
Web: Example for Basic Configuration

After logging in, an administrator needs to complete the basic network configuration first so that the device can connect to the network.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW as the enterprise network egress gateway. After logging in to the FW, the administrator needs to complete basic network configuration on the FW, including setting the device name, clock, and interface IP addresses, adding interfaces to security zones, and configuring default routes and default packet filtering rules.

After the preceding configuration is complete, the FW can connect to the Internet.

Figure 1 Networking diagram for basic network configuration

Configuration Roadmap

  1. Set the clock on the FW.
  2. Set IP addresses for the service interfaces on the FW. The IP addresses must be planned in advance.
  3. Add the service interfaces to security zones. Generally, the interfaces connecting to the Internet must be added to security zones with a low security level (such as the Untrust zone), and the interfaces connecting to the enterprise network must be added to security zones with a high security level (such as the Trust zone). Servers can be deployed in the DMZ.
  4. Configure a default route and set the next hop to the access point provided by the ISP.
  5. Configure the default packet-filtering rule to permit the FW to access the Internet. By default, the FW is prohibited from accessing the Internet.

    You are advised to keep the default setting, under which access is prohibited, and configure security policies that specify the data flows that are permitted.

Procedure

  1. Set the time and time zone.
    1. Choose System > Setup > Time.
    2. Select Manually Set the Time in Configuration Mode.
    3. Set Time Zone.
    4. Set Date.
    5. Set System Time.
    6. Click Apply.
  2. Set an IP address for the interface GE0/0/0 and add the interface to a security zone.
    1. Choose Network > Interface.
    2. Click GE0/0/0.
    3. Set the parameters for the interface GE0/0/0 as listed in the following table.

      Parameter     Value
      Zone          trust
      IP Address    192.168.1.1/24

    4. Click OK.
    5. Set the parameters for the interface GE0/0/1 by referring to the preceding steps.

      Parameter     Value
      Zone          dmz
      IP Address    10.1.1.1/24

    6. Set the parameters for the interface GE0/0/2 by referring to the preceding steps.

      Parameter     Value
      Zone          untrust
      IP Address    1.1.1.1/24

  3. Configure the default route.
    1. Choose Network > Route > Static Route.
    2. Click Add.
    3. Set parameters for the default route as listed in the following table.

      Parameter              Value
      Destination Address    0.0.0.0
      Mask                   0.0.0.0
      Next Hop               1.1.1.254

    4. Click OK.
  4. Configure the default packet-filtering rule to permit the FW to access the Internet.

    You are advised to keep the default setting, under which access is prohibited, and configure security policies that specify the data flows that are permitted.

    1. Choose Policy > Security Policy.
    2. Set the action of the default security policy to Permit.

    3. Click OK.

Configuration Scripts

#
 sysname FW_A
#
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
 default action permit
#
return
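
The following Python audit is an added example, not part of the original page and not a Huawei tool. It reads a script in the format shown above, flags the default action permit setting that the page advises against, and checks that the interface facing the default route is in the lowest-priority zone; the function name audit and the wording of the findings are assumptions made for this example.

```python
import ipaddress

# Excerpt of the page's configuration script (sysname and dmz sections omitted).
CONFIG = """\
#
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
 default action permit
"""

def audit(config):
    """Return a list of findings for a '#'-delimited script in the page's format."""
    subnets, zone_of, prio, findings, next_hop, section = {}, {}, {}, [], None, ""
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # an unindented line opens a new section
            section = line.strip()
            if words[:4] == ["ip", "route-static", "0.0.0.0", "0.0.0.0"] and len(words) > 4:
                next_hop = ipaddress.ip_address(words[4])
        elif section.startswith("interface ") and words[:2] == ["ip", "address"]:
            subnets[section.split()[1]] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif section.startswith("firewall zone ") and words[:2] == ["set", "priority"]:
            prio[section.split()[2]] = int(words[2])
        elif section.startswith("firewall zone ") and words[:2] == ["add", "interface"]:
            zone_of[words[2]] = section.split()[2]
        elif section == "security-policy" and words == ["default", "action", "permit"]:
            findings.append("default security policy action is permit")
    lowest = min(prio, key=prio.get, default=None)  # lowest priority = least trusted zone
    for iface, net in subnets.items():
        if next_hop is not None and next_hop in net and zone_of.get(iface) != lowest:
            findings.append(f"{iface} faces the default route but is in zone {zone_of.get(iface)}")
    return findings
```

Calling audit(CONFIG) on the excerpt returns a single finding, for the default action.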
Copyright © Huawei Technologies Co., Ltd.