拓撲:
FW1配置:
===========================================================
#
sysname BJ-ZHX-FW
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
hrp enable
hrp interface GigabitEthernet1/0/1 remote 172.16.1.3
hrp mirror session enable
#
update schedule location-sdb weekly Sun 04:31
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 03:05
update schedule av-sdb daily 03:05
update schedule sa-sdb daily 03:05
update schedule cnc daily 03:05
update schedule file-reputation daily 03:05
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%ZQ;m-9q/q'<BPPLOT|'8sr^0,V;(0@Pf_ArO2V>gbe5'r^3s@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%{/`5=)V.0<nJO8P"!QCJl^#/xmJEY)8`n:tl]l,!wpf2^#2l@%@%
level 15
manager-user admin
password cipher @%@%gA7vWvz;k09AYt4NY\a-Bz]T%i0@&bR:>(Ln$f.=(F'Gz]WB@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.1.2 255.255.255.224
vrrp vrid 10 virtual-ip 172.16.1.1 active
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.10.1.2 255.255.255.224
vrrp vrid 20 virtual-ip 10.10.1.1 active
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 61.135.142.2 255.255.255.224
vrrp vrid 30 virtual-ip 61.135.142.1 active
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 61.135.142.4
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name trust-to-untrust
source-zone trust
destination-zone untrust
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
FW2配置:
===========================================================
sysname BJ-ZHX-FW
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
hrp enable
hrp interface GigabitEthernet1/0/1 remote 172.16.1.2
hrp mirror session enable
#
update schedule location-sdb weekly Sun 23:56
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 03:35
update schedule av-sdb daily 03:35
update schedule sa-sdb daily 03:35
update schedule cnc daily 03:35
update schedule file-reputation daily 03:35
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%KDw1,0Q'17)qsb=]pt'6VpAPhlUmN1Z%]2diT+:'!S(3pASV@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%6u4-!!(D^Ma>^y-Ucwd~&CG\r5u2"8FA9HkfX<$bjin*CG_&@%@%
level 15
manager-user admin
password cipher @%@%fFX,:}VC-#)3wk-.Vbl<dN|xS>cH3fbdz8wBodLAFi}MN|{d@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.1.3 255.255.255.224
vrrp vrid 10 virtual-ip 172.16.1.1 standby
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.10.1.3 255.255.255.0
vrrp vrid 20 virtual-ip 10.10.1.1 standby
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 61.135.142.3 255.255.255.224
vrrp vrid 30 virtual-ip 61.135.142.1 standby
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 61.135.142.4
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name trust-to-untrust
source-zone trust
destination-zone untrust
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
在BJ-ZXH-FW上查看防火牆的主備狀態
===========================================================
HRP_M<BJ-ZHX-FW>display hrp state
2019-04-27 06:45:53.230
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 16 minutes
Last state change information: 2019-04-27 6:27:04 HRP link changes to up.
HRP_S<BJ-ZHX-FW>display hrp state
2019-04-27 06:46:14.280
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 16 minutes
Last state change information: 2019-04-27 6:27:05 HRP link changes to up.
HRP_S<BJ-ZHX-FW>