< Home

Web: Example for Configuring Hot Standby (Load Balancing) of Virtual Systems on Firewalls Connecting to Upstream Routers Through the Public System and Downstream Subnets Through Virtual Systems

This section provides a Web example for configuring hot standby in load balancing mode in which multiple virtual systems configured on the FW connect to different downstream subnets through switches and share an upstream public system interface to connect to routers.

Networking Requirements

As shown in Figure 1, an enterprise deploys two FWs as egress gateways to connect the intranet to the Internet. The two FWs are in hot standby deployment for high availability. The service interfaces of both FWs work at Layer 3 and connect to upstream routers (with OSPF running between the FWs and routers) and downstream switches (to connect to different subnets isolated from each other). Specific requirements are as follows:
  • The enterprise has only one upstream interface. All departments need to access the Internet through this interface.
  • Different departments on the intranet need to be isolated from and cannot communicate with each other.
  • The two FWs work in load balancing mode. In normal situations, FW_A forwards traffic from department A, and FW_B forwards traffic from department B. If one FW fails, traffic from both departments is forwarded by the other FW. This ensures that the services are not interrupted.
  • The upstream and downstream links of the two FWs shall be in the same state, so that when the interface of one FW is down, the interface of the other FW can take over for service continuity.
Figure 1 Hot standby networking when virtual systems are configured

Data Planning

Table 1 Data planning of FW_A

Item

Data

Description

Interfaces

Interface number: GigabitEthernet 0/0/1

IP address: 192.168.0.2/30

Security zone: Untrust

Upstream interface of public system public

Interface number: GigabitEthernet 0/0/2

IP address: 10.3.1.2/24

Security zone: Trust

Downstream interface of virtual system vsysa

Interface number: GigabitEthernet 0/0/3

IP address: 10.3.2.2/24

Security zone: Trust

Downstream interface of virtual system vsysb

Interface number: GigabitEthernet 0/0/7

IP address: 10.10.0.1/24

Security zone: DMZ

Heartbeat interface

VRRP groups

VRRP group 1: 10.3.1.1/24 active

-

VRRP group 2: 10.3.2.1/24 standby

-

Routes

Blackhole route

Destination IP address: 1.1.1.1/32

Blackhole route configured for the NAT address pool of public system public to prevent route loops

OSPF 100

Advertised network segment: 192.168.0.0/30

Static routes imported

OSPF configuration of public system public
Table 2 Data planning of FW_B

Item

Data

Description

Interfaces

Interface number: GigabitEthernet 0/0/1

IP address: 192.168.0.10/30

Security zone: Untrust

Upstream interface of public system public

Interface number: GigabitEthernet 0/0/2

IP address: 10.3.1.3/24

Security zone: Trust

Downstream interface of virtual system vsysa

Interface number: GigabitEthernet 0/0/3

IP address: 10.3.2.3/24

Security zone: Trust

Downstream interface of virtual system vsysb

Interface number: GigabitEthernet 0/0/7

IP address: 10.10.0.2/24

Security zone: DMZ

Heartbeat interface

VRRP groups

VRRP group 1: 10.3.1.1/24 standby

-

VRRP group 2: 10.3.2.1/24 active

-

Routes

Blackhole route

Destination IP address: 1.1.1.1/32

Blackhole route configured for the NAT address pool of public system public to prevent route loops

