create an OSPF process and set the parameters as follows, and then click OK.
Type | OSPFv2
Process ID | 10
Click , click Add, create an OSPF area and set the parameters as follows, and then click OK.
Area | 0.0.0.0
IP Network | 10.2.1.0
Mask/Wildcard Mask | 255.255.255.0
Choose , click Add, create a second network in the same area and set the parameters as follows, and then click OK.
Area | 0.0.0.0
IP Network | 10.3.0.0
Mask/Wildcard Mask | 255.255.255.0
- Configure hot standby.
- Configure hot standby on FW_A.
- Choose and click Edit.
Enable Dual-System Hot Standby, set the hot standby parameters, and click OK. The values to enter are the ones that appear as the hrp and vrrp commands in the FW_A script under Configuration Scripts: heartbeat interface GE0/0/7 with remote address 10.10.0.2, tracked upstream interface GE0/0/1, and VRRP group 1 on GE0/0/3 with virtual IP address 10.3.0.3 in the active role.
- Configure hot standby on FW_B.
- Choose and click Edit.
Enable Dual-System Hot Standby, set the hot standby parameters, and click OK. The values mirror those on FW_A and appear as the hrp and vrrp commands in the FW_B script under Configuration Scripts: heartbeat interface GE0/0/7 with remote address 10.10.0.1, tracked upstream interface GE0/0/1, and VRRP group 1 on GE0/0/3 with the same virtual IP address 10.3.0.3, this time in the standby role.
- Configure the security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
- Choose .
- Click Add Security Policy, configure security policies and set the parameters as follows, and then click OK.
# Configure security policies to allow the FW and the upstream router (in the untrust zone) to exchange OSPF packets.
Whether security policies control OSPF packets is determined by the firewall packet-filter basic-protocol enable command. This function is enabled by default, so OSPF packets are subject to security policies, and a policy must exist between the untrust zone, where the upstream service interface resides, and the local zone to let them through. This example keeps the default, that is, firewall packet-filter basic-protocol enable in effect. Rules are needed in both directions because the FW and the router each originate their own OSPF packets.
Name | policy_ospf_1
Source Zone | local
Destination Zone | untrust
Service | ospf
Action | Permit
Name | policy_ospf_2
Source Zone | untrust
Destination Zone | local
Service | ospf
Action | Permit
# Configure a security policy to allow intranet users to access the Internet.
Name | policy_sec
Source Zone | trust
Destination Zone | untrust
Source Address/Region | 10.3.0.0/24
Action | Permit
- On the intranet device, configure a default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group 1, not the real address of either FW, so that the route stays valid after a switchover.
Configuration Verification
Choose to view the operating status of hot standby.
- In normal operation, the Current Running Mode of FW_A is Active/Standby Backup and its Current Status is Active; the Current Running Mode of FW_B is Active/Standby Backup and its Current Status is Standby. This shows that traffic is forwarded by FW_A.
- When FW_A fails (for example, when the tracked interface GE0/0/1 goes down), the Current Status of FW_A changes to Standby and that of FW_B to Active, while the Current Running Mode of both remains Active/Standby Backup. This shows that traffic is now forwarded by FW_B.
Configuration Scripts
FW_A
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp track interface GigabitEthernet 0/0/1
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_ospf_1
  source-zone local
  destination-zone untrust
  service ospf
  action permit
 rule name policy_ospf_2
  source-zone untrust
  destination-zone local
  service ospf
  action permit
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
FW_B
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp track interface GigabitEthernet 0/0/1
#
interface GigabitEthernet 0/0/1
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_ospf_1
  source-zone local
  destination-zone untrust
  service ospf
  action permit
 rule name policy_ospf_2
  source-zone untrust
  destination-zone local
  service ospf
  action permit
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
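The two scripts are easy to get out of step when each firewall is configured separately in the web UI: a mistyped heartbeat remote address, both sides left in the active VRRP role, a virtual IP outside the shared downstream subnet, or a service interface that OSPF does not advertise. The following Python script is an added example, not vendor tooling from this page: it parses the two scripts (embedded as constructed sample input, trimmed to the lines the checks need) and reports any such pairing problem before the standby is trusted with a switchover. The FW_A/FW_B labels, the check messages and the invariants chosen are the example's own.

```python
"""Pairing checks for an HRP active/standby firewall pair (added example,
not vendor code). The two scripts below are constructed sample input copied
from the Configuration Scripts section, trimmed to what the checks need."""
import ipaddress
import re

FW_A = """
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
hrp track interface GigabitEthernet 0/0/1
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 active
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
firewall zone trust
 add interface GigabitEthernet 0/0/3
firewall zone untrust
 add interface GigabitEthernet 0/0/1
firewall zone dmz
 add interface GigabitEthernet0/0/7
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
"""
# FW_B differs only in its own addresses, its upstream OSPF network and the VRRP role.
FW_B = (FW_A.replace("remote 10.10.0.2", "remote 10.10.0.1")
            .replace("10.2.0.1 255", "10.2.1.1 255").replace("10.3.0.1 255", "10.3.0.2 255")
            .replace("10.10.0.1 255", "10.10.0.2 255").replace("10.3.0.3 active", "10.3.0.3 standby")
            .replace("network 10.2.0.0", "network 10.2.1.0"))


def parse(cfg):
    """Collect the facts the pairing checks need from one device's script."""
    fw = {"hrp": None, "track": set(), "ip": {}, "vrrp": {}, "zone": {}, "ospf": set()}
    ctx = None
    for raw in cfg.splitlines():
        # "GigabitEthernet 0/0/7" and "GigabitEthernet0/0/7" name the same port
        t = re.sub(r"(?<=Ethernet) (?=\d)", "", raw).split()
        if not t:
            continue
        if t[:2] == ["hrp", "interface"]:
            fw["hrp"] = (t[2], t[4])                   # heartbeat port, peer address
        elif t[:2] == ["hrp", "track"]:
            fw["track"].add(t[3])
        elif t[0] == "interface" or t[:2] == ["firewall", "zone"]:
            ctx = t[-1]                                # interface or zone being configured
        elif t[:2] == ["ip", "address"]:
            fw["ip"][ctx] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "vrrp":
            fw["vrrp"][int(t[2])] = (ctx, t[4], t[5])  # port, virtual IP, role
        elif t[:2] == ["add", "interface"]:
            fw["zone"][t[2]] = ctx
        elif t[0] == "network":
            # VRP network statements carry a wildcard mask; ipaddress reads it as a hostmask
            fw["ospf"].add(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
    return fw


def check_pair(a, b):
    """Return the list of pairing problems; an empty list means the pair is consistent."""
    out = []
    for me, peer, tag in ((a, b, "FW_A"), (b, a, "FW_B")):
        port, peer_ip = me["hrp"]
        own, remote = me["ip"].get(port), peer["ip"].get(port)
        if own is None or remote is None or str(remote.ip) != peer_ip:
            out.append(f"{tag}: hrp remote {peer_ip} is not the peer's address on {port}")
        elif remote.ip not in own.network:
            out.append(f"{tag}: heartbeat peer {peer_ip} is not on the {own.network} link")
        for tracked in me["track"]:
            if tracked not in me["ip"]:
                out.append(f"{tag}: tracked interface {tracked} has no IP address")
        for name, addr in me["ip"].items():   # every service interface must be in OSPF
            if name != port and not any(addr.network.subnet_of(n) for n in me["ospf"]):
                out.append(f"{tag}: {addr.network} on {name} is not advertised in OSPF")
    if a["zone"] != b["zone"]:
        out.append("zone membership differs between the two firewalls")
    if a["vrrp"].keys() != b["vrrp"].keys():
        out.append("VRRP group IDs differ between the two firewalls")
    for vrid in a["vrrp"].keys() & b["vrrp"].keys():
        (pa, vip, ra), (pb, vip_b, rb) = a["vrrp"][vrid], b["vrrp"][vrid]
        if (pa, vip) != (pb, vip_b) or pa not in a["ip"] or pa not in b["ip"]:
            out.append(f"VRRP {vrid}: interface or virtual IP differs, or {pa} has no address")
            continue
        if {ra, rb} != {"active", "standby"}:
            out.append(f"VRRP {vrid}: roles are {ra}/{rb}, need exactly one active and one standby")
        net = a["ip"][pa].network
        if ipaddress.ip_address(vip) not in net or vip in {str(a["ip"][pa].ip), str(b["ip"][pb].ip)}:
            out.append(f"VRRP {vrid}: virtual IP {vip} must be a free address inside {net}")
    dup = {str(i.ip) for i in a["ip"].values()} & {str(i.ip) for i in b["ip"].values()}
    if dup:
        out.append(f"same real address configured on both firewalls: {sorted(dup)}")
    return out


if __name__ == "__main__":
    print("page pair:", check_pair(parse(FW_A), parse(FW_B)) or "consistent")
    # A typical hand-edit slip: FW_B left in the active VRRP role as well
    print("both active:", check_pair(parse(FW_A), parse(FW_B.replace("10.3.0.3 standby", "10.3.0.3 active"))))
```

Run it against the display current-configuration output of both devices before the first failover test; the page's own pair comes back consistent, and each injected slip (wrong hrp remote, two active VRRP roles, a real address reused on both boxes) is named in the output. Note that the heartbeat subnet on GE0/0/7 is deliberately excluded from the OSPF check, matching the page, where only the two service networks are advertised.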