May 16, 2025

# Enterprise Branch Network Solution Delivery Manual

## Case Description

The two firewalls at the branch exit of the campus form a dual-machine hot-standby pair and act as the exit gateway of the whole campus network: they apply security filtering to business traffic entering and leaving the campus and connect to the branch through IPsec VPN tunnels. The two core-layer switches form a cluster that is the core of the campus network and also the user gateway, assigning IP addresses to users. The uplink establishes dynamic routing with the firewalls through OSPF; route selection controls the traffic path, while ensuring that traffic can still be forwarded over the escape link in extreme cases.

Specific business requirements:

- Headquarters routing is highly reliable and the traffic path is clear, which simplifies later operation, maintenance and troubleshooting.
- External users can reach the internal server, and internal users can access the Internet normally.
- The branch and the headquarters communicate through the Internet, and that communication must be secured.

Figure 1. Network diagram of firewall deployment with IPsec and connection to headquarters (image not reproduced here).

## Device Requirements and Versions

| Site | Location | Equipment | Version |
| --- | --- | --- | --- |
| Headquarters | Egress | NSG-5220 | Version 5.5R10 |
| Headquarters | Core | S5860-24MG-U | 4.5.0E/3b574830da |
| Headquarters | Access | S5810-48TS-P | 4.4.4/0e26c21685 |
| Branch | Egress/Core | NSG-5220 | Version 5.5R10 |
| Branch | Access | S5810-48TS-P | 4.4.4/0e26c21685 |

## Deployment Strategy

| Step | Deployment Strategy | Equipment |
| --- | --- | --- |
| 1 | Configure VLANs and IP addresses, deploy the DHCP server, and implement intranet connectivity | Branch: access switch, egress firewall |
| 2 | Configure security policies to allow services to pass through the firewall | Branch: egress firewall |
| 3 | Configure SNAT (outbound) so that intranet users can access the Internet | Branch: egress firewall |
| 4 | Deploy MLAG+VRRP and LACP, configure VLANs and IP addresses, and deploy the DHCP server to achieve intranet connectivity in the campus | Headquarters: access switch, core switch |
| 5 | Configure interfaces, IP addresses and routes to enable network connectivity | Headquarters: core switch, egress firewall |
| 6 | Configure OSPF to implement dynamic route calculation, route optimization and backup | Headquarters: core switch, egress firewall |
| 7 | Configure dual-machine hot standby and issue dual default routes to improve device-level reliability | Headquarters: egress firewall |
| 8 | Configure security policies to allow services to pass through the firewall | Headquarters: egress firewall |
| 9 | Configure SNAT (outbound) so that intranet users can access the Internet | Headquarters: egress firewall |
| 10 | Configure DNAT (inbound) so that external users can access the server | Headquarters: egress firewall |
| 11 | Configure IPsec VPN to achieve secure communication between headquarters and branches | Headquarters egress firewall, branch egress firewall |

## Data Planning

Table 1. Link Interface Planning

| Site | Equipment | Local Interface | Peer Interface |
| --- | --- | --- | --- |
| Headquarters | FW1 | FW1: e0/8 | ISP1: e0/1 |
| Headquarters | FW1 | FW1: HA | FW2: HA |
| Headquarters | FW1 | FW1: e0/2 | CORE1: ge-1/1/11 |
| Headquarters | FW1 | FW1: e0/4 | CORE2: ge-1/1/13 |
| Headquarters | FW2 | FW2: e0/8 | ISP2: e0/3 |
| Headquarters | FW2 | FW2: HA | FW1: HA |
| Headquarters | FW2 | FW2: e0/2 | CORE1: ge-1/1/12 |
| Headquarters | FW2 | FW2: e0/4 | CORE2: ge-1/1/14 |
| Headquarters | CORE1 | CORE1: ge-1/1/18 | CORE2: ge-1/1/18 (escape route) |
| Headquarters | CORE2 | CORE2: ge-1/1/10 | Server-02 |
| Headquarters | CORE2 | CORE2: ge-1/1/13 | FW1: e0/4 |
| Headquarters | CORE2 | CORE2: ge-1/1/14 | FW2: e0/4 |
| Headquarters | CORE2 | CORE2: te-1/1/1 | SW1: te-1/1/2 |
| Headquarters | CORE2 | CORE2: te-1/1/2 | SW2: te-1/1/2 |
| Headquarters | CORE2 | CORE2: te-1/1/3 | CORE1: te-1/1/3 |
| Headquarters | CORE2 | CORE2: te-1/1/4 | CORE1: te-1/1/4 |
| Headquarters | CORE2 | CORE2: ge-1/1/18 | CORE1: ge-1/1/18 (escape route) |
| Branch | FW3 | FW3: e0/4 | ISP: e0/5 |
| Branch | FW3 | FW3: e0/2 | SW3: ge-1/1/1 |
| Branch | SW3 | SW3: ge-1/1/1 | FW3: e0/2 |

Table 2. VLAN Planning

| Site | Equipment | Data Item |
| --- | --- | --- |
| Headquarters | CORE1 & CORE2 | Create vlan10 and vlanif10 as the gateway of vlan10; create vlan20 and vlanif20 as the gateway of vlan20; create vlan30 and vlanif30 as the MLAG peer-link addresses; create vlan100 and vlanif100 as the gateway address of the server |
| Headquarters | SW1 | Create vlan10, used by department A |
| Headquarters | SW2 | Create vlan20, used by department B |
| Branch | SW3 | Create vlan200, used by the branch |

Table 3. IP Address Planning

| Site | Equipment | Data Item | Note |
| --- | --- | --- | --- |
| Headquarters | FW1 | e0/8: 100.1.1.1 | Public Internet address |
| Headquarters | FW1 | e0/2: 10.1.11.2 | Link to CORE1 |
| Headquarters | FW1 | e0/4: 10.1.13.2 | Link to CORE2 |
| Headquarters | FW2 | e0/8: 100.3.1.1 | Public Internet address |
| Headquarters | FW2 | e0/2: 10.1.12.2 | Link to CORE1 |
| Headquarters | FW2 | e0/4: 10.1.14.2 | Link to CORE2 |
| Headquarters | CORE1 | vlanif10: 10.10.1.210, VRRP virtual address 10.10.1.200 | vlan10 gateway |
| Headquarters | CORE1 | vlanif20: 10.20.1.210, VRRP virtual address 10.20.1.200 | vlan20 gateway |
| Headquarters | CORE1 | vlanif100: 10.100.1.110, VRRP virtual address 10.100.1.200 | vlan100 gateway |
| Headquarters | CORE1 | ge-1/1/11: 10.1.11.1 | Link to FW1 |
| Headquarters | CORE1 | ge-1/1/12: 10.1.12.1 | Link to FW2 |
| Headquarters | CORE1 | ge-1/1/18: 10.1.18.1 | Link to CORE2 (escape route) |
| Headquarters | CORE2 | vlanif10: 10.10.1.220, VRRP virtual address 10.10.1.200 | vlan10 gateway |
| Headquarters | CORE2 | vlanif20: 10.20.1.220, VRRP virtual address 10.20.1.200 | vlan20 gateway |
| Headquarters | CORE2 | vlanif100: 10.100.1.120, VRRP virtual address 10.100.1.200 | vlan100 gateway |
| Headquarters | CORE2 | ge-1/1/13: 10.1.13.1 | Link to FW1 |
| Headquarters | CORE2 | ge-1/1/14: 10.1.14.1 | Link to FW2 |
| Headquarters | CORE2 | ge-1/1/18: 10.1.18.2 | Link to CORE1 (escape route) |
| Headquarters | SW1 | vlanif10: 10.10.1.1 | PC of department A |
| Headquarters | SW2 | vlanif20: 10.20.1.1 | PC of department B |
| Headquarters | Server | vlanif100: 10.100.1.1 | Headquarters server |
| Branch | FW3 | e0/2: 100.5.1.1 | Public Internet address |
| Branch | FW3 | e0/4: 10.200.1.254 | Gateway of department C |
| Branch | SW3 | vlanif200: 10.200.1.1 | PC of department C |

## Deployment Steps

### Headquarters Network

#### Access Switch Configuration

Configure SW1:

```
# 1 Create aggregation interface ae1 in LACP mode, set it to trunk mode and allow vlan10
set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad "ae1"
set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad "ae1"
set interface aggregate-ethernet ae1 family ethernet-switching port-mode "trunk"
set vlans vlan-id 10 l3-interface "vlan-10"
set interface aggregate-ethernet ae1 family ethernet-switching vlan members 10
# 2 Enable the IP routing function
set ip routing enable true
# 3 Configure the reserved VLAN range and the vlanif address
set vlans reserved-vlan "500-550"
set l3-interface vlan-interface vlan-10 address 10.10.1.1 prefix-length 24
# 4 Point the default route at the core-layer gateway (VRRP virtual address)
set protocols static route 0.0.0.0/0 next-hop 10.10.1.200
# 5 Add a physical interface to the VLAN to test the DHCP server
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 10
```

Configure SW2:

```
# 1 Create aggregation interface ae1 in LACP mode, set it to trunk mode and allow vlan20
set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad "ae1"
set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad "ae1"
set interface aggregate-ethernet ae1 family ethernet-switching port-mode "trunk"
set vlans vlan-id 20 l3-interface "vlan-20"
set interface aggregate-ethernet ae1 family ethernet-switching vlan members 20
# 2 Enable the IP routing function
set ip routing enable true
# 3 Configure the reserved VLAN range and the vlanif address
set vlans reserved-vlan "500-550"
set l3-interface vlan-interface vlan-20 address 10.20.1.1 prefix-length 24
# 4 Point the default route at the core-layer gateway (VRRP virtual address)
set protocols static route 0.0.0.0/0 next-hop 10.20.1.200
# 5 Add a physical interface to the VLAN to test the DHCP server
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 20
```

#### Core Switch Configuration

Configuring CORE1

Global configuration. Because of the characteristics of the S5860-24MG-U, the port speed must be switched manually to 4x10G when the downlink is 10G; the speed commands in step 1 are only needed in that case.
```
# 1 Force the downlink ports to 10G (only when the downlink is 10G)
set interface gigabit-ethernet te-1/1/1 mtu 1500
set interface gigabit-ethernet te-1/1/1 ether-options flow-control true
set interface gigabit-ethernet te-1/1/1 speed "10000"
set interface gigabit-ethernet te-1/1/2 mtu 1500
set interface gigabit-ethernet te-1/1/2 ether-options flow-control true
set interface gigabit-ethernet te-1/1/2 speed "10000"
set interface gigabit-ethernet te-1/1/3 mtu 1500
set interface gigabit-ethernet te-1/1/3 ether-options flow-control true
set interface gigabit-ethernet te-1/1/3 speed "10000"
set interface gigabit-ethernet te-1/1/4 mtu 1500
set interface gigabit-ethernet te-1/1/4 speed "10000"
# 2 Enable the IP routing function and configure the reserved VLAN range
set ip routing enable true
set vlans reserved-vlan "500-550"
# 3 Create the VLANs and configure the corresponding vlanif addresses
set vlans vlan-id 10 l3-interface "vlan-10"
set vlans vlan-id 20 l3-interface "vlan-20"
set vlans vlan-id 30 l3-interface "vlan-30"
set vlans vlan-id 100 l3-interface "vlan-100"
set l3-interface vlan-interface vlan-30 address 10.30.1.1 prefix-length 24
set l3-interface vlan-interface vlan-20 address 10.20.1.210 prefix-length 24
set l3-interface vlan-interface vlan-10 address 10.10.1.210 prefix-length 24
set l3-interface vlan-interface vlan-100 address 10.100.1.110 prefix-length 24
```

Downlink access switch configuration:

```
# 4 Create the VRRP active-active gateways
set protocols vrrp interface vlan-10 vrid 1 ip 10.10.1.200
set protocols vrrp interface vlan-20 vrid 2 ip 10.20.1.200
set protocols vrrp interface vlan-100 vrid 3 ip 10.100.1.200
set protocols vrrp interface vlan-10 vrid 1 load-balance disable false
set protocols vrrp interface vlan-20 vrid 2 load-balance disable false
# vrid 3 is defined on vlan-100 (the original listing had vlan-30 here, which carries no VRRP group)
set protocols vrrp interface vlan-100 vrid 3 load-balance disable false
# 5 Create the MLAG configuration (ae2 is the peer-link)
set interface aggregate-ethernet ae2 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae2 family ethernet-switching vlan members 10,20,30
set interface gigabit-ethernet te-1/1/3 ether-options 802.3ad "ae2"
set interface gigabit-ethernet te-1/1/4 ether-options 802.3ad "ae2"
set protocols mlag domain 1 node 0
set protocols mlag domain 1 peer-ip 10.30.1.2 peer-link "ae2"
set protocols mlag domain 1 peer-ip 10.30.1.2 peer-vlan 30
# 6 Add the aggregated interfaces to the MLAG group
set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad "ae1"
set interface aggregate-ethernet ae1 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae1 family ethernet-switching vlan members 10
set protocols mlag domain 1 interface ae1 link 1
set interface aggregate-ethernet ae3 aggregated-ether-options lacp enable true
set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad "ae3"
set interface aggregate-ethernet ae3 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae3 family ethernet-switching vlan members 20
set protocols mlag domain 1 interface ae3 link 2
set interface aggregate-ethernet ae10 aggregated-ether-options lacp enable true
set interface gigabit-ethernet ge-1/1/10 ether-options 802.3ad "ae10"
set interface aggregate-ethernet ae10 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae10 family ethernet-switching vlan members 100
set protocols mlag domain 1 interface ae10 link 3
```

Uplink firewall configuration:

```
# 7 Configure the two ports towards the upstream firewalls as layer 3 interfaces with IP addresses
set interface gigabit-ethernet ge-1/1/11 routed-interface name "rif-11"
set interface gigabit-ethernet ge-1/1/11 routed-interface enable true
set l3-interface routed-interface rif-11 address 10.1.11.1 prefix-length 30
set interface gigabit-ethernet ge-1/1/12 routed-interface name "rif-12"
set interface gigabit-ethernet ge-1/1/12 routed-interface enable true
set l3-interface routed-interface rif-12 address 10.1.12.1 prefix-length 30
# 8 Configure the escape route link
set interface gigabit-ethernet ge-1/1/18 routed-interface name "rif-18"
set interface gigabit-ethernet ge-1/1/18 routed-interface enable true
set l3-interface routed-interface rif-18 address 10.1.18.1 prefix-length 30
# 9 Start OSPF and advertise the subnets
set protocols ospf router-id 1.1.1.1
set protocols ospf area 0
set protocols ospf network 10.1.11.1/32 area 0
set protocols ospf network 10.1.12.1/32 area 0
set protocols ospf network 10.1.18.1/30 area 0
set protocols ospf redistribute connected
# 10 Adjust the OSPF interface costs for path preference (FW1 preferred, FW2 next, escape link last)
set protocols ospf auto-cost reference-bandwidth 10000
set protocols ospf interface rif-12 cost 100
set protocols ospf interface rif-18 cost 120
```

DHCP:

```
# 11 Start the DHCP server
set protocols dhcp server pool pool1 network 10.10.1.0/24
set protocols dhcp server pool pool2 network 10.20.1.0/24
set protocols dhcp server pool pool1 dns-server 8.8.8.8
set protocols dhcp server pool pool2 dns-server 8.8.8.8
set protocols dhcp server pool pool1 default-router 10.10.1.200
# pool2 also needs its gateway, the vlan20 VRRP virtual address from Table 3
# (this line is missing from the original listing and is added here)
set protocols dhcp server pool pool2 default-router 10.20.1.200
```

Configuring CORE2

Global configuration. As on CORE1, the speed commands in step 1 are only needed when the downlink is 10G.

```
# 1 Force the downlink ports to 10G (only when the downlink is 10G)
set interface gigabit-ethernet te-1/1/1 mtu 1500
set interface gigabit-ethernet te-1/1/1 ether-options flow-control true
set interface gigabit-ethernet te-1/1/1 speed "10000"
set interface gigabit-ethernet te-1/1/2 mtu 1500
set interface gigabit-ethernet te-1/1/2 ether-options flow-control true
set interface gigabit-ethernet te-1/1/2 speed "10000"
set interface gigabit-ethernet te-1/1/3 mtu 1500
set interface gigabit-ethernet te-1/1/3 ether-options flow-control true
set interface gigabit-ethernet te-1/1/3 speed "10000"
set interface gigabit-ethernet te-1/1/4 mtu 1500
set interface gigabit-ethernet te-1/1/4 speed "10000"
# 2 Enable the IP routing function and configure the reserved VLAN range
set ip routing enable true
set vlans reserved-vlan "500-550"
# 3 Create the VLANs and configure the corresponding vlanif addresses
set vlans vlan-id 10 l3-interface "vlan-10"
set vlans vlan-id 20 l3-interface "vlan-20"
set vlans vlan-id 30 l3-interface "vlan-30"
set vlans vlan-id 100 l3-interface "vlan-100"
set l3-interface vlan-interface vlan-30 address 10.30.1.2 prefix-length 24
set l3-interface vlan-interface vlan-20 address 10.20.1.220 prefix-length 24
set l3-interface vlan-interface vlan-10 address 10.10.1.220 prefix-length 24
set l3-interface vlan-interface vlan-100 address 10.100.1.120 prefix-length 24
```

Downlink access switch configuration:

```
# 4 Create the VRRP gateways
set protocols vrrp interface vlan-10 vrid 1 ip 10.10.1.200
set protocols vrrp interface vlan-20 vrid 2 ip 10.20.1.200
set protocols vrrp interface vlan-100 vrid 3 ip 10.100.1.200
# 5 Create the MLAG configuration (ae2 is the peer-link)
set interface aggregate-ethernet ae2 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae2 family ethernet-switching vlan members 10,20,30
set interface gigabit-ethernet te-1/1/3 ether-options 802.3ad "ae2"
set interface gigabit-ethernet te-1/1/4 ether-options 802.3ad "ae2"
set protocols mlag domain 1 node 1
set protocols mlag domain 1 peer-ip 10.30.1.1 peer-link "ae2"
set protocols mlag domain 1 peer-ip 10.30.1.1 peer-vlan 30
# 6 Add the aggregated interfaces to the MLAG group
set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad "ae1"
set interface aggregate-ethernet ae1 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae1 family ethernet-switching vlan members 10
set protocols mlag domain 1 interface ae1 link 1
set interface aggregate-ethernet ae3 aggregated-ether-options lacp enable true
set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad "ae3"
set interface aggregate-ethernet ae3 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae3 family ethernet-switching vlan members 20
set protocols mlag domain 1 interface ae3 link 2
# the original listing repeated the ae10 lines and, by mistake, re-assigned ae1 to vlan 100 / link 3;
# only the ae10 block belongs here
set interface aggregate-ethernet ae10 aggregated-ether-options lacp enable true
set interface gigabit-ethernet ge-1/1/10 ether-options 802.3ad "ae10"
set interface aggregate-ethernet ae10 family ethernet-switching port-mode "trunk"
set interface aggregate-ethernet ae10 family ethernet-switching vlan members 100
set protocols mlag domain 1 interface ae10 link 3
```

Uplink firewall configuration:

```
# 7 Configure the two ports towards the upstream firewalls as layer 3 interfaces with IP addresses
set interface gigabit-ethernet ge-1/1/13 routed-interface name "rif-13"
set interface gigabit-ethernet ge-1/1/13 routed-interface enable true
set l3-interface routed-interface rif-13 address 10.1.13.1 prefix-length 30
set interface gigabit-ethernet ge-1/1/14 routed-interface name "rif-14"
set interface gigabit-ethernet ge-1/1/14 routed-interface enable true
set l3-interface routed-interface rif-14 address 10.1.14.1 prefix-length 30
# 8 Configure the escape route link
set interface gigabit-ethernet ge-1/1/18 routed-interface name "rif-18"
set interface gigabit-ethernet ge-1/1/18 routed-interface enable true
set l3-interface routed-interface rif-18 address 10.1.18.2 prefix-length 30
# 9 Start OSPF, advertise the networks
set protocols ospf router-id 2.2.2.2
set protocols ospf area 0
set protocols ospf network 10.1.13.1/32 area 0
set protocols ospf network 10.1.14.1/32 area 0
set protocols ospf network 10.1.18.2/30 area 0
set protocols ospf redistribute connected
# 10 Adjust the OSPF interface costs for path preference (FW2 preferred, FW1 next, escape link last)
set protocols ospf auto-cost reference-bandwidth 10000
set protocols ospf interface rif-13 cost 100
set protocols ospf interface rif-18 cost 120
```

#### Firewall Configuration

Note 1: Firewall 2 only needs its HA configuration; all other configuration is synchronized from the main firewall.

Note 2: The OSPF process needs a locally configured router-id (the `local` attribute) on each firewall so that the two firewalls issue distinct default routes; the rest of the OSPF configuration is synchronized from the main firewall.
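Before the firewalls are configured it is worth checking what exit each core switch will actually choose under the OSPF costs above, both in normal operation and when links fail, since the escape link only matters if the costs make it the path of last resort. The Python example below is added here and is not part of the manual; it runs the same shortest-path computation OSPF's SPF performs over the directed interface costs from the CORE1 and CORE2 listings. Two assumptions are labelled in the code: the firewall-side interface costs (not shown on the page) are taken as the 1G default of 10, and both firewalls are assumed to inject the default route with the same external metric and type, so the cost to reach the firewall is what decides.

```python
from __future__ import annotations
import heapq

INF = float("inf")

# Directed OSPF interface costs from the core switch configuration in this manual:
# rif-12 and rif-13 cost 100, the escape link rif-18 costs 120 on both cores, and every
# other 1G link keeps the default cost of 10 given by auto-cost reference-bandwidth 10000.
# The firewall-side costs are NOT on the page; 10 is an ASSUMED default-cost value.
LINKS = [
    ("CORE1", "FW1", 10),     # rif-11 (default cost)
    ("CORE1", "FW2", 100),    # rif-12 cost 100
    ("CORE1", "CORE2", 120),  # rif-18 cost 120, escape link
    ("CORE2", "FW2", 10),     # rif-14 (default cost)
    ("CORE2", "FW1", 100),    # rif-13 cost 100
    ("CORE2", "CORE1", 120),  # rif-18 cost 120, escape link
    ("FW1", "CORE1", 10), ("FW1", "CORE2", 10),  # assumed firewall-side costs
    ("FW2", "CORE1", 10), ("FW2", "CORE2", 10),  # assumed firewall-side costs
]
# Both firewalls originate the default route (default-information originate). Assumed:
# they inject it with the same external metric and type, so cost to the firewall decides.
EXITS = ("FW1", "FW2")


def build_graph(links, down_nodes=(), down_links=()):
    """Adjacency map; a failed node drops all its links, a failed link drops both directions."""
    graph: dict[str, dict[str, int]] = {}
    for a, b, cost in links:
        if a in down_nodes or b in down_nodes:
            continue
        if (a, b) in down_links or (b, a) in down_links:
            continue
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})
    return graph


def shortest_paths(graph, source):
    """Dijkstra over directed interface costs, the computation OSPF's SPF performs."""
    dist = {source: 0}
    prev: dict[str, str] = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, INF):
            continue  # stale heap entry
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, INF):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def path_to(prev, source, target):
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]


def chosen_exit(core, down_nodes=(), down_links=(), links=LINKS):
    """(exit firewall, OSPF cost, hop list) for a core switch, or None if no exit is reachable."""
    graph = build_graph(links, down_nodes, down_links)
    dist, prev = shortest_paths(graph, core)
    candidates = [(dist[fw], fw) for fw in EXITS if fw in dist]
    if not candidates:
        return None
    cost, fw = min(candidates)
    return fw, cost, path_to(prev, core, fw)


if __name__ == "__main__":
    print("normal:", chosen_exit("CORE1"), chosen_exit("CORE2"))
    print("FW1 lost:", chosen_exit("CORE1", down_nodes=("FW1",)))
    print("CORE1 uplinks lost:",
          chosen_exit("CORE1", down_links=(("CORE1", "FW1"), ("CORE1", "FW2"))))
```

In normal operation CORE1 exits through FW1 at cost 10 and CORE2 through FW2 at cost 10, which is the clear, symmetric traffic path the requirements ask for. If FW1 disappears, CORE1 falls back to its direct link to FW2 (cost 100); only when both of CORE1's firewall links are gone does the escape link carry its traffic to FW2 via CORE2 (cost 130). Under the assumed firewall-side costs the model also shows that CORE1 can reach FW2 more cheaply through FW1 (cost 30) than over rif-12, so if firewall transit between core links is not wanted, the firewall-side costs need checking on the real devices.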
Firewall deployment and configuration strategy:

- Configure High Availability (HA) for redundancy
  - Create a track instance that tracks the uplink interface
  - Enable peer-AA mode
  - Create the HA port and the HA link data interface
  - Configure the peer-link peer IP address
  - Set the group priority
  - Bind each group to its tracking instance
- Configure interfaces for FW1/FW2
  - Configure the interface zone, IP address and management protocols allowed
- Configure routes
  - Configure the default route to the ISP
  - Configure the tunnel route
- Configure OSPF
  - Distribute the default route into OSPF
- Configure policy and NAT
  - Configure the intercommunication policy
  - Configure SNAT
  - Configure DNAT
- Establish the IPsec VPN
  - Create IPsec tunnel 1 and tunnel 2
  - Bind tunnel1 and tunnel2

Configuring FW1

```
# Configure High Availability (HA) for redundancy
# Track the upstream interface and bind it to the tracking instances track1 and track2.
# Pay attention to the local parameter, which is best added.
track "track1"
  interface ethernet0/8
exit
track "track2"
  interface ethernet0/8
exit
# HA configuration with the associated tracking instances
ha link interface HA0
ha link data interface ethernet0/12
ha link ip 1.1.1.1 255.255.255.0
ha group 0
  priority 50
  preempt 1
  monitor track "track1"
exit
ha group 1
  preempt 1
  monitor track "track2"
exit
ha traffic enable
ha cluster 1 peer-mode node 0
# Interface configuration (interface names with ":1" belong to HA group 1, i.e. node 1)
interface ethernet0/2
  zone "trust"
  ip address 10.1.11.2 255.255.255.252
  manage ping
  manage traceroute
interface ethernet0/4
  zone "trust"
  ip address 10.1.13.2 255.255.255.252
  manage ping
  manage traceroute
interface ethernet0/8
  zone "untrust"
  ip address 100.1.1.1 255.255.255.0
  manage ping
  manage traceroute
interface ethernet0/2:1
  zone "trust"
  ip address 10.1.12.2 255.255.255.252
  manage ping
  manage traceroute
interface ethernet0/4:1
  zone "trust"
  ip address 10.1.14.2 255.255.255.252
  manage ping
  manage traceroute
interface ethernet0/8:1
  zone "untrust"
  ip address 100.3.1.1 255.255.255.0
  manage ping
  manage traceroute
interface MGT0:1
  zone "mgt"
  ip address 192.168.1.4 255.255.255.0
  manage https
# IPsec configuration (Admin@123 is the manual's sample pre-shared key; use a strong,
# site-specific secret, identical on both ends, in a real deployment)
isakmp peer "gate1"
  isakmp-proposal "psk-sha256-aes128-g2"
  pre-share Admin@123
  peer 100.5.1.1
  interface ethernet0/8
exit
isakmp peer "gate2"
  isakmp-proposal "psk-sha256-aes128-g2"
  pre-share Admin@123
  peer 100.5.1.1
  interface ethernet0/8:1
exit
tunnel ipsec "gate1" auto sa-index 2
  ipsec-proposal "esp-sha256-aes128-g2"
  auto-connect
  isakmp-peer "gate1"
exit
tunnel ipsec "gate2" auto sa-index 3
  ipsec-proposal "esp-sha256-aes128-g2"
  auto-connect
  isakmp-peer "gate2"
exit
# Bind the tunnel interfaces to the IPsec tunnels
interface tunnel1
  zone "trust"
  manage ping
  manage traceroute
  tunnel ipsec "gate1"
exit
interface tunnel1:1
  zone "trust"
  manage ping
  manage traceroute
  tunnel ipsec "gate2"
exit
# Enter the routing configuration view
ip vrouter "trust-vr"
  # SNAT: two rules are needed, one per HA node (the rule carrying "group 1" belongs to node 1).
  # The address-book entry "private_network" must exist; its definition is not shown in this manual.
  snatrule id 1 from-zone "trust" to-zone "untrust" from address-book "private_network" to address-book "Any" service "Any" trans-to eif-ip mode dynamicport group 1
  snatrule id 2 from-zone "trust" to-zone "untrust" from address-book "private_network" to address-book "Any" service "Any" trans-to eif-ip mode dynamicport
  # DNAT: again one rule per HA node
  dnatrule id 1 from address-book "Any" to ip 200.3.1.1/24 service "Any" trans-to ip 10.100.1.1/24 track-ping
  dnatrule id 2 from address-book "Any" to ip 200.3.1.1/24 service "Any" trans-to ip 10.100.1.1/24 track-ping group 1
  # Default route 1 points to ISP1
  ip route 0.0.0.0/0 100.1.1.2
  # Tunnel route for node 0
  ip route 10.200.1.0/24 "tunnel1"
  # Default route 2 points to ISP2
  ip route 0.0.0.0/0 100.3.1.2
  # Tunnel route for node 1
  ip route 10.200.1.0/24 "tunnel1:1"
  # OSPF configuration
  router ospf 1
    router-id 3.3.3.3 local
    default-information originate
    network 10.1.11.0/30 area 0.0.0.0
    network 10.1.12.0/30 area 0.0.0.0
    network 10.1.13.0/30 area 0.0.0.0
    network 10.1.14.0/30 area 0.0.0.0
  exit
exit
# Policy configuration: an allow-all rule is used here to make testing easy.
# Replace it with zone- and service-specific rules once connectivity has been verified.
rule id 1
  action permit
  src-zone "Any"
  dst-zone "Any"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
  name "policy1"
```

Configuring FW2

```
# 1 HA configuration
ha link interface HA0
ha link data interface ethernet0/12
ha link ip 1.1.1.2 255.255.255.0
ha group 0
  preempt 1
  monitor track "track1"
exit
ha group 1
  priority 50
  preempt 1
  monitor track "track2"
exit
ha traffic enable
ha cluster 1 peer-mode node 1
# OSPF local configuration. Per Note 2 the router-id must differ from FW1's 3.3.3.3 so that the two
# firewalls issue distinct default routes; the original listing repeated 3.3.3.3 here, and 4.4.4.4
# is an assumed replacement value, not one given in the manual.
ip vrouter "trust-vr"
  router ospf 1
    router-id 4.4.4.4 local
```

### Branch Network

#### Access Switch Configuration

Configuring SW3:

```
# 1 Set the interface to trunk mode and allow vlan200 to pass
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode "trunk"
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching vlan members 200
# 2 Enable IP routing
set ip routing enable true
# 3 Configure the vlanif
set vlans vlan-id 200 l3-interface "vlan-200"
set l3-interface vlan-interface vlan-200 address 10.200.1.1 prefix-length 24
# 4 Configure the default gateway
set protocols static route 0.0.0.0/0 next-hop 10.200.1.254
```

#### Firewall Configuration

Configuring FW3

```
# Interface configuration
interface ethernet0/2
  zone "trust"
  ip address 10.200.1.254 255.255.255.0
  manage ping
  manage traceroute
exit
interface ethernet0/4
  zone "untrust"
  ip address 100.5.1.1 255.255.255.0
  manage ping
  manage traceroute
exit
# IPsec configuration (same sample pre-shared key as on FW1; it must match on both ends)
isakmp peer "gate1"
  isakmp-proposal "psk-sha256-aes128-g2"
  pre-share Admin@123
  peer 100.1.1.1
  interface ethernet0/4
exit
isakmp peer "gate2"
  isakmp-proposal "psk-sha256-aes128-g2"
  pre-share Admin@123
  peer 100.3.1.1
  interface ethernet0/4
exit
tunnel ipsec "gate1" auto sa-index 2
  ipsec-proposal "esp-sha256-aes128-g2"
  auto-connect
  isakmp-peer "gate1"
exit
tunnel ipsec "gate2" auto sa-index 3
  ipsec-proposal "esp-sha256-aes128-g2"
  auto-connect
  isakmp-peer "gate2"
exit
# Bind the IPsec tunnels to tunnel interfaces
interface tunnel1
  zone "trust"
  manage ping
  manage traceroute
  tunnel ipsec "gate1"
exit
interface tunnel2
  zone "trust"
  manage ping
  manage traceroute
  tunnel ipsec "gate2"
exit
# Routing configuration
ip vrouter "trust-vr"
  ip route 0.0.0.0/0 100.5.1.2
  ip route 10.0.0.0/8 "tunnel1"
  ip route 10.0.0.0/8 "tunnel2"
exit
# Policy configuration: an allow-all rule is used here to make testing easy.
# Replace it with zone- and service-specific rules once connectivity has been verified.
rule id 1
  action permit
  src-zone "Any"
  dst-zone "Any"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
  name "policy1"
```

## Validating Results

After the configuration is complete, run `show ipsec sa active` to view the security associations established by IKE. Taking FW1 as an example:

```
NSG-5220(M0D1)# show ipsec sa active
Total: 2
S - Status, I - Inactive, A - Active;
Id VPN   Peer IP     Port Algorithms        SPI      Life(s) S
2  gate1 >100.5.1.1  500  esp:aes/sha256/-  dc45e43e 28581   A
2  gate1 <100.5.1.1  500  esp:aes/sha256/-  50baa936 28581   A
3  gate2 >100.5.1.1  500  esp:aes/sha256/-  e045e43e 28581   A
3  gate2 <100.5.1.1  500  esp:aes/sha256/-  296ceb2c 28581   A
```

The same command on FW3 shows the other end of both tunnels (note that each outbound SPI on FW1 appears as the inbound SPI on FW3 and vice versa):

```
NSG-5220(M0D1)# show ipsec sa active
Total: 2
S - Status, I - Inactive, A - Active;
Id VPN   Peer IP     Port Algorithms        SPI      Life(s) S
2  gate1 >100.1.1.1  500  esp:aes/sha256/-  50baa936 28493   A
2  gate1 <100.1.1.1  500  esp:aes/sha256/-  dc45e43e 28493   A
3  gate2 >100.3.1.1  500  esp:aes/sha256/-  296ceb2c 28493   A
3  gate2 <100.3.1.1  500  esp:aes/sha256/-  e045e43e 28493   A
```

Verify connectivity between the headquarters and the branch with ping. Headquarters PC1:

```
admin@PICOS# run ping 10.200.1.1
PING 10.200.1.1 (10.200.1.1) 56(84) bytes of data.
64 bytes from 10.200.1.1: icmp_seq=1 ttl=61 time=12.3 ms
64 bytes from 10.200.1.1: icmp_seq=2 ttl=61 time=6.33 ms
64 bytes from 10.200.1.1: icmp_seq=3 ttl=61 time=4.94 ms
64 bytes from 10.200.1.1: icmp_seq=4 ttl=61 time=8.04 ms
64 bytes from 10.200.1.1: icmp_seq=5 ttl=61 time=7.10 ms
--- 10.200.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4041ms
rtt min/avg/max/mdev = 4.938/7.738/12.286/2.489 ms
```

Branch PC3:

```
admin@PICOS# run ping 10.10.1.1
PING 10.10.1.1 (10.10.1.1) 56(84) bytes of data.
64 bytes from 10.10.1.1: icmp_seq=1 ttl=61 time=11.4 ms
64 bytes from 10.10.1.1: icmp_seq=2 ttl=61 time=7.35 ms
64 bytes from 10.10.1.1: icmp_seq=3 ttl=61 time=3.95 ms
64 bytes from 10.10.1.1: icmp_seq=4 ttl=61 time=7.06 ms
64 bytes from 10.10.1.1: icmp_seq=5 ttl=61 time=6.11 ms
--- 10.10.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4047ms
rtt min/avg/max/mdev = 3.948/7.174/11.384/2.483 ms
```

SNAT verification, headquarters host reaching the ISP address:

```
admin@PICOS# run ping 100.3.1.2
PING 100.3.1.2 (100.3.1.2) 56(84) bytes of data.
64 bytes from 100.3.1.2: icmp_seq=1 ttl=62 time=4.06 ms
64 bytes from 100.3.1.2: icmp_seq=2 ttl=62 time=3.96 ms
64 bytes from 100.3.1.2: icmp_seq=3 ttl=62 time=3.92 ms
64 bytes from 100.3.1.2: icmp_seq=4 ttl=62 time=3.96 ms
64 bytes from 100.3.1.2: icmp_seq=5 ttl=62 time=3.85 ms
--- 100.3.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4035ms
rtt min/avg/max/mdev = 3.854/3.950/4.063/0.068 ms
```

DNAT verification, ISP side reaching the headquarters server (200.3.1.1 is the public address mapped to the server at 10.100.1.1):

```
Switch> ping 200.3.1.1
PING 200.3.1.1 (200.3.1.1) 56(84) bytes of data.
64 bytes from 200.3.1.1: icmp_seq=1 ttl=63 time=3.96 ms
64 bytes from 200.3.1.1: icmp_seq=2 ttl=63 time=5.05 ms
64 bytes from 200.3.1.1: icmp_seq=3 ttl=63 time=13.4 ms
64 bytes from 200.3.1.1: icmp_seq=4 ttl=63 time=4.34 ms
64 bytes from 200.3.1.1: icmp_seq=5 ttl=63 time=8.93 ms
--- 200.3.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 3.962/7.144/13.424/3.604 ms
```
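Reading the two `show ipsec sa active` tables by eye works once; in operation the same checks are worth automating, since a tunnel with only one active direction, an SA close to expiry, or an SPI that does not line up between the two ends all look fine at a glance. The Python example below is added here and is not the manual's or the vendor's code: it parses the command output shown above (embedded as a constructed copy, re-wrapped one SA per line), reports the per-tunnel status, cross-checks that each outbound SPI on one firewall is the inbound SPI on the other, compares the negotiated peers against the planned addresses from Table 3, and flags weak ESP algorithms. The `min_life` threshold and the weak-algorithm list are assumptions chosen for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed copies of the outputs shown in the manual (headquarters FW1 and branch FW3).
FW1_OUTPUT = """\
NSG-5220(M0D1)# show ipsec sa active
Total: 2
S - Status, I - Inactive, A - Active;
Id VPN   Peer IP     Port Algorithms        SPI      Life(s) S
2  gate1 >100.5.1.1  500  esp:aes/sha256/-  dc45e43e 28581   A
2  gate1 <100.5.1.1  500  esp:aes/sha256/-  50baa936 28581   A
3  gate2 >100.5.1.1  500  esp:aes/sha256/-  e045e43e 28581   A
3  gate2 <100.5.1.1  500  esp:aes/sha256/-  296ceb2c 28581   A
"""
FW3_OUTPUT = """\
NSG-5220(M0D1)# show ipsec sa active
Total: 2
S - Status, I - Inactive, A - Active;
Id VPN   Peer IP     Port Algorithms        SPI      Life(s) S
2  gate1 >100.1.1.1  500  esp:aes/sha256/-  50baa936 28493   A
2  gate1 <100.1.1.1  500  esp:aes/sha256/-  dc45e43e 28493   A
3  gate2 >100.3.1.1  500  esp:aes/sha256/-  296ceb2c 28493   A
3  gate2 <100.3.1.1  500  esp:aes/sha256/-  e045e43e 28493   A
"""

# One SA row: id, tunnel, direction marker + peer, port, algorithms, SPI, lifetime, status.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+([<>])(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+([AI])$")
WEAK = {"des", "3des", "md5", "sha1", "null"}   # assumed list of algorithms to flag


@dataclass(frozen=True)
class SaEntry:
    vpn: str
    direction: str   # "out" for '>', "in" for '<'
    peer: str
    algorithms: str
    spi: str
    life: int
    active: bool


def parse_sa_table(text: str) -> list[SaEntry]:
    """Extract the SA rows; the prompt, total line, legend and header do not match ROW."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        _, vpn, marker, peer, _port, algs, spi, life, status = m.groups()
        entries.append(SaEntry(vpn, "out" if marker == ">" else "in", peer, algs,
                               spi.lower(), int(life), status == "A"))
    return entries


def tunnel_status(entries, min_life: int = 600) -> dict[str, str]:
    """'ok' only when both directions exist, both are active and neither expires within min_life s."""
    by_vpn: dict[str, dict[str, SaEntry]] = {}
    for e in entries:
        by_vpn.setdefault(e.vpn, {})[e.direction] = e
    status = {}
    for vpn, dirs in by_vpn.items():
        if set(dirs) != {"in", "out"}:
            status[vpn] = "missing-direction"
        elif not all(e.active for e in dirs.values()):
            status[vpn] = "inactive"
        elif min(e.life for e in dirs.values()) < min_life:
            status[vpn] = "expiring"
        else:
            status[vpn] = "ok"
    return status


def spi_mismatches(local, remote) -> list[str]:
    """Tunnels whose outbound SPI on one end is not the inbound SPI on the other end."""
    remote_spi = {(e.vpn, e.direction): e.spi for e in remote}
    bad = {e.vpn for e in local
           if remote_spi.get((e.vpn, "in" if e.direction == "out" else "out")) != e.spi}
    return sorted(bad)


def peer_mismatches(entries, expected: dict[str, str]) -> list[str]:
    """Tunnels whose negotiated peer differs from the planned peer address."""
    return sorted({e.vpn for e in entries if expected.get(e.vpn) != e.peer})


def weak_algorithms(entries) -> list[str]:
    """Tunnels negotiated with an algorithm from the WEAK list ('esp:aes/sha256/-' is fine)."""
    bad = set()
    for e in entries:
        parts = re.split(r"[:/]", e.algorithms.lower())
        if WEAK & set(parts):
            bad.add(e.vpn)
    return sorted(bad)


if __name__ == "__main__":
    fw1, fw3 = parse_sa_table(FW1_OUTPUT), parse_sa_table(FW3_OUTPUT)
    print("FW1 tunnels:", tunnel_status(fw1))
    print("SPI mismatches FW1<->FW3:", spi_mismatches(fw1, fw3))
    # planned peers from Table 3: FW3 reaches FW1 on 100.1.1.1 and FW2 on 100.3.1.1
    print("FW3 peer mismatches:", peer_mismatches(fw3, {"gate1": "100.1.1.1", "gate2": "100.3.1.1"}))
    print("weak algorithms:", weak_algorithms(fw1 + fw3))
```

On the manual's outputs every check comes back clean: both tunnels are `ok` on each end, all four SPIs pair up across FW1 and FW3, the peers match the planned public addresses, and the negotiated `esp:aes/sha256/-` suite contains nothing on the weak list. Feeding the script a capture where one direction of gate1 shows `I` turns that tunnel `inactive`, which is the case a monitoring job should alert on.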