Application of Firewalls in the Core Network PS Domain
Huawei USG6700E Configuration & Commissioning documentation
Updated: 2019-06-07
Introduction
This section describes the application of firewalls in the PS security solution. By analyzing the security issues
faced by the mobile core network, this section provides a typical application solution of the firewall.
Solution Overview
Figure 1-1 shows the architecture of a mobile network. Data from a mobile terminal passes through the mobile
access/aggregation network (or RAN) and the mobile core network before it arrives at the Internet.
Source: https://support.huawei.com/enterprise/en/doc/EDOC1100087916 (Huawei support site, page captured 5/26/2020)
Figure 1-1 Application of the FW on the mobile core network
The 2G/3G mobile core network includes a Circuit Switched (CS) domain and a Packet Switched (PS) domain. The
CS domain deals with voice services (such as telephony); the PS domain provides data services (such as Internet
access).
Long Term Evolution (LTE) is the evolution of 3G, and mainstream carriers treat it as the main 4G technology. The LTE network consists of the E-UTRAN (radio access subsystem) and the SAE (core network subsystem). The LTE architecture is built entirely on the PS domain; it has no CS domain of the kind found in 2G/3G. The LTE core network is also referred to as the Evolved Packet Core (EPC).
Application of the FW on the Mobile Core Network
Because public IPv4 addresses are limited, private addresses are generally allocated to mobile terminals on the
core network, and public addresses are normally not allocated. Therefore, where a mobile terminal needs to
access the Internet, address translation is required.
As shown in Figure 1-1, the FW is deployed at the Internet egress of a mobile core network (the Internet egress
of 2G/3G core networks is the Gi interface, and the Internet egress of 4G core networks is the SGi interface). The
FW provides NAT, inter-zone isolation, and border protection.
Traffic Model
Traffic on the FW comes mainly from the Gi/SGi interface. Some of the traffic is routed directly to the Internet; the rest is routed to the WAP gateway, which then forwards it to the Internet. Traffic from a mobile terminal directly to the Internet is referred to as Internet traffic; traffic from a mobile terminal to the WAP gateway is referred to as WAP traffic. Internet traffic and WAP traffic are collectively referred to as Gi/SGi traffic.
In addition to the Gi/SGi traffic, Gn and Gp traffic sometimes also passes through the firewall. Gn traffic is the traffic between the local GGSN (P-GW) and SGSN (S-GW); Gp traffic is the corresponding traffic exchanged with the SGSN of another PLMN (roaming).
Internet traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone > Internet
Packets from the mobile terminal pass through the access/aggregation network and the core network and arrive at the Gi/SGi interface. The FW then performs NAT on the packets and forwards them to the Internet. In this case, the FW processes the original TCP/UDP packets from the mobile terminal.
WAP traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone > WAP gateway
A GRE tunnel is set up directly between the GGSN (P-GW) and the WAP gateway. The traffic is sent to the WAP gateway, which acts as a proxy and forwards the packets to the Internet. In this case, the FW processes GRE packets, so its security policy filters on the tunnel endpoints (the GGSN and the WAP-side router) rather than on the terminal's inner TCP/UDP flows. Such traffic is diminishing on 4G networks.
Solution Design
Typical Networking
Networking Diagram
Figure 1-2 shows the typical networking of the FW at the Gi/SGi egress of a mobile core network. The service interfaces work at Layer 3, and the FWs are connected to the backbone and to the GGSN/P-GW through routers.
1. HRP is configured on the FWs so that they work in active/standby mode, improving reliability and preventing a single point of failure. A heartbeat link connects the two FWs for active/standby negotiation and status backup.
If a great deal of data needs to be backed up, multiple heartbeat links are recommended. A 10GE link serving as an HRP backup channel can support a new-session rate of 50,000/s, or 5 million concurrent sessions, or 5 Gbit/s of service traffic. The number of required interfaces is assessed from the actual traffic volume, and N+1 backup is recommended for the interfaces. For example, 10 million concurrent sessions require at least two 10GE links as HRP backup channels, so three 10GE interfaces are bundled for backup in the design.
2. OSPF is deployed between the FWs and their upstream and downstream devices. The FWs run OSPF process 1 with the upstream backbone network and OSPF process 2 with the downstream GGSN network. The hrp adjust ospf-cost enable command enables HRP-OSPF association, which adjusts the OSPF cost according to the active/standby status. Normally the cost of the OSPF routes advertised by the standby firewall is increased by 65,500, so traffic prefers the active firewall. When an interface of the active FW or the active FW itself fails, an active/standby switchover takes place and the costs are adjusted accordingly: the cost of the OSPF routes advertised over the former primary path increases by 65,500 and the cost of the routes advertised over the backup path decreases by the same amount, so traffic is drawn to the original standby firewall and service continuity is maintained.
3. The hrp track command is configured on the upstream and downstream interfaces of the FW to monitor these interfaces.
4. Conditional (unforced) default-route advertisement is configured in OSPF process 2 (default-route-advertise without the always keyword), so the firewall advertises a default route toward the core network only while it itself holds a default route toward the backbone. This diverts traffic from the core network to the backbone through the firewall without advertising a default route that the firewall cannot honour.
5. The HRP track BFD function is configured to detect remote link faults, such as a fault in the link between RouterC and the backbone network.
The bfd cfg-name bind peer-ip peer-ip [ interface interface-type interface-number ] command binds a BFD session to a peer IP address; the link to be detected must be specified. The process-interface-status command associates the BFD session with the bound interface, so that a BFD failure is reported as an interface failure and can trigger the switchover.
If the peer device does not support BFD, IP-link can be used instead to trigger an active/standby switchover in case of a fault.
Availability Analysis
Figure 1-3 shows the switchover upon failure of the active firewall FW_A. The specific process is as follows:
Figure 1-4 shows the switchover when a link connected to the active firewall FW_A (the link to the backbone or to the GGSN/P-GW) fails. The specific process is as follows:
Figure 1-4 Link failure
Service Planning
To prevent communication failures between the active and standby firewalls due to a heartbeat interface fault, using an Eth-Trunk interface as the heartbeat interface is recommended. For devices on which multiple NICs can be installed (for the support situation, see the hardware guide), an inter-board Eth-Trunk interface is required, that is, the member interfaces of the Eth-Trunk are on different LPUs. An inter-board Eth-Trunk improves reliability and increases bandwidth. For devices that do not support interface expansion or inter-board Eth-Trunk, a faulty LPU may make all HRP backup channels unavailable and compromise services.
The upstream and downstream physical links must have the same bandwidth, and that bandwidth must exceed the peak traffic. Otherwise, traffic bursts cause congestion and affect services.
Table 1-1 describes the planning of interfaces and security zones on the FWs.
Table 1-1 Planning of interfaces and security zones
Item                          FW_A                              FW_B
Heartbeat (Eth-Trunk 0)       a. GE1/0/1  b. GE2/0/1            a. GE1/0/1  b. GE2/0/1
                              IP address: 192.168.3.1/24        IP address: 192.168.3.2/24
                              Security zone: hrpzone            Security zone: hrpzone
To backbone (Eth-Trunk 1)     a. GE2/0/2  b. GE2/0/3            a. GE2/0/2  b. GE2/0/3
                              IP address: 1.1.1.1/24            IP address: 1.1.2.1/24
                              Security zone: untrust            Security zone: untrust
To GGSN/P-GW (Eth-Trunk 2)    a. GE2/0/4  b. GE2/0/5            a. GE2/0/4  b. GE2/0/5
                              IP address: 10.14.1.1/24          IP address: 10.14.2.1/24
                              Security zone: trust              Security zone: trust
Security Policies
Table 1-2 describes the planning of security policies on the FW.
Table 1-2 Planning of security policies
Interzone        Source Zone  Destination Zone  Description
Local - Trust    Local        Trust             Security policy for access from the FW to the Trust zone. It may permit all packets; if a fine-grained policy is required, note that OSPF packets must be permitted.
                 Trust        Local             Security policy for access from the Trust zone to the FW. It may permit: packets for login and device management (SSH and HTTPS), restricted to the source addresses of the management hosts rather than the whole zone; OSPF packets.
Local - Untrust  Local        Untrust           Security policy for access from the FW to the Untrust zone. It may permit all packets; if a fine-grained policy is required, note that OSPF packets must be permitted.
                 Untrust      Local             Security policy for access from the Untrust zone to the FW. It may permit: packets for login and device management (SSH and HTTPS), restricted to the source addresses of the management hosts, since this zone faces the Internet; OSPF packets from the adjacent routers.
Local - hrpzone  Local        hrpzone           Security policy between the backup interfaces of the active and standby firewalls, which also carries login switching between the firewalls.
Trust - Untrust  Trust        Untrust           Configure a rule that permits packets whose source address is a private address of a mobile terminal, and configure NAT for that private address range. Configure packet filtering for the GRE tunnel between the GGSN (tunnel start) and the WAP-side end router.
                 Untrust      Trust             Configure packet filtering for the GRE tunnel between the GGSN (tunnel start) and the WAP-side end router.
Routes
The route planning is as follows:
1. Blackhole routes are configured for the NAT addresses, and these static routes are imported into OSPF toward the backbone. This avoids routing loops: without a blackhole route, a packet sent to a pool address that has no matching NAT session would follow the default route back toward the backbone and bounce between the firewall and the upstream router.
2. The firewall learns the default route from the Internet-side device and advertises a default route to the core network-side device by conditional (unforced) OSPF default-route advertisement. Routing policies are also required: when the firewall imports static routes into OSPF toward the Internet-side device, only the routes to addresses in the NAT address pool are advertised, and routes to other private addresses are not.
3. The firewall learns the addresses of intranet servers and the terminal IP address ranges from the core network-side device and advertises the routes of the servers to the Internet-side device. Filtering policies are configured on the firewall and the core network-side device so that the firewall does not learn a default route from the core network side.
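The filtering in points 1 to 3 is carried out in the configuration scripts by two ip-prefix lists: natAddress, used by route-policy PS_NAT when static routes are imported into OSPF process 1, and no-default, applied as an import filter-policy in OSPF process 2. The following added example is my own Python, not code from Huawei or from this page. It implements ip-prefix matching as I understand the VRP semantics (assumption: entries are evaluated in order, the first matching entry decides, a route that matches no entry is denied, and without greater-equal/less-equal the route's prefix length must match the entry's exactly), evaluates the two lists against candidate routes, and cross-checks the NAT pool against the export list and the blackhole routes that point 1 requires.

```python
"""Evaluate VRP-style 'ip ip-prefix' lists against candidate routes.

Added example, not part of the Huawei page. Assumed semantics: ordered entries,
first match wins, implicit deny; 'less-equal'/'greater-equal' bound the route's
prefix length, and without them the length must equal the entry's mask length.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# The two prefix lists from the FW_A configuration script on this page.
SCRIPT_PREFIX_LISTS = """\
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
"""


@dataclass(frozen=True)
class PrefixEntry:
    action: str                 # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None    # greater-equal bound on the route's prefix length
    le: Optional[int] = None    # less-equal bound on the route's prefix length

    def matches(self, route: IPv4Network) -> bool:
        lo = self.prefix.prefixlen if self.ge is None else self.ge
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen      # neither bound: the length must match exactly
        return route.network_address in self.prefix and lo <= route.prefixlen <= hi


def parse_ip_prefix(text: str) -> Dict[str, List[PrefixEntry]]:
    """Parse 'ip ip-prefix NAME [index N] permit|deny ADDR LEN [greater-equal N] [less-equal N]'."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["ip", "ip-prefix"]:
            continue
        name, i = t[2], 3
        if t[i] == "index":                 # optional explicit index number
            i += 2
        action, addr, masklen = t[i], t[i + 1], int(t[i + 2])
        ge = le = None
        rest = t[i + 3:]
        for kw, val in zip(rest[::2], rest[1::2]):
            if kw == "greater-equal":
                ge = int(val)
            elif kw == "less-equal":
                le = int(val)
        entry = PrefixEntry(action, IPv4Network(f"{addr}/{masklen}", strict=False), ge, le)
        lists.setdefault(name, []).append(entry)
    return lists


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """Return 'permit' or 'deny' for a route written as 'a.b.c.d/len'."""
    net = IPv4Network(route, strict=False)
    for e in entries:
        if e.matches(net):
            return e.action
    return "deny"                           # implicit deny at the end of every list


def uncovered_pool_addresses(first: str, last: str, entries: List[PrefixEntry]) -> List[str]:
    """NAT pool addresses that the export list would NOT advertise (should be empty)."""
    a, b = int(IPv4Address(first)), int(IPv4Address(last))
    return [str(IPv4Address(n)) for n in range(a, b + 1)
            if evaluate(entries, f"{IPv4Address(n)}/32") != "permit"]


def blackhole_routes(first: str, last: str) -> List[str]:
    """The NULL0 static routes point 1 requires, one per pool address."""
    a, b = int(IPv4Address(first)), int(IPv4Address(last))
    return [f"ip route-static {IPv4Address(n)} 255.255.255.255 NULL0" for n in range(a, b + 1)]


if __name__ == "__main__":
    lists = parse_ip_prefix(SCRIPT_PREFIX_LISTS)
    for r in ("0.0.0.0/0", "10.20.0.0/16"):
        print("no-default", r, evaluate(lists["no-default"], r))
    for r in ("1.1.10.12/32", "10.10.0.0/16", "1.1.10.0/24"):
        print("natAddress", r, evaluate(lists["natAddress"], r))
    print("pool addresses missing from natAddress:",
          uncovered_pool_addresses("1.1.10.10", "1.1.10.15", lists["natAddress"]))
```

The no-default list denies only 0.0.0.0/0 and lets every other prefix through, which is exactly the loop-prevention condition in point 3; the natAddress check shows that a summary such as 1.1.10.0/24 would not be exported, so the pool must be listed as /32 entries (or the list widened deliberately) when the pool grows.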
Table 1-3 describes the planning of routes on the FWs.
Table 1-3 Planning of routes
FW_A                                          FW_B                                          Description
Destination address: 0.0.0.0/0                Destination address: 0.0.0.0/0                Default routes learned through OSPF from the backbone side.
Next hop: 1.1.1.2 (IP address of RouterC)     Next hop: 1.1.2.2 (IP address of RouterD)
Destination address: 10.20.0.0/16             Destination address: 10.20.0.0/16             Route to the GGSN side learned through OSPF.
NAT
If the IP address obtained by a mobile terminal is a private address, NAT is required on the FW. The public address obtained through NAT is used for Internet access. NAT reduces the consumption of public addresses and hides the intranet addressing from the Internet.
The usual NAT mode on FWs is NAPT (PAT), in which many private addresses share one public address and flows are distinguished by the translated source port. Empirically, one public address serves 5,000 to 10,000 private IP addresses. Table 1-4 describes the planning of the NAT policy and address pool. The configuration is the same for the active and standby firewalls.
Table 1-4 Planning of NAT
Item             FW_A                                                  FW_B
ID               1                                                     1
Match condition  All packets from the 10.10.0.0/16 network segment     All packets from the 10.10.0.0/16 network segment
Action           source-nat (NAPT with address group addressgroup1,    source-nat (same address group, synchronized by HRP)
                 public addresses 1.1.10.10 to 1.1.10.15, as in the
                 configuration scripts)
The FW also performs NAT for FTP, RTSP, and PPTP traffic from mobile terminals to the Internet. These protocols negotiate secondary connections (or, for PPTP, a GRE data channel) whose addresses and ports are carried in the payload of the control connection, so plain header translation breaks them. ASPF must therefore be configured between the zone where the Gi/SGi interface resides and the Untrust zone, so that the firewall rewrites the embedded addresses and opens the negotiated data channels.
Attack Defense
Attack defense should be enabled on the FW. The recommended configuration is as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
The Simple Network Management Protocol (SNMP) is the most widely used network management protocol on TCP/IP networks. An SNMP agent should be configured on the FW so that the FW can be managed from an NMS server. Use SNMPv3 with the privacy security level, as the configuration scripts do, prefer SHA over MD5 for the authentication mode, and permit SNMP to the Local zone only from the NMS addresses.
Log (eLog)
The eLog server is used to collect NAT session logs for source tracing. Configure the FW to output session logs to
the eLog server, including the log output format, source address, and source port.
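Why the session logs sent to the eLog server must carry the translated address and port, the protocol, and the session start and end times: under NAPT one public address is shared by thousands of subscribers, so an abuse complaint that names only a public IP cannot be attributed, and the same public port is handed to different subscribers over time. The following added example is my own Python, not code from Huawei or from this page. It parses constructed session records in a simplified layout of my own (not the USG6700E's syslog format; the field set is what matters) and performs the reverse lookup, showing that the answer is ambiguous without a timestamp and how a tolerance window handles imprecise complaint timestamps.

```python
"""Trace a NAPT public address:port back to the subscriber's private address.

Added example, not code from the Huawei page. The record layout below is a
constructed, simplified session-log format, not the USG6700E's syslog output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed records: "<start> <end> <proto> <private src> -> <public src> -> <destination>".
# Public port 20001 is reused by a second subscriber after the first session ends.
SAMPLE_LOG = """\
2019-06-07T10:00:00Z 2019-06-07T10:05:00Z tcp 10.10.5.20:51000 -> 1.1.10.10:20001 -> 203.0.113.7:443
2019-06-07T10:00:30Z 2019-06-07T10:01:00Z udp 10.10.7.9:40000 -> 1.1.10.10:20002 -> 203.0.113.50:53
2019-06-07T10:06:00Z 2019-06-07T10:09:00Z tcp 10.10.9.33:51000 -> 1.1.10.10:20001 -> 198.51.100.3:80
"""


@dataclass(frozen=True)
class NatSession:
    start: datetime
    end: datetime
    proto: str
    src_ip: str        # private (pre-NAT) address of the mobile terminal
    src_port: int
    nat_ip: str        # public address taken from the NAT address pool
    nat_port: int      # translated source port: the field that makes NAPT traceable
    dst_ip: str
    dst_port: int


def parse_time(s: str) -> datetime:
    """Timestamps must be unambiguous: the log format here is UTC with a 'Z' suffix."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _endpoint(s: str):
    ip, port = s.rsplit(":", 1)
    return ip, int(port)


def parse_session_log(text: str) -> List[NatSession]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, proto, src, _, nat, _, dst = line.split()
        src_ip, src_port = _endpoint(src)
        nat_ip, nat_port = _endpoint(nat)
        dst_ip, dst_port = _endpoint(dst)
        sessions.append(NatSession(parse_time(start), parse_time(end), proto.lower(),
                                   src_ip, src_port, nat_ip, nat_port, dst_ip, dst_port))
    return sessions


def candidates(sessions: List[NatSession], nat_ip: str, nat_port: int, proto: str) -> List[NatSession]:
    """Every session that ever held this public endpoint: all one can say without a time."""
    proto = proto.lower()
    return [s for s in sessions
            if s.nat_ip == nat_ip and s.nat_port == nat_port and s.proto == proto]


def trace(sessions: List[NatSession], nat_ip: str, nat_port: int, proto: str,
          at: datetime, tolerance_seconds: int = 0) -> List[str]:
    """Private addresses that held nat_ip:nat_port at `at`, widened by the tolerance.

    Complaints usually carry an imprecise time; widening the window trades precision
    for recall, and a result with more than one address must be reported as ambiguous.
    """
    tol = timedelta(seconds=tolerance_seconds)
    hits = {s.src_ip for s in candidates(sessions, nat_ip, nat_port, proto)
            if s.start - tol <= at <= s.end + tol}
    return sorted(hits)


if __name__ == "__main__":
    log = parse_session_log(SAMPLE_LOG)
    print("at 10:02 ->", trace(log, "1.1.10.10", 20001, "tcp", parse_time("2019-06-07T10:02:00Z")))
    print("any time ->", [s.src_ip for s in candidates(log, "1.1.10.10", 20001, "tcp")])
```

The same lookup without the destination is what most abuse reports allow; if the complaint also names the destination address and port, add it to the filter to disambiguate overlapping sessions. Keep the firewall's clock synchronized with the log server, since every attribution here hinges on comparing timestamps.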
Precautions
Hot Standby
Hot standby supports OSPF and BGP route cost adjustment only, not IS-IS. If OSPF or BGP route adjustment is configured, configure an interzone policy that permits OSPF or BGP packets.
In hot standby networking, if the upstream device runs BGP, the downstream device runs OSPF, and OSPF uses default-route-advertise to generate a default route, perform the following configurations to avoid loops:
Change the BGP route preference to a value larger than 10 and smaller than 150. The default preference of an OSPF intra-area route is 10 (highest). An OSPF default route is an external route, whose default preference is 150. The default preference of a BGP route is 255 (lowest). With the defaults, the default route learned from BGP cannot take effect, because the OSPF external default route is preferred over it.
Configure route filtering so that the default route advertised by the downstream OSPF is not learned. If the upstream device learns the downstream default route, its traffic cannot reach the extranet.
HRP is associated with routing protocols for cost adjustment. Table 1-6 describes the routes that support it.
Table 1-6 Routing protocols for cost adjustment associated with HRP
Item                                         Supported
BGP routes that can be associated with HRP   By route type:
                                             a. BGP IPv4 unicast routes
                                             b. BGP VPNv4 routes
                                             c. BGP IPv6 unicast routes
                                             By route origin:
                                             a. Routes learned from IBGP peers
                                             b. Routes learned from EBGP peers
                                             c. Routes learned from other routing protocols
                                             d. Advertised default routes
OSPF routes that can be associated with HRP  By route origin:
                                             a. Direct routes advertised using the network command
                                             b. Imported external routes
                                             c. Advertised default routes
Security Policies
For security, design the interzone security policies according to the security policy planning above. Do not configure permit-all interzone policies.
Attack Defense
NAT
When planning the NAT address pool, keep the ratio of public addresses to private addresses at about 1:5,000.
If servers on the core network provide services to the extranet, use port-based mapping rather than one-to-one IP address mapping when configuring the NAT server.
The recommended NAT mode is 5-tuple NAT. If a customer requires triplet NAT, contact service or R&D engineers to reassess the solution.
In load balancing scenarios, both devices process service traffic. If NAT is configured, the devices may allocate conflicting public ports in NAPT mode. To prevent such conflicts, assign separate NAT port resources to the devices: run the hrp nat resource primary-group command on the active device, and the standby device automatically generates the hrp nat resource secondary-group command.
You are advised to configure blackhole routes for the NAT address pool to prevent problems such as routing loops.
GRE
When the following conditions are met, you are advised to enable the function of selecting the SPU based on GRE inner packets, so that traffic is distributed evenly across multiple CPUs:
All traffic is encapsulated in one or more GRE tunnels.
The number of sessions on a single CPU over a single GRE tunnel exceeds 1,000,000.
Run the firewall gre inner hash enable command to select a CPU based on a hash of the GRE inner packet information.
Performance
In load-balancing hot standby scenarios, ensure that after traffic is switched to a single device it does not exceed 70% of that device's interface bandwidth and SPU CPU processing capability. Run the display interface command to check interface bandwidth utilization and the display cpu-usage command to check SPU CPU usage.
Solution Configuration
Configuration Procedure
Procedure
1. Configure interfaces and Eth-Trunk interfaces.
a. Configure FW_A.
<FW_A> system-view
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] description To_FW_B
[FW_A-Eth-Trunk0] ip address 192.168.3.1 24
[FW_A-Eth-Trunk0] undo service-manage enable
[FW_A-Eth-Trunk0] quit
# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 (on different boards) to Eth-Trunk 0.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] eth-trunk 0
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 2/0/1
[FW_A-GigabitEthernet2/0/1] eth-trunk 0
[FW_A-GigabitEthernet2/0/1] quit
# Configure Eth-Trunk 1 (to the backbone) and add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to it.
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] description To_Backbone
[FW_A-Eth-Trunk1] ip address 1.1.1.1 24
[FW_A-Eth-Trunk1] undo service-manage enable
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 2/0/2
[FW_A-GigabitEthernet2/0/2] eth-trunk 1
[FW_A-GigabitEthernet2/0/2] quit
[FW_A] interface GigabitEthernet 2/0/3
[FW_A-GigabitEthernet2/0/3] eth-trunk 1
[FW_A-GigabitEthernet2/0/3] quit
# Configure Eth-Trunk 2 (to the GGSN/P-GW) and add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to it.
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] description To_GI
[FW_A-Eth-Trunk2] ip address 10.14.1.1 24
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] quit
[FW_A] interface GigabitEthernet 2/0/4
[FW_A-GigabitEthernet2/0/4] eth-trunk 2
[FW_A-GigabitEthernet2/0/4] quit
[FW_A] interface GigabitEthernet 2/0/5
[FW_A-GigabitEthernet2/0/5] eth-trunk 2
[FW_A-GigabitEthernet2/0/5] quit
# Then add Eth-Trunk 1 to the untrust zone, Eth-Trunk 2 to the trust zone and Eth-Trunk 0 to the hrpzone zone (see the configuration scripts).
b. Configure FW_B.
<FW_B> system-view
[FW_B] interface Eth-Trunk 0
[FW_B-Eth-Trunk0] description To_FW_A
[FW_B-Eth-Trunk0] ip address 192.168.3.2 24
[FW_B-Eth-Trunk0] undo service-manage enable
[FW_B-Eth-Trunk0] quit
# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 to Eth-Trunk 0, then configure Eth-Trunk 1 (1.1.2.1/24, GigabitEthernet2/0/2 and 2/0/3) and Eth-Trunk 2 (10.14.2.1/24, GigabitEthernet2/0/4 and 2/0/5) and the zones in the same way as on FW_A, ending with:
[FW_B-Eth-Trunk2] undo service-manage enable
[FW_B-Eth-Trunk2] quit
2. Configure security policies.
a. Configure FW_A.
# Configure the security policy between the local and trust zones.
[FW_A] security-policy
[FW_A-policy-security] rule name local_trust_outbound
[FW_A-policy-security-rule-local_trust_outbound] source-zone local
[FW_A-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_A-policy-security-rule-local_trust_outbound] source-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_outbound] action permit
[FW_A-policy-security-rule-local_trust_outbound] quit
[FW_A-policy-security] rule name local_trust_inbound
[FW_A-policy-security-rule-local_trust_inbound] source-zone trust
[FW_A-policy-security-rule-local_trust_inbound] destination-zone local
[FW_A-policy-security-rule-local_trust_inbound] destination-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_inbound] action permit
[FW_A-policy-security-rule-local_trust_inbound] quit
# Configure the security policy between the local and untrust zones (1.1.1.0/24 on FW_A).
[FW_A-policy-security] rule name local_untrust_outbound
[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_A-policy-security-rule-local_untrust_outbound] source-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_outbound] action permit
[FW_A-policy-security-rule-local_untrust_outbound] quit
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound] quit
# Configure the security policy between the local and hrpzone zones (192.168.3.0/24; rules local_hrpzone_outbound and local_hrpzone_inbound in the configuration script).
# Configure the security policy between the Trust and Untrust zones, permitting tunnel packets from mobile terminals to the WAP gateway. As written in the configuration script, the rules trust_untrust_outbound1 and trust_untrust_inbound1 permit all traffic between the two zones; in production, restrict them to GRE between the GGSN and the WAP-side router, and configure more refined security policies based on site requirements.
# Configure the security policy between the trust and untrust zones, permitting packets from mobile terminals to the Internet (rule trust_untrust_outbound2). All packets from the 10.10.0.0/16 network segment are matched. In practice, you can add rules as needed.
[FW_A-policy-security] quit
b. Configure FW_B.
# Configure the security policy between the local and trust zones.
[FW_B]  security-policy
[FW_B-policy-security] rule name local_trust_outbound
[FW_B-policy-security-rule-local_trust_outbound] source-zone local
[FW_B-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_B-policy-security-rule-local_trust_outbound] source-address 10.14.2.0 24
[FW_B-policy-security-rule-local_trust_outbound] action permit
[FW_B-policy-security-rule-local_trust_outbound] quit
[FW_B-policy-security] rule name local_trust_inbound
[FW_B-policy-security-rule-local_trust_inbound] source-zone trust
[FW_B-policy-security-rule-local_trust_inbound] destination-zone local
[FW_B-policy-security-rule-local_trust_inbound] destination-address 10.14.2.0 24
[FW_B-policy-security-rule-local_trust_inbound] action permit
[FW_B-policy-security-rule-local_trust_inbound] quit
# Configure the security policy between the local and untrust zones.
[FW_B-policy-security] rule name local_untrust_outbound
[FW_B-policy-security-rule-local_untrust_outbound] source-zone local
[FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_B-policy-security-rule-local_untrust_outbound] source-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_outbound] action permit
[FW_B-policy-security-rule-local_untrust_outbound] quit
[FW_B-policy-security] rule name local_untrust_inbound
[FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_B-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_B-policy-security-rule-local_untrust_inbound] destination-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_inbound] action permit
[FW_B-policy-security-rule-local_untrust_inbound] quit
# Configure the security policy between the local and hrpzone zones (192.168.3.0/24, the same rules as on FW_A).
[FW_B-policy-security] rule name local_hrpzone_outbound
[FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_outbound] action permit
[FW_B-policy-security-rule-local_hrpzone_outbound] quit
[FW_B-policy-security] rule name local_hrpzone_inbound
[FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_inbound] action permit
[FW_B-policy-security-rule-local_hrpzone_inbound] quit
# Configure the security policy between the Trust and Untrust zones, permitting tunnel packets from mobile terminals to the WAP gateway. Restrict these rules to GRE between the GGSN and the WAP-side router, and configure more refined security policies based on site requirements.
# Configure the security policy between the trust and untrust zones, permitting packets from mobile terminals to the Internet. All packets from the 10.10.0.0/16 network segment are matched. In practice, you can add rules as needed.
[FW_B-policy-security] quit
3. Configure routes.
Specify different router IDs for the active and standby firewalls in each OSPF process to prevent OSPF route flapping.
a. Configure the OSPF routes of FW_A.
# Configure routing policies so that, when static routes are imported into OSPF on the side of FW_A connecting to the backbone, only the addresses in the NAT address pool are advertised, not VPN or other private addresses (ip-prefix natAddress, route-policy PS_NAT and import-route static route-policy PS_NAT under ospf 1 in the configuration script).
# Configure route filtering on the side of FW_A connecting to the core network so that the default route is not learned from it (ip-prefix no-default and filter-policy ip-prefix no-default import under ospf 2 in the configuration script).
4. Configure hot standby.
# Enable HRP on FW_A (commands as in the configuration script). After hrp enable, the prompt changes to HRP_M on the active device and HRP_S on the standby device.
[FW_A] hrp interface Eth-Trunk 0 remote 192.168.3.2
[FW_A] hrp enable
HRP_M[FW_A] hrp adjust ospf-cost enable
HRP_M[FW_A] hrp preempt delay 300
HRP_M[FW_A] hrp track interface Eth-Trunk 1
HRP_M[FW_A] hrp track interface Eth-Trunk 2
# On FW_B, run the same commands with hrp interface Eth-Trunk 0 remote 192.168.3.1.
5. Configure NAT.
# Configure the NAT address pool (public addresses 1.1.10.10 to 1.1.10.15 in PAT mode, as in the configuration script).
HRP_M[FW_A] nat address-group addressgroup1 1
HRP_M[FW_A-address-group-addressgroup1] mode pat
HRP_M[FW_A-address-group-addressgroup1] section 0 1.1.10.10 1.1.10.15
HRP_M[FW_A-address-group-addressgroup1] quit
# Configure the NAT policy. The source addresses of all packets from the 10.10.0.0/16 network segment are translated. In practice, you can add rules as needed.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 10.10.0.0 0.0.255.255
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] quit
HRP_M[FW_A-policy-nat] quit
After hot standby is enabled, the attack defense configuration of FW_A is automatically synchronized
to FW_B.
6. Configure attack defense for FW_A.
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable
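What the eleven defend commands above (and the three recommended in the Attack Defense planning section) actually match, as an added example: the following is my own Python, not Huawei's implementation, and the device's exact matching rules are not documented on this page and may differ in detail. The Packet type is a constructed representation of the header fields these checks need, and the sample packets are constructed, not captured traffic. The classifier applies the classic definition of each attack and keeps the per-datagram fragment state that teardrop detection requires.

```python
"""Classify packets against the eleven 'firewall defend' signatures above.

Added example, not Huawei's implementation: the rules are the classic
definitions of these attacks, Packet is a constructed representation, and
the sample packets in sample_verdicts() are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# IP option type codes (RFC 791) that the option-based defenses look for.
OPT_RECORD_ROUTE, OPT_TIMESTAMP = 7, 68
OPT_LOOSE_SRC_ROUTE, OPT_STRICT_SRC_ROUTE = 131, 137
MAX_IP_LEN = 65535                       # largest legal reassembled IP datagram
ALL_TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags present
    ip_id: int = 0                       # IP identification (fragment group)
    frag_offset: int = 0                 # fragment offset in 8-byte units, as on the wire
    mf: bool = False                     # More Fragments
    df: bool = False                     # Don't Fragment
    length: int = 64                     # bytes carried after the IP header
    options: Tuple[int, ...] = ()        # IP option type codes present
    icmp_type: Optional[int] = None      # 8 = echo request


ALL_DEFENSES = ("land", "smurf", "fraggle", "ip-fragment", "tcp-flag", "winnuke",
                "source-route", "teardrop", "route-record", "time-stamp", "ping-of-death")


class AttackDefense:
    """Mirrors 'firewall defend <name> enable': only enabled checks produce hits."""

    def __init__(self, enabled: Iterable[str] = ALL_DEFENSES, broadcast_addrs: Iterable[str] = ()):
        self.enabled = set(enabled)
        self.broadcast: Set[str] = set(broadcast_addrs)   # directed-broadcast addresses behind the FW
        # teardrop needs state: byte ranges already seen per (src, dst, proto, ip_id)
        self._frags: Dict[Tuple[str, str, str, int], List[Tuple[int, int]]] = {}

    def inspect(self, p: Packet) -> List[str]:
        tcp, udp, icmp = p.proto == "tcp", p.proto == "udp", p.proto == "icmp"
        bcast = p.dst in self.broadcast
        start, end = p.frag_offset * 8, p.frag_offset * 8 + p.length   # byte range in the datagram
        hits: List[str] = []
        if p.src == p.dst:                                  # LAND: source spoofed as the victim
            hits.append("land")
        if icmp and p.icmp_type == 8 and bcast:             # Smurf: echo request to a broadcast
            hits.append("smurf")
        if udp and bcast and p.dport in (7, 19):            # Fraggle: UDP echo/chargen to a broadcast
            hits.append("fraggle")
        if (p.df and (p.mf or p.frag_offset)) or (not icmp and end > MAX_IP_LEN):
            hits.append("ip-fragment")                      # contradictory flags or oversize datagram
        if tcp and (not p.flags or {"SYN", "FIN"} <= p.flags or p.flags >= ALL_TCP_FLAGS):
            hits.append("tcp-flag")                         # null, SYN+FIN or all-flags packets
        if tcp and "URG" in p.flags and p.dport in (137, 138, 139):
            hits.append("winnuke")                          # OOB data to NetBIOS ports
        if OPT_LOOSE_SRC_ROUTE in p.options or OPT_STRICT_SRC_ROUTE in p.options:
            hits.append("source-route")
        if OPT_RECORD_ROUTE in p.options:
            hits.append("route-record")
        if OPT_TIMESTAMP in p.options:
            hits.append("time-stamp")
        if icmp and end > MAX_IP_LEN:                       # ping of death: ICMP reassembling > 64 KiB
            hits.append("ping-of-death")
        if p.mf or p.frag_offset:                           # this packet is a fragment
            seen = self._frags.setdefault((p.src, p.dst, p.proto, p.ip_id), [])
            if any(start < e and s < end for s, e in seen):  # overlaps an earlier fragment
                hits.append("teardrop")
            seen.append((start, end))
        return [h for h in hits if h in self.enabled]


def sample_verdicts() -> Dict[str, List[str]]:
    """Constructed packets, one per defense plus a clean one; 10.14.1.255 is a protected broadcast."""
    fw = AttackDefense(broadcast_addrs={"10.14.1.255"})
    ext, mt = "203.0.113.7", "10.10.5.20"
    samples = {
        "clean_syn": Packet(mt, ext, "tcp", 51000, 443, frozenset({"SYN"})),
        "land": Packet("1.1.1.1", "1.1.1.1", "tcp", 80, 80, frozenset({"SYN"})),
        "smurf": Packet(mt, "10.14.1.255", "icmp", icmp_type=8),
        "fraggle": Packet(mt, "10.14.1.255", "udp", 40000, 7),
        "ip_fragment": Packet(mt, ext, "udp", 1, 2, df=True, mf=True),
        "xmas": Packet(mt, ext, "tcp", 1, 22, ALL_TCP_FLAGS),
        "winnuke": Packet(mt, ext, "tcp", 1, 139, frozenset({"ACK", "URG"})),
        "source_route": Packet(mt, ext, "icmp", icmp_type=8, options=(OPT_LOOSE_SRC_ROUTE,)),
        "route_record": Packet(mt, ext, "icmp", icmp_type=8, options=(OPT_RECORD_ROUTE,)),
        "time_stamp": Packet(mt, ext, "icmp", icmp_type=8, options=(OPT_TIMESTAMP,)),
        "ping_of_death": Packet(mt, ext, "icmp", icmp_type=8, ip_id=7, frag_offset=8189, length=1480),
        "teardrop_1": Packet(mt, ext, "udp", ip_id=9, frag_offset=0, mf=True, length=24),
        "teardrop_2": Packet(mt, ext, "udp", ip_id=9, frag_offset=2, length=24),   # overlaps [0, 24)
    }
    return {name: fw.inspect(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:14s} -> {verdict or 'pass'}")
```

Two points the code makes visible: smurf and fraggle are only detectable if the firewall knows which destination addresses are directed broadcasts of the segments it protects, and teardrop is a stateful check, so a classifier that inspects packets in isolation cannot implement it.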
7. Configure network management (SNMP).
# Configure the SNMP agent on FW_A (snmp-agent commands in the configuration script: SNMPv3, group NMS1 with the privacy security level, traps to the NMS at 10.1.1.1).
8. Configure the LogCenter.
For the configuration on the LogCenter log server, see the product manual of the LogCenter. Only the configuration on the FW is described here.
After hot standby is enabled, the LogCenter configuration of FW_A is automatically synchronized to FW_B. However, the source address and source port for log export must be configured separately on FW_B.
a. Configure FW_A.
# Enable the session log function in the security policy as required, depending on the actual situation. The rule shown has no match conditions, so as written it permits and logs all traffic; give it zone and address conditions (or attach session logging to the existing trust_untrust rules) before deploying.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_untrust
HRP_M[FW_A-policy-security-rule-trust_untrust] session logging
HRP_M[FW_A-policy-security-rule-trust_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_untrust] quit
HRP_M[FW_A-policy-security] quit
# Configure the log output format, concurrent mode, source address/port (3.3.3.3/6000) and log host (as in the configuration script).
HRP_M[FW_A] firewall log session log-type syslog
HRP_M[FW_A] firewall log session multi-host-mode concurrent
HRP_M[FW_A] firewall log source 3.3.3.3 6000
HRP_M[FW_A] firewall log host 1 2.2.2.2 514
b. Configure FW_B.
# Configure the source address and source port for log export (3.3.3.4/6000).
HRP_S[FW_B] firewall log source 3.3.3.4 6000
Verification
1. Run the display hrp state command on FW_A to view the current HRP state. The output should show FW_A as the active device with HRP set up successfully.
2. Users can browse web pages and send and receive multimedia messages using mobile terminals.
4. Run the shutdown command on GigabitEthernet2/0/0 of FW_A to simulate a link fault. The active/standby switchover takes place without service interruption.
Configuration Scripts
MENU
FW_A
#
Translation
sysname FW_A
#
Favorite
info-center source default channel 2 log level warning
info-center loghost 10.2.0.10 Download
#
firewall log session log-type syslog
firewall log session multi-host-mode concurrent Page navigation
firewall log source 3.3.3.3 6000
firewall log host 1 2.2.2.2 514
# Introduction
nat address-group 1
mode pat
Solution Overvi
ew
status active
section 0 1.1.10.10 1.1.10.15 Solution Design
#
Typical Networki
hrp enable
ng
hrp interface Eth-Trunk 0 remote 192.168.3.2
hrp adjust ospf-cost enable Service Planning
hrp preempt delay 300
hrp track interface Eth-Trunk 1
hrp track interface Eth-Trunk 2
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
Share
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
interface Eth-Trunk0
description To_FW_B
ip address 192.168.3.1 255.255.255.0
undo service-manage enable
#
interface Eth-Trunk1
description To_Backbone
ip address 1.1.1.1 255.255.255.0
undo service-manage enable
#
interface Eth-Trunk2
description To_GI
ip address 10.14.1.1 255.255.255.0
undo service-manage enable
#
interface GigabitEthernet1/0/1
eth-trunk 0
#
interface GigabitEthernet2/0/1
eth-trunk 0
#
interface GigabitEthernet2/0/2
https://support.huawei.com/enterprise/en/doc/EDOC1100087916 20/26
5/26/2020 Application of Firewalls in the Core Network PS Domain - Huawei
FW_A
MENU
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
Translation
interface GigabitEthernet2/0/4
eth-trunk 2
Favorite
#
interface GigabitEthernet2/0/5
Download
eth-trunk 2
#
firewall zone trust
Page navigation
set priority 85
add interface Eth-Trunk2
# Introduction
firewall zone untrust
set priority 5 Solution Overvi
ew
add interface Eth-Trunk1
# Solution Design
firewall zone hrpzone
set priority 65 Typical Networki
ng
add interface Eth-Trunk0
# Service Planning
firewall interzone trust untrust
detect rtsp
detect ftp
detect pptp
#
security-policy
rule name local_trust_outbound
Share
source-zone local
destination-zone trust
source-address 10.14.1.0 24
action permit
rule name local_trust_inbound
source-zone trust
destination-zone local
destination-address 10.14.1.0 24
action permit
rule name local_untrust_outbound
source-zone local
destination-zone untrust
source-address 1.1.1.0 24
action permit
rule name local_untrust_inbound
source-zone untrust
destination-zone local
destination-address 1.1.1.0 24
action permit
rule name local_hrpzone_outbound
source-zone local
destination-zone hrpzone
source-address 192.168.3.0 24
action permit
rule name local_hrpzone_inbound
source-zone hrpzone
destination-zone local
destination-address 192.168.3.0 24
action permit
rule name trust_untrust_outbound1
source-zone trust
https://support.huawei.com/enterprise/en/doc/EDOC1100087916 21/26
5/26/2020 Application of Firewalls in the Core Network PS Domain - Huawei
FW_A
MENU
destination-zone untrust
action permit
rule name trust_untrust_inbound1
source-zone untrust
destination-zone trust
Translation
action permit
rule name trust_untrust_outbound2
Favorite
source-zone trust
destination-zone untrust
Download
source-address 10.10.0.0 16
action permit
rule name trust_untrust
Page navigation
session logging
action permit
# Introduction
nat-policy
rule name trust_untrust_outbound Solution Overvi
ew
source-zone trust
destination-zone untrust Solution Design
source-address 10.10.0.0 16
action source-nat address-group addressgroup1 Typical Networki
ng
#
ip ip-prefix natAddress permit 1.1.10.10 32 Service Planning
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
Share
#
route-policy PS_NAT permit node 10
if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.1
import-route static route-policy PS_NAT
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
ospf 2 router-id 10.14.1.1
default-route-advertise
filter-policy ip-prefix no-default import
area 0.0.0.0
network 10.14.1.0 0.0.0.255
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.11 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
ip route-static 1.1.10.13 255.255.255.255 NULL0
ip route-static 1.1.10.14 255.255.255.255 NULL0
ip route-static 1.1.10.15 255.255.255.255 NULL0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:B private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REP privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return
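Two checks a reviewer would run over a script like the one above, as an added example that is not part of Huawei's documentation: it parses a constructed VRP-style fragment modelled on the script (addresses reused from the page, one NAT address deliberately mismatched), flags permit rules that carry no zone or address match condition (a rule written that way matches all traffic), and compares the NAT addresses in the `natAddress` prefix list with the NULL0 blackhole routes, since `import-route static route-policy PS_NAT` can only advertise routes that exist in the routing table.

```python
import re
from ipaddress import ip_network

# Constructed VRP-style fragment modelled on the script above (one NAT address deliberately mismatched).
CONFIG = """\
security-policy
 rule name trust_untrust_outbound2
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action permit
 rule name trust_untrust
  session logging
  action permit
#
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.16 32
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
"""

def parse_rules(cfg):
    """Map each security-policy rule name to (set of match conditions, action)."""
    rules, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*rule name (\S+)", line)
        if m:
            current = m.group(1)
            rules[current] = (set(), None)
        elif line.startswith("#"):
            current = None  # a bare '#' closes the security-policy view
        elif current and re.match(r"\s*(source|destination)-(zone|address) ", line):
            rules[current][0].add(line.split()[0])
        elif current and line.strip().startswith("action "):
            rules[current] = (rules[current][0], line.split()[1])
    return rules

def unrestricted_permits(cfg):
    """Permit rules with no zone or address condition: they match every packet."""
    return sorted(name for name, (conds, action) in parse_rules(cfg).items()
                  if action == "permit" and not conds)

def nat_pool_mismatch(cfg, prefix_list="natAddress"):
    """NAT addresses in the prefix list versus NULL0 blackhole routes; import-route
    static only exports routes that exist, so the two sets should be identical."""
    advertised = {ip_network(f"{a}/{l}") for a, l in re.findall(rf"ip ip-prefix {prefix_list} permit (\S+) (\d+)", cfg)}
    blackholed = {ip_network(f"{a}/{m}") for a, m in re.findall(r"ip route-static (\S+) (\S+) NULL0", cfg)}
    return sorted(map(str, advertised - blackholed)), sorted(map(str, blackholed - advertised))
```

On the sample, `unrestricted_permits` returns `trust_untrust` and `nat_pool_mismatch` reports 1.1.10.16/32 as advertised without a blackhole route and 1.1.10.12/32 as blackholed but never advertised.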
Other Solutions
As shown in Figure 1-5, the service interfaces of both firewalls work at Layer 3, connecting to the backbone through routers and to the GGSN/P-GW through Layer 2 switches. OSPF runs between the firewall and router, and VRRP is enabled on the interface connecting the firewall to the switch.
The two firewalls work in active/standby mode. Normally, traffic is forwarded by FW_A. When FW_A fails, traffic is forwarded by FW_B. This ensures that the services are not interrupted.
Figure 1-5 Active/standby backup with OSPF+VRRP running on the FW
When the link to the backbone fails, the priority of FW_A is lowered through the HRP track function configured on the interface to trigger an active/standby switchover. The active route is switched to FW_B, which becomes the active device in the VRRP group, and the traffic is thereby switched over.
The upstream and downstream interfaces of the FW are bound to the same link group, and the HRP track function is configured to monitor these interfaces. The switchover mode in case of a fault in the link to the GGSN/P-GW is the same as that in case of a fault in the link to the backbone network.
Configuration Difference
Item FW_A
Interfaces
#
interface Eth-Trunk0
description TO-FW-B
ip address 192.168.3.1 255.255.255.240
#
interface Eth-Trunk1
ip address 1.1.1.1 255.255.255.0
#
interface Eth-Trunk2
description TO-GI
ip address 10.14.1.1 255.255.255.0
vrrp vrid 20 virtual-ip 10.14.1.3 active
#
Routes
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a default route to the publi
ip route-static x.x.x.x x.x.x.x 10.14.1.5 //Configure a route to the private add
OSPF (Load Balancing)
Networking Diagram
As shown in Figure 1-6, the service interfaces of both firewalls work at Layer 3 and connect to both the backbone and GGSN/P-GW through routers. OSPF runs between the firewall and router.
The two firewalls are expected to work in load balancing mode. Normally, FW_A and FW_B forward traffic together. When one firewall fails, the other firewall forwards all traffic. The services are not interrupted.
When FW_A fails, the OSPF route is switched to FW_B through hot standby so that the traffic is switched over. When FW_B fails, the OSPF route is switched to FW_A through hot standby so that the traffic is switched over.
Configuration Difference
Item FW_A
Hot standby
hrp enable
hrp interface Eth-Trunk0 remote 192.168.3.2
hrp mirror session enable
hrp preempt delay 120
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource primary-group //Set the NAT port segment of the dual firewalls