Huawei USG6000 firewall: configuring mirror-mode hot standby (HRP)

Network topology (diagram in the original post)
Requirements: The enterprise originally had a single firewall. To improve network reliability, a second firewall is added for hot standby, without affecting the configuration of the existing firewall. The service interfaces of both firewalls work at Layer 3; downstream is a Layer 3 core switch, upstream is a Layer 2 switch connected to the carrier's access point. The carrier has assigned the enterprise the IP addresses 100.1.1.1-100.1.1.6.
Configuration approach: The two firewalls must be the same model. Before configuring mirror mode, first complete the hot-standby network connections and the basic HRP configuration; the service interfaces, routes and so on do not need to be configured on the new unit.

  1. Complete the basic hot-standby configuration on both firewalls: VGMP group monitoring of the service interfaces (hrp track interface), the heartbeat interface, and enabling the hot-standby function.
  2. Enable mirror mode on both firewalls and perform a manual bulk backup.
  3. Complete the network configuration on one of the firewalls so that internal users can access the Internet.
  4. Once mirror mode is established, all configuration (including interfaces, routes and so on) needs to be done on only one firewall; it is automatically backed up to the other.
I. Configuration before hot standby
1. PC and server configuration (screenshots in the original post)

2. Access switch SW5
system-view
[Huawei]sysname SW5
[SW5]vlan batch 10 20
[SW5]interface GigabitEthernet 0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access
[SW5-GigabitEthernet0/0/4]port default vlan 10
[SW5-GigabitEthernet0/0/4]quit
[SW5]interface GigabitEthernet 0/0/5
[SW5-GigabitEthernet0/0/5]port link-type access
[SW5-GigabitEthernet0/0/5]port default vlan 20
[SW5-GigabitEthernet0/0/5]quit
[SW5]interface GigabitEthernet 0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]interface GigabitEthernet 0/0/3
[SW5-GigabitEthernet0/0/3]port link-type trunk
[SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/3]quit

3. Core switches
SW3
system-view
[Huawei]sysname SW3
[SW3]vlan batch 10 20 30
[SW3]interface Vlanif 10
[SW3-Vlanif10]ip address 192.168.10.252 24
[SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW3-Vlanif10]vrrp vrid 10 priority 101
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif10]quit
[SW3]interface Vlanif 20
[SW3-Vlanif20]ip address 192.168.20.252 24
[SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW3-Vlanif20]vrrp vrid 20 priority 101
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif20]quit
[SW3]interface Vlanif 30
[SW3-Vlanif30]ip address 192.168.30.252 24
[SW3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW3-Vlanif30]vrrp vrid 30 priority 101
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif30]quit
[SW3]interface Eth-Trunk 1
[SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/7
[SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/8
[SW3-Eth-Trunk1]port link-type trunk
[SW3-Eth-Trunk1]port trunk allow-pass vlan all
[SW3-Eth-Trunk1]quit
[SW3]interface GigabitEthernet 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW3-GigabitEthernet0/0/2]quit
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]quit
[SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

SW4
system-view
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30
[SW4]interface Vlanif 10
[SW4-Vlanif10]ip address 192.168.10.253 24
[SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW4-Vlanif10]quit
[SW4]interface Vlanif 20
[SW4-Vlanif20]ip address 192.168.20.253 24
[SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW4-Vlanif20]quit
[SW4]interface Vlanif 30
[SW4-Vlanif30]ip address 192.168.30.253 24
[SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW4-Vlanif30]quit
[SW4]interface Eth-Trunk 1
[SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/7
[SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/8
[SW4-Eth-Trunk1]port link-type trunk
[SW4-Eth-Trunk1]port trunk allow-pass vlan all
[SW4-Eth-Trunk1]quit
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW4-GigabitEthernet0/0/3]quit
[SW4]interface GigabitEthernet 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 30
[SW4-GigabitEthernet0/0/1]quit
[SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

4. Firewall FW1
system-view
[USG6000V1]sysname FW1
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 192.168.30.12 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 100.1.1.1 29
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]quit
Security zones:
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]quit
NAT address pool:
[FW1]nat address-group nat_group
[FW1-address-group-nat_group]section 0 100.1.1.3
[FW1-address-group-nat_group]quit
NAT policy (source NAT):
[FW1]nat-policy
[FW1-policy-nat]rule name nat_policy1
[FW1-policy-nat-rule-nat_policy1]source-zone trust
[FW1-policy-nat-rule-nat_policy1]destination-zone untrust
[FW1-policy-nat-rule-nat_policy1]source-address 192.168.10.0 24
[FW1-policy-nat-rule-nat_policy1]action source-nat address-group nat_group
[FW1-policy-nat-rule-nat_policy1]return
Inter-zone security policy:
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust1
[FW1-policy-security-rule-trust_untrust1]source-zone trust
[FW1-policy-security-rule-trust_untrust1]destination-zone untrust
[FW1-policy-security-rule-trust_untrust1]source-address 192.168.10.0 24
[FW1-policy-security-rule-trust_untrust1]action permit
[FW1-policy-security-rule-trust_untrust1]quit
[FW1-policy-security]quit
Static routes:
[FW1]ip route-static 192.168.10.0 24 192.168.30.254
[FW1]ip route-static 192.168.20.0 24 192.168.30.254
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.6

5. Upstream switch SW6
system-view
[Huawei]sysname SW6
[SW6]vlan 100
[SW6-vlan100]quit
[SW6]interface GigabitEthernet 0/0/1
[SW6-GigabitEthernet0/0/1]port link-type access
[SW6-GigabitEthernet0/0/1]port default vlan 100
[SW6-GigabitEthernet0/0/1]quit
[SW6]interface GigabitEthernet 0/0/2
[SW6-GigabitEthernet0/0/2]port link-type access
[SW6-GigabitEthernet0/0/2]port default vlan 100
[SW6-GigabitEthernet0/0/2]quit
[SW6]interface GigabitEthernet 0/0/3
[SW6-GigabitEthernet0/0/3]port link-type access
[SW6-GigabitEthernet0/0/3]port default vlan 100
[SW6-GigabitEthernet0/0/3]quit

6. Carrier router ISP
system-view
[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 100.1.1.6 29
[ISP-GigabitEthernet0/0/1]quit
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip address 1.1.1.1 32
[ISP-LoopBack0]quit
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 10.1.1.2 24
[ISP-GigabitEthernet0/0/0]quit
[ISP]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

7. Verify that internal users can ping the Internet (screenshots in the original post)

II. Hot standby configuration
Throughout this process you can keep a continuous ping running from the PC to the ISP address 1.1.1.1; no packets are lost.
1. Configure HRP on FW1, then configure mirror mode
Configure the heartbeat interface on FW1 and add it to the corresponding security zone:
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 172.16.1.1 30
[FW1-GigabitEthernet1/0/2]quit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/2
[FW1-zone-dmz]quit
Inter-zone security policy for the heartbeat traffic:
[FW1]security-policy
[FW1-policy-security]rule name ha_local_dmz
[FW1-policy-security-rule-ha_local_dmz]source-zone local dmz
[FW1-policy-security-rule-ha_local_dmz]destination-zone local dmz
[FW1-policy-security-rule-ha_local_dmz]action permit
[FW1-policy-security-rule-ha_local_dmz]quit
[FW1-policy-security]quit
Configure the VGMP group on FW1 to monitor the upstream and downstream service interfaces (FW1 is the active device by default):
[FW1]hrp track interface GigabitEthernet 1/0/0
[FW1]hrp track interface GigabitEthernet 1/0/1
Specify the heartbeat interface and the peer IP address, then enable hot standby:
[FW1]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.2
[FW1]hrp enable

2. Configure HRP on FW2
Configure the heartbeat interface on FW2 and add it to the corresponding security zone:
system-view
[USG6000V1]sysname FW2
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 172.16.1.2 30
[FW2-GigabitEthernet1/0/2]quit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/2
[FW2-zone-dmz]quit
Inter-zone security policy for the heartbeat traffic:
[FW2]security-policy
[FW2-policy-security]rule name ha_local_dmz
[FW2-policy-security-rule-ha_local_dmz]source-zone local dmz
[FW2-policy-security-rule-ha_local_dmz]destination-zone local dmz
[FW2-policy-security-rule-ha_local_dmz]action permit
[FW2-policy-security-rule-ha_local_dmz]quit
[FW2-policy-security]quit
Configure the VGMP group on FW2 to monitor the upstream and downstream service interfaces, and set this device as the standby:
[FW2]hrp track interface GigabitEthernet 1/0/0
[FW2]hrp track interface GigabitEthernet 1/0/1
[FW2]hrp standby-device
Specify the heartbeat interface and the peer IP address, then enable hot standby:
[FW2]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.1
[FW2]hrp enable

3. Check the synchronisation state (screenshots in the original post)

4. Configure mirror mode on FW1 (the key step). Once the HRP relationship is established, this setting is automatically backed up to FW2.
HRP_M[FW1]hrp mirror config enable

5. On FW1, manually synchronise the configuration file once (screenshot in the original post)

6. On FW2, verify that the configuration FW1 had before hot standby was enabled has been synchronised
HRP_S[FW2]display current-configuration
2020-05-28 02:27:57.980
!Software Version V500R005C10SPC300
#
 sysname FW2
#
 domain suffix-separator @
#
 ipsec sha2 compatible enable
#
 undo telnet server enable
 undo telnet ipv6 server enable
#
 hrp enable
 hrp mirror config enable
 hrp interface GigabitEthernet1/0/2 remote 172.16.1.1
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/1
#
 update schedule location-sdb weekly Sun 03:14
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
 page-setting
 user-manage security version tlsv1.1 tlsv1.2
 password-policy
  level high
 user-manage single-sign-on ad
 user-manage single-sign-on tsm
 user-manage single-sign-on radius
 user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
 firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 06:38
 update schedule av-sdb daily 06:38
 update schedule sa-sdb daily 06:38
 update schedule cnc daily 06:38
 update schedule file-reputation daily 06:38
#
ip -instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%PufuDg5YR*D@[x~Nqi|~n=5DHjpMOk,OqAV)gT$TQJP5=5Gn@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%`f5K#iULL!(vQ6M@lpCB'H,@{QzA=M{5O*as_2+Uk}J7H,C'@%@%
  level 15
 manager-user admin
  password cipher @%@%ZFDu3)yV"LfTPj'O3+7437VT3h:D@nUDCO]h[qWQRb1Q7VW3@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding -instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.248
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.30.12 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.1.2 255.255.255.252
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.6
ip route-static 192.168.10.0 255.255.255.0 192.168.30.254
ip route-static 192.168.20.0 255.255.255.0 192.168.30.254
#
 undo ssh server compatible-ssh1x enable
 ssh authentication-type default password
 ssh server cipher aes256_ctr aes128_ctr
 ssh server hmac sha2_256 sha1
 ssh client cipher aes256_ctr aes128_ctr
 ssh client hmac sha2_256 sha1
#
 firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
nat address-group nat_group 0
 mode pat
 section 0 100.1.1.3 100.1.1.3
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name ha_local_dmz
  source-zone dmz
  source-zone local
  destination-zone dmz
  destination-zone local
  action permit
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name nat_policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat address-group nat_group
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
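A consistency check for the comparison made in step 6, added here as an example (it is not part of the original post and not a Huawei tool): it parses two "display current-configuration" dumps and reports every line present on the active unit but missing on the standby, and vice versa, while ignoring the lines that are expected to differ between HRP members (sysname, the "hrp interface ... remote" peer address, "hrp standby-device", and the heartbeat interface's own address, here assumed to be GigabitEthernet1/0/2 as in the post). The sample dumps are constructed from the post's addresses, not real device output.

```python
import re

# Lines that legitimately differ between the two HRP members (assumed list).
PER_DEVICE = re.compile(r"^(sysname |hrp interface \S+ remote |hrp standby-device$)")
HEARTBEAT_IF = "GigabitEthernet1/0/2"  # assumption: the heartbeat port from the post

def config_lines(dump, heartbeat_if=HEARTBEAT_IF):
    """(section, command) pairs from a dump, minus per-device lines."""
    keep, section = set(), None
    for raw in dump.splitlines():
        cmd = raw.strip()
        if cmd == "#":            # VRP separates configuration sections with '#'
            section = None
        elif cmd and not cmd.startswith("!"):
            section = section or cmd  # the first command of a section names it
            own_ip = section == f"interface {heartbeat_if}" and cmd.startswith("ip address ")
            if not PER_DEVICE.match(cmd) and not own_ip:
                keep.add((section, cmd))
    return keep

def mirror_diff(active, standby):
    """(missing_on_standby, extra_on_standby); both empty means a consistent mirror."""
    a, s = config_lines(active), config_lines(standby)
    return sorted(a - s), sorted(s - a)

# Constructed, abbreviated dumps using the post's addresses (not real device output).
FW1 = """\
#
 sysname FW1
#
 hrp mirror config enable
 hrp interface GigabitEthernet1/0/2 remote 172.16.1.2
#
interface GigabitEthernet1/0/2
 ip address 172.16.1.1 255.255.255.252
#
nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168.20.1 80 unr-route
#
security-policy
 rule name untrust_trust
  destination-zone trust
  action permit
#
"""
# The standby as it should look, except that the rule's last line never synced.
FW2 = (FW1.replace("sysname FW1", "sysname FW2")
          .replace("remote 172.16.1.2", "remote 172.16.1.1\n hrp standby-device")
          .replace("ip address 172.16.1.1", "ip address 172.16.1.2")
          .replace("  action permit\n", ""))
```

Calling mirror_diff(FW1, FW2) on the constructed dumps reports the missing "action permit" under security-policy and nothing else, which is the only kind of difference that should ever appear after a completed mirror sync.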

III. Configuring a server mapping
With hot standby enabled, every step performed on the active unit is automatically synchronised to the standby.
1. On FW1, add a mapping for server1 so that external users can reach it
HRP_M[FW1]nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168.20.1 80 unr-route


On FW2, verify that the configuration has been synchronised (screenshot in the original post)

2. Configure the inter-zone security policy that allows external users to reach the internal server
HRP_M[FW1]security-policy
HRP_M[FW1-policy-security]rule name untrust_trust
HRP_M[FW1-policy-security-rule-untrust_trust]source-zone untrust
HRP_M[FW1-policy-security-rule-untrust_trust]destination-zone trust
HRP_M[FW1-policy-security-rule-untrust_trust]destination-address 192.168.20.0 24
HRP_M[FW1-policy-security-rule-untrust_trust]action permit
HRP_M[FW1-policy-security-rule-untrust_trust]return

3. client1 accesses the server mapping (by domain name; an HTTP status of 200 means success; screenshot in the original post)

