设为首页收藏本站
开启辅助访问

华为 USG6000防火墙配置镜像模式双机热备

 您所在的位置:网站首页 防火墙接口模式 华为 USG6000防火墙配置镜像模式双机热备

华为 USG6000防火墙配置镜像模式双机热备

2024-01-20 05:26| 来源: 网络整理| 查看: 265

网络拓扑

要求:

企业前期是一台防火墙,为了提高网络可靠性,并且在不影响原先防火墙配置情况下,新增一台防火墙做双机热备。两台FW的业务接口都工作在三层,下行为三层核心交换机。上行为二层交换机连接运营商的接入点,运营商为企业分配的IP地址为100.1.1.1-100.1.1.6

配置思路:

两台防火墙型号必须要求一样,配置镜像模式前需要先完成双机热备的网络连接和基本配置,但是不需要配置业务接口和路由等。

在两台FW上分别完成双机热备基本配置,包括VGMP组监控业务接口(hrp track interface)、心跳口配置和启用双机热备功能。在两台FW上启用镜像模式,并进行手工批量备份。在其中一台FW完成网络配置,保证内网用户能够访问Internet。镜像模式形成后,所有配置(包括接口和路由等配置)都只需在一台FW上配置即可,配置会自动备份到另外一台FW。 一、双机热备前配置

1、PC和server配置

2、接入层交换机SW5配置

system-view [Huawei]sysname SW5 [SW5]vlan batch 10 20 [SW5]interface GigabitEthernet 0/0/4 [SW5-GigabitEthernet0/0/4]port link-type access [SW5-GigabitEthernet0/0/4]port default vlan 10 [SW5-GigabitEthernet0/0/4]quit [SW5]interface GigabitEthernet 0/0/5 [SW5-GigabitEthernet0/0/5]port link-type access [SW5-GigabitEthernet0/0/5]port default vlan 20 [SW5-GigabitEthernet0/0/5]quit [SW5]interface GigabitEthernet 0/0/2 [SW5-GigabitEthernet0/0/2]port link-type trunk [SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all [SW5-GigabitEthernet0/0/2]quit [SW5]interface GigabitEthernet 0/0/3 [SW5-GigabitEthernet0/0/3]port link-type trunk [SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan all [SW5-GigabitEthernet0/0/3]quit

3、核心交换机配置

SW3

system-view [Huawei]sysname SW3 [SW3]vlan batch 10 20 30 [SW3]interface Vlanif 10 [SW3-Vlanif10]ip address 192.168.10.252 24 [SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 [SW3-Vlanif10]vrrp vrid 10 priority 101 [SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif10]quit [SW3]interface Vlanif 20 [SW3-Vlanif20]ip address 192.168.20.252 24 [SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 [SW3-Vlanif20]vrrp vrid 20 priority 101 [SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif20]quit [SW3]interface Vlanif 30 [SW3-Vlanif30]ip address 192.168.30.252 24 [SW3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 [SW3-Vlanif30]vrrp vrid 30 priority 101 [SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif30]quit [SW3]interface Eth-Trunk 1 [SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/7 [SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/8 [SW3-Eth-Trunk1]port link-type trunk [SW3-Eth-Trunk1]port trunk allow-pass vlan all [SW3-Eth-Trunk1]quit [SW3]interface GigabitEthernet 0/0/2 [SW3-GigabitEthernet0/0/2]port link-type trunk [SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan all [SW3-GigabitEthernet0/0/2]quit [SW3]interface GigabitEthernet 0/0/1 [SW3-GigabitEthernet0/0/1]port link-type access [SW3-GigabitEthernet0/0/1]port default vlan 30 [SW3-GigabitEthernet0/0/1]quit [SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

SW4

system-view [Huawei]sysname SW4 [SW4]vlan batch 10 20 30 [SW4]interface Vlanif 10 [SW4-Vlanif10]ip address 192.168.10.253 24 [SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 [SW4-Vlanif10]quit [SW4]interface Vlanif 20 [SW4-Vlanif20]ip address 192.168.20.253 24 [SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 [SW4-Vlanif20]quit [SW4]interface Vlanif 30 [SW4-Vlanif30]ip address 192.168.30.253 24 [SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 [SW4-Vlanif30]quit [SW4]interface Eth-Trunk 1 [SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/7 [SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/8 [SW4-Eth-Trunk1]port link-type trunk [SW4-Eth-Trunk1]port trunk allow-pass vlan all [SW4-Eth-Trunk1]quit [SW4]interface GigabitEthernet 0/0/3 [SW4-GigabitEthernet0/0/3]port link-type trunk [SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan all [SW4-GigabitEthernet0/0/3]quit [SW4]interface GigabitEthernet 0/0/1 [SW4-GigabitEthernet0/0/1]port link-type access [SW4-GigabitEthernet0/0/1]port default vlan 30 [SW4-GigabitEthernet0/0/1]quit [SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

