How To Simulate HUAWEI Firewall On ENSP

16 Apr 2021


Universal Security Gateway (USG) is the product branding for Huawei's next-generation AI-enabled application security firewall. It comes in several forms: modular and virtual appliance. By introducing AI-based threat response, software-defined network-security defense, and intelligent security policy optimization, Huawei's USG product series helps mitigate network security risks as customers go digital.

Running a proof of concept of a network security solution before purchasing, rolling out and implementing a firewall would cost a bomb if the real physical products had to be bought just for testing. Hence, a simulated environment running the real Huawei USG platform serves the purpose.

The relevant questions that arise next are:

1) Where shall I obtain the virtualized USG image to perform the simulation?

2) How do I install the acquired image on the eNSP simulated environment?

3) How do I access the USG security firewall from my Windows 10 machine to configure the product?

Part 1: Where shall I obtain the USG image?

The USG image I plan to install is a Huawei proprietary software image. It runs only on the eNSP software. Using a well-known search engine is the best approach to locate it.

Step 1.1: Open Chrome or Edge web browser to locate the required image. Follow the steps as shown below. Search for the keyword “ensp”.

Locate the download link of the image via web browser.

Step 1.2: The discovered link will lead me to a public Facebook link as shown below.

Click the link shown above for the direct download source folder.

Step 1.3: From the MegaNZ cloud shared folder, select the required image to download as shown below:
USG6000V.zip

Download the USG firewall image as shown

The downloaded zipped image file is ready for extraction prior to the installation

Part 2: How do I install the USG image on eNSP?

Prior to the USG image installation, the prerequisite is that my eNSP software is completely installed and running fine. If the eNSP software has not been installed, kindly refer to my first blog on “How To install Huawei eNSP on Windows 10” to get it up and running.

Step 2.1: Extract the downloaded zipped USG image.

Extract the USG6000V.zip file

Choose a folder to store the extracted image file

Step 2.2: Install the USG image file on eNSP. Locate the extracted image file named vfw_usg.vdi in the folder where it was stored. Open the eNSP application software to load the file.

Locate and identify the image for loading in eNSP

Open a new topology on eNSP platform as shown below.

A new topology is created for deploying USG image

Step 2.3: Add a USG6000V device onto the new topology workspace. Then add a cloud image onto the same workspace too. The cloud image serves as a translator between the physical machine and the virtual USG firewall. Follow the steps as shown below:

Adding the required components on the new topology workspace

The properties setting of Cloud1 requires a loopback adapter to connect.

Note: Cloud1 requires a loopback adapter. Install Microsoft network loopback adapter if your Windows 10 machine does not have one.

Step 2.4: Configure a local loopback adapter on the Windows 10 machine. The loopback adapter is the network interface used to communicate with the virtual USG firewall on eNSP once configuration is complete. By default, a Windows 10 machine does not come with a pre-installed loopback adapter. Installing a loopback adapter with a local private IP address matching the firewall management address allows us to manage the USG through its graphical user interface.

Step 2.4.1: Install a loopback network adapter on Windows 10. Go to Device Manager and add a new loopback network adapter as shown below:

Add Hardware Wizard to add a new loopback network adapter.

Next, proceed to choose and add a new hardware component, which is a network adapter as steps shown below:

Add a new network adapter

Adding loopback network adapter

Verify from the Device Manager applet that the loopback adapter was completely installed.

Microsoft Loopback adapter installed.

Step 2.4.2: Configure the loopback adapter address manually. Follow the steps as displayed below:

Configure a manual IP address for the loopback adapter.

Configure an IP address for the loopback adapter that matches the USG firewall management address, on the 192.168.0.0/24 subnet for instance. The default firewall IP address is 192.168.0.1/24. We can change the default IP address to avoid address conflicts in your LAN. Otherwise we can proceed with the default address plan. In this example, I change the IP address plan for illustration purposes.

Configure IP address of the loopback adapter to manage the USG firewall as shown.

Step 2.5: Open up eNSP application and load a new topology. Select ‘Cloud1’ and ‘USG6000V’ for the subsequent required configurations.

Step 2.5.1: Install the USG firewall image by loading it onto the virtual device upon starting it for the first time. Upon starting up the USG6000V for the first time (no installed image), it prompts for the import of the image file as shown in the steps below.

Loading USG firewall image

Step 2.5.2: Power up USG6000V and verify the device is working properly by accessing its console as shown below.

USG6000V access console

Note: The default username and password for the USG6000V are admin and Admin@123 respectively. We need to change the default password upon logging in.

Default information relating to the USG6000V firewall is as follows:

Default System Name: USG6000V1
Default IP Address: 192.168.0.1
Default Subnet Mask: 255.255.255.0
Built-in Username: admin
Default Password: Admin@123

Default settings in USG6000V

Step 2.5.3: Check USG6000V default IP address from the console access.
Use the command ‘display ip interface brief’ as shown below.

Verify the default management IP address of USG6000V.

Step 2.5.4 (Optional): Change the default management IP address of the USG firewall to the same segment as my loopback address plan, 192.168.1.0/24. I plan to use 192.168.1.1/24 as the management IP address of the USG firewall and 192.168.1.100/24 as my loopback address.

Change the management IP address of the USG firewall as follows:

Step 2.5.5: Configure Cloud1 (representing your Windows 10 host machine) to communicate with the virtual USG6000V firewall. Follow the steps below closely to configure Windows 10 host to communicate with the firewall for the subsequent firewall security management tasks.
Prior to this Cloud1 setting, the local PC loopback address was assigned in the previous Step 2.4.2.
Right click on Cloud1 to start setting the required configuration parameters as shown below:
i. Right click on Cloud1 icon and select ‘Properties’
ii. Select ‘GE’ from Port Type; add two options a) Loopback adapter (as in my case Ethernet3) and b) UDP for the BindingInfo.
iii. For the port map setting, choose ‘GE’ for Port Type and assign Remote Port Number as 2 and check the Two-way Channel box; then add into the port mapping table as shown below:

Cloud1 setting for local PC loopback adapter setup

Step 2.5.6: Configure the firewall management interface for administration only, not for data forwarding. Clear the current default management interface configuration, then reconfigure the interface for system administration only.

A) Clear the current default management interface configuration.

Right click on Cloud1 and FW1 to start them up, and wait until the green dot status appears on the port as shown above.

Double click FW1 to open up the USG firewall device after it has booted up completely. [Wait for the green dot sign as shown in the diagram above].

In the interface view of the management interface (gi0/0/0), issue the following command to clear the default management interface configuration.
undo ip binding vpn-instance default

Configure the changed IP address for the management interface gi0/0/0 and enable the service administration function.

ip address 192.168.1.1 24
service-manage enable
service-manage https permit

Step 2.5.7: Test access to the web UI administration from your own PC browser as shown below:

Enter the URL https://192.168.1.1:8443 in the browser to access the web UI administration of the USG firewall as shown below.

USG Firewall Web UI interface

Log in to the web portal with the user account admin and your newly changed password.

Enter your login credentials to access

Once the login is successful, you can start to configure your firewall functions.
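
The loopback addressing from Step 2.4.2 and the web UI reachability test can also be done from an elevated PowerShell prompt on the Windows 10 host. The script below is an added example, not part of the original guide; it assumes the article's address plan (192.168.1.1 for the firewall, 192.168.1.100/24 for the loopback adapter), an adapter whose description contains "Loopback", and a /24 mask for the conflict check.

```powershell
# Added example; addresses follow the article's plan and are assumptions for your lab.
$MgmtIp     = '192.168.1.1'    # USG6000V management address (Step 2.5.6)
$LoopbackIp = '192.168.1.100'  # host loopback address (Step 2.5.4)
$PrefixLen  = 24
$WebUiPort  = 8443

# 1. Find the loopback adapter installed in Step 2.4.1 (matched by description).
$lo = Get-NetAdapter | Where-Object InterfaceDescription -like '*Loopback*' |
    Select-Object -First 1
if (-not $lo) { throw 'No loopback adapter found; add one in Device Manager first.' }

# 2. Stop if another adapter already sits in the management /24, which is the
#    LAN address conflict the article changes the default plan to avoid.
$net = ($MgmtIp -split '\.')[0..2] -join '.'
$clash = Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
    $_.InterfaceIndex -ne $lo.ifIndex -and $_.IPAddress -like "$net.*"
}
if ($clash) {
    $clash | Format-Table InterfaceAlias, IPAddress, PrefixLength | Out-String | Write-Host
    throw "Subnet $net.0/$PrefixLen is already in use on this host; choose another plan."
}

# 3. Assign the static address if the adapter does not have it yet.
$have = Get-NetIPAddress -InterfaceIndex $lo.ifIndex -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue | Where-Object IPAddress -eq $LoopbackIp
if (-not $have) {
    Set-NetIPInterface -InterfaceIndex $lo.ifIndex -AddressFamily IPv4 -Dhcp Disabled
    New-NetIPAddress -InterfaceIndex $lo.ifIndex -IPAddress $LoopbackIp `
        -PrefixLength $PrefixLen | Out-Null
}

# 4. Probe the HTTPS management port before opening the browser.
$probe = Test-NetConnection -ComputerName $MgmtIp -Port $WebUiPort `
         -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    "Web UI reachable at https://${MgmtIp}:$WebUiPort via $($probe.InterfaceAlias)"
} else {
    "No answer on ${MgmtIp}:$WebUiPort; check the Cloud1 port mapping and 'service-manage https permit'."
}
```

If the probe succeeds but reports an interface other than the loopback adapter, the host is reaching that address through the LAN rather than through Cloud1.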

This concludes the whole installation process; by following the guide, the firewall is expected to work fine with your eNSP simulator. If you like this technical guide, kindly like and share the blog so that more people can benefit. Your constructive feedback is much appreciated and motivates me to produce future blogs.
