
CLI: Example for Configuring Hot Standby (Load Balancing) of Virtual Systems on Firewalls Connecting to Upstream Routers Through the Public System and Downstream Subnets Through Virtual Systems

This section provides a CLI example for configuring hot standby in load balancing mode in which multiple virtual systems configured on the FW connect to different downstream subnets through switches and share an upstream public system interface to connect to routers.

Networking Requirements

As shown in Figure 1, an enterprise deploys two FWs as egress gateways to connect the intranet to the Internet. The two FWs are in hot standby deployment for high availability. The service interfaces of both FWs work at Layer 3 and connect to upstream routers (with OSPF running between the FWs and routers) and downstream switches (to connect to different subnets isolated from each other). Specific requirements are as follows:
  • The enterprise has only one upstream interface. All departments need to access the Internet through this interface.
  • Different departments on the intranet need to be isolated from and cannot communicate with each other.
  • The two FWs work in load balancing mode. In normal situations, FW_A forwards traffic from department A, and FW_B forwards traffic from department B. If one FW fails, traffic from both departments is forwarded by the other FW. This ensures that the services are not interrupted.
  • The upstream and downstream links of the two FWs shall be in the same state, so that when the interface of one FW is down, the interface of the other FW can take over for service continuity.
Figure 1 Hot standby networking when virtual systems are configured

Data Planning

Table 1 Data planning of FW_A

Item | Data | Description
Interfaces | GigabitEthernet 0/0/1, IP address 192.168.0.2/30, security zone Untrust | Upstream interface of public system public
Interfaces | GigabitEthernet 0/0/2, IP address 10.3.1.2/24, security zone Trust | Downstream interface of virtual system vsysa
Interfaces | GigabitEthernet 0/0/3, IP address 10.3.2.2/24, security zone Trust | Downstream interface of virtual system vsysb
Interfaces | GigabitEthernet 0/0/7, IP address 10.10.0.1/24, security zone DMZ | Heartbeat interface
VRRP groups | VRRP group 1: 10.3.1.1/24, active | -
VRRP groups | VRRP group 2: 10.3.2.1/24, standby | -
Routes | Blackhole route, destination IP address 1.1.1.1/32 | Blackhole route configured for the NAT address pool of public system public to prevent route loops
Routes | OSPF 100, advertised network segment 192.168.0.0/30, static routes imported | OSPF configuration of public system public

Table 2 Data planning of FW_B

Item | Data | Description
Interfaces | GigabitEthernet 0/0/1, IP address 192.168.0.10/30, security zone Untrust | Upstream interface of public system public
Interfaces | GigabitEthernet 0/0/2, IP address 10.3.1.3/24, security zone Trust | Downstream interface of virtual system vsysa
Interfaces | GigabitEthernet 0/0/3, IP address 10.3.2.3/24, security zone Trust | Downstream interface of virtual system vsysb
Interfaces | GigabitEthernet 0/0/7, IP address 10.10.0.2/24, security zone DMZ | Heartbeat interface
VRRP groups | VRRP group 1: 10.3.1.1/24, standby | -
VRRP groups | VRRP group 2: 10.3.2.1/24, active | -
Routes | Blackhole route, destination IP address 1.1.1.1/32 | Blackhole route configured for the NAT address pool of public system public to prevent route loops
Routes | OSPF 100, advertised network segment 192.168.0.8/30, static routes imported | OSPF configuration of public system public

Table 3 Data planning of Router1

Item | Data | Description
Interfaces | GigabitEthernet 0/0/1, IP address 192.168.0.1/30 | Connecting to FW public system public
Interfaces | GigabitEthernet 0/0/2, IP address 192.168.0.5/30 | Connecting to Router2
OSPF | OSPF 100, advertised network segment 192.168.0.0/30, default routes imported | -

Table 4 Data planning of Router2

Item | Data | Description
Interfaces | GigabitEthernet 0/0/1, IP address 192.168.0.9/30 | Connecting to FW public system public
Interfaces | GigabitEthernet 0/0/2, IP address 192.168.0.6/30 | Connecting to Router1
OSPF | OSPF 100, advertised network segment 192.168.0.8/30, default routes imported | -

Configuration Roadmap

  1. Create different virtual systems on FW_A and FW_B to isolate networks of different departments.
  2. Configure mutual communication between the virtual systems and the public system on FW_A and FW_B so that different virtual systems can share the interface of the public system to access the Internet.
  3. The service interfaces of FW_A and FW_B work at Layer 3 in load balancing mode, connect to upstream routers, and run OSPF. Therefore, you need to configure OSPF and VGMP groups to monitor service interfaces. That is, configure OSPF-based hot standby in load balancing mode. The service interfaces also connect to downstream switches. Therefore, you need to configure VRRP groups. In addition, you shall also complete basic configurations, such as configuring heartbeat interfaces and enabling the hot standby function.
  4. Configure a Link-Group on FW_A and FW_B and add the upstream interface of the public system and the downstream interfaces of the virtual systems to this Link-Group to ensure that the upstream and downstream interfaces are in the same state.
  5. After hot standby is deployed, configure security policies and NAT policies for intranet users to access the Internet on FW_A. You do not need to configure the policies on FW_B because the policies are automatically synchronized from FW_A.

Procedure

  1. Create virtual systems vsysa and vsysb and assign interfaces to them.

    The virtual system names and IDs on FW_A and FW_B must be the same. You can run the display vsys command on both FWs to compare the configurations after virtual systems are created.

    This example describes only virtual system configurations closely related to hot standby. For details about how to allocate other resources to the virtual systems, see the "Virtual System" part in the Configuration Guide.

    # Enable the virtual system function on FWs.

    <FW_A> system-view
    [FW_A] vsys enable
    <FW_B> system-view
    [FW_B] vsys enable

    # Create virtual system vsysa on FWs and assign interface GigabitEthernet 0/0/2 to it.

    [FW_A] vsys name vsysa
    [FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/2
    [FW_A-vsys-vsysa] quit
    [FW_B] vsys name vsysa
    [FW_B-vsys-vsysa] assign interface GigabitEthernet 0/0/2
    [FW_B-vsys-vsysa] quit

    # Create virtual system vsysb on FWs and assign interface GigabitEthernet 0/0/3 to it.

    [FW_A] vsys name vsysb
    [FW_A-vsys-vsysb] assign interface GigabitEthernet 0/0/3
    [FW_A-vsys-vsysb] quit
    [FW_B] vsys name vsysb
    [FW_B-vsys-vsysb] assign interface GigabitEthernet 0/0/3
    [FW_B-vsys-vsysb] quit

  2. Configure interfaces.
    1. Configure the public system interfaces on FWs and assign the interfaces to security zones.

      # Set the IP addresses for the upstream and heartbeat interfaces of the public system on FWs.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 192.168.0.2 30
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/7
      [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
      [FW_A-GigabitEthernet0/0/7] quit
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 192.168.0.10 30
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/7
      [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
      [FW_B-GigabitEthernet0/0/7] quit

      # Set the IP address for virtual interface Virtual-if0 of the public system on FWs. The IP address can be any value that is not in conflict with the IP addresses of other interfaces.

      [FW_A] interface Virtual-if 0 
      [FW_A-Virtual-if0] ip address 172.16.0.1 24 
      [FW_A-Virtual-if0] quit 
      [FW_B] interface Virtual-if 0 
      [FW_B-Virtual-if0] ip address 172.16.0.2 24 
      [FW_B-Virtual-if0] quit

      # Assign the interfaces of the public system to security zones on FWs.

      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone trust 
      [FW_A-zone-trust] add interface Virtual-if 0 
      [FW_A-zone-trust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
      [FW_A-zone-dmz] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit
      [FW_B] firewall zone trust 
      [FW_B-zone-trust] add interface Virtual-if 0 
      [FW_B-zone-trust] quit
      [FW_B] firewall zone dmz
      [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
      [FW_B-zone-dmz] quit

    2. Configure the interfaces of virtual system vsysa on FWs and assign the interfaces to security zones.

      # Configure the IP addresses and VRRP groups for the downstream interfaces of virtual system vsysa on FWs.

      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip address 10.3.1.2 24
      [FW_A-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.3.1.1 24 active
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 10.3.1.3 24
      [FW_B-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.3.1.1 24 standby
      [FW_B-GigabitEthernet0/0/2] quit

      # Set the IP address for virtual interface Virtual-if1 of virtual system vsysa on FWs. The IP address can be any value that is not in conflict with the IP addresses of other interfaces.

      [FW_A] interface Virtual-if 1 
      [FW_A-Virtual-if1] ip address 172.16.1.1 24 
      [FW_A-Virtual-if1] quit
      [FW_B] interface Virtual-if 1 
      [FW_B-Virtual-if1] ip address 172.16.1.2 24 
      [FW_B-Virtual-if1] quit

      # Assign the interfaces of virtual system vsysa to security zones on FWs.

      [FW_A] switch vsys vsysa
      <FW_A-vsysa> system-view
      [FW_A-vsysa] firewall zone trust
      [FW_A-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_A-vsysa-zone-trust] quit
      [FW_A-vsysa] firewall zone untrust
      [FW_A-vsysa-zone-untrust] add interface Virtual-if1
      [FW_A-vsysa-zone-untrust] quit
      [FW_A-vsysa] quit
      <FW_A-vsysa> quit
      [FW_B] switch vsys vsysa
      <FW_B-vsysa> system-view
      [FW_B-vsysa] firewall zone trust
      [FW_B-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_B-vsysa-zone-trust] quit
      [FW_B-vsysa] firewall zone untrust
      [FW_B-vsysa-zone-untrust] add interface Virtual-if1
      [FW_B-vsysa-zone-untrust] quit
      [FW_B-vsysa] quit
      <FW_B-vsysa> quit

    3. Configure the interfaces of virtual system vsysb on FWs and assign the interfaces to security zones.

      # Configure the IP addresses and VRRP groups for the downstream interfaces of virtual system vsysb on FWs.

      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip address 10.3.2.2 24
      [FW_A-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.3.2.1 24 standby
      [FW_A-GigabitEthernet0/0/3] quit
      [FW_B] interface GigabitEthernet 0/0/3
      [FW_B-GigabitEthernet0/0/3] ip address 10.3.2.3 24
      [FW_B-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.3.2.1 24 active
      [FW_B-GigabitEthernet0/0/3] quit

      # Set the IP address for virtual interface Virtual-if2 of virtual system vsysb on FWs. The IP address can be any value that is not in conflict with the IP addresses of other interfaces.

      [FW_A] interface Virtual-if 2 
      [FW_A-Virtual-if2] ip address 172.16.2.1 24 
      [FW_A-Virtual-if2] quit
      [FW_B] interface Virtual-if 2 
      [FW_B-Virtual-if2] ip address 172.16.2.2 24 
      [FW_B-Virtual-if2] quit

      # Assign the interfaces of virtual system vsysb to security zones on FWs.

      [FW_A] switch vsys vsysb
      <FW_A-vsysb> system-view
      [FW_A-vsysb] firewall zone trust
      [FW_A-vsysb-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-vsysb-zone-trust] quit
      [FW_A-vsysb] firewall zone untrust
      [FW_A-vsysb-zone-untrust] add interface Virtual-if2
      [FW_A-vsysb-zone-untrust] quit
      [FW_A-vsysb] quit
      <FW_A-vsysb> quit
      [FW_B] switch vsys vsysb
      <FW_B-vsysb> system-view
      [FW_B-vsysb] firewall zone trust
      [FW_B-vsysb-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_B-vsysb-zone-trust] quit
      [FW_B-vsysb] firewall zone untrust
      [FW_B-vsysb-zone-untrust] add interface Virtual-if2
      [FW_B-vsysb-zone-untrust] quit
      [FW_B-vsysb] quit
      <FW_B-vsysb> quit

  3. Configure static routes.

    # On FWs, configure a blackhole route pointing to the addresses in the NAT address pool of the public system. The address 1.1.1.1 32 must be the same as the address in the NAT address pool specified in step 8.

    [FW_A] ip route-static 1.1.1.1 32 null 0
    [FW_B] ip route-static 1.1.1.1 32 null 0

    # Configure a static route to guide return traffic of employees in vsysa from the Internet to vsysa.

    [FW_A] ip route-static 10.3.1.0 24 vpn-instance vsysa
    [FW_B] ip route-static 10.3.1.0 24 vpn-instance vsysa

    # Configure a static route to guide return traffic of employees in vsysb from the Internet to vsysb.

    [FW_A] ip route-static 10.3.2.0 24 vpn-instance vsysb
    [FW_B] ip route-static 10.3.2.0 24 vpn-instance vsysb

    # Configure a static route to guide Internet access traffic from employees in vsysa to the public system.

    NOTE:

    In this example, the network topology and route configuration are simplified. If vsysa only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0 0.0.0.0. That is, all packets are sent to the public system. In practice, for accurate routing information, you shall set Destination Address/Mask to a specific Internet address range that the intranet users are allowed to access. Incorrect route configuration may result in communication failure of multiple LANs connected with vsysa.

    [FW_A] switch vsys vsysa
    <FW_A-vsysa> system-view
    [FW_A-vsysa] ip route-static 0.0.0.0 0.0.0.0 public
    [FW_A-vsysa] quit
    <FW_A-vsysa> quit
    [FW_B] switch vsys vsysa
    <FW_B-vsysa> system-view
    [FW_B-vsysa] ip route-static 0.0.0.0 0.0.0.0 public
    [FW_B-vsysa] quit
    <FW_B-vsysa> quit

    # Configure a static route to guide Internet access traffic from employees in vsysb to the public system.

    NOTE:

    In this example, the network topology and route configuration are simplified. If vsysb only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0 0.0.0.0. That is, all packets are sent to the public system. In practice, for accurate routing information, you shall set Destination Address/Mask to a specific Internet address range that the intranet users are allowed to access. Incorrect route configuration may result in communication failure of multiple LANs connected with vsysb.

    [FW_A] switch vsys vsysb
    <FW_A-vsysb> system-view
    [FW_A-vsysb] ip route-static 0.0.0.0 0.0.0.0 public
    [FW_A-vsysb] quit
    <FW_A-vsysb> quit
    [FW_B] switch vsys vsysb
    <FW_B-vsysb> system-view
    [FW_B-vsysb] ip route-static 0.0.0.0 0.0.0.0 public
    [FW_B-vsysb] quit
    <FW_B-vsysb> quit

  4. Configure OSPF.

    [FW_A] ospf 100
    [FW_A-ospf-100] import-route static
    [FW_A-ospf-100] area 0
    [FW_A-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
    [FW_A-ospf-100-area-0.0.0.0] quit
    [FW_A-ospf-100] quit
    [FW_B] ospf 100
    [FW_B-ospf-100] import-route static
    [FW_B-ospf-100] area 0
    [FW_B-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
    [FW_B-ospf-100-area-0.0.0.0] quit
    [FW_B-ospf-100] quit

  5. Configure the Link-Group function to ensure that the upstream and downstream interfaces are in the same state.

    # Add the public system interface (upstream interface) and virtual system interfaces (downstream interfaces) to the same Link-Group on FWs.

    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] link-group 1
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] link-group public 1
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] link-group public 1
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] link-group 1
    [FW_B-GigabitEthernet0/0/1] quit
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] link-group public 1
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] link-group public 1
    [FW_B-GigabitEthernet0/0/3] quit

  6. Configure hot standby.

    # Configure VGMP groups to monitor upstream service interface on FWs.

    [FW_A] hrp track interface GigabitEthernet 0/0/1
    [FW_B] hrp track interface GigabitEthernet 0/0/1

    # Configure quick session backup on both FWs in case of inconsistent forward and return packet paths.

    [FW_A] hrp mirror session enable
    [FW_B] hrp mirror session enable

    # Specify the heartbeat interface and enable hot standby on FWs.

    [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
    [FW_A] hrp enable
    [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
    [FW_B] hrp enable

    # To prevent port conflicts in address translation on the FWs in load balancing mode, configure available port ranges on FW_A and FW_B.

    NOTE:

    In the hot standby load balancing scenario, if NAPT is configured, the FWs may have conflicting public ports. To prevent such conflicts, configure separate NAT resources (including public IP addresses and ports) for the FWs. You can run the hrp nat resource primary-group command on the active FW. The standby FW will automatically generate the hrp nat resource secondary-group command (if you run the hrp nat resource secondary-group command on the active FW, the standby FW will automatically generate the hrp nat resource primary-group command).

    HRP_M[FW_A] hrp nat resource primary-group
    HRP_S[FW_B] hrp nat resource secondary-group

  7. Configure security policies.

    Security policies can be backed up. That is, policies configured on FW_A can be automatically synchronized to FW_B. If you have configured security policies separately on FW_A and FW_B before configuring hot standby, ensure that their configurations and the sequences in which they are configured are the same on FW_A and FW_B. Otherwise, services may become abnormal after active/standby switchover.

    1. Configure the security policy for the public system.

      # On FW_A, configure a security policy for the public system to allow intranet users to access the Internet. When configuring the security policy for the public system, you do not need to specify the IP address range. When configuring the security policy for the virtual system, you need to specify the IP addresses of the intranet employees to configure a strict security policy.

      HRP_M[FW_A] security-policy
      HRP_M[FW_A-policy-security] rule name policy_sec
      HRP_M[FW_A-policy-security-rule-policy_sec] source-zone trust
      HRP_M[FW_A-policy-security-rule-policy_sec] destination-zone untrust
      HRP_M[FW_A-policy-security-rule-policy_sec] action permit
      HRP_M[FW_A-policy-security-rule-policy_sec] quit
      HRP_M[FW_A-policy-security] quit

    2. Configure security policies in vsysa.

      # In vsysa of FW_A, configure a security policy to isolate vsysa from vsysb. Because routes have been configured in the public system to divert the return traffic to vsysa and vsysb, vsysa and vsysb can communicate with each other through the public system. To isolate them from each other, you must configure this security policy in vsysa.

      HRP_M[FW_A] switch vsys vsysa
      HRP_M<FW_A-vsysa> system-view
      HRP_M[FW_A-vsysa] security-policy
      HRP_M[FW_A-vsysa-policy-security] rule name vsysa_to_vsysb
      HRP_M[FW_A-vsysa-policy-security-rule-vsysa_to_vsysb] source-zone trust 
      HRP_M[FW_A-vsysa-policy-security-rule-vsysa_to_vsysb] destination-zone untrust
      HRP_M[FW_A-vsysa-policy-security-rule-vsysa_to_vsysb] source-address 10.3.1.0 24
      HRP_M[FW_A-vsysa-policy-security-rule-vsysa_to_vsysb] destination-address 10.3.2.0 24
      HRP_M[FW_A-vsysa-policy-security-rule-vsysa_to_vsysb] action deny
      HRP_M[FW_A-vsysa-policy-security-rule-vsysa_to_vsysb] quit

      # On FW_A, configure a security policy for vsysa to allow intranet users to access the Internet.

      HRP_M[FW_A-vsysa-policy-security] rule name policy_sec
      HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-zone trust 
      HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] destination-zone untrust
      HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-address 10.3.1.0 24
      HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] action permit
      HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] quit
      HRP_M[FW_A-vsysa-policy-security] quit

    3. Configure security policies in vsysb.

      # In vsysb of FW_A, configure a security policy to isolate vsysa from vsysb. Because routes have been configured in the public system to divert the return traffic to vsysa and vsysb, vsysa and vsysb can communicate with each other through the public system. To isolate them from each other, you must configure this security policy in vsysb.

      HRP_M[FW_A] switch vsys vsysb
      HRP_M<FW_A-vsysb> system-view
      HRP_M[FW_A-vsysb] security-policy
      HRP_M[FW_A-vsysb-policy-security] rule name vsysb_to_vsysa
      HRP_M[FW_A-vsysb-policy-security-rule-vsysb_to_vsysa] source-zone trust 
      HRP_M[FW_A-vsysb-policy-security-rule-vsysb_to_vsysa] destination-zone untrust
      HRP_M[FW_A-vsysb-policy-security-rule-vsysb_to_vsysa] source-address 10.3.2.0 24
      HRP_M[FW_A-vsysb-policy-security-rule-vsysb_to_vsysa] destination-address 10.3.1.0 24
      HRP_M[FW_A-vsysb-policy-security-rule-vsysb_to_vsysa] action deny
      HRP_M[FW_A-vsysb-policy-security-rule-vsysb_to_vsysa] quit

      # On FW_A, configure a security policy for vsysb to allow intranet users to access the Internet.

      HRP_M[FW_A-vsysb-policy-security] rule name policy_sec
      HRP_M[FW_A-vsysb-policy-security-rule-policy_sec] source-zone trust 
      HRP_M[FW_A-vsysb-policy-security-rule-policy_sec] destination-zone untrust
      HRP_M[FW_A-vsysb-policy-security-rule-policy_sec] source-address 10.3.2.0 24
      HRP_M[FW_A-vsysb-policy-security-rule-policy_sec] action permit
      HRP_M[FW_A-vsysb-policy-security-rule-policy_sec] quit
      HRP_M[FW_A-vsysb-policy-security] quit

  8. Configure a NAT policy.

    # On FW_A, configure a NAT policy for the public system to allow intranet users to access the Internet. The NAT policy configured on FW_A can be automatically synchronized to FW_B.

    HRP_M[FW_A] nat address-group addressgroup1 
    HRP_M[FW_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.1 
    HRP_M[FW_A-address-group-addressgroup1] quit
    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat
    HRP_M[FW_A-policy-nat-rule-policy_nat] source-zone trust 
    HRP_M[FW_A-policy-nat-rule-policy_nat] destination-zone untrust
    HRP_M[FW_A-policy-nat-rule-policy_nat] source-address 10.3.1.0 24
    HRP_M[FW_A-policy-nat-rule-policy_nat] source-address 10.3.2.0 24
    HRP_M[FW_A-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
    HRP_M[FW_A-policy-nat-rule-policy_nat] quit
    HRP_M[FW_A-policy-nat] quit

  9. Configure routers.

    The following part uses Huawei routers to illustrate the configuration.

    [router1] interface GigabitEthernet 0/0/1
    [router1-GigabitEthernet0/0/1] ip address 192.168.0.1 30
    [router1-GigabitEthernet0/0/1] quit
    [router1] interface GigabitEthernet 0/0/2
    [router1-GigabitEthernet0/0/2] ip address 192.168.0.5 30
    [router1-GigabitEthernet0/0/2] quit
    [router1] ospf 100
    [router1-ospf-100] default-route-advertise
    [router1-ospf-100] area 0
    [router1-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
    [router1-ospf-100-area-0.0.0.0] quit
    [router1-ospf-100] quit
    [router2] interface GigabitEthernet 0/0/1
    [router2-GigabitEthernet0/0/1] ip address 192.168.0.9 30
    [router2-GigabitEthernet0/0/1] quit
    [router2] interface GigabitEthernet 0/0/2
    [router2-GigabitEthernet0/0/2] ip address 192.168.0.6 30
    [router2-GigabitEthernet0/0/2] quit
    [router2] ospf 100
    [router2-ospf-100] default-route-advertise
    [router2-ospf-100] area 0
    [router2-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
    [router2-ospf-100-area-0.0.0.0] quit
    [router2-ospf-100] quit

Verification

  1. Run the display hrp state verbose command on FW_A and FW_B to check the HRP status. If the following information is displayed, HRP is successfully configured.

    HRP_M[FW_A] display hrp state verbose
     Role: active, peer: active     
     Running priority: 45000, peer: 45000
     Backup channel usage: 0.00%    
     Stable time: 0 days, 15 hours, 41 minutes
     Last state change information: 2018-02-11 17:42:06 HRP link changes to up.
                                            
     Configuration:                         
     hello interval:              1000ms      
     preempt:                     60s        
     mirror configuration:        off 
     mirror session:              on 
     track trunk member:          on 
     auto-sync configuration:     on 
     auto-sync connection-status: on 
     adjust ospf-cost:            on
     adjust ospfv3-cost:          on
     adjust bgp-cost:             on
     nat resource:                primary 
                            
     Detail information:      
               GigabitEthernet0/0/2 vrrp vrid 1: active 
               GigabitEthernet0/0/3 vrrp vrid 2: standby
                           GigabitEthernet0/0/1: up
                                      ospf-cost: +0
                                    ospfv3-cost: +0     
                                       bgp-cost: +0 
    HRP_S[FW_B] display hrp state verbose
     Role: active, peer: active
     Running priority: 45000, peer: 45000    
     Backup channel usage: 0.00%     
     Stable time: 0 days, 15 hours, 48 minutes   
     Last state change information: 2018-02-11 9:53:30 HRP link changes to up.
             
     Configuration:                
     hello interval:              1000ms
     preempt:                     60s 
     mirror configuration:        off
     mirror session:              on
     track trunk member:          on
     auto-sync configuration:     on   
     auto-sync connection-status: on
     adjust ospf-cost:            on
     adjust ospfv3-cost:          on
     adjust bgp-cost:             on
     nat resource:                secondary
    
     Detail information:            
               GigabitEthernet0/0/2 vrrp vrid 1: standby
               GigabitEthernet0/0/3 vrrp vrid 2: active
                           GigabitEthernet0/0/1: up
                                      ospf-cost: +0
                                    ospfv3-cost: +0
                                       bgp-cost: +0 
  2. Access the Internet from the enterprise network. The access succeeds. Check session information on FW_A and FW_B.

    HRP_M[FW_A] display firewall session table all-systems
     Current Total Sessions : 4
     udp  VPN: vsysb --> public  Remote 10.3.2.4:1001 --> 3.3.3.4:2001 
     udp  VPN: public --> public  Remote 10.3.2.4:1001[1.1.1.1:2049] --> 3.3.3.4:2001 
     udp  VPN: vsysa --> public  10.3.1.4:1000 --> 3.3.3.3:2000  
     udp  VPN: public --> public  10.3.1.4:1000[1.1.1.1:2119] --> 3.3.3.3:2000 
    HRP_S[FW_B] display firewall session table all-systems
     Current Total Sessions : 4     
     udp  VPN: vsysb --> public  10.3.2.4:1001 --> 3.3.3.4:2001 
     udp  VPN: public --> public  10.3.2.4:1001[1.1.1.1:2049] --> 3.3.3.4:2001  
     udp  VPN: vsysa --> public  Remote 10.3.1.4:1000 --> 3.3.3.3:2000    
     udp  VPN: public --> public  Remote 10.3.1.4:1000[1.1.1.1:2119] --> 3.3.3.3:2000 

    As shown in the preceding information, a session tagged with Remote is created on FW_A and FW_B, indicating that the session is successfully synchronized after hot standby is configured.

  3. Ping an IP address on the Internet from an intranet PC and remove the network cable from GigabitEthernet 0/0/2 on FW_A. FW status switchover occurs, the status of FW_A changes from HRP_M to HRP_S, and no ping packets are discarded. Then run the display link-group command. The status of upstream interface GigabitEthernet 0/0/1 also changes to Down, which is consistent with that of GigabitEthernet 0/0/2.

    HRP_S[FW_A] display link-group
     link group 1, total 3, fault 1
     -------------------------------------------------------------------------------
     Interface                       Vsys                            State          
     -------------------------------------------------------------------------------
     GigabitEthernet0/0/1            public                          down           
     GigabitEthernet0/0/2            vsysa                           fault          
     GigabitEthernet0/0/3            vsysb                           down           
     -------------------------------------------------------------------------------

    Then insert the network cable back to GigabitEthernet 0/0/2 on FW_A. The status of FW_A changes from HRP_S to HRP_M, no ping packets are discarded, and the interfaces in the Link-Group become Up again.

    HRP_M[FW_A] display link-group
     link group 1, total 3, fault 0
     -------------------------------------------------------------------------------
     Interface                       Vsys                            State          
     -------------------------------------------------------------------------------
     GigabitEthernet0/0/1            public                          up
     GigabitEthernet0/0/2            vsysa                           up 
     GigabitEthernet0/0/3            vsysb                           up 
     -------------------------------------------------------------------------------
  4. Ping an IP address on the Internet from an intranet PC and remove the network cable from GigabitEthernet 0/0/3 on FW_B. FW status switchover occurs, the status of FW_B changes from HRP_M to HRP_S, and no ping packets are discarded. Then run the display link-group command. The status of upstream interface GigabitEthernet 0/0/1 also changes to Down, which is consistent with that of GigabitEthernet 0/0/3.

    HRP_S[FW_B] display link-group
     link group 1, total 3, fault 1
     -------------------------------------------------------------------------------
     Interface                       Vsys                            State          
     -------------------------------------------------------------------------------
     GigabitEthernet0/0/1            public                          down
     GigabitEthernet0/0/2            vsysa                           down
     GigabitEthernet0/0/3            vsysb                           fault
     -------------------------------------------------------------------------------

    Then insert the network cable back to GigabitEthernet 0/0/3 on FW_B. The status of FW_B changes from HRP_S to HRP_M, no ping packets are discarded, and the interfaces in the Link-Group become Up again.

    HRP_M[FW_B] display link-group
     link group 1, total 3, fault 0
     -------------------------------------------------------------------------------
     Interface                       Vsys                            State          
     -------------------------------------------------------------------------------
     GigabitEthernet0/0/1            public                          up
     GigabitEthernet0/0/2            vsysa                           up 
     GigabitEthernet0/0/3            vsysb                           up 
     -------------------------------------------------------------------------------
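
As an added check that is not part of the original page, the following Python script parses the display link-group output shown above and flags a group whose members are not in a consistent state. The two healthy samples (one faulty member with the rest down, then all members up) are copied from the steps above; the mixed-state sample is constructed, and the rule that a group is consistent only when all members are up or one is fault and every other member is down is an assumption drawn from the behaviour the steps describe.

```python
"""Parse 'display link-group' output and check that each link group is in
a consistent state.

Added example, not code from the original page or from the vendor. Two
samples are copied from the page's verification steps; SAMPLE_MIXED is
constructed. The consistency rule (all 'up', or 'fault' plus all remaining
members 'down') is an assumption based on the behaviour described there.
"""
import re
from dataclasses import dataclass, field

# Copied from the page: cable removed from GigabitEthernet0/0/3 on FW_B.
SAMPLE_FAULT = """\
HRP_S[FW_B] display link-group
 link group 1, total 3, fault 1
 -------------------------------------------------------------------------------
 Interface                       Vsys                            State
 -------------------------------------------------------------------------------
 GigabitEthernet0/0/1            public                          down
 GigabitEthernet0/0/2            vsysa                           down
 GigabitEthernet0/0/3            vsysb                           fault
 -------------------------------------------------------------------------------
"""

# Copied from the page: cable reinserted, every member back up.
SAMPLE_UP = """\
HRP_M[FW_B] display link-group
 link group 1, total 3, fault 0
 -------------------------------------------------------------------------------
 Interface                       Vsys                            State
 -------------------------------------------------------------------------------
 GigabitEthernet0/0/1            public                          up
 GigabitEthernet0/0/2            vsysa                           up
 GigabitEthernet0/0/3            vsysb                           up
 -------------------------------------------------------------------------------
"""

# Constructed: the upstream interface is still up although a downstream
# member is faulty, so upstream and downstream links no longer share a state.
SAMPLE_MIXED = "\n".join(
    line.replace("down", "up") if "GigabitEthernet0/0/1" in line else line
    for line in SAMPLE_FAULT.splitlines())

PROMPT_RE = re.compile(r"^(HRP_[MS])\[([^\]]+)\]")
HEADER_RE = re.compile(r"^\s*link group (\d+), total (\d+), fault (\d+)\s*$")
MEMBER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(up|down|fault)\s*$")


@dataclass
class LinkGroup:
    group_id: int
    total: int          # member count announced in the header line
    fault: int          # faulty member count announced in the header line
    members: dict = field(default_factory=dict)   # interface -> (vsys, state)


@dataclass
class LinkGroupReport:
    hrp_role: str       # HRP_M or HRP_S, taken from the CLI prompt
    device: str
    groups: list


def parse_link_group(text):
    """Turn raw CLI output into a LinkGroupReport."""
    role, device, groups, current = "", "", [], None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            role, device = m.group(1), m.group(2)
            continue
        m = HEADER_RE.match(line)
        if m:
            current = LinkGroup(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            groups.append(current)
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current.members[m.group(1)] = (m.group(2), m.group(3))
    return LinkGroupReport(role, device, groups)


def check_consistency(group):
    """Return a list of findings; an empty list means the group is consistent."""
    findings = []
    if len(group.members) != group.total:
        findings.append(f"group {group.group_id}: header announces {group.total} "
                        f"members, {len(group.members)} parsed")
    faulty = sum(1 for _, state in group.members.values() if state == "fault")
    if faulty != group.fault:
        findings.append(f"group {group.group_id}: header announces {group.fault} "
                        f"faulty members, {faulty} listed")
    states = {state for _, state in group.members.values()}
    healthy = states == {"up"}
    failed_over = "fault" in states and states <= {"fault", "down"}
    if not (healthy or failed_over):
        findings.append(f"group {group.group_id}: mixed member states "
                        f"{sorted(states)}; the group did not pull every member down")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_FAULT, SAMPLE_UP, SAMPLE_MIXED):
        report = parse_link_group(sample)
        for group in report.groups:
            print(report.device, report.hrp_role, group.group_id,
                  check_consistency(group) or "consistent")
```

Run as a script it prints one line per group and sample; wired to a scheduled CLI collection it gives a monitor a single pass/fail per link group, which is the condition the fourth verification step relies on (upstream interface state following the downstream fault).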

Configuration Scripts

Configuration script of the public system (FW_A first, then FW_B):

FW_A

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp track interface GigabitEthernet 0/0/1
 hrp mirror session enable
 hrp nat resource primary-group
#
interface GigabitEthernet 0/0/1
 ip address 192.168.0.2 255.255.255.252
 link-group 1 
#
interface GigabitEthernet 0/0/2
 ip binding vpn-instance vsysa
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
 link-group public 1
#
interface GigabitEthernet 0/0/3
 ip binding vpn-instance vsysb
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
 link-group public 1
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interface Virtual-if0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
vsys enable 
resource-class r0 
#  
vsys name vsysa 
 assign interface GigabitEthernet 0/0/2  
#    
vsys name vsysb 
 assign interface GigabitEthernet 0/0/3 
#
 ip route-static 1.1.1.1 255.255.255.255 null 0
 ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysa
 ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysb  
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.0 0.0.0.3
#    
security-policy  
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  action permit
# 
 nat address-group addressgroup1 
  section 0 1.1.1.1 1.1.1.1 
#  
nat-policy  
  rule name policy_nat 
    source-zone trust 
    destination-zone untrust
    source-address 10.3.1.0 24
    source-address 10.3.2.0 24
    action source-nat address-group addressgroup1

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp track interface GigabitEthernet 0/0/1
 hrp mirror session enable
 hrp nat resource secondary-group
#
interface GigabitEthernet 0/0/1
 ip address 192.168.0.10 255.255.255.252
 link-group 1
#
interface GigabitEthernet 0/0/2
 ip binding vpn-instance vsysa
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
 link-group public 1
#
interface GigabitEthernet 0/0/3
 ip binding vpn-instance vsysb
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
 link-group public 1
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.2 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.2 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interface Virtual-if0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone untrust
 set priority 5 
 add interface GigabitEthernet 0/0/1
#
vsys enable 
resource-class r0 
#  
vsys name vsysa 
 assign interface GigabitEthernet 0/0/2  
#    
vsys name vsysb 
 assign interface GigabitEthernet 0/0/3 
#
 ip route-static 1.1.1.1 255.255.255.255 null 0
 ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysa
 ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysb  
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.8 0.0.0.3
#    
security-policy  
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  action permit    
# 
 nat address-group addressgroup1 
  section 0 1.1.1.1 1.1.1.1 
#  
nat-policy  
  rule name policy_nat 
    source-zone trust 
    destination-zone untrust
    source-address 10.3.1.0 24
    source-address 10.3.2.0 24
    action source-nat address-group addressgroup1
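
The following Python script is an added example (not from the page or the vendor) that cross-checks the FW_A and FW_B public-system scripts above for hot-standby symmetry: each device's hrp remote address must be the peer's heartbeat interface address, one device must hold the primary NAT resource group and the other the secondary, every VRRP group must have the same virtual IP on both devices with exactly one active and one standby member, and for load balancing each device must be active for at least one group. The embedded scripts are excerpts trimmed to the HRP, address and VRRP lines; the parsing rules and the checks are assumptions about what an operator verifies before enabling HRP.

```python
"""Check two hot-standby firewall scripts for HRP/VRRP symmetry.
Added example, not code from the page or the vendor; the scripts are
excerpts of the FW_A and FW_B public-system scripts above, and the checks
are assumptions about what an operator verifies before enabling HRP."""
import re

FW_A_CFG = """\
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp nat resource primary-group
interface GigabitEthernet 0/0/1
 ip address 192.168.0.2 255.255.255.252
interface GigabitEthernet 0/0/2
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
interface GigabitEthernet 0/0/3
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
"""
FW_B_CFG = """\
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp nat resource secondary-group
interface GigabitEthernet 0/0/1
 ip address 192.168.0.10 255.255.255.252
interface GigabitEthernet 0/0/2
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
interface GigabitEthernet 0/0/3
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
"""

HRP_IF_RE = re.compile(r"^hrp interface (.+) remote (\S+)$")
HRP_NAT_RE = re.compile(r"^hrp nat resource (\S+)$")
IFACE_RE = re.compile(r"^interface (.+)$")
IP_RE = re.compile(r"^ip address (\S+) \S+$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")


def parse_config(text):
    """Extract HRP settings and per-interface address and VRRP data."""
    cfg = {"hrp_if": None, "hrp_remote": None, "hrp_nat": None, "interfaces": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HRP_IF_RE.match(line):
            cfg["hrp_if"], cfg["hrp_remote"] = m.groups()
        elif m := HRP_NAT_RE.match(line):
            cfg["hrp_nat"] = m.group(1)
        elif m := IFACE_RE.match(line):
            iface = cfg["interfaces"][m.group(1)] = {"ip": None, "vrrp": {}}
        elif iface is not None and (m := IP_RE.match(line)):
            iface["ip"] = m.group(1)
        elif iface is not None and (m := VRRP_RE.match(line)):
            iface["vrrp"][int(m.group(1))] = (m.group(2), m.group(3))
    return cfg


def check_hot_standby(a, b, na="FW_A", nb="FW_B"):
    """Return findings; an empty list means the pair is symmetric."""
    out = []
    ip_a = a["interfaces"].get(a["hrp_if"], {}).get("ip")
    ip_b = b["interfaces"].get(b["hrp_if"], {}).get("ip")
    if a["hrp_remote"] != ip_b:
        out.append(f"{na} hrp remote {a['hrp_remote']} is not {nb}'s heartbeat address {ip_b}")
    if b["hrp_remote"] != ip_a:
        out.append(f"{nb} hrp remote {b['hrp_remote']} is not {na}'s heartbeat address {ip_a}")
    if {a["hrp_nat"], b["hrp_nat"]} != {"primary-group", "secondary-group"}:
        out.append("hrp nat resource must be primary-group on one device, secondary-group on the other")
    active = {na: set(), nb: set()}   # VRRP groups each device is active for
    for name in sorted(set(a["interfaces"]) | set(b["interfaces"])):
        ia, ib = a["interfaces"].get(name), b["interfaces"].get(name)
        if ia is None or ib is None:
            out.append(f"{name} is configured on only one device")
            continue
        if ia["ip"] == ib["ip"]:
            out.append(f"{name}: address {ia['ip']} is duplicated on both devices")
        for vrid in sorted(set(ia["vrrp"]) | set(ib["vrrp"])):
            va, vb = ia["vrrp"].get(vrid), ib["vrrp"].get(vrid)
            if va is None or vb is None:
                out.append(f"{name}: vrid {vrid} exists on only one device")
                continue
            if va[0] != vb[0]:
                out.append(f"{name}: vrid {vrid} virtual-ip differs ({va[0]} vs {vb[0]})")
            if {va[1], vb[1]} != {"active", "standby"}:
                out.append(f"{name}: vrid {vrid} roles are {va[1]}/{vb[1]}, need one active, one standby")
            for dev, (_, role) in ((na, va), (nb, vb)):
                if role == "active":
                    active[dev].add(vrid)
    if (active[na] or active[nb]) and not (active[na] and active[nb]):
        out.append("all VRRP groups are active on one device: active/standby, not load balancing")
    return out


if __name__ == "__main__":
    print(check_hot_standby(parse_config(FW_A_CFG), parse_config(FW_B_CFG)) or "symmetric")
```

On the scripts as shown on this page the check returns no findings; flipping the vrid 1 role on FW_B to active, or pointing its hrp remote at an address other than FW_A's GigabitEthernet 0/0/7, produces one finding each.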

Configuration script of vsysa (FW_A first, then FW_B):

FW_A


#
switch vsys vsysa
#      
interface GigabitEthernet 0/0/2 
 ip binding vpn-instance vsysa  
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
 link-group public 1     
#
interface Virtual-if1  
 ip address 172.16.1.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5   
 add interface Virtual-if1
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysa_to_vsysb
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  destination-address 10.3.2.0 24
  action deny    
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit    

FW_B

#
switch vsys vsysa
#      
interface GigabitEthernet 0/0/2 
 ip binding vpn-instance vsysa  
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
 link-group public 1     
#
interface Virtual-if1  
 ip address 172.16.1.2 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5 
 add interface Virtual-if1
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysa_to_vsysb
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  destination-address 10.3.2.0 24
  action deny    
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit  

Configuration script of vsysb (FW_A first, then FW_B):

FW_A


#
switch vsys vsysb
#      
interface GigabitEthernet 0/0/3 
 ip binding vpn-instance vsysb  
 ip address 10.3.2.2 255.255.255.0  
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
 link-group public 1     
#
interface Virtual-if2  
 ip address 172.16.2.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5   
 add interface Virtual-if2
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysb_to_vsysa
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  destination-address 10.3.1.0 24
  action deny    
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit

FW_B

#
switch vsys vsysb
#      
interface GigabitEthernet 0/0/3 
 ip binding vpn-instance vsysb  
 ip address 10.3.2.3 255.255.255.0 
 vrrp vrid 2 virtual-ip 10.3.2.1 active
 link-group public 1     
#
interface Virtual-if2  
 ip address 172.16.2.2 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5 
 add interface Virtual-if2
#
 ip route-static 0.0.0.0 0.0.0.0 public
#    
security-policy  
 rule name vsysb_to_vsysa
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  destination-address 10.3.1.0 24
  action deny
 rule name policy_sec
  source-zone trust  
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
Copyright © Huawei Technologies Co., Ltd.