Firewall Configuration examples

Contents

1. [Session list screenshot: search for IP address 192.168.2.10; columns Session Lifetime, Init Src IP, Init Dest IP, Resp Src IP, Resp Dest IP, VPN, Protocol, VLAN, Status, Operation]
   Configuring inter-VLAN Layer 3 forwarding.
   Configuration description: Configure the Device to forward packets through VLAN interfaces.
   Configuration procedure (see Figure 1): Select Device Management > Interface from the navigation tree. Configure GigabitEthernet0/1 as a Layer 2 access port, assign the interface to VLAN 2, create VLAN-interface 2 and assign IP address 192.168.2.1/24 to the VLAN interface. Configure GigabitEthernet0/2 as a Layer 2 access port, assign the interface to VLAN 3, create VLAN-interface 3 and assign IP address 192.168.3.1/24 to the VLAN interface.
   Figure 23 Create VLAN-interface 2 [Interface Creation form: Interface Name Vlan-interface 2 (VID 1-4094), MTU, TCP MSS, IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.2.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface; items marked with an asterisk are required]
   Hangzhou H3C Technologies Co., Ltd., www.h3c.com. H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples.
   Figure 24 Create VLAN int
2. Figure 30 IPsec SAs [columns: Local IP, Remote IP, SPI, Security Protocol, Authentication Algorithm, Encryption Algorithm. Rows: 192.168.250.12, 192.168.250.230, 1105559047, ESP, HMAC-MD5-96, DES; 192.168.250.230, 192.168.250.12, 4067445650, ESP, HMAC-MD5-96, DES]
   Viewing Packet Statistics: Select VPN > IPSec > Statistics from the navigation tree to view packet statistics, as shown in Figure 31.
   Figure 31 Packet statistics [Statistic Item / Statistic Value: IPsec protected packets (inbound/outbound); IPsec protected bytes (inbound/outbound) 336/336; IPsec protected packets discarded by device (inbound/outbound); Dropped packets (lack of memory); Dropped packets (no SA); Dropped packets (full queues); Dropped packets (failed authentication); Dropped packets (wrong packet length); Replayed packets; Dropped packets (excessive packet length); Dropped packets (improper SA); Reset All]
   IPsec Configuration Example 2: Working with NAT.
   Network Requirements (see Figure 32): Deploy IPsec tunnels between Device A and Device B to protect traffic between the branch and its headquarters. Use IKE to maintain the IPsec tunnels. Device A and Device B provide network access for the headquarters and the branch. Device B connects to the public network through an ADSL line and acts as the PPPoE client.
   [Source manual: H3C SecPath Series Firewalls IPsec Configuration Examples]
   The inter
3. [Interzone policy rule form: Source IP Address: New IP Address / any_address / Multiple Address; Service: any_service / Multiple (each service stands for one stream; when creating a rule, specify a service for it); Filter Action: Permit (the action that the firewall takes); Time Range; Content Filtering Policy Template; Using MAC Address; Enable Syslog; Status; Continue to add next rule; items marked with an asterisk are required; wildcard must be reserved mask]
   Configuring NAT for the outbound interface: From the navigation tree, select Firewall > NAT Policy > Dynamic NAT, then click Add. [Dynamic NAT list: Interface, ACL, Address Pool Index, Address Transfer, Global VPN Instance, Operation]
   Configure NAT for interface GigabitEthernet0/1 as follows and then click Apply. [Add Dynamic NAT: Interface GigabitEthernet0/1; ACL 2000 (2000-3999); Address Transfer: Easy IP; Address Pool Index (0-31); Global VPN Instance; Apply / Cancel]
   Configuring Attack Protection. Configuring the Static Blacklist Function: From the navigation tree, select Intrusion Detection > Blacklist. Then select the Enable Blacklist check box and click Apply to enable the blacklist function. [Global configuration: Enable Blacklist] Click Add.
   [Source manual: H3C SecPath Series Firewalls Attack Protection Configuration Example]
   Type th
4. [Zone interface selection form: Search / Advanced Search; Interface list: GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3, GigabitEthernet0/4, NULL0; "The VLANs should be separated by , or -. For example 3,5-10"; items marked with an asterisk are required; Apply]
   Configuring Gratuitous ARP.
   Introduction to gratuitous ARP: In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. A device implements the following functions by sending gratuitous ARP packets: determining whether its IP address is already used by another device; informing other devices about the change of its MAC address so that they can update their ARP entries. A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds that no corresponding ARP entry exists in the cache.
   Configuring sending of gratuitous ARP packets: Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree. Select GigabitEthernet0/0, leave the default sending interval unchanged or type a specific value, click <<, and then click Apply. After that, all devices on the internal network will record an ARP entry for the internal interface GigabitEthernet0/0.
5. Access PC 3 in the Trust zone from PC 2 in the DMZ zone and perform ping, HTTP, FTP, DNS and Telnet operations. Check the session list to view the result.
   Verification results: 1. The ping, HTTP, FTP, DNS and Telnet operations are successful. 2. Check the session list. The destination IP address (the translated address) of the session response is an IP address in the address pool, and the source port is translated. Type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure. [Session list screenshot: columns Session Lifetime, Init Src IP, Init Dest IP, Resp Src IP, Resp Dest IP, VPN, Protocol, VLAN, Status; one TCP session in state EST; Del Selected / Del All]
   Remarks: Remove the configuration in this example before performing another configuration example.
   No-PAT. Requirements. Configuration steps: 1. Create an address pool. Select Firewall > NAT > Dynamic NAT from the navigation tree, as shown in the following figure. [Address pool list: Index, Start IP Address, End IP Address, Priority, Operation; Dynamic NAT list: Interface, ACL, Address Pool Index, Address Transfer, Tracked VRRP Group, Operation; Add] Click Add in the Address Pool field to enter the Add NAT Address Pool page, as shown in the following figu
   [Source manual: H3C SecPath Series Firewalls NAT Configuration Examples]
6. Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and ESP provide security services, and IKE performs key exchange. For how IKE works, refer to IKE Configuration.
   IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism allows the receiver of an IP packet to authenticate the sender and check whether the packet has been tampered with. The encryption mechanism ensures data confidentiality and protects data from being eavesdropped en route.
   IPsec is available with two security protocols:
   AH (protocol 51): Provides data origin authentication, data integrity and anti-replay services. For these purposes, an AH header is added to each IP packet. AH is suitable for transmitting non-critical data because it cannot prevent eavesdropping, even though it works fine in preventing data tampering. AH supports authentication algorithms such as Message Digest (MD5) and Secure Hash Algorithm (SHA-1).
   ESP (protocol 50): Provides data encryption in addition to origin authentication, data integrity and anti-replay services. ESP works by inserting an ESP header and an ESP tail in IP packets. Unlike AH, ESP encrypts data before it is encapsulated in the IP header to ensure data confidentiality. ESP supports encryption algorithms including Data Encryption Standard (DES), 3DES and Advanced Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1.
7. [Source manual: H3C SecPath Series Firewalls IPsec Configuration Examples]
   Figure 34 Configure an IKE peer [form: Peer Name gate (1-15 chars); IKE Negotiation Mode: Main / Aggressive; Local ID Type: IP Address / Gateway Name; Local IP Address; Remote Gateway: IP Address / Hostname; Remote ID branch (1-39 chars); Pre-Shared Key 123456 (1-128 chars); PKI Domain; Enable DPD; Enable the NAT traversal function; note: if the local end is the initiator, only one remote IP address can be specified; if the local end is the responder, the remote IP address range must include the local IP address of the initiator; items marked with an asterisk are required; Apply]
   Configure an IPsec proposal named proposal: Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Type proposal as the IPsec proposal name and use the default settings for the proposal, as shown in Figure 35.
   Figure 35 Configure an IPsec proposal [Add IPSec Proposal (Custom mode): Proposal Name proposal (1-15 chars); Encapsulation Mode Tunnel; Security Protocol ESP; ESP Authentication Algorithm MD5; ESP Encryption Algorithm DES; items marked with an asterisk are required]
   Configure an IPsec policy template: Type 1 as the sequence number. Select gate as the IKE peer. Select IPsec proposal proposal an
8. [Interface management page: columns Name, IP Address, Mask, Security zone, Status, Operation; rows GigabitEthernet0/0 192.168.103.153 255.255.252.0, GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3, GigabitEthernet0/4, NULL0; 6 records, 15 per page]
   Click the edit icon of GigabitEthernet0/1 to enter the interface configuration page. Then configure the interface as follows and click Apply to return to the interface management page. [Interface configuration: Interface Name GigabitEthernet0/1; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 1.0.0.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface]
   [Source manual: H3C SecPath Series Firewalls Attack Protection Configuration Example]
   Click the edit icon of GigabitEthernet0/2 to enter the interface configuration page. Then configure the interface as follows and click Apply to return to the interface management page. [Interface configuration form: Interface Name, Interface Status, Interface Type, VID, MTU, TCP MSS, Working Mode, IP Configuration, IP Address, Mask, Secondary IP Address, Mask, Unnumbered Interface]
9. [VLAN interface form residue: IP Address 192.168.2.1, Mask 24 (255.255.255.0); Secondary IP Address, Mask 24 (255.255.255.0); Unnumbered Interface; items marked with an asterisk are required; IP Config; Secondary IP Address List]
   Figure 32 Create GigabitEthernet0/1.2 [Interface Creation: Interface Name GigabitEthernet0/1.2; VID 103 (1-4094); MTU (default 1500); TCP MSS (default 1460); IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.3.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface; items marked with an asterisk are required; Apply / Back]
   Select Device Management > Zone from the navigation tree. Add GigabitEthernet0/1 and GigabitEthernet0/1.1 to the Trust zone, and GigabitEthernet0/1.2 to the Untrust zone.
   [Source manual: H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples]
   Figure 33 Add interfaces to the Trust zone [Zone ID; Zone Name Trust; Preference; Share; Virtual Device Root; Interface list (Search / Advanced Search): VLAN, GigabitEthernet0/1, GigabitEthernet0/1.1, GigabitEthernet0/2, NULL0; "The VLANs should be separated by
10. PFS: dh-group14, dh-group5, dh-group2 and dh-group1 are in descending order of security and calculation time. When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security. Two peers must use the same Diffie-Hellman group; otherwise negotiation will fail.
   ACL: Select the ACL for the IPsec policy template to reference. The specified ACL must be created already and contain at least one rule. ACL configuration supports VPN multi-instance.
   SA Lifetime: Type the SA lifetime, which can be time-based or traffic-based. When negotiating to set up IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.
   Configuring an IPsec Policy: Select VPN > IPSec > Policy from the navigation tree to display existing IPsec policies, as shown in Figure 11. Then click Add to enter the IPsec policy configuration page, as shown in Figure 12.
   Figure 11 IPsec policy list [Policy Name search / Advanced Search; columns Sequence, Policy Name, Template, IKE Peer, IPSec Proposal; Add]
   [Source manual: H3C SecPath Series Firewalls IPsec Configuration Examples]
   Figure 12 IPsec policy configuration page [Add IPSec Policy: Policy Name (1-15 chars); Sequence Number (1-65535); Template; IKE Peer
11. Displays the percentage of TCP packets to the total packets. Displays the percentage of UDP packets to the total packets. Displays the percentage of ICMP packets to the total packets.
   Displaying Attack Prevention Logs: Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page, as shown in Figure 9.
   Figure 9 Attack prevention log configuration page [Search Item: Time / Keywords; Search; columns Time, Type, Interface, Source IP, Source MAC, Destination IP, Destination MAC, Speed]
   Table 11 describes the attack prevention log configuration items.
   Table 11 Attack prevention log configuration items (Item: Description):
   Time: Displays the time when attacks are detected.
   Type: Displays the attack type.
   Interface: Displays the interface that receives the attack packets.
   Source IP: Displays the source IP address of the attack packets.
   Source MAC: Displays the source MAC address of the attack packets.
   Destination IP: Displays the destination IP address of the attack packets.
   Destination MAC: Displays the destination MAC address of the attack packets.
   Speed: Displays the connection speed of the attacks.
   [Source manual: H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example]
   Displaying Blacklist logs: Select Log Report > Report > Blacklist Log from the navigation tree to enter the page, as shown in Figure 10. Figure 10 Blacklist log configura
12. [Packet statistics list (continued): Dropped packets (no SA); Dropped packets (full queues); Dropped packets (failed authentication); Dropped packets (wrong packet length); Replayed packets; Dropped packets (excessive packet length); Dropped packets (improper SA); Reset All]
   Configuration Guidelines. When configuring IPsec, follow these guidelines:
   Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively. Therefore, you need to make sure that flows of these protocols are not denied on the interfaces with IKE and/or IPsec configured.
   If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay operation, packets outside the anti-replay window in the inbound direction may be discarded, resulting in packet loss. Therefore, when using IPsec together with QoS, ensure that they use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
   References. Protocols and Standards: RFC 2401 Security Architecture for the Internet Protocol; RFC 2402 IP Authentication Header; RFC 2406 IP Encapsulating Security Payload. Related Documentation: IPsec Configuration in the web configuration manual.
   Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by an
13. H3C SecPath Series Firewalls Configuration Examples. Hangzhou H3C Technologies Co., Ltd., http://www.h3c.com. Manual Version: 6W100-20100715.
   Copyright 2010 Hangzhou H3C Technologies Co., Ltd. and its licensors. All Rights Reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
   Trademarks: H3C, Aolynk, H3Care, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
   Notice: The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information and recommendations in this document do not constitute a warranty of any kind, express or implied.
   Technical Support: customer_service@h3c.com, http://www.h3c.com.
   About This Manual. Organization: H3C SecPath Series Firewalls Configuration Examples is organized as follows: SecPath Series Firewalls Configuration Maintenance Example; SecPath Series Firewalls ARP Attack Protection Configuration Example; SecPath Series Firewalls IPsec Con
14. [Internal server form residue: Internal IP 2.1.1.2; Internal Port (0-65535, 0 represents any); ACL (2000-3999); VRRP Group (1-255); Apply]
   [Add Internal Server: Interface; VPN Instance; Protocol Type ICMP; External IP Address: Assign IP Address 172.1.1.60 / Use IP Address of Interface; Global Port (0-65535, 0 represents any); Internal IP 2.1.1.2; Internal Port (0-65535, 0 represents any); ACL 2000 (2000-3999); Enable track to VRRP, VRRP Group (1-255); items marked with an asterisk are required; Apply / Cancel]
   5. Access PC 2 from PC 3: ping public address 172.1.1.60. Verification 2 is expected.
   Verification results: 1. The ping operation is successful. Check the session list. Type 172.1.1.2 in the IP Address text box and click Search to display the search results. [Session list screenshot: query item Init Src IP, IP Address 172.1.1.2; columns Init VPN, Init Src IP, Init Dest IP, VLAN, Resp VPN, Session Lifetime, Resp Src IP, Resp Dest IP, Protocol, Status; one ICMP session, status CLOSED, lifetime 20, between 172.1.1.2 and 172.1.1.60; Del Selected / Del All] 2. Because ACL 2000 denies all packets, the ping operation fails and the internal server does not work.
   Remarks: Remove the configuration in this example before performing another configuration example.
   [Source manual: H3C SecPath Series Firewalls NAT Configuration Examples]
15. [VLAN interface form residue: VID (1-4094); MTU; TCP MSS; IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.2.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface; items marked with an asterisk are required; Apply / Back]
   Figure 36 Configure GigabitEthernet0/2 [Interface Name GigabitEthernet0/2; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode: Bridge Mode / Router Mode; IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address, Mask; Secondary IP Address, Mask; Unnumbered Interface]
   [Source manual: H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples]
   Select Device Management > Zone from the navigation tree. Add VLAN-interface 2 to the Trust zone and GigabitEthernet0/2 to the Untrust zone.
   Figure 37 Add interfaces to the Trust zone [Zone ID; Zone Name; Preference 85 (1-100); Share No; Virtual Device; Interface list (Advanced Search): NULL0, Vlan-interface2, GigabitEthernet0/...; "The VLANs should be separated by , or -. For example 3,6-10"; items marked with an asterisk are required; Apply]
   Figure 38 Add GigabitEtherne
16. [ACL creation form: ACL Number 3101 (2000-2999 for basic ACLs, 3000-3999 for advanced ACLs, 4000-4999 for Ethernet frame header ACLs); Match Order Config; items marked with an asterisk are required]
   [Source manual: H3C SecPath Series Firewalls IPsec Configuration Examples]
   Type 3101 as the ACL number. Select the match order of Config. Click Apply. From the ACL list, select ACL 3101 and click the corresponding icon. Then click Add to enter the ACL rule configuration page. Create an ACL rule as shown in Figure 17.
   Figure 17 Configure a rule to permit packets from 192.168.1.0/24 to 172.16.0.0/24 [ACL 3101, Add Advanced ACL Rule: Rule ID (0-65534; if no rule ID is entered, the system will automatically assign one); Non-first Fragments Only; Logging; IP Address Filtering: Source IP Address 192.168.1.0, Source Wildcard 0.0.0.255, Destination IP Address 172.16.0.0, Destination Wildcard 0.0.0.255; VPN Instance None; Protocol IP; ICMP Message, ICMP Type (0-255), ICMP Code; TCP Connection Established; Source Operation / Port (0-65535); Destination Operation / Port (0-65535); Precedence Filtering: ToS None, Precedence None, DSCP None]
   Select Permit from the Operation drop-down box. Select the Source IP Address check box and type 192.168.1.0 and 0.0.0.255 respectively in the following text boxes. Select the Destination IP Address chec
17. [Table of contents: Adding the Interfaces to Zones; Configuring ACL; NAT Configuration Examples: Easy IP, PAT, No-PAT, Static NAT, Internal Server, NAT on a VLAN Interface, NAT Support for Multi-VPN; References: Protocols and Standards, Related Documentation]
   [Source manual: H3C SecPath Series Firewalls NAT Configuration Examples]
   Feature Overview: NAT translates an IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks. With NAT, a small number of public IP addresses are used to enable large numbers of internal hosts to access the Internet. Thus, NAT effectively alleviates the depletion of IP addresses. NAT provides privacy for the internal network and can provide specific services for users on the Internet as need
18. Algorithm: AES-128: Uses the AES algorithm in CBC mode and 128-bit keys for encryption. AES-192: Uses the AES algorithm in CBC mode and 192-bit keys for encryption. AES-256: Uses the AES algorithm in CBC mode and 256-bit keys for encryption.
   DH Group: Select the DH group to be used in key negotiation phase 1. Group1: Uses the 768-bit Diffie-Hellman group. Group2: Uses the 1024-bit Diffie-Hellman group. Group5: Uses the 1536-bit Diffie-Hellman group. Group14: Uses the 2048-bit Diffie-Hellman group.
   [Source manual: H3C SecPath Series Firewalls IPsec Configuration Examples]
   SA Lifetime: Type the ISAKMP SA lifetime of the IKE proposal. Before an SA expires, IKE negotiates a new SA. As soon as it is set up, the new SA takes effect immediately, and the old one is cleared automatically when it expires. If the SA lifetime expires, the system automatically updates the ISAKMP SA. As DH calculation in IKE negotiation takes time, especially on low-end devices, it is recommended to set the lifetime greater than 10 minutes to prevent the SA update from influencing normal communication.
   Configuring an IKE Peer: Select VPN > IKE > Peer from the navigation tree to display existing IKE peers, as shown in Figure 5. Then click Add to enter the IKE peer configuration page, as shown in Figure 6.
   Figure 5 IKE peer list [IKE Peer Name search / Advanced Search]
19. Result B: The ping operation succeeds. Result C: The ping operation succeeds. VLAN and port type configuration on the forwarding interfaces does not impact inline Layer 2 forwarding.
   4. Configuration guidelines:
   Inline Layer 2 forwarding is implemented through inline forwarding groups and not MAC addresses.
   Inline Layer 2 forwarding can be configured on Layer 2 physical interfaces and subinterfaces only.
   In inline Layer 2 forwarding, the ingress interface checks the VLAN tag of a packet to see if the packet's VLAN ID is configured in the security zone of the virtual device. If yes, it forwards the packet. If the packet's VLAN ID matches a Layer 3 VLAN interface and the destination MAC address matches the MAC address of the VLAN interface, the firewall forwards the packet at Layer 3.
   If the ingress interface is an access port, the interface does not check the VLAN ID of incoming packets against its PVID upon receiving packets with different VLAN tags. When general Layer 2 forwarding is implemented, the interface accepts only untagged packets or packets whose VLAN ID matches its PVID.
   Inline Layer 2 forwarding on a trunk port is irrelevant to the permitted VLANs configured on the port. In general Layer 2 forwarding, a trunk port forwards a packet only if the packet's VLAN ID is permitted.
   [Source manual: H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples]
   In t
20. [Address group list: Search Item Name / Keywords / Search; columns Name, Members, Description, Status, Operation; Add]
   To configure a service resource and a service group resource, select Resource > Service > Default Service from the navigation tree. The default services include ping and ftp, so you only need to create a service group containing the ping and ftp services. To create a service group, select Resource > Service > Service Group from the navigation tree and click Add. Add a service group named ftp_server and add the ping and ftp services to the group. [Service group list: Search Item, Keywords, Search; columns Name, Members, Description, Status, Operation; row ftp_server, Out of Use]
   [Source manual: H3C SecPath Series Firewalls Virtual Device and Security Zone Configuration Examples]
   Policy configuration: Select Firewall > Security Policy > Interzone Policy from the navigation tree and then click Add. Add an interzone policy with source zone as Untrust and destination zone as VD1-mytrust, and configure the other parameters as follows (Item: Value): Address: select addz q for the source address group and destination address group; Service: service group ftp_server; Filter action: deny. Adopt the default settings for the other items and click Apply. [Interzone policy form: Source Zone Untrust; Dest Zone VD1-mytrust; Description (1-31 chars); Source IP Address: New IP Address (wildcard must be reserved mas
21. Selecting and Removing a Virtual Device. Requirements: Create, configure, select and remove a virtual device.
   Configuration procedures:
   1. Enter http://155.1.1.1 in the address bar on Host B to enter the login page. Type username admin and password admin and click Login to log in to the web interface. The current virtual device is root.
   2. From the navigation tree, select Device Management > Virtual Device to enter the virtual device management page. Click Add to add a device and configure its ID as 2 and name as VD1.
   3. Enter the interface member configuration page and configure the member interfaces for the virtual device. By default, all interfaces belong to virtual device root. Select the drop-down list right of GigabitEthernet0/1, select VD1 and click Apply to add GigabitEthernet0/1 to virtual device VD1, as shown in the following figure. [Interface member list: Interface / Member; GigabitEthernet0/0 Root, GigabitEthernet0/1, GigabitEthernet0/2 Root, GigabitEthernet0/3 Root, NULL0 Root]
   4. Enter the VLAN member configuration page and configure the member interfaces for the virtual device. Click the edit button in the Operation column corresponding to VD1, type 1,3 and 5 in the text box and click Apply to configure member VLANs for the virtual device. [Virtual Device / VLAN Range / Operation: Root 1-4094; "VLAN range is from 1 to 4094, and only , and - are allowed to be used for division and connection"]
22. [Source manual: H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples]
   Figure 43 Create VLAN-interface 100 [Interface Creation: Interface Name Vlan-interface 100 (VID 1-4094); IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.2.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface; items marked with an asterisk are required; Apply / Back]
   Figure 44 Create VLAN-interface 103 [Interface Creation: Interface Name (VID 1-4094); MTU; IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.3.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface; items marked with an asterisk are required]
   Select Device Management > Zone from the navigation tree. Add VLAN-interface 100 to the Trust zone. Add VLAN-interface 103 to the Untrust zone.
   Figure 45 Add interfaces to the Trust zone [Zone ID; Preference 85 (1-100); Share No
23. the Web page displays success of import. After the device is rebooted, the configuration information and the imported configuration file are consistent.
   Verifying configuration restoration to the factory defaults: The system can automatically reboot, delete the current configuration information and restore to the factory defaults.
   Verifying software upgrade: The system displays "upgrading" during the software upgrade. If you select "Reboot after the upgrade is finished", the system will reboot after the upgrade finishes. If you do not select "Reboot after the upgrade is finished", you need to manually reboot the device.
   Verifying device reboot: After clicking Apply, the device automatically reboots. If you select "Check whether the configuration is saved to the configuration file for next boot" and click Apply, the system gives a prompt in the case that the configuration is not saved, and the system does not reboot automatically.
   [Source manual: H3C SecPath Series Firewalls Configuration Maintenance Example]
   [Screenshots: "The device is rebooting, please login later. Relogin"; Microsoft Internet Explorer dialog: "Start to check configuration with next startup configuration file, please wait"; "The current configuration and the saved configuration are different, the system will not reboot"]
24. [Syslog configuration page: Log Buffer Size (0-1024, default 512); Clear Log; Log Host IP Address / Port: Log Host 1 Port (1-65535, default 514), Log Host 2 Port (1-65535, default 514), Log Host 3 Port (1-65535, default 514), Log Host 4 Port (1-65535, default 514); Refresh; Refresh Period Manual]
   Table 1 describes the syslog configuration items.
   Table 1 Syslog configuration items (Item: Description):
   Log Buffer Size: Set the number of syslogs that can be stored in the log buffer.
   Clear Log: To clear the logs in the log buffer, click this button.
   Log Host 1, Log Host 2, Log Host 3, Log Host 4: Set the IP address and port number of the syslog log hosts. The log information can be reported to the specified remote log hosts in the format of syslog, and you can specify up to four syslog log hosts.
   Refresh Period: Set the refresh period of the log information displayed on the log report web interface. Manual: You need to refresh the web interface when displaying log report information. Automatic: You can select to refresh the Web page every 10 seconds, 30 seconds, 1 minute, 5 minutes or 10 minutes.
   [Source manual: H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example]
   Configuring User Logging: User logs can be output in the following two formats, and you can select either one: Output to the information center of the device in the format of system inform
25. ... 0/3 into the DMZ zone.
Hangzhou H3C Technologies Co Ltd www h3c com 5/25 H3C SecPath Series Firewalls NAT Configuration Examples
Figure 2 Add interfaces to zones (screenshot; columns Name / IP Address / Mask / Security zone): first row garbled in extraction; GigabitEthernet0/4 172.1.1.1 255.255.255.0 Untrust; GigabitEthernet0/2 1.1.1.1 255.255.255.0 Trust; GigabitEthernet0/3 2.1.1.1 255.255.255.0 DMZ.
Configuring ACL
Configure ACL 2000 to match traffic from subnet 192.168.1.0/24 to subnet 172.16.0.0/24. Select Firewall > ACL from the navigation tree and click Add to enter the following page (ACL Number: 2000-2999 for Basic ACL, 3000-3999 for Advanced ACL, 4000-4999 for Ethernet Frame Header ACL; Match Order: Config; items marked with an asterisk are required).
- Type 2000 for ACL number.
- Select the match order Config.
- Click Apply.
- Click the edit icon of ACL 2000 to enter the ACL rule page. Click Add and configure as follows.
Figure 3 Configure the ACL (screenshot; columns Rule ID / Operation / Description / Time Range / Operation): 0 permit source 2.1.1.0 0.0.0.255, None; 5 permit source 1.1.1.0 0.0.0.255, None; Add.
NAT Configuration Examples
Easy IP
Requirements: Use an ACL to permit only certain internal IP addresses to be NATed, and use the public IP address of an interface as the translated source address.
Hangzhou H3C Technologies Co Ltd www h3c com 6/25 H3C SecPath Series Firewalls NAT Conf
26. ... 1/0 and GE 1/3 with VPN 1.
interface GigabitEthernet1/0
 port link-mode route
 ip binding vpn-instance vpn1
 ip address 100.1.1.1 255.255.255.0
 arp max-learning-num 2048
interface LoopBack1
 ip binding vpn-instance vpn1
 ip address 30.1.1.1 255.255.255.255
interface GigabitEthernet1/3
 port link-mode route
 ip binding vpn-instance vpn1
 ip address 20.1.1.1 255.255.255.0
Hangzhou H3C Technologies Co Ltd www h3c com 8/11 H3C SecPath Series Firewalls Virtual Firewall Configuration Examples
- Configuration on Device B:
interface GigabitEthernet0/0
 port link-mode route
 ip address 100.1.1.2 255.255.255.0
interface LoopBack1
 ip address 31.1.1.1 255.255.255.255
Configuring Static Routes
Requirements: Configure static routes in multiple VPNs.
Configuration procedures: Based on the basic configurations, perform the following configuration on Device A. Configure a static route to loopback 1 of Device B:
ip route-static vpn-instance vpn1 31.1.1.1 0 100.1.1.2
Verification: On Device A, execute the ping -vpn-instance vpn1 31.1.1.1 command. The ping succeeds.
Configuring RIP Routes
Requirements: Configure RIP routes in multiple VPNs.
Configuration procedures: After the basic configuration, perform the following configuration on Device A and Device B.
Configuration on Device A:
rip 1 vpn-instance vpn1
 network 100.0.0.0
 network 30.0.0.0
Configuration on Device B:
rip
 network 100.0.0.0
 network 31.0.0.0
27. (OSPF configuration, continued) ... 255
 network 100.1.1.0 0.0.0.255
Verification: On Device A, execute the ping -vpn-instance vpn1 31.1.1.1 command. The ping succeeds.
Hangzhou H3C Technologies Co Ltd www h3c com 10/11 H3C SecPath Series Firewalls Virtual Firewall Configuration Examples
On Device A, display the routing table of the virtual firewall after the VPN instances are associated with the interfaces (cells marked "garbled" could not be recovered from the extraction):
<DeviceA> dis ip routing-table vpn-instance vpn1
Routing Tables: vpn1
        Destinations : 10        Routes : 10
Destination/Mask    Proto   Pre  Cost   NextHop     Interface
10.1.1.0/24         Direct  0    0      (garbled)   GE1/1
10.1.1.1/32         Direct  0    0      127.0.0.1   InLoop0
20.1.1.0/24         Direct  0    0      (garbled)   GE1/3
20.1.1.1/32         Direct  0    0      127.0.0.1   InLoop0
(garbled)/32        Direct  0    0      (garbled)   InLoop0
(garbled)/32        OSPF    10   2      (garbled)   GE1/0
100.1.1.0/24        Direct  0    0      (garbled)   GE1/0
100.1.1.1/32        Direct  0    0      127.0.0.1   InLoop0
127.0.0.0/8         Direct  0    0      (garbled)   InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1   InLoop0
The above output shows that multi-VPN-instance routing through OSPF is effective.
Hangzhou H3C Technologies Co Ltd www h3c com 11/11 H3C SecPath Series Firewalls Virtual Firewall Configuration Examples
H3C SecPath Series Firewalls Connection Limit Configuration Exampl
28. ... A5, SecPath F1000E and SecPath UTM 200-A/200-M/200-S firewalls. As shown in Figure 14, the internal host accesses the Internet through a firewall. The firewall records the session logs for the traffic passing through it and sends the syslogs and session logs to the SecCenter for analysis.
