3.9 Firewall policy
3.9.1 Security policy, NAT policy
Figure 36: Firewall device topology diagram
Configuration steps: Configure IP addresses on interfaces G1/0/1 and G1/0/2, which connect the firewall to the external network, add the interfaces to the corresponding security zones, configure the firewall's security policies, and add NAT policies. Then configure the NAT address pools on the firewall according to the NAT address planning table and configure the source NAT policy.
FW5 configuration:
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 59.39.177.2 255.255.255.248
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 58.252.2.210 255.255.255.248
#
firewall zone name isp1 id 4
 set priority 6
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
 set priority 7
 add interface GigabitEthernet1/0/2
#
nat address-group isp1 0
 mode pat
 section 0 59.39.177.5 59.39.177.6
#
nat address-group isp2 1
 mode pat
 section 0 58.252.2.211 58.252.2.212
#
nat-policy
 rule name nat
  source-zone trust
  destination-zone isp1
  action source-nat address-group isp1
 rule name nat2
  source-zone trust
  destination-zone isp2
  action source-nat address-group isp2
#
FW6 configuration:
firewall zone name isp1 id 4
 set priority 6
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
 set priority 7
 add interface GigabitEthernet1/0/2
#
nat address-group isp1 0
 mode pat
 section 0 59.39.178.5 59.39.178.6
#
nat address-group isp2 1
 mode pat
 section 0 58.252.1.211 58.252.1.212
#
multi-interface
 mode proportion-of-weight
#
nat-policy
 rule name ipsec
  source-zone trust
  destination-zone isp2
  action no-nat
 rule name nat
  source-zone trust
  destination-zone isp1
  action source-nat address-group isp1
 rule name nat2
  source-zone trust
  destination-zone isp2
  action source-nat address-group isp2
#
3.9.2 IP-link linkage default route
Configuration steps: Enable the IP-link function on FW5. Create an ip-link named ISP1 whose probe destination is 59.39.177.1, and an ip-link named ISP2 whose probe destination is 58.252.2.209. Configure a default static route via 59.39.177.1 (ISP1) that tracks ip-link ISP1: if the probe detects that the ISP1 link has failed, this route is withdrawn and traffic switches to the backup route. Configure a default static route via 58.252.2.209 (ISP2) that tracks ip-link ISP2: if the probe detects that the ISP2 link has failed, this route is withdrawn and traffic switches to the backup route.
Enable the IP-link function on FW6. Create an ip-link named ISP1 whose probe destination is 59.39.178.1, and an ip-link named ISP2 whose probe destination is 58.252.1.209. Configure a default static route via 59.39.178.1 (ISP1) that tracks ip-link ISP1: if the probe detects that the ISP1 link has failed, this route is withdrawn and traffic switches to the backup route. Configure a default static route via 58.252.1.209 (ISP2) that tracks ip-link ISP2: if the probe detects that the ISP2 link has failed, this route is withdrawn and traffic switches to the backup route.
FW5 configuration command:
ip route-static 0.0.0.0 0.0.0.0 59.39.177.1 preference 50 track ip-link isp1
ip route-static 0.0.0.0 0.0.0.0 58.252.2.209 track ip-link isp2
#
FW6 configuration command:
ip route-static 0.0.0.0 0.0.0.0 59.39.178.1 preference 50 track ip-link isp1
ip route-static 0.0.0.0 0.0.0.0 58.252.1.209 track ip-link isp2
#
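To make the failover behaviour described above concrete, here is an added Python model (not part of the original configuration guide) that parses the FW5 route-static lines and works out which default route would be installed for a given set of ip-link states. The sample input is constructed from this section; the preference of 60 assumed for a route without an explicit preference is the usual platform default for static routes.

```python
import re

# Constructed sample input: the two tracked default routes configured on FW5 above.
FW5_ROUTES = """
ip route-static 0.0.0.0 0.0.0.0 59.39.177.1 preference 50 track ip-link isp1
ip route-static 0.0.0.0 0.0.0.0 58.252.2.209 track ip-link isp2
"""

# prefix, mask, next-hop, optional "preference N", optional "track ip-link NAME"
ROUTE_RE = re.compile(
    r"ip route-static (\S+) (\S+) (\S+)"
    r"(?: preference (\d+))?"
    r"(?: track ip-link (\S+))?$"
)

# Assumption: default static-route preference when none is given on the command line.
DEFAULT_PREFERENCE = 60


def parse_routes(text):
    """Turn route-static lines into dicts; lines that do not parse are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, mask, nexthop, pref, link = m.groups()
        routes.append({
            "prefix": prefix,
            "mask": mask,
            "nexthop": nexthop,
            "preference": int(pref) if pref else DEFAULT_PREFERENCE,
            "track": link,          # None when the route is not tied to an ip-link
        })
    return routes


def active_default_route(routes, link_state):
    """Return the next-hop installed for 0.0.0.0/0, or None if every path is down.

    link_state maps ip-link name -> True (probe succeeds) / False (probe fails).
    A route whose tracked ip-link is down (or unknown) is withdrawn; among the
    remaining candidates the lowest preference value wins, as on the firewall.
    """
    candidates = [
        r for r in routes
        if r["prefix"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
        and (r["track"] is None or link_state.get(r["track"], False))
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r["preference"])["nexthop"]
```

With both links up the ISP1 route (preference 50) is installed; when ip-link isp1 reports failure the ISP2 route (preference 60) takes over, and when both probes fail no default route remains.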
IP-link linkage default route