OSPF 100

Advertised network segment: 192.168.0.8/30

Static routes imported

OSPF configuration of public system public
Table 3 Data planning of Router1

Item

Data

Description

Interfaces

Interface number: GigabitEthernet 0/0/1

IP address: 192.168.0.1/30

Connecting to FW public system public

Interface number: GigabitEthernet 0/0/2

IP address: 192.168.0.5/30

Connecting to Router2

OSPF

OSPF 100

Advertised network segment: 192.168.0.0/30

Default routes imported

-
Table 4 Data planning of Router2

Item

Data

Description

Interfaces

Interface number: GigabitEthernet 0/0/1

IP address: 192.168.0.9/30

Connecting to FW public system public

Interface number: GigabitEthernet 0/0/2

IP address: 192.168.0.6/30

Connecting to Router1

OSPF

OSPF 100

Advertised network segment: 192.168.0.8/30

Default routes imported

-

Configuration Roadmap

  1. Create different virtual systems on FW_A and FW_B to isolate networks of different departments.
  2. Configure mutual communication between the virtual systems and the public system on FW_A and FW_B so that different virtual systems can share the interface of the public system to access the Internet.
  3. The service interfaces of FW_A and FW_B work at Layer 3 in load balancing mode, connect to upstream routers, and run OSPF. Therefore, you need to configure OSPF and VGMP groups to monitor service interfaces. That is, configure OSPF-based hot standby in load balancing mode. The service interfaces also connect to downstream switches. Therefore, you need to configure VRRP groups. In addition, you shall also complete basic configurations, such as configuring heartbeat interfaces and enabling the hot standby function.
  4. Configure a Link-Group on FW_A and FW_B and add the upstream interface of the public system and the downstream interfaces of the virtual systems to this Link-Group to ensure that the upstream and downstream interfaces are in the same state.
  5. After hot standby is deployed, configure security policies and NAT policies for intranet users to access the Internet on FW_A. You do not need to configure the policies on FW_B in that the policies can be automatically synchronized from FW_A.

Procedure

  1. Create virtual systems vsysa and vsysb and assign interfaces to them.

    The virtual system names and IDs on FW_A and FW_B must be the same. After the virtual systems are created, you can choose System > Virtual System > Virtual System and check whether the virtual system names and configuration sequences are consistent in Virtual System List.

    1. Click Dashboard on the main menu of FW_A. In Device Information area, click Configure on the line of Virtual System to enable the virtual system function.

    2. On FW_A, choose System > Virtual System > Resource Class and click Add to configure a resource class.

    3. On FW_A, choose System > Virtual System > Virtual System to create virtual systems vsysa and vsysb and allocate interfaces and resources to them.

      Click Add, select the Basic Settings tab, enter the virtual system name and select the resource class r1. The following part uses vsysa as an example.

      Select the Interface Settings tab to allocate interfaces GE0/0/2 and GE0/0/3 to the virtual systems vsysa and vsysb respectively. The following part uses vsysa as an example.

    4. By referring to the preceding procedure, create virtual systems vsysa and vsysb on FW_B and allocate interfaces to them.
  2. Configure interfaces.
    1. Configure the public system interfaces on FW_A.

      On FW_A, choose Network > Interface, click Edit on the line of an interface to configure the upstream interface, heartbeat interface, and virtual interface Virtual-if0 of the public system. The IP address for virtual interface Virtual-if0 can be any value that is not in conflict with the IP addresses of other interfaces.

      Interface

      GigabitEthernet 0/0/1

      GigabitEthernet 0/0/7

      Virtual-if0

      Security Zone

      untrust

      dmz

      trust

      IP Address

      192.168.0.2/30

      10.10.0.1/24

      172.16.0.1/24

    2. Configure the interfaces of virtual system vsysa on FW_A.

      On FW_A, choose Network > Interface, click Edit on the line of an interface to configure the downstream interface and virtual interface Virtual-if1 of virtual system vsysa. The IP address for virtual interface Virtual-if1 can be any value that is not in conflict with the IP addresses of other interfaces.

      The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in actual configurations, the interface might not be Virtual-if1. You can view the mapping between the virtual system and virtual interface in Interface List.

      Interface

      GigabitEthernet 0/0/2

      Virtual-if1

      Virtual System

      vsysa

      vsysa

      Security Zone

      trust

      untrust

      IP Address

      10.3.1.2/24

      172.16.1.1/24

    3. Configure the interfaces of virtual system vsysb on FW_A.

      On FW_A, choose Network > Interface, click Edit on the line of an interface to configure the downstream interface and virtual interface Virtual-if2 of virtual system vsysb. The IP address for virtual interface Virtual-if2 can be any value that is not in conflict with the IP addresses of other interfaces.