Figure 14 Network diagram for log management and SecCenter configuration (labels: Host 192.168.1.2; Trust zone; Device with GE1/4 192.168.1.1 and GE1/0 192.168.250.12; Untrust zone; SecCenter 192.168.100.14).
Hangzhou H3C Technologies Co Ltd www h3c com 17/24 H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example
Configuration Considerations
The major configurations comprise:
- Setting the logging policy on the firewall
- Setting up the SecCenter
Software Version Used: SecPath F1000E V300R001B01 R3166 series and V800R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S firewalls V500R001B01 R5116 series.
Configuration Procedures
Configuring the Firewall to Send the Syslogs to the SecCenter
Configure the firewall to send the syslogs to the SecCenter. Perform the configuration as shown in Figure 15 and set the port number to 30514.
Figure 15 Syslog (screenshot): Log Buffer Size 512 items (0-1024, default 512); Log Host 1 IP address 192.168.100.1 (as extracted), Port 30514 (1-65535, default 514); Log Host 2, Port (default 514); Log Host 3, Port (1-65535, default 514); Log
29. (Interzone policy list, screenshot; columns Source Zone / Destination Zone / ID / Source Address / Destination Address / Service / Action / Description / Status / Log / Source MAC / Destination MAC / Operation): Untrust to DMZ, 0, any address, any address, any service, Permit, Disabled; Untrust to Trust, 0, any address, any address, any service, Permit, Disabled.
- Access PC 2 in the DMZ zone from PC 3 in the Trust zone and perform ping, HTTP, FTP, DNS and Telnet operations.
- Check the session list. Verification 2 is expected.
4. Create ACL 2000 as follows. Basic ACL 2000 (Rule ID / Operation / Description / Time Range): 1 permit source 172.1.1.0 0.0.0.255, None.
- Apply ACL 2000 to the static NAT entry.
Hangzhou H3C Technologies Co Ltd www h3c com 15/25 H3C SecPath Series Firewalls NAT Configuration Examples
Add Static Address Mapping (screenshot): VPN Instance; Internal IP Address (garbled in extraction); Global IP Address 172.1.1.50; Network Mask; ACL 2000 (2000-3999); items marked with an asterisk are required; Cancel.
- Access PC 3 from PC 2 and ping IP address 172.1.1.2. Verification 3 is expected.
- Access PC 2 from PC 4 and ping IP address 172.1.1.50. Verification 4 is expected.
Verification results
1. The ping, HTTP, FTP, DNS and Telnet operations are successful. Check the session list: type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure (Query item: Init src IP; IP Address 2.1.1.2; VPN; Session
30. Hangzhou H3C Technologies Co Ltd www h3c com 3/39 H3C SecPath Series Firewalls IPsec Configuration Examples
Both AH and ESP provide authentication services. However, the authentication service provided by AH is stronger than that provided by ESP. In practice, you can choose either or both security protocols as required. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
Basic Concepts of IPsec
Security association: IPsec enables secure communication between two ends, which are called IPsec peers. Security associations (SAs) are fundamental to IPsec. An SA is a set of elements including the protocols (AH, ESP or both), the encapsulation mode (transport mode or tunnel mode), the encryption algorithm (DES, 3DES or AES), the shared key used for flow protection, and the key lifetime. An SA can be created with IKE.
Encapsulation modes: IPsec can work in the following two modes.
- Tunnel mode: The whole IP packet is used to calculate the AH/ESP header, which is encapsulated into a new IP packet together with the ESP-encrypted data. Generally, tunnel mode is used for communication between two security gateways.
- Transport mode: Only the transport layer data is used to calculate the AH/ESP header, which is placed after the original IP header and before the ESP-encrypted data. Generally, transport mode is used for communication between two hosts, or between a host and a security gateway.
Figure 1 illustrates how
31. (Syslog configuration page, continued) Log Host 4: Port (1-65535, default 514). Refresh; Refresh Period.
Configuring the Firewall to Send the Session Logs to the SecCenter
Step 1: Select Log Report > Userlog from the navigation tree and input the IP address and receiving port number of the log host on the page, as shown in Figure 16. The flow log receiving port number of the SecCenter is 30017.
Hangzhou H3C Technologies Co Ltd www h3c com 18/24 H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example
Figure 16 Flow logging (screenshot): Version (1.0 / 3.0); Source IP Address of Packets; Log Host Configuration: Log Host 1 with VPN Instance, IP Address 192.168.100.14, Port 30017 (0-65535); Log Host 2 with VPN Instance, IP Address, Port (0-65535); "Output flow logs to information center" (with this function enabled, the system will not output flow logs to the specified userlog host); items marked with an asterisk are required; Apply; Statistics.
Step 2: Select Log Report > Session Log > Log Policy from the navigation tree and configure the firewall to log the traffic between the Trust zone and the Untrust zone on the page, as shown in Figure 17.
Figure 17 Session logging policy list (screenshot; Source Zone: All zones; Destination Zone: All zones; Search; columns Source zone / Destination zone / ACL / Operation): Trust to Untrust; Untrust to Trust; Add.
Note: The log sending port numbers must be the same as the corresponding port numbers on the SecCenter. T
32. ... Internet Protocol (TCP/IP) Properties window. Click the radio buttons next to "Obtain an IP address automatically" and "Obtain DNS server address automatically".
Hangzhou H3C Technologies Co Ltd www h3c com 8/15 H3C SecPath Series Firewalls DHCP Configuration Examples
Verification
After the preceding configurations are complete, you can see that client 2 obtains the fixed IP address 10.1.1.5 and client 1 obtains an IP address on subnet 10.1.1.0/24.
1. View the detailed information of GigabitEthernet 0/1 on client 2. You can view the IP address that the interface has obtained:
Port Statistics
GigabitEthernet0/1 current state: UP
Line protocol current state: UP
Description: GigabitEthernet0/1 Interface
The Maximum Transmit Unit is 1500
Hold timer is 10 sec
Internet Address is 10.1.1.5/24 acquired via DHCP
2. Run the ipconfig /all command in the Command Prompt window. You can see the configuration information, including that the corresponding network interface card has obtained IP address 10.1.1.6 from the DHCP server. (ipconfig output, partly garbled in extraction: Ethernet adapter; Connection-specific DNS Suffix; Description: Realtek RTL8139 Family PCI Fast Ethernet NIC; Physical Address (garbled); Autoconfiguration Enabled; IP Address 10.1.1.6; Subnet Mask (garbled); Default Gateway (garbled); DHC
33. Ltd www h3c com 3/15 H3C SecPath Series Firewalls DHCP Configuration Examples
As shown in Figure 1, two DHCP clients, client 2 and client 1, reside on the same subnet as the DHCP server. Client 2 is connected to the DHCP server through GigabitEthernet 0/1, and client 1 is connected to the DHCP server through a network interface card. The IP address of GigabitEthernet 0/1 on the DHCP server is 10.1.1.1/24. Configure the U200-S to allow client 1 to obtain an IP address and other parameters dynamically from the DHCP server, and to allow client 2 to obtain a fixed IP address and other parameters from the DHCP server.
Figure 1 Network diagram for DHCP configuration example (labels: Client 1; Client 2, GE0/1; DHCP Server, GE0/1 10.1.1.1/24).
Configuration Considerations:
- Configure the DHCP server
- Configure client 1 and client 2 as DHCP clients
Software Version Used: SecPath F1000E V300R001B01 R3166 series and V300R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S firewalls V500R001B01 R5116 series.
Configuration Procedures
Basic Configuration
Specify the IP address of GigabitEthernet 0/1:
- Select Device Management > Interface from the navigation tree.
Hangzhou H3C Technologies Co Ltd www h3c com 4/15 H3C SecPath Series Firewalls DHCP Configuration Examples
(Interface management page, screenshot: Search Item: Name; Keywords; Search; columns Name / IP Address / Mask / Security Zone / Status / Operation; Gigabit
34. ... PC 1.0.0.100 has been added to the blacklist.
- Because you selected "Add a source IP to the blacklist" when configuring scanning prevention, the device also automatically adds scanning sources to the blacklist. For details, refer to Scanning Prevention.
Global Configuration (screenshot): Enable Blacklist (selected). Blacklist Configuration: IP Address search; Advanced Search; columns IP Address / Add Method / Start Time / Hold Time (minutes) / Dropped Count / Operation: 1.0.0.10, Manual, start time 2010 (rest garbled in extraction), hold time 5, dropped count 0; 1.0.0.100, Auto, start time 2010 (rest garbled in extraction), hold time 10, dropped count 11.
ICMP Flood Attack Protection
- Use SmartBits to send ICMP packets with the destination address 2.0.0.2 to zone Trust at a rate higher than 1000 frames per second for three seconds, changing the source address frequently.
Hangzhou H3C Technologies Co Ltd www h3c com 13/18 H3C SecPath Series Firewalls Attack Protection Configuration Example
Note: SmartBits is a data protocol analyzer from Spirent Communications. For ICMP flood, UDP flood and SYN flood attacks, the sampling interval of the device is one second. If the number of half-open connections or the session establishment rate exceeds the threshold in three consecutive sampling intervals, the device considers that an attack has occurred. Therefore, when using SmartBits to simulate a flood attack, be sure to send attack packets for at least four seconds.
UDP Flood Attack Protection
Select Intrusion Detection > S
35. Select Log Report > Session Log > Global Setup from the navigation tree to enter the page for setting session logging thresholds, as shown in Figure 6.
Hangzhou H3C Technologies Co Ltd www h3c com 9/24 H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example
Figure 6 Global configuration page (screenshot): Time Threshold (minutes, 10-120, must be a multiple of 10); Traffic Threshold: Packet Count (mega-packets, 1-1000) or Byte Count (mega-bytes, 1-1000).
Table 7 describes the configuration items for setting session logging thresholds.
Table 7 Configuration items for setting session logging thresholds
Time Threshold - Set the time threshold for outputting session logging entries. With this argument set, log entries are output for sessions whose lifetimes reach the specified time threshold.
Traffic Threshold - Set the traffic threshold for outputting session logging entries. It can be a number of packets or of bytes. With the traffic threshold set, log entries are output for sessions whose traffic reaches the specified threshold in number of bytes or packets.
Highlight: Support for this feature depends on your device model.
Return to Session logging configuration task list.
Log Report
The log report module allows you to view the log information on the device, and you can view the following logs through the Web interface:
- System logs
- Connection limit logs
- Atta
36. ... V500R001B01 R5116 series.
Basic Configurations
CLI Configurations
Interface configuration: From the navigation tree, select Device Management > Interface to enter the interface management page. GE 0/0, GE 0/1, GE 0/2 and GE 0/3 are Layer 3 interfaces. Configure their IP addresses according to Figure 2.
Security zone configuration: On the web interface, select Device Management > Zone from the navigation tree and add the interfaces to the corresponding security zones, as shown in Figure 2. Add GE 0/0 to the management zone (default). Add GE 0/1 to the Trust zone of virtual device root. Add GE 0/2 to the DMZ zone of virtual device root. Add GE 0/3 to the Untrust zone of virtual device root.
Figure 2 Interface configuration (screenshot; columns Name / IP Address / Mask / Security zone): Aux; GigabitEthernet0/0 188.1.1.1 255.255.255.0; GigabitEthernet0/2 2.1.1.1 255.255.255.0 DMZ; GigabitEthernet0/1 1.1.1.1 255.255.255.0 Trust; NULL0; GigabitEthernet0/3 (IP address garbled in extraction) 255.255.255.0 Untrust.
Username and password configuration: The device has a default username and password; please consult the factory default configuration. You can also use the following commands to configure a new user and its password:
local-user admin
 password simple admin
 service-type telnet
 level 3
Hangzhou H3C Technologies Co Ltd www h3c com 5/16 H3C SecPath Series Firewalls Virtual Device and Security Zone Configuration Examples
Feature Configurations
Creating/Configuring
37. Verification
After the preceding configurations are complete, you can see that the PC obtains an IP address from the address pool configured on the DHCP server (Device A). Run the ipconfig /all command in the Command Prompt window, and you can see the detailed configuration information.
Configuration Guidelines
1. When the DHCP server resides on a different network from the DHCP client, the interface through which the DHCP server is connected to the DHCP relay agent can be configured with any IP address not belonging to the address pool, whereas the interface through which the DHCP relay agent is connected to the DHCP client needs to be configured with an IP address from the address pool. To ensure normal communication after the client obtains an IP address, you need to configure the interface with the same mask as the address pool.
2. You can configure static bindings in a similar way as that of configuration example. The DHCP server does not perform conflict detection on the IP address of a static binding. Therefore, to ensure interconnection after the client obtains the IP address, it is recommended that you specify the static binding with an IP address on the same network segment as the DHCP relay agent's interface.
3. Configure a reachable route between the DHCP server and the DHCP client; otherwise, the client may fail to communicate with the server after obtaining an IP address, or the client cannot obtain an IP address because the server c
38. ... addresses. This function also simplifies the configuration of ACLs and security policies. If you specify the same source address as the source or destination address in the rule command of an ACL, the IP address variance and the influence of interface status can be masked, thus filtering flow logging packets.
Source IP Address of Packets - You are recommended to use the IP address of the loopback interface as the source IP address of flow logging packets.
Hangzhou H3C Technologies Co Ltd www h3c com 6/24 H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example
Log Host 1, Log Host 2 - Set the IPv4/IPv6 address and port number, and the VPN instance (this option is available only when you specify a log host with an IPv4 address), of the Userlog log host, to encapsulate flow logs in UDP packets and send them to the specified userlog log host. The log host can analyze and display the flow logs to remotely monitor the device.
- Centralized device: Up to two different userlog log hosts can be specified.
- Distributed device or Intelligent Resilient Framework (IRF) device: Up to two different userlog log hosts can be specified for each card.
Highlight: To avoid collision with the common UDP port numbers, you are recommended to use a UDP port number in the range from 1025 to 65535.
(Item name garbled in extraction) - Set to output flow logs to the information center in the format of system information.
Highlight: Output f
39. ... and traffic threshold are configured, a log entry is output for the session when it reaches whichever threshold comes first, and the statistics of the session are then cleared.
Hangzhou H3C Technologies Co Ltd www h3c com 8/24 H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example
Configuring a Session Logging Policy
Select Log Report > Session Log > Log Policy from the navigation tree to display the existing session logging policies, as shown in Figure 4. Then click Add to enter the session logging policy configuration page, as shown in Figure 5.
Figure 4 Session logging policy list (screenshot; Source Zone: All zones; Destination Zone: All zones; Search; columns Source Zone / Destination Zone / Operation): Untrust; Trust; Add.
Figure 5 Create a session logging policy (screenshot: Add Session Log Policy; Source Zone; Destination Zone; ACL (2000-3999); Cancel).
Table 6 describes the configuration items for configuring a session logging policy.
Table 6 Configuration items for configuring a session logging policy
Source Zone, Destination Zone - Specify the source zone and destination zone. You can configure an optional security zone through System > Zone.
ACL - Specify the ACL for filtering log entries; only log entries permitted by the ACL are output.
Return to Session logging configuration task list.
Setting Session Logging Thresholds
40. ... assigns an IP address to a client (such as a web server), and DHCP conveys the assigned address to the client.
- Automatic allocation: DHCP assigns a permanent IP address to a client.
- Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
IP Address Allocation Sequence
A DHCP server assigns an IP address to a client according to the following sequence:
1. The IP address manually bound to the client's MAC address or ID.
2. The IP address that was ever assigned to the client.
3. The IP address designated by the Option 50 field in the DHCP-DISCOVER message.
4. The first assignable IP address found in a proper common address pool.
5. The IP address that was a conflict or passed its lease duration.
If no IP address is assignable, the server does not respond.
Application Scenarios
As many people need to take their laptops across networks, the IP addresses need to be changed accordingly, so related configurations on hosts become more complex. Built on a client/server model, DHCP provides dynamic address allocation to simplify host configuration.
DHCP Configuration Example
Network Requirements
Note: The U200-S is used in this configuration example. This configuration example is applicable to SecPath F5000-A5, SecPath F1000E and SecPath UTM 200-A/200-M/200-S firewalls.
Hangzhou H3C Technologies Co
41. ... by the peer.
Applying an IPsec Policy Group
Select VPN > IPSec > IPSec Application from the navigation tree to display the IPsec policy application status, as shown in Figure 13. Find the interface to which you want to apply an IPsec policy group and then click the corresponding edit icon to enter the IPsec policy application page, as shown in Figure 14.
Hangzhou H3C Technologies Co Ltd www h3c com 19/39 H3C SecPath Series Firewalls IPsec Configuration Examples
Figure 13 IPsec policy application (screenshot; columns Interface / Operation): five GigabitEthernet interfaces, starting with GigabitEthernet0/0 (remaining names garbled in extraction).
Figure 14 IPsec policy application page (screenshot: IPSec Application Setup; Interface; Policy: policy1; items marked with an asterisk are required).
Table 9 describes the configuration items for applying an IPsec policy group.
Table 9 Configuration items for IPsec policy group application
Interface - Displays the interface to which you want to apply an IPsec policy group.
Policy - Select the IPsec policy group to be applied.
Note: Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application and then apply the new one to the interface. An IPsec policy group can be applied to more than one interface.
IPsec Configuration Example 1: Basic Application
Network Requirements
Hang
42. ... com 7/31 H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples
When editing VLANs for a Layer 2 interface in a security zone, pay attention to the VLANs you specify, because the Layer 2 interface may be used by other security zones on the virtual device.
Configuring inline Layer 2 forwarding
1. Configuration description: Add interfaces to an inline forwarding group.
2. Configuration procedure (see Figure 1): Select Network > Forwarding from the navigation tree, type 1 for Policy ID, and select GigabitEthernet 0/1 and GigabitEthernet 0/2 as Port 1 and Port 2 respectively. Note that you need to configure the two interfaces as Layer 2 interfaces in advance.
Figure 8 Create an inline forwarding policy (screenshot: Add INLINE Forwarding Policy; Policy ID 1; Policy Type Forward; Port 1 GigabitEthernet0/1; Port 2 GigabitEthernet0/2; items marked with an asterisk are required; Cancel).
Assign IP addresses to the PCs: 192.168.2.10/24 for PC1 and 192.168.2.11/24 for PC2.
- Add GigabitEthernet 0/1 to the Trust zone and GigabitEthernet 0/2 to the Untrust zone. Ping PC2 from PC1. Result A is obtained.
- Add GigabitEthernet 0/1 to VLAN 2 and GigabitEthernet 0/2 to VLAN 3. Ping PC2 from PC1. Result B is obtained.
- Configure GigabitEthernet 0/1 as an access port and GigabitEthernet 0/2 as a trunk port. Ping PC2 from PC1. Result C is obtained.
3. Verification: Result A: The ping operation succeeds.
43. ... configure VLANs 102 and 103 on the Device. Ping PC2 from PC1. Result D is obtained.
- Delete VLANs 102 and 103 and configure VLAN 1000 on the Device. Ping PC2 from PC1. Result E is obtained.
Configuring inter-VLAN Layer 2 forwarding on a non-default virtual device
- Select Device Management > Virtual Device > Configuration from the navigation tree and click Add to create a virtual device named Device.
Figure 12 Create a virtual device (screenshot: Add Virtual Device; Virtual Device ID; Virtual Device Name; items marked with an asterisk are required).
- Select Device Management > Virtual Device > VLAN from the navigation tree and configure VLAN 1000 as the VLAN member of the virtual device.
Hangzhou H3C Technologies Co Ltd www h3c com 11/31 H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples
Figure 13 Configure the VLAN member for the virtual device (screenshot: Virtual Device; VLAN Range; Operation; "VLAN range is from 1 to 4094, and only '-' and ',' are allowed to be used for division and connection of multiple VLANs. For example: 3-5,10"; Apply).
- Select Device Management > Zone from the navigation tree. Create security zones Device_Trust and Device_Untrust for the virtual device.
Figure 14 Create security zone Device_Trust (screenshot: Zone ID; Zone Name Device_Trust (1-20 chars); Preference (1-100); Share; items marked with an asterisk are required).
Figure 15 Create security
44. ... connects the corporate network to the Internet. The corporate network belongs to zone Trust, while the external network belongs to zone Untrust.
Hangzhou H3C Technologies Co Ltd www h3c com 3/13 H3C SecPath Series Firewalls Interzone Policy Configuration Example
- Configure an interzone policy allowing internal host Public to access the external network at any time, and denying all the other internal hosts access to the external network during working hours (from 8:00 to 18:00 on working days, Monday through Friday).
Figure 1 Network diagram for configuring interzone policies (labels: Untrust; Trust; 20.1.4.1/24 as extracted; Device).
Configuration Considerations:
- Assign IP addresses to the interfaces
- Configure zones
- Configure a time range resource
- Configure an address resource
- Configure an interzone policy
Software Version Used: SecPath F1000E V300R001B01 R3166 series and V800R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S firewalls V500R001B01 R5116 series.
Configuration Procedures
Assigning IP Addresses to Interfaces
Configuring GigabitEthernet 0/2
- From the navigation tree, select Device Management > Interface to enter the interface management page.
Hangzhou H3C Technologies Co Ltd www h3c com 4/13 H3C SecPath Series Firewalls Interzone Policy Configuration Example
Figure 2 Interface management page (screenshot: Name; Search; Advanced Search; columns Name / IP Addr
45. (Table of contents; dot leaders garbled in extraction)
(entry garbled in extraction) 4
Adding Interfaces to Zones 6
Configuring a Time Range Resource 9
Configuring an Address Resource 9
Configuring an Interzone Policy 10
Verification 12
Accessing the External Network from Host Public in Working Hours 12
Accessing the External Network from Other Hosts in Working Hours 13
References 13
Protocols and Standards 13
Related Documentation 13
Hangzhou H3C Technologies Co Ltd www h3c com 2/13 H3C SecPath Series Firewalls Interzone Policy Configuration Example
Feature Overview
Interzone policies based on access control lists (ACLs) are used for identification of traffic between zones. An interzone policy references one
46. ... h3c com 2/39 H3C SecPath Series Firewalls IPsec Configuration Examples
IPsec Configuration
IPsec Overview
IP Security (IPsec) refers to a series of protocols defined by the Internet Engineering Task Force (IETF) to provide high-quality, interoperable, cryptography-based security for IP packets. By means of facilities including encryption and data origin authentication, it delivers these security services at the IP layer:
- Confidentiality: The sender encrypts packets before transmitting them over the Internet.
- Data integrity: The receiver verifies the packets received from the sender to ensure they were not tampered with during transmission.
- Data origin authentication: The receiver authenticates the legality of the sender.
- Anti-replay: The receiver examines packets and rejects outdated or repeated packets.
IPsec delivers these benefits:
- Reduced key negotiation overheads and streamlined IPsec maintenance by supporting the Internet Key Exchange (IKE) protocol, which provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
- Good compatibility: IPsec can be applied to all IP-based application systems and services without any modification to them.
- Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly enhances IP security.
Implementation of IPsec
IPsec consists of a series of protocols for IP data security, including Authentication Header (AH)
47. ... information. Notification (severity 5): Normal information that needs to be
Note: A smaller value represents a higher severity level.
Displaying Connection Limit Logs
Select Log Report > Report > Connection Limit Log from the navigation tree to enter the page, as shown in Figure 8.
Hangzhou H3C Technologies Co Ltd www h3c com 11/24 H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example
Figure 8 Connection limit log configuration page (screenshot; columns Time/Date, Type, Source Zone, Source IP, Destination Zone, Destination IP, Current Rate, Current Connection, TCP Percentage, UDP Percentage, ICMP Percentage).
Table 10 describes the connection limit log configuration items.
Table 10 Connection limit log configuration items
Time/Date - Displays the time when the connection limit logs are generated.
Type - Displays the types of the traffic alarms: the number of source-IP-based connections exceeds the upper limit, or the number of destination-IP-based connections exceeds the upper limit.
Source Zone - Displays the source zone of the connection.
Source IP - Displays the source IP address of the connection.
Destination Zone - Displays the destination zone of the connection.
Destination IP - Displays the destination IP address of the connection.
Current Rate - Displays the rate of the current connection.
Current Connection - Displays the total number of the current connections.
TCP Percentage, UDP Percentage, ICMP Percentage -
48. (Screenshot residue of the preceding zone-interface dialog: interface list NULL0, Vlan-interface…, GigabitEthernet0/1, GigabitEthernet0/1.102; "The VLANs should be separated by , or -. For example, 3,6-10. Items marked with an asterisk (*) are required.")
Figure 46 Add VLAN-interface 103 to the Untrust zone (screenshot: Preference 5, Share No; interface list NULL0, Vlan-interface103, GigabitEthernet0/1, GigabitEthernet0/1.102; "The VLANs should be separated by , or -. For example, 3,5-10. Items marked with an asterisk (*) are required.")
Configure IP address 192.168.2.10 and default gateway 192.168.2.1 for PC1, and IP address 192.168.3.11 and default gateway 192.168.3.1 for PC2.
• Ping the IP address of PC2 from PC1. Result A is obtained.
• Select Firewall > Security Policy > Interzone Policy from the navigation tree. Define a policy to permit all traffic from the Untrust zone to the Trust zone. Ping the gateway of PC1 from PC2. Result B is obtained.
Figure 47 Define an inter-zone policy (screenshot: columns Source Zone, Destination Zone, Source Address, Destination Address, Service, Time Range, Action, Content Filtering Policy Template, Source MAC, Destination MAC, Operation; one rule: Untrust, Trust, any_address, any_address, any_service, Permit).
• Configure La
49. (Blacklist log page, screenshot residue: keyword search; columns Time/Date, Source IP, Reason, Hold Time (minutes). Rows: Jun 8 20:04:25:030 2010, 1.1.1.1, Manual insert, Permanence; Jun 8 20:04:20:023 2010, (IP illegible), Manual delete, Permanence; Jun 8 20:04:03:089 2010, 18.1.1.23, Auto insert, 10; Jun 8 20:03:43:261 2010, 18.1.1.223, Auto insert, 10.)
• Log Report > Report > InterZone Policy Log (screenshot residue: columns Source Zone, Destination Zone, Policy, Start Time, End Time, Action, Protocol Type, Flow Information; start times 2010-06-08 20:04:52, 2010-06-08 20:04:12, 2010-06-08 20:04:02, 2010-06-06 20:03:42; actions permitted; flow information such as 18.1.1.23:… > 172.16.16.3:288.)
Viewing the Logs on the SecCenter. On the management interface of the SecCenter, select the Firewall tab and click the links in the Event Auditing pane on the left to view various logs.
• Inter-Zone Access Logs (screenshot residue: Source Zone Trust, Destination Zone Untrust, Policy, Start Time, End Time, Action permitted, flow information.)
• Blacklist Logs: Firewall > Event Auditing > Blacklist Logs (screenshot residue: flow information 18.1.1.23:… > 172.16.16.3:288.)
50. (Contents fragment:) Scanning Prevention 16; Packet Inspection 17.
Feature Overview. Attack protection is an important firewall feature. It allows a firewall to detect attacks by analyzing the contents and behavior characteristics of received packets and, based on the analysis result, take countermeasures such as blacklisting the source IP addresses, outputting alarm logs, and/or discarding packets. The attack protection feature can detect various kinds of Denial of Service (DoS) attacks, scanning attacks, and malformed packet attacks and take actions in response. It does so by using blacklists, matching packets against attack signatures, and detecting traffic abnormalities. The attack protection feature also provides attack statistics.
Application Scenarios. The attack protection feature is usually deployed at the egress of a campus network or corporate network to detect and handle possible attack packets between the internal network and the external network, so as to protect the security of the internal network.
Configuration Guidelines. 1. Packet inspection and scanning prevention apply only to the inbound direction, that is, the
51. (Screenshot residue: "The VLANs should be separated by , or -. For example, 3,6-10. Items marked with an asterisk (*) are required.")
Configure IP address 192.168.2.10 and default gateway 192.168.2.1 for PC1, and IP address 192.168.3.11 and default gateway 192.168.3.1 for PC2.
• Ping PC2 from PC1. Result A is obtained.
• Ping PC1 from PC2. Result B is obtained.
• Add GigabitEthernet 0/1 to the Untrust zone and then ping PC2 from PC1. Result C is obtained.
• Remove the VID specified for the Layer 3 subinterfaces of the Device and then ping PC2 from PC1. Result D is obtained.
Configure Layer 3 subinterface forwarding on a non-default virtual device. Create a virtual device named Device, create Device_Trust and Device_Untrust zones for the virtual device, and add subinterfaces GigabitEthernet 0/1.1 and GigabitEthernet 0/1.2 to the virtual device as interface members. Select Device Management > Virtual Device > Interface from the navigation tree to display the page as shown in the following figure.
Figure 34 Add interfaces to the virtual device (screenshot: Interface Member list GigabitEthernet0/1, GigabitEthernet0/1.1, GigabitEthernet0/1.2, GigabitEthernet0/3, GigabitEthernet0/4, NULL0, Vlan-interface1; Virtual Device column.)
• Add GigabitEthernet 0/1.1 to Device_Trust and GigabitEthernet 0/1.2 to Device_Untrust. Ping PC2 from PC1. Result E is obtained.
3. V
52. (Screenshot residue: columns Protocol Type, Flow Information.) Table 13 describes the inter-zone policy log configuration items.
Table 13 Inter-zone policy log configuration items (Item: Description)
Start Time: Displays the time when the flows are created.
End Time: Displays the time when the flows are removed.
Source Zone: Displays the source zone of the flows.
Destination Zone: Displays the destination zone of the flows.
Policy ID: Displays the ID of the inter-zone policy that the flows match.
Action: Displays the actions taken against the flows, permitted or denied.
Protocol Type: Displays the protocol type of the flows.
Flow Information: Displays the flow information.
• If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port > destination IP address:destination port, for example 1.1.1.2:1026 > 1.1.2.10:69.
• If the protocol type is ICMP, the displayed flow information is source IP address > destination IP address (ICMP type, ICMP code), for example 1.1.1.2 > 1.1.2.10 echo 8.
• If the protocol type is another type except these three, the displayed flow information is source IP address > destination IP address, for example 1.1.1.2 > 1.1.2.10.
Displaying User Logs. Note: To display user logs through the Web interface, configure outputting user logs to the information center.
Displaying flow logs. Select Log Report > Report > Userlog from the navigation tree to enter the page for displaying flow
53. …same network segment with the interface IP address, which can be a primary IP address or some secondary IP address configured manually.
Configuring Fixed ARP. Introduction to Fixed ARP. Fixed ARP allows the device to change dynamic ARP entries (including those generated automatically) into static ARP entries, thus effectively preventing attackers from modifying ARP entries.
Configuring Fixed ARP.
• Select Firewall > ARP Anti-Attack > Fix from the navigation tree. All dynamic and static ARP entries learnt by the firewall device are displayed, including those obtained by ARP automatic scanning.
