Understand Firewall Hot Standby Using the CLI - In Practice
Hello guys!
Today, I would like to present an introduction to Firewall Hot Standby.
About This Experiment
In this experiment, two firewalls are deployed at the egress of the network so that communication between the intranet and the Internet continues if one of them fails.
Objectives:
Understand the basic principle of hot standby.
Understand the VGMP and HRP protocols.
Configure firewall hot standby on the CLI and web UI.
PS: All addresses used in the example are fictitious and are used only in a lab environment for study purposes.
Experiment Networking

Experiment Planning
The security devices (USGs) are deployed as a service node. The upstream and downstream devices are switches. FW1 and FW2 work in active/standby mode.
| Device Name | Port | IP Address | Zone |
|---|---|---|---|
| FW1 | G1/0/1 | 10.1.2.1 | Trust |
| FW1 | G1/0/3 | 30.1.1.1 | DMZ |
| FW1 | G1/0/4 | 40.1.1.1 | Untrust |
| FW2 | G1/0/1 | 10.1.2.2 | Trust |
| FW2 | G1/0/3 | 30.1.1.2 | DMZ |
| FW2 | G1/0/4 | 40.1.1.2 | Untrust |
| PC1 | E0/0/1 | 10.1.2.100 | Trust |
| PC2 | E0/0/1 | 2.2.2.2 | Untrust |

Table 1 - Port addresses and zones
Experiment Tasks
| No. | Task | Subtask | Description |
|---|---|---|---|
| 1 | Complete basic configurations. | Configure security zones. | Add interfaces to security zones. |
| 2 | Configure hot standby. | Configure hot standby. | Set the hot standby mode to active/standby. USG6330-1 (FW1) is active, and USG6330-2 (FW2) is standby. |
| 2 | Configure hot standby. | Configure virtual IP addresses. | Create VRRP groups 1 and 2. |
| 3 | Configure a security policy. | Configure an interzone security policy. | Permit the packets from the Trust zone to the Untrust zone. |
Experiment Task Configuration
Configuration Roadmap
1. Configure IP addresses for interfaces and add the interfaces to security zones. Configure a security policy to permit packets from the Trust zone to the Untrust zone.
2. Configure hot standby in active/standby mode. FW1 is active, and FW2 is standby.
Configuration Procedure
Step 1 Complete the configuration of the upstream and downstream service interfaces on FW1. Configure IP addresses for the interfaces and add the interfaces to security zones.

Create VRRP group 1 on GigabitEthernet1/0/4, and add it to the active VGMP group.

Create VRRP group 2 on GigabitEthernet1/0/1, and add it to the active VGMP group.

Step 2 Configure the heartbeat link on FW1.
Configure an IP address for GigabitEthernet1/0/3.

Add GigabitEthernet1/0/3 to the DMZ.

Specify GigabitEthernet1/0/3 as the heartbeat interface.

Step 3 Configure a security policy to permit packets from the Trust zone to the Untrust zone.

Step 4 Enable HRP.

Step 5 Configure FW2 (USG6330-2).
The configuration on FW2 is the same as that on FW1, except that:
1. The interface IP addresses on FW2 are those listed for FW2 in Table 1.
2. The service interfaces GigabitEthernet1/0/1 and GigabitEthernet1/0/4 of FW2 are added to the standby VGMP group instead of the active one.
Step 6 Configure the switches.
Add the three interfaces of each switch to the same VLAN (default VLAN). For configuration commands, refer to the relevant switch documents.
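The screenshots of the CLI for Steps 1 to 5 are not reproduced here, so the following is an added example of the complete configuration on both firewalls as it would be typed on a USG6000-series system view. It is not the original page's own listing. The page gives only the physical interface addresses; the /24 masks, the VRRP virtual addresses 10.1.2.3 (group 2, Trust side) and 40.1.1.3 (group 1, Untrust side), the rule name, and the sysnames are assumptions of this example.

```text
#
# FW1 (USG6330-1, active). Assumed: /24 masks, virtual IPs 10.1.2.3 and
# 40.1.1.3, sysname FW1, rule name trust_to_untrust (not in the original).
#
sysname FW1
#
# Step 1: downstream (Trust) and upstream (Untrust) service interfaces.
# Each carries one VRRP group, bound to the active VGMP group with "active".
interface GigabitEthernet1/0/1
 ip address 10.1.2.1 24
 vrrp vrid 2 virtual-ip 10.1.2.3 active
quit
interface GigabitEthernet1/0/4
 ip address 40.1.1.1 24
 vrrp vrid 1 virtual-ip 40.1.1.3 active
quit
firewall zone trust
 add interface GigabitEthernet1/0/1
quit
firewall zone untrust
 add interface GigabitEthernet1/0/4
quit
#
# Step 2: heartbeat link. The interface goes into the DMZ and is declared
# as the HRP interface; "remote" is the peer's heartbeat address.
interface GigabitEthernet1/0/3
 ip address 30.1.1.1 24
quit
firewall zone dmz
 add interface GigabitEthernet1/0/3
quit
hrp interface GigabitEthernet1/0/3 remote 30.1.1.2
#
# Step 3: interzone policy permitting Trust -> Untrust.
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  action permit
 quit
quit
#
# Step 4: enable HRP. Once the unit becomes active the prompt shows HRP_M.
hrp enable

#
# FW2 (USG6330-2, standby): identical structure, its own addresses, and the
# VRRP groups bound to the standby VGMP group with "standby".
#
sysname FW2
interface GigabitEthernet1/0/1
 ip address 10.1.2.2 24
 vrrp vrid 2 virtual-ip 10.1.2.3 standby
quit
interface GigabitEthernet1/0/4
 ip address 40.1.1.2 24
 vrrp vrid 1 virtual-ip 40.1.1.3 standby
quit
interface GigabitEthernet1/0/3
 ip address 30.1.1.2 24
quit
firewall zone trust
 add interface GigabitEthernet1/0/1
quit
firewall zone untrust
 add interface GigabitEthernet1/0/4
quit
firewall zone dmz
 add interface GigabitEthernet1/0/3
quit
hrp interface GigabitEthernet1/0/3 remote 30.1.1.1
# Same Trust -> Untrust security policy as on FW1.
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  action permit
 quit
quit
hrp enable
```

Two points a practitioner will want to check. First, the hosts must use the virtual addresses as their gateways (PC1 would point at 10.1.2.3 under the assumptions above), not the physical address of either firewall; otherwise a failover changes nothing for them. Second, the heartbeat interface carries HRP, which synchronises session tables and configuration between the two units, so it belongs on a directly connected, dedicated link in its own zone, as the DMZ placement here does. On releases whose `hrp interface` command takes no `remote` keyword, omit that keyword; the rest is unchanged.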
Verification
Run `display hrp state` on both firewalls: FW1 should report the active role and FW2 the standby role, and `display vrrp` should show VRRP groups 1 and 2 as master on FW1 and backup on FW2. PC1 should then be able to reach PC2 through FW1, and continue to do so after FW1 is shut down.

With that, our practical example is complete.
Cheers,