      Interface

      GigabitEthernet 0/0/3

      Virtual-if2

      Virtual System

      vsysb

      vsysb

      Security Zone

      trust

      untrust

      IP Address

      10.3.2.2/24

      172.16.2.1/24

    4. Configure the public system interfaces on FW_B.

      On FW_B, choose Network > Interface, click Edit on the line of an interface to configure the upstream interface, heartbeat interface, and virtual interface Virtual-if0 of the public system. The IP address for virtual interface Virtual-if0 can be any value that is not in conflict with the IP addresses of other interfaces.

      Interface

      GigabitEthernet 0/0/1

      GigabitEthernet 0/0/7

      Virtual-if0

      Security Zone

      untrust

      dmz

      trust

      IP Address

      192.168.0.10/30

      10.10.0.2/24

      172.16.0.2/24

    5. Configure the interfaces of virtual system vsysa on FW_B.

      On FW_B, choose Network > Interface, click Edit on the line of an interface to configure the downstream interface and virtual interface Virtual-if1 of virtual system vsysa. The IP address for virtual interface Virtual-if1 can be any value that is not in conflict with the IP addresses of other interfaces.

      Interface

      GigabitEthernet 0/0/2

      Virtual-if1

      Virtual System

      vsysa

      vsysa

      Security Zone

      trust

      untrust

      IP Address

      10.3.1.3/24

      172.16.1.2/24

    6. Configure the interfaces of virtual system vsysb on FW_B.

      On FW_B, choose Network > Interface, click Edit on the line of an interface to configure the downstream interface and virtual interface Virtual-if2 of virtual system vsysb. The IP address for virtual interface Virtual-if2 can be any value that is not in conflict with the IP addresses of other interfaces.

      Interface

      GigabitEthernet 0/0/3

      Virtual-if2

      Virtual System

      vsysb

      vsysb

      Security Zone

      trust

      untrust

      IP Address

      10.3.2.3/24

      172.16.2.2/24

  3. Configures static routes.
    1. Configure static routes on FW_A.

      In the public system, choose Network > Route > Static Route and click Add to configure a static route to guide the return traffic from the Internet to employees in vsysa.

      By referring to the preceding procedure, configure a static route to guide the return traffic from the Internet to employees in vsysb.

      By referring to the preceding procedure, configure a static route to guide the Internet access traffic from employees in vsysa to the public system.

      In this example, the network topology and route configuration are simplified. If vsysa only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0/0.0.0.0. That is, all packets are sent to the public system. In practice, for accurate routing information, you shall set Destination Address/Mask to a specific Internet address range that the intranet users are allowed to access. Incorrect route configuration may result in communication failure of multiple LANs connected with vsysa.

      By referring to the preceding procedure, configure a static route to guide the Internet access traffic from employees in vsysb to the public system.

      In this example, the network topology and route configuration are simplified. If vsysb only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0/0.0.0.0. That is, all packets are sent to the public system. In practice, for accurate routing information, you shall set Destination Address/Mask to a specific Internet address range that the intranet users are allowed to access. Incorrect route configuration may result in communication failure of multiple LANs connected with vsysb.

    2. Configure the following static routes on FW_B. The configuration method is the same as that for FW_A.

      • Static route that guides the return traffic from the Internet to employees in vsysa
      • Static route that guides the return traffic from the Internet to employees in vsysb
      • Static route that guides the Internet access traffic from employees in vsysa to the public system
      • Static route that guides the Internet access traffic from employees in vsysb to the public system

  4. Configure OSPF.
    1. On FW_A, choose Network > Route > OSPF, click Add to create OSPF 100, click on the line of OSPF 100, click Add, and set the following area parameters.

    2. By referring to the preceding procedure, configure OSPF on FW_B.

  5. Configure the Link-Group function to ensure that the upstream and downstream interfaces are in the same state.
    1. On FW_A, choose System > High Availability > Link-Group > Link-Group, click on the line of Link-Group1, and set the following parameters. Add the public system interface (upstream interface) and virtual system interfaces (downstream interfaces) to the same Link-Group on FW_A.

    2. On FW_B, add the public system upstream interface and virtual system downstream interfaces to the same link-Group. The configuration method is the same as that for FW_A.
  6. Configure hot standby.
    1. On FW_A, choose System > High Availability > Dual-System Hot Standby, click Edit, select the Enable check box following Dual-System Hot Standby, and set the following parameters.