Figure 12 ARP entries (screenshot: columns IP Address, MAC Address, VLAN ID, Interface, Type, VPN Instance; five dynamic entries on GigabitEthernet0 interfaces for 192.168.251.2, 192.168.251.10, 192.168.251.254, 192.168.1.13 and 192.168.103.181, MAC addresses illegible; buttons Fix All, Del All Fixed, Del Fixed. Note: Fix All and Del All Fixed will take effect for all dynamic and static ARP entries in the system.)
• Select one or multiple dynamic ARP entries you want to change into static and click Fix.
• Select one or multiple static ARP entries you want to remove and click Del Fixed.
• To change all dynamic ARP entries into static, click Fix All.
• To delete all static ARP entries, click Del All Fixed.
54. …server through FTP.
3. Packet filtering results in the case that the involved interfaces are in different zones with interzone policies configured:
a. The server can ping Host C. The security zone with a higher precedence can access the security zone with a lower precedence. Host C can ping the server because an interzone policy (permit) is configured for the access direction from zone Untrust to zone DMZ. Host C can log into the server through FTP. When Host C logs into the server, display the session table. There is a session from 3.1.1.2 to 2.1.1.2.
(Session table screenshot residue: columns Init Src IP, Init Dest IP, Init VPN/VLAN/INLINE, Resp Src IP, Resp Dest IP, Resp VPN/VLAN/INLINE, Protocol, Status, Session Lifetime, Operation; rows include 155.1.1.2:2076 > 155.1.1.1:80 TCP EST 3600, an FTP session 3.1.1.2:1024 > 2.1.1.2:21 TCP, ICMP and UDP sessions between 3.1.1.2 and 2.1.1.2 in OPEN state, and 198.19.1.2:1024 > 198.19.1.1:1025 UDP OPEN.)
Remarks: After finishing this example, remove the configuration made in this example. Use a reversed mask when setting an address resource. Resource B
55. …service group resources, and configure the default interzone policy.
Configuration procedures:
1. Enable the FTP server on the server, configure the route to network segment 3.1.1.0/24, and set the gateway address to 2.1.1.1.
2. On Host C, which acts as the FTP client, configure the route to network segment 2.1.1.0/24 and configure the gateway address to 3.1.1.1.
3. Enter http://155.1.1.1 in the address bar on Host B to enter the login page. Type username admin and password admin and click Login to log in to the web interface. The current virtual device is root.
4. For packet filtering within the same security zone, add GE 0/2 and GE 0/3 to zone Trust and perform the following configuration as shown in the figure. Result 1 is expected.
(Modify Zone screenshot residue: Share No; interface list GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3, NULL0; "The VLANs should be separated by , or -. For example, 3,5-10. Items marked with an asterisk (*) are required." Copyright 2004-2010 Hangzhou H3C Technologies Co., Ltd. All Rights Reserved.)
5. For packet filtering among different zones without interzone policies, add GE 0/2 to zone DMZ and add GE 0/3 to zone Untrust. The server and Host C ping each other, and result 2 is expect
56. …the interface. Therefore, you must re-configure the IP address of the interface after configuring the command.
Configuring Route Exchange. You can configure route exchange among different VPN instances by using static routes, RIP, OSPF, IS-IS, EBGP, or IBGP as needed.
Configuring Route Exchange by Using Static Routes. Follow these steps to configure route exchange by using static routes (To do / Use the command / Remarks):
Enter system view: system-view.
Configure static routes for a specified VPN instance:
ip route-static dest-address { mask | mask-length } { gateway-address | interface-type interface-number [ gateway-address ] | vpn-instance d-vpn-instance-name gateway-address } [ preference preference-value ] [ tag tag-value ] [ description description-text ]
or
ip route-static vpn-instance s-vpn-instance-name&<1-5> dest-address { mask | mask-length } { gateway-address | interface-type interface-number [ gateway-address ] | vpn-instance d-vpn-instance-name gateway-address } [ preference preference-value ] [ tag tag-value ] [ description description-text ]
Remarks: Configured on the firewall. The configuration on the CE is the same as ordinary public static route configuration.
Configuring Route Exchange by Using RIP. One RIP process can belong to only one VPN instance. If you do not bind a RIP process with any VPN instance, it belongs to the public network. Follow these steps to configure rout
57. IKE Local Name: …this argument on the local device. Then the local device sends its gateway name as identification to its peer, and the peer uses the locally configured remote gateway name to authenticate the local device. Therefore, make sure that the local gateway name configured here is identical to the remote gateway name configured on its peer. By default, the device name is used as the local gateway name.
NAT Keepalive Interval: Set the interval at which the ISAKMP SA sends NAT keepalive packets to its peer. NAT mappings on a NAT gateway may get aged. If no packet traverses an IPsec tunnel in a certain period of time, the NAT mapping will be deleted, disabling the tunnel beyond the NAT gateway from transferring data. To prevent NAT mappings from being aged, an ISAKMP SA sends NAT keepalive packets to its peer at a certain interval to keep the NAT session alive.
Configuring an IKE Proposal. Select VPN > IKE > Proposal from the navigation tree to display existing IKE proposals, as shown in Figure 3. Then click Add to enter the IKE proposal configuration page, as shown in Figure 4.
Figure 3 IKE proposal list (screenshot: columns IKE Proposal Number, Authentication Method, Authentication Algorithm, Encryption Algorithm, DH Group, SA Lifetime (seconds), Operation; one entry with Preshared Key, SHA1, DES-CBC, remaining values illegible.)
Note: Typically, IKE proposal configuration is omitted and the default IKE proposal named d
58. …vpn2, ip address 20.1.1.1 255.255.255.0.
Create security zones v1_z1, v1_z2, v2_z1, and v2_z2. Add port GE 1/1 to v1_z1, GE 1/3 to v1_z2, GE 1/2 to v2_z1, and GE 1/4 to v2_z2. After the security zones are created, the web interface shows the following information:
(Zone list: 10 v1_z1, preference 60, share no, virtual device Root; 11 v1_z2, 50, no, Root; 12 v2_z1, 60, no, Root; 13 v2_z2, 50, no, Root.)
After the ports are added to the security zones, the web interface shows the following information:
(Interface list: GigabitEthernet1/1 10.1.1.1 255.255.255.0 v1_z1; GigabitEthernet1/2 10.1.1.1 255.255.255.0 v2_z1; GigabitEthernet1/3 20.1.1.1 255.255.255.0 v1_z2; GigabitEthernet1/4 20.1.1.1 255.255.255.0 v2_z2.)
Assign IP addresses to the PCs. Assign 10.1.1.2 to PC 1 with the default gateway as 10.1.1.1, and 20.1.1.2 to PC 3 with the default gateway as 20.1.1.1. Assign 10.1.1.3 to PC 2 with the default gateway as 10.1.1.1, and 20.1.1.3 to PC 4 with the default gateway as 20.1.1.1.
Verification: PC 1 can ping PC 3, and PC 2 can ping PC 4.
Configuring Routes on the Virtual Firewall. Requirements: Virtual firewalls in multiple VPNs have their own independent routing tables. Configure static route, RIP, and OSPF in virtual firewalls.
Basic Configurations.
• Configuration on Device A: Create interface loopback 1 on Device A and associate loopback 1 GE
59. …zone Device_Untrust. (Screenshot residue: Zone ID; Zone Name Device_Untrust (1-20 chars); Preference (1-100); Share No; items marked with an asterisk (*) are required.)
• Add GigabitEthernet 0/1.102 to Device_Trust and GigabitEthernet 0/1.103 to Device_Untrust. Ping PC2 from PC1. Result F is obtained.
3. Verification.
Result A: The ping operation succeeds.
Result B: The ping operation fails. This is because PC2 resides in the Untrust zone whereas PC1 resides in the Trust zone, which has a higher priority than the Untrust zone.
Result C: The ping operation succeeds. Packet forwarding is not affected after GigabitEthernet 0/1 is added to the Untrust zone.
Result D: The ping operation succeeds. After VLAN 1000 is deleted, traffic can still be forwarded because the PVID of GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103 is 1.
Result E: The ping operation fails. No Layer 2 forwarding entry is created because VLANs 102 and 103 do not exist.
Result F: The ping operation succeeds.
4. Configuration guidelines. To implement inter-VLAN Layer 2 forwarding, make sure that the VLAN with the same ID as the Layer 2 subinterface ID exists. On a physical port working in bridge mode, Layer 2 subinterfaces are configured to implement inter-VLAN Layer 2 forwarding. Packets are forwarded betwee
60. (Session table screenshot residue: rows include 192.168.250.230:8081 > 192.168.100.14:3303 TCP SYN; a session to 172.1.1.2:80 TCP EST 3600; a session to 172.1.1.1:21 TCP EST 3592; 192.168.100.14:3346 > 192.168.250.230:161 UDP OPEN 24; 192.168.96.15:4352 > 192.168.250.241:80 TCP EST 3600; a session TCP EST 3597; 15 records per page; Del Selected, Del All.)
• Type 2.1.1.2 in the IP Address text box and click Search to display the search result as shown in the following figure.
(Search result: Query Item Init src IP, IP Address 2.1.1.2; columns Init Src IP, Init Dest IP, Init VPN/VLAN/INLINE, Resp Src IP, Resp Dest IP, Resp VPN/VLAN/INLINE, Protocol, Status, Session Lifetime; one session: 2.1.1.2:1043 > 172.1.1.2:21, response 172.1.1.2:21 > 172.1.1.1:1027, TCP, TCP EST, 3538; Del Selected, Del All.)
Remarks: Remove the configuration in this example before performing another configuration example.
PAT. Requirements: Translate the source address of a packet into an IP address in the NAT address pool, and translate the source port of the packet.
Configuration steps:
1. Create an address pool.
• Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the following page.
61. (Contents fragment:) Limiting the Number of Connections on a Per-Source Basis 5; Limiting the Number of Connections on a Per-Destination Basis 6; Removing the Connection Limit … 6.
Overview. An internal user that initiates a large quantity of connections through a device to external networks in a short period of time occupies large amounts of system resources of the device, making other users unable to access network resources normally. An internal server that receives large numbers of connection requests within a short time cannot process those requests in time or accept other normal connection requests. To avoid these problems, you can configure connection limit policies to limit the number of connections.
Application Scenarios. The connection limit feature can limit the number of concurrent connections from internal users to external networks, or the number of connections from external users to an internal server.
Connection Limit Configuration Example. Network Requirements. Note: This configuration example is applicable to SecPath F5000-A5, SecPath F1000-E, and SecPath UTM 200-A/200-M/200-S firewalls. An F5000-A5 firewall is used in this configuration example for illustration. As shown in Figu
62. …3 version, you need to use the lacp enable command in interface view to enable LACP.
Configuration on the Device. Create Layer 3 aggregate interface Route-Aggregation1, assign an IP address for it, and set the dynamic aggregation mode:
interface Route-Aggregation1
 link-aggregation mode dynamic
 ip address 10.1.1.1 255.255.255.0
Assign interfaces GE1/6 and GE1/7 to aggregation group 1, which corresponds to Route-Aggregation1:
interface GigabitEthernet1/6
 port link-mode route
 port link-aggregation group 1
interface GigabitEthernet1/7
 port link-mode route
 port link-aggregation group 1
Configure source IP based load sharing:
link-aggregation load-sharing mode source-ip
Log in through the Web interface and add GE1/6, GE1/7 and the aggregate interface to the Trust zone. (Screenshot residue: Zone ID, Zone Name Trust, Preference 85, Share no, Virtual Device Root; member interfaces listed.)
Configure OSPF. This part is the same as any common OSPF configuration process.
Configuration on the S9505 switch. Create aggregation group 1 and configure the aggregation group to operate in static aggregation mode:
link-aggregation group 1 mode static
Assign interfaces GE4/1/1 and GE4/1/2 to aggregation group 1:
interface GigabitEthernet4/1/1
 po
63. (Screenshot residue: SA lifetime in seconds, Default 3600; in kbytes, 2560-4294967295, Default 1843200; items marked with an asterisk (*) are required.)
Table 7 describes the configuration items for creating an IPsec policy template.
Table 7 Configuration items for an IPsec policy template (Item: Description)
Template Name: Type the name for the IPsec policy template.
Sequence Number: Type the sequence number for the IPsec policy template. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.
IKE Peer: Select the IKE peer for the IPsec policy template to reference. Available IKE peers are those configured by selecting VPN > IKE > Peer from the navigation tree.
IPSec Proposal: Select up to six IPsec proposals for the IPsec policy template to reference. The IKE negotiation process will search for and use the exactly matching IPsec proposal. If no matching IPsec proposal is found, the expected SAs cannot be established and the packets that need to be protected will be discarded.
PFS: Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature.
• dh-group1: Uses the 768-bit Diffie-Hellman group.
• dh-group2: Uses the 1024-bit Diffie-Hellman group.
• dh-group5: Uses the 1536-bit Diffie-Hellman group.
• dh-group14: Uses the 2048-bit Diffie-Hellman group.
7
64. SecPath F5000-A5: V300R002B01 R3206. SecPath UTM 200-A/200-M/200-S: V500R001B01 R5116.
Configuring Layer 3 Link Aggregation in Static Mode. Static aggregation is stable. The aggregation state of the member ports is not affected by their peers, which also means that the member ports cannot change their aggregation state consistently with their peers. The administrator must manually maintain link aggregations. Hence, static aggregation is inflexible.
Configuration on the Device. Create Layer 3 aggregate interface Route-Aggregation1 and assign an IP address for it:
interface Route-Aggregation1
 ip address 10.1.1.1 255.255.255.0
Assign interfaces GE1/6 and GE1/7 to aggregation group 1, which corresponds to Route-Aggregation1:
interface GigabitEthernet1/6
 port link-mode route
 port link-aggregation group 1
interface GigabitEthernet1/7
 port link-mode route
 port link-aggregation group 1
Configure source IP based load sharing:
link-aggregation load-sharing mode source-ip
Log in through the Web interface and add GE1/6, GE1/7 and the aggregate interface to the Trust zone. (Screenshot residue: Zone ID, Zone Name Trust, Preference 85, Share no, Virtual Device Root; member interfaces listed.)
Configure OSPF. This part is the same as any common OSPF configu
65. (Screenshot residue: ACL (2000-3999); Address Transfer: Easy IP; Address Pool Index (0-255); Enable track to VRRP, VRRP Group (1-255); items marked with an asterisk (*) are required.)
• Access PC 3 from PC 2 and perform ping, HTTP, FTP, DNS, and Telnet operations.
• Check the session list to view the result.
Verification results:
• The ping, HTTP, FTP, DNS, and Telnet operations are successful.
• Check the session list. Type 2.1.1.2 in the IP Address text box and click Search to display the search result as shown in the following figure.
(Search result: Query Item Init src IP, IP Address 2.1.1.2; columns Init Src IP, Init Dest IP, Init VPN/VLAN/INLINE, Resp Src IP, Resp Dest IP, Resp VPN/VLAN/INLINE, Protocol, Status, Session Lifetime; one ICMP session from 2.1.1.2 to 172.1.1.2 with response 172.1.1.2 > 172.1.1.1:1024, status ICMP CLOSED, lifetime 14; Del Selected, Del All.)
Remarks: Remove the configuration in this example before performing another configuration example.
NAT Support for Multi-VPN. Requirements: Easy IP is used in this example. Perform the configuration at the CLI and web interface.
Configuration steps:
1. Configure VPNs.
• Configure multi-VPN.
• Bind an interface to multi-VPN.
• Configure VPN routes.
• Configure a VPN ACL.
(CLI view residue: View Device; Device-vpn-instance-vpn1; Device; Device-GigabitEthernet0/3; De
66. …ACL for a pair of source zone and destination zone. This ACL contains a group of ACL rules, each of which permits or denies packets matching the match criteria. Interzone policies can reference address resources and service resources to define the packet match criteria, and reference time range resources to specify the effective time ranges of the rules.
Application Scenarios. The interzone policies can be used for identifying traffic, monitoring traffic, and setting a firewall between zones.
Configuration Guidelines. The number of an ACL referenced by an interzone policy is assigned automatically by the system. When you create the first rule for two zones, the system automatically creates an ACL and assigns it an ACL number that is one more than the last assigned ACL number, starting from 6000. If you remove all rules of the interzone policy, the system automatically removes the ACL. Rules for a pair of source zone and destination zone are listed in match order on the web page. A rule listed earlier has a higher priority and is matched earlier. By default, the rules are in the order they are created, and you can manually adjust the order.
Interzone Policy Configuration Example. Network Requirements. Note: This configuration example is applicable to SecPath F5000-A5, SecPath F1000-E, and SecPath UTM 200-A/200-M/200-S firewalls. A UTM 200-S firewall is used in this configuration example for illustration.
• As shown in Figure 1, Device
67. (Contents fragment:)
Configuring an IKE Proposal 8
Configuring an IKE Peer 10
Configuring an IPsec Proposal 13
Configuring an IPsec Policy Template 15
Configuring an IPsec Policy 17
Applying an IPsec Policy Group 19
IPsec Configuration Example 1: Basic Application 20
Network Requirements 20
Software Version Used 21
Configuration Procedures 21
Verification 30
Viewing IPsec SAs
68. …Discard packets when the specified attack is detected; Apply. In the UDP Flood Configuration area, click Add and add host address 2.0.0.2 as an object to be protected. (UDP Flood Configuration: IP Address 2.0.0.2, Connection Rate Threshold 1000.)
Configuring SYN Flood Attack Protection.
• From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood. Then select security zone Trust, select Discard packets when the specified attack is detected, and click Apply. (Screenshot residue: Security Zone Trust; Attack Prevention Policy: Discard packets when the specified attack is detected; Add protected IP entry to TCP Proxy; Apply.)
• In the SYN Flood Configuration area, click Add and add host address 2.0.0.2 as an object to be protected. (SYN Flood Configuration: IP Address 2.0.0.2, Connection Rate Threshold 1000, a second threshold column (name illegible) 10000.)
Configuring Scanning Prevention.
• From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection. Then select security zone Untrust, select Enable Scanning Detection and Add a source IP to the blacklist, and click Apply. (Screenshot residue: Security Zone Untrust; Enable Scanning Detection; Scanning Threshold 400 (1-10000 connections per second); Add a sourc
69. (Contents fragment:)
Configuring Route Exchange by Using Static Routes 4
Configuring Route Exchange by Using RIP 4
Configuring Route Exchange by Using OSPF 5
Application Scenarios 5
Configuration Example 5
Network Requirements 5
Configuration Considerations 6
Software Version Used 6
Basic Configurations 6
Configuring Forwarding within the Same Virtual Firewall 7
Requirements 7
Basic Configurations 7
Verification
70. (Contents fragment:) … 24; Related Documentation 24.
Feature Overview. The log management feature enables you to store the system messages or logs generated by actions such as packet filtering to the log buffer, or send them to the log hosts. The analysis and archiving of the logs can enable you to check the security holes of the firewall, who tried to disobey security policies and when, and the types of the network attacks. The real-time logs can also be used to detect ongoing attacks.
Configuring Syslog. The syslog module allows you to set the related parameters of the information center. Acting as the system information hub, the information center classifies and manages the system information, offering powerful support for network administrators and developers in monitoring the network performance and diagnosing network problems. The information center can output the log information to the Web interface for users to view the logs. Meanwhile, it can also output the log information to the specified syslog log host based on your configuration. Select Log Report > Syslog from the navigation tree to enter the page as shown in Figure 1.
Figure 1 Syslog (screenshot residue: Log Buffer, Log Buffer Size …)
71. (Interface list screenshot, continued: an interface with IP address 192.168.100.1 255.255.255.0; GigabitEthernet0/4 Untrust; GigabitEthernet0/3 Untrust; GigabitEthernet0/2 192.168.250.212 255.255.255.0; GigabitEthernet0/5 Trust; NULL0; 7 records)
• Click the edit icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.
(Edit Interface screenshot: Interface Name GigabitEthernet0/1; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 110.1.1.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface GigabitEthernet0/0)
Add GigabitEthernet 0/1 to the Trust zone:
• Select Device Management > Zone from the navigation tree.
[H3C SecPath Series Firewalls DHCP Configuration Examples, page 5/15]
(Zone list screenshot: Zone ID, Zone Name, Preference, Share, Virtual Device, Operation; zones Management, Local, Trust, DMZ, Untrust)
• Click the edit icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/1 to the Trust zone
72. (Figure 3 screenshot, continued: Configure GigabitEthernet 0/1 as a Layer 2 interface; Interface Name GigabitEthernet0/1; Interface Status Connected; Interface Type; VID; MTU; Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered)
[H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples, page 5/31]
Figure 4 Configure GigabitEthernet 0/2 as a Layer 2 interface (screenshot: Interface Name GigabitEthernet0/2; Interface Status Connected; Interface Type; VID; MTU; TCP MSS; Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered)
• Select Network > VLAN > VLAN from the navigation tree, create VLAN 2, and assign GigabitEthernet 0/1 and GigabitEthernet 0/2 to VLAN 2.
Figure 5 Add interfaces to VLAN 2 (screenshot: ID 2; Description VLAN 0002 (1-32 chars); port membership of GigabitEthernet0/1 and GigabitEthernet0/2: Untagged Member / Tagged Member / Not a Member)
Assign IP addresses to the PCs: 192.168.2.10/24 for PC1 and 192.168.2.11/24 for PC2.
• Select Device Management > Zone from the navigation tree and edit the Trust zone of the root virtual device. Add GigabitEthernet 0/1 to the Trust zone and GigabitEthernet 0/2 to the Untrust zone. Ping PC2 from PC1. Result A is obtained.
• Edit the Trust zone and modify the VLAN for GigabitEthernet 0/1 from the default
73. [H3C SecPath Series Firewalls IPsec Configuration Examples, page 25/39]
• Select the IKE peer named peer.
• Select the IPsec proposal named proposal and click <<.
• Type 3101 as the ACL.
• Click Apply.
Apply the IPsec policy to interface GigabitEthernet 0/0:
• Select VPN > IPSec > IPSec Application from the navigation tree and then click the edit icon of interface GigabitEthernet 0/0. Perform the configuration shown in Figure 23.
Figure 23 Apply the IPsec policy to interface GigabitEthernet 0/0 (screenshot: IPSec Application Setup; Interface; Policy: policy; items marked with an asterisk are required)
• Select the policy named policy.
• Click Apply.
Configure Device B
Assign IP addresses to the interfaces and then add them to their target zones. (Omitted)
Define an ACL to permit traffic from subnet 172.16.0.0/24 to subnet 192.168.1.0/24:
• Select Firewall > ACL from the navigation tree and then click Add.
• Type 3101 as the ACL number.
• Select the match order Config.
• Click Apply.
• From the ACL list, select ACL 3101 and click the corresponding edit icon. Then click Add to enter the ACL rule configuration page. Configure a rule for ACL 3101 as shown in the following figure.
Figure 24 Configure a rule for ACL 3101 (screenshot: Advanced ACL 3101; Rule ID; Operation; Description: permit ip source 172.16.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255)
Configure a stat
74. [H3C SecPath Series Firewalls Virtual Firewall Configuration Examples, page 9/11]
Verification
On Device A, execute the ping -vpn-instance vpn1 31.1.1.1 command. The ping succeeds.
On Device B, execute the ping 30.1.1.1 command. The ping succeeds.
On Device A, display the routing table of the virtual firewall after the VPN instances are associated with the interfaces:
<DeviceA> dis ip routing-table vpn-instance vpn1
Routing Tables: vpn1
        Destinations : 10        Routes : 10
Destination/Mask    Proto   Pre  Cost   NextHop      Interface
20.1.1.0/24         Direct  0    0      20.1.1.1     GE1/3
20.1.1.1/32         Direct  0    0      127.0.0.1    InLoop0
100.1.1.0/24        Direct  0    0      (illegible)  GE1/0
(The remaining entries, Direct routes via GE1/1 and InLoop0 and a RIP route via GE1/0, are illegible in the scan.)
The above route entries are not in the public routing table.
Configuring OSPF Routes
Requirements: In the firewall, configure OSPF routes in multiple VPNs.
Configuration procedures: After the basic configuration, perform the following configuration on Device A and Device B.
Configuration on Device A:
ospf 1 vpn-instance vpn1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
Configuration on Device B:
ospf 1
 area 0.0.0.0
  network 31.1.1.0 0.0.0
75. (Table 4 IKE peer configuration items, continued)
Item | Description
Local ID Type | Select the local ID type for IKE negotiation phase 1. • IP Address: uses an IP address as the ID in IKE negotiation. • Gateway Name: uses a gateway name as the ID in IKE negotiation. Highlight: In main mode, only the ID type of IP address can be used in IKE negotiation and SA establishment.
[H3C SecPath Series Firewalls IPsec Configuration Examples, page 11/39]
Item | Description
Local IP Address | Type the IP address of the local security gateway. By default, it is the primary IP address of the interface referencing the security policy. Configure this item when you want to specify a special address for the local security gateway. Highlight: Normally you do not need to specify the local IP address. You only need to do so when you want to specify a special address, such as a loopback interface address.
Remote Gateway IP Address | For the local peer to act as the initiator, you need to configure the remote security gateway name or IP address so that the local peer can find the remote peer during negotiation. Type the IP address or host name of the remote security gateway. You can specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address, and its remote IP address must match the local IP address configured on its peer. If the local end is
76. (Session list screenshot, continued: columns Init Src IP, Init Dest IP, VPN/VLAN, Resp Src IP, Resp Dest IP, Protocol, State, Lifetime; entry: 2.1.1.2:1054 -> 172.1.1.2:21, responder 172.1.1.2:21 -> 172.1.1.50:1054, TCP, TCP-EST, 3538; Del Selected / Del All)
2. The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list: the destination IP address is translated to the internal address, but the destination port number remains unchanged. Type 172.1.1.2 in the IP Address text box and click Search to display the search results.
3. PC 2 cannot access PC 3, because ACL 2000 only permits packets from 172.1.1.0 and thus denies packets from subnet 2.1.1.0.
4. PC 3 can access PC 2, because ACL 2000 permits packets from subnet 172.1.1.0.
[H3C SecPath Series Firewalls NAT Configuration Examples, page 16/25]
(Session list screenshot: Query Item Init Src IP, IP Address 172.1.1.2; entry: 172.1.1.2:2082 -> 172.1.1.50:21, responder 2.1.1.2:21 -> 172.1.1.2:2082, TCP, TCP-EST, 3593; Del Selected / Del All)
Remarks: Remove the configuration in this example before performing another configuration example.
Internal Server
Requirements: Configure an internal server that provides services to external hosts. Upon receiving a request from an external host that wants to access the internal server, NAT on the firewall translates
77. (Table of contents, continued)
Viewing Packet Statistics ... 30
IPsec Configuration Example 2: Working with NAT ... 30
Network Requirements ... 30
Configuration Considerations ... 31
Configuration Procedures ... 31
Verification ... 38
Viewing IPSec SAs ... 38
Viewing Packet Statistics ... 38
Configuration Guidelines ... 39
References ... 39
Protocols and Standards ... 39
Related Documentation ... 39
Hangzhou H3C Technologies Co., Ltd. www.h3c.com
78. (IKE peer list screenshot, continued: columns Peer Name, Negotiation Mode, Remote IP Address / Hostname, Gateway Name, NAT Traversal, Operation; Add)
[H3C SecPath Series Firewalls IPsec Configuration Examples, page 10/39]
Figure 6 Add an IKE peer (screenshot: Peer Name (1-15 chars); IKE Negotiation Mode: Main / Aggressive; Local ID Type: IP Address / Gateway Name; Local IP Address; Remote Gateway: IP Address / Hostname; Remote ID (1-32 chars); Pre-Shared Key (1-128 chars); PKI Domain; Enable DPD; Enable the NAT traversal function; note: if the local end is the initiator, only one remote IP address can be specified; if the local end is the responder, the remote IP address range must include the local IP address of the initiator; items marked with an asterisk are required)
Table 4 describes the configuration items for creating an IKE peer.
Table 4 IKE peer configuration items
Item | Description
Peer Name | Type a name for the IKE peer.
IKE Negotiation Mode | Select the IKE negotiation mode for phase 1, which can be Main or Aggressive. Highlight: If one end of an IPsec tunnel is configured to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct. • The specified negotiation mode is used when the local peer is the negotiation initiator. When acting as the responder, the negotiation mode of the initiator is used.
79. (ipconfig output screenshot, continued: DNS Servers; Primary WINS Server; Lease Obtained; Lease Expires; the values are illegible)
Configuration Guidelines
1. When a DHCP client resides on the same subnet as the DHCP server, to ensure communication between them after the client obtains an IP address, it is recommended that you configure the interface through which the server connects to the client with an IP address from the address pool and with the same mask as the address pool.
2. To configure a valid static binding, you need to bind an IP address to a MAC address or a client ID. In this example, you can also bind the MAC address of the PC to the IP address so that the PC obtains a fixed IP address.
3. If you bind an IP address to both a client ID and a MAC address, the IP-to-client-ID binding takes precedence.
4. You can use the display dhcp client verbose command on a DHCP client to view the client ID.
5. Currently, a static DHCP address pool supports one static binding only. That is, each static binding is a static address pool.
[H3C SecPath Series Firewalls DHCP Configuration Examples, page 9/15]
6. The DHCP server does not perform address conflict detection on the IP address in a static binding. To ensure communication after the client obtains the IP address, it is recommended that you s
80. IP addresses and the destination IP address 192.168.0.2 or 192.168.0.3 to interface GE 1/1. Up to 100 sessions with the destination IP address 192.168.0.2 or 192.168.0.3 can be set up.
Remarks: After finishing the example, remove the configuration made in this example.
Limiting the Number of Connections on a Per-Source Basis
Requirements: Allow up to 100 connections to be sourced from each host on a specified network segment.
Configuration steps
1. Create a connection limit policy and configure a rule for it:
connection-limit policy 0
 limit 0 source ip 192.168.0.0 16 destination any protocol udp max-connections 100 per-source
2. Apply the connection limit policy:
connection-limit apply policy 0
[H3C SecPath Series Firewalls Connection Limit Configuration Examples, page 5/7]
Verification result: Use the SmartBits to send 1000 UDP flows with the source IP address 192.168.0.2 and different destination addresses to interface GE 1/4. Use the SmartBits to send 1000 UDP flows with the source IP address 192.168.0.3 and different destination addresses to GE 1/4. Up to 100 sessions with the source IP address 192.168.0.2 can be set up, and up to 100 sessions with the source IP address 192.168.0.3 can be set up.
Remarks: After finishing the example, remove the configuration made in this example.
Limiting the Number of Connections on a Per-Destination Basis
Requirements: Allow up to 100 connectio
81. (Figure 16 screenshot, continued: TCP MSS (128-2048, default 1460); Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.2.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface)
[H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples, page 14/31]
Figure 17 Configure GigabitEthernet 0/2 (screenshot: Interface Name GigabitEthernet0/2; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS (128-2048, default 1460); Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.3.1, Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface)
Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 to the Trust zone and GigabitEthernet 0/2 to the Untrust zone.
