USG Firewall and NGFW: Planning and Implementation of High Availability

Course Objectives:

This course is Volume B of the series. It follows directly on from the basic content described in Volume A and moves into the planning and implementation of firewall high availability. The core objectives of Volume B are: first, to understand the principle of firewall dual-machine hot standby in a real sense; second, to enable engineers to implement dual-machine hot standby under the different firewall operating modes and to troubleshoot it in a practical environment; third, to recognise that the dual-machine hot standby content covered in security certification study is only an introduction: in a real environment, the hot standby techniques of firewalls and the problems that may arise go far beyond what the certification material describes.

USG Firewall and NGFW 18

Course Location:

Note: If you need the technical content of the Firewall Foundation section, refer to:

USG Unified Security Gateway design, demonstration, experience, verification and evaluation - Volume A

Location of the full course:

Summary of course contents and knowledge points:

Lesson One: How the firewall high availability course is taught, and an introduction to dual-machine hot standby

This lesson breaks down how firewall dual-machine hot standby is taught and learned. It first explains why firewall dual-machine hot standby deserves a whole volume of its own, when other courses cover it in one or two hours. It describes the classic topology generally used to teach firewall dual-machine hot standby, explains the logical advantages and disadvantages of teaching with that classic topology, and then how this course applies those advantages and compensates for the shortcomings. At the start of the volume a targeted programme is set out: it summarises the most common problems encountered in recent years by people learning firewall dual-machine hot standby, and the whole course uses these typical questions as the thread along which the material is introduced. The volume is suitable for beginners starting from scratch, and also for those with some dual-machine hot standby background who want to consolidate it.

Lesson Two: First encounter with firewall high availability, VRRP and VGMP

This lesson describes VRRP, a classic component of firewall dual-machine hot standby, and outlines the problems VRRP can cause on conventional data-communication devices (routers and switches) when the state of its groups becomes inconsistent, and why the consequences are not the same on a security device. It then presents VGMP and how it makes up for VRRP's state-inconsistency defect on a security device. Finally it summarises the typical questions beginners commonly raise: 1. On what basis does VGMP take over the management of VRRP state? 2. Both VGMP and VRRP run elections to determine the master and slave devices; if they exist at the same time, will the elections conflict? 3. If VGMP and VRRP exist at the same time, what meaning does VRRP still have? 4. Can VGMP be used independently of VRRP? 5. Can VGMP be regarded as a more advanced VRRP, or as an extension of VRRP? These questions are carried over to the next lesson.
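As an added illustration of the state-inconsistency point above (this is not course material, and the names, priorities, the per-failure penalty of 2 and the 45000 base are constructed values), the following Python model compares two VRRP groups on a firewall pair that elect independently with a VGMP-style election in which one group priority decides every member group at once:

```python
# Added illustration (not course code): why independently elected VRRP groups
# can leave a firewall pair inconsistent, and how a VGMP-style group priority
# moves every group together. Priorities, penalty and tie-break are constructed.
from dataclasses import dataclass

@dataclass
class Firewall:
    name: str
    vrrp_priority: dict   # VRRP group name -> configured VRRP priority
    link_up: dict         # VRRP group name -> is that interface's link up?

def vrrp_masters(fw_a, fw_b):
    """Standard VRRP: every group elects on its own. A downed interface takes
    that device out of that one group only (priority treated as 0); the other
    groups are unaffected. Ties go to fw_a (simplification)."""
    masters = {}
    for grp in fw_a.vrrp_priority:
        pa = fw_a.vrrp_priority[grp] if fw_a.link_up[grp] else 0
        pb = fw_b.vrrp_priority[grp] if fw_b.link_up[grp] else 0
        masters[grp] = fw_a.name if pa >= pb else fw_b.name
    return masters

def vgmp_masters(fw_a, fw_b, base=45000, penalty=2):
    """VGMP-style election: one group priority per firewall, reduced by a
    penalty for each tracked interface that is down; the winner becomes master
    of every member VRRP group at once (base and penalty are assumed values)."""
    def group_priority(fw):
        return base - penalty * sum(1 for up in fw.link_up.values() if not up)
    winner = fw_a.name if group_priority(fw_a) >= group_priority(fw_b) else fw_b.name
    return {grp: winner for grp in fw_a.vrrp_priority}

def path_consistent(masters):
    """True when one firewall is master on every group, so both directions
    of a session pass through the same stateful device."""
    return len(set(masters.values())) == 1

def upstream_fault_scenario():
    """Constructed case: FW_A is preferred on both groups, then loses its
    upstream link while its downstream link stays up."""
    fw_a = Firewall("FW_A", {"upstream": 120, "downstream": 120},
                    {"upstream": False, "downstream": True})
    fw_b = Firewall("FW_B", {"upstream": 100, "downstream": 100},
                    {"upstream": True, "downstream": True})
    return fw_a, fw_b

if __name__ == "__main__":
    a, b = upstream_fault_scenario()
    for label, fn in (("VRRP only", vrrp_masters), ("VGMP", vgmp_masters)):
        m = fn(a, b)
        print(f"{label:9}: {m} consistent={path_consistent(m)}")
```

With plain VRRP the upstream group moves to FW_B while the downstream group stays on FW_A, so the two directions of a session hit different stateful devices; with the group-level election both groups move to FW_B together.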

Lesson Three: A deeper understanding of firewall dual-machine hot standby: VRRP and VGMP messages, where they are transmitted, and how they differ

Building on the questions raised in the previous lesson, this lesson analyses, in the context of firewall dual-machine hot standby, the structure of a conventional VRRP message, the location of its related fields, and where the messages are sent; it explains which fields in standard VRRP messages, when multiple groups are in use, are the key reason for the state inconsistency. It then analyses the VGMP message, where it is transmitted and how it is structured, and uses the key VGMP fields to show exactly what VGMP does to take over and resolve the VRRP state-consistency problem. Standard VRRP messages still exist once VGMP messages are present, but what meaning the standard VRRP message retains at that point is explained here. Finally, the questions left by the previous lesson are answered.

Lesson Four: Further understanding of dual-machine hot standby, the heartbeat line, and the role and significance of HRP

Building on the preceding foundation, this lesson formally examines dual-machine hot standby and its planning constraints, the heartbeat line, and the role and significance of HRP: the typical components of dual-machine hot standby and its different forms; the role of the heartbeat line; the data carried on the heartbeat line; how the master and slave devices maintain and detect the health of the heartbeat interfaces and link; the role of HRP and its packet form; what data HRP can synchronise between the two firewalls; and the complete form of HRP messages.

Lesson Five: The differences and relationships between HRP, VRRP, VGMP and dynamic routing protocols

This lesson further distinguishes the protocols, messages and terminology of dual-machine hot standby. The previous lessons refer to three kinds of message, HRP, VRRP and VGMP; from the general descriptions they sometimes appear to work separately and sometimes as a whole, yet they sit at different layers with different headers. What relationship exists between them, where do they differ, when does each message appear independently, and when does one layer lead to subsequent encapsulation in another? What is their relationship to dynamic routing protocols? Why can users sometimes not clearly capture VGMP and HRP messages with a protocol analyser? How is firewall dual-machine hot standby related to dynamic routing protocols? And, depending on how the heartbeat line is connected, are HRP messages delivered as unicast or multicast?

Lesson Six: Two forms of hot standby (master/slave and load balancing)

This lesson points out that simple dual-machine hot standby suffers from low utilisation, then asks how utilisation can be improved under dual-machine hot standby to achieve load balancing, and which business scenarios load-balanced dual-machine hot standby is restricted to. It summarises the planning principles and precautions for dual-machine hot standby and prepares for its formal implementation.

Lesson Seven: Demo: The most common dual-machine hot standby, with the firewall in Layer 3 mode and Layer 2 upstream and downstream links

Based on the theory of firewall dual-machine hot standby, this lesson demonstrates the configuration of the most common environment: the firewall in Layer 3 mode with Layer 2 upstream and downstream links. It covers the complete implementation process of the master and slave firewalls' three interfaces + heartbeat line + VRRP + VGMP + HRP, observes the synchronisation of configuration files and sessions between master and slave firewalls, and examines the various states of dual-machine hot standby. By default only the master device synchronises to the slave device; what should be done if the master and slave firewalls need to synchronise with each other? Finally it summarises the considerations for configuring the heartbeat line and explains the problems related to dual-machine hot standby on the eNSP simulator: eNSP can complete most types of dual-machine hot standby, and many of the problems are the result of a novice's incomplete thinking and misconfiguration.

Lesson Eight: Demo: Dual-machine hot standby with the firewall in Layer 3 mode and routers as upstream and downstream links

This lesson describes and demonstrates the complete process of firewall dual-machine hot standby when the firewall's business interfaces are in Layer 3 mode and the upstream and downstream links are routers. The demonstration shows how HRP automatically adjusts the routing protocol cost for the different VGMP groups, so that traffic is forwarded by the master device until the master fails, after which the state switches automatically to the slave device and routing converges to the new state. In this process attention must be paid to the dynamic routing convergence delay, which must be greater than the preemption delay. At the same time, throughout the routing-protocol-based dual-machine hot standby process, it can be seen that HRP can directly monitor the device's interfaces.

Lesson Nine: Demo: Dual-machine hot standby with the firewall in Layer 2 mode and routers or switches as upstream and downstream links

This lesson describes the firewall working in Layer 2 mode with all of its business interfaces as Layer 2 interfaces. In this case HRP monitors changes to the VLAN and its VLAN interface to complete firewall dual-machine hot standby. It also explains the significance of link-group and how dual-machine hot standby works together with link-group to accelerate routing protocol convergence.

Lesson Ten: Understanding and demonstration: issues with integrating NAT in a firewall dual-machine hot standby environment

This lesson describes the problems that arise when the firewall, once in dual-machine hot standby, is integrated with the NAT service: for example, what the limitations of combining dual-machine hot standby with NAT are; that when a client requests the MAC address of the NAT gateway, the master and slave devices answer with the virtual MAC, which causes a conflict; and how to resolve these conflicts in a dual-machine hot standby + NAT environment, with a full demonstration of the configuration process.

Lesson Eleven: Experience from planning firewall dual-machine hot standby in production environments, and other cooperating technologies

This lesson draws on experience with the typical firewall dual-machine hot standby environments covered so far. Frankly, the preceding lessons are somewhat idealised, and several typical problems remain: first, the heartbeat line in dual-machine hot standby is still a single point of failure; second, only local faults were demonstrated in the dual-machine hot standby environment, so how does the pair switch over when the fault is not local to the firewall (a remote node fails)? third, only the master/slave form of dual-machine hot standby was used, which leaves firewall utilisation too low, so how can load balancing be introduced into the dual-machine hot standby environment? It also covers combining firewalls with further technologies in the switched network, and describes some typical planning and design errors made during firewall hot standby.

Lesson Twelve: Demo: Linking firewall dual-machine hot standby with IP-Link

This lesson describes and verifies the basic working principle of IP-Link and the corresponding production scenario: when the link fault does not occur locally in the dual-machine hot standby environment but at the remote end, the firewall pair can use IP-Link to detect the remote fault and perform the failover. The complete detection and failover process is demonstrated, and the limitations of IP-Link for remote detection are made clear.

Lesson Thirteen: Demo: Linking firewall dual-machine hot standby with BFD

This lesson describes the basic principle of BFD and verifies it: BFD is more open and has a protocol-independent detection mechanism that can run over any medium and detect any protocol layer. It then gives a complete demonstration of linking firewall dual-machine hot standby with BFD.

Lesson Fourteen: Demo: Combining firewall dual-machine hot standby with Ethernet channel technology

This lesson helps students understand how to use Ethernet channel technology to strengthen the stability of the firewall dual-machine hot standby environment, including how to deploy it to harden the heartbeat line and the upstream and downstream business links against single-link failure. The whole process is fully demonstrated.

Lesson Fifteen: Demo: Firewall dual-machine hot standby with VRRP + VGMP + HRP load balancing

This lesson begins by describing load balancing in firewall dual-machine hot standby and explains some limitations of the load-balancing mode. It then fully demonstrates a case of VRRP + VGMP + HRP load balancing in a firewall dual-machine hot standby, establishing multiple VGMP groups to implement load balancing, so that the effects of load balancing and failover can be observed.

Lesson Sixteen: Demo: Firewall dual-machine hot standby with VGMP + HRP + dynamic routing load balancing

This lesson describes load balancing in firewall dual-machine hot standby using VGMP + HRP + dynamic routing. It implements VGMP + HRP + dynamic routing load balancing in both an ideal and a non-ideal network environment, then discusses whether, in each environment, the cost of the dynamic routing protocol achieves the load-balancing effect for dual-machine hot standby, and points out that during this process attention must be paid to the fast session synchronisation function on the two firewalls participating in dual-machine hot standby.

Lesson Seventeen: Demo: Load balancing of dual-machine hot standby in Layer 2 mode

This lesson describes load balancing of dual-machine hot standby with the firewall in Layer 2 mode. In fact, once the Layer 2 and Layer 3 forms of dual-machine hot standby are understood, its real technical significance and planning principles come down to creating multiple VGMP groups and VLAN interfaces, and adding the upstream and downstream business interfaces to the same link-group.

This article is from the "Nameless Christ" blog; reprinting is not permitted.

