Web: Example for Configuring Hot Standby in Active/Standby Mode Where Firewalls Are Deployed in In-path Mode and Connect to Switches in Upstream and Downstream Directions

This section provides a web example of configuring hot standby in active/standby mode in which the service interfaces of the firewalls work at Layer 3 and connect to switches in upstream and downstream directions.

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to switches. The upstream switch connects to the carrier network, and the public IP address assigned to the enterprise is 1.1.1.1. The FWs are expected to work in active/standby mode: normally, traffic is forwarded by FW_A, and when FW_A fails, FW_B takes over.

Figure 1 Active/standby networking in which the service interfaces of each FW work at Layer 3 and are directly connected to switches

Procedure

  1. Complete the interface and basic network configuration.
    1. Configure interfaces on FW_A.

      1. Choose Network > Interface.

      2. Click GE0/0/1, set the following parameters, and click OK.

        Zone: untrust
        IPv4 IP Address: 10.2.0.1/24

      3. Repeat the preceding steps to configure GE0/0/3.

        Zone: trust
        IPv4 IP Address: 10.3.0.1/24

      4. Repeat the preceding steps to configure GE0/0/7.

        Zone: DMZ
        IPv4 IP Address: 10.10.0.1/24

    2. Configure interfaces on FW_B.

      1. Choose Network > Interface.

      2. Click GE0/0/1, set the following parameters, and click OK.

        Zone: untrust
        IPv4 IP Address: 10.2.0.2/24

      3. Repeat the preceding steps to configure GE0/0/3.

        Zone: trust
        IPv4 IP Address: 10.3.0.2/24

      4. Repeat the preceding steps to configure GE0/0/7.

        Zone: DMZ
        IPv4 IP Address: 10.10.0.2/24

  2. Configure static routes.
    1. Configure a default route on FW_A.

      1. Choose Network > Route > Static Route.

      2. In Static Route List, click Add, configure a default route with the following parameter values, and click OK.

        Protocol: IPv4
        Destination Address/Mask: 0.0.0.0/0.0.0.0
        Interface: GigabitEthernet0/0/1
        Next Hop: 1.1.1.10

    2. Configure a default route on FW_B.

      1. Choose Network > Route > Static Route.

      2. In Static Route List, click Add, configure a default route with the following parameter values, and click OK.

        Protocol: IPv4
        Destination Address/Mask: 0.0.0.0/0.0.0.0
        Interface: GigabitEthernet0/0/1
        Next Hop: 1.1.1.10

  3. Configure hot standby.
    1. Configure hot standby on FW_A.

      1. Choose System > High Availability > Dual-System Hot Standby and click Edit.

      2. Enable Dual-System Hot Standby, set the parameters as follows, and click OK.

    2. Configure hot standby on FW_B.

      1. Choose System > High Availability > Dual-System Hot Standby and click Edit.
      2. Enable Dual-System Hot Standby, set the parameters as follows, and click OK.

  4. Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group 2.
  5. Configure the security policies.

    Security policies configured on FW_A are automatically backed up to FW_B.

    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy, set the following parameters, and click OK.

      Name: policy_sec
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: 10.3.0.0/24
      Action: Permit

  6. Configure a NAT policy to allow intranet users to access the Internet.

    NAT policies configured on FW_A are automatically backed up to FW_B.

    1. Choose Policy > NAT Policy > NAT Policy.

    2. Click the Source Translation Address Pool tab, click Add, configure a NAT address pool with the following parameters, and click OK.

      Name: addressgroup1
      IP Address Range: 1.1.1.1-1.1.1.1

    3. Click the NAT Policy tab, click Add, configure the NAT policy policy_nat with the following parameters, and click OK.

      Name: policy_nat
      NAT Type: NAT
      NAT Mode: Source address translation
      Source Zone: trust
      Destination Type: Destination Zone (untrust)
      Source Address Translated To: IP Addresses in the IP Address Pool
      Source Translation Address Pool: addressgroup1

Configuration Verification

Choose System > High Availability > Dual-System Hot Standby to view the operating status of hot standby.

  • Normally, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Active. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Standby. This shows that traffic is forwarded by FW_A.
  • When FW_A fails, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Standby. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Active. This shows that traffic is forwarded by FW_B.

Configuration Scripts

FW_A

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 1.1.1.10
#
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 1.1.1.10
#
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1
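As an added example that is not part of the Huawei page, the following Python script parses constructed excerpts of the FW_A and FW_B scripts above and reports two inconsistencies that would keep the pair from working as described: an hrp remote address that is not the peer's heartbeat interface IP, and a VRRP group whose two members are not one active and one standby with the same virtual IP. The parse and check_pair functions and the FW_A_CFG/FW_B_CFG constants are this example's own names.

```python
# Added example (not Huawei's code): check that the FW_A/FW_B scripts above form a
# consistent pair. FW_A_CFG/FW_B_CFG are constructed excerpts of the scripts on this page.
import re
FW_A_CFG = """\
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
interface GigabitEthernet 0/0/1
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
interface GigabitEthernet 0/0/3
 vrrp vrid 2 virtual-ip 10.3.0.3 active
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
"""
FW_B_CFG = """\
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
interface GigabitEthernet 0/0/1
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
interface GigabitEthernet 0/0/3
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
"""

def parse(cfg):
    # Collect the HRP heartbeat interface and peer address, plus each interface's IP and VRRP groups.
    info, cur = {"hrp_iface": None, "hrp_remote": None, "ifaces": {}}, None
    for s in (ln.strip() for ln in cfg.splitlines()):
        if m := re.match(r"hrp interface (\S+ \S+) remote (\S+)", s):
            info["hrp_iface"], info["hrp_remote"] = m.group(1), m.group(2)
        elif m := re.match(r"interface (\S+ \S+)$", s):
            cur = info["ifaces"].setdefault(m.group(1), {"ip": None, "vrrp": {}})
        elif cur is not None and (m := re.match(r"ip address (\S+) ", s)):
            cur["ip"] = m.group(1)
        elif cur is not None and (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+).* (active|standby)$", s)):
            cur["vrrp"][int(m.group(1))] = (m.group(2), m.group(3))
    return info

def check_pair(a, b):
    # Returns findings; an empty list means the two units form a consistent pair.
    issues = []
    for me, peer, name in ((a, b, "FW_A"), (b, a, "FW_B")):
        peer_ip = peer["ifaces"].get(me["hrp_iface"], {}).get("ip")
        if me["hrp_remote"] != peer_ip:  # 'hrp ... remote' must be the peer's heartbeat IP
            issues.append(f"{name}: hrp remote {me['hrp_remote']} != peer IP {peer_ip}")
    for iface, conf in a["ifaces"].items():
        for vrid, (vip, role) in conf["vrrp"].items():  # same VIP, one active and one standby
            other = b["ifaces"].get(iface, {}).get("vrrp", {}).get(vrid)
            if other is None or other[0] != vip or {role, other[1]} != {"active", "standby"}:
                issues.append(f"vrid {vrid} on {iface}: FW_A {vip}/{role}, FW_B {other}")
    return issues
```

Running check_pair(parse(FW_A_CFG), parse(FW_B_CFG)) on the page's scripts returns an empty list; the same check run against the two units' exported configurations after any change is a cheap way to catch a mistyped heartbeat peer or a mismatched VRRP role before a failover test.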
Copyright © Huawei Technologies Co., Ltd.