Figure 18 Add GigabitEthernet 0/1 to the Trust zone (screenshot: Preference 85 (1-100); Share No; Interface Name; Interface / VLAN list: GigabitEthernet0/0, NULL0; note: the VLANs should be separated by , or -; items marked with an asterisk
82. (DHCP relay screenshots, continued. Server Group list: Server Group ID 0; IP Address (illegible); Operation; Add. Interface Config list: Interface Name, DHCP Relay State, Operation; GigabitEthernet0/0 to GigabitEthernet0/4, all Disabled)
• In the Interface Config field, click the edit icon of GigabitEthernet 0/1. Click the Enable radio button next to DHCP Relay, select 0 for Server Group ID, and click Apply.
[H3C SecPath Series Firewalls DHCP Configuration Examples, page 12/15]
(Screenshot: Interface Name GigabitEthernet0/1; DHCP Relay: Enable / Disable; Address Match Check: Enable / Disable; items marked with an asterisk are required; Apply / Cancel)
Configuration on DHCP Client
Configure the PC running Windows XP in the example as a DHCP client. Right-click Network Neighborhood on the desktop and select Properties from the shortcut menu to enter the Network Connections window. Right-click Local Area Connection and select Properties from the shortcut menu to enter the Local Area Connection Properties window. Select the proper network interface card for Connect using and select Internet Protocol (TCP/IP). Click Internet Protocol (TCP/IP) and then click Properties to enter the Internet Protocol (TCP/IP) Properties window. Click the radio buttons next to Obtain an IP address automatically and Obtain DNS server address automatically
83. (H3C SecPath Series Firewalls NAT Configuration Examples)
NAT on a VLAN Interface
Requirements: Easy IP is used in this example.
Configuration steps
Note: Steps 1 and 2 are configured at the CLI.
1. Specify interfaces GigabitEthernet 0/0, GigabitEthernet 0/2, and GigabitEthernet 0/3 as Layer 3 interfaces. Specify GigabitEthernet 0/1 as a Layer 2 access interface and add it to VLAN 3.
<Device> system-view
System View: return to User View with Ctrl+Z.
[Device] vlan 3
[Device-vlan3] quit
[Device] interface GigabitEthernet0/1
[Device-GigabitEthernet0/1] port link-mode bridge
[Device-GigabitEthernet0/1] port access vlan 3
2. Create VLAN-interface 3 and specify an IP address for it.
[Device] interface Vlan-interface3
[Device-Vlan-interface3] ip address 172.1.1.1 255.255.255.0
3. Add GigabitEthernet 0/0 to the Management zone, GigabitEthernet 0/1 and VLAN-interface 3 to the Untrust zone of the root device, and GigabitEthernet 0/3 to the DMZ zone of the root device.
• Select Firewall > NAT > Dynamic NAT from the navigation tree and click Add in the Dynamic NAT field to enter the Add Dynamic NAT page, as shown in the following figure. Select GigabitEthernet0/1 for Interface, type 2000 for ACL, select Easy IP for Address Transfer, and then click Apply.
[H3C SecPath Series Firewalls NAT Configuration Examples, page 20/25]
(Add Dynamic NAT screenshot: Interface Vlan-interface3 ...)
84. (Table of contents, continued)
Configuration on DHCP Clients ... 8
Verification ... 9
Configuration Guidelines ... 9
Troubleshooting ... 10
DHCP Configuration Example ... 10
Network Requirements ... 10
Configuration Considerations ... 11
Software Version Used ... 11
Configuration Procedure ... 11
Configuration on the DHCP Server ... 11
Configuration on the DHCP Relay ... 12
Configuration on DHCP Client ... 13
Verification ... 13
Configuration Guidelines ... 13
Troubleshooting ... 14
References ... 14
Protocols and Standards ... 14
Related Documentation ... 15
[H3C SecPath Series Firewalls DHCP Configuration Examples, page 2/15]
Feature Overview
DHCP Overview
A DHCP client sends a configuration request, and the DHCP server returns a reply that carries configuration parameters, such as an IP address, to the client.
Address Allocation Mechanisms
DHCP supports three mechanisms for IP address allocation:
• Manual allocation: The network administrator
85. VPN instance when configuring an internal server.
(Add Internal Server screenshot: Interface GigabitEthernet0/...; VPN Instance vpn1; Protocol Type; External IP Address: Assign IP Address 172.1.1.50 / Use IP Address of Interface; Global Port (0-65535, 0 represents any); Internal IP 2.1.1.2; Internal Port (0-65535, 0 represents any); ACL (2000-3999); Enable track to VRRP; VRRP Group (1-255); items marked with an asterisk are required; Apply / Cancel)
References
Protocols and Standards
• RFC 1631
• RFC 1918
[H3C SecPath Series Firewalls NAT Configuration Examples, page 24/25]
Related Documentation
NAT Configuration in the Web configuration documentation set
Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
[page 25/25]
H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples
Keywords: Transparent mode, routing mode, hybrid mode, VLAN
Abstract: This document presents configuration examples for the SecPath series firewalls operating in transparent mode, routi
86. attack packets.
• Because you selected Add a source IP to the blacklist when configuring scanning prevention, the device automatically adds scanning sources to the blacklist. You can see that the source address used in the attack packets is on the blacklist.
[H3C SecPath Series Firewalls Attack Protection Configuration Example, page 16/18]
(Intrusion detection statistics screenshot: Zone Untrust; columns Attack Type, Attack Count, Dropped Packet Count; rows Fraggle, ICMP Redirect, ICMP Unreachable, Land, Large ICMP, Route Record, Scan, Source Route, Smurf, TCP Flag, Tracert, WinNuke, SYN Flood, ICMP Flood, UDP Flood, Number of connections per source IP exceeds the threshold, Number of connections per dest IP exceeds the threshold; most counts read 0, the rest are illegible)
Packet Inspection
• Construct test packets as described in the following table. This table lists the types of attacks that the device can detect and protect against.
No. | Attack type | Packet characteristics
1 | Tracert | ICMP packets with an increasing TTL starting from 1 (on Windows systems), or UDP packets with a large destination port number and an increasing TTL starting from 1
2 | Large ICMP | ICMP packets larger than the allowed size
3 | Smurf | ICMP packets whose destination address is a broadcast address or a subnet address
4 | ICMP Redirect | ICMP redirect packets (type 5)
5 | ICMP Unreachable | ICMP unreachable packets (type 3)
6 | Fraggle | UDP packets with the destination port number 19 or 7
7 | WinNuke | TCP packets with the destination port number 139, with the URG bit set, and with a non-null urgent pointer
8 | TCP Flag | TCP packets with improper flags
9 | Land | TCP SYN packets whose source address is on the 127.0.0.0 segment or is the same as the destination address
87. [H3C SecPath Series Firewalls Attack Protection Configuration Example, page 17/18]
No. | Attack type | Packet characteristics
10 | Route Record | IP data packets with the Route Record option (0x07) set
11 | Source Route | IP data packets with the Source Route option set and with the code field set to loose source routing (0x83) or strict source routing (0x89)
• Select Intrusion Detection > Statistics from the navigation tree and then select zone Untrust. You can view the counts of each kind of attack and the counts of dropped attack packets.
(Intrusion detection statistics screenshot: columns Attack Type, Attack Count, Dropped Packet Count; rows ICMP Redirect, ICMP Unreachable, Land, Large ICMP, Route Record, Scan, Source Route, SYN Flood, ICMP Flood, UDP Flood, Number of connections per source IP exceeds the threshold, Number of connections per dest IP exceeds the threshold)
Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangz
88. Firewall > Security Policy > Interzone Policy from the navigation tree, as shown below.
(Interzone policy list screenshot: Search Item Source Zone; Keywords; columns Source Zone, Dest Zone, Source Address, Destination Address, Time Range, Filter Action, Operation)
• Click Add to enter the Add ACL Rule page and perform the configuration as shown in the figure below.
[H3C SecPath Series Firewalls NAT Configuration Examples, page 14/25]
(Add ACL Rule screenshot: Source Zone Untrust; Dest Zone DMZ; Description (1-31 chars); Source IP Address any_address / New IP Address / Multiple; Destination IP Address any_address / New IP Address / Multiple; Service any_service / Multiple; Filter Action Permit; Time Range; Using MAC Address; Enable Syslog; Status; Continue to add next rule; items marked with an asterisk are required; Apply)
• In the same way, create an ACL rule to control the access from the Untrust zone to the Trust zone. The configured ACL rules are shown as follows.
(Interzone policy list screenshot: Search Item Source Zone; Keywords; Search; columns Source Zone, Dest Zone, Source Address, Destination Address, Time Range, Filter Action
89. (H3C SecPath Series Firewalls IPsec Configuration Examples; Table 4 IKE peer configuration items, continued)
Item | Description
Enable the NAT traversal function | Enable the NAT traversal function for IPsec/IKE. The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel. In main mode, IKE does not support NAT traversal, and therefore this item is unavailable. Highlight: To save IP addresses, ISPs often deploy NAT gateways on public networks to allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel may have a public address while the other end has a private address, and therefore NAT traversal must be configured on both the private network side and the public network side to set up the tunnel.
Configuring an IPsec Proposal
Select VPN > IPSec > Proposal from the navigation tree to display the existing IPsec proposals. The Web interface provides two modes for configuring an IPsec proposal: suite mode and custom mode.
• Suite mode: This mode allows you to select a pre-defined encryption suite. Figure 7 shows the IPsec proposal configuration in suite mode.
Figure 7 IPsec proposal configuration in suite mode (screenshot: Add IPSec Proposal; Suite mode; Proposal Name (1-15 chars); Encryption Suite Tunnel-ESP-DES-MD5; items marked with an asterisk are required; Apply)
Table 5 describes the configuration items in this mode.
Table 5 IPsec proposal configuration items in suite mode
Item | Description
Proposal Name | Type the name fo
90. (Add IPsec Policy screenshot, continued: Sequence Number (1-65535); PFS; ACL 3101 (3000-3999); Aggregation; SA Lifetime: Time-Based 3600 seconds (180-604800, default 3600), Traffic-Based 1843200 Kbytes (2560-4294967295, default 1843200); items marked with an asterisk are required; Apply)
• Type policy as the policy name.
• Type 1 as the sequence number.
• Select the IKE peer named peer.
• Select the IPsec proposal named proposal and click <<.
• Type 3101 as the ACL.
• Click Apply.
Apply IPsec policy policy to GigabitEthernet 0/0:
• Select VPN > IPSec > IPSec Application from the navigation tree and then click the edit icon of interface GigabitEthernet 0/0.
• Select the policy named policy.
• Click Apply.
Figure 29 Apply the IPsec policy to GigabitEthernet 0/0 (screenshot: IPSec Application Setup; Interface; Policy: policy; items marked with an asterisk are required)
[H3C SecPath Series Firewalls IPsec Configuration Examples, page 29/39]
Verification
After configuration, packets to be exchanged between subnet 192.168.1.0/24 and subnet 172.16.0.0/24 trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet 192.168.1.0/24 and subnet 172.16.0.0/24 is protected by IPsec.
Viewing IPsec SAs
Select VPN > IPSec > IPSec SA from the navigation tree to display brief information about the established IPsec SAs, as shown in Figure 30.
91. (Add Dynamic NAT screenshot, continued: Interface; ACL 2000 (2000-3999); Address Transfer Easy IP; Address Pool Index (0-255); Enable track to VRRP; VRRP Group (1-255); items marked with an asterisk are required; Apply / Cancel)
• Access PC 3 from PC 2 and perform ping, HTTP, FTP, DNS, and Telnet operations.
• Check the session list to view the result.
Verification results
• The ping, HTTP, FTP, DNS, and Telnet operations are successful.
• Check the session list. Type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure.
(Session list screenshot: Query Item Init Src IP, IP Address 2.1.1.2; columns Init Src IP, Init Dest IP, VPN/VLAN, Resp Src IP, Resp Dest IP, VPN/VLAN, Protocol, State; entries: 2.1.1.2:1632 -> 172.1.1.2:21 in vpn1, responder 172.1.1.2:21 -> 172.1.1.1:1025 in vpn1, TCP, TCP-EST; 2.1.1.2:2048 -> 172.1.1.2:768 in vpn1, responder 172.1.1.2:0 -> 172.1.1.1:1050 in vpn1, ICMP)
• Remarks: Remove the configuration in this example before performing another configuration example.
• Specify a VPN instance when configuring a static NAT entry, as shown below.
[H3C SecPath Series Firewalls NAT Configuration Examples, page 23/25]
(Add Static Address Mapping screenshot: VPN Instance; Internal IP Address 2.1.1.4; Global IP Address 172.1.1.40; Network Mask; ACL (2000-3999); items marked with an asterisk are required; Cancel)
• Specify a
92. examples to show how to configure Layer 2 and Layer 3 forwarding on the H3C SecPath series firewalls, including the SecPath F5000-A5, SecPath F1000-E, and SecPath UTM 200-A/200-M/200-S.
Network Requirements
Figure 1 Network diagram for Layer 2 and Layer 3 forwarding configuration example I (PC1, GE0/1, Device, GE0/2, PC2)
Figure 2 Network diagram for Layer 2 and Layer 3 forwarding configuration example II (Device GE0/1, Switch GE1/0/16, PC1, PC2)
Configuration Considerations
• Configure the operating mode for interfaces.
• Add interfaces to security zones.
• Configure NAT entries, ACLs, routes, and other necessary information.
Software Version Used
Model | Version | Release
SecPath F1000-E | V300R001B01 R3166; V300R001B01 F3166
[H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples, page 4/31]
SecPath F5000-A5 | V300R002B01 | R3206
SecPath UTM 200-A/200-M/200-S | V500R001B01 | R5116
Configuration Procedures
Transparent Mode
Configuring general Layer 2 forwarding
1. Configuration description: Configure hosts in the same VLAN with IP addresses on the same network segment so that the hosts can communicate with each other.
2. Configuration procedure (see Figure 1):
• Select Device Management > Interface from the navigation tree. Configure GigabitEthernet 0/1 and GigabitEthernet 0/2 as Layer 2 interfaces.
Figure 3 Configure GigabitEthernet 0/1 as a Layer 2 interface
93. cannot forward the DHCP-OFFER message to the client. In this example, static routes are configured on the server and the client. You can use other routing protocols as well.
[H3C SecPath Series Firewalls DHCP Configuration Examples, page 13/15]
4. When multiple DHCP relay agents exist, you need to configure the interface address, the relay agent mode, and the corresponding next server group for each DHCP relay agent, and ensure that the route is reachable. You can also select the DHCP server address as the server group and ensure that the route to the DHCP server is reachable. To enhance security, you can enable the invalid IP address check feature on the interface through which the DHCP relay agent connects to the client. With this feature enabled, the DHCP relay agent checks whether a requesting client's security entry exists on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. Note that the security entry of a client is added in the user information.
Troubleshooting
Symptom: The DHCP client (PC) cannot obtain an IP address.
Analysis: The network connection fails, the routes are unreachable, or the interface enabled with the DHCP relay agent does not belong to the DHCP address pool configured on the DHCP server.
Solution:
1. Check that the IP address of GigabitEthernet 0/1 of the DHCP relay agent (Device B) belongs to the DHCP address pool.
2. Check th
94. are required.
Configure an IKE peer named gate:
• Select VPN > IKE > Peer from the navigation tree and then click Add.
• Type gate as the peer name.
• Select Aggressive as the negotiation mode.
• Select IP Address as the gateway name.
[H3C SecPath Series Firewalls IPsec Configuration Examples, page 35/39]
• Type 100.1.1.1 as the IP address of the remote gateway. This step configures the IP address of Device A on Device B.
• Type head as the remote ID.
• Select Pre-Shared Key and type 123456 as the pre-shared key.
• Select the Enable the NAT traversal function check box.
• Click Apply.
Figure 42 Configure an IKE peer (screenshot: Peer Name gate (1-15 chars); IKE Negotiation Mode: Main / Aggressive, Aggressive selected; Local ID Type: IP Address / Gateway Name; Local IP Address; Remote Gateway: IP Address 100.1.1.1 / Hostname; Remote ID head (1-32 chars); Pre-Shared Key 123456 (1-128 chars); PKI Domain; Enable DPD; Enable the NAT traversal function; note: if the local end is the initiator, only one remote IP address can be specified; if the local end is the responder, the remote IP address range must include the local IP address of the initiator; items marked with an asterisk are required; Apply)
Configure an IPsec proposal named proposal:
• Select VPN > IPSec > Proposal from the navigation tree and then click Add.
• Select Custom mode from the IPSec P
95. are required. Figure 19 Add GigabitEthernet 0/2 to the Untrust zone (Preference 5; Interface GigabitEthernet0/2; the VLANs should be separated by , or -, for example 3,5-10; items marked with an asterisk are required). Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to GigabitEthernet 0/2 and enable Easy IP. ACL 3000 allows packets from 192.168.2.0/24 to pass. Figure 20 Configure dynamic NAT (Interface GigabitEthernet0/2; ACL 3000; Address Transfer Easy IP). Figure 21 Configure ACL 3000 (Advanced ACL 3000; rule 0: permit ip source 192.168.2.0 0.0.0.255). 3. Verification: Configure IP address 192.168.2.10/24 and gateway 192.168.2.1 for PC1, and IP address 192.168.3.11/24 and gateway 192.168.3.1 for PC2. Ping PC2 from PC1. The ping operation succeeds, and the session information displayed on the Device is as follows. Figure 22 Session information (Query Item: Source IP Address
96. ased Packet Filtering Among Different Virtual Devices. Requirements: Configure packet filtering among different virtual devices, for which the destination virtual device must contain a shared zone. By default, there is an interzone policy (permit) between a zone on the source virtual device and the shared zone on the destination virtual device. Configure an interzone policy on the source virtual device as needed. Configuration procedures: 1. Enter http://155.1.1.1 in the address bar on Host B to enter the login page. Type username admin and password admin and click Login to log in to the web interface. The current virtual device is root. 2. Enable the FTP server on the server, configure the route to network segment 3.1.1.0/24, and set the gateway address to 2.1.1.1. 3. On Host C, which acts as the FTP client, configure the route to network segment 2.1.1.0/24 and configure the gateway address to 3.1.1.1. 4. Configure packet filtering among different virtual devices without a shared zone: Add GE 0/2 to zone mytrust in virtual device VD1 and add GE 0/3 to zone Untrust in virtual device root. Zones mytrust and Untrust are private security zones. The server and Host C ping each other; Result 1 is expected. Configure packet filtering among different virtual devices with a shared zone: Add GE 0/2 to
97. at the DHCP service is enabled on Device B. 3. Check that routes between devices are reachable. You can manually configure an IP address for the PC and ping the DHCP server and relay agent to check connectivity. 4. Check that the invalid IP address check feature is disabled on GigabitEthernet 0/2. If the feature is enabled, remove the configuration or add a static security entry for the server on the DHCP relay agent so as to ensure normal packet exchange between the server and the client. 5. View the server group information on the DHCP relay agent and make sure that the relay agent interface address is not used as the IP address of the server group. 6. Run the debug command on the server and the relay agent respectively to verify that the packet exchange process is normal. References. Protocols and Standards: Routing TCP/IP Volume I; RFC 2131, Dynamic Host Configuration Protocol; RFC 2132, DHCP Options and BOOTP Vendor Extensions; RFC 1542, Clarifications and Extensions for the Bootstrap Protocol. Related Documentation: H3C MSR 20/30/50 Series Routers User Manual. Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this documen
98. ation, and the information center then decides the output destination. Output to the specified userlog log host in UDP packets in binary format. Configuring Flow Logging. Note: Flow logs refer to session logs only. To generate flow logs, you need to configure session logging. Introduction: Flow logging records users' access information to the external network. The device classifies and calculates flows through the 5-tuple information, which includes source IP address, destination IP address, source port, destination port, and protocol number, and generates user flow logs. Flow logging records the 5-tuple information of the packets and the number of bytes received and sent. With flow logging, administrators can track and record accesses to the network, facilitating the availability and security of the network. Two versions are available with flow logging, version 1.0 and version 3.0, which are slightly different in packet format. For more information, see Table 2 and Table 3. Table 2 Packet format in flow logging version 1.0 (fields SourceIP, DestIP, SrcPort, DestPort, StartTime, EndTime, Prot, Operator, Reserved): SourceIP, Source IP address; DestIP, Destination IP address; SrcPort, TCP/UDP source port number; DestPort, TCP/UDP destination port number; StartTime, Start time of a flow in secon
99. ation guides of the H3C SecPath series security products: guides you to perform configurations for the H3C SecPath firewalls on the web interface. H3C SecPath Series High-End Firewalls User Manual: describes how to configure some F3166 auxiliary functions of the H3C SecPath firewalls on the command line interface. Obtaining Documentation: You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation. Products & Solutions: Provides information about products and technologies. Technical Support & Document > Technical Documents: Provides several categories of product documentation, such as installation and configuration. Technical Support & Document > Software Download: Provides the documentation released with the software version. Documentation Feedback: You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments. SecPath Series Firewalls Configuration Maintenance Example. Keywords: Configuration maintenance, backup. Abstract: The configuration maintenance module is used to save the configuration with or without encryption, back up the configuration, restore the configuration, and restore the configuration to the factory defaults. You can easily implemen
100. bles. Packets coming in through one interface of an interface pair are directly forwarded out of another interface of the interface pair. Support for inline Layer 2 forwarding depends on your firewall model. Inter-VLAN Layer 2 Forwarding: Inter-VLAN Layer 2 forwarding enables inter-VLAN communications at the data link layer and is deployed typically on firewall cards and sometimes on box-type firewall devices. To configure inter-VLAN Layer 2 forwarding on a SecPath series firewall collaborating with a switch: assign the ingress and egress interfaces of traffic on the switch to different VLANs; configure the Ethernet interfaces at both ends of the link that connects the switch and the firewall as trunk ports; configure multiple subinterfaces on the firewall's Ethernet interface that connects to the switch and assign each subinterface to a different VLAN. Each VLAN on the firewall corresponds to a VLAN on the switch. Application Scenarios: Various Layer 2 and Layer 3 forwarding modes, including Layer 2, Layer 3, Layer 2 and Layer 3 hybrid, inline, and inter-VLAN forwarding, are commonly used in packet switching and routing networks to forward packets while providing necessary security mechanisms. Configuration Examples. Note: The following examples use UTM firewalls (Device in the network diagr
101. c policies to interfaces to finish IPsec tunnel configuration. Perform the tasks in Table 1 to configure IPsec. Table 1 IPsec configuration task list (tasks: Configuring ACLs, Configuring IKE, Configuring an IPsec Proposal, Configuring an IPsec Policy Template, Configuring an IPsec Policy, Applying an IPsec Policy Group). Configuring ACLs: Required. One important function of ACLs is identifying traffic based on matching criteria. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec. Highlight: This document covers only referencing ACLs in IPsec. To create ACLs, select Firewall > ACL from the navigation tree. Configuring IKE: Required. IKE provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration, and maintenance of IPsec dramatically. Configuring an IPsec Proposal: Required. An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode. Highlight: Changes to an IPsec proposal affect only SAs negotiated after the changes. Configuring an IPsec Policy Template: Required when an IPsec policy needs to reference an IPsec policy template group. An IPsec policy template group is a collection of IPsec policy templates with
102. cedures 4; Specifying Interface Addresses 4; Adding Interfaces to Zones 6; Configuring Gratuitous ARP 8; Configuring ARP Automatic Scanning 9; Configuring Fixed ARP 10; Verification 11; References 13; Protocols and Standards 13; Related Documentation 13. Feature Overview: Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device provides multiple features to detect and prevent such attacks. Application Scenarios: ARP attack protection is applicabl
103. ck prevention logs; Blacklist logs; Inter-zone policy logs; User logs. Displaying System Logs: Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 7. Figure 7 System logs (columns: Time/Date, User, IP, Source, Level, Description; the sample shows two Notification entries from source SESSION dated Jun 8 2010 for user admin, recording that a session logging policy was added for source zone DMZ and for source zone Trust, destination zone Untrust, ACL 2007). Table 8 describes the system log configuration items. Table 8 System log configuration items: Time/Date, Displays the time when the system logs are generated; Source, Displays the module that generates the system logs; Level, Displays the severity level of the system logs (for more information about severity levels, see Table 9); Description, Displays the contents of the system logs. Table 9 System log severity levels: Informational, Information to be recorded; Debugging, Information generated during debugging; Emergency (0), The system is unavailable; Alert, Information that demands prompt reaction; Critical, Critical
104. d Static; static ARP entries for 192.168.1.11 and 192.168.1.78 (buttons: Fix All, Del All Fixed, Del Fixed). Note: Fix All and Del All Fixed will take effect for all dynamic and static ARP entries in the system. Verify deletion of fixed ARP entries: On the Firewall > ARP Anti-Attack > Fix page, select the static ARP entries containing 192.168.1.2, 192.168.1.11, and 192.168.1.78 and click Del Fixed. A message box is displayed as shown in the figure below. Click OK. After that, the static ARP entries are removed. The entries are displayed again when they are learnt again or an ARP scan is carried out on the corresponding interfaces. Figure 17 Verify deletion of fixed ARP entries (static entries for 192.168.1.2, 192.168.1.11, and 192.168.1.78). References. Protocols and Standards: RFC 826, An Ethernet Address Resolution Protocol. Related Documentation: ARP Attack Protection Configuration in the Web configuration documentation set. Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzh
105. d click <<. Click Apply. Figure 36 Add an IPsec policy template (Template Name template (1-15 characters); Sequence Number 1 (1-65535); IKE Peer gate; IPSec Proposal; PFS; ACL (3000-3999); SA Lifetime: Time Based 3600 seconds (180-604800, default 3600), Traffic Based 1843200 kbytes (2560-4294967295, default 1843200); items marked with an asterisk are required). Configure an IPsec policy named policy_nat: Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 37. Figure 37 Configure an IPsec policy (Policy Name policy_nat (1-15 characters); Sequence Number 1 (1-65535); Template template; IKE Peer; IPSec Proposal; PFS; ACL (3000-3999); Aggregation; SA Lifetime: Time Based seconds (180-604800, default 3600), Traffic Based kbytes (2560-4294967295, default 1843200); items marked with an asterisk are required). Apply the IPsec policy to interface GigabitEthernet 0/0. Figure 38 Apply the IPsec policy (IPSec Application Setup: Interface GigabitEthernet0/0; Policy policy_nat; items marked with an asterisk are req
106. data are encapsulated by different security protocols in tunnel and transport modes. Here, the term data refers to the transport layer data. Figure 1 Encapsulation by security protocols in different modes (AH, ESP, and AH-ESP in transport mode and tunnel mode). Authentication algorithms and encryption algorithms. 1. Authentication algorithms: Authentication algorithms are implemented through hash functions. A hash function takes a message of arbitrary length and generates a message digest of fixed length. IPsec peers calculate the message digests respectively; if the resulting digests are identical, the packet is considered intact and not tampered with. There are two types of IPsec authentication algorithms: MD5 takes a message of arbitrary length and generates a 128-bit message digest; SHA-1 takes a message of fewer than 2^64 bits and generates a 160-bit message digest. Slower than MD5, SHA-1 provides higher security. 2. Encryption algorithms: Most encryption algorithms depend on symmetric key systems, which decrypt data by using the same keys as used for encryption. Currently, three encryption algorithms are available for IPsec on the device: DES (Data Encryption Standard) encrypts a 64-bit block of plain text with a 56-bit key; 3DES (Triple DES) e
107. dress of GigabitEthernet 0/2. 1. Select Device Management > Interface from the navigation tree. Figure 4 Interfaces (columns: Name, IP Address, Mask, Security Zone, Status, Operation; GigabitEthernet0/0 192.168.1.1 255.255.255.0 Trust; GigabitEthernet0/1; GigabitEthernet0/2 192.168.103.171 255.255.252.0 Untrust; GigabitEthernet0/3; GigabitEthernet0/4; NULL0). Click the edit icon of GigabitEthernet 0/2 to enter the Edit Interface page. Configure the interface as shown in Figure 5, and then click Apply to return to the Interface page. Figure 5 Edit interface GigabitEthernet 0/2 (Interface Name GigabitEthernet0/2; Interface Status Connected; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode Router Mode; IP Config Static Address; Mask 22 (255.255.252.0); Secondary IP Address List; Unnumbered Interface). Adding Interfaces to Zones: Add GigabitEthernet 0/0 to the Trust zone. Select Device Management > Zone from the navigation tree. Figure 6 Security zones (columns: Zone ID, Zone Name, Preference, Share, Virtual Device, Operation; 0 Management 100 no; 1 Local 100 no Root; 2 Trust 85 no R
108. ds counted from 1970-1-1 0:0; EndTime, End time of a flow in seconds counted from 1970-1-1 0:0; Prot, Protocol carried over IP; Operator, Indicates the reason why a flow has ended; Reserved, For future applications. Table 3 Packet format in flow logging version 3.0: Prot, Protocol carried over IP; Operator, Indicates the reason why a flow has ended; IpVersion, IP packet version; Tos, TOS field of the IPv4 packet; SourceIP, Source IP address; SrcNatIP, Source IP address after Network Address Translation (NAT); DestIP, Destination IP address; DestNatIP, Destination IP address after NAT; SrcPort, TCP/UDP source port number; SrcNatPort, TCP/UDP source port number after NAT; DestPort, TCP/UDP destination port number; DestNatPort, TCP/UDP destination port number after NAT; StartTime, Start time of a flow in seconds counted from 1970-1-1 0:0; EndTime, End time of a flow in seconds counted from 1970-1-1 0:0; InTotalPkg, Number of packets received; InTotalByte, Number of bytes received; OutTotalPkg, Number of packets sent; OutTotalByte, Number of bytes sent; Reserved, Reserved in version 0x02 (FirewallV200R001), while in version 0x03 (FirewallV200R005) the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and fourth bytes are reserved; Reserved2, For future applications.
