CLI: Example for Basic Configuration

After logging in, an administrator needs to complete the basic network configuration first so that the device can connect to the network.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW as the enterprise network egress gateway. After logging in to the FW, the administrator needs to complete basic network configuration on the FW, including setting the device name, clock, and interface IP addresses, adding interfaces to security zones, and configuring default routes and default packet filtering rules.

After the preceding configuration is complete, the FW can connect to the Internet.

Figure 1 Networking diagram for basic network configuration

Configuration Roadmap

  1. Set a device name for the FW.
  2. Set the clock on the FW.
  3. Set IP addresses for the service interfaces on the FW. The IP addresses must be planned in advance.
  4. Add the service interfaces to security zones. Generally, the interfaces connecting to the Internet must be added to security zones with a low security level (such as the Untrust zone), and the interfaces connecting to the enterprise network must be added to security zones with a high security level (such as the Trust zone). Servers can be deployed in the DMZ.
  5. Configure a default route and set the next hop to the access point provided by the ISP.
  6. Configure the default packet-filtering rule to permit the FW to access the Internet. By default, the FW is prohibited from accessing the Internet.

    You are advised to keep the default setting and configure security policies that specify the permitted data flows.

Procedure

  1. Set a device name for the FW.

    <FW> system-view
    [FW] sysname FW_A
    [FW_A] quit

  2. Set the time and time zone.

    <FW_A> clock datetime 18:10:45 2014-01-01
    <FW_A> clock timezone BJ add 08:00:00

    Beijing is in time zone UTC+8. Therefore, you need to add 8 hours to the default UTC time zone during configuration.

  3. Set interface IP addresses.

    The IP addresses (1.1.1.1/24 in this example) of the interfaces connecting to the ISP network need to be obtained from the ISP.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/0
    [FW_A-GigabitEthernet0/0/0] ip address 192.168.1.1 24
    [FW_A-GigabitEthernet0/0/0] quit
    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 1.1.1.1 24
    [FW_A-GigabitEthernet0/0/2] quit

  4. Add the service interfaces to security zones.

    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/0
    [FW_A-zone-trust] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 0/0/1
    [FW_A-zone-dmz] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW_A-zone-untrust] quit

  5. Configure a default route.

    [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

  6. Configure the default packet-filtering rule to permit the FW to access the Internet.

    You are advised to keep the default setting and configure security policies that specify the permitted data flows; the commands below instead change the default action to permit.

    [FW_A] security-policy
    [FW_A-policy-security] default action permit

Configuration Scripts

    #
     sysname FW_A
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 1.1.1.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/0
    #
    firewall zone dmz
     set priority 50
     add interface GigabitEthernet0/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/2
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
    #
    security-policy
     default action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.