    2. On FW_B, set the following hot standby parameters.

    3. To prevent port conflicts in address translation on the FWs in load balancing mode, configure available port ranges on FW_A and FW_B. Currently, the configuration cannot be performed on the web UI. Click CLI Console in the lower right corner of the page to display the CLI configuration page and configure it on the CLI.

      In the hot standby load balancing scenario, If NAPT is configured, the FWs may have conflicting public ports. To prevent such conflicts, configure respective NAT resources (including public IP addresses and ports) for the FWs. You can run the hrp nat resource primary-group command on the active FW. The standby FW will automatically generate the hrp nat resource secondary-group command (if you run the hrp nat resource secondary-group command on the active FW, the standby FW will automatically generate the hrp nat resource primary-group command).

      Perform the following configuration on FW_A:

      HRP_M[FW_A] hrp nat resource primary-group

      Perform the following configuration on FW_B:

      HRP_S[FW_B] hrp nat resource secondary-group

  7. Configure security policies.

    Security policies can be backed up. That is, policies configured on FW_A can be automatically synchronized to FW_B. If you have configured security policies separately on FW_A and FW_B before configuring hot standby, ensure that their configurations and the sequences in which they are configured are the same on FW_A and FW_B. Otherwise, services may become abnormal after active/standby switchover.

    1. Configure the security policy for the public system.

      In the public system of FW_A, choose Policy > Security Policy > Security Policy, click Add Security Policy, and set the following parameters to configure a security policy for the public system to allow intranet users to access the Internet. When configuring the security policy for the public system, you do not need to specify the IP address range. When configuring the security policy for the virtual system, you need to specify the IP addresses of the intranet employees to configure a strict security policy.

      Name

      policy_sec

      Source zone

      trust

      Destination zone

      untrust

      Action

      Permit

    2. Configure security policies in vsysa.

      Select vsysa from the Virtual System drop-down list in the upper right corner on FW_A to access vsysa. Choose Policy > Security Policy > Security Policy, click Add Security Policy and configure the following security policy to isolate vsysa from vsysb. Because routes have been configured in the public system to divert the return traffic to vsysa and vsysb, vsysa and vsysb can communicate with each other through the public system. To isolate them from each other, you must configure this security policy in vsysa.

      Name

      vsysa_to_vsysb

      Source zone

      trust

      Destination zone

      untrust

      Source Address/Region

      10.3.1.0 24

      Destination Address/Region

      10.3.2.0 24

      Action

      Deny

      By referring to the preceding procedure, in virtual system vsysa of FW_A, set the following parameters to configure a security policy for vsysa to allow intranet users to access the Internet.

      Name

      policy_sec

      Source zone

      trust

      Destination zone

      untrust

      Source Address/Region

      10.3.1.0 24

      Action

      Permit

    3. Configure security policies in vsysb.

      Select vsysb from the Virtual System drop-down list in the upper right corner on FW_A to access vsysb. Choose Policy > Security Policy > Security Policy, click Add Security Policy and configure the following security policy to isolate vsysa from vsysb. Because routes have been configured in the public system to divert the return traffic to vsysa and vsysb, vsysa and vsysb can communicate with each other through the public system. To isolate them from each other, you must configure this security policy in vsysb.

      Name

      vsysb_to_vsysa

      Source zone

      trust

      Destination zone

      untrust

      Source Address/Region

      10.3.2.0 24

      Destination Address/Region

      10.3.1.0 24

      Action

      Deny

      By referring to the preceding procedure, in virtual system vsysb of FW_A, set the following parameters to configure a security policy for vsysb to allow intranet users to access the Internet.

      Name

      policy_sec

      Source zone

      trust

      Destination zone

      untrust

      Source Address/Region

      10.3.2.0 24

      Action

      Permit

  8. Configure a NAT policy.

    On FW_A, configure a NAT policy for the public system to allow intranet users to access the Internet. The NAT policy configured on FW_A can be automatically synchronized to FW_B.

    1. Select public from the Virtual System drop-down list in the upper right corner on FW_A to access the public system.
    2. Choose Policy > NAT Policy > NAT Policy > Source Translation Address Pool, click Add and configure a NAT address pool based on the following parameter values.