109. e, click the edit button corresponding to mytrust and configure the preference, share attribute, and interfaces of the zone as follows: Preference 60; Share No; Interface name GigabitEthernet0/1. (Zone configuration page: Zone ID; Zone Name mytrust; Preference 60 (1-100); Share No; Virtual Device; Search Item Interface; Interface GigabitEthernet0/1; the VLANs should be separated by , or -, for example 3,5-10; items marked with an asterisk are required.) After the above configuration, click Apply. 4. To remove the security zone, click Remove corresponding to mytrust on the security zone configuration page. Verification: The security zone can be created, configured, and removed successfully. Remarks: After finishing this example, remove the configuration made in this example. The default security zone can exist in virtual device root only and cannot be removed. It is not allowed to add interfaces to the local zone. It is only allowed to configure interfaces for the management zone, and the zone does not belong to any virtual device. Resource-Based Packet Filtering Within the Same Virtual Device. Requirements: For resource-based packet filtering, configure address resources, address group resources, service resources, and
110. e IP to the blacklist (Lifetime 10, 1-1000 minutes). Configuring Packet Inspection: Packet inspection is used to detect single-packet attacks, which have nothing to do with traffic and sessions. Packet inspection is implemented by checking whether a packet has the specified signatures. From the navigation tree, select Intrusion Detection > Packet Inspection. Then select security zone Untrust and the types of attacks to be detected, and click Apply. (Packet Inspection page: Discard packets when the specified attack is detected; Enable Fraggle Attack Detection; Enable Land Attack Detection; Enable WinNuke Attack Detection; Enable TCP Flag Attack Detection; Enable ICMP Unreachable Packet Attack Detection; Enable ICMP Redirect Packet Attack Detection; Enable Tracert Packet Attack Detection; Enable Smurf Attack Detection; Enable IP Packet Carrying Source Route Attack Detection; Enable Route Record Option Attack Detection; Enable Large ICMP Packet Attack Detection, Max Packet Length 4000 bytes.) Verification: On PC 2, use a packet constructing tool to simulate various attacks targeting the host or server of the internal network. Static Blacklist: Before the static blacklist entry expires or is cleared, PC 2 cannot ping the IP addr
111. e address to be blacklisted and specify the lifetime of the blacklist entry. Then click Apply. (Static blacklist entry: IP Address 1.1.1.10; Hold Time in minutes (1-1000); Permanence.) Configuring the Dynamic Blacklist Function: From the navigation tree, select Intrusion Detection > Blacklist. Then select the Enable Blacklist check box and click Apply to enable the blacklist function (Global configuration: Enable Blacklist). Configuring ICMP Flood Attack Protection: From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood. Then select security zone Trust, select Discard packets when the specified attack is detected, and click Apply. (Security Zone; Attack Prevention Policy: Discard packets when the specified attack is detected; Apply.) In the ICMP Flood Configuration area, click Add and add host address 2.0.0.2 as an object to be protected (ICMP Flood configuration: IP Address 2.0.0.2; Connection Rate Threshold 1000). Configuring UDP Flood Attack Protection: From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood. Then select security zone Trust, select Discard packets when the specified attack is detected, and click Apply. (Security Zone; Attack Prevention Policy
112. e exchange by using RIP (To do / Use the command / Remarks): Enter system view: system-view (Required). Create a RIP instance and enter RIP view: rip process-id vpn-instance vpn-instance-name (Configured on the firewall; on the CE, configure an ordinary RIP instance). Configuring Route Exchange by Using OSPF: An OSPF process that is bound with a VPN instance does not use the public network router ID configured in system view. Therefore, you need to configure a router ID when starting the OSPF process, or all OSPF processes to be bound must have an interface configured with an IP address. One OSPF process can belong to only one VPN instance. If you do not bind an OSPF process with a VPN instance, the process belongs to the public network. Follow these steps to configure route exchange by using OSPF (To do / Use the command / Remarks): Enter system view: system-view (Required). Create an OSPF instance and enter OSPF view: ospf process-id router-id router-id vpn-instance vpn-instance-name (Configured on the firewall; on the CE, configure an ordinary OSPF instance). Application Scenarios: This feature is applicable to intranets of enterprises and schools. You can divide the firewall into multiple virtual firewalls to make a large, complex security network into multiple logical networ
113. e management zone (default). Configuring Forwarding within the Same Virtual Firewall. Requirements: To verify the forwarding configuration within the same virtual firewall as shown in Figure 1: Add GE 1/1 to security zone v1_z1 and GE 1/3 to security zone v1_z2, and associate GE 1/1 and GE 1/3 with VPN 1. Add GE 1/2 to security zone v2_z1 and GE 1/4 to security zone v2_z2, and associate GE 1/2 and GE 1/4 with VPN 2. Basic Configurations. Create and configure VPNs VPN 1 and VPN 2: ip vpn-instance vpn1; route-distinguisher 100:1; vpn-target 100:1 export-extcommunity; vpn-target 100:1 import-extcommunity; ip vpn-instance vpn2; route-distinguisher 200:1; vpn-target 200:1 export-extcommunity; vpn-target 200:1 import-extcommunity. Associate ports GE 1/1 and GE 1/3 with VPN 1: interface GigabitEthernet1/1; port link-mode route; ip binding vpn-instance vpn1; ip address 10.1.1.1 255.255.255.0; interface GigabitEthernet1/3; port link-mode route; ip binding vpn-instance vpn1; ip address 20.1.1.1 255.255.255.0. Associate ports GE 1/2 and GE 1/4 with VPN 2 and set their IP addresses the same as ports GE 1/1 and GE 1/3: interface GigabitEthernet1/2; port link-mode route; ip binding vpn-instance vpn2; ip address 10.1.1.1 255.255.255.0; interface GigabitEthernet1/4; port link-mode route; ip binding vpn-instance
114. e network segment 192.168.0.0/16 to interface GE 1/4. Up to 100 sessions can be set up. Following is the log information: three DPCONLMT Warning log entries (Jul 29 2009), each reporting for source IP 192.168.0.0/16 and destination IP 0.0.0.0/0 that the current UDP amount has already reached the upper limit, maximum amount 100. Remarks: After finishing this example, remove the configuration made in this example. Limiting the Number of UDP Sessions Based on a Network Segment. Requirements: Allow up to 100 sessions to be set up to a specified network segment. Configuration steps: 1. Create a connection limit policy and configure a rule for the policy: connection-limit policy 0; limit 0 source ip any destination ip 192.168.0.0 16 protocol udp max-connections 100. 2. Apply the connection limit policy: connection-limit apply policy 0. Verification: Use the SmartBits to send 1000 UDP flows with different source I
115. e the factory default settings and reboot. Upgrading the software: Select Device Management > Software Upgrade from the navigation tree and click the Browse button. Specify the upgrade file and click Open. (Software Upgrade page: File; File Type Main; If a file with the same name already exists, overwrite it without any prompt; Reboot after the upgrade is finished. Note: Do not perform any operation while the upgrade is in process. The filename cannot exceed 54 characters and must end with an extension of .app or .bin. Items marked with an asterisk are required.) Rebooting the device: Select Device Management > Reboot from the navigation tree and click Apply. (Rebooting Device: The unsaved configuration will be lost after reboot. Check whether the configuration is saved to the configuration file for next boot.) Verification. Verifying configuration saving: When the current configuration is saved, the configuration information is not lost when you reboot the device. If the saved configuration file is encrypted, the configuration information in the file is displayed in cipher text. Verifying configuration backup: You can back up the saved configuration file to a PC or other storage media. Verifying configuration restoration: After the configuration file is imported
116. e to campus and enterprise networks. Configuration Guidelines: Sending of gratuitous ARP packets takes effect on an interface only when the link of the interface goes up and an IP address has been assigned to the interface. If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval. Do not enable gratuitous ARP on an interface configured with a VRRP group. You are recommended not to perform other operations during an ARP automatic scan. Fixed ARP changes dynamic ARP entries into static ones only when these entries are learnt on a Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, or VLAN interface. ARP Attack Protection Configuration Example. Network Requirements. Note: The U200-S is used in this configuration example. This example is applicable to SecPath F5000-A5, SecPath F1000E, and SecPath UTM 200-A/200-M/200-S firewalls. Figure 1 Network diagram for ARP attack protection configuration example (Device: GE0/0 192.168.1.1/24; GE0/2 192.168.103.171/22 to the Internet). Configuration Considerations: Specify interface addresses; add interfaces to security zones; configure gratuitous ARP; configure ARP automatic scanning; configure fixed ARP. Software Version Used: SecPath F1000E V300R001B01 R3166 series and V800R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 ser
117. ect Firewall > ARP Anti-Attack > Fix from the navigation tree to view all ARP entries. For example, you can view the ARP entries for network segment 192.168.1.0/24 as shown in the figure below. Figure 15 ARP entries (columns: IP Address, MAC Address, VLAN ID, Interface, VPN Instance, Type, Operation; dynamic entries for 192.168.251.2, 192.168.251.10, 192.168.251.254, 192.168.1.13, and 192.168.103.181; buttons: Del Selected, Delete Static and Dynamic, Delete Static, Delete Dynamic). Note: Fix All and Del All Fixed will take effect for all dynamic and static ARP entries in the system. You can set up to 1024 sending interfaces. Do not perform other operations during this configuration. Verify fixed ARP: On the Firewall > ARP Anti-Attack > Fix page, select the ARP entries containing 192.168.1.2, 192.168.1.11, and 192.168.1.78 and click Fix. When a dynamic ARP entry is changed into static, it is displayed at the beginning of the ARP table. Figure 16 Verify fixed ARP (Search Item IP Address; columns: IP Address, MAC Address, VLAN ID, Interface, Type, VPN Instance; static entry for 192.168.1.2
118. ect Forward Secrecy (PFS) feature or disable the feature: dh-group1 uses the 768-bit Diffie-Hellman group; dh-group2 uses the 1024-bit Diffie-Hellman group; dh-group5 uses the 1536-bit Diffie-Hellman group; dh-group14 uses the 2048-bit Diffie-Hellman group. PFS Highlight: dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time. When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security. Two peers must use the same Diffie-Hellman group; otherwise, negotiation will fail. ACL: Select the ACL for the IPsec policy to reference. The specified ACL must already be created and contain at least one rule. ACL configuration supports VPN multi-instance. Aggregation: Select this check box to protect traffic in aggregation mode. If you do not select the check box, the standard mode is used. This setting takes effect only when you specify an ACL for the IPsec policy to reference. Highlight: When configuring devices supporting both the standard mode and aggregation mode, be sure to configure the two ends of a tunnel to work in the same mode. SA Lifetime (Time Based / Traffic Based): Type the SA lifetime, which can be time-based or traffic-based. Highlight: When negotiating to set up IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed
119. ecurity Protocol: ESP; ESP Authentication Algorithm: MD5; ESP Encryption Algorithm: DES. Items marked with an asterisk (*) are required. Table 6 describes the configuration items in this mode. Table 6 IPsec proposal configuration items in custom mode. Proposal Name: Type the name for the IPsec proposal. Encapsulation Mode: Select the IP packet encapsulation mode for the IPsec proposal; Tunnel uses the tunnel mode, Transport uses the transport mode. Security Protocol: Select the security protocol for the proposal; AH uses the AH protocol, ESP uses the ESP protocol, AH-ESP uses ESP first and then AH. AH Authentication Algorithm: Select an authentication algorithm for AH when the security protocol is AH or AH-ESP. Available authentication algorithms include MD5 and SHA1. ESP Authentication Algorithm: Select an authentication algorithm for ESP when the security protocol is ESP or AH-ESP. You can select MD5 or SHA1, or leave it null so that ESP performs no authentication. Highlight: The ESP authentication algorithm and the ESP encryption algorithm cannot both be null. ESP Encryption Algorithm: Select an encryption algorithm for ESP when the security protocol is ESP or AH-ESP; DES uses the DES algorithm and 56-bit keys for encrypti
120. ed. The SecPath series high-end firewalls use a multi-core CPU featuring excellent service processing capability and performance. They can be used as the security gateways of large-scale enterprise networks to provide one-to-many, one-to-one and internal server address translation functions. In addition, they support multiple VPNs and address translation on VLAN interfaces. Application Scenarios: Using a small number of public IP addresses to enable a large number of internal hosts to access the Internet; providing privacy for the internal network; providing specific services for users on the Internet as needed. Configuration Guide: NAT basic configuration can be performed through the web interface. NAT support for multi-VPN, such as multi-VPN routing and multi-VPN access control lists (ACLs), can be configured only through the command line interface (CLI). You can configure the following NAT features through the web interface: Easy IP, PAT, No-PAT, Static NAT, NAT server. Devices Supporting NAT: SecPath F5000-A5, SecPath F1000-E and SecPath UTM 200-A/200-M/200-S firewalls. Software Version Used: SecPath F1000-E V300R001B01 R3166 series and V800R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S firewalls V500R001B01 R5116 series. Configuration Saving: Save
121. ed [interface list: GigabitEthernet0/2 2.1.1.1 255.255.255.0 DMZ; GigabitEthernet0/3 3.1.1.1 255.255.255.0 Untrust]. 6. For packet filtering among different zones with interzone policies configured, add GE 0/2 to zone DMZ, add GE 0/3 to zone Untrust, and configure an interzone policy with source zone Untrust and destination zone DMZ so that Host C can access the server. The following detailed configurations cover resource configuration and policy configuration. Resource configuration: Configure address resources. Select Resource > Address > IP Address from the navigation tree and then click Add. Add the following two address resources (Resource / IP address / wildcard): add_q02 2.1.1.0 0.0.0.255; add_q03 3.1.1.0 0.0.0.255. [IP address resource list screenshot: columns Name, Subnet, Exclude IP Address, Description, Status, Operation; rows add_q02 2.1.1.0/0.0.0.255 and add_q03 3.1.1.0/0.0.0.255]. Configure an address group resource. Select Resource > Address > Address Group from the navigation tree and then click Add. Add an address group named addz_q and add address resources add_q02 and add_q03 to the group. [IP address group list screenshot: columns Name, Members, Description, Status, Operation; the group lists members add_q02 and add_q03 with status Out of Use]. Configure service re
122. ed Key and type 123456 as the pre-shared key. Click Apply. The default IKE proposal is used. Configure an IPsec proposal: Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Perform the configurations shown in Figure 27. Figure 27 Configure an IPsec proposal [Add IPSec Proposal (Custom mode) form: Proposal Name proposal (1-15 chars); Encapsulation Mode Tunnel; Security Protocol ESP; ESP Authentication Algorithm MD5; ESP Encryption Algorithm DES; items marked with an asterisk are required]. Type proposal as the name of the IPsec proposal. Select Tunnel as the packet encapsulation mode. Select ESP as the security protocol. Select MD5 as the ESP authentication algorithm. Select DES as the ESP encryption algorithm. Click Apply. Configure IPsec policy policy: Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 28. Figure 28 Configure an IPsec policy [Add IPSec Policy form: Policy Name policy (1-15 chars); Sequence Number 1; Template; IKE Peer peer; IPSec Proposal Ba
123. ed [IP address form: IP Address 10.1.1.12 in the IP address list; items marked with an asterisk (*) are required]. Select the IP Address option. Type public as the name. Type 10.1.1.12 as the IP address, then click Add to add the address to the IP address list. Click Apply. Configuring an Interzone Policy: Configure an access rule for host public to access the external network at any time. Select Firewall > Security Policy > Interzone Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 13. Figure 12 Allow host public to access the external network at any time [interzone policy form: Source Zone Trust; Dest Zone Untrust; Description (1-31 chars); Source IP Address public (New IP Address; the wildcard must be a reversed mask); Destination IP Address any_address; Service any_service (each service stands for an industry-standard IP stream; when creating a firewall policy you need to specify a service for it); Filter Action Permit (the filter action can be Permit or Deny, which stands for the action that the firewall adopts for the selected service); Time Range; Content Filtering Policy Template]. Us
124. [table of contents, continued] 5; Basic Configurations 5; CLI Configurations 5; Feature Configurations 6; Creating, Configuring, Selecting and Removing a Virtual Device 6; Creating, Configuring and Removing a Security Zone 7; Resource-Based Packet Filtering Within the Same Virtual Device 8; Resource-Based Packet Filtering Among Different Virtual Devices 12; ASPF Filtering for ICMP Packets and Non-SYN TCP Initial Packets 15; Related Documentation 16. Feature Overview: A firewall device can be divided logically into multiple parts, each of which can function as a separate virtual device. A firewall product is required to support virtual devices in most of its firewall features. Each virtual de
125. [flow log list screenshot: columns Time/Date, Protocol Type, Flow Information, Start Time, End Time and Flow Action; TCP and ICMP records dated 2010-06-08 between 192.168.251.21, 192.168.100.10 and 18.1.1.2; 8 records, 15 per page, page 1/1, records 1-8]. Table 14 and Table 15 describe the flow logging 1.0 and 3.0 configuration items, respectively. Table 14 Flow logging 1.0 configuration items (items: Time/Date, Protocol Type, Flow Information, Start Time, End Time, Flow Action). Time/Date: Displays the time and date when a flow log was generated. Protocol Type: Displays the protocol type of a flow log. Flow Information: Displays the flow information. If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port > destination IP address:destination
126. eeds the threshold; Number of connections per dest IP exceeds the threshold: 0, 0. SYN Flood Attack Protection: Use SmartBits to send TCP SYN packets from zone Untrust to 2.0.0.2 in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently. Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of SYN flood attacks and the number of dropped SYN flood attack packets. [attack statistics screenshot: columns Attack Type, Dropped Packet, Attack Count; rows Fraggle, ICMP Redirect, ICMP Unreachable, Land, Large ICMP, Route Record, Scan, Source Route, Smurf, TCP Flag, Tracert, WinNuke, SYN Flood, ICMP Flood, UDP Flood, Number of connections per source IP exceeds the threshold, Number of connections per dest IP exceeds the threshold; most counters are 0, with non-zero dropped packet and attack counts shown for the tested attack]. Scanning Prevention: Use SmartBits to send packets from zone Untrust to zone Trust at a rate higher than 500 frames per second, keeping the source address the same and changing the destination address frequently. Select Intrusion Detection > Statistics from the navigation tree and then select zone Untrust. You can view the number of scanning attacks and the number of dropped scanning att
127. [table of contents, continued] 8; Configuring Routes on the Virtual Firewall 8; Requirements 8; Basic Configurations 8; Configuring Static Routes 9; Configuring RIP Routes 9; Configuring OSPF Routes 10. Feature Overview: Virtual firewalls are most commonly implemented by separating a single physical firewall into multiple logical firewalls, each of which has its own routing table. VPN instances are used to separate VPN routes from public network routes and to separate routes among different VPNs. The following describes how to create a VPN instance, associate it with an interface, and make VPN instances work with routing protocols. Creating a VPN Instance: A VPN instance is associated with a site rather than with a VPN. It is a collection of the VPN member
128. eer [Add IPSec Policy form, continued: IKE Peer peer; IPSec Proposal proposal; PFS; ACL (3000-3999); aggregation; SA Lifetime Time Based 3600 seconds (180-604800, default 3600), Traffic Based 1843200 kbytes (2560-4294967295, default 1843200); items marked with an asterisk are required]. Table 8 describes the configuration items for creating an IPsec policy. Table 8 IPsec policy configuration items. Policy Name: Type the name for the IPsec policy. Sequence Number: Type the sequence number for the IPsec policy. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. Template: Select the IPsec policy template to be referenced. Highlight: If you select an IPsec policy template, all subsequent configuration items are unavailable except the aggregation setting. IKE Peer: Select the IKE peer for the IPsec policy to reference. Available IKE peers are those configured by selecting VPN > IKE > Peer from the navigation tree. IPSec Proposal: Select up to six IPsec proposals for the IPsec policy to reference. The IKE negotiation process will search for and use the exactly matched IPsec proposal. If no exactly matched IPsec proposal is found, the expected SAs cannot be established and the packets that need to be protected will be discarded. PFS: Enable and configure the Perf
129. efault is used. Figure 4 Add an IKE proposal [IKE Proposal Configuration form: IKE Proposal Number 65535; Authentication Method Preshared Key; Authentication Algorithm SHA1; Encryption Algorithm DES-CBC; DH Group Group1; SA Lifetime in seconds (60-604800, default 86400); items marked with an asterisk (*) are required]. Table 3 describes the configuration items for creating an IKE proposal. Table 3 IKE proposal configuration items. IKE Proposal Number: Type the IKE proposal number. The number also stands for the priority of the IKE proposal, with a smaller value meaning a higher priority. During an IKE negotiation, the system matches IKE proposals in order of proposal number, starting from the smallest one. Authentication Method: Select the authentication method to be used by the IKE proposal; Preshared Key uses the pre-shared key method, RSA Signature uses the RSA digital signature method. Authentication Algorithm: Select the authentication algorithm to be used by the IKE proposal; SHA1 uses HMAC-SHA1, MD5 uses HMAC-MD5. Encryption Algorithm: Select the encryption algorithm to be used by the IKE proposal; DES-CBC uses the DES algorithm in CBC mode and 56-bit keys for encryption, 3DES-CBC uses the 3DES algorithm in CBC mode and 168-bit keys for encryption
130. ent. A rule with the permit keyword identifies a data flow to be protected by IPsec, while a rule with the deny keyword identifies a data flow that does not need to be protected by IPsec. To configure ACLs, select Firewall > ACL to enter the ACL configuration page and perform the following configurations: 1. Create an ACL. 2. Configure rules for the ACL. Note: Ensure that all permit statements applied in the inbound direction are for IPsec-protected traffic flows only. This is to avoid normal incoming packets being dropped because of permit statement hits. Configuring IKE: An SA can be created with IKE. This section describes how to configure IKE. Configuring Global IKE Parameters: Select VPN > IKE > Global from the navigation tree to enter the IKE global configuration page, as shown in Figure 2. Figure 2 IKE global configuration [IKE Global Configuration form: IKE Local Name (chars); NAT Keepalive Interval 20 seconds (5-300, default 20); items marked with an asterisk are required]. Table 2 describes the configuration items for configuring global IKE parameters. Table 2 Global IKE configuration items. IKE Local Name: Type a name for the local security gateway. If the local device needs to act as the IKE negotiation initiator and use the local gateway name for IKE negotiation, you need to configure
131. erface 3 [Interface Creation form: Interface Name Vlan-interface; VID (1-4094); MTU; TCP MSS; IP Config: None, Static Address, DHCP, BOOTP, PPP Negotiate, Unnumbered; IP Address 192.168.3.1; Mask 24 (255.255.255.0); Secondary IP Address List (Secondary IP Address, Mask 24 255.255.255.0, Add); Unnumbered Interface; items marked with an asterisk (*) are required]. Select Device Management > Zone from the navigation tree. Add VLAN interface 2 to the Trust zone and VLAN interface 3 to the Untrust zone. Figure 25 Add interfaces to the Trust zone [zone configuration form: Zone ID, Zone Name, Preference, Share, Virtual Device, Interface; available interfaces include NULL0, Vlan-interface2, Vlan-interface3 and the GigabitEthernet ports; the VLANs should be separated by "," or "-", for example 3,6-10; items marked with an asterisk (*) are required]. Figure 26 Add interface to the Untrust zone [zone configuration form: same fields; interfaces NULL0, Vlan-interface3 and GigabitEthernet0/1 listed; the VLANs should be separated by "," or "-", for example 3,6-10; items marked with an asterisk are required; Apply]
132. erification: Result A: the ping operation succeeds. Result B: the ping operation fails. Result C: the ping operation succeeds. Result D: the ping operation fails; the VID is needed to specify the tag type and VLAN. Result E: the ping operation succeeds. 4. Configuration guidelines: After Layer 3 subinterfaces are configured on a physical port working in router mode, packets are forwarded between security zones according to the security zones where the Layer 3 subinterfaces reside. To implement Layer 3 subinterface forwarding in a non-default virtual device, you need to configure the subinterfaces used for forwarding packets as interface members of the virtual device. Hybrid Mode. Configuring general hybrid mode. 1. Configuration description: Configure VLAN virtual interfaces and Layer 3 interfaces on the Device to forward packets. 2. Configuration procedure (see Figure 1): Select Device Management > Interface from the navigation tree. Configure GigabitEthernet 0/1 as a Layer 2 access port, assign the interface to VLAN 2, create VLAN interface 2, and assign IP address 192.168.2.1/24 to the VLAN interface. Configure the route mode for GigabitEthernet 0/2 and assign IP address 192.168.3.1/24 to it. Figure 35 Create VLAN interface 2 [Interface Creation form: Interface Name Vlan-interface
133. ernet0/3, GigabitEthernet0/4, NULL0 [interface list, continued: columns IP Address, Mask, Security zone, Status, Operation; addresses 192.168.251.20 255.255.255.0, 20.1.1.1 255.255.255.0 and 10.1.1.1 255.255.255.0]. Click the icon of interface GigabitEthernet 0/1 to enter the page for configuring the interface. Configure the interface as shown in the following figure and then click Apply. The interface management page appears, displaying the configuration result. Figure 5 Interface configuration [interface form: Interface Name GigabitEthernet0/1; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode Bridge Mode / Router Mode; IP Configuration: None, Static Address, DHCP, BOOTP, PPP Negotiate, Unnumbered; IP Address 20.1.1.1; Mask 24 (255.255.255.0); Secondary IP Address / Mask 24 (255.255.255.0), Add; Secondary IP Address List; Unnumbered Interface]. Adding Interfaces to Zones. Adding GigabitEthernet 0/2 to the Trust zone: Select Device Management > Zone from the navigation tree to display the zone list. Figure 6 Zone list [columns Zone ID, Zone Name, Preference, Share, Virtual Device, Operation; Management 100 no; Local 100 no Root; Trust 85 no Root; DMZ 50 no Root; Untrust 5 no Root]. Cl
134. es. SecPath Series Firewalls Connection Limit Configuration Examples. Keywords: web, TCP/IP. Abstract: This document describes the connection limit feature and presents some configuration examples for the SecPath series firewalls. Acronyms: HTTP, Hypertext Transfer Protocol; TCP, Transfer Control Protocol; IP, Internet Protocol. Table of Contents: 3; Application Scenarios 3; Connection Limit Configuration Example 3; Network Requirements 3; Configuration on the Device 4; CLI Configuration 4; Web Configuration 4; Configuration Procedures 4; Limiting the Number of UDP Sessions Based on a Network Segment 4; Limiting the Number of UDP Sessions Based on a Network Segment
135. escribes the attack protection functions of the H3C UTM firewalls, including SYN flood attack protection, UDP flood attack protection, ICMP flood attack protection, scanning attack protection, single-packet attack protection, static blacklist and dynamic blacklist. This document also presents the configuration and verification methods in detail through examples. Acronyms: DDOS, Distributed Denial of Service; HTTP, Hypertext Transfer Protocol; ICMP, Internet Control Message Protocol; IP, Internet Protocol; TCP, Transfer Control Protocol; UDP, User Datagram Protocol. Table of Contents: Feature Overview 3; Application Scenarios 3; Configuration Guidelines 3; Configuration Example 3; Network Requirements 3; Configuration Considerations 4; Software Version Used 4; Configuration Procedures 4; Basic Configurations
136. esource-based packet filtering within the same virtual device; Configuring object-based packet filtering among different virtual devices; ASPF filtering for ICMP packets and non-SYN TCP initial packets. Configuration Examples. Network Requirements. Note: This configuration example is applicable to SecPath F5000-A5, SecPath F1000-E and SecPath UTM 200-A/200-M/200-S, and uses the F1000-E to show how to configure the virtual device and security zone. As shown in Figure 1, the interfaces of the Device connect to different devices: GE 0/1 connects to Host A in zone Trust, GE 0/2 connects to the devices in the DMZ zone, and GE 0/3 connects to Host C in zone Untrust. Use the following network diagram to test how to create, edit and remove virtual devices and security zones. Figure 1 Network diagram [Host C 3.1.1.2/24 in zone Untrust; the DMZ network 2.1.1.0/24 with a server; Host A in zone Trust; link addresses 1.1.1.1/24, 1.1.1.2/24, 155.1.1.1/24 and 155.1.1.2/24; GE0/1 on the Device]. Configuration Considerations: Create and configure a virtual device; remove a virtual device; create and configure a security zone; remove a security zone. Software Version Used: SecPath F1000-E V300R001B01 R3166 series and V800R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S
137. ess 1.0.0.1 of the UTM device's interface GigabitEthernet 0/1. [Windows command prompt screenshot: ping 1.0.0.1 with 32 bytes of data; all four requests time out; Ping statistics for 1.0.0.1: Packets Sent = 4, Received = 0, Lost = 4 (100% loss)]. When PC 2 is not in the blacklist, PC 2 can ping the IP address 1.0.0.1 of the UTM device's interface GigabitEthernet 0/1. [Windows command prompt screenshot: ping 1.0.0.1 with 32 bytes of data; four replies from 1.0.0.1, bytes=32, time<1ms, TTL=255; Ping statistics for 1.0.0.1: Packets Sent = 4, Received = 4, Lost = 0; approximate round-trip times in milliseconds: Minimum 0ms, Maximum 0ms, Average 0ms]. Dynamic Blacklist: Use a PC (1.0.0.100, for example) in the external network to log in to the server in the internal network, inputting the correct username but a wrong password five times. Selecting Intrusion Detection > Blacklist from the navigation tree, you can see that the IP address of the
138. ess, Mask, Security zone, Status, Operation [interface list: GigabitEthernet0/0 192.168.251.20 255.255.255.0; GigabitEthernet0/1; GigabitEthernet0/2; GigabitEthernet0/3; GigabitEthernet0/4; NULL0; 6 records, 15 per page, page 1/1, records 1-6; Add]. Click the icon of interface GigabitEthernet 0/2 to enter the page for configuring the interface. Configure the interface information as shown in the following figure and then click Apply. The interface management page appears, displaying the configuration result. Figure 3 Configure interface GigabitEthernet 0/2 [interface form: Interface Name GigabitEthernet0/2; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode Bridge Mode / Router Mode; IP Configuration: None, Static Address, DHCP, BOOTP, PPP Negotiate, Unnumbered; IP Address 10.1.1.1; Mask 24 (255.255.255.0); Secondary IP Address / Mask 24 (255.255.255.0), Add; Secondary IP Address List; Unnumbered Interface; Back]. Configuring GigabitEthernet 0/1: From the navigation tree, select Device Management > Interface to enter the interface management page. Figure 4 Interface management page [interface list: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2, GigabitEth
139. ess:destination port, for example 1.1.1.2:1026 > 1.1.2.10:69. If the protocol type is any type other than TCP or UDP, the displayed flow information is source IP address > destination IP address, for example 1.1.1.2 > 1.1.2.10. Displays the number of received packets/bytes. Displays the number of packets/bytes sent. Displays the source VPN of the packets. Destination VPN: Displays the destination VPN of the packets. Start Time: Displays the time when a flow was created. End Time: Displays the time when a flow was removed. Flow Action: Displays the operator field of a flow. 1 Normal over: the flow ended normally. 2 Aged for timeout: timer timed out. 3 Aged for reset or config change: flow aging due to a configuration change. 4 Aged for no enough resource: flow aging due to insufficient resources. 5 Aged for no pat of NAT: one-to-one NAT; in this case only the source IP address, the source IP address after translation and the time fields are available. 6 Active data flow timeout: the lifetime of the flow reached the limit. 8 Data flow created: record for the flow when it was created. 254 Other: other reasons. Configuration Example. Network Requirements. Note: This configuration example uses an F5000-A5 firewall. This configuration example is applicable to SecPath F5000
140. face connecting to the public network uses a private address dynamically assigned by the ISP. Figure 32 Network diagram for configuring IPsec to work with NAT [Device A (GE0/0) at the headquarters and Device B (PPPoE client, GE0/3) at the branch, connected over an ADSL line and the Internet; addresses shown: 192.168.1.1, 100.1.1.1, 172.16.0.1]. Configuration Considerations: The IKE negotiation mode must be aggressive because Device B uses a dynamic IP address. Configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a public IP address while the other end uses a private IP address. In addition, you must configure the local peer to use the gateway name as the ID type. Configuration Procedures. Configuring Device A: Assign IP addresses to the interfaces and add the interfaces to their target zones (omitted). Configure the IKE local name as head. Figure 33 IKE global configuration [IKE Global Configuration form: IKE Local Name head (1-32 chars); NAT Keepalive Interval 20 seconds (5-300, default 20); items marked with an asterisk are required]. Configure the IKE peer: Select VPN > IKE > Peer from the navigation tree and then click Add. Type gate as the peer name. Select Aggressive as the negotiation mode. Type branch as the host name of the remote gateway. Select Pre-Shared Key and type 123456 as the pre-shared key. Select the Enable NAT traversal function check box. Click Apply.
