HP SECBLADEII-CMW520-R3175 Release Notes

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This document describes the features, restrictions and guidelines, open problems, and workarounds for version R3175. Before you use this version in a live network, back up the configuration and test the version to avoid software upgrade affecting your live network. Use this document in conjunction with HP SECBLADEII-CMW520-R3175 Release Notes (Software Feature Changes) and the documents listed in "Related documentation."

Version information

Version number

HP SecBlade FW Comware software, Version 5.
Table 3 Hardware and software compatibility matrix

Item: Specifications
Product family: HP/H3C SecBlade FW series
Memory: 2 GB (minimum)
Flash: 4 MB
BootWare version: Version 1.51 or higher (Note: Execute the display version command in any view to view the version information. Please see Note 2)
Host software: SECBLADEII-CMW520-R3175.
no route to the global address, NAT sessions might be disconnected. To solve this problem, configure a sub address that is on the same subnet as the global address for that interface so the firewall can respond to ARP requests for the global address.
Item MIB file Module Description Modified / / / / / Firewall Added a MIB node to save the rate of created connections. You can obtain the rate of the connections that are created on the firewall. SECBLADEII-CMW520-F3174P10 New Modified / H3C-FIREWALL-MIB

Operation changes

None.

Restrictions and cautions

1. USB is not supported.
2. ICMP packets larger than 35000 bytes are discarded.
3. The Web interface can display a maximum of 5000 sessions.
4.
HSD110063
Symptom: When configuration synchronization is enabled between active and standby firewalls, a change to the type of a physical port on the active firewall cannot be synchronized to the standby firewall in real-time backup state.
Condition: This symptom occurs when configuration synchronization is enabled between active and standby firewalls.
Workaround: Manually change the physical port type on the active and standby devices.
List of resolved problems

Resolved problems in R3175

HSD106243
Symptom: When you modify an inter-zone policy that includes hundreds of rules through a remote desktop connection, you might lose the remote desktop connection.
Condition: This symptom might occur when you modify an inter-zone policy that includes hundreds of rules through a remote desktop connection.
HSD111359
Symptom: The firewall restarts unexpectedly after running for a relatively long time.
Condition: This symptom occurs if session logging is enabled on the firewall and service traffic is injected to initiate 100,000 connections per second.
After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.
Appendix A Feature list

Hardware features

Table 5 SecBlade FW series hardware features

Dimensions (H × W × D):
SecBladeII (5800): 36.7 × 250.0 × 249.8 mm (1.44 × 9.84 × 9.83 in)
SecBladeII (7500): 40.1 × 399.2 × 376.8 mm (1.58 × 15.72 × 14.83 in)
SecBladeII (9500): 40.1 × 399.2 × 379.0 mm (1.58 × 15.72 × 14.92 in)
SecBladeII (12500): 40.1 × 399.2 × 498.8 mm (1.58 × 15.72 × 19.64 in)
SecBladeII (6600): 45.2 × 399.2 × 434.6 mm (1.78 × 15.72 × 17.11 in)
SecBladeII (8800): 40.1 × 399.2 × 379.0 mm (1.
Category Features Packet filter Access control based on security zones Time-based access control ASPF Firewall Virtual firewall Anti-DoS/DDoS URL Filter Static and dynamic blacklist P2P HTTP/SMTP/POP3/FTP/Telnet packet content filtering Attack log Blacklist log Security management Session log Binary format log Traffic measurement and analysis Security events statistics Address pool ACL-based NAT Easy IP NAT NAT Server NAT with ALG, including FTP, DNS, QQ, MSN, H323, NBT, ILS, RTSP, SQLNET, SIP, and R
Category Features Static routing RIP-1/RIP-2 IP routing OSPF BGP Policy-based routing ICMPv6 TCP6 UDP6 RAWIP6 Ping6 Basic protocol DNS6 TraceRT6 Telnet6 FIB6 DHCPv6 client DHCPv6 relay RIPng OSPFv3 IPv6 BGP4+ Routing & Multicast Static routing Policy-based routing PIM-SM PIM-DM NAT-PT IPv6 tunneling IPv6 packet filter Security RADIUS DS-Lite IPv6 ASPF IPv6 ALG (ICMP6, FTP) IPv6 security policy group VRRP VRRP Session failover High availability Stateful failover IPSec failover Asymm
Category Features Console AUX Telnet, SSH, FTP, and TFTP Command line interfaces Command level configuration Detailed debug information Tracert and ping Configuration management Log and file management User interface Web Login and authentication Web configuration SNMPv3/v1/v2C NTP
Appendix B Upgrading software

This chapter describes how to upgrade system software while the HP SecBlade firewall card is operating normally or when the firewall card cannot correctly start up.

Hardware compatibility

Table 7 describes the compatibility of the firewall card and network devices.
System software images

System software images are used at startup. The firewall card supports three types of system software images:

Main system software image—Used by default.
Backup system software image—Used when the main system software image is invalid.
Secure system software image—Used when the backup system software image is invalid.

If the secure system software image is also invalid, the system displays a failure prompt. A system software image is a .bin file such as main.bin.
Copy the upgrade file to the file server and correctly set the working directory on the TFTP or FTP server. Make sure that the upgrade has minimal impact on the network services. During the upgrade, the firewall card cannot provide any services.

Figure 1 Set up the upgrade environment (figure labels: Ethernet cable, Console cable, TFTP/FTP server)

Upgrading from the CLI

You can use the TFTP or FTP commands on the firewall card to access the TFTP or FTP server to back up or download files.
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
cfa0:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait....
Configuration is saved to device successfully.

2.
tftp 192.168.0.2 put system.xml
File will be transferred in binary mode
Sending file to remote TFTP server. Please wait... |
TFTP: 10324 bytes sent in 0 second(s).
File uploaded successfully.

Upgrading the system software

This configuration example was created and verified on Feature 3174P10 for the system software image file fw_card.bin.

1. Execute the tftp get command in user view to download the system software image file, for example, fw_card.
Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.
HP SecBlade FW uptime is 0 week, 0 day, 1 hour, 30 minutes
CPU type: RMI XLR732 1000MHz CPU
2048M bytes DDR2 SDRAM Memory
4M bytes Flash Memory
247M bytes CF0 Card
PCB Version:Ver.A
Logic Version: 3.0
Basic BootWare Version: 1.28
Extend BootWare Version: 1.38
[FIXED PORT] CON (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/1 (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/2 (Hardware)Ver.A, (Driver)1.
File system type of cfa0: FAT32

This example uses the default system software image file name main.bin and the default configuration file names startup.cfg and system.xml.

3. Execute the ftp command in user view to access the FTP server.

ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 3Com 3CDaemon FTP Server Version 2.0
User(192.168.0.2:(none)):user123
331 User name ok, need password
Password:
230 User logged in

4.
125 Using existing data connection
226 Closing data connection; File transfer successful.
FTP: 19790016 byte(s) received in 88.243 second(s), 224.00K byte(s)/sec.
[ftp]

2. Execute the quit command in FTP client view to return to user view.

[ftp] quit
221 Service closing control connection

3. Execute the boot-loader command in user view to load the file fw_card.bin and specify the file as the main image file at the next reboot.

boot-loader file fw_card.
[FIXED PORT] CON (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/1 (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/2 (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/3 (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/4 (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] XGE0/0 (Hardware)Ver.A, (Driver)1.0, (Cpld)3.0

Upgrading from the Web

CAUTION: Do not perform any operation in the Web interface while the upgrade is in progress.
Figure 2 Upgrading the software

6. Specify the software upgrading configuration items as described in Table 9.

Table 9 Configuration items

Item: Description
File: Click Browse to set the path to the system software image file. The file name must end with .bin.
File Type: Set the file type.
If a file with the same name already exists, overwrite it without any prompt: If you do not select the option, the message "The file already exists.
Accessing the BootWare menu

1. Power on the firewall card, and you can see the following information:

System start booting...
Booting Normal Extend BootWare........
****************************************************************************
*                                                                          *
*           HPA Series SecBlade FW Module BootWare, Version 1.50           *
*                                                                          *
****************************************************************************
Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Clear Super Password |
|<9> Storage Device Operation |
|<0> Reboot |
=============================================================================
Enter your choice(0-9):

Table 10 BootWare menu options

Item: Description
<1> Boot System: Boot the system software image.
============================================================================
Enter your choice(0-5):

Table 11 Ethernet submenu options

Item: Description
<1> Download Application Program To SDRAM And Run: Download a system software image to the SDRAM and run the image.
<2> Update Main Application File: Upgrade the main system software image.
<3> Update Backup Application File: Upgrade the backup system software image.
<4> Update Secure Application File: Upgrade the secure system software image.
Field: Description
Gateway IP Address: Set a gateway IP address if the firewall card is on a different network from the server.
FTP User Name: Set the username for accessing the FTP server. This username must be the same as configured on the FTP server. This field is not available for TFTP.
FTP User Password: Set the password for accessing the FTP server. This password must be the same as configured on the FTP server. This field is not available for TFTP.

3.
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-5):

Table 13 Serial submenu options

Item: Description
<1> Download Application Program To SDRAM And Run: Download an application to SDRAM through the serial port and run the program.
<2> Update Main Application File: Upgrade the main system software image.
<3> Update Backup Application File: Upgrade the backup system software image.
Figure 3 Disconnecting the terminal connection

5. Select File > Properties, and in the Properties dialog box, click Configure.

Figure 4 Properties dialog box

6. Select 115200 from the Bits per second list and click OK.
Figure 5 Modifying the baud rate

7. Select Call > Call to reestablish the connection.

Figure 6 Reestablishing the connection

8. Press Enter.
9. Enter 0 to return to the Serial submenu.

======================================================
|Note:the operating device is cfa0 |
|<1> Download Application Program To SDRAM And Run |
|<2> Update Main Application File |
|<3> Update Backup Application File |
|<4> Update Secure Application File |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-5):

10.
Figure 8 File transfer progress

13. When the Serial submenu appears after the file transfer is complete, enter 0 at the prompt to return to the BootWare menu.

Download successfully!
19790016 bytes downloaded!
Input the File Name:main.bin
Updating File cfa0:/main.bin..............................................
.....................................................
Managing files from the BootWare menu

To change the type of a system software image, retrieve files, or delete files, enter 4 in the BootWare menu.
Changing the type of a system software image

System software image file attributes include main (M), backup (B), and secure (S). You can store only one main image, one backup image, and one secure image on the firewall card. A system software image can have any combination of the M, B, and S attributes. If the file attribute you are assigning has been assigned to an image, the assignment removes the attribute from that image. The image is marked as N/A if it has only that attribute.
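The attribute reassignment rule above, combined with the main, backup, secure startup order described under "System software images", modelled as an added Python example (not HP code). The function names are hypothetical, and secure.bin and the validity flags are constructed sample data.

```python
# Added illustration, not HP code. It models the two rules stated in this
# document; secure.bin and the validity flags are constructed sample data.
BOOT_ORDER = ("M", "B", "S")  # main, then backup, then secure


def assign(images, filename, attr):
    """Give attr to filename, removing it from whichever image held it."""
    if attr not in BOOT_ORDER:
        raise ValueError(f"unknown attribute {attr!r}")
    if filename not in images:
        raise KeyError(filename)
    for attrs in images.values():
        attrs.discard(attr)          # only one image may hold each attribute
    images[filename].add(attr)


def label(attrs):
    """Render an attribute set as the file list shows it, e.g. M+B or N/A."""
    return "+".join(a for a in BOOT_ORDER if a in attrs) or "N/A"


def select_boot_image(images, valid):
    """Return (filename, attr) of the image used at startup, or None."""
    for attr in BOOT_ORDER:
        for name, attrs in images.items():
            if attr in attrs and valid.get(name, False):
                return name, attr
    return None                      # device displays a failure prompt


def demo():
    images = {"main.bin": {"M", "B"}, "fw_card.bin": set(), "secure.bin": {"S"}}
    assign(images, "fw_card.bin", "M")   # main.bin keeps only B
    after_main = {n: label(a) for n, a in images.items()}
    assign(images, "fw_card.bin", "B")   # main.bin now has no attribute
    after_backup = {n: label(a) for n, a in images.items()}
    # Constructed failure case: the newly loaded image is corrupt.
    valid = {"main.bin": True, "fw_card.bin": False, "secure.bin": True}
    return after_main, after_backup, select_boot_image(images, valid)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Giving both M and B to one newly loaded file leaves the secure image as the only fallback if that file turns out to be invalid, because the previous main.bin, now marked N/A, is never selected.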
|3 1271 |4 19790016 |0 Exit Feb/03/2012 10:39:26 M+B Feb/02/2012 11:01:50 M cfa0:/startup.cfg cfa0:/main.bin | | |
============================================================================
Enter file No:

2. Enter the number of the file to delete.

3. When the following prompt appears, enter Y.

The file you selected is cfa0:/logfile/~/logfile.log,Delete it? [Y/N]Y
Deleting..............