
Web: Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Having Independent WAN Interfaces)

The FW functions as the access gateway of the office area of a large campus network to protect the intranet. The intranet has multiple service departments, and the administrator configures virtual systems for each department to implement independent management over department networks.

Networking Requirements

As shown in Figure 1, a FW is deployed in area A of the large campus network as the gateway. The network of area A comprises the R&D and non-R&D departments, and the two departments have different network access permissions. Requirements are as follows:

  • Some employees in the R&D department can access the Internet, and all employees in the non-R&D department can access the Internet.
  • The R&D and non-R&D departments are isolated from each other and cannot communicate.
  • The service volumes of the R&D and non-R&D departments are nearly the same. Therefore, the same virtual system resources are allocated to them.
Figure 1 Networking diagram of network isolation (Layer-3 access, virtual systems having independent WAN interfaces)

Data Planning

Item: vsysa
  • Virtual system name: vsysa
  • Outside interface: GE0/0/1
  • Outside interface IP address: 10.1.1.8/24
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/3
  • Inside interface IP address: 10.3.0.1/24
  • Private IP address range: 10.3.0.0/24
  • Security zone to which the inside interface belongs: Trust
  • IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10

Item: vsysb
  • Virtual system name: vsysb
  • Outside interface: GE0/0/2
  • Outside interface IP address: 10.1.1.9/24
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/4
  • Inside interface IP address: 10.3.1.1/24
  • Private IP address range: 10.3.1.0/24
  • Security zone to which the inside interface belongs: Trust

Item: Resource class
  • Name: r1
  • Reserved Number for session: 10000
  • Maximum Number for session: 50000
  • User: 300
  • User Group: 10
  • Policy: 300
  • Outbound Reserved Bandwidth: 20 Mbps

Configuration Roadmap

  1. The public system administrator creates two virtual systems, vsysa and vsysb, and assigns resources to them.
  2. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysa.
  3. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.

Procedure

  1. Click Dashboard on the main menu. In the Device Information area, click Configure on the line of Virtual System to enable the virtual system function.

  2. Configure a resource class.
    1. Choose System > Virtual System > Resource Class.

    2. Click Add and set the following parameters.

  3. In the root system, create virtual systems vsysa and vsysb and allocate resources to them.
    1. Choose System > Virtual System > Virtual System.

    2. Click Add and then the Basic Settings tab and set the following parameters.

    3. Click the Interface Settings tab and allocate interfaces to the virtual system.

    4. Set GE0/0/1 as the public interface.

      Bandwidth resource configurations in resource classes take effect only after the public interface is configured.

      In this example, the bandwidth that intranet users can use to access the Internet should be limited. Set WAN interface GE0/0/1 as the public interface. Then all traffic from intranet users to the Internet is forwarded through GE0/0/1, which is called the outgoing direction. This function can work with the Uplink Bandwidth configured in step 2.b to limit the bandwidth for intranet users to access the Internet.

    5. Repeat these steps to create vsysb and allocate the resource class r1 and interfaces GE0/0/2 and GE0/0/4 to it.
  4. Set IP addresses in vsysa.
    1. Select vsysa from the Virtual System drop-down list in the upper right corner to access vsysa.

    2. Choose Network > Interface.
    3. Click the interface name and set the following parameters for the interface.

      Interface               Security Zone   IP Address
      GigabitEthernet 0/0/1   untrust         10.1.1.8/24
      GigabitEthernet 0/0/3   trust           10.3.0.1/24

  5. Configure routes in vsysa.
    1. Choose Network > Route > Static Route.

    2. Click Add and configure the following static route.

      • Protocol: IPv4
      • Source Virtual Router: vsysa
      • Destination Address/Mask: 0.0.0.0/0.0.0.0
      • Destination Virtual Router: vsysa
      • Next Hop: 10.1.1.1
      • Outgoing Interface: NONE

  6. Configure security policies in vsysa.
    1. Choose Object > Address > Address.

    2. Click Add and set the following IP address range.

      • Name: ipaddress1
      • IP Address Range: 10.3.0.2-10.3.0.10

    3. Choose Policy > Security Policy > Security Policy.
    4. Choose Add Security Policy and configure the following security policy for vsysa to allow R&D employees on a specific network segment to access the Internet. Packets from employees on other network segments to the Internet will match the default security policy and be denied.

      • Name: to_internet
      • Source Zone: trust
      • Destination Zone: untrust
      • Source Address/Region: ipaddress1
      • Action: permit

  7. Configure a NAT policy in vsysa.
    1. Choose Policy > NAT Policy > NAT Policy > NAT Policy, click Add, and set the following NAT policy parameters.

      • Name: nat1
      • NAT Type: NAT
      • NAT Mode: Source address translation
      • Source Zone: trust
      • Destination Type: Outbound Interface
      • Outbound Interface: GigabitEthernet 0/0/1
      • Source Address: ipaddress1
      • Source Address Translated To: Outbound Interface

  8. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.

    The configuration is similar to that of the R&D department except the following:

    • The IP address of the inside interface is different.
    • You do not need to create an IP address range for the non-R&D department. You only need to configure a security policy to allow all IP addresses to access the Internet.
    • The outbound interface of the NAT policy must be set to GE0/0/2, and the source address must be set to any.

Verification

  • From the R&D department, use one PC whose IP address is in the range allowed to access the Internet and one PC whose IP address is outside that range, and try to access the Internet from both. If the first PC succeeds and the second is denied, the IP addresses, security policies and NAT policies of vsysa are correctly configured.
  • Access the Internet from a PC in the non-R&D department. If the access succeeds, the IP addresses, security policies and NAT policies of vsysb are correctly configured.

Configuration Scripts

Configuration script of the public system

#
 sysname FW
#
 vsys enable
#
resource-class r1
 resource-item-limit session reserved-number 10000 maximum 50000
 resource-item-limit policy reserved-number 300
 resource-item-limit user reserved-number 300
 resource-item-limit user-group reserved-number 10
 resource-item-limit bandwidth 20 outbound
#
vsys name vsysa 1
 assign resource-class r1
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/3
#
vsys name vsysb 2
 assign resource-class r1
 assign interface GigabitEthernet0/0/2
 assign interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/1
 set public-interface
#
interface GigabitEthernet0/0/2
 set public-interface
#
return

Configuration script of vsysa

#
interface GigabitEthernet0/0/1
 ip address 10.1.1.8 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/1
   source-address address-set ipaddress1
   action source-nat easy-ip
#
return

Configuration script of vsysb

#
interface GigabitEthernet0/0/2
 ip address 10.1.1.9 255.255.255.0
#
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/2
   action source-nat easy-ip
#
return
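As an added configuration check (written for this page, not part of Huawei's documentation or tooling), the following Python script parses a virtual-system script of the kind shown above and confirms two properties of the data plan: the to_internet rule references an address set holding exactly the planned range, and the nat1 egress interface is a member of the untrust zone. The embedded excerpt is constructed from the vsysa script; the parser understands only the handful of commands used on this page.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the vsysa script shown on this page (shortened).
VSYSA = """\
firewall zone untrust
 add interface GigabitEthernet0/0/1
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
security-policy
 rule name to_internet
  source-address address-set ipaddress1
  action permit
 nat-policy
  rule name nat1
   egress-interface GigabitEthernet0/0/1
   action source-nat easy-ip
"""

def parse_vsys(script):
    """Collect zone members, address-set ranges and (policy, rule) attributes."""
    zones, sets, rules, cur, policy, rule = {}, {}, {}, [], None, None
    for line in map(str.strip, script.splitlines()):
        if m := re.match(r"firewall zone (\S+)$", line):
            cur, rule = zones.setdefault(m[1], []), None
        elif m := re.match(r"ip address-set (\S+)", line):
            cur, rule = sets.setdefault(m[1], []), None
        elif m := re.match(r"add interface (\S+)$", line):
            cur.append(m[1])
        elif m := re.match(r"address \d+ range (\S+) (\S+)$", line):
            cur.append((ip_address(m[1]), ip_address(m[2])))
        elif line in ("security-policy", "nat-policy"):
            policy = line
        elif m := re.match(r"rule name (\S+)$", line):
            rule = rules[(policy, m[1])] = {}
        elif rule is not None and " " in line:
            rule.update([line.split(" ", 1)])  # "action permit" -> {"action": "permit"}
    return zones, sets, rules

def check_vsys(script, planned_range):
    """Findings if the Internet rule or NAT egress differ from the data plan."""
    zones, sets, rules = parse_vsys(script)
    src = rules.get(("security-policy", "to_internet"), {}).get("source-address", "any")
    egress = rules.get(("nat-policy", "nat1"), {}).get("egress-interface")
    findings = []
    if sets.get(src.rpartition(" ")[2]) != [tuple(map(ip_address, planned_range))]:
        findings.append("to_internet source is not an address set equal to the planned range")
    if egress not in zones.get("untrust", []):
        findings.append("nat1 egress-interface is not an untrust (WAN) interface")
    return findings
```

Run it against the script exported from each virtual system with that system's planned range; an empty list means both checks passed, and a rule whose source has been widened to any is reported as a finding.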
Copyright © Huawei Technologies Co., Ltd.