141. ffic information and can output the records in a specific format to a log host, allowing administrators to perform security auditing. Session logging records an entry for a session if it reaches the specified threshold. Session logging supports two categories of thresholds. Time threshold: when the lifetime of a session reaches this threshold, a log entry is output for the session. Traffic threshold: the traffic threshold can be in units of the number of bytes or the number of packets; when the traffic of a session reaches the specified number of bytes or packets, a log entry is output for the session. Note: For more information about session management, see Session Management. Session logs are output in the format of flow logs; to view session logs, you also need to configure flow logging. Perform the tasks in Table 5 to configure session logging. Table 5 Session logging configuration task list (Task / Remarks). Configuring a Session Logging Policy: Required. Configure a session logging policy, specifying the source zone and destination zone of the sessions and the ACL for filtering log entries. By default, no session logging policy exists. Setting Session Logging Thresholds: Required. Configure the time threshold and/or the traffic threshold for session logging. By default, both the time threshold and the traffic threshold are 0, meaning that no session logging entries are output. Highlight: If both the time threshold
142. figuration Examples; SecPath Series Firewalls DHCP Configuration Examples; SecPath Series Firewalls NAT Configuration Examples; SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples; SecPath Series Firewalls Attack Protection Configuration Example; SecPath Series Firewalls Interzone Policy Configuration Example; SecPath Series Firewalls Link Aggregation Configuration Examples; SecPath Series Firewalls Log Management and SecCenter Configuration Example; SecPath Series Firewalls Virtual Firewall Configuration Examples; SecPath Series Firewalls Connection Limit Configuration Examples; SecPath Series Firewalls Virtual Device and Security Zone Configuration Examples. Conventions: The manual uses the following conventions. Command conventions (Convention / Description; the convention column lists Boldface, italic, [ ], { x | y | ... }, [ x | y | ... ], { x | y | ... } *, [ x | y | ... ] * and &<1-n>; GUI conventions lists Boldface). Boldface: the keywords of a command line are in boldface. italic: command arguments are in italic. [ ]: items (keywords or arguments) in square brackets are optional. { x | y | ... }: alternative items are grouped in braces and separated by vertical bars; one is selected. [ x | y | ... ]: optional alternative items are grouped in square brackets and separated by vertical bars; one or none is selected. { x | y | ... } *: alternative items are grouped in braces and separated by vertical bars; a minimum of one or a maximum of all can be selected. [ x | y | ... ] *: optional alternative items are grouped in s
143. firewall into multiple logical firewalls. Creating virtual devices allows for lease services of firewalls.
• Security zone application allows a high-end firewall that can provide multiple physical interfaces to connect to multiple logical network segments in different modes, for example, within an internal network, across internal networks and the public network, and within the DMZ zone. In a network configured with security zones, it is not necessary to configure a security policy for each interface, thus reducing the workload of the network administrator for maintaining security policies and the risks due to frequent configurations.
• ASPF policies are configured among zones. During packet processing, the session management module provides such information as whether a connection is in the correct state, whether a packet is the initial packet, and whether a packet is an ICMP error packet. Based on such information, ASPF determines, according to the ASPF policies, whether a packet is allowed to pass.
Configuration Guidelines
Configure the virtual device, security zone, session management, ASPF, and packet filtering on the web interfaces. The configuration contents include:
• Creating, configuring, selecting, and removing a virtual device
Hangzhou H3C Technologies Co., Ltd. www.h3c.com 3/16 H3C SecPath Series Firewalls Virtual Device and Security Zone Configuration Examples
• Creating, configuring, and removing a security zone
• Configuring r
144. gies Co., Ltd. The information in this document is subject to change without notice.
SecPath Series Firewalls Virtual Device and Security Zone Configuration Examples
Keywords: web, TCP, IP
Abstract: This document describes the features of the SecPath firewall (virtual device, security zone, session management, ASPF, and packet filtering) and their configuration procedures in detail.
Acronyms
HTTP: Hypertext Transfer Protocol
TCP: Transfer Control Protocol
IP: Internet Protocol
Table of Contents
Feature Overview ... 3
Application Scenarios ... 3
Configuration Guidelines ... 3
Configuration Example ... 4
Network Requirements ... 4
Configuration Considerations ... 5
Software Version Used
145. guration encrypts the saved file at the same time. The saved file is displayed in cipher text. You can also back up and restore the configuration information on the configuration maintenance page. Besides, you can upgrade the system software and restart the system through the web interface.
Application Scenarios
Configuration maintenance is used for routine device maintenance. When the configuration is changed, you can save the configuration in case of configuration loss due to power interruption. You can also back up the configuration for future configuration restoration. To clear the configuration that you have made, you can restore the device to the factory defaults.
Configuration Guidelines
• When upgrading the software, select a time range with small traffic to avoid affecting users.
• To save the current configuration, enter the save command on the command line interface, or log in to the web interface, select Device Management > Maintenance from the navigation tree, click the Save tab, and click Apply. The current configuration is saved to two configuration files, startup.cfg and system.xml.
• When performing configuration file backup or restoration, back up and restore the two files startup.cfg and system.xml together.
Configuration Maintenance Example
Network Requirements
Note: This configuration example is applicable to SecPath F5000-A5, SecPath F1000-E, and SecPath UTM 200-A/200-M/200-S firewalls. A UTM 200-S firewall i
146. [Figure residue: interzone policy rule form. Service: each service stands for an industry-standard IP stream; when creating a firewall policy you need to specify a service for it. Filter Action: Permit or Deny, which stands for the action that the firewall adopts for the selected service. Time Range; Using MAC Address; Enable Syslog; Status; Continue to add next rule.]
The server and Host C ping each other. Result 3 is expected.
Verification
1. Packet filtering results in the case that the involved interfaces are in the same zone:
• The server and Host C can ping each other.
• Host C can log into the server through FTP.
• Select Firewall > Session Table > Session Summary from the navigation tree. On the session table list, you can see the session from 2.1.1.2 to 3.1.1.2.
[Figure: session table list with columns Init VPN, Init Src IP, Init Dest IP, Resp VPN, Resp Src IP, Resp Dest IP, Protocol, Status, Operation]
2. Packet filtering results in the case that the involved interfaces are in different zones without interzone policies configured:
• The server can ping Host C. The security zone with a higher precedence can access the security zone with a lower precedence.
• Host C cannot ping the server. The security zone with a lower precedence cannot access the security zone with a higher precedence.
• Host C cannot log into the
147. he default port numbers on the SecCenter are as shown in Figure 18.
Figure 18 Management ports [SecCenter page System Management > System Config > Management Ports, listing ACG Stream Logs Port, NAT Logs Port, Syslog Port, NetStream V5 Logs Port, NetStream V9 Logs Port, and Trush Mail Port. Tip: Please ensure that the ports are valid and available.]
Enabling SNMP Agent on the Firewall to Connect to the SecCenter for Management
  [Device] snmp-agent community read public
  [Device] snmp-agent community write private
  [Device] snmp-agent sys-info version all
Adding a device to the SecCenter
Input http://192.168.100.14/SecCenter into the address bar of your browser to log in to the management interface of SecCenter. Select the System Management tab, and then select Device List under Device Management to enter the device management page. Then click Add to enter the page for adding a device, as shown in Figure 19. On the page, add the device under test to the device list.
Figure 19 Add device [SecCenter tabs: Bandwidth Management, Behavior Auditing, IPS Management, Firewall Management]
148. he external network is denied.
Figure 15 Interzone policy log [log list dated 2010-01-28 14:32:17, with columns Start Time, End Time, Source Zone, Dest Zone, Policy Action, Flow information]
References
Protocols and Standards: TCP/IP Routing Volume I
Related Documentation: Interzone Policy Configuration in the web configuration manual; Address Resource Configuration in the web configuration manual.
Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
SecPath Series Firewalls Link Aggregation Configuration Examples
Keywords: Link aggregation
Abstract: This document presents some link aggregation configuration examples for the SecPath series firewalls.
Acronyms: Acronym / Full spelling
Table of Contents
Feature Overview ... 3
Application Scenarios
149. he navigation tree, click the Restore tab, and click the Browse button to specify the configuration file.
[Figure: Restore the Configuration File page, with Browse fields for startup.cfg (the file with the extension .cfg) and system.xml (the file with the extension .xml). Note: The restored configuration will take effect after reboot. Items marked with an asterisk are required. Apply]
2. Click Apply to import the configuration file. The page will display the following prompt after finishing the import: The restored configuration file takes effect at next startup.
[Figure: Restore the Configuration File page showing startup.cfg and system.xml with the message "Succeeded in backing up the configuration file. The restored configuration will take effect after reboot." Apply]
Restoring to the factory defaults
Select Device Management > Maintenance from the navigation tree, click the Initialize tab, and then click the Restore Factory Default Settings button to restore the factory default settings and reboot the device.
[Figure: Initialize tab with the Restore Factory Default Settings button. Note: Click Restore Factory Default Settings to restore and initializ
150. his example, GigabitEthernet 0/2, the egress interface, transparently transmits packets without removing their VLAN tags. That is, packets are received on one interface of the inline forwarding group and, after being processed by the security module, are forwarded through the other interface transparently.
Configuring inter-VLAN Layer 2 forwarding
1. Configuration description
Configure hosts in different VLANs but with IP addresses on the same network segment to communicate with each other.
2. Configuration procedure (see Figure 2)
• Configure devices through the CLI.
On the switch:
  #
  interface GigabitEthernet1/0/1
   port access vlan 102
  #
  interface GigabitEthernet1/0/10
   port access vlan 103
  #
  interface GigabitEthernet1/0/16
   port link-type trunk
   undo port trunk permit vlan 1
   port trunk permit vlan 102 to 103
  #
On the Device:
  #
  vlan 102 to 103
  #
  vlan 1000
  #
  interface GigabitEthernet0/1
   port link-mode bridge
   port link-type trunk
   port trunk permit vlan 1 102 to 103
  #
• Configure the Device through the web interface.
Select Device Management > Interface from the navigation tree and create Layer 2 subinterfaces GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103.
Figure 9 Create GigabitEthernet 0/1.102 [Interface Creation form: Interface Name GigabitEthernet0/1
151. hnologies Co., Ltd. www.h3c.com 37/39
Figure 45 Apply the IPsec policy to an interface [IPSec Application Setup form: Interface; Policy policy_nat; items marked with an asterisk are required]
Verification
After configuration, packets to be exchanged between subnet 192.168.1.2 and subnet 172.16.1.2 will trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet 172.16.1.2 and subnet 172.16.1.2 will be protected by IPsec.
Viewing IPsec SAs
Select VPN > IPSec > IPSec SA from the navigation tree to display brief information about established IPsec SAs, as shown in Figure 46.
Figure 46 IPsec SAs [columns Local IP, Remote IP, SPI, Security Protocol, Authentication Algorithm, Encryption Algorithm; one entry: 100.1.1.1, 140.0.0.7, 2342415508, ESP, HMAC-MD5-96, DES]
Viewing Packet Statistics
Select VPN > IPSec > Statistics from the navigation tree to view packet statistics, as shown in Figure 47.
Figure 47 Packet statistics [Statistic Item / Statistic Value: IPsec protected packets (inbound/outbound); IPsec protected bytes (inbound/outbound); IPsec protected packets discarded by device (inbound/outbound); Dropped packets (lack of memory); ...
152. hou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
SecPath Series Firewalls Interzone Policy Configuration Example
Keyword: interzone policy
Abstract: Interzone policies based on ACLs are used for identification and monitoring of traffic between zones.
Acronyms
ACL: Access Control List
Table of Contents
Feature Overview ... 3
Application Scenarios ... 3
Configuration Guidelines ... 3
Interzone Policy Configuration Example ... 3
Network Requirements ... 3
Configuration Considerations ... 4
Software Version Used ... 4
Configuration Procedures ... 4
Assigning IP Addresses to Interfaces
153. ic route to Host A
• Select Network > Routing Management > Static Routing from the navigation tree, and then click Add. Perform the configurations shown in Figure 25.
Figure 25 Configure a static route to Host A [Add a Static Route form: Destination IP Address 192.168.1.0; Mask 255.255.255.0; Next Hop; Outbound Interface; items marked with an asterisk are required; Apply]
Configure IKE peer "peer"
• Select VPN > IKE > Peer from the navigation tree, and then click Add. Perform the configurations shown in Figure 26.
Figure 26 Configure an IKE peer [form: Peer Name (1-15 chars); IKE Negotiation Mode Main / Aggressive; Local ID Type IP Address / Gateway Name; Local IP Address; Remote Gateway IP Address 192.168.250.12 / Hostname; Remote ID; Pre-Shared Key 123456; PKI Domain; Enable DPD; Enable the NAT traversal function. If the local end is the initiator, only one remote IP address can be specified; if the local end is the responder, the remote IP address range must include the local IP address of the initiator. Items marked with an asterisk are required. Apply]
• Type peer as the peer name.
• Select Main as the negotiation mode.
• Type 192.168.250.12 as the IP address of the remote gateway.
• Select Pre-Shar
154. ick the edit icon of zone Trust to enter the page for modifying the zone. Add interface GigabitEthernet 0/2 to zone Trust, as shown in the following figure, and then click Apply.
Figure 7 Add GigabitEthernet 0/2 to the Trust zone [Modify Zone form: Zone ID; Zone Name; Preference; Share; Virtual Device; Interface Name; interface list GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3, GigabitEthernet0/4, NULL0. The VLANs should be separated by , or -, for example 5-10. Items marked with an asterisk are required.]
Adding GigabitEthernet 0/1 to the Untrust zone
• Select Device Management > Zone from the navigation tree to display the zone list.
Figure 8 Zone list [columns Zone ID, Zone Name, Virtual Device, Operation; zones Management, Local, Trust, DMZ, Untrust; Add]
• Click the edit icon of the zone Untrust to enter the zone modification page. Add interface GE 0/1 to the zone Untrust and click Apply.
Figure 9 Modify the zone configuration [Zone Name Untrust; Preference; Share No; Virtual Device; interface list GigabitEthernet0/1, GigabitEthernet0/3, GigabitEthernet0/4, NULL0. The VLANs should be separated by , or -, for example 5-10. Items marked
155. ies SecPath UTM 200-A/200-M/200-S firewalls: V500R001B01 R5116 series
Configuration Procedures
Specifying Interface Addresses
Specify the IP address of GigabitEthernet 0/0. Select Device Management > Interface from the navigation tree.
Figure 2 Interfaces [interface list with columns Name, IP Address, Mask, Security Zone, Status, Operation; GigabitEthernet0/0 192.168.1.1 255.255.255.0 Trust; a second interface 192.168.103.171 255.255.252.0 Untrust; GigabitEthernet0/1 through GigabitEthernet0/4]
Click the edit icon of GigabitEthernet 0/0 to enter the Edit Interface page. Configure the interface as shown in Figure 3, and then click Apply to return to the Interface page.
Figure 3 Edit interface GigabitEthernet 0/0 [Interface Name GigabitEthernet0/0; Interface Type; MTU 46-1500 (default 1500); TCP MSS 1460, range 128-2048 (default 1460); Working Mode Bridge Mode / Router Mode; IP Configuration None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 192.168.1.1; Mask 24 (255.255.255.0); Secondary IP Address List (Secondary IP Address, Mask, Add); Unnumbered Interface]
Specify the IP ad
156. [Figure residue: zone interface list GigabitEthernet0/2, GigabitEthernet0/3, GigabitEthernet0/4, NULL0. The VLANs should be separated by , or -, for example 5-10. Items marked with an asterisk are required.]
Configuration Maintenance
Saving the current configuration
1. Select Device Management > Maintenance from the navigation tree, click the Save tab, and click Apply to save the current configuration. The page displays a prompt that the system is saving the configuration.
[Figure: Save tab. "This operation will save your configuration to device. Are you sure to save the current configuration?" with the check box Encrypt the configuration file.]
2. To encrypt the saved configuration file, select Encrypt the configuration file before clicking Apply.
Backing up the current configuration
1. Select Device Management > Maintenance from the navigation tree, click the Backup tab, and then click the Backup button, as shown in the following figure.
[Figure: Configuration File Backup. Backup the configuration file with the extension .cfg; Backup the configuration file with the extension .xml; Backup]
2. Specify the path and file for storing the configuration in the popup dialog box and click Save.
Restoring the configuration
1. Select Device Management > Maintenance from t
157. iguration Example
Field: Reserved3. Description: For future applications.
Configuring flow logging
Select Log Report > Userlog from the navigation tree to enter the page, as shown in Figure 2.
Figure 2 Flow logging [form: Version 1.0 / 3.0; Source IP Address of Packets; Log Host Configuration with Log Host 1 and Log Host 2 (VPN Instance, IP Address, Port 0-65535); Output flow logs to information center (with this function enabled, the system will not output flow logs to the specified userlog host); items marked with an asterisk are required; Apply; Statistics]
Table 4 describes the configuration items of flow logging.
Table 4 Flow logging configuration items
Item: Version. Description: Set the version of flow logging, including 1.0 and 3.0. Highlight: Configure the flow logging version according to the capacity of the log receiving device. If the log receiving device does not support flow logging of a certain version, the device cannot resolve the logs received.
Item: Source IP Address of Packets. Description: Set the source IP address of flow logging packets. After the source IP address is specified, when Device A sends flow logs to Device B, it uses the specified IP address instead of the actual egress address as the source IP address of the packets. In this way, although Device A sends out packets to Device B through different ports, Device B can judge whether the packets are sent from Device A according to their source IP
158. iguration Examples
Configuration steps
1. Select Firewall > NAT > Dynamic NAT from the navigation tree, as shown in the following figure.
[Figure: Address Pool list (Pool Index, Start IP Address, End IP Address, Priority, Operation; Add) and Dynamic NAT list (Interface, ACL, Address Pool Index, Address Transfer, Tracked VRRP Group, Operation)]
2. Click Add in the Dynamic NAT field to enter the Add Dynamic NAT page.
• Select GigabitEthernet0/1 for Interface, type 2000 for ACL, select Easy IP for Address Transfer, and then click Apply.
[Figure: Add Dynamic NAT form: Interface GigabitEthernet0/1; ACL 2000 (2000-3999); Address Transfer Easy IP; Address Pool Index (0-255); Enable track to VRRP; VRRP Group (1-255); items marked with an asterisk are required]
• Access PC 3 in the Trust zone from PC 2 in the DMZ zone, and perform ping, HTTP, FTP, DNS, and Telnet operations.
• Check the session list to view the results.
Verification results
1. The ping, HTTP, FTP, DNS, and Telnet operations are successful.
2. Check the session list:
• Select Firewall > Session Table > Session Summary from the navigation tree to enter the following page.
[Figure: session summary list with columns Init VPN, Init Src IP, Init Dest IP, Resp VPN, Resp Src IP, Resp Dest IP, Protocol; first entry 192.168.100.14 3303 192.168.250.230 808
159. in Firewall > Event Auditing > Other Logs
[Figure: SecCenter Other Logs List (Device Group; Severity Level All; Start Time 2010-06-08 00:00; End Time 2010-06-08 23:59; 1 to 34 of 34; columns Time, Content, Severity Level). The visible entries, all with DEV_TYPE=SECPATH, are DRVMSG/3/Temp2High "Temperature Point 0 Too High" (Error), DRVMSG/3/TempOK "Temperature Point 0 Recovered from OT", DEV/4/BOARD_TEMP_TOOHIGH "Board temperature is too high on Chassis 0 Slot 0, type is RPU", and DEV/4/BOARD_TEMP_NORMAL "Board temperature changes to normal on Chassis 0 Slot 0, type is RPU" (Warning). Left navigation: Snapshot of Events, Recent List, Device Monitoring, Event Overview, Event Details, Event Export Tasks, Inter-Zone Access Logs, Abnormal Traffic Logs, Blacklist Logs, Operation Logs, Other Logs, NAT Logs, MPLS Log.]
160. in the figure below.
[Figure: DHCP Service Enable / Disable; Address Pool list with columns Pool Name, Pool Type, IP Address, Mask, Lease Time, Client Domain Name, Gateway, NetBIOS Server, ...; entry: pool 1, 10.1.1.0, 255.255.255.0, 1 day 0 hours 0 minutes, gateway 10.1.1.1]
• Add a static route to the network segment 10.1.1.0. Select Network Management > Routing Management > Static Routing from the navigation tree, click Add, and then perform the operations as shown in the figure below.
[Figure: Add a Static Route form: Destination IP Address; Outbound Interface; items marked with an asterisk are required; Apply; Cancel]
Configuration on the DHCP Relay
• Specify the IP address of GigabitEthernet 0/2 on Device B as 2.1.1.2/24 and that of GigabitEthernet 0/1 as 10.1.1.1/24.
• Add GigabitEthernet 0/1 and GigabitEthernet 0/2 to the security zones as needed. For more information about the configurations, see Basic Configuration.
• Select Network > DHCP > DHCP Relay from the navigation tree, click the Enable radio button, and then click Apply. Create a server group with IP address 2.1.1.1, that is, the IP address of GigabitEthernet on the DHCP server, as shown in the figure below.
[Figure: DHCP Service Enable / Disable; Display Advanced Configuration; Apply; Server Group ID; Advanced
161. ing MAC Address; Enable Syslog; Status; Continue to add next rule; items marked with an asterisk are required]
• Select Trust as the source zone and Untrust as the destination zone.
• Select public as the source address.
• Select Permit as the filter action.
• Select the Enable Syslog check box.
• Select the Status check box.
• Select the Continue to add next rule check box.
• Click Apply.
Configuring a rule to deny access of all the other hosts to the external network during working time
• After the last configuration step, the interzone policy rule configuration page appears with the source and destination zones selected for the last rule. Perform the configurations shown in Figure 13.
Figure 13 Deny all the other hosts access to the external network during working time [rule form: Source Zone Trust; Dest Zone Untrust; Description (1-31 chars); Source IP Address any_address / New IP Address (wildcard must be reserved mask) / Multiple Address; Destination IP Address any_address / New IP Address (wildcard must be reserved mask) / Multiple Address; Service any_service / Multiple (each service stands for an industry-standard IP stream; when creating a firewall policy you need to specify a service for it); Filter Action Permit or Deny, which stands for the action that the firewall ad
162. ing Syslog ... 3
Configuring User Logging ... 4
Configuring Flow Logging ... 4
Session Logging ... 8
Introduction ... 8
Configuring a Session Logging Policy ... 9
Setting Session Logging Thresholds ... 9
Log Report ... 10
Displaying System Logs ... 10
Displaying Connection Limit Logs ... 11
Displaying Attack Prevention Logs ... 12
Displaying Blacklist Logs ... 13
Displaying Inter-Zone Policy Logs ... 13
Displaying User Logs ... 14
Config
163. initial packets to pass. Send ICMP error packets and non-SYN TCP initial packets with source IP address 3.1.1.2 and destination IP address 2.1.1.2 to port A of the SMB through port A. Result 1 is expected.
Configure an ASPF policy between zones Trust and Untrust: Select Firewall > Session Table > Advanced from the navigation tree, click the ASPF tab to enter the ASPF policy list page, and then click Add to add an ASPF policy. Select Discard ICMP error packets and Discard non-SYN initial TCP packets, and click Apply. Send ICMP error packets and non-SYN TCP initial packets with source IP address 3.1.1.2 and destination IP address 2.1.1.2 to port A of the SMB through port A. Result 2 is expected.
Verification
1. Port B cannot receive the packets.
2. Port B cannot receive the packets. Display the ASPF statistics from zone Trust to zone Untrust, and you can see there are no allowed packets but denied packets.
Remarks
After finishing this example, remove the configuration made in this example.
Related Documentation
Test Report for Virtual Device, Security Zone, Session Management, and Packet Filtering
Virtual Device Management in the Web configuration documentation set
Session Management in the Web configuration documentation set
Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All right
164. internal zone. When deployed in the outbound direction, that is, the external zone, they do not take effect.
2. The flood attack protection functions apply to only the outbound direction. When deployed in the inbound direction, they do not take effect.
Configuration Example
Network Requirements
Note: This configuration example is applicable to SecPath F5000-A5, SecPath F1000-E, and SecPath UTM 200-A/200-M/200-S firewalls. A UTM 200-S firewall is used in this configuration example for illustration.
Figure 1 Network diagram for attack protection configuration [zones Trust and Untrust; nodes SMB, Server, Device, PC1, PC2; addresses 1.0.0.2/24, 2.0.0.1/24, 2.0.0.2/24, 2.0.0.10/24, 1.0.0.10/24]
Configuration Considerations
• Add the interface connecting the internal network, that is, GigabitEthernet 0/2, to zone Trust.
• Add the interface connecting the external network, that is, GigabitEthernet 0/1, to zone Untrust.
Software Version Used
SecPath F1000-E: V300R001B01 R3166 series and V800R001B01 F3166 series
SecPath F5000-A5: V300R002B01 R3206 series
SecPath UTM 200-A/200-M/200-S: V500R001B01 R5116 series
Configuration Procedures
Basic Configurations
Assigning IP addresses to interfaces
• From the navigation tree, select Device Management > Interface to enter the interface management page.
[Figure: interface list with Advanced Search
165. ion group 1
  interface Vlan-interface10
   ip address 10.1.1.1 24
Configure source-IP-based load sharing:
  link-aggregation load-sharing mode source-ip
Log in through the Web interface and add GE1/6, GE1/7, and the aggregate interface to the Trust zone.
[Figure: zone list entry Trust, Preference 85, Share no, Virtual Device Root; interfaces GigabitEthernet1/6, GigabitEthernet1/7, ...]
Configure OSPF. This part is the same as any common OSPF configuration process.
Configuration on the 9505 (typically V3) switch
Create aggregation group 1 and configure the aggregation group to operate in manual aggregation mode:
  link-aggregation group 1 mode manual
Assign interfaces GE4/1/1 and GE4/1/2 to aggregation group 1:
  interface GigabitEthernet4/1/1
   port access vlan 10
   port link-aggregation group 1
  interface GigabitEthernet4/1/2
   port access vlan 10
   port link-aggregation group 1
Create VLAN-interface 10 and assign IP address 10.1.1.2 to it:
  interface Vlan-interface10
   ip address 10.1.1.2 255.255.255.0
Configure OSPF as needed.
Configuring Layer 2 Link Aggregation in Dynamic Mode
Configuration on the Device
Create Layer 2 aggregate interface Bridge-Aggregation1 and assign it to VLAN 10:
  interface Bridge-Aggregation1
   port access vlan 10
166. [Figure residue: interzone policy rule form. Source IP Address addz_q / Multiple; Destination IP Address addz_q / New IP Address (wildcard must be reserved mask) / Multiple; Service ftp_server / Multiple (each service stands for an industry-standard IP stream; when creating a firewall policy you need to specify a service for it); Filter Action Deny (Permit or Deny, the action that the firewall adopts for the selected service); Time Range; Using MAC Address Table; Syslog; Status; Continue to add next rule; items marked with an asterisk are required; Apply; Cancel]
Host C tries to log into the server, and Host C and the server ping each other. Result 3 is expected.
Verification
1. The server and Host C cannot ping each other, because the zones not shared between two virtual devices cannot access each other.
2. The verification concludes:
The server cannot ping Host C, because a private security zone cannot be accessed by the security zones of other virtual devices. Host C can ping the server, because the server belongs to the shared zone, which can be accessed by the security zones of other virtual devices. Host C can log into the server through FTP, because the server belongs to the shared zone. After Host C logs in, s
167. k box and type 172.16.0.0 and 0.0.0.255 respectively in the following text boxes.
- Click Apply.
Note: If you configure NAT for internal addresses on an outbound interface with IPsec configured (GigabitEthernet 0/0 in this example), the target traffic is translated first and therefore cannot be IPsec protected. To solve this problem, add an additional rule to the ACL so that the NAT module does not translate the source addresses of the target traffic. For example, if ACL 3901 has only rule 5, which identifies traffic sourced from 192.168.1.0/24, you must add another rule (rule 1) to ACL 3901, as shown in Figure 18, so that traffic from 192.168.1.0/24 to 172.16.0.0/24 is not translated and can be protected by IPsec.
Figure 18: Add an ACL rule (Advanced ACL 3901):
    rule 1: deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
    rule 5: permit ip source 192.168.1.0 0.0.0.255
Configure a static route to Host B:
- Select Network > Routing Management > Static Routing from the navigation tree, and then click Add. Create a static route as shown in Figure 19.
Figure 19: Configure a static route to Host B (Add a Static Route: Destination IP Address 172.16.0.0; Mask 255.255.255.0; Next Hop 192.168.250.230; Outbound Interface). A
168. ks, facilitating network management and maintenance.
Configuration Examples
Network Requirements
Note: This configuration example is applicable to SecPath F5000-A5, SecPath F1000-E and SecPath UTM series firewalls, and uses the SecPath F5000-A5 to show how to configure the virtual firewall. Support for link aggregation depends on the firewall version.
As shown in Figure 1, PC 1 and PC 3 are in VPN 1, and PC 2 and PC 4 are in VPN 2. VPN 1 constructs virtual firewall 1 and VPN 2 constructs virtual firewall 2.
Figure 1: Virtual firewall network diagram A (PC1 and PC3 in vpn1, PC2 and PC4 in vpn2, attached through GE1/1 and GE1/3).
Figure 2: Virtual firewall network diagram B (Device A and Device B connected through GE1/0 and GE0/0, addresses 100.1.1.1/24 and 100.1.1.2/24).
Configuration Considerations
- Configure multiple VPN instances.
- Associate the VPN instances with interfaces.
- Configure routing among different VPN instances.
Software Version Used
SecPath F1000-E: V300R001B01 R3166 series and V300R001B01 F3166 series; SecPath F5000-A5: V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S: V500R001B01 R5116 series.
Basic Configurations
- Interface: Configure M-GE0/0 as the management interface (interface list: M-GigabitEthernet0/0, physical up, protocol up).
- Security zone: by selecting Device Management > Zone, add M-GE0/0 to th
169. lick Apply.
