This section describes how to configure hot standby when the service interfaces of two firewalls work at Layer 3 and the firewalls work in mirror mode.
Procedure
- Configure the heartbeat interface and the hot-standby management interface on each FW.
Only the heartbeat interface and the hot-standby management interface need to be configured at this point; the service interfaces do not, because once mirror mode is enabled their configuration is backed up automatically.
The hot-standby management interface is used to connect to the log host, the NMS and similar devices.
# On each FW, configure the addresses of the heartbeat interface and the hot-standby management interface, and add both interfaces to a security zone.
<FW_A> system-view
[FW_A] interface GigabitEthernet 0/0/7
[FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet0/0/7] quit
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 172.16.1.1 24
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit

<FW_B> system-view
[FW_B] interface GigabitEthernet 0/0/7
[FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet0/0/7] quit
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 172.16.1.2 24
[FW_B-GigabitEthernet0/0/2] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/2
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
# On each FW, configure a security policy whose action is permit between the local zone and the zone that contains the hot-standby management interface.
[FW_A] security-policy
[FW_A-policy-security] rule name ha_local_to_dmz
[FW_A-policy-security-rule-ha_local_to_dmz] source-zone local dmz
[FW_A-policy-security-rule-ha_local_to_dmz] destination-zone local dmz
[FW_A-policy-security-rule-ha_local_to_dmz] action permit
[FW_A-policy-security-rule-ha_local_to_dmz] quit
[FW_A-policy-security] quit

[FW_B] security-policy
[FW_B-policy-security] rule name ha_local_to_dmz
[FW_B-policy-security-rule-ha_local_to_dmz] source-zone local dmz
[FW_B-policy-security-rule-ha_local_to_dmz] destination-zone local dmz
[FW_B-policy-security-rule-ha_local_to_dmz] action permit
[FW_B-policy-security-rule-ha_local_to_dmz] quit
[FW_B-policy-security] quit
- Configure hot standby on the FWs.
# On FW_A, configure the VGMP group to monitor the upstream and downstream service interfaces. On FW_B, configure the VGMP group to monitor the same interfaces and set the device as the standby device.
[FW_A] hrp track interface GigabitEthernet 0/0/1
[FW_A] hrp track interface GigabitEthernet 0/0/3

[FW_B] hrp track interface GigabitEthernet 0/0/1
[FW_B] hrp track interface GigabitEthernet 0/0/3
[FW_B] hrp standby-device
# Specify the heartbeat interface and enable hot standby.
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable

[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
- Configure mirror mode and the hot-standby management interface on FW_A. Because the hot-standby relationship is already established, this configuration is automatically backed up to FW_B.
HRP_M[FW_A] hrp mirror config enable
HRP_M[FW_A] hrp mgt-interface GigabitEthernet 0/0/2
HRP_M[FW_A] quit
- Perform a manual batch backup to synchronize the configuration of FW_A to FW_B.
Mirror mode requires the configurations of the two devices to be identical. At the moment mirroring is enabled the two configurations may still differ; running the hrp sync config command synchronizes them.
HRP_M<FW_A> hrp sync config
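The requirement that both units carry the same configuration is something an operator will want to verify after `hrp sync config`, not just assume. The script below is an added example and is not part of the Huawei documentation or its tooling: it compares two configuration texts (constructed samples in the shape of a running configuration) and reports only genuine drift, after masking the lines that legitimately differ per unit. Which lines count as per-device (`sysname`, the heartbeat interface address, `hrp interface ... remote`, `hrp standby-device`) is an assumption made for this example.

```python
"""Report configuration drift between two HRP mirror-mode firewalls.

Added example, not Huawei's tooling. Mirror mode requires the two units'
configurations to match, but a few lines are legitimately different per
unit; those are masked before comparing so only real drift is reported.
"""
import re

# Top-level lines expected to differ between the two units (assumed list).
PER_DEVICE = [
    re.compile(r"^sysname "),
    re.compile(r"^hrp standby-device$"),
    re.compile(r"^hrp interface \S+ remote "),
]

# Constructed sample configurations: FW_B has not yet received the default
# route, which is the kind of gap a manual batch backup is meant to close.
CONFIG_A = """\
sysname FW_A
#
interface GigabitEthernet0/0/7
 ip address 10.10.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
hrp interface GigabitEthernet0/0/7 remote 10.10.0.2
hrp enable
hrp mirror config enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
"""

CONFIG_B = """\
sysname FW_B
#
interface GigabitEthernet0/0/7
 ip address 10.10.0.2 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
hrp interface GigabitEthernet0/0/7 remote 10.10.0.1
hrp standby-device
hrp enable
hrp mirror config enable
"""


def normalise(config, heartbeat_if):
    """Return a set of (view, line) pairs with per-device lines removed.

    `view` is the enclosing top-level command ("" for top-level lines), so
    identical sub-commands under different interfaces stay distinct.
    """
    entries = set()
    view = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0] != " ":            # top-level command: opens a new view
            view = line
            if any(p.match(line) for p in PER_DEVICE):
                continue
            entries.add(("", line))
        else:                        # sub-command inside the current view
            if view == f"interface {heartbeat_if}" and line.startswith("ip address"):
                continue             # heartbeat address differs by design
            entries.add((view, line))
    return entries


def config_drift(cfg_a, cfg_b, heartbeat_if="GigabitEthernet0/0/7"):
    """Return (only_in_a, only_in_b): sorted lists of entries present on one unit only."""
    a, b = normalise(cfg_a, heartbeat_if), normalise(cfg_b, heartbeat_if)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    only_a, only_b = config_drift(CONFIG_A, CONFIG_B)
    for view, line in only_a:
        print(f"missing on FW_B: {view + ' > ' if view else ''}{line}")
    for view, line in only_b:
        print(f"missing on FW_A: {view + ' > ' if view else ''}{line}")
    if not only_a and not only_b:
        print("configurations match")
```

Run it against the two `display current-configuration` captures (one per unit) and an empty result on both sides is the condition the mirror-mode requirement actually demands; anything reported is either a line that still needs to be synchronized or a per-device line missing from the mask.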
- Complete the network configuration on FW_A so that intranet users can access the Internet. The following configuration is automatically backed up to FW_B.
Once mirror mode is configured, configuration performed on either device is automatically backed up to the other. Compared with traditional hot standby, mirror-mode hot standby additionally backs up interface and route configuration.
# Configure an IP address on each interface.
HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 0/0/1
HRP_M[FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
HRP_M[FW_A-GigabitEthernet0/0/1] quit
HRP_M[FW_A] interface GigabitEthernet 0/0/3
HRP_M[FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
HRP_M[FW_A-GigabitEthernet0/0/3] quit
# Add the interfaces to the corresponding security zones.
HRP_M[FW_A] firewall zone trust
HRP_M[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
HRP_M[FW_A-zone-trust] quit
HRP_M[FW_A] firewall zone untrust
HRP_M[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
HRP_M[FW_A-zone-untrust] quit
# Configure a default route with next hop 1.1.1.10.
HRP_M[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
# Configure a security policy that allows intranet users to access the Internet.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit
# Configure a NAT policy so that when intranet users access the Internet, the source address is translated from the 10.3.0.0/24 segment to an address in the address pool (1.1.1.2-1.1.1.5).
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] route enable
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1
Verification
- Run the display hrp state verbose command on FW_A and FW_B to check the status of the current VGMP group. The following output indicates that hot standby has been established successfully.
HRP_M<FW_A> display hrp state verbose
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: on
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off

Detail information:
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up

HRP_S<FW_B> display hrp state verbose
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(standby), new_state = normal(standby), local_priority = 45000, peer_priority = 45000.

Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: on
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off

Detail information:
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
- The Router is in the untrust zone, and a PC in the Trust zone can ping the Router. Check the sessions on FW_A and on FW_B.
HRP_M<FW_A> display firewall session table
Current Total Sessions : 1
icmp VPN: public --> public 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048

HRP_S<FW_B> display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
FW_B holds a session marked Remote, which shows that session backup works once hot standby is configured.
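The two verification checks above (VGMP group state and the Remote-flagged session on the standby) are easy to eyeball once but tedious to repeat after every change or failover test. The script below is an added example, not part of the Huawei documentation: it parses text in the shape of the `display hrp state verbose` and `display firewall session table` output shown above, captured from both units, and reports whether the pair is healthy. The field names follow the output on this page; the embedded sample text is constructed, and the health criteria (one active and one standby, mirror configuration on, equal local and peer priorities, every tracked interface up, every active session present on the standby with the Remote flag) are this example's own choice.

```python
"""Check HRP pair health and session backup from CLI output.

Added example, not Huawei tooling. Parses `display hrp state verbose` and
`display firewall session table` text from both units. The priority check
relies on the fact that a tracked-interface failure lowers one side's
priority, so unequal local/peer priorities point at a degraded link.
"""
import re

# Constructed sample output, shaped like the verification section above.
HRP_STATE_A = """\
Role: active, peer: standby
Running priority: 45000, peer: 45000
Configuration:
mirror configuration: on
mirror session: off
Detail information:
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
"""
HRP_STATE_B = HRP_STATE_A.replace("Role: active, peer: standby", "Role: standby, peer: active")

SESSIONS_A = """\
Current Total Sessions : 1
icmp VPN: public --> public 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
"""
SESSIONS_B = """\
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
"""

SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*(?P<vpn>\S+)\s+-->\s+(?P<peer_vpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?(?P<src>\S+)\s+-->\s+(?P<dst>\S+)$")


def parse_hrp_state(text):
    """Return role, peer, priorities and the Configuration / Detail sections."""
    state = {"config": {}, "interfaces": {}}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m_role = re.match(r"Role: (\w+), peer: (\w+)", line)
        m_prio = re.match(r"Running priority: (\d+), peer: (\d+)", line)
        if m_role:
            state["role"], state["peer"] = m_role.groups()
        elif m_prio:
            state["priority"], state["peer_priority"] = map(int, m_prio.groups())
        elif line == "Configuration:":
            section = "config"
        elif line == "Detail information:":
            section = "interfaces"
        elif section and ":" in line:       # "key: value" rows of the current section
            key, _, value = line.partition(":")
            state[section][key.strip()] = value.strip()
    return state


def check_pair(state_a, state_b):
    """Return a list of problems; an empty list means the HRP pair is healthy."""
    problems = []
    roles = sorted(s.get("role", "?") for s in (state_a, state_b))
    if roles != ["active", "standby"]:
        problems.append(f"expected one active and one standby unit, got {roles}")
    if state_a.get("peer") != state_b.get("role") or state_b.get("peer") != state_a.get("role"):
        problems.append("each unit's view of its peer does not match the peer's own role")
    for name, st in (("A", state_a), ("B", state_b)):
        if st["config"].get("mirror configuration") != "on":
            problems.append(f"{name}: mirror configuration is not on")
        if st.get("priority") != st.get("peer_priority"):
            problems.append(f"{name}: priority {st.get('priority')} differs from peer "
                            f"{st.get('peer_priority')} (a tracked link may be down)")
        down = [i for i, s in st["interfaces"].items() if s != "up"]
        if down:
            problems.append(f"{name}: tracked interfaces not up: {down}")
    return problems


def parse_sessions(text):
    """Return {(proto, src, dst): has_remote_flag} for each session line."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            key = (m.group("proto"), m.group("src"), m.group("dst"))
            sessions[key] = m.group("remote") is not None
    return sessions


def check_session_backup(active, standby):
    """Every active session must exist on the standby and carry the Remote flag."""
    problems = []
    for key in active:
        if key not in standby:
            problems.append(f"session not backed up to standby: {key}")
        elif not standby[key]:
            problems.append(f"standby holds session without Remote flag: {key}")
    return problems


def report(hrp_a=HRP_STATE_A, hrp_b=HRP_STATE_B, sess_a=SESSIONS_A, sess_b=SESSIONS_B):
    """Combine both checks, picking active/standby from the parsed roles."""
    a, b = parse_hrp_state(hrp_a), parse_hrp_state(hrp_b)
    problems = check_pair(a, b)
    active, standby = (sess_a, sess_b) if a.get("role") == "active" else (sess_b, sess_a)
    problems += check_session_backup(parse_sessions(active), parse_sessions(standby))
    return problems


if __name__ == "__main__":
    issues = report()
    print("HRP pair healthy, sessions backed up" if not issues else "\n".join(issues))
```

Feed `report()` the real captures from both units and run it before and after the interface shutdown test in the next step: the priority and tracked-interface checks are what should flip during the failover, and the session check tells you whether the surviving unit actually took over the existing flows.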
- On the PC run ping 1.1.1.10 -t, then shut down interface GE0/0/1 on FW_A and observe the firewall state switchover and the ping packet loss; then run undo shutdown on GE0/0/1 of FW_A and again observe the state switchover and the ping packet loss.