HUAWEI USG6000, USG6000E, USG9500, and NGFW Module Quick Configuration Guide (With New Web UI)


Quick Configuration Guide
HUAWEI USG6000, USG6000E, USG9500, and NGFW Module (with New Web UI)
Issue: 04 (2021-05-07)
Contents

Logging In to the Web Configuration Page 005
Example 1: Accessing the Internet Using a Static IP Address 008
Example 2: Accessing the Internet Using PPPoE 015
Example 3: Accessing the Internet Through Multiple ISP Networks 023
Example 4: NAPT for Intranet Users to Access the Internet 032
Example 5: NAT Server for Internet Users to Access Intranet Servers 038
Example 6: Both Intranet and Internet Users Accessing an Intranet Server 046
Example 7: Site-to-Site IPSec Tunnel 054
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) 065
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) 081
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) 093
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) 104
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) 115
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) 126
Example 9.6: L2TP over IPSec Access from Clients (Android) 136
Example 9.7: L2TP over IPSec Access from Clients (iOS) 145
Example 10.1: SSL VPN Tunnel Access (Local Authentication) 154
Example 10.2: SSL VPN Tunnel Access (Certificate Challenge) 166
Example 11: Firewall Transparent Access for Load Balancing 181
Example 12: Active/Standby Firewalls Attached to Layer-3 Devices 192
Example 13: Load Balancing Firewalls Attached to Layer-3 Devices 208
Example 14: Active/Standby Backup in In-path Deployment 230
Example 15: Load Balancing in In-path Deployment 241
Example 16: Configuring Source Address-based PBR 255
Example 17: User-specific Bandwidth Management 264
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) 274

Note:
• This document is written based on USG6000E V600R007C00 and can be used as a reference for USG6000E V600R007C00, USG6000/USG9500/NGFW Module V500R005C20, and later versions. The web UI may vary according to the version. You can refer to the configuration procedure in this case, but the actual web UI prevails.
• This document describes only the web UI configuration in typical firewall scenarios. For details about feature principles, CLI configuration methods, and more configuration cases, log in to the Huawei enterprise technical support website and download the corresponding product documentation. If you want to learn how to locate and rectify common firewall faults, log in to the Huawei enterprise technical support website and download the maintenance guide of the corresponding product.
Back to Contents

Logging In to the Web Configuration Page

Networking Diagram
The administrator PC (network interface on 192.168.0.*) connects directly to the firewall's management interface GE0/0/0 (192.168.0.1/24).

Default Settings
Management Interface: GE0/0/0
IP Address: 192.168.0.1/24
User Name/Password: The default username and password are available in HUAWEI Security Products Default Usernames and Passwords. If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

Supported Browser Versions
10.0 to 11.0; 62.0 (or later versions); 64.0 (or later versions).

Note: For USG6000E V600R007C20 and later versions, there is no administrator by default. If you log in to the web interface for the first time, you must register an administrator account and password. Administrators created in this mode have the system administrator role and web service type, but cannot be the virtual system administrator "manager-user@@vsys-name".

Login Procedure (Internet Explorer for Example)

1. Set the IP address of the administrator PC, within a range from 192.168.0.2 to 192.168.0.254.
2. Open the browser on the administrator PC. In the address box, enter the default IP address of the management interface (https://192.168.0.1:8443).
3. The browser displays an insecure certificate warning. Select Continue to this website (not recommended).
   On the login page, you can click Download CA certificate to download the certificate issued by the device and import the certificate to the browser on the administrator PC. Then, the insecure certificate warning will not be displayed upon the next login.
4. Enter the user name and password.
5. Log in to the Web Configuration Page.

Web UI functional areas: Buttons, Tabs, Navigation Tree, Operation Area, CLI Console.

Example 1: Accessing the Internet Using a Static IP Address

Networking Diagram
Intranet PCs (Trust zone) connect to firewall interface GE0/0/2 (10.3.0.1/24). Firewall interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the carrier router at 1.1.1.254.

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The static IP address that the enterprise obtains from the carrier is 1.1.1.1, with a 24-bit subnet mask. The enterprise accesses the Internet through the firewall.

Item / Data / Description
DNS server: 1.2.2.2/24. Obtained from the carrier.
Gateway IP address: 1.1.1.254/24. Obtained from the carrier.

Step 1: Configure Interfaces
Set WAN interface parameters. Set LAN interface parameters.

Step 2: Configure the DHCP Service
Configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.

Step 3: Configure Security Policy
Permit intranet IP addresses to access the Internet.

Step 4: Configure Source NAT
Add a source NAT policy for intranet users to access the Internet using a public IP address.

Step 5: Verify the Configurations
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run the ipconfig /all command on the PC; the correct IP addresses of the PC and DNS server are obtained.
3. The PC on the LAN can use domain names to access the Internet.

Example 2: Accessing the Internet Using PPPoE

Networking Diagram
Intranet PCs on 10.3.0.0/24 (Trust zone) connect to firewall interface GE0/0/2 (10.3.0.1/24). Firewall interface GE0/0/1 (Untrust zone) acts as the PPPoE client and dials up to the carrier's PPPoE server.

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The firewall, acting as a client, obtains an IP address by dialing up to the carrier's server through PPPoE for Internet access.

Item / Data / Description
GigabitEthernet 0/0/1: Security zone: Untrust; Dial-up user name: user; Dial-up password: Password@. Obtains an IP address and a DNS address from the PPPoE server (deployed by the carrier) through dial-up.
GigabitEthernet 0/0/2: IP address: 10.3.0.1/24; Security zone: Trust. Uses DHCP to dynamically assign IP addresses to PCs on the LAN.
DNS server: 1.2.2.2/24. Obtains the address from the carrier.

Step 1: Configure Interfaces
Set WAN interface parameters. Set LAN interface parameters.

Step 2: Configure the DHCP Service
Configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.

Step 3: Configure Security Policy
Permit intranet IP addresses to access the Internet.

Step 4: Configure Source NAT
Add a source NAT policy for intranet users to access the Internet using a public IP address.

Step 5: Configure Default Route
Configure a default route to ensure that intranet users are routable to the Internet.

Step 6: Verify the Configurations
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run the ipconfig /all command on the PC; the correct IP addresses of the PC and DNS server are obtained.
3. The PC on the LAN can use domain names to access the Internet.

Example 3: Accessing the Internet Through Multiple ISP Networks

Networking Diagram
PCs on the student network connect to firewall interface GE0/0/3 (10.3.0.1/24) and PCs on the teacher network connect to GE0/0/4 (10.3.1.1/24); both LAN interfaces are in the Trust zone. The firewall (FW) reaches the education network through GE0/0/2 (Untrust zone) and the ISP network through GE0/0/1 (Untrust1 zone).

A college deploys a firewall as a security gateway on the campus network. PCs on the student network can access the Internet only through the education network, and PCs on the teacher network can access the Internet only through the ISP network.

PBR settings
policy_route_1: Type: Inbound Interface; Inbound Interface: GE0/0/3; Source Address: 10.3.0.0/24; Action: Forward; Egress Type: Single; Outbound Interface: GE0/0/2; Next Hop: 2.2.2.254.
policy_route_2: Type: Inbound Interface; Inbound Interface: GE0/0/4; Source Address: 10.3.1.0/24; Action: Forward; Egress Type: Single; Outbound Interface: GE0/0/1; Next Hop: 1.1.1.254.

Step 1: Configure security zones
Create security zone untrust1.

Step 2: Configure the interfaces
Set the parameters of the two WAN interfaces. Set the parameters of the two LAN interfaces.

Step 3: Configure security policies
Allow PCs on the student network to access the Internet. Allow PCs on the teacher network to access the Internet.

Step 4: Configure source NAT address pools
Create NAT address pool addres_1. Create NAT address pool addres_2.

Step 5: Configure source NAT policies
Perform address translation when PCs on the student network access the Internet. Perform address translation when PCs on the teacher network access the Internet.

Step 6: Configure PBR routes
PCs on the student network access the Internet through GigabitEthernet 0/0/2 over the education network. PCs on the teacher network access the Internet through GigabitEthernet 0/0/1.

Step 7: Verify the configurations
PCs on the student network access the Internet through GigabitEthernet 0/0/2 over the education network.
PCs on the teacher network access the Internet through GigabitEthernet 0/0/1 over the ISP network.
Check the session table information when the PC 10.3.0.2 of a student and the PC 10.3.1.2 of a teacher access extranet host 10.30.1.1, respectively.

Example 4: NAPT for Intranet Users to Access the Internet

Networking Diagram
PC_A and PC_B on intranet segment 10.1.1.0/24 connect to an aggregation switch (10.1.2.1/24, VLAN100). The switch connects to firewall interface GE0/0/1 (trust zone); firewall interface GE0/0/3 (untrust zone) connects to the egress gateway (10.1.2.2/24 on the inside, VLAN100; 1.1.1.1/24 toward the ISP). The source NAT policy is applied on the firewall (FW).

The firewall is deployed at the border of a network in transparent mode. Its uplink and downlink service interfaces work in Layer 2 mode.
A source NAT policy is configured on the firewall to allow users in network segment 10.1.1.0/24 to access the Internet.

Item / Data / Description
Intranet segment that is allowed to access the Internet: 10.1.1.0/24.
Public addresses mapped to private addresses: 1.1.1.10 to 1.1.1.15. As private addresses far outnumber public addresses, one-to-one mapping cannot be implemented. To translate all private addresses into public addresses, enable port translation.
Black-hole routes on the aggregation switch: Destination address: 1.1.1.10 to 1.1.1.15; Next hop: NULL 0. Prevents routing loops between the aggregation switch and the egress gateway when Internet users send traffic to the post-NAT public addresses.
Static routes on the egress gateway: Destination address: 1.1.1.10 to 1.1.1.15; Next hop: 10.1.2.1. Configure a static route with a 32-bit destination address.
Static routes on the ISP router: Destination address: 1.1.1.10 to 1.1.1.15; Next hop address: 1.1.1.1. As the post-NAT public addresses do not correspond to ports, routing protocols cannot discover such routes. Therefore, you must configure static routes to the public addresses on the ISP router.

Step 1: Configure the interfaces on FW
Set LAN interface parameters. Set WAN interface parameters.

Step 2: Configure security policies on FW
Allow intranet users to access the Internet.

Step 3: Configure a NAT address pool on FW
Configure a NAT address pool to provide public addresses for intranet users.

Step 4: Configure NAT policies on FW
Configure a NAT policy for access from the intranet to the Internet.

Step 5: Verify the configurations
1. Intranet hosts can access the Internet.
2. The Source NAT policy table shows that the source NAT policy has been matched.
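The black-hole routes in the table above are easy to skip and hard to diagnose later. The following Python model is an added illustration, not Huawei code and not part of the guide: it traces an Internet packet through the ISP router, egress gateway, transparent firewall and aggregation switch using the addresses of this example, with constructed NAPT session entries, and shows that a packet to a post-NAT address with no matching session loops between gateway and switch until its TTL expires unless the switch holds the NULL 0 routes.

```python
# Added illustration for Example 4; this is not Huawei code and not part of
# the original guide. It models the routed path ISP router -> egress gateway
# -> (transparent FW) -> aggregation switch -> intranet with the addresses
# from the networking diagram and shows why the aggregation switch needs
# black-hole routes for the post-NAT addresses 1.1.1.10 to 1.1.1.15: an
# Internet packet to one of those addresses that matches no NAPT session
# would otherwise bounce between gateway and switch until its TTL expires.
# The NAPT session entries used below are constructed sample data.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

NULL0 = "NULL0"          # next hop of a black-hole route (drop)
INTRANET = "intranet"    # directly connected 10.1.1.0/24 behind the switch
POOL = [f"1.1.1.{h}/32" for h in range(10, 16)]   # post-NAT public addresses


@dataclass
class Packet:
    dst: IPv4Address
    dport: int
    ttl: int = 64


class L3Node:
    """A routing node doing longest-prefix-match lookup."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


class TransparentNaptFirewall:
    """Layer-2 firewall on the gateway <-> switch segment; not a routing hop.

    It rewrites only packets that match an existing NAPT session; anything
    else passes through unchanged on the same Layer-2 path.
    """

    def __init__(self, sessions):
        # (public ip, public port) -> (private ip, private port)
        self.sessions = {(ip_address(pub[0]), pub[1]): (ip_address(priv[0]), priv[1])
                         for pub, priv in sessions.items()}

    def inbound(self, pkt):
        hit = self.sessions.get((pkt.dst, pkt.dport))
        if hit:
            pkt.dst, pkt.dport = hit
        return hit is not None


def build_nodes(black_hole_on_switch):
    isp = L3Node("isp", [(p, "gateway") for p in POOL])       # static routes on ISP router
    gateway = L3Node("gateway", [("0.0.0.0/0", "isp"), ("10.1.2.0/24", "switch")]
                     + [(p, "switch") for p in POOL])          # static /32 routes
    switch_routes = [("10.1.1.0/24", INTRANET), ("0.0.0.0/0", "gateway")]
    if black_hole_on_switch:
        switch_routes += [(p, NULL0) for p in POOL]            # next hop NULL 0
    return {n.name: n for n in (isp, gateway, L3Node("switch", switch_routes))}


def trace(dst, dport, sessions, black_hole_on_switch):
    """Trace an Internet-originated packet; returns (hop list, outcome)."""
    nodes = build_nodes(black_hole_on_switch)
    fw = TransparentNaptFirewall(sessions)
    pkt = Packet(ip_address(dst), dport)
    cur, path = "isp", ["isp"]
    while pkt.ttl > 0:
        route = nodes[cur].lookup(pkt.dst)
        if route is None:
            return path, "no route"
        nxt = route[1]
        if nxt == NULL0:
            return path, "dropped by black-hole route"
        if nxt == INTRANET:
            return path, f"delivered to {pkt.dst}"
        pkt.ttl -= 1
        if cur == "gateway" and nxt == "switch":
            fw.inbound(pkt)      # the transparent firewall sits on this hop
        cur = nxt
        path.append(cur)
    return path, "TTL expired"


if __name__ == "__main__":
    session = {("1.1.1.12", 20000): ("10.1.1.7", 51000)}   # constructed sample
    print(trace("1.1.1.12", 20000, session, False))        # reply to a real session
    print(trace("1.1.1.12", 20000, {}, False))             # unsolicited, no black hole
    print(trace("1.1.1.12", 20000, {}, True))              # unsolicited, black hole
```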

Example 5: NAT Server for Internet Users to Access Intranet Servers

Networking Diagram
The FTP server (10.2.0.8/24) resides on intranet segment 10.2.0.0/24 in the trust zone and connects to firewall interface GE0/0/2 (10.2.0.1/24). The firewall (FW) connects to ISP1 through the untrust1 zone and to ISP2 through the untrust2 zone.

A firewall is deployed at the network border as a security gateway. It accesses the Internet through two ISP networks.
In this example, NAT Server is configured on the firewall to provide different service addresses of intranet servers for users on the ISP networks.

Item / Data / Description
NAT Server1: Public IP address: 1.1.1.10; Private IP address: 10.2.0.8; Public port: 21; Private port: 21; Zone: untrust1. When Internet users send traffic to 1.1.1.10, the FW can forward the traffic to the FTP server based on this mapping entry.
NAT Server2: Public IP address: 2.2.2.20; Private IP address: 10.2.0.8; Public port: 21; Private port: 21; Zone: untrust2. When Internet users send traffic to 2.2.2.10, the FW can forward the traffic to the FTP server based on this mapping entry.
Static routes on the ISP1 router: Destination address: 1.1.1.10; Next hop address: 1.1.1.1.
Static routes on the ISP2 router: Destination address: 2.2.2.10; Next hop address: 2.2.2.2.

Step 1: Create security zones on FW
Create security zones untrust1 and untrust2.

Step 2: Configure the interfaces on FW
Set parameters for the interface connecting to the ISP1 network. Set parameters for the interface connecting to the ISP2 network. Set LAN interface parameters.

Step 3: Configure security policies on FW
Allow Internet users to access intranet servers.

Step 4: Configure NAT Server on FW
Configure server mappings policy_ftp1 and policy_ftp2.

Step 5: Enable NAT ALG for FTP

Step 6: Verify the configurations
1. Internet users can access intranet servers through different ISP networks.
2. Click Diagnose to view the server mapping status. If the current state is Connected, the intranet server is reachable.

Example 6: Both Intranet and Internet Users Accessing an Intranet Server

Networking Diagram
The PC (10.3.0.31/24) and the FTP server (10.3.0.30/24) reside on intranet segment 10.3.0.0/24 (Trust zone) and connect to firewall interface GE0/0/2 (10.3.0.1/24). Firewall interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the router at 1.1.1.254/24.

Both intranet users and the FTP server for Internet users reside on subnet 10.3.0.0/24 in the Trust zone.
The enterprise uses a fixed IP address provided by the ISP to access the Internet.
Both intranet and Internet users use the public IP address 1.1.1.2 and port 2121 to access the FTP server, and intranet users use public IP address 1.1.1.1 to access the Internet.

Item / Data / Description
GigabitEthernet 0/0/2: Security zone: Trust; IP address: 10.3.0.1/24. The FTP server uses 10.3.0.1 as the default gateway address.
GigabitEthernet 0/0/1: Security zone: Untrust; IP address: 1.1.1.1/24. 1.1.1.1/24 is a public address provided by the ISP.
FTP server: Public IP address: 1.1.1.2; Public port: 2121.
DNS server: 1.2.2.2/24. Obtained from the ISP.
Gateway IP address: 1.1.1.254/24. Obtained from the ISP.

Step 1: Configure Interfaces
Set WAN interface parameters. Set LAN interface parameters.

Step 2: Configure Security Policy
Permit intranet users to access the Internet. Permit Internet users to access the intranet FTP server.

Step 3: Create NAT Address Pool
Configure a public IP address 1.1.1.1 in a NAT address pool.

Step 4: Configure Source NAT
Add a source NAT policy for intranet users to access the Internet using a public IP address. Add a source NAT policy for intranet users to access the public IP address of the FTP server.

Step 5: Configure Server Mapping
Map the private IP address of the FTP server to public IP address 1.1.1.2.

Step 6: Configure NAT ALG
By default, the NAT ALG is enabled for FTP.

Step 7: Verify the Configurations
1. The PC on the LAN can access the Internet.
2. Internet users can access public IP address 1.1.1.2 and port 2121 of the FTP server. Intranet users can access public IP address 1.1.1.2 and port 2121 of the FTP server.
3. Choose Policy > NAT Policy > NAT Policy on the firewall to view the number of packets that match the configured source NAT policy.
4. Choose Monitor > Session Table on the firewall to view NAT information. Check for the entries in which the destination address is 1.1.1.2. To view the port translation information, click the corresponding entry.
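The second source NAT policy in Step 4 is the part of this example most often left out. The following Python model is an added illustration, not Huawei code and not part of the guide: it replays one request from the intranet PC 10.3.0.31 to 1.1.1.2:2121 with and without that policy. The server's private port (21), the client's source port, and the use of pool address 1.1.1.1 as the translated source are assumptions.

```python
# Added illustration for Example 6; this is not Huawei code and not part of
# the original guide. It shows why an intranet client that reaches the FTP
# server by its public address 1.1.1.2:2121 needs the second source NAT
# policy from Step 4 and not only the server mapping from Step 5: without
# it the server replies directly on the LAN, the firewall never sees the
# reply, and the client receives a packet from a peer it did not connect to.
# Addresses follow the example; the server's private port (21), the client
# port and the use of pool address 1.1.1.1 for the hairpin are assumptions.
from dataclasses import dataclass

LAN_PREFIX = "10.3.0."                 # Trust subnet 10.3.0.0/24
POOL_ADDRESS = "1.1.1.1"               # NAT address pool (Step 3)
SERVER_PUBLIC = ("1.1.1.2", 2121)      # server mapping (Step 5)
SERVER_PRIVATE = ("10.3.0.30", 21)     # FTP server; port 21 is assumed
CLIENT = ("10.3.0.31", 40000)          # intranet PC; source port constructed


@dataclass(frozen=True)
class Pkt:
    src: tuple   # (ip, port)
    dst: tuple


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def firewall_forward(pkt, hairpin_snat):
    """Client -> server direction. Applies the server mapping (destination
    NAT) and, when enabled, source NAT for LAN-to-LAN traffic addressed to
    the public server address. Returns the translated packet and the
    session entry the firewall records."""
    dst = SERVER_PRIVATE if pkt.dst == SERVER_PUBLIC else pkt.dst
    src = pkt.src
    if hairpin_snat and on_lan(pkt.src[0]) and on_lan(dst[0]):
        src = (POOL_ADDRESS, 50000)    # translated source; port constructed
    session = {"orig": (pkt.src, pkt.dst), "xlat": (src, dst)}
    return Pkt(src, dst), session


def firewall_reverse(pkt, session):
    """Server -> client direction: undo both translations for a reply that
    matches the recorded session; anything else has no known session."""
    xsrc, xdst = session["xlat"]
    if (pkt.src, pkt.dst) != (xdst, xsrc):
        return None
    osrc, odst = session["orig"]
    return Pkt(odst, osrc)


def hairpin_ftp(hairpin_snat):
    """Simulate one request/reply and report what the client receives."""
    request = Pkt(CLIENT, SERVER_PUBLIC)
    fwd, session = firewall_forward(request, hairpin_snat)
    reply = Pkt(fwd.dst, fwd.src)      # the server answers whoever it saw
    # The server's routing decision: a destination on 10.3.0.0/24 is reached
    # directly on the LAN, bypassing the firewall; any other destination is
    # sent to the default gateway 10.3.0.1, i.e. back through the firewall.
    if on_lan(reply.dst[0]):
        received, via = reply, "direct on LAN"
    else:
        received, via = firewall_reverse(reply, session), "via firewall"
    # The client only accepts a reply from the peer it connected to.
    accepted = received is not None and (received.src, received.dst) == (SERVER_PUBLIC, CLIENT)
    return {"via": via, "reply_src": received.src if received else None, "accepted": accepted}


if __name__ == "__main__":
    print("server mapping only:  ", hairpin_ftp(False))
    print("mapping + source NAT: ", hairpin_ftp(True))
```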

Example 7: Site-to-Site IPSec Tunnel

Networking Diagram
Network A is behind Firewall_A: GE0/0/3 (10.1.1.1/24, Trust zone) faces Network A and GE0/0/1 (1.1.3.1/24, Untrust zone) faces the Internet. Network B is behind Firewall_B: GE0/0/1 (1.1.5.1/24, Untrust zone) faces the Internet and GE0/0/3 (10.1.2.1/24, Trust zone) faces Network B. The IPSec tunnel runs between the two Untrust interfaces.

Firewall_A and Firewall_B are egress gateways of Network A and Network B respectively, using fixed IP addresses to access the Internet. Firewall_A and Firewall_B are reachable to each other.
Firewall_A and Firewall_B establish site-to-site IPSec tunnels in IKE negotiation mode so that the devices on both Network A and Network B can proactively initiate connections to the peer network.

Item / Firewall_A / Firewall_B
Scenario: Site-to-Site / Site-to-Site
Peer IP Address: 1.1.5.1 / 1.1.3.1
Authentication Type: Pre-Shared Key / Pre-Shared Key
Pre-Shared Key: Admin@123 / Admin@123
Local ID: IP Address / IP Address
Peer ID: IP Address / IP Address

Step 1: Configure the interfaces on Firewall_A
Set WAN interface parameters. Set LAN interface parameters.

Step 2: Configure security policies on Firewall_A
Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
Permit Firewall_A to connect to the public IP address of Firewall_B.
Permit Firewall_B to use its public IP address to connect to Firewall_A.

Step 3: Configure routes on Firewall_A
Configure a route to private IP addresses on Network B. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.

Step 4: Configure IPSec on Firewall_A
Select a scenario and complete basic settings. The Pre-Shared Key is Admin@123. Configure an IKE/IPSec proposal. Add a data flow to be encrypted.
In the example, all IPSec proposal parameters use the default values. If you have specific requirements on these parameters, change them, but ensure that they are consistent with those on Firewall_B.

Step 5: Configure the interfaces on Firewall_B
Set WAN interface parameters. Set LAN interface parameters.

Step 6: Configure security policies on Firewall_B
Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
Permit Firewall_B to connect to the public IP address of Firewall_A.
Permit Firewall_A to use its public IP address to connect to Firewall_B.

Step 7: Configure routes on Firewall_B
Configure a route to private IP addresses on Network A. In the example, the next-hop IP address from Firewall_B to the Internet is 1.1.5.2.

Step 8: Configure IPSec on Firewall_B
Select a scenario and complete basic settings. The Pre-Shared Key is Admin@123. Configure an IKE/IPSec proposal. Add a data flow to be encrypted.
In the example, all IPSec proposal parameters use the default values. If you have specific requirements on these parameters, change them, but ensure that they are consistent with those on Firewall_A.

Step 9: Verify the configurations
After the configuration is complete, view the IPSec policy list and IPSec tunnel monitoring information. You can view the established IPSec tunnel. Use a host on Network A to access a host or server on Network B. The access succeeds. Use a host on Network B to access a host or server on Network A. The access also succeeds.
Check the IPSec policy list and IPSec tunnel monitoring information on Firewall_A and on Firewall_B.
After the configuration is complete, if no IPSec tunnel is established, click Diagnose to check for the cause and solution.

Example 8: Site-to-Multisite IPSec Tunnel (Policy Template)

Networking Diagram
Headquarters: Firewall_A (FW_A) with GE0/0/3 (10.1.1.1/24, Trust zone) toward PC1 (10.1.1.2/24) and GE0/0/1 (1.1.3.1/24, Untrust zone) toward the Internet.
Branch 1: Firewall_B (FW_B) with GE0/0/1 (Untrust zone, dynamically assigned address) toward the Internet and GE0/0/3 (10.1.2.1/24, Trust zone) toward PC2 (10.1.2.2/24). IPSec Tunnel 1 connects Firewall_B to Firewall_A.
Branch 2: Firewall_C (FW_C) with GE0/0/1 (Untrust zone, dynamically assigned address) toward the Internet and GE0/0/3 (10.1.3.1/24, Trust zone) toward PC3 (10.1.3.2/24). IPSec Tunnel 2 connects Firewall_C to Firewall_A.

Firewall_A is the egress gateway of the headquarters. Firewall_B and Firewall_C are egress gateways of branches 1 and 2, respectively. Firewall_A uses a fixed IP address to access the Internet. Firewall_B and Firewall_C use dynamically obtained IP addresses to access the Internet.
IPSec tunnels are established between Firewall_A and Firewall_B and between Firewall_A and Firewall_C, so that PCs in branches 1 and 2 can initiate connections to the headquarters (the headquarters is not allowed to initiate connections to branches).

Item / Firewall_A (Headquarters) / Firewall_B (Branch 1) / Firewall_C (Branch 2)
Scenario: Site-to-Multisite / Site-to-Site / Site-to-Site
Peer IP Address: - / 1.1.3.1 / 1.1.3.1
Authentication Type: Pre-Shared Key / Pre-Shared Key / Pre-Shared Key
Pre-Shared Key: Admin@123 / Admin@123 / Admin@123
Local ID: IP Address / IP Address / IP Address
Peer ID: any / IP Address / IP Address

Step 1: Configure the interfaces on Firewall_A
Set WAN interface parameters. Set LAN interface parameters.

Step 2: Configure security policies on Firewall_A
Allow the private IP address of the headquarters to access the private IP addresses of branches 1 and 2.
Allow the private IP addresses of branches 1 and 2 to access the private IP address of the headquarters.
Allow the public IP addresses of branches 1 and 2 to access Firewall_A.
Allow Firewall_A to access the public IP addresses of branches 1 and 2.

Step 3: Configure routes on Firewall_A
Configure a route to the private IP addresses of branch 1 and a route to the private IP addresses of branch 2. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.

Step 4: Configure IPSec on Firewall_A
Configure an IPSec policy. Add the data flow (from the headquarters to branch 1) to be encrypted. Add the data flow (from the headquarters to branch 2) to be encrypted.
If the static routes to branches are not configured based on step 3, select Reverse Route Injection in the Data Flow to Be Encrypted area, so that the private routes from the headquarters to branches are automatically generated.

Step 5: Configure the interfaces on Firewall_B
Configure the interface connecting to the Internet. In this example, the connection type is DHCP. Set LAN interface parameters.

Step 6: Configure security policies on Firewall_B
Allow the private IP address of branch 1 to access the private IP address of the headquarters.
Allow the private IP address of the headquarters to access the private IP address of branch 1.
Allow the public IP address of the headquarters to access Firewall_B.
Allow Firewall_B to access the public IP address of the headquarters.

Step 7: Configure routes on Firewall_B
Configure a route to the private address of the headquarters.

Step 8: Configure IPSec on Firewall_B
Select a scenario and complete basic settings. Configure an IKE/IPSec proposal. Add the data flow (from branch 1 to the headquarters) to be encrypted.
This example uses the default values of proposal parameters. You can change the values as required.

Step 9: Configure the interfaces on Firewall_C
Configure the interface connecting to the Internet. In this example, the connection type is DHCP. Set LAN interface parameters.

Step 10: Configure security policies on Firewall_C
Allow the private IP address of branch 2 to access the private IP address of the headquarters.
Allow the private IP address of the headquarters to access the private IP address of branch 2.
Allow the public IP address of the headquarters to access Firewall_C.
Allow Firewall_C to access the public IP address of the headquarters.

Step 11: Configure routes on Firewall_C
Configure a route to the private address of the headquarters.

Step 12: Configure IPSec on Firewall_C
Select a scenario and complete basic settings. Configure an IKE/IPSec proposal. Add the data flow (from branch 2 to the headquarters) to be encrypted.
This example uses the default values of proposal parameters. You can change the values as required.

Step 13: Verify the configuration
After the configuration is complete, query the IPSec policy list and IPSec monitoring list. The established IPSec tunnels are displayed. Use a PC in a branch to access a PC or server at the headquarters. The access succeeds.
Query the IPSec policy list and IPSec monitoring list on Firewall_A, Firewall_B, and Firewall_C.
If the IPSec tunnels are not successfully established, click Diagnose to query the cause and solution.

Example 9.1: L2TP over IPSec Access from Clients ( SecoClient ) Networking diagram

Untrust L2TP over IPSec VPN Tunnel Trust

Headquarters
GE0/0/1 GE0/0/2
Mobile User 1.1.1.1/24 Firewall 10.1.1.1/24
SecoClient (LNS)
(LAC)
Server
10.1.2.1/24
The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly
to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data
for identity authentication, and then IPSec is used to encrypt the data.

Item Data
Group name: default
User name: user0001
L2TP settings Password: Password@123
Address pool: pool 172.16.1.1 to 172.16.1.100
LNS Tunnel Password Authentication: Hello@123
Pre-shared key: Admin@123
IPSec settings Local ID: IP address
Peer ID: any peer ID
User authentication name: user0001
L2TP settings Password: Password@123
LAC Tunnel Password Authentication: Hello@123
Pre-shared key: Admin@123
IPSec settings
Peer address: 1.1.1.1/24
Back to Contents

Example 9.1: L2TP over IPSec Access from Clients ( SecoClient ) Step1 Configure interfaces

2 1

4 6
Set WAN interface parameters. Set LAN interface parameters.
Back to Contents

Example 9.1: L2TP over IPSec Access from Clients ( SecoClient ) Step2 Configure security policies

1
2
3

4
Permit LAC clients to
communicate with
the firewall.

5
Permits the firewall
to communicate with
LAC clients.

6
Permit LAC clients to
access the servers in
the headquarters.

7
Permit servers at the
headquarters to access
the Internet.
Back to Contents

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 3 Configure routes

Configure a route to the Internet. In this example, the next-hop IP address from the firewall to the Internet is 1.1.1.2.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 4 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is user0001 and the password is Password@123.
Add an L2TP user.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 5 Add an IP pool

Add an IP address pool named pool; the pool range is 172.16.1.1 to 172.16.1.100.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 6 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 7 Configure L2TP group

Enable L2TP.
In this example, the tunnel password is Hello@123.
Create an L2TP group.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 8 Configure SecoClient (1)

SecoClient is VPN remote access client software provided by Huawei. It provides secure and convenient access for mobile office users who remotely access resources in an enterprise network. Currently, you can search for and download SecoClient on the Huawei enterprise support website http://support.huawei.com/enterprise.

Open SecoClient.
Create a new connection.
Set the L2TP connection parameters.
Enable tunnel authentication; the authentication password is Hello@123.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 8 Configure SecoClient (2)

Select Enable IPSec Protocol.
Complete the IPSec Configuration.
Complete the IKE Basic Configuration: select Pre-shared Key; the pre-shared key is Admin@123.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 9 Verify the configurations (1)

Choose the created L2TP over IPSec connection and click Connect.
Enter the user name and password.
After the VPN connection succeeds, the prompt message "negotiation is successed" pops up at the lower right corner.

Example 9.1: L2TP over IPSec Access from Clients (SecoClient) Step 9 Verify the configurations (2)

L2TP tunnel information displayed on the firewall.

IPSec tunnel information displayed on the firewall.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Networking diagram

[Networking diagram] PC running Windows XP (LAC client) -- Untrust -- Firewall GE0/0/1 1.1.1.2/24 (LNS), GE0/0/3 10.1.1.1/24 -- Trust -- headquarters. The L2TP over IPSec VPN tunnel runs between the LAC and the LNS.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and performs identity authentication; then IPSec encrypts the data.

Item  Data
LNS
  L2TP settings
    Group name: default
    User name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Local ID: IP address
    Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings
    User authentication name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Peer address: 1.1.1.2/24

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 2 Configure security policies

Create the following security policies:
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 3 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is vpdnuser and the password is Hello@123.
Add an L2TP user.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 4 Add an IP pool

Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 5 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 6 Configure the LAC client (1)

[Screenshot only]

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 6 Configure the LAC client (2)

[Screenshot only]

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 6 Configure the LAC client (3)

[Screenshot only]

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 7 Verify the configurations (1)

Enter the user name and password. The user name is vpdnuser, and the password is Hello@123.
Click Connect. A message is displayed, indicating that the VPN connection succeeds.
In Network Connections, you can see the VPN connection status.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 7 Verify the configurations (2)

L2TP tunnel information displayed on the firewall.

IPSec tunnel information displayed on the firewall.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Networking diagram

[Networking diagram] PC running Windows 7 (LAC) -- Untrust -- Firewall GE0/0/1 1.1.1.2/29 (LNS), GE0/0/3 10.1.1.1/24 -- Trust -- headquarters. The L2TP over IPSec VPN tunnel runs between the LAC and the LNS.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and performs identity authentication; then IPSec encrypts the data.

Item  Data
LNS
  L2TP settings
    Group name: default
    User name: vpdnuser
    Password: Password@123
  IPSec settings
    Pre-shared key: Admin@123
    Local ID: IP address
    Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings
    User authentication name: vpdnuser
    Password: Password@123
  IPSec settings
    Pre-shared key: Admin@123
    Peer address: 1.1.1.2/29

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 2 Configure security policies

Create the following security policies:
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 3 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is vpdnuser and the password is Password@123.
Add an L2TP user.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 4 Add an IP pool

Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 5 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 6 Configure the LAC client (1)

[Screenshot only]

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 6 Configure the LAC client (2)

[Screenshot only]

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 6 Configure the LAC client (3)

[Screenshot only]

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 7 Verify the configurations (1)

After the connection succeeds, you can see that the VPN connection state becomes Connected.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 7 Verify the configurations (2)

L2TP tunnel information displayed on the firewall.

IPSec tunnel information displayed on the firewall.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Networking diagram

[Networking diagram] PC running Windows 10 (LAC client) -- Untrust -- Firewall GE0/0/1 1.1.1.2/24 (LNS), GE0/0/3 10.1.1.1/24 -- Trust -- headquarters. The L2TP over IPSec VPN tunnel runs between the LAC and the LNS.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and performs identity authentication; then IPSec encrypts the data.

Item  Data
LNS
  L2TP settings
    Group name: default
    User name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Local ID: IP address
    Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings
    User authentication name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Peer address: 1.1.1.2/24

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 2 Configure security policies

Create the following security policies:
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 3 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is vpdnuser and the password is Hello@123.
Add an L2TP user.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 4 Add an IP pool

Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 5 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 6 Configure the LAC client (1)

[Screenshot only]

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 6 Configure the LAC client (2)

In Network Connections, you can see the new connection.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 6 Configure the LAC client (3)

Right-click the connection and choose Properties from the shortcut menu.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 7 Verify the configurations (1)

Click Connect.
Enter the user name and password. The user name is vpdnuser, and the password is Hello@123.
The VPN connection succeeds.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 7 Verify the configurations (2)

L2TP tunnel information displayed on the firewall.

IPSec tunnel information displayed on the firewall.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Networking diagram

[Networking diagram] PC running Mac OS X (LAC client) -- Untrust -- Firewall GE0/0/1 1.1.1.2/24 (LNS), GE0/0/3 10.1.1.1/24 -- Trust -- headquarters. The L2TP over IPSec VPN tunnel runs between the LAC and the LNS.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and performs identity authentication; then IPSec encrypts the data.

Item  Data
LNS
  L2TP settings
    Group name: default
    User name: macuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Local ID: IP address
    Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings
    User authentication name: macuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Peer address: 1.1.1.2/24

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 2 Configure security policies

Create the following security policies:
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 3 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is macuser and the password is Hello@123.
Add an L2TP user.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 4 Add an IP pool

Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 5 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 6 Configure the LAC client (1)

[Screenshot only]

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 6 Configure the LAC client (2)

The user name is macuser.
The password is Hello@123.
The pre-shared key is Admin@123.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 7 Verify the configurations (1)

After the configuration is complete, click Connect.
After the connection succeeds, the Status value is updated to Connected.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 7 Verify the configurations (2)

L2TP tunnel information displayed on the firewall.

IPSec tunnel information displayed on the firewall.

Example 9.6: L2TP over IPSec Access from Clients (Android) Networking diagram

[Networking diagram] Android device 3.3.3.3/24 (LAC) -- Untrust -- Firewall GE0/0/1 1.1.1.2/24 (LNS), GE0/0/3 10.1.1.1/24 -- Trust -- headquarters server. The L2TP over IPSec VPN tunnel runs between the LAC and the LNS.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and performs identity authentication; then IPSec encrypts the data.

Item  Data
LNS
  L2TP settings
    Group name: default
    User name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Local ID: IP address
    Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  IP address: 3.3.3.3/24
  L2TP settings
    User authentication name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Peer address: 1.1.1.2/24

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 2 Configure security policies

Create the following security policies:
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 3 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is vpdnuser and the password is Hello@123.
Add an L2TP user.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 4 Add an IP pool

Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 5 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 6 Configure the LAC client

Android 7.0 is used in this example.

Access the Settings page.
Access the VPN page.
Add a VPN.
Enter the IP address of the WAN interface on the firewall and the pre-shared key (Admin@123 in this example).
Confirm the information and save the configuration.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 7 Verify the configurations (1)

Select the VPN that you added.
Enter the user name and password. In this example, the user name is vpdnuser and the password is Hello@123.
Confirm the information and tap CONNECT.
After the connection succeeds, Connected is displayed in the VPN list, and the VPN connection icon is displayed in the status bar at the top of the screen.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 7 Verify the configurations (2)

IPSec tunnel information displayed on the firewall.

L2TP tunnel information displayed on the firewall.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Networking diagram

[Networking diagram] iOS device 3.3.3.3/24 (LAC) -- Untrust -- Firewall GE0/0/1 1.1.1.2/24 (LNS), GE0/0/3 10.1.1.1/24 -- Trust -- headquarters server. The L2TP over IPSec VPN tunnel runs between the LAC and the LNS.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and performs identity authentication; then IPSec encrypts the data.

Item  Data
LNS
  L2TP settings
    Group name: default
    User name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Local ID: IP address
    Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  IP address: 3.3.3.3/24
  L2TP settings
    User authentication name: vpdnuser
    Password: Hello@123
  IPSec settings
    Pre-shared key: Admin@123
    Peer address: 1.1.1.2

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 2 Configure security policies

Create the following security policies:
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 3 Configure L2TP users

Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
In this example, the user name is vpdnuser and the password is Hello@123.
Add an L2TP user.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 4 Add an IP pool

Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 5 Configure L2TP over IPSec

Set Scenario and Peer Type, then complete the basic configuration.
In this example, the pre-shared key is Admin@123.
Add the IP pool.
Add and set the following parameters to configure a data flow rule.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 6 Configure the LAC client

iOS 10.0 is used in this example.

Access the Settings page.
Access the VPN page.
Add a VPN.
Enter the IP address of the WAN interface on the firewall.
Enter the pre-shared key configured on the firewall. It is Admin@123 in this example.
Enter the user name and password. In this example, the user name is vpdnuser and the password is Hello@123.
Confirm the information and save the configuration.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 7 Verify the configurations (1)

Select a VPN.
Enable the VPN function.
After the connection succeeds, the Status value becomes Connected, and the VPN connection icon is displayed in the status bar at the top of the screen.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 7 Verify the configurations (2)

IPSec tunnel information displayed on the firewall.

L2TP tunnel information displayed on the firewall.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Networking diagram

The enterprise requires that each teleworker have an intranet IP address so that intranet resources can be accessed as if the teleworker were on the LAN. For security reasons, local authentication should be configured to authenticate teleworkers.

Item  Data
DNS server: IP address 10.1.1.2/24
Authentication mode: Local authentication
SSL VPN user:
  User name: user
  Password: Admin@1234
Virtual IP address pool of network extension: 10.1.1.50~10.1.1.100
  After the device for teleworking connects to the enterprise network through SSL VPN and enables network extension, the firewall assigns the device an IP address from this pool.
Accessible intranet subnet: 10.1.1.0/24

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 2 Create a user group and its users

Create a user group.
Create a user.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 3 Configure an SSL VPN gateway (1)

Configure the basic SSL VPN gateway parameters based on the networking requirements.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 3 Configure an SSL VPN gateway (2)

Select SSL versions and encryption suites.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 3 Configure an SSL VPN gateway (3)

Select the required functions.

Normally, enabling SSL VPN network extension does not require any route from the virtual gateway to the user's IP address. However, once IP spoofing attack defense is enabled on the FW, packets from the user to the virtual gateway are identified as IP spoofing attack packets and discarded. In that case, configure a route from the virtual gateway to the user's IP address when you enable network extension.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 3 Configure an SSL VPN gateway (4)

Configure network extension.
Add an accessible private network segment.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 3 Configure an SSL VPN gateway (5)

Add role authentication.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 4 Configure security policies

Permit employees working at home to log in to the SSL VPN gateway.
Permit teleworkers to access intranet resources: set the source address to the network extension address pool and the destination address to the IP address of the intranet resource that teleworkers are allowed to access.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 5 Verify the configurations (1)

Enter https://1.1.1.1 in the browser. Install the controls as prompted by the browser upon the first login.
Enter a user name and password.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 5 Verify the configurations (2)

Enable network extension. Install the virtual network adapter as prompted upon the first login.
Network extension status after it is enabled.

Example 10.1: SSL VPN Tunnel Access (Local Authentication) Step 5 Verify the configurations (3)

Virtual IP address and DNS server address that the client obtains from the firewall.

The client can access resources on the enterprise network. For example, the client can ping the DNS server (10.1.1.2) on the enterprise network.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Networking diagram

[Networking diagram] Teleworker -- Untrust -- SSL VPN -- FW GE0/0/1 1.1.1.1/24, GE0/0/3 10.1.1.1/24 -- Trust -- enterprise network with DNS server.

The enterprise requires that each teleworker have an intranet IP address so that intranet resources can be accessed as if the teleworker were on the LAN. For security reasons, certificate and local authentication (certificate challenge) should be configured to authenticate teleworkers.

Item  Data
DNS server: IP address 10.1.1.2/24
Authentication mode: Certificate challenge
  Auxiliary authentication mode: VPNDB
SSL VPN user:
  User name: user
  Password: Admin@123
Client certificate: user.p12
  Import the client certificate into the browser on the device for teleworking. The firewall verifies the user's identity based on the client certificate (the CN field of the client certificate is used as the user name). When making the client certificate, ensure that the CN field value is the VPN user name (user).
Client CA certificate: ca.crt
  The CA server that issues the client certificate has a CA certificate. After being imported to the firewall, this CA certificate is used by the firewall to verify the validity of the client certificate.
Virtual IP address pool of network extension: 10.1.1.50~10.1.1.100
  After the device for teleworking connects to the enterprise network through SSL VPN and enables network extension, the firewall assigns the device an IP address from this pool.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 1 Configure interfaces

Set the WAN interface parameters and the LAN interface parameters.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 2 Create a user group and its users

Create a user group.
Create a user.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 3 Upload the client CA certificate

After applying for or producing the client CA certificate and the client certificate, upload the client CA certificate to the firewall.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 4 Configure an SSL VPN gateway (1)

Configure the basic SSL VPN gateway parameters based on the networking requirements.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 4 Configure an SSL VPN gateway (2)

Select SSL versions and encryption suites.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 4 Configure an SSL VPN gateway (3)

Select the required functions.

Normally, enabling SSL VPN network extension does not require any route from the virtual gateway to the user's IP address. However, once IP spoofing attack defense is enabled on the FW, packets from the user to the virtual gateway are identified as IP spoofing attack packets and discarded. In that case, configure a static route from the virtual gateway to the user's IP address when you enable network extension: the destination address is the IP address in the user address pool, and the next hop is the next-hop IP address from the virtual gateway to the Internet.
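The note above (and the same note in Example 10.1, Step 3 (3)) describes a false positive of the IP spoofing defense. The following added example, which is not Huawei code, models that defense as a reverse-path check over a small routing table: a teleworker's pool address fails the check until the static route the note describes is added, while an Internet packet that claims a LAN source address is still dropped. The reverse-path model itself and the default route's next hop 1.1.1.2 are assumptions, as is treating the decapsulated packet as arriving on the Untrust interface.

```python
"""Reverse-path model of the IP spoofing defense and the network extension
route (constructed example; the firewall's real check may differ)."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    interface: str
    next_hop: str          # "connected" for a directly attached subnet


class RoutingTable:
    def __init__(self, routes=()):
        self.routes = list(routes)

    def add(self, route):
        self.routes.append(route)

    def lookup(self, ip):
        """Longest-prefix match; None when no route covers ip."""
        addr = ipaddress.ip_address(ip)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def reverse_path_ok(table, src_ip, ingress):
    """Modelled spoofing check (assumption): the route back to the source
    must leave through the interface the packet arrived on."""
    r = table.lookup(src_ip)
    return r is not None and r.interface == ingress


def check_packet(table, src_ip, ingress):
    return "forward" if reverse_path_ok(table, src_ip, ingress) else "drop"


def network_extension_routes(first, last, internet_next_hop="1.1.1.2"):
    """The static routes the note asks for: destination = the user address
    pool, next hop = the virtual gateway's next hop towards the Internet.
    The pool range is split into exact prefixes so nothing outside it is covered."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [Route(b, "GE0/0/1", internet_next_hop) for b in blocks]


def build_table(with_pool_routes=False):
    """Routes implied by the example: GE0/0/1 1.1.1.1/24 (Untrust) and
    GE0/0/3 10.1.1.1/24 (Trust). The default route's next hop is an assumption."""
    table = RoutingTable([
        Route(IPv4Net("1.1.1.0/24"), "GE0/0/1", "connected"),
        Route(IPv4Net("10.1.1.0/24"), "GE0/0/3", "connected"),
        Route(IPv4Net("0.0.0.0/0"), "GE0/0/1", "1.1.1.2"),
    ])
    if with_pool_routes:
        for r in network_extension_routes("10.1.1.50", "10.1.1.100"):
            table.add(r)
    return table


if __name__ == "__main__":
    # A teleworker holding 10.1.1.60 from the 10.1.1.50~10.1.1.100 pool; the
    # 10.1.1.0/24 connected route points at GE0/0/3, so the packet fails the
    # check when it logically arrives on GE0/0/1.
    before = build_table()
    after = build_table(with_pool_routes=True)
    print("pool user, no route:   ", check_packet(before, "10.1.1.60", "GE0/0/1"))
    print("pool user, with routes:", check_packet(after, "10.1.1.60", "GE0/0/1"))
    # The defense still catches an Internet host impersonating the DNS server,
    # and the real DNS server on the LAN is unaffected.
    print("spoofed 10.1.1.2 on GE0/0/1:", check_packet(after, "10.1.1.2", "GE0/0/1"))
    print("real 10.1.1.2 on GE0/0/3:   ", check_packet(after, "10.1.1.2", "GE0/0/3"))
```

The model only covers the source-address check; it does not reproduce how the firewall forwards return traffic into the SSL tunnel.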

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 4 Configure an SSL VPN gateway (4)

Configure network extension.
Add an accessible private network segment.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 4 Configure an SSL VPN gateway (5)

Add role authentication.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 5 Configure security policies

Permit employees working at home to log in to the SSL VPN gateway. Do not set the source or destination zone for this policy.
Permit teleworkers to access intranet resources: set the source address to the network extension address pool and the destination address to the IP address of the intranet resource that teleworkers are allowed to access.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 6 Install the client certificate (1)

Open Internet Explorer.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 6 Install the client certificate (2)

Select the client certificate user.p12 from the local device and import it to the PC.
If a private key password is specified in the certificate, enter the private key password in Password.
Click Next and complete the operations as prompted by the browser.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 7 Verify the configurations (1)

Enter https://1.1.1.1 in the browser. Install the controls as prompted by the browser upon the first login.
Enter a password and select a certificate.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 7 Verify the configurations (2)

Enable network extension. Install the virtual network adapter as prompted upon the first login.
Network extension status after it is enabled.

Example 10.2: SSL VPN Tunnel Access (Certificate challenge) Step 7 Verify the configurations (3)

Virtual IP address and DNS server address that the client obtains from the firewall.

The client can access resources on the enterprise network. For example, the client can ping the DNS server (10.1.1.2) on the enterprise network.

Example 11: Transparent Access for Load Balancing Networking diagram

Service interfaces on the two firewalls work at Layer 2 and connect to routers in both the upstream and downstream directions. The upstream and downstream service interfaces on the firewalls are added to the same VLAN. OSPF runs between the upstream and downstream routers. As Layer 2 devices, the firewalls transparently transmit OSPF packets and do not participate in routing protocol calculation.

In this example, the firewalls work in load balancing mode. In normal situations, both FW_A and FW_B forward traffic. If one firewall fails, the other is responsible for forwarding all services.

[Networking diagram] Upstream routers (OSPF): 10.3.0.2/24 and 10.3.1.2/24. FW_A and FW_B: GE0/0/3 upstream and GE0/0/1 downstream, both in VLAN 2; heartbeat link between GE0/0/2 on FW_A (10.10.0.1) and GE0/0/2 on FW_B (10.10.0.2). Downstream routers (OSPF): 10.3.0.1/24 and 10.3.1.1/24, with downstream subnets 10.3.2.0/24 and 10.3.3.0/24. Legend: service link, heartbeat link, VLAN.

Item  FW_A  FW_B
Working mode: Load balancing / Load balancing
Heartbeat interface: GE0/0/2 10.10.0.1/24 / GE0/0/2 10.10.0.2/24

Example 11: Transparent Access for Load Balancing Step 1 Configure Interfaces on FW_A (1)

Set the parameters for the downstream interface and for the upstream interface.

Example 11: Transparent Access for Load Balancing Step 1 Configure Interfaces on FW_A (2)

2 1

Set parameters for the


heartbeat interface.
4
Back to Contents

Example 11: Transparent Access for Load Balancing Step 2 Configure Interfaces on FW_B (1)

2 1

5
Set parameters for the Set parameters for the
downstream interface. upstream interface.
4 6
Back to Contents

Example 11: Transparent Access for Load Balancing Step 2 Configure Interfaces on FW_B (2)

2 1

Set parameters for the


heartbeat interface.
4
Back to Contents

Example 11: Transparent Access for Load Balancing Step 3 Configure FW_A to Work in Load Balancing Mode

Configure FW_A to work in load balancing mode.

Configure VLAN monitoring: set the interface type to VLAN, set the VLAN ID to 2, and click Add.

Example 11: Transparent Access for Load Balancing Step 4 Configure FW_B to Work in Load Balancing Mode

Configure FW_B to work in load balancing mode.

Configure VLAN monitoring: set the interface type to VLAN, set the VLAN ID to 2, and click Add.

Example 11: Transparent Access for Load Balancing Step 5 Configure Security Policies on FW_A (1)

Configure two security policies to allow OSPF packets to pass through the firewall.

Example 11: Transparent Access for Load Balancing Step 5 Configure Security Policies on FW_A (2)

Configure a security policy to allow intranet users to access public IP addresses.

Example 11: Transparent Access for Load Balancing Step 6 Verify the Configuration (1)

After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A and FW_B are working in load balancing mode and both firewalls forward traffic.

(Figure: hot standby status of FW_A and FW_B.)

Example 11: Transparent Access for Load Balancing Step 6 Verify the Configuration (2)

Once FW_A fails, it switches to the standby device in active/standby mode, and FW_B becomes the active device in active/standby mode. FW_B forwards traffic.

FW_A: fails and switches to the standby device in active/standby mode.

FW_B: becomes the active device in active/standby mode and forwards traffic.

Example 12: Active/Standby Firewalls Attached to L3 Devices Networking diagram

Two firewalls are attached to core switches in a DC to safeguard the DC network. Traffic passing through the core switches is diverted to the firewalls through static routes for security checks.

It is required that the two firewalls work in active/standby mode. In normal situations, FW_A forwards traffic. If FW_A fails, FW_B forwards traffic, ensuring non-stop services.

(Figure: Internet/WAN above the data center core area, which holds two core switches; FW_A and FW_B are attached to the switches, and the server area 192.168.0.0/16 sits below them. FW_A: GE0/0/3 10.1.0.1/24 (upstream), GE0/0/1 10.0.0.1/24 (downstream), GE0/0/2 10.10.0.1/24 (heartbeat). FW_B: GE0/0/3 10.1.0.2/24, GE0/0/1 10.0.0.2/24, GE0/0/2 10.10.0.2/24. Switch ports GE1/0/1 and GE1/0/2 are in VLAN 3 on the upstream side and GE1/0/3 and GE1/0/4 in VLAN 2 on the downstream side, matching the switch configuration in Step 8.)

Item                 FW_A                    FW_B
Working mode         Active/standby backup   Active/standby backup
Role                 Active                  Standby
Heartbeat interface  GE0/0/2 10.10.0.1/24    GE0/0/2 10.10.0.2/24

Example 12: Active/Standby Firewalls Attached to L3 Devices Networking diagram

As shown in the following figure, configure the VRF function on the core switches to virtualize each switch into a switch (root switch Public) connecting to the upstream and a switch (virtual switch VRF) connecting to the downstream. Both firewalls and switches use VRRP for link backup. The following figure shows the VRRP group configuration of the firewalls and switches.

(Figure: OSPF runs in the Public instance toward the upstream (SW1/SW2 GE1/0/2) and in the VRF instance toward the downstream (GE1/0/4). VLAN 3 connects the Public side of the switches (GE1/0/1, VLANIF3) to the firewalls' GE0/0/3 interfaces; VLAN 2 connects the VRF side (GE1/0/3, VLANIF2) to the firewalls' GE0/0/1 interfaces. The heartbeat link connects FW_A GE0/0/2 10.10.0.1/24 to FW_B GE0/0/2 10.10.0.2/24.)

VRRP group   Where                     Active (IP)         Standby (IP)        Virtual IP
VRRP4        Switch VLANIF3 (Public)   SW1 10.1.0.4/24     SW2 10.1.0.5/24     10.1.0.6/24
VRRP2        Firewall GE0/0/3          FW_A 10.1.0.1/24    FW_B 10.1.0.2/24    10.1.0.3/24
VRRP1        Firewall GE0/0/1          FW_A 10.0.0.1/24    FW_B 10.0.0.2/24    10.0.0.3/24
VRRP3        Switch VLANIF2 (VRF)      SW1 10.0.0.4/24     SW2 10.0.0.5/24     10.0.0.6/24

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (1)

Set parameters for the upstream interface and for the downstream interface.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (1)

Set parameters for the upstream interface and for the downstream interface.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (2)

Set parameters for the heartbeat interface.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A

Configure an upstream static route whose next hop is the address of VRRP group 4 on the switch.

Configure a downstream static route whose next hop is the address of VRRP group 3 on the switch.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B

Configure an upstream static route whose next hop is the address of VRRP group 4 on the switch.

Configure a downstream static route whose next hop is the address of VRRP group 3 on the switch.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Active/Standby Mode

Configure FW_A as the active device in active/standby mode.

Configure the virtual IP address for VRRP group 1 and the virtual IP address for VRRP group 2.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Active/Standby Mode

Configure FW_B as the standby device in active/standby mode.

Configure the virtual IP address for VRRP group 1 and the virtual IP address for VRRP group 2.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 7 Configure a Security Policy on FW_A

Configure a security policy to allow Internet users to access servers in the DC (network segment: 192.168.0.0/16; port: 80). The security policy configured on FW_A will be automatically backed up to FW_B.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1

# Configure Switch 1. Only the configuration related to interconnection with the firewall is provided here.
[Switch1] ip vpn-instance VRF //Create a VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 8 Configure Core Switch 2

# Configure Switch 2.
[Switch2] ip vpn-instance VRF //Create a VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch2-vlan3] quit
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (1)

After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A is active and FW_B is standby in active/standby backup mode.

(Figure: hot standby status of FW_A and FW_B.)

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (2)

Once FW_A fails, it switches to the standby device in active/standby mode, and FW_B becomes the active device in active/standby mode. FW_B forwards traffic.

FW_A: fails and switches to the standby device in active/standby mode.

FW_B: becomes the active device in active/standby mode and forwards traffic.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (3)

After recovery, FW_A preempts to become the active device, and FW_B becomes standby. Traffic is forwarded through FW_A.

FW_A: preempts to become active.

FW_B: becomes standby.

Example 13: Load Balancing Firewalls Attached to L3 Devices Networking diagram

Two firewalls are attached to core switches in a DC to safeguard the DC network. Traffic passing through the core switches is diverted to the firewalls through static routes for security checks.

It is required that the firewalls work in load balancing mode. In normal situations, both FW_A and FW_B forward traffic. If one firewall fails, the other is responsible for forwarding all services.

(Figure: Internet/WAN above the data center core area, which holds two core switches; FW_A and FW_B are attached to the switches, and the server area 192.168.0.0/16 sits below them. FW_A: GE0/0/3 10.1.0.1/24 (upstream), GE0/0/1 10.0.0.1/24 (downstream), GE0/0/2 10.10.0.1/24 (heartbeat). FW_B: GE0/0/3 10.1.0.2/24, GE0/0/1 10.0.0.2/24, GE0/0/2 10.10.0.2/24. Switch ports GE1/0/1 and GE1/0/2 are in VLAN 3 on the upstream side and GE1/0/3 and GE1/0/4 in VLAN 2 on the downstream side, matching the switch configuration in Steps 8 and 9.)

Item                 FW_A                    FW_B
Working mode         Load balancing          Load balancing
Heartbeat interface  GE0/0/2 10.10.0.1/24    GE0/0/2 10.10.0.2/24

Example 13: Load Balancing Firewalls Attached to L3 Devices Networking diagram

As shown in the following figure, configure the VRF function on the core switches to virtualize each switch into a switch (root switch Public) connecting to the upstream and a switch (virtual switch VRF) connecting to the downstream. Both firewalls and switches use VRRP for link backup. The following figure shows the VRRP group configuration of the firewalls and switches.

(Figure: OSPF runs in the Public instance toward the upstream (SW1/SW2 GE1/0/2) and in the VRF instance toward the downstream (GE1/0/4). VLAN 3 connects the Public side of the switches (GE1/0/1, VLANIF3) to the firewalls' GE0/0/3 interfaces; VLAN 2 connects the VRF side (GE1/0/3, VLANIF2) to the firewalls' GE0/0/1 interfaces. The heartbeat link connects FW_A GE0/0/2 10.10.0.1/24 to FW_B GE0/0/2 10.10.0.2/24. Each link carries two VRRP groups so that each device is active for one of them.)

VRRP group     Where                     FW_A / SW1 (IP)             FW_B / SW2 (IP)             Virtual IP
VRRP group 4   Switch VLANIF3 (Public)   SW1 10.1.0.4/24, active     SW2 10.1.0.5/24, standby    10.1.0.6/24
VRRP group 8   Switch VLANIF3 (Public)   SW1 10.1.0.4/24, standby    SW2 10.1.0.5/24, active     10.1.0.8/24
VRRP group 2   Firewall GE0/0/3          FW_A 10.1.0.1/24, active    FW_B 10.1.0.2/24, standby   10.1.0.3/24
VRRP group 6   Firewall GE0/0/3          FW_A 10.1.0.1/24, standby   FW_B 10.1.0.2/24, active    10.1.0.7/24
VRRP group 1   Firewall GE0/0/1          FW_A 10.0.0.1/24, active    FW_B 10.0.0.2/24, standby   10.0.0.3/24
VRRP group 5   Firewall GE0/0/1          FW_A 10.0.0.1/24, standby   FW_B 10.0.0.2/24, active    10.0.0.7/24
VRRP group 3   Switch VLANIF2 (VRF)      SW1 10.0.0.4/24, active     SW2 10.0.0.5/24, standby    10.0.0.6/24
VRRP group 7   Switch VLANIF2 (VRF)      SW1 10.0.0.4/24, standby    SW2 10.0.0.5/24, active     10.0.0.8/24

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (1)

Set parameters for the upstream interface and for the downstream interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (1)

Set parameters for the upstream interface and for the downstream interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (2)

Set parameters for the heartbeat interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A (1)

Configure two upstream static routes: one whose next hop is the address of VRRP group 4 on the switch, and one whose next hop is the address of VRRP group 8 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A (2)

Configure two downstream static routes: one whose next hop is the address of VRRP group 3 on the switch, and one whose next hop is the address of VRRP group 7 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B (1)

Configure two upstream static routes: one whose next hop is the address of VRRP group 4 on the switch, and one whose next hop is the address of VRRP group 8 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B (2)

Configure two downstream static routes: one whose next hop is the address of VRRP group 3 on the switch, and one whose next hop is the address of VRRP group 7 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Load Balancing Mode (1)

Configure FW_A to work in load balancing mode.

Configure the virtual IP address for VRRP group 1 and the virtual IP address for VRRP group 2.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Load Balancing Mode (2)

Configure the virtual IP address for VRRP group 5 and the virtual IP address for VRRP group 6.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Load Balancing Mode (1)

Configure FW_B to work in load balancing mode.

Configure the virtual IP address for VRRP group 1 and the virtual IP address for VRRP group 2.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Load Balancing Mode (2)

Configure the virtual IP address for VRRP group 5 and the virtual IP address for VRRP group 6.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 7 Configure a Security Policy on FW_A

Configure a security policy to allow Internet users to access servers in the DC (network segment: 192.168.0.0/16; port: 80). The security policy configured on FW_A will be automatically backed up to FW_B.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1 (1)

# Configure Switch 1. Only the configuration related to interconnection with the firewall is provided here.
[Switch1] ip vpn-instance VRF //Create a VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Configure VRRP group 7.
[Switch1-Vlanif2] vrrp vrid 7 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch1-vlan3] quit

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1 (2)

# Configure Switch 1 (continued).
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 //Configure VRRP group 8.
[Switch1-Vlanif3] vrrp vrid 8 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 5.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 6.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 9 Configure Core Switch 2 (1)

# Configure Switch 2.
[Switch2] ip vpn-instance VRF //Create a VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch2-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Configure VRRP group 7.
[Switch2-Vlanif2] vrrp vrid 7 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch2-vlan3] quit

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 9 Configure Core Switch 2 (2)

# Configure Switch 2 (continued).
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch2-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 //Configure VRRP group 8.
[Switch2-Vlanif3] vrrp vrid 8 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 5.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 6.
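The Switch 1 and Switch 2 configurations in Steps 8 and 9 (and the Example 12 pair in its Step 8) only work if both switches agree on every VRRP group, the priorities differ so that the master is deterministic, each VLANIF has a master on each switch, and the firewall static routes of Steps 3 and 4 point at switch virtual IPs rather than at a physical VLANIF address. The Python script below is an added example, not Huawei tooling or anything from this guide: it parses the VLANIF lines of both switch configurations (copied from the page) and reports those four classes of mistake. `SWITCH2_TYPO` is a constructed misconfiguration, with the group 8 virtual IP mistyped on Switch 2, used to show a finding; `FW_NEXT_HOPS` lists the next hops the firewall routes use in Steps 3 and 4.

```python
import re
from collections import defaultdict

# Copied from Example 13 Steps 8 and 9 (VLANIF lines only); the prompts are as printed on the page.
SWITCH1 = """
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6
[Switch1-Vlanif2] vrrp vrid 3 priority 120
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8
[Switch1-Vlanif2] vrrp vrid 7 priority 100
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6
[Switch1-Vlanif3] vrrp vrid 4 priority 120
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8
[Switch1-Vlanif3] vrrp vrid 8 priority 100
"""
SWITCH2 = """
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6
[Switch2-Vlanif2] vrrp vrid 3 priority 100
[Switch2-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8
[Switch2-Vlanif2] vrrp vrid 7 priority 120
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6
[Switch2-Vlanif3] vrrp vrid 4 priority 100
[Switch2-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8
[Switch2-Vlanif3] vrrp vrid 8 priority 120
"""
# Constructed misconfiguration (not from the page): the group 8 virtual IP on Switch2 is mistyped.
SWITCH2_TYPO = SWITCH2.replace("vrid 8 virtual-ip 10.1.0.8", "vrid 8 virtual-ip 10.1.0.18")

# Next hops of the firewall static routes in Steps 3 and 4 (VRRP groups 4, 8, 3 and 7).
FW_NEXT_HOPS = ["10.1.0.6", "10.1.0.8", "10.0.0.6", "10.0.0.8"]

VRRP_RE = re.compile(
    r"^\[(?P<sw>\w+)-Vlanif(?P<vlanif>\d+)\] vrrp vrid (?P<vrid>\d+) "
    r"(?:virtual-ip (?P<vip>\S+)|priority (?P<prio>\d+))$"
)


def parse_vrrp(config):
    """Return {vrid: {"vlanif": n, "vip": ip, "priority": p}} for one switch.
    A group with no priority line gets VRRP's default priority of 100."""
    groups = {}
    for line in config.splitlines():
        m = VRRP_RE.match(line.strip())
        if not m:
            continue
        g = groups.setdefault(int(m["vrid"]),
                              {"vlanif": int(m["vlanif"]), "vip": None, "priority": 100})
        if m["vip"]:
            g["vip"] = m["vip"]
        if m["prio"]:
            g["priority"] = int(m["prio"])
    return groups


def check_pair(name_a, cfg_a, name_b, cfg_b, fw_next_hops):
    """Return (findings, masters): findings lists problems, masters maps vrid -> switch name."""
    a, b = parse_vrrp(cfg_a), parse_vrrp(cfg_b)
    findings, masters = [], {}
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"vrid {vrid}: configured on only one switch")
            continue
        ga, gb = a[vrid], b[vrid]
        if ga["vlanif"] != gb["vlanif"]:
            findings.append(f"vrid {vrid}: VLANIF mismatch ({ga['vlanif']} vs {gb['vlanif']})")
        if ga["vip"] != gb["vip"]:
            findings.append(f"vrid {vrid}: virtual IP mismatch ({ga['vip']} vs {gb['vip']})")
        if ga["priority"] == gb["priority"]:
            findings.append(f"vrid {vrid}: equal priorities, master depends on the interface IP tie-break")
        masters[vrid] = name_a if ga["priority"] >= gb["priority"] else name_b
    # Load sharing: a VLANIF that carries several groups should have a master on each switch.
    owners = defaultdict(set)
    for vrid, master in masters.items():
        owners[a[vrid]["vlanif"]].add(master)
    for vlanif, names in owners.items():
        n_groups = sum(1 for v in masters if a[v]["vlanif"] == vlanif)
        if n_groups > 1 and len(names) == 1:
            findings.append(f"Vlanif{vlanif}: all {n_groups} groups mastered by {next(iter(names))}")
    # The firewall static routes must point at virtual IPs, never at one switch's own VLANIF address.
    vips = {g["vip"] for g in a.values()} | {g["vip"] for g in b.values()}
    for hop in fw_next_hops:
        if hop not in vips:
            findings.append(f"firewall next hop {hop} is not a VRRP virtual IP on the switches")
    return findings, masters


if __name__ == "__main__":
    print(check_pair("Switch1", SWITCH1, "Switch2", SWITCH2, FW_NEXT_HOPS))
    print(check_pair("Switch1", SWITCH1, "Switch2", SWITCH2_TYPO, FW_NEXT_HOPS))
```

With the page's configuration the script reports no findings and elects Switch1 for groups 3 and 4 and Switch2 for groups 7 and 8, which is the split the networking diagram shows; the mistyped variant produces a single virtual IP mismatch for group 8. The same check applied to the Example 12 pair reports that VLANIF2 and VLANIF3 each carry only one group, which is expected there because that example is active/standby, not load balancing.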

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (1)

After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A and FW_B are working in load balancing mode and both firewalls forward traffic.

(Figure: hot standby status of FW_A and FW_B.)

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (2)

Once FW_A fails, it switches to the standby device in active/standby mode, and FW_B becomes the active device in active/standby mode. FW_B forwards traffic.

FW_A: fails and switches to the standby device in active/standby mode.

FW_B: becomes the active device in active/standby mode and forwards traffic.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (3)

After FW_A recovers, FW_A and FW_B start to work in load balancing mode again and forward traffic together.

FW_A: returns to load balancing mode.

FW_B: returns to load balancing mode.

Example 14: Active/Standby Backup in In-path Deployment Networking diagram

On the network shown in this figure, the service interfaces of the two firewalls work at Layer 3 and directly connect to Layer 2 switches in both upstream and downstream directions. The upstream switch connects to the interface provided by the carrier, who has assigned 1.1.1.1 to the enterprise.

It is required that the two firewalls work in active/standby mode. In normal situations, FW_A forwards traffic. If FW_A fails, FW_B forwards traffic, ensuring non-stop services.

(Figure: Router 1.1.1.10/24 above the upstream Layer 2 switch. FW_A GE0/0/1 10.2.0.1/24 and FW_B GE0/0/1 10.2.0.2/24 form VRRP group 1 with virtual IP 1.1.1.1/24. FW_A GE0/0/3 10.3.0.1/24 and FW_B GE0/0/3 10.3.0.2/24 form VRRP group 2 with virtual IP 10.3.0.3/24 toward the intranet. Heartbeat link: FW_A GE0/0/2 10.10.0.1/24 to FW_B GE0/0/2 10.10.0.2/24. Service links and the heartbeat link are drawn separately.)

Item                 FW_A                    FW_B
Working mode         Active/standby backup   Active/standby backup
Role                 Active                  Standby
Heartbeat interface  GE0/0/2 10.10.0.1/24    GE0/0/2 10.10.0.2/24

Example 14: Active/Standby Backup in In-path Deployment Step 1 Configure interfaces on FW_A (1)

Set parameters for the upstream interface and for the downstream interface.

Example 14: Active/Standby Backup in In-path Deployment Step 1 Configure interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 14: Active/Standby Backup in In-path Deployment Step 2 Configure interfaces on FW_B (1)

Set parameters for the upstream interface and for the downstream interface.

Example 14: Active/Standby Backup in In-path Deployment Step 2 Configure interfaces on FW_B (2)

Set parameters for the heartbeat interface.

Example 14: Active/Standby Backup in In-path Deployment Step 3 Configure FW_A as the Active Device

Configure FW_A as the active device in active/standby backup mode.

Configure the virtual IP address of VRRP group 1 and the virtual IP address of VRRP group 2.

Example 14: Active/Standby Backup in In-path Deployment Step 4 Configure FW_B as the Standby Device

Configure FW_B as the standby device in active/standby backup mode.

Configure the virtual IP address of VRRP group 1 and the virtual IP address of VRRP group 2.

Example 14: Active/Standby Backup in In-path Deployment Step 5 Configure a security policy on FW_A

Configure a security policy to allow intranet users to access public IP addresses. The security policy configured on FW_A will be automatically synchronized to FW_B.

Example 14: Active/Standby Backup in In-path Deployment Step 6 Verify the configuration (1)

After the configuration is complete, view the running status of FW_A and FW_B. You can see that FW_A and FW_B are working in active/standby mode. FW_A is active, while FW_B is standby.

(Figure: FW_A is active. FW_B is standby.)

Example 14: Active/Standby Backup in In-path Deployment Step 6 Verify the configuration (2)

If FW_A fails, FW_B automatically becomes active.

Example 14: Active/Standby Backup in In-path Deployment Step 6 Verify the configuration (3)

After FW_A recovers:

FW_A becomes active again through preemption.

FW_B becomes standby.

Example 15: In-path Deployment in a Load Balancing Scenario Networking diagram

Service interfaces of the two FW devices work at Layer 3, having upstream and downstream connections to Layer-2 switches.

Now the FW devices are supposed to work in load sharing mode. Normally, both FW_A and FW_B forward traffic. If either FW fails, the other FW forwards all traffic to ensure service continuity.

(Figure: Router 1.1.1.10/24 above the upstream Layer 2 switch. FW_A GE0/0/1 10.2.0.1/24 and FW_B GE0/0/1 10.2.0.2/24 carry VRRP group 1 (virtual IP 1.1.1.3/24) and VRRP group 2 (virtual IP 1.1.1.4/24). FW_A GE0/0/3 10.3.0.1/24 and FW_B GE0/0/3 10.3.0.2/24 carry VRRP group 3 (virtual IP 10.3.0.3/24) and VRRP group 4 (virtual IP 10.3.0.4/24) toward the intranet. Heartbeat link: FW_A GE0/0/2 10.10.0.1/24 to FW_B GE0/0/2 10.10.0.2/24. Service links and the heartbeat link are drawn separately.)

Item                 FW_A                    FW_B
Working mode         Active/standby backup   Active/standby backup
Heartbeat interface  GE0/0/2 10.10.0.1/24    GE0/0/2 10.10.0.2/24

Example 15: In-path Deployment in a Load Balancing Scenario Step 1 Configure interfaces on FW_A (1)

Set parameters for the upstream interface and for the downstream interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 1 Configure interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 2 Configure interfaces on FW_B (1)

Set parameters for the upstream interface and for the downstream interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 2 Configure interfaces on FW_B (2)

Set parameters for the heartbeat interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 3 Configure load balancing on FW_A (1)

Configure FW_A to work in load balancing mode.

Configure the virtual IP address of VRRP group 1 and the virtual IP address of VRRP group 2.

Example 15: In-path Deployment in a Load Balancing Scenario Step 3 Configure load balancing on FW_A (2)

Configure the virtual IP address of VRRP group 3 and the virtual IP address of VRRP group 4.

Example 15: In-path Deployment in a Load Balancing Scenario Step 4 Configure load balancing on FW_B (1)

Configure FW_B to work in load balancing mode.

Configure the virtual IP address of VRRP group 1 and the virtual IP address of VRRP group 2.

Example 15: In-path Deployment in a Load Balancing Scenario Step 4 Configure load balancing on FW_B (2)

Configure the virtual IP address of VRRP group 3 and the virtual IP address of VRRP group 4.

Example 15: In-path Deployment in a Load Balancing Scenario Step 5 Configure a route on FW_A

Configure the default route on FW_A.

Example 15: In-path Deployment in a Load Balancing Scenario Step 6 Configure a route on FW_B

Configure the default route on FW_B.

Configure default routes on intranet devices. Set the next-hop address of the default routes to the virtual IP address (10.3.0.3) of VRRP group 3 for some devices and to the virtual IP address (10.3.0.4) of VRRP group 4 for the other devices.

Example 15: In-path Deployment in a Load Balancing Scenario Step 7 Configure a security policy on FW_A

Configure a security policy to allow intranet users to access public IP addresses. The security policy configured on FW_A will be automatically synchronized to FW_B.

Example 15: In-path Deployment in a Load Balancing Scenario Step 8 Verify the configuration (1)

Check the hot standby status on FW_A and FW_B. You can find that FW_A and FW_B work in load balancing mode.

(Figure: hot standby status of FW_A and FW_B.)

Example 15: In-path Deployment in a Load Balancing Scenario Step 8 Verify the configuration (2)

When FW_A fails, FW_A switches to the standby state, and FW_B switches to the active state. This indicates that FW_B forwards traffic.

FW_A becomes the standby device in active/standby mode.

FW_B becomes the active device in active/standby mode.
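The verification steps of Examples 14 and 15 describe one election rule: every VRRP group has an active device, a failed device drops out of all of its groups, and on recovery the device with the higher priority takes its groups back (preemption). The Python model below is an added example, not the firewall's VRRP/VGMP implementation and not code from this guide. It reproduces that rule for the four Example 15 groups and shows which firewall carries the traffic of an intranet host whose default gateway is the virtual IP of group 3 or group 4, as Step 6 splits them. The per-device priorities (120 on the device that the diagram marks active, 100 on the other) and the two host names are constructed, since the Web UI steps do not expose the raw numbers.

```python
from dataclasses import dataclass, field


@dataclass
class VrrpGroup:
    vrid: int
    vip: str
    priority: dict  # device name -> VRRP priority (constructed; the Web UI steps do not show it)


@dataclass
class HotStandbyPair:
    """Priority-based master election for VRRP groups shared by two devices (model only)."""
    devices: tuple
    groups: tuple
    preempt: bool = True
    failed: set = field(default_factory=set)
    master: dict = field(default_factory=dict)

    def elect(self):
        """Recompute the master of every group; returns {vrid: device or None}."""
        alive = [d for d in self.devices if d not in self.failed]
        for g in self.groups:
            current = self.master.get(g.vrid)
            if not alive:
                self.master[g.vrid] = None
            elif current in alive and not self.preempt:
                pass  # without preemption a healthy master keeps its group
            else:
                self.master[g.vrid] = max(alive, key=lambda d: g.priority[d])
        return dict(self.master)

    def fail(self, device):
        self.failed.add(device)
        return self.elect()

    def recover(self, device):
        self.failed.discard(device)
        return self.elect()

    def forwarder(self, next_hop):
        """Which device answers for the virtual IP a host uses as its default gateway."""
        for g in self.groups:
            if g.vip == next_hop:
                return self.master.get(g.vrid)
        raise ValueError(f"{next_hop} is not a VRRP virtual IP of this pair")


# Example 15 groups: FW_A is active for groups 1 and 3, FW_B for groups 2 and 4 (networking diagram).
EXAMPLE15 = HotStandbyPair(
    devices=("FW_A", "FW_B"),
    groups=(
        VrrpGroup(1, "1.1.1.3", {"FW_A": 120, "FW_B": 100}),
        VrrpGroup(2, "1.1.1.4", {"FW_A": 100, "FW_B": 120}),
        VrrpGroup(3, "10.3.0.3", {"FW_A": 120, "FW_B": 100}),
        VrrpGroup(4, "10.3.0.4", {"FW_A": 100, "FW_B": 120}),
    ),
)

# Constructed intranet hosts whose default gateways are split across groups 3 and 4 as in Step 6.
HOSTS = {"host-1": "10.3.0.3", "host-2": "10.3.0.4"}


def forwarding_path(pair):
    """Return {host: forwarding firewall} for the pair's current election state."""
    return {h: pair.forwarder(gw) for h, gw in HOSTS.items()}


def failover_timeline(pair, device="FW_A"):
    """Run the Step 8 verification sequence: normal operation, device fails, device recovers."""
    pair.elect()
    timeline = {"normal": forwarding_path(pair)}
    pair.fail(device)
    timeline["failed"] = forwarding_path(pair)
    pair.recover(device)
    timeline["recovered"] = forwarding_path(pair)
    return timeline


if __name__ == "__main__":
    for stage, paths in failover_timeline(EXAMPLE15).items():
        print(f"{stage:>9}: {paths}")
```

In the normal stage host-1 is forwarded by FW_A and host-2 by FW_B; while FW_A is failed both hosts go through FW_B; after recovery the split is restored because preemption is on. Constructing the pair with `preempt=False` shows the other policy: FW_B keeps all four groups after FW_A comes back, which avoids a second traffic interruption at the cost of losing the load split until an operator intervenes.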

Example 16: Configuring Source Address-based PBR Networking diagram

An enterprise has a marketing department and an R&D department. The FW is deployed at the intranet egress. Two links, ISP_A and ISP_B, connect to the Internet.

For ease of management, it is required that the marketing department access the Internet through ISP_A and that the R&D department access the Internet through ISP_B.

(Figure: ISP_A is reached through Router_A 10.10.1.2/24 on FW GE0/0/2 10.10.1.1/24, and ISP_B through Router_B 10.20.1.2/24 on FW GE0/0/4 10.20.1.1/24; both interfaces are in the Untrust zone. GE0/0/3 (main IP 10.1.1.1/24, sub IP 10.1.2.1/24) is in the Trust zone and faces the inside network, where the marketing department uses 10.1.1.0/24 and the R&D department uses 10.1.2.0/24.)

Item                   pbr_1             pbr_2
Type                   Source Zone       Source Zone
Source Zone            trust             trust
Source Address         10.1.1.0/24       10.1.2.0/24
Action                 PBR               PBR
Egress Type            Single            Single
Outbound Interface     GE0/0/2           GE0/0/4
Next Hop               10.10.1.2         10.20.1.2
Reliability Detection  Binding IP-Link   Binding IP-Link
IP-Link Name           pbr_1             pbr_2

Example 16: Configuring Source Address-based PBR Step 1 Configure the interfaces (1)

Set WAN interface parameters. Set LAN interface parameters.

Example 16: Configuring Source Address-based PBR Step 1 Configure the interfaces (2)

Set WAN interface parameters.

Example 16: Configuring Source Address-based PBR Step 2 Configure a security policy

Allow intranet users to access extranet resources.

Example 16: Configuring Source Address-based PBR Step 3 Configure IP-link

Configure IP-link pbr_1 to detect the ISP_A link status and IP-link pbr_2 to detect the ISP_B link status.

Example 16: Configuring Source Address-based PBR Step 4 Configure PBR routes

pbr_1: The packet of the marketing department received from the Trust zone is sent to next hop 10.10.1.2. Bind IP-Link pbr_1 and the PBR route. When the ISP_A link is unreachable, the PBR route does not take effect.

pbr_2: The packet of the R&D department received from the Trust zone is sent to next hop 10.20.1.2. Bind IP-Link pbr_2 and the PBR route. When the ISP_B link is unreachable, the PBR route does not take effect.

Example 16: Configuring Source Address-based PBR Step 5 Configure default routes

Routes need to be configured on intranet hosts. Configure them as required.

Default route over the ISP_A link: When the ISP_B link is unreachable, all traffic is forwarded over the ISP_A link.

Default route over the ISP_B link: When the ISP_A link is unreachable, all traffic is forwarded over the ISP_B link.

Example 16: Configuring Source Address-based PBR Step 6 Verify the configurations (1)

The traffic sent from the marketing department (10.1.1.0/24) is forwarded by GigabitEthernet 0/0/2 and reaches the Internet over the ISP_A link.
The traffic sent from the R&D department (10.1.2.0/24) is forwarded by GigabitEthernet 0/0/4 and reaches the Internet over the ISP_B link.

Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1).

Example 16: Configuring Source Address-based PBR Step 6 Verify the configurations (2)

When the ISP_A link is unreachable, the traffic sent from the marketing department (10.1.1.0/24) and R&D department (10.1.2.0/24) is forwarded by GigabitEthernet0/0/4 and reaches the Internet over the ISP_B link. When the ISP_B link is unreachable, the traffic sent from the marketing department (10.1.1.0/24) and R&D department (10.1.2.0/24) is forwarded by GigabitEthernet0/0/2 and reaches the Internet over the ISP_A link.

Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1) in case of ISP_A link unreachability

Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1) in case of ISP_B link unreachability
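A constructed model of the two PBR rules and the two default routes in this example, added here to show the egress selection the verification step expects (PBR consulted first, a rule bound to a failed IP-Link skipped, then the default routes). It is example code, not Huawei's forwarding implementation; the link_up dictionary standing in for IP-Link probe results and the session_table helper are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the Example 16 configuration: pbr_1 / pbr_2 and the two default routes.
PBR_RULES = [
    # name,    source zone, source address,             out iface, next hop,    bound IP-Link
    ("pbr_1", "trust", ip_network("10.1.1.0/24"), "GE0/0/2", "10.10.1.2", "pbr_1"),
    ("pbr_2", "trust", ip_network("10.1.2.0/24"), "GE0/0/4", "10.20.1.2", "pbr_2"),
]
# Two default routes; each is usable only while its IP-Link reports the ISP reachable.
DEFAULT_ROUTES = [("GE0/0/2", "10.10.1.2", "pbr_1"), ("GE0/0/4", "10.20.1.2", "pbr_2")]


def select_egress(src_ip: str, src_zone: str, link_up: dict) -> Optional[tuple]:
    """Return (outbound interface, next hop) for a packet, or None if no route is usable.
    link_up maps an IP-Link name to its probe result (True = link reachable)."""
    src = ip_address(src_ip)
    # 1. PBR is evaluated before the routing table; a rule bound to a failed IP-Link is skipped.
    for _name, zone, prefix, iface, nexthop, iplink in PBR_RULES:
        if zone == src_zone and src in prefix and link_up.get(iplink, False):
            return iface, nexthop
    # 2. Otherwise fall through to the default routes, again skipping failed links
    #    (with both links up the first listed route is used in this model).
    for iface, nexthop, iplink in DEFAULT_ROUTES:
        if link_up.get(iplink, False):
            return iface, nexthop
    return None


def session_table(hosts, link_up: dict) -> dict:
    """Mimic the verification step: the egress chosen for each intranet host (assumed helper)."""
    return {h: select_egress(h, "trust", link_up) for h in hosts}
```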

Example 17: User-specific Bandwidth Management Networking diagram

• The highest download traffic rate and maximum number of users are subject to the actual specifications.
• The web configuration for limiting the upload traffic rate is similar to that for file downloading. This example describes how to limit the file download traffic rate.

Topology: the Trust zone (10.3.0.0/24, with Manager, Research (Product 1 and Product 2) and Marketing users) connects to the Firewall at GE0/0/3 (10.3.0.1/24); GE0/0/1 (1.1.1.1/24, Untrust) connects to the ISP Router and carries the service download and upload traffic.

A firewall is deployed as an egress gateway at the border of an enterprise network. Because the enterprise's bandwidth is limited, congestion is likely when too many users are online, which may affect important flows. Limiting the user traffic rate effectively prevents network congestion.

Example 17: User-specific Bandwidth Management Data planning

Data must be planned based on the global bandwidth that the operator rents to the enterprise and the number of users who need to access the Internet.

Item: Total network bandwidth
Data: 20Mbps
Description: 1Mbps=1000kbps=125KB/s

Item: Senior manager
Data:
• Global guaranteed downlink bandwidth: 2Mbps
• Global maximum downlink bandwidth: 6Mbps
• Group
  Group name: manager / Parent group: default
• User
  User name: user_0001 / Group: manager / Authentication type: local authentication
Description: -

Item: R&D employee
Data:
• Global maximum downlink bandwidth for product groups 1 and 2: 2Mbps
• Global maximum downlink bandwidth: 5Mbps
• Group
  Group name: research / Parent group: default
  Group name: research_product1 / Parent group: research
  Group name: research_product2 / Parent group: research
• User
  User name: user_0003 / Group: research_product1 / Authentication type: local authentication
  User name: user_0004 / Group: research_product2 / Authentication type: local authentication
Description: The R&D department has two product groups.

Item: Marketing employee
Data:
• Global maximum downlink bandwidth: 5Mbps
• Per-user maximum downlink bandwidth: 2Mbps
• Group
  Group name: marketing / Parent group: default
• User
  User name: user_0002 / Group: marketing / Authentication type: local authentication
Description: -

Example 17: User-specific Bandwidth Management Step 1 Configure interfaces

To allow users on the enterprise network to access the Internet, you need to configure a Source NAT policy. For detailed configurations, see Example 1: Accessing the Internet Using a Static IP Address.

Set parameters for the interface connecting to the Internet.
Set parameters for the interface connecting to the enterprise network.
Set interface bandwidth parameters. Limit the total bandwidth to 20 Mbps.

Example 17: User-specific Bandwidth Management Step 2 Configure user groups

You can create multiple groups as required.

Create a user group for senior managers.
Create a user group for the marketing department.
Create a user group for the R&D department.
Create a user group for product group 1.
Create a user group for product group 2.

Example 17: User-specific Bandwidth Management Step 3 Configure users

You can create multiple users for each user group as required.

Create a senior manager user.
Create a user for the marketing department.
Create a user for product group 1.
Create a user for product group 2.

Example 17: User-specific Bandwidth Management Step 4 Configure a security policy

Configure a security policy to allow users in subnet 10.3.0.0/24 of the Trust zone to access the Internet.

Example 17: User-specific Bandwidth Management Step 5 Configure traffic profiles for intranet users

You can set uplink bandwidth parameters based on service requirements, for example, limiting the file upload traffic.

Configure a traffic profile to limit the per-user maximum downlink bandwidth to 2 Mbps.
Configure a traffic profile to limit the global downlink bandwidth.
Configure a traffic profile to limit the global maximum downlink bandwidth to 5 Mbps.
Configure two traffic profiles, each limiting the global maximum downlink bandwidth to 2 Mbps.

Example 17: User-specific Bandwidth Management Step 6 Configure traffic policies for intranet users

Configure the bandwidth policy based on service requirements. For example, if you want to limit traffic based on IP addresses, specify source and destination address regions, not users or user groups.

Configure a traffic policy for senior managers.
Configure a traffic policy for the marketing department.
Configure a traffic policy for the R&D department.
Configure a traffic policy for product group 1.
Configure a traffic policy for product group 2.

Example 17: User-specific Bandwidth Management Step 7 Verify the configuration (1)

1. A senior manager uses FileZilla and FTP tools to download files from the Internet. The download traffic rate should not exceed 6 Mbps.
FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 6 Mbps (946.8 KB/s = 7.5744
Mbps). After the configuration, the download traffic rate for the same file ranges from 2 to 6 Mbps (567.0 KB/s = 4.536 Mbps).

Before the configuration

After the configuration

2. Marketing employees use FileZilla and FTP tools to download files from the Internet. The per-user download traffic rate should not
exceed 2 Mbps. FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 2 Mbps (946.8
KB/s = 7.5744 Mbps). After the configuration, the download traffic rate for the same file does not exceed 2 Mbps (177.7 KB/s = 1.4216
Mbps).

Before the configuration

After the configuration



Example 17: User-specific Bandwidth Management Step 7 Verify the configuration (2)

3. Employees in product group 1 use FileZilla and FTP tools to download files from the Internet. The download traffic rate should not exceed
2 Mbps. FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 2 Mbps (946.8 KB/s =
7.5744 Mbps). After the configuration, the download traffic rate for the same file does not exceed 2 Mbps (175.8 KB/s = 1.4064 Mbps).

Before the configuration

After the configuration

4. Employees in product group 2 use FileZilla and FTP tools to download files from the Internet. The download traffic rate should not exceed
2 Mbps. FileZilla-based download is used as an example. Before the configuration, the download traffic rate exceeds 2 Mbps (946.8 KB/s =
7.5744 Mbps). After the configuration, the download traffic rate for the same file does not exceed 2 Mbps (190.8 KB/s = 1.5264 Mbps).

Before the configuration

After the configuration


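The data plan above combines a global (aggregate) maximum, a per-user maximum and nested profiles (department over product groups), and Example 18 later applies the same global-maximum idea to P2P traffic. The following added example, not Huawei's shaping code, models how those limits interact on the planned numbers using a max-min fair split; the Profile class, the water-filling helper and the 946.8 KB/s demand (taken from the verification step) are assumptions.

```python
from dataclasses import dataclass


def kbytes_per_s_to_kbps(kbytes: float) -> float:
    """1 Mbps = 1000 kbps = 125 KB/s, the conversion the data plan uses (946.8 KB/s -> 7574.4 kbps)."""
    return kbytes * 8


@dataclass
class Profile:
    max_kbps: float           # global (aggregate) maximum downlink bandwidth of a traffic policy
    per_user_kbps: float = 0  # per-user maximum downlink bandwidth; 0 means no per-user limit


def water_fill(caps: dict, total: float) -> dict:
    """Max-min fair split of `total` kbps among members, each limited to caps[m] (assumed model)."""
    alloc = {m: 0.0 for m in caps}
    active = [m for m in caps if caps[m] > 0]
    remaining = total
    while active and remaining > 1e-9:
        share = remaining / len(active)
        small = [m for m in active if caps[m] <= share]
        if not small:                 # every member can use the fair share: split evenly
            for m in active:
                alloc[m] = share
            break
        for m in small:               # members capped below the fair share take their cap
            alloc[m] = caps[m]
            remaining -= caps[m]
            active.remove(m)
    return alloc


def allocate(demands_kbps: dict, profile: Profile) -> dict:
    """Shape each user's demanded downlink rate by one traffic profile (per-user cap, then global cap)."""
    caps = {u: min(d, profile.per_user_kbps) if profile.per_user_kbps else d
            for u, d in demands_kbps.items()}
    return water_fill(caps, profile.max_kbps)


def allocate_nested(groups: dict, parent: Profile) -> dict:
    """groups: {group: (Profile, {user: demand_kbps})}. Each product group is shaped by its
    own profile first; the groups' totals are then shaped by the department profile."""
    per_group = {g: allocate(d, p) for g, (p, d) in groups.items()}
    totals = {g: sum(a.values()) for g, a in per_group.items()}
    scaled = water_fill(totals, parent.max_kbps)
    result = {}
    for g, a in per_group.items():
        factor = scaled[g] / totals[g] if totals[g] else 0.0
        result.update({u: r * factor for u, r in a.items()})
    return result
```

With the marketing profile (global 5 Mbps, per-user 2 Mbps) two users get 2 Mbps each, while a third user makes the 5 Mbps global cap bind and every user drops below its 2 Mbps per-user cap.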

Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Networking Diagram

Topology: the Trust zone (10.3.0.0/24) connects to the Firewall at GE0/0/1 (10.3.0.1/24); GE0/0/3 (1.1.1.1/24) faces the Untrust zone, where the QQ and P2P traffic is headed.

An enterprise allows employees to access the Internet but, for productivity, requires that chat software such as QQ be disabled and that P2P download traffic be limited to 3 Mbps.

Item                  Data                        Description
P2P traffic limiting  Maximum bandwidth: 3 Mbps   1M=1000kbps=125KB/s
Security policy       Block the QQ protocol.      -

Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 1 Configure Interfaces

To enable intranet users to access the Internet, configure Source NAT policies. For configurations, see Example 1: Accessing the Internet Using a Static IP Address.

Configure LAN interfaces. Configure WAN interfaces.

Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 2 Configure Traffic Profile

Set the maximum global downlink bandwidth to 3 Mbps.

Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 3 Configure Traffic Policy

Create a traffic policy to limit P2P download bandwidth within 3 Mbps.

• FileShare_P2P indicates P2P download, and such P2P applications include BT, eDonkey/eMule, and Thunder.
• You can limit specific P2P services as required, such as permitting BT download but denying eMule download.

Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 4 Configure Security Policy

When multiple security policies exist in the same interzone, the device matches the flow against the policies one by one in the list, from top to bottom. Once the flow matches a security policy, the matching process stops. So, in the case of multiple security policies, to ensure that the security policy configurations take effect, you need to adjust the priority of the security policies, which means moving the most exactly matching security policy in front of the broad ones.

Deny QQ for enterprise employees. Allow enterprise employees to access the Internet.
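A constructed first-match evaluator, added here to make the ordering point concrete: with the QQ deny rule above the broad Internet allow rule, QQ is blocked and other traffic passes; with the two rules swapped, the broad rule matches first and QQ slips through. This is example code, not the device's policy engine; the policy() and check_order() helpers, the sample source address 10.3.0.10 and treating a flow that hits no policy as denied are assumptions.

```python
from ipaddress import ip_address, ip_network


def policy(name, action, src_zone=None, dst_zone=None, src_net=None, app=None):
    """Constructed security-policy record; a field left as None matches any value."""
    return {"name": name, "action": action, "src_zone": src_zone, "dst_zone": dst_zone,
            "src_net": ip_network(src_net) if src_net else None, "app": app}


def match(rule: dict, flow: dict) -> bool:
    return all([
        rule["src_zone"] in (None, flow["src_zone"]),
        rule["dst_zone"] in (None, flow["dst_zone"]),
        rule["src_net"] is None or ip_address(flow["src_ip"]) in rule["src_net"],
        rule["app"] in (None, flow["app"]),
    ])


def decide(policies: list, flow: dict) -> str:
    """First-match semantics: walk the list top to bottom and stop at the first hit.
    A flow that hits no policy is treated as denied (assumed default)."""
    for rule in policies:
        if match(rule, flow):
            return rule["action"]
    return "deny"


# The two policies of this example: the exact QQ deny and the broad Internet allow.
DENY_QQ = policy("deny_qq", "deny", "trust", "untrust", "10.3.0.0/24", app="QQ")
ALLOW_INTERNET = policy("allow_internet", "permit", "trust", "untrust", "10.3.0.0/24")


def check_order(policies: list) -> bool:
    """True if the ordered list still blocks QQ while permitting other Internet traffic."""
    qq = {"src_zone": "trust", "dst_zone": "untrust", "src_ip": "10.3.0.10", "app": "QQ"}
    web = {"src_zone": "trust", "dst_zone": "untrust", "src_ip": "10.3.0.10", "app": "HTTP"}
    return decide(policies, qq) == "deny" and decide(policies, web) == "permit"
```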

Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 5 Verify the Configurations

1. Enterprise employees can access the Internet but cannot log in to QQ. The system displays “Network time out. It may be caused by wrong configuration.”

2. Enterprise employees use tools, such as BT, eDonkey/eMule, and Thunder, to download files from the Internet, and the download rate does not exceed 3 Mbps. For example, before configuration, the BT download rate exceeds 3 Mbps (846.6 KB/s=6.77 Mbps). After the configuration is complete, the file download rate is controlled within 3 Mbps (268.5 KB/s=2.148 Mbps).

Before configuration

After configuration
Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
