Back up the firewall , Also known as firewall HA, Realize the high availability of the company's total export .

1 Experimental requirements and network topology

（1） The following network topology is used in this experiment .

（2） The roles and functions of the network equipment of each host are as follows ：
Real machine ： Do not participate in the experiment , Just for remote management firewall , Manage the firewall by opening a web page .
winxp： As the intranet host of the company , You can access servers in the isolation zone and the extranet zone .
win2003： a , One is in the external network area PC.
A firewall ： This experiment uses the firewall of Tianrongxin topgate, Two firewalls ,topgate1 To be active ,topgate2 For backup .

（3） The main content of this experiment is collocation high availability HA A firewall ,inside Regional employees can access the Internet normally , When the active firewall fails , It still does not affect the employees' access to the Internet . Be careful , There are some differences between backing up the firewall and configuring hot backup for the previous routers and core switches . The interface configuration of the two firewalls is in addition to the heartbeat line IP The address is inconsistent , The rest are the same . The principle of hot backup routing protocol and hot backup experiment demonstration of routers and core switches are shown in 《HSRP- Principle and experimental demonstration of hot backup routing protocol — be based on Cisco Packet Tracer》 and 《 Core switch configuration hot backup details and experimental demonstration — be based on Cisco Packet Tracer》. When one of the firewalls is active , Another firewall and PC Your interface will be logical down fall , The connectors at both ends of the core jumper are open .

（4） heartbeat ： Complete the communication between the two firewalls ： Judge whether the other party crashes 、 Synchronous data （ It is divided into static synchronization and dynamic synchronization ）、 Complete hot backup VRRP. Optical fiber is generally used .

（5）VRRP： An active / A backup mode 、 Both active modes .

2 Experimental demonstration process — Build high availability HA

Configure the firewall HA when , Do not configure the firewall , First, let the two firewalls establish an active / standby relationship , Once the master-slave relationship is established , The configuration on the active firewall can be synchronized to the backup firewall through the heartbeat line . If the configuration on the active firewall is manually configured （ Such as strategy 、IP）, Engineers are required to manually synchronize the configuration on the active firewall to the backup firewall ; If the configuration on the active firewall is dynamically generated （ Such as PAT And the session state in the state detection table ）, The data can be dynamically synchronized between the two firewalls .

2.1 Build a network structure

（1） Build the network structure according to the above topology , Will each PC Bridge to respective VMnet in , And configuration IP And gateway （win2003-outside Does not refer to gateway ）. The virtual machine IP Configuration details refer to 《 IP Address details and related concepts 》

（2） Connect two firewall bridges to VMnet And open . There is... On the equipment 5 Block NIC , Corresponding to interfaces respectively eth0~4, The first three pieces are needed for this experiment , Bridge to VMnet1 to VMnet3 On .

（3） The real machine VMnet1 Enable and configure IP（ The real machine does not need to be configured with a gateway ）→ With a real machine ping A firewall IP, can ping through .

2.2 Firewall configuration

Because there are two firewalls , When the real machine browser enters https://192.168.1.254:8080/ When you open the firewall management page , I don't know which firewall is open . At this time, you can unplug the network cable of one of the firewalls （ In reality console The firewall to be plugged in is the firewall to be configured ）.
（1） by topgate1 The firewall is configured with a heartbeat line interface IP. This is because the two firewalls need to establish an active / standby relationship first , Then you have to do it first topgate1 Firewall core jumper interface IP Match well , First of all, will topgate2 Unplug the network cable （ About to network card 1 close ）, Then the real machine browser inputs https://192.168.1.254:8080/, For the first topgate1 The firewall is provided with a heartbeat line IP Address . Be careful , The configuration of the two firewalls is different from that of the heartbeat line IP The address is inconsistent , The rest are the same , Therefore, the heartbeat line needs to check the asynchronous address , Other interfaces are not checked .

（2） by topgate1 Firewall configuration hot backup （ Here is the high availability configuration ）. High availability → Set this machine and the opposite end IP、 Set the tracking interface → Enable . When enabled , The working status will be updated to “ Work ”

（3） by topgate2 The firewall is configured with a heartbeat line interface IP And configuring hot backup （ Here is the high availability configuration ）. Close the original firewall configuration page → Pull out topgate1 The Internet cable （ About to network card 1 close ）→ take topgate2 Network card of 1 Reconnect the → open topgate2 Firewall configuration web page → Set the heartbeat line IP Address → Set high availability as follows and enable , You can see that the firewall is active （ Because the first firewall now has ports disconnected ）.

（4） by topgate1 Create a firewall zone 、 Configure other interfaces IP route 、 Write strategy 、 do DNAT And so on . Close the original firewall configuration page → take topgate1 Network card of 1 Reconnect the → Open the firewall configuration web page with a real computer → After logging in, the active firewall corresponds to the web page （ From the heartbeat line IP The address determines which one it is ）→ Create area 、 Configure other interfaces IP、 Write strategy 、 do DNAT And so on . When creating an area , Consider dividing the heartbeat line interface into intranet independent zones 、 Extranet area 、 The heartbeat area outside the isolation area , There is no need to configure policies for this zone . Create area 、 Configure other interfaces IP、 Write strategy 、 do DNAT For details of basic configurations, please refer to 《 Tian Rong Xin Topgate Firewall basic configuration case 》.

（5） Synchronize the configuration of the active firewall to the backup firewall . You will be prompted if the synchronization is successful .

2.3 verification

Give Way winXP always ping Hosts in the extranet zone ,ping -t 100.1.1.1, To break off topgate1 Any interface of firewall , See if you can always ping through . At the moment of disconnection, some bags will be lost , Then switch to the backup firewall in time and resume normal operation . Refresh the web page configuration of the firewall , After re login, it will be automatically updated to topgate2 The page of .

tips:
1） When two core switches are arranged in the intranet 、 Two firewalls , Two core switches are connected to two firewalls 8 All interfaces are set as layer-2 interfaces , It can greatly reduce the difficulty of network configuration and easy to check errors .

3 summary

（1） Understand the working principle and process of firewall .
（2） Understand how dynamic routing hot backup works , And with HA Compare the working principle of .
（3） Master the configuration method of firewall high availability .

Reference article

[1] 《 Firewall deployment experiment （IP、 Strategy 、NAT、HA）—— be based on topgate Web page deployment method of firewall 》
[2] Video gate