Firewall Hot Standby Technologies PDF
Document Details
Uploaded by MomentousWolf7749
Summary
This Huawei document details the technical principles and application scenarios of Firewall Hot Standby Technologies, including VRRP, VGMP, and HRP. It explains how to configure and use hot standby firewalls for high reliability.
Full Transcript
Firewall Hot Standby Technologies

Foreword
⚫ With the rapid development of services such as mobile office, online shopping, instant messaging, Internet finance, and Internet education, networks carry more and more important services. Therefore, how to ensure uninterrupted service transmission on networks becomes an urgent problem to be resolved during network development.
⚫ Hot standby technologies enable firewalls to be deployed at the network egress to ensure communication reliability between internal and external networks.

Huawei Confidential

Objectives
⚫ On completion of this course, you will be able to:
  Understand the hot standby fundamentals.
  Master the basic hot standby configurations.

Contents
1. Hot Standby Fundamentals
  ◼ VRRP
  ▫ VGMP Group
  ▫ HRP
  ▫ Firewall Hot Standby
2. Hot Standby Basic Networking and Configuration

Background of Hot Standby Technologies
⚫ As shown in the figure on the left, all packets exchanged between intranet and Internet users pass through firewall A. If firewall A is faulty, all hosts that use firewall A as the default gateway on the intranet cannot communicate with the Internet. As a result, communication reliability cannot be ensured.
⚫ As a security device, a firewall is typically deployed between a network to be protected and an unprotected network, that is, on the network border. If only one firewall is deployed on the network border, the system may face the risk of network interruptions caused by a single point of failure no matter how highly reliable the firewall is. To prevent this problem, two firewalls can be deployed to implement hot standby.
[Figure: left, intranet PCs and servers behind a single Firewall A; right, the same intranet behind Firewall A and Firewall B.]

VRRP-based Router Redundancy Deployment
⚫ Virtual Router Redundancy Protocol (VRRP) is a fault tolerance protocol that enables a backup router to automatically replace a faulty master router — the next hop (default gateway) of a host. In this way, the backup router can forward packets if a fault occurs, thereby ensuring the continuity and reliability of network communication. Routers in a VRRP group play two roles: master and backup.
⚫ When Router A is working properly:
  Router A functions as the master device in the VRRP group and is responsible for forwarding data traffic.
⚫ When Router A is faulty:
  Router B detects VRRP heartbeat timeout and is elected as the new master device.
  Router B sends a gratuitous ARP packet. After receiving the packet, the switch updates its MAC address table.
  Router B responds to users' ARP requests and forwards traffic.
[Figure: Router A (master) and Router B (backup) in a VRRP group, connected through a switch to an intranet host.]

VRRP Application in Multi-Zone Firewall Networking
⚫ When hot standby is required for firewalls in multiple zones, you need to configure multiple VRRP groups on each firewall.
[Figure: Firewall A (master) and Firewall B (backup) with three VRRP groups. VRRP group 1 faces the Trust zone (10.100.10.0/24), virtual IP address 10.100.10.1. VRRP group 2 faces the DMZ (10.100.20.0/24), virtual IP address 10.100.20.1. VRRP group 3 faces the Untrust zone, virtual IP address 202.38.10.1.]

Defects of VRRP in Firewall Applications
⚫ Traditional VRRP cannot ensure the state information consistency and VRRP status consistency between the master and backup firewalls in multiple VRRP groups.
⚫ When the VRRP status of Firewall A is the same as that of Firewall B:
  When PC1 in the Trust zone accesses PC2 in the Untrust zone, the forward and return paths of the packets are the same, Firewall A passes the stateful inspection, and the communication is normal.
⚫ When the VRRP status of Firewall A is different from that of Firewall B:
  The upstream link of Firewall A is faulty, and Firewall B becomes the new master device of VRRP group 3.
  When PC1 in the Trust zone accesses PC2 in the Untrust zone, the forward and return paths of the packets are inconsistent, Firewall B fails the stateful inspection, and packet loss occurs.
[Figure: PC1 (Trust) reaching PC2 (Untrust) in numbered steps 1 to 5 through Firewall A (master, holding the session entry) and Firewall B (backup). VRRP group 1 faces Trust, VRRP group 2 faces the server in the DMZ, VRRP group 3 faces Untrust.]

Contents
1. Hot Standby Fundamentals
  ▫ VRRP
  ◼ VGMP Group
  ▫ HRP
  ▫ Firewall Hot Standby
2. Hot Standby Basic Networking and Configuration

VGMP Basic Principles (1)
⚫ To ensure the consistent VRRP group status, the VRRP Group Management Protocol (VGMP) is introduced based on VRRP.
  Multiple VRRP groups on a firewall are added to the same VGMP group. The VGMP group manages the status of all VRRP groups in a unified manner to ensure the consistent VRRP group status.
  The VGMP group state of firewalls can be load-balance, active, or standby.
  A VGMP group notifies its running status by sending VGMP packets, and elects the VGMP active and standby devices based on priority. The VGMP group state of the VGMP active device is active, and that of the VGMP standby device is standby.
  When the VGMP group state of a firewall is active/standby, all VRRP groups in the VGMP group are in active/standby state.
⚫ The figure shows the process of electing the VGMP active and standby devices.
[Figure: Firewall A (VGMP active, VRRP master) and Firewall B (VGMP standby, VRRP backup) exchange Hello packets; VRRP group 2 faces Untrust and VRRP group 1 faces Trust. Process boxes: Configure VRRP. Enable VGMP. Elect the VGMP active and standby devices. Switch the VRRP group status.]

VGMP Basic Principles (2)
⚫ When a fault occurs, VGMP switches the status of VRRP groups 1 and 2.
  When a VGMP group is in active state, the state of all VRRP groups in the VGMP group is master.
  When a VGMP group is in standby state, the state of all VRRP groups in the VGMP group is backup.
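
The asymmetric-path failure on the VRRP defects slide and the unified switching described under VGMP Basic Principles can be reproduced with a small model. This is an added example, not part of the Huawei material and not Huawei code; all names are hypothetical, Firewall B is assumed healthy, and forward traffic is taken to be handled by the VRRP group 1 master and return traffic by the VRRP group 3 master, as the slide describes.

```python
# Added example: a simplified model, not Huawei code. All names are hypothetical.
from dataclasses import dataclass, field

# VRRP groups as on the multi-zone slide: 1 faces Trust, 2 the DMZ, 3 Untrust.
GROUPS = (1, 2, 3)
TRUST_GROUP, UNTRUST_GROUP = 1, 3


@dataclass
class Firewall:
    name: str
    link_up: dict = field(default_factory=lambda: {g: True for g in GROUPS})
    sessions: set = field(default_factory=set)  # stateful session table

    def forward_first_packet(self, src, dst):
        """Forward direction: create the session entry for the flow."""
        self.sessions.add((src, dst))

    def inspect_return(self, src, dst):
        """Return direction: pass only if this firewall holds the session."""
        return (dst, src) in self.sessions


def elect_per_group(fw_a, fw_b):
    """Plain VRRP: each group switches alone when its own link fails."""
    return {g: fw_a if fw_a.link_up[g] else fw_b for g in GROUPS}


def elect_with_vgmp(fw_a, fw_b):
    """VGMP-style: a fault in any member group switches all groups together.
    Assumption: Firewall B is healthy, so no priority comparison is modelled."""
    active = fw_a if all(fw_a.link_up.values()) else fw_b
    return {g: active for g in GROUPS}


def pc1_to_pc2(elect, upstream_fault_on_a):
    """Send PC1 -> PC2 and the reply; return (forward fw, return fw, passed)."""
    fw_a, fw_b = Firewall("A"), Firewall("B")
    fw_a.link_up[UNTRUST_GROUP] = not upstream_fault_on_a
    master = elect(fw_a, fw_b)
    out_fw = master[TRUST_GROUP]     # PC1's default gateway is the group 1 master
    back_fw = master[UNTRUST_GROUP]  # PC2's reply arrives at the group 3 master
    out_fw.forward_first_packet("PC1", "PC2")
    passed = back_fw.inspect_return("PC2", "PC1")
    return out_fw.name, back_fw.name, passed


if __name__ == "__main__":
    for label, elect in (("per-group VRRP", elect_per_group),
                         ("VGMP-managed", elect_with_vgmp)):
        for fault in (False, True):
            out_fw, back_fw, passed = pc1_to_pc2(elect, fault)
            verdict = "reply passes" if passed else "reply dropped (no session)"
            print(f"{label:15} upstream fault on A={fault!s:5} "
                  f"forward via {out_fw}, return via {back_fw}: {verdict}")
```

With per-group VRRP the reply is dropped only in the fault case, because the session entry sits on Firewall A while the reply reaches Firewall B; with the groups switched together, both directions use the same firewall.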
[Figure, VGMP Basic Principles (2): left, Firewall A is VGMP active and VRRP master in VRRP groups 1 and 2 while Firewall B is VGMP standby and VRRP backup; right, the roles are swapped. VRRP group 2 faces Untrust and VRRP group 1 faces Trust.]

VGMP Group Management
⚫ Status consistency management
  A VGMP group controls the status switchover of all VRRP groups in a unified manner. After a VRRP group is added to a VGMP group, the status of the VRRP group cannot be switched independently.
⚫ Preemption management
  When the original active device recovers, the priority of its VGMP group is also restored. In this case, the original active device preempts to be the active device. After a VRRP group is added to a VGMP group, the preemption function of the VRRP group becomes ineffective, and the VGMP group determines whether to perform preemption.
⚫ Channel management
  Channel management determines available interfaces between two firewalls in hot standby mode. The VGMP and HRP modules automatically select available interfaces to send VGMP and HRP packets.

Contents
1. Hot Standby Fundamentals
  ▫ VRRP
  ▫ VGMP Group
  ◼ HRP
  ▫ Firewall Hot Standby
2. Hot Standby Basic Networking and Configuration

Basic HRP Concepts
⚫ The Huawei Redundancy Protocol (HRP) dynamically backs up status data and key configuration commands between the active and standby firewalls.
⚫ Backup direction
  Configuration commands that can be backed up can be executed only on the active device. These commands are automatically backed up to the standby device, for example, security and NAT policy configuration commands.
  In active/standby networking, only the active device processes services, generates service entries, and backs up the service entries to the standby device. In load balancing networking, both devices process services, generate service entries, and back up the service entries to the peer device.
⚫ Backup channel
  The network administrator needs to specify a backup channel interface to back up configuration and status data. Generally, the directly connected ports on two firewalls set up the backup channel, which is also called the heartbeat link (VGMP uses this channel for communication).
[Figure: Firewall A (VGMP active, VRRP master) and Firewall B (VGMP standby, VRRP backup) joined by a heartbeat link; VRRP group 2 faces Untrust and VRRP group 1 faces Trust.]

Configuration and Status Backup
⚫ To ensure smooth service switchover between two devices, the two devices need to back up their configurations and status information.

Backup Mode
⚫ Automatic backup: This function can automatically back up configuration commands in real time and periodically back up status information. This function is enabled by default and applies to various networks that require hot standby.
⚫ Manual batch backup needs to be manually triggered by the administrator. Each time the manual batch backup command is executed, the active device immediately synchronizes the configuration commands and status information to the standby device.
⚫ Automatic configuration synchronization between the active and standby firewalls after device restart: The device that is successfully restarted automatically synchronizes the configuration from the firewall that is carrying services.
⚫ Quick session backup: This function applies to the load balancing scenario where the forward and return paths of packets are inconsistent.

Backup Content
⚫ Device configuration
  Policies: include security policy, NAT policy, authentication policy, attack defense, and ASPF.
  Objects: include address, region, service, application, user, authentication server, time range, address pool, URL category, keyword group, mail address group, signature, and security profile.
  Networks: include logical interface, security zone, DNS, static route (static routes can be backed up only after the hrp auto-sync config static-route command is configured), IPsec, and SSL VPN.
  System: includes the administrator, virtual system, and log configuration.
⚫ Status information: includes session table, server-map table, blacklist, whitelist, address mapping table, MAC address table, user table, IPsec SA, and tunnel.

HRP Heartbeat Link
⚫ In hot standby networking, two firewalls learn each other's status and back up configuration commands as well as various entries by exchanging messages through a heartbeat link. The interfaces at both ends of a heartbeat link are called heartbeat interfaces. A heartbeat interface can be a physical interface (GE interface) or a logical interface (Eth-Trunk) that is formed by bundling multiple physical interfaces.
[Figure: two cases. A physical interface functions as a heartbeat interface: GE1/0/1 on each firewall. An Eth-Trunk interface functions as a heartbeat interface: Eth-Trunk1 on each firewall, bundling GE1/0/1, GE1/0/2, and GE1/0/3. Legend: heartbeat interface, HRP data packets.]

Heartbeat Interface Status
⚫ An HRP heartbeat interface has five states: Invalid, Down, Peerdown, Ready, and Running.
[Figure: a physical interface functions as a heartbeat interface. Four heartbeat links between two firewalls, with the state shown at each end: GE1/0/1 (1.1.1.1 and 1.1.1.2), Invalid and Peerdown; GE1/0/2 (2.2.2.1 and 2.2.2.2), Peerdown and Down; GE1/0/3 (3.3.3.1 and 3.3.3.2), Running and Running; GE1/0/4 (4.4.4.1 and 4.4.4.2), Ready and Ready. Legend: heartbeat interface, heartbeat link, HRP heartbeat link detection packets, HRP data packets.]

Contents
1. Hot Standby Fundamentals
  ▫ VRRP
  ▫ VGMP Group
  ▫ HRP
  ◼ Firewall Hot Standby
2. Hot Standby Basic Networking and Configuration

Application Scenario of Firewall Hot Standby in Active/Standby Mode
⚫ Application scenario
  Firewall hot standby applies to scenarios that require high reliability, such as enterprise office scenarios. To improve network reliability, two firewalls can be deployed at the egress of an enterprise network to implement hot standby. To meet service requirements, the firewalls work in active/standby mode.
⚫ Configuration analysis
  VGMP group status of firewalls: Firewall A is the master firewall, and its VGMP group status is active. Firewall B is the backup firewall, and its VGMP group status is standby.
  VRRP group: VRRP group 1 is configured in the downstream direction of the firewalls, and VRRP group 2 is configured in the upstream direction of the firewalls. In VRRP groups 1 and 2, Firewall A is configured as the master device, and Firewall B as the backup device.
  Backup mode: By default, the automatic backup mode is used.
  Backup interface: Interfaces GE0/0/1 of the firewalls are the heartbeat interfaces and are connected through the heartbeat link.
  Preemption: This function is enabled by default. The default preemption delay is 60s.
[Figure: Host A and Host B on the intranet connect through Switch A and Switch B (VRRP group 1) to Firewall A (master) and Firewall B (backup), which are joined by a heartbeat link on GE0/0/1 and connect upstream through Switch C and Switch D (VRRP group 2).]

Working Process of Firewall Hot Standby in Active/Standby Mode
⚫ Firewall status: Firewall A is the master device, its VGMP group status is active, and its status in VRRP groups 1 and 2 is master. Firewall B is the backup device, its VGMP group status is standby, and its status in VRRP groups 1 and 2 is backup.
⚫ Configuration and status backup: The configuration and status of Firewall A are backed up to Firewall B through the heartbeat link in real time.
⚫ Traffic forwarding path: Firewall A sends gratuitous ARP packets to Switch A and Switch C to update the MAC address tables of the switches. When Host A accesses the Internet, it queries the gateway MAC address (MAC address of the VRRP virtual IP address) through ARP. Firewall A replies with the VRRP virtual MAC address. Host A then sends service packets to Switch A. Switch A forwards the traffic to Firewall A based on the MAC address table, and then Firewall A forwards the traffic to the Internet. The traffic forwarding process is similar in the return direction.
[Figure: the same topology with Firewall A as master and Firewall B as backup, marking the traffic from Host A to the Internet and the traffic from Host B to the Internet.]

Active/Standby Switchover of Firewall Hot Standby (1)
⚫ Service port/line fault
  As shown in the figure, when the service interface or service line of Firewall A is faulty, the priority of the VGMP group on Firewall A decreases and Firewall A sends a VGMP request packet.
  After receiving the VGMP request packet, Firewall B compares the VGMP group priority in the packet with its own VGMP group priority and sends a VGMP response packet.
  After receiving the response packet, Firewall A switches its VGMP group status to standby, and the status of VRRP groups 1 and 2 to backup.
  Firewall B switches its VGMP group status to active, and the status of VRRP groups 1 and 2 to master. Firewall B sends gratuitous ARP packets to Switch B and Switch D.
[Figure: the same topology after the switchover, with Firewall A as backup and Firewall B as master.]

Active/Standby Switchover of Firewall Hot Standby (2)
⚫ Device fault
  Firewall A is faulty and does not send HRP Hello packets. Firewall B does not receive HRP Hello packets from Firewall A within five packet transmission intervals and becomes the master device. Firewall B then changes its VGMP group status to active and the status of VRRP groups 1 and 2 to master.
[Figure: the same topology with Firewall A marked as faulty and Firewall B as master.]
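
The two switchover triggers above (a drop in VGMP group priority after a service interface fault, and five missed HRP Hello intervals after a device fault) can be followed in a toy state model. This is an added example, not Huawei's implementation: the priority numbers, the one-tick Hello interval and all names are assumptions, and the request/response exchange is collapsed into a direct priority comparison. It also goes one step beyond these two slides by applying the same timeout rule when only the heartbeat link fails, which leaves both peers active.

```python
# Added example: toy switchover model, not Huawei's implementation.
from dataclasses import dataclass

HELLO_MISS_LIMIT = 5   # from the slides: five packet transmission intervals
BASE_PRIORITY = 100    # assumed value; the slides give no numbers
FAULT_PENALTY = 10     # assumed priority drop per failed service interface


@dataclass
class Node:
    name: str
    state: str              # "active" or "standby"
    alive: bool = True
    failed_ifaces: int = 0
    missed: int = 0         # consecutive intervals without a Hello from the peer

    @property
    def priority(self):
        return BASE_PRIORITY - FAULT_PENALTY * self.failed_ifaces


def tick(a, b, heartbeat_up):
    """Advance one Hello interval and apply the switchover rules."""
    for me, peer in ((a, b), (b, a)):
        if not me.alive:
            continue
        me.missed = 0 if (peer.alive and heartbeat_up) else me.missed + 1
    # Rule 1: peers that still hear each other compare VGMP priorities.
    if a.alive and b.alive and heartbeat_up and a.priority != b.priority:
        high, low = (a, b) if a.priority > b.priority else (b, a)
        high.state, low.state = "active", "standby"
    # Rule 2: a peer that hears nothing for five intervals takes over.
    for me in (a, b):
        if me.alive and me.missed >= HELLO_MISS_LIMIT:
            me.state = "active"


def run(event, ticks=6):
    """Return the (Firewall A, Firewall B) state after each interval."""
    a, b = Node("A", "active"), Node("B", "standby")
    heartbeat_up = True
    if event == "service_fault":
        a.failed_ifaces = 1
    elif event == "device_fault":
        a.alive = False
    elif event == "heartbeat_fault":
        heartbeat_up = False
    timeline = []
    for _ in range(ticks):
        tick(a, b, heartbeat_up)
        timeline.append((a.state if a.alive else "down", b.state))
    return timeline


def dual_active(timeline):
    """Detection check: both peers report active in the same interval."""
    return any(sa == "active" and sb == "active" for sa, sb in timeline)


if __name__ == "__main__":
    for event in ("service_fault", "device_fault", "heartbeat_fault"):
        t = run(event)
        print(f"{event:16} {t} dual-active={dual_active(t)}")
```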

Active/Standby Switchover of Firewall Hot Standby (3)
⚫ Heartbeat link fault
  If the heartbeat link is faulty and Firewall B does not receive HRP Hello packets from Firewall A within five packet transmission intervals, Firewall B becomes the master device and changes its VGMP group status to active and the status of VRRP groups 1 and 2 to master. In this case, the dual-active situation occurs.
[Figure: the same topology with the heartbeat link marked and both Firewall A and Firewall B shown as master.]

Active/Standby Switchback of Firewall Hot Standby
⚫ After Firewall A recovers, the priority of its VGMP group is restored. After 60s, Firewall A sends a VGMP request packet.
⚫ After receiving the VGMP request packet, Firewall B compares the VGMP group priority in the packet with its own VGMP group priority. If Firewall B finds that its VGMP group priority is the same as or lower than that of Firewall A, Firewall B returns a VGMP response packet and switches its VGMP group status to standby and the status of VRRP groups 1 and 2 to backup.
⚫ After receiving the response packet, Firewall A switches its VGMP group status to active and the status of VRRP groups 1 and 2 to master.
[Figure: the same topology after the switchback, with Firewall A as master and Firewall B as backup.]

Contents
1. Hot Standby Fundamentals
2. Hot Standby Basic Networking and Configuration

Example for Configuring Firewall Hot Standby in Active/Standby Mode (1)
⚫ Requirements: The service interfaces of Firewalls A and B work at Layer 3 and are connected to Layer 2 switches in both upstream and downstream directions. The upstream switch connects to the interface provided by the carrier who has assigned the IP address 1.1.1.1 to the enterprise. Firewalls A and B are required to work in active/standby mode. In normal cases, traffic is forwarded by Firewall A. If Firewall A fails, traffic is forwarded by Firewall B to ensure service continuity.
  Virtual IP address of VRRP group 1: 1.1.1.1/24
  Virtual IP address of VRRP group 2: 10.3.0.3/24
  IP address of the heartbeat interface 10GE0/0/7 on Firewall A: 10.10.0.1/24
  IP address of the heartbeat interface 10GE0/0/7 on Firewall B: 10.10.0.2/24
[Figure: Firewall A (master) and Firewall B (backup), each with 10GE0/0/1 in VRRP group 1, 10GE0/0/3 in VRRP group 2 toward the intranet, and 10GE0/0/7 as the heartbeat interface.]

Example for Configuring Firewall Hot Standby in Active/Standby Mode (2)
⚫ Configuration roadmap:
  Complete basic network configurations, including configuring IP addresses for interfaces of two firewalls, adding interfaces to security zones, and configuring default routes.
  Configure a VRRP group on the two firewalls.
  Configure a security policy to allow heartbeat interfaces to exchange HRP packets.
  Specify heartbeat interfaces, configure the authentication key, and enable hot standby.
  Configure a security policy to allow intranet users to access the Internet.
  Configure a NAT policy to allow intranet users to access the Internet.
[Flowchart: Start. Complete basic network configurations. Configure a VRRP group. Configure a security policy. Specify a heartbeat interface and enable hot standby. Configure a security policy and a NAT policy. End.]

Example for Configuring Firewall Hot Standby in Active/Standby Mode (3)
⚫ Configure VRRP group 1 on the upstream service interface 10GE0/0/1 of Firewall A and set the status to active.
    [FWA] interface 10ge0/0/1
    [FWA-10GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 active
    [FWA-10GE0/0/1] quit
    [FWA] interface 10ge0/0/3
    [FWA-10GE0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
    [FWA-10GE0/0/3] quit
⚫ Configure VRRP group 1 on the upstream service interface 10GE0/0/1 of Firewall B and set the status to standby.
    [FWB] interface 10ge0/0/1
    [FWB-10GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 standby
    [FWB-10GE0/0/1] quit
    [FWB] interface 10ge0/0/3
    [FWB-10GE0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby
    [FWB-10GE0/0/3] quit

Example for Configuring Firewall Hot Standby in Active/Standby Mode (4)
⚫ Specify a heartbeat interface on Firewall A, configure the authentication key, and enable hot standby.
    [FWA] hrp interface 10ge0/0/7 remote 10.10.0.2
    [FWA] hrp authentication-key Admin@123
    [FWA] hrp enable
⚫ Specify a heartbeat interface on Firewall B, configure the authentication key, and enable hot standby.
    [FWB] hrp interface 10ge0/0/7 remote 10.10.0.1
    [FWB] hrp authentication-key Admin@123
    [FWB] hrp enable

Quiz
1. (True/False) The HRP technology implements configuration synchronization between the active and standby firewalls and ensures that the configuration is not lost after a firewall restart. Then no information needs to be configured on the standby firewall. ( )
  A. True
  B. False
2. (True/False) Firewall quick session backup applies to the load balancing scenario. ( )
  A. True
  B. False

Summary
⚫ This course describes the application scenarios, technical principles, packet forwarding process, and active/standby switchover logic of hot standby, as well as the key configurations and configuration processes of hot standby in different networking modes.
⚫ Upon completion of this course, you will be able to understand the application scenarios of hot standby, independently configure hot standby for Huawei firewalls based on the lab in the actual environment, and master how to deploy firewalls in hot standby scenarios.
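
A consistency check over the two configurations from the configuration example, as an added example (not a Huawei tool and not part of the course material). The command lines are copied from the slides with the prompts removed, and the heartbeat addresses come from the requirements slide; the function names are hypothetical, and treating a key printed in training material as a finding is an assumed local policy.

```python
# Added example, not a Huawei tool. Commands are from the slides, prompts removed.
import re

FWA = """\
interface 10ge0/0/1
 vrrp vrid 1 virtual-ip 1.1.1.1 active
interface 10ge0/0/3
 vrrp vrid 2 virtual-ip 10.3.0.3 active
hrp interface 10ge0/0/7 remote 10.10.0.2
hrp authentication-key Admin@123
hrp enable
"""
FWB = """\
interface 10ge0/0/1
 vrrp vrid 1 virtual-ip 1.1.1.1 standby
interface 10ge0/0/3
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
hrp interface 10ge0/0/7 remote 10.10.0.1
hrp authentication-key Admin@123
hrp enable
"""
# Assumed local policy: keys that appear in published examples are findings.
PUBLISHED_SAMPLE_KEYS = {"Admin@123"}


def parse(cfg):
    """Extract the VRRP and HRP settings relevant to hot standby."""
    out = {"vrrp": {}, "remote": None, "key": None, "enabled": False}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", line):
            out["vrrp"][int(m[1])] = (m[2], m[3])
        elif m := re.fullmatch(r"hrp interface \S+ remote (\S+)", line):
            out["remote"] = m[1]
        elif m := re.fullmatch(r"hrp authentication-key (\S+)", line):
            out["key"] = m[1]
        elif line == "hrp enable":
            out["enabled"] = True
    return out


def audit(cfg_a, cfg_b, heartbeat_ip_a, heartbeat_ip_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        va, vb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if va is None or vb is None:
            findings.append(f"vrid {vrid}: configured on one firewall only")
            continue
        if va[0] != vb[0]:
            findings.append(f"vrid {vrid}: virtual IP differs between peers")
        if {va[1], vb[1]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles are not one active, one standby")
    if a["remote"] != heartbeat_ip_b or b["remote"] != heartbeat_ip_a:
        findings.append("hrp interface: remote is not the peer heartbeat address")
    if not (a["enabled"] and b["enabled"]):
        findings.append("hrp enable: missing on at least one firewall")
    if a["key"] is None or b["key"] is None:
        findings.append("hrp authentication-key: missing on at least one firewall")
    elif a["key"] != b["key"]:
        findings.append("hrp authentication-key: differs between peers")
    elif a["key"] in PUBLISHED_SAMPLE_KEYS:
        findings.append("hrp authentication-key: published sample value in use")
    return findings


if __name__ == "__main__":
    print(audit(FWA, FWB, "10.10.0.1", "10.10.0.2"))
```

Run against the slide configuration as written, the only finding is the authentication key, since the VRRP roles and heartbeat addresses mirror each other correctly.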

Recommendations
⚫ Huawei official websites
  Enterprise service: https://e.huawei.com/en/
  Technical support: https://support.huawei.com/enterprise/en/index.html
  Online learning: https://learning.huawei.com/en/

Acronyms and Abbreviations
Acronym and Abbreviation    Full Name
GE                          Gigabit Ethernet
HRP                         Huawei Redundancy Protocol
USG                         Universal Service Gateway
VGMP                        VRRP Group Management Protocol
VRRP                        Virtual Router Redundancy Protocol

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Copyright©2022 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.