Source: Huawei Firewall Configuration Guide
These are study notes that I organized while learning and am sharing with you. If anything here infringes a copyright, it will be deleted immediately. Thank you for your support!
Related collection: Huawei eNSP simulator series | COCOgsta's blog (CSDN), Huawei simulator experiments
Objective
This section describes how to configure IPSec VPN when two FWs working in hot standby (dual-system) load-balancing mode are connected to upstream and downstream routers.
Networking requirements
As shown in Figure 1, the headquarters and the branches connect to the Internet through FWs. FW_C and FW_D at the headquarters work in load-balancing mode; their service interfaces work at Layer 3 and run OSPF with the upstream and downstream routers. The enterprise requires that traffic from branch users to the headquarters be protected by IPSec tunnels, that FW_C process the traffic FW_A sends to the headquarters, and that FW_D process the traffic FW_B sends to the headquarters. When either FW_C or FW_D fails, all traffic from the branches to the headquarters must be switched to the device that is still running.
Configuration roadmap
- Configure FW_C and FW_D to work in load balancing mode.
- Create two tunnel interfaces, Tunnel1 and Tunnel2, on FW_C, and the same two interfaces on FW_D. Tunnel1 has the same IP address on both devices, and so does Tunnel2. Tunnel1 on FW_C is the primary interface and establishes the primary IPSec tunnel with FW_A; Tunnel1 on FW_D is the backup interface and establishes the backup IPSec tunnel with FW_A. Likewise, Tunnel2 on FW_D establishes the primary IPSec tunnel with FW_B, and Tunnel2 on FW_C establishes the backup IPSec tunnel with FW_B. FW_A and FW_B therefore each have an IPSec tunnel to both headquarters devices (FW_C and FW_D). While both devices are running normally, FW_A and FW_B each send traffic to the headquarters over their primary IPSec tunnel. If one of the two devices fails, FW_A or FW_B switches to the backup IPSec tunnel.
- Configure a route-policy on FW_C and FW_D that adjusts the cost of the advertised routes according to the device's HRP status. When both devices are running normally, the status is load-balance: return traffic from the headquarters to FW_A is steered to FW_C, and return traffic to FW_B is steered to FW_D. If FW_C fails, FW_C's status becomes standby and FW_D's becomes active, and all return traffic from the headquarters to FW_A and FW_B is steered to FW_D.
- Apply the IPSec policy to the public-network interfaces of FW_A and FW_B that connect to the Internet, so that each branch establishes IPSec tunnels with FW_C and FW_D.
Procedure
- Configure interface IP addresses on FW_C (headquarters).
- Configure the IP address of GE1/0/1 and add the interface to the Untrust zone.
```
<sysname> system-view
[sysname] sysname FW_C
[FW_C] interface gigabitethernet 1/0/1
[FW_C-GigabitEthernet1/0/1] ip address 2.2.2.1 24
[FW_C-GigabitEthernet1/0/1] quit
[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface gigabitethernet 1/0/1
[FW_C-zone-untrust] quit
```
- Configure the IP address of GE1/0/2 and add the interface to the DMZ. This interface is used as the HRP heartbeat interface later in the procedure.
```
[FW_C] interface gigabitethernet 1/0/2
[FW_C-GigabitEthernet1/0/2] ip address 10.10.0.1 24
[FW_C-GigabitEthernet1/0/2] quit
[FW_C] firewall zone dmz
[FW_C-zone-dmz] add interface gigabitethernet 1/0/2
[FW_C-zone-dmz] quit
```
- Configure the IP address of GE1/0/3 and add the interface to the Trust zone.
```
[FW_C] interface gigabitethernet 1/0/3
[FW_C-GigabitEthernet1/0/3] ip address 10.3.3.1 24
[FW_C-GigabitEthernet1/0/3] quit
[FW_C] firewall zone trust
[FW_C-zone-trust] add interface gigabitethernet 1/0/3
[FW_C-zone-trust] quit
```
- Configure the VGMP group to monitor the upstream and downstream service interfaces. If either tracked interface goes down, the device's VGMP priority drops and its HRP status changes.
```
[FW_C] hrp track interface GigabitEthernet 1/0/1
[FW_C] hrp track interface GigabitEthernet 1/0/3
```
- Create the Tunnel1 and Tunnel2 interfaces on FW_C and add them to the Untrust zone.
```
[FW_C] interface tunnel 1
[FW_C-Tunnel1] tunnel-protocol ipsec
[FW_C-Tunnel1] ip address 2.2.4.1 24
[FW_C-Tunnel1] quit
[FW_C] interface tunnel 2
[FW_C-Tunnel2] tunnel-protocol ipsec
[FW_C-Tunnel2] ip address 2.2.5.1 24
[FW_C-Tunnel2] quit
[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface Tunnel 1
[FW_C-zone-untrust] add interface Tunnel 2
[FW_C-zone-untrust] quit
```
- Configure interzone security policies on FW_C (headquarters).
- Configure security policies between the Trust and Untrust zones for the decrypted branch traffic (rules 1 and 2), and between the Local zone and the DMZ for the HRP heartbeat on GE1/0/2 (rule 3).
```
[FW_C] security-policy
[FW_C-policy-security] rule name 1
[FW_C-policy-security-rule-1] source-zone untrust
[FW_C-policy-security-rule-1] destination-zone trust
[FW_C-policy-security-rule-1] source-address 10.1.3.0 24
[FW_C-policy-security-rule-1] source-address 10.1.4.0 24
[FW_C-policy-security-rule-1] destination-address 10.1.2.0 24
[FW_C-policy-security-rule-1] action permit
[FW_C-policy-security-rule-1] quit
[FW_C-policy-security] rule name 2
[FW_C-policy-security-rule-2] source-zone trust
[FW_C-policy-security-rule-2] destination-zone untrust
[FW_C-policy-security-rule-2] source-address 10.1.2.0 24
[FW_C-policy-security-rule-2] destination-address 10.1.3.0 24
[FW_C-policy-security-rule-2] destination-address 10.1.4.0 24
[FW_C-policy-security-rule-2] action permit
[FW_C-policy-security-rule-2] quit
[FW_C-policy-security] rule name 3
[FW_C-policy-security-rule-3] source-zone local dmz
[FW_C-policy-security-rule-3] destination-zone local dmz
[FW_C-policy-security-rule-3] action permit
[FW_C-policy-security-rule-3] quit
```
- Configure security policies between the Local and Untrust zones so that IKE negotiation packets sent and received by FW_C itself are permitted.
```
[FW_C-policy-security] rule name 4
[FW_C-policy-security-rule-4] source-zone local
[FW_C-policy-security-rule-4] destination-zone untrust
[FW_C-policy-security-rule-4] source-address 2.2.0.0 16
[FW_C-policy-security-rule-4] destination-address 1.1.0.0 16
[FW_C-policy-security-rule-4] action permit
[FW_C-policy-security-rule-4] quit
[FW_C-policy-security] rule name 5
[FW_C-policy-security-rule-5] source-zone untrust
[FW_C-policy-security-rule-5] destination-zone local
[FW_C-policy-security-rule-5] source-address 1.1.0.0 16
[FW_C-policy-security-rule-5] destination-address 2.2.0.0 16
[FW_C-policy-security-rule-5] action permit
[FW_C-policy-security-rule-5] quit
[FW_C-policy-security] quit
```
- Configure static routes on FW_C (headquarters) to the private networks behind FW_A and FW_B, pointing at the tunnel interfaces.
```
[FW_C] ip route-static 10.1.3.0 24 Tunnel 1
[FW_C] ip route-static 10.1.4.0 24 Tunnel 2
```
- Configure OSPF on FW_C (headquarters).
For traffic from FW_A to the headquarters to follow the path FW_A <-> Router1 <-> FW_C <-> Router2, and traffic from FW_B to follow FW_B <-> Router1 <-> FW_D <-> Router2, route-policies on FW_C and FW_D must control the routing information that Router1 and Router2 learn.
In the load-balancing state, both FW_C and FW_D advertise the directly connected route of the Tunnel1 interface to Router1 and the private-network route to FW_A (the static route) to Router2. To forward the two kinds of traffic along different paths, route control is applied to the directly connected routes and static routes that FW_C and FW_D redistribute into OSPF. A route that matches no node of the route-policy is not imported (a route-policy ends with an implicit deny), so only the tunnel subnets and the two static routes are redistributed; the GE interface subnets are advertised through the network commands instead.
In the load-balancing state, Router1 must send FW_A's traffic to Tunnel1 of FW_C rather than Tunnel1 of FW_D. FW_C therefore advertises the Tunnel1 route with its cost reduced by 10, and FW_D advertises it with its cost increased by 10, so Router1 selects FW_C by cost. Likewise, Router2 must send the return traffic for FW_A to FW_C rather than FW_D: FW_C advertises the static route to FW_A's private network with its cost reduced by 10, and FW_D with its cost increased by 10. The same pattern with the roles reversed (ACL 2001) steers FW_B's traffic to FW_D.
When FW_D fails and FW_C is in the active state, FW_C advertises all of its directly connected and static routes with the cost reduced by 10 (and FW_D, if still reachable, with the cost increased by 10), so all traffic for FW_A and FW_B is handled by FW_C.
When FW_C fails and becomes standby, FW_C advertises its directly connected and static routes with the cost increased by 10 and FW_D, now active, with the cost reduced by 10, so all traffic for FW_A and FW_B is handled by FW_D.
```
[FW_C] ospf 1
[FW_C-ospf-1] import-route direct route-policy rp
[FW_C-ospf-1] import-route static route-policy rp
[FW_C-ospf-1] area 0.0.0.0
[FW_C-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[FW_C-ospf-1-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[FW_C-ospf-1-area-0.0.0.0] quit
[FW_C-ospf-1] quit
[FW_C] route-policy rp permit node 1
[FW_C-route-policy] if-match acl 2000
[FW_C-route-policy] if-match backup-status load-balance
[FW_C-route-policy] apply cost - 10
[FW_C-route-policy] quit
[FW_C] route-policy rp permit node 2
[FW_C-route-policy] if-match acl 2001
[FW_C-route-policy] if-match backup-status load-balance
[FW_C-route-policy] apply cost + 10
[FW_C-route-policy] quit
[FW_C] route-policy rp permit node 3
[FW_C-route-policy] if-match acl 2002
[FW_C-route-policy] if-match backup-status active
[FW_C-route-policy] apply cost - 10
[FW_C-route-policy] quit
[FW_C] route-policy rp permit node 4
[FW_C-route-policy] if-match acl 2002
[FW_C-route-policy] if-match backup-status standby
[FW_C-route-policy] apply cost + 10
[FW_C-route-policy] quit
[FW_C] acl 2000
[FW_C-acl-basic-2000] rule permit source 2.2.4.0 0.0.0.255
[FW_C-acl-basic-2000] rule permit source 10.1.3.0 0.0.0.255
[FW_C-acl-basic-2000] quit
[FW_C] acl 2001
[FW_C-acl-basic-2001] rule permit source 2.2.5.0 0.0.0.255
[FW_C-acl-basic-2001] rule permit source 10.1.4.0 0.0.0.255
[FW_C-acl-basic-2001] quit
[FW_C] acl 2002
[FW_C-acl-basic-2002] rule permit source 2.2.4.0 0.0.0.255
[FW_C-acl-basic-2002] rule permit source 10.1.3.0 0.0.0.255
[FW_C-acl-basic-2002] rule permit source 2.2.5.0 0.0.0.255
[FW_C-acl-basic-2002] rule permit source 10.1.4.0 0.0.0.255
[FW_C-acl-basic-2002] quit
```
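The route-policy above is easy to get wrong because the same four nodes appear on both devices with the signs of the load-balance nodes swapped. The following Python model is an added example, not part of the Huawei guide: it re-implements route-policy rp for FW_C and FW_D with the ACLs, node order and +/-10 deltas from the configuration above, and reports which headquarters device Router1 and Router2 will prefer for each prefix in each HRP state. BASE_COST is an assumption (the page does not state the base cost of an imported route; only the relative values matter), and the routers are assumed to prefer the lowest cost.

```python
"""Model of route-policy rp on FW_C and FW_D (added example, not from the guide)."""
from ipaddress import ip_network

BASE_COST = 100  # assumed base cost of an imported route; only the +/-10 deltas matter


def wildcard_to_network(addr, wildcard):
    """Huawei basic ACLs use wildcard masks (0.0.0.255 is a /24); invert to a netmask."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{netmask}", strict=False)


# acl 2000 / 2001 / 2002 exactly as configured on FW_C and FW_D
ACL = {
    2000: {wildcard_to_network("2.2.4.0", "0.0.0.255"), wildcard_to_network("10.1.3.0", "0.0.0.255")},
    2001: {wildcard_to_network("2.2.5.0", "0.0.0.255"), wildcard_to_network("10.1.4.0", "0.0.0.255")},
}
ACL[2002] = ACL[2000] | ACL[2001]

# route-policy rp node by node: (acl, required backup-status, cost delta).
# Only the two load-balance nodes differ between the devices.
ROUTE_POLICY = {
    "FW_C": [(2000, "load-balance", -10), (2001, "load-balance", +10),
             (2002, "active", -10), (2002, "standby", +10)],
    "FW_D": [(2000, "load-balance", +10), (2001, "load-balance", -10),
             (2002, "active", -10), (2002, "standby", +10)],
}


def advertised_cost(fw, prefix, status):
    """Cost that `fw` advertises for `prefix` while its HRP status is `status`.

    Returns None when the device is down (status None) or when no node matches:
    a route-policy ends with an implicit deny, so an unmatched route (for example
    the GE interface subnets) is not imported into OSPF at all.
    """
    if status is None:
        return None
    net = ip_network(prefix)
    for acl, wanted_status, delta in ROUTE_POLICY[fw]:
        if net in ACL[acl] and status == wanted_status:
            return BASE_COST + delta
    return None


def preferred_fw(prefix, status_c, status_d):
    """Headquarters device that Router1/Router2 forward `prefix` to (lowest cost wins)."""
    costs = {"FW_C": advertised_cost("FW_C", prefix, status_c),
             "FW_D": advertised_cost("FW_D", prefix, status_d)}
    reachable = {fw: cost for fw, cost in costs.items() if cost is not None}
    if not reachable:
        return None
    return min(reachable, key=reachable.get)


SCENARIOS = {
    "both normal": ("load-balance", "load-balance"),
    "FW_D failed": ("active", None),
    "FW_C failed": (None, "active"),
    "FW_C demoted": ("standby", "active"),  # FW_C up, but a tracked interface is down
}

if __name__ == "__main__":
    for name, (status_c, status_d) in SCENARIOS.items():
        for prefix in ("2.2.4.0/24", "10.1.3.0/24", "2.2.5.0/24", "10.1.4.0/24"):
            print(f"{name:13s} {prefix:12s} -> {preferred_fw(prefix, status_c, status_d)}")
```

In the normal state the model sends the FW_A prefixes (2.2.4.0/24 and 10.1.3.0/24) to FW_C at cost 90 against FW_D's 110, and the FW_B prefixes to FW_D; in both failure states every prefix moves to the surviving device. Flipping a single sign on one device breaks the split, which is what this kind of model catches before a lab test does.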
- Configure IPSec on FW_C (headquarters).
- Define the data flows to FW_A and FW_B.
```
[FW_C] acl 3005
[FW_C-acl-adv-3005] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[FW_C-acl-adv-3005] quit
[FW_C] acl 3006
[FW_C-acl-adv-3006] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.4.0 0.0.0.255
[FW_C-acl-adv-3006] quit
```
- Configure an IPSec proposal.
```
[FW_C] ipsec proposal tran1
[FW_C-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_C-ipsec-proposal-tran1] transform esp
[FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_C-ipsec-proposal-tran1] quit
```
- Configure an IKE proposal. Only the authentication method and integrity algorithm are set here; the encryption algorithm and DH group are left at the device defaults, which a production deployment should set explicitly.
```
[FW_C] ike proposal 10
[FW_C-ike-proposal-10] authentication-method pre-share
[FW_C-ike-proposal-10] authentication-algorithm sha2-256
[FW_C-ike-proposal-10] quit
```
- Configure the IKE peers. `undo version 2` restricts each peer to IKEv1. This example uses the same pre-shared key for both branches; in production, use a distinct strong key per peer.
```
[FW_C] ike peer ngfw_a
[FW_C-ike-peer-ngfw_a] ike-proposal 10
[FW_C-ike-peer-ngfw_a] remote-address 1.1.1.1
[FW_C-ike-peer-ngfw_a] pre-shared-key Admin@123
[FW_C-ike-peer-ngfw_a] undo version 2
[FW_C-ike-peer-ngfw_a] quit
[FW_C] ike peer ngfw_b
[FW_C-ike-peer-ngfw_b] ike-proposal 10
[FW_C-ike-peer-ngfw_b] remote-address 1.1.2.1
[FW_C-ike-peer-ngfw_b] pre-shared-key Admin@123
[FW_C-ike-peer-ngfw_b] undo version 2
[FW_C-ike-peer-ngfw_b] quit
```
- Configure two ISAKMP (non-template) IPSec policies, one per branch.
```
[FW_C] ipsec policy map1 10 isakmp
[FW_C-ipsec-policy-isakmp-map1-10] security acl 3005
[FW_C-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_C-ipsec-policy-isakmp-map1-10] ike-peer ngfw_a
[FW_C-ipsec-policy-isakmp-map1-10] quit
[FW_C] ipsec policy map2 10 isakmp
[FW_C-ipsec-policy-isakmp-map2-10] security acl 3006
[FW_C-ipsec-policy-isakmp-map2-10] proposal tran1
[FW_C-ipsec-policy-isakmp-map2-10] ike-peer ngfw_b
[FW_C-ipsec-policy-isakmp-map2-10] quit
```
- Apply the IPSec policies to the tunnel interfaces. On FW_C, Tunnel1 (to FW_A) is the master and Tunnel2 (to FW_B) is the slave, as in the configuration roadmap.
```
[FW_C] interface Tunnel 1
[FW_C-Tunnel1] ipsec policy map1 master
[FW_C-Tunnel1] quit
[FW_C] interface Tunnel 2
[FW_C-Tunnel2] ipsec policy map2 slave
[FW_C-Tunnel2] quit
```
- Enable hot standby (HRP) on FW_C (headquarters), using GE1/0/2 as the heartbeat interface.
```
[FW_C] hrp interface gigabitethernet 1/0/2
[FW_C] hrp enable
HRP_M[FW_C] hrp loadbalance device
HRP_M[FW_C] hrp auto-sync config
HRP_M[FW_C] hrp mirror session enable
```
- Configure FW_D (headquarters). Once hot standby is enabled on FW_D, the ACLs, security policies and IPSec configuration of FW_C are synchronized to FW_D automatically. Interface and routing configuration (including the tracked interfaces, tunnel interfaces, static routes, OSPF and the route-policy) is not synchronized and must be configured manually on FW_D.
- Configure the interface IP addresses of FW_D and add the interfaces to the security zones in the same way as on FW_C. Tunnel1 and Tunnel2 on FW_D use the same addresses as on FW_C (2.2.4.1/24 and 2.2.5.1/24). The OSPF configuration below advertises 2.2.3.0/24 and 10.3.4.0/24, so FW_D's GE1/0/1 and GE1/0/3 are in those subnets, and GE1/0/2 is the heartbeat interface in the DMZ.
- Configure routing on FW_D. The route-policy is the mirror image of FW_C's: the load-balance nodes carry the opposite signs, while the active and standby nodes are identical.
```
[FW_D] ip route-static 10.1.3.0 24 Tunnel 1
[FW_D] ip route-static 10.1.4.0 24 Tunnel 2
[FW_D] ospf 1
[FW_D-ospf-1] import-route direct route-policy rp
[FW_D-ospf-1] import-route static route-policy rp
[FW_D-ospf-1] area 0.0.0.0
[FW_D-ospf-1-area-0.0.0.0] network 10.3.4.0 0.0.0.255
[FW_D-ospf-1-area-0.0.0.0] network 2.2.3.0 0.0.0.255
[FW_D-ospf-1-area-0.0.0.0] quit
[FW_D-ospf-1] quit
[FW_D] route-policy rp permit node 1
[FW_D-route-policy] if-match acl 2000
[FW_D-route-policy] if-match backup-status load-balance
[FW_D-route-policy] apply cost + 10
[FW_D-route-policy] quit
[FW_D] route-policy rp permit node 2
[FW_D-route-policy] if-match acl 2001
[FW_D-route-policy] if-match backup-status load-balance
[FW_D-route-policy] apply cost - 10
[FW_D-route-policy] quit
[FW_D] route-policy rp permit node 3
[FW_D-route-policy] if-match acl 2002
[FW_D-route-policy] if-match backup-status active
[FW_D-route-policy] apply cost - 10
[FW_D-route-policy] quit
[FW_D] route-policy rp permit node 4
[FW_D-route-policy] if-match acl 2002
[FW_D-route-policy] if-match backup-status standby
[FW_D-route-policy] apply cost + 10
[FW_D-route-policy] quit
```
- Apply the IPSec policies to the tunnel interfaces. The roles on FW_D are the reverse of those on FW_C: Tunnel1 (backup tunnel to FW_A) is the slave and Tunnel2 (primary tunnel to FW_B) is the master.
```
[FW_D] interface Tunnel 1
[FW_D-Tunnel1] ipsec policy map1 slave
[FW_D-Tunnel1] quit
[FW_D] interface Tunnel 2
[FW_D-Tunnel2] ipsec policy map2 master
[FW_D-Tunnel2] quit
```
- Enable hot standby (HRP) on FW_D (headquarters), using GE1/0/2 as the heartbeat interface.
```
[FW_D] hrp interface gigabitethernet 1/0/2
[FW_D] hrp enable
HRP_S[FW_D] hrp loadbalance device
HRP_S[FW_D] hrp auto-sync config
HRP_S[FW_D] hrp mirror session enable
```
- Configure FW_A (branch).
- Configure the interface IP addresses and add the interfaces to the corresponding security zones.
```
<sysname> system-view
[sysname] sysname FW_A
[FW_A] interface gigabitethernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface gigabitethernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.3.1 24
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface gigabitethernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface gigabitethernet 1/0/2
[FW_A-zone-trust] quit
```
- Configure security policies.
- Configure policies between the Trust and Untrust zones so that the plaintext traffic (before encryption and after decryption) can pass through FW_A.
```
[FW_A] security-policy
[FW_A-policy-security] rule name 1
[FW_A-policy-security-rule-1] source-zone trust
[FW_A-policy-security-rule-1] destination-zone untrust
[FW_A-policy-security-rule-1] source-address 10.1.3.0 24
[FW_A-policy-security-rule-1] destination-address 10.1.2.0 24
[FW_A-policy-security-rule-1] action permit
[FW_A-policy-security-rule-1] quit
[FW_A-policy-security] rule name 2
[FW_A-policy-security-rule-2] source-zone untrust
[FW_A-policy-security-rule-2] destination-zone trust
[FW_A-policy-security-rule-2] source-address 10.1.2.0 24
[FW_A-policy-security-rule-2] destination-address 10.1.3.0 24
[FW_A-policy-security-rule-2] action permit
[FW_A-policy-security-rule-2] quit
```
- Configure policies between the Local and Untrust zones so that IKE negotiation packets sent and received by FW_A itself are permitted.
```
[FW_A-policy-security] rule name 3
[FW_A-policy-security-rule-3] source-zone local
[FW_A-policy-security-rule-3] destination-zone untrust
[FW_A-policy-security-rule-3] source-address 1.1.0.0 16
[FW_A-policy-security-rule-3] destination-address 2.2.0.0 16
[FW_A-policy-security-rule-3] action permit
[FW_A-policy-security-rule-3] quit
[FW_A-policy-security] rule name 4
[FW_A-policy-security-rule-4] source-zone untrust
[FW_A-policy-security-rule-4] destination-zone local
[FW_A-policy-security-rule-4] source-address 2.2.0.0 16
[FW_A-policy-security-rule-4] destination-address 1.1.0.0 16
[FW_A-policy-security-rule-4] action permit
[FW_A-policy-security-rule-4] quit
[FW_A-policy-security] quit
```
- Configure a default route. The next hop towards the public network is assumed to be 1.1.1.2.
```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
```
- Configure an ACL that defines the data flow to be protected. It must be the exact mirror of ACL 3005 on FW_C, otherwise IKE phase 2 fails on a proxy-ID mismatch.
```
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW_A-acl-adv-3000] quit
```
- Configure an IPSec proposal named tran1, matching the one on FW_C.
```
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_A-ipsec-proposal-tran1] transform esp
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
```
- Configure an IKE proposal with sequence number 10.
```
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] authentication-algorithm sha2-256
[FW_A-ike-proposal-10] quit
```
- Configure the IKE peer. The remote address 2.2.4.1 is the Tunnel1 address shared by FW_C and FW_D, so the branch needs no reconfiguration when the headquarters fails over; which device terminates the tunnel is decided by the routes that FW_C and FW_D advertise.
```
[FW_A] ike peer ngfw_c
[FW_A-ike-peer-ngfw_c] ike-proposal 10
[FW_A-ike-peer-ngfw_c] remote-address 2.2.4.1
[FW_A-ike-peer-ngfw_c] pre-shared-key Admin@123
[FW_A-ike-peer-ngfw_c] undo version 2
[FW_A-ike-peer-ngfw_c] quit
```
- Configure the IPSec policy group map1.
```
[FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer ngfw_c
[FW_A-ipsec-policy-isakmp-map1-10] quit
```
- Apply the IPSec policy group map1 to the outbound interface GE1/0/1.
```
[FW_A] interface gigabitethernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ipsec policy map1
[FW_A-GigabitEthernet1/0/1] quit
```
- Configure FW_B (branch) in the same way as FW_A. From the FW_C configuration, FW_B's public address is 1.1.2.1, its private network is 10.1.4.0/24, its protected flow must mirror ACL 3006 on FW_C, and its IKE peer remote address is 2.2.5.1 (the shared Tunnel2 address).
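Two configuration errors account for most tunnels that refuse to come up in this design: the protected data flow on the branch (ACL 3000 on FW_A) is not the exact mirror of the flow on the headquarters (ACL 3005 on FW_C), so IKE phase 2 fails on a proxy-ID mismatch, and the Local/Untrust security policy does not cover the IKE endpoints, so the firewall drops its own IKE packets. The Python below is an added example, not from the Huawei guide: it parses the ACL rules copied from the FW_A and FW_C sections above and checks both conditions, including one deliberately mismatched pair. FW_B's ACL is a constructed copy inferred from "configure FW_B like FW_A" with its own subnet 10.1.4.0/24, and the policy rules are represented as the address pairs from rule 3 (FW_A) and rule 4 (FW_C).

```python
"""Proxy-ID and IKE-endpoint consistency checks (added example, not from the guide)."""
import re
from ipaddress import ip_address, ip_network

# Rule lines copied from the page; FW_B's is constructed by analogy with FW_A.
FW_A_ACL_3000 = "rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"
FW_B_ACL_3000 = "rule permit ip source 10.1.4.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"
FW_C_ACL_3005 = "rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255"
FW_C_ACL_3006 = "rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.4.0 0.0.0.255"

# Local -> Untrust policy as (source-address, destination-address) from the page
FW_A_LOCAL_OUT = (ip_network("1.1.0.0/16"), ip_network("2.2.0.0/16"))  # FW_A rule 3
FW_C_LOCAL_OUT = (ip_network("2.2.0.0/16"), ip_network("1.1.0.0/16"))  # FW_C rule 4

ACL_RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks (0.0.0.255 is a /24); invert to a netmask."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{netmask}", strict=False)


def parse_flows(cli_text):
    """Return the set of (source, destination) networks in advanced-ACL rule lines."""
    return {(wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))
            for src, src_wc, dst, dst_wc in ACL_RULE.findall(cli_text)}


def proxy_ids_match(initiator_acl, responder_acl):
    """IKE phase 2 succeeds only if every flow (s, d) on one side appears as (d, s)
    on the other; a superset, a missing rule or a host-vs-subnet difference fails."""
    return {(dst, src) for src, dst in parse_flows(initiator_acl)} == parse_flows(responder_acl)


def ike_endpoints_permitted(local_policy, local_ip, peer_ip):
    """The Local -> Untrust rule must contain our own address as source and the
    IKE peer as destination, otherwise the firewall drops its own IKE packets."""
    src_net, dst_net = local_policy
    return ip_address(local_ip) in src_net and ip_address(peer_ip) in dst_net


def check_design():
    """Run every check for the topology on the page and return name -> bool."""
    return {
        "fw_a_vs_fw_c": proxy_ids_match(FW_A_ACL_3000, FW_C_ACL_3005),
        "fw_b_vs_fw_c": proxy_ids_match(FW_B_ACL_3000, FW_C_ACL_3006),
        "fw_a_vs_wrong_acl": proxy_ids_match(FW_A_ACL_3000, FW_C_ACL_3006),  # expected to fail
        "fw_a_ike": ike_endpoints_permitted(FW_A_LOCAL_OUT, "1.1.1.1", "2.2.4.1"),
        "fw_c_ike_to_a": ike_endpoints_permitted(FW_C_LOCAL_OUT, "2.2.4.1", "1.1.1.1"),
        "fw_c_ike_to_b": ike_endpoints_permitted(FW_C_LOCAL_OUT, "2.2.5.1", "1.1.2.1"),
    }


if __name__ == "__main__":
    for name, ok in check_design().items():
        print(f"{name:20s} {'OK' if ok else 'MISMATCH'}")
```

Every check passes for the configuration on the page except the deliberate one, where FW_A's flow is compared against FW_C's ACL for FW_B: that is exactly the symptom you see when a branch is pointed at the wrong tunnel address, since the ACL attached to map1 and the ACL attached to map2 protect different branch subnets.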
Verification
- After the configuration is complete, run the display hrp state command on FW_C to check the HRP status. Output like the following means HRP has been established.
```
[FW_C] display hrp state
Role: active, peer: active
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 18 minutes
```
- Run the display ipsec sa command on FW_A and FW_B to check that the IPSec SAs have been established. Taking FW_A as an example, output like the following (one inbound and one outbound SA between FW_A's address 1.1.1.1 and the shared Tunnel1 address 2.2.4.1) means the IPSec SA is up.
```
<FW_A> display ipsec sa brief
Current ipsec sa num:2
Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:2
Src address     Dst address     SPI         VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
2.2.4.1         1.1.1.1         4001819557       ESP       E:AES-256 A:SHA2-256-128
1.1.1.1         2.2.4.1         3923280450       ESP       E:AES-256 A:SHA2-256-128
```
- Verify that hot standby switchover works.
- With FW_C and FW_D both running normally, access headquarters resources from user PCs behind FW_A and behind FW_B. If both succeed, the configuration is correct.
- Shut down FW_C, then check whether both branches can still access headquarters resources. If they can, traffic has switched from FW_C to FW_D correctly.
- Restore FW_C, then shut down FW_D and check again whether both branches can still access headquarters resources. If they can, traffic has switched from FW_D to FW_C correctly.
- If both branches can reach the headquarters in all three scenarios, the configuration for this scenario is correct.