Basic configuration of a virtual system
Enable the virtual system function
Run the vsys enable command (in system view) to enable the virtual system function
vsys enable ---------------- enable virtual systems
Planning resources
Because the virtual systems created on the NGFW share the NGFW's resources, each virtual system must be limited by a resource class; otherwise one virtual system could consume so many resources that the others cannot obtain any and their services stop running.
Virtual system resources are allocated by planning the quantity of each resource item in a resource class and then binding the resource class to the virtual system. One resource class can be bound to several virtual systems at the same time.
When several virtual systems have the same resource requirements, the root system administrator only needs to configure one resource class for them. The resource class r0 is bound to the root system by default and cannot be deleted or renamed.
The "number of policies" item refers to the total number of all policies, including security policies, NAT policies, bandwidth policies, authentication policies, audit policies, and policy-based routes.
Create a resource class
resource-class vsysa ------------- the default resource class is r0
resource-item-limit session reserved-number 0 maximum 10000
resource-item-limit policy reserved-number 1000
resource-item-limit online-user reserved-number 0 maximum 1000
Create a virtual system
<NGFW> system-view
[NGFW] vsys name vsysa // create a virtual system named vsysa
[NGFW-vsysa] assign resource-class r0 // bind the resource class
Assign an interface or VLAN
Assign interfaces or VLANs to the virtual system according to the actual network plan. In interface assignment, the assignable interfaces are Layer 3 Ethernet interfaces and sub-interfaces not already used by another virtual system. In VLAN assignment, the Layer 2 interfaces or VLANIF interfaces that belong to the assigned VLAN are allocated to the corresponding virtual system together with that VLAN.
Bind a resource class to the virtual system
vsys name vsysa 1
assign resource-class vsysa
Assign an interface to the virtual system
vsys name vsysa 1
assign interface GigabitEthernet0/0/2
Note on the virtual interface: it does not need an IP address, but it must be added to a zone.
Configuration commands inside the virtual firewall:
switch vsys vsysa -------------- enter the virtual system firewall
interface GigabitEthernet0/0/2
ip address 10.1.1.10 255.255.255.0
firewall zone trust
add interface GigabitEthernet0/0/2
firewall zone untrust
set priority 5
add interface Virtualif1 ------------ the virtual interface must be added to a zone; an IP address is optional.
Interface and VLAN allocation principles
At Layer 3, traffic is distributed by interface: the binding between an interface and a virtual system determines which virtual system the traffic enters.
At Layer 2, traffic is distributed by VLAN: the binding between a VLAN and a virtual system determines which virtual system processes the traffic.
Create an administrator
If the virtual system needs to be managed by a dedicated administrator, enter the virtual system and create a virtual system administrator.
The user name of the virtual system administrator must carry the suffix "@<virtual system name>". If a third-party authentication server authenticates the virtual system administrator, the user name configured on the authentication server does not carry that suffix: for example, when the server authenticates the administrator admin@vsysa of the virtual system VSYSA, the user name configured on the server should be admin.
On the command line, in addition to the basic configuration shown above, trusted hosts are configured by binding an ACL to the administrator, and the administrator can also be bound to the system-admin role. A configuration example follows.
[NGFW] switch vsys vsysa
[NGFW-vsysa] aaa
[NGFW-vsysa-aaa] manager-user admin@vsysa
[NGFW-vsysa-aaa-manager-user-admin@vsysa] password cipher Vsysadmin@123
[NGFW-vsysa-aaa-manager-user-admin@vsysa] level 3
[NGFW-vsysa-aaa-manager-user-admin@vsysa] service-type telnet
[NGFW-vsysa] acl 2001
[NGFW-vsysa-acl-basic-2001] rule permit source 10.3.0.99 0.0.0.0
[NGFW-vsysa-acl-basic-2001] quit
[NGFW-vsysa] aaa
[NGFW-vsysa-aaa] manager-user admin@vsysa
[NGFW-vsysa-aaa-manager-user-admin@vsysa] acl-number 2001 // bind the trusted host
[NGFW-vsysa-aaa] bind manager-user admin@vsysa role system-admin // bind the virtual system administrator to the system-admin role
Communication between the virtual system and the root system
The virtual system accesses the external network through the root system.
Routes
A. The route from the virtual firewall to the root firewall:
ip route-static X.X.X.X X.X.X.X public
B. The return route, from the root firewall back to the virtual system:
ip route-static X.X.X.X X.X.X.X ***-instance <name of the virtual system>
Security policy
- The virtual system and the root firewall each permit traffic with their own security policies, configured independently.
- No security policy is required between the virtual system and the root firewall (the traffic between the virtual interfaces does not need to be considered).
Packet forwarding process
An access request sent by a user is first looked up in the VSYSA routing table, which forwards the packet to the root system; the root system then looks up its own routing table and forwards the packet to the Internet.
Routing configuration
a) Configure a static route in VSYSA with destination address 3.3.3.3 and the destination virtual system set to root.
b) Configure a static route in the root system with destination address 3.3.3.3, outbound interface GE1/0/1, and the next hop set to the gateway address provided by the carrier. This completes the forward route.
c) Configure a static route in the root system with destination address 10.3.0.0/24 and the destination virtual system set to VSYSA.
d) Configure a static route in VSYSA with destination address 10.3.0.0/24 and outbound interface GE1/0/2. This completes the reverse route.
Enter the virtual system and configure the route to the external network and the route to the virtual system's user resources:
[NGFW] switch vsys vsysa
[NGFW-vsysa] ip route-static 3.3.3.3 32 public
[NGFW-vsysa] ip route-static 10.3.0.0 24 GigabitEthernet 1/0/2
Configure the route to the server and the route to the virtual system in the root system:
[NGFW] ip route-static 3.3.3.3 32 1.1.1.254
[NGFW] ip route-static 10.3.0.0 24 ***-instance vsysa
The security policy is configured as follows:
a) In VSYSA, add interface GE1/0/2 to the Trust zone and Virtualif1 to the Untrust zone, and configure a security policy that allows the Trust zone to access the Untrust zone.
b) In the root system, add interface GE1/0/1 to the Untrust zone and Virtualif0 to the Trust zone, and configure a security policy that allows the Trust zone to access the Untrust zone.
c) After the above routing and security policy configuration, packets are forwarded normally. However, the intranet hosts use the private network 10.3.0.0/24, so for them to access the Internet a NAT policy must also be configured in VSYSA or in root to translate between private and public addresses. Which virtual system holds the NAT policy depends on which virtual system's administrator manages and uses the public addresses.
Access between two virtual systems
When two virtual systems need to access each other's services, the access is relayed through the root system. Once the configuration of access between a virtual system and the root system is understood, access between virtual systems is straightforward: configure access between each of the two virtual systems and the root system.
Packet forwarding process
For a user in VSYSA to access a server in VSYSB, the traffic goes from VSYSA to the root system and from the root system to VSYSB. The root system acts as a router that connects the two virtual systems and relays packets between them. The routing tables consulted during forwarding are, in order, the VSYSA routing table, the root system routing table, and the VSYSB routing table.
The routes are configured as follows:
a) Configure a static route in VSYSA with destination address 10.3.1.3 and the destination virtual system set to root.
b) Configure a static route in the root system with destination address 10.3.1.3 and the destination virtual system set to VSYSB.
c) Configure a static route in VSYSB with destination address 10.3.1.3 and outbound interface GE1/0/3. This completes the forward route.
d) Configure a static route in VSYSB with destination address 10.3.0.0/24 and the destination virtual system set to root.
e) Configure a static route in the root system with destination address 10.3.0.0/24 and the destination virtual system set to VSYSA.
f) Configure a static route in VSYSA with destination address 10.3.0.0/24 and outbound interface GE1/0/2. This completes the reverse route.
Configure the route from vsysa to the external network and the route to the virtual system's user resources:
[NGFW-vsysa] ip route-static 10.3.1.0 24 public
[NGFW-vsysa] ip route-static 10.3.0.0 24 GigabitEthernet 1/0/2
Configure the route from vsysb to the external network and the route to the virtual system's user resources:
[NGFW-vsysb] ip route-static 10.3.0.0 24 public
[NGFW-vsysb] ip route-static 10.3.1.0 24 GigabitEthernet 1/0/3
Configure the routes between VSYSA and VSYSB in the root system:
[NGFW] ip route-static 10.3.0.0 24 ***-instance vsysa
[NGFW] ip route-static 10.3.1.0 24 ***-instance vsysb
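The three-table lookup chain described above (VSYSA table, root table, VSYSB table) as an added simulation, not code from the original notes or the NGFW: the routing tables are constructed from the static routes shown, "public" hands a packet to root, and the instance keyword is written with the same "***-instance" token the notes use. It also shows why both the forward and the reverse route are needed, by checking that the return path resolves.

```python
import ipaddress

# Constructed routing tables mirroring the VSYSA <-> root <-> VSYSB example above.
# "public" hands the packet to the root system; "***-instance <name>" hands it
# to that virtual system; anything else is treated as an egress interface name.
ROUTES = {
    "vsysa": {"10.3.1.0/24": "public", "10.3.0.0/24": "GigabitEthernet1/0/2"},
    "root":  {"10.3.0.0/24": "***-instance vsysa", "10.3.1.0/24": "***-instance vsysb"},
    "vsysb": {"10.3.0.0/24": "public", "10.3.1.0/24": "GigabitEthernet1/0/3"},
}


def lookup(table, dst):
    """Longest-prefix match of dst in one vsys routing table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def forward(routes, start, dst, max_hops=8):
    """Follow the lookup chain from vsys `start`; return (vsys path, egress interface)."""
    path, vsys = [start], start
    for _ in range(max_hops):
        target = lookup(routes.get(vsys, {}), dst)
        if target is None:
            return path, None            # route missing in this vsys: packet is dropped
        if target == "public":
            vsys = "root"
        elif target.startswith("***-instance "):
            vsys = target.split(" ", 1)[1]
        else:
            return path, target          # reached an egress interface
        path.append(vsys)
    return path, None                    # loop guard


def check_bidirectional(routes, src_vsys, src_ip, dst_vsys, dst_ip):
    """Both directions must resolve, and each must end in the other side's vsys."""
    fwd_path, fwd_if = forward(routes, src_vsys, dst_ip)
    rev_path, rev_if = forward(routes, dst_vsys, src_ip)
    return (fwd_if is not None and rev_if is not None
            and fwd_path[-1] == dst_vsys and rev_path[-1] == src_vsys)
```

Deleting the root system's route to 10.3.0.0/24 makes the return direction fail in root, which is the symptom of a missing reverse route on the real device.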
The security policy is configured as follows:
a) In VSYSA, add interface GE1/0/2 to the Trust zone and Virtualif1 to the Untrust zone, and configure a security policy that allows the Trust zone to access the Untrust zone.
b) In VSYSB, add interface GE1/0/3 to the Trust zone and Virtualif2 to the Untrust zone, and configure a security policy that allows the Untrust zone to access the Trust zone.
c) With the access between VSYSA and root understood, configure the security policy and routes from root to VSYSB to complete the mutual access between VSYSA and VSYSB.
d) Note that the root system only forwards packets between virtual systems according to its routing table and applies no other security functions, so no security policy needs to be configured for these packets in the root system.
Configuration case
Requirements: create two virtual firewalls, vsysa and vsysb, whose internal networks can communicate with each other.
Configure the vsysb resource class so that sessions have a guaranteed (reserved) number of 10000 and a maximum of 50000, and create a virtual system administrator userb.
Configure NAT on the root firewall so that the virtual firewalls and their internal networks can access the Internet.
Step 1: Basic configuration (IP addresses, zones, routing, NAT)
Step 2: Configure the virtual systems
A. Enable the virtual system function
vsys enable
B. Create resource classes (the default is r0)
resource-class vsysa
resource-item-limit session reserved-number 0 maximum 10000
resource-item-limit policy reserved-number 1000
resource-item-limit online-user reserved-number 0 maximum 1000
#
resource-class vsysb
resource-item-limit session reserved-number 10000 maximum 50000
Check:
[FW1]display resource resource-usage
16:14:03 2019/07/27
Resource usage information table:root (r0)
----------------------------------------------------------------------------
                      Reserved-Number  Maximum   Actual-Usage  Global-Number
session               0                500000    14            500000
policy                0                3000      2             3000
online-user           0                2000      0             2000
user                  0                2000      1             2000
user-group            0                256       1             256
security-group        0                5000      17            5000
bandwidth-ingress     0                10000000  0             10000000
ssl-***-concurrent    0                100       0             100
session-rate          0                30000     0             30000
dhcps-dynamic-lease   0                15000     1             15000
dhcps-static-lease    0                5000      0             5000
----------------------------------------------------------------------------
Resource usage information table:vsysa (vsysa)
----------------------------------------------------------------------------
                      Reserved-Number  Maximum   Actual-Usage  Global-Number
session               0                200000    11            500000
policy                0                3000      2             3000
online-user           0                1000      0             2000
user                  0                2000      0             2000
user-group            0                256       0             256
security-group        0                5000      0             5000
bandwidth-ingress     0                10000000  0             10000000
ssl-***-concurrent    0                100       0             100
session-rate          0                30000     0             30000
dhcps-dynamic-lease   0                15000     0             15000
dhcps-static-lease    0                5000      0             5000
----------------------------------------------------------------------------
Resource usage information table:vsysb (vsysb)
----------------------------------------------------------------------------
                      Reserved-Number  Maximum   Actual-Usage  Global-Number
session               10000            50000     17            500000
policy                0                3000      3             3000
online-user           0                2000      0             2000
user                  0                2000      0             2000
user-group            0                256       0             256
security-group        0                5000      0             5000
bandwidth-ingress     0                10000000  96            10000000
ssl-***-concurrent    0                100       0             100
session-rate          0                30000     0             30000
dhcps-dynamic-lease   0                15000     0             15000
dhcps-static-lease    0                5000      0             5000
----------------------------------------------------------------------------
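An added check script, not part of the original notes or of the NGFW software, that parses the "display resource resource-usage" output format shown above and applies the resource-planning rule from the start of these notes: the reserved quotas of all virtual systems for one item must fit in the global pool, and a virtual system running close to its maximum is about to have its services throttled. The sample output is constructed (trimmed to two items per table) and the 90% warning threshold is an assumption.

```python
import re

# Constructed sample in the format of the NGFW "display resource resource-usage"
# output shown above, trimmed to two items per table; not captured from a device.
SAMPLE_OUTPUT = """\
Resource usage information table:root (r0)
                    Reserved-Number  Maximum   Actual-Usage  Global-Number
session             0                500000    14            500000
policy              0                3000      2             3000
Resource usage information table:vsysa (vsysa)
                    Reserved-Number  Maximum   Actual-Usage  Global-Number
session             0                10000     9800          500000
policy              1000             3000      2             3000
Resource usage information table:vsysb (vsysb)
                    Reserved-Number  Maximum   Actual-Usage  Global-Number
session             10000            50000     17            500000
policy              2500             3000      3             3000
"""

HEADER_RE = re.compile(r"^Resource usage information table:(\S+) \((\S+)\)")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_resource_usage(text):
    """Return {vsys: {item: (reserved, maximum, actual, global)}}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = ROW_RE.match(line)          # column-header and dashed lines do not match
        if m and current is not None:
            tables[current][m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return tables


def audit(tables, warn_ratio=0.9):
    """Flag reserved quotas that together exceed the global pool (over-commitment)
    and any vsys whose actual usage is at or above warn_ratio of its maximum."""
    findings = []
    for item in sorted({item for table in tables.values() for item in table}):
        rows = {v: t[item] for v, t in tables.items() if item in t}
        reserved_total = sum(r[0] for r in rows.values())
        global_number = max(r[3] for r in rows.values())
        if reserved_total > global_number:
            findings.append(f"{item}: reserved total {reserved_total} exceeds global {global_number}")
        for vsys, (_reserved, maximum, actual, _global) in rows.items():
            if maximum and actual >= warn_ratio * maximum:
                findings.append(f"{vsys}/{item}: usage {actual} is at or above {warn_ratio:.0%} of maximum {maximum}")
    return findings
```

On the constructed sample the policy reservations (1000 + 2500) cannot both be honoured out of a global pool of 3000, and vsysa's session usage is close to its 10000 cap; the same script run on real output would report the corresponding items.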
C. Create the virtual systems, bind resource classes, and assign interfaces
vsys name vsysa 1 ------------------------------- name it; a matching ***-instance is generated automatically
assign resource-class vsysa ---------------------- bind the resource class
assign interface GigabitEthernet0/0/2 ------------- assign the interface; the root firewall binds it to the ***-instance automatically
#
vsys name vsysb 2
assign resource-class vsysb
assign interface GigabitEthernet0/0/3
Step 3: Enter the virtual system and configure it
Example: VSYSA
switch vsys vsysa ------------------- enter virtual system vsysa
A. Configure the IP address and zones
interface GigabitEthernet0/0/2
ip address 10.1.1.10 255.255.255.0
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
firewall zone untrust
set priority 5
add interface Virtualif1
Note: the virtual interface does not need an IP address, but it must be added to a zone.
B. Configure routing
Route from the virtual system to the root system:
ip route-static 0.0.0.0 0.0.0.0 public
Note: this default route also covers routing to the other virtual systems.
C. Configure the security policy
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
action permit
Note: this only permits access from the virtual system towards the root system.
Step 4: Configure the root firewall
The root firewall's Virtualif0 must also be added to a zone:
firewall zone trust
add interface Virtualif0
Configure routes to the respective virtual systems:
ip route-static 10.1.1.0 255.255.255.0 ***-instance vsysa
ip route-static 10.1.2.0 255.255.255.0 ***-instance vsysb
Step 5: Test that each virtual system can access the Internet through the root firewall
[FW1-vsysa]display firewall session ta
10:11:09 2019/12/08
Current Total Sessions : 4
udp ***:vsysa --> vsysa 10.1.1.1:63268-->180.163.26.34:8000
https ***:vsysa --> vsysa 10.1.1.1:49329-->54.213.71.156:443
udp ***:vsysa --> vsysa 10.1.1.1:58639-->180.163.26.34:8000
http ***:vsysa --> vsysa 10.1.1.1:49489-->180.163.21.35:80
[FW1-vsysb]display firewall session ta
10:14:09 2019/12/08
Current Total Sessions : 3
https ***:vsysb --> vsysb 10.1.2.1:49319-->13.35.50.72:443
netbios-name ***:vsysb --> vsysb 169.254.232.174:137-->169.254.255.255:137
http ***:vsysb --> vsysb 10.1.2.1:49252-->104.85.245.85:80
Step 6: Mutual access between the virtual systems
Routing is already solved (by the default route configured earlier).
Security policy
Both virtual systems need a security policy that permits traffic from outside (untrust) to inside (trust):
security-policy
rule name untrust_trust
source-zone untrust
destination-zone trust
action permit