Web: Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Sharing the WAN Interface of the Public System)

An enterprise may have multiple departments, and each department has specific functions and responsibilities and requires specific network management policies, which complicates the configuration. As the egress gateway of the enterprise network, the FW uses virtual systems to manage departments separately, simplifying the configuration.

Networking Requirements

Medium-sized enterprise A deploys a firewall as the network gateway. The enterprise network is divided into three subnets, one each for the R&D, financial, and administrative departments. The security policies for the three departments differ and must meet the following requirements:

  • The intranet has only one public IP address and one outside interface. Therefore, all departments must use the same interface to access the Internet.
  • Internet access is granted to all employees of the administrative department and some employees of the R&D department, but to none of the employees of the financial department.
  • The three departments have similar traffic volumes and therefore are assigned the same amount of virtual system resources.

Configure virtual systems to meet the preceding requirements. Figure 1 shows the networking diagram.

Figure 1 Networking diagram of network isolation (Layer-3 access, virtual systems sharing the WAN interface of the public system)

Data Planning

public

  • Outside interface: GE0/0/1
  • Security zone to which the outside interface belongs: Untrust
  • Outside interface IP address: 1.1.1.1/24
  • Inside interface: virtual interface Virtual-if0 of the public system
  • Security zone to which the inside interface belongs: Trust
  • IP address of the carrier network gateway: 1.1.1.254/24

In the example, all departments must access the Internet from their own virtual systems through the public system. The departments do not have overlapping private IP addresses. Therefore, you are advised to configure the NAT policies on the public system.

vsysa

  • Virtual system name: vsysa
  • Outside interface: vsysa's virtual interface
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/3
  • Inside interface IP address: 10.3.0.1/24
  • Private IP address range: 10.3.0.0/24
  • Security zone to which the inside interface belongs: Trust
  • Administrator: admin@@vsysa
  • IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10

vsysb

  • Virtual system name: vsysb
  • Outside interface: vsysb's virtual interface
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/4
  • Inside interface IP address: 10.3.1.1/24
  • Private IP address range: 10.3.1.0/24
  • Security zone to which the inside interface belongs: Trust
  • Administrator: admin@@vsysb

vsysc

  • Virtual system name: vsysc
  • Outside interface: vsysc's virtual interface
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/5
  • Inside interface IP address: 10.3.2.1/24
  • Private IP address range: 10.3.2.0/24
  • Security zone to which the inside interface belongs: Trust
  • Administrator: admin@@vsysc

Resource class

  • Name: r1
  • Reserved Number for session: 10000
  • Maximum Number for session: 50000
  • User: 300
  • User Group: 10
  • Policy: 300
  • Outbound Reserved Bandwidth: 20 Mbps

The three departments have similar traffic volumes and therefore are assigned the same resource class.

Configuration Roadmap

  1. The public system administrator creates three virtual systems vsysa, vsysb, and vsysc, assigns resources, and configures an administrator for each virtual system.
  2. The public system administrator configures routes and NAT policies for intranet users to access the Internet.
  3. The administrator of the R&D department logs in to the FW to configure IP addresses, routes, and security policies for vsysa.
  4. The administrator of the financial department logs in to the FW to configure IP addresses, routes, and security policies for vsysb.
  5. The administrator of the administrative department logs in to the FW to configure IP addresses, routes, and security policies for vsysc.

Procedure

  1. Click Dashboard on the main menu. In the Device Information area, click Configure on the line of Virtual System to enable the virtual system function.

  2. Configure a resource class.
    1. Choose System > Virtual System > Resource Class.

    2. Click Add and set the following parameters.

    3. Click OK.
  3. In the root system, create virtual systems vsysa, vsysb, and vsysc and allocate resources to them.
    1. Choose System > Virtual System > Virtual System.

    2. Click Add and then the Basic Settings tab and set the following parameters.

    3. Click the Interface Settings tab and allocate interfaces to the virtual system.

    4. Click OK.
    5. Create vsysb and vsysc and allocate resources to them.
  4. Create administrators for the virtual systems in the root system.
    1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to access vsysa.

    2. Choose System > Administrator > Administrator.

    3. Click Add and set the following parameters.

      User Name: admin@@vsysa
      Authentication Type: Local authentication
      Password: Vsysadmin@123
      Confirm Password: Vsysadmin@123
      Role: system-admin
      Service type: web telnet ssh

    4. Repeat these steps to create administrators admin@@vsysb for vsysb and admin@@vsysc for vsysc.
  5. In the root system, set IP addresses for the interfaces and assign the interfaces to security zones. The IP address of Virtual-if 0 can be set to any address but it must be different from the IP addresses of all the other interfaces.
    1. Select public from the Virtual System drop-down list in the upper right corner to access the public system.
    2. Choose Network > Interface.
    3. Click the interface name and set the following parameters for the interface.

      Interface              Security Zone   IP Address
      GigabitEthernet 0/0/1  untrust         1.1.1.1/24
      Virtual-if 0           trust           172.16.0.1/24

    4. Click OK.
  6. In the root system, configure routes for intranet users to access the Internet.
    1. Choose Network > Route > Static Route.

    2. Click Add and configure a static route to the Internet.

      Protocol: IPv4
      Source Virtual Router: public
      Destination Address/Mask: 0.0.0.0/0.0.0.0
      Destination Virtual Router: public
      Next Hop: 1.1.1.254
      Outgoing Interface: NONE

    3. Click OK.
  7. In the root system, configure security policies for intranet users to access the Internet.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy and set the following parameters.

      Name: to_internet
      Source Zone: trust
      Destination Zone: untrust
      Action: permit

      Virtual system administrators can configure strict security policies based on the IP addresses of intranet employees. Therefore, the root system administrator does not need to specify the IP address range.

    3. Click OK.
  8. In the root system, configure a NAT policy for intranet users to access the Internet.
    1. Choose Policy > NAT Policy > NAT Policy > NAT Policy, click Add, and set the following NAT policy parameters.

      Name: nat1
      NAT Type: NAT
      NAT Mode: Source address translation
      Source Zone: trust
      Destination Type: Outbound Interface
      Outbound Interface: GigabitEthernet 0/0/1
      Source Address: 10.3.0.0/16
      Source Address Translated To: Outbound Interface

    2. Click OK.
  9. Set IP addresses in vsysa.

    Use the vsysa administrator account admin@@vsysa to log in to the firewall. Change the login password before performing the following operations.

    Set IP addresses for interfaces and assign the interfaces to security zones. The IP address of Virtual-if 1 can be set to any address but it must be different from the IP addresses of all the other interfaces.

    The IDs of Virtual-if interfaces are randomly assigned from available IDs in the system. Therefore, in the actual configuration, the interface may not be Virtual-if 1.

    1. Select vsysa from the Virtual System drop-down list in the upper right corner to access vsysa.
    2. Choose Network > Interface.
    3. Click the interface name and set the following parameters for the interface.

      Interface              Security Zone   IP Address
      GigabitEthernet 0/0/3  trust           10.3.0.1/24
      Virtual-if 1           untrust         172.16.1.1/24

    4. Click OK.
  10. Configure routes in vsysa to guide Internet access traffic from employees in vsysa to the root system.

    In this example, the network topology and routing configuration are simplified. If vsysa only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0 0.0.0.0. That is, all packets are sent to the root system. In practice, for accurate routing information, Destination Address/Mask should be set to a specific Internet address range that the intranet users are allowed to access. Incorrect routing configurations may interrupt the communications of the private networks connected to vsysa.

    1. Choose Network > Route > Static Route.

    2. Click Add and configure the following default route.

      Protocol: IPv4
      Source Virtual Router: vsysa
      Destination Address/Mask: 0.0.0.0/0.0.0.0
      Destination Virtual Router: public
      Next Hop: (leave blank)
      Outgoing Interface: NONE

    3. Click OK.
    4. Repeat these steps to configure a static route to guide return traffic of employees in vsysa from the Internet to intranet.

      Protocol: IPv4
      Source Virtual Router: vsysa
      Destination Address/Mask: 10.3.0.0/255.255.255.0
      Destination Virtual Router: vsysa
      Next Hop: 10.3.0.254
      Outgoing Interface: NONE

    5. Click OK.
  11. Configure security policies in vsysa.
    1. Choose Object > Address > Address.

    2. Click Add and set the following IP address range.

      Name: ipaddress1
      IP Address Range: 10.3.0.2-10.3.0.10

    3. Click OK.
    4. Choose Policy > Security Policy > Security Policy.
    5. Click Add Security Policy and configure a security policy for vsysa with the following parameter values to prohibit employees on a specific network segment from accessing the administrative department network. Because routes have been configured in the root system to divert the return traffic to vsysa and vsysc, vsysa and vsysc can communicate with each other through the root system. To isolate the virtual systems, you must configure this security policy in vsysa.

      Name: to_admin_department
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: ipaddress1
      Destination Address/Region: 10.3.2.0/24
      Action: deny

    6. Click OK.
    7. Configure the following security policy for vsysa to allow employees on a specific network segment to access the Internet.

      Name: to_internet
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: ipaddress1
      Action: permit

    8. Click OK.
    9. Configure another security policy for vsysa to prohibit all employees from accessing the Internet. The priority of this policy is lower than that of the previous policy, and therefore no address range needs to be specified.

      Name: to_internet2
      Source Zone: trust
      Destination Zone: untrust
      Action: deny

    10. Click OK.
  12. The financial department administrator admin@@vsysb and administrative department administrator admin@@vsysc log in to the FW and configure IP addresses, security zones, and security policies for vsysb and vsysc, respectively.

    The configuration is similar to that of the R&D department, except for the following differences:

    • The IP address of the inside interface is different.
    • You do not need to create an IP address range for the financial department. You only need to configure a security policy to prevent all IP addresses from accessing the Internet.
    • You do not need to create an IP address range for the administrative department. You only need to configure a security policy to prohibit all IP addresses from accessing the R&D department network and another security policy to allow all IP addresses to access the Internet.

Verification

  • Access the Internet from the administrative department. If the access succeeds, the IP addresses, security policies of vsysc, and NAT policy of the public system are correctly configured.
  • Access the Internet from the financial department. If the access fails, the IP addresses and security policies of vsysb are correctly configured.
  • Use a PC that is allowed to access the Internet and a PC that is not allowed to access the Internet from the R&D department to access the Internet. If the results are as expected, the IP addresses and security policies of vsysa are correctly configured.
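As an added example that is not part of this Huawei page, the following Python model replays the Verification checks offline against the security policies of vsysa, vsysb, and vsysc as given in the configuration scripts (top-down, first-match evaluation with the firewall's default deny). The rule names, the ipaddress1 object, and the department segments are the page's; the Internet host 203.0.113.10 is a constructed placeholder, and the model evaluates only the trust-to-untrust policy of the source virtual system.

```python
import ipaddress

# Address object and policies copied from this example's vsysa, vsysb and vsysc
# scripts. Rules match top-down, first hit wins, no match means the default deny.
ADDRESS_SETS = {"ipaddress1": [("10.3.0.2", "10.3.0.10")]}
POLICIES = {
    "vsysa": [
        {"name": "to_admin_department", "src": "ipaddress1", "dst": "10.3.2.0/24", "action": "deny"},
        {"name": "to_internet", "src": "ipaddress1", "action": "permit"},
        {"name": "to_internet2", "action": "deny"},
    ],
    "vsysb": [{"name": "to_internet", "action": "deny"}],
    "vsysc": [
        {"name": "to_rd_department", "dst": "10.3.0.0/24", "action": "deny"},
        {"name": "to_internet", "action": "permit"},
    ],
}
SEGMENTS = {"vsysa": "10.3.0.0/24", "vsysb": "10.3.1.0/24", "vsysc": "10.3.2.0/24"}


def _src_matches(rule, src):
    """A rule with no source matches every host; otherwise test the address set."""
    name = rule.get("src")
    if name is None:
        return True
    ip = ipaddress.ip_address(src)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ADDRESS_SETS[name])

def _dst_matches(rule, dst):
    """A rule with no destination matches every address; otherwise test the prefix."""
    net = rule.get("dst")
    return net is None or ipaddress.ip_address(dst) in ipaddress.ip_network(net)

def evaluate(vsys, src, dst):
    """Return (action, rule name) for trust->untrust traffic leaving the given vsys."""
    for rule in POLICIES[vsys]:
        if _src_matches(rule, src) and _dst_matches(rule, dst):
            return rule["action"], rule["name"]
    return "deny", "default"

def vsys_for(src):
    """Map a source host to the virtual system owning its segment (data plan)."""
    for vsys, net in SEGMENTS.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return vsys
    raise ValueError(f"{src} is outside every department segment")

def check_requirements(internet_host="203.0.113.10"):
    """Replay the Verification checks plus the inter-department isolation rules."""
    expected = [
        ("10.3.2.20", internet_host, "permit"),  # administrative dept, any host
        ("10.3.1.20", internet_host, "deny"),    # financial dept, any host
        ("10.3.0.5", internet_host, "permit"),   # R&D host inside ipaddress1
        ("10.3.0.50", internet_host, "deny"),    # R&D host outside ipaddress1
        ("10.3.0.5", "10.3.2.20", "deny"),       # R&D -> admin dept, denied in vsysa
        ("10.3.2.20", "10.3.0.5", "deny"),       # admin -> R&D dept, denied in vsysc
    ]
    return all(evaluate(vsys_for(s), s, d)[0] == a for s, d, a in expected)
```

Traffic between departments also crosses the destination virtual system's untrust-to-trust policy, which has no permit rule in this example, so the model is a conservative check of the outbound side only.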

Configuration Scripts

Configuration script of the root system:

#
 sysname FW
#
 vsys enable
#
resource-class r1
 resource-item-limit session reserved-number 10000 maximum 50000
 resource-item-limit policy reserved-number 300
 resource-item-limit user reserved-number 300
 resource-item-limit user-group reserved-number 10
 resource-item-limit bandwidth 20 outbound
#
vsys name vsysa 1
 assign resource-class r1
 assign interface GigabitEthernet0/0/3
#
vsys name vsysb 2
 assign resource-class r1
 assign interface GigabitEthernet0/0/4
#
vsys name vsysc 3
 assign resource-class r1
 assign interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name nat1
  source-zone trust
  egress-interface GigabitEthernet0/0/1
  source-address 10.3.0.0 16
  action source-nat easy-ip
#
return

Configuration script of vsysa:

#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage ping permit
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
aaa
 manager-user admin@@vsysa
  password cipher %@%@@~QEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]X%@%@
  service-type web telnet ssh
  level 15
  bind manager-user admin@@vsysa role system-admin
#
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
 ip route-static 0.0.0.0 0.0.0.0 public
 ip route-static 10.3.0.0 255.255.255.0 10.3.0.254
#
security-policy
 rule name to_admin_department
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  destination-address 10.3.2.0 24
  action deny
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
 rule name to_internet2
  source-zone trust
  destination-zone untrust
  action deny
#
return

Configuration script of vsysb:

#
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
 service-manage ping permit
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/4
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
aaa
 manager-user admin@@vsysb
  password cipher %@%@zG{;O|!gEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
  service-type web telnet ssh
  level 15
  bind manager-user admin@@vsysb role system-admin
#
 ip route-static 0.0.0.0 0.0.0.0 public
 ip route-static 10.3.1.0 255.255.255.0 10.3.1.254
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action deny
#
return

Configuration script of vsysc:

#
interface GigabitEthernet0/0/5
 ip address 10.3.2.1 255.255.255.0
 service-manage ping permit
#
interface Virtual-if3
 ip address 172.16.3.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/5
#
firewall zone untrust
 set priority 5
 add interface Virtual-if3
#
aaa
 manager-user admin@@vsysc
  password cipher %@%@zG{;x|!gEN5"Db/6dvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
  service-type web telnet ssh
  level 15
  bind manager-user admin@@vsysc role system-admin
#
 ip route-static 0.0.0.0 0.0.0.0 public
 ip route-static 10.3.2.0 255.255.255.0 10.3.2.254
#
security-policy
 rule name to_rd_department
  source-zone trust
  destination-zone untrust
  destination-address 10.3.0.0 24
  action deny
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
#
return

Copyright © Huawei Technologies Co., Ltd.