Huawei Firewall Architecture: Security Zones, Stateful Policies, ASPF, and Virtual Systems

Overview

Firewalls are specialized network security appliances that shield one network segment from threats originating in another. Typical deployment positions include enterprise internet edges, internal departmental boundaries, and data center perimeters. Form factors include chassis-based and compact fixed-configuration appliances as well as virtual instances for cloud and hybrid deployments.

From a hardware architecture perspective, firewall platforms extend beyond standard routers by integrating Service Processing Units (SPUs) in addition to Line Processing Units (LPUs) and switch fabrics. SPUs offload computationally intensive security tasks such as deep packet inspection and encryption.

Security Zones

A security zone (Zone) represents a logical grouping of interfaces that share uniform security requirements. The majority of firewall enforcement decisions reference these zones.

Default Zones

Huawei firewalls provision four built-in zones; they cannot be deleted and their priorities cannot be changed:

Zone      Priority   Function
untrust   5          External, untrusted networks
dmz       50         Semi-secure service networks (servers reachable from outside)
trust     85         Internal protected networks
local     100        The firewall device itself (traffic terminated on or originated by the firewall)

Administrators may also create custom zones. Each zone must be assigned a unique priority value between 1 and 100; a higher value denotes a more trusted zone. The priorities also define the direction of interzone traffic: from a higher-priority zone to a lower-priority zone is outbound, the reverse is inbound.

Zone Configuration

[EdgeFW] firewall zone name PartnerNet
[EdgeFW-zone-PartnerNet] set priority 25
[EdgeFW-zone-PartnerNet] add interface GigabitEthernet1/0/5

[EdgeFW] display zone

Security Policies

A security policy is an ordered set of rules that evaluates traffic attributes—zones, addresses, services, users, and time ranges—to determine whether to forward or discard packets and whether to apply content inspection.

Rule Structure

Each rule contains:

  • Match conditions: Source/destination zones, IP addresses, services, applications, users, and schedules.
  • Action: permit or deny.
  • Security profiles (optional): Applied only when the action is permit. Profiles include antivirus, intrusion prevention, and URL filtering. If any profile blocks the flow, the firewall drops the traffic even when the policy action is permit.

For deny actions, the firewall can actively signal termination by sending TCP RST messages to the client or server, or ICMP unreachable notifications, thereby reducing wait times for blocked applications.

Matching Behavior

The firewall evaluates policies sequentially from top to bottom. The first matching rule is applied, and subsequent rules are ignored. A default rule resides at the bottom of every policy list; it matches any traffic and denies it (the default action can be changed, but deny is the safe setting). Consequently, specific rules must precede general rules: a broad permit placed above a narrow deny silently shadows the deny.

Policy Configuration Examples

[EdgeFW] security-policy
[EdgeFW-policy-security] rule name EmployeesToServices
[EdgeFW-policy-security-rule-EmployeesToServices] source-zone trust
[EdgeFW-policy-security-rule-EmployeesToServices] destination-zone dmz
[EdgeFW-policy-security-rule-EmployeesToServices] source-address 10.2.0.0 mask 255.255.0.0
[EdgeFW-policy-security-rule-EmployeesToServices] destination-address 10.1.10.0 mask 255.255.255.0
[EdgeFW-policy-security-rule-EmployeesToServices] service icmp ftp
[EdgeFW-policy-security-rule-EmployeesToServices] action permit

[EdgeFW-policy-security] rule name GuestAccess
[EdgeFW-policy-security-rule-GuestAccess] source-zone guest
[EdgeFW-policy-security-rule-GuestAccess] destination-zone untrust
[EdgeFW-policy-security-rule-GuestAccess] service http https
[EdgeFW-policy-security-rule-GuestAccess] action permit

Session Management

Firewalls leverage stateful inspection to accelerate forwarding. After examining the initial packet of a connection, the firewall installs a session entry. Subsequent packets belonging to the same flow are matched against this entry instead of repeating full policy lookups.

Session tables track TCP, UDP, and ICMP connections. Each entry ages out after a period of inactivity to reclaim resources. For applications with naturally long idle intervals, such as large file transfers over FTP or intermittent database queries, the long-connection (long-link) feature, enabled per security-policy rule for TCP, extends the aging timer so that idle but legitimate connections are not torn down prematurely.
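The two mechanisms described above, top-down first-match evaluation with an implicit deny and the session table that lets later packets (including replies) bypass the policy lookup, can be seen together in the following Python model. It is an added example written for this page, not Huawei code: the zone priorities and the EmployeesToServices rule come from the page, while the aging timers, the long-link value, the 5-tuple session key and the sample addresses (203.0.113.9) are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Built-in zone priorities from the page: a higher value is a more trusted zone.
ZONES = {"untrust": 5, "dmz": 50, "trust": 85, "local": 100}

# Aging timers in seconds. Illustrative values, not the platform defaults.
AGING = {"tcp": 1800, "udp": 120, "icmp": 20}
LONG_LINK_AGING = 7 * 24 * 3600     # assumed value for rules marked long-link


def direction(src_zone, dst_zone):
    """Interzone direction: higher-priority -> lower-priority zone is outbound."""
    return "outbound" if ZONES[src_zone] > ZONES[dst_zone] else "inbound"


@dataclass
class Rule:
    name: str
    src_zone: Optional[str] = None          # None means any
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None           # CIDR string or None
    dst_net: Optional[str] = None
    services: Optional[frozenset] = None    # e.g. {"tcp/21"}; None means any
    action: str = "permit"
    long_link: bool = False                 # extend aging for this rule's sessions


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int       # 0 for ICMP in this model
    dport: int

    def key(self):
        return (self.proto, self.src_ip, self.sport, self.dst_ip, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst_ip, self.dport, self.src_ip, self.sport)


def rule_matches(rule, p):
    if rule.src_zone and rule.src_zone != p.src_zone:
        return False
    if rule.dst_zone and rule.dst_zone != p.dst_zone:
        return False
    if rule.src_net and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.dst_net and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.services is not None and f"{p.proto}/{p.dport}" not in rule.services:
        return False
    return True


def evaluate(rules, p):
    """Top-down, first match wins; the implicit rule at the bottom denies everything."""
    for r in rules:
        if rule_matches(r, p):
            return r.action, r
    return "deny", None


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = {}    # flow key -> (expires_at, aging_time)

    def forward(self, p, now):
        """Return (verdict, reason). Packets of an installed session, including
        replies in the reverse direction, never reach the policy lookup."""
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] > now}   # age out
        for key in (p.key(), p.reverse_key()):
            if key in self.sessions:
                aging = self.sessions[key][1]
                self.sessions[key] = (now + aging, aging)    # activity refreshes the timer
                return "permit", "session"
        action, rule = evaluate(self.rules, p)
        if action == "permit":
            aging = LONG_LINK_AGING if rule.long_link else AGING[p.proto]
            self.sessions[p.key()] = (now + aging, aging)
        return action, (rule.name if rule else "default")


# The page's EmployeesToServices rule: trust -> dmz, 10.2.0.0/16 -> 10.1.10.0/24, ICMP and FTP.
PAGE_RULES = [Rule("EmployeesToServices", "trust", "dmz", "10.2.0.0/16", "10.1.10.0/24",
                   frozenset({"icmp/0", "tcp/21"}))]

# Ordering pitfall: a general permit above a specific deny shadows the deny.
SHADOWED = [Rule("AllowAll", "trust", "untrust"),
            Rule("BlockTelnet", "trust", "untrust", services=frozenset({"tcp/23"}), action="deny")]
CORRECT = list(reversed(SHADOWED))
```

The reply packet from the DMZ server is forwarded only because the client's first packet installed a session; once that session ages out, the same reply hits the policy and the implicit deny, which is exactly why idle-sensitive applications need the long-link timer.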

Monitoring Sessions

<EdgeFW> display firewall session table
<EdgeFW> display firewall session table verbose

ASPF and Multi-Channel Protocols

A stateful firewall only forwards packets that belong to a session it has already created. Protocols that negotiate a second connection at the application layer therefore break: in FTP active mode, for example, the server opens the data channel back to the client, and no session exists for that direction unless an overly wide reverse-direction rule has been written.

ASPF (Application Specific Packet Filter) inspects control-channel payloads to predict the data channels that will follow. When ASPF identifies such a requirement, it provisions a Server-map entry, a lightweight pre-session describing the expected flow (protocol, destination address and port, and, for active FTP, the peer that will initiate). When the predicted traffic arrives, the firewall instantiates a full session from the Server-map and forwards the packets without a separate policy rule. When the control channel also crosses NAT, the address and port carried inside the payload must be translated as well; this payload rewriting is the ALG (Application Level Gateway) function.
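The following Python model shows the ASPF and ALG behaviour just described for FTP: it parses PORT commands and 227 passive-mode replies on the control channel, installs Server-map entries for the predicted data channels, promotes an entry to a session when the matching first data packet arrives, and rewrites the PORT payload when a source-NAT binding applies. It is an added example written for this page, not Huawei code; the control-channel lines, addresses, and the nat callback (a stand-in for the NAT binding) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# FTP control-channel messages that announce a data channel.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class ServerMap:
    """Predicted data channel. src_ip 'ANY' means any initiator is accepted."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


class FtpAspf:
    def __init__(self, nat=None):
        # nat: optional callable (private_ip, port) -> (public_ip, port). It stands in
        # for the source-NAT binding the ALG must mirror in the payload (assumed interface).
        self.nat = nat
        self.server_maps = set()
        self.sessions = set()

    def inspect_control(self, client_ip, server_ip, payload):
        """Inspect one control-channel line and return the payload as it should be
        forwarded (rewritten when NAT applies to the embedded address)."""
        m = PORT_RE.match(payload)
        if m:
            # Active mode: the client announces where the server must connect back to.
            ip, port = decode_hostport(m.groups())
            if self.nat:
                ip, port = self.nat(ip, port)             # ALG: translate the embedded endpoint
                payload = f"PORT {encode_hostport(ip, port)}\r\n"
            self.server_maps.add(ServerMap("tcp", server_ip, ip, port))
            return payload
        m = PASV_RE.match(payload)
        if m:
            # Passive mode: the server announces the port the client will connect to.
            ip, port = decode_hostport(m.groups())
            self.server_maps.add(ServerMap("tcp", "ANY", ip, port))
        return payload

    def data_packet(self, proto, src_ip, dst_ip, dst_port):
        """First packet of a data channel: admitted only if a Server-map predicted it.
        The entry is consumed and a full session is installed."""
        for sm in list(self.server_maps):
            if (sm.proto, sm.dst_ip, sm.dst_port) == (proto, dst_ip, dst_port) \
                    and sm.src_ip in ("ANY", src_ip):
                self.server_maps.discard(sm)
                self.sessions.add((proto, src_ip, dst_ip, dst_port))
                return True
        return False
```

Note that the Server-map is consumed by the first matching packet: a second connection to the same port, or to a port that was never announced on the control channel, is not admitted, which is what keeps ASPF narrower than a static reverse-direction rule.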

ASPF Configuration

[EdgeFW] firewall interzone trust dmz
[EdgeFW-interzone-trust-dmz] detect ftp
[EdgeFW-interzone-trust-dmz] detect rtsp

Deployment Example: Edge Protection with NAT

This scenario connects internal users to internet resources, hosts an FTP server in the DMZ subnet 10.1.20.0/24 (reached through the DMZ router at 10.1.10.2), and allows remote management of internal switches over the RemoteSite link. Two points to note before copying the policy: the StaffToInternet and EasyInternet rules permit ICMP only, which is enough to verify reachability but must be extended with the services users actually need; and the InternetToMgmt rule as written permits telnet from any internet source to the whole trust zone. In production, restrict that rule to known management addresses (or remove it and manage only through the RemoteSite zone) and replace telnet with SSH.

Addressing and Zones

  • Trust: GigabitEthernet1/0/1 (10.2.0.1/24)
  • DMZ: GigabitEthernet1/0/0 (10.1.10.1/29)
  • Untrust: GigabitEthernet1/0/2 (198.51.100.1/30)
  • Remote: GigabitEthernet1/0/6 (172.31.0.1/30)

Firewall Configuration

#
sysname EdgeFW
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.10.1 255.255.255.248
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 198.51.100.1 255.255.255.252
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 172.31.0.1 255.255.255.252
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/0
#
firewall zone name RemoteSite
 set priority 20
 add interface GigabitEthernet1/0/6
#
firewall interzone trust dmz
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 198.51.100.2
ip route-static 10.1.20.0 255.255.255.0 GigabitEthernet1/0/0 10.1.10.2
ip route-static 10.2.1.0 255.255.255.0 GigabitEthernet1/0/1 10.2.0.2
#
security-policy
 rule name StaffToDMZ
  source-zone trust
  destination-zone dmz
  source-address 10.2.0.0 mask 255.255.0.0
  destination-address 10.1.20.0 mask 255.255.255.0
  service ftp
  service icmp
  action permit
 rule name RemoteToDMZ
  source-zone RemoteSite
  destination-zone dmz
  service telnet
  action permit
 rule name RemoteToTrust
  source-zone RemoteSite
  destination-zone trust
  service telnet
  action permit
 rule name StaffToInternet
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.0.0
  service icmp
  action permit
 rule name InternetToMgmt
  source-zone untrust
  destination-zone trust
  service telnet
  action permit
#
nat-policy
 rule name EasyInternet
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.0.0
  service icmp
  action source-nat easy-ip
#
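A check a reviewer would run over the policy above is a small linter that parses the security-policy stanza and flags permit rules with no source or destination constraint from an external zone, rules with no service restriction, and rules that permit a cleartext management protocol. The following Python is an added example written for this page, not Huawei tooling; SAMPLE_CONFIG is constructed to reproduce the deployment example's security-policy stanza (with InternetToMgmt in its unrestricted form), and the lists of external zones and flagged services are assumptions to be tuned per site.

```python
SAMPLE_CONFIG = """\
#
security-policy
 rule name StaffToDMZ
  source-zone trust
  destination-zone dmz
  source-address 10.2.0.0 mask 255.255.0.0
  destination-address 10.1.20.0 mask 255.255.255.0
  service ftp
  service icmp
  action permit
 rule name RemoteToDMZ
  source-zone RemoteSite
  destination-zone dmz
  service telnet
  action permit
 rule name RemoteToTrust
  source-zone RemoteSite
  destination-zone trust
  service telnet
  action permit
 rule name StaffToInternet
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.0.0
  service icmp
  action permit
 rule name InternetToMgmt
  source-zone untrust
  destination-zone trust
  service telnet
  action permit
#
nat-policy
 rule name EasyInternet
  action source-nat easy-ip
#
"""

LIST_KEYS = ("service", "source-address", "destination-address")   # repeatable per rule
EXTERNAL_ZONES = {"untrust"}        # zones treated as hostile (assumed)
CLEARTEXT_MGMT = {"telnet"}         # management services to flag (assumed)


def parse_security_policy(text):
    """Return the rules of the security-policy stanza as a list of dicts."""
    rules, current, in_policy = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if line == "security-policy":
            in_policy = True
            continue
        if in_policy and not raw.startswith(" "):
            in_policy = False                  # next top-level stanza (e.g. nat-policy)
        if not in_policy:
            continue
        if line.startswith("rule name "):
            current = {"name": line.split(" ", 2)[2], **{k: [] for k in LIST_KEYS}}
            rules.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        if key in LIST_KEYS:
            current[key].append(value)
        else:
            current[key] = value
    return rules


def audit(rules):
    """Return (rule name, finding) pairs for permit rules that are too wide."""
    findings = []
    for r in rules:
        if r.get("action") != "permit":
            continue
        external = r.get("source-zone") in EXTERNAL_ZONES
        if external and not r["source-address"]:
            findings.append((r["name"], "any source in an external zone (no source-address)"))
        if external and not r["destination-address"]:
            findings.append((r["name"], "no destination-address; whole destination zone exposed"))
        if not r["service"]:
            findings.append((r["name"], "no service restriction (any service)"))
        if set(r["service"]) & CLEARTEXT_MGMT:
            findings.append((r["name"], "cleartext management protocol permitted; use ssh"))
    return findings


def audit_config(text):
    return audit(parse_security_policy(text))
```

Run against the sample, the linter reports the three telnet rules and, for InternetToMgmt, additionally the missing source and destination constraints. Feed it the output of display current-configuration on a real device to get the same findings for a live policy.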

Virtual Systems

Virtual Systems (VSYS) partition a single physical firewall into multiple autonomous logical devices. Each VSYS owns independent interfaces, routing tables, address objects, security policies, and administrators, making the technology well suited for multi-tenant data centers and large enterprises requiring strict departmental separation.

Key Characteristics

  • Administrative isolation: Each VSYS supports dedicated manager accounts, simplifying delegated administration.
  • Routing independence: Separate routing tables allow overlapping IP spaces across tenants without conflict.
  • Resource guarantees: Resource classes assign reserved and maximum limits for sessions, policies, and users, preventing resource starvation.
  • Traffic separation: Inter-VSYS traffic is blocked by default but can be explicitly permitted through controlled forwarding paths.

Root System and VSYS

Root System (public)
The root system is the default management context present even when virtualization is disabled. After enabling VSYS, the root retains responsibility for physical resource allocation, inter-VSYS routing, and global maintenance.

Virtual System (VSYS)
A logically independent partition with its own configuration database.

VPN Instances

While VSYS provides both service and routing isolation, features that are not virtualized, such as dynamic routing protocols and multicast, require manually created VPN instances for route isolation within MPLS environments. Creating a VSYS automatically generates a VPN instance bearing the same name, but administrators may also create VPN instances by hand for advanced networking scenarios.

Traffic Diversion

Before processing, packets must be classified into the correct VSYS. Three diversion methods exist:

  • Interface-based: Layer 3 interfaces bound directly to a VSYS.
  • VLAN-based: Trunk ports carry multiple VLANs; the assign vlan command maps specific VLANs to a VSYS.
  • VNI-based: VXLAN Network Identifiers mapped with the assign vni command, for SDN fabrics.

Note that Layer 2 physical interfaces cannot be assigned directly; they inherit VSYS membership through VLAN allocation. Management ports remain exclusive to the root system.

Resource Allocation

Resource classes define guaranteed and peak limits. Items such as security policies, sessions, and users support manual allocation, whereas other resources are shared across all VSYS on a first-come basis.

Inter-VSYS Communication

Huawei supports four inter-VSYS patterns:

  1. VSYS to Root
  2. Direct VSYS to VSYS
  3. VSYS to VSYS via Root
  4. VSYS to VSYS via a shared VSYS

Virtual System Configuration

[EdgeFW] vsys enable

[EdgeFW] resource-class GoldClass
[EdgeFW-resource-class-GoldClass] resource-item-limit session reserved-number 500 maximum 1000
[EdgeFW-resource-class-GoldClass] resource-item-limit policy reserved-number 300

[EdgeFW] vsys name Finance
[EdgeFW-vsys-Finance] assign resource-class GoldClass
[EdgeFW-vsys-Finance] assign vlan 100

[EdgeFW] switch vsys Finance
<EdgeFW-Finance> system-view
[EdgeFW-Finance] firewall zone trust
[EdgeFW-Finance-zone-trust] add interface GigabitEthernet1/0/3

Deployment Example: Department Isolation Using VSYS

Objective

  • Finance department hosts (192.168.100.0/24) require internet access.
  • Engineering department restricts internet access to hosts 192.168.200.2 through 192.168.200.50; all other Engineering addresses are denied.

Each VSYS receives its own administrator account (admin@@Finance and admin@@Engineering below). The sample accounts enable web, telnet and ssh; in production, drop telnet from service-type so that VSYS administration is only over SSH and the web interface.

Root System Setup

#
sysname EdgeFW
#
vlan batch 100 200
#
vsys enable
#
resource-class GoldClass
 resource-item-limit session reserved-number 500 maximum 1000
 resource-item-limit policy reserved-number 300
 resource-item-limit user reserved-number 200
 resource-item-limit user-group reserved-number 10
#
vsys name Finance
 assign resource-class GoldClass
 assign vlan 100
#
vsys name Engineering
 assign resource-class GoldClass
 assign vlan 200
#
interface GigabitEthernet1/0/0
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/1
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 200
#

Finance VSYS

#
switch vsys Finance
#
ip address-set Finance-Hosts type object
 address 0 range 192.168.100.2 192.168.100.254
#
aaa
 manager-user admin@@Finance
  password cipher $c$3$EncryptedString
  service-type web telnet ssh
  level 15
 bind manager-user admin@@Finance role system-admin
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name AllowInternet
  source-zone trust
  destination-zone untrust
  source-address address-set Finance-Hosts
  action permit
 rule name DenyRest
  source-zone trust
  destination-zone untrust
  action deny
#

Engineering VSYS

#
switch vsys Engineering
#
ip address-set Eng-Authorized type object
 address 0 range 192.168.200.2 192.168.200.50
#
aaa
 manager-user admin@@Engineering
  password cipher $c$3$EncryptedString
  service-type web telnet ssh
  level 15
 bind manager-user admin@@Engineering role system-admin
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name AllowInternet
  source-zone trust
  destination-zone untrust
  source-address address-set Eng-Authorized
  action permit
 rule name DenyRest
  source-zone trust
  destination-zone untrust
  action deny
#

Tags: Huawei firewall Security Zone Security Policy Session Table

Posted on Wed, 13 May 2026 15:26:26 +0000 by burgessm