Lab - Firewall Hot Standby

This document describes configuring firewall hot standby on two USG6330 firewalls. Key steps include: 1. Configuring interfaces and zones on each firewall and adding them to active/standby VRRP groups. 2. Creating virtual IP addresses for the VRRP groups and configuring heartbeat monitoring between the firewalls. 3. Configuring a security policy to allow traffic from the trust zone to the untrust zone. Verification includes checking VRRP and HRP states, pinging the virtual IP address, and verifying session backup occurs from the active to standby firewall.

Uploaded by

Ahsan Nawaz913

Firewall Hot Standby

Experiment Overview
About This Experiment
In this experiment, two or more firewalls are deployed at the egress of the network to
ensure communication between the intranet and Internet.

Objectives
Understand the basic principle of hot standby.
Understand the VGMP and HRP protocols.
Configure firewall hot standby on the CLI and web UI.

Experiment Networking
Firewall hot standby topology

Experiment Planning
Security devices USGs are deployed on a service node. Upstream and downstream devices
are switches. USG6330-1 and USG6330-2 work in active/standby mode.
Port addresses and zones

Device Name   Port     IP Address    Zone
USG6330-1     G1/0/1   10.1.2.1      Trust
USG6330-1     G1/0/3   30.1.1.1      DMZ
USG6330-1     G1/0/4   40.1.1.1      Untrust
USG6330-2     G1/0/1   10.1.2.2      Trust
USG6330-2     G1/0/3   30.1.1.2      DMZ
USG6330-2     G1/0/4   40.1.1.2      Untrust
PC1           E0/0/1   10.1.2.100    Trust
PC2           E0/0/1   2.2.2.2       Untrust

Experiment Tasks

No.  Task                            Subtask                                  Description
1    Complete basic configurations.  Configure security zones.                Add interfaces to security zones.
2    Configure hot standby.          Configure hot standby.                   Set the hot standby mode to active/standby. USG6330-1 is active, and USG6330-2 is standby.
                                     Configure virtual IP addresses.          Create VRRP groups 1 and 2.
3    Configure a security policy.    Configure an interzone security policy.  Permit the packets from the Trust zone to the Untrust zone.

Experiment Task Configuration


Configuration Roadmap
Configure IP addresses for interfaces and add the interfaces to security zones. Configure a
security policy to permit packets from the Trust zone to the Untrust zone.
Configure hot standby in active/standby mode. USG6330-1 is active, and USG6330-2 is
standby.
Configuration Procedure on the CLI
Complete the configuration of the upstream and downstream service interfaces on
USG6330-1. Configure IP addresses for the interfaces and add the interfaces to security
zones.
<USG6330-1> system-view
[USG6330-1] interface GigabitEthernet 1/0/1
[USG6330-1-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
[USG6330-1-GigabitEthernet1/0/1] quit
[USG6330-1] interface GigabitEthernet 1/0/4
[USG6330-1-GigabitEthernet1/0/4] ip address 40.1.1.1 255.255.255.0
[USG6330-1-GigabitEthernet1/0/4] quit
[USG6330-1] firewall zone trust
[USG6330-1-zone-trust] add interface GigabitEthernet 1/0/1
[USG6330-1-zone-trust] quit
[USG6330-1] firewall zone untrust
[USG6330-1-zone-untrust] add interface GigabitEthernet 1/0/4
[USG6330-1-zone-untrust] quit

Create VRRP group 1 on GigabitEthernet1/0/4, and add it to the active VGMP group.
[USG6330-1] interface GigabitEthernet 1/0/4
[USG6330-1-GigabitEthernet1/0/4] vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active
[USG6330-1-GigabitEthernet1/0/4] quit

Create VRRP group 2 on GigabitEthernet1/0/1, and add it to the active VGMP group.
[USG6330-1] interface GigabitEthernet 1/0/1
[USG6330-1-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.1.2.3 active
[USG6330-1-GigabitEthernet1/0/1] quit

Configure the heartbeat link on USG6330-1.


Configure an IP address for GigabitEthernet1/0/3.
[USG6330-1] interface GigabitEthernet1/0/3
[USG6330-1-GigabitEthernet1/0/3] ip address 30.1.1.1 255.255.255.0
[USG6330-1-GigabitEthernet1/0/3] quit

Add GigabitEthernet1/0/3 to the DMZ.


[USG6330-1] firewall zone dmz
[USG6330-1-zone-dmz] add interface GigabitEthernet1/0/3
[USG6330-1-zone-dmz] quit

Specify GigabitEthernet1/0/3 as the heartbeat interface.


[USG6330-1] hrp interface GigabitEthernet1/0/3 remote 30.1.1.2

Configure a security policy to permit packets from the Trust zone to the Untrust zone.
HRP_A[USG6330-1] security-policy
HRP_A[USG6330-1-policy-security] rule name policy_sec
HRP_A[USG6330-1-policy-security-rule-policy_sec] source-zone trust
HRP_A[USG6330-1-policy-security-rule-policy_sec] destination-zone untrust
HRP_A[USG6330-1-policy-security-rule-policy_sec] action permit
HRP_A[USG6330-1-policy-security-rule-policy_sec] quit

Enable HRP.
[USG6330-1] hrp enable

Configure USG6330-2.
The configurations on USG6330-2 are the same as those on USG6330-1, except that:
1. The IP addresses of the interfaces on USG6330-2 are different from those on USG6330-1 (see the port address table).
2. The service interfaces GigabitEthernet1/0/1 and GigabitEthernet1/0/4 of USG6330-2 are added to the standby VGMP group.
Configure the switches.
Add the three interfaces of each switch to the same VLAN (default VLAN). For
configuration commands, refer to the relevant switch documents.
----End

Configuration Procedure on the Web UI


Configure interfaces on USG6330-1.

Choose Network > Interface. Click next to the interface to be configured. Set
parameters, and then click OK. The following figure shows the configuration of
GigabitEthernet1/0/1.

The configuration of GigabitEthernet1/0/3 and GigabitEthernet1/0/7 is similar to that of GigabitEthernet1/0/1.
Configure VRRP group 1 and VRRP group 2 on USG6330-1.
Choose System > High Availability > Dual-System Hot Standby. Click Configure,
select the Enable check box of Dual-System Hot Standby, and set the following
parameters.
The configuration of USG6330-2 is similar to that of USG6330-1, and is omitted here.
On the Dual-System Hot Standby page, view the status of dual-system hot standby.

Configure a security policy on USG6330-1 to permit packets from the Trust zone to the
Untrust zone.
Choose Policy > Security Policy > Security Policy. Click Add. Set the parameters one by
one. Click OK. The following figure shows the security policy that permits packets from
the Trust zone to the Untrust zone.
----End

Verification
Checking the Configuration
Run the display vrrp command on USG6330-1 to check the status of interfaces in VRRP
groups. If the following information is displayed, the VRRP groups are successfully
created.
HRP_A<USG6330-1>display vrrp
GigabitEthernet1/0/4 | Virtual Router 1
State : Master
Virtual IP : 2.2.2.1
Master IP : 40.1.1.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled

GigabitEthernet1/0/1 | Virtual Router 2
State : Master
Virtual IP : 10.1.2.3
Master IP : 10.1.2.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled

Run the display hrp state command on USG6330-1 to check the current HRP status. If
the following information is displayed, HRP is successfully configured.
HRP_A<USG6330-1>display hrp state
The firewall's config state is: ACTIVE
Current state of virtual routers configured as active:
GigabitEthernet1/0/1 vrid 2 : active
GigabitEthernet1/0/4 vrid 1 : active
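The two checks above are done by eye: read display vrrp, confirm both groups are Master, then read display hrp state. The following Python script is an added example, not part of this lab and not Huawei tooling. It parses the two outputs reproduced above (embedded verbatim as sample input) and checks the active unit against the lab's virtual IP plan: HRP config state ACTIVE, every planned vrid present, each group in Master state with the planned virtual IP, and each vrid reported active by HRP. It also notes Auth type NONE, because the sample output shows VRRP running without authentication. Function and variable names are the example's own assumptions.

```python
import re

# `display vrrp` output of USG6330-1, reproduced from the lab page.
DISPLAY_VRRP_ACTIVE = """\
GigabitEthernet1/0/4 | Virtual Router 1
State : Master
Virtual IP : 2.2.2.1
Master IP : 40.1.1.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled

GigabitEthernet1/0/1 | Virtual Router 2
State : Master
Virtual IP : 10.1.2.3
Master IP : 10.1.2.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled
"""

# `display hrp state` output of USG6330-1, reproduced from the lab page.
DISPLAY_HRP_STATE_ACTIVE = """\
The firewall's config state is: ACTIVE
Current state of virtual routers configured as active:
GigabitEthernet1/0/1 vrid 2 : active
GigabitEthernet1/0/4 vrid 1 : active
"""

# Virtual IP plan from the lab: group 1 on the Untrust side, group 2 on the Trust side.
EXPECTED_VIPS = {1: "2.2.2.1", 2: "10.1.2.3"}

VRRP_HEADER = re.compile(r"^(\S+) \| Virtual Router (\d+)\s*$", re.M)
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)", re.M)


def parse_display_vrrp(text):
    # One dict per VRRP group: interface, vrid and every "Key : value" line below the header
    headers = list(VRRP_HEADER.finditer(text))
    groups = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = dict(KEY_VALUE.findall(text[h.end():end]))
        groups.append({"interface": h.group(1), "vrid": int(h.group(2)), **fields})
    return groups


def parse_hrp_state(text):
    # Config state of the unit plus the HRP view of each vrid
    m = re.search(r"config state is:\s*(\S+)", text)
    vrids = {int(v): s for _, v, s in re.findall(r"^(\S+) vrid (\d+)\s*:\s*(\S+)", text, re.M)}
    return {"config_state": m.group(1) if m else None, "vrids": vrids}


def check_active_unit(vrrp_text, hrp_text, expected_vips):
    # A unit that should be active must own every planned group, and HRP must agree
    groups, hrp = parse_display_vrrp(vrrp_text), parse_hrp_state(hrp_text)
    problems, warnings = [], []
    if hrp["config_state"] != "ACTIVE":
        problems.append(f"HRP config state is {hrp['config_state']}, expected ACTIVE")
    for vrid in set(expected_vips) - {g["vrid"] for g in groups}:
        problems.append(f"VRRP group {vrid} is not configured")
    for g in groups:
        tag = f"{g['interface']} vrid {g['vrid']}"
        if g.get("State") != "Master":
            problems.append(f"{tag}: VRRP state is {g.get('State')}, expected Master")
        if g.get("Virtual IP") != expected_vips.get(g["vrid"]):
            problems.append(f"{tag}: virtual IP {g.get('Virtual IP')} does not match the plan")
        if hrp["vrids"].get(g["vrid"]) != "active":
            problems.append(f"{tag}: not reported as active in display hrp state")
        if g.get("Auth type") == "NONE":
            warnings.append(f"{tag}: VRRP advertisements are unauthenticated (Auth type NONE)")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    result = check_active_unit(DISPLAY_VRRP_ACTIVE, DISPLAY_HRP_STATE_ACTIVE, EXPECTED_VIPS)
    print("active unit OK" if result["ok"] else "\n".join(result["problems"]))
    print("\n".join(result["warnings"]))
```

Feed it the captured output of the two commands on the unit you expect to be active; any group that is Backup, any mismatch with the plan, or a config state other than ACTIVE is listed as a problem. Running the same check against the standby unit is expected to fail, which is a quick way to confirm the two units really disagree on who owns the virtual IPs.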

Ping the virtual IP address 10.1.2.3 of VRRP group 2 on PC1 in the Trust zone and check
the session table on USG6330-1.
HRP_A<USG6330-1>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public 10.1.2.100:1-->10.1.2.3:2048

The virtual IP address of VRRP group 2 can be pinged on PC1.


PC2 functions as the server and is located in the Untrust zone. PC1 can ping the server in the
Untrust zone. Check the sessions on USG6330-1 and USG6330-2.
HRP_A<USG6330-1>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public 10.1.2.100:1-->2.2.2.2:2048

HRP_S<USG6330-2>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.1.2.100:1-->2.2.2.2:2048

You can see a session marked with Remote on USG6330-2. This indicates that the session
has been backed up to the peer after hot standby is enabled.
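As an added example that is not part of the lab, the following Python script turns the comparison just described into a check: it parses display firewall session table output from both units (the two tables above, embedded as sample input), keys each session on protocol and address pair, and reports which active-unit sessions appear on the standby with the Remote flag, which do not, and which sessions the standby created on its own. A third, constructed table adds a TCP session on the active unit that the standby never received, to show the failure case. Names and the constructed session are the example's own assumptions.

```python
import re

# Session tables reproduced from the lab page after PC1 (10.1.2.100) pinged PC2 (2.2.2.2).
SESSIONS_ACTIVE = """\
Current Total Sessions : 1
icmp VPN:public --> public 10.1.2.100:1-->2.2.2.2:2048
"""
SESSIONS_STANDBY = """\
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.1.2.100:1-->2.2.2.2:2048
"""
# Constructed (not from the lab): the active unit also holds a TCP session the standby never received.
SESSIONS_ACTIVE_PARTIAL_BACKUP = """\
Current Total Sessions : 2
icmp VPN:public --> public 10.1.2.100:1-->2.2.2.2:2048
tcp VPN:public --> public 10.1.2.100:49152-->2.2.2.2:80
"""

TOTAL_LINE = re.compile(r"Current Total Sessions\s*:\s*(\d+)")
SESSION_LINE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?(?P<src>[\d.]+):(?P<sport>\d+)-->(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.M,
)


def parse_session_table(text):
    # Returns (reported total, list of sessions); the word Remote marks a session received from the peer
    t = TOTAL_LINE.search(text)
    sessions = [
        {
            "key": (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            "vpn": (m["src_vpn"], m["dst_vpn"]),
            "remote": m["remote"] is not None,
        }
        for m in SESSION_LINE.finditer(text)
    ]
    return (int(t.group(1)) if t else None), sessions


def check_session_backup(active_text, standby_text):
    # Every session on the active unit should appear on the standby flagged Remote.
    # A session on the standby without Remote was created there locally; in active/standby
    # mode that is worth investigating, because the standby is not supposed to be forwarding.
    _, active = parse_session_table(active_text)
    _, standby = parse_session_table(standby_text)
    active_keys = {s["key"] for s in active}
    standby_remote = {s["key"] for s in standby if s["remote"]}
    standby_local = {s["key"] for s in standby if not s["remote"]}
    return {
        "backed_up": sorted(active_keys & standby_remote),
        "not_backed_up": sorted(active_keys - standby_remote),
        "local_on_standby": sorted(standby_local),
    }


if __name__ == "__main__":
    for label, active in (("lab output", SESSIONS_ACTIVE),
                          ("constructed partial backup", SESSIONS_ACTIVE_PARTIAL_BACKUP)):
        report = check_session_backup(active, SESSIONS_STANDBY)
        missing = report["not_backed_up"]
        print(label, "->", "all sessions backed up" if not missing else f"missing on standby: {missing}")
```

For the lab output the single ICMP session is reported as backed up; for the constructed table the TCP session shows up under not_backed_up, which is what you would expect to see if the heartbeat link were down or session backup were not yet enabled when the session was created.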
Run the ping 2.2.2.2 -t command on PC1, remove the network cable from GE1/0/1 on
USG6330-1, and then check whether an active/standby switchover is performed and
whether ping packets are discarded. Insert the network cable into GE1/0/1 on USG6330-1
and check whether an active/standby switchover is performed and whether ping packets
are discarded.

Lab : Hot Standby

Step 1 Complete the configuration of the upstream and downstream service interfaces on USG-1. Configure IP addresses for the interfaces and add the interfaces to security zones.

FW1:

sysname FW1
interface GigabitEthernet 1/0/1
 ip address 10.1.2.1 255.255.255.0
 quit
interface GigabitEthernet 1/0/4
 ip address 40.1.1.1 255.255.255.0
 quit
firewall zone trust
 add interface GigabitEthernet 1/0/1
 quit
firewall zone untrust
 add interface GigabitEthernet 1/0/4
 quit

Create VRRP group 1 on GigabitEthernet1/0/4, and add it to the active VGMP group.

interface GigabitEthernet 1/0/4
 vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active
 quit

Create VRRP group 2 on GigabitEthernet1/0/1, and add it to the active VGMP group.

interface GigabitEthernet 1/0/1
 vrrp vrid 2 virtual-ip 10.1.2.3 active
 quit

Step 2 Configure the heartbeat link on USG6330-1. Configure an IP address for GigabitEthernet1/0/3.

interface GigabitEthernet1/0/3
 ip address 30.1.1.1 255.255.255.0
 quit

Add GigabitEthernet1/0/3 to the DMZ.

firewall zone dmz
 add interface GigabitEthernet1/0/3
 quit

Specify GigabitEthernet1/0/3 as the heartbeat interface.

hrp interface GigabitEthernet1/0/3 remote 30.1.1.2

Step 3 Configure a security policy to permit packets from the Trust zone to the Untrust zone.

security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
 quit

Step 4 Enable HRP.

hrp enable

FW2:

Step 1 Complete the configuration of the upstream and downstream service interfaces on USG-2. Configure IP addresses for the interfaces and add the interfaces to security zones.

sysname FW2
interface GigabitEthernet 1/0/1
 ip address 10.1.2.2 255.255.255.0
 quit
interface GigabitEthernet 1/0/4
 ip address 40.1.1.2 255.255.255.0
 quit
firewall zone trust
 add interface GigabitEthernet 1/0/1
 quit
firewall zone untrust
 add interface GigabitEthernet 1/0/4
 quit

Create VRRP group 1 on GigabitEthernet1/0/4, and add it to the standby VGMP group.

interface GigabitEthernet 1/0/4
 vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 standby
 quit

Create VRRP group 2 on GigabitEthernet1/0/1, and add it to the standby VGMP group.

interface GigabitEthernet 1/0/1
 vrrp vrid 2 virtual-ip 10.1.2.3 standby
 quit

Step 2 Configure the heartbeat link on USG6330-2. Configure an IP address for GigabitEthernet1/0/3.

interface GigabitEthernet1/0/3
 ip address 30.1.1.2 255.255.255.0
 quit

Add GigabitEthernet1/0/3 to the DMZ.

firewall zone dmz
 add interface GigabitEthernet1/0/3
 quit

Specify GigabitEthernet1/0/3 as the heartbeat interface.

hrp interface GigabitEthernet1/0/3 remote 30.1.1.1

Step 3 Enable HRP.

hrp enable

Verification:

display vrrp
display hrp state
PC1: ping 2.2.2.2 -t
USG: display firewall session table

Shut down interface Ethernet 0/0/3 on SW1 and check that traffic shifts to the standby firewall:

interface Ethernet 0/0/3
 shutdown
