Solution of Multiple VR Deployment


WAF Transparent Bypass Environment: the WAF only needs to handle HTTP and HTTPS traffic

Hillstone Networks Inc.

July, 2015

Author: Junli Li, Wei Gu

Auditor:

Version: V1

Date: 2015-07-30

Contents

1 Background
2 Requirement Analysis
3 Solution
  3.1 Physical Topology
  3.2 Logic Topology
4 Implementation (Hillstone Configuration)
  4.1 Verified Environment
  4.2 Enable Multiple VR function
  4.3 Create a new VR
  4.4 Create security zones of the new VR
  4.5 Interface Configuration
  4.6 Policy Configuration
  4.7 Routing Configuration
    4.7.1 Configure VR's Routing
    4.7.2 Configure VR1's Routing
  4.8 Configure Drainage
  4.9 Hillstone Configuration File
5 Effectiveness

1 Background

Because of environmental constraints, the WAF device can only be deployed in transparent mode in this network. The WAF has no forwarding function and only needs to filter HTTP and HTTPS traffic; if all traffic were passed through the WAF for filtering, the network might slow down. In addition, when a WAF deployed in transparent mode has both of its interfaces connected to the same firewall, those two interfaces must connect to two different VRs.

2 Requirement Analysis

Server Gateway in the Layer-3 Switch

The WAF is deployed in-line in transparent mode, so traffic has to be steered (drained) to it by means of multiple VRs. Because the VRs of one device cannot exchange traffic with each other directly, two different interfaces connect to the two different VRs, and an OSPF neighbor relationship between the VRs is built through the switch. HTTP traffic goes through VR1 into the WAF, and then through VR2 to the server. Non-HTTP traffic goes from VR1 to VR2 according to the routing table, and then to the server. Firewall interfaces e0/3 and e0/4 are each connected to the Layer-3 switch: sub-interface e0/3.100 belongs to VR1, sub-interface e0/4.100 belongs to VR2, and the OSPF neighbor relationship is formed through the Layer-2 environment of the switch. Interface e0/4.200 communicates with the Layer-3 side of the switch. VR1 builds an OSPF neighbor relationship with VR2, and in VR2 the static route (the route to the server) is redistributed into OSPF. As a result, HTTP traffic goes through VR1, enters VR2 and finally reaches the server, while non-HTTP traffic enters VR1, is forwarded to VR2 according to the routing table and then reaches the server.

Server Gateway in the Hillstone Firewall

When the server gateway is on the firewall, PBR drainage could fail in earlier StoneOS versions, because a directly connected route took priority over PBR. This problem has been solved since StoneOS 5.0R4P8.

Command to disable the priority of directly connected routes:

Core(config-vrouter)# fib-lookup connect-firstdisable

3 Solution

3.1 Physical Topology

3.2 Logic Topology

4 Implementation (Hillstone Configuration)

4.1 Verified Environment

Device Model: SG-6000-M2105

StoneOS Version: SG6000-M-5.0R4P6.bin

4.2 Enable Multiple VR function

Firewall(config)# exec vrouter enable

4.3 Create a new VR

Firewall(config)#ip vrouter trust-vr1

4.4 Create security zones of the new VR

Firewall(config)#zone trust1

Firewall(config-zone-trust1)#vrouter trust-vr1

Firewall(config-zone-trust1)#exit

Firewall(config)#zone untrust1

Firewall(config-zone-untrust1)# vrouter trust-vr1

Firewall(config-zone-untrust1)#exit

4.5 Interface Configuration

Firewall(config)#interface ethernet0/0

Firewall(config-if-eth0/0)#zone trust

Firewall(config-if-eth0/0)#ip address 192.168.1.1 255.255.255.0

Firewall(config-if-eth0/0)#manage ping

Firewall(config-if-eth0/0)#exit

Firewall(config)#interface ethernet0/1

Firewall(config-if-eth0/1)#zone trust1

Firewall(config-if-eth0/1)#ip address 192.168.1.2 255.255.255.0

Firewall(config-if-eth0/1)#manage ping

Firewall(config-if-eth0/1)#exit

Firewall(config)#interface ethernet0/2

Firewall(config-if-eth0/2)#zone trust

Firewall(config-if-eth0/2)#ip address 1.1.1.1 255.255.255.0

Firewall(config-if-eth0/2)#bind pbr-policy "waf"

Firewall(config-if-eth0/2)#manage ping

Firewall(config-if-eth0/2)#exit

Firewall(config)#interface ethernet0/3.100

Firewall(config-if-eth0/3.100)#zone trust

Firewall(config-if-eth0/3.100)#ip address 172.16.1.1 255.255.255.252

Firewall(config-if-eth0/3.100)#manage ping

Firewall(config-if-eth0/3.100)#exit

Firewall(config)#interface ethernet0/4.100

Firewall(config-if-eth0/4.100)#zone "trust1"

Firewall(config-if-eth0/4.100)#ip address 172.16.1.2 255.255.255.252

Firewall(config-if-eth0/4.100)#manage ping

Firewall(config-if-eth0/4.100)#exit

Firewall(config)#interface ethernet0/4.200

Firewall(config-if-eth0/4.200)#zone "trust1"

Firewall(config-if-eth0/4.200)#ip address 172.16.3.1 255.255.255.0

Firewall(config-if-eth0/4.200)#manage ping

Firewall(config-if-eth0/4.200)#exit

4.6 Policy Configuration

Firewall(config)# policy-global

Firewall(config-policy)# rule from any to any service any permit

4.7 Routing Configuration

4.7.1 Configure VR's Routing

Firewall(config)# interface loopback1

Firewall(config-if-loo1)#zone trust

Firewall(config-if-loo1)# ip address 3.3.3.3 255.255.255.255

Firewall(config-if-loo1)# exit

Firewall(config)# interface loopback2

Firewall(config-if-loo2)#zone trust1

Firewall(config-if-loo2)# ip address 3.3.3.4 255.255.255.255

Firewall(config-if-loo2)# exit

Firewall(config)# ip vrouter trust-vr

Firewall(config-vrouter)#ip route 0.0.0.0/0 1.1.1.2

Firewall(config-vrouter)#router ospf

Firewall(config-router)# router-id 3.3.3.3

Firewall(config-router)# network 172.16.1.0/30 area 0.0.0.0

Firewall(config-router)#exit

4.7.2 Configure VR1's Routing

Firewall(config)# ip vrouter trust-vr1

Firewall(config-vrouter)# ip route 10.0.0.0/8 172.16.3.2

Firewall(config-vrouter)#router ospf

Firewall(config-router)# router-id 3.3.3.4

Firewall(config-router)# network 172.16.1.0/30 area 0.0.0.0

Firewall(config-router)#redistribute static

Firewall(config-router)#exit

4.8 Configure Drainage

Firewall(config)# pbr-policy waf vrouter trust-vr

Firewall(config-pbr)# match id 1

Firewall(config-pbr-match)#src-addr any

Firewall(config-pbr-match)#dst-addr any

Firewall(config-pbr-match)#service HTTP

Firewall(config-pbr-match)#service HTTPS

Firewall(config-pbr-match)#nexthop 192.168.1.2

Firewall(config-pbr-match)#exit
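The drainage logic described in section 2 and the PBR policy configured above, as an added example that is not part of the Hillstone document: a small Python model of the two-VR forwarding decision, built from the interfaces, routes and PBR rule in sections 4.5 to 4.8, that traces which hops a flow crosses and whether it passes the WAF. The connect_first and server_gw_on_firewall switches are assumptions that model the second scenario of section 2 (server gateway on the firewall, StoneOS before 5.0R4P8), and the 10.0.0.0/8 route that trust-vr learns from trust-vr1 via OSPF is written as a fixed table entry.

```python
import ipaddress

# Per-VR routes from sections 4.7.1 and 4.7.2: (prefix, egress interface).
ROUTES = {
    "trust-vr":  [("10.0.0.0/8", "ethernet0/3.100"),   # learned via OSPF from trust-vr1
                  ("0.0.0.0/0", "ethernet0/2")],        # default route via 1.1.1.2
    "trust-vr1": [("10.0.0.0/8", "ethernet0/4.200")],   # static route via 172.16.3.2
}
# PBR policy "waf" (section 4.8) bound on ethernet0/2 (section 4.5): HTTP/HTTPS are sent to
# next hop 192.168.1.2, i.e. out of ethernet0/0 and through the transparent WAF.
PBR = {"ethernet0/2": {"ports": {80, 443}, "egress": "ethernet0/0"}}
# VR membership of ingress interfaces (section 4.5) and what each egress interface leads to.
VR_OF = {"ethernet0/2": "trust-vr", "ethernet0/3.100": "trust-vr",
         "ethernet0/1": "trust-vr1", "ethernet0/4.100": "trust-vr1"}
LINK = {"ethernet0/0": ("WAF", "ethernet0/1"),                # WAF sits between eth0/0 and eth0/1
        "ethernet0/3.100": ("switch-L2", "ethernet0/4.100")}   # OSPF adjacency across the switch
SERVER_NET = ipaddress.ip_network("10.0.0.0/8")

def lookup(vr, dst):
    """Longest-prefix match in one VR's table; returns the egress interface or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, egress in ROUTES[vr]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None

def forward(ingress, dst, dport, connect_first=False, server_gw_on_firewall=False):
    """Trace one flow entering at `ingress` and return the hops it crosses.
    server_gw_on_firewall=True (assumption) makes the server network directly connected to
    trust-vr, the second scenario in section 2; connect_first=True (assumption) models StoneOS
    before 5.0R4P8, where that connected route is preferred over PBR, so the WAF is skipped."""
    path = []
    while ingress is not None:
        vr = VR_OF[ingress]
        path.append(vr)
        direct = server_gw_on_firewall and vr == "trust-vr" and ipaddress.ip_address(dst) in SERVER_NET
        pbr = PBR.get(ingress)
        if pbr and dport in pbr["ports"] and not (connect_first and direct):
            egress = pbr["egress"]           # drainage: steer the flow towards the WAF
        elif direct:
            return path + ["connected->server"]
        else:
            egress = lookup(vr, dst)
            if egress is None:
                return path + ["drop"]
        hop, ingress = LINK.get(egress, (egress, None))
        path.append(hop)
    return path
```

Because the PBR match uses dst-addr any, an HTTP or HTTPS flow arriving on ethernet0/2 for a destination outside 10.0.0.0/8 is still steered into the WAF and then finds no route in trust-vr1 (the model returns "drop"), which is worth checking against the intended traffic before deployment.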

4.9 Hillstone Configuration File

configure.txt

5 Effectiveness
