HUAWEI USG6000, USG6000E, USG9500, and NGFW Module Quick Configuration Guide (With New Web UI)
Issue: 04 (2021-05-07)
Contents
Logging In to the Web Configuration Page 005
Example 5: NAT Server for Internet Users to Access Intranet Servers 038
Example 6: Both Intranet and Internet Users Accessing an Intranet Server 046
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) 081
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) 093
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) 104
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) 115
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) 126
Example 9.6: L2TP over IPSec Access from Clients (Android) 136
Example 9.7: L2TP over IPSec Access from Clients (iOS) 145
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) 274
Note:
• This document is written based on USG6000E V600R007C00 and can be used as a reference for USG6000E V600R007C00, USG6000/USG9500/NGFW Module V500R005C20, and later versions. The web UI may vary according to the version. You can refer to the configuration procedure in this case, but the actual web UI prevails.
• This document describes only the web UI configuration in typical firewall scenarios. For details about feature principles, CLI configuration methods, and more configuration cases, log in to the Huawei enterprise technical support website and download the corresponding product documentation. If you want to learn how to locate and rectify common firewall faults, log in to the Huawei enterprise technical support website and download the maintenance guide of the corresponding product.
Logging In to the Web Configuration Page
Networking diagram: the administrator PC (IP address 192.168.0.*) connects to the firewall management interface GE0/0/0 (192.168.0.1/24).
Note: For USG6000E V600R007C20 and later versions, there is no administrator by default. If you log in to the web interface for the first time, you must register an administrator account and password. Administrators created in this mode have the system administrator role and web service type, but cannot be the virtual system administrator "manager-user@@vsys-name".
1. Set the IP address of the administrator PC within the range from 192.168.0.2 to 192.168.0.254.
2. Open the browser on the administrator PC. In the address box, enter the default IP address of the management interface (https://192.168.0.1:8443).
3. The browser displays an insecure certificate warning. Select Continue to this website (not recommended).
On the login page, you can click Download CA certificate to download the certificate issued by the device and import the certificate to the browser on the administrator PC. Then, the insecure certificate warning will not be displayed upon the next login.
4. Enter the user name and password.
5. Log in to the Web Configuration Page.
The web configuration page consists of the navigation tree, the operation area, and the CLI console.
Example 1: Accessing the Internet Using a Static IP Address Networking diagram
Networking diagram: intranet PCs connect to firewall LAN interface GE0/0/2 (10.3.0.1/24, Trust zone); firewall WAN interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the carrier router at 1.1.1.254.
All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The static IP address that the enterprise obtains from the carrier is 1.1.1.1, with a 24-bit subnet mask. The enterprise accesses the Internet through the firewall.
Example 1: Accessing the Internet Using a Static IP Address Step 1 Configure Interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 1: Accessing the Internet Using a Static IP Address Step 2 Configure the DHCP Service
Configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.
Example 1: Accessing the Internet Using a Static IP Address Step 3 Configure Security Policy
Permit intranet IP addresses to access the Internet.
Example 1: Accessing the Internet Using a Static IP Address Step 4 Configure Source NAT
Add a source NAT policy for intranet users to access the Internet using a public IP address.
Example 1: Accessing the Internet Using a Static IP Address Step 5 Verify the Configurations (1)
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
Example 1: Accessing the Internet Using a Static IP Address Step 5 Verify the Configurations (2)
2. Run the ipconfig /all command on the PC; the correct IP addresses of the PC and DNS server are obtained.
3. The PC on the LAN can use domain names to access the Internet.
Example 2: Accessing the Internet Using PPPoE Networking diagram
Networking diagram: intranet PCs (10.3.0.0/24) connect to firewall LAN interface GE0/0/2 (10.3.0.1/24, Trust zone); firewall WAN interface GE0/0/1 (Untrust zone) dials up to the carrier through PPPoE.
All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The firewall, acting as a client, obtains an IP address by dialing up to the carrier's server through PPPoE for Internet access.
Interface GigabitEthernet 0/0/2: IP address 10.3.0.1/24, security zone Trust; uses DHCP to dynamically assign IP addresses to PCs on the LAN.
Example 2: Accessing the Internet Using PPPoE Step 1 Configure Interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 2: Accessing the Internet Using PPPoE Step 2 Configure the DHCP Service
Configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.
Example 2: Accessing the Internet Using PPPoE Step 3 Configure Security Policy
Permit intranet IP addresses to access the Internet.
Example 2: Accessing the Internet Using PPPoE Step 4 Configure Source NAT
Add a source NAT policy for intranet users to access the Internet using a public IP address.
Example 2: Accessing the Internet Using PPPoE Step 5 Configure Default Route
Configure a default route to ensure that intranet users are routable to the Internet.
Example 2: Accessing the Internet Using PPPoE Step 6 Verify the Configurations (1)
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
Example 2: Accessing the Internet Using PPPoE Step 6 Verify the Configurations (2)
2. Run the ipconfig /all command on the PC; the correct IP addresses of the PC and DNS server are obtained.
3. The PC on the LAN can use domain names to access the Internet.
Example 3: Accessing the Internet Through Multiple ISP Networks Networking diagram
Networking diagram: the student network connects to FW interface GE0/0/3 (10.3.0.1/24) and the teacher network to FW interface GE0/0/4 (10.3.1.1/24), both in the Trust zone; on the WAN side, the education network is reached through the Untrust zone and the ISP network through the Untrust1 zone.
A college deploys a firewall as a security gateway on the campus network. PCs on the student network can access the Internet only through the education network, and PCs on the teacher network can access the Internet only through the ISP network.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 1 Configure security zones
Create security zone untrust1.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 2 Configure the interfaces (1)
Set the parameters of both WAN interfaces.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 2 Configure the interfaces (2)
Set the parameters of both LAN interfaces.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 3 Configure security policies
Allow PCs on the student network to access the Internet. Allow PCs on the teacher network to access the Internet.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 4 Configure NAT address pools
Create NAT address pools addres_1 and addres_2.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 5 Configure source NAT policies
Perform address translation when PCs on the student network access the Internet. Perform address translation when PCs on the teacher network access the Internet.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 6 Configure PBR routes
PCs on the student network access the Internet through GigabitEthernet 0/0/2 over the education network. PCs on the teacher network access the Internet through GigabitEthernet 0/0/1.
Example 3: Accessing the Internet Through Multiple ISP Networks Step 7 Verify the configurations
PCs on the student network access the Internet through GigabitEthernet 0/0/2 over the education network.
PCs on the teacher network access the Internet through GigabitEthernet 0/0/1 over the ISP network.
Session table information when the PC 10.3.0.2 of a student and the PC 10.3.1.2 of a teacher access extranet host 10.30.1.1 respectively.
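To make the decision chain of Steps 3 to 6 concrete, here is an added Python model (an illustration written for this guide, not Huawei code and not the firewall's implementation) that walks a new flow from a student or teacher PC through PBR, the zone-based security policy and the per-uplink NAT pool, and renders the session-table view that Step 7 asks you to check. The pool addresses, the NAPT port range and the zone-to-uplink mapping (education uplink GigabitEthernet 0/0/2 in untrust, ISP uplink GigabitEthernet 0/0/1 in untrust1, read off the diagram) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

# Intranet networks from the page: student network behind GE0/0/3 (10.3.0.1/24)
# and teacher network behind GE0/0/4 (10.3.1.1/24), both in zone trust.
STUDENT_NET = ip_network("10.3.0.0/24")
TEACHER_NET = ip_network("10.3.1.0/24")
ANY = ip_network("0.0.0.0/0")

# Step 6: PBR sends students out GigabitEthernet 0/0/2 toward the education
# network and teachers out GigabitEthernet 0/0/1 toward the ISP. The zone of
# each uplink is an assumption taken from the networking diagram.
PBR_RULES = [
    {"src": STUDENT_NET, "out_if": "GigabitEthernet0/0/2", "zone": "untrust"},
    {"src": TEACHER_NET, "out_if": "GigabitEthernet0/0/1", "zone": "untrust1"},
]

# Step 3: security policies are matched on the zone pair plus source/destination.
SECURITY_POLICIES = [
    {"src_zone": "trust", "dst_zone": "untrust", "src": STUDENT_NET, "dst": ANY, "action": "permit"},
    {"src_zone": "trust", "dst_zone": "untrust1", "src": TEACHER_NET, "dst": ANY, "action": "permit"},
]

# Steps 4/5: one NAT address pool per uplink. The page names the pools
# (addres_1, addres_2) but not their addresses; these values are constructed.
NAT_POOLS = {
    "untrust": {"name": "addres_1", "addresses": ["203.0.113.10"]},   # constructed
    "untrust1": {"name": "addres_2", "addresses": ["198.51.100.10"]}, # constructed
}
_port_counters = {zone: count(10240) for zone in NAT_POOLS}  # constructed NAPT port range


@dataclass
class Verdict:
    permitted: bool
    reason: str
    out_if: str = ""
    zone: str = ""
    nat_pool: str = ""
    nat_src: str = ""
    nat_port: int = 0


def forward(src_ip: str, dst_ip: str) -> Verdict:
    """Walk the first packet of a new trust-zone flow through PBR, policy and NAT."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # 1. PBR is consulted before the routing table; the first matching rule wins
    #    and fixes both the egress interface and therefore the destination zone.
    rule = next((r for r in PBR_RULES if src in r["src"]), None)
    if rule is None:
        return Verdict(False, "no PBR rule; would fall to the routing table, which this model omits")
    # 2. The security policy is keyed on the zone pair the PBR decision produced,
    #    so a host outside the two permitted networks is dropped even if routed.
    policy = next((p for p in SECURITY_POLICIES
                   if p["src_zone"] == "trust" and p["dst_zone"] == rule["zone"]
                   and src in p["src"] and dst in p["dst"]), None)
    if policy is None or policy["action"] != "permit":
        return Verdict(False, f"no permit for trust -> {rule['zone']}", rule["out_if"], rule["zone"])
    # 3. Source NAT uses the pool bound to the egress zone (NAPT: address + port).
    pool = NAT_POOLS[rule["zone"]]
    return Verdict(True, "permitted", rule["out_if"], rule["zone"], pool["name"],
                   pool["addresses"][0], next(_port_counters[rule["zone"]]))


def session_entry(src_ip: str, dst_ip: str) -> str:
    """Render the flow the way Step 7 asks you to check it in the session table."""
    v = forward(src_ip, dst_ip)
    if not v.permitted:
        return f"{src_ip} -> {dst_ip}: dropped ({v.reason})"
    return (f"{src_ip} -> {dst_ip} via {v.out_if} [{v.zone}] "
            f"snat {v.nat_src}:{v.nat_port} ({v.nat_pool})")


if __name__ == "__main__":
    # Step 7 of the page: a student PC and a teacher PC reaching 10.30.1.1,
    # plus a constructed host from a subnet that has no PBR rule.
    for host in ("10.3.0.2", "10.3.1.2", "10.3.2.2"):
        print(session_entry(host, "10.30.1.1"))
```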
Example 4: NAPT for Intranet Users to Access the Internet Networking diagram
Networking diagram: PC_A and PC_B on intranet 10.1.1.0/24 connect through an aggregation switch (10.1.2.1/24, VLAN100) to FW interface GE0/0/1 (zone trust); FW interface GE0/0/3 (zone untrust) connects, still in VLAN100, to the egress gateway (10.1.2.2/24 toward the FW, 1.1.1.1/24 toward the ISP). The source NAT policy is applied on the FW.
The firewall is deployed at the border of a network in transparent mode. Its uplink and downlink service interfaces work in Layer 2 mode.
A source NAT policy is configured on the firewall to allow users in network segment 10.1.1.0/24 to access the Internet.
Example 4: NAPT for Intranet Users to Access the Internet Step 1 Configure the interfaces on FW
Set LAN interface parameters. Set WAN interface parameters.
Example 4: NAPT for Intranet Users to Access the Internet Step 2 Configure security policies on FW
Allow intranet users to access the Internet.
Example 4: NAPT for Intranet Users to Access the Internet Step 3 Configure a NAT address pool on FW
Configure a NAT address pool to provide public addresses for intranet users.
Example 4: NAPT for Intranet Users to Access the Internet Step 4 Configure NAT policies on FW
Configure a NAT policy for access from the intranet to the Internet.
Example 4: NAPT for Intranet Users to Access the Internet Step 5 Verify the configurations
1. Intranet hosts can access the Internet.
2. The source NAT policy table shows that the source NAT policy has been matched.
Example 5: NAT Server for Internet Users to Access Intranet Servers Networking diagram
Networking diagram: the FTP server (10.2.0.8/24, subnet 10.2.0.0/24) connects to FW interface GE0/0/2 (10.2.0.1/24, zone trust); the FW reaches ISP1 through zone untrust1 and ISP2 through zone untrust2.
A firewall is deployed at the network border as a security gateway. It accesses the Internet through two ISP networks.
In this example, NAT Server is configured on the firewall to provide different service addresses of intranet servers for users on the ISP networks.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 1 Create security zones on FW
Create security zones untrust1 and untrust2.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 2 Configure the interfaces on FW (1)
Set parameters for the interface connecting to the ISP1 network. Set parameters for the interface connecting to the ISP2 network.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 2 Configure the interfaces on FW (2)
Set LAN interface parameters.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 3 Configure security policies on FW
Allow Internet users to access intranet servers.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 4 Configure NAT Server on FW
Configure server mappings policy_ftp1 and policy_ftp2.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 5 Enable NAT ALG for FTP
Enable the NAT ALG for FTP.
Example 5: NAT Server for Internet Users to Access Intranet Servers Step 6 Verify the configurations
1. Internet users can access intranet servers through different ISP networks.
2. Click Diagnose to view the server mapping status. If the current state is Connected, the intranet server is reachable.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Networking Diagram
Networking diagram: the PC (10.3.0.31/24) and the FTP server (10.3.0.30/24) are on intranet subnet 10.3.0.0/24 behind firewall LAN interface GE0/0/2 (10.3.0.1/24, Trust zone); firewall WAN interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the router at 1.1.1.254/24.
Both intranet users and the FTP server for Internet users reside on subnet 10.3.0.0/24 in the Trust zone.
The enterprise uses a fixed IP address provided by the ISP to access the Internet.
Both intranet and Internet users use the public IP address 1.1.1.2 and port 2121 to access the FTP server, and intranet users use public IP address 1.1.1.1 to access the Internet.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 1 Configure Interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 2 Configure Security Policy
Permit intranet users to access the Internet. Permit Internet users to access the intranet FTP server.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 3 Create NAT Address Pool
Configure a public IP address 1.1.1.1 in a NAT address pool.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 4 Configure Source NAT
Add a source NAT policy for intranet users to access the Internet using a public IP address. Add a second source NAT policy for intranet users to access the public IP address of the FTP server.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 5 Configure Server Mapping
Map the private IP address of the FTP server to public IP address 1.1.1.2.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 6 Configure NAT ALG
By default, the NAT ALG is enabled for FTP.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server Step 7 Verify the Configurations
Choose Monitor > Session Table on the firewall to view NAT information. Check for the entries in which the destination address is 1.1.1.2. To view the port translation information, click the icon of the corresponding entry.
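Why Step 4 needs a second source NAT policy, as an added Python model (an illustration written for this guide, not Huawei code): an intranet client that connects to 1.1.1.2:2121 is mapped to 10.3.0.30, and unless its own source address is also translated to 1.1.1.1, the server replies straight across the LAN and the firewall never sees the return packet. The server's private port (21), the NAPT port range and the client addresses and ports are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count

TRUST_NET = ip_network("10.3.0.0/24")              # page: intranet subnet (Trust zone)
FTP_SERVER = ("10.3.0.30", 21)                      # page: 10.3.0.30; port 21 is assumed
SERVER_MAPPING = {("1.1.1.2", 2121): FTP_SERVER}    # page, Step 5: public 1.1.1.2:2121
NAT_POOL_ADDR = "1.1.1.1"                           # page, Step 3: NAT address pool
_napt_ports = count(10240)                          # constructed NAPT port range


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self) -> str:
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


def zone_of(ip: str) -> str:
    return "trust" if ip_address(ip) in TRUST_NET else "untrust"


def translate(flow: Flow, hairpin_snat: bool) -> Flow:
    """Apply the firewall's translations to the first packet of a new session.

    The server mapping (destination NAT) is applied first. The second source
    NAT policy of Step 4 (trust -> trust, destination 1.1.1.2) is modelled by
    the hairpin_snat flag so that both outcomes can be compared.
    """
    mapped = SERVER_MAPPING.get((flow.dst, flow.dport))
    if mapped is None:
        return flow                                # not the published address
    after = replace(flow, dst=mapped[0], dport=mapped[1])
    if hairpin_snat and zone_of(flow.src) == "trust":
        # The server now sees the pool address, not the real client; keep that
        # in mind when reading the server's own logs.
        after = replace(after, src=NAT_POOL_ADDR, sport=next(_napt_ports))
    return after


def connect(flow: Flow, hairpin_snat: bool) -> dict:
    """Trace a connection to the FTP server and report what each side sees."""
    post = translate(flow, hairpin_snat)
    # The server answers post.src. If that address is on its own subnet, it
    # replies directly over the LAN, so the reply never passes the firewall.
    reply_via_fw = ip_address(post.src) not in TRUST_NET
    if reply_via_fw:
        reply_src = (flow.dst, flow.dport)         # firewall restores 1.1.1.2:2121
    else:
        reply_src = (post.dst, post.dport)         # client sees 10.3.0.30:21 instead
    # A client only accepts a SYN-ACK from the address:port it connected to.
    return {
        "session": f"{flow} [{post}]",             # pre-NAT [post-NAT], as in Step 7
        "server_sees_src": post.src,
        "reply_via_firewall": reply_via_fw,
        "success": reply_src == (flow.dst, flow.dport),
    }


if __name__ == "__main__":
    internet_user = Flow("203.0.113.5", 40001, "1.1.1.2", 2121)   # constructed
    intranet_user = Flow("10.3.0.31", 40002, "1.1.1.2", 2121)     # page: PC 10.3.0.31
    for label, f, hp in (("internet user", internet_user, True),
                         ("intranet user, no hairpin SNAT", intranet_user, False),
                         ("intranet user, hairpin SNAT", intranet_user, True)):
        print(label, connect(f, hp))
```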
Networking diagram: Firewall_A, the gateway of Network A (GE0/0/3 10.1.1.1/24 in Trust, GE0/0/1 1.1.3.1/24 in Untrust), and Firewall_B, the gateway of Network B (GE0/0/1 1.1.5.1/24 in Untrust, GE0/0/3 10.1.2.1/24 in Trust), are connected by an IPSec tunnel over the Internet.
Firewall_A and Firewall_B are egress gateways of Network A and Network B respectively, using fixed IP addresses to access the Internet. Firewall_A and Firewall_B are reachable to each other.
Firewall_A and Firewall_B establish site-to-site IPSec tunnels in IKE negotiation mode so that the devices on both Network A and Network B can proactively initiate connections to the peer network.
Configure the interfaces on Firewall_A
Set WAN interface parameters. Set LAN interface parameters.
Configure security policies on Firewall_A
Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
Permit Firewall_A to connect to the public IP address of Firewall_B.
Permit Firewall_B to use its public IP address to connect to Firewall_A.
Configure routes on Firewall_A
Configure a route to private IP addresses on Network B. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.
Configure IPSec on Firewall_A
Select a scenario and complete basic settings. The Pre-Shared Key is Admin@123. Configure an IKE/IPSec proposal. Add a data flow to be encrypted.
Configure the interfaces on Firewall_B
Set WAN interface parameters. Set LAN interface parameters.
Configure security policies on Firewall_B
Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
Permit Firewall_B to connect to the public IP address of Firewall_A.
Permit Firewall_A to use its public IP address to connect to Firewall_B.
Configure routes on Firewall_B
Configure a route to private IP addresses on Network A. In the example, the next-hop IP address from Firewall_B to the Internet is 1.1.5.2.
Configure IPSec on Firewall_B
Select a scenario and complete basic settings. Add a data flow to be encrypted.
Verify the configurations
After the configuration is complete, view the IPSec policy list and IPSec tunnel monitoring information. You can view the established IPSec tunnel. Use a host on Network A to access a host or server on Network B. The access succeeds. Use a host on Network B to access a host or server on Network A. The access also succeeds.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Networking diagram
Networking diagram: headquarters FW_A (GE0/0/3 10.1.1.1/24 in Trust, GE0/0/1 1.1.3.1/24 in Untrust) with PC1 10.1.1.2/24; branch 1 FW_B (GE0/0/1 in Untrust, GE0/0/3 10.1.2.1/24 in Trust) with PC2 10.1.2.2/24, connected to FW_A by IPSec Tunnel 1; branch 2 FW_C (GE0/0/1 in Untrust, GE0/0/3 10.1.3.1/24 in Trust) with PC3 10.1.3.2/24, connected to FW_A by IPSec Tunnel 2.
Firewall_A is the egress gateway of the headquarters. Firewall_B and Firewall_C are egress gateways of branches 1 and 2, respectively. Firewall_A uses a fixed IP address to access the Internet. Firewall_B and Firewall_C use dynamically obtained IP addresses to access the Internet.
IPSec tunnels are established between Firewall_A and Firewall_B and between Firewall_A and Firewall_C, so that PCs in branches 1 and 2 can initiate connections to the headquarters (the headquarters is not allowed to initiate connections to branches).
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 1 Configure the interfaces on Firewall_A
Set WAN interface parameters. Set LAN interface parameters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 2 Configure security policies on Firewall_A
Allow the private IP address of the headquarters to access the private IP addresses of branches 1 and 2.
Allow the private IP addresses of branches 1 and 2 to access the private IP address of the headquarters.
Allow the public IP addresses of branches 1 and 2 to access Firewall_A.
Allow Firewall_A to access the public IP addresses of branches 1 and 2.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 3 Configure routes on Firewall_A
Configure a route to the private IP addresses of branch 1 and a route to the private IP addresses of branch 2. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 4 Configure IPSec on Firewall_A
Configure an IPSec policy. Add the data flow (from the headquarters to branch 1) to be encrypted. Add the data flow (from the headquarters to branch 2) to be encrypted.
If the static routes to branches are not configured based on step 3, select Reverse Route Injection in the Data Flow to Be Encrypted area, so that the private routes from the headquarters to branches are automatically generated.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 5 Configure the interfaces on Firewall_B
Configure the interface connecting to the Internet. In this example, the connection type is DHCP. Set LAN interface parameters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 6 Configure security policies on Firewall_B
Allow the private IP address of branch 1 to access the private IP address of the headquarters.
Allow the private IP address of the headquarters to access the private IP address of branch 1.
Allow the public IP address of the headquarters to access Firewall_B.
Allow Firewall_B to access the public IP address of the headquarters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 7 Configure routes on Firewall_B
Configure a route to the private address of the headquarters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 8 Configure IPSec on Firewall_B
Configure an IKE/IPSec proposal. Add the data flow (from branch 1 to the headquarters) to be encrypted.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 9 Configure the interfaces on Firewall_C
Configure the interface connecting to the Internet. In this example, the connection type is DHCP. Set LAN interface parameters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 10 Configure security policies on Firewall_C
Allow the private IP address of branch 2 to access the private IP address of the headquarters.
Allow the private IP address of the headquarters to access the private IP address of branch 2.
Allow the public IP address of the headquarters to access Firewall_C.
Allow Firewall_C to access the public IP address of the headquarters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 11 Configure routes on Firewall_C
Configure a route to the private address of the headquarters.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 12 Configure IPSec on Firewall_C
Select a scenario and complete basic settings. Configure an IKE/IPSec proposal. Add the data flow (from branch 2 to the headquarters) to be encrypted.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 13 Verify the configuration (1)
After the configuration is complete, query the IPSec policy list and IPSec monitoring list. The established IPSec tunnels are displayed. Use a PC in a branch to access a PC or server at the headquarters. The access succeeds.
Query the IPSec policy list and IPSec monitoring list on Firewall_A. If the IPSec tunnels are not successfully established, click Diagnose to query the cause and solution.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 13 Verify the configuration (2)
Query the IPSec policy list and IPSec monitoring list on Firewall_B.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) Step 13 Verify the configuration (3)
Query the IPSec policy list and IPSec monitoring list on Firewall_C.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Networking diagram
Networking diagram: the mobile user running SecoClient (LAC) reaches the headquarters firewall (LNS) at interface GE0/0/1 (1.1.1.1/24) over the Internet; the firewall LAN interface GE0/0/2 (10.1.1.1/24) connects to the server at 10.1.2.1/24.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.
Item | Data
LNS, L2TP settings | Group name: default; user name: user0001; password: Password@123; address pool: pool, 172.16.1.1 to 172.16.1.100; tunnel password authentication: Hello@123
LNS, IPSec settings | Pre-shared key: Admin@123; local ID: IP address; peer ID: any peer ID
LAC, L2TP settings | User authentication name: user0001; password: Password@123; tunnel password authentication: Hello@123
LAC, IPSec settings | Pre-shared key: Admin@123; peer address: 1.1.1.1/24
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 2 Configure security policies
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Permit LAC clients to access the servers in the headquarters.
Permit servers at the headquarters to access the Internet.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 3 Configure routes
Configure a route to the Internet. In the example, the next-hop IP address from the firewall to the Internet is 1.1.1.2.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 4 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is user0001, and the password is Password@123. Add an L2TP user.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 5 Add an IP pool
Add an IP address pool named pool; the pool range is 172.16.1.1 to 172.16.1.100.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 6 Configure L2TP over IPSec
In the example, the pre-shared key is Admin@123. Add and set the following parameters to configure a data flow rule. Add the IP pool.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 7 Configure L2TP group
Enable L2TP. In the example, the tunnel password is Hello@123. Create an L2TP group.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 8 Configure SecoClient (1)
Create a new connection. Enable tunnel authentication; the authentication password is Hello@123.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 8 Configure SecoClient (2)
Select Enable IPSec Protocol. Complete the IPSec configuration.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 9 Verify the configurations (1)
Choose the created L2TP over IPSec connection and click Connect. Enter the user name and password.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 9 Verify the configurations (2)
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Networking diagram
Networking diagram: the Windows XP PC (LAC client) connects through an L2TP over IPSec VPN tunnel to the headquarters firewall (LNS) at WAN interface GE0/0/1 (1.1.1.2/24, Untrust zone); the firewall LAN interface GE0/0/3 (10.1.1.1/24) is in the Trust zone.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 3 Configure L2TP users
In the example, the user name is vpdnuser, and the password is Hello@123. Add an L2TP user.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 5 Configure L2TP over IPSec
Add the IP pool.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 6 Configure the LAC client (1)
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 6 Configure the LAC client (2)
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 6 Configure the LAC client (3)
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 7 Verify the configurations (1)
Enter the user name and password. Click Connect. A message is displayed, indicating that the VPN connection succeeds. In Network Connections, you can see the VPN connection status.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 7 Verify the configurations (2)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Networking diagram
Networking diagram: the Windows 7 PC (LAC) connects over the Internet to the headquarters firewall (LNS) at WAN interface GE0/0/1 (1.1.1.2/29); the firewall LAN interface GE0/0/3 is 10.1.1.1/24.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. Add an L2TP user.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 5 Configure L2TP over IPSec
Add the IP pool.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 6 Configure the LAC client (1)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 6 Configure the LAC client (2)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 6 Configure the LAC client (3)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 7 Verify the configurations (1)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 7 Verify the configurations (2)
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Networking diagram
Networking diagram: the Windows 10 PC (LAC client) connects over the Internet to the headquarters firewall (LNS) at WAN interface GE0/0/1 (1.1.1.2/24); the firewall LAN interface GE0/0/3 is 10.1.1.1/24.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is vpdnuser, and the password is Hello@123. Add an L2TP user.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 5 Configure L2TP over IPSec
Add the IP pool.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step6 Configure the LAC client (1)
4
2
1
Back to Contents
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step6 Configure the LAC client (2)
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step6 Configure the LAC client (3)
Right-click and choose Properties from the shortcut menu.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step7 Verify the configurations (1)
Click Connect.
Enter the user name and password.
The VPN connection succeeds.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step7 Verify the configurations (2)
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Networking diagram
Networking diagram (figure not reproduced): a Mac OS X computer (LAC client) connects over the Internet to the firewall (LNS) at the headquarters; firewall GE0/0/1 1.1.1.2/24, GE0/0/3 10.1.1.1/24.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is carried through a tunnel: L2TP first encapsulates the Layer 2 data and performs identity authentication, and IPSec then encrypts the data.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step1 Configure interfaces
Set WAN interface parameters.
Set LAN interface parameters.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
Add an L2TP user.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step4 Add an IP pool
Add an IP address pool named pool with the range 10.1.2.2 to 10.1.2.100.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step5 Configure L2TP over IPSec
Add the IP pool.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step6 Configure the LAC client (1)
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step6 Configure the LAC client (2)
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step7 Verify the configurations (1)
After the configuration is complete, click Connect.
After the connection succeeds, the Status value is updated to Connected.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step7 Verify the configurations (2)
Example 9.6: L2TP over IPSec Access from Clients (Android) Networking diagram
Networking diagram (figure not reproduced): an Android device (LAC) reaches the firewall (LNS) at the headquarters through an L2TP over IPSec VPN tunnel; firewall GE0/0/1 1.1.1.2/24 (Untrust), GE0/0/3 10.1.1.1/24 (Trust); server 3.3.3.3/24.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is carried through a tunnel: L2TP first encapsulates the Layer 2 data and performs identity authentication, and IPSec then encrypts the data.
Item: Data
L2TP settings: Group name: default; User name: vpdnuser; Password: Hello@123
IP address: 3.3.3.3/24
Example 9.6: L2TP over IPSec Access from Clients (Android) Step1 Configure interfaces
Set WAN interface parameters.
Set LAN interface parameters.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In the example, the user name is vpdnuser and the password is Hello@123.
Add an L2TP user.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step4 Add an IP pool
Add an IP address pool named pool with the range 10.1.2.2 to 10.1.2.100.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step5 Configure L2TP over IPSec
Add the IP pool.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step6 Configure the LAC client
Access the Settings page.
Access the VPN page.
Add a VPN.
Enter the IP address of the WAN interface on the firewall and the pre-shared key (Admin@123 in this example).
Confirm the information and save the configuration.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step7 Verify the configurations (1)
Select the VPN that was added.
Enter the user name and password. In this example, the user name is vpdnuser and the password is Hello@123.
Confirm the information and click CONNECT.
After the connection succeeds, Connected is displayed in the VPN list, and the VPN connection icon is displayed in the status bar at the top of the screen.
Example 9.6: L2TP over IPSec Access from Clients (Android) Step7 Verify the configurations (2)
Example 9.7: L2TP over IPSec Access from Clients (iOS) Networking diagram
Networking diagram (figure not reproduced): an iOS device (LAC) reaches the firewall (LNS) at the headquarters through an L2TP over IPSec VPN tunnel; firewall GE0/0/1 1.1.1.2/24 (Untrust), GE0/0/3 10.1.1.1/24 (Trust); server 3.3.3.3/24.
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is carried through a tunnel: L2TP first encapsulates the Layer 2 data and performs identity authentication, and IPSec then encrypts the data.
Item: Data
L2TP settings: Group name: default; User name: vpdnuser; Password: Hello@123
IP address: 3.3.3.3/24
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step1 Configure interfaces
Set WAN interface parameters.
Set LAN interface parameters.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
Add an L2TP user.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step4 Add an IP pool
Add an IP address pool named pool with the range 10.1.2.2 to 10.1.2.100.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step5 Configure L2TP over IPSec
Add the IP pool.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step6 Configure the LAC client
Access the Settings page.
Access the VPN page.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step7 Verify the configurations (1)
Enable the VPN function.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step7 Verify the configurations (2)
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Networking diagram
The enterprise requires that each teleworker have an intranet IP address, so that intranet resources can be accessed as if the teleworker were on the LAN. For security reasons, local authentication should be configured to authenticate teleworkers.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step1 Configure interfaces
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step2 Create a user group and its users
Create a user.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step3 Configure an SSL VPN gateway (1)
Configure basic SSL VPN gateway parameters based on the networking requirements.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step3 Configure an SSL VPN gateway (2)
Select SSL versions and encryption suites.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step3 Configure an SSL VPN gateway (3)
Select the required functions.
Normally, enabling SSL VPN network extension does not require any route from the virtual gateway to the user's IP address. However, once IP spoofing attack defense is enabled on the FW, packets from the user to the virtual gateway are identified as IP spoofing attack packets and discarded. In that case, configure a route from the virtual gateway to the user's IP address when you enable network extension.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step3 Configure an SSL VPN gateway (4)
Configure network extension.
Add an accessible private network segment.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step3 Configure an SSL VPN gateway (5)
Add role authentication.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step4 Configure security policies
Set the source address to the network extension address pool and the destination address to the IP address of the intranet resource that teleworkers are allowed to access.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step5 Verify the configurations (1)
Enter https://1.1.1.1 in the browser. Install the controls as prompted by the browser upon the first login.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step5 Verify the configurations (2)
Enable network extension. Install the virtual network adapter as prompted upon the first login.
Network extension status after it is enabled.
Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step5 Verify the configurations (3)
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Networking diagram
Networking diagram (figure not reproduced): a teleworker reaches the FW over SSL VPN; FW GE0/0/1 1.1.1.1/24 (Untrust), GE0/0/3 10.1.1.1/24 (Trust); enterprise network with a DNS server behind the Trust side.
The enterprise requires that each teleworker have an intranet IP address, so that intranet resources can be accessed as if the teleworker were on the LAN. For security reasons, certificate plus local authentication (certificate challenge) should be configured to authenticate teleworkers.
Item: Data
Authentication mode: Certificate challenge; auxiliary authentication mode: VPNDB
SSL VPN user: User name: user; Password: Admin@123
Client certificate: user.p12. Import the client certificate to the browser on the device used for teleworking. The firewall verifies the user's identity based on the client certificate (the CN field of the client certificate is used as the user name). When making the client certificate, ensure that the CN field value is the VPN user name (user).
Client CA certificate: ca.crt. The CA server that issues the client certificate has a CA certificate. After being imported to the firewall, this CA certificate is used by the firewall to verify the validity of the client certificate.
Virtual IP address pool of network extension: 10.1.1.50~10.1.1.100. After the teleworking device connects to the enterprise network through SSL VPN and enables network extension, the firewall assigns it an IP address from this pool.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step1 Configure interfaces
Set WAN interface parameters.
Set LAN interface parameters.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step2 Create a user group and its users
Create a user group.
Create a user.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step3 Upload the client CA certificate
After applying for or producing the client CA certificate and client certificate, upload the client CA certificate to the firewall.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step4 Configure an SSL VPN gateway (1)
Configure basic SSL VPN gateway parameters based on the networking requirements.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step4 Configure an SSL VPN gateway (2)
Select SSL versions and encryption suites.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step4 Configure an SSL VPN gateway (3)
Select the required functions.
Normally, enabling SSL VPN network extension does not require any route from the virtual gateway to the user's IP address. However, once IP spoofing attack defense is enabled on the FW, packets from the user to the virtual gateway are identified as IP spoofing attack packets and discarded. In that case, configure a static route from the virtual gateway to the user's IP address when you enable network extension: the destination address is the IP address range of the user address pool, and the next hop is the next-hop IP address of the virtual gateway towards the Internet.
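Why the route back to the address pool matters, as an added example (not part of the Huawei guide): a simplified reverse-path model of IP spoofing attack defense in Python, using the Example 10.2 addresses and the same caveat from Example 10.1. The Internet next hop 1.1.1.254 and the check logic itself are assumptions made for this illustration; the firewall's real implementation is not described on the page.

```python
import ipaddress

# Example 10.2 addresses from the guide; the Internet next hop is an assumption.
UNTRUST_IF, TRUST_IF = "GE0/0/1", "GE0/0/3"
INTERNET_NEXT_HOP = "1.1.1.254"          # assumed next hop of the virtual gateway
POOL_FIRST, POOL_LAST = "10.1.1.50", "10.1.1.100"

# Routing table before any network-extension route: (prefix, interface, next hop)
BASE_ROUTES = [
    ("1.1.1.0/24", UNTRUST_IF, None),              # connected, WAN
    ("10.1.1.0/24", TRUST_IF, None),               # connected, LAN
    ("0.0.0.0/0", UNTRUST_IF, INTERNET_NEXT_HOP),  # default route
]


def pool_routes(first, last, ifc, next_hop):
    """Static routes covering a first-last pool. The pool is not one CIDR block,
    so it is summarized into the minimal set of prefixes."""
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [(str(net), ifc, next_hop) for net in rng]


def build_rib(routes):
    return [(ipaddress.ip_network(p), ifc, nh) for p, ifc, nh in routes]


def egress_interface(rib, addr):
    """Longest-prefix match: the interface a packet destined to addr leaves on."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, ifc, nh in rib:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc, nh)
    return best[1] if best else None


def spoof_check(rib, src, ingress):
    """Simplified model (assumption) of IP spoofing attack defense: the packet is
    accepted only if the return route to src leaves on the ingress interface."""
    return egress_interface(rib, src) == ingress


def evaluate(with_pool_route):
    """Run three packets through the check with or without the pool route."""
    routes = list(BASE_ROUTES)
    if with_pool_route:
        routes += pool_routes(POOL_FIRST, POOL_LAST, UNTRUST_IF, INTERNET_NEXT_HOP)
    rib = build_rib(routes)
    return {
        # teleworker holding virtual IP 10.1.1.60, arriving from the Internet
        "teleworker": spoof_check(rib, "10.1.1.60", UNTRUST_IF),
        # genuine LAN host arriving on the Trust interface
        "lan_host": spoof_check(rib, "10.1.1.20", TRUST_IF),
        # Internet packet forging a LAN address outside the pool
        "forged_lan": spoof_check(rib, "10.1.1.20", UNTRUST_IF),
    }


if __name__ == "__main__":
    print("without pool route:", evaluate(False))  # teleworker dropped
    print("with pool route:   ", evaluate(True))   # teleworker accepted
```

The pool 10.1.1.50~10.1.1.100 summarizes to six prefixes, each more specific than the connected 10.1.1.0/24, which is what makes the teleworker's return path point back out GE0/0/1 while a forged LAN address outside the pool is still dropped.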
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step4 Configure an SSL VPN gateway (4)
Configure network extension.
Add an accessible private network segment.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step4 Configure an SSL VPN gateway (5)
Add role authentication.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step5 Configure security policies
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step6 Install the client certificate (1)
Open Internet Explorer.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step6 Install the client certificate (2)
Click Next and complete the operations as prompted by the browser.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step7 Verify the configurations (1)
Enter https://1.1.1.1 in the browser. Install the controls as prompted by the browser upon the first login.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step7 Verify the configurations (2)
Enable network extension. Install the virtual network adapter as prompted upon the first login.
Network extension status after it is enabled.
Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step7 Verify the configurations (3)
Networking diagram (figure not reproduced): heartbeat interface GE0/0/2 on each firewall, 10.10.0.1/24 and 10.10.0.2/24; downstream networks 10.3.2.0/24 and 10.3.3.0/24.
Example 11: Transparent Access for Load Balancing Step 1 Configure Interfaces on FW_A (1)
Set parameters for the downstream interface.
Set parameters for the upstream interface.
Example 11: Transparent Access for Load Balancing Step 1 Configure Interfaces on FW_A (2)
Example 11: Transparent Access for Load Balancing Step 2 Configure Interfaces on FW_B (1)
Set parameters for the downstream interface.
Set parameters for the upstream interface.
Example 11: Transparent Access for Load Balancing Step 2 Configure Interfaces on FW_B (2)
Example 11: Transparent Access for Load Balancing Step 3 Configure FW_A to Work in Load Balancing Mode
Configure FW_A to work in load balancing mode.
Configure VLAN monitoring: set the interface type to VLAN, set the VLAN ID to 2, and click Add.
Example 11: Transparent Access for Load Balancing Step 4 Configure FW_B to Work in Load Balancing Mode
Configure FW_B to work in load balancing mode.
Configure VLAN monitoring: set the interface type to VLAN, set the VLAN ID to 2, and click Add.
Example 11: Transparent Access for Load Balancing Step5 Configure Security Policies on FW_A (1)
Example 11: Transparent Access for Load Balancing Step5 Configure Security Policies on FW_A (2)
Configure a security policy to allow intranet users to access public IP addresses.
Example 11: Transparent Access for Load Balancing Step 6 Verify the Configuration (1)
After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A and FW_B are working in load balancing mode and both firewalls forward traffic.
Example 11: Transparent Access for Load Balancing Step 6 Verify the Configuration (2)
Once FW_A fails, it switches to the standby state and FW_B becomes the active device in active/standby mode; FW_B then forwards the traffic.
As shown in the following figure, configure the VRF function on the core switches to virtualize each switch into a switch (root switch Public) connecting to the upstream and a switch (virtual switch VRF) connecting to the downstream. Both firewalls and switches use VRRP for link backup. The following figure shows the VRRP group configuration of the firewalls and switches.
Networking diagram (figure not reproduced; addresses as labelled): OSPF runs towards the data center core area. SW1 and SW2 are each split into root switch Public (VLAN 3, VLANIF3, ports GE1/0/1 to GE1/0/2, facing the upstream) and virtual switch VRF (VLAN 2, VLANIF2, ports GE1/0/3 to GE1/0/4, facing the downstream). FW_A (active) and FW_B (standby) sit between them: GE0/0/3 10.1.0.1/24 and 10.1.0.2/24 form VRRP group 2 (virtual IP 10.1.0.3/24) towards Public; GE0/0/1 10.0.0.1/24 and 10.0.0.2/24 form VRRP group 1 (virtual IP 10.0.0.3/24) towards VRF; the heartbeat interfaces are GE0/0/2 10.10.0.1/24 and 10.10.0.2/24. On the switches, VLANIF2 10.0.0.4/24 and 10.0.0.5/24 form VRRP group 3 (virtual IP 10.0.0.6/24) and VLANIF3 10.1.0.4/24 and 10.1.0.5/24 form VRRP group 4 (virtual IP 10.1.0.6/24), with SW1 active and SW2 standby.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (1)
Set parameters for the downstream interface.
Set parameters for the upstream interface.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (2)
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (1)
Set parameters for the downstream interface.
Set parameters for the upstream interface.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (2)
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Active/Standby Mode
Configure FW_A as the active device in active/standby mode.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Active/Standby Mode
Configure FW_B as the standby device in active/standby mode.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 7 Configure a Security Policy on FW_A
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1
# Configure Switch 1. Only the configuration related to interconnection with the firewall is provided here.
[Switch1] ip vpn-instance VRF //Create a VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN 2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN 3.
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
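As an added consistency check (not from the guide), the following Python parses the Switch 1 commands above and verifies that each static route's next hop lies on a VLANIF bound to the same VPN instance and equals a firewall VRRP virtual IP, and that each switch VRRP virtual IP sits inside its VLANIF subnet. The firewall virtual IPs (group 1 = 10.0.0.3, group 2 = 10.1.0.3) are taken from the networking diagram; the parser handles only the command forms shown here.

```python
import ipaddress
import re

# Switch 1 commands from the guide, embedded as the sample input. Trailing
# "//" comments are stripped by the parser.
SWITCH1_CONFIG = """
[Switch1] ip vpn-instance VRF //Create a VRF.
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3
"""
# Firewall VRRP virtual IPs as labelled in the networking diagram.
FIREWALL_VRRP_VIPS = {1: "10.0.0.3", 2: "10.1.0.3"}

# "[prompt] command ... //comment"
LINE_RE = re.compile(r"\[(\S+?)\]\s+(.*?)(?:\s*//.*)?$")


def parse_switch_config(text):
    """Extract VLANIF addresses, VPN bindings, VRRP groups and static routes
    from "[prompt] command" lines (only the command forms used above)."""
    cfg = {"ifaces": {}, "bindings": {}, "vrrp": {}, "routes": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        prompt, cmd = m.groups()
        ctx = prompt.split("-", 1)[1] if "-" in prompt else None  # e.g. Vlanif2
        w = cmd.split()
        if w[:2] == ["ip", "address"] and ctx:
            cfg["ifaces"][ctx] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["ip", "binding", "vpn-instance"] and ctx:
            cfg["bindings"][ctx] = w[3]
        elif w[:2] == ["vrrp", "vrid"] and w[3] == "virtual-ip":
            cfg["vrrp"][int(w[2])] = (ctx, ipaddress.ip_address(w[4]))
        elif w[:2] == ["ip", "route-static"]:
            args, vpn = w[2:], None
            if args[0] == "vpn-instance":
                vpn, args = args[1], args[2:]
            dest = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            cfg["routes"].append((vpn, dest, ipaddress.ip_address(args[2])))
    return cfg


def check_static_routes(cfg, firewall_vips):
    """Each static route's next hop must lie on a VLANIF bound to the same VPN
    instance as the route (None = root switch Public) and be a firewall VIP."""
    vips = {ipaddress.ip_address(v) for v in firewall_vips.values()}
    findings = []
    for vpn, dest, nh in cfg["routes"]:
        on_link = any(nh in iface.network
                      for ctx, iface in cfg["ifaces"].items()
                      if cfg["bindings"].get(ctx) == vpn)
        findings.append({"vpn": vpn, "dest": str(dest), "next_hop": str(nh),
                         "on_link": on_link, "is_firewall_vip": nh in vips})
    return findings


def check_switch_vrrp(cfg):
    """A switch VRRP virtual IP must be inside its VLANIF subnet and must not
    reuse the VLANIF's own address; returns {vrid: ok}."""
    result = {}
    for vrid, (ctx, vip) in cfg["vrrp"].items():
        iface = cfg["ifaces"].get(ctx)
        result[vrid] = bool(iface) and vip in iface.network and vip != iface.ip
    return result


if __name__ == "__main__":
    parsed = parse_switch_config(SWITCH1_CONFIG)
    for f in check_static_routes(parsed, FIREWALL_VRRP_VIPS):
        print(f)
    print(check_switch_vrrp(parsed))
```

A next hop that is on-link but not a firewall virtual IP (for example a firewall's physical address instead of the VIP) is the usual misconfiguration this check catches: traffic would then stop after a failover even though the route still looks valid.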
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 8 Configure Core Switch 2
# Configure Switch 2.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (1)
After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A is active and FW_B is standby in active/standby backup mode.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (2)
Once FW_A fails, it switches to the standby state and FW_B becomes the active device in active/standby mode; FW_B then forwards the traffic.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (3)
After recovery, FW_A preempts to be the active device, and FW_B becomes standby. Traffic is forwarded through FW_A.
Example 13: Load Balancing Firewalls Attached to L3 Devices Networking diagram
As shown in the following figure, configure the VRF function on the core switches to virtualize each switch into a switch (root switch Public) connecting to the upstream and a switch (virtual switch VRF) connecting to the downstream. Both firewalls and switches use VRRP for link backup. The following figure shows the VRRP group configuration of the firewalls and switches.
Networking diagram (figure not reproduced; addresses as labelled): OSPF runs towards the data center core area; the server area is 192.168.0.0/16. SW1 and SW2 are each split into root switch Public (VLAN 3, VLANIF3, ports GE1/0/1 to GE1/0/2) and virtual switch VRF (VLAN 2, VLANIF2, ports GE1/0/3 to GE1/0/4). FW_A and FW_B: GE0/0/1 10.0.0.1/24 and 10.0.0.2/24, GE0/0/3 10.1.0.1/24 and 10.1.0.2/24, heartbeat interfaces GE0/0/2 10.10.0.1/24 and 10.10.0.2/24. Switch VLANIF2 10.0.0.4/24 and 10.0.0.5/24, VLANIF3 10.1.0.4/24 and 10.1.0.5/24. VRRP groups as labelled: group 1 (virtual IP 10.0.0.3/24) and group 2 (10.1.0.3/24) on the firewalls with FW_A active; group 5 (10.0.0.7/24) and group 6 (10.1.0.7/24) on the firewalls with FW_B active; group 3 (10.0.0.6/24) and group 4 (10.1.0.6/24) on the switches with SW1 active; group 7 (10.0.0.8/24) and group 8 (10.1.0.8/24) on the switches with SW2 active.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (1)
Set parameters for the downstream interface.
Set parameters for the upstream interface.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (2)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (1)
Set parameters for the downstream interface.
Set parameters for the upstream interface.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (2)
Set parameters for the heartbeat interface.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A (1)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A (2)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B (1)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B (2)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Load Balancing Mode (1)
Configure FW_A to work in load balancing mode.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Load Balancing Mode (2)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Load Balancing Mode (1)
Configure FW_B to work in load balancing mode.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Load Balancing Mode (2)
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 7 Configure a Security Policy on FW_A
Configure a security policy to allow Internet users to access servers in the DC (network segment: 192.168.0.0/16; port: 80).
The security policy configured on FW_A will be automatically backed up to FW_B.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1 (1)
# Configure Switch 1.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1 (2)
# Configure Switch 1.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 9 Configure Core Switch 2 (1)
# Configure Switch 2.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 9 Configure Core Switch 2 (2)
# Configure Switch 2.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (1)
After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A and FW_B are working in load balancing mode and both firewalls forward traffic.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (2)
Once FW_A fails, it switches to the standby state and FW_B becomes the active device in active/standby mode; FW_B then forwards the traffic.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (3)
After FW_A recovers, FW_A and FW_B start to work in load balancing mode again and forward traffic together.
Example 14: Active/Standby Backup in In-path Deployment Step 1 Configure interfaces on FW_A (1)
Set parameters for the upstream interface.
Set parameters for the downstream interface.
Example 14: Active/Standby Backup in In-path Deployment Step 1 Configure interfaces on FW_A (2)
Example 14: Active/Standby Backup in In-path Deployment Step 2 Configure interfaces on FW_B (1)
Set parameters for the upstream interface.
Set parameters for the downstream interface.
Example 14: Active/Standby Backup in In-path Deployment Step 2 Configure interfaces on FW_B (2)
Set parameters for the heartbeat interface.
Example 14: Active/Standby Backup in In-path Deployment Step 3 Configure FW_A as the Active Device
Configure FW_A as the active device in active/standby backup mode.
Example 14: Active/Standby Backup in In-path Deployment Step 4 Configure FW_B as the Standby Device
Example 14: Active/Standby Backup in In-path Deployment Step 5 Configure a security policy on FW_A
Configure a security policy to allow intranet users to access public IP addresses.
The security policy configured on FW_A will be automatically synchronized to FW_B.
Example 14: Active/Standby Backup in In-path Deployment Step 6 Verify the configuration (1)
After the configuration is complete, view the running status of FW_A and FW_B. You can see that FW_A and FW_B are working in active/standby mode: FW_A is active, while FW_B is standby.
Example 14: Active/Standby Backup in In-path Deployment Step 6 Verify the configuration (2)
Example 14: Active/Standby Backup in In-path Deployment Step 6 Verify the configuration (3)
Example 15: In-path Deployment in a Load Balancing Scenario Networking diagram
Networking diagram (figure not reproduced; labels as recovered): FW_A and FW_B with upstream interfaces GE0/0/1 in VRRP group 1 (1.1.1.3/24) and VRRP group 2 (1.1.1.4/24); downstream interfaces GE0/0/3 10.3.0.1/24 and 10.3.0.2/24 in VRRP group 3 (10.3.0.3/24) and VRRP group 4 (10.3.0.4/24); heartbeat interfaces GE0/0/2 10.10.0.1/24 and 10.10.0.2/24; service link towards the intranet and heartbeat link. The addresses 10.2.0.1/24 and 10.2.0.2/24 also appear in the figure. Working mode table: FW_A active/standby backup; FW_B active/standby backup.
Example 15: In-path Deployment in a Load Balancing Scenario Step 1 Configure interfaces on FW_A (1)
Set parameters for the upstream interface.
Set parameters for the downstream interface.
Example 15: In-path Deployment in a Load Balancing Scenario Step 1 Configure interfaces on FW_A (2)
Example 15: In-path Deployment in a Load Balancing Scenario Step 2 Configure interfaces on FW_B (1)
Set parameters for the upstream interface.
Set parameters for the downstream interface.
Example 15: In-path Deployment in a Load Balancing Scenario Step 2 Configure interfaces on FW_B (2)
Set parameters for the heartbeat interface.
Example 15: In-path Deployment in a Load Balancing Scenario Step 3 Configure load balancing on FW_A (1)
Configure FW_A to work in load balancing mode.
Example 15: In-path Deployment in a Load Balancing Scenario Step 3 Configure load balancing on FW_A (2)
Example 15: In-path Deployment in a Load Balancing Scenario Step 4 Configure load balancing on FW_B (1)
Configure FW_B to work in load balancing mode.
Example 15: In-path Deployment in a Load Balancing Scenario Step 4 Configure load balancing on FW_B (2)
Example 15: In-path Deployment in a Load Balancing Scenario Step 5 Configure a route on FW_A
Configure the default route on FW_A.
Example 15: In-path Deployment in a Load Balancing Scenario Step 6 Configure a route on FW_B
Configure default routes on intranet devices. Set the next-hop address of the default routes to the virtual IP address (10.3.0.3) of VRRP group 3 for some devices and to the
Configure the default route on FW_B.
Example 15: In-path Deployment in a Load Balancing Scenario Step 7 Configure a security policy on FW_A
Configure a security policy to allow intranet users to access public IP addresses.
The security policy configured on FW_A will be automatically synchronized to FW_B.
Example 15: In-path Deployment in a Load Balancing Scenario Step 8 Verify the configuration (1)
Check the hot standby status on FW_A and FW_B. You can see that FW_A and FW_B work in load balancing mode.
Example 15: In-path Deployment in a Load Balancing Scenario Step 8 Verify the configuration (2)
When FW_A fails, FW_A switches to the standby state, and FW_B switches to the active state. This indicates that FW_B forwards traffic.
Example 16: Configuring Source Address-based PBR Step1 Configure the interfaces (1)
Set WAN interface parameters.
Set LAN interface parameters.
Example 16: Configuring Source Address-based PBR Step1 Configure the interfaces (2)
Set WAN interface parameters.
Allow intranet users to access extranet resources.
Detect the ISP_A link status.
Detect the ISP_B link status.
When the ISP_B link is unreachable, all traffic is forwarded over the ISP_A link.
When the ISP_A link is unreachable, all traffic is forwarded over the ISP_B link.
Example 16: Configuring Source Address-based PBR Step 6 Verify the configurations (1)
The traffic sent from the marketing department (10.1.1.0/24) is forwarded by GigabitEthernet 0/0/2 and reaches the Internet over the ISP_A link. The traffic sent from the R&D department (10.1.2.0/24) is forwarded by GigabitEthernet 0/0/4 and reaches the Internet over the ISP_B link.
Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1).
Example 16: Configuring Source Address-based PBR Step 6 Verify the configurations (2)
When the ISP_A link is unreachable, the traffic sent from the marketing department (10.1.1.0/24) and R&D department (10.1.2.0/24) is forwarded by GigabitEthernet0/0/4 and reaches the Internet over the ISP_B link. When the ISP_B link is unreachable, the traffic sent from the marketing department (10.1.1.0/24) and R&D department (10.1.2.0/24) is forwarded by GigabitEthernet0/0/2 and reaches the Internet over the ISP_A link.
Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1) in case of ISP_A link unreachability.
Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1) in case of ISP_B link unreachability.
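The forwarding behaviour verified above can be modelled as a small decision function. This is an added example, not code from the Huawei guide: the subnets, link names and outbound interfaces are the ones the guide uses in Example 16, while the rule table, the link-state map and the function name are this example's own.

```python
"""Source address-based PBR with link health fallback (added example)."""
import ipaddress

# PBR rules from Example 16: source subnet -> preferred ISP link.
PBR_RULES = [
    (ipaddress.ip_network("10.1.1.0/24"), "ISP_A"),  # marketing department
    (ipaddress.ip_network("10.1.2.0/24"), "ISP_B"),  # R&D department
]

# Outbound interface behind each link, as shown in the guide's session tables.
LINK_INTERFACE = {
    "ISP_A": "GigabitEthernet0/0/2",
    "ISP_B": "GigabitEthernet0/0/4",
}


def select_egress(src_ip, link_up):
    """Return the egress interface for a packet from src_ip.

    link_up maps a link name to the result of its link health detection
    probe (True = reachable). The preferred link is taken from the first
    PBR rule whose subnet contains src_ip; if that link is down, traffic
    fails over to the other link. Returns None when no rule matches
    (the ordinary routing table would apply, which is not modelled here)
    or when neither link is reachable.
    """
    src = ipaddress.ip_address(src_ip)
    preferred = next((link for net, link in PBR_RULES if src in net), None)
    if preferred is None:
        return None
    # Preferred link first, then every other link as a fallback.
    candidates = [preferred] + [l for l in LINK_INTERFACE if l != preferred]
    for link in candidates:
        if link_up.get(link, False):
            return LINK_INTERFACE[link]
    return None
```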
Example 17: User-specific Bandwidth Management Networking Diagram
(Diagram: Trust zone 10.3.0.0/24 with Manager, Marketing, Research and Product 2 users; Firewall; Untrust zone; ISP router)
• The highest download traffic rate and maximum number of users are subject to the actual specifications.
• The web configuration for limiting the upload traffic rate is similar to that for file downloading. This example describes how to limit the file download traffic rate.
A firewall is deployed as an egress gateway at the border of an enterprise network. Because the enterprise's bandwidth is limited, congestion is likely when too many users are online, which may affect important flows. Limiting the user traffic rate effectively prevents network congestion.
Data must be planned based on the global bandwidth that the operator rents to the enterprise and the number of users who need to access the Internet.
Set parameters for the interface connecting to the Internet. Set parameters for the interface connecting to the enterprise network. Set interface bandwidth parameters. Limit the total bandwidth to 20 Mbps.
Create a user group for senior managers. Create a user group for the marketing department. Create a user group for product group 1. Create a user group for product group 2.
You can create multiple users for each user group as required. Create a senior manager user. Create a user for the marketing department. Create a user for product group 1. Create a user for product group 2.
Configure a security policy to allow users in subnet 10.3.0.0/24 of the Trust zone to access the Internet.
Example 17: User-specific Bandwidth Management Step 5 Configure traffic profiles for intranet users
• Configure a traffic profile to limit the global downlink bandwidth.
• Configure a traffic profile to limit the per-user maximum downlink bandwidth to 2 Mbps.
• Configure a traffic profile to limit the global maximum downlink bandwidth to 5 Mbps.
• Configure a traffic profile to limit the global maximum downlink bandwidth to 2 Mbps.
• Configure a traffic profile to limit the global maximum downlink bandwidth to 2 Mbps.
Example 17: User-specific Bandwidth Management Step 6 Configure traffic policies for intranet users
Configure a traffic policy for senior managers. Configure a traffic policy for the R&D department. Configure a traffic policy for product group 2.
Example 17: User-specific Bandwidth Management Step 7 Verify the configuration (1)
1. A senior manager uses FileZilla and FTP tools to download files from the Internet. The download traffic rate should not exceed 6 Mbps.
FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 6 Mbps (946.8 KB/s = 7.5744
Mbps). After the configuration, the download traffic rate for the same file ranges from 2 to 6 Mbps (567.0 KB/s = 4.536 Mbps).
2. Marketing employees use FileZilla and FTP tools to download files from the Internet. The per-user download traffic rate should not
exceed 2 Mbps. FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 2 Mbps (946.8
KB/s = 7.5744 Mbps). After the configuration, the download traffic rate for the same file does not exceed 2 Mbps (177.7 KB/s = 1.4216
Mbps).
Example 17: User-specific Bandwidth Management Step 7 Verify the configuration (2)
3. Employees in product group 1 use FileZilla and FTP tools to download files from the Internet. The download traffic rate should not exceed 2 Mbps. FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 2 Mbps (946.8 KB/s = 7.5744 Mbps). After the configuration, the download traffic rate for the same file does not exceed 2 Mbps (175.8 KB/s = 1.4064 Mbps).
4. Employees in product group 2 use FileZilla and FTP tools to download files from the Internet. The download traffic rate should not exceed
2 Mbps. FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 2 Mbps (946.8 KB/s =
7.5744 Mbps). After the configuration, the download traffic rate for the same file does not exceed 2 Mbps (190.8 KB/s = 1.5264 Mbps).
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Networking Diagram
(Diagram: Trust zone 10.3.0.0/24 behind GE0/0/1 10.3.0.1/24; Firewall; Untrust zone via GE0/0/3 1.1.1.1/24; QQ and P2P traffic crossing the firewall)
An enterprise allows employees to access the Internet but, for productivity, requires that chatting software such as QQ be disabled and that P2P download traffic be limited to 3 Mbps.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 1 Configure Interfaces
Configure LAN interfaces. Configure WAN interfaces.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 2 Configure Traffic Profile
Set the maximum global downlink bandwidth to 3 Mbps.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 3 Configure Traffic Policy
Create a traffic policy to limit P2P download bandwidth to within 3 Mbps.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 4 Configure Security Policy
When multiple security policies exist in the same interzone, the device matches the flow against the policies one by one in the list, from top to bottom. Once the flow matches a security policy, the matching process stops. Therefore, when multiple security policies exist, to ensure that the security policy configurations take effect, you need to adjust the priority of the security policies, that is, move the most exactly matching security policy in front of the broad ones.
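The first-match rule described above is what makes ordering matter. The following is an added example, not code from the Huawei guide: it models top-to-bottom matching for the Trust-to-Untrust interzone of Example 18 and includes a shadowing check that flags a policy an earlier, broader one hides. The zones and the 10.3.0.0/24 subnet are the guide's; the policy names, flow fields, the default-deny fallback and the helper names are this example's assumptions.

```python
"""First-match security policy evaluation with a shadowing check (added example)."""
import ipaddress


def match(policy, flow):
    """A policy matches when every condition it states holds; an absent condition means any."""
    if (policy["src_zone"], policy["dst_zone"]) != (flow["src_zone"], flow["dst_zone"]):
        return False
    if "src_net" in policy and ipaddress.ip_address(flow["src_ip"]) not in policy["src_net"]:
        return False
    if "app" in policy and policy["app"] != flow["app"]:
        return False
    return True


def evaluate(policy_list, flow):
    """Return (name, action) of the first matching policy, top to bottom.
    No match falls through to a default, modelled here as deny (an assumption)."""
    for policy in policy_list:
        if match(policy, flow):
            return policy["name"], policy["action"]
    return "default", "deny"


def covers(earlier, later):
    """True when every flow matched by `later` is also matched by `earlier`."""
    if (earlier["src_zone"], earlier["dst_zone"]) != (later["src_zone"], later["dst_zone"]):
        return False
    if "src_net" in earlier and not (
            "src_net" in later and later["src_net"].subnet_of(earlier["src_net"])):
        return False
    if "app" in earlier and earlier["app"] != later.get("app"):
        return False
    return True


def shadowed(policy_list):
    """Names of policies that can never be reached because a broader policy sits above them."""
    return [p["name"] for i, p in enumerate(policy_list)
            if any(covers(q, p) for q in policy_list[:i])]


NET = ipaddress.ip_network("10.3.0.0/24")
# Constructed policies: the specific deny for QQ and the broad Internet permit.
DENY_QQ = {"name": "deny_qq", "src_zone": "trust", "dst_zone": "untrust",
           "src_net": NET, "app": "QQ", "action": "deny"}
PERMIT_INTERNET = {"name": "permit_internet", "src_zone": "trust", "dst_zone": "untrust",
                   "src_net": NET, "action": "permit"}
# Constructed sample flows from an intranet host.
QQ_FLOW = {"src_zone": "trust", "dst_zone": "untrust", "src_ip": "10.3.0.10", "app": "QQ"}
WEB_FLOW = {"src_zone": "trust", "dst_zone": "untrust", "src_ip": "10.3.0.10", "app": "HTTP"}
```

With the specific policy on top, QQ is denied and other traffic is permitted; with the broad permit on top, the QQ deny is shadowed and never takes effect.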
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 5 Verify the Configurations