
CLI: Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Sharing the WAN Interface of the Public System)

An enterprise may have multiple departments, and each department has specific functions and responsibilities and requires specific network management policies, which complicates the configuration. As the egress gateway of the enterprise network, the FW uses virtual systems to manage departments separately, simplifying the configuration.

Networking Requirements

Medium-sized enterprise A deploys a firewall as the network gateway. The enterprise network is divided into three subnets, one each for the R&D, financial, and administrative departments. The security policies for the three departments differ and must meet the following requirements:

  • The intranet has only one public IP address and one outside interface. Therefore, all departments must use the same interface to access the Internet.
  • Internet access is granted to all employees of the administrative department, some employees of the R&D department, but none of the employees of the financial department.
  • The three departments have similar traffic volumes and therefore are assigned the same amount of virtual system resources.

Configure virtual systems to meet the preceding requirements. Figure 1 shows the networking diagram.

Figure 1 Networking diagram of network isolation (Layer-3 access, virtual systems sharing the WAN interface of the public system)

Data Planning

Item / Data / Description

public

  • Outside interface: GE0/0/1
  • Security zone to which the outside interface belongs: Untrust
  • Outside interface IP address: 1.1.1.1/24
  • Inside interface: virtual interface Virtual-if0 of the public system
  • Security zone to which the inside interface belongs: Trust
  • IP address of the carrier network gateway: 1.1.1.254/24

In the example, all departments must access the Internet from their own virtual systems through the public system. The departments do not have overlapping private IP addresses. Therefore, you are advised to configure the NAT policies on the public system.

vsysa

  • Virtual system name: vsysa
  • Outside interface: vsysa's virtual interface
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/3
  • Inside interface IP address: 10.3.0.1/24
  • Private IP address range: 10.3.0.0/24
  • Security zone to which the inside interface belongs: Trust
  • Administrator: admin@@vsysa
  • IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10


vsysb

  • Virtual system name: vsysb
  • Outside interface: vsysb's virtual interface
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/4
  • Inside interface IP address: 10.3.1.1/24
  • Private IP address range: 10.3.1.0/24
  • Security zone to which the inside interface belongs: Trust
  • Administrator: admin@@vsysb


vsysc

  • Virtual system name: vsysc
  • Outside interface: vsysc's virtual interface
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/5
  • Inside interface IP address: 10.3.2.1/24
  • Private IP address range: 10.3.2.0/24
  • Security zone to which the inside interface belongs: Trust
  • Administrator: admin@@vsysc


Resource class

  • Name: r1
  • Reserved Number for session: 10000
  • Maximum Number for session: 50000
  • User: 300
  • User Group: 10
  • Policy: 300
  • Outbound Reserved Bandwidth: 20 Mbps

The three departments have similar traffic volumes and therefore are assigned the same resource class.

Configuration Roadmap

  1. The public system administrator creates three virtual systems vsysa, vsysb, and vsysc, assigns resources, and configures an administrator for each virtual system.
  2. The public system administrator configures routes and NAT policies for intranet users to access the Internet.
  3. The administrator of the R&D department logs in to the FW to configure IP addresses, routes, and security policies for vsysa.
  4. The administrator of the financial department logs in to the FW to configure IP addresses, routes, and security policies for vsysb.
  5. The administrator of the administrative department logs in to the FW to configure IP addresses, routes, and security policies for vsysc.

Procedure

  1. The public system administrator creates virtual systems vsysa, vsysb, and vsysc and assigns resources to them.

    # Use the account of the public system administrator to log in to the FW.

    # Enable the virtual system function.

    <FW> system-view
    [FW] vsys enable

    # Configure a resource class.

    [FW] resource-class r1
    [FW-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
    [FW-resource-class-r1] resource-item-limit policy reserved-number 300
    [FW-resource-class-r1] resource-item-limit user reserved-number 300
    [FW-resource-class-r1] resource-item-limit user-group reserved-number 10
    [FW-resource-class-r1] resource-item-limit bandwidth 20 outbound
    [FW-resource-class-r1] quit

    # Create virtual systems and allocate resources to them.

    [FW] vsys name vsysa
    [FW-vsys-vsysa] assign resource-class r1
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/3
    [FW-vsys-vsysa] quit
    [FW] vsys name vsysb
    [FW-vsys-vsysb] assign resource-class r1
    [FW-vsys-vsysb] assign interface GigabitEthernet 0/0/4
    [FW-vsys-vsysb] quit
    [FW] vsys name vsysc
    [FW-vsys-vsysc] assign resource-class r1
    [FW-vsys-vsysc] assign interface GigabitEthernet 0/0/5
    [FW-vsys-vsysc] quit

  2. The public system administrator configures administrators for virtual systems.

    # The public system administrator creates administrator account admin@@vsysa for vsysa.

    [FW] switch vsys vsysa
    <FW-vsysa> system-view
    [FW-vsysa] aaa
    [FW-vsysa-aaa] manager-user admin@@vsysa
    [FW-vsysa-aaa-manager-user-admin@@vsysa] password
    Enter Password:                                                                 
    Confirm Password:                                                               
    [FW-vsysa-aaa-manager-user-admin@@vsysa] service-type web telnet ssh
    [FW-vsysa-aaa-manager-user-admin@@vsysa] level 15
    [FW-vsysa-aaa-manager-user-admin@@vsysa] quit
    [FW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
    [FW-vsysa-aaa] quit
    [FW-vsysa] quit
    <FW-vsysa> quit

    Configure administrators admin@@vsysb and admin@@vsysc for vsysb and vsysc, respectively, by referring to the preceding substeps.

  3. The public system administrator configures routes, security policies, and NAT policies for intranet users to access the Internet.

    # Set IP addresses for interfaces and add the interfaces to security zones. The IP address of Virtual-if0 can be any value as long as it does not conflict with the IP address on any other interface.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface Virtual-if 0
    [FW-Virtual-if0] ip address 172.16.0.1 24
    [FW-Virtual-if0] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface Virtual-if 0
    [FW-zone-trust] quit

    # Create a default route with the next hop being 1.1.1.254.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

    # Configure a security policy. This security policy allows intranet users to access the Internet. A virtual system administrator can configure security policies specific to intranet users' IP addresses. Therefore, the public system administrator does not need to specify IP address ranges when configuring a security policy.

    [FW] security-policy                                                        
    [FW-policy-security] rule name to_internet                                  
    [FW-policy-security-rule-to_internet] source-zone trust                     
    [FW-policy-security-rule-to_internet] destination-zone untrust              
    [FW-policy-security-rule-to_internet] action permit                         
    [FW-policy-security-rule-to_internet] quit                                  
    [FW-policy-security] quit

    # Configure a NAT policy.

    [FW] nat-policy
    [FW-policy-nat] rule name nat1
    [FW-policy-nat-rule-nat1] source-zone trust
    [FW-policy-nat-rule-nat1] egress-interface GigabitEthernet 0/0/1
    [FW-policy-nat-rule-nat1] source-address 10.3.0.0 16
    [FW-policy-nat-rule-nat1] action source-nat easy-ip
    [FW-policy-nat-rule-nat1] quit
    [FW-policy-nat] quit

  4. The administrator of the R&D department configures IP addresses, routes, and security policies for vsysa.

    # Use the virtual system administrator account admin@@vsysa to log in to the FW. Change the login password before performing the following operations.

    # Set IP addresses for interfaces and add the interfaces to security zones. The IP address of Virtual-if1 can be any value as long as it does not conflict with the IP address on any other interface.

    The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the actual interface may not be Virtual-if1.

    <vsysa> system-view
    [vsysa] interface GigabitEthernet 0/0/3
    [vsysa-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [vsysa-GigabitEthernet0/0/3] quit
    [vsysa] interface Virtual-if 1
    [vsysa-Virtual-if1] ip address 172.16.1.1 24
    [vsysa-Virtual-if1] quit
    [vsysa] firewall zone trust
    [vsysa-zone-trust] add interface GigabitEthernet 0/0/3
    [vsysa-zone-trust] quit
    [vsysa] firewall zone untrust
    [vsysa-zone-untrust] add interface Virtual-if 1
    [vsysa-zone-untrust] quit

    # Configure a static route. This static route is used to divert the Internet traffic requested by users of vsysa to the public system.

    For simplicity, this example is based on the assumption that vsysa only processes the Internet access of intranet users. Therefore, in this example, Destination Address/Mask is set to 0.0.0.0 0.0.0.0 so that all packets are sent to the public system by default. In real-world configurations, to ensure correct routing, you must set Destination Address/Mask to a specific IP address range that is allowed to access the Internet. If the routing configuration is incorrect, the private networks attached to vsysa may not communicate with each other.

    [vsysa] ip route-static 0.0.0.0 0.0.0.0 public

    # Configure a static route. This static route forwards traffic destined for the private network of vsysa (including the return traffic of its Internet users) to the intranet next hop.

    [vsysa] ip route-static 10.3.0.0 255.255.255.0 10.3.0.254

    # Configure an address set.

    [vsysa] ip address-set ipaddress1 type object
    [vsysa-object-address-set-ipaddress1] address range 10.3.0.2 10.3.0.10
    [vsysa-object-address-set-ipaddress1] quit

    # Configure a security policy. This security policy allows intranet users of a specific network segment to access the Internet.

    [vsysa] security-policy
    [vsysa-policy-security] rule name to_internet
    [vsysa-policy-security-rule-to_internet] source-zone trust
    [vsysa-policy-security-rule-to_internet] destination-zone untrust
    [vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
    [vsysa-policy-security-rule-to_internet] action permit
    [vsysa-policy-security-rule-to_internet] quit

    # Configure a security policy. This security policy prohibits all employees from accessing the Internet. The priority of this policy is lower than that of the previous policy, and therefore no address range needs to be specified.

    [vsysa-policy-security] rule name to_internet2                                  
    [vsysa-policy-security-rule-to_internet2] source-zone trust                     
    [vsysa-policy-security-rule-to_internet2] destination-zone untrust              
    [vsysa-policy-security-rule-to_internet2] action deny                         
    [vsysa-policy-security-rule-to_internet2] quit                                  
    [vsysa-policy-security] quit

  5. The financial department administrator admin@@vsysb and administrative department administrator admin@@vsysc log in to the FW and configure IP addresses, security zones, and security policies for vsysb and vsysc, respectively.

    The configuration is similar to that of the R&D department except the following:

    • The IP address of the inside interface is different.
    • You do not need to create an IP address range for the financial department. You only need to configure a security policy to prevent all IP addresses from accessing the Internet.
    • You do not need to create an IP address range for the administrative department. You only need to configure a security policy to prohibit all IP addresses from accessing the R&D department network and another security policy to allow all IP addresses to access the Internet.

Verification

  • Access the Internet from the administrative department. If the access succeeds, the IP addresses, security policies of vsysc, and NAT policy of the public system are correctly configured.
  • Access the Internet from the financial department. If the access fails, the IP addresses and security policies of vsysb are correctly configured.
  • Use a PC that is allowed to access the Internet and a PC that is not allowed to access the Internet from the R&D department to access the Internet. If the results are as expected, the IP addresses and security policies of vsysa are correctly configured.
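As an added example (not Huawei's code or FW output), the Python below parses the address-set and security-policy sections of the vsysa configuration script from this page and replays the first-match evaluation that the R&D verification step exercises, so the expected permit/deny outcomes can be checked offline before touching the device. The script text is taken from the page with the zone lines omitted (every rule is trust to untrust); the test hosts 203.0.113.10 (an Internet address), 10.3.0.5 and 10.3.0.50 (R&D PCs inside and outside the allowed range) are assumptions.

```python
import ipaddress

# Constructed input: the address-set and security-policy sections of the vsysa
# script on this page, minus the zone lines (every rule is trust -> untrust).
VSYSA_SCRIPT = """
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
security-policy
 rule name to_admin_department
  source-address address-set ipaddress1
  destination-address 10.3.2.0 24
  action deny
 rule name to_internet
  source-address address-set ipaddress1
  action permit
 rule name to_internet2
  action deny
"""

def parse(script):
    """Return (address_sets, rules); rules keep script order, first match wins."""
    sets, rules, cur_set, cur_rule = {}, [], None, None
    for raw in script.splitlines():
        t = raw.split()
        if not t or t[0] == "#":                  # '#' ends a config section
            cur_set = cur_rule = None
        elif t[:2] == ["ip", "address-set"]:
            cur_set = sets.setdefault(t[2], [])
        elif t[0] == "address" and cur_set is not None and len(t) > 4 and t[2] == "range":
            cur_set.append((ipaddress.ip_address(t[3]), ipaddress.ip_address(t[4])))
        elif t[:2] == ["rule", "name"]:
            cur_rule = {"name": t[2], "src": [], "dst": [], "action": "deny"}
            rules.append(cur_rule)
        elif cur_rule and t[0] in ("source-address", "destination-address"):
            key = "src" if t[0] == "source-address" else "dst"
            if t[1] == "address-set":
                cur_rule[key].extend(sets[t[2]])
            else:                                 # "a.b.c.d prefix-length" form
                net = ipaddress.ip_network(f"{t[1]}/{t[2]}")
                cur_rule[key].append((net[0], net[-1]))
        elif cur_rule and t[0] == "action":
            cur_rule["action"] = t[1]
    return sets, rules

def evaluate(rules, src_ip, dst_ip):
    """(rule name, action) of the first match; an empty list means 'any', no match means drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hit = lambda ranges, ip: not ranges or any(lo <= ip <= hi for lo, hi in ranges)
    for r in rules:
        if hit(r["src"], src) and hit(r["dst"], dst):
            return r["name"], r["action"]
    return "default", "deny"

def check_rd_requirements(script=VSYSA_SCRIPT):
    """Replay the R&D verification; assumed hosts: 203.0.113.10 Internet, 10.3.0.5 allowed R&D PC, 10.3.0.50 other R&D PC."""
    _, rules = parse(script)
    cases = [("10.3.0.5", "203.0.113.10", "permit"), ("10.3.0.50", "203.0.113.10", "deny"),
             ("10.3.0.5", "10.3.2.7", "deny")]
    return all(evaluate(rules, s, d)[1] == want for s, d, want in cases)
```

Reordering the rules in VSYSA_SCRIPT (for example, placing to_internet2 first) makes check_rd_requirements() return False, which is the misconfiguration the verification step is meant to catch.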

Configuration Scripts

Configuration script of the public system

#
 sysname FW
#                 
 vsys enable 
#                 
resource-class r1 
 resource-item-limit session reserved-number 10000 maximum 50000                
 resource-item-limit policy reserved-number 300     
 resource-item-limit user reserved-number 300  
 resource-item-limit user-group reserved-number 10  
 resource-item-limit bandwidth 20 outbound
#                 
vsys name vsysa 1 
 assign resource-class r1                           
 assign interface GigabitEthernet0/0/3    
#                 
vsys name vsysb 2 
 assign resource-class r1            
 assign interface GigabitEthernet0/0/4   
#                 
vsys name vsysc 3 
 assign resource-class r1                
 assign interface GigabitEthernet0/0/5 
#                 
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0  
# 
interface Virtual-if0                    
 ip address 172.16.0.1 255.255.255.0       
#                  
firewall zone trust 
 set priority 85  
 add interface Virtual-if0 
#                 
firewall zone untrust              
 set priority 5   
 add interface GigabitEthernet0/0/1 
#                 
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254                 
#                 
security-policy  
 rule name to_internet 
  source-zone trust 
  destination-zone untrust
  action permit 
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/1
   source-address 10.3.0.0 16
   action source-nat easy-ip
#
return 

Configuration script of vsysa

#                 
interface GigabitEthernet0/0/3  
 ip address 10.3.0.1 255.255.255.0            
 service-manage ping permit  
#                                                                               
interface Virtual-if1                                                           
 ip address 172.16.1.1 255.255.255.0                                              
#                 
firewall zone trust
 set priority 85  
 add interface GigabitEthernet0/0/3     
#                 
firewall zone untrust         
 set priority 5   
 add interface Virtual-if1      
#                 
aaa               
 manager-user admin@@vsysa           
  password cipher %@%@@~QEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]X%@%@      
  service-type web telnet ssh          
  level 15        
 
 bind manager-user admin@@vsysa role system-admin 
#                 
ip address-set ipaddress1 type object            
 address 0 range 10.3.0.2 10.3.0.10   
#                 
 ip route-static 0.0.0.0 0.0.0.0 public      
 ip route-static 10.3.0.0 255.255.255.0 10.3.0.254
#                 
security-policy   
 rule name to_admin_department            
  source-zone trust                  
  destination-zone untrust               
  source-address address-set ipaddress1   
  destination-address 10.3.2.0 24
  action deny
 rule name to_internet            
  source-zone trust                  
  destination-zone untrust               
  source-address address-set ipaddress1   
  action permit   
 rule name to_internet2                
  source-zone trust                      
  destination-zone untrust             
  action deny
#                 
return 

Configuration script of vsysb

#                 
interface GigabitEthernet0/0/4                     
 ip address 10.3.1.1 255.255.255.0             
 service-manage ping permit  
#                                                                               
interface Virtual-if2                                                           
 ip address 172.16.2.1 255.255.255.0                                              
#                 
firewall zone trust                 
 set priority 85  
 add interface GigabitEthernet0/0/4 
#                 
firewall zone untrust                
 set priority 5   
 add interface Virtual-if2      
#                 
aaa               
 manager-user admin@@vsysb                   
  password cipher %@%@zG{;O|!gEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]      
  service-type web telnet ssh                   
  level 15        
 
 bind manager-user admin@@vsysb role system-admin 
#                 
 ip route-static 0.0.0.0 0.0.0.0 public  
 ip route-static 10.3.1.0 255.255.255.0 10.3.1.254
#                 
security-policy   
 rule name to_internet     
  source-zone trust        
  destination-zone untrust
  action deny   
#                 
return 

Configuration script of vsysc

#                 
interface GigabitEthernet0/0/5       
 ip address 10.3.2.1 255.255.255.0         
 service-manage ping permit  
#                                                                               
interface Virtual-if3                                                           
 ip address 172.16.3.1 255.255.255.0                                              
#                 
firewall zone trust              
 set priority 85  
 add interface GigabitEthernet0/0/5     
#                 
firewall zone untrust             
 set priority 5   
 add interface Virtual-if3      
#                 
aaa               
 manager-user admin@@vsysc            
  password cipher %@%@zG{;x|!gEN5"Db/6dvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]      
  service-type web telnet ssh             
  level 15        
 
 bind manager-user admin@@vsysc role system-admin 
#                 
 ip route-static 0.0.0.0 0.0.0.0 public    
 ip route-static 10.3.2.0 255.255.255.0 10.3.2.254
#                 
security-policy   
 rule name to_rd_department            
  source-zone trust                  
  destination-zone untrust               
  destination-address 10.3.0.0 24
  action deny
 rule name to_internet    
  source-zone trust                
  destination-zone untrust
  action permit 
#                 
return 
Copyright © Huawei Technologies Co., Ltd.