    3. Choose Policy > NAT Policy > NAT Policy > NAT Policy, click Add and configure a NAT policy based on the following parameter values.

  9. Configure routers.

    The following part uses Huawei routers to illustrate the configuration.

    # Configure Router1.

    [router1] interface GigabitEthernet 0/0/1
[router1-GigabitEthernet0/0/1] ip address 192.168.0.1 30
[router1-GigabitEthernet0/0/1] quit
[router1] interface GigabitEthernet 0/0/2
[router1-GigabitEthernet0/0/2] ip address 192.168.0.5 30
[router1-GigabitEthernet0/0/2] quit
[router1] ospf 100
[router1-ospf-100] default-route-advertise
[router1-ospf-100] area 0
[router1-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
[router1-ospf-100-area-0.0.0.0] quit
[router1-ospf-100] quit

    # Configure Router2.

    [router2] interface GigabitEthernet 0/0/1
[router2-GigabitEthernet0/0/1] ip address 192.168.0.9 30
[router2-GigabitEthernet0/0/1] quit
[router2] interface GigabitEthernet 0/0/2
[router2-GigabitEthernet0/0/2] ip address 192.168.0.6 30
[router2-GigabitEthernet0/0/2] quit
[router2] ospf 100
[router2-ospf-100] default-route-advertise
[router2-ospf-100] area 0
[router2-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
[router2-ospf-100-area-0.0.0.0] quit
[router2-ospf-100] quit

Verification

  1. On FW_A and FW_B, choose System > High Availability > Dual-System Hot Standby to view the operating status of hot standby.
    • Normally, the Current Running Mode of FW_A is Load Balancing and the Current Status is Active. The Current Running Mode of FW_B is Load Balancing and the Current Status is Active. This shows that traffic is forwarded by both FW_A and FW_B.
    • When FW_A goes faulty, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Standby. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Active. This shows that traffic is forwarded by FW_B.

  2. Access from the private network to the Internet succeeds. In the public system and virtual system of FW_A and FW_B, choose Monitor > Session Table to check sessions. If both FWs have sessions with backup flags, sessions have been successfully backed up after hot standby is configured.

  3. Ping an IP address on the Internet from an intranet PC and remove the network cable from GigabitEthernet 0/0/2 on FW_A. FW status switchover occurs, the status of FW_A changes from Active to Standby, and no ping packets are discarded. Then, in the public system of FW_A, choose System > High Availability > Link-Group > Link-Group. The status of upstream interface GigabitEthernet 0/0/1 also changes to Down, which is consistent with that of GigabitEthernet 0/0/2.

    Then insert the network cable back to GigabitEthernet 0/0/2 on FW_A. The status of FW_A changes from Standby to Active, no ping packets are discarded, and the interfaces in the Link-Group become Up again.

  4. Ping an IP address on the Internet from an intranet PC and remove the network cable from GigabitEthernet 0/0/3 on FW_B. FW status switchover occurs, the status of FW_B changes from Active to Standby, and no ping packets are discarded. Then, in the public system of FW_B, choose System > High Availability > Link-Group > Link-Group. The status of upstream interface GigabitEthernet 0/0/1 also changes to Down, which is consistent with that of GigabitEthernet 0/0/3.

    Then insert the network cable back to GigabitEthernet 0/0/3 on FW_B. The status of FW_B changes from Standby to Active, no ping packets are discarded, and the interfaces in the Link-Group become Up again.

Configuration Scripts

Configuration script of the public system:

