Web: Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Sharing the WAN Interface of the Public System)

Procedure

1. Click Dashboard on the main menu. In the Device Information area, click Configure on the line of Virtual System to enable the virtual system function.

   

2. Configure a resource class.
   1. Choose System > Virtual System > Resource Class.

      

   2. Click Add and set the following parameters.

      

   3. Click OK.
3. In the root system, create virtual systems vsysa, vsysb, and vsysc and allocate resources to them.
   1. Choose System > Virtual System > Virtual System.

      

   2. Click Add and then the Basic Settings tab and set the following parameters.

      

   3. Click the Interface Settings tab and allocate interfaces to the virtual system.

      

   4. Click OK.
   5. Create vsysb and vsysc and allocate resources to them.
4. Create administrators for the virtual systems in the root system.
   1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to access vsysa.

      

   2. Choose System > Administrator > Administrator.

      

   3. Click Add and set the following parameters.

      User Name	admin@@vsysa
      Authentication Type	Local authentication
      Password	Vsysadmin@123
      Confirm Password	Vsysadmin@123
      Role	system-admin
      Service type	web telnet ssh

   4. Repeat these steps to create administrators admin@@vsysb for vsysb and admin@@vsysc for vsysc.
5. In the root system, set IP addresses for the interfaces and assign the interfaces to security zones. The IP address of Virtual-if 0 can be set to any address but it must be different from the IP addresses of all the other interfaces.
   1. Select public from the Virtual System drop-down list in the upper right corner to access the public system.
   2. Choose Network > Interface.
   3. Click the interface name and set the following parameters for the interface.

      Interface	GigabitEthernet 0/0/1	Virtual-if 0
      Security Zone	untrust	trust
      IP Address	1.1.1.1/24	172.16.0.1/24

   4. Click OK.
6. In the root system, configure routes for intranet users to access the Internet.
   1. Choose Network > Route > Static Route.

      

   2. Click Add and configure a static route to the Internet.

      Protocol	IPv4
      Source Virtual Router	public
      Destination Address/Mask	0.0.0.0/0.0.0.0
      Destination Virtual Router	public
      Next Hop	1.1.1.254
      Outgoing Interface	NONE

   3. Click OK.
7. In the root system, configure security policies for intranet users to access the Internet.
   1. Choose Policy > Security Policy > Security Policy.
   2. Choose Add Security Policy and set the following IP address range.

      Name	to_internet
      Source Zone	trust
      Destination Zone	untrust
      Action	permit

      

      Virtual system administrators can configure strict security policies abased on the IP addresses of intranet employees. Therefore, the root system administrator does not need to specify the IP address range.

   3. Click OK.
8. In the root system, configure a NAT policy for intranet users to access the Internet.
   1. Choose Policy > NAT Policy > NAT Policy > NAT Policy, click Add, and set the following NAT policy parameters.

      Name	nat1
      NAT Type	NAT
      NAT Mode	Source address translation
      Source Zone	trust
      Destination Type	Outbound Interface
      Outbound Interface	GigabitEthernet 0/0/1
      Source Address	10.3.0.0/16
      Source Address Translated To	Outbound Interface

   2. Click OK.
9. Set IP addresses in vsysa.
   

   Use the vsysa administrator account admin@@vsysa to log in to the firewall. Change the login password before performing the following operations.

   Set IP addresses for interfaces and assign the interfaces to security zones. The IP address of Virtual-if 1 can be set to any address but it must be different from the IP addresses of all the other interfaces.

   The IDs of Virtual-if interfaces are randomly assigned from available IDs in the system. Therefore, in the actual configuration, the interface may not be Virtual-if 1.

   1. Select vsysa from the Virtual System drop-down list in the upper right corner to access vsysa.
   2. Choose Network > Interface.
   3. Click the interface name and set the following parameters for the interface.

      Interface	GigabitEthernet 0/0/3	GigabitEthernet Virtual-if 1
      Security Zone	trust	untrust
      IP Address	10.3.0.1/24	172.16.1.1/24

   4. Click OK.
10. Configure routes in vsysa to guide Internet access traffic from employees in vsysa to the root system.
    

    In this example, the network topology and routing configuration are simplified. If vsysa only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0 0.0.0.0. That is, all packets are sent to the root system. In practice, for accurate routing information, Destination Address/Mask should be set to a specific Internet address range that the intranet users are allowed to access. Incorrect routing configurations may interrupt the communications of the private networks connected to vsysa.

    1. Choose Network > Route > Static Route.

       

    2. Click Add and configure the following default route.

       Protocol	IPv4
       Source Virtual Router	vsysa
       Destination Address/Mask	0.0.0.0/0.0.0.0
       Destination Virtual Router	public
       Next Hop	—
       Outgoing Interface	NONE

    3. Click OK.
    4. Repeat these steps to configure a static route to guide return traffic of employees in vsysa from the Internet to intranet.

       Protocol	IPv4
       Source Virtual Router	vsysa
       Destination Address/Mask	10.3.0.0/255.255.255.0
       Destination Virtual Router	vsysa
       Next Hop	10.3.0.254
       Outgoing Interface	NONE

    5. Click OK.
11. Configure security policies in vsysa.
    1. Choose Object > Address > Address.

       

    2. Click Add and set the following IP address range.

       Name	ipaddress1
       IP Address Range	10.3.0.2-10.3.0.10

    3. Click OK.
    4. Choose Policy > Security Policy > Security Policy.
    5. Choose Add Security Policy and configure a security policy for vsysa based on the following parameter values to prohibit employees on a specific network segment from access the administrative department network. Because routes have been configured in the root system to divert the return traffic to vsysa and vsysc, vsysa and vsysc to communicate with each other through the root system. To isolate the virtual systems, you must configure this security policy in vsysa.

       Name	to_admin_department
       Source Zone	trust
       Destination Zone	untrust
       Source Address/Region	ipaddress1
       Destination Address/Region	10.3.2.0/24
       Action	deny

    6. Click OK.
    7. Configure the following security policy for vsysa to allow employees on a specific network segment to access the Internet.

       Name	to_internet
       Source Zone	trust
       Destination Zone	untrust
       Source Address/Region	ipaddress1
       Action	permit

    8. Click OK.
    9. Configure another security policy for vsysa to prohibit all employees from accessing the Internet. The priority of this policy is lower than that of the previous policy, and therefore no address range needs to be specified.

       Name	to_internet2
       Source Zone	trust
       Destination Zone	untrust
       Action	deny

    10. Click OK.
12. The financial department administrator admin@@vsysb and administrative department administrator admin@@vsysc log in to the FW and configure IP addresses, security zones, and security policies for vsysb and vsysc, respectively.

    The configuration is similar to that of the R&D department except the following:

    • The IP address of the inside interface is different.
    • You do not need to create an IP address range for the financial department. You only need to configure a security policy to prevent all IP addresses from accessing the Internet.
    • You do not need to create an IP address range for the administrative department. You only need to configure a security policy to prohibit all IP addresses from accessing the R&D department network and another security policy to allow all IP addresses to access the Internet.