HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805
Legal and notice information © Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Overview  1
Introduction to HP A-IMC Firewall Manager  1
What HP A-IMC Firewall Manager can do  1
Installatio
Security zones  56
Time ranges  58
Services
Overview

Introduction to HP A-IMC Firewall Manager

HP A-IMC Firewall Manager is a powerful system for comprehensive analysis and centralized management of firewall devices. It is an important component of the HP A-Intelligent Management Center (A-IMC). The Firewall Manager allows you to manage and control all HP firewall devices in your network.
Installation and uninstallation

Installing the firewall manager

The software and hardware requirements of the Firewall Manager are as follows:
• Hardware: P4 2.0 CPU or above, 1.5G memory or more, 80G disk or more.
• Operating system: Windows 2003 Server (recommended) or Windows XP, installed with the up-to-date patches.
• Browser: IE 6.0 or above
To install HP A-IMC Firewall Manager, you only need to run the executable file install.
Figure 2 Register your license

After seeing the acknowledgement page, you can use the Firewall Manager to configure devices and perform other operations.
CAUTION: HP A-IMC Firewall Manager is shipped with a trial license that is valid for one month, which is saved in a license file named A-IMC Firewall Manager Evaluation License.lic. Before you get a formal license, you can use the trial license to register.
System management

The system management component is mainly used to configure the firewall devices to be managed by the Firewall Manager. To access the system management component, select the System Management tab. Then, you can perform:
• Device management
• Operator management
• System configuration
• License management
The license management function allows you to apply for, register, and view a license. The license mechanism is used for enterprise identity authentication.
Figure 3 Device management page

Table 1 Device management functions
Function / Description
Device list: Allows you to view details about devices, export configurations, and connect to the devices through web or Telnet.
Adding a device: Allows you to add devices to be managed.
Deleting devices: Allows you to delete devices from the list of managed devices. Follow these steps:
1. Select the check boxes before the devices to be deleted.
2. Click Delete.
Refreshing device information
Return to Device management functions.

Adding a device

From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then, click Add to add a device, as shown in Figure 4 and Table 4.

Figure 4 Add a device

Table 4 Device configuration items
Item / Description
Host Name/IP (Required): Type the name or IP address of the device to uniquely identify the device in the system.
If you select Specify access parameters, specify the access parameters, including Web Username, Web Password, Web Port, Telnet Username, Telnet Password, SNMP Version, Community String for Reading, and Community String for Writing.
Web Username (Required): Specify the username for managing the device through web. The username can comprise up to 20 characters.
Web Password (Required): Specify the password for managing the device through web.
Authentication Password (Required when you select the authentication protocol HMAC-MD5 or HMAC-SHA): Specify the authentication password to be used for communication with the device.
Encryption Protocol (Required when you select the authentication protocol HMAC-MD5 or HMAC-SHA): Specify the encryption protocol to be used for communication with the device.
Encryption Password (Required when you select the encryption protocol CBC-DES or AES-128): Specify the encryption password to be used for communication with the device.
Device software management

Device software refers to the software that a firewall device runs to provide services. It can be regarded as the operating system of the device. The device software management function provides you with the software information of the firewall devices and allows you to perform a series of operations on the software of firewall devices, including deploying software to devices and backing up the software of devices.
multiple devices at a time. You can specify deployment parameters, such as the deployment sequence, policy, time, and error handling mode. A successfully created software deployment task is listed in the deployment task management module. How many boot files can be stored on a device depends on the device's disk space. Generally, two files, one main boot file and one backup boot file, are stored on the device.
(Parallel) or one by one (Serial). When the deployment sequence is Serial, the icons for adjusting the sequence are configurable.
Error Handling (Required when the deployment mode is Serial): Specify the error handling scheme to be used when a deployment error occurs.
(Required) Select the actions to be taken after deploying the software selected in the Deploy Software Version column.
• Set the currently running software as the backup startup software—Specifies secpath1000fe-cmw520-b5002.
Table 8 Fields of the software backup result list
Field / Description
Device Label: Device name and IP address
Software Name: Name of the software backed up
Size: Size of the backup file for the software
Start Time: Start time of the backup operation
Status: Result of the backup operation
Result: Description of the operation result or failure reason
Return to Device software management functions.
a device to another version.
Synchronizing configurations: Allows you to deploy new configuration settings to devices to make them take effect.
Restarting devices: Allows you to restart devices.

Table 10 Fields of the device configuration management list
Field / Description
Device Label: Device name and IP address. You can click the link to view details about the device and modify the configuration.
Restoring a configuration file

From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then, select the Device Config Management tab to enter the device configuration management page, as shown in Figure 9. Select a device and click Restore to bring up the restoration configuration page, as shown in Figure 11.
Table 11 Tabs on the device configuration information management page and functions provided
Tab / Description
Label: A label represents a configuration file of a device.
Running Config: Allows you to perform operations on running configuration files of different versions.
Startup Config: Allows you to view, back up, and delete the current startup configuration file of a device. The functions are similar to those for management of running configuration files.
Draft
Figure 13 Compare two configuration files

CAUTION: The label Currently indicates the configuration file currently used by the device, and the label Baseline indicates the baseline version. Configuration files with either of these labels cannot be deleted.
Return to Tabs on the device configuration information management page and functions provided.
Table 13 Fields of the running configuration list
Field / Description
Version: Uniquely identifies the running configuration file. The version number is assigned automatically by the system for each backup file.
Backup Time: Time when the running configuration file is backed up.
Label: Label for this version.
Compare: Allows you to compare two configuration files, including the drafts, to find the differences.
Set Baseline: Allows you to set the running configuration file as the baseline.
Description: Remarks on the draft.
Creation Time: Time when the draft is created.
Last Modify Time: Last time when the draft is modified.
Compare: Allows you to compare the draft with a configuration file to find the differences.
Restore: Allows you to set the draft as the configuration file for the device.
IMPORTANT: Do not set a draft as the startup configuration file.
Return to Tabs on the device configuration information management page and functions provided.
Table 15 Device group management functions
Function / Description
Device group list: Allows you to view details about device groups and modify and delete device groups.
Adding a device group: Allows you to add a device group and configure the device group name and description.

Device group list

From the navigation tree of the system management component, select Device Group List under Device Management. The device group management page appears, as shown in Figure 17.
Description (Optional): Type a description for the device group. The description can comprise up to 40 characters.
Return to Device group management functions.

Managing events

Configuration guide

The event management function records the operations on managed devices and logs the events, allowing you to track the status of devices. From the navigation tree of the system management component, select Events under Device Management. The device event list page appears by default, as shown in Figure 19.
Table 20 describes the fields of the device event list. You can select the check boxes before events and then click Delete to delete the events.
Managing device access templates

The device access template management function allows you to configure information such as the device login password.

Configuration guide

From the navigation tree of the system management component, select Access Template List under Device Management. The access template management page appears, as shown in Figure 21. Table 23 describes the template management functions.
Adding a template

From the navigation tree of the system management component, select Access Template List under Device Management to enter the access template management page. Then, click Add to add a template, as shown in Figure 22 and Table 25.

Figure 22 Add a template

Table 25 Template configuration items
Item / Description
Template Name (Required): Type a name for the template, a string of 1 to 20 characters.
Web Username (Required): Specify the username for managing the device through web.
The strength of the password must meet the password strength requirements of the device.
SNMP Version (Required): Select an SNMP version, which can be SNMPv1, SNMPv2, or SNMPv3.
Community String for Reading (Required): Specify the SNMP read community string to be used for communication with the device. It can be a string of up to 20 characters.
Community String for Writing (Required): Specify the SNMP write community string to be used for communication with the device. It can be a string of up to 20 characters.
Figure 23 Device software database page

Table 26 Device software database functions
Function / Description
Importing device software: Allows you to import device software from a file or from a device.
Deleting device software: Allows you to remove software that is no longer in use. Follow these steps:
1. Select the check box before software names.
2. Click Delete.
Deploying software to device: Allows you to deploy software to devices.
Figure 24 Device software import page

Managing deployment tasks

This function allows you to view all deployment task information.

Configuration guide

From the navigation tree of the system management component, select Deploy Task under Device Management to enter the deployment task list page, as shown in Figure 25.

Figure 25 Deployment task list

On the deployment task list, you can:
• Execute deployment tasks immediately.
• Cancel deployment tasks.
• Delete deployment tasks.
Creation Time: Time when the deployment task is created
Creator: Creator of the deployment task
Start Time: Time when the deployment task starts
End Time: Time when the deployment task ends
Copy: Allows you to create a deployment task based on the selected one.

Operator management

The operator management function allows you to manage operators and operation logs, and to change operator passwords.

Managing operators

This function allows you to manage the rights of web users.
Table 32 Operator management functions
Function / Description
Operator list: Allows you to view details about operators, modify operator information, and delete operators.
Adding an operator: Allows you to add operators.

Operator list

From the navigation tree of the system management component, select Operators under Operator Management. The operator management page appears, as shown in Figure 26.
Table 34 Operator configuration items
Item / Description
Login Name: Type a name for the operator, a string of up to 40 characters.
Login Password: Specify a password for the operator to use at login. The password must comprise 6 to 20 alphanumeric characters, and its strength must meet the password strength requirements of the device.
Confirm Password: Type the password again, which must be the same as that for Login Password.
Table 36 Fields of the operation log list
Field / Description
Operator: Name of the operator
IP Address: IP address of the PC used by the operator to log in
Time: Time when the operation occurred
Operation: What the operator did
Result: Whether the operation succeeded or failed
Details: Operation details

Changing your login password

This function allows you to change your login password.
System configuration

Configuring system parameter

Configure the system parameter to allow non-SNMP devices in the system.

Configuration guide

From the navigation tree of the system management component, select System Parameter under System Config. The system parameter configuration page appears, as shown in Figure 30. Select the check box for the parameter and click Apply.
Type the port for receiving NAT logs. The port number must be in the range from 1 to 65534.
Syslog Port (Required): Type the port for receiving syslogs. The port number must be in the range from 1 to 65534.
NetStream V9 Logs Port (Required): Type the port for receiving NetStream V9 logs. The port number must be in the range from 1 to 65534.

Configuring the mail server

This module allows you to configure the mail server information, so that the system emails alarm information to the specified server.
Type the username for identity authentication on the mail server.
Password (Optional): Type the password for identity authentication on the mail server. The password can comprise up to 80 characters.
Sender’s Mail Address (Required): Type the mail address of the sender.

Managing filters

A filter is used to filter the information of IPS devices to present only the information that you are interested in through reports. By configuring filters, you can specify filtering conditions flexibly.
Field / Description
Operation: Click the icon of a filter to modify the settings of the filter.
Return to Filter management functions.

Adding a filter

From the navigation tree of the system management component, select Filter Management under System Config to enter the filter management page. Then, click Add to enter the page for adding a filter, as shown in Figure 34. Table 42 describes the filter configuration items.
Specify the source ports that you want the system to collect statistics on.
Destination Port (Optional): Specify the destination ports that you want the system to collect statistics on.
Protocol (Optional): Select the protocols that you want the system to collect statistics on.
Event (Optional): Specify the events that you want the system to collect statistics on.
CAUTION: The configuration items given in the previous table can be used to define query conditions. For example, you can enter source IP address 1.1.1.
Table 44 Fields of the LDAP server list
Field / Description
Server Name: Name of the LDAP server
Server IP Address: IP address of the LDAP server
Server Version: Version information of the LDAP server
Import Users: The device does not support importing users.
Operation: Click the icon of an LDAP server to modify the settings of the filter.
Return to LDAP server management functions.
Admin Password (Required): Type the administrator password for the LDAP server.
Username Attribute (Required): Type a username attribute for the LDAP server.
Base DN (Required): Type a base DN for the LDAP server.
Return to LDAP server management functions.

Managing log retention time

This function allows you to configure the period of time during which the system keeps the firewall logs and SSL VPN logs for query.
Figure 38 Disk space alarm configuration page

Table 46 Alarm configuration items of the disk space for logs
Item / Description
Warning Disk Space (Required): Set the minimum free disk space required. An alarm is generated once the actual free disk space is lower than this value.
Send a report by email (Optional): Selecting the check box makes the system send generated alarms to the specified mail box.
Figure 39 Free disk space monitoring page

Managing subsystems

The subsystem management function allows you to manage and monitor multiple Firewall Managers effectively. By adding other systems as subsystems, you can access them by simply clicking their URL links instead of entering the URLs, usernames, and passwords repeatedly.
Figure 40 Subsystem information

Table 47 Fields of the subsystem list
Field / Description
Server IP: IP address of the server for the subsystem.
Port: Port for connecting to the subsystem.
User Name: Username for logging in to the subsystem.
Password: Password for logging in to the subsystem.
Link: URLs of the subsystem. Click a link to log in to the subsystem.

Adding a subsystem

From the navigation tree of the system management component, select Subsystem Management under System Config.
User Name (Required): Type the username for logging in to the subsystem. The username can comprise up to 40 characters.
Password (Required): Specify the password for logging in to the subsystem.
Firewall management

The Firewall Manager enables centralized management of firewall devices in the network, centralized event collection and analysis, real-time monitoring, event snapshots, comprehensive analysis, event details, and log auditing. It provides abundant reports, which can be exported periodically. To access the firewall management component, select the Firewall tab.
Figure 42 Snapshot of events

Table 49 Event snapshot query options
Option / Description
Device: Select a device, a device group, or All devices from the Device drop-down list. The system will display the relevant event information. All devices and device groups that are under your management will appear in the drop-down list.
IMPORTANT:
• Selecting a device group: Specifies all devices in the device group.
• Selecting a device name: Specifies the single device.
• In the Detail column of a TopN list, you can click the icon of an attack event to enter the attack event details page. For more information, see “Event details.”

Recent events list

The firewall management component presents firewall attack events not only through graphs but also in a table list.
Device monitoring

In addition to the attack event information of the entire network, the firewall management component also allows you to view the attack event information of every firewall device.

Configuration guide

From the navigation tree of the firewall management component, select Device Monitoring under Events Monitor to enter the device monitoring page, as shown in Figure 44.
Figure 45 Attack event overview

Table 53 Query options on the attack event overview page
Option / Description
Device: Select a device, a device group, or All devices from the Device drop-down list. The system will display the relevant event information. All devices and device groups that are under your management will appear in the drop-down list.
Figure 46 Top 10 attack events contrast graph

You can click the link to export all the analysis reports that the event overview function provides.
CAUTION: Logs are aggregated at 3 o’clock every day. When you query event information of the current month, the system displays only the data collected from the first day of the month to the day before the current day.
Figure 47 Attack event details

Table 54 Event details query options
Option / Description
Device: Select a device, a device group, or All devices from the Device drop-down list. The system will display the relevant event information. All devices and device groups that are under your management will appear in the drop-down list.
Table 55 Fields of the attack event details list
Field / Description
Time: Time when the attack event occurred
Src IP: Attack source IP address
Dest IP: Attack destination IP address
Event: Name of the event
Dest Port: Attack destination port
Protocol: Protocol used by the attack
Event Count: Number of events that occurred at the time
CAUTION: Logs are aggregated at 3 o’clock every day.
Table 57 Fields of the report export task list
Field / Description
Report Task: Name of the report export task
Creation Time: Time when the task was created
Period: Report export interval specified in the export task
Send Mail: Whether the report export file is to be sent to the specified mail box.
Generate Report: Click the icon of a task to display all generated report files of the task and the file creation time. These files have the same suffix, which is xls.
Return to Report export task management functions.

Adding a report export task

From the navigation tree of the firewall management component, select Event Export Tasks under Event Analysis to enter the report export task management page, as shown in Figure 48. Then, click Add to enter the page for adding a report export task, as shown in Figure 50. Table 60 describes the configuration items of a report export task.
The event auditing function does not support cross-day queries. If the query period spans a day boundary or the query start time is later than the end time, the end time automatically changes to 23:59 of the same day as the start time.

Inter-zone access log auditing

Configuration guide

From the navigation tree of the firewall management component, select Inter-Zone Access Logs under Event Auditing to enter the inter-zone access log auditing page, as shown in Figure 51.
Figure 52 Abnormal traffic log auditing

Blacklist log auditing

Configuration guide

From the navigation tree of the firewall management component, select Blacklist Logs under Event Auditing to enter the blacklist log auditing page, as shown in Figure 53. The blacklist filters packets by source IP address and can effectively filter out packets from a specific IP address. The blacklist log auditing page lists the blacklist logs of HP firewalls.
Figure 54 Operation log auditing

Other log auditing

Configuration guide

From the navigation tree of the firewall management component, select Other Logs under Event Auditing to enter the page for auditing other logs, as shown in Figure 55. The page lists the logs in order of time, with the most recent log at the top. Each log records the log time, content, and alarm severity level. You can query the logs by content, device group, severity level, and time to get an overview of other logs.
NAT log auditing

Configuration guide

From the navigation tree of the firewall management component, select NAT Logs under Event Auditing to enter the NAT log auditing page, as shown in Figure 56. The page lists NAT logs of HP firewalls. Each log records the source IP:port and destination IP:port before and after network address translation, as well as the NAT session start time and end time.
Figure 57 MPLS log auditing

NOTE: If the IP address/port number is null in the database, NA is displayed in the IP address or port field.

Security policy management

This function allows you to configure security policies for the firewall devices, so that the devices can automatically identify and filter network traffic that travels through them.
Adding a security zone: Allows you to add a security zone.
Importing security zones from a device: Allows you to import security zones from a device.
Deleting security zones: Allows you to delete security zones. Follow these steps:
1. Select the check boxes before the security zones to be deleted.
2. Click Delete.
CAUTION:
• Security zones Local, Trust, DMZ, and Untrust are system predefined security zones and cannot be deleted.
• Security zones that have been referenced cannot be deleted.
Table 63 Security zone configuration item
Item / Description
Security Zone: Type a name for the security zone. A security zone name cannot contain any of these characters: ^'<>&:;"/\
Return to Security zone management functions.

Importing security zones from a device

From the navigation tree of the firewall management component, select Security Zones under Security Policy Management to enter the security zone management page, as shown in Figure 58.
Deleting a time range: Allows you to click the icon of a time range to delete the time range.

Time range list

The time range list is on the time range management page, as shown in Figure 61. Figure 62 describes the fields of the list.

Table 65 Fields of the time range list
Field / Description
Name: Name of the time range
Description: Time periods that the time range covers
Referenced: Whether the time range is referenced by a security policy or not
Operation: Click the icon to delete the time range.
and then select the days of the week during which the time period applies. By default, the periodic time period is from 0:0 to 24:0 every day.
• Absolute—Select the start time and end time for the absolute time period. By default, the absolute time period is a 24-hour period starting from the full hour of the current time. An absolute time range takes effect only once.
Return to Time range management functions.
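The two kinds of time period described above can be modelled directly: a periodic period is a daily start and end time plus a set of weekdays (default 0:0 to 24:0 every day), and an absolute period is a start and end instant (default: the 24 hours starting from the current full hour) that takes effect only once. The Python below is an added example, not code from the guide or from the HP product. It assumes that an end time is exclusive (so 0:0 to 24:0 covers the whole day) and, because the guide does not say how the two kinds combine, it assumes a time range with both kinds is active only when some periodic period matches and the instant also lies inside some absolute period. Class names and the sample times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

MONDAY = 0
ALL_DAYS = frozenset(range(7))  # datetime.weekday() values, Monday = 0


def _hm_to_minutes(text: str) -> int:
    """Parse 'H:M' (the guide writes 0:0 and 24:0) into minutes since midnight."""
    hours, minutes = (int(p) for p in text.split(":"))
    if not (0 <= hours <= 24 and 0 <= minutes <= 59) or (hours == 24 and minutes != 0):
        raise ValueError(f"bad time of day: {text!r}")
    return hours * 60 + minutes


@dataclass(frozen=True)
class PeriodicPeriod:
    start: str = "0:0"            # guide default: from 0:0 to 24:0 every day
    end: str = "24:0"
    days: frozenset = ALL_DAYS

    def active(self, when: datetime) -> bool:
        minute = when.hour * 60 + when.minute
        # Assumption: start inclusive, end exclusive, so 24:0 still covers 23:59.
        return (when.weekday() in self.days
                and _hm_to_minutes(self.start) <= minute < _hm_to_minutes(self.end))


@dataclass(frozen=True)
class AbsolutePeriod:
    start: datetime
    end: datetime

    @classmethod
    def default(cls, now: datetime) -> "AbsolutePeriod":
        """Guide default: a 24-hour period starting from the current full hour."""
        start = now.replace(minute=0, second=0, microsecond=0)
        return cls(start, start + timedelta(hours=24))

    def active(self, when: datetime) -> bool:
        # An absolute period takes effect only once: after its end it never matches again.
        return self.start <= when < self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[PeriodicPeriod] = field(default_factory=list)
    absolute: List[AbsolutePeriod] = field(default_factory=list)

    def active(self, when: datetime) -> bool:
        # Assumed combination rule: some periodic period must match (none configured
        # means "every day"), and if absolute periods exist the instant must also
        # fall inside one of them.
        periodic_ok = not self.periodic or any(p.active(when) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.active(when) for a in self.absolute)
        return periodic_ok and absolute_ok


if __name__ == "__main__":
    # Constructed sample: office hours Mon-Fri, limited to a one-off 24-hour window.
    office_hours = PeriodicPeriod("9:00", "18:00", frozenset(range(MONDAY, 5)))
    window = AbsolutePeriod.default(datetime(2011, 8, 5, 14, 37))
    rng = TimeRange("maintenance", [office_hours], [window])
    for probe in (datetime(2011, 8, 5, 15, 0), datetime(2011, 8, 5, 20, 0),
                  datetime(2011, 8, 8, 10, 0)):
        print(probe, "active" if rng.active(probe) else "inactive")
```

Checking a rule's time range this way, before deploying a policy, is a cheap guard against the classic failure where a temporary absolute window has already expired and a rule silently never matches.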
Protocol: Protocol used by the service
Protocol Parameters: Parameters configured for the protocol
Return to Service management functions.

User-defined services

From the navigation tree of the firewall management component, select Services under Security Policy Management. Click the User-Defined Services tab to enter the user-defined service management page, as shown in Figure 64. Table 69 describes the fields of the service list.
Figure 65 Add a user-defined service

Table 70 User-defined service configuration items
Item / Description
Name (Required): Type a name for the user-defined service. Valid characters for the name: letters, digits, underscores (_), periods (.), slashes (/), and hyphens (-), where underscores can’t appear at the beginning or end of the name.
(Optional) Type some descriptive information for the user-defined service.
To delete user-defined services, select them and click Delete on the user-defined service management page. Return to Service management functions.

Service groups

From the navigation tree of the firewall management component, select Services under Security Policy Management. Click the Service Groups tab to enter the service group management page, as shown in Figure 66. Table 71 describes the fields of the service group list.
Figure 67 Add a service group

Table 72 Service group configuration items
Item / Description
Name (Required): Type a name for the service group. Valid characters for the name: letters, digits, underscores (_), periods (.), slashes (/), and hyphens (-), where underscores can’t appear at the beginning or end of the name.
Description (Optional): Type some descriptive information for the service group.
IP addresses

Configuration guide

From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management to enter the IP address management page, as shown in Figure 68. Table 73 describes the functions of the tabs.

Figure 68 IP address management page

Table 73 IP address management functions
Function / Description
Host addresses: Allows you to manage all host addresses in the system.
Address ranges: Allows you to manage all address ranges in the system.
Figure 69 Add a host address

Table 75 Host address configuration items
Item / Description
Name (Required): Type a name for the host address. Valid characters for the name: letters, digits, underscores (_), periods (.), slashes (/), and hyphens (-), where underscores can’t appear at the beginning or end of the name.
IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group.
Address ranges

From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management. Click the Address Ranges tab to enter the address range management page, as shown in Figure 70. Table 76 describes the fields of the address range list.
Table 77 Address range configuration items
Item / Description
Name (Required): Type a name for the address range. Valid characters for the name: letters, digits, underscores (_), periods (.), slashes (/), and hyphens (-), where underscores can’t appear at the beginning or end of the name.
IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group.
Subnet: Subnet address and mask
Excluded Addresses: Addresses excluded from the subnet
Description: Descriptive information about the subnet address
Referenced: Whether the subnet address is referenced or not
Operation: Click the icon to modify the subnet address.
To add a subnet address, click Add on the subnet address management page to enter the Add Subnet Address page and configure the subnet address as shown in Figure 73 and Table 79.
Specify a subnet address. The IP address must be in dotted decimal notation.
Wildcard (Required): Select a wildcard mask for the subnet address.
Excluded Addresses (Required): Specify the IP addresses to be excluded from the subnet.
• Input an IP address and click Add next to the text box to add the IP address to the excluded IP addresses list. You can also select an IP address on the list and click Delete to remove the IP address from the list.
• The IP addresses must be in dotted decimal notation.
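A subnet address object, as Table 79 defines it, is a base address, a wildcard mask, and a list of excluded addresses, all in dotted decimal notation. The Python below is an added example (not from the guide or the product) that evaluates such an object against a candidate address, which is the check you want when auditing what a policy really covers. It assumes the usual wildcard-mask convention, where a 0 bit means the address bit must match and a 1 bit means it is ignored; because a wildcard mask need not be contiguous, the example also shows a non-CIDR mask, which a plain prefix-length check would get wrong. Class and method names and the sample addresses are constructed.

```python
import ipaddress

_ALL_ONES = 0xFFFFFFFF


def _dotted_to_int(text: str) -> int:
    """Accept only dotted decimal notation, as the guide requires, and return an int."""
    try:
        return int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{text!r} is not in dotted decimal notation") from exc


class SubnetAddress:
    """Subnet address object: base address, wildcard mask, excluded addresses."""

    def __init__(self, name, subnet, wildcard, excluded=()):
        self.name = name
        self.subnet = _dotted_to_int(subnet)
        self.wildcard = _dotted_to_int(wildcard)
        self.excluded = set()          # stored as ints so "1.2.3.4" compares reliably
        for addr in excluded:
            self.add_excluded(addr)

    def _matches_mask(self, addr: int) -> bool:
        # Assumption: wildcard bit 0 = must match, bit 1 = don't care.
        care = ~self.wildcard & _ALL_ONES
        return (addr & care) == (self.subnet & care)

    def add_excluded(self, text: str) -> None:
        """Mirror of the Add button next to the Excluded Addresses box."""
        addr = _dotted_to_int(text)
        if not self._matches_mask(addr):
            raise ValueError(f"{text} is outside the subnet, nothing to exclude")
        self.excluded.add(addr)

    def delete_excluded(self, text: str) -> None:
        """Mirror of the Delete button: drop an address from the excluded list."""
        self.excluded.discard(_dotted_to_int(text))

    def contains(self, text: str) -> bool:
        """True if the address is covered by the mask and not excluded."""
        addr = _dotted_to_int(text)
        return self._matches_mask(addr) and addr not in self.excluded

    def excluded_list(self):
        return [str(ipaddress.IPv4Address(a)) for a in sorted(self.excluded)]


if __name__ == "__main__":
    # Constructed sample: a branch LAN whose gateway is carved out of the object.
    lan = SubnetAddress("branch-lan", "192.168.1.0", "0.0.0.255", ["192.168.1.1"])
    for probe in ("192.168.1.50", "192.168.1.1", "192.168.2.50"):
        print(lan.name, probe, lan.contains(probe))
    # Non-contiguous wildcard: every 10.1.x.0 address, nothing else.
    gateways = SubnetAddress("net-addresses", "10.1.0.0", "0.0.255.0")
    print(gateways.name, gateways.contains("10.1.77.0"), gateways.contains("10.1.77.1"))
```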
Figure 75 Add an IP address group

Table 81 IP address group configuration items
Item / Description
Name (Required): Type a name for the IP address group. Valid characters for the name: letters, digits, underscores (_), periods (.), slashes (/), and hyphens (-), where underscores can’t appear at the beginning or end of the name.
IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group.
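The naming rules repeated for user-defined services, service groups, host addresses, address ranges and IP address groups (letters, digits, underscores, periods, slashes and hyphens, with no leading or trailing underscore, and one name space shared by the four IP address object kinds), together with the forbidden characters for security zone names in Table 63, are easy to enforce before a change reaches the manager. The following Python is an added example, not part of the guide or of the HP product; the function and class names are assumptions, and the sample names are constructed.

```python
import re

# Characters allowed by the guide for service and address object names.
_OBJECT_NAME_RE = re.compile(r"[A-Za-z0-9_./-]+")

# Characters a security zone name must not contain, as listed in Table 63.
_ZONE_FORBIDDEN = set("^'<>&:;\"/\\")


def valid_object_name(name: str) -> bool:
    """Check a service/address object name against the guide's character rule."""
    if not name or _OBJECT_NAME_RE.fullmatch(name) is None:
        return False
    # Underscores are allowed, but not at the beginning or end of the name.
    return not (name.startswith("_") or name.endswith("_"))


def valid_zone_name(name: str) -> bool:
    """Check a security zone name: non-empty and free of the forbidden characters."""
    return bool(name) and not (_ZONE_FORBIDDEN & set(name))


class AddressNamespace:
    """Tracks the names used by the four IP address object kinds.

    The guide requires a host address, address range, subnet address or
    IP address group name to be unique across all four kinds, so a single
    mapping (name -> kind) covers them all.
    """

    KINDS = ("host", "range", "subnet", "group")

    def __init__(self):
        self._names = {}

    def add(self, kind: str, name: str) -> None:
        if kind not in self.KINDS:
            raise ValueError(f"unknown address object kind: {kind!r}")
        if not valid_object_name(name):
            raise ValueError(f"invalid address object name: {name!r}")
        if name in self._names:
            raise ValueError(f"name {name!r} is already used by a {self._names[name]} address object")
        self._names[name] = kind

    def kind_of(self, name: str):
        return self._names.get(name)


def check_names(zone: str, kind: str, name: str, ns: AddressNamespace) -> list:
    """Return the validation problems for a (zone, object kind, object name) triple."""
    problems = []
    if not valid_zone_name(zone):
        problems.append(f"zone name {zone!r} contains a forbidden character")
    if not valid_object_name(name):
        problems.append(f"object name {name!r} violates the character rule")
    elif ns.kind_of(name) is not None:
        problems.append(f"object name {name!r} already exists as a {ns.kind_of(name)}")
    return problems


if __name__ == "__main__":
    ns = AddressNamespace()
    ns.add("host", "web-srv.1")                     # constructed sample name
    for zone, kind, name in [("DMZ", "range", "web-srv.1"),
                             ("Trust<x>", "group", "_admins"),
                             ("Untrust", "subnet", "branch/lan")]:
        print(zone, kind, name, check_names(zone, kind, name, ns) or "ok")
```

Rejecting the zone characters up front matters beyond tidiness: several of them (`<`, `>`, `&`, quotes) are exactly the ones that cause trouble when a name is later echoed into a web page or a generated device configuration.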
Interzone rules

Configuration guide

From the navigation tree of the firewall management component, select Interzone Rules under Security Policy Management to enter the interzone rule management page, as shown in Figure 76. Table 82 describes the functions available on the page.

Figure 76 Interzone rule management page

Table 82 Interzone rule management functions
Function / Description
Interzone rule list: Allows you to view all interzone rules in the system.
Dest IP: Query interzone rules by destination IP.
Time Range: Query interzone rules by time range.
Policy: Query interzone rules by policy.
Figure 77 Add an interzone rule
Table 85 Interzone rule configuration items
Src Zone (required): Select a source zone for the interzone rule.
Dest Zone (required): Select a destination zone for the interzone rule.
Description (optional): Type some descriptive information for the interzone rule. Valid characters for the description: letters, digits, blank spaces, colons (:), underscores (_), commas (,), periods (.
Src IP (required): Add source IP addresses for the interzone rule.
• Available IP addresses are listed in the left box. The right box lists the source IP addresses to be added to the interzone rule.
• You can select one or more items in the left box and then click Add>> to add them to the right box. You can also select one or more items in the right box and click <
Enable this rule (optional): Select this option to enable the interzone rule. By default, this option is not selected, so a newly added rule exists in the system but is not enforced until you enable it.
Continue to add another rule (optional): Select this option to add another rule after finishing this rule. By default, this option is not selected.
Return to Interzone rule management functions.
Table 87 Fields of the interzone policy list
Policy Name: Name of the interzone policy.
Description: Descriptive information about the interzone policy.
Device: Name of the device to which the interzone policy is deployed.
Referenced: Whether the interzone policy is referenced or not.
Rules: Click the icon to enter the page for managing the policy's rules (see "Rule management").
Return to Interzone policy management functions.
Figure 80 Rule management page
Table 89 Fields of the policy's rule list
ID: ID of the interzone rule. When you create an interzone rule, the system automatically assigns an ID to the rule according to the number of existing rules for the source zone and destination zone pair, starting from 0. For example, the first rule created for source zone Trust and destination zone DMZ is numbered 0, and the second rule created for the same zone pair is numbered 1. Because IDs are assigned per zone pair, two rules in the same policy can both be numbered 0 if they belong to different zone pairs.
Figure 81 Add interzone rules to the policy
Return to Interzone policy management functions.
Sorting interzone rules
On an interzone policy's rule management page, you can click the icon of a rule to change its position among the policy's rules for the same source zone and destination zone. For example, on the page shown in Figure 80, click the icon of rule 0 to bring up the page shown in Figure 82, select after, select rule 1 from the drop-down list, and click Apply to move rule 0 after rule 1. Rule position decides which rule is matched first for traffic between the two zones, so review the resulting order before you apply the policy to a device.
Interzone policy applications
Configuration guide
From the navigation tree of the firewall management component, select Apply Interzone Policy under Security Policy Management to enter the interzone policy application management page, as shown in Figure 84. Table 90 shows the functions available on the page.
Application Result: Application result of the interzone policy.
Remarks: Displays the security zones that are covered by some of the policy's rules but not configured on the device. Rules that cover these security zones will not be deployed to the device. Review this column after every application: a skipped rule leaves the traffic it was meant to cover subject to whatever interzone policy the device already has.
Operation:
• Click the icon to apply policies to the device (see "Applying interzone policies").
• Click the icon to view the rules applied to the device (see "Applied rules list").
Return to Interzone policy application management functions.
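Three behaviours described in the preceding sections (rule IDs assigned per source/destination zone pair starting at 0, moving a rule before or after another rule of the same pair, and the Remarks column that lists zones not configured on the device so that rules covering them are not deployed) are easy to get wrong when reasoning about what a device will actually enforce. The following is an added example, not the product's code, that implements all three as plain Python so the effect of reordering can be checked. It assumes first-match evaluation in list order and that a moved rule keeps its ID; the guide states the ID scheme and the zone check but not the evaluation order. Rules refer to address objects by name, so a packet is represented by the sets of object names its source and destination resolve to; the rule contents and zone names are constructed.

```python
"""Interzone policy bookkeeping: per-zone-pair rule IDs, rule reordering,
first-match evaluation and the pre-deployment zone check.

Added example, not A-IMC code. Assumptions: first-match in list order;
a moved rule keeps its ID; rules name address objects, and a packet is
given as the object names its addresses resolve to.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str            # "permit" or "deny"
    src_ip: str            # name of an address object
    dst_ip: str
    enabled: bool = True
    rule_id: int = -1      # assigned by InterzonePolicy.add

    def pair(self):
        return (self.src_zone, self.dst_zone)


@dataclass
class InterzonePolicy:
    name: str
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> Rule:
        """ID = number of existing rules of the same zone pair (0, 1, 2, ...)."""
        rule.rule_id = sum(1 for r in self.rules if r.pair() == rule.pair())
        self.rules.append(rule)
        return rule

    def rules_for(self, src_zone, dst_zone):
        return [r for r in self.rules if r.pair() == (src_zone, dst_zone)]

    def move(self, src_zone, dst_zone, rule_id, position, target_id):
        """Place rule_id 'before' or 'after' target_id within one zone pair."""
        if position not in ("before", "after"):
            raise ValueError("position must be 'before' or 'after'")
        pair = self.rules_for(src_zone, dst_zone)
        by_id = {r.rule_id: r for r in pair}
        moving, target = by_id[rule_id], by_id[target_id]
        if moving is target:
            return
        order = [r for r in pair if r is not moving]
        order.insert(order.index(target) + (1 if position == "after" else 0), moving)
        # Rebuild the full list; rules of other zone pairs keep their slots.
        it = iter(order)
        self.rules = [next(it) if r.pair() == (src_zone, dst_zone) else r
                      for r in self.rules]

    def evaluate(self, src_zone, dst_zone, src_objs, dst_objs):
        """Action of the first enabled rule of the pair whose objects match."""
        for r in self.rules_for(src_zone, dst_zone):
            if r.enabled and r.src_ip in src_objs and r.dst_ip in dst_objs:
                return r.action
        return None        # nothing matched; the device default applies


def deployable(policy, device_zones):
    """Rules that will be deployed, and the zones the Remarks column shows."""
    missing = sorted({z for r in policy.rules for z in r.pair()
                      if z not in device_zones})
    keep = [r for r in policy.rules if not (set(r.pair()) & set(missing))]
    return keep, missing


def demo():
    """Constructed policy: a host deny ahead of a subnet permit, then reordered."""
    p = InterzonePolicy("edge")
    p.add(Rule("Trust", "Untrust", "deny", "gateway", "any"))       # id 0
    p.add(Rule("Trust", "Untrust", "permit", "lan_all", "any"))     # id 1
    p.add(Rule("Trust", "DMZ", "permit", "internal", "web"))        # id 0, other pair
    packet = ({"gateway", "lan_all"}, {"any"})
    before = p.evaluate("Trust", "Untrust", *packet)
    p.move("Trust", "Untrust", 0, "after", 1)
    after = p.evaluate("Trust", "Untrust", *packet)
    keep, missing = deployable(p, {"Trust", "Untrust"})   # device has no DMZ zone
    return before, after, [r.rule_id for r in keep], missing


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the two things the sections above warn about: moving rule 0 after rule 1 flips the verdict for the gateway host from deny to permit because the broader subnet rule now matches first, and applying the policy to a device without a DMZ zone silently keeps only the Trust/Untrust rules while "DMZ" appears in Remarks.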
Figure 86 List of rules applied to a device
Table 93 Applied rule list query options
Src Zone: Query interzone rules by source zone.
Dest Zone: Query interzone rules by destination zone.
Action: Query interzone rules by filtering action.
Src IP: Query interzone rules by source IP.
Dest IP: Query interzone rules by destination IP.
Time Range: Query interzone rules by time range.
Policy: Query interzone rules by policy.
Policy: Policies that the interzone rule is in. You can click a policy name to enter the page for managing the policy's rules. See "Rule management."
Return to Interzone policy application management functions.
Firewall device management
Managing firewall devices
With the management right on devices, you can add or delete devices, view detailed information about the devices, and change the device groups and labels of the devices.
Firewall device list
From the navigation tree of the firewall management component, select Device Management under Device Management. The firewall device list is at the lower part of the page. See Figure 87. Table 97 describes the fields of the list.
Table 96 Query options on the firewall device management page
Device IP: Query a firewall device by its IP address.
Label: Query a firewall device by its label.
Return to Firewall management functions.
Viewing device statistics
The device statistics function collects statistics on devices by day, week, and month. You can select the statistics period as needed and view the statistics report, which provides statistics for each firewall device, including the total number of events, the number of blocked events, the destination IP address count, the source IP address count, and the destination port count.
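The five counters in the device statistics report are straightforward to compute from raw events, and doing so yourself is the quickest way to sanity-check the report against the firewall's own logs. The following is an added example, not the product's code, that buckets constructed event records by day, ISO week or month per device and produces exactly those counters. The record layout (device, time, action, src_ip, dst_ip, dst_port) and the rule that an event with action "deny" counts as blocked are assumptions; the guide does not publish the log schema.

```python
"""Per-device statistics: total events, blocked events, distinct destination
IPs, distinct source IPs and distinct destination ports, by day/week/month.

Added example over constructed events; the record fields are assumptions.
"""
from collections import defaultdict
from datetime import datetime

FIELDS = ("device", "time", "action", "src_ip", "dst_ip", "dst_port")
# Constructed sample events (devices and addresses are made up).
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("192.168.250.214", "2011-08-01 09:00:00", "deny",   "4.1.1.10", "192.168.96.15", 139),
    ("192.168.250.214", "2011-08-01 09:05:00", "deny",   "4.1.1.10", "192.168.96.15", 139),
    ("192.168.250.214", "2011-08-01 10:00:00", "permit", "4.1.1.11", "192.168.96.20", 80),
    ("192.168.250.214", "2011-08-02 08:00:00", "permit", "4.1.1.12", "192.168.96.20", 443),
    ("192.168.250.215", "2011-08-02 08:30:00", "deny",   "4.1.1.10", "192.168.96.15", 22),
]]


def period_key(ts: str, period: str) -> str:
    """Bucket label for a timestamp: YYYY-MM-DD, YYYY-Www (ISO week) or YYYY-MM."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    if period == "day":
        return t.strftime("%Y-%m-%d")
    if period == "week":
        year, week, _ = t.isocalendar()
        return f"{year}-W{week:02d}"
    if period == "month":
        return t.strftime("%Y-%m")
    raise ValueError(f"unknown period {period!r}")


def device_statistics(events, period="day"):
    """Map (device, period label) -> the five counters of the report."""
    acc = defaultdict(lambda: {"total": 0, "blocked": 0, "dst_ips": set(),
                               "src_ips": set(), "dst_ports": set()})
    for e in events:
        s = acc[(e["device"], period_key(e["time"], period))]
        s["total"] += 1
        if e["action"] == "deny":          # assumption: deny == blocked
            s["blocked"] += 1
        s["dst_ips"].add(e["dst_ip"])
        s["src_ips"].add(e["src_ip"])
        s["dst_ports"].add(e["dst_port"])
    return {k: {"total": v["total"], "blocked": v["blocked"],
                "dst_ip_count": len(v["dst_ips"]),
                "src_ip_count": len(v["src_ips"]),
                "dst_port_count": len(v["dst_ports"])}
            for k, v in acc.items()}


if __name__ == "__main__":
    for period in ("day", "week", "month"):
        for key, stats in sorted(device_statistics(EVENTS, period).items()):
            print(period, key, stats)
```

Distinct counts are what make the report useful: two denied connections to the same host and port count as two events but one destination IP and one destination port, so a spike in events with flat distinct counts points at a single noisy source rather than a scan.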
Figure 90 Device configuration segment management page
Table 99 Configuration segment management functions
Configuration segment list: Allows you to view information about all configuration segments.
Adding a configuration segment: Allows you to add a configuration segment.
Importing a configuration segment: Allows you to import a configuration segment from a locally saved file. On the configuration segment management page, click the Import button.
Description: Detailed description of the configuration segment.
Operation:
• Click the icon of a configuration segment to rename the configuration segment file.
• Click the icon of a configuration segment to modify the description and configurations of the segment.
• Click the icon of a configuration segment to copy the segment.
• Click the icon of a configuration segment to export the segment.
Table 101 Configuration segment configuration items
File Type (required): Select the configuration segment type, cfg or xml.
Filename (required): Type a filename for the configuration segment. A filename must be unique in the system. Leading and trailing spaces in the filename are removed, and the filename cannot contain any of these characters: '"<>&%:;/\
Description (optional): Type some descriptive information for the configuration segment.
Configurations: The configuration content of the segment.
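The naming rules in this guide come in two flavours: address object names (Tables 77 and 81 above: letters, digits, underscores, periods, slashes and hyphens, no leading or trailing underscore, unique across host addresses, address ranges, subnet addresses and IP address groups) and configuration segment filenames (Table 101: spaces trimmed at both ends, a fixed set of forbidden characters, unique in the system). The following is an added example, not the product's code, that encodes both rules as validators so that a script generating objects or segments in bulk rejects bad names before they reach the web interface. It assumes uniqueness is exact, case-sensitive string equality; the guide does not say whether the product compares names case-insensitively.

```python
"""Validators for the two naming rules in the guide: address object names
(shared namespace across all four object types) and configuration segment
filenames (trimmed, forbidden characters, unique).

Added example, not A-IMC code. Uniqueness is assumed to be case-sensitive.
"""
import re

# Letters, digits, underscore, period, slash, hyphen; an underscore may not be
# the first or last character, so a one-character name cannot be "_".
_OBJECT_NAME = re.compile(r"^[A-Za-z0-9./-](?:[A-Za-z0-9_./-]*[A-Za-z0-9./-])?$")

# Characters Table 101 forbids in a configuration segment filename.
_FILENAME_FORBIDDEN = set("'\"<>&%:;/\\")
_SEGMENT_TYPES = {"cfg", "xml"}


class AddressObjectNames:
    """One namespace shared by host address, range, subnet and group names."""

    def __init__(self):
        self._names = {}            # name -> object type that owns it

    def register(self, name: str, obj_type: str) -> str:
        if not _OBJECT_NAME.match(name):
            raise ValueError(f"invalid address object name {name!r}")
        if name in self._names:
            raise ValueError(f"{name!r} is already used by a {self._names[name]}")
        self._names[name] = obj_type
        return name

    def owner(self, name: str):
        return self._names.get(name)


def normalize_segment_filename(name: str, file_type: str, existing) -> str:
    """Apply Table 101: check type, trim spaces, reject bad characters, enforce uniqueness."""
    if file_type not in _SEGMENT_TYPES:
        raise ValueError(f"file type must be one of {sorted(_SEGMENT_TYPES)}")
    cleaned = name.strip(" ")       # only leading and trailing spaces are removed
    if not cleaned:
        raise ValueError("filename is empty after trimming spaces")
    bad = sorted(set(cleaned) & _FILENAME_FORBIDDEN)
    if bad:
        raise ValueError(f"filename contains forbidden characters {bad}")
    if cleaned in existing:
        raise ValueError(f"filename {cleaned!r} already exists")
    return cleaned


def is_valid_object_name(name: str) -> bool:
    return _OBJECT_NAME.match(name) is not None


if __name__ == "__main__":
    ns = AddressObjectNames()
    print(ns.register("dmz-web_01", "host address"))
    for bad in ("_dmz", "dmz_", "dmz web"):
        try:
            ns.register(bad, "subnet address")
        except ValueError as err:
            print("rejected:", err)
    print(normalize_segment_filename("  base-acl.cfg ", "cfg", set()))
```

The forbidden filename characters are the usual path separators and shell, URL and HTML metacharacters, which is a hint that the filename ends up in a file path and in generated pages; trimming only spaces (not tabs or other whitespace) mirrors the wording of Table 101 rather than a general strip().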
Deploying a configuration segment
On the configuration segment list, click the icon of a configuration segment to configure a deployment task for the segment, as shown in Figure 93.
1. Select devices: Click Add Device, select the devices to deploy the configuration segment to, and click Next.
Figure 93 Select the devices you want to deploy the configuration segment to
2. Configure parameters: Type the SNMP version and community string and click Next. Prefer SNMPv3 where the device supports it; SNMPv1 and SNMPv2c send the community string in cleartext, and that string grants write access to the device configuration.
Figure 94 Configure parameters
3. Configure deployment task attributes.
Figure 95 Configure deployment task attributes
4. Confirm your configuration: Click the icon in the device list to view the configuration content to be deployed. To modify your configuration, click Previous. Check that everything is correct and click Finish.
Figure 96 Confirm your configuration
Return to Configuration segment management functions.
Managing deployment tasks
Configuration guide
From the navigation tree of the firewall management component, select Deployment Tasks under Policy Management to enter the deployment task management page, as shown in Figure 97. On this page, you can select a task status to display all deployment tasks in that status, select tasks to execute them immediately, or cancel, delete, or modify tasks.
Table 103 Fields of the deployment task list
Execution Status: Execution status of the task.
Task Name: Name of the task.
Task Type: Type of the task.
Creation Time: Creation date and time of the task.
Creator: Administrator who created the task.
Start Time: Time when the task started.
End Time: Time when the task ended.
SSL VPN auditing
Because a Virtual Private Network (VPN) is much cheaper and more flexible than leased lines, more and more companies establish VPNs over public networks such as the Internet so that employees working at home or travelling on business, employees of branch offices, and partners can access the internal network. SSL VPN is an emerging VPN technology that is widely used for secure remote web-based access.
Online users trends
The online user trend graph displays the number of online SSL VPN users during a day, week, month, or a customized period of time.
Configuration guide
From the navigation tree of the SSL VPN auditing component, select Online Users Trends under Comprehensive Analysis to enter the online user trend analysis page, where the online user trend graph is shown, as in Figure 99.
Figure 100 Daily user statistics
NOTE: The User Count field shows the number of logins on that day, not the number of distinct users.
Device monitoring
In addition to the SSL VPN user statistics of the entire network, the SSL VPN auditing component also allows you to view SSL VPN access statistics by firewall device and to log in to a device as an administrator or user.
SSL VPN log auditing
The SSL VPN log auditing function allows you to audit user access records, operation logs, resource accesses, and authentication failures. You can also export and save the reports as an Excel file.
Figure 103 Operation log auditing
Resource access auditing
Resource access auditing allows you to audit the operations of SSL VPN users by username, resource access operation, operation time, and IP address of the firewall device. It also supports flexible queries of the operation logs.
Figure 105 Authentication failure auditing
Configuration example 1
Network requirements
The HP A-IMC Firewall Manager works with HP firewall devices. The Firewall Manager collects attack events and logs sent by the firewall devices, processes and analyzes the collected data, and presents the information to the Firewall Manager operators. You need to ensure that there is a reachable route between the Firewall Manager server and each managed HP firewall device.
2. Select the Firewall Management component, and then select Device Management under Device Management from the navigation tree to enter the device management page. Click Add to enter the page for adding devices to the firewall management component, as shown in Figure 107.
Configuration example 2
Network requirements
The FW device connects the internal network 4.1.1.0/24 through GigabitEthernet 0/4 and connects to the external network through GigabitEthernet 0/1. Configure the FW device to send logs to the syslog server with IP address 192.168.96.15 in the external network.
Figure 108 Network diagram for configuring FW and Firewall Manager
Configuration procedures
Configuring the firewall device
1.
Select Firewall > ACL and configure rules for ACL 3000 to permit packets sourced from 4.1.1.0/24.
Figure 111 Configure ACL 3000
3. Configure a static route: Select Network > Routing Management > Static Routing and add a default static route with next hop 192.168.250.254, the IP address of the gateway for accessing the Internet.
Figure 112 Configure a default static route
4.
Figure 113 Add the FW device (192.168.250.214, A-F1000-E) to the Firewall Manager
Configuring intrusion detection in the firewall and sending logs to Firewall Manager
Enable logging and send logs to Firewall Manager
The log management feature lets you store the system messages or logs generated by actions such as packet filtering in the log buffer, or send them to log hosts.
1.
Figure 114 Configure a log host
The port number must match the management port number set in Firewall Manager, which is shown under System Management > System Config > Management Ports. Syslog carries no authentication, so restrict the Firewall Manager's listening port to the IP addresses of the managed firewalls and keep the path between the firewalls and the log host inside a trusted network; in this example the log host sits in the external network, so the logs cross the untrusted side of the firewall in cleartext.
Figure 115 Management Ports
2. Configure user logging: Flow logging records users' access to the external network.
Figure 116 Userlog
NOTE: At present, flow logs refer to session logs only. To generate flow logs, you need to configure session logging as illustrated below.
3. Configure a session logging policy: Select Log Report > Session Log > Log Policy from the navigation tree, then click Add to create policies as shown below.
• Scanning detection
• Blacklist
• URPF check
NOTE: After configuring all the policies, remember to click Apply to make them take effect.
Verification
Firewall logs and Firewall Manager analysis
Displaying the log report on the firewall web page
When the internal PC sends attack packets to the external PC, or the external PC to the internal one, such as a Land attack or a WinNuke attack, the firewall detects and logs them.
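To know what to expect in the log report, it helps to see what the two named attacks look like on the wire. The following is an added example, not the firewall's own detection code or log format: it classifies constructed packets with the commonly documented signatures (a Land packet carries the same source and destination IP address, the classic variant also repeating the port; a WinNuke packet is a TCP segment to port 139, the NetBIOS session service, with the URG flag set) and builds the event record a detecting device would hand to its log host. The packet addresses reuse the guide's 4.1.1.0/24 internal network with an invented external host, and the record field names are assumptions.

```python
"""Land and WinNuke detection over constructed packets, producing the kind
of event record a firewall forwards to its log host.

Added example, not the A-F1000-E's signatures or log format. Signatures:
Land = src IP equals dst IP; WinNuke = TCP to port 139 with URG set.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                         # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"}, {"PSH", "URG"}


def detect_land(pkt: Packet) -> bool:
    """Spoofed packet whose source is the victim itself."""
    return pkt.src_ip == pkt.dst_ip


def detect_winnuke(pkt: Packet) -> bool:
    """Out-of-band (URG) data to the NetBIOS session port."""
    return pkt.proto == "tcp" and pkt.dst_port == 139 and "URG" in pkt.flags


SIGNATURES = {"land": detect_land, "winnuke": detect_winnuke}


def classify(pkt: Packet) -> list:
    """Names of every signature the packet triggers; one packet may hit several."""
    return [name for name, check in SIGNATURES.items() if check(pkt)]


def event_record(device: str, pkt: Packet) -> Optional[dict]:
    """Event a detecting firewall would log; None for benign traffic."""
    hits = classify(pkt)
    if not hits:
        return None
    return {"device": device, "attack": ",".join(hits), "action": "deny",
            "src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
            "proto": pkt.proto, "dst_port": pkt.dst_port}


def scan(device: str, packets) -> list:
    """Event records for all packets that trigger a signature."""
    return [rec for rec in (event_record(device, p) for p in packets) if rec]


# Constructed traffic: 4.1.1.0/24 is the guide's internal network,
# 192.168.250.100 an invented external host.
SAMPLE = [
    Packet("4.1.1.10", "4.1.1.10", "tcp", 80, 80, frozenset({"SYN"})),                   # Land
    Packet("192.168.250.100", "4.1.1.10", "tcp", 4000, 139, frozenset({"PSH", "URG"})),  # WinNuke
    Packet("4.1.1.10", "4.1.1.10", "tcp", 139, 139, frozenset({"URG"})),                 # both
    Packet("4.1.1.11", "192.168.250.100", "tcp", 51000, 443, frozenset({"SYN"})),        # benign
]


if __name__ == "__main__":
    for rec in scan("192.168.250.214", SAMPLE):
        print(rec)
```

Both checks are stateless per-packet tests, which is why a firewall can log them without session tracking; the scanning detection, blacklist and URPF policies listed above need state across packets and are configured separately for that reason.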
• Intrusion Policy Log
• User log
Displaying firewall management statistics on Firewall Manager
Because the firewall is configured to send logs to Firewall Manager, the statistics and analysis are available in the Firewall module of the Firewall Manager web page.
• Recent list
• Inter-zone access logs
• Blacklist logs
• Operation Logs
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.