Build the network topology
Configure the IP addresses of the servers and clients
Primary firewall
<USG6000V1>
<USG6000V1>u t m //undo terminal monitor: stop log and trap messages from being pushed to this terminal
<USG6000V1>system-view //enter the system view
[USG6000V1]sysname FW4 //rename the device to FW4
[FW4]
//Assign IP addresses to the interfaces
[FW4]int g1/0/0 //enter the interface view
[FW4-GigabitEthernet1/0/0]ip add 10.1.10.4 24 //assign the IP address with a /24 mask
[FW4-GigabitEthernet1/0/0]q //quit
[FW4]int g1/0/1
[FW4-GigabitEthernet1/0/1]ip add 10.1.20.4 24
[FW4-GigabitEthernet1/0/1]q
[FW4]int g1/0/6
[FW4-GigabitEthernet1/0/6]ip add 10.1.45.4 24
[FW4-GigabitEthernet1/0/6]q
[FW4]
//Add the interfaces to their security zones
[FW4]firewall zone trust //enter the trust zone
[FW4-zone-trust]add int g1/0/0 //add the interface to this zone
[FW4-zone-trust]q
[FW4]
[FW4]firewall zone untrust
[FW4-zone-untrust]add int g1/0/1
[FW4-zone-untrust]q
[FW4]
[FW4]firewall zone name hrp_zone //create a security zone named hrp_zone for the heartbeat link
[FW4-zone-hrp_zone]set priority 20 //set its security level to 20
[FW4-zone-hrp_zone]add int g1/0/6 //add the heartbeat interface to this zone
[FW4-zone-hrp_zone]q
[FW4]
//Enter each interface and configure VRRP
[FW4]
[FW4]int g1/0/0 //enter the interface view
[FW4-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 active
//configure VRRP group VRID 1 with virtual IP 10.1.10.254; this member's role is active
[FW4-GigabitEthernet1/0/0]q
[FW4]int g1/0/1
[FW4-GigabitEthernet1/0/1]
[FW4-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.20.254 active
//configure VRRP group VRID 2 with virtual IP 10.1.20.254; this member's role is active
[FW4-GigabitEthernet1/0/1]q
[FW4]
Backup firewall
The backup uses the same zone names, zone priorities, VRIDs and virtual IPs as the primary; only its interface addresses (.5) and the VRRP role (standby) differ.
<USG6000V1>u t m
<USG6000V1>system-view
[USG6000V1]sysname FW5
[FW5]
[FW5]int g1/0/0
[FW5-GigabitEthernet1/0/0]ip add 10.1.10.5 24
[FW5-GigabitEthernet1/0/0]q
[FW5]int g1/0/1
[FW5-GigabitEthernet1/0/1]ip add 10.1.20.5 24
[FW5-GigabitEthernet1/0/1]q
[FW5]int g1/0/6
[FW5-GigabitEthernet1/0/6]ip add 10.1.45.5 24
[FW5-GigabitEthernet1/0/6]q
[FW5]firewall zone trust
[FW5-zone-trust]add int g1/0/0
[FW5-zone-trust]q
[FW5]firewall zone untrust
[FW5-zone-untrust]add int g1/0/1
[FW5-zone-untrust]q
[FW5]firewall zone name hrp_zone
[FW5-zone-hrp_zone]set priority 20
[FW5-zone-hrp_zone]add int g1/0/6
[FW5-zone-hrp_zone]q
[FW5]
[FW5]
[FW5]int g1/0/0
[FW5-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 standby
[FW5-GigabitEthernet1/0/0]q
[FW5]int g1/0/1
[FW5-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.20.254 standby
[FW5-GigabitEthernet1/0/1]q
[FW5]
Configure the heartbeat link
HRP synchronizes the configuration and the session table over this link, so it should be a dedicated, directly connected link in its own zone (hrp_zone here) rather than a shared segment.
[FW4]hrp int g1/0/6 remote 10.1.45.5
[FW4]hrp enable
HRP_S[FW4]
HRP_S[FW4]
[FW5]hrp int g1/0/6 remote 10.1.45.4
[FW5]hrp enable
HRP_S[FW5]
HRP_S[FW5]
Once FW5 has also been enabled, the two peers negotiate and FW4 becomes the primary firewall (its prompt changes from HRP_S to HRP_M, FW5 stays HRP_S).
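Because both members must agree on every shared field, it is worth generating the two configurations from one specification and diffing them before `hrp enable`. The script below is an added example, not part of the lab notes: it renders the FW4 and FW5 commands from the addressing plan above (using the full-form command names that the abbreviations `int`, `ip add` and `q` expand to) and reports any difference that is not one of the four allowed ones (sysname, interface address, VRRP role, heartbeat peer). The dataclasses, `ZONES`, `VRRP`, `canonical` and `drift` are my own names.

```python
"""Render the HRP/VRRP configuration of both members from one specification.

Added example, not part of the original lab notes. The two members of an HRP
pair must agree on zone names, zone priorities, VRIDs and virtual IPs; only
the sysname, the interface addresses, the VRRP role and the heartbeat peer
may differ. Rendering both from one spec and diffing the result catches a
mistyped VRID or virtual IP before `hrp enable` is issued.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str
    priority: Optional[int]      # None for built-in zones such as trust/untrust
    interfaces: List[str]


@dataclass
class Vrrp:
    interface: str
    vrid: int
    virtual_ip: str


@dataclass
class Member:
    sysname: str
    role: str                                   # "active" or "standby"
    addresses: Dict[str, Tuple[str, int]]       # interface -> (ip, prefix length)
    heartbeat_peer: str                         # peer address on the heartbeat link


HEARTBEAT_IF = "GigabitEthernet1/0/6"

# Shared part of the design, taken from the lab above.
ZONES = [
    Zone("trust", None, ["GigabitEthernet1/0/0"]),
    Zone("untrust", None, ["GigabitEthernet1/0/1"]),
    Zone("hrp_zone", 20, [HEARTBEAT_IF]),
]
VRRP = [
    Vrrp("GigabitEthernet1/0/0", 1, "10.1.10.254"),
    Vrrp("GigabitEthernet1/0/1", 2, "10.1.20.254"),
]

FW4 = Member("FW4", "active",
             {"GigabitEthernet1/0/0": ("10.1.10.4", 24),
              "GigabitEthernet1/0/1": ("10.1.20.4", 24),
              HEARTBEAT_IF: ("10.1.45.4", 24)},
             heartbeat_peer="10.1.45.5")
FW5 = Member("FW5", "standby",
             {"GigabitEthernet1/0/0": ("10.1.10.5", 24),
              "GigabitEthernet1/0/1": ("10.1.20.5", 24),
              HEARTBEAT_IF: ("10.1.45.5", 24)},
             heartbeat_peer="10.1.45.4")


def render(m: Member, zones: List[Zone], vrrp: List[Vrrp]) -> List[str]:
    """Emit the commands in the order the lab applies them (full-form names)."""
    out = ["undo terminal monitor", "system-view", f"sysname {m.sysname}"]
    for intf, (ip, plen) in m.addresses.items():
        out += [f"interface {intf}", f" ip address {ip} {plen}", " quit"]
    for z in zones:
        if z.priority is None:                  # built-in zone: just select it
            out.append(f"firewall zone {z.name}")
        else:                                   # custom zone needs a priority
            out += [f"firewall zone name {z.name}", f" set priority {z.priority}"]
        out += [f" add interface {i}" for i in z.interfaces] + [" quit"]
    for v in vrrp:
        out += [f"interface {v.interface}",
                f" vrrp vrid {v.vrid} virtual-ip {v.virtual_ip} {m.role}", " quit"]
    out += [f"hrp interface {HEARTBEAT_IF} remote {m.heartbeat_peer}", "hrp enable"]
    return out


def canonical(line: str) -> str:
    """Blank out the fields that legitimately differ between the two members."""
    if line.startswith(" vrrp vrid ") or line.startswith("hrp interface "):
        return line.rsplit(" ", 1)[0]           # drop the role / the peer address
    if line.startswith(" ip address "):
        _, _, _ip, plen = line.split()          # address differs, mask must not
        return f" ip address <member> {plen}"
    if line.startswith("sysname "):
        return "sysname <member>"
    return line


def drift(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Return (line_a, line_b) pairs that still differ after canonicalisation."""
    ca, cb = [canonical(l) for l in a], [canonical(l) for l in b]
    if len(ca) != len(cb):
        return [("<length>", f"{len(ca)} lines vs {len(cb)} lines")]
    return [(x, y) for x, y in zip(ca, cb) if x != y]


def roles_complementary(a: Member, b: Member) -> bool:
    """Exactly one active and one standby member."""
    return {a.role, b.role} == {"active", "standby"}


if __name__ == "__main__":
    for member in (FW4, FW5):
        print("\n".join(render(member, ZONES, VRRP)), end="\n\n")
    print("drift:", drift(render(FW4, ZONES, VRRP), render(FW5, ZONES, VRRP)))
```

Running it prints both command lists and an empty drift list; feeding a second, independently typed spec for the backup (for instance with the virtual IP of VRID 2 mistyped) makes `drift` return the offending pair of lines.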
View the VRRP state (both VRIDs should be Master on FW4 and Backup on FW5)
HRP_M[FW4]
HRP_M[FW4]dis vrrp brief
HRP_S[FW5]
HRP_S[FW5]dis vrrp brief
Configure the security policy
Configure it on the primary firewall only; the backup receives it automatically through HRP. The (+B) tag the CLI appends to each command confirms that the command was backed up to the peer. Note that rule 123 below permits everything from trust to untrust with no source, destination or service restriction; that is fine for this lab but should be narrowed in production.
HRP_M[FW4]security-policy (+B)
HRP_M[FW4-policy-security]rule name 123 (+B)
HRP_M[FW4-policy-security-rule-123]source-zone trust (+B)
HRP_M[FW4-policy-security-rule-123]destination-zone untrust (+B)
HRP_M[FW4-policy-security-rule-123]action permit (+B)
HRP_M[FW4-policy-security-rule-123]dis this
#
rule name 123
source-zone trust
destination-zone untrust
action permit
#
return
HRP_M[FW4-policy-security-rule-123]q
HRP_M[FW4-policy-security]q
Check on the backup firewall
HRP_S[FW5]dis security-policy all
Verify the result
After shutting down interface g1/0/1 on FW4, the primary firewall became the backup and the backup became the primary: the interface failure lowers FW4's VGMP priority, so both VRRP groups fail over to FW5 together instead of only the group on the failed interface.
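The `display vrrp brief` screenshots from the original are not reproduced here, so as an added example (not part of the lab notes) the script below parses constructed output from both members and encodes what the verification step expects: every VRID has exactly one Master across the pair, both members agree on interface and virtual IP, and a single member is Master for all VRIDs. The column layout assumed by `ROW` (VRID, State, Interface, Type, Virtual IP) is my approximation of the USG output, and the sample text, the `Initialize` state of the shut interface and the function names are constructed; adjust the regex to your release.

```python
"""Sanity-check the VRRP state of an HRP pair from `display vrrp brief`.

Added example, not part of the original lab notes. The outputs below are
constructed; their column layout (VRID, State, Interface, Type, Virtual IP)
is an assumption about what the USG prints, so adjust ROW for your release.
The checks encode what the verification step expects: every VRID has exactly
one Master across the pair, both members agree on interface and virtual IP,
and one member is Master for all VRIDs, because VGMP fails over the whole
group when a monitored interface such as g1/0/1 goes down.
"""
import re
from typing import Dict, List, NamedTuple


class VrrpEntry(NamedTuple):
    state: str
    interface: str
    virtual_ip: str


# One data row: VRID, state, interface, type, virtual IP (assumed layout).
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_vrrp_brief(text: str) -> Dict[int, VrrpEntry]:
    """Return {vrid: entry}, ignoring the prompt, header and summary lines."""
    entries: Dict[int, VrrpEntry] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vrid, state, intf, _type, vip = m.groups()
            entries[int(vrid)] = VrrpEntry(state, intf, vip)
    return entries


def check_pair(name_a: str, out_a: str, name_b: str, out_b: str) -> List[str]:
    """Return a list of findings; an empty list means the pair is healthy."""
    a, b = parse_vrrp_brief(out_a), parse_vrrp_brief(out_b)
    findings: List[str] = []
    masters = set()
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"VRID {vrid}: present on only one member")
            continue
        if (a[vrid].interface, a[vrid].virtual_ip) != (b[vrid].interface, b[vrid].virtual_ip):
            findings.append(f"VRID {vrid}: interface or virtual IP differs between members")
        who = [n for n, e in ((name_a, a[vrid]), (name_b, b[vrid])) if e.state == "Master"]
        if len(who) == 2:       # both claim the VIP: heartbeat lost, split-brain
            findings.append(f"VRID {vrid}: split-brain, both members are Master")
        elif not who:           # nobody answers for the VIP
            findings.append(f"VRID {vrid}: no Master, {a[vrid].virtual_ip} is unreachable")
        else:
            masters.add(who[0])
    if len(masters) > 1:        # asymmetric state through a stateful firewall pair
        findings.append("different members are Master for different VRIDs; "
                        "the VGMP group did not fail over as a whole")
    return findings


# Constructed outputs: healthy state before the test (FW4 is primary).
FW4_BEFORE = """\
HRP_M<FW4>display vrrp brief
Total:2     Master:2     Backup:0     Non-active:0
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------------
1     Master       GE1/0/0                  Normal   10.1.10.254
2     Master       GE1/0/1                  Normal   10.1.20.254
"""
FW5_BEFORE = """\
HRP_S<FW5>display vrrp brief
Total:2     Master:0     Backup:2     Non-active:0
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------------
1     Backup       GE1/0/0                  Normal   10.1.10.254
2     Backup       GE1/0/1                  Normal   10.1.20.254
"""
# Constructed outputs after `shutdown` on FW4 g1/0/1: the whole group moved.
FW4_AFTER = """\
HRP_S<FW4>display vrrp brief
Total:2     Master:0     Backup:1     Non-active:1
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------------
1     Backup       GE1/0/0                  Normal   10.1.10.254
2     Initialize   GE1/0/1                  Normal   10.1.20.254
"""
FW5_AFTER = """\
HRP_M<FW5>display vrrp brief
Total:2     Master:2     Backup:0     Non-active:0
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------------
1     Master       GE1/0/0                  Normal   10.1.10.254
2     Master       GE1/0/1                  Normal   10.1.20.254
"""


if __name__ == "__main__":
    print("before failover:", check_pair("FW4", FW4_BEFORE, "FW5", FW5_BEFORE))
    print("after failover: ", check_pair("FW4", FW4_AFTER, "FW5", FW5_AFTER))
    # FW5 promoted while FW4 still holds the VIPs: what a lost heartbeat looks like.
    print("heartbeat lost: ", check_pair("FW4", FW4_BEFORE, "FW5", FW5_AFTER))
```

The first two calls return no findings, matching the healthy state before the test and the state after g1/0/1 on FW4 is shut; the third pairs FW4's pre-failover output with FW5's post-failover output and reports split-brain on both VRIDs, which is the condition to look for if the heartbeat link itself fails.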