(Add Static Address Mapping form: VPN Instance; Internal IP Address 2.1.1.2; Global IP Address; Network Mask; ACL (2000-3999).)
2. Enable static address translation.
- Select Firewall > NAT > Static NAT from the navigation tree, as shown in the following figure (Static Address Mapping list: Internal IP Address, Global IP Address, Network Mask, VPN Instance, ACL, Operation, Add; Interface Static Translation list: Interface Name, Tracked VRRP Group, Operation, Add).
- Click Add in the Static Address Mapping field to enter the Enable Interface Static Translation page. Select GigabitEthernet0/1 for Interface Name and click Apply. (Enable Interface Static Translation form: Interface Name GigabitEthernet0/1; Enable track to VRRP; VRRP Group (1-255).)
- Access PC 3 from PC 2 and perform ping, HTTP, FTP, DNS and Telnet operations.
- Check the session list. Verification result 1 is expected.
3. Create an ACL to control the access from the Untrust zone to the DMZ zone.
Note: By default, the SecPath firewalls allow hosts in higher-priority security zones to access hosts in lower-priority security zones, but not vice versa. To allow an external host to access an internal host, you need to configure an interzone policy.
- Select Firew
170. link-aggregation mode dynamic
Assign interfaces GE1/6 and GE1/7 to aggregation group 1, which corresponds to Route-Aggregation1:
    interface GigabitEthernet1/6
    port link-mode bridge
    port access vlan 10
    port link-aggregation group 1
    interface GigabitEthernet1/7
    port link-mode bridge
    port access vlan 10
    port link-aggregation group 1
    interface Vlan-interface 10
    ip address 10.1.1.1 24
Configure source-IP-based load sharing:
    link-aggregation load-sharing mode source-ip
Log in through the Web interface and add GE1/6, GE1/7 and the aggregate interface to the Trust zone (zone list entry: ID 2, name Trust, preference 85, share no, virtual device Root).
Configure OSPF. This part is the same as any common OSPF configuration process.
Configuration on the S9505 (typically V3 switch):
Create aggregation group 1 and configure it to operate in static aggregation mode:
    link-aggregation group 1 mode static
Assign interfaces GE4/1/1 and GE4/1/2 to aggregation group 1:
    interface GigabitEthernet4/1/1
    port access vlan 10
    port link-aggregation group 1
    interface GigabitEthernet4/1/2
    port access vlan 10
    port link-aggregation group 1
Create VLAN interface 10 and assign IP address 10.1.1.2 to it:
    i
171. logs. If you select the 1.0 radio box, the flow logging information will be displayed as shown in Figure 12; if you select the 3.0 radio box, the flow logging 3.0 information will be displayed as shown in Figure 13.
Figure 12: Flow logging 1.0 log report (Version 1.0 selected; search by Time/Date and keywords; columns: Time/Date, Protocol Type, Flow Information, Start Time, End Time, Flow Action; the sample entries are TCP and ICMP flows with actions such as "Normal over" and "Data flow created").
Figure 13: Flow logging 3.0 log report (Version 3.0 selected; search by Time/Date and keywords; columns: Time/Date, Protocol Type, Flow Information, Received Packets/Bytes, Sent Packets/Bytes, Source VPN, Destination VPN, Start Time, End Time, Action; the sample entries are TCP and ICMP flows with actions such as "Normal over" and "timeout").
172. lows logs to
- With this function enabled, flow logs will not be output to the specified information center (userlog log host).
- Outputting flow logs to the information center occupies the storage space of the device. Therefore, you are recommended to output flow logs to the information center only when there is a small amount of flow logs.
Displaying flow logging statistics
If you set to send flow logs in UDP packets to the specified userlog log host, you can view the related statistics, including the total number of flow logs sent to the log host, the total number of UDP packets, and the total number of flow logs stored in the device cache. If you click the Statistics expansion button on the Flow Log page, you can view the information as shown in Figure 3.
- Centralized device: You can clear all the flow logging statistics of the device and the flow logs in the cache by clicking Reset.
- Distributed or IRF device: You can clear all the flow logging statistics of a card and the flow logs in the cache by clicking Reset.
Figure 3: View flow logging statistics (columns: VPN Instance, IP of Log Host, Port of Log Host, Logs Sent, UDP Packets for Logs, Logs in Buffer, Operation).
Session Logging
Introduction
Session logging records users' access information, IP address translation information, and tra
173. Figure 10: Configure sending of gratuitous ARP packets (Send Gratuitous ARP; Set Sending Interval per interface, GigabitEthernet0/1 through GigabitEthernet0/4, 2000 ms (200-200000). Note: You can set up to 1024 sending interfaces. Don't perform other operations during this configuration.)
Configuring ARP Automatic Scanning
Introduction to ARP automatic scanning
With ARP automatic scanning enabled on an interface, the device scans neighbors on the interface, requests their MAC addresses, and creates dynamic ARP entries.
Configuring ARP automatic scanning
- Select Firewall > ARP Anti-Attack > Scan from the navigation tree. Select GigabitEthernet 0/0 and type the start IP address and the end IP address, as shown in the figure below. If no start IP address and end IP address are specified, the system scans the network segment according to the mask of the interface address.
Figure 11: Configure ARP scanning (Interface GigabitEthernet0/0; Start IP Address 192.168.1.2; End IP Address 192.168.1.254; check box "Also scan IP addresses of dynamic ARP entries").
Note: The start IP address and the end IP address must be in the
174. may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
SecPath Series Firewalls ARP Attack Protection Configuration Example
Keywords: ARP
Abstract: ARP provides no security mechanism and thus is prone to network attacks. The device provides multiple features to detect and prevent ARP attacks. This document describes a configuration example using these features.
Acronyms: ARP, Address Resolution Protocol
Table of Contents
Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
ARP Attack Protection Configuration Example 3
Network Requirements 3
Configuration Considerations 4
Software Version Used 4
Configuration Pro
175. n security zones according to the zones permitted on the Layer 2 subinterfaces, rather than the security zone where the physical interface resides. To implement inter-VLAN Layer 2 forwarding, make sure that you add the PVID of the subinterface to the VLAN range of the security zone. If no VLAN is configured for a subinterface, the PVID is 1, and therefore you need to add VLAN 1 to the VLAN range of the security zone. When configuring inter-VLAN Layer 2 forwarding, do not set the PVID of a subinterface to the subinterface ID. Otherwise, the downstream switches may fail to learn the MAC address of the subinterface properly. This problem is listed as a defect.
Routing Mode
Configuring Layer 3 interface forwarding
1. Configuration description: Configure the Device to route packets between hosts on different network segments.
2. Configuration procedure (see Figure 1): Select Device Management > Interface from the navigation tree. Configure the route mode for GigabitEthernet 0/1 and specify the IP address as 192.168.2.1/24. Configure the route mode for GigabitEthernet 0/2 and specify the IP address as 192.168.3.1/24.
Figure 16: Configure GigabitEthernet 0/1 (Interface Name GigabitEthernet0/1; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MS
176. n tree and then click Add.
- Select Custom mode from the IPSec Proposal Configuration Wizard page. Make the configuration as shown in Figure 21.
Figure 21: Configure an IPsec proposal (Add IPSec Proposal, Custom mode: Proposal Name proposal (1-15 chars); Encapsulation Mode Tunnel; Security Protocol ESP; ESP Authentication Algorithm MD5; ESP Encryption Algorithm DES).
- Type proposal as the name of the IPsec proposal.
- Select Tunnel as the packet encapsulation mode.
- Select ESP as the security protocol.
- Select MD5 as the ESP authentication algorithm.
- Select DES as the ESP encryption algorithm.
- Click Apply.
Configure an IPsec policy
- Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 22.
Figure 22: Configure an IPsec policy (Add IPSec Policy: Policy Name policy (1-15 chars); Sequence Number 1 (1-65535); Template; IKE Peer peer; IPSec Proposal; PFS; ACL 3101 (3000-3999); Aggregation; SA Lifetime: Time Based 3600 seconds (180-604800, default 3600), Traffic Based 1843200 Kbytes (2560-4294967296, default 1843200)).
- Type policy as the policy name.
- Type 1 as the sequence number.
177. ncrypts a plain text with three 56-bit DES keys, which total up to 168 bits.
- AES (Advanced Encryption Standard): encrypts a plain text with a 128-bit, 192-bit or 256-bit key.
AES, 3DES and DES are in descending order in terms of security. Higher security means more complex implementation and lower speed. DES is enough to meet general requirements.
Application Scenarios
IPsec is a VPN technology that delivers the security services of confidentiality, data integrity and origin authentication at the IP layer. IPsec can use IKE to update keys periodically, enhancing system security. IPsec is widely used for transmitting sensitive data in VPN networks.
Configuring IPsec
At present, the device supports IPsec tunnel setup with IPsec policies. In this approach, ACLs are used in IPsec policies to identify data flows to be protected. The use of ACLs adds flexibility to IPsec policies. IPsec policies can take effect only after they are applied to physical interfaces.
The following is the generic IPsec policy configuration procedure:
1. Configure ACLs for identifying data flows to be protected.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA negotiation mode, peer IP addresses (namely the start and end points of the IPsec tunnel), required keys, and SA lifetime.
4. Apply the IPse
178. nfiguration on the S9505 (typically V3 Switch) 8
Configuring Layer 2 Link Aggregation in Dynamic Mode 9
Configuration on the Device 9
Configuration on the S9505 (typically V3 Switch) 10
Feature Overview
Link aggregation aggregates multiple physical Ethernet ports into an aggregation group, thus increasing the link speed beyond the limits of any one single port. To upper layer entities such as applications running on the network, they look like a single logical link. Link aggregation increases bandwidth by distributing traffic across the member ports in an aggregation group. Because these member ports can dynamically back up one another, it also improves connectivity reliability.
Application Scenarios
Typically, you use link aggregation to increase the bandwidth or reliability of the network.
Configuration Examples
Network Requirements
Note: The following examples use an F5000-A5 firewall (Device in the network diagram below) to show how to configure link aggregation on the H3C SecPath se
179. ng mode and hybrid mode, respectively.
Acronyms: UTM, Unified Threat Management; VLAN, Virtual Local Area Network
Table of Contents
Feature Overview 3
General Layer 2 and Layer 3 Forwarding 3
Inline Forwarding 3
Inter-VLAN Layer 2 Forwarding 3
Application Scenarios 3
Configuration Examples 4
Network Requirements 4
Configuration Considerations 4
Software Version Used 4
Configuration Procedures 5
Transparent Mode
180. 5
Routing Mode 13
Hybrid Mode 24
Feature Overview
Layer 2 and Layer 3 forwarding falls into the following types: general Layer 2, general Layer 3, inline, and inter-VLAN Layer 2.
General Layer 2 and Layer 3 Forwarding
A SecPath series firewall operates either in route or bridge mode. When operating in route mode, the firewall supports Layer 3 forwarding only. When operating in bridge mode, the firewall supports Layer 2, Layer 3 (by using VLAN interfaces), and Layer 2 and Layer 3 hybrid forwarding. When the destination MAC address of an incoming packet matches the MAC address of the receiving VLAN interface, the firewall forwards the packet through the receiving VLAN interface at Layer 3. If the destination MAC address of the packet matches a Layer 2 MAC address table entry, the firewall forwards the packet through a Layer 2 Ethernet interface. By default, the firewall operates in route mode.
Inline Forwarding
The SecPath series firewalls support inline Layer 2 forwarding, where you specify interface pairs as the ingress and egress interfaces for packets. With the inline forwarding mode, packet forwarding does not rely on the MAC address ta
181. ns to be destined to each host address on the specified network segment.
Configuration steps:
1. Create a connection limit policy and configure a rule for it:
    connection-limit policy 0
    limit 0 source ip any destination 192.168.0.0 16 protocol udp max-connections 100 per-destination
2. Apply the connection limit policy:
    connection-limit apply policy 0
Verification result: Use the SmartBits to send 1000 UDP flows with the destination IP address 192.168.0.2 and different source addresses to interface GE 1/1. Use the SmartBits to send 1000 UDP flows with the destination IP address 192.168.0.3 and different source addresses to GE 1/1. Up to 100 sessions with the destination IP address of 192.168.0.2 can be set up, and up to 100 sessions with the destination IP address of 192.168.0.3 can be set up.
Remarks: After finishing the example, remove the configuration made in this example.
Removing the Connection Limits
Requirements: Remove the connection limits.
Configuration steps:
1. Remove the connection limit policy:
    undo connection-limit apply policy 0
Verification result: Connections are no longer limited.
Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technolo
182. nterface Vlan-interface10
    ip address 10.1.1.2 255.255.255.0
Configure OSPF as needed.
Note: The firewall supports two link aggregation load sharing criteria, source and destination IP addresses, which you can configure with the following command:
    [Device] link-aggregation load-sharing mode ?
      destination-ip   Destination IP address
      source-ip        Source IP address
SecPath Series Firewalls Log Management and SecCenter Configuration Example
Keywords: syslog
Abstract: This document describes the log management function of SecPath series firewalls and presents configuration examples for cooperation with SecCenter.
Acronyms: Syslog
Table of Contents
Feature Overview 3
Configur
183. o 192.168.103.153 255.255.252.0 (interface list: GigabitEthernet0/1 through GigabitEthernet0/4 and NULL0; 15 records per page, page 1/1, records 1-6; Add).
2. Click the edit icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure GigabitEthernet 0/1 and click Apply, as shown in the following figure (Interface Name GigabitEthernet0/1; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode Bridge Mode / Router Mode; IP Config None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address; Mask 24 (255.255.255.0); Secondary IP Address List; Unnumbered Interface).
Adding GigabitEthernet 0/1 to Trust zone
1. Select Device Management > Zone from the navigation tree.
    Zone ID  Zone Name   Preference  Share  Virtual Device
    0        Management  100         no
    1        Local       100         no     Root
    2        Trust       85          no     Root
    3        DMZ         50          no     Root
    4        Untrust     5           no     Root
2. Click the edit icon of Trust to enter the Modify Zone page. Add interface GigabitEthernet 0/1 to the Trust zone and click Apply to return to the Zone page (Modify Zone form: Preference; Share No; Interface Name; Advanced Search; Interface G
184. of multiple VLANs, for example 3-5,10.
5. To select the virtual device, enter the virtual device selection page and select the option button in the Operation column corresponding to VD1 (virtual device list: Root, VD1; Operation).
6. To remove the virtual device, enter the virtual device configuration page and click Remove corresponding to VD1. It is not allowed to remove virtual device root.
Verification: The virtual device can be created, configured, selected and removed successfully.
Remarks: After finishing this example, remove the configuration made in this example.
Creating, Configuring and Removing a Security Zone
Requirements: Create, configure and remove a security zone.
Configuration procedures:
1. Enter http://155.1.1.1 in the address bar on Host B to enter the login page. Type username admin and password admin, and click Login to log in to the web interface. The current virtual device is root.
2. From the navigation tree, select Device Management > Zone to enter the security zone configuration page. Click Add and configure the zone as follows:
- Security ID: 6
- Zone name: mytrust
- Preference: 80
- Share: Yes
(Zone form: Zone ID 6; Zone Name (1-20 chars); Preference (1-100); Share.)
3. On the security zone configuration pag
185. on
- 3DES: Uses the 3DES algorithm and 168-bit keys for encryption.
- AES128: Uses the AES algorithm and 128-bit keys for encryption.
- AES192: Uses the AES algorithm and 192-bit keys for encryption.
- AES256: Uses the AES algorithm and 256-bit keys for encryption.
- Leave it null so that ESP performs no encryption.
Highlight:
- Higher security means more complex implementation and lower speed. DES is enough to meet general requirements. Use 3DES when there are very high confidentiality and security requirements.
- The ESP authentication algorithm and the ESP encryption algorithm cannot both be null.
Configuring an IPsec Policy Template
Select VPN > IPSec > Policy Template from the navigation tree to display existing IPsec policy templates, as shown in Figure 9. Then click Add to enter the IPsec policy template configuration page, as shown in Figure 10.
Figure 9: IPsec policy template list (columns: Template Name, Sequence Number, IKE Peer, IPSec Proposal, DH Group; search by Template Name; Add).
Figure 10: IPsec policy template configuration page (Add IPSec Template: Template Name (1-15 chars); Sequence Number (1-65535); IKE Peer; IPSec Proposal; PFS; ACL (3000-3999); SA Lifetime: Time Based 3600 seconds (180-604800, default
186. on of zone Trust to enter the security zone modification page. Then add interface GigabitEthernet 0/2 to the zone as follows and click Apply to return to the security zone management page. (Zone form: Zone Name; Preference; Share No; Virtual Device; Interface Name search; interface check boxes GigabitEthernet0/1 through GigabitEthernet0/4 and NULL0; VLAN, where the VLANs should be separated by ',' or '-', for example 3-5,10; Apply/Cancel.)
- Add interface GigabitEthernet 0/1 to zone Untrust in the same way.
Configuring interzone policies
- From the navigation tree, select Firewall > Security Policy > Interzone Policy (policy list columns: Source Zone, Dest Zone, ID, Source Address, Destination Address, Service, Time Range, Filter Action, Content Filtering Policy Template, Source MAC, Destination MAC, Operation).
- Click Add and then configure an interzone policy from Untrust to Trust as follows (form: Source Zone Untrust; Dest Zone Trust; Description (1-31 chars); Source IP Address any_address, with New IP Address and Multiple Address options; Destination IP Address
187. one as shown in the figure below, and then click Apply to return to the Zone page. (Zone form: Preference; Share No; Interface Name search; Interface; VLAN, where the VLANs should be separated by ',' or '-', for example 3-5,10; Apply.)
Configuration on the DHCP Server
1. Enable DHCP. Select Network > DHCP > DHCP Server from the navigation tree and then click the Enable radio button, as shown in the figure below (DHCP Service: Enable / Disable; Address Pool list columns: Pool ID, Pool Name, Type, Static/Dynamic, Client MAC, Client Name, IP, Mask, DNS Address, Gateway, WINS, NetBIOS Node, Operation).
2. Create a dynamic DHCP address pool. On the DHCP Server page, click the Dynamic radio button and click Add to enter the page shown below (IP Address 10.1.1.0; Mask 255.255.255.0; Lease Duration: Unlimited, or days / hours (0-23) / minutes (0-59); Client Domain Name; Gateway Address, up to 8 addresses separated by comma; DNS Server Address, up to 8 addresses separated by comma; WINS Server Address, up to 8 addresses separated by comma; NetBIOS Node Type).
3. Create a static DHCP address pool. On the DHCP Server page, click the Static radio bu
188. onnected to the network where the DHCP client PC resides through GigabitEthernet 0/1, and is connected to the DHCP server Device A through GigabitEthernet 0/2. The IP address of GigabitEthernet 0/1 on Device A is 2.1.1.1/24, and that of GigabitEthernet 0/2 on Device B is 2.1.1.2/24. Device B serves as a DHCP relay agent to forward DHCP messages so that the DHCP client can obtain an IP address and other parameters from the DHCP server.
Figure 2: Network diagram for DHCP configuration example I (DHCP server Device A, DHCP relay Device B and DHCP client PC, with interfaces GE0/1 and GE0/2 and addresses 2.1.1.1/24, 2.1.1.2/24 and 10.1.1.1/24).
Configuration Considerations
- Configure Device A as the DHCP server.
- Configure Device B as the DHCP relay.
- Configure the PC as the DHCP client.
Software Version Used
SecPath F1000-E: V300R001B01 R3166 series and V300R001B01 F3166 series; SecPath F5000-A5: V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S firewall: V500R001B01 R5116 series.
Configuration Procedure
Configuration on the DHCP Server
- Specify the IP address of GigabitEthernet 0/1 on Device A as 2.1.1.1/24 and add the interface to the Trust zone. For more information, see Basic Configuration.
- Select Network > DHCP > DHCP Server from the navigation tree, click the Enable radio button, and configure a dynamic DHCP address pool as shown
189. oot (zone list continued: 3 DMZ, preference 50, share no, Root; 4 Untrust, preference 5, share no, Root).
Click the edit icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/0 to the Trust zone as shown in Figure 7, and then click Apply to return to the Zone page.
Figure 7: Add GigabitEthernet 0/0 to the Trust zone (Zone ID; Preference; Share No; Interface Name search; interface check boxes GigabitEthernet0/0 through GigabitEthernet0/4 and NULL0; VLAN, where the VLANs should be separated by ',' or '-', for example 3-5,10; Apply).
Add GigabitEthernet 0/2 to the Untrust zone
1. Select Device Management > Zone from the navigation tree.
Figure 8: Security zones (Zone ID, Zone Name: Management, Local, Trust, DMZ, Untrust).
2. Click the edit icon of the Untrust zone to enter the Modify Zone page. Add GigabitEthernet 0/2 to the Untrust zone as shown in Figure 9, and then click Apply to return to the Zone page.
Figure 9: Add GigabitEthernet 0/2 to the Untrust zone (Zone ID; Zone Name; Preference 5 (1-100); Share No; Virtual Device Root; Interface Name; Interface
190. opts for the selected service. (Rule form: Filter Action Deny; Time Range worktime; Content Filtering Policy Template; Using MAC Address; Enable Syslog; Status; Continue to add next rule; Apply/Cancel.)
- Select Deny as the filter action.
- Select worktime as the time range.
- Select the Enable Syslog check box.
- Select the Status check box.
- Click Apply.
Verification
Accessing the External Network from Host Public in Working Hours
You are allowed to access the external network from host Public in working hours. Select Log Report > Report > Interzone Policy Log to enter the interzone policy log page. The log shows that access to the external network is permitted.
Figure 14: Interzone policy log (columns: Start Time, End Time, Source Zone, Destination Zone, Policy ID, Protocol Type, Flow Information, Action; the entry from 2010-01-28 14:14:30 to 14:14:58 shows a flow from 10.1.1.12 in zone Trust to zone Untrust with action permitted).