4、防火墙FW1配置

system-view [USG6000V1]sysname FW1 [FW1]interface GigabitEthernet 1/0/1 [FW1-GigabitEthernet1/0/1]ip address 192.168.30.12 24 [FW1-GigabitEthernet1/0/1]service-manage ping permit [FW1-GigabitEthernet1/0/1]quit [FW1]interface GigabitEthernet 1/0/0 [FW1-GigabitEthernet1/0/0]ip address 100.1.1.1 29 [FW1-GigabitEthernet1/0/0]service-manage ping permit [FW1-GigabitEthernet1/0/0]quit 安全区域 [FW1]firewall zone trust [FW1-zone-trust]add interface GigabitEthernet 1/0/1 [FW1-zone-trust]quit [FW1]firewall zone untrust [FW1-zone-untrust]add interface GigabitEthernet 1/0/0 [FW1-zone-untrust]quit NAT地址池 [FW1]nat address-group nat_group [FW1-address-group-nat_group]section 0 100.1.1.3 [FW1-address-group-nat_group]quit NAT转发 [FW1]nat-policy [FW1-policy-nat]rule name nat_policy1 [FW1-policy-nat-rule-nat_policy1]source-zone trust [FW1-policy-nat-rule-nat_policy1]destination-zone untrust [FW1-policy-nat-rule-nat_policy1]source-address 192.168.10.0 24 [FW1-policy-nat-rule-nat_policy1]action source-nat address-group nat_group [FW1-policy-nat-rule-nat_policy1]return 域间安全策略 [FW1]security-policy [FW1-policy-security]rule name trust_untrust1 [FW1-policy-security-rule-trust_untrust1]source-zone trust [FW1-policy-security-rule-trust_untrust1]destination-zone untrust [FW1-policy-security-rule-trust_untrust1]source-address 192.168.10.0 24 [FW1-policy-security-rule-trust_untrust1]action permit [FW1-policy-security-rule-trust_untrust1]quit [FW1-policy-security]quit [FW1]ip route-static 192.168.10.0 24 192.168.30.254 [FW1]ip route-static 192.168.20.0 24 192.168.30.254 [FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.6

5、上行交换机SW6

system-view [Huawei]sysname SW6 [SW6]vlan 100 [SW6-vlan100]quit [SW6]interface GigabitEthernet 0/0/1 [SW6-GigabitEthernet0/0/1]port link-type access [SW6-GigabitEthernet0/0/1]port default vlan 100 [SW6-GigabitEthernet0/0/1]quit [SW6]interface GigabitEthernet 0/0/2 [SW6-GigabitEthernet0/0/2]port link-type access [SW6-GigabitEthernet0/0/2]port default vlan 100 [SW6-GigabitEthernet0/0/2]quit [SW6]interface GigabitEthernet 0/0/3 [SW6-GigabitEthernet0/0/3]port link-type access [SW6-GigabitEthernet0/0/3]port default vlan 100 [SW6-GigabitEthernet0/0/3]quit

6、运营商ISP

system-view [Huawei]sysname ISP [ISP]interface GigabitEthernet 0/0/1 [ISP-GigabitEthernet0/0/1]ip address 100.1.1.6 29 [ISP-GigabitEthernet0/0/1]quit [ISP]interface LoopBack 0 [ISP-LoopBack0]ip address 1.1.1.1 32 [ISP-LoopBack0]quit [ISP]interface GigabitEthernet 0/0/0 [ISP-GigabitEthernet0/0/0]ip address 10.1.1.2 24 [ISP-GigabitEthernet0/0/0]quit [ISP]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

