Virtual systems let one FW manage the departments separately, which simplifies configuration. This section describes how to enable communication between hosts that belong to different virtual systems.
Networking Requirements
As shown in Figure 1, a FW is deployed in area A of a large campus network as the access gateway. The network of area A comprises the R&D and non-R&D departments, which have different network access permissions. The requirements are as follows:
- Only some employees in the R&D department can access the Internet; all employees in the non-R&D department can access the Internet.
- The R&D department is isolated from the non-R&D department, except that specific employees in the two departments can communicate with each other.
- The service volumes of the two departments are nearly the same, so the same virtual system resources are allocated to both.
Figure 1 Networking diagram of communication between virtual systems
Data Planning
Item: vsysa
- Virtual system name: vsysa
- Outside interface: GE0/0/1
- Outside interface IP address: 10.1.1.8/24
- Security zone to which the outside interface belongs: Untrust
- Inside interface: GE0/0/3
- Inside interface IP address: 10.3.0.1/24
- Private IP address range: 10.3.0.0/24
- Security zone to which the inside interface belongs: Trust
- IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10
- IP addresses allowed to communicate with the non-R&D department: 10.3.0.20 to 10.3.0.30
Item: vsysb
- Virtual system name: vsysb
- Outside interface: GE0/0/2
- Outside interface IP address: 10.1.1.9/24
- Security zone to which the outside interface belongs: Untrust
- Inside interface: GE0/0/4
- Inside interface IP address: 10.3.1.1/24
- Private IP address range: 10.3.1.0/24
- Security zone to which the inside interface belongs: Trust
- IP addresses allowed to access the Internet: all
- IP addresses allowed to communicate with the R&D department: 10.3.1.20 to 10.3.1.30
Item: Resource class
- Name: r1
- Reserved number of sessions: 10000
- Maximum number of sessions: 50000
- Users: 300
- User groups: 10
- Policies: 300
- Outbound reserved bandwidth: 20 Mbps
Configuration Roadmap
- The public system administrator creates two virtual systems, vsysa and vsysb, and assigns resources to them.
- The public system administrator configures inter-virtual-system routes in the root system so that the specified employees of the two departments can reach each other.
- The public system administrator switches to vsysa and configures its IP addresses, routes, security policies, and NAT policies.
- The public system administrator switches to vsysb and configures its IP addresses, routes, security policies, and NAT policies.
Procedure
- Click Dashboard on the main menu. In the Device Information area, click Configure on the line of Virtual System to enable the virtual system function.

- Configure a resource class.
- Choose .

- Click Add and set the following parameters.

- In the root system, create virtual systems vsysa and vsysb and allocate resources to them.
- Choose .

- Click Add and then the Basic Settings tab and set the following parameters.

- Click the Interface Settings tab and allocate interfaces to the virtual system.

- Set GE0/0/1 as the public interface.
Bandwidth limits in a resource class take effect only after a public interface is configured.
In this example, the bandwidth that intranet users consume for Internet access is to be limited, so WAN interface GE0/0/1 is set as the public interface. All traffic from intranet users to the Internet then leaves through GE0/0/1; this is the outbound direction, which is the direction that the Outbound Reserved Bandwidth (Uplink Bandwidth) configured in step 2.b applies to.

- Repeat these steps to create vsysb and allocate the resource class r1 and interfaces GE0/0/2 and GE0/0/4 to it.
- Set an IP address for Virtual-if 0 and assign the interface to a security zone. The IP address of Virtual-if 0 can be set to any address but it must be different from the IP addresses of all the other interfaces.
- Choose .
- Click the interface name and set the following parameters for the interface.
Interface: Virtual-if 0
Security Zone: trust
IP Address: 172.16.0.1/24
- In the root system, configure routes so that employees in different virtual systems can communicate. A static route whose destination virtual router is another virtual system hands traffic for that prefix to the peer virtual system, so no next hop or outgoing interface is specified.
- Choose .

- Click Add and configure the following static route.
Protocol: IPv4
Source Virtual Router: vsysb
Destination Address/Mask: 10.3.0.0/255.255.255.0
Destination Virtual Router: vsysa
Next Hop: -
Outgoing Interface: -
- Repeat these steps to configure the route in the opposite direction, from vsysa to the vsysb subnet.
Protocol: IPv4
Source Virtual Router: vsysa
Destination Address/Mask: 10.3.1.0/255.255.255.0
Destination Virtual Router: vsysb
Next Hop: -
Outgoing Interface: -
- Set interface parameters in vsysa. The IP address of Virtual-if 1 can be set to any address but it must be different from the IP addresses of all the other interfaces.
- Select vsysa from the Virtual System drop-down list in the upper right corner to access vsysa.

- Choose .
- Click the interface name and set the following parameters for the interface.
Interface               Security Zone   IP Address
GigabitEthernet 0/0/1   untrust         10.1.1.8/24
GigabitEthernet 0/0/3   trust           10.3.0.1/24
Virtual-if 1            dmz             172.16.1.1/24
- Configure routes in vsysa.
- Choose .

- Click Add and configure the following static route for Internet access.
Protocol: IPv4
Source Virtual Router: vsysa
Destination Address/Mask: 0.0.0.0/0.0.0.0
Destination Virtual Router: vsysa
Next Hop: 10.1.1.1
Outgoing Interface: NONE
- Configure security policies in vsysa.
- Choose .

- Click Add and set the following IP address range.
Name: ipaddress1
IP Address Range: 10.3.0.2-10.3.0.10
- Repeat these steps to create the following IP address range (the R&D employees allowed to reach the non-R&D department).
Name: ipaddress2
IP Address Range: 10.3.0.20-10.3.0.30
- Repeat these steps to create the following IP address range (the non-R&D employees allowed to reach the R&D department).
Name: ipaddress3
IP Address Range: 10.3.1.20-10.3.1.30
- Choose .
- Choose Add Security Policy and configure the following security policy for vsysa to allow R&D employees in the specified address range to access the Internet. Packets from other R&D addresses to the Internet match no rule, fall through to the default security policy, and are denied.
Name: to_internet
Source Zone: trust
Destination Zone: untrust
Source Address/Region: ipaddress1
Action: permit
- Repeat these steps to configure a security policy for vsysa that allows the specified R&D employees (ipaddress2) to initiate communication with the specified non-R&D employees (ipaddress3). Traffic bound for vsysb leaves vsysa through Virtual-if 1, which is in the dmz zone, so the destination zone is dmz.
Name: to_vsysb
Source Zone: trust
Destination Zone: dmz
Source Address/Region: ipaddress2
Destination Address/Region: ipaddress3
Action: permit
- Repeat these steps to configure the security policy for the reverse direction, allowing the specified non-R&D employees (ipaddress3) to initiate communication with the specified R&D employees (ipaddress2). This traffic enters vsysa through Virtual-if 1 (dmz), so the source zone is dmz.
Name: to_vsysa
Source Zone: dmz
Destination Zone: trust
Source Address/Region: ipaddress3
Destination Address/Region: ipaddress2
Action: permit
- Configure a NAT policy in vsysa.
- Choose , click Add, and configure a NAT policy based on the following parameter values.
Name: nat1
NAT Type: NAT
NAT Mode: Source address translation
Source Zone: trust
Destination Type: Outbound Interface
Outbound Interface: GigabitEthernet 0/0/1
Source Address: ipaddress1
Source Address Translated To: Outbound Interface
- The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.
The configuration is similar to that of vsysa (the R&D department) except for the following:
- The interfaces and their IP addresses are those planned for vsysb (GE0/0/2, GE0/0/4, and Virtual-if 2).
- Only one security policy is needed for Internet access, and it allows all addresses in the trust zone to reach the untrust zone; the two policies for employee communication use ipaddress3 as the source and ipaddress2 as the destination in the trust-to-dmz direction, and the reverse in the dmz-to-trust direction.
- The outbound interface of the NAT policy must be set to GE0/0/2, and the source address must be set to any.
Verification
- From the R&D department, access the Internet from a PC that is allowed to do so (an address in 10.3.0.2 to 10.3.0.10) and from a PC that is not. If the first succeeds and the second is denied, the IP addresses, security policies, and NAT policies of vsysa are correctly configured.
- Access the Internet from any PC in the non-R&D department. If the access succeeds, the IP addresses, security policies, and NAT policies of vsysb are correctly configured.
- From a PC in 10.3.0.20 to 10.3.0.30, access a PC in 10.3.1.20 to 10.3.1.30, and repeat in the opposite direction; both must succeed. Then try the same from an R&D PC outside 10.3.0.20 to 10.3.0.30; this traffic must be denied by the default security policy, which confirms that the two departments remain isolated apart from the specified employees.
Configuration Scripts
Configuration script of the public system
#
sysname FW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth 20 outbound
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet0/0/1
assign interface GigabitEthernet0/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet0/0/2
assign interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/1
set public-interface
#
interface GigabitEthernet0/0/2
set public-interface
#
interface Virtual-if0
ip address 172.16.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtual-if0
#
ip route-static vpn-instance vsysb 10.3.0.0 24 vpn-instance vsysa
ip route-static vpn-instance vsysa 10.3.1.0 24 vpn-instance vsysb
#
return
Configuration script of vsysa
#
interface GigabitEthernet0/0/1
ip address 10.1.1.8 255.255.255.0
#
interface GigabitEthernet0/0/3
ip address 10.3.0.1 255.255.255.0
#
interface Virtual-if1
ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/3
#
firewall zone dmz
set priority 50
add interface Virtual-if1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
ip address-set ipaddress1 type object
address 0 range 10.3.0.2 10.3.0.10
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
action permit
rule name to_vsysb
source-zone trust
destination-zone dmz
source-address range 10.3.0.20 10.3.0.30
destination-address range 10.3.1.20 10.3.1.30
action permit
rule name to_vsysa
source-zone dmz
destination-zone trust
source-address range 10.3.1.20 10.3.1.30
destination-address range 10.3.0.20 10.3.0.30
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet0/0/1
source-address address-set ipaddress1
action source-nat easy-ip
#
return
Configuration script of vsysb
#
interface GigabitEthernet0/0/2
ip address 10.1.1.9 255.255.255.0
#
interface GigabitEthernet0/0/4
ip address 10.3.1.1 255.255.255.0
#
interface Virtual-if2
ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/4
#
firewall zone dmz
set priority 50
add interface Virtual-if2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
rule name to_vsysa
source-zone trust
destination-zone dmz
source-address range 10.3.1.20 10.3.1.30
destination-address range 10.3.0.20 10.3.0.30
action permit
rule name to_vsysb
source-zone dmz
destination-zone trust
source-address range 10.3.0.20 10.3.0.30
destination-address range 10.3.1.20 10.3.1.30
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet0/0/2
action source-nat easy-ip
#
return
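The following script is an added example; it is not part of the original configuration guide and is not a Huawei tool. It re-reads the security-policy rules from the vsysa and vsysb configuration scripts above (embedded here as constructed input), models the planned routes, and predicts the FW's decision for a flow. Inter-vsys traffic is walked through both hops: trust to dmz in the sending virtual system and dmz to trust in the receiving one, which is why each virtual system needs one rule per direction. The route labels "local" and "internet", the parsing helpers, and 8.8.8.8 as a stand-in Internet host are assumptions of this model, not FW syntax.

```python
# Added example: offline model of the vsysa/vsysb security policies and routes.
import ipaddress
import re

# Constructed input: the security-policy blocks copied from the two scripts.
POLICY_TEXT = {"vsysa": """
rule name to_internet
 source-zone trust
 destination-zone untrust
 source-address address-set ipaddress1
 action permit
rule name to_vsysb
 source-zone trust
 destination-zone dmz
 source-address range 10.3.0.20 10.3.0.30
 destination-address range 10.3.1.20 10.3.1.30
 action permit
rule name to_vsysa
 source-zone dmz
 destination-zone trust
 source-address range 10.3.1.20 10.3.1.30
 destination-address range 10.3.0.20 10.3.0.30
 action permit
""", "vsysb": """
rule name to_internet
 source-zone trust
 destination-zone untrust
 action permit
rule name to_vsysa
 source-zone trust
 destination-zone dmz
 source-address range 10.3.1.20 10.3.1.30
 destination-address range 10.3.0.20 10.3.0.30
 action permit
rule name to_vsysb
 source-zone dmz
 destination-zone trust
 source-address range 10.3.0.20 10.3.0.30
 destination-address range 10.3.1.20 10.3.1.30
 action permit
"""}
ADDRESS_SETS = {"ipaddress1": ("10.3.0.2", "10.3.0.10")}  # ip address-set in vsysa
# Per-vsys routes: connected subnet, the root system's inter-vsys route (next hop
# is the peer vsys, reached over Virtual-if) and the default route. The labels
# "local" and "internet" are assumptions of this model, not FW syntax.
ROUTES = {
    "vsysa": [("10.3.0.0/24", "local"), ("10.3.1.0/24", "vsysb"), ("0.0.0.0/0", "internet")],
    "vsysb": [("10.3.1.0/24", "local"), ("10.3.0.0/24", "vsysa"), ("0.0.0.0/0", "internet")],
}
ZONE_OF_NEXT_HOP = {"local": "trust", "internet": "untrust"}  # a peer vsys -> dmz

def parse_addr(spec):  # 'range A B' or 'address-set NAME' -> (low, high) as ints
    kind, _, rest = spec.partition(" ")
    lo, hi = rest.split() if kind == "range" else ADDRESS_SETS[rest]
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))

def parse_rules(text):  # a rule with no address condition matches any address
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"rule name (\S+)$", line)
        if m:
            cur = {"name": m.group(1), "source-zone": None, "destination-zone": None,
                   "src": None, "dst": None, "action": "deny"}
            rules.append(cur)
            continue
        key, _, rest = line.partition(" ")
        if key in ("source-zone", "destination-zone", "action"):
            cur[key] = rest
        elif key in ("source-address", "destination-address"):
            cur["src" if key == "source-address" else "dst"] = parse_addr(rest)
    return rules

RULES = {name: parse_rules(text) for name, text in POLICY_TEXT.items()}

def in_range(ip, rng):
    return rng is None or rng[0] <= int(ipaddress.ip_address(ip)) <= rng[1]

def lookup(vsys, dst_ip):  # longest-prefix match; returns the next-hop label
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[vsys]
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def match_policy(vsys, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; no match falls through to the default policy (deny)."""
    for r in RULES[vsys]:
        if (r["source-zone"], r["destination-zone"]) == (src_zone, dst_zone) \
                and in_range(src_ip, r["src"]) and in_range(dst_ip, r["dst"]):
            return r["name"], r["action"]
    return "default", "deny"

def trace(src_ip, dst_ip):  # -> [(vsys, src_zone, dst_zone, rule, action), ...]
    vsys = next(v for v in ROUTES if lookup(v, src_ip) == "local")  # home vsys
    src_zone, hops = "trust", []
    while True:
        nh = lookup(vsys, dst_ip)
        dst_zone = ZONE_OF_NEXT_HOP.get(nh, "dmz")  # a peer vsys sits behind Virtual-if
        rule, action = match_policy(vsys, src_zone, dst_zone, src_ip, dst_ip)
        hops.append((vsys, src_zone, dst_zone, rule, action))
        if action != "permit" or nh in ZONE_OF_NEXT_HOP:
            return hops
        vsys, src_zone = nh, "dmz"  # packet enters the peer vsys on its Virtual-if (dmz)

def allowed(src_ip, dst_ip):
    return trace(src_ip, dst_ip)[-1][4] == "permit"
```

Call trace("10.3.0.25", "10.3.1.25") to see the two hops (to_vsysb in vsysa, then to_vsysb in vsysb) that a permitted inter-department flow must pass, and trace("10.3.0.50", "10.3.1.25") to see it stop at vsysa's default policy. Because the model is first-match with a deny default, it also shows that adding a broad trust-to-dmz rule in either virtual system would reopen the isolation that the address ranges enforce.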