
CLI: Example for Sending IPv4 Session Logs to the eLog in Hot Standby Deployment of Load Balancing Mode

This section describes how to configure two firewalls in hot standby deployment in load balancing mode to send IPv4 session logs to the eLog.

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to routers. The FWs and directly connected routers run OSPF.

The FWs are required to work in load balancing mode. In normal cases, FW_A forwards traffic from Dept. A, and FW_B forwards traffic from Dept. B. If either FW fails, the other FW forwards all traffic to ensure service continuity.

The administrator wants to check PAT-mode IPv4 session logs on the eLog so that session creation can be followed in near real time and, when necessary, a public address and port can be traced back to the intranet host (NAT source tracing).

In this load balancing networking, the FWs connect to routers in both the upstream and downstream directions. On live networks, decide whether OSPF is required based on the upstream and downstream devices and interfaces; the Source NAT configuration is the same either way.

This example does not apply when uplink interfaces connect to different ISP networks.

Figure 1 Network diagram for configuring source NAT in a load balancing scenario.

Data Planning

Item: Interface

  FW_A:
    GigabitEthernet 0/0/1: IP address 10.2.0.1/24, security zone Untrust
    GigabitEthernet 0/0/3: IP address 10.3.0.1/24, security zone Trust
    GigabitEthernet 0/0/7: IP address 10.10.0.1/24, security zone DMZ (heartbeat interface)

  FW_B:
    GigabitEthernet 0/0/1: IP address 10.2.1.1/24, security zone Untrust
    GigabitEthernet 0/0/3: IP address 10.3.1.1/24, security zone Trust
    GigabitEthernet 0/0/7: IP address 10.10.0.2/24, security zone DMZ (heartbeat interface)

Item: OSPF

  FW_A: process ID 10, area ID 0, network segments 10.2.0.0/24 and 10.3.0.0/24
  FW_B: process ID 10, area ID 0, network segments 10.2.1.0/24 and 10.3.1.0/24

  The NAT address pool 1.1.1.10 to 1.1.1.15 is not advertised with a network command; each FW advertises it by importing UNR routes (import-route unr) once route enable is set on the address pool.

Configuration Roadmap

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity on FW_A and FW_B.
  2. Configure OSPF on FW_A and FW_B.
  3. If FW_A and FW_B share one NAT address pool and work properly, they may translate the source IP addresses and source ports of the packets sent from different hosts into the same pair of public IP address and port. To prevent port conflicts, you must specify different port ranges for the active and standby devices.
  4. Configure hot standby on FW_A and FW_B. To be specific, configure interface monitoring, specify heartbeat interfaces, and enable quick session backup.
  5. Configure a security policy on FW_A to allow OSPF packet exchange between FWs and Internet access from the intranet. The security policy configured on FW_A is automatically backed up to FW_B.
  6. Configure a NAT address pool on FW_A. The NAT address pool configured on FW_A is automatically backed up to FW_B.
  7. Configure a Source NAT policy on FW_A to implement source address translation for Internet access from the intranet. The Source NAT policy configured on FW_A is automatically backed up to FW_B.
  8. Configure the downstream devices, so that traffic from department A is forwarded through FW_A, and traffic from department B is forwarded through FW_B.
  9. On the upstream router, configure an interface address and a static route destined for the ISP, and configure OSPF so that the FW and router can learn routes from each other. On the downstream router, configure an interface address and configure OSPF so that the FW and router can learn routes from each other.
  10. Configure log hosts and enable log recording on the two FWs.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Configure interfaces on FW_A.

      # Set interface IP addresses.

      <FW_A> system-view
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet 0/0/1] ip address 10.2.0.1 24
      [FW_A-GigabitEthernet 0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet 0/0/3] ip address 10.3.0.1 24
      [FW_A-GigabitEthernet 0/0/3] quit
      [FW_A] interface GigabitEthernet 0/0/7
      [FW_A-GigabitEthernet 0/0/7] ip address 10.10.0.1 24
      [FW_A-GigabitEthernet 0/0/7] quit

      # Assign interfaces to security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1 
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7 
      [FW_A-zone-dmz] quit

    2. Configure interfaces on FW_B.

      # Set interface IP addresses.

      <FW_B> system-view
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet 0/0/1] ip address 10.2.1.1 24
      [FW_B-GigabitEthernet 0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/3
      [FW_B-GigabitEthernet 0/0/3] ip address 10.3.1.1 24
      [FW_B-GigabitEthernet 0/0/3] quit
      [FW_B] interface GigabitEthernet 0/0/7
      [FW_B-GigabitEthernet 0/0/7] ip address 10.10.0.2 24
      [FW_B-GigabitEthernet 0/0/7] quit

      # Assign interfaces to security zones.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_B-zone-trust] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1 
      [FW_B-zone-untrust] quit
      [FW_B] firewall zone dmz
      [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
      [FW_B-zone-dmz] quit

  2. Configure OSPF on FW_A and FW_B.

    # Configure OSPF on FW_A.

    [FW_A] ospf 10
    [FW_A-ospf-10] import-route unr
    [FW_A-ospf-10] area 0
    [FW_A-ospf-10-area-0.0.0.0] network 10.2.0.0 0.0.0.255
    [FW_A-ospf-10-area-0.0.0.0] network 10.3.0.0 0.0.0.255
    [FW_A-ospf-10-area-0.0.0.0] quit
    [FW_A-ospf-10] quit

    # Configure OSPF on FW_B.

    [FW_B] ospf 10
    [FW_B-ospf-10] import-route unr
    [FW_B-ospf-10] area 0
    [FW_B-ospf-10-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [FW_B-ospf-10-area-0.0.0.0] network 10.3.1.0 0.0.0.255
    [FW_B-ospf-10-area-0.0.0.0] quit
    [FW_B-ospf-10] quit

  3. Configure NAT address pool port allocation in the load balancing scenario.

    In the hot standby load balancing scenario, if NAPT is configured, the two FWs may allocate the same public port. To prevent such conflicts, give each FW its own NAT resources (public IP addresses and ports). Run the hrp nat resource primary-group command on the active FW; the standby FW then automatically generates the hrp nat resource secondary-group command (and if you run hrp nat resource secondary-group on the active FW, the standby FW generates hrp nat resource primary-group).

    [FW_A] hrp nat resource primary-group

  4. Configure hot standby.
    1. Configure hot standby on FW_A.

      # Configure interface monitoring.

      [FW_A] hrp track interface GigabitEthernet 0/0/1
      [FW_A] hrp track interface GigabitEthernet 0/0/3

      # Specify a heartbeat interface.

      [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2

      # Enable quick session backup.

      [FW_A] hrp mirror session enable

      When the FWs work in load balancing mode, the forward and return packets of one flow may pass through different FWs. To keep services running, enable quick session backup so that the session information on one FW is synchronized to the other FW as soon as the session is created.

      # Enable hot standby.

      [FW_A] hrp enable

    2. Configure hot standby on FW_B.

      # Configure interface monitoring.

      [FW_B] hrp track interface GigabitEthernet 0/0/1
      [FW_B] hrp track interface GigabitEthernet 0/0/3

      # Specify a heartbeat interface.

      [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1

      # Enable quick session backup.

      [FW_B] hrp mirror session enable

      # Enable hot standby.

      [FW_B] hrp enable

      Once hot standby is enabled on both devices, the prompt changes to HRP_M on the active FW and HRP_S on the standby FW, as in the steps that follow. Run display hrp state on either device to confirm its role before configuring the policies, because only configuration made on the active FW is backed up.

  5. Configure a security policy on FW_A to allow OSPF packet exchange between FWs and Internet access from the intranet.

    The security policy configured on FW_A is automatically backed up to FW_B. The single rule below permits traffic in every direction among the local, trust and untrust zones, including from untrust to trust; it keeps the example short, but on a live network split it into a rule that allows OSPF between the local zone and the router-facing zones and a rule that allows trust-to-untrust access only.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name policy_sec_1
    HRP_M[FW_A-policy-security-rule-policy_sec_1] source-zone local trust untrust
    HRP_M[FW_A-policy-security-rule-policy_sec_1] destination-zone local trust untrust
    HRP_M[FW_A-policy-security-rule-policy_sec_1] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_1] quit
    HRP_M[FW_A-policy-security] quit

  6. Configure a NAT address pool in PAT mode so that the public addresses are reused by translating ports.

    The NAT address pool configured on FW_A is automatically backed up to FW_B. route enable makes each FW generate UNR routes for the pool addresses, which OSPF then advertises through import-route unr.

    HRP_M[FW_A] nat address-group addressgroup1
    HRP_M[FW_A-nat-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.15
    HRP_M[FW_A-nat-address-group-addressgroup1] mode pat
    HRP_M[FW_A-nat-address-group-addressgroup1] route enable
    HRP_M[FW_A-nat-address-group-addressgroup1] quit

  7. Configure a NAT policy to allow intranet users to access the Internet by using post-NAT public IP addresses.

    The NAT policy configured on FW_A is automatically backed up to FW_B.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat_1
    HRP_M[FW_A-policy-nat-policy_nat_1] source-zone trust
    HRP_M[FW_A-policy-nat-policy_nat_1] destination-zone untrust
    HRP_M[FW_A-policy-nat-policy_nat_1] action source-nat address-group addressgroup1
    HRP_M[FW_A-policy-nat-policy_nat_1] quit
    HRP_M[FW_A-policy-nat] quit

  8. Configure the downstream devices, so that traffic from department A is forwarded through FW_A, and traffic from department B is forwarded through FW_B.
  9. On the upstream router, configure an interface address and a static route destined for the ISP, and configure OSPF so that the FW and router can learn routes from each other. On the downstream router, configure an interface address and configure OSPF so that the FW and router can learn routes from each other.
  10. Configure a log host on FW_A. The log host receives the session logs on port 9002, the port that the eLog collector is later set to listen on. The FW_B configuration script below carries the same log host; confirm that it is present on FW_B.

    HRP_M[FW_A] firewall log host 1 172.16.1.10 9002

  11. Configure the source IP address and port used by the FW to send service logs on FW_A.

    HRP_M[FW_A] firewall log source 172.16.1.1 6666

  12. Configure the source IP address and port used by the FW to send service logs on FW_B.

    HRP_S[FW_B] firewall log source 172.16.1.2 6666

    Each FW sends from its own source address, which is why the eLog is given two log sources. The source address should be an address configured on an FW interface and reachable from the eLog at 172.16.1.10; the interface that carries 172.16.1.1 and 172.16.1.2 is not in the data plan above and has to be planned separately.

  13. Enable the session log function on FW_A.

    # Enable the record function for session logs in the security policy for service traffic.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name policy_sec_1
    HRP_M[FW_A-policy-security-rule-policy_sec_1] session logging
    HRP_M[FW_A-policy-security-rule-policy_sec_1] quit
    HRP_M[FW_A-policy-security] quit

    # Also record a log when a session is created, not only when it ages out. Both configuration scripts below carry this command; if it does not appear on FW_B after HRP synchronization, run it there as well.

    HRP_M[FW_A] firewall log session new-session enable

  14. Configure the eLog.

    Assume that the eLog has been successfully installed; the collector works normally; and the disk space has been planned. Operations for managing log sources and viewing log reports on the eLog are as follows.

    For details about how to install and use the eLog, see the product documentation of the corresponding version in Technical Support > Product Support > Documentation > Security > eLog.

    1. Log in to the eLog using an administrator account.
    2. Choose System > System Management > Log Source List.
    3. Add a log source.

      Add FW_A and FW_B as log sources.

      Click Add, set Log Source Name to FW_A, IP address to 172.16.1.1, and Log Source Type to firewall, and select Log Source Subtype and OS Version.

      Click Add, set Log Source Name to FW_B, IP address to 172.16.1.2, and Log Source Type to firewall, and select Log Source Subtype and OS Version.

    4. Choose System > System Management > Service Management.
    5. Click the icon next to the collector, and then click the icon in the Operation column of the collector.

      The collector configuration window is displayed.

    6. Click the icon that adds log sources to the collector.
    7. Select the added log sources FW_A and FW_B.
    8. Click Next and configure the log collection mode.

      Configure the corresponding log collection mode on the eLog, select SESSION, and set the port number to 9002. If the FW has the UTM feature, select Enable the UTM feature.

    9. Click Finish.

Configuration Verification

After the configurations are complete, sessions are created on the FWs when intranet users access external networks. An FW sends a session log when a session ages out (and, with firewall log session new-session enable as in the configuration scripts, also when the session is created). The IPv4 session logs can then be checked on the eLog.

  1. Choose Session Analysis > IPv4 Session Query.
  2. Click the IPv4 PAT tab, set a reasonable query time range, and click Search.

    The query results are as shown in the following figure. The log information given here is only an example. Log information in different network environments should conform to the actual conditions.

    From these logs the administrator can see in near real time which packets created sessions, read the pre-NAT information (such as the intranet IP address) of each packet, and, when necessary, trace a public address and port back to its intranet source.

    In addition, the administrator can click the export icons to export the query results to the corresponding file formats.
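The port split from step 3 and the NAT source tracing described above can be exercised offline on an export of the query results. The following Python script is an added example, not code from this page or from the eLog: it parses a constructed CSV export of the IPv4 PAT query (the column names and every record are made up for illustration), answers the question "which intranet host held public address 1.1.1.10, port 2048, at time T", and audits the records against the pool 1.1.1.10 to 1.1.1.15 and an assumed per-device port split. The ranges in PORT_RANGE are an assumption standing in for whatever hrp nat resource primary-group and secondary-group allocate on the real devices.

```python
"""NAT source tracing over IPv4 PAT session logs exported from the eLog.
Added example, not code from the Huawei page or the eLog: the record layout,
column names and log lines are constructed, and the port split between the
primary and secondary NAT resource groups is an assumption."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Public pool from the page: section 0 1.1.1.10 1.1.1.15.
NAT_POOL = {f"1.1.1.{last}" for last in range(10, 16)}
# Assumed per-device port split (primary-group on FW_A, secondary-group on FW_B).
PORT_RANGE = {"FW_A": range(1024, 32768), "FW_B": range(32768, 65536)}


@dataclass(frozen=True)
class PatSessionLog:
    device: str      # eLog log source name (FW_A or FW_B)
    proto: str
    src_ip: str      # pre-NAT intranet address
    src_port: int
    nat_ip: str      # post-NAT public address from the pool
    nat_port: int
    dst_ip: str
    dst_port: int
    start: datetime  # session created
    end: datetime    # session aged out; the FW emits the log then


def parse_export(text):
    """Parse a (constructed) CSV export of the IPv4 PAT query into records."""
    return [PatSessionLog(
        device=row["device"], proto=row["proto"].lower(),
        src_ip=row["src_ip"], src_port=int(row["src_port"]),
        nat_ip=row["nat_ip"], nat_port=int(row["nat_port"]),
        dst_ip=row["dst_ip"], dst_port=int(row["dst_port"]),
        start=datetime.strptime(row["start"], TIME_FMT),
        end=datetime.strptime(row["end"], TIME_FMT),
    ) for row in csv.DictReader(io.StringIO(text))]


def port_ranges_disjoint(ranges=PORT_RANGE):
    """True when no two devices can allocate the same public port."""
    devs = list(ranges)
    for i, a in enumerate(devs):
        for b in devs[i + 1:]:
            ra, rb = ranges[a], ranges[b]
            if ra.start < rb.stop and rb.start < ra.stop:
                return False
    return True


def device_for_port(nat_port, ranges=PORT_RANGE):
    """Which device the split says should have allocated this public port."""
    return next((dev for dev, r in ranges.items() if nat_port in r), None)


def trace_source(logs, nat_ip, nat_port, at):
    """NAT source tracing: who held public nat_ip:nat_port at time `at`?
    `at` may be a datetime or a string in TIME_FMT. More than one answer
    means both FWs handed out the same public port at the same time."""
    if isinstance(at, str):
        at = datetime.strptime(at, TIME_FMT)
    return sorted((s.src_ip, s.src_port, s.device) for s in logs
                  if s.nat_ip == nat_ip and s.nat_port == nat_port
                  and s.start <= at <= s.end)


def audit(logs, ranges=PORT_RANGE):
    """Findings that mean the pool or the port split is misconfigured."""
    findings = []
    for s in logs:
        if s.nat_ip not in NAT_POOL:
            findings.append(("not-in-pool", s))
        if device_for_port(s.nat_port, ranges) != s.device:  # wrong or no range
            findings.append(("wrong-device", s))
    groups = {}
    for s in logs:
        groups.setdefault((s.nat_ip, s.nat_port, s.proto), []).append(s)
    for group in groups.values():  # same public tuple, two hosts, overlapping life
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                overlap = a.start <= b.end and b.start <= a.end
                if overlap and (a.src_ip, a.src_port) != (b.src_ip, b.src_port):
                    findings.append(("double-allocation", (a, b)))
    return findings


# Constructed export. The last line is a deliberate fault: FW_B reused a port
# from FW_A's range while FW_A's session on that port was still alive.
SAMPLE_EXPORT = """\
device,proto,src_ip,src_port,nat_ip,nat_port,dst_ip,dst_port,start,end
FW_A,tcp,10.3.0.100,51234,1.1.1.10,2048,203.0.113.5,443,2024-05-01 10:00:00,2024-05-01 10:05:00
FW_B,tcp,10.3.1.20,40001,1.1.1.10,40000,203.0.113.5,443,2024-05-01 10:00:30,2024-05-01 10:02:00
FW_A,tcp,10.3.0.102,51235,1.1.1.10,2048,203.0.113.7,80,2024-05-01 10:06:00,2024-05-01 10:07:00
FW_B,tcp,10.3.1.21,40002,1.1.1.10,2048,203.0.113.9,80,2024-05-01 10:04:00,2024-05-01 10:04:30
"""
LOGS = parse_export(SAMPLE_EXPORT)
```

A trace that returns two hosts for one public tuple, or a wrong-device finding from audit, means the port split is not in effect (for example, hrp nat resource was configured on only one device, or the pool was changed on the standby) and the logs cannot be relied on for attribution until it is fixed; a port reused only after the earlier session ended, as with the third record, is normal PAT behaviour and is not flagged.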

Configuration Scripts

FW_A

#
 firewall log host 1 172.16.1.10 9002
 firewall log source 172.16.1.1 6666
 firewall log session new-session enable
#
 hrp mirror session enable
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
hrp nat resource primary-group
#
hrp track interface GigabitEthernet 0/0/1
hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ospf 10
 import-route unr
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.15
#
security-policy
 rule name policy_sec_1
  session logging
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1

FW_B

#
 firewall log host 1 172.16.1.10 9002                                       
 firewall log source 172.16.1.2 6666                                           
 firewall log session new-session enable
#
 hrp mirror session enable
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
hrp nat resource secondary-group
#
hrp track interface GigabitEthernet 0/0/1
hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#  
ospf 10 
 import-route unr
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.15
#
security-policy  
 rule name policy_sec_1
  session logging 
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust  
  destination-zone untrust
  action permit    
#    
nat-policy  
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1
Copyright © Huawei Technologies Co., Ltd.