HUAWEI USG6000, USG6000E, USG9500, NGFW Module Quick Configuration Guide (with Old Web UI)

The Quick Configuration Guide for HUAWEI USG6000 and USG9500 series provides detailed instructions for logging into the web configuration page and configuring various network access scenarios, including static IP, PPPoE, and multiple ISP networks. It includes step-by-step examples for setting up security policies, NAT, and VPN tunnels, along with verification procedures. The document is intended for users of version V500R001C50 and later, with content that may vary by version.


Quick Configuration Guide

HUAWEI USG6000, USG6000E, USG9500, NGFW Module

Issue: 05 (2021-05-07)
Contents
Logging In to the Web Configuration Page 005
Example 1: Accessing the Internet Using a Static IP Address 008
Example 2: Accessing the Internet Using PPPoE 015
Example 3: Accessing the Internet Through Multiple ISP Networks 023
Example 4: NAPT for Intranet Users to Access the Internet 032
Example 5: NAT Server for Internet Users to Access Intranet Servers 038
Example 6: Both Intranet and Internet Users Accessing an Intranet Server 046
Example 7: Site-to-Site IPSec Tunnel 054
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) 065
Example 9.1: L2TP over IPSec Access from Clients (SecoClient) 081
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) 093
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) 104
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) 115
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) 126
Example 9.6: L2TP over IPSec Access from Clients (Android) 136
Example 9.7: L2TP over IPSec Access from Clients (iOS) 145
Example 10: SSL VPN Tunnel Access (Network Extension) 154
Example 11: Firewall Transparent Access for Load Balancing 169
Example 12: Active Standby Firewalls Attached to Layer-3 Devices 180
Example 13: Load Balancing Firewalls Attached to Layer-3 Devices 196
Example 14: Active Standby Backup in In-path Deployment 218
Example 15: Load Balancing in In-path Deployment 231
Example 16: Configuring Source Address-based PBR 245
Example 17: User-specific Bandwidth Management 254
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) 264

Note:
This document is based on V500R001C50 and can be used as a reference for V500R001C50 and later versions.
Document content may vary according to version.
Logging In to the Web Configuration Page

Networking Diagram: the administrator PC (an address in 192.168.0.0/24) is connected directly to the firewall's management interface GE0/0/0 (192.168.0.1/24).

Default Settings
Management Interface: GE0/0/0
IP Address: 192.168.0.1/24
User Name/Password: The default username and password are available in HUAWEI Security Products Default Usernames and Passwords. If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it. Because the defaults are published, change the administrator password at the first login.

Supported Browser Versions: 8.0 (or later versions), 10.0 (or later versions), 17.0 (or later versions)
Login Procedure (Internet Explorer for Example)

1. Set the IP address of the administrator PC within the range 192.168.0.2 to 192.168.0.254.
2. Open the browser on the administrator PC. In the address box, enter the default IP address of the management interface (https://192.168.0.1:8443).
3. The browser displays an insecure certificate warning, because the device's certificate is not issued by a CA the browser trusts. Select Continue to this website (not recommended).

On the login page, you can click Download CA certificate to download the certificate issued by the device and import it into the browser on the administrator PC. Then the insecure certificate warning will not be displayed upon the next login. Do this over the directly connected management link shown in the diagram, before the management interface is reachable from any other network, so that every later login has a known certificate to validate against.
4. Enter the user name and password.
5. Log in to the Web Configuration Page.

Web UI functional areas: Buttons, Tabs, Navigation Tree, Operation Area, CLI Console.
Example 1: Accessing the Internet Using a Static IP Address

Networking Diagram: PCs on the intranet connect to the firewall's LAN interface GE0/0/2 (10.3.0.1/24, Trust zone). The firewall's WAN interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the carrier router at 1.1.1.254.

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The static IP address that the enterprise obtains from the carrier is 1.1.1.1, with a 24-bit subnet mask. The enterprise accesses the Internet through the firewall.

Item / Data / Description
DNS server: 1.2.2.2/24 (obtained from the carrier)
Gateway IP address: 1.1.1.254/24 (obtained from the carrier)
Example 1: Accessing the Internet Using a Static IP Address

Step 1: Configure Interfaces. Set the WAN interface parameters (GE0/0/1, 1.1.1.1/24, Untrust) and the LAN interface parameters (GE0/0/2, 10.3.0.1/24, Trust).

Step 2: Configure the DHCP Service. Configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.

Step 3: Configure Security Policy. Permit intranet IP addresses to access the Internet: source zone Trust, destination zone Untrust, source address 10.3.0.0/24, action permit. Traffic that matches no rule is denied by the default policy, so no rule is needed to block unsolicited connections from the Internet.

Step 4: Configure Source NAT. Add a source NAT policy for intranet users to access the Internet using the public IP address.

Step 5: Verify the Configurations.
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run ipconfig /all on the PC; the PC has obtained the correct IP address and DNS server address.
3. The PC on the LAN can use domain names to access the Internet.
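The policy logic of Steps 3 and 4, as an added Python model (example code, not the guide's or the device's): a packet is placed in a source zone by its ingress interface and in a destination zone by the route lookup, matched against the security policy top down with an implicit deny, and then source-translated to the WAN address when it leaves on the WAN port. Interface names, addresses and the single rule are taken from the example; the routing table, rule name and the sample packets are constructed for the model.

```python
"""Added model of the Example 1 egress policy (not the device's own code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Interface -> security zone, from the Example 1 diagram.
IFACE_ZONE = {"GE0/0/2": "trust", "GE0/0/1": "untrust"}
# Routing table as (prefix, egress interface): the connected LAN plus the
# default route toward the carrier router (assumed shape of the table).
ROUTES = [(ip_network("10.3.0.0/24"), "GE0/0/2"), (ip_network("0.0.0.0/0"), "GE0/0/1")]
WAN_IP = "1.1.1.1"   # GE0/0/1 address, used as the post-NAT source


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str    # "any" or a CIDR
    action: str     # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    iface: str      # interface on which the packet is seen
    src: str
    dst: str
    dport: int


# The single rule Step 3 creates (name assumed). Scoping the source to the LAN
# subnet rather than "any" is what makes the rule "permit the intranet" instead
# of "permit anything that arrives on the LAN port".
POLICY = [Rule("trust_to_untrust", "trust", "untrust", "10.3.0.0/24", "permit")]


def egress_iface(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    addr = ip_address(dst)
    return max((net.prefixlen, iface) for net, iface in ROUTES if addr in net)[1]


def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (rule name, action). Rules are checked top down and the first
    match wins; no match is an implicit deny, the device's default for traffic
    that matches no security policy rule."""
    src_zone = IFACE_ZONE[pkt.iface]
    dst_zone = IFACE_ZONE[egress_iface(pkt.dst)]
    for rule in policy:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.src_net == "any" or ip_address(pkt.src) in ip_network(rule.src_net):
            return rule.name, rule.action
    return "default", "deny"


def forward(pkt: Packet) -> Optional[Packet]:
    """Return the packet as it leaves the firewall, or None if it is dropped.
    Step 4's source NAT applies to permitted traffic leaving on the WAN port."""
    if evaluate(pkt)[1] != "permit":
        return None
    out = egress_iface(pkt.dst)
    src = WAN_IP if out == "GE0/0/1" else pkt.src
    return Packet(out, src, pkt.dst, pkt.dport)


if __name__ == "__main__":
    # Constructed sample traffic: a LAN PC browsing, an unsolicited SMB probe
    # from the Internet, and a host outside 10.3.0.0/24 plugged into the LAN port.
    for p in (Packet("GE0/0/2", "10.3.0.23", "198.51.100.7", 443),
              Packet("GE0/0/1", "203.0.113.9", "10.3.0.23", 445),
              Packet("GE0/0/2", "10.9.9.9", "198.51.100.7", 443)):
        print(p, "->", evaluate(p), forward(p))
```

The third sample packet is the one worth keeping in mind: a host with an address outside 10.3.0.0/24 on the LAN port is in the Trust zone but matches no rule, so it is denied; with a source of "any" it would have been translated and let out.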
Example 2: Accessing the Internet Using PPPoE

Networking Diagram: PCs on the intranet (10.3.0.0/24, Trust zone) connect to the firewall's LAN interface GE0/0/2 (10.3.0.1/24). The firewall's WAN interface GE0/0/1 (Untrust zone) is the PPPoE client and dials up to the carrier's PPPoE server.

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The firewall, acting as a client, obtains an IP address by dialing up to the carrier's server through PPPoE for Internet access.

Item / Data / Description
GigabitEthernet 0/0/1: security zone Untrust; dial-up user name user; dial-up password Password@. Obtains an IP address and a DNS address from the PPPoE server (deployed by the carrier) through dial-up.
GigabitEthernet 0/0/2: IP address 10.3.0.1/24; security zone Trust. Uses DHCP to dynamically assign IP addresses to PCs on the LAN.
DNS server: 1.2.2.2/24 (obtained from the carrier)
Example 2: Accessing the Internet Using PPPoE

Step 1: Configure Interfaces. Set the WAN interface parameters (GE0/0/1, PPPoE dial-up with the user name and password above, Untrust) and the LAN interface parameters (GE0/0/2, 10.3.0.1/24, Trust).

Step 2: Configure the DHCP Service. Configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.

Step 3: Configure Security Policy. Permit intranet IP addresses (source 10.3.0.0/24, Trust to Untrust) to access the Internet.

Step 4: Configure Source NAT. Add a source NAT policy for intranet users to access the Internet using the public IP address obtained through PPPoE.

Step 5: Configure Default Route. Configure a default route through the PPPoE connection so that intranet users are routable to the Internet.

Step 6: Verify the Configurations.
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run ipconfig /all on the PC; the PC has obtained the correct IP address and DNS server address.
3. The PC on the LAN can use domain names to access the Internet.
Example 3: Accessing the Internet Through Multiple ISP Networks

Networking Diagram: PCs on the student network connect to the firewall's interface GE1/0/3 (10.3.0.1/24) and PCs on the teacher network to GE1/0/4 (10.3.1.1/24), both in the Trust zone. The firewall reaches the education network through GE1/0/2 (next hop 2.2.2.254) and the ISP network through GE1/0/1 (next hop 1.1.1.254); the two uplinks are in the Untrust zone and in the Untrust1 zone created in Step 1.

A college deploys a firewall as a security gateway on the campus network. PCs on the student network can access the Internet only through the education network, and PCs on the teacher network can access the Internet only through the ISP network.

PBR rules
Item / pbr_1 / pbr_2
Type: Inbound Interface / Inbound Interface
Inbound Interface: GE1/0/3 / GE1/0/4
Source Address: 10.3.0.0/24 / 10.3.1.0/24
Action: PBR / PBR
Egress Type: Single / Single
Outbound Interface: GE1/0/2 / GE1/0/1
Next Hop: 2.2.2.254 / 1.1.1.254
Example 3: Accessing the Internet Through Multiple ISP Networks

Step 1: Configure security zones. Create security zone untrust1.

Step 2: Configure the interfaces. Set the parameters of the two WAN interfaces (GE1/0/2 toward the education network and GE1/0/1 toward the ISP network), then the parameters of the two LAN interfaces (GE1/0/3, 10.3.0.1/24, and GE1/0/4, 10.3.1.1/24).

Step 3: Configure security policies. Allow PCs on the student network to access the Internet. Allow PCs on the teacher network to access the Internet.

Step 4: Configure source NAT address pools. Create NAT address pool addres_1 and NAT address pool addres_2, one with public addresses from each uplink.

Step 5: Configure source NAT policies. Perform address translation when PCs on the student network access the Internet. Perform address translation when PCs on the teacher network access the Internet. The pool used by each policy must hold addresses routed by the network that the matching PBR rule in Step 6 selects; a pool paired with the wrong uplink produces packets whose source the other network will not route back.

Step 6: Configure PBR routes. PCs on the student network access the Internet through GigabitEthernet 1/0/2 over the education network (pbr_1). PCs on the teacher network access the Internet through GigabitEthernet 1/0/1 over the ISP network (pbr_2).

Step 7: Verify the configurations. PCs on the student network access the Internet through GigabitEthernet 1/0/2 over the education network. PCs on the teacher network access the Internet through GigabitEthernet 1/0/1 over the ISP network. The session table shows this when the PC 10.3.0.2 of a student and the PC 10.3.1.2 of a teacher each access extranet host 10.30.1.1.
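The PBR selection of Step 6 as an added Python model (example code, not the device's): a rule is matched by inbound interface and source address, the first match fixes the egress interface and next hop, and a flow that matches no rule falls back to the routing table. The two rules, interfaces and next hops are from the table above. The default route via the ISP network and the leading rule that exempts campus-internal traffic from PBR (a no-PBR action with a destination constraint, since the page's two rules match on source only) are this example's assumptions, and the flows are constructed.

```python
"""Added model of the Example 3 policy-based routing (not the device's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class PbrRule:
    name: str
    in_iface: Optional[str]   # None matches any inbound interface
    src_net: Optional[str]    # None matches any source
    dst_net: Optional[str]    # None matches any destination
    action: str               # "pbr" or "no-pbr"
    egress: Optional[str] = None
    next_hop: Optional[str] = None


PBR = [
    # Assumed first rule: campus-internal traffic (both LANs sit in 10.3.0.0/23)
    # must not be pushed out to an uplink just because its source matches below.
    PbrRule("no_pbr_intranet", None, None, "10.3.0.0/23", "no-pbr"),
    # The page's two rules, matched by inbound interface and source address.
    PbrRule("pbr_1", "GE1/0/3", "10.3.0.0/24", None, "pbr", "GE1/0/2", "2.2.2.254"),
    PbrRule("pbr_2", "GE1/0/4", "10.3.1.0/24", None, "pbr", "GE1/0/1", "1.1.1.254"),
]

# Routing table as (prefix, egress interface, next hop). The connected LANs are
# from the diagram; the default route via the ISP network is assumed.
ROUTES = [
    (ip_network("10.3.0.0/24"), "GE1/0/3", None),
    (ip_network("10.3.1.0/24"), "GE1/0/4", None),
    (ip_network("0.0.0.0/0"), "GE1/0/1", "1.1.1.254"),
]


def in_net(ip: str, spec: Optional[str]) -> bool:
    return spec is None or ip_address(ip) in ip_network(spec)


def route_lookup(dst: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match; returns (egress interface, next hop)."""
    addr = ip_address(dst)
    best = max(((net.prefixlen, iface, nh) for net, iface, nh in ROUTES if addr in net),
               key=lambda t: t[0])
    return best[1], best[2]


def select_path(in_iface: str, src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Return (matched rule or 'routing-table', egress interface, next hop).
    PBR is consulted before the routing table, as on the device."""
    for rule in PBR:
        if rule.in_iface not in (None, in_iface):
            continue
        if not (in_net(src, rule.src_net) and in_net(dst, rule.dst_net)):
            continue
        if rule.action == "no-pbr":
            break                      # explicitly exempted: use the routing table
        return rule.name, rule.egress, rule.next_hop
    iface, nh = route_lookup(dst)
    return "routing-table", iface, nh


if __name__ == "__main__":
    # Constructed flows: the two Step 7 verification cases, a student PC
    # reaching a teacher PC, and a student PC mis-plugged into the teacher port.
    for case in (("GE1/0/3", "10.3.0.2", "10.30.1.1"),
                 ("GE1/0/4", "10.3.1.2", "10.30.1.1"),
                 ("GE1/0/3", "10.3.0.2", "10.3.1.2"),
                 ("GE1/0/4", "10.3.0.2", "10.30.1.1")):
        print(case, "->", select_path(*case))
```

The last case is the check a practitioner wants: a student address arriving on the teacher port matches neither rule, so under the assumed default route it leaves through the ISP network, which the policy intended to forbid. Verifying the session table as Step 7 does is what reveals such cabling or addressing mismatches.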
Example 4: NAPT for Intranet Users to Access the Internet

Networking Diagram: PC_A and PC_B on intranet segment 10.1.1.0/24 connect to the aggregation switch (VLAN 100, 10.1.2.1/24). The firewall sits between the aggregation switch and the egress gateway, with GE1/0/1 (trust) facing the switch and GE1/0/3 (untrust) facing the gateway, both in VLAN 100. The egress gateway (10.1.2.2/24 toward the firewall, 1.1.1.1/24 toward the ISP) connects to the ISP. The source NAT policy is applied on the firewall.

The firewall is deployed at the border of the network in transparent mode: its uplink and downlink service interfaces work in Layer 2 mode. A source NAT policy is configured on the firewall to allow users in network segment 10.1.1.0/24 to access the Internet.

Item / Data / Description
Intranet segment that is allowed to access the Internet: 10.1.1.0/24
Public addresses mapped to private addresses: 1.1.1.10 to 1.1.1.15. As private addresses far outnumber public addresses, one-to-one mapping cannot be implemented. To translate all private addresses into public addresses, enable port translation (NAPT).
Black-hole routes on the aggregation switch: destination addresses 1.1.1.10 to 1.1.1.15, next hop NULL 0. These prevent routing loops between the aggregation switch and the egress gateway when Internet users send packets to the post-NAT public addresses: the egress gateway routes such packets to the switch, and a packet for which the firewall holds no session would otherwise be sent back toward the gateway instead of being discarded.
Static routes on the egress gateway: destination addresses 1.1.1.10 to 1.1.1.15, next hop 10.1.2.1. Configure a static route with a 32-bit destination address for each public address.
Static routes on the ISP router: destination addresses 1.1.1.10 to 1.1.1.15, next hop address 1.1.1.1. The post-NAT public addresses are not bound to any interface, so routing protocols cannot discover routes to them; you must configure static routes to the public addresses on the ISP router.
Example 4: NAPT for Intranet Users to Access the Internet

Step 1: Configure the interfaces on FW. Set the LAN interface parameters (GE1/0/1, Layer 2, VLAN 100, trust) and the WAN interface parameters (GE1/0/3, Layer 2, VLAN 100, untrust).

Step 2: Configure security policies on FW. Allow intranet users (10.1.1.0/24, trust to untrust) to access the Internet.

Step 3: Configure a NAT address pool on FW. Configure a NAT address pool with the public addresses 1.1.1.10 to 1.1.1.15 for intranet users, with port translation enabled.

Step 4: Configure NAT policies on FW. Configure a NAT policy for access from the intranet to the Internet that uses the address pool.

Step 5: Verify the configurations.
1. Intranet hosts can access the Internet.
2. The source NAT policy table shows that the source NAT policy has been matched (its hit count increases).
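NAPT over the Example 4 pool 1.1.1.10 to 1.1.1.15, as an added Python model (example code, not the device's): each new outbound flow is assigned a public address and port and recorded in a session table, a return packet is translated back only if it matches a session, and a packet for a pool address with no session is dropped, which is why the pool addresses need the black-hole and static routes above rather than any inbound policy. The port range, the round-robin over the pool and the one-shot port allocator are this example's choices; the traffic is constructed.

```python
"""Added model of NAPT over the Example 4 address pool (not the device's code)."""
import itertools
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Tuple

POOL: List[str] = [str(ip_address("1.1.1.10") + i) for i in range(6)]  # 1.1.1.10 .. 1.1.1.15
Key = Tuple[str, int, str, int]   # (address, port, remote address, remote port)


class Napt:
    """Source NAT with port translation: many private (address, port) pairs
    share the few public addresses of the pool, told apart by the public port."""

    def __init__(self, pool: Iterable[str] = POOL, ports: range = range(1024, 65536)):
        self.pool = list(pool)
        self.free_ports = {ip: iter(ports) for ip in self.pool}   # per-address allocator
        self.rotate = itertools.cycle(self.pool)                  # spread flows across the pool
        self.out: Dict[Key, Tuple[str, int]] = {}   # private 4-tuple -> (public addr, public port)
        self.back: Dict[Key, Tuple[str, int]] = {}  # public 4-tuple  -> (private addr, private port)

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Tuple[str, int]:
        """Translate a packet leaving toward the Internet; reuses an existing session."""
        key = (src, sport, dst, dport)
        if key in self.out:
            return self.out[key]
        for _ in self.pool:                       # try each pool address once
            pub = next(self.rotate)
            for pport in self.free_ports[pub]:    # ports are handed out once; no timeout/reuse here
                self.out[key] = (pub, pport)
                self.back[(pub, pport, dst, dport)] = (src, sport)
                return pub, pport
        raise RuntimeError("NAPT pool exhausted")

    def inbound(self, pub: str, pport: int, remote: str, rport: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving from the Internet. None means no session:
        the packet is dropped, whether it is a reply to the wrong port or an
        unsolicited connection to a pool address."""
        return self.back.get((pub, pport, remote, rport))


if __name__ == "__main__":
    nat = Napt()
    pub, pport = nat.outbound("10.1.1.5", 51000, "203.0.113.7", 80)   # constructed flow
    print("outbound ->", pub, pport)
    print("reply    ->", nat.inbound(pub, pport, "203.0.113.7", 80))
    print("probe    ->", nat.inbound("1.1.1.12", 22, "203.0.113.9", 40000))
```

The model also shows the failure mode of a small pool: with six addresses and no session ageing, the allocator eventually raises on exhaustion, which on a real device shows up as new connections failing while old ones keep working, so session timeouts and pool size need to be checked together.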
Example 5: NAT Server for Internet Users to Access Intranet Servers

Networking Diagram: The FTP server 10.2.0.8/24 is on intranet segment 10.2.0.0/24 in the trust zone. The firewall connects to ISP1 through zone untrust1 (the diagram labels this uplink GE1/0/2, 10.1.2.1/24) and to ISP2 through zone untrust2.

A firewall is deployed at the network border as a security gateway. It accesses the Internet through two ISP networks.
In this example, NAT Server is configured on the firewall to provide different service addresses of the intranet server for users on the two ISP networks.

Item / Data / Description
NAT Server1: public IP address 1.1.1.10, private IP address 10.2.0.8, public port 21, private port 21, zone untrust1. When Internet users send traffic to 1.1.1.10, the FW forwards it to the FTP server based on this mapping entry.
NAT Server2: public IP address 2.2.2.10, private IP address 10.2.0.8, public port 21, private port 21, zone untrust2. When Internet users send traffic to 2.2.2.10, the FW forwards it to the FTP server based on this mapping entry.
Static route on the ISP1 router: destination address 1.1.1.10, next hop address 1.1.1.1
Static route on the ISP2 router: destination address 2.2.2.10, next hop address 2.2.2.2
Example 5: NAT Server for Internet Users to Access Intranet Servers

Step 1: Create security zones on FW. Create security zones untrust1 and untrust2.

Step 2: Configure the interfaces on FW. Set the parameters for the interface connecting to the ISP1 network (zone untrust1) and for the interface connecting to the ISP2 network (zone untrust2). Set the LAN interface parameters (zone trust).

Step 3: Configure security policies on FW. Allow Internet users (untrust1 and untrust2 to trust) to access the intranet server. Match the rule on the server's private address 10.2.0.8 and port 21: the security policy is evaluated after NAT Server has translated the destination, so a rule written against the public addresses does not match.

Step 4: Configure NAT Server on FW. Configure server mappings policy_ftp1 (1.1.1.10 port 21 to 10.2.0.8 port 21, zone untrust1) and policy_ftp2 (2.2.2.10 port 21 to 10.2.0.8 port 21, zone untrust2).

Step 5: Enable NAT ALG for FTP. FTP carries addresses and ports inside its control channel (PORT and PASV), so the ALG must rewrite them and open the matching data connection; without it only the control connection is reachable.

Step 6: Verify the configurations.
1. Internet users can access the intranet server through the different ISP networks.
2. Click Diagnose to view the server mapping status. If the current state is Connected, the intranet server is reachable.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server

Networking Diagram: The PC 10.3.0.31/24 and the FTP server 10.3.0.30/24 are both on intranet 10.3.0.0/24 behind the firewall's LAN interface GE0/0/2 (10.3.0.1/24, Trust). The firewall's WAN interface GE0/0/1 (1.1.1.1/24, Untrust) connects to the ISP router at 1.1.1.254/24.

Both intranet users and the FTP server for Internet users reside on subnet 10.3.0.0/24 in the Trust zone.
The enterprise uses a fixed IP address provided by the ISP to access the Internet.
Both intranet and Internet users use the public IP address 1.1.1.2 and port 2121 to access the FTP server, and intranet users use public IP address 1.1.1.1 to access the Internet.

Item / Data / Description
GigabitEthernet 0/0/2: security zone Trust; IP address 10.3.0.1/24. The FTP server uses 10.3.0.1 as its default gateway address.
GigabitEthernet 0/0/1: security zone Untrust; IP address 1.1.1.1/24. 1.1.1.1/24 is a public address provided by the ISP.
FTP server: public IP address 1.1.1.2; public port 2121
DNS server: 1.2.2.2/24 (obtained from the ISP)
Gateway IP address: 1.1.1.254/24 (obtained from the ISP)
Example 6: Both Intranet and Internet Users Accessing an Intranet Server

Step 1: Configure Interfaces. Set the WAN interface parameters (GE0/0/1, 1.1.1.1/24, Untrust) and the LAN interface parameters (GE0/0/2, 10.3.0.1/24, Trust).

Step 2: Configure Security Policy. Permit intranet users to access the Internet (Trust to Untrust). Permit Internet users to access the intranet FTP server (Untrust to Trust, destination 10.3.0.30 port 21, the private address, because the server mapping is applied before the policy is matched).

Step 3: Create NAT Address Pool. Configure the public IP address 1.1.1.1 in a NAT address pool.

Step 4: Configure Source NAT. Add a source NAT policy for intranet users to access the Internet using the public IP address (Trust to Untrust, with the address pool). Add a second source NAT policy for intranet users that access the public IP address of the FTP server (Trust to Trust, destination 1.1.1.2; for example with Easy IP, so that the source becomes the LAN interface address 10.3.0.1). Without the second policy the server sees the client's real address on its own subnet and replies to it directly, bypassing the firewall, so the client receives a reply from 10.3.0.30 port 21 instead of from 1.1.1.2 port 2121 and discards it.

Step 5: Configure Server Mapping. Map the private IP address of the FTP server (10.3.0.30, port 21) to public IP address 1.1.1.2, port 2121.

Step 6: Configure NAT ALG. By default, the NAT ALG is enabled for FTP.

Step 7: Verify the Configurations.
1. The PC on the LAN can access the Internet.
2. Internet users can access public IP address 1.1.1.2 and port 2121 of the FTP server.
3. Intranet users can access public IP address 1.1.1.2 and port 2121 of the FTP server.
4. Choose Policy > NAT Policy > Source NAT on the firewall to view the number of packets that match each configured source NAT policy.
5. Choose Monitor > Session Table on the firewall to view NAT information. Check for the entries in which the destination address is 1.1.1.2. To view the port translation information, click the icon of the corresponding entry.
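The reason for the second source NAT policy, as an added Python model (example code, not the guide's or the device's) using the Example 6 addresses: the firewall applies the server mapping to the destination and the Step 4 policies to the source, records the session, and reverses both translations on the reply; the model then follows where the server's reply actually goes. The hairpin_snat switch, the client's acceptance test and the assumption that the second policy translates to the LAN interface address 10.3.0.1 are this example's constructs, and source ports are kept unchanged for clarity.

```python
"""Added model of Example 6 hairpin NAT (not the device's code). Packets are
(src, sport, dst, dport) tuples."""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Pkt = Tuple[str, int, str, int]

LAN = ip_network("10.3.0.0/24")
FW_LAN_IP, FW_WAN_IP = "10.3.0.1", "1.1.1.1"
SERVER_MAP = {("1.1.1.2", 2121): ("10.3.0.30", 21)}   # Step 5 server mapping


class Firewall:
    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat    # whether the second Step 4 policy exists
        self.sessions: Dict[Pkt, Pkt] = {}  # expected reply 4-tuple -> original request

    def forward(self, pkt: Pkt) -> Pkt:
        """Server mapping (destination NAT) first, then source NAT per Step 4."""
        src, sport, dst, dport = pkt
        dst, dport = SERVER_MAP.get((dst, dport), (dst, dport))
        src_lan, dst_lan = ip_address(src) in LAN, ip_address(dst) in LAN
        if src_lan and not dst_lan:
            src = FW_WAN_IP              # policy 1: intranet -> Internet
        elif src_lan and dst_lan and self.hairpin_snat:
            src = FW_LAN_IP              # policy 2: intranet -> public address of the intranet server
        self.sessions[(dst, dport, src, sport)] = pkt
        return (src, sport, dst, dport)

    def reverse(self, reply: Pkt) -> Optional[Pkt]:
        """Undo both translations for a reply that reaches the firewall."""
        orig = self.sessions.get(reply)
        if orig is None:
            return None
        src, sport, dst, dport = orig
        return (dst, dport, src, sport)


def lan_delivery(reply: Pkt, fw: Firewall) -> Optional[Pkt]:
    """The server sends to a same-subnet destination directly (ARP, never
    touching the firewall) and to anything else via its default gateway 10.3.0.1."""
    rdst = reply[2]
    if ip_address(rdst) in LAN and rdst != FW_LAN_IP:
        return reply
    return fw.reverse(reply)


def client_session(client: str, cport: int, fw: Firewall) -> str:
    """A client connects to 1.1.1.2:2121 and accepts the reply only if it comes
    from the address and port it sent to."""
    request: Pkt = (client, cport, "1.1.1.2", 2121)
    s, sp, d, dp = fw.forward(request)
    reply: Pkt = (d, dp, s, sp)           # the server swaps what it received
    delivered = lan_delivery(reply, fw)
    return "accepted" if delivered == ("1.1.1.2", 2121, client, cport) else "dropped"


if __name__ == "__main__":
    # Constructed clients: one on the Internet, one on the LAN (twice).
    print("Internet client:", client_session("203.0.113.5", 40000, Firewall(hairpin_snat=False)))
    print("LAN client, one policy:", client_session("10.3.0.31", 40001, Firewall(hairpin_snat=False)))
    print("LAN client, both policies:", client_session("10.3.0.31", 40001, Firewall(hairpin_snat=True)))
```

With the second policy the server only ever sees 10.3.0.1 as the client, so every reply returns through the firewall and is rewritten back to 1.1.1.2 port 2121. The price is that the server's own logs no longer show which intranet host connected; the firewall session table (Step 7, item 5) is where that information lives.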
Example 7: Site-to-Site IPSec Tunnel

Networking Diagram: Network A (10.1.1.0/24, Trust) sits behind Firewall_A, whose interfaces are GE1/0/3 (10.1.1.1/24, Trust) and GE1/0/1 (1.1.3.1/24, Untrust). Network B (10.1.2.0/24, Trust) sits behind Firewall_B, whose interfaces are GE1/0/1 (1.1.5.1/24, Untrust) and GE1/0/3 (10.1.2.1/24, Trust). The IPSec tunnel runs between the two Untrust interfaces over the Internet.

Firewall_A and Firewall_B are the egress gateways of Network A and Network B respectively, and use fixed IP addresses to access the Internet.
Firewall_A and Firewall_B are reachable from each other.
Firewall_A and Firewall_B establish a site-to-site IPSec tunnel in IKE negotiation mode so that devices on both Network A and Network B can proactively initiate connections to the peer network.

Item / Firewall_A / Firewall_B
Scenario: Site-to-Site / Site-to-Site
Peer IP Address: 1.1.5.1 / 1.1.3.1
Authentication Type: Pre-Shared Key / Pre-Shared Key
Pre-Shared Key: Admin@123 / Admin@123
Local ID: IP Address / IP Address
Peer ID: IP Address / IP Address

Admin@123 is the example's placeholder. In a deployment use a long random pre-shared key, identical on both ends and not reused for any other peer.
Example 7: Site-to-Site IPSec Tunnel

Step 1: Configure the interfaces on Firewall_A. Set the WAN interface parameters (GE1/0/1, 1.1.3.1/24, Untrust) and the LAN interface parameters (GE1/0/3, 10.1.1.1/24, Trust).

Step 2: Configure security policies on Firewall_A. Four rules are needed, two for the protected traffic and two for the IKE and ESP packets the firewall itself exchanges with its peer:
1. Permit private IP addresses on Network A to connect to the private IP addresses on Network B (Trust to Untrust).
2. Permit private IP addresses on Network B to connect to the private IP addresses on Network A (Untrust to Trust).
3. Permit Firewall_A to connect to the public IP address of Firewall_B (Local to Untrust).
4. Permit Firewall_B to use its public IP address to connect to Firewall_A (Untrust to Local).

Step 3: Configure routes on Firewall_A. Configure a route to the private IP addresses on Network B. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.

Step 4: Configure IPSec on Firewall_A.
1. Select the scenario (Site-to-Site) and complete the basic settings: peer IP address 1.1.5.1, authentication type Pre-Shared Key, local ID and peer ID of type IP address.
2. The pre-shared key is Admin@123.
3. Configure an IKE/IPSec proposal. In the example, all IPSec proposal parameters use the default values. If you have specific requirements on these parameters, change them, but ensure that they are consistent with those on Firewall_B.
4. Add the data flow to be encrypted (source 10.1.1.0/24, destination 10.1.2.0/24).

Step 5: Configure the interfaces on Firewall_B. Set the WAN interface parameters (GE1/0/1, 1.1.5.1/24, Untrust) and the LAN interface parameters (GE1/0/3, 10.1.2.1/24, Trust).

Step 6: Configure security policies on Firewall_B.
1. Permit private IP addresses on Network B to connect to the private IP addresses on Network A (Trust to Untrust).
2. Permit private IP addresses on Network A to connect to the private IP addresses on Network B (Untrust to Trust).
3. Permit Firewall_B to connect to the public IP address of Firewall_A (Local to Untrust).
4. Permit Firewall_A to use its public IP address to connect to Firewall_B (Untrust to Local).

Step 7: Configure routes on Firewall_B. Configure a route to the private IP addresses on Network A. In the example, the next-hop IP address from Firewall_B to the Internet is 1.1.5.2.

Step 8: Configure IPSec on Firewall_B.
1. Select the scenario (Site-to-Site) and complete the basic settings: peer IP address 1.1.3.1, authentication type Pre-Shared Key, local ID and peer ID of type IP address.
2. The pre-shared key is Admin@123.
3. Configure an IKE/IPSec proposal. In the example, all IPSec proposal parameters use the default values. If you change them, ensure that they are consistent with those on Firewall_A.
4. Add the data flow to be encrypted (source 10.1.2.0/24, destination 10.1.1.0/24), the mirror image of the flow defined on Firewall_A.

Step 9: Verify the configurations.
After the configuration is complete, view the IPSec policy list and the IPSec tunnel monitoring information on Firewall_A and on Firewall_B. The established IPSec tunnel is displayed on both.
Use a host on Network A to access a host or server on Network B. The access succeeds. Use a host on Network B to access a host or server on Network A. The access also succeeds.
If no IPSec tunnel is established after the configuration is complete, click Diagnose to check for the cause and solution.

Example 8: Site-to-Multisite IPSec Tunnel (Policy Template)

Networking Diagram: Headquarters: Firewall_A (FW_A) with GE1/0/3 10.1.1.1/24 (Trust) and GE1/0/1 1.1.3.1/24 (Untrust); PC1 10.1.1.2/24. Branch 1: Firewall_B (FW_B) with GE1/0/3 10.1.2.1/24 (Trust) and GE1/0/1 (Untrust, dynamic address); PC2 10.1.2.2/24. Branch 2: Firewall_C (FW_C) with GE1/0/3 10.1.3.1/24 (Trust) and GE1/0/1 (Untrust, dynamic address); PC3 10.1.3.2/24. IPSec Tunnel 1 runs between Firewall_A and Firewall_B, IPSec Tunnel 2 between Firewall_A and Firewall_C.

Firewall_A is the egress gateway of the headquarters. Firewall_B and Firewall_C are the egress gateways of branches 1 and 2, respectively. Firewall_A uses a fixed IP address to access the Internet. Firewall_B and Firewall_C use dynamically obtained IP addresses to access the Internet.

IPSec tunnels are established between Firewall_A and Firewall_B and between Firewall_A and Firewall_C, so that PCs in branches 1 and 2 can initiate connections to the headquarters. The headquarters is not allowed to initiate connections to the branches: with a policy template it has no peer address to negotiate with until a branch connects.

Item / Firewall_A (Headquarters) / Firewall_B (Branch 1) / Firewall_C (Branch 2)
Scenario: Site-to-Multisite / Site-to-Site / Site-to-Site
Peer IP Address: - / 1.1.3.1 / 1.1.3.1
Authentication Type: Pre-Shared Key / Pre-Shared Key / Pre-Shared Key
Pre-Shared Key: Admin@123 / Admin@123 / Admin@123
Local ID: IP Address / IP Address / IP Address
Peer ID: any / IP Address / IP Address

All branches share one pre-shared key and the headquarters accepts any peer ID, so the key is a secret common to every branch: use a strong value and replace it on all devices if any branch device is lost.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template)

Step 1: Configure the interfaces on Firewall_A. Set the WAN interface parameters (GE1/0/1, 1.1.3.1/24, Untrust) and the LAN interface parameters (GE1/0/3, 10.1.1.1/24, Trust).

Step 2: Configure security policies on Firewall_A.
1. Allow the private IP addresses of the headquarters to access the private IP addresses of branches 1 and 2.
2. Allow the private IP addresses of branches 1 and 2 to access the private IP addresses of the headquarters.
3. Allow the public IP addresses of branches 1 and 2 to access Firewall_A. Because the branch addresses are dynamic, this rule cannot name them; limit it to the IKE and ESP traffic instead of permitting everything to the Local zone.
4. Allow Firewall_A to access the public IP addresses of branches 1 and 2.

Step 3: Configure routes on Firewall_A. Configure a route to the private IP addresses of branch 1 and a route to the private IP addresses of branch 2. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.

Step 4: Configure IPSec on Firewall_A.
1. Configure an IPSec policy with the Site-to-Multisite scenario (policy template): peer ID any, pre-shared key Admin@123.
2. Add the data flow (from the headquarters to branch 1) to be encrypted.
3. Add the data flow (from the headquarters to branch 2) to be encrypted.
If the static routes to the branches are not configured as in Step 3, select Reverse Route Injection in the Data Flow to Be Encrypted area, so that the private routes from the headquarters to the branches are generated automatically.
This example uses the default values of the proposal parameters. You can change the values as required.

Step 5: Configure the interfaces on Firewall_B. Configure the interface connecting to the Internet; in this example, the connection type is DHCP. Set the LAN interface parameters (GE1/0/3, 10.1.2.1/24, Trust).

Step 6: Configure security policies on Firewall_B.
1. Allow the private IP addresses of branch 1 to access the private IP addresses of the headquarters.
2. Allow the private IP addresses of the headquarters to access the private IP addresses of branch 1.
3. Allow the public IP address of the headquarters to access Firewall_B.
4. Allow Firewall_B to access the public IP address of the headquarters.

Step 7: Configure routes on Firewall_B. Configure a route to the private addresses of the headquarters.

Step 8: Configure IPSec on Firewall_B.
1. Select the scenario (Site-to-Site) and complete the basic settings: peer IP address 1.1.3.1, pre-shared key Admin@123, local ID and peer ID of type IP address.
2. Configure an IKE/IPSec proposal. This example uses the default values of the proposal parameters. You can change the values as required, provided they match the headquarters.
3. Add the data flow (from branch 1 to the headquarters) to be encrypted.

Step 9: Configure the interfaces on Firewall_C. Configure the interface connecting to the Internet; in this example, the connection type is DHCP. Set the LAN interface parameters (GE1/0/3, 10.1.3.1/24, Trust).

Step 10: Configure security policies on Firewall_C.
1. Allow the private IP addresses of branch 2 to access the private IP addresses of the headquarters.
2. Allow the private IP addresses of the headquarters to access the private IP addresses of branch 2.
3. Allow the public IP address of the headquarters to access Firewall_C.
4. Allow Firewall_C to access the public IP address of the headquarters.

Step 11: Configure routes on Firewall_C. Configure a route to the private addresses of the headquarters.

Step 12: Configure IPSec on Firewall_C.
1. Select the scenario (Site-to-Site) and complete the basic settings: peer IP address 1.1.3.1, pre-shared key Admin@123, local ID and peer ID of type IP address.
2. Configure an IKE/IPSec proposal. This example uses the default values of the proposal parameters. You can change the values as required, provided they match the headquarters.
3. Add the data flow (from branch 2 to the headquarters) to be encrypted.

Step 13: Verify the configuration.
After the configuration is complete, query the IPSec policy list and the IPSec monitoring list on Firewall_A, Firewall_B and Firewall_C. The established IPSec tunnels are displayed. Use a PC in a branch to access a PC or server at the headquarters. The access succeeds.
If the IPSec tunnels are not established successfully, click Diagnose to query the cause and solution.
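A pre-deployment consistency check for the Example 7 and Example 8 peers, as an added Python example (not code from the guide or the device): the two ends of an IKE negotiation must agree on the proposal, the pre-shared key and each other's address and identity, the "data flow to be encrypted" on one side must be the mirror image of the other's, and a policy-template end has no peer address and so cannot initiate. The field names, the "default proposal" placeholder, the "dynamic" marker for a DHCP-assigned branch address and the key-strength policy are this example's own; the addresses, keys and flows are from the two examples.

```python
"""Added consistency check for the Example 7 and 8 IPSec peers (not the device's code)."""
from typing import Dict, List, Tuple

Flow = Tuple[str, str]   # (source network, destination network) to be encrypted


def mirror(flow: Flow) -> Flow:
    return flow[1], flow[0]


def check_pair(initiator: Dict, responder: Dict) -> List[str]:
    """Problems that would stop `initiator` from bringing up a tunnel to
    `responder`, or from carrying traffic once the tunnel is up."""
    problems: List[str] = []
    if initiator["peer_ip"] == "any":
        problems.append("initiator has no peer address: a policy-template end cannot initiate")
    elif responder["local_ip"] not in ("dynamic", initiator["peer_ip"]):
        problems.append("initiator's peer address is not the responder's address")
    if responder["peer_ip"] not in ("any", initiator["local_ip"]):
        problems.append("responder does not expect the initiator's address")
    if initiator["psk"] != responder["psk"]:
        problems.append("pre-shared key differs")
    if initiator["proposal"] != responder["proposal"]:
        problems.append("IKE/IPSec proposal differs")
    if responder["peer_id"] not in ("any", initiator["local_id"]):
        problems.append("responder does not accept the initiator's identity")
    if initiator["peer_id"] not in ("any", responder["local_id"]):
        problems.append("initiator does not accept the responder's identity")
    for flow in initiator["flows"]:
        if mirror(flow) not in responder["flows"]:
            problems.append(f"flow {flow} has no mirror on the responder")
    return problems


def psk_warnings(psk: str) -> List[str]:
    """Key-strength policy of this example, not the device's."""
    warnings = []
    if len(psk) < 20:
        warnings.append("pre-shared key shorter than 20 characters")
    if not (any(c.isdigit() for c in psk) and any(c.isalpha() for c in psk)
            and any(not c.isalnum() for c in psk)):
        warnings.append("pre-shared key lacks letters, digits or symbols")
    return warnings


DEFAULT = "default proposal"   # both ends keep the web UI defaults (placeholder)

# Example 7: two fixed-address peers, either may initiate.
FW_A = dict(local_ip="1.1.3.1", peer_ip="1.1.5.1", local_id="1.1.3.1", peer_id="1.1.5.1",
            psk="Admin@123", proposal=DEFAULT, flows=[("10.1.1.0/24", "10.1.2.0/24")])
FW_B = dict(local_ip="1.1.5.1", peer_ip="1.1.3.1", local_id="1.1.5.1", peer_id="1.1.3.1",
            psk="Admin@123", proposal=DEFAULT, flows=[("10.1.2.0/24", "10.1.1.0/24")])

# Example 8: headquarters with a policy template, branch 1 with a dynamic address.
HQ = dict(local_ip="1.1.3.1", peer_ip="any", local_id="1.1.3.1", peer_id="any",
          psk="Admin@123", proposal=DEFAULT,
          flows=[("10.1.1.0/24", "10.1.2.0/24"), ("10.1.1.0/24", "10.1.3.0/24")])
BRANCH1 = dict(local_ip="dynamic", peer_ip="1.1.3.1", local_id="dynamic", peer_id="1.1.3.1",
               psk="Admin@123", proposal=DEFAULT, flows=[("10.1.2.0/24", "10.1.1.0/24")])


if __name__ == "__main__":
    print("A -> B:", check_pair(FW_A, FW_B))
    print("B -> A:", check_pair(FW_B, FW_A))
    print("branch 1 -> HQ:", check_pair(BRANCH1, HQ))
    print("HQ -> branch 1:", check_pair(HQ, BRANCH1))
    print("key warnings:", psk_warnings("Admin@123"))
```

Running the check in the headquarters-to-branch direction reports exactly the two things the guide states in prose: the policy-template end cannot initiate, and the flow toward branch 2 has no mirror on branch 1, which is expected because that flow belongs to the other tunnel.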
Example 9.1: L2TP over IPSec Access from Clients (SecoClient)

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. First, L2TP encapsulates the Layer 2 data and authenticates the user; then IPSec encrypts the L2TP traffic.

Item / Data
LNS, L2TP settings: group name default; user name user0001; password Password@123; address pool: pool, 172.16.1.1 to 172.16.1.100; tunnel password authentication Hello@123
LNS, IPSec settings: pre-shared key Admin@123; local ID: IP address; peer ID: any peer ID
LAC, L2TP settings: user authentication name user0001; password Password@123; tunnel password authentication Hello@123
LAC, IPSec settings: pre-shared key Admin@123; peer address 1.1.1.1/24

Because the LNS accepts any peer ID, all remote users share the IPSec pre-shared key; per-user authentication happens only at the L2TP layer (user name and password).
Example 9.1: L2TP over IPSec Access from Clients (SecoClient)

Step 1: Configure interfaces. Set the WAN interface parameters (1.1.1.1/24, Untrust) and the LAN interface parameters (Trust).

Step 2: Configure security policies.
1. Permit LAC clients to communicate with the firewall (Untrust to Local).
2. Permit the firewall to communicate with LAC clients (Local to Untrust).
3. Permit LAC clients (addresses from the pool 172.16.1.1 to 172.16.1.100) to access the servers at the headquarters.
4. Permit servers at the headquarters to access the Internet.

Step 3: Configure routes. Configure a route to the Internet. In the example, the next-hop IP address from the firewall to the Internet is 1.1.1.2.

Step 4: Configure L2TP users. Select L2TP/L2TP over IPSec for Scenario and Local for User Location, then add an L2TP user. In the example, the user name is user0001 and the password is Password@123.

Step 5: Add an IP pool. Add an IP address pool named pool with the range 172.16.1.1 to 172.16.1.100.

Step 6: Configure L2TP over IPSec.
1. Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123.
2. Add the IP pool.
3. Add a data flow rule and set its parameters.
4. Configure the IKE/IPSec proposal.

Step 7: Configure L2TP group. Enable L2TP and create an L2TP group. In the example, the tunnel password is Hello@123.

Step 8: Configure SecoClient.
The SecoClient is VPN remote access client software provided by Huawei. It provides secure and convenient access services for mobile office users to remotely access resources in an enterprise network. Currently, you can search for and download the SecoClient on the Huawei enterprise support website http://support.huawei.com/enterprise.
1. Open the SecoClient.
2. Create a new connection.
3. Set the L2TP connection parameters.
4. Enable tunnel authentication; the authentication password is Hello@123.
5. Select Enable IPSec Protocol.
6. Complete the IPSec configuration.
7. Complete the IKE basic configuration: select Pre-shared Key; the pre-shared key is Admin@123.

Step 9: Verify the configurations.
1. Choose the created L2TP over IPSec connection and click Connect.
2. Enter the user name and password.
After the VPN connection succeeds, the prompt message "negotiation is successed" pops up at the lower right corner.
The L2TP tunnel information and the IPSec tunnel information are displayed on the firewall.
Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Networking diagram
Networking diagram: a PC running Windows XP (LAC client) in the Untrust zone connects over an L2TP over IPSec VPN tunnel to the firewall (LNS); firewall GE1/0/1 1.1.1.2/24 (Untrust), GE1/0/3 10.1.1.1/24 (Trust, headquarters).

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item: Data
LNS
  L2TP settings: Group name: default; User name: vpdnuser; Password: Password@123
  IPSec settings: Pre-shared key: Admin@123; Local ID: IP address; Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings: User authentication name: vpdnuser; Password: Password@123
  IPSec settings: Pre-shared key: Admin@123; Peer address: 1.1.1.2

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is vpdnuser, and the password is Password@123. Add an L2TP user.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step5 Configure L2TP over IPSec
Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule. Configure the IKE/IPSec proposal.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step6 Configure the LAC client (1)

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step6 Configure the LAC client (2)

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step6 Configure the LAC client (3)

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step7 Verify the configurations (1)
The user name is vpdnuser, and the password is Password@123. Enter the user name and password. Click Connect. A message is displayed, indicating that the VPN connection succeeds. In Network Connections, you can see the VPN connection status.

Example 9.2: L2TP over IPSec Access from Clients (Windows XP) Step7 Verify the configurations (2)
L2TP tunnel information displayed on the firewall.
IPSec tunnel information displayed on the firewall.
Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Networking diagram
Networking diagram: a PC running Windows 7 (LAC) in the Untrust zone connects over an L2TP over IPSec VPN tunnel to the firewall (LNS); firewall GE1/0/1 1.1.1.2/29 (Untrust), GE1/0/3 10.1.1.1/24 (Trust, headquarters).

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item: Data
LNS
  L2TP settings: Group name: default; User name: vpdnuser; Password: Password@123
  IPSec settings: Pre-shared key: Admin@123; Local ID: IP address; Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings: User authentication name: vpdnuser; Password: Password@123
  IPSec settings: Pre-shared key: Admin@123; Peer address: 1.1.1.2

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is vpdnuser, and the password is Password@123. Add an L2TP user.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step5 Configure L2TP over IPSec
Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule. Configure the IKE/IPSec proposal.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step6 Configure the LAC client (1)

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step6 Configure the LAC client (2)

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step6 Configure the LAC client (3)

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step7 Verify the configurations (1)
After the connection succeeds, you can see that the VPN connection state becomes Connected.

Example 9.3: L2TP over IPSec Access from Clients (Windows 7) Step7 Verify the configurations (2)
L2TP tunnel information displayed on the firewall.
IPSec tunnel information displayed on the firewall.
Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Networking diagram
Networking diagram: a PC running Windows 10 (LAC client) in the Untrust zone connects over an L2TP over IPSec VPN tunnel to the firewall (LNS); firewall GE1/0/1 1.1.1.2/24 (Untrust), GE1/0/3 10.1.1.1/24 (Trust, headquarters).

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item: Data
LNS
  L2TP settings: Group name: default; User name: vpdnuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Local ID: IP address; Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings: User authentication name: vpdnuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Peer address: 1.1.1.2

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is vpdnuser, and the password is Hello@123. Add an L2TP user.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step5 Configure L2TP over IPSec
Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule. Configure the IKE/IPSec proposal.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step6 Configure the LAC client (1)

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step6 Configure the LAC client (2)
In Network Connections, you can see the new connection.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step6 Configure the LAC client (3)
Right-click the connection and choose Properties from the shortcut menu.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step7 Verify the configurations (1)
The user name is vpdnuser, and the password is Hello@123. Enter the user name and password. Click Connect. The VPN connection succeeds.

Example 9.4: L2TP over IPSec Access from Clients (Windows 10) Step7 Verify the configurations (2)
L2TP tunnel information displayed on the firewall.
IPSec tunnel information displayed on the firewall.
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Networking diagram
Networking diagram: a PC running Mac OS X (LAC client) in the Untrust zone connects over an L2TP over IPSec VPN tunnel to the firewall (LNS); firewall GE1/0/1 1.1.1.2/24 (Untrust), GE1/0/3 10.1.1.1/24 (Trust, headquarters).

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item: Data
LNS
  L2TP settings: Group name: default; User name: macuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Local ID: IP address; Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  L2TP settings: User authentication name: macuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Peer address: 1.1.1.2

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is macuser, and the password is Hello@123. Add an L2TP user.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step5 Configure L2TP over IPSec
Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule. Configure the IKE/IPSec proposal.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step6 Configure the LAC client (1)

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step6 Configure the LAC client (2)
The user name is macuser. The password is Hello@123. The pre-shared key is Admin@123.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step7 Verify the configurations (1)
After the configuration is complete, click Connect. After the connection succeeds, the Status value is updated to Connected.

Example 9.5: L2TP over IPSec Access from Clients (Mac OS X) Step7 Verify the configurations (2)
L2TP tunnel information displayed on the firewall.
IPSec tunnel information displayed on the firewall.
Example 9.6: L2TP over IPSec Access from Clients (Android) Networking diagram
Networking diagram: an Android device (LAC, 3.3.3.3/24) in the Untrust zone connects over an L2TP over IPSec VPN tunnel to the firewall (LNS); firewall GE1/0/1 1.1.1.2/24 (Untrust), GE1/0/3 10.1.1.1/24 (Trust), with the headquarters server behind the Trust interface.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item: Data
LNS
  L2TP settings: Group name: default; User name: vpdnuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Local ID: IP address; Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  IP address: 3.3.3.3/24
  L2TP settings: User authentication name: vpdnuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Peer address: 1.1.1.2

Example 9.6: L2TP over IPSec Access from Clients (Android) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is vpdnuser, and the password is Hello@123. Add an L2TP user.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step5 Configure L2TP over IPSec
Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule. Configure the IKE/IPSec proposal.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step6 Configure the LAC client
Android 7.0 is used in this example.
Access the Settings page. Access the VPN page. Add a VPN. Enter the IP address of the WAN interface on the firewall and the pre-shared key (Admin@123 in this example). Confirm the information and save the configuration.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step7 Verify the configurations (1)
Select the VPN that was added. Enter the user name and password. In this example, the user name is vpdnuser, and the password is Hello@123. Confirm the information and click CONNECT. After the connection succeeds, Connected is displayed in the VPN list, and the VPN connection icon is displayed in the status bar at the top of the screen.

Example 9.6: L2TP over IPSec Access from Clients (Android) Step7 Verify the configurations (2)
IPSec tunnel information displayed on the firewall.
L2TP tunnel information displayed on the firewall.
Example 9.7: L2TP over IPSec Access from Clients (iOS) Networking diagram
Networking diagram: an iOS device (LAC, 3.3.3.3/24) in the Untrust zone connects over an L2TP over IPSec VPN tunnel to the firewall (LNS); firewall GE1/0/1 1.1.1.2/24 (Untrust), GE1/0/3 10.1.1.1/24 (Trust), with the headquarters server behind the Trust interface.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. Firstly, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item: Data
LNS
  L2TP settings: Group name: default; User name: vpdnuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Local ID: IP address; Peer ID: any peer ID
  Address pool: 10.1.2.2 to 10.1.2.100
LAC
  IP address: 3.3.3.3/24
  L2TP settings: User authentication name: vpdnuser; Password: Hello@123
  IPSec settings: Pre-shared key: Admin@123; Peer address: 1.1.1.2

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step2 Configure security policies
Permit servers at the headquarters to access the Internet.
Permit LAC clients to access the servers in the headquarters.
Permit LAC clients to communicate with the firewall.
Permit the firewall to communicate with LAC clients.
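The four policies that Step 2 configures on the LNS (the same set appears in Examples 9.1 to 9.7) can be sanity-checked with a small model of zone-based, first-match policy evaluation with an implicit default deny. This is an added example, not code from the guide or from the USG product; it assumes the standard L2TP over IPSec services between LAC and LNS (IKE UDP 500, NAT traversal UDP 4500, ESP, L2TP UDP 1701), which the guide does not list, and uses the Example 9.7 addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Optional

# Addresses from the Example 9.x networking diagrams and data tables.
FIREWALL_WAN = ip_network("1.1.1.2/32")      # GE1/0/1, Untrust zone
HQ_SERVERS = ip_network("10.1.1.0/24")       # behind GE1/0/3, Trust zone
LAC_CLIENT = "3.3.3.3"                       # LAC client on the Internet

# Assumption (not listed in the guide): L2TP over IPSec needs IKE (UDP 500),
# NAT traversal (UDP 4500), ESP, and L2TP (UDP 1701) between LAC and LNS.
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)}


def range_to_nets(first, last):
    """Express an IP pool such as 10.1.2.2 to 10.1.2.100 as a list of prefixes."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None      # None for protocols without ports (ESP)


@dataclass
class Rule:
    """One security policy; a None condition means 'any'."""
    name: str
    action: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    src_nets: Optional[list] = None
    dst_nets: Optional[list] = None
    services: Optional[set] = None

    def matches(self, f: Flow) -> bool:
        if self.src_zone is not None and f.src_zone != self.src_zone:
            return False
        if self.dst_zone is not None and f.dst_zone != self.dst_zone:
            return False
        if self.src_nets is not None and not any(ip_address(f.src) in n for n in self.src_nets):
            return False
        if self.dst_nets is not None and not any(ip_address(f.dst) in n for n in self.dst_nets):
            return False
        if self.services is not None and (f.proto, f.dport) not in self.services:
            return False
        return True


def evaluate(rules, flow):
    """First matching policy wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default"


# The four policies from Step 2 of Examples 9.1 to 9.7, written as narrowly as
# the scenario allows (the guide's screenshots do not show the exact objects).
LNS_POLICY = [
    Rule("lac-to-firewall", "permit", "untrust", "local",
         None, [FIREWALL_WAN], VPN_SERVICES),
    Rule("firewall-to-lac", "permit", "local", "untrust",
         [FIREWALL_WAN], None, VPN_SERVICES),
    Rule("lac-to-servers", "permit", "untrust", "trust",
         range_to_nets("10.1.2.2", "10.1.2.100"), [HQ_SERVERS], None),
    Rule("servers-to-internet", "permit", "trust", "untrust",
         [HQ_SERVERS], None, None),
]

if __name__ == "__main__":
    checks = [
        Flow("untrust", "local", LAC_CLIENT, "1.1.1.2", "udp", 500),    # IKE
        Flow("untrust", "local", LAC_CLIENT, "1.1.1.2", "esp"),         # ESP
        Flow("untrust", "trust", "10.1.2.10", "10.1.1.5", "tcp", 443),  # via the tunnel
        Flow("untrust", "trust", LAC_CLIENT, "10.1.1.5", "tcp", 443),   # bypassing the tunnel
        Flow("untrust", "local", LAC_CLIENT, "1.1.1.2", "tcp", 22),     # not a VPN service
    ]
    for c in checks:
        print(c.src, "->", c.dst, c.proto, c.dport, evaluate(LNS_POLICY, c))
```

The last two flows land on the default deny: headquarters servers are reachable only with a source address from the L2TP pool, and the Untrust-to-Local policy admits only the tunnel's own services.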
Example 9.7: L2TP over IPSec Access from Clients (iOS) Step 3 Configure L2TP users
Select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is vpdnuser, and the password is Hello@123. Add an L2TP user.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step4 Add an IP pool
Add an IP address pool named pool; the pool range is 10.1.2.2 to 10.1.2.100.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step5 Configure L2TP over IPSec
Set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule. Configure the IKE/IPSec proposal.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step6 Configure the LAC client
iOS 10.0 is used in this example.
Access the Settings page. Access the VPN page. Add a VPN. Enter the IP address of the WAN interface on the firewall. Enter the pre-shared key configured on the firewall; it is Admin@123 in this example. Enter the user name and password; in this example, the user name is vpdnuser, and the password is Hello@123. Confirm the information and save the configuration.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step7 Verify the configurations (1)
Select a VPN. Enable the VPN function. After the connection succeeds, the Status value becomes Connected, and the VPN connection icon is displayed in the status bar at the top of the screen.

Example 9.7: L2TP over IPSec Access from Clients (iOS) Step7 Verify the configurations (2)
IPSec tunnel information displayed on the firewall.
L2TP tunnel information displayed on the firewall.
Example 10: SSL VPN Tunnel Access (Network Extension) Networking diagram
Networking diagram: a teleworker in the Untrust zone connects over SSL VPN to the FW at GE0/0/1 1.1.1.1/24; GE0/0/3 10.1.1.1/24 (Trust) connects to the enterprise network, which contains the DNS server.

The enterprise requires that each teleworker have an intranet IP address to access intranet resources as if they were accessing the resources on the LAN. For security reasons, certificate and local authentication (certificate challenge) should be configured to authenticate teleworkers.

Item: Data
DNS server: IP address: 10.1.1.2/24
Authentication mode: Certificate challenge; Auxiliary authentication mode: VPNDB
SSL VPN user: User name: user; Password: Admin@123
Client certificate: user.p12. Import the client certificate to the browser on the device for teleworking. The firewall verifies the user's identity based on the client certificate (the CN field of the client certificate is used as the user name). When making the client certificate, ensure that the CN field value is the VPN user name (user).
Client CA certificate: ca.crt. The CA server that issues the client certificate has a CA certificate. After being imported to the firewall, this CA certificate is used by the firewall to verify the validity of the client certificate.
Virtual IP address pool of network extension: 10.1.1.50~10.1.1.100. After the device for teleworking connects to the enterprise network through SSL VPN and enables network extension, the firewall will assign an IP address in the address pool to the device.

Example 10: SSL VPN Tunnel Access (Network Extension) Step1 Configure interfaces
Set WAN interface parameters. Set LAN interface parameters.

Example 10: SSL VPN Tunnel Access (Network Extension) Step2 Create a user group and its users
Create a user group. Create a user.

Example 10: SSL VPN Tunnel Access (Network Extension) Step3 Upload the client CA certificate
After applying for or producing the client CA certificate and client certificate, upload the client CA certificate to the firewall.

Example 10: SSL VPN Tunnel Access (Network Extension) Step4 Configure an SSL VPN gateway (1)
Configure basic SSL VPN gateway parameters based on the networking requirements.

Example 10: SSL VPN Tunnel Access (Network Extension) Step4 Configure an SSL VPN gateway (2)
Select SSL versions and encryption suites.

Example 10: SSL VPN Tunnel Access (Network Extension) Step4 Configure an SSL VPN gateway (3)
Select required functions.

Normally, to enable SSL VPN network extension, you do not need to configure any route from the virtual gateway to the user's IP address. However, after the FW enables IP spoofing attack defense, the packets from the user to the virtual gateway will be identified as IP spoofing attack packets and discarded. In that case, configure a static route from the virtual gateway to the user's IP address when you enable network extension. The destination address is the IP address in the user address pool. The next hop is the next-hop IP address of the virtual gateway to the Internet.
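The note above, as an added example (not code from the guide or the product): a minimal longest-prefix routing table with a reverse-path check standing in for the FW's IP spoofing attack defense, showing why a pool address carved out of the LAN subnet 10.1.1.0/24 fails the check when it arrives on the Internet-facing interface until a static route for the pool exists. The Internet next hop 1.1.1.254 is an assumption; the guide does not give it.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Example 10 addressing from the guide: GE0/0/1 1.1.1.1/24 faces the Internet,
# GE0/0/3 10.1.1.1/24 faces the LAN, and the network extension pool
# 10.1.1.50 to 10.1.1.100 is taken from that same LAN subnet.
# Assumption: the virtual gateway's next hop to the Internet is 1.1.1.254
# (the guide does not give it; substitute the real next hop).
INTERNET_NEXT_HOP = "1.1.1.254"

# Routing table entries: (prefix, next hop or None if directly connected, egress interface).
BASE_ROUTES = [
    (ip_network("1.1.1.0/24"), None, "GE0/0/1"),
    (ip_network("10.1.1.0/24"), None, "GE0/0/3"),
    (ip_network("0.0.0.0/0"), ip_address(INTERNET_NEXT_HOP), "GE0/0/1"),
]


def lookup(routes, addr):
    """Longest-prefix match; returns (prefix, next_hop, interface) or None."""
    addr = ip_address(addr)
    best = None
    for prefix, next_hop, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best


def passes_spoof_check(routes, src, ingress_iface):
    """Simplified model of IP spoofing attack defense as a unicast reverse-path
    check: a packet is accepted only if its source address routes back out the
    interface it arrived on. This is a model, not the product's exact algorithm."""
    route = lookup(routes, src)
    return route is not None and route[2] == ingress_iface


def pool_routes(first, last, next_hop, iface="GE0/0/1"):
    """The static routes the note asks for: destination = the user address pool
    (split into prefixes), next hop = the virtual gateway's next hop to the Internet."""
    prefixes = summarize_address_range(ip_address(first), ip_address(last))
    return [(p, ip_address(next_hop), iface) for p in prefixes]


if __name__ == "__main__":
    fixed = BASE_ROUTES + pool_routes("10.1.1.50", "10.1.1.100", INTERNET_NEXT_HOP)
    # Decapsulated packet from a teleworker holding virtual IP 10.1.1.60, arriving on the WAN side.
    print("without pool route:", passes_spoof_check(BASE_ROUTES, "10.1.1.60", "GE0/0/1"))  # False
    print("with pool route:   ", passes_spoof_check(fixed, "10.1.1.60", "GE0/0/1"))        # True
    # A packet on the WAN side claiming a LAN address outside the pool is still dropped.
    print("non-pool source:   ", passes_spoof_check(fixed, "10.1.1.20", "GE0/0/1"))        # False
    for prefix, next_hop, iface in pool_routes("10.1.1.50", "10.1.1.100", INTERNET_NEXT_HOP):
        print(f"static route {prefix} next hop {next_hop} ({iface})")
```

Because the pool is a range rather than a subnet, summarize_address_range splits it into several prefixes, each more specific than 10.1.1.0/24, so they win the longest-prefix match without disturbing the rest of the LAN.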
Example 10: SSL VPN Tunnel Access (Network Extension) Step4 Configure an SSL VPN gateway (4)
Configure network extension. Add an accessible private network segment.

Example 10: SSL VPN Tunnel Access (Network Extension) Step4 Configure an SSL VPN gateway (5)
Add role authentication.

Example 10: SSL VPN Tunnel Access (Network Extension) Step5 Configure security policies
Do not set the source or destination zone for the policy. Set the source address to the network extension address pool and the destination address to the IP address of the intranet resource that teleworkers are allowed to access.
Permit employees working at home to log in to the SSL VPN gateway. Permit teleworkers to access intranet resources.

Example 10: SSL VPN Tunnel Access (Network Extension) Step6 Install the client certificate (1)
Open Internet Explorer.

Example 10: SSL VPN Tunnel Access (Network Extension) Step6 Install the client certificate (2)
Select the client certificate user.p12 from the local device and import it to the PC. If a private key password is specified in the certificate, enter the private key password in Password. Click Next to complete the operations as prompted by the browser.

Example 10: SSL VPN Tunnel Access (Network Extension) Step7 Verify the configurations (1)
Enter https://1.1.1.1 in the browser. Install controls as prompted by the browser upon the first login. Enter a password and select a certificate.

Example 10: SSL VPN Tunnel Access (Network Extension) Step7 Verify the configurations (2)
Enable network extension. Install the virtual network adapter as prompted upon the first login. Network extension status after being enabled.

Example 10: SSL VPN Tunnel Access (Network Extension) Step7 Verify the configurations (3)
Virtual IP address and DNS server address that the client obtains from the firewall.
The client can access resources on the enterprise network. For example, the client can ping the DNS server (10.1.1.2) on the enterprise network.
Example 11: Transparent Access for Load Balancing Networking diagram
Networking diagram: FW_A and FW_B sit at Layer 2 in VLAN2 between an upstream router (10.3.0.2/24 and 10.3.1.2/24) and a downstream router (10.3.0.1/24 and 10.3.1.1/24) that run OSPF with each other; downstream networks 10.3.2.0/24 and 10.3.3.0/24. On each firewall GE1/0/1 is the upstream service interface, GE1/0/0 the downstream service interface, and GE1/0/2 the heartbeat interface (FW_A 10.10.0.1, FW_B 10.10.0.2). Legend: service link, heartbeat link, VLAN.

Service interfaces on the two firewalls work at Layer 2 and connect to routers in both upstream and downstream directions. Upstream and downstream service interfaces on the firewalls are added to the same VLAN. OSPF runs between upstream and downstream routers. As Layer-2 devices, the firewalls transparently transmit OSPF packets and do not participate in routing protocol calculation.

In this example, the firewalls work in load balancing mode. In normal situations, both FW_A and FW_B forward traffic. If one firewall fails, the other is responsible for forwarding all services.

Item: FW_A / FW_B
Working mode: Load balancing / Load balancing
Heartbeat interface: GE1/0/2 10.10.0.1/24 / GE1/0/2 10.10.0.2/24

Example 11: Transparent Access for Load Balancing Step 1 Configure Interfaces on FW_A (1)
Set parameters for the downstream interface. Set parameters for the upstream interface.

Example 11: Transparent Access for Load Balancing Step 1 Configure Interfaces on FW_A (2)
Set parameters for the heartbeat interface.

Example 11: Transparent Access for Load Balancing Step 2 Configure Interfaces on FW_B (1)
Set parameters for the downstream interface. Set parameters for the upstream interface.

Example 11: Transparent Access for Load Balancing Step 2 Configure Interfaces on FW_B (2)
Set parameters for the heartbeat interface.

Example 11: Transparent Access for Load Balancing Step 3 Configure FW_A to Work in Load Balancing Mode
Configure FW_A to work in load balancing mode. Configure VLAN monitoring: set the interface type to VLAN, set the VLAN ID to 2, and click Add.

Example 11: Transparent Access for Load Balancing Step 4 Configure FW_B to Work in Load Balancing Mode
Configure FW_B to work in load balancing mode. Configure VLAN monitoring: set the interface type to VLAN, set the VLAN ID to 2, and click Add.

Example 11: Transparent Access for Load Balancing Step5 Configure Security Policies on FW_A (1)
Configure security policies to allow OSPF packets to pass through the firewall.

Example 11: Transparent Access for Load Balancing Step5 Configure Security Policies on FW_A (2)
Configure a security policy to allow intranet users to access public IP addresses.

Example 11: Transparent Access for Load Balancing Step 6 Verify the Configuration (1)
After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A and FW_B are working in load balancing mode and both firewalls forward traffic.
FW_A
FW_B

Example 11: Transparent Access for Load Balancing Step 6 Verify the Configuration (2)
Once FW_A fails, it switches to the standby device in active/standby mode, and FW_B becomes the active device in active/standby mode. FW_B forwards traffic.
FW_A: fails and switches to the standby device in active/standby mode.
FW_B: becomes the active device in active/standby mode and forwards traffic.
Example 12: Active/Standby Firewalls Attached to L3 Devices Networking diagram

Internet/WAN Two firewalls are attached to core switches in a DC to safeguard the DC


network. Traffic passing through the core switches is diverted to the
firewalls through static routes for security checks.
Data center
It is required that the two firewalls work in active/standby mode. In normal
core area
GE1/0/2 GE1/0/2 situations, FW_A forwards traffic. If FW_A fails, FW_B forwards traffic,
10.10.0.1/24 Heartbeat Link
10.10.0.2/24
ensuring non-stop services.
10.1.0.1/24 10.1.0.2/24
GE1/0/1 GE1/0/1 GE1/0/2 GE1/0/2 GE1/0/1 GE1/0/1
GE1/0/4
GE1/0/0 GE1/0/3 GE1/0/4 GE1/0/3 GE1/0/0
10.0.0.1/24 Switch1 Switch2 10.0.0.2/24 Item FW_A FW_B
FW_A FW_B
Working mode Active/standby backup Active/standby backup

Role Active Standby

Server area Heartbeat GE1/0/2 GE1/0/2


192.168.0.0/16 interface 10.10.0.1/24 10.10.0.2/24
Example 12: Active/Standby Firewalls Attached to L3 Devices Networking diagram

As shown in the following figure, configure the VRF function on core switches to Both firewalls and switches use VRRP for link backup.
virtualize each switch into a switch (root switch Public) connecting to the The following figure shows the VRRP group configuration
upstream and a switch (virtual switch VRF) connecting to the downstream. of the firewalls and switches.

OSPF

GE1/0/2 GE1/0/2
Public Public
Data center core area VLAN3
GE1/0/1 GE1/0/1
Active Standby
GE1/0/7 GE1/0/7 VRRP4 VLANIF3 VLANIF3
10.10.0.1/24 10.10.0.2/24 10.1.0.6/24 10.1.0.4/24 10.1.0.5/24
Active GE1/0/1 GE1/0/1 Standby
10.1.0.1/24 10.1.0.2/24 VRRP2
GE1/0/1 GE1/0/2 GE1/0/1 10.1.0.1/24 10.1.0.2/24
GE1/0/1 GE1/0/1 10.1.0.3/24
Public GE1/0/2 Public GE1/0/7
GE1/0/4 VRF 10.10.0.1/24
VRF
GE1/0/0 GE1/0/0 GE1/0/7
GE1/0/3 GE1/0/4 GE1/0/3 10.10.0.2/24
10.0.0.1/24 SW1 SW2 10.0.0.2/24 VRRP1
FW_A FW_B 10.0.0.3/24 GE1/0/0 GE1/0/0
Active 10.0.0.1/24 10.0.0.2/24 Standby
VRRP3
10.0.0.6/24 VLANIF2 VLANIF2
Active 10.0.0.4/24 10.0.0.5/24 Standby
GE1/0/3 GE1/0/3

VRF VLAN2 VRF


GE1/0/4 GE1/0/4
OSPF
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (1)

2 1

Set parameters for the Set parameters for the


downstream interface. upstream interface.
4 6
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (2)

2
1

Set parameters for the


heartbeat interface.
4
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (1)

2
1

5
Set parameters for the Set parameters for the
downstream interface. upstream interface.
4 6
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (2)

2 1

Set parameters for the 3


heartbeat interface.
4
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A

3
2 Configure an upstream static Configure a downstream static
route whose next hop is the route whose next hop is the
address of VRRP group 4 on address of VRRP group 3 on
the switch. the switch.
4 5
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B

3 Configure an upstream static


2 Configure a downstream static
route whose next hop is the route whose next hop is the
address of VRRP group 4 on address of VRRP group 3 on
the switch. the switch.
4 5
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Active/Standby Mode

Configure FW_A as the active device in active/standby mode. Configure the virtual IP address for VRRP group 1. Configure the virtual IP address for VRRP group 2.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Active/Standby Mode

Configure FW_B as the standby device in active/standby mode. Configure the virtual IP address for VRRP group 1. Configure the virtual IP address for VRRP group 2.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 7 Configure a Security Policy on FW_A

Configure a security policy to allow Internet users to access servers in the DC (network segment: 192.168.0.0/16; port: 80). The security policy configured on FW_A will be automatically backed up to FW_B.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1

# Configure Switch 1. Only the configuration related to interconnection with the firewall is provided here.

[Switch1] ip vpn-instance VRF //Create a VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The device with a higher priority is active.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The device with a higher priority is active.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 8 Configure Core Switch 2

# Configure Switch 2.

[Switch2] ip vpn-instance VRF //Create a VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The device with a lower priority is standby.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch2-vlan3] quit
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The device with a lower priority is standby.
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (1)

After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A is active and FW_B is standby in active/standby backup mode.

[Screenshots: hot standby status on FW_A and on FW_B]
Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (2)

Once FW_A fails, it switches to the standby device in active/standby mode, and FW_B becomes the active device in active/standby mode. FW_B forwards traffic.

FW_A: fails and switches to the standby device in active/standby mode.

FW_B: becomes the active device in active/standby mode and forwards traffic.

Example 12: Active/Standby Firewalls Attached to L3 Devices Step 9 Verify the Configuration (3)

After recovery, FW_A preempts to become the active device, and FW_B becomes standby. Traffic is forwarded through FW_A.

FW_A: preempts to become active.

FW_B: becomes standby.

Example 13: Load Balancing Firewalls Attached to L3 Devices Networking diagram

Two firewalls are attached to core switches in a DC to safeguard the DC network. Traffic passing through the core switches is diverted to the firewalls through static routes for security checks.

It is required that the firewalls work in load balancing mode. In normal situations, both FW_A and FW_B forward traffic. If one firewall fails, the other is responsible for forwarding all services.

[Figure: Internet/WAN above the data center core area. Switch_1 and Switch_2 connect to FW_A and FW_B through GE1/0/3 and GE1/0/4 (downstream) and GE1/0/1 and GE1/0/2 (upstream). FW_A: GE1/0/1 10.1.0.1/24 upstream, GE1/0/0 10.0.0.1/24 downstream, GE1/0/2 10.10.0.1/24 heartbeat. FW_B: GE1/0/1 10.1.0.2/24 upstream, GE1/0/0 10.0.0.2/24 downstream, GE1/0/2 10.10.0.2/24 heartbeat. Below the switches is the server area 192.168.0.0/16.]

Item                 FW_A                  FW_B
Working mode         Load balancing        Load balancing
Heartbeat interface  GE1/0/2 10.10.0.1/24  GE1/0/2 10.10.0.2/24
Example 13: Load Balancing Firewalls Attached to L3 Devices Networking diagram

As shown in the following figure, configure the VRF function on core switches to virtualize each switch into a switch (root switch Public) connecting to the upstream and a switch (virtual switch VRF) connecting to the downstream. Both firewalls and switches use VRRP for link backup. The following figure shows the VRRP group configuration of the firewalls and switches.

[Figure: VRRP groups. Firewall upstream side (GE1/0/1, VLAN3): VRRP group 2, virtual IP 10.1.0.3/24, FW_A active; VRRP group 6, virtual IP 10.1.0.7/24, FW_B active. Firewall downstream side (GE1/0/0, VLAN2): VRRP group 1, virtual IP 10.0.0.3/24, FW_A active; VRRP group 5, virtual IP 10.0.0.7/24, FW_B active. Switch VLANIF3 (Public; 10.1.0.4/24 on SW1, 10.1.0.5/24 on SW2): VRRP group 4, virtual IP 10.1.0.6/24, SW1 active; VRRP group 8, virtual IP 10.1.0.8/24, SW2 active. Switch VLANIF2 (VRF; 10.0.0.4/24 on SW1, 10.0.0.5/24 on SW2): VRRP group 3, virtual IP 10.0.0.6/24, SW1 active; VRRP group 7, virtual IP 10.0.0.8/24, SW2 active. Heartbeat addresses 10.10.0.1/24 (FW_A) and 10.10.0.2/24 (FW_B). OSPF runs above and below the core.]
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (1)

Set parameters for the upstream interface. Set parameters for the downstream interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 1 Configure Interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (1)

Set parameters for the upstream interface. Set parameters for the downstream interface.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 2 Configure Interfaces on FW_B (2)

Set parameters for the heartbeat interface.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A (1)

Configure an upstream static route whose next hop is the address of VRRP group 4 on the switch. Configure an upstream static route whose next hop is the address of VRRP group 8 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 3 Configure Static Routes on FW_A (2)

Configure a downstream static route whose next hop is the address of VRRP group 3 on the switch. Configure a downstream static route whose next hop is the address of VRRP group 7 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B (1)

Configure an upstream static route whose next hop is the address of VRRP group 4 on the switch. Configure an upstream static route whose next hop is the address of VRRP group 8 on the switch.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 4 Configure Static Routes on FW_B (2)

Configure a downstream static route whose next hop is the address of VRRP group 3 on the switch. Configure a downstream static route whose next hop is the address of VRRP group 7 on the switch.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Load Balancing Mode (1)

Configure FW_A to work in load balancing mode. Configure the virtual IP address for VRRP group 1. Configure the virtual IP address for VRRP group 2.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 5 Configure FW_A to Work in Load Balancing Mode (2)

Configure the virtual IP address for VRRP group 5. Configure the virtual IP address for VRRP group 6.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Load Balancing Mode (1)

Configure FW_B to work in load balancing mode. Configure the virtual IP address for VRRP group 1. Configure the virtual IP address for VRRP group 2.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 6 Configure FW_B to Work in Load Balancing Mode (2)

Configure the virtual IP address for VRRP group 5. Configure the virtual IP address for VRRP group 6.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 7 Configure a Security Policy on FW_A

Configure a security policy to allow Internet users to access servers in the DC (network segment: 192.168.0.0/16; port: 80). The security policy configured on FW_A will be automatically backed up to FW_B.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1 (1)

# Configure Switch 1. Only the configuration related to interconnection with the firewall is provided here.

[Switch1] ip vpn-instance VRF //Create a VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Configure VRRP group 7.
[Switch1-Vlanif2] vrrp vrid 7 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch1-vlan3] quit
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 8 Configure Core Switch 1 (2)

# Configure Switch 1.

[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 //Configure VRRP group 8.
[Switch1-Vlanif3] vrrp vrid 8 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 5.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 6.
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 9 Configure Core Switch 2 (1)

# Configure Switch 2.

[Switch2] ip vpn-instance VRF //Create a VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add interfaces to VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Configure VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch2-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Configure VRRP group 7.
[Switch2-Vlanif2] vrrp vrid 7 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add interfaces to VLAN3.
[Switch2-vlan3] quit
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 9 Configure Core Switch 2 (2)

# Configure Switch 2.

[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Configure VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The device with the lower priority is standby.
[Switch2-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 //Configure VRRP group 8.
[Switch2-Vlanif3] vrrp vrid 8 priority 120 //Set the priority to 120. The device with the higher priority is active.
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 1.
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //Configure a default route in the VRF with the next hop being the virtual IP address of VRRP group 5.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 2.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a static route in root switch Public with the next hop being the virtual IP address of VRRP group 6.
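The switch side of Examples 12 and 13 follows one pattern: each VLANIF carries one VRRP group (active/standby) or two groups with opposite priorities (load balancing), and the static routes point at the firewalls' virtual IP addresses. The Python script below is an added example written for this page; it is not part of the guide and not a Huawei tool. It parses CLI lines in the prompt form shown above and cross-checks the two switches: the same virtual IP for each VRID, unequal priorities so that the master is deterministic, the two groups on a load-balancing VLANIF not mastered by the same switch, and every static-route next hop on-link in the VRF the route belongs to. The embedded sample is the Example 13 configuration trimmed to the lines the parser reads; the Switch2 text is derived from Switch1 by swapping the addresses and priorities exactly as the page does. All function and variable names are the example's own.

```python
# Added example: cross-check VRRP groups and static routes on a pair of core switches.
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Example 13 switch configuration, trimmed to the VLANIF and
# static-route lines the parser reads (VLAN, port and VRF-definition lines are ignored).
SWITCH1 = """
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to the VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6
[Switch1-Vlanif2] vrrp vrid 3 priority 120
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8
[Switch1-Vlanif2] vrrp vrid 7 priority 100
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6
[Switch1-Vlanif3] vrrp vrid 4 priority 120
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8
[Switch1-Vlanif3] vrrp vrid 8 priority 100
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //Next hop: VRRP group 1 VIP.
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7
"""
# Switch2, as on the page, differs only in its own addresses and in swapped priorities.
SWITCH2 = (SWITCH1.replace("Switch1", "Switch2")
           .replace("10.0.0.4 24", "10.0.0.5 24").replace("10.1.0.4 24", "10.1.0.5 24")
           .replace("priority 120", "priority @").replace("priority 100", "priority 120")
           .replace("priority @", "priority 100"))

# "[Switch1-Vlanif2] ip address 10.0.0.4 24 //comment" -> sw, ctx, cmd (comment dropped)
LINE_RE = re.compile(r"^\[(?P<sw>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.*?)\s*(?://.*)?$")

def parse_switch(text):
    """Return {"vlanifs": {name: {vrf, addr, vrrp}}, "routes": [(vrf, network, next_hop)]}."""
    vlanifs, routes = {}, []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ctx, cmd = m.group("ctx"), m.group("cmd").split()
        if ctx and ctx.startswith("Vlanif"):          # interface view: the prompt names the VLANIF
            vl = vlanifs.setdefault(ctx, {"vrf": None, "addr": None, "vrrp": {}})
            if cmd[:3] == ["ip", "binding", "vpn-instance"]:
                vl["vrf"] = cmd[3]
            elif cmd[:2] == ["ip", "address"]:        # mask given as prefix length or dotted quad
                vl["addr"] = ipaddress.IPv4Interface(f"{cmd[2]}/{cmd[3]}")
            elif cmd[:2] == ["vrrp", "vrid"]:
                grp = vl["vrrp"].setdefault(int(cmd[2]), {"vip": None, "priority": 100})
                if cmd[3] == "virtual-ip":
                    grp["vip"] = cmd[4]
                elif cmd[3] == "priority":
                    grp["priority"] = int(cmd[4])
        elif cmd[:2] == ["ip", "route-static"]:       # system view: static route, optionally in a VRF
            args, vrf = cmd[2:], None
            if args[0] == "vpn-instance":
                vrf, args = args[1], args[2:]
            routes.append((vrf, ipaddress.IPv4Network(f"{args[0]}/{args[1]}"),
                           ipaddress.IPv4Address(args[2])))
    return {"vlanifs": vlanifs, "routes": routes}

def vrrp_state(switches):
    """(groups, masters): groups[vrid][switch] = (vlanif, vip, priority); masters[vrid] = winner or None."""
    groups, masters = defaultdict(dict), {}
    for sw, cfg in switches.items():
        for name, vl in cfg["vlanifs"].items():
            for vrid, grp in vl["vrrp"].items():
                groups[vrid][sw] = (name, grp["vip"], grp["priority"])
    for vrid, members in groups.items():
        top = max(prio for _, _, prio in members.values())
        winners = [sw for sw, (_, _, prio) in members.items() if prio == top]
        masters[vrid] = winners[0] if len(winners) == 1 else None   # None: tie, decided by IP
    return groups, masters

def audit(switches):
    """Return findings as strings; an empty list means the pair is consistent."""
    findings, per_vlanif = [], defaultdict(set)
    groups, masters = vrrp_state(switches)
    for vrid, members in sorted(groups.items()):
        for sw, (name, _, _) in members.items():
            per_vlanif[name].add(vrid)
        if len(members) < 2:
            findings.append(f"VRRP group {vrid} exists on one switch only: no backup")
        elif len({vip for _, vip, _ in members.values()}) != 1:
            findings.append(f"VRRP group {vrid}: virtual IPs differ between the switches")
        elif masters[vrid] is None:
            findings.append(f"VRRP group {vrid}: equal priorities, master decided by IP tie-break")
    for name, vrids in sorted(per_vlanif.items()):  # load balancing needs split mastership
        owners = {masters[v] for v in vrids}
        if len(vrids) > 1 and len(owners) == 1 and None not in owners:
            findings.append(f"{name}: groups {sorted(vrids)} are all mastered by {owners.pop()}")
    for sw, cfg in switches.items():                # a next hop must be on-link in the route's VRF
        for vrf, dst, nh in cfg["routes"]:
            if not any(vl["vrf"] == vrf and vl["addr"] and nh in vl["addr"].network
                       for vl in cfg["vlanifs"].values()):
                findings.append(f"{sw}: next hop {nh} for {dst} is not on-link in VRF {vrf or 'public'}")
    return findings

EXAMPLE13 = {"Switch1": parse_switch(SWITCH1), "Switch2": parse_switch(SWITCH2)}

if __name__ == "__main__":
    print("masters:", vrrp_state(EXAMPLE13)[1])   # {3: 'Switch1', 7: 'Switch2', 4: 'Switch1', 8: 'Switch2'}
    print("findings:", audit(EXAMPLE13) or "none")
```

Running the script against the page's configuration reports no findings. Editing one priority so that both switches claim 120 on group 3, or pointing a VRF route at a next hop outside 10.0.0.0/24, produces a finding, which is the kind of drift worth catching before a failover test does. Example 12 passes the same checks because its VLANIFs carry a single group each, so the split-mastership rule does not apply.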
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (1)

After the configuration is complete, check the hot standby status of FW_A and FW_B. You can see that FW_A and FW_B are working in load balancing mode and both firewalls forward traffic.

[Screenshots: hot standby status on FW_A and on FW_B]
Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (2)

Once FW_A fails, it switches to the standby device in active/standby mode, and FW_B becomes the active device in active/standby mode. FW_B forwards traffic.

FW_A: fails and switches to the standby device in active/standby mode.

FW_B: becomes the active device in active/standby mode and forwards traffic.

Example 13: Load Balancing Firewalls Attached to L3 Devices Step 10 Verify the Configuration (3)

After FW_A recovers, FW_A and FW_B start to work in load balancing mode again and forward traffic together.

FW_A: returns to load balancing mode.

FW_B: returns to load balancing mode.

Example 14: Active/Standby Backup in In-path Deployment Networking diagram

On the network shown in this figure, the service interfaces of two firewalls work at Layer 3 and directly connect to Layer 2 switches in both upstream and downstream directions. The upstream switch connects to the interface provided by the carrier, who has assigned 1.1.1.1 to the enterprise.

It is required that the two firewalls work in active/standby mode. In normal situations, FW_A forwards traffic. If FW_A fails, FW_B forwards traffic, ensuring non-stop services.

[Figure: Router 1.1.1.10/24 above the upstream Layer 2 switch. FW_A GE1/0/1 10.2.0.1/24 and FW_B GE1/0/1 10.2.0.2/24 form VRRP group 1 with virtual IP 1.1.1.1/24. FW_A GE1/0/3 10.3.0.1/24 and FW_B GE1/0/3 10.3.0.2/24 form VRRP group 2 with virtual IP 10.3.0.3/24 toward the downstream switch and the intranet. Heartbeat link: FW_A GE1/0/2 10.10.0.1/24 to FW_B GE1/0/2 10.10.0.2/24. Legend: service link, heartbeat link.]

Item                 FW_A                   FW_B
Working Mode         Active/standby backup  Active/standby backup
Role                 Active                 Standby
Heartbeat interface  GE1/0/2 10.10.0.1/24   GE1/0/2 10.10.0.2/24
Example 14: Active/Standby Backup in In-path Deployment Step 1 Configure interfaces on FW_A (1)

Set parameters for the upstream interface. Set parameters for the downstream interface.

Example 14: Active/Standby Backup in In-path Deployment Step 1 Configure interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 14: Active/Standby Backup in In-path Deployment Step 2 Configure interfaces on FW_B (1)

Set parameters for the upstream interface.  Set parameters for the downstream interface.

Example 14: Active/Standby Backup in In-path Deployment Step 2 Configure interfaces on FW_B (2)

Set parameters for the heartbeat interface.
Example 14: Active/Standby Backup in In-path Deployment Step 3 Configure FW_A as the Active Device

Configure FW_A as the active device in active/standby backup mode. Configure the virtual IP address of VRRP group 1. Configure the virtual IP address of VRRP group 2.

Example 14: Active/Standby Backup in In-path Deployment Step 4 Configure FW_B as the Standby Device

Permit private IP addresses on Network B to connect to the private IP addresses on Network A. Configure the virtual IP address of VRRP group 1. Configure the virtual IP address of VRRP group 2.
Example 14: Active/Standby Backup in In-path Deployment Step 5 Configure a security policy on FW_A

Configure a security policy to allow intranet users to access public IP addresses. The security policy configured on FW_A will be automatically synchronized to FW_B.

Example 14: Active/Standby Backup in In-path Deployment Step 6 Configure a route on FW_A

Configure the default route on FW_A.

Example 14: Active/Standby Backup in In-path Deployment Step 7 Configure a route on FW_B

Configure the default route on FW_B.
Example 14: Active/Standby Backup in In-path Deployment Step 8 Verify the configuration (1)

After the configuration is complete, view the running status of FW_A and FW_B. You can see that FW_A and FW_B are working in active/standby mode. FW_A is active, while FW_B is standby.

FW_A is active.

FW_B is standby.

Example 14: Active/Standby Backup in In-path Deployment Step 8 Verify the configuration (2)

If FW_A fails, FW_B automatically becomes active.

Example 14: Active/Standby Backup in In-path Deployment Step 8 Verify the configuration (3)

After FW_A recovers:

FW_A becomes active again through resource preemption.

FW_B becomes standby.


Example 15: In-path Deployment in a Load Balancing Scenario Networking diagram

Service interfaces of the two FW devices work at Layer 3, having upstream and downstream connections to Layer-2 switches. Now the FW devices are supposed to work in load sharing mode. Normally, both FW_A and FW_B forward traffic. If either FW fails, the other FW forwards all traffic to ensure service continuity.

[Figure: Router 1.1.1.10/24 above the upstream switch. FW_A GE1/0/1 10.2.0.1/24 and FW_B GE1/0/1 10.2.0.2/24 carry VRRP group 1 (virtual IP 1.1.1.3/24) and VRRP group 2 (virtual IP 1.1.1.4/24). FW_A GE1/0/3 10.3.0.1/24 and FW_B GE1/0/3 10.3.0.2/24 carry VRRP group 3 (virtual IP 10.3.0.3/24) and VRRP group 4 (virtual IP 10.3.0.4/24) toward the intranet. Heartbeat link: FW_A GE1/0/2 10.10.0.1/24 to FW_B GE1/0/2 10.10.0.2/24. Legend: service link, heartbeat link.]

Item                 FW_A                   FW_B
Working Mode         Active/standby backup  Active/standby backup
Heartbeat interface  GE1/0/2 10.10.0.1/24   GE1/0/2 10.10.0.2/24
Example 15: In-path Deployment in a Load Balancing Scenario Step 1 Configure interfaces on FW_A (1)

Set parameters for the upstream interface. Set parameters for the downstream interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 1 Configure interfaces on FW_A (2)

Set parameters for the heartbeat interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 2 Configure interfaces on FW_B (1)

Set parameters for the upstream interface. Set parameters for the downstream interface.

Example 15: In-path Deployment in a Load Balancing Scenario Step 2 Configure interfaces on FW_B (2)

Set parameters for the heartbeat interface.
Example 15: In-path Deployment in a Load Balancing Scenario Step 3 Configure load balancing on FW_A (1)

Configure FW_A to work in the load balancing mode. Configure the virtual IP address of VRRP group 1. Configure the virtual IP address of VRRP group 2.

Example 15: In-path Deployment in a Load Balancing Scenario Step 3 Configure load balancing on FW_A (2)

Configure the virtual IP address of VRRP group 3. Configure the virtual IP address of VRRP group 4.

Example 15: In-path Deployment in a Load Balancing Scenario Step 4 Configure load balancing on FW_B (1)

Configure FW_B to work in the load balancing mode. Configure the virtual IP address of VRRP group 1. Configure the virtual IP address of VRRP group 2.

Example 15: In-path Deployment in a Load Balancing Scenario Step 4 Configure load balancing on FW_B (2)

Configure the virtual IP address of VRRP group 3. Configure the virtual IP address of VRRP group 4.
Example 15: In-path Deployment in a Load Balancing Scenario Step 5 Configure a route on FW_A

Configure the default route on FW_A.

Example 15: In-path Deployment in a Load Balancing Scenario Step 6 Configure a route on FW_B

Configure default routes on intranet devices. Set the next-hop address of the default routes to the virtual IP address (10.3.0.3) of VRRP group 3 for some devices and to the virtual IP address (10.3.0.4) of VRRP group 4 for the other devices.

Configure the default route on FW_B.
Example 15: In-path Deployment in a Load Balancing Scenario Step 7 Configure a security policy on FW_A

Configure a security policy to allow intranet users to access public IP addresses. The security policy configured on FW_A will be automatically synchronized to FW_B.

Example 15: In-path Deployment in a Load Balancing Scenario Step 8 Verify the configuration (1)

Check the hot standby status on FW_A and FW_B. You can find that FW_A and FW_B work in the load balancing mode.

[Screenshots: hot standby status on FW_A and on FW_B]

Example 15: In-path Deployment in a Load Balancing Scenario Step 8 Verify the configuration (2)

When FW_A fails, FW_A switches to the standby state, and FW_B switches to the active state. This indicates that FW_B forwards traffic.

FW_A becomes the standby device in the active/standby mode.

FW_B becomes the active device in the active/standby mode.


Example 16: Configuring Source Address-based PBR Networking diagram

An enterprise has a marketing department and an R&D department. The FW is deployed at the intranet egress. Two links, ISP_A and ISP_B, connect to the Internet.

For the ease of management, it is required that the marketing department access the Internet through ISP_A and that the R&D department access the Internet through ISP_B.

[Figure: ISP_A and ISP_B in the Untrust zone, reached through Router_A 10.10.1.2/24 and Router_B 10.20.1.2/24. FW: GE1/0/2 10.10.1.1/24 toward Router_A, GE1/0/4 10.20.1.1/24 toward Router_B, GE1/0/3 (main IP 10.1.1.1/24, sub IP 10.1.2.1/24) toward the Trust zone. Inside network: marketing department 10.1.1.0/24, research department 10.1.2.0/24.]

Item                   pbr_1            pbr_2
Type                   Source Zone      Source Zone
Source Zone            trust            trust
Source Address         10.1.1.0/24      10.1.2.0/24
Action                 PBR              PBR
Egress Type            Single           Single
Outbound Interface     GE1/0/2          GE1/0/4
Next Hop               10.10.1.2        10.20.1.2
Reliability Detection  Binding IP-Link  Binding IP-Link
IP-Link Name           pbr_1            pbr_2
Example 16: Configuring Source Address-based PBR Step1 Configure the interfaces (1)

Set WAN interface parameters. Set LAN interface parameters.

Example 16: Configuring Source Address-based PBR Step1 Configure the interfaces (2)

Set WAN interface parameters.

Example 16: Configuring Source Address-based PBR Step2 Configure a security policy

Allow intranet users to access extranet resources.

Example 16: Configuring Source Address-based PBR Step3 Configure IP-link

Detect the ISP_A link status. Detect the ISP_B link status.

Example 16: Configuring Source Address-based PBR Step 4 Configure PBR routes

The packet of the marketing department received from the Trust zone is sent to next hop 10.10.1.2. The packet of the R&D department received from the Trust zone is sent to next hop 10.20.1.2.

Bind IP-Link pbr_1 and the PBR route. When the ISP_A link is unreachable, the PBR route does not take effect. Bind IP-Link pbr_2 and the PBR route. When the ISP_B link is unreachable, the PBR route does not take effect.

Example 16: Configuring Source Address-based PBR Step 5 Configure default routes

Routes need to be configured on intranet hosts. Configure them as required.

When the ISP_B link is unreachable, all traffic is forwarded over the ISP_A link. When the ISP_A link is unreachable, all traffic is forwarded over the ISP_B link.
Example 16: Configuring Source Address-based PBR Step 6 Verify the configurations (1)

The traffic sent from the marketing department (10.1.1.0/24) is forwarded by GigabitEthernet 1/0/2 and reaches the Internet over the ISP_A link. The traffic sent from the R&D department (10.1.2.0/24) is forwarded by GigabitEthernet 1/0/4 and reaches the Internet over the ISP_B link.

Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access extranet hosts (10.30.1.1).

Example 16: Configuring Source Address-based PBR Step 6 Verify the configurations (2)

When the ISP_A link is unreachable, the traffic sent from the marketing department (10.1.1.0/24) and R&D department (10.1.2.0/24) is forwarded by GigabitEthernet1/0/4 and reaches the Internet over the ISP_B link. When the ISP_B link is unreachable, the traffic sent from the marketing department (10.1.1.0/24) and R&D department (10.1.2.0/24) is forwarded by GigabitEthernet1/0/2 and reaches the Internet over the ISP_A link.

Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1) in case of ISP_A link unreachability.

Session table information when a marketing employee (10.1.1.1) and an R&D employee (10.1.2.1) access an extranet host (10.30.1.1) in case of ISP_B link unreachability.
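The forwarding behaviour verified in Step 6 can be reproduced without a device. The Python model below is an added example for this page, not the guide's or the firewall's code: it applies the pbr_1/pbr_2 entries from the planning table, skips a PBR entry whose bound IP-link reports its ISP unreachable (Step 4), and then falls back to the per-ISP default routes of Step 5. The model assumes that each default route is likewise usable only while its ISP's IP-link is up; that is how the page describes the failover, but the binding itself is an assumption here. `select_egress`, `verify` and the rule dictionaries are the example's own names. A real device would load-balance between equal-cost default routes; the model simply takes the first usable one.

```python
# Added example: forwarding decision for the Example 16 PBR + IP-link + default-route design.
import ipaddress

# Constructed from the Example 16 planning table (pbr_1 / pbr_2); evaluated top-down.
PBR_RULES = [
    {"name": "pbr_1", "src_zone": "trust", "src": ipaddress.ip_network("10.1.1.0/24"),
     "out_if": "GE1/0/2", "next_hop": "10.10.1.2", "ip_link": "pbr_1"},
    {"name": "pbr_2", "src_zone": "trust", "src": ipaddress.ip_network("10.1.2.0/24"),
     "out_if": "GE1/0/4", "next_hop": "10.20.1.2", "ip_link": "pbr_2"},
]
# Step 5: one default route per ISP. Assumption of this model: a default route is usable
# only while the IP-link that watches its ISP reports the link reachable.
DEFAULT_ROUTES = [
    {"out_if": "GE1/0/2", "next_hop": "10.10.1.2", "ip_link": "pbr_1"},
    {"out_if": "GE1/0/4", "next_hop": "10.20.1.2", "ip_link": "pbr_2"},
]


def select_egress(src_ip, src_zone, link_up):
    """Return (out_if, next_hop, reason) for a packet, or None when no path is usable.

    link_up maps an IP-link name to True (ISP reachable) or False (unreachable).
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in PBR_RULES:                         # PBR is consulted before the routing table
        if rule["src_zone"] != src_zone or ip not in rule["src"]:
            continue
        if link_up.get(rule["ip_link"], False):
            return rule["out_if"], rule["next_hop"], f"PBR {rule['name']}"
        # Bound IP-link is down: this PBR route does not take effect; keep evaluating.
    for route in DEFAULT_ROUTES:                   # a device would ECMP; the model takes the first
        if link_up.get(route["ip_link"], False):
            return route["out_if"], route["next_hop"], "default route"
    return None


def verify(link_up):
    """Reproduce Step 6: egress for a marketing host (10.1.1.1) and an R&D host (10.1.2.1)."""
    return {dept: select_egress(host, "trust", link_up)
            for dept, host in (("marketing", "10.1.1.1"), ("rnd", "10.1.2.1"))}


if __name__ == "__main__":
    for label, state in (("both links up", {"pbr_1": True, "pbr_2": True}),
                         ("ISP_A unreachable", {"pbr_1": False, "pbr_2": True}),
                         ("ISP_B unreachable", {"pbr_1": True, "pbr_2": False})):
        print(f"{label}: {verify(state)}")
```

With both links up the marketing host leaves through GE1/0/2 and the R&D host through GE1/0/4; with ISP_A unreachable both leave through GE1/0/4, the marketing traffic now by default route rather than by PBR, and the mirror image holds when ISP_B is unreachable, which is the pattern Step 6 expects in the session table.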
Example 17: User-specific Bandwidth Management Networking diagram

• The highest download traffic rate and maximum number of users are subject to the actual specifications.
• The web configuration for limiting the upload traffic rate is similar to that for file downloading. This example describes how to limit the file download traffic rate.

[Figure: Trust zone 10.3.0.0/24 with the Manager, Product 1, Product 2 (Research) and Marketing user groups connects to the firewall's GE1/0/3 10.3.0.1/24; GE1/0/1 1.1.1.1/24 faces the Untrust zone and the ISP router. The services shown are file download and upload.]

A firewall is deployed as an egress gateway at the border of an enterprise network. Because the enterprise's bandwidth is limited, congestion is likely when too many users are online, which may affect important flows. Limiting the user traffic rate effectively prevents network congestion.
Example 17: User-specific Bandwidth Management Data planning

Data must be planned based on the global bandwidth that the operator rents to the enterprise and the number of users who need to access the Internet.

Item: Total network bandwidth
Data: 20Mbps
Description: 1Mbps = 1000kbps = 125KB/s

Item: Senior manager
Data:
• Global guaranteed downlink bandwidth: 2Mbps
• Global maximum downlink bandwidth: 6Mbps
• Group: Group name: manager / Parent group: default
• User: User name: user_0001 / Group: manager / Authentication type: local authentication
Description: -

Item: R&D employee
Data:
• Global maximum downlink bandwidth for product groups 1 and 2: 2Mbps
• Global maximum downlink bandwidth: 5Mbps
• Group:
  Group name: research / Parent group: default
  Group name: research_product1 / Parent group: research
  Group name: research_product2 / Parent group: research
• User:
  User name: user_0002 / Group: research_product1 / Authentication type: local authentication
  User name: user_0003 / Group: research_product2 / Authentication type: local authentication
Description: The R&D department has two product groups.

Item: Marketing employee
Data:
• Global maximum downlink bandwidth: 5Mbps
• Per-user maximum downlink bandwidth: 2Mbps
• Group: Group name: marketing / Parent group: default
• User: User name: user_0004 / Group: marketing / Authentication type: local authentication
Description: -
Example 17: User-specific Bandwidth Management Step1 Configure interfaces

To allow users on the enterprise network to access the Internet, you need to configure a Source NAT policy. For detailed configurations, see Example 1: Accessing the Internet Using a Static IP Address.

Set parameters for the interface connecting to the Internet. Set interface bandwidth parameters. Limit the total bandwidth to 20 Mbps. Set parameters for the interface connecting to the enterprise network.
Example 17: User-specific Bandwidth Management Step2 Configure user groups

You can create multiple groups as required. Create a user group for senior managers. Create a user group for the marketing department. Create a user group for the R&D department. Create a user group for product group 1. Create a user group for product group 2.

Example 17: User-specific Bandwidth Management Step3 Configure users

You can create multiple users for each user group as required. Create a senior manager user. Create a user for the marketing department. Create a user for product group 1. Create a user for product group 2.
Example 17: User-specific Bandwidth Management Step4 Configure a security policy

Configure a security policy to allow users in subnet 10.3.0.0/24 of the Trust zone to access the Internet.
Example 17: User-specific Bandwidth Management Step5 Configure traffic profiles for intranet users

You can set uplink bandwidth parameters based on service requirements, for example, limiting the file upload traffic.

Configure a traffic profile to limit the per-user maximum downlink bandwidth to 2 Mbps. Configure a traffic profile to limit the global downlink bandwidth. Configure a traffic profile to limit the global maximum downlink bandwidth to 5 Mbps. Configure a traffic profile to limit the global maximum downlink bandwidth to 2 Mbps. Configure a traffic profile to limit the global maximum downlink bandwidth to 2 Mbps.
Example 17: User-specific Bandwidth Management Step6 Configure traffic policies for intranet users

Configure the bandwidth policy based on service requirements. For example, if you want to limit traffic based on IP addresses, specify the source and destination address region, not users or user groups.

Configure a traffic policy for senior managers. Configure a traffic policy for the marketing department. Configure a traffic policy for the R&D department. Configure a traffic policy for product group 1. Configure a traffic policy for product group 2.
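Steps 5 and 6 attach traffic profiles at different levels of the user tree (the interface total from Step 1, a group maximum, a per-user maximum), and the data plan only makes sense once you see how those limits compose. The Python model below is an added example for this page; it is not the firewall's scheduler and not Huawei code. It builds the group tree from the data planning table, clips each user by the per-user maximum of its group, clips each group by its own maximum, and then shares each group's budget among its members max-min fairly (water filling), recursively down the tree. Guaranteed bandwidth is not modelled. The demand figures and the users user_0005 and user_0006 are constructed for the example; all function names are the example's own.

```python
# Added example: how the nested traffic-profile limits of the Example 17 data plan compose.

# Group tree from the data planning table (Mbps). "default" carries the 20 Mbps interface
# limit set in Step 1. None means no limit at that level. Guaranteed bandwidth is not modelled.
GROUPS = {
    "default":           {"parent": None,       "max": 20.0, "per_user_max": None},
    "manager":           {"parent": "default",  "max": 6.0,  "per_user_max": None},
    "research":          {"parent": "default",  "max": 5.0,  "per_user_max": None},
    "research_product1": {"parent": "research", "max": 2.0,  "per_user_max": None},
    "research_product2": {"parent": "research", "max": 2.0,  "per_user_max": None},
    "marketing":         {"parent": "default",  "max": 5.0,  "per_user_max": 2.0},
}


def water_fill(demands, total):
    """Max-min fair split of `total` over `demands` (nobody receives more than it asks for)."""
    alloc, pending, remaining = {}, dict(demands), float(total)
    while pending and remaining > 0:
        share = remaining / len(pending)
        satisfied = {k: d for k, d in pending.items() if d <= share}
        if not satisfied:                        # everyone left is bottlenecked: equal shares
            alloc.update({k: share for k in pending})
            return alloc
        for k, d in satisfied.items():           # grant the small demands, recycle the rest
            alloc[k], remaining = d, remaining - d
            del pending[k]
    alloc.update({k: 0.0 for k in pending})
    return alloc


def _children(group):
    return [g for g, spec in GROUPS.items() if spec["parent"] == group]


def _user_demands(group, users):
    """Demands of the users directly in `group`, clipped by the group's per-user maximum."""
    cap = GROUPS[group]["per_user_max"]
    return {u: (d if cap is None else min(d, cap)) for u, (g, d) in users.items() if g == group}


def effective_demand(group, users):
    """What a group can actually consume: member demand, clipped by its own maximum."""
    total = sum(_user_demands(group, users).values())
    total += sum(effective_demand(c, users) for c in _children(group))
    cap = GROUPS[group]["max"]
    return total if cap is None else min(total, cap)


def allocate(group, budget, users):
    """Recursively water-fill `budget` over the users and subgroups of `group`; returns Mbps per user."""
    cap = GROUPS[group]["max"]
    budget = budget if cap is None else min(budget, cap)
    demands = _user_demands(group, users)
    demands.update({c: effective_demand(c, users) for c in _children(group)})
    result = {}
    for member, share in water_fill(demands, budget).items():
        if member in GROUPS:                     # a subgroup: hand its share down the tree
            result.update(allocate(member, share, users))
        else:
            result[member] = share
    return result


# Constructed demand: the four users of the data plan plus two extra marketing users
# (user_0005 and user_0006 are made up for this example), each downloading as fast as it can.
DEMAND = {
    "user_0001": ("manager", 8.0),
    "user_0002": ("research_product1", 3.0),
    "user_0003": ("research_product2", 3.0),
    "user_0004": ("marketing", 3.0),
    "user_0005": ("marketing", 3.0),
    "user_0006": ("marketing", 3.0),
}

if __name__ == "__main__":
    for user, mbps in sorted(allocate("default", 20.0, DEMAND).items()):
        print(f"{user}: {mbps:.2f} Mbps ({mbps * 125:.1f} KB/s)")   # 1 Mbps = 125 KB/s
```

Running the script shows the senior manager held to the 6 Mbps group maximum, each product-group user held to 2 Mbps, and three marketing users sharing the 5 Mbps group maximum at about 1.67 Mbps each, below their 2 Mbps per-user cap; with only two marketing users online, the per-user cap binds instead and each gets 2 Mbps. The KB/s column uses the same 1 Mbps = 125 KB/s conversion as the verification step.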
Example 17: User-specific Bandwidth Management Step 7 Verify the configuration (1)

Rates reported by the FTP client in KB/s are converted at 1 Mbps = 1000 kbps = 125 KB/s.

1. A senior manager downloads files from the Internet using FileZilla or another FTP client. The download rate should not exceed 6 Mbps. Before the configuration, the download rate exceeds 6 Mbps (946.8 KB/s = 7.5744 Mbps). After the configuration, the download rate for the same file stays between 2 and 6 Mbps (567.0 KB/s = 4.536 Mbps).

[Screenshot] Before the configuration
[Screenshot] After the configuration

2. Marketing employees download files from the Internet using FileZilla or another FTP client. The per-user download rate should not exceed 2 Mbps. Before the configuration, the download rate exceeds 2 Mbps (946.8 KB/s = 7.5744 Mbps). After the configuration, the download rate for the same file does not exceed 2 Mbps (177.7 KB/s = 1.4216 Mbps).

[Screenshot] Before the configuration
[Screenshot] After the configuration
Example 17: User-specific Bandwidth Management Step 7 Verify the configuration (2)

3. Employees in product group 1 download files from the Internet using FileZilla or another FTP client. The download rate should not exceed 2 Mbps. Before the configuration, the download rate exceeds 2 Mbps (946.8 KB/s = 7.5744 Mbps). After the configuration, the download rate for the same file does not exceed 2 Mbps (175.8 KB/s = 1.4064 Mbps).

[Screenshot] Before the configuration
[Screenshot] After the configuration

4. Employees in product group 2 download files from the Internet using FileZilla or another FTP client. The download rate should not exceed 2 Mbps. Before the configuration, the download rate exceeds 2 Mbps (946.8 KB/s = 7.5744 Mbps). After the configuration, the download rate for the same file does not exceed 2 Mbps (190.8 KB/s = 1.5264 Mbps).

[Screenshot] Before the configuration
[Screenshot] After the configuration
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Networking Diagram

Trust zone (10.3.0.0/24) -- GE1/0/1 (10.3.0.1/24) -- Firewall -- GE1/0/3 (1.1.1.1/24) -- Untrust zone (Internet: QQ, P2P)

An enterprise allows employees to access the Internet but, for productivity reasons, requires that instant messaging software such as QQ be blocked and that P2P download traffic be limited to 3 Mbps.

Item                 | Data                        | Description
P2P traffic limiting | Maximum bandwidth: 3 Mbps   | 1 Mbps = 1000 kbps = 125 KB/s
Security policy      | Block the QQ protocol.      | -
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 1 Configure Interfaces

• Configure LAN interfaces.
• Configure WAN interfaces.
• To enable intranet users to access the Internet, also configure source NAT policies. For the configuration, see Example 1: Accessing the Internet Using a Static IP Address.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 2 Configure Traffic Profile

• Set the maximum global downlink bandwidth to 3 Mbps.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 3 Configure Traffic Policy

• Create a traffic policy that limits P2P download bandwidth to 3 Mbps.
• FileShare_P2P denotes P2P download; applications in this category include BT, eDonkey/eMule, and Thunder.
• You can limit specific P2P services as required, for example permitting BT download but denying eMule download.
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 4 Configure Security Policy

• Deny QQ for enterprise employees.
• Allow enterprise employees to access the Internet.

When multiple security policies exist in the same interzone, the device matches a flow against the policies one by one in list order, from top to bottom, and stops at the first policy that matches. So, when several policies cover overlapping traffic, you must order them so that the most specific policy (here, the one denying QQ) sits above the broader one (here, the one permitting all Internet access). If the broad permit policy is listed first, it matches the QQ traffic before the deny policy is ever reached, and the deny policy silently never takes effect.
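The following Python model is an added illustration, not Huawei code, of the first-match evaluation just described. It evaluates the two Step 4 policies in both orders and includes a simple shadowing check that flags a specific rule placed below a broader one that covers it. Rule names, the `application` field and the sample flows are constructed; treating an unmatched flow as denied assumes the device's out-of-the-box default action.

```python
"""Added illustration (not Huawei code) of the first-match rule evaluation described
in Example 18 Step 4: security policies in one interzone are checked top to bottom
and the first match decides. Rule names, the application field and the sample
flows are constructed; the default action of deny is an assumption matching the
device's out-of-the-box behaviour."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    application: Optional[str]  # as identified by application signatures, e.g. "QQ"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    action: str                        # "permit" or "deny"
    application: Optional[str] = None  # None matches any application

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone == flow.src_zone
                and self.dst_zone == flow.dst_zone
                and ip_address(flow.src_ip) in ip_network(self.src_net)
                and (self.application is None or self.application == flow.application))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` can match, this rule matches as well."""
        return (self.src_zone == other.src_zone
                and self.dst_zone == other.dst_zone
                and ip_network(other.src_net).subnet_of(ip_network(self.src_net))
                and self.application in (None, other.application))


DEFAULT_ACTION = "deny"  # assumption: implicit default at the end of the list


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return 'action (rule name)' of the first matching rule, or the default."""
    for rule in rules:
        if rule.matches(flow):
            return f"{rule.action} ({rule.name})"
    return f"{DEFAULT_ACTION} (default)"


def shadowed(rules: List[Rule]) -> Dict[str, str]:
    """Map each rule that can never match to the earlier rule that shadows it.
    This is the misordering the guide warns about: a broad permit placed above a
    specific deny silently disables the deny."""
    result: Dict[str, str] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                result[later.name] = earlier.name
                break
    return result


DENY_QQ = Rule("deny_qq", "trust", "untrust", "10.3.0.0/24", "deny", application="QQ")
PERMIT_INTERNET = Rule("permit_internet", "trust", "untrust", "10.3.0.0/24", "permit")

CORRECT_ORDER = [DENY_QQ, PERMIT_INTERNET]   # specific rule first, as in Step 4
WRONG_ORDER = [PERMIT_INTERNET, DENY_QQ]     # broad permit first: deny never fires

QQ_LOGIN = Flow("trust", "untrust", "10.3.0.10", "QQ")
WEB_BROWSING = Flow("trust", "untrust", "10.3.0.10", "HTTP")
OTHER_SUBNET = Flow("trust", "untrust", "10.4.0.5", "HTTP")


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "QQ:", evaluate(rules, QQ_LOGIN), "| shadowed:", shadowed(rules))
```

With the correct order the QQ login is denied and web browsing is permitted; with the permit rule on top the same QQ login is permitted and `shadowed()` reports `deny_qq` as unreachable, which is exactly the condition to check after editing a policy list.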
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ) Step 5 Verify the Configurations

1. Enterprise employees can access the Internet but cannot log in to QQ. The QQ client displays "Network time out. It may be caused by wrong configuration."

2. Enterprise employees use tools such as BT, eDonkey/eMule, and Thunder to download files from the Internet, and the download rate does not exceed 3 Mbps. For example, before the configuration, the BT download rate exceeds 3 Mbps (846.6 KB/s = 6.7728 Mbps). After the configuration, the download rate is held within 3 Mbps (268.5 KB/s = 2.148 Mbps).

[Screenshot] Before configuration
[Screenshot] After configuration
Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
