Firewall interzone config

Created: May 12, 2021 17:02:05 | Latest reply: May 13, 2021 06:28:04
Rewarded HiCoins: 0 (problem resolved)

Hello Guys,


I am new to Huawei equipment. So there is a Huawei firewall installed at a client site which I need to maintain and configure. Can someone please explain to me the meaning and purpose of the following commands?


acl number 3001
 description OAM_IN
 rule 5 permit ip source 10.10.13.0 0.0.0.255
 rule 10 permit ip source 10.10.14.0 0.0.0.255
#
acl number 3002
 description OAM_OUT
 rule 5 permit ip
#
firewall zone local
 set priority 100
#
firewall zone name oam_management
 set priority 90
 add interface GigabitEthernet1/0/9
 add interface GigabitEthernet2/0/9
#
firewall interzone local oam_management
 packet-filter 3001 inbound
 packet-filter 3002 outbound

So what exactly does the firewall interzone command achieve in this scenario? I am confused since the zone LOCAL has no interface assigned to it. Does this ACL control traffic destined to the firewall interface?


Also the following commands. 

 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound

Are these commands there by default, or do they need to be added manually, and what is their purpose?


Forgive me for asking basic questions, but I have been searching the internet and did not find any explanation.


Thanks



Featured Answers
chenhui
Admin Created May 13, 2021 04:00:00

Posted by DDSN at 2021-05-13 01:27: Hi user_4225125, What is your equipment? What is the device version? The command line is different be ...

Hello!


Please refer to the explanation below:


firewall interzone local oam_management    //defines an interzone and enters the interzone view to set the interzone security policy.


packet-filter 3001 inbound
packet-filter 3002 outbound


For the explanation of the interzone, you could refer to the below link:


https://support.huawei.com/hedex/hdx.do?docid=EDOC1100149308&id=EN-US_CONCEPT_0178932935&lang=en.


firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound


These commands are used to configure the default packet filtering rule between the security zones on the virtual firewall. By default, the packets of the USG2110-X/2100/2200/5100/5500 are permitted in the outbound direction from the Local zone to other security zones and in both directions between the Trust zone and the Local zone. 


The packets in all directions of the other interzones are denied. The packets of the USG2100/2200/USG5100 BSR/HSR in all directions of all interzones are permitted.


For more information about this command, please refer to the below link:


https://support.huawei.com/hedex/hdx.do?docid=EDOC1000132495&id=firewall_packet_filter_default&lang=en.


All Answers
ariase88
ariase88 Admin Created May 12, 2021 17:07:51

Thanks for contacting the Huawei community!

We are checking your question and will provide an answer to you shortly...

DDSN
DDSN Admin Created May 13, 2021 01:27:35

Hi user_4225125,
What is your equipment? What is the device version? The command line is different between different devices and different versions.

DDSN
DDSN Admin Created May 13, 2021 06:28:04

Hi user_4225125,
The acl number 3001/3002 command is used to create an access control list 3001/3002 and enter the ACL view.
The description OAM_IN/OAM_OUT command is used to describe ACL 3001 and 3002 respectively.
rule 5 permit ip source 10.10.13.0 0.0.0.255
rule 10 permit ip source 10.10.14.0 0.0.0.255

The rule command is used to create ACL rules. For example, the meaning of rule 5 permit ip source 10.10.13.0 0.0.0.255 is to allow data packets with a source IP address of 10.10.13.0/24 to pass. You can refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1000086439&id=rule_acl_view&lang=en.
The firewall zone name command is used to create a firewall zone and enter the zone view.
The set priority command is used to set the priority of the area.
The firewall interzone local oam_management command is used to create an interzone between the local zone and oam_management and enter the security interzone view.
The packet-filter 3001 inbound and packet-filter 3002 outbound commands apply the packet filtering rules 3001 and 3002 respectively in the inbound and outbound directions of the interzone.
The Local area defines the device itself, including the interfaces of the device itself. All messages constructed and actively sent by the device can be considered to be sent from the Local zone, and all messages that require the device to respond and process (not only detect or forward directly) can be considered to be accepted by the Local zone. The user cannot change any configuration of the Local zone itself, including adding interfaces to it.
The firewall packet-filter default command is used to configure the default packet filtering in the interzone.
For example, the firewall packet-filter default permit interzone local trust direction inbound command means to configure the default packet filtering rule for the inbound direction of interzone between the local and trust security zones as permit. You can refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1000086439&id=firewall_packet_filter_default&lang=en.
Different devices have different default inter-domain rules. By default, the packets of the USG2110-X/2100/2200/5100/5500 are permitted in the outbound direction from the Local zone to other security zones and in both directions between the Trust zone and the Local zone, and the packets in all directions of other interzones are denied. The packets of the USG2100/2200/USG5100 BSR/HSR in all directions of all interzones are permitted.

I hope it helps!

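To make the two answers concrete, here is an added example (not from the thread or from Huawei) that models the local/oam_management interzone in Python: direction is derived from the zone priorities in the posted config (lower priority towards higher priority is inbound), the bound ACL is walked in rule order with Huawei-style wildcard masks, and unmatched traffic falls back to the interzone default. The fallback of deny is an assumption taken from the thread's statement that, on these models, interzones other than local/trust deny by default.

```python
import ipaddress

# Zone priorities copied from the posted configuration (constructed model, not a device API).
ZONES = {"local": 100, "oam_management": 90}

# ACL rules as (rule id, action, source network, wildcard mask); None means "any source".
ACLS = {
    3001: [(5, "permit", "10.10.13.0", "0.0.0.255"),
           (10, "permit", "10.10.14.0", "0.0.0.255")],
    3002: [(5, "permit", None, None)],
}

# packet-filter bindings of the local/oam_management interzone from the posted config.
PACKET_FILTER = {"inbound": 3001, "outbound": 3002}

# Assumption: traffic matching no ACL rule gets the interzone default, which the
# thread states is deny for every interzone except local/trust on these models.
DEFAULT_ACTION = "deny"


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match the network, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (net_i & care)


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound = lower-priority zone towards higher-priority zone; outbound = the reverse."""
    return "inbound" if ZONES[src_zone] < ZONES[dst_zone] else "outbound"


def evaluate(src_zone: str, dst_zone: str, src_ip: str):
    """Return (action, matching rule id or None) for a packet crossing the interzone."""
    acl = ACLS[PACKET_FILTER[direction(src_zone, dst_zone)]]
    for rule_id, action, network, wildcard in acl:  # first match wins
        if network is None or wildcard_match(src_ip, network, wildcard):
            return action, rule_id
    return DEFAULT_ACTION, None


if __name__ == "__main__":
    # Management hosts reaching the firewall itself (inbound to local) and the
    # firewall's own replies (outbound from local); constructed sample addresses.
    for src, dst, ip in [("oam_management", "local", "10.10.13.25"),
                         ("oam_management", "local", "10.10.15.1"),
                         ("local", "oam_management", "10.10.13.1")]:
        print(f"{src} -> {dst} from {ip}: {direction(src, dst)} {evaluate(src, dst, ip)}")
```

Running it shows why the OP's reading is right: ACL 3001 only gates traffic whose destination is the firewall (the Local zone), and a management host outside 10.10.13.0/24 or 10.10.14.0/24 is dropped by the default rather than by an explicit deny.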