FW_A

FW_B

 
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp track interface GigabitEthernet 0/0/1
 hrp mirror session enable
 hrp nat resource primary-group
#
interface GigabitEthernet 0/0/1
 ip address 192.168.0.2 255.255.255.252
 link-group 1 
#
interface GigabitEthernet 0/0/2
 ip binding vpn-instance vsysa
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
 link-group public 1
#
interface GigabitEthernet 0/0/3
 ip binding vpn-instance vsysb
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
 link-group public 1
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interfac Virtual-if0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
vsys enable 
resource-class r0 
resource-class r1 
 resource-item-limit session reserved-number 10000 maximum 50000 
 resource-item-limit bandwidth 20 outbound      
 resource-item-limit policy reserved-number 300 
 resource-item-limit user reserved-number 300    
 resource-item-limit user-group reserved-number 30 
#  
vsys name vsysa 
 assign interface GigabitEthernet 0/0/2  
 assign resource-class r1 
#    
vsys name vsysb 
 assign interface GigabitEthernet 0/0/3 
 assign resource-class r1 
#
 ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysa
 ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysb  
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.0 0.0.0.3
#    
security-policy  
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  action permit
# 
nat address-group addressgroup1 
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.1 
#  
nat-policy  
  rule name policy_nat 
    source-zone trust 
    destination-zone untrust
    source-address 10.3.1.0 24
    source-address 10.3.2.0 24
    action source-nat address-group addressgroup1
 
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp track interface GigabitEthernet 0/0/1
 hrp mirror session enable
 hrp nat resource secondary-group
#
interface GigabitEthernet 0/0/1
 ip address 192.168.0.10 255.255.255.252
 link-group 1
#
interface GigabitEthernet 0/0/2
 ip binding vpn-instance vsysa
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
 link-group public 1
#
interface GigabitEthernet 0/0/3
 ip binding vpn-instance vsysb
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
 link-group public 1
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.2 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.2 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interfac Virtual-if0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone untrust
 set priority 5 
 add interface GigabitEthernet 0/0/1
#
vsys enable 
resource-class r0 
resource-class r1 
 resource-item-limit session reserved-number 10000 maximum 50000 
 resource-item-limit bandwidth 20 outbound      
 resource-item-limit policy reserved-number 300 
 resource-item-limit user reserved-number 300    
 resource-item-limit user-group reserved-number 30 
#  
vsys name vsysa 
 assign interface GigabitEthernet 0/0/2 
 assign resource-class r1  
#    
vsys name vsysb 
 assign interface GigabitEthernet 0/0/3 
 assign resource-class r1 
#
 ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysa
 ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysb  
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.8 0.0.0.3
#    
security-policy  
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  action permit    
# 
nat address-group addressgroup1 
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.1 
#  
nat-policy  
  rule name policy_nat 
    source-zone trust 
    destination-zone untrust
    source-address 10.3.1.0 24
    source-address 10.3.2.0 24
    action source-nat address-group addressgroup1

Configuration script of vsysa:

FW_A

FW_B

 
#
switch vsys vsysa
#      
interface GigabitEthernet 0/0/2 
 ip binding vpn-instance vsysa  
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
 link-group public 1     
#
interface Virtual-if1  
 ip address 172.16.1.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5   
 add interface Virtual-if1
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysa_to_vsysb
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  destination-address 10.3.2.0 24
  action deny    
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit    
#
switch vsys vsysa
#      
interface GigabitEthernet 0/0/2 
 ip binding vpn-instance vsysa  
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
 link-group public 1     
#
interface Virtual-if1  
 ip address 172.16.1.2 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5 
 add interface Virtual-if1
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysa_to_vsysb
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  destination-address 10.3.2.0 24
  action deny    
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit

Configuration script of vsysb:

FW_A

FW_B

 
#
switch vsys vsysb
#      
interface GigabitEthernet 0/0/3 
 ip binding vpn-instance vsysb  
 ip address 10.3.2.2 255.255.255.0  
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
 link-group public 1     
#
interface Virtual-if2  
 ip address 172.16.2.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5   
 add interface Virtual-if2
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysb_to_vsysa
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  destination-address 10.3.1.0 24
  action deny    
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
 
#
switch vsys vsysb
#      
interface GigabitEthernet 0/0/3 
 ip binding vpn-instance vsysb  
 ip address 10.3.2.3 255.255.255.0 
 vrrp vrid 2 virtual-ip 10.3.2.1 active
 link-group public 1     
#
interface Virtual-if2  
 ip address 172.16.2.2 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5 
 add interface Virtual-if2
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysb_to_vsysa
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  destination-address 10.3.1.0 24
  action deny
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
Parent Topic: Configuring Hot Standby of Virtual Systems
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >