This section provides a web example of how to configure hot standby in load balancing mode in which the service interfaces of the firewalls work at Layer 2 and connect to routers in upstream and downstream directions.
Networking Requirements
On the network shown in Figure 1, the service interfaces of two FWs work at Layer 2 and are directly connected to routers. The uplink and downlink service interfaces of each FW are added to the same VLAN.
The FWs and directly connected routers run OSPF. The FWs transparently transmit OSPF packets and do not calculate routes.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B forward traffic. When one FW goes faulty, the other FW takes over all the traffic load.
Figure 1 Load balancing networking in which the service interfaces of each FW work at Layer 2 and are directly connected to routers
Procedure
- Configure interfaces and basic network configurations.
- Configure interfaces on FW_A.
Choose .
Click GE0/0/1, set the parameters as follows, and click OK.
Zone: untrust
Mode: Switching
Connection Type: Access
Access VLAN ID: 2
Repeat the preceding steps to set the parameters of GE0/0/3.
Zone: trust
Mode: Switching
Connection Type: Access
Access VLAN ID: 2
Repeat the preceding steps to set the parameters of GE0/0/7.
Zone: dmz
IP Address (IPv4): 10.10.0.1/24
- Configure interfaces on FW_B.
Choose .
Click GE0/0/1, set the parameters as follows, and click OK.
Zone: untrust
Mode: Switching
Connection Type: Access
Access VLAN ID: 2
Repeat the preceding steps to set the parameters of GE0/0/3.
Zone: trust
Mode: Switching
Connection Type: Access
Access VLAN ID: 2
Repeat the preceding steps to set the parameters of GE0/0/7.
Zone: dmz
IP Address (IPv4): 10.10.0.2/24
- Configure hot standby.
- Configure hot standby on FW_A.
- Choose and click Edit.

Enable Dual-System Hot Standby, set the parameters as follows, and click OK.

- Configure hot standby on FW_B.
- Choose and click Edit.
Enable Dual-System Hot Standby, set the parameters as follows, and click OK.

- Configure the security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
- Choose .
- Click Add Security Policy, set the parameters as follows, and click OK.
# Configure a security policy to allow OSPF packets transmitted between the upstream and downstream routers and the packets exchanged between the intranet and Internet.
When the service interfaces of the FWs work at Layer 2, OSPF packets exchanged between the upstream and downstream routers must pass through the FWs. Whether such packets are subject to security policies is controlled by the firewall packet-filter basic-protocol enable command, which is enabled by default; that is, OSPF packets are matched against security policies. In this case, a security policy permitting OSPF must be configured between the security zone of the upstream service interface and the security zone of the downstream service interface. This example assumes the default, in which firewall packet-filter basic-protocol enable is in effect.
Name: policy_ospf_1
Source Zone: trust
Destination Zone: untrust
Source Address/Region: 10.3.0.1/32, 10.3.1.1/32
Destination Address/Region: 10.3.0.2/32, 10.3.1.2/32
Service: ospf
Action: Permit

Name: policy_ospf_2
Source Zone: untrust
Destination Zone: trust
Source Address/Region: 10.3.0.2/32, 10.3.1.2/32
Destination Address/Region: 10.3.0.1/32, 10.3.1.1/32
Service: ospf
Action: Permit

Name: policy_sec
Source Zone: trust
Destination Zone: untrust
Source Address/Region: 10.3.2.0/24, 10.3.3.0/24
Action: Permit
- Configure the routers.
Configure OSPF on the routers to advertise routes. For configuration commands, refer to the related documents of the routers.
Verification
Choose to view the operating status of hot standby.
- Normally, the Current Running Mode of FW_A is Load Balancing and the Current Status is Active. The Current Running Mode of FW_B is Load Balancing and the Current Status is Active. This shows that both FWs forward traffic.
- When FW_A goes faulty, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Standby. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Active. This shows that traffic is forwarded by FW_B.
Configuration Scripts
FW_A
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
hrp mirror session enable
hrp track vlan 2
#
vlan batch 2
#
interface GigabitEthernet 0/0/3
portswitch
port default vlan 2
#
interface GigabitEthernet 0/0/1
portswitch
port default vlan 2
#
interface GigabitEthernet 0/0/7
ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet 0/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 0/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/7
#
security-policy
rule name policy_ospf_1
source-zone trust
destination-zone untrust
source-address 10.3.0.1 32
source-address 10.3.1.1 32
destination-address 10.3.0.2 32
destination-address 10.3.1.2 32
service ospf
action permit
rule name policy_ospf_2
source-zone untrust
destination-zone trust
source-address 10.3.0.2 32
source-address 10.3.1.2 32
destination-address 10.3.0.1 32
destination-address 10.3.1.1 32
service ospf
action permit
rule name policy_sec
source-zone trust
destination-zone untrust
source-address 10.3.2.0 24
source-address 10.3.3.0 24
action permit
FW_B
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
hrp mirror session enable
hrp track vlan 2
#
vlan batch 2
#
interface GigabitEthernet 0/0/3
portswitch
port default vlan 2
#
interface GigabitEthernet 0/0/1
portswitch
port default vlan 2
#
interface GigabitEthernet 0/0/7
ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet 0/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 0/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/7
#
security-policy
rule name policy_ospf_1
source-zone trust
destination-zone untrust
source-address 10.3.0.1 32
source-address 10.3.1.1 32
destination-address 10.3.0.2 32
destination-address 10.3.1.2 32
service ospf
action permit
rule name policy_ospf_2
source-zone untrust
destination-zone trust
source-address 10.3.0.2 32
source-address 10.3.1.2 32
destination-address 10.3.0.1 32
destination-address 10.3.1.1 32
service ospf
action permit
rule name policy_sec
source-zone trust
destination-zone untrust
source-address 10.3.2.0 24
source-address 10.3.3.0 24
action permit
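As an added consistency check (example code written for this page, not Huawei's code and not part of the scripts above), the following Python parses the HRP, VLAN and Layer 2 port lines of the FW_A and FW_B scripts and flags the mismatches that would stop the heartbeat from forming or leave a service VLAN unmonitored: each hrp interface ... remote address must point at the peer's heartbeat IP, the two peers must track and carry the same VLAN on the same ports, and every service VLAN must appear in hrp track vlan. The embedded script excerpts are constructed copies of the page's scripts, trimmed to the lines the checks need.

```python
import re

# Constructed excerpts of the FW_A and FW_B scripts on this page (HRP, VLAN and
# Layer 2 port lines only); the security-policy block is not needed for these checks.
FW_A = """hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
hrp track vlan 2
interface GigabitEthernet 0/0/3
port default vlan 2
interface GigabitEthernet 0/0/1
port default vlan 2
interface GigabitEthernet 0/0/7
ip address 10.10.0.1 255.255.255.0"""
FW_B = """hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
hrp track vlan 2
interface GigabitEthernet 0/0/3
port default vlan 2
interface GigabitEthernet 0/0/1
port default vlan 2
interface GigabitEthernet 0/0/7
ip address 10.10.0.2 255.255.255.0"""

def parse(script):
    """Pull the HRP peer address, own heartbeat IP, tracked VLANs and L2 port VLANs."""
    cfg = {"remote": None, "hrp_ip": None, "track": set(), "ports": {}}
    hrp_if = cur = None
    for line in script.splitlines():
        if m := re.match(r"hrp interface (.+) remote (\S+)", line):
            hrp_if, cfg["remote"] = m.group(1), m.group(2)
        elif m := re.match(r"hrp track vlan (\d+)", line):
            cfg["track"].add(int(m.group(1)))
        elif m := re.match(r"interface (.+)", line):
            cur = m.group(1)                      # interface context for later lines
        elif m := re.match(r"port default vlan (\d+)", line):
            cfg["ports"][cur] = int(m.group(1))   # access VLAN of a switching port
        elif (m := re.match(r"ip address (\S+)", line)) and cur == hrp_if:
            cfg["hrp_ip"] = m.group(1)            # this FW's heartbeat address
    return cfg

def check_pair(a, b):
    """Return mismatches between the two peers; an empty list means consistent."""
    problems = []
    if a["remote"] != b["hrp_ip"] or b["remote"] != a["hrp_ip"]:
        problems.append("hrp remote addresses do not cross-reference the peer heartbeat IP")
    if a["track"] != b["track"] or a["ports"] != b["ports"]:
        problems.append("tracked VLANs or Layer 2 service ports differ between peers")
    for name, cfg in (("FW_A", a), ("FW_B", b)):
        if set(cfg["ports"].values()) - cfg["track"]:
            problems.append(f"{name}: a service VLAN is not tracked by hrp track vlan")
    return problems
```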