7、查看内网用户ping外网

二、双机热备配置

全程可以使pc长pingISP的1.1.1.1,发现不会丢包

1、FW1配置HRP,然后配置镜像模式

FW1配置心跳线接口,并加入对应安全区域 [FW1]interface GigabitEthernet 1/0/2 [FW1-GigabitEthernet1/0/2]ip address 172.16.1.1 30 [FW1-GigabitEthernet1/0/2]quit [FW1]firewall zone dmz [FW1-zone-dmz]add interface GigabitEthernet 1/0/2 [FW1-zone-dmz]quit 域间安全策略 [FW1]security-policy [FW1-policy-security]rule name ha_local_dmz [FW1-policy-security-rule-ha_local_dmz]source-zone local dmz [FW1-policy-security-rule-ha_local_dmz]destination-zone local dmz [FW1-policy-security-rule-ha_local_dmz]action permit [FW1-policy-security-rule-ha_local_dmz]quit [FW1-policy-security]quit 在FW1配置VGMP组监控上下行业务接口,默认为主设备 [FW1]hrp track interface GigabitEthernet 1/0/0 [FW1]hrp track interface GigabitEthernet 1/0/1 指定心跳口和对端IP地址,并启用双机热备功能 [FW1]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.2 [FW1]hrp enable

2、FW2配置HRP

FW2配置心跳线接口,并加入对应安全区域 system-view [USG6000V1]sysname FW2 [FW2]interface GigabitEthernet 1/0/2 [FW2-GigabitEthernet1/0/2]ip address 172.16.1.2 30 [FW2-GigabitEthernet1/0/2]quit [FW2]firewall zone dmz [FW2-zone-dmz]add interface GigabitEthernet 1/0/2 [FW2-zone-dmz]quit 域间安全策略 [FW2]security-policy [FW2-policy-security]rule name ha_local_dmz [FW2-policy-security-rule-ha_local_dmz]source-zone local dmz [FW2-policy-security-rule-ha_local_dmz]destination-zone local dmz [FW2-policy-security-rule-ha_local_dmz]action permit [FW2-policy-security-rule-ha_local_dmz]quit 在FW2配置VGMP组监控上下行业务接口,并配置本设备为备用设备 [FW2]hrp track interface GigabitEthernet 1/0/0 [FW2]hrp track interface GigabitEthernet 1/0/1 [FW2]hrp standby-device 指定心跳口和对端IP地址,并启用双机热备功能 [FW2]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.1 [FW2]hrp enable

