firewall security policy


Experimental diagram

 1. Configure the firewall graphical interface

        Add the UDP port first

        Add the network card for the management network segment

 Notice:

        The network card for this network segment lives on the Windows host, so Windows can reach the firewall through it.

        Do the port mapping: select the bidirectional channel and click Add.

 Notice:

        A newly purchased firewall normally has a management port with its own IP address. On Huawei equipment, only the firewall's GigabitEthernet0/0/0 port is a trusted (management) port by default, and its IP address is 192.168.0.1.

        Start firewall FW1

After a successful start you are prompted for the Username and Password.

The Huawei default username and password are:

        Username: admin

        Password: Admin@123

After a successful login you are prompted to change the password:

The password needs to be changed. Change now? [Y/N]: y
Please enter old password: 
Please enter new password: 
Please confirm new password: 

 Info: Your password has been changed. Save the change to survive a reboot. 
*************************************************************************
*         Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************


<USG6000V1>
Mar 17 2023 08:22:41 USG6000V1 SNMPADAPT/4/UPDATE_SUCCESS:OID 1.3.6.1.4.1.2011.6
.122.76.2.1 Succeed in updating database. (Module= "LOCATION-SDB", Pre-UpdateVer
sion= "0", UpdateVersion= "2018061815")
<USG6000V1>

         Find the default IP address of the firewall's GE0/0/0 port

<USG6000V1>system-view 
Enter system view, return user view with Ctrl+Z.
[USG6000V1]int g 0/0/0
[USG6000V1-GigabitEthernet0/0/0]display this 
2023-03-17 08:25:48.180 
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default ---- VPN setting: this port is isolated into its own VPN instance
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
return
[USG6000V1-GigabitEthernet0/0/0]

        Change the address so that it is on the same network segment as the address of the loopback adapter

[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.160.1 24
[USG6000V1-GigabitEthernet0/0/0]
Mar 17 2023 08:45:36 USG6000V1 %%01FRAG/4/FRAG_PKT_EXCEED_THRESHOLD(l)[13]:The t
otal number of cached packet fragments on SPU 11 CPU 0 is 64, exceeding threshol
d value 64.

        Permit management access on the interface (the HTTPS GUI and the other management services)

[USG6000V1-GigabitEthernet0/0/0]service-manage all permit 

        Test

         Enter the access address of the graphical interface

         Log in with the username and password you just set

 2. Configure the untrust zone

        Click Network to enter the interface page

        Configure the GE1/0/0 interface

 Notice:

        If you fill in the gateway field, a default route is generated automatically. Normally you leave it blank and configure the default route yourself.

        R1 configuration

<Huawei>sys
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[ISp]sysname ISP
[ISP]int g 0/0/0	
[ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 24
Mar 17 2023 18:04:30-08:00 ISP %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
 on the interface GigabitEthernet0/0/0 has entered the UP state. 
[ISP-GigabitEthernet0/0/0]q
[ISP]int g 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 200.1.1.1 24
Mar 17 2023 18:04:56-08:00 ISP %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
 on the interface GigabitEthernet0/0/1 has entered the UP state. 
[ISP-GigabitEthernet0/0/1]

        Configuration of Server2 behind R1

         Enable the HTTP service

         Test: ping the firewall at 100.1.1.1

[ISP]ping 100.1.1.1
  PING 100.1.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 100.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[ISP]

The ping fails:

        Reason: access is not permitted by default (the service has not been released on the firewall interface)

How to make the test pass:

        Configure the GE0/0/1 port

[ISP]ping 100.1.1.1
  PING 100.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 100.1.1.1: bytes=56 Sequence=1 ttl=255 time=20 ms
    Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 100.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/12/20 ms

        Configure the default route

         Create new

 2. Configure the trust area

         Configure the GE1/0/1 interface

         LSW1 configuration

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname LSW1
[LSW1]
Mar 17 2023 18:23:07-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 4, the 
change loop count is 0, and the maximum number of records is 4095.
[LSW1]vlan 2
[LSW1-vlan2]
Mar 17 2023 18:24:47-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 5, the 
change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/1]port default vlan 2
[LSW1-GigabitEthernet0/0/1]
Mar 17 2023 18:40:31-08:00 LSW1 %%01IFNET/4/IF_STATE(l)[2]:Interface Vlanif1 has
 turned into DOWN state.
Mar 17 2023 18:40:31-08:00 LSW1 %%01IFNET/4/IF_STATE(l)[3]:Interface Vlanif2 has
 turned into UP state.
Mar 17 2023 18:40:31-08:00 LSW1 %%01IFNET/4/LINK_STATE(l)[4]:The line protocol I
P on the interface Vlanif2 has entered the UP state.
[LSW1-vlan2]q
[LSW1]int g 0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access 
Mar 17 2023 18:25:47-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 6, the 
change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/1]q
[LSW1]int Vlanif 2
[LSW1-Vlanif2]ip address 10.1.255.1 24
[LSW1-Vlanif2]q
Mar 17 2023 18:26:57-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 7, the 
change loop count is 0, and the maximum number of records is 4095.

        Configure the gateway of PC1 on LSW1

[LSW1]vlan 3
[LSW1-vlan3]q
Mar 17 2023 18:27:57-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 8, the 
change loop count is 0, and the maximum number of records is 4095.
[LSW1]int Vlanif 3
[LSW1-Vlanif3]ip address 10.1.3.1 24
[LSW1-Vlanif3]q
Mar 17 2023 18:28:17-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 9, the 
change loop count is 0, and the maximum number of records is 4095.
[LSW1]int g 0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access 
Mar 17 2023 18:28:47-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 10, the
 change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/2]port default vlan 3
[LSW1-GigabitEthernet0/0/2]
Mar 17 2023 18:28:54-08:00 LSW1 %%01IFNET/4/IF_STATE(l)[0]:Interface Vlanif3 has
 turned into UP state.
Mar 17 2023 18:28:54-08:00 LSW1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol I
P on the interface Vlanif3 has entered the UP state.
Mar 17 2023 18:28:57-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
5.191.3.1 configurations have been changed. The current change number is 11, the
 change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/2]

        PC1 configuration

        Test

         Enable ping

[LSW1]ping 10.1.255.2
  PING 10.1.255.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.255.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.1.255.2: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 10.1.255.2: bytes=56 Sequence=3 ttl=255 time=50 ms
    Reply from 10.1.255.2: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 10.1.255.2: bytes=56 Sequence=5 ttl=255 time=40 ms

  --- 10.1.255.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/46/50 ms

[LSW1]

        Configure the return route

         Test

 3. Configure the DMZ area

        Configure the GE1/0/2 interface

 Notice:

        The GE1/0/3 interface is configured the same way as GE1/0/2

        Interface aggregation configuration

 Notice:

        Generally, when one gateway (VLAN) is carried on the link choose Access; when two gateways are carried choose Trunk

         Configure interface aggregation on LSW2

[DMZ]int Eth-Trunk 1
[DMZ-Eth-Trunk1]trunkport g 0/0/1
[DMZ-Eth-Trunk1]
[DMZ-Eth-Trunk1]trunkport g 0/0/2
[DMZ-Eth-Trunk1]port link-type trunk 
[DMZ-Eth-Trunk1]
[DMZ-Eth-Trunk1]port trunk allow-pass vlan 10 to 11
[DMZ-Eth-Trunk1]
[DMZ-Eth-Trunk1]vlan 10
[DMZ-vlan10]vlan 11
[DMZ-vlan11]q
[DMZ]int g 0/0/4
[DMZ-GigabitEthernet0/0/4]port link-type access 
[DMZ-GigabitEthernet0/0/4]port default vlan 10
[DMZ-GigabitEthernet0/0/4]
[DMZ-GigabitEthernet0/0/4]int g 0/0/3
[DMZ-GigabitEthernet0/0/3]port link-type access 
[DMZ-GigabitEthernet0/0/3]port default vlan 11
[DMZ-GigabitEthernet0/0/3]

        Create a Layer 3 port for the DMZ on the firewall

         Test

 4. Inter-zone communication

        Configure the routing policy

 5. Configure the interface pair

        Configure the GE1/0/4 port

 Notice:

        The GE1/0/5 port is configured the same as the GE1/0/4 port

        Create the interface pair

6. Firewall security policy configuration (trust-to-untrust)

         Create a new security policy

        Configure the source address

        Configure the return-packet route on AR1

[ISP]ip route-static 0.0.0.0 0 100.1.1.1

        Configure the return-packet route on LSW1

[LSW1]ip route-static 0.0.0.0 0 10.1.255.2

        Test

 7. Firewall security policy configuration (trust-to-DMZ)

        Define address groups

         Create a security policy (trust-to-dmz)

         Test

 8. Firewall security policy configuration (untrust-to-DMZ)

        Define the address

         Create a security policy (untrust-to-dmz)

         Test

Overall test
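As an added example (not part of this write-up and not a Huawei tool), the policy logic of sections 6 to 8 modelled in Python: each interface maps to a zone, the three permit rules are tried in order, anything unmatched falls to the default deny, and return traffic is admitted by session state rather than by a reverse rule. The DMZ server address 172.16.10.10 and the HTTP-only restriction on the untrust-to-dmz rule are assumptions; the lab does not state them.

```python
# Model of the interzone policy set from sections 6 to 8: first match wins,
# unmatched traffic hits the default deny, replies pass on session state.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Interface -> security zone, as assigned in the firewall GUI in this lab.
ZONE_OF_INTERFACE = {
    "GE1/0/0": "untrust",  # towards ISP (R1) on 100.1.1.0/24
    "GE1/0/1": "trust",    # towards LSW1 on 10.1.255.0/24
    "GE1/0/2": "dmz",      # Eth-Trunk members towards LSW2
    "GE1/0/3": "dmz",
}

# Address groups for sections 7 and 8. The trust LAN 10.1.3.0/24 is PC1's
# segment from the lab; the DMZ server 172.16.10.10 is a constructed value.
ADDRESS_GROUPS = {
    "trust_lan": [ip_network("10.1.3.0/24")],
    "dmz_servers": [ip_network("172.16.10.10/32")],
    "any": [ip_network("0.0.0.0/0")],
}

# services is a set of (proto, dst_port); an empty set means any service.
Rule = namedtuple("Rule", "name src_zone dst_zone src_group dst_group services action")
# Policies from sections 6, 7 and 8 in match order. Limiting untrust-to-dmz
# to HTTP is a constructed choice; the lab does not state the service.
POLICY = [
    Rule("trust-to-untrust", "trust", "untrust", "trust_lan", "any", frozenset(), "permit"),
    Rule("trust-to-dmz", "trust", "dmz", "trust_lan", "dmz_servers", frozenset(), "permit"),
    Rule("untrust-to-dmz", "untrust", "dmz", "any", "dmz_servers", frozenset({("tcp", 80)}), "permit"),
]

def in_group(addr: str, group: str) -> bool:
    return any(ip_address(addr) in net for net in ADDRESS_GROUPS[group])

def evaluate(in_if, out_if, src, dst, proto, dst_port, sessions: set) -> str:
    """Decide one packet. `sessions` records (src, dst, proto) of permitted
    flows; the reverse direction is a reply (ports are ignored here)."""
    if (dst, src, proto) in sessions:
        return "permit (session)"
    zones = (ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if])
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != zones or not (
                in_group(src, r.src_group) and in_group(dst, r.dst_group)):
            continue
        if r.services and (proto, dst_port) not in r.services:
            continue
        if r.action == "permit":
            sessions.add((src, dst, proto))
        return f"{r.action} ({r.name})"
    return "deny (default)"  # implicit action for unmatched interzone traffic
```

A host on 10.1.255.0/24 (the firewall-LSW1 link, not in the trust_lan group) is denied towards untrust, which is why the lab's source address in section 6 matters.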


Origin blog.csdn.net/qq_57289939/article/details/129622891