The Huawei firewall is similar to Netscreen/SRX/Palo Alto: it uses a combination of zone-based firewall (ZBF) features such as security zones and ACLs.
In this example we will build a basic, classic three-zone security concept (untrust/dmz/trust) and assign interfaces to the zones:
zone = untrust (public internet)
zone = trust (inside)
zone = dmz (DMZ services)
First we build the interfaces:
interface GigabitEthernet0/0/0
 description UNTRUSTED
 ip address 192.0.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 description TRUST-zone
 ip address 192.168.100.1 255.255.255.0
 vrrp vrid 11 virtual-ip 192.168.100.254 master
#
interface GigabitEthernet0/0/2
 description DMZprimario
 ip address 192.168.101.1 255.255.255.0
 vrrp vrid 12 virtual-ip 192.168.101.254 master
#
Next we assign the interfaces to our zones (each zone carries a priority; the firewall uses it to decide which direction of an interzone flow is "outbound") and add the default route:
firewall zone untrust
 add interface GigabitEthernet0/0/0
 set priority 5
firewall zone trust
 add interface GigabitEthernet0/0/1
 set priority 100
firewall zone dmz
 add interface GigabitEthernet0/0/2
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 description uplink_to_world
#
ip address-set LAN1 type group
 description LANnetwork
 address 0 192.168.100.0 mask 24
#
ip address-set DMZ1 type group
 description DMZnetwork
 address 0 192.168.101.0 mask 24
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source address-set LAN1
#
policy interzone trust dmz outbound
 policy 0
  action permit
  policy destination 192.168.101.0 0.0.0.255
#
# my SNAT pool
nat address-group 1 192.0.0.1 192.0.0.2
#
# SNAT for local LAN1 outbound
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source address-set LAN1
  address-group 1
#
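The zone priorities decide which way an interzone policy faces: "outbound" is traffic leaving the higher-priority zone, and anything with no matching policy is dropped by the interzone default deny. The following Python model is an added example (not the post's or Huawei's code) that encodes the three zones, the two address-sets and the policies above, classifies a flow as inbound or outbound from the priorities, and runs a first-match lookup plus the SNAT decision. The trust/dmz rule names the DMZ prefix 192.168.101.0/24; the model evaluates it both as a source match and as a destination match to show which one an outbound trust to dmz flow actually hits. The intrazone default permit, the sample flow addresses and the wildcard handling are assumptions of the example.

```python
import ipaddress

# Constructed model of the three-zone design in the post: zone priorities as the
# post sets them, the two address-sets, and the interzone policies.
ZONE_PRIORITY = {"untrust": 5, "trust": 100, "dmz": 50}

ADDRESS_SETS = {
    "LAN1": [ipaddress.ip_network("192.168.100.0/24")],
    "DMZ1": [ipaddress.ip_network("192.168.101.0/24")],
}


def wildcard_to_network(addr, wildcard):
    """Turn an 'address wildcard' pair (e.g. 192.168.101.0 0.0.0.255) into a network."""
    w = int(ipaddress.ip_address(wildcard))
    if (w + 1) & w:  # assumption: only contiguous wildcard masks (2^k - 1) are handled
        raise ValueError("only contiguous wildcard masks are supported")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def flow_direction(src_zone, dst_zone):
    """'outbound' when traffic leaves the higher-priority zone, 'inbound' otherwise."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


def policy(zone_a, zone_b, direction, action, sources=None, destinations=None):
    """One interzone policy entry; sources/destinations are network lists, None meaning any."""
    return {"zones": frozenset({zone_a, zone_b}), "direction": direction,
            "action": action, "sources": sources, "destinations": destinations}


# The post's trust/untrust rule: permit LAN1 out to the internet.
TRUST_UNTRUST = policy("trust", "untrust", "outbound", "permit", sources=ADDRESS_SETS["LAN1"])

# Two readings of the trust/dmz rule: the DMZ prefix as the source and as the
# destination. Only one of them can match an outbound trust -> dmz flow.
DMZ_NET = wildcard_to_network("192.168.101.0", "0.0.0.255")
TRUST_DMZ_SRC = policy("trust", "dmz", "outbound", "permit", sources=[DMZ_NET])
TRUST_DMZ_DST = policy("trust", "dmz", "outbound", "permit", destinations=[DMZ_NET])

POLICIES_SRC_MATCH = [TRUST_UNTRUST, TRUST_DMZ_SRC]
POLICIES_DST_MATCH = [TRUST_UNTRUST, TRUST_DMZ_DST]


def evaluate(src_ip, dst_ip, src_zone, dst_zone, policies):
    """First-match policy lookup; unmatched interzone traffic falls to the default deny."""
    if src_zone == dst_zone:
        return "permit"  # intrazone default, assumed here; verify on your platform
    pair = frozenset({src_zone, dst_zone})
    direction = flow_direction(src_zone, dst_zone)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["zones"] != pair or p["direction"] != direction:
            continue
        if p["sources"] is not None and not any(s in n for n in p["sources"]):
            continue
        if p["destinations"] is not None and not any(d in n for n in p["destinations"]):
            continue
        return p["action"]
    return "deny"


def source_nat_pool(src_ip, src_zone, dst_zone):
    """Mirror of the post's nat-policy: LAN1 leaving trust for untrust is translated to address-group 1."""
    if {src_zone, dst_zone} == {"trust", "untrust"} and flow_direction(src_zone, dst_zone) == "outbound":
        if any(ipaddress.ip_address(src_ip) in n for n in ADDRESS_SETS["LAN1"]):
            return ("192.0.0.1", "192.0.0.2")
    return None


if __name__ == "__main__":
    # Constructed sample flows: LAN host to the internet, the reverse, and LAN host to a DMZ server.
    flows = [("192.168.100.10", "198.51.100.5", "trust", "untrust"),
             ("198.51.100.5", "192.168.100.10", "untrust", "trust"),
             ("192.168.100.10", "192.168.101.10", "trust", "dmz")]
    for f in flows:
        print(f, flow_direction(f[2], f[3]),
              "src-match:", evaluate(*f, POLICIES_SRC_MATCH),
              "dst-match:", evaluate(*f, POLICIES_DST_MATCH),
              "snat:", source_nat_pool(f[0], f[2], f[3]))
```

Running it shows the LAN to internet flow permitted and translated, the unsolicited internet to LAN flow dropped by the default deny, and the LAN to DMZ flow permitted only when the DMZ prefix is matched as the destination: hosts in 192.168.101.0/24 sit in the dmz zone, so they can never be the source of an outbound trust to dmz flow.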
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Dear Felix,
It is the only config I found on the internet for a Huawei firewall. Thanks for sharing.
Could you please help me in creating a user-defined service set and using it in a policy?
Best Regards.
Banik