Configuring Hot Standby Using the CLI on Huawei Firewall USG6000

1. Overview

When designing a network architecture with Huawei Firewall USG6000, we have to be aware that key points on a production network usually require two network devices for high availability.

In this article, we will configure active/standby on Huawei firewall model USG6000, so that when one firewall unit fails, the other unit takes over services to ensure continuity of service.

2. Prerequisites

In this document, it is supposed that:

a. You have already installed Huawei eNSP on your computer. If you have not, you can refer to this link: Huawei Network Device Simulation With eNSP.
b. You know how to configure NAT on Huawei Firewall USG6000. If you do not, you can refer to this link: Configuring Network Address Translation (NAT) on Huawei Firewall USG6000

3. Lab Scenario Set up

We will set up a lab to configure active/standby on Huawei firewall model USG6000 as shown in the following diagram. There is one router in the LAN with the hostname “PC1”, acting as an inside LAN client computer. The router with hostname “AR1” is the gateway for the client computer. FW1 will be the active firewall and FW2 will be the standby firewall. One router acts as the Internet, and another router with hostname “PC2” acts as a computer in the public network. Interface GE1/0/3 on FW1 is connected to interface GE1/0/3 on FW2 as the heartbeat link.

(Diagram: lab topology for hot standby on Huawei Firewall USG6000)

The following is the basic configuration of each device.

On PC1

First of all, we can configure the hostname and IP address as follows.

] sysname PC1
] int g0/0/0  
    ip add 20.0.0.10 255.255.255.0
] ip route-static 0.0.0.0 0.0.0.0 20.0.0.1

On AR1

Then, let’s configure IP addresses and the OSPF routing protocol as follows.

] int Ethernet2/0/0
ip add 20.0.0.1 255.255.255.0
] int g0/0/0
ip add 10.0.0.2 255.255.255.252
ospf network-type p2p

] int g0/0/1
ip add 10.1.0.2 255.255.255.252
ospf network-type p2p

] ospf 10 router-id 172.16.0.3
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 10.1.0.0 0.0.0.3
network 20.0.0.0 0.0.0.255

On FW1

On FW1, let’s configure IP addresses for each interface as follows.

] sysname FW1
] int g1/0/1
undo shutdown
ip address 10.0.0.1 255.255.255.252
ospf network-type p2p
undo service-manage enable
] int g1/0/2
undo shutdown
ip address 200.1.1.1 255.255.255.248
undo service-manage enable
] int g1/0/3
undo shutdown
ip address 10.10.10.1 255.255.255.252

Add the interfaces to security zones as follows.

] firewall zone trust
add int g1/0/1
] firewall zone untrust
add int g1/0/2
] firewall zone dmz
add int g1/0/3

Configure OSPF and the default route as follows.

] ospf 10 router-id 172.16.0.1
default-route-advertise type 1
area 0.0.0.0
network 10.0.0.0 0.0.0.3
] ip route-static 0.0.0.0 0.0.0.0 200.1.1.4

On FW2

On FW2, let’s configure IP addresses for each interface as follows.

] sysname FW2
] int g1/0/1
undo shutdown
ip address 10.1.0.1 255.255.255.252
ospf network-type p2p
undo service-manage enable
] int g1/0/2
undo shutdown
ip address 200.1.1.2 255.255.255.248
undo service-manage enable
] int g1/0/3
undo shutdown
ip address 10.10.10.2 255.255.255.252

Add the interfaces to security zones as follows.

] firewall zone trust
add int g1/0/1
] firewall zone untrust
add int g1/0/2
] firewall zone dmz
add int g1/0/3

Configure OSPF and the default route as follows.

] ospf 10 router-id 172.16.0.2
default-route-advertise type 1
area 0.0.0.0
network 10.1.0.0 0.0.0.3
] ip route-static 0.0.0.0 0.0.0.0 200.1.1.4


On the router acting as the Internet

We just need to configure IP address on each interface on the Internet router.

] sysname Internet 
] int g0/0/0
     ip add 200.1.1.4 255.255.255.248
] int g0/0/1
     ip add 100.1.1.1 255.255.255.252

On the router acting as a computer in the public network

On the PC2 router, let’s do the basic configuration as follows.

] sysname PC2 
] int g0/0/0
     ip add 100.1.1.2 255.255.255.252
] ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

4. Configure Firewall USG6000 Active/Standby

Configure HRP for active/standby on FW1 as follows.

] hrp enable
] hrp interface GigabitEthernet1/0/3 remote 10.10.10.2
] undo hrp adjust ospfv3-cost enable
] undo hrp adjust bgp-cost enable
] hrp track interface GigabitEthernet1/0/1

Configure HRP for active/standby on FW2 as follows.

] hrp enable
] hrp standby-device
] hrp interface GigabitEthernet1/0/3 remote 10.10.10.1
] undo hrp adjust ospfv3-cost enable
] undo hrp adjust bgp-cost enable
] hrp track interface GigabitEthernet1/0/1


On FW1, configure the firewall rules to allow traffic as follows. We don’t need to configure these rules on FW2; they are replicated from FW1 to FW2 automatically.

] security-policy
rule name rule_ospf
source-zone local
action permit
rule name rule_public
source-zone trust
destination-zone untrust
action permit
rule name acl_trushlocal
source-zone trust
destination-zone local
action permit

Now, on FW1, let’s configure the NAT policy for client Internet access as follows. We don’t need to configure this policy on FW2; it is replicated from FW1 to FW2 automatically.

] nat-policy
rule name nat_internet
source-zone trust
destination-zone untrust
action nat easy-ip

5. Verify and Testing

All the configuration for active/standby on Huawei firewall model USG6000 should now be ready. Let’s verify the configuration on FW1 as follows.

>dis hrp state ver
Role: active, peer: standby
Running priority: 45000, peer: 45000
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 2 hours, 26 minutes
Last state change information: 2019-02-26 2:32:01 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: off
adjust bgp-cost: off
nat resource: off
Detail information:
GigabitEthernet1/0/1: up
ospf-cost: +0

And verify the configuration on FW2 as follows.

] dis hrp state
Role: standby, peer: active
Running priority: 45000, peer: 45000
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 2 hours, 30 minutes
Last state change information: 2019-02-26 2:29:56 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

HRP_S<FW2> dis hrp state ver
Role: standby, peer: active
Running priority: 45000, peer: 45000
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 2 hours, 30 minutes
Last state change information: 2019-02-26 2:29:56 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: off
adjust bgp-cost: off
nat resource: off
Detail information:
GigabitEthernet1/0/1: up
ospf-cost: +65500
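As an added example (not part of the original guide or of Huawei's tooling), a small Python checker that parses `display hrp state verbose` output like the two listings above and flags what a defender would watch for on an HRP pair: one active and one standby role, a normal core state on both units, equal running priorities, configuration auto-sync on (otherwise policy changes stop replicating), the tracked interface up, and the OSPF cost adjustment that steers traffic to the active unit. The sample text is constructed from the FW2 listing; the +65500 expectation for the standby unit follows from the "adjust ospf-cost: on" setting shown above.

```python
import re

# Constructed sample modelled on the FW2 listing above; only the lines the checker needs are kept.
SAMPLE_STANDBY = """\
Role: standby, peer: active
Running priority: 45000, peer: 45000
Core state: normal, peer: normal
Last state change information: 2019-02-26 2:29:56 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
auto-sync configuration: on
adjust ospf-cost: on
Detail information:
GigabitEthernet1/0/1: up
ospf-cost: +65500
"""

def parse_hrp_state(text):
    """Key/value lines into a dict; 'X: a, peer: b' yields keys 'x' and 'peer x'."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(\S.*)$", line.strip())
        if not m:                      # section headers such as 'Configuration:'
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        pm = re.match(r"^(.+?),\s*peer:\s*(.+)$", value)
        if pm:
            info[key], info["peer " + key] = pm.group(1).strip(), pm.group(2).strip()
        else:
            info[key] = value
    return info

def check_hrp_health(info, tracked_ifaces=("gigabitethernet1/0/1",)):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    role, peer = info.get("role"), info.get("peer role")
    if {role, peer} != {"active", "standby"}:
        findings.append(f"roles are {role}/{peer}, expected one active and one standby")
    if info.get("core state") != "normal" or info.get("peer core state") != "normal":
        findings.append("HRP core state is not normal on both units")
    if info.get("running priority") != info.get("peer running priority"):
        findings.append("running priorities differ; check the tracked interfaces")
    if info.get("auto-sync configuration") != "on":
        findings.append("configuration auto-sync is off; policy changes will not replicate")
    for iface in tracked_ifaces:          # hrp track interface GigabitEthernet1/0/1
        if info.get(iface) != "up":
            findings.append(f"tracked interface {iface} is {info.get(iface, 'missing')}")
    if info.get("adjust ospf-cost") == "on":   # standby advertises its links at cost +65500
        want = "+65500" if role == "standby" else "+0"
        if info.get("ospf-cost") != want:
            findings.append(f"ospf-cost is {info.get('ospf-cost')}, expected {want} on the {role} unit")
    return findings
```

Feed it the real listing from each unit after a change window: an empty finding list from both firewalls is the state you want to see before trusting the pair.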

Now, let’s test a ping from the PC1 router to the PC2 router on the Internet as follows.

ping 100.1.1.2
PING 100.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=252 time=50 ms
Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=252 time=60 ms
Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=252 time=50 ms
Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=252 time=40 ms
--- 100.1.1.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 40/50/60 ms

Now we can test by shutting down FW1; we should still get the following successful result when pinging PC2 on the Internet from the PC1 router in the LAN.

<PC1>ping 100.1.1.2
PING 100.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=252 time=40 ms
Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=252 time=50 ms
Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=252 time=40 ms
Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=252 time=50 ms
Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=252 time=50 ms
--- 100.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/46/50 ms

6. Conclusion

That’s all about configuring high availability active/standby on Huawei firewall model USG6000 from Tech Space KH. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.