Accessing the External Network from Other Hosts in Working Hours
In working hours, you cannot access the external network from any other host, for example a host at 10.1.1.13/24. Select Log Report > Report > Interzone Policy Log to enter the interzone policy log page. The log shows that access to t
191. ote the responder of IKE negotiation, it can have more than one remote gateway IP address, and one of its remote IP addresses must match the local IP address configured on its peer. The host name of the remote gateway is the only identifier of the IPsec peer in the network. The host name can be resolved into an IP address by the DNS server. If the host name is used, the local end can serve as the initiator of IKE negotiation. Hostname: Type the name of the remote security gateway. If the local ID type configured for the IKE negotiation initiator is Gateway Name, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name (Remote ID) to authenticate the initiator. Therefore, make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer. Configure one of these two items according to the authentication method: Pre-Shared Key: If the authentication method is pre-shared key, select Pre-Shared Key and then type the pre-shared key in the following text box. PKI Domain: If the authentication method is RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following drop-down box. Enable DPD: Select the IKE DPD to be applied to the IKE peer. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 12/39, H3C SecPath Series Firew
192. ou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 13/13) H3C SecPath Series Firewalls IPsec Configuration Examples. Keywords: IKE, IPsec. Abstract: This document describes basic concepts of IKE and IPsec and provides configuration examples for SecPath series firewalls. Acronyms (Acronym / Full spelling): IKE, Internet Key Exchange; IPsec, IP Security. Table of Contents: IPsec Configuration 3; IPsec Overview 3; Implementation of IPsec 3; Basic Concepts of IPsec 4; Application Scenario 5; Configuring IPsec 5; Configuring ACLs 7; Configuring IKE 7; Configuring Global IKE Parameters 7
193. ou H3C Technologies Co., Ltd. (Interface configuration page: GigabitEthernet, Connected; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Bridge Mode / Router Mode; IP Config None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address 2.0.0.1, Mask 24 (255.255.255.0); Secondary IP Address List.) (www.h3c.com, 5/18, H3C SecPath Series Firewalls Attack Protection Configuration Example) Configuring the ACL: From the navigation tree, click Firewall > ACL to enter the ACL management page. Then click Add to create ACL 2000 (ACL Number 2000; ranges 2000-2999 for Basic ACL, 3000-3999 for Advanced ACL, 4000-4999 for Ethernet Frame Header ACL; Match Order Config; items marked with an asterisk are required). On the ACL management page, click the icon of ACL 2000 and then click Add to create a rule that allows all packets to pass (Add Basic ACL Rule: Rule ID (0-65534; if no rule ID is entered, the system will automatically assign one); Operation Permit; Time Range None; Non-first Fragments Only; Logging; Source IP Address; Source Wildcard; VPN Instance None). Click Apply. Adding interfaces to zones: From the navigation tree, select Device Management > Zone to enter the security zone management page (Zone ID, Zone Name, Virtual Device, Operation: Management, Local, Trust, DMZ, Untrust; Add). Click the ic
194. ou H3C Technologies Co., Ltd., www.h3c.com, 19/31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples. Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to VLAN-interface 3 and enable Easy IP. ACL 3000 allows packets from 192.168.2.0/24 to pass. Figure 27: Configure dynamic NAT (Interface Vlan-interface3, ACL 3000, Address Transfer Easy IP). Figure 28: Configure ACL 3000 (Advanced ACL 3000: rule permit ip source 192.168.2.0 0.0.0.255). Verification: Configure IP address 192.168.2.10/24 and gateway 192.168.2.1 for PC1, and IP address 192.168.3.11/24 and gateway 192.168.3.1 for PC2. Ping PC2 from PC1. The ping operation succeeds, and the session information displayed on the Device is as follows. Figure 29: Session information (query item Src IP Address, IP Address 192.168.2.10; columns Init Src IP, Init Dest IP, VPN, Resp Src IP, Resp Dest IP, VPN, Protocol, Session Lifetime, Operation, Status). Configuring Layer 3 subinterface forwarding: 1. Configuration description: Configure the Device to forward packets through Layer 3 subinterfaces. 2. Configuration procedure (see Figure 2): Configure the switch: interface GigabitEthernet1/0/1; port access vlan 102; interface GigabitEthernet1/0/10; port acces
195. pecify the static binding with the IP address on the same network segment as the server's interface. 7. To exclude specific IP addresses from dynamic allocation, use the dhcp server forbidden-ip command in system view. Troubleshooting. Symptom: Client 2 in the preceding example obtains no IP address. Analysis: The network connection fails, or the interface of the DHCP server does not reside on the network segment of the DHCP address pool. Solution: 1. Check that the interface through which the DHCP server is connected to the client resides in the address pool. 2. Check that the dhcp enable command is configured on the DHCP server. 3. Configure the interface of client 2 with an IP address from the address pool, and ping from that IP address to the DHCP server to ensure network connectivity. 4. Use the debug command on the DHCP server and the client respectively to verify that the packet exchange process is normal. DHCP Configuration Example II. No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way. The DHCP relay agent works as follows: 1. A DHCP client broadcasts a DHCP-DISCOVER message. 2. The DHCP relay agent forwards the message to the designated DHCP server in unicast mode. 3. The DHCP server returns an IP address and other configuration parameters to the relay agent, which conveys them to the client. Network Requirements: As shown in Figure 2, Device B is c
196. port, for example 1.1.1.2:1026 > 1.1.2.10:69. If the protocol type is another type except these three, the displayed flow information is source IP address > destination IP address, for example 1.1.1.2 > 1.1.2.10. Displays the time when a flow was created. Displays the time when a flow was removed. Displays the operator field of a flow: 1, Normal over: the flow ended normally. 2, Aged for timeout: timer timed out. 3, Aged for reset or config change: flow aging due to configuration change. 4, Aged for no enough resource: flow aging due to insufficient resources. 5, Aged for no pat of NAT: one-to-one NAT; in this case only the source IP address, the source IP address after translation, and the time fields are available. 6, Active data flow timeout: the lifetime of the flow reached the limit. 7, Data flow deleted: record for the flow when it was deleted. 8, Data flow created: record for the flow when it was created. 254, Other: other reasons. Table 15: Flow logging 3.0 configuration items (Item / Description): Time Date: Displays the time and date when a flow log was generated. Protocol Type: Displays the protocol type of a flow. Flow Information: Displays the flow information. If the protocol type is TCP or UDP, the displayed flow information is source IP address:source port > destination IP addr
197. pply. Type 172.16.0.0 as the destination IP address. Type 255.255.255.0 as the mask. Type 192.168.250.230 as the next hop. Select GigabitEthernet0/1 as the outbound interface. Click Apply. Configure the IKE peer (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 23/39, H3C SecPath Series Firewalls IPsec Configuration Examples): Select VPN > IKE > Peer from the navigation tree and then click Add. Perform the configurations shown in Figure 20. Figure 20: Configure an IKE peer (Peer Name peer (1-15 chars); IKE Negotiation Mode Main / Aggressive; Local ID Type IP Address / Gateway Name; Local IP Address; Remote Gateway IP Address / Hostname; Remote ID (1-32 chars); Pre-Shared Key 123456 (1-128 chars); PKI Domain; Enable DPD; Enable the NAT traversal function. If the local end is the initiator, only one remote IP address can be specified; if the local end is the responder, the remote IP address range must include the local IP address of the initiator. Items marked with an asterisk are required; Apply.) Type peer as the peer name. Select Main as the negotiation mode. Type 192.168.250.230 as the IP address of the remote gateway. Select Pre-Shared Key and type 123456 as the pre-shared key. Click Apply. The default IKE proposal is used. Configure an IPsec proposal named proposal as follows: Select VPN > IPSec > Proposal from the navigatio
198. quare brackets and separated by vertical bars. Many or none can be selected. The argument(s) before the ampersand (&) sign can be entered 1 to n times. A line starting with the # sign is comments. GUI conventions (Convention / Description): Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK. >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols (Convention / Description): Warning: Means reader be extremely careful. Improper operation may cause bodily injury. Caution: Means reader be careful. Improper operation may cause data loss or damage to equipment. Note: Means a complementary description. Related Documentation: In addition to this manual, each SecPath series firewalls documentation set includes the following (Manual / Description): H3C SecPath F1000-E Firewall Installation Manual: Describes the H3C SecPath firewall products F1000-E and F1000-S-EI: overview, software and hardware maintenance, troubleshooting, installation, installation preparations, interface cards and modules. H3C SecPath F5000-A5 Firewall Installation Manual: Describes the H3C firewall F5000-A5: overview, software and hardware maintenance, troubleshooting, installation, installation preparations, interface cards and modules. H3C SecPath Series Security Products User Manual: Describes features, working principles, and R3201 configur
199. r the IPsec proposal. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 13/39, H3C SecPath Series Firewalls IPsec Configuration Examples) Item / Description: Encryption Suite: Select the encryption suite for the proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used. Following are the available encryption suites, of which Tunnel means that a security protocol encapsulates IP packets in tunnel mode: Tunnel-ESP-DES-MD5: Uses the ESP security protocol, the DES encryption algorithm, and the MD5 authentication algorithm. Tunnel-ESP-3DES-MD5: Uses the ESP security protocol, the 3DES encryption algorithm, and the MD5 authentication algorithm. Tunnel-AH-MD5-ESP-DES: Uses the ESP and AH security protocols successively, making ESP use the DES encryption algorithm and perform no authentication, and making AH use the MD5 authentication algorithm. Tunnel-AH-MD5-ESP-3DES: Uses the ESP and AH security protocols successively, making ESP use the 3DES encryption algorithm and perform no authentication, and making AH use the MD5 authentication algorithm. Custom mode: This mode allows you to configure IPsec proposal parameters discretionarily. Figure 8 shows the IPsec proposal configuration in custom mode. Figure 8: IPsec proposal configuration in custom mode (Add IPSec Proposal, Custom mode: Proposal Name (1-15 chars); Encapsulation Mode Tunnel; S
200. ranslated address of the session response is an IP address in the address pool, and the source port is not changed. Type 2.1.1.2 in the IP Address text box and click Search to display the search result as shown in the following figure (Query Item Init Src IP, IP Address 2.1.1.2; columns Init Src IP, Init Dest IP, VPN, Resp Src IP, Resp Dest IP, VPN, Protocol, Status, Session Lifetime; row 2.1.1.2:1043, 172.1.1.2:321, 172.1.1.2:321, 172.1.1.1:1043, TCP, TCP-EST, 3538; Del Selected, Del All). Remarks: Remove the configuration in this example before performing another configuration example. Static NAT. Requirements: Configure a static one-to-one NAT entry that does not translate the source or destination port. When an ACL is specified, the static NAT entry only translates packets permitted by the ACL. Configuration steps: 1. Configure static address translation (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 12/25, H3C SecPath Series Firewalls NAT Configuration Examples): Select Firewall > NAT > Static NAT from the navigation tree, as shown in the following figure (Static Address Mapping: Internal IP Address, Global IP Address, Network Mask, VPN Instance, ACL, Operation, Add; Interface Static Translation: Interface Name, Tracked VRRP Group, Operation, Add). Click Add in the Static Address Mapping field to enter the Add Static Address Mapping page. Type the internal and global IP addresses and c
201. ration process. Configuration on the S9505 switch: Create aggregation group 1 and configure the aggregation group to operate in manual aggregation mode: link-aggregation group 1 mode manual. Assign interfaces GE4/1/1 and GE4/1/2 to aggregation group 1: interface GigabitEthernet4/1/1; port access vlan 10; port link-aggregation group 1; interface GigabitEthernet4/1/2; port access vlan 10; port link-aggregation group 1. Create VLAN-interface 10 and assign IP address 10.1.1.2 to it: interface Vlan-interface10; ip address 10.1.1.2 255.255.255.0. Configure OSPF (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 5/11, H3C SecPath Series Firewalls Link Aggregation Configuration Examples): Configure OSPF as needed. Note: When the firewall is connected with an S7500 or S9500 series switch of the V3 version, use the manual keyword to configure the firewall to operate in static aggregation mode. Configuring Layer 3 Link Aggregation in Dynamic Mode: In dynamic aggregation mode, the peer systems maintain the aggregation state of the member ports automatically, but because the aggregation state of member ports is susceptible to network changes, aggregation is unstable. If you configure the Device (firewall) to operate in dynamic aggregation mode, you must configure the S9505 to operate in dynamic mode too. If the S9505 is of the V5 version, LACP is automatically enabled when you enable dynamic aggregation. If the S9505 is of the V
202. re. Type the address pool index, start IP address, and end IP address, and then click Apply (Add NAT Address Pool: Index 30 (0-255); Start IP Address 172.1.1.20; End IP Address 172.1.1.30; Low priority (used for Dual System Hot Backup only); items marked with an asterisk are required). 2. Configure No-PAT: Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the page as shown in the following figure (Address Pool: Index, Start IP Address, End IP Address, Priority, Operation; Dynamic NAT: Interface, ACL, Address Pool Index, Address Transfer, Tracked VRRP Group, Operation). Click Add in the Dynamic NAT field to enter the Add Dynamic NAT page. Select GigabitEthernet0/1 for Interface, type 2000 for ACL, select No-PAT for Address Transfer, and then click Apply. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 11/25, H3C SecPath Series Firewalls NAT Configuration Examples) (Add Dynamic NAT: Interface GigabitEthernet0/1; ACL 2000 (2000-3999); Address Transfer No-PAT; Address Pool Index 30 (0-255); Enable track to VRRP, VRRP Group (1-255); items marked with an asterisk are required; Cancel.) Access PC 3 in the Trust zone from PC 2 in the DMZ zone and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list to view the result. Verification results: 1. The ping, HTTP, FTP, DNS, and Telnet operations are successful. 2. Check the session list. The destination IP address, the t
203. re 1, GE1/1 is in the Trust zone and GE1/4 is in the Untrust zone. It is required to limit the number of sessions between the Untrust zone and the Trust zone. Figure 1: Network diagram (GE1/1, GE1/4, Device, SmartBits). (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 3/7, H3C SecPath Series Firewalls Connection Limit Configuration Examples) Configuration on the Device. CLI Configuration: Configure interfaces GE1/1 and GE1/4 so that (Interface / Physical / Protocol / IP Address): GigabitEthernet1/1 up up LOZ cB Ue; GigabitEthernet1/4 up up 200.1.1.1. Web Configuration: On the device's web configuration page, select Device Management > Zone from the navigation tree, add interface GE1/1 to the Trust zone, and add GE1/4 to the Untrust zone. The configuration steps are omitted. Configuration Procedures. Note: Limit on connection numbers applies to connections of TCP, UDP, DNS, HTTP, and IP. UDP connection is described in this example. Limiting the Number of UDP Sessions Based on a Network Segment. Requirements: Allow up to 100 sessions sourced from a specified network segment. Configuration steps: 1. Create a connection limit policy and configure a rule for the policy: connection-limit policy 0; limit 1 source ip 192.168.0.0 16 destination ip any protocol udp max-connections 100. 2. Apply the connection limit policy: connection-limit apply policy 0. Verification: Use the SmartBits to send 1000 UDP flows with th
204. ries firewalls, including the SecPath F5000-A5, SecPath F1000-E, and SecPath UTM. Support for link aggregation depends on your firewall model. As shown in Figure 1, an S9505 switch and the Device are connected through two GE links, which are aggregated into one logical link. The S9505 is the downstream switch. GE1/6 and GE1/7 of the Device form aggregation group 1. Layer 2 link aggregation is configured on the S9505 switch. Source IP-based link aggregation load sharing is configured on the Device. OSPF is enabled between the switch and the Device. Configure the following types of link aggregation: Layer 3 link aggregation (dynamic and static); Layer 2 link aggregation (dynamic and static). (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 3/11, H3C SecPath Series Firewalls Link Aggregation Configuration Examples) Figure 1: Network diagram for link aggregation (SmartBits, GE4/1/1, GE4/1/2, GE1/7, S9505, Device). Configuration Considerations: Configure the Device (firewall) by following these general steps: Create aggregation group 1. Assign interfaces GE1/6 and GE1/7 to aggregation group 1. Add the physical and aggregate interfaces to a security zone. Configure OSPF. Currently, you cannot configure link aggregation on the Web configuration interface. To configure link aggregation, you need to use the command line interface (CLI). Software Version Used (Model / Version / Release): SecPath F1000-E, V300R001B01, R3166; V300R001B01, F316
205. roposal Configuration Wizard page. Type proposal as the proposal name and use the default settings for the proposal, as shown in Figure 43. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 36/39, H3C SecPath Series Firewalls IPsec Configuration Examples) Figure 43: Configure an IPsec proposal (Add IPSec Proposal, Custom mode: Proposal Name proposal (1-15 chars); Encapsulation Mode Tunnel; Security Protocol ESP; ESP Authentication Algorithm MD5; ESP Encryption Algorithm DES; items marked with an asterisk are required). Configure an IPsec policy named policy_nat: Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 44. Figure 44: Configure an IPsec policy (Add IPSec Policy: Policy Name policy_nat (1-15 chars); Sequence Number 1 (1-65535); Template; IKE Peer gate; IPSec Proposal; PFS; ACL 3101 (3000-3999); Aggregation; SA Lifetime: Time Based 3600 seconds (180-604800, default 3600), Traffic Based 1843200 Kbytes (2560-4294967295, default 1843200); items marked with an asterisk are required; Apply). Type policy_nat as the policy name. Type 1 as the sequence number. Select gate as the IKE peer. Select proposal for the IPsec policy and click <<. Type 3101 in the ACL text box. Click Apply. Apply IPsec policy policy_nat to interface Dialer 1. (Hangzhou H3C Tec
206. rt access vlan 10; port link-aggregation group 1; interface GigabitEthernet4/1/2; port access vlan 10; port link-aggregation group 1. Create VLAN-interface 10 and assign IP address 10.1.1.2 to it: interface Vlan-interface10; ip address 10.1.1.2 255.255.255.0. Configure OSPF: Configure OSPF as needed. Note: When the firewall is connected with an S7500 or S9500 series switch of the V3 version, use the static keyword to configure the firewall to operate in dynamic aggregation mode. Configuring Layer 2 Link Aggregation in Static Mode: Static aggregation is stable. The aggregation state of the member ports is not affected by their peers, which also means that the member ports cannot change their aggregation state consistently with their peers. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 7/11, H3C SecPath Series Firewalls Link Aggregation Configuration Examples) The administrator must manually maintain link aggregations. Hence, static aggregation is inflexible. Configuration on the Device: Create Layer 2 aggregate interface Bridge-Aggregation 1 and assign it to VLAN 10: interface Bridge-Aggregation1; port access vlan 10. Assign interfaces GE1/6 and GE1/7 to aggregation group 1, which corresponds to Bridge-Aggregation 1: interface GigabitEthernet1/6; port link-mode bridge; port access vlan 10; port link-aggregation group 1; interface GigabitEthernet1/7; port link-mode bridge; port access vlan 10; port link-aggregat
207. s Co., Ltd., www.h3c.com, 10/13, H3C SecPath Series Firewalls ARP Attack Protection Configuration Example. Figure 13: Configure fixed ARP (ARP table: IP Address, MAC Address, VLAN ID, Interface, VPN Instance, Type; dynamic entries for 192.168.251.2, 192.168.251.10, 192.168.251.254, 192.168.1.13, and 192.168.103.181 on GigabitEthernet interfaces; buttons Fix All, Del All Fixed, Del Fixed. Note: Fix All and Del All Fixed will take effect for all dynamic and static ARP entries in the system. You can set up to 1024 sending interfaces. Do not perform other operations during this configuration.) Verification. Verify gratuitous ARP: Capture packets on the internal network 192.168.1.0/24. A gratuitous ARP packet sent from GigabitEthernet 0/0 is captured every two seconds. Figure 14: Capture gratuitous ARP packets (No., Time, Source, Destination, Protocol, Info: frames 1 to 4 at 0, 2.000086, 4.000183, and 6.000281 seconds, from Hangzhou_52:d5:55 to Broadcast, ARP, Who has 192.168.1.1? Gratuitous ARP). Verify automatic ARP scanning: After an automatic ARP scan is complete, all ARP entries of the internal network are displayed in the ARP table. Sel
208. s FEKRR DRVMSG/3/Temp2High: DEV_TYPE=SECP-4TH, PN=2102354314A08B000004; Temperature Point 0.0 Too High Error. 2010-06-08 DEV/4/BOARD_TEMP_NORMAL: DEV_TYPE=SECP-4TH, PN=2102354314A08B000004; Board temperature changes to normal on Chassis 0 Slot 0. NAT Logs (Firewall > Event Auditing > NAT Logs; Help, About, Logout admin): query fields Src IP, Dest IP, Src IP after NAT, Dest IP after NAT, Src Port, Dest Port, Src Port after NAT, Dest Port after NAT, User Name, Start Time 2010-06-08 20:00, End Time 2010-06-08 20:59; Export; Page 1, Page Size 10/50/100/500. NAT Logs List (Src IP:Port, Dest IP:Port, Src IP:Port after NAT, Dest IP:Port after NAT, Session Start Time, Session End Time): two entries to 172.16.16.3:288, translated to 192.168.251.21:1034 (2010-06-08 20:03:43 to 20:04:13) and 192.168.251.21:1035 (2010-06-08 20:04:03 to 20:04:33). Navigation: Snapshot of Events, Recent List, Device Monitoring, Event Overview, Event Details, Event Export Tasks, Inter-Zone Access Logs, Abnormal Traffic Logs, Blacklist Logs, Operation Logs, Other Logs. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 23/24, H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example) References. Protocols and Standards: RFC 3164, The BSD syslog Protocol. Related Documen
209. s Firewalls NAT Configuration Examples. (Address Pool: Index, Start IP Address, End IP Address, Priority, Operation; Dynamic NAT: Interface, ACL, Address Pool Index, Address Transfer, Tracked VRRP Group, Operation; Add.) Click Add in the Address Pool field to enter the Add NAT Address Pool page, as shown in the following figure. Type the address pool index, start IP address, and end IP address, and then click Apply (Add NAT Address Pool: Index 20 (0-255); Start IP Address ITAS; End IP Address 172 414 1410; Low priority (used for Dual System Hot Backup only); items marked with an asterisk are required). 2. Configure NAT PAT: Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the page as shown in the following figure. Click Add in the Dynamic NAT field to enter the Add Dynamic NAT page. Select GigabitEthernet0/1 for Interface, type 2000 for ACL, select PAT for Address Transfer, and then click Apply. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 9/25, H3C SecPath Series Firewalls NAT Configuration Examples) (Add Dynamic NAT: Interface GigabitEthernet0/1; ACL 2000 (2000-3999); Address Transfer PAT; Address Pool Index 20 (0-255); Enable track to VRRP, VRRP Group (1-255); items marked with an asterisk are required; Cancel.)
211. s used in this configuration example for illustration. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 3/11, H3C SecPath Series Firewalls Configuration Maintenance Example) Figure 1: Network diagram for configuration maintenance (PC1 1.1.1.10/24; Device GE0/1 1.1.1.1/24). Note: By default, the management port of the Device is GigabitEthernet 0/0, and the IP address of the port is 192.168.0.1/24. You can assign an IP address that is in the same network segment as GigabitEthernet 0/0 to the network interface card (NIC) of your PC, connect the NIC to port GigabitEthernet 0/0, and then enter http://192.168.0.1 in the address bar of the web browser to log in to the web interface of the Device to perform configurations. Configuration Considerations: Interface GigabitEthernet 0/1 in the internal network is assigned IP address 1.1.1.1/24 and resides in the Trust zone. Software Version Used: SecPath F1000-E: V300R001B01 R3166 series and V800R001B01 F3166 series; SecPath F5000-A5: V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S: V500R001B01 R5116 series. Configuration Procedures. Basic Configuration. Assigning an IP address to an interface: 1. Select Device Management > Interface from the navigation tree (interface list: Name, IP Address, Mask, Security Zone, Status, Operation; Search / Advanced Search; GigabitEthernet
212. s vlan 103; interface GigabitEthernet1/0/16; port link-type trunk; undo port trunk permit vlan 1; port trunk permit vlan 102 to 103. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 20/31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples) Configure the Device: Select Device Management > Interface from the navigation tree. Configure the route mode for GigabitEthernet 0/1. Create subinterface GigabitEthernet 0/1.1 and specify the VID as 102 and the IP address as 192.168.2.1/24. Create subinterface GigabitEthernet 0/1.2 and specify the VID as 103 and the IP address as 192.168.3.1/24. Figure 30: Configure GigabitEthernet 0/1 (Interface Name GigabitEthernet0/1; Interface Status Connected; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode Bridge Mode / Router Mode; IP Config None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address; Mask; Secondary IP Address; Mask; Unnumbered Interface). Figure 31: Create GigabitEthernet 0/1.1 (Interface Creation: Interface Name GigabitEthernet0/1.1 (1-4094); VID 102 (1-4094); MTU (46-1500, default 1500); TCP MSS (128-2048, default 1460); IP Config None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered
213. ship and routing rules of its associated site. A VPN instance takes effect only after you configure a route distinguisher (RD) for it. Before configuring an RD for a VPN instance, you can configure no parameters for the instance other than a description. A VPN instance description is a piece of descriptive information about the VPN instance. You can use it to keep information such as the relationship of the VPN instance with a VPN. Follow these steps to create and configure a VPN instance (To do / Use the command / Remarks): Create a VPN instance and enter VPN instance view: ip vpn-instance vpn-instance-name (Required). Configure an RD for the VPN instance: route-distinguisher route-distinguisher (Required). Configure a description for the VPN instance: description text (Optional). Associating a VPN Instance with an Interface: After creating and configuring a VPN instance, you associate the VPN instance with the connected interface. Follow these steps to associate a VPN instance with an interface (To do / Use the command / Remarks): Enter interface view: interface interface-type interface-number (Required). Associate the current interface with a VPN instance: ip binding vpn-instance vpn-instance-name (No VPN instance is associated with an interface by default). (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 3/11, H3C SecPath Series Firewalls Virtual Firewall Configuration Examples) Note: When configured on an interface, the ip binding vpn-instance command clears the IP address of
214. shot of Events (Blacklist Logs: Source IP; Operate Mode; Reason; Severity Level All; Device Recent List; Start Time 2010-06-08 00:00, End Time 2010-06-08 23:59; Export; 1 to 1 of 1; Page 1; Page Size 10/50/100/500). Blacklist Logs List (Time, Source IP, Operate Mode, Reason, Severity Level, Hold Time (minutes)): 2010-06-08 20:00:53, (source IP garbled), add, Auto insert, Warning, 10. Navigation: Event Overview, Event Details, Event Export Tasks, Inter-Zone Access Logs, Abnormal Traffic Logs, Operation Logs. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 22/24, H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example) Firewall > Event Auditing > Operation Logs (Help, About, Logout admin; Start Time 2010-06-08 00:00, End Time 2010-06-08 23:59; Export; Page 1; Page Size 10/50/100/500). Operation Logs List (Time, Username, User IP, Operation, Severity Level): 2010-06-08 20:03:47, N/A, dis cur, Warning; 2010-06-08 20:03:41, N/A, sy, Warning; 2010-06-08 20:03:41, N/A, dir, Warning; 2010-06-08 20:03:35, N/A, dir, Warning; 2010-06-08 20:03:35, Console, N/A, Console login from con0 (SHELL), Warning. Navigation: Inter-Zone Access Logs, Abnormal Traffic Logs, Blacklist Logs, Other Logs. Help, About, Logout adm
215. sources and a service group resource. Select Resource > Service > Default Service from the navigation tree. The default services include ping and ftp, so you only need to create a service group containing the ping and ftp services. To create a service group, select Resource > Service > Service Group from the navigation tree and click Add. Add a service group named ftp_server and add the ping and ftp services to the group (Service Group list: Name ftp_server; Members ftp, ping; Status Out of Use). Policy configuration: Select Firewall > Security Policy > Interzone Policy from the navigation tree and then click Add. Add an interzone policy with source zone Untrust and destination zone DMZ, and configure the other parameters as follows (Item / Value): Address group: (value garbled) for the source address group and destination address group; Service group: ftp_server; Filter action: permit. Adopt the default settings for the other items and click Apply. (Hangzhou H3C Technologies Co., Ltd., www.h3c.com, 10/16, H3C SecPath Series Firewalls Virtual Device and Security Zone Configuration Examples) (Add Interzone Policy page: Source Zone Untrust; Dest Zone DMZ; Description (1-31 chars); Source IP Address: New IP Address (wildcard must be reserved mask) / Multiple Address; Destination IP Address: New IP Address (wildcard must be reserved mask) / Multiple Address; Service: Eac
216. (table of contents, continued) [title garbled] 4; Configuring Attack Protection 9; Configuring the Static Blacklist Function 9; Configuring the Dynamic Blacklist Function 9; Configuring ICMP Flood Attack Protection 10; Configuring UDP Flood Attack Protection 10; Configuring SYN Flood Attack Protection 11; Configuring Scanning Prevention 11; Configuring Packet Inspection 11; Verification 12; Static Blacklist 12; Dynamic Blacklist 13; ICMP Flood Attack Protection 13; UDP Flood Attack Protection 14; SYN Flood Attack Protection
217. t admin. System Management > Device Management > Device List > Add Device. Add Device form: Host Name/IP 197.168.250.12 (as shown in the source); Device Label FS000 4 (garbled in the source); Time Calibration: Greenwich Mean Time; Select access template / Specify access parameters; Device Access Parameters. Verification: The PC accesses the Internet through the firewall. The firewall generates NAT session logs and inter-zone policy logs. On the web interface of the firewall you can display the logs stored in the log buffer. Alternatively, you can view the corresponding logs on the SecCenter. When the firewall uses the UTC time, the SecCenter uses the GMT time; when the firewall uses the GMT+8 time, the SecCenter uses the local time (GMT+8). Viewing the Logs on the Firewall: Log Report > Report > System Log. System log list (columns Time/Date, Source, Level, Description): Jun 8 20:01:04.456 2010, DEV, Warning, Board temperature is too high on Chassis 0 Slot 0, type is RPU; Jun 8 20:01:01.3139 2010, DRVMSG, Error, (description garbled in the source); Jun 8 20:00:59.656 2010, DEV, Warning, Board temperature changes to normal on Chassis 0 Slot 0, type is RPU; Jun 8 20:00:57.3189 2010, DRVMSG, Error, (description garbled) Recovered from OT; Jun 8 20:00:45.7256 2010, DEV, Warning, Board temperature is too high on Chassis 0 Slot 0, type is RPU. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 21 of 24, H3C] Log Report > Report > Blacklist Log > Search Item: Time/Date
218. t 0/2 to the Untrust zone. (Zone edit form: Zone ID; Zone Name; Preference; Share No; Virtual Device Root; Interface Name search / Advanced Search; Interface list: GigabitEthernet0/2, NULL0, GigabitEthernet...; note: "The VLANs should be separated by [separator] or [separator]. For example: 5 10"; items marked with an asterisk are required; Apply.) [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 26 of 31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples] Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to GigabitEthernet 0/2 and enable Easy IP. ACL 3000 allows packets from 192.168.2.0/24 to pass. Figure 39 Configure dynamic NAT (columns Interface, ACL, Address Pool Index, Address Transfer, Global VPN Instance, Operation; entry: GigabitEthernet0/2, 3000, Easy IP). Figure 40 Configure ACL 3000 (Advanced ACL 3000; columns Rule ID, Operation, Description, Time Range, Operation; rule: permit ip source 192.168.2.0 0.0.0.255). 3 Verification: Configure IP address 192.168.2.10/24 and gateway 192.168.2.1 for PC1, and IP address 192.168.3.11/24 and gateway 192.168.3.1 for PC2. Ping PC2 from PC1. The ping operation succeeds, and the session information displayed on the Device is as follows. Figure 41 Session information (Query Item: Src IP Address, IP Address 192.168.2.10; columns Session Lifetime, Init Src IP, Init Dest IP, VPN, Resp Src IP, Resp Dest IP, VPN, Protocol Shi
219. t configuration maintenance and management on the Web interface. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 1 of 11, H3C SecPath Series Firewalls Configuration Maintenance Example] Table of Contents: Feature Overview 3; Application Scenarios 3; Configuration Guidelines 3; Configuration Maintenance Example 3; Network Requirements 3; Configuration Considerations 4; Software Version Used 4; Configuration Procedures 4; Basic Configuration 4; Configuration Maintenance 6; Verification 10. [page 2 of 11] Feature Overview: The configuration maintenance page has four tabs: Save, Backup, Restore and Initialize. Saving the confi
220. t is subject to change without notice. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 15 of 15, H3C SecPath Series Firewalls NAT Configuration Examples] SecPath Series Firewalls NAT Configuration Examples. Keywords: NAT, PAT, private address, public address, address pool. Abstract: This document describes the characteristics, application scenarios and configuration examples of the network address translation (NAT) features of SecPath series firewalls. Acronyms (Acronym / Full spelling): NAT, Network Address Translation; ALG, Application Level Gateway; ACL, Access Control List; VPN, Virtual Private Network; PAT, Port Address Translation; No-PAT, No Port Address Translation. [page 1 of 25] Table of Contents: Feature Overview 3; Application Scenarios 3; [title garbled] 3; Devices Supporting NAT 3; Software Version Used 3; Configuration Saving 4; Configuration Examples 4; Networking Scenarios 5; Device Basic Configuration 5; Configuring Interfaces 5
221. tation Log Management in the Web configuration documentation set. Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 24 of 24, H3C SecPath Series Firewalls Virtual Firewall Configuration Examples] SecPath Series Firewalls Virtual Firewall Configuration Examples. Keywords: VPN instance, VRF, private address, public address, address pool. Abstract: This document describes the virtual firewall implementation on a virtual device and/or multiple VPN instances. This document also presents the configuration and verification methods in detail through examples. Acronyms (Acronym / Full spelling): VPN, Virtual Private Network; VRF, VPN routing and forwarding. [page 1 of 11] Table of Contents: Feature Overview 3; Creating a VPN Instance 9; Associating a VPN Instance with an Interface 3; Configuring Route Exchange
222. tatistics from the navigation tree and then select zone Trust. You can view the number of ICMP flood attacks and the number of dropped ICMP flood attack packets. (Attack statistics for zone Trust; columns Attack Type, Attack Count, Dropped Packet Count; rows: ICMP Redirect, ICMP Unreachable, Land, Large ICMP, Route Record, Scan, Source Route, Smurf, TCP Flag, Tracert, WinNuke, SYN Flood, ICMP Flood, UDP Flood, Number of connections per source IP exceeds the threshold, Number of connections per dest IP exceeds the threshold; the attack counts are 0 for all rows except 57016 for ICMP Flood; the dropped-packet column is garbled in the source.) Use SmartBits to send UDP packets from zone Untrust to 2.0.0.2 in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently. Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of UDP flood attacks and the number of dropped UDP flood attack packets. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 14 of 18, H3C SecPath Series Firewalls Attack Protection Configuration Example] (Attack statistics for zone Trust; columns Attack Type, Attack Count, Dropped Packet Count; rows: Fraggle, ICMP Redirect, ICMP Unreachable, Land, Large ICMP, Route Record, Scan, Source Route, Smurf, TCP Flag, Tracert, WinNuke, SYN Flood, ICMP Flood, UDP Flood; the visible non-zero counts are 43392 and 157016, the remaining cells being garbled in the source.) Number of connections per source IP exc
223. te fs Operation VLAN VLAN INLINE INLINE. Configuring Layer 2 and Layer 3 hybrid forwarding. 1 Configuration description: Configure Layer 2 and Layer 3 hybrid forwarding on the Device. 2 Configuration procedure (see Figure 2): Configure devices through CLI. On the switch:
    interface GigabitEthernet1/0/1
     port access vlan 102
    #
    interface GigabitEthernet1/0/10
     port access vlan 103
    #
    interface GigabitEthernet1/0/16
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 102 to 103
    #
    On the Device:
    #
    vlan 100 to 103
    #
    interface GigabitEthernet0/1
     port link-mode bridge
     port link-type trunk
     port trunk permit vlan 1 102 to 103
    [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 27 of 31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples]
    Configure the Device through the web interface: Select Device Management > Interface from the navigation tree. Create Layer 2 subinterface GigabitEthernet 0/1.102 and add it to VLAN 100. Create VLAN interface 100 and specify the IP address as 192.168.2.1/24. Create VLAN interface 103 and specify the IP address as 192.168.3.1/24. Figure 42 Create GigabitEthernet 0/1.102 (Interface Creation form: Interface Name GigabitEthernet 0/1 .102 (1-4094); VID 100 (1-4094); MTU; TCP MSS; IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address; Mask; Secondary IP Address; Mask
224. tem [title garbled] 3; Configuration [title garbled] 3; Network Requirements 3; Configuration Considerations 4; Software Version Used 4; Configuring Layer 3 Link Aggregation in Static Mode 4; Configuration on the Device 4; Configuration on the S9505 switch 5; Configuring Layer 3 Link Aggregation in Dynamic Mode 6; Configuration on the Device 6; Configuration on the S9505 switch 7; Configuring Layer 2 Link Aggregation in Static Mode 7; Configuration on the Device 8; Co
225. the destination address and port of the request to the private address of the internal server and a specified destination port. Configuration steps: 1 Configure an internal server. Select Firewall > NAT > Internal Server from the navigation tree to enter the page as shown below (Internal Server list; columns Interface, VPN Instance, Global IP, Range of Global Port, Range of Internal IP, Internal Port, Protocol Type, ACL, Tracked VRRP Group, Operation; Add). Click Add to enter the Add Internal Server page, perform the configuration as shown in the page below, and click Apply. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 17 of 25, H3C SecPath Series Firewalls NAT Configuration Examples] (Add Internal Server form: Interface GigabitEthernet0/1; VPN Instance; Protocol Type ICMP; External IP Address: Assign IP Address 172.1.1.60 / Use IP Address of Interface; Global Port 0-65535 (0 represents any); Internal IP; Internal Port 1-65535; ACL; Enable track to VRRP; items marked with an asterisk are required.) 2 Create an ACL that permits access from the Untrust zone to the DMZ zone. In the same way, create an ACL to permit access from the Untrust zone to the Trust zone. Access PC 2 from PC 3 (ping public address 172.1.1.60). Verification result 1 is expected. 3 Create ACL 2000 that denies all packets. 4 Apply ACL 2000 to the internal server as shown below. Hangzhou H3C Technologies Co., Ltd.
226. the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority. Required: Configure an IPsec policy by specifying the parameters directly or by referencing a created IPsec policy template. The Web interface supports only IKE-dependent IPsec policies. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. Highlight: An IKE-dependent IPsec policy created by referencing a template cannot be used to initiate SA negotiation, but it can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end, while the parameters not defined in the template are determined by the initiator. Required: Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows. [www.h3c.com, page 6 of 39, H3C SecPath Series Firewalls IPsec Configuration Examples] Task / Remarks: Viewing IPsec SAs: Optional. View brief information about established IPsec SAs to verify your configuration. Viewing Packet Statistics: Optional. View packet statistics to verify your configuration. Configuring ACLs: IPsec uses ACLs to identify data flows. Each ACL rule contains a deny or permit keyword and is regarded as a deny or permit statem
227. tion page (blacklist log list; columns Time/Date, Source IP, Reason, Hold Time (minutes); entry: Jun (day garbled in the source) 17:16:43.994 2010, 1.1.1.1, Manual insert, Permanence). Table 12 describes the blacklist log configuration items. Table 12 Blacklist log configuration items (Item / Description): Time/Date: Displays the time when the blacklist members are generated. Mode: Displays whether the blacklist members are newly added or removed. Source IP: Displays the source IP addresses of the blacklist members. Reason: Displays the reasons why the addresses are added to the blacklist, including manual add and automatic add. Automatic add means that the system automatically adds the source IP address to the blacklist; manual add means that the blacklist entry is manually added through the Web interface. Hold Time: Displays the hold time of the blacklist members. Displaying Inter-Zone Policy Logs: Inter-zone logs are logs of the flows matching an inter-zone policy. To record inter-zone policy logs, you