3、查看同步状态

4、在FW1上配置镜像模式(重点)。双机关系建立之后,该配置会自动备份到FW2

HRP_M[FW1]hrp mirror config enable

5、在FW1先手动同步一下配置文件

6、在FW2查看到FW1开启热备之前的配置已经被同步过来

HRP_S[FW2]display current-configuration 2020-05-28 02:27:57.980 !Software Version V500R005C10SPC300 # sysname FW2 # l2tp domain suffix-separator @ # ipsec sha2 compatible enable # undo telnet server enable undo telnet ipv6 server enable # hrp enable hrp mirror config enable hrp interface GigabitEthernet1/0/2 remote 172.16.1.1 hrp track interface GigabitEthernet1/0/0 hrp track interface GigabitEthernet1/0/1 # update schedule location-sdb weekly Sun 03:14 # firewall defend action discard # banner enable # user-manage web-authentication security port 8887 undo privacy-statement english undo privacy-statement chinese page-setting user-manage security version tlsv1.1 tlsv1.2 password-policy level high user-manage single-sign-on ad user-manage single-sign-on tsm user-manage single-sign-on radius user-manage auto-sync online-user # web-manager security version tlsv1.1 tlsv1.2 web-manager enable web-manager security enable # firewall dataplane to manageplane application-apperceive default-action drop # undo ips log merge enable # decoding uri-cache disable # update schedule ips-sdb daily 06:38 update schedule av-sdb daily 06:38 update schedule sa-sdb daily 06:38 update schedule cnc daily 06:38 update schedule file-reputation daily 06:38 # ip vpn-instance default ipv4-family # time-range worktime period-range 08:00:00 to 18:00:00 working-day # ike proposal default encryption-algorithm aes-256 aes-192 aes-128 dh group14 authentication-algorithm sha2-512 sha2-384 sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 # aaa authentication-scheme default authentication-scheme admin_local authentication-scheme admin_radius_local authentication-scheme admin_hwtacacs_local authentication-scheme admin_ad_local authentication-scheme admin_ldap_local authentication-scheme admin_radius authentication-scheme admin_hwtacacs authentication-scheme admin_ad authorization-scheme default accounting-scheme default domain default service-type internetaccess ssl-vpn l2tp ike internet-access mode password reference user current-domain manager-user audit-admin password cipher @%@%PufuDg5YR*D@[x~Nqi|~n=5DHjpMOk,OqAV)gT$TQJP5=5Gn@%@% service-type web terminal level 15 manager-user api-admin password cipher @%@%`f5K#iULL!(vQ6M@lpCB'H,@{QzA=M{5O*as_2+Uk}J7H,C'@%@% level 15 manager-user admin password cipher @%@%ZFDu3)yV"LfTPj'O3+7437VT3h:D@nUDCO]h[qWQRb1Q7VW3@%@% service-type web terminal level 15 role system-admin role device-admin role device-admin(monitor) role audit-admin bind manager-user audit-admin role audit-admin bind manager-user admin role system-admin # l2tp-group default-lns # interface GigabitEthernet0/0/0 undo shutdown ip binding vpn-instance default ip address 192.168.0.1 255.255.255.0 alias GE0/METH # interface GigabitEthernet1/0/0 undo shutdown ip address 100.1.1.1 255.255.255.248 service-manage ping permit # interface GigabitEthernet1/0/1 undo shutdown ip address 192.168.30.12 255.255.255.0 service-manage ping permit # interface GigabitEthernet1/0/2 undo shutdown ip address 172.16.1.2 255.255.255.252 # interface GigabitEthernet1/0/3 undo shutdown # interface GigabitEthernet1/0/4 undo shutdown # interface GigabitEthernet1/0/5 undo shutdown # interface GigabitEthernet1/0/6 undo shutdown # interface Virtual-if0 # interface NULL0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/0 add interface GigabitEthernet1/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/0 # firewall zone dmz set priority 50 add interface GigabitEthernet1/0/2 # ip route-static 0.0.0.0 0.0.0.0 100.1.1.6 ip route-static 192.168.10.0 255.255.255.0 192.168.30.254 ip route-static 192.168.20.0 255.255.255.0 192.168.30.254 # undo ssh server compatible-ssh1x enable ssh authentication-type default password ssh server cipher aes256_ctr aes128_ctr ssh server hmac sha2_256 sha1 ssh client cipher aes256_ctr aes128_ctr ssh client hmac sha2_256 sha1 # firewall detect ftp # user-interface con 0 authentication-mode aaa user-interface vty 0 4 authentication-mode aaa protocol inbound ssh user-interface vty 16 20 # pki realm default # sa # location # nat address-group nat_group 0 mode pat section 0 100.1.1.3 100.1.1.3 # multi-linkif mode proportion-of-weight # right-manager server-group # device-classification device-group pc device-group mobile-terminal device-group undefined-group # user-manage server-sync tsm # security-policy rule name ha_local_dmz source-zone dmz source-zone local destination-zone dmz destination-zone local action permit rule name trust_untrust source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action permit # auth-policy # traffic-policy # policy-based-route # nat-policy rule name nat_policy1 source-zone trust destination-zone untrust source-address 192.168.10.0 mask 255.255.255.0 action source-nat address-group nat_group # quota-policy # pcp-policy # dns-transparent-policy # rightm-policy # return 三、配置服务器映射

在开启双机热备的情况下,在active上操作的任何步骤都过自动同步到standby

1、在FW1为server1添加映射,让外网用户能访问

HRP_M[FW1]nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168. 20.1 80 unr-route

在FW2查看已经被同步配置

2、配置域间安全测试,允许外网访问内网服务器

HRP_M[FW1]security-policy HRP_M[FW1-policy-security]rule name untrust_trust HRP_M[FW1-policy-security-rule-untrust_trust]source-zone untrust HRP_M[FW1-policy-security-rule-untrust_trust]destination-zone trust HRP_M[FW1-policy-security-rule-untrust_trust]destination-address 192.168.20.0 24 HRP_M[FW1-policy-security-rule-untrust_trust]action permit HRP_M[FW1-policy-security-rule-untrust_trust]return

3、client1访问服务器映射(访问域名,状态200表示成功)

 



【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3