Topology

Steps

Enable HRP

Specify the heartbeat interface and the peer's remote address

Create the VRRP backup group

Add the corresponding interfaces to the security zones

Security policy from trust to untrust

Commands:

[USG6000V1]hrp en

HRP_M[USG6000V1]hrp  interface  GigabitEthernet 1/0/1 remote 192.168.12.2

HRP_M[USG6000V1-GigabitEthernet1/0/1]ip a 192.168.12.1 24

HRP_M[USG6000V1-GigabitEthernet1/0/0]ip a  192.168.1.2 24

HRP_M[USG6000V1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 192.168.1.254 24 active

HRP_M[USG6000V1-GigabitEthernet1/0/2]ip a 192.168.2.2 24

HRP_M[USG6000V1-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 192.168.2.254 24 active

HRP_M[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2

HRP_M[USG6000V1-zone-trust]add interface GigabitEthernet  1/0/0

HRP_M[USG6000V1-zone-dmz]add  interface  GigabitEthernet 1/0/1

HRP_M[USG6000V1-policy-security]rule name t_un

Configure fw2 in the same way.

HRP_M[USG6000V1-policy-security]rule name t_un (+B)

HRP_M[USG6000V1-policy-security-rule-t_un]source-zone trust  (+B)

HRP_M[USG6000V1-policy-security-rule-t_un] destination-zone untrust  (+B)

HRP_M[USG6000V1-policy-security-rule-t_un]action permit  (+B)

fw1

HRP synchronization with fw2 succeeded:

HRP_M[USG6000V1]security-policy (+B)
HRP_M[USG6000V1-policy-security]dis th
#
security-policy
 rule name t_un
  source-zone trust
  destination-zone untrust
  action permit
#
return
HRP_M[USG6000V1-policy-security]dis cu
!Software Version V500R001C10
#
sysname USG6000V1
#
 undo l2tp sendaccm enable
 l2tp domain suffix-separator @
#
undo telnet server enable
undo telnet ipv6 server enable
#
 hrp enable
 hrp interface GigabitEthernet1/0/1 remote 192.168.12.2
#
 firewall packet-filter basic-protocol enable
#
 firewall detect ftp
#
 log type traffic enable
 log type syslog enable
 log type policy enable
#
 undo dataflow enable
#
 isp name "china mobile"
 isp name "china mobile" set filename china-mobile.csv
 isp name "china unicom"
 isp name "china unicom" set filename china-unicom.csv
 isp name "china telecom"
 isp name "china telecom" set filename china-telecom.csv
 isp name "china educationnet"
 isp name "china educationnet" set filename china-educationnet.csv
#
 snmp-agent session history-max-number enable
 snmp-agent session trap threshold 4000
 snmp-agent session-rate trap threshold 24000
#
 web-manager security version tlsv1 tlsv1.1
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 update schedule ips-sdb daily 03:11
 update schedule av-sdb daily 03:11
 update schedule sa-sdb daily 03:11
 update schedule cnc daily 03:11
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authentication-scheme admin_ldap
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type l2tp ike
  reference user current-domain
 manager-user password-modify enable
 manager-user audit-admin
  password cipher @%@%"Snm%p2oiQ;k/J#ekcKT56^t78-p59f!^;lc4'%urC356^w5@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%uw956wrVt>L$CK*M~ccM7dX%hZXf)EXxNK'ob)D%.EgGdX(7@%@%
  service-type api
  level 15
 manager-user admin
  password cipher @%@%mzq<@2|MG~xL/,E:i:oM3z0NqhvN1S]O_Yw]/w;[YOW/z0Q3@%@%
  service-type web terminal
  level 15
 role system-admin
  dashboard read-write
  monitor read-write
  policy read-write
  object read-write
  network read-write
  system read-write
 role device-admin
  dashboard read-only
  monitor read-only log log-traffic log-threat log-policy-matching report traffic-map threat-map session statistic statistic-acl
  monitor none diagnose
  policy read-write
  object read-write
  network read-write
  system read-write high-reliability
  system none configuration vsys license update-center mail-send feedback
 role device-admin(monitor)
  dashboard read-only
  monitor read-only log log-traffic log-threat log-policy-matching report traffic-map threat-map session statistic statistic-acl
  monitor none diagnose
  policy read-only
  object read-only
  network read-only
  system read-only high-reliability
  system none configuration vsys license update-center mail-send feedback
 role audit-admin
  dashboard read-only
  monitor read-write log-audit
  monitor read-only log log-traffic log-threat log-syslog log-policy-matching report traffic-map threat-map
  monitor none session statistic statistic-acl diagnose
  policy none
  object none
  network none
  system none
 bind manager-user audit-admin role audit-admin
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.254 active
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.12.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.2.254 active
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
Sep 14 2018 06:31:58 USG6000V1 %%01POLICY/4/POLICYACCFAIL(l)[7]:Policy acceleration failed, the device doesn't have enough memory.
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
l2tp-group default-lns
#
undo ssh server compatible-ssh1x enable
#
user-interface con 0
 authentication-mode password
 set authentication password cipher $1a$D#IOQiBeqC$a,nt/[Rv^@ucZs7zkX~6L4L`7SEV55%[q=FB3MQN$
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
sa
#
location
#
 multi-interface
  mode proportion-of-weight
#
security-policy
 rule name t_un
  source-zone trust
  destination-zone untrust
  action permit
#
traffic-policy
#
policy-based-route
#
nat-policy
#
pcp-policy
#
dns-transparent-policy
#
return
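As an added check that is not part of the original post, the Python below parses a display current-configuration dump like fw1's above and verifies the five steps from the top of the page: HRP enabled with the remote address on the heartbeat interface's subnet, every addressed interface in exactly one zone with its VRRP virtual IP on its own subnet, and a trust-to-untrust permit rule. The sample dump is a constructed excerpt of fw1's configuration; the check_hrp_config name and the wording of the findings are my own.

```python
import ipaddress
# Constructed excerpt of fw1's "display current-configuration" above: only the
# views the checks read, with the "#" separators and zone priorities dropped.
FW1_CONFIG = """ hrp enable
 hrp interface GigabitEthernet1/0/1 remote 192.168.12.2
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.254 active
interface GigabitEthernet1/0/1
 ip address 192.168.12.1 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 192.168.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.2.254 active
firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/2
firewall zone dmz
 add interface GigabitEthernet1/0/1
security-policy
 rule name t_un
  source-zone trust
  destination-zone untrust
  action permit
"""

def check_hrp_config(cfg):
    """Findings against the five steps above; an empty list means the dump passes."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    ifaces, zones, cur, out = {}, {}, None, []
    for l in lines:                       # collect interface views and zone membership
        if l.startswith(("interface ", "firewall zone ")):
            cur = (ifaces if l[0] == "i" else zones).setdefault(l.split()[-1], [])
        elif cur is not None and l.startswith(("ip address ", "vrrp vrid ", "add interface ")):
            w = l.split()                 # interface view: IPv4Interface then VIP strings; zone view: member names
            cur.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}") if w[0] == "ip" else w[4 if w[0] == "vrrp" else 2])
    own = lambda view: next((x for x in view if not isinstance(x, str)), None)  # the view's own address
    hrp = next((l.split() for l in lines if l.startswith("hrp interface ")), None)
    hb, peer = (own(ifaces.get(hrp[2], [])), ipaddress.ip_address(hrp[4])) if hrp else (None, None)
    if "hrp enable" not in lines or hb is None or peer not in hb.network or peer == hb.ip:   # steps 1 and 2
        out.append("HRP is not enabled, or the remote address is not a peer on the heartbeat subnet")
    for name, view in ifaces.items():                                           # steps 3 and 4
        ip = own(view)
        out += [f"{name}: VRRP virtual-ip {v} is outside {ip.network}" for v in view
                if ip and isinstance(v, str) and ipaddress.ip_address(v) not in ip.network]
        if ip and sum(name in z for z in zones.values()) != 1:
            out.append(f"{name} is not in exactly one security zone")
    if not {"source-zone trust", "destination-zone untrust", "action permit"} <= set(lines):
        out.append("no trust-to-untrust permit rule in security-policy")       # step 5
    return out
```

Run it against the full dump of each firewall; the remote-address check is the one that catches the classic mistake of typing the local heartbeat address or an address from the wrong subnet into the hrp interface command.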

fw2

After synchronization succeeds, no configuration can be made on it:

HRP_S[USG6000V1]service-quality
                                ^
Error:Incomplete command found at '^' position.
HRP_S[USG6000V1]
Sep 14 2018 06:31:58 USG6000V1 %%01POLICY/4/POLICYACCFAIL(l)[7]:Policy acceleration failed, the device doesn't have enough memory.
HRP_S[USG6000V1]
