HP Firewalls and UTM Devices
System Management and Maintenance Configuration Guide
Part number: 5998-4170
Software version:
F1000-A-EI: Feature 3722
F1000-S-EI: Feature 3722
F5000: Feature 3211
F1000-E: Feature 3174
Firewall module: Feature 3174
Enhanced firewall module: ESS 3807
U200-A: ESS 5132
U200-S: ESS 5132
Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Displaying device information ····· 1
Displaying device information ····· 2
Displaying system resource state ····· 2
Emptying the recycle bin ····· 27
Computing the digest of a specified file ····· 27
Managing directories ····· 27
Displaying directory i
Deleting the next-startup configuration file ····· 56
Displaying and maintaining a configuration file ····· 56
Configuring the information center ····· 58
Overview
Displaying interzone policy logs ····· 101
Displaying user logs (flow logging) ····· 102
Configuring NTP ····· 105
Overview
SNMP operations ····· 144
SNMP protocol versions ····· 144
SNMP configuration task list ····· 144
Configuring SNMP
When the firewall acts as an Stelnet client for password authentication ····· 183
When the firewall acts as an Stelnet client for publickey authentication ····· 186
SFTP configuration examples ····· 188
When the firewall acts as an SFTP server for password authentication
Basic CWMP functions ····· 224
CWMP mechanism ····· 225
CWMP configuration approaches ····· 227
Configuring ACS and CPE attrib
Displaying device information
When you log in to the Web interface, you are placed on the Device Info page.
Figure 1 Device overview
Select the refresh mode from the Refresh Period list.
• If you select a specific period, the system periodically refreshes the Device Info page.
• If you select Manual, click Refresh to refresh the page.
Table 1 Field description
Field                Description
Device Name          Device name.
Product Information  Product information.
Device Location      Location of the device.
Contact Information  Contact information for device maintenance.
SerialNum            Serial number of the device.
Software Version     Software version of the device.
Hardware Version     Hardware version of the device.
Bootrom Version      BootWare version of the device.
To see more information about device interfaces, click the More hyperlink under the Device Interface Information area to enter the Device Management > Interface page, where you can view and operate the interfaces. For more information, see Network Management Configuration Guide. The security zone to which a Layer 2 Ethernet interface belongs does not appear on the Device Info page.
Displaying recent system logs
Table 4 Field description
Field   Description
Time    Time when the system logs are generated.
Using ping, tracert, and system debugging
Use the ping, tracert, and system debugging utilities to test network connectivity and identify network problems.
Ping
The ping utility sends ICMP echo requests (ECHO-REQUEST) to the destination device. Upon receiving the requests, the destination device responds with ICMP echo replies (ECHO-REPLY) to the source device.
Figure 3 Ping operation result
Configuring ping at the CLI
Using a ping command to test network connectivity
Execute ping commands in any view.
Task                                              Command                  Remarks
Test the network connectivity to an IP address.   • For an IPv4 network:
Figure 4 Network diagram
2. Configuration procedure
# Use the ping command on Device A to test connectivity to Device C.
ping 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=205 ms
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 1.1.2.
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/11/53 ms
The test procedure with the ping -r command (see Figure 4) is as follows:
3.
Figure 5 Traceroute operation
Tracert uses received ICMP error messages to get the IP addresses of devices. As shown in Figure 5, tracert works as follows:
1. The source device (Device A) sends a UDP packet with a TTL value of 1 to the destination device (Device D). The destination UDP port is not used by any application on the destination device.
2.
Figure 6 Trace route configuration page
3. Enter the IP address or host name of the destination device in the Trace Route field.
4. Click Start.
5. View the result in the Summary box, as shown in Figure 7.
Figure 7 Trace route operation result
Configuring tracert at the CLI
Prerequisites
Before you use a tracert command, perform the tasks in this section.
• Enable sending of ICMP timeout packets on the intermediate devices (devices between the source and destination devices). If the intermediate devices are HP devices, execute the ip ttl-expires enable command on the devices. For more information about this command, see System Management and Maintenance Command Reference.
• Enable sending of ICMP destination unreachable packets on the destination device. If the destination device is an HP device, execute the ip unreachables enable command.
displayed on a terminal (including console or VTY). You can also send debugging information to other destinations. For more information, see "Configuring the information center."
Figure 8 Relationship between the protocol and screen output switch
Debugging a feature module
Output from debugging commands is memory intensive. To guarantee system performance, enable debugging only for modules that are in an exceptional condition.
Step 4. Display the enabled debugging functions.
Command: display debugging [ interface interface-type interface-number ] [ module-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Optional. Available in any view.
Ping and tracert example
Network requirements
As shown in Figure 9, Firewall A failed to Telnet to Firewall B. Determine whether Firewall A and Firewall B can reach each other. If they cannot reach each other, locate the failed nodes in the network.
3 * * *
4 * * *
5
The output shows that Firewall A and Firewall B cannot reach each other, Firewall A and Device can reach each other, and an error occurred on the connection between Device and Firewall B.
# Use the debugging ip icmp command on Firewall A and Firewall B to verify that they can send and receive the specific ICMP packets, or use the display ip routing-table command to verify the availability of active routes between Firewall A and Firewall B.
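The tracert mechanism and prerequisites described above (TTL-1 UDP probes, ICMP timeout replies from intermediate devices, ICMP destination unreachable from the destination) can be modelled hop by hop. The following Python model is an added example, not code from the HP guide: the Hop class, its attributes (ttl_expires_enabled and unreachables_enabled standing in for the ip ttl-expires enable and ip unreachables enable settings, forwards standing in for a broken link) and the constructed paths are assumptions for illustration. It reproduces why a hop that does not send ICMP timeout packets shows up as "* * *" even though traffic passes through it, and why a broken link makes every later hop show "* * *", as in the Firewall A / Device / Firewall B output above.

```python
from dataclasses import dataclass

DEST_REPLY = "port unreachable"   # the destination's ICMP destination-unreachable answer


@dataclass
class Hop:
    """One device on the path after the source (constructed model, not a device API)."""
    name: str
    ip: str
    ttl_expires_enabled: bool = True   # intermediate device sends ICMP time exceeded
    unreachables_enabled: bool = True  # destination sends ICMP port unreachable
    forwards: bool = True              # False: the link beyond this device is down


def send_probe(path, ttl):
    """Follow one UDP probe with the given TTL along the path.

    Returns the IP address that answered (with DEST_REPLY appended when the
    destination answered) or '*' when no ICMP message comes back to the source.
    """
    for index, hop in enumerate(path):
        ttl -= 1                                   # every device decrements the TTL
        if index == len(path) - 1:                 # delivered to the destination
            return f"{hop.ip} {DEST_REPLY}" if hop.unreachables_enabled else "*"
        if ttl == 0:                               # expired on an intermediate device
            return hop.ip if hop.ttl_expires_enabled else "*"
        if not hop.forwards:                       # lost on a broken link, nothing returns
            return "*"
    return "*"


def simulate_tracert(path, max_ttl=30, probes=3):
    """Return [(ttl, [reply, reply, reply]), ...] until the destination answers or max_ttl."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, ttl) for _ in range(probes)]
        rows.append((ttl, replies))
        if any(DEST_REPLY in reply for reply in replies):
            break
    return rows


def render(rows):
    """Summary lines in the style of the tracert output shown above."""
    return [f"{ttl} " + " ".join(r.replace(" " + DEST_REPLY, "") for r in replies)
            for ttl, replies in rows]


# Constructed paths mirroring the example: Firewall A -> Device -> Firewall B.
PATH_OK = [Hop("Device", "1.1.1.2"), Hop("Firewall B", "1.1.2.2")]
PATH_BROKEN_LINK = [Hop("Device", "1.1.1.2", forwards=False), Hop("Firewall B", "1.1.2.2")]
PATH_QUIET_HOP = [Hop("Device", "1.1.1.2", ttl_expires_enabled=False), Hop("Firewall B", "1.1.2.2")]

if __name__ == "__main__":
    for label, path in [("ok", PATH_OK), ("broken link", PATH_BROKEN_LINK), ("quiet hop", PATH_QUIET_HOP)]:
        print(label)
        print("\n".join(render(simulate_tracert(path, max_ttl=5))))
```

The quiet-hop case is the one to remember when reading a trace: a row of asterisks followed by a normal row means the device at that hop simply does not send ICMP timeout packets, whereas asterisks that continue until the TTL limit point at a real break or a filter.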
Optimizing IP performance
IP performance optimization can be configured only at the CLI. This chapter describes multiple features for IP performance optimization.
Enabling receiving and forwarding of directed broadcasts to a directly connected network
A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
To enable the device to forward directed broadcasts:
Step                                                     Command                                     Remarks
1. Enter system view.                                    system-view                                 N/A
2. Enter interface view.                                 interface interface-type interface-number   N/A
3. Enable the interface to forward directed broadcasts.  ip forward-broadcast [ acl acl-number ]     Disabled by default.
Receiving and forwarding directed broadcasts configuration example
Network requirements
As shown in Figure 10, the default gateway of the host is the IP address 1.1.1.
[FirewallB-GigabitEthernet0/2] ip address 2.2.2.1 24
[FirewallB-GigabitEthernet0/2] quit
After the configurations, if you ping the subnet-directed broadcast address (2.2.2.255) on the host, the ping packets can be received by the interface GigabitEthernet 0/2 of Firewall B. However, if you cancel the ip forward-broadcast configuration on any firewall, the ping packets cannot be received by the interface GigabitEthernet 0/2 of Firewall B.
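The decision an egress interface makes for a directed broadcast, as described in this section, is small enough to write down exactly. The Python below is an added example and not part of the HP guide: the function names, the forward_broadcast flag (standing in for ip forward-broadcast) and the allowed_sources list (a stand-in for the optional acl acl-number, assumed here to be a list of permitted source networks) are assumptions for illustration. It uses the 2.2.2.0/24 network from the example and shows why the feature is disabled by default: once enabled without an ACL, any off-subnet source can reach every host on the segment with one packet.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_directed_broadcast(dst, network):
    """True when dst carries the network ID of `network` and a host part of all ones.
    /31 and /32 networks have no broadcast address, so they never qualify."""
    net = ipaddress.IPv4Network(network, strict=False)
    return net.prefixlen < 31 and ipaddress.IPv4Address(dst) == net.broadcast_address


def forwarding_decision(src, dst, outgoing_network, forward_broadcast=False, allowed_sources=None):
    """Decide what an interface on `outgoing_network` does with a packet from src to dst.

    forward_broadcast models the ip forward-broadcast setting (disabled by default).
    allowed_sources models the optional ACL: None means no ACL (any source passes once
    the feature is enabled); otherwise only sources inside one of the listed networks pass.
    """
    src_addr = ipaddress.IPv4Address(src)
    dst_addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(outgoing_network, strict=False)

    if dst_addr == LIMITED_BROADCAST:
        return "drop"                      # limited broadcasts are never routed
    if is_directed_broadcast(dst, net):
        if not forward_broadcast:
            return "drop"                  # default behaviour
        if allowed_sources is not None and not any(
                src_addr in ipaddress.IPv4Network(n) for n in allowed_sources):
            return "drop"                  # ACL does not permit this source
        return "forward-broadcast"         # delivered to every host on the segment
    if dst_addr in net:
        return "forward"                   # ordinary unicast to a connected host
    return "not-on-this-network"


if __name__ == "__main__":
    # Constructed cases: the host 1.1.1.1 pinging 2.2.2.255 behind GigabitEthernet 0/2.
    for enabled in (False, True):
        print(enabled, forwarding_decision("1.1.1.1", "2.2.2.255", "2.2.2.1/24", enabled))
    print(forwarding_decision("1.1.1.1", "2.2.2.255", "2.2.2.1/24", True, ["10.0.0.0/8"]))
```

Enabling the feature only together with an ACL that names the specific source networks that legitimately need it keeps the exposure to the hosts that were intended.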
2. A router that fails to forward the packet because it exceeds the MTU on the outgoing interface discards the packet and returns an ICMP error message, which contains the MTU of the outgoing interface.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
4. The TCP source device sends subsequent TCP segments that are each smaller than the MSS (MSS = path MTU - IP header length - TCP header length).
Configuring TCP timers
You can configure the following TCP timers:
• synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
• finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
{ If no FIN packet is received within the timer interval, the TCP connection is terminated.
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source. The device sends an ICMP timeout packet under the following conditions:
{ If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a "TTL timeout" ICMP error message.
{ When the device receives the first fragment of an IP datagram whose destination is the device itself, it starts a timer.
Step                                    Command                                                                          Remarks
2. Enable sending ICMP error packets.   • Enable sending ICMP redirect packets: ip redirects enable                      Disabled by default.
                                        • Enable sending ICMP timeout packets: ip ttl-expires enable
                                        • Enable sending ICMP destination unreachable packets: ip unreachables enable
When sending ICMP timeout packets is disabled, the device does not send "TTL timeout" ICMP error packets. However, "reassembly timeout" error packets are sent normally.
Step                                          Command                                                                                                       Remarks
4. Add an interface to the security zone.     import interface interface-type interface-number [ vlan vlan-id ]                                             Required. By default, a security zone contains no interface.
5. Enter interface view.                      interface interface-type interface-number                                                                     N/A
6. Enable IP virtual fragment reassembly.     ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] *  By default, the feature is disabled.
Displaying and maintaining IP performance optimization
Task                                                      Command                                                                         Remarks
Display TCP connection statistics.                        display tcp statistics [ | { begin | exclude | include } regular-expression ]   Available in any view.
Display UDP statistics.                                   display udp statistics [ | { begin | exclude | include } regular-expression ]   Available in any view.
Display statistics of IP packets (centralized devices).   display ip statistics [ | { begin | exclude | include } regular-expression ]    Available in any view.
Clear statistics of TCP connections.                      reset tcp statistics                                                            Available in user view.
Clear statistics of UDP traffic.                          reset udp statistics                                                            Available in user view.
Managing the file system
You can manage the file system only at the CLI.
Feature and hardware compatibility
Hardware                 Storage medium
F1000-A-EI/F1000-S-EI    flash0
F1000-E                  cfa0
F5000                    cfa0
Firewall module          cfa0
U200-A                   cfa0
U200-S                   cfa0
All examples in this chapter use the storage medium cfa0.
Overview
This chapter describes how to manage the device's file system, including the storage media, directories, and files.
Table 5 File name formats
Format      Description                                          Length                Example
file-name   Specifies a file in the current working directory.   1 to 91 characters    a.cfg indicates a file named a.cfg in the current working directory.
                                                                 1 to 135 characters   test/a.cfg indicates a file named a.cfg in the test folder in the current working directory.
                                                                 1 to 135 characters   cfa0:/test/a.cfg indicates a file named a.cfg in the test folder under the CF card's root directory.
Task                              Command                                                                Remarks
Display the contents of a file.   more file-url [ | { begin | exclude | include } regular-expression ]   Only text files can be displayed.
Renaming a file
Perform this task in user view.
Task             Command
Rename a file.   rename fileurl-source fileurl-dest
Copying a file
Perform this task in user view.
Task             Command
Copy a file.     copy fileurl-source fileurl-dest
Moving a file
Perform this task in user view.
Task             Command
Move a file.
Emptying the recycle bin
Step                                                                               Command                        Remarks
1. Enter the original working directory of the file to be deleted in user view.    cd { directory | .. | / }      Skip this step if the original directory of the file is the current working directory.
2. Empty the recycle bin.                                                          reset recycle-bin [ /force ]   N/A
Computing the digest of a specified file
Computing the digest of a specified file lets you verify the correctness and integrity of the file and detect whether it has been tampered with.
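The digest check above is most useful before an image or patch file is transferred to the device: compute the digest on the management host, compare it with the value published for the file, and only then upload it. The Python below is an added example, not code from the HP guide or the device; the function names and the constructed stand-in image are assumptions for illustration. It reads the file in chunks so that a large image does not have to fit in memory, and uses a constant-time comparison against the expected value.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024   # read size for large image files


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file on disk, computed incrementally."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_file(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest equals the published value (constant-time compare)."""
    actual = file_digest(path, algorithm).lower()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Constructed scenario: an 'image' file, its published digest, and a tampered copy.

    Returns (original_verifies, tampered_verifies); a correct check gives (True, False).
    """
    image = b"BOOTWARE-IMAGE-PLACEHOLDER " * 1000   # constructed stand-in for an image file
    published = digest_bytes(image)                  # the value a release note would list
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "image.bin")
        bad = os.path.join(tmp, "image-tampered.bin")
        with open(good, "wb") as fh:
            fh.write(image)
        with open(bad, "wb") as fh:
            fh.write(image[:-1] + b"X")               # a single-byte change
        return verify_file(good, published), verify_file(bad, published)


if __name__ == "__main__":
    print(demo())
```

Compare against the digest the vendor publishes, not against one computed from the same download, and prefer SHA-256 over MD5 where both are offered, since MD5 collisions can be constructed.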
Task                                     Command
Change the current working directory.    cd { directory | .. | / }
Creating a directory
Perform this task in user view.
Task                  Command
Create a directory.   mkdir directory
Removing a directory
To remove a directory, you must first delete all files and subdirectories in it. To delete a file, use the delete command. To delete a subdirectory, use the rmdir command. Removing a directory permanently deletes all its files in the recycle bin, if any. Perform this task in user view.
Partitioning a CF card
A CF card can be divided into several different logical devices, or partitions. Operations on a partition do not affect the other partitions. The following partitioning modes are available for CF cards:
• Simple—You specify the number of partitions, and the system divides the CF card into the specified number of partitions of the same size.
Hardware   Feature compatible
U200-S     No
The physical space of the NAND Flash memory is divided into multiple blocks, each of which is subdivided into multiple pages. The NAND Flash memory is erased on a block basis and read on a page basis; memory space is allocated on a page basis.
Displaying and repairing bad blocks
The bad block ratio varies with products of different vendors.
Setting the file system operation mode
The file systems support the following operation modes:
• alert—The system warns you about operations that might cause problems such as file corruption and data loss. To prevent incorrect operations, use the alert mode.
• quiet—The system does not prompt for any operation confirmation.
To set the file system operation mode:
Step                                     Command       Remarks
1. Enter system view.                    system-view   N/A
2. Set the file system operation mode.
# Display the files and the subdirectories in the test directory.
dir
Directory of cfa0:/test/
   0 drw-         -  Feb 16 2006 15:28:14
2540 KB total (2519 KB free)
# Return to the upper directory.
cd ..
# Display the current working directory.
Upgrading software
You can use the CLI, Boot menu, or Web interface to upgrade software. This chapter describes the CLI and Web approaches to software upgrade.
Feature and hardware compatibility
Hardware                 Storage medium
F1000-A-EI/F1000-S-EI    flash0
F1000-E                  cfa0
F5000                    cfa0
Firewall module          cfa0
U200-A                   cfa0
U200-S                   cfa0
All examples in this chapter use the storage medium cfa0.
Overview
Upgrading software includes upgrading the BootWare (called "bootrom" in the CLI) and system software.
Figure 12 System startup process (flowchart: the BootWare runs; press Ctrl+B to enter the Boot menu and upgrade the BootWare or system software, otherwise the system software image runs and the CLI is entered; select the Reboot option to reboot the device)
Software upgrade methods
You can use one of the following methods to upgrade system software:
Upgrading method                                      Software types                                  Remarks
Upgrading from the CLI: Upgrading entire software     • BootWare image
                                                      • System software image (excluding patches)
Installing hotfixes                                   System s
To upgrade the BootWare image:
Step                                                                                             Command                                        Remarks
1. Use FTP or TFTP to transfer the BootWare image to the root directory of the storage medium.   See "Configuring FTP" or "Configuring TFTP."   Make sure the image file is saved in the root directory of the storage medium. If the storage medium has been partitioned, save the image file to the root directory of the first partition.
2. Enter system view.                                                                            system-view                                    N/A
3.                                                                                                                                              Optional. By default, the validity check function is enabled.
Figure 13 Software upgrade configuration page
2. Configure upgrade parameters as described in Table 6.
3. Click Apply.
Table 6 Configuration items
Item        Description
File        Specify the filename of the local system software image file, which must have the extension .app or .bin.
File Type   Specify the type of the next-startup system software image:
            • Main—The main system software image has higher priority than the backup system software image at startup.
Step                    Command   Remarks
3. Reboot the device.   reboot    N/A
Installing hotfixes
Hotfixes (called "patches" in this document) repair software defects without requiring a system reboot. You can install hotfixes at the CLI.
Basic concepts
This section describes the basic patch concepts.
Patch, patch file, and patch package file
A patch fixes certain software defects. A patch file contains one or more patches.
IMPORTANT:
Patch state information is saved in the patchstate file on the storage medium. To make sure the device can identify the patches, do not edit, delete, or move the file, or change the file name.
Figure 14 Impact of patch manipulation commands on patch state
IDLE state
Patches that have not been loaded are in IDLE state. You cannot install or run these patches. As shown in Figure 15, the patch memory area can load up to eight patches. The patch memory area supports up to 200 patches.
the version check and CRC check, they are loaded to the patch memory area and are in DEACTIVE state. In the patch memory area, patch states are as shown in Figure 16.
Figure 16 Patch states in the patch memory area after a patch file is loaded
ACTIVE state
Patches in ACTIVE state run temporarily in the system and become DEACTIVE at a reboot. For the seven patches in Figure 16, if you activate the first five patches, their states change from DEACTIVE to ACTIVE.
Figure 18 Patches in RUNNING state
Patch installation task list
Task                                              Remarks
Installing patches:                               Use either approach.
• Installing and running a patch in one step
• Installing a patch step by step                 Step-by-step patch installation allows you to control the patch status.
Uninstalling a patch step by step                 Optional.
Step                               Command                                                 Remarks
1. Enter system view.              system-view                                             N/A
2. Install patches in one step.    patch install { patch-location | file patch-package }   • patch-location: Specifies the directory where the patch file is located.
                                                                                           • file patch-package: Specifies a patch package file name.
                                                                                           If you execute the patch install patch-location command, the directory specified for the patch-location argument replaces the directory specified with the patch location command after the upgrade is complete.
NOTE:
If you execute the patch install patch-location command, the directory specified for the patch-location argument replaces the directory specified with the patch location command after the upgrade is complete.
Loading a patch file
Loading the correct patch files is the basis of other patch installation operations. The system loads patches from the specified patch location. If no patch location has been specified, the system loads a patch file from the root directory of the storage medium.
Stopping running patches
When you stop running a patch, the patch state becomes DEACTIVE, and the system runs the way it did before the patch was installed.
To stop running patches:
Step                        Command
1. Enter system view.       system-view
2. Stop running patches.    patch deactive [ patch-number ]
Removing patches from the patch memory area
After being removed from the patch memory area, a patch is still retained in IDLE state on the storage medium.
Figure 19 Network diagram (FTP server 2.2.2.2/24; Internet; user; firewall 1.1.1.1/24 as FTP client; Telnet)
Configuration procedure
1. Configure the FTP server (the configuration varies with server vendors):
# Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and the password to hello, and assigning the FTP user the right to access the cfa0:/aaa directory).
Please wait...
...
Done!
# Specify soft-version2.bin as the main startup system software image.
boot-loader file soft-version2.bin main
# Reboot the firewall to complete the upgrade.
reboot
3. Use the display version command to verify that the upgrade has succeeded. (Details not shown.)
Installing patches from the CLI
Network requirements
Download a patch file from a TFTP server to fix bugs on the firewall in Figure 20.
Managing configuration files
You can use the CLI, Boot menu, or Web interface to manage configuration files. This chapter describes the CLI and Web interface approaches to configuration file management.
• After the device reboots, execute the display current-configuration command before making any configuration.
Running configuration
The running configuration resides in volatile storage and takes effect while the device is operating. It includes startup settings that have not been changed and new settings you have made. A new setting takes effect immediately after it is made but must be saved to a configuration file to survive a reboot.
• Only one administrator can save the configuration at a time. If one administrator saves the configuration while the system is saving the configuration as required by another administrator, the system prompts the second administrator to try later.
• The configuration of the device is the same when the device runs in different operation modes. If you save the configuration, the configuration overwrites the original configuration file.
Figure 22 Backing up the configuration
3. Click the upper Backup button. A file download dialog box appears.
4. Select to view the .cfg file or to save the file to the local host.
5. Click the lower Backup button. A file download dialog box appears.
6. Select to view the .xml file or to save the file to the local host.
Restoring the next-startup configuration file
Configuration restoration allows you to:
• Upload the .
{ Click the lower Browse button to select the .xml file to be used.
4. Click Apply.
Resetting the configuration
This operation stops the next-startup configuration file from being used at the next startup, restores the device's factory defaults, and reboots the device.
To reset the configuration:
1. Select Device Management > Maintenance from the navigation tree.
2. Click the Initialize tab.
Figure 24 Resetting the configuration
3. Click Restore Factory-Default Settings.
4. Select the .cfg file to be imported as prompted.
5. Click Apply.
Managing configuration files at the CLI
Saving the running configuration
To make configuration changes take effect at the next startup, save the running configuration to the startup configuration file to be used at the next startup before the device reboots. Complete the following tasks to save the running configuration:
Task   Remarks
       Optional.
• Safe mode—Use the save command with the safely keyword. Safe mode is slower than fast mode, but more secure. In safe mode, the system saves the configuration in a temporary file and starts overwriting the target next-startup configuration file after the save operation is complete. If a reboot or power failure occurs during the save operation, the next-startup configuration file is still retained.
• Use the safe mode if the power source is not reliable or you are remotely configuring the device.
Configuring configuration archive parameters
Before archiving the running configuration, either manually or automatically, you must configure a file directory and file name prefix for configuration archives. Configuration archives are saved with the file name format prefix_serial number.cfg, for example, 20080620archive_1.cfg and 20080620archive_2.cfg. The serial number is automatically assigned from 1 to 1000, increasing by 1. After the serial number reaches 1000, it restarts from 1.
To enable automatic configuration archiving:
Step                                                                          Command                                    Remarks
1. Enter system view.                                                         system-view                                N/A
2. Enable automatic configuration archiving and set the archiving interval.   archive configuration interval minutes     By default, this function is disabled.
To view configuration archive names and their archiving time, use the display archive configuration command.
• Commands or command settings that the device does not support cannot be added to the running configuration.
Specifying the next-startup configuration file
You can specify a .cfg configuration file as the startup configuration file to be used at the next startup when you use the save command to save the running configuration to it. Alternatively, perform the following task in user view to specify the next-startup configuration file:
Task
Specify the next-startup configuration file.
Step                                                                                                   Command           Remarks
2. Verify that the specified configuration file has been set as the next-startup configuration file.   display startup   Optional.
Deleting the next-startup configuration file
CAUTION:
This task permanently deletes the next-startup configuration file from the device. Before performing this task, back up the file as needed.
Configuring the information center
The information center can be configured only at the CLI.
Overview
The information center collects and classifies system information as follows:
• Receives system information including log, trap, and debug information from source modules.
• Outputs the information to different information channels, according to output rules.
• Outputs information to different destinations, based on channel-to-destination associations.
Severity   Severity value   Description                                                                                                                        Corresponding keyword in commands
Alert      1                Action must be taken immediately to solve a serious problem. For example, traffic on an interface exceeds the upper limit.          alerts
Critical   2                Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails.     critical
Error      3                Error condition. For example, the link state changes or a storage card is unplugged.                                               errors
Warning    4                Warning condition.
Channel number   Default channel name   Default output destination   System information received by default
1                monitor                Monitor terminal             Log, trap, and debug information
2                loghost                Log host                     Log, trap, and debug information
3                trapbuffer             Trap buffer                  Trap information
4                logbuffer              Log buffer                   Log information
5                snmpagent              SNMP module                  Trap information
6                channel6               Web interface                Log information
7                channel7               Not specified                Log, trap, and debug information
8                channel8               Not specified                Log, trap, and debu
Destination   System information source modules   Log                          Trap                         Debug
                                                  Output switch   Severity    Output switch   Severity    Output switch   Severity
Log file      All supported modules               Enabled         Debug       Enabled         Debug       Disabled        Debug
System information formats
The following matrix shows the feature and hardware compatibility:
Hardware                Outputting system information in china-unicom-nat444 or china-telecom format to the log host
F1000-A-EI/F1000-S-EI   No
F1000-E                 Yes
F5000                   No
Firewall module         Yes
U200-A                  N
Output destination   Format                                                                  Example
                     • HP format: timestamp Sysname %%vvmodule/level/digest: source content   • HP format: <189>Oct 9 14:59:04 2009 Sysname %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.1.21.
                     • unicom format:                                                        • unicom format: <186>Oct 13 16:48:08 2000 Sysname 10IFNET/2/210231a64jx073000020: log_type=port;content=Vlan-interface1 link status is DOWN.
Field                                    Description
Sysname (host name or host IP address)   • If the system information that is sent to a log host is in the UNICOM format, and the info-center loghost source command is configured, or the vpn-instance vpn-instance-name option is provided in the info-center loghost command, the sysname field is displayed as the IP address of the device that generated the system information.
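A log host or SIEM collector has to take the two formats in the table above apart before it can apply severity thresholds or detection rules, so here is a parser for them. The Python below is an added example and not part of the HP guide or the device software. It takes the PRI value in angle brackets as a standard syslog priority (facility * 8 + severity), splits the HP body as timestamp Sysname %%vvmodule/level/digest(source): content and the unicom body as vvmodule/level/digest: key=value pairs, and uses the two example lines from the table as constructed input. The severity keywords for values 1 to 3 come from the severity table above; the keywords for the other values are assumed to follow the same style. The login_outside check and the management network it is given are illustrative assumptions.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Keywords 1-3 are from the severity table above; the rest are assumed (same style).
SEVERITY_KEYWORDS = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                     4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (\S+) (.*)$")
# HP format body: %%vvmodule/level/digest(source): content
HP_BODY_RE = re.compile(r"^%%(\d\d)(\w+)/(\d)/(\w+)\(([^)]*)\):\s*(.*)$")
# unicom format body: vvmodule/level/digest: key=value;key=value
UNICOM_BODY_RE = re.compile(r"^(\d\d)(\w+)/(\d)/(\w+):\s*(.*)$")


@dataclass
class Entry:
    fmt: str
    facility: int
    severity: int
    timestamp: str
    sysname: str
    module: str
    level: int
    digest: str
    content: str
    fields: dict = field(default_factory=dict)

    @property
    def keyword(self):
        return SEVERITY_KEYWORDS[self.severity]


def parse(line):
    """Parse one log-host line in HP or unicom format; None if it matches neither."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)          # syslog PRI = facility * 8 + severity
    timestamp, sysname, body = m.group(2), m.group(3), m.group(4)
    hp = HP_BODY_RE.match(body)
    if hp:
        _version, module, level, digest, _source, content = hp.groups()
        return Entry("hp", facility, severity, timestamp, sysname, module, int(level), digest, content)
    uc = UNICOM_BODY_RE.match(body)
    if uc:
        _version, module, level, digest, content = uc.groups()
        fields = dict(kv.split("=", 1) for kv in content.split(";") if "=" in kv)
        return Entry("unicom", facility, severity, timestamp, sysname, module, int(level), digest, content, fields)
    return None


def at_most(entries, severity):
    """Mimic an output rule: keep entries at this severity value or more severe (lower value)."""
    return [e for e in entries if e.severity <= severity]


LOGIN_IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def login_outside(entry, management_network):
    """True for a SHELL_LOGIN whose source address is outside the expected management network."""
    if entry.digest != "SHELL_LOGIN":
        return False
    m = LOGIN_IP_RE.search(entry.content)
    if not m:
        return False
    return ipaddress.IPv4Address(m.group(1)) not in ipaddress.IPv4Network(management_network)


# Constructed sample input: the two example lines from the format table.
SAMPLE_LINES = [
    "<189>Oct 9 14:59:04 2009 Sysname %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.1.21.",
    "<186>Oct 13 16:48:08 2000 Sysname 10IFNET/2/210231a64jx073000020: log_type=port;content=Vlan-interface1 link status is DOWN.",
]


def parse_all(lines=SAMPLE_LINES):
    return [e for e in (parse(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for e in parse_all():
        print(e.fmt, e.keyword, e.module, e.digest, e.content)
```

A useful consistency check on collected data is that the level in the body equals the severity derived from the PRI value, which holds for both sample lines; a mismatch usually means a relay rewrote the PRI on the way.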
Table 12 Timestamp precisions and configuration commands
Item                                       Destined to the log host        Destined to the console, monitor terminal, log buffer, and log file
Precision                                  Seconds                         Milliseconds
Command used to set the timestamp format   info-center timestamp loghost   info-center timestamp
Table 13 Description of the timestamp parameters
Timestamp parameters   Description                                            Example
boot                   Time since system startup, in the format of xxx.yyy.
date
Task                                                                      Remarks
Outputting system information to the trap buffer                          Optional.
Outputting system information to the log buffer                           Optional.
Outputting system information to the SNMP module                          Optional.
Outputting system information to the Web interface                        Optional.
Saving system information to a log file                                   Optional.
Managing security logs and the security log file                          Optional.
Enabling synchronous information output                                   Optional.
Disabling an interface from generating link up/down logging information   Optional.
Step                                                          Command                                                                        Remarks
9. Enable the display of system information on the console.   • Enable the display of debug information on the console: terminal debugging   Optional. By default, the console displays log and trap information, and discards debug information.
                                                              • Enable the display of log information on the console: terminal logging
                                                              • Enable the display of trap
Step 8. Enable system information output to the monitor terminal.
Command: terminal monitor
Remarks: The default setting is disabled. You must execute this command before you can enable the display of debugging, log, and trap information on the monitor terminal.
Step 9. Enable the display of system information on the monitor terminal.
Command:
• Enable the display of debug information on the monitor terminal: terminal debugging
Step 7. Set the system information format.
Command (use any approach):
• Set the format to HP:
• Set the format to unicom: info-center format unicom
• Set the format to china-telecom: info-center format china-telecom
• Set the format to china-unicom-nat444: info-center format china-unicom-nat444
Remarks: Optional. HP by default. The china-telecom and china-unicom-nat444 formats are available only for NAT444. For more information about NAT444, see NAT and ALG Configuration Guide.
Step 2. Enable the information center.
Command: info-center enable
Step 3. Specify a name for a channel identified by its number.
Command: info-center channel channel-number name channel-name
Configure an output channel for the trap buffer and set the buffer size.
Command: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
Configure an output rule for the trap buffer.
Step 5. Configure an output rule for the log buffer.
Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
Remarks: Optional. See "Default output rules of system information."
Step 6. Configure the timestamp format.
Command: info-center timestamp { debugging | log | trap } { boot | date | none }
Remarks: Optional.
Outputting system information to the Web interface
The Web interface only receives log information, and discards trap and debug information. This feature allows you to control whether to output system information to the Web interface and, if so, which system information can be output to the Web interface. The Web interface provides abundant search and sorting functions.
This feature enables the device to save generated log information to a log file. You can specify how often the log file is saved, or you can manually save the log file. Logs are saved into the log file buffer. The system writes the logs from the log file buffer to the log file at the specified interval (24 hours by default). You can also manually save the logs while the device is not busy. After saving logs from the log file buffer to the log file, the system clears the log file buffer.
Managing security logs and the security log file
Security logs are very important for locating and troubleshooting network problems. Generally, security logs are output together with other logs. It is difficult to identify security logs among all logs. To solve this problem, you can save security logs into a security log file without affecting the current log output rules. The security log file is managed by a privileged user.
Step 6. Set the alarm threshold of the security log file usage.
Command: info-center security-logfile alarm-threshold usage
Remarks: Optional. 80 by default. That is, when the usage of the security log file reaches 80%, the system informs the user.
Managing the security log file
After passing the AAA local authentication, the security log administrator can log in to the device and perform the following operations:
Task: Display a summary of the security log file.
Perform these operations on the security log file:
• Display the contents of the specified file: more file-url
• Display information about all files and folders: dir [ /all ] [ file-url ]
• Create a folder in a specified directory on the storage medium: mkdir directory
• Change the current working directory: cd { directory | .. | / }
• Display the current path: pwd
• Copy a file:
Task:
• Establish a connection to an IPv4 SFTP server and enter SFTP client view: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
• Establish a connection to an
Remarks: (Optional) Uplo
output and a command prompt in command editing mode, or a [Y/N] string in interaction mode so you can continue your operation from where you were stopped. If system information, such as log information, is output before you input any information under the current command line prompt, the system does not display the command line prompt after the system information output.
Displaying and maintaining the information center
Display information about information channels: display channel [ channel-number | channel-name ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
Display information center configuration information: display info-center [ | { begin | exclude | include } regular-expression ] (Available in any view.)
system-view
[Firewall] info-center enable
# Use channel console to output log information to the console. (This step is optional because it is the default setting.)
[Firewall] info-center console channel console
# Disable all modules from outputting log, trap, and debug information to channel console.
[Firewall] info-center source default channel loghost debug state off log state off trap state off
To avoid output of unnecessary information, disable all modules from outputting log, trap, and debug information to the specified channel (loghost in this example) before you configure the output rule.
# Configure an output rule to output to the log host ARP and IP log information that has a severity level of at least informational.
Outputting log information to a Linux log host
Network requirements
Configure the firewall to send log information that has a severity level of at least informational to the Linux log host at 1.2.0.1/16.
Figure 29 Network diagram
Configuration procedure
Before the configuration, make sure the firewall and the log host can reach each other. (Details not shown.)
1. Configure the firewall:
# Enable the information center.
NOTE: Be aware of the following issues while editing file /etc/syslog.conf:
• Comments must be on a separate line and must begin with a pound sign (#).
• No redundant spaces are allowed after the file name.
• The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the firewall by using the info-center loghost and info-center source commands. Otherwise, the log information might not be output properly to the log host.
2. Create a local user seclog with the password 123123123123, and authorize this user as the security log administrator. That is, use the authorization-attribute command to set the user privilege level to 3 and specify the user role as security audit. In addition, specify the service types that the user can use by using service-type.
Password:
# Display the summary of the security log file.
display security-logfile summary
Security-log is enabled.
Security-log file size quota: 1MB
Security-log file directory: cfa0:/seclog
Alarm-threshold: 80%
Current usage: 0%
Writing frequency: 1 hour 0 min 0 sec
The output shows that the directory for saving the security log file is cfa0:/seclog.
# Change the directory where the security log file is saved to cfa0:/securitylog.
mkdir securitylog
Managing logs
This chapter describes how to manage various types of logs.
Configuring syslog
Syslog can be configured only in the Web interface. The syslog module allows you to set parameters for the information center. The information center classifies and manages system information and it can output log information to the Web interface and log hosts.
Figure 31 Syslog
2. Configure syslog settings as described in Table 14.
3. Click Apply.
Table 14 Configuration items
Log Buffer Size: Set the number of syslogs that can be stored in the log buffer. Syslogs that can be stored in the log buffer include system logs, connection limit logs, attack prevention logs, blacklist logs, and interzone policy logs. The value range and default setting depend on the device model. For more information, see Table 15.
Log Host 1 to Log Host 4, Log Host IP Address: Set the address (IPv4 address, host name, or IPv6 address), port number and the VPN instance (this option is available only when you specify a log host with an IPv4 address or a host name) of the syslog log host. You can report log information to log hosts in the format of syslog. You can specify up to four syslog log hosts.
IMPORTANT: Support for the IPv6 log host depends on the device model.
Table 16 Packet format in user logging version 1.0
SourceIP: Source IP address.
DestIP: Destination IP address.
SrcPort: TCP/UDP source port number.
DestPort: TCP/UDP destination port number.
StartTime: Start time of the flow, in seconds, counted from 1970/1/1 0:0.
EndTime: End time of the flow, in seconds, counted from 1970/1/1 0:0.
Prot: Protocol.
Operator: Indicates the reason why the flow ended.
Reserved: For future applications.
Configuring user logging in the Web interface
Configuring user logging
To configure user logging:
1. Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 32.
Figure 32 User logging
2. Configure user logging settings as described in Table 18.
3. Click Apply.
Table 18 Configuration items
Description: Set the user logging version, 1.0 or 3.0.
Source IP Address of Packets: Set the source IP address of user logging packets. After you specify the source IP address, when Device A sends user logs to Device B, it uses the specified IP address instead of the actual egress address as the source IP address of the packets. In this way, although Device A sends out packets to Device B through different ports, Device B can determine whether the packets are sent from Device A according to their source IP addresses.
Figure 33 Viewing user logging statistics
Clearing user logs and user logging statistics
1. Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 32.
2. Click the Statistics expansion button on the page to display the information as shown in Figure 33.
3. Click Reset.
The system clears all user logging statistics for the device and user logs in the cache.
Step 2. Configure the user logging version.
Command: userlog flow export version version-number
Remarks: Optional. The default version is 1.0. Although the device supports two versions, only one can be active at one time. Therefore, if you configure the user logging version multiple times, the most recent configuration takes effect.
Configuring the source address for user logging packets
A source IP address is usually used to uniquely identify the sender of a packet.
To export user logs to an IPv4 log server:
1. Enter system view.
Command: system-view
Remarks: N/A
2. Configure the IPv4 address and UDP port number of the log server.
Command: userlog flow export [ vpn-instance vpn-instance-name ] host ipv4-address udp-port
Remarks: Not configured by default.
To export user logs to an IPv6 log server:
1. Enter system view.
Command: system-view
Remarks: N/A
2. Configure the IPv6 address and UDP port number of the log server.
Displaying and maintaining user logging
Display the configuration and statistics about user logging: display userlog export [ | { begin | exclude | include } regular-expression ] (Available in any view.)
Clear statistics about user logging: reset userlog flow export (Available in user view.)
Clear user logs in the cache: reset userlog flow logbuffer (Available in user view.)
Export Version 3 logs to log server : enabled
Source address of exported logs : 2.2.2.2
Address of log server : 1.2.3.6 (port: 2000)
total Logs/UDP packets exported : 112/87
Logs in buffer : 6
Troubleshooting user logging
Symptom 1: No user log is exported
• Analysis: No export approach is specified.
• Solution: Configure user logging to export user logs to the information center or to the log server.
Task: Configure the time threshold and/or traffic threshold for session logging. Remarks: Required.
Setting session logging thresholds
By default, both the time threshold and traffic threshold are 0, meaning that no session logging entries are output.
IMPORTANT: If both the time threshold and traffic threshold are configured, a log entry is output for the session as soon as it reaches either threshold, and the statistics of the session are then cleared.
Configuring a session logging policy
ACL: Specify the ACL for filtering log entries; only log entries permitted by the ACL will be output. The rules of the specified ACL can be configured on the page entered by selecting Firewall > ACL.
Setting session logging thresholds
1. Select Log Report > Session Log > Global Setup from the navigation tree to enter the page for setting session logging thresholds, as shown in Figure 37.
Figure 37 Global configuration page
User logs can be viewed in both the Web interface and the CLI; all other types of log information can be viewed only in the Web interface.
Displaying system logs
Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 38. Table 21 describes the configuration items.
Figure 38 Operation log configuration page
Table 21 Configuration items
Time/Date: Time when the system log was generated.
Severity level, description and value:
Information: Informational information to be recorded. Value 6.
Debug: Debug information. Value 7.
Note: A smaller value represents a higher severity level.
Displaying connection limit logs
Select Log Report > Report > Connection Limit Log from the navigation tree to enter the page as shown in Figure 39. Table 23 describes the configuration items.
Displaying attack prevention logs
Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page as shown in Figure 40. Table 24 describes the configuration items.
Figure 40 Attack prevention log configuration page
Table 24 Configuration items
Time: Time when the attack was detected.
Type: Attack type.
Interface: Interface that receives the attack packet.
Source IP: Source IP address of the attack packet.
Figure 41 Blacklist log configuration page
Table 25 Configuration items
Time/Date: Time when the log was generated.
Mode: Whether the log is added or removed.
Source IP: Source IP address.
Reason: Reason why the source IP address was added to the blacklist:
• Auto insert—The source IP address was automatically added to the blacklist by the system.
• Manual insert—The source IP address was manually added to the blacklist through the Web interface.
Hold Time: Hold time.
Policy ID: ID of the interzone policy that the flow matched.
Action: Action taken against the flow, permitted or denied.
Protocol Type: Protocol type of the flow.
Flow information:
• If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
Figure 44 User logging 3.0 log report
Table 27 User logging 1.0 configuration items
Time/Date: Time and date when the user log was generated.
Protocol Type: Protocol type of the flow log.
Flow Information:
• If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
Table 28 Flow logging 3.0 configuration items
Time/Date: Time and date when the flow log was generated.
Protocol Type: Protocol type of the flow.
Flow Information:
• If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69.
Configuring NTP
NTP can be configured only at the CLI. You must synchronize your device with a trusted time source by using the Network Time Protocol (NTP) or changing the system time before you run it on a live network. Various tasks, including network management, charging, auditing, and distributed computing depend on an accurate system time setting, because the timestamps of system messages and logs use the system time.
• Prior to the time synchronization, the time of Device A is set to 10:00:00 am and that of Device B is set to 11:00:00 am.
• Device B is used as the NTP server. Device A is to be synchronized to Device B.
• It takes 1 second for an NTP message to travel from Device A to Device B, and from Device B to Device A.
Figure 45 Basic work flow of NTP
The synchronization process is as follows:
• Device A sends Device B an NTP message, which is timestamped when it leaves Device A.
NTP uses two types of messages: clock synchronization messages and NTP control messages. NTP control messages are used in environments where network management is needed. Because NTP control messages are not essential for clock synchronization, they are not described in this document. A clock synchronization message is encapsulated in a UDP message, as shown in Figure 46.
• Precision—An 8-bit signed integer that indicates the precision of the local clock.
• Root Delay—Roundtrip delay to the primary reference source.
• Root Dispersion—The maximum error of the local clock relative to the primary reference source.
• Reference Identifier—Identifier of the particular reference source.
• Reference Timestamp—The local time at which the local clock was last set or corrected.
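The offset and delay arithmetic behind the Device A / Device B exchange above, plus a decoder for the hex NTP timestamp that display ntp-service status prints next to Reference time, as an added example (not code from the HP guide). The four timestamps t1 to t4 are constructed from the 10:00:00 / 11:00:00 / 1-second figures in the text, assuming Device B holds the request for 1 second before replying; the sample Reference time line is taken from the display output shown later in this chapter.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

# Constructed sample: a Reference time line in the display ntp-service status format.
SAMPLE_REFERENCE_LINE = "Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)"


def ntp_offset_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay from the four NTP timestamps.

    t1: client transmit (client clock)   t2: server receive (server clock)
    t3: server transmit (server clock)   t4: client receive (client clock)
    Standard NTP arithmetic (RFC 1305); it assumes both one-way delays are equal,
    so asymmetric paths show up as offset error, not as a detectable fault.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def page_scenario():
    """Device A at 10:00:00, Device B at 11:00:00, 1 s each way (figures from the text).
    t2 and t3 are constructed under the assumption that B replies 1 s after receipt."""
    day = datetime(2005, 9, 19)  # constructed date; only the time of day matters here
    t1 = day.replace(hour=10, minute=0, second=0)  # leaves A, stamped by A's clock
    t2 = day.replace(hour=11, minute=0, second=1)  # arrives at B, stamped by B's clock
    t3 = day.replace(hour=11, minute=0, second=2)  # leaves B, stamped by B's clock
    t4 = day.replace(hour=10, minute=0, second=3)  # arrives at A, stamped by A's clock
    offset, delay = ntp_offset_delay(t1, t2, t3, t4)
    corrected = t4 + offset  # the time A adopts after applying the offset
    return offset.total_seconds(), delay.total_seconds(), corrected.time().isoformat()


def decode_ntp_timestamp(hex_ts: str) -> datetime:
    """Decode the 'SSSSSSSS.FFFFFFFF' hex timestamp printed after Reference time.
    Seconds count from 1900 (era 0 only; the 32-bit field wraps in 2036),
    the fraction is a 32-bit binary fraction of a second."""
    secs_hex, frac_hex = hex_ts.split(".")
    secs = int(secs_hex, 16) - NTP_UNIX_EPOCH_DELTA
    micros = round(int(frac_hex, 16) * 1_000_000 / 2**32)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs, microseconds=micros)


_REF_RE = re.compile(
    r"Reference time: (\S+ UTC \w{3} \d{1,2} \d{4}) \(([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\)"
)


def reference_time_consistent(line: str) -> bool:
    """True when the human-readable and hex renderings of Reference time agree to the ms."""
    m = _REF_RE.search(line)
    if not m:
        raise ValueError("no Reference time field found")
    human = datetime.strptime(m.group(1), "%H:%M:%S.%f UTC %b %d %Y").replace(tzinfo=timezone.utc)
    decoded = decode_ntp_timestamp(m.group(2))
    return abs((decoded - human).total_seconds()) < 0.001


if __name__ == "__main__":
    print("offset/delay/corrected:", page_scenario())
    print("decoded:", decode_ntp_timestamp("C6D94F67.5EF9DB22").isoformat())
    print("consistent:", reference_time_consistent(SAMPLE_REFERENCE_LINE))
```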
Symmetric peers mode
Figure 48 Symmetric peers mode
In symmetric peers mode, devices that operate in symmetric active mode and symmetric passive mode exchange NTP messages with the Mode field 3 (client mode) and 4 (server mode). Then the device that operates in symmetric active mode periodically sends clock synchronization messages, with the Mode field in the messages set to 1 (symmetric active).
Multicast mode
Figure 50 Multicast mode
In multicast mode, a server periodically sends clock synchronization messages to the user-configured multicast address, or, if no multicast address is configured, to the default NTP multicast address 224.0.1.1, with the Mode field in the messages set to 5 (multicast mode). Clients listen to the multicast messages from servers.
Figure 51 Network diagram
NTP configuration task list
• Configuring NTP operation modes: Required.
• Configuring the local clock as a reference source: Optional.
• Configuring optional parameters for NTP: Optional.
• Configuring access-control rights: Optional.
• Configuring NTP authentication: Optional.
Configuring NTP operation modes
Devices can implement clock synchronization in one of the following modes:
• Client/server mode—Configure only clients.
1. Enter system view.
Command: system-view
Remarks: N/A
2. Specify an NTP server for the device.
Command: ntp-service unicast-server [ vpn-instance vpn-instance-name ] { ip-address | server-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
Remarks: By default, no NTP server is specified. You can configure multiple servers by repeating the command. The clients will select the optimal reference source.
Configuring a broadcast client
1. Enter system view.
Command: system-view
Remarks: N/A
2. Enter interface view.
Command: interface interface-type interface-number
Remarks: This command enters the view of the interface for sending NTP broadcast messages.
3. Configure the device to operate in NTP broadcast client mode.
Command: ntp-service broadcast-client
Remarks: N/A
Configuring the broadcast server
1. Enter system view.
Command: system-view
Remarks: N/A
2. Enter interface view.
2. Enter interface view.
Command: interface interface-type interface-number
Remarks: This command enters the view of the interface for sending NTP multicast messages.
3. Configure the device to operate in NTP multicast server mode.
Command: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
Remarks: A multicast server can synchronize broadcast clients only when its clock has been synchronized.
Configuration guidelines
• The source interface for NTP unicast messages is the interface specified in the ntp-service unicast-server or ntp-service unicast-peer command.
• The source interface for NTP broadcast or multicast messages is the interface where you configure the ntp-service broadcast-server or ntp-service multicast-server command.
Configuration procedure
To specify the source interface for NTP messages:
1. Enter system view.
2. Specify the source interface for NTP messages.
• Broadcast or multicast mode—Static associations are created on the server, and dynamic associations are created on the client.
• A single device can have a maximum of 128 concurrent associations, including static associations and dynamic associations.
To configure the allowed maximum number of dynamic sessions:
1. Enter system view.
Command: system-view
Remarks: N/A
2. Configure the maximum number of dynamic sessions allowed to be established locally.
2. Configure the NTP service access-control right for a peer device to access the local device.
Command: ntp-service access { peer | query | server | synchronization } acl-number
Remarks: The default is peer.
Configuring NTP authentication
Enable NTP authentication for a system running NTP in a network where there is a high security demand.
5. Associate the specified key with an NTP server.
Command: ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid
Remarks: You can associate a non-existing key with an NTP server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the NTP server.
Configuring NTP authentication for a server
1. Enter system view.
Command: system-view
Remarks: N/A
2. Enable NTP authentication.
3. Configure an NTP authentication key.
Command: ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
Remarks: By default, no NTP authentication key is configured.
4. Configure the key as a trusted key.
Command: ntp-service reliable authentication-keyid keyid
Remarks: By default, no authentication key is configured to be trusted.
Command: ntp-service unicast-peer { ip-address | peer-name } authentication-keyid keyid
Remarks: You can associate a non-existing key with a passive peer.
3. Configure an NTP authentication key.
Command: ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
Remarks: By default, no NTP authentication key is configured. Configure the same authentication key on the client and server.
4. Configure the key as a trusted key.
Command: ntp-service reliable authentication-keyid keyid
Remarks: By default, no authentication key is configured to be trusted.
Configuring NTP authentication for a broadcast server
3. Configure an NTP authentication key.
Command: ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
Remarks: By default, no NTP authentication key is configured. Configure the same authentication key on the client and server.
4. Configure the key as a trusted key.
Command: ntp-service reliable authentication-keyid keyid
Remarks: By default, no authentication key is configured to be trusted.
Configuring NTP authentication for a multicast server
NTP configuration examples
Configuring NTP client/server mode
In this example, Device A is the Firewall.
Network requirements
Perform the following configurations to synchronize the time between Device B and Device A:
• As shown in Figure 52, the local clock of Device A is to be used as a reference source, with the stratum level 2.
• Device B operates in client/server mode and Device A is to be used as the NTP server of Device B.
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)
The output shows that Device B has synchronized to Device A. The stratum level of Device B is 3, and that of Device A is 2.
# Display NTP session information for Device B, which shows that an association has been set up between Device B and Device A.
2. Configure Firewall A:
# Specify the local clock as the reference source, with the stratum level 2.
system-view
[FirewallA] ntp-service refclock-master 2
3. Configure Firewall B:
# Specify Firewall A as the NTP server of Firewall B.
system-view
[FirewallB] ntp-service unicast-server 3.0.1.31
4. Configure Firewall C (after Firewall B is synchronized to Firewall A):
# Specify the local clock as the reference source, with the stratum level 1.
Configuring NTP broadcast mode
Network requirements
As shown in Figure 54, Firewall C functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices.
• Firewall C's local clock is to be used as a reference source, with the stratum level 2.
• Firewall C operates in broadcast server mode and sends broadcast messages from GigabitEthernet 0/1.
system-view
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ntp-service broadcast-client
Firewall A and Firewall B get synchronized upon receiving a broadcast message from Firewall C.
# Take Firewall A as an example. Display the NTP status of Firewall A after clock synchronization.
[FirewallA-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.
Figure 55 Network diagram (Firewall B as NTP multicast server, Firewall A and Firewall C as NTP multicast clients, with a Device between them; interface addresses as extracted from the figure: GE0/1 3.0.1.31/24, GE0/1 1.0.1.11/24, GE0/1 1.0.1.10/24, GE0/2 3.0.1.30/24, GE0/1 3.0.1.32/24)
Configuration procedure
1. Set the IP address for each interface as shown in Figure 55. (Details not shown.)
2. Configure Firewall B:
# Specify the local clock as the reference source, with the stratum level 2.
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) The output shows that Firewall C has synchronized to Firewall B. The stratum level of Firewall C is 3, and that of Firewall B is 2. # Display NTP session information for Firewall C, which shows that an association has been set up between Firewall C and Firewall B.
source reference stra reach poll now offset delay disper
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 2 255 64 26 -16.0 40.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
For more information about how to configure IGMP and PIM, see Network Management Configuration Guide.
# Set an authentication key.
[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key as a trusted key.
[DeviceA] ntp-service reliable authentication-keyid 42
# Display the NTP status of Device B after clock synchronization.
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.
Figure 57 Network diagram
Configuration procedure
1. Set the IP address for each interface as shown in Figure 57. (Details not shown.)
2. Configure Firewall A:
# Configure Firewall A to operate in NTP broadcast client mode and receive NTP broadcast messages on GigabitEthernet 0/1.
system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ntp-service broadcast-client
3. Configure Firewall B:
# Enable NTP authentication on Firewall B.
[FirewallA-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that Firewall A has synchronized to Firewall C. The stratum level of Firewall A is 4, and that of Firewall C is 3.
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that Firewall B has synchronized to Firewall C.
Configuring RMON
RMON can be configured only at the CLI.
Overview
Remote Monitoring (RMON) is an enhancement to SNMP for remote device management and traffic monitoring. An RMON monitor, typically the RMON agent embedded in a network device, periodically or continuously collects traffic statistics for the network attached to a port, and when a statistic crosses a threshold, logs the crossing event and sends a trap to the management station.
History group
The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the history record table (ethernetHistoryTable). The statistics include bandwidth utilization, number of error packets, and total number of packets. The history statistics table records traffic statistics collected for each sampling interval. The sampling interval is user-configurable.
Private alarm group
The private alarm group calculates the values of alarm variables and compares the results with the defined threshold for a more comprehensive alarming function. The system handles the private alarm entry (as defined by the user) in the following ways:
• Periodically samples the private alarm variables defined in the private alarm formula.
• Calculates the sampled values based on the private alarm formula.
• The device supports up to 100 history control entries.
• You can successfully create a history control entry, even if the specified bucket size exceeds the history table size supported by the device. However, the effective bucket size will be the actual value supported by the device.
To configure the RMON history statistics function:
1. Enter system view.
Command: system-view
2. Enter Ethernet interface view.
Command: interface interface-type interface-number
Table 29 RMON configuration restrictions
Event: parameters to be compared are the event description (description string), event type (log, trap, logtrap or none) and community name (trap-community or log-trapcommunity); maximum number of entries: 60.
Alarm: parameters to be compared are the alarm variable (alarm-variable), sampling interval (sampling-interval), sampling type (absolute or delta), rising threshold (threshold-value1) and falling threshold (threshold-value2); maximum number of entries: 60.
Prialarm: parameters to be compared are the alarm variable formula (alarm-variable), sampling inter
Figure 59 Network diagram
Configuration procedure
# Configure the RMON statistics group on the RMON agent to gather statistics for GigabitEthernet 0/1.
system-view
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] rmon statistics 1 owner user1
# Display statistics collected by the RMON agent for GigabitEthernet 0/1.
display rmon statistics gigabitethernet 0/1
EtherStatsEntry 1 owned by user1-rmon is VALID.
Interface : Gigabitethernet0/1
Configuration procedure
# Configure the RMON history group on the RMON agent to gather traffic statistics every minute for GigabitEthernet 0/1. Retain up to eight records for the interface in the history statistics table.
system-view
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] rmon history 1 buckets 8 interval 60 owner user1
# Display the history data collected for GigabitEthernet 0/1.
  packets : 9 , broadcast packets : 2
  multicast packets : 6 , CRC alignment errors : 0
  undersize packets : 0 , oversize packets : 0
  fragments : 0 , jabbers : 0
  collisions : 0 , utilization : 0
Sampled values of record 7 :
  dropevents : 0 , octets : 766
  packets : 7 , broadcast packets : 0
  multicast packets : 6 , CRC alignment errors : 0
  undersize packets : 0 , oversize packets : 0
  fragments : 0 , jabbers : 0
  collisions : 0 , utilization : 0
Sampled values of record 8 :
  drop
[Firewall] snmp-agent trap enable
[Firewall] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname public
# Configure the RMON statistics group to gather traffic statistics for GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] rmon statistics 1 owner user1
[Firewall-GigabitEthernet0/1] quit
# Create an RMON event entry and an RMON alarm entry so the RMON agent sends traps when the delta sampling value of node 1.3.6.1.2.1.16.1.1.1.4.
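The alarm logic that the alarm, private alarm and event group descriptions above rely on (absolute or delta sampling, a rising and a falling threshold, one event per crossing) is easy to get wrong when writing your own poller or when reasoning about why an agent did not send a second trap. The following Python model is an added example written for this guide's reader; it is not the firewall's implementation. The counter values, the thresholds and the average-frame-size formula used for the private alarm are constructed for the example. Its hysteresis rule follows the RMON MIB (RFC 2819): after a rising event, no further rising event is generated until the value has crossed the falling threshold, and vice versa.

```python
# Added example: a model of RMON alarm / private alarm evaluation (not the device's code).
# Thresholds, counter values and the private-alarm formula below are constructed.


class RmonAlarm:
    """One RMON alarm entry: samples a variable and compares it with rising/falling thresholds."""

    def __init__(self, sample_type, rising, falling, startup="risingOrFalling"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be absolute or delta")
        if rising < falling:
            raise ValueError("rising threshold must not be below falling threshold")
        self.sample_type = sample_type
        self.rising = rising
        self.falling = falling
        self.startup = startup          # which crossing may fire on the very first sample
        self.last_raw = None            # previous raw counter value (for delta sampling)
        self.last_event = None          # "rising" or "falling": arms the opposite threshold

    def sample(self, raw):
        """Feed one raw sample; return "rising", "falling" or None (no event)."""
        if self.sample_type == "delta":
            if self.last_raw is None:   # a delta needs two samples
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        if value >= self.rising:
            fire = (self.last_event == "falling"
                    or (self.last_event is None and self.startup in ("rising", "risingOrFalling")))
            self.last_event = "rising"
            return "rising" if fire else None
        if value <= self.falling:
            fire = (self.last_event == "rising"
                    or (self.last_event is None and self.startup in ("falling", "risingOrFalling")))
            self.last_event = "falling"
            return "falling" if fire else None
        return None                     # between the thresholds: state is unchanged


class PrivateAlarm:
    """Private alarm entry: evaluates a user formula over several variables, then applies
    ordinary alarm-threshold logic to the result."""

    def __init__(self, formula, alarm):
        self.formula = formula          # callable taking a dict of variable name -> value
        self.alarm = alarm              # an RmonAlarm that judges the formula's result

    def sample(self, variables):
        return self.alarm.sample(self.formula(variables))


def run_delta_octets_example():
    """Delta-sample an octet counter (constructed values) and collect the events raised."""
    alarm = RmonAlarm("delta", rising=1500, falling=200)
    counter_samples = [0, 1000, 3000, 4000, 4100, 6000, 8000]
    return [alarm.sample(v) for v in counter_samples]


def run_private_alarm_example():
    """Alarm on average frame size (octets / packets), a constructed private-alarm formula."""
    avg_size = PrivateAlarm(
        lambda v: v["octets"] // max(v["packets"], 1),
        RmonAlarm("absolute", rising=1000, falling=300),
    )
    samples = [
        {"octets": 766, "packets": 7},      # ~109 bytes/frame: at or below the falling threshold
        {"octets": 45000, "packets": 40},   # 1125 bytes/frame: rising crossing
        {"octets": 30000, "packets": 40},   # 750: between thresholds, no event
        {"octets": 1200, "packets": 12},    # 100: falling crossing re-arms the rising alarm
    ]
    return [avg_size.sample(s) for s in samples]
```

Note the last sample of the delta run: a second delta of 2000 octets stays above the rising threshold but raises nothing, which is exactly why an NMS that expects a trap per interval must poll the table instead.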
Configuring SNMP
SNMP can be configured only at the CLI. This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure.
Overview
SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.
Figure 63 MIB tree
A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege and is identified by a view name. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible. A MIB view can have multiple view records each identified by a view-name oid-tree pair. You control access to the MIB by assigning MIB views to SNMP groups or communities.
Configuring SNMP basic parameters
SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate sections.
Configuring SNMPv3 basic parameters
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable the SNMP agent.
    Command: snmp-agent
    Remarks: Optional. By default, the SNMP agent is disabled.
Step 3. Configure system information for the SNMP agent.
Step 6. Configure an SNMPv3 group.
    Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
Step 7. Convert a plaintext key to a ciphertext (encrypted) key.
    Command: snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | md5 | sha } { local-engineid | specified-engineid engineid }
    Remarks: Optional.
Step 8. Add a user to the SNMPv3 group.
Step 5. Create or update a MIB view.
    Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
    Remarks: Optional. By default, the MIB view ViewDefault is predefined and its OID is 1. Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB subtree masks multiple times, the last configuration takes effect. Except for the four subtrees in the default MIB view, you can create up to 16 unique MIB view records.
• (Approach 1.
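To make the view-record rules above concrete (included versus excluded subtrees, the last configuration of a view-name oid-tree pair winning, and masks that wildcard sub-identifiers), here is an added Python model of MIB view evaluation; it is not the device's code, and the CLI's mask-value format is not reproduced: masks are written as a string of 1/0 bits, one per sub-identifier, which is a representation chosen for the example. The view named test and the OIDs come from this chapter's own configuration example; the two other views are constructed. The decision rule (longest matching subtree wins, ties broken by the lexicographically greater subtree) is the one in the RFC 3415 VACM view-tree family table.

```python
# Added example: a model of SNMP MIB view evaluation (not the device's code). Masks are
# given as '1'/'0' strings per sub-identifier, a representation chosen for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewRecord:
    subtree: tuple   # OID subtree as a tuple of ints
    included: bool   # True for "included", False for "excluded"
    mask: str        # one '1'/'0' per sub-identifier; '0' = wildcard. "" means all ones


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def record_matches(record, oid):
    """True if oid lies under the record's subtree, honouring wildcard mask bits."""
    if len(oid) < len(record.subtree):
        return False
    for i, sub in enumerate(record.subtree):
        must_match = record.mask[i] == "1" if i < len(record.mask) else True
        if must_match and oid[i] != sub:
            return False
    return True


class MibView:
    """A named MIB view: view records keyed by subtree, so that repeating the same
    view-name/oid-tree pair replaces the earlier record (the last configuration wins)."""

    def __init__(self, name):
        self.name = name
        self.records = {}

    def add(self, included, subtree, mask=""):
        rec = ViewRecord(parse_oid(subtree), included, mask)
        self.records[rec.subtree] = rec
        return self

    def allows(self, oid_text):
        """Decide access for one object instance: the matching record with the longest
        subtree wins (ties: lexicographically greater subtree), as in RFC 3415 VACM."""
        oid = parse_oid(oid_text)
        matches = [r for r in self.records.values() if record_matches(r, oid)]
        if not matches:
            return False          # covered by no record: inaccessible
        best = max(matches, key=lambda r: (len(r.subtree), r.subtree))
        return best.included


def build_views():
    """Three views: one mirrors this chapter's example, two are constructed."""
    # Mirrors "snmp-agent mib-view included test snmp": only the snmp subtree is visible.
    test = MibView("test").add(True, "1.3.6.1.2.1.11")
    # Constructed: all of mib-2 visible except the system group (excluded record under an included one).
    no_system = (MibView("no-system")
                 .add(True, "1.3.6.1.2.1")
                 .add(False, "1.3.6.1.2.1.1"))
    # Constructed: every column of the ifTable row with ifIndex 1; the column sub-identifier is wildcarded.
    if1_only = MibView("if1-only").add(True, "1.3.6.1.2.1.2.2.1.1.1", mask="11111111101")
    return test, no_system, if1_only
```

Run against the view named test, the OID for the count of sent traps (1.3.6.1.2.1.11.29) is allowed while sysName.0 (1.3.6.1.2.1.1.5.0) is refused, which is the noSuchObject response shown later in this chapter's verification step.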
• Get operation—The agent logs the IP address of the NMS, name of the accessed node, and node OID. • Set operation—The agent logs the NMS' IP address, name of accessed node, node OID, variable value, and error code and index for the Set operation. The SNMP module sends these logs to the information center as informational messages. You can configure the information center to output these messages to certain destinations, for example, the console and the log buffer.
Step Command Remarks Enable traps globally.
Step 4. Extend the standard linkUp/linkDown traps.
    Command: snmp-agent trap if-mib link extended
    Remarks: Optional. By default, standard linkUp/linkDown traps are used. Extended linkUp/linkDown traps add interface description and interface type to standard linkUp/linkDown traps. If the NMS does not support extended SNMP messages, use standard linkUp/linkDown traps.
Step 5. Configure the trap queue size.
    Remarks: Optional. The default trap queue size is 100.
Task / Command / Remarks
Display SNMPv1 or SNMPv2c community information.
    Command: display snmp-agent community [ read | write ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display MIB view information.
    Command: display snmp-agent mib-view [ exclude | include | viewname view-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
SNMP configuration examples
In this section, Agent is the firewall that runs routing protocols.
# Configure the SNMP version for the NMS as v1 or v2c, create a read-only community and name it public, and create a read and write community and name it private. For information about configuring the NMS, see the NMS manual.
NOTE: The SNMP settings on the agent and the NMS must match.
3. Verify the configuration:
# Try to get the count of sent traps from the agent. The attempt succeeds.
Send request to 1.1.1.1/161 ...
Protocol version: SNMPv1
Operation: Get
Request binding:
1: 1.3.6.1.2.1.11.29.
# Assign the NMS read and write access to the objects under the snmp node (OID 1.3.6.1.2.1.11), and deny its access to any other MIB object.
system-view
[Agent] undo snmp-agent mib-view ViewDefault
[Agent] snmp-agent mib-view included test snmp
[Agent] snmp-agent group v3 managev3group read-view test write-view test
# Set the username to managev3user, authentication algorithm to MD5, authentication key to authkey, encryption algorithm to DES56, and privacy key to prikey.
1: 1.3.6.1.2.1.1.5.0
Response binding:
1: Oid=sysName.0 Syntax=noSuchObject Value=NULL
Get finished
# Execute the shutdown or undo shutdown command on an idle interface on the agent. You can see the interface state change traps on the NMS:
1.1.1.1/3374 V3 Trap = linkdown
SNMP Version = V3
Community = managev3user
Command = Trap
1.1.1.
%Nov 23 16:10:09:482 2011 Agent SNMP/6/SNMP_GET: -seqNO=27-srcIP=1.1.1.2-op=GET-node=sysUpTime(1.3.6.1.2.1.1.3.0)-value=-node=ifHCOutOctets(1.3.6.1.2.1.31.1.1.1.10.1)-value=;
The agent received a message.
Use the NMS to set a MIB variable on the agent. The following is a sample log message displayed on the configuration terminal:
%Nov 23 16:16:42:581 2011 Agent SNMP/6/SNMP_SET: -seqNO=37-srcIP=1.1.1.2-op=SET-errorIndex=0-errorStatus=noError-node=sysLocation(1.3.6.1.2.1.1.6.
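Because the information center can forward these SNMP_GET/SNMP_SET messages to a log host, they are a cheap audit trail for who changes the device over SNMP. The following Python parser and audit routine is an added example, not code from the guide or the device: it parses the log format shown above into fields and flags every SET that did not come from the expected NMS, plus any SET the agent refused. The first sample line is the GET message from the text; the SET lines are constructed in the same format (the instance suffix, the value and the second source address are not from the page). Values containing a hyphen would need a stricter field regex than the one used here.

```python
# Added example: parsing and auditing SNMP operation logs of the kind shown above
# (not the device's code). SAMPLE_LOG[0] is from the text; the SET lines are constructed.
import re

HEADER = re.compile(
    r"^%(?P<time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) SNMP/(?P<severity>\d)/(?P<mnemonic>SNMP_GET|SNMP_SET): (?P<body>.*)$"
)
FIELD = re.compile(r"-(\w+)=([^-;]*)")          # -key=value pairs; values hold no '-'
NODE = re.compile(r"^(?P<name>[^(]+)\((?P<oid>[\d.]+)\)$")

SAMPLE_LOG = [
    # From the text: a Get of two objects from NMS 1.1.1.2.
    "%Nov 23 16:10:09:482 2011 Agent SNMP/6/SNMP_GET: -seqNO=27-srcIP=1.1.1.2-op=GET"
    "-node=sysUpTime(1.3.6.1.2.1.1.3.0)-value=-node=ifHCOutOctets(1.3.6.1.2.1.31.1.1.1.10.1)-value=;",
    # Constructed: a successful Set from the trusted NMS.
    "%Nov 23 16:16:42:581 2011 Agent SNMP/6/SNMP_SET: -seqNO=37-srcIP=1.1.1.2-op=SET"
    "-errorIndex=0-errorStatus=noError-node=sysLocation(1.3.6.1.2.1.1.6.0)-value=Lab;",
    # Constructed: a refused Set from a host that is not the NMS.
    "%Nov 23 16:20:01:007 2011 Agent SNMP/6/SNMP_SET: -seqNO=41-srcIP=10.0.0.99-op=SET"
    "-errorIndex=1-errorStatus=noAccess-node=sysName(1.3.6.1.2.1.1.5.0)-value=other;",
]


def parse_snmp_log(line):
    """Return a dict for one SNMP_GET/SNMP_SET log line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = {k: m.group(k) for k in ("time", "sysname", "severity", "mnemonic")}
    entry["nodes"] = []
    for key, value in FIELD.findall(m.group("body")):
        if key == "node":
            nm = NODE.match(value)
            entry["nodes"].append({"name": nm.group("name") if nm else value,
                                   "oid": nm.group("oid") if nm else "",
                                   "value": ""})
        elif key == "value" and entry["nodes"]:
            entry["nodes"][-1]["value"] = value   # a value belongs to the node before it
        else:
            entry[key] = value
    return entry


def audit(lines, trusted_nms):
    """Flag SET operations from hosts other than the trusted NMS, and any failed SET."""
    findings = []
    for line in lines:
        e = parse_snmp_log(line)
        if e is None or e["mnemonic"] != "SNMP_SET":
            continue
        src = e.get("srcIP", "?")
        if src not in trusted_nms:
            findings.append(f"seq {e.get('seqNO')}: SET from untrusted NMS {src}")
        if e.get("errorStatus", "noError") != "noError":
            findings.append(f"seq {e.get('seqNO')}: SET from {src} failed with {e['errorStatus']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, trusted_nms={"1.1.1.2"}):
        print(finding)
```

A refused SET is worth a finding even from a trusted address: with the MIB view from this chapter's example, a write outside the snmp subtree fails, and a burst of such failures is the first sign that an NMS account or community string is being used for something it was not configured for.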
Configuring RSH
RSH can be configured only at the CLI.
Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon. The RSH daemon must be separately obtained and installed on the remote host. The RSH daemon supports authentication of an RSH client by the username. Figure 67 shows a network diagram for the typical RSH application.
Figure 68 Network diagram
Configuration procedure
1. Check that the RSH daemon has been installed and started properly on the remote host:
a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.)
Figure 69 Administrative Tools folder
b. Double-click the Services icon to display the Services window.
Figure 70 Services window
c.
d. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet.
e. Double-click the Remote Shell Daemon service row, and then in the Remote Shell Daemon Properties pop-up window, click Start to start the service, as shown in Figure 71.
Figure 71 Remote Shell Daemon Properties window
2. Configure the firewall:
# Configure a route to the remote host. (Details not shown.)
# Set the time of the host remotely.
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Stages / Description
Key exchange: The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client also authenticates the server.
Authentication: The SSH server authenticates the client in response to the client's authentication request.
In a password authentication process, if the remote AAA server requires a secondary password authentication from the user, it sends the SSH server an authentication response with a prompt. The prompt is transparently transmitted to the client and displayed on the client to notify the user to enter the specified password. After the user enters the correct password and passes the validity check by the remote AAA server, the device returns an authentication success message to the client.
Task / Remarks
Configuring a client's host public key: Required if publickey authentication is configured for users and the clients directly send the public keys to the server for validity check.
See VPN Configuration Guide.
Configuring the PKI domain of the client certificate: Required if publickey authentication is configured for users and the clients send the public keys to the server through digital certificates for validity check.
When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at a time.
To enable the SSH server function:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable the SSH server function.
    Command: ssh server enable
    Remarks: Disabled by default.
Enabling the SFTP server function
The SFTP server function enables clients to log in to the SFTP server through SFTP.
Step 4. Configure the user interface to support SSH login.
    Command: protocol inbound { all | ssh }
    Remarks: Optional. By default, Telnet and SSH are supported. For more information about this command, see Getting Started Command Reference.
Configuring a client's host public key
This configuration task is only necessary if publickey authentication is configured for users and the clients directly send the public key to the server for authentication.
Step 5. Return to public key view and save the configured host public key.
    Command: public-key-code end
    Remarks: When you exit public key code view, the system automatically saves the public key.
Step 6. Return to system view.
    Command: peer-public-key end
    Remarks: N/A
Importing a client public key from a public key file
Step 1. Enter system view.
    Command: system-view
Step 2. Import the public key from a public key file.
• If publickey authentication, whether with password authentication or not, is used, the command level accessible to the user is set by the user privilege level command on the user interface. If only password authentication is used, the command level accessible to the user is authorized by AAA.
• SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all.
Step 2. Enable the SSH server to support SSH1 clients.
    Command: ssh server compatible-ssh1x enable
    Remarks: Optional. By default, the SSH server supports SSH1 clients.
Step 3. Set the RSA server key pair update interval.
    Command: ssh server rekey-interval hours
    Remarks: Optional. By default, the interval is 0, and the RSA server key pair is not updated.
Step 4. Set the SSH user authentication timeout period.
    Command: ssh server authentication-timeout time-out-value
    Remarks: Optional. 60 seconds by default.
Step 5.
    Remarks: Optional. 3 by default.
Hardware / Feature compatible
U200-S: No
By default, a Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server as the source IP address to communicate with the Stelnet server. You can change the source IP address or specify a source interface for the client.
Disabling first-time authentication
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Disable first-time authentication.
    Command: undo ssh client first-time
    Remarks: Enabled by default.
Step 3. Configure the server host public key.
    Command: See "Configuring a client's host public key."
    Remarks: The method for configuring the server host public key on the client is similar to that for configuring the client public key on the server.
Step 4. Specify the host public key name of the server.
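What the procedure above changes on the client side is the decision taken when the server presents its host public key during key exchange: with first-time authentication enabled, an unknown server is accepted (the "The Server is not authenticated." prompt later in this chapter); with it disabled, the client accepts only a server whose public key was configured in advance, which is what protects the first connection against an impostor. The following Python is an added example of that client-side check, not the device's code. The ssh-rsa key is a constructed wire blob with a toy modulus so the fingerprint arithmetic can run offline; the server name and pinned values are constructed too. Remembering an accepted key under first-time mode is how this model behaves and is stated as an assumption, not as a description of the firewall's behaviour.

```python
# Added example (not the device's code): the client-side host key check behind
# "first-time authentication". The key material below is constructed and insecure.
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_key_line():
    """Build an OpenSSH-style 'ssh-rsa <base64>' line from a toy (insecure) key."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3\x4f\x1b")
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of the key blob in a 'type base64' line."""
    key_type, b64 = key_line.split()[:2]
    if key_type not in ("ssh-rsa", "ssh-dss"):
        raise ValueError(f"unsupported key type {key_type}")
    blob = base64.b64decode(b64)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return f"SHA256:{digest}"


class HostKeyStore:
    """Known-hosts table for an SSH client, with first-time authentication on or off."""

    def __init__(self, pinned=None, first_time=True):
        self.pinned = dict(pinned or {})   # server name -> expected fingerprint
        self.first_time = first_time       # True: accept unknown servers (assumption: and remember them)

    def verify(self, server, key_line):
        """Return (accepted, reason). Only an accepted key should be used for key exchange."""
        fp = fingerprint(key_line)
        expected = self.pinned.get(server)
        if expected is not None:
            if fp == expected:
                return True, "host key matches the configured server public key"
            return False, f"host key mismatch for {server}: got {fp}, pinned {expected}"
        if self.first_time:
            self.pinned[server] = fp       # trust on first use: remembered for next time
            return True, "server not authenticated; key accepted under first-time authentication"
        return False, f"first-time authentication disabled and no key configured for {server}"


if __name__ == "__main__":
    key = constructed_rsa_key_line()
    strict = HostKeyStore(first_time=False)            # undo ssh client first-time
    print(strict.verify("stelnet-server", key))        # rejected: nothing pinned
    strict.pinned["stelnet-server"] = fingerprint(key) # assign publickey for the server
    print(strict.verify("stelnet-server", key))        # accepted
```

The mismatch branch is the one to log and alert on: once a server's key is configured, a different fingerprint from the same address means either a re-keyed server (the rekey-interval setting above rotates the RSA server key pair) or a host answering in its place, and the client should not proceed until an operator has decided which.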
Task / Command / Remarks
• Establish a connection to an IPv4 server:
    { In non-FIPS mode:
    ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    { Establish
Task / Remarks
Displaying help information: Optional.
Terminating the connection with the SFTP server: Optional.
Hardware / Feature compatible
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
You can launch the SFTP client to establish a connection to an SFTP server, and specify the public key algorithm, the preferred encryption algorithm, preferred HMAC algorithm, and preferred key exchange algorithm. After the connection is established, you can directly enter SFTP client view on the server to perform directory and file operations.
Working with SFTP directories
SFTP directory operations include:
• Changing or displaying the current working directory
• Displaying files under a specified directory or the directory information
• Changing the name of a specified directory on the server
• Creating or deleting a directory
To work with the SFTP directories:
Step 1. Enter SFTP client view.
    Command: For more information, see "Establishing a connection to an SFTP server."
    Remarks: N/A
Step 2.
Change the name of a specified file on the SFTP server.
    Command: rename old-name new-name
    Remarks: Optional.
Download a file from the remote server and save it locally.
    Command: get remote-file [ local-file ]
    Remarks: Optional.
Step 4. Upload a local file to the SFTP server.
    Command: put local-file [ remote-file ]
    Remarks: Optional.
Step 5. Display the files under a specified directory.
    Command:
    • dir [ -a | -l ] [ remote-path ]
    • ls [ -a | -l ] [ remote-path ]
Step 6. Delete one or more directories from the SFTP server.
SCP client configuration task list
Task / Remarks
Enabling and disabling first-time authentication: Optional.
Transferring files with an SCP server: Required.
Transferring files with an SCP server
Task: Connect to the SCP server, and transfer files with the server.
    Command:
    • Upload a file to the SCP server:
Task / Command / Remarks
Display information about one or all SSH users on an SSH server.
    Command: display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display the public keys of the local key pairs.
    Command: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display the public keys of the SSH peers.
[Firewall] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server function.
Figure 74 Specifying the host name (or IP address)
c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the command-line interface of the server.
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports a variety of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY Version 0.58 on the Stelnet client.
Configuration procedure
1. Generate an RSA key pair on the Stelnet client:
a. Launch PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 77 Generating process
b. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
c. Likewise, to save the private key, click Save private key. A warning window pops up to ask whether you want to save the private key without any protection.
d. Click Yes and enter the name of the file for saving the key (private.ppk in this case).
e. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Firewall] public-key local create rsa
The range of public key size is (512 ~ 2048).
[Firewall] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server:
a. Launch PuTTY.exe on the Stelnet client to enter the following interface.
b. In the Host Name (or IP address) field, enter the IP address of the Stelnet server, 192.168.1.40.
Figure 79 Specifying the host name (or IP address)
c. Select Connection > SSH > Auth from the navigation tree.
d.
Figure 80 Specifying the private key file
e. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server.
When the firewall acts as a Stelnet client for password authentication
Network requirements
As shown in Figure 81, you can log in to the router through the Stelnet client running on the firewall.
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++
++++++++++++++
+++++
++++++++
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
[Firewall] quit
{ If the client supports first-time authentication, you can directly establish a connection from the client to the server.
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.168.1.40 ...
The Server is not authenticated.
# Specify the host public key for the Stelnet server (192.168.1.40) as key1.
[Firewall] ssh client authentication server 192.168.1.40 assign publickey key1
[Firewall] quit
# Establish an SSH connection to SSH server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40
Press CTRL+K to abort
Connected to 192.168.1.40...
Enter password:
After you enter the correct username and password, you can log in to the router successfully.
# Export the DSA public key to file key.pub.
[Firewall] public-key local export dsa ssh2 key.pub
[Firewall] quit
Then, you transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
# Specify the authentication method for user client002 as publickey, and assign the public key ClientKey to the user.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server:
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client002
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.168.1.40 ...
The Server is not authenticated.
+++++
++++++++
# Generate a DSA key pair.
[Firewall] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server function.
[Firewall] ssh server enable
# Enable the SFTP server.
Figure 84 SFTP client interface
When the firewall acts as an SFTP client for publickey authentication
Network requirements
As shown in Figure 85, you can log in to the router through the SFTP client that runs on the firewall. The router acts as the SFTP server, adopting publickey authentication and the RSA public key algorithm.
Figure 85 Network diagram
Configuration considerations
In the server configuration, the client public key is required.
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++
++++++++++++++
+++++
++++++++
# Export the host public key to file pubkey.
[Firewall] public-key local export rsa ssh2 pubkey
[Firewall] quit
Then, you transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2.
# Set the authentication mode of the user interface to AAA.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
# Enable the user interface to support SSH.
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
# Import the peer public key from the file pubkey, and name it RouterKey.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
# Rename the directory new1 to new2 and check that the directory name has been changed successfully.
Network requirements
As shown in Figure 86, the firewall acts as an SCP client and the router acts as an SCP server. A user can securely transfer files with the router through the firewall. The router uses the password authentication method, and the client's username and password are saved on the router.
Figure 86 Network diagram
Configuration procedure
1. Configure the SCP server:
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
# Enable the user interface to support SSH.
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
# Create a local user named client001 with the password aabbcc and service type ssh.
[Router] local-user client001
[Router-luser-client001] password simple aabbcc
[Router-luser-client001] service-type ssh
[Router-luser-client001] quit
# (Optional.) Configure the SSH user client001 with service type scp and authentication method password.
Configuring virtual firewalls
Feature and hardware compatibility
Hardware / Virtual firewall compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
Overview
The virtualization technology can virtualize a physical device into multiple logical devices called "virtual devices" (VDs).
service, and session resources, its own security zones and security zone-based security policies, and its own connection limits, blacklist, and port scanning and flood attack detection policies and information.
VD applications
The VD technology is widely used in scenarios such as device renting, service hosting, and student labs. As shown in Figure 88, LAN 1, LAN 2, and LAN 3 are three companies' LANs.
Configuring VDs in the Web interface
Recommended configuration procedure
Step 1. Creating a VD
    Description: Required. You can create a VD and assign session resources and resources for load balancing to the VD. The root VD exists by default. You do not need to create it, and it cannot be removed.
Step 2. Assigning interfaces to VDs
    Description: Required. By default, all Layer 3 interfaces belong to the root VD, and the other VDs have no Layer 3 interface to use.
Hardware / Fields compatible
F1000-E: No
F5000: Yes
Firewall module: No
U200-A: No
U200-S: No
2. Click Add. The page for adding a VD appears.
Figure 90 Adding a VD
3. Configure the parameters as described in Table 32.
4. Click Apply.
Table 32 Configuration items
Item: Virtual Device ID
    Description: Enter a globally unique VD ID. The value range depends on the device model. For more information, see Table 33.
Item: Virtual Device Name
    Description: Enter a VD name that is globally unique.
Item: Max. LB Real Services
    Description: Set the maximum number of real services for load balancing, including IPv4 real services and IPv6 real services for load balancing. For the root VD, this number also includes the number of logical links for link load balancing. Support for IPv6 real services depends on the device model. For more information, see Table 34.
    Description: Set the maximum number of virtual services for load balancing, including IPv4 virtual services and IPv6 virtual services for load balancing.
load balancing, the number of existing real services for load balancing, or the number of virtual services for load balancing. For more information about the load balancing feature, see "Configuring load balancing."
Assigning interfaces to VDs
1. Select Device Management > Virtual Device > Interface from the navigation tree. A list appears, showing the interfaces and the VDs that the interfaces belong to.
Figure 91 Assigning interfaces to VDs
2. Select the target VDs for the interfaces.
3.
The device selection page appears.
2. Select a VD.
3. Click the Login link. The Web interface of the target VD appears, where you can perform operations.
Figure 93 Selecting a VD
VD configuration example
Network requirements
Divide the firewall into two VDs, and rent them to Customer A and Customer B. For Layer 3 networking, Customer A and Customer B have their own Layer 3 Ethernet interfaces.
Figure 95 Creating VD_A
Only fields that your device supports are displayed in the Web page. The following matrix shows the fields Max. LB Real Service Groups, Max. LB Real Services, and Max. LB Virtual Services and hardware compatibility:
Hardware / Fields compatible
F1000-A-EI/F1000-S-EI: No
F1000-E: No
F5000: Yes
Firewall module: No
U200-A: No
U200-S: No
a. Enter the VD ID 2.
b. Enter the VD name VD_A.
c. Set the maximum number of sessions to 100000.
d.
Figure 96 Creating VD_B
a. Enter the VD ID 3.
b. Enter the VD name VD_B.
c. Set the maximum number of sessions to 100000.
d. Set the maximum number of real service groups for load balancing to 0.
e. Set the maximum number of real services for load balancing to 0.
f. Set the maximum number of virtual services for load balancing to 0.
g. Click Apply.
3. Assign interfaces to the VDs:
a. Select Device Management > Virtual Device > Interface from the navigation tree.
b.
b. Click the icon for VD_A, and enter VLAN ranges 100-205, 300-310.
c. Click Apply.
Figure 98 Assigning VLANs to VD_A
5. Assign VLANs to VD_B:
a. Select Device Management > VD > VLAN from the navigation tree.
b. Click the icon for VD_B, and enter VLAN ranges 50-80,400,500-530.
c. Click Apply.
Creating a VD
All non-default VDs are created manually. A non-default VD cannot use the name Root or the ID 1. When creating a VD on a device, you must specify a VD name and a VD ID, each of which must be unique on the device. To enter the view of an existing VD, you can specify the VD name, or specify both the VD name and the VD ID. If you specify both the VD name and the VD ID, make sure the two arguments identify the same VD.
To create a VD:
Step 1. Enter system view.
Step 2. Enter VD view.
    Command: vd vd-name [ id vd-id ]
    Remarks: N/A
Step 3. Assign a VLAN to the VD.
    Command: allocate vlan vlan-list
    Remarks: By default, all VLANs belong to the default VD, and a non-default VD has no VLAN to use. A VLAN can be assigned to only one VD. Assigning a VLAN to a second VD is the same as reclaiming the VLAN and assigning it to the second VD.
Setting the maximum number of sessions for a VD
You can put a limit on the maximum number of sessions that can be set up on a VD.
Step 2. Set the maximum number of concurrent sessions for the default VD.
    Command: session max-entries max-entries
    Remarks: By default, the maximum number of concurrent sessions for the default VD equals the maximum number of sessions supported by the physical device.
To set the maximum number of concurrent sessions for a non-default VD:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Log in to the VD.
    Command: switchto vd vd-name
    Remarks: Optional.
# Assign interface GigabitEthernet 1/1 to VD vda.
[Firewall-vd-vda] allocate interface gigabitethernet 1/1
# Assign VLAN 100 to VLAN 205 to VD vda.
[Firewall-vd-vda] allocate vlan 100 to 205
# Set the maximum number of sessions to 100000 for VD vda.
[Firewall-vd-vda] limit-resource session max-entries 100000
[Firewall-vd-vda] quit
# Create a VD with the name vdb and ID 3.
[Firewall] vd vdb id 3
# Assign interface GigabitEthernet 1/2 to VD vdb.
Configuring FTP
NOTE: FTP is not supported in FIPS mode.
File Transfer Protocol (FTP) can be configured only at the CLI. FTP is an application layer protocol based on the client/server model. It is used to transfer files from one host to another over a TCP/IP network. The FTP server uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959. FTP supports the following transfer modes:
• Binary mode—Used to transfer image files, such as .
Establishing an FTP connection
Before you can access the FTP server, use the ftp command in user view or use the open command in FTP client view to establish a connection to the FTP server. You can use the ftp client source command to specify a source IP address or source interface for the FTP packets sent by the device. If a source interface (typically, a loopback or dialer interface) is specified, its primary IP address is used as the source IP address for the FTP packets sent by the device.
Task: Log in to the remote FTP server from FTP client view.
    Command:
    c. ftp ipv6
    d. open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]
    Remarks: Support for these two commands depends on the device model. For more information, see System Management and Maintenance Command Reference.
Managing directories on the FTP server
After the device establishes a connection to an FTP server, you can create or delete folders in the authorized directory on the FTP server.
Task / Command / Remarks
Query a directory or file on the FTP server.
    Command: ls [ remotefile [ localfile ] ]
    Remarks: The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Delete the specified file on the FTP server permanently.
    Command: delete remotefile
    Remarks: N/A
Set the file transfer mode to ASCII.
    Command: ascii
    Remarks: By default, ASCII mode is used.
Set the file transfer mode to binary.
    Command: binary
    Remarks: By default, ASCII mode is used.
Task, command, and remarks:
Terminate the FTP connection without exiting FTP client view: disconnect or close. Use either command in FTP client view.
Terminate the FTP connection and return to user view: bye or quit. Use either command in FTP client view.

FTP client configuration example

Network requirements

As shown in Figure 102, the firewall acts as the FTP client and the PC acts as the FTP server. The firewall and the PC can reach each other.
# Set the file transfer mode to ASCII, and upload the configuration file config.cfg from the firewall to the PC for backup.
[ftp] ascii
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
221 Server closing.
# Specify newest.bin as the main system software image file for the next startup.
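The 227 reply in the session above tells the client where to open the data connection: the four leading numbers are the server address and the data port is the last two combined as p1*256 + p2 (here 4*256 + 2 = 1026), which is why the data connection does not use port 20 in passive mode. The following Python is an added example for readers of this guide, not code from HP or from the device software. It parses the 227 reply and the transfer summary line, and it flags a passive reply whose advertised address differs from the control-connection peer, the check a cautious FTP client makes before connecting, so a server reply cannot steer the data connection to a third host. The sample replies are copied from the session above; the control_peer value 10.1.1.1 is assumed to be the PC's address.

```python
"""Parse the FTP replies shown in an HP firewall FTP client session."""
import re

# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# Transfer summary printed by the client after a put/get
STATS_RE = re.compile(
    r"^FTP: (\d+) byte\(s\) (sent|received) in ([\d.]+) second\(s\), ([\d.]+) byte\(s\)/sec\.$"
)


def parse_pasv(reply: str) -> tuple:
    """Return (host, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range 0-255")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(reply: str, control_peer: str) -> tuple:
    """Decide where the data connection should go.

    Returns (host, port, advertised_ok). When the server advertises an address
    that differs from the control-connection peer, the advertised address is
    ignored and the control peer is used on the advertised port instead, so the
    reply cannot redirect the data connection elsewhere.
    """
    host, port = parse_pasv(reply)
    if host != control_peer:
        return control_peer, port, False
    return host, port, True


def parse_transfer_stats(line: str) -> dict:
    """Parse the 'FTP: N byte(s) sent in ...' summary line."""
    m = STATS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a transfer summary: {line!r}")
    nbytes, direction, seconds, rate = m.groups()
    return {"bytes": int(nbytes), "direction": direction,
            "seconds": float(seconds), "rate": float(rate)}


# Sample replies, copied from the put shown in the session above.
SESSION = [
    "227 Entering Passive Mode (10,1,1,1,4,2).",
    "125 ASCII mode data connection already open, transfer starting for /config.cfg.",
    "226 Transfer complete.",
    "FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.",
]


def summarize_session(lines: list, control_peer: str) -> dict:
    """Walk the replies, resolving the data endpoint and the transfer summary."""
    out = {}
    for line in lines:
        if line.startswith("227"):
            host, port, ok = data_endpoint(line, control_peer)
            out["data_host"], out["data_port"], out["pasv_ok"] = host, port, ok
        elif line.startswith("FTP:"):
            out.update(parse_transfer_stats(line))
    return out


if __name__ == "__main__":
    # control_peer is the assumed address of the PC acting as FTP server
    print(summarize_session(SESSION, "10.1.1.1"))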
To configure basic parameters for the FTP server:
1. Enter system view: system-view. (N/A)
2. Enable the FTP server: ftp server enable. By default, the FTP server is disabled.
3. Use an ACL to control FTP access to the server: ftp server acl acl-number. Optional. By default, no ACL is used for access control.
Configure the idle-timeout timer: ftp timeout minutes. Optional. The default idle-timeout timer is 30 minutes.
Set the file update mode for the FTP server.
4. Assign FTP service to the user account: service-type ftp. By default, no service type is specified. If the FTP service is specified, the root directory of the device is used by default.
5. Configure authorization attributes: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id | work-directory directory-name } *. Optional.
Directory of cfa0:/
   0  -rw-    38352332  May 14 2012 09:59:48   f1000-a-ei.bin
   1  drw-           -  May 14 2012 10:02:46   seclog
   2  -rw-      233912  May 25 2012 09:49:26   system.xml
   3  -rw-         891  May 14 2012 10:03:02   default_ca.cer
   4  -rw-        1411  May 14 2012 10:03:02   default_local.cer
   5  -rw-     3000185  May 25 2012 09:49:24   config.cwmp
   6  -rw-     1023456  May 24 2012 10:02:22   aaa.dat
   7  -rw-      811520  May 24 2012 10:03:38   bbb.dat
   8  -rw-      217542  May 25 2012 09:50:12   startup.
# Specify newest.bin as the main system software image file for the next startup.
boot-loader file newest.bin main

IMPORTANT: The system software image file used for the next startup must be saved in the root directory of the storage medium. If the storage medium is partitioned, the file must be saved in the root directory of the first partition. You can copy or move the file to the required place.

# Reboot the firewall. The system software image file is updated at the system reboot.
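The IMPORTANT note above requires the next-startup image to be a regular file in the root directory of the storage medium, and the dir output earlier in this example is how an operator confirms that. As an added example, not from the guide or from the device software, the following Python parses dir output in the layout shown above and applies that rule to a candidate file name before boot-loader is run. The sample listing is adapted from the output above (the truncated last entry is left out), and the column layout and the "name:/" form of a root path are assumed from that output.

```python
"""Check a next-startup image against the 'dir' listing of the storage medium."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One row: index, type/attributes, size (or '-' for a directory), timestamp, name
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([-d])([rwx-]{3})\s+(\d+|-)\s+"
    r"([A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


@dataclass
class Entry:
    index: int
    is_dir: bool
    size: Optional[int]   # None for directories
    mtime: str
    name: str


def parse_dir_listing(text: str) -> Tuple[str, List[Entry]]:
    """Return (directory path, entries) from 'dir' output."""
    path = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Directory of "):
            path = line[len("Directory of "):].strip()
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # footer lines (free space etc.) are not needed here
        idx, kind, _perm, size, mtime, name = m.groups()
        entries.append(Entry(int(idx), kind == "d",
                             None if size == "-" else int(size), mtime, name))
    if path is None:
        raise ValueError("no 'Directory of' header found")
    return path, entries


def check_boot_image(path: str, entries: List[Entry], filename: str) -> Tuple[bool, str]:
    """Apply the guide's rule: the image must be a regular file in the root directory."""
    if not re.fullmatch(r"[A-Za-z0-9]+:/", path):
        return False, f"{path} is not the root directory of a storage medium"
    matches = [e for e in entries if e.name == filename]
    if not matches:
        return False, f"{filename} is not present in {path}"
    e = matches[0]
    if e.is_dir:
        return False, f"{filename} is a directory, not a system software image"
    if e.size == 0:
        return False, f"{filename} is empty"
    return True, f"{filename} ({e.size} bytes) found in {path}"


# Sample listing adapted from the dir output shown above (constructed input).
SAMPLE = """\
Directory of cfa0:/
   0  -rw-    38352332  May 14 2012 09:59:48   f1000-a-ei.bin
   1  drw-           -  May 14 2012 10:02:46   seclog
   2  -rw-      233912  May 25 2012 09:49:26   system.xml
   3  -rw-         891  May 14 2012 10:03:02   default_ca.cer
   4  -rw-        1411  May 14 2012 10:03:02   default_local.cer
   5  -rw-     3000185  May 25 2012 09:49:24   config.cwmp
   6  -rw-     1023456  May 24 2012 10:02:22   aaa.dat
   7  -rw-      811520  May 24 2012 10:03:38   bbb.dat
"""

if __name__ == "__main__":
    root, files = parse_dir_listing(SAMPLE)
    print(check_boot_image(root, files, "newest.bin"))      # not yet downloaded
    print(check_boot_image(root, files, "f1000-a-ei.bin"))  # present in the root
```

Run the check against the listing of the medium you intend to boot from; a file that sits under a subdirectory such as seclog fails the root-directory test even though dir of that subdirectory would list it.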
Configuring TFTP

NOTE: TFTP is not supported in FIPS mode. TFTP can be configured only at the CLI.

Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure, reliable networks. TFTP uses UDP port 69 for connection establishment and data transmission. In contrast to TCP-based FTP, TFTP requires no authentication or complex message exchanges, and is easier to deploy.

TFTP supports the following transfer modes:
• Binary mode—Used to transfer image files, such as .
The tftp client source command setting applies to all TFTP sessions. When you set up a TFTP session with the tftp command, you can also specify a different source IP address for the TFTP session.

IMPORTANT: To avoid TFTP connection failures, when you specify a source interface for TFTP packets, make sure the interface has been assigned a primary IP address.

To use the device as a TFTP client:
1. Enter system view: system-view. (N/A)
Optional.
TFTP client configuration example

Network requirements

Configure the PC in Figure 105 as a TFTP server, and use TFTP to download the system software image file newest.bin from the PC to the firewall and upload the configuration file config.cfg from the firewall to the PC for backup.

Figure 105 Network diagram

Configuration procedure

This configuration procedure assumes that the PC and the firewall can reach each other.
1. Configure the PC (TFTP server):
{ Enable the TFTP server.
Configuring CWMP (TR-069)

CWMP (TR-069) can be configured only at the CLI. The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
• ACS—Autoconfiguration server, the management device in the network.
• CPE—Customer premises equipment, the managed device in the network.
• DNS server—Domain name system server. CWMP defines that an ACS and a CPE use URLs to identify and access each other. DNS is used to resolve the URLs.
• DHCP server—Assigns IP addresses to CPEs, and uses the options field in the DHCP packet to issue configuration parameters to the CPE.
Your device can work as the CPE but not the ACS.
To back up important data, a CPE can upload the current configuration file to the specified server according to the requirement of an ACS. The device supports uploading only the vendor configuration file or log file.

NOTE: The device can download only system software images and configuration files from the ACS, and does not support digital signatures.

CPE status and performance monitoring

An ACS can monitor the parameters of a CPE connected to it.
• Download—The ACS requires a CPE to download a specific file from the specified URL, ensuring upgrading of CPE software and auto download of the vendor configuration file.
• Upload—The ACS requires a CPE to upload a specific file to the specified location.
• Reboot—The ACS remotely reboots the CPE when the CPE encounters a failure or completes a software upgrade.

How CWMP works

The following example illustrates how CWMP works. Suppose there are two ACSs in an area: main and backup.
9. The setting succeeds and the CPE sends a response.
10. The ACS sends an empty message to notify the CPE that it has no other requests.
11. The CPE closes the connection.
After this, the CPE initiates a connection to the backup ACS.

CWMP configuration approaches

To use CWMP, you must enable CWMP at the CLI. After that, you can configure ACS and CPE attributes at the CLI.
• 35 36 37 38 corresponds to the password 5678.
• 20 is the end delimiter.
For more information about DHCP, DHCP Option 43, and the option command, see Network Management Configuration Guide.

Configuring CWMP at the CLI

Some tasks in this section can also be performed on the ACS or DHCP server. For a CWMP parameter, the setting assigned by the ACS has the same priority as the CLI setting, and the setting issued by the DHCP server has lower priority than the CLI setting.
To enable CWMP:
1. Enter system view: system-view. (N/A)
2. Enter CWMP view: cwmp. (N/A)
3. Enable CWMP: cwmp enable. By default, CWMP is enabled.

Configuring ACS attributes

ACS attributes include the ACS URL, username, and password. When the CPE initiates a connection to the ACS, the ACS URL, username, and password are carried in the connection request.
4. Configure the ACS password for connection to the ACS: cwmp acs password [ cipher | simple ] password. Optional. By default, no ACS password is configured for connection to the ACS. You can specify a username without a password for authentication, but you must make sure that the ACS has the same authentication setting as the CPE.

Configuring CPE attributes

CPE attributes include the CPE username and password, which a CPE uses to authenticate the validity of an ACS.
1. Enter system view: system-view.
2. Enter CWMP view: cwmp.
3. Set the interface that connects the CPE to the ACS: cwmp cpe connect interface interface-type interface-number.

Sending Inform messages

Inform messages must be sent during connection establishment between a CPE and an ACS. You can configure the Inform message sending parameters to trigger the CPE to initiate a connection to the ACS.
3. Configure the maximum number of attempts that the CPE can make to retry a connection: cwmp cpe connect retry times. Optional. By default, the CPE regularly sends connection requests to the ACS until a connection is set up.
Specifying an SSL client policy for HTTPS connection to ACS

CWMP uses HTTP or HTTPS for data transmission. If the ACS uses HTTPS for secure access, its URL begins with https://. You must configure an SSL client policy for the CPE to authenticate the ACS for establishing an HTTPS connection. For more information about configuring SSL client policies, see Network Management Configuration Guide.
Configuring host traffic statistics

Host traffic statistics can be configured only in the Web interface.

Feature and hardware compatibility

Hardware / Virtual firewall compatible:
F1000-A-EI/F1000-S-EI: Yes
F1000-E: No
F5000: No
Firewall module: No
U200-A: Yes
U200-S: Yes

Overview

The host traffic statistics module monitors the traffic of hosts in a LAN, and sends statistics reports in the syslog format to the specified log host.
Specifying a service type

1. Select Network > Statistics > Host Traffic Statistics from the navigation tree.
2. Click the Service Configuration tab. The Service Configuration page appears.
Figure 108 Service configuration page
3. Click Add.
Figure 109 Adding a service type
4. Select a service type whose statistics will be collected. The valid options include default service, customized service, and service group.
3. Click Apply.

Table 35 Configuration items
Enable host traffic statistics: Enable or disable the host traffic statistics function.
Host Aging Time: Specify the aging time of hosts. If a host accesses a specified network service, the device periodically collects traffic statistics for the host. If no traffic statistics are updated because no packets pass through the host within the aging time, the device stops collecting traffic statistics for the host.
Log Sending Interval
Figure 112 Specifying the IP address of the log host
2. Configure customized service resources:
a. Select Resource > Service > Customized Service from the navigation tree.
b. Click Add.
c. Enter tcp-des80 for Name, select the TCP option, specify the Source Port range as 0 to 65535, and specify the Destination Port range as 80 to 80.
d. Click Apply.
Figure 113 Configuring customized service resource
e. Click Add.
f. Enter tcp-des8080 for Name, select the TCP option, specify the Source Port range as 0 to 65535, specify the Destination Port range as 8080 to 8080, and click Apply.
3. Configure the service group resource:
a. Select Resource > Service > Service Group from the navigation tree.
b. Click Add.
c.
4. Configure test as the service type to implement host traffic statistics:
a. Select Network > Statistics > L2 Statistics from the navigation tree.
b. Click the Service Configuration tab.
c. Click Add.
d. Select test for Service Type, and click Apply.
Figure 115 Configure the service type for host traffic statistics
5. Enable the host traffic statistics function:
a. Click the Basic Configuration tab.
b. Select the Enable host traffic statistics box and click Apply.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ...
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall product or a UTM device.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.