# Physical interfaces of the HQ-B FortiGate (VDOM "root").
#   port1 - out-of-band management ("Mgmt"), static 192.168.4.160/24
#   port2 - internal LAN ("Internal"), 10.92.102.20/24, role lan
#   port3 - WAN uplink ("WAN"), 172.18.102.20/24, role wan; used later as the
#           SD-WAN INTERNET member and as the IPsec tunnel's outer interface
config system interface

edit "port1"
set vdom "root"
set mode static
set ip 192.168.4.160 255.255.255.0
# Management is reachable over plaintext HTTP as well as HTTPS. HTTP carries the
# admin login in the clear; unless this is a lab device, drop "http" here and
# restrict admin access to trusted source hosts on the admin accounts.
set allowaccess ping http https
set type physical
set alias "Mgmt"
next
edit "port2"
set vdom "root"
set ip 10.92.102.20 255.255.255.0
set type physical
set alias "Internal"
set role lan
next
edit "port3"
set vdom "root"
set ip 172.18.102.20 255.255.255.0
set type physical
set alias "WAN"
# Bandwidth estimates (kbps) consumed by SD-WAN load balancing; 2000 up/down
# also matches the egress shaping "outbandwidth" set on port3 at the end of this file.
set estimated-upstream-bandwidth 2000
set estimated-downstream-bandwidth 2000
set role wan
next
end

# Address objects referenced by policies, address groups and SD-WAN rules.
#   LAN-BR        10.159.100.0/24 - presumably the branch (remote) LAN reached via VPN;
#                 the CheckVPN health-check target 10.159.100.254 lies in it
#   LAN-SRV/USR   10.84.84.0/24, 10.84.100.0/24 - HQ server and user networks
#   INTERNAL_HQ_B 10.92.102.0/24 - port2 subnet, also advertised in BGP
#   TUNNEL_ADD    10.1.1.4/30 - point-to-point subnet of tunnel VPN_to_BR
#                 (local 10.1.1.5, remote 10.1.1.6, see the tunnel interface below)
config firewall address


edit "LAN-BR"
set subnet 10.159.100.0 255.255.255.0
next
edit "LAN-SRV"
set subnet 10.84.84.0 255.255.255.0
next
edit "LAN-USR"
set subnet 10.84.100.0 255.255.255.0
next
edit "INTERNAL_HQ_B"
set subnet 10.92.102.0 255.255.255.0
next
edit "TUNNEL_ADD"
set subnet 10.1.1.4 255.255.255.252
next
end

# Address groups.
#   LAN-HQ      - all HQ-side networks; used as srcaddr/dstaddr in the VPN policies,
#                 as src in the SD-WAN rules and in the shaping policies
#   VPN_via_BGP - every network on both sides plus the tunnel /30; used as the
#                 phase2 src-name AND dst-name selector of VPN_to_BR
config firewall addrgrp


edit "LAN-HQ"
set member "LAN-SRV" "LAN-USR" "INTERNAL_HQ_B"
next
edit "VPN_via_BGP"
set member "INTERNAL_HQ_B" "LAN-BR" "LAN-SRV" "LAN-USR" "TUNNEL_ADD"
next
end

# BGP: local AS 65100. The neighbor 10.92.102.253 (on the port2 subnet) has the
# same AS, so this is an iBGP session toward the internal core; next-hop-self
# rewrites the next hop of routes learned over the tunnel so the core can reach them.
# ebgp-multipath applies to the eBGP peer (AS 65120) added further down.
# No neighbor authentication is configured on this session.
config router bgp


set as 65100
set ebgp-multipath enable
config neighbor
edit "10.92.102.253"
set next-hop-self enable
set remote-as 65100
next
end
# Originate the port2 subnet (INTERNAL_HQ_B) into BGP.
config network
edit 1
set prefix 10.92.102.0 255.255.255.0
next
end
end

# SD-WAN enablement and the INTERNET zone.
# Member 1 = port3 with next hop 172.18.102.1; the static default route below
# points at this zone rather than at an interface/gateway directly.
config system sdwan


set status enable
config zone
edit "INTERNET"
next
end
config members
edit 1
set interface "port3"
set zone "INTERNET"
set gateway 172.18.102.1
next
end
end

# Static route 1: no dst is given, so this acts as the default route, resolved
# through the SD-WAN zone INTERNET (member port3 / 172.18.102.1).
# The CheckINTERNET health-check below has update-static-route enabled, which
# is what withdraws this route when the probe fails.
config router static


edit 1
set distance 1
set sdwan-zone "INTERNET"
next
end

# Policy 1 "INTERNET": LAN (port2, any source) -> SD-WAN zone INTERNET, any
# destination, any service, source NAT enabled.
# NOTE(review): this is an unrestricted any/any outbound rule and no security
# profile (AV/IPS/web filter/SSL inspection) is set in this stanza; confirm that
# matches the intended egress policy, or narrow "service" and add profiles.
config firewall policy


edit 1
set name "INTERNET"
set srcintf "port2"
set dstintf "INTERNET"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

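# SD-WAN health check "CheckINTERNET" on member 1 (port3) toward 8.8.8.8.
# Using a third-party public resolver as the probe target makes WAN failover
# depend on that host answering ICMP; acceptable, but worth knowing.
#   interval / probe-timeout 500 (ms), failtime 5 consecutive failures -> down,
#   recoverytime 5 consecutive successes -> up, probe-count 30 samples for SLA.
#   update-cascade-interface / update-static-route: a failed check also brings
#   the member's dependent interface and the static route via INTERNET down.
#   SLA 1: latency <= 50 ms, jitter <= 50 ms, packet loss <= 2 %.
# Fix: the original stanza closed "config health-check" but never closed
# "config system sdwan", leaving the CLI inside that table so the next
# "config system sdwan" block would not apply cleanly; a final "end" is added.
config system sdwan


config health-check
edit "CheckINTERNET"
set server "8.8.8.8"
set interval 500
set probe-timeout 500
set failtime 5
set recoverytime 5
set probe-count 30
set update-cascade-interface enable
set update-static-route enable
set members 1
config sla
edit 1
set latency-threshold 50
set jitter-threshold 50
set packetloss-threshold 2
next
end
next
end
end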

# SD-WAN rule 2 "INTERNET": traffic from LAN-HQ to any destination is steered in
# SLA mode using CheckINTERNET / SLA 1; the only candidate is member 1 (port3).
# DSCP forward/reverse marking is enabled here but no tag is set in this stanza
# (tags for the VPN rules are set in a later block).
config system sdwan


config service
edit 2
set name "INTERNET"
set mode sla
set dst "all"
set src "LAN-HQ"
set dscp-forward enable
set dscp-reverse enable
config sla
edit "CheckINTERNET"
set id 1
next
end
set priority-members 1
next
end
end

# IPsec phase 1 "VPN_to_BR": route-based tunnel on port3 to peer 172.19.102.30,
# pre-shared-key authentication, any peer ID accepted, NAT-T disabled.
# NOTE(review): the proposals are single DES with MD5/SHA1. DES (56-bit) and MD5
# are broken and SHA1 is deprecated; use AES-GCM or AES-256 with SHA-256 or
# stronger on both ends and review the DH group / IKE version defaults too.
# NOTE(review): the PSK "123456" is a trivially guessable secret and is now
# published in this document; treat it as compromised and replace it with a
# long random value on both peers. With peertype any, the PSK is the only
# thing authenticating the remote gateway.
config vpn ipsec phase1-interface


edit "VPN_to_BR"
set interface "port3"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set nattraversal disable
set remote-gw 172.19.102.30
set psksecret 123456
next
end

# IPsec phase 2 for VPN_to_BR. Traffic selectors are the VPN_via_BGP group on
# both sides, so every member network is permitted in either direction; the
# actual routing is done by BGP over the tunnel.
# NOTE(review): same weak proposal set as phase 1 (DES/MD5/SHA1); upgrade
# together with phase 1 so the two stay negotiable.
config vpn ipsec phase2-interface


edit "VPN_to_BR"
set phase1name "VPN_to_BR"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "VPN_via_BGP"
set dst-name "VPN_via_BGP"
next
end

# Tunnel interface created by phase 1 "VPN_to_BR", bound to port3.
# Local tunnel address 10.1.1.5, remote 10.1.1.6 in the 10.1.1.4/30 subnet
# (address object TUNNEL_ADD); 10.1.1.6 is the eBGP neighbor configured below.
config system interface


edit "VPN_to_BR"
set vdom "root"
set ip 10.1.1.5 255.255.255.255
set type tunnel
set remote-ip 10.1.1.6 255.255.255.252
set interface "port3"
next
end

# eBGP peering with the branch over the tunnel: neighbor 10.1.1.6 in AS 65120
# (local AS is 65100, set earlier). soft-reconfiguration keeps received routes
# so policy changes (e.g. the "comm2" inbound route-map added later) can be
# re-applied without a session reset.
# "config network" edit 1 repeats the prefix already declared in the first BGP
# block (same id, same prefix), so it is a no-op re-application.
# No neighbor authentication is configured on this session either.
config router bgp


config neighbor
edit "10.1.1.6"
set soft-reconfiguration enable
set remote-as 65120
next
end
config network
edit 1
set prefix 10.92.102.0 255.255.255.0
next
end
end

# SD-WAN zone "VPN" with member 2 = tunnel interface VPN_to_BR.
# "source 10.92.102.20" (the port2 address) is used as the source of traffic
# the FortiGate itself sends over this member, e.g. the CheckVPN probes.
config system sdwan


config zone
edit "VPN"
next
end
config members
edit 2
set interface "VPN_to_BR"
set zone "VPN"
set source 10.92.102.20
next
end
end

# SD-WAN health check "CheckVPN" on member 2 (tunnel) toward 10.159.100.254,
# a host inside LAN-BR, so it measures end-to-end reachability of the branch LAN.
# Interval/timeout/failtime are left at defaults here (unlike CheckINTERNET).
# SLA 1: latency <= 20 ms, jitter <= 20 ms; no packet-loss threshold is set.
config system sdwan


config health-check
edit "CheckVPN"
set server "10.159.100.254"
set members 2
config sla
edit 1
set latency-threshold 20
set jitter-threshold 20
next
end
next
end
end

# Site-to-site policies over the VPN zone, no NAT:
#   2 "VPN_IN"  : VPN zone -> port2, LAN-BR -> LAN-HQ, any service
#   3 "VPN_OUT" : port2 -> VPN zone, LAN-HQ -> LAN-BR, any service
# NOTE(review): both are service "ALL"; consider limiting to what the branch
# actually needs (the SD-WAN rules below already enumerate SCTP, DHCP, DNS,
# CAPWAP and RADIUS).
# NOTE(review): ssl-ssh-profile "custom-deep-inspection" is referenced but no
# AV/IPS/web-filter profile is set in these stanzas; confirm whether inspection
# is actually applied, and that deep inspection of internal site-to-site traffic
# is intended (it decrypts TLS between the two sites).
config firewall policy


edit 2
set name "VPN_IN"
set srcintf "VPN"
set dstintf "port2"
set srcaddr "LAN-BR"
set dstaddr "LAN-HQ"
set action accept
set schedule "always"
set service "ALL"
set ssl-ssh-profile "custom-deep-inspection"
next
edit 3
set name "VPN_OUT"
set srcintf "port2"
set dstintf "VPN"
set srcaddr "LAN-HQ"
set dstaddr "LAN-BR"
set action accept
set schedule "always"
set service "ALL"
set ssl-ssh-profile "custom-deep-inspection"
next
end

# SD-WAN rules for LAN-HQ -> LAN-BR traffic, all in SLA mode against CheckVPN
# SLA 1 with member 2 (the tunnel) as the only candidate. Per-protocol rules
# come first so they can get their own DSCP tags (set in a later block);
# rule 1 "VPN" is the catch-all for the remaining LAN-HQ -> LAN-BR traffic.
#   3 VPN_SCTP   : IP protocol 132 (SCTP)
#   4 VPN_DHCP   : UDP 67
#   5 VPN_DNS    : UDP 53
#   6 VPN_CAPWAP : protocol 6 (TCP) ports 5246-5247
#   7 VPN_RADIUS : protocol 6 (TCP) ports 1812-1813
# NOTE(review): CAPWAP (RFC 5415) and RADIUS (RFC 2865/2866) run over UDP on
# these ports; with protocol 6 rules 6 and 7 may never match, and that traffic
# would fall through to rule 1 without its DSCP tag. Confirm the intent or
# change those two rules to "set protocol 17".
# NOTE(review): rule matching follows the rules' position, not their id; verify
# in the GUI/CLI that rule 1 is evaluated after the specific ones as listed here.
config system sdwan


config service
edit 3
set name "VPN_SCTP"
set mode sla
set protocol 132
set dst "LAN-BR"
set src "LAN-HQ"
config sla
edit "CheckVPN"
set id 1
next
end
set priority-members 2
next
edit 4
set name "VPN_DHCP"
set mode sla
set protocol 17
set start-port 67
set end-port 67
set dst "LAN-BR"
set src "LAN-HQ"
config sla
edit "CheckVPN"
set id 1
next
end
set priority-members 2
next
edit 5
set name "VPN_DNS"
set mode sla
set protocol 17
set start-port 53
set end-port 53
set dst "LAN-BR"
set src "LAN-HQ"
config sla
edit "CheckVPN"
set id 1
next
end
set priority-members 2
next
edit 6
set name "VPN_CAPWAP"
set mode sla
set protocol 6
set start-port 5246
set end-port 5247
set dst "LAN-BR"
set src "LAN-HQ"
config sla
edit "CheckVPN"
set id 1
next
end
set priority-members 2
next
edit 7
set name "VPN_RADIUS"
set mode sla
set protocol 6
set start-port 1812
set end-port 1813
set dst "LAN-BR"
set src "LAN-HQ"
config sla
edit "CheckVPN"
set id 1
next
end
set priority-members 2
next
edit 1
set name "VPN"
set mode sla
set dst "LAN-BR"
set src "LAN-HQ"
config sla
edit "CheckVPN"
set id 1
next
end
set priority-members 2
next
end
end

# Inbound route-map "comm2" (applied to neighbor 10.1.1.6 right below):
# routes carrying community 20:2 get local-preference 200, community 20:5 get 150,
# so the branch can signal which of its prefixes HQ should prefer.
# Routes matching neither rule are not covered by an explicit rule here; check
# the platform's implicit-deny behaviour for route-maps if such routes are expected.
config router route-map


edit "comm2"
config rule
edit 1
set match-community "20:2"
set set-local-preference 200
next
edit 2
set match-community "20:5"
set set-local-preference 150
next
end
next
end
# Attach route-map "comm2" to routes received from the branch peer 10.1.1.6.
# soft-reconfiguration on this neighbor (set earlier) lets the map take effect
# without bouncing the session.
config router bgp
config neighbor
edit "10.1.1.6"
set route-map-in "comm2"
next
end
end

# DSCP marking for the VPN SD-WAN rules defined earlier (forward and reverse):
#   rules 3-7 (SCTP, DHCP, DNS, CAPWAP, RADIUS): 101110 = DSCP 46 (EF)
#   rule 1 (catch-all VPN):                      100010 = DSCP 34 (AF41)
# The tags are what the shaping policies later key on indirectly (they classify
# by service, not by DSCP); the marks mainly matter for the transit/branch side.
config system sdwan


config service
edit 3
set name "VPN_SCTP"
set dscp-forward enable
set dscp-reverse enable
set dscp-forward-tag 101110
set dscp-reverse-tag 101110
next
edit 4
set name "VPN_DHCP"
set dscp-forward enable
set dscp-reverse enable
set dscp-forward-tag 101110
set dscp-reverse-tag 101110
next
edit 5
set name "VPN_DNS"
set dscp-forward enable
set dscp-reverse enable
set dscp-forward-tag 101110
set dscp-reverse-tag 101110
next
edit 6
set name "VPN_CAPWAP"
set dscp-forward enable
set dscp-reverse enable
set dscp-forward-tag 101110
set dscp-reverse-tag 101110
next
edit 7
set name "VPN_RADIUS"
set dscp-forward enable
set dscp-reverse enable
set dscp-forward-tag 101110
set dscp-reverse-tag 101110
next
edit 1
set name "VPN"
set dscp-forward enable
set dscp-reverse enable
set dscp-forward-tag 100010
set dscp-reverse-tag 100010
next
end
end

# Traffic shaping policies (evaluated top-down):
#   1 Critical_Apps   : control/infra services (ICMP, BGP, DHCP, DNS, RADIUS, SMTP,
#                       CAPWAP, SCTP) toward the VPN zone -> shared shaper "high-priority";
#                       TUNNEL_ADD is included so BGP between 10.1.1.5/.6 is matched
#   2 Business_Apps   : everything else LAN-HQ -> LAN-BR over VPN -> "medium-priority"
#   3 Secure_Internet : all traffic toward INTERNET -> "low-priority"
# NOTE(review): these policies use shared traffic shapers and set no class-id;
# the per-class egress shaping profile "All_Service" applied to port3 below can
# therefore only place traffic in its default class 4 unless class-ids are
# assigned elsewhere - confirm the two mechanisms are meant to combine this way.
config firewall shaping-policy


edit 1
set name "Critical_Apps"
set service "ALL_ICMP" "BGP" "DHCP" "DNS" "RADIUS" "SMTP" "CAPWAP" "SCTP"
set dstintf "VPN"
set traffic-shaper "high-priority"
set traffic-shaper-reverse "high-priority"
set srcaddr "TUNNEL_ADD" "LAN-HQ"
set dstaddr "LAN-BR" "TUNNEL_ADD"
next
edit 2
set name "Business_Apps"
set service "ALL"
set dstintf "VPN"
set traffic-shaper "medium-priority"
set traffic-shaper-reverse "medium-priority"
set srcaddr "LAN-HQ"
set dstaddr "LAN-BR"
next
edit 3
set name "Secure_Internet"
set service "ALL"
set dstintf "INTERNET"
set traffic-shaper "low-priority"
set traffic-shaper-reverse "low-priority"
set srcaddr "all"
set dstaddr "all"
next
end

# Egress shaping profile "All_Service" (bound to port3 below).
#   class 2: priority critical, 90 % guaranteed, up to 100 %
#   class 3: priority left at default, 8 % guaranteed, up to 100 %
#   class 4: priority low, 2 % guaranteed, up to 100 %  <- default class
# Guarantees sum to 100 % of port3's outbandwidth (2000 kbps).
config firewall shaping-profile


edit "All_Service"
set default-class-id 4
config shaping-entries
edit 1
set class-id 2
set priority critical
set guaranteed-bandwidth-percentage 90
set maximum-bandwidth-percentage 100
next
edit 2
set class-id 3
set guaranteed-bandwidth-percentage 8
set maximum-bandwidth-percentage 100
next
edit 3
set class-id 4
set priority low
set guaranteed-bandwidth-percentage 2
set maximum-bandwidth-percentage 100
next
end
next
end

# Apply the egress shaping profile to the WAN uplink. outbandwidth (kbps) is the
# base the profile's percentages are computed from; it matches the
# estimated-upstream-bandwidth set on port3 at the top of this file.
config system interface


edit "port3"
set outbandwidth 2000
set egress-shaping-profile "All_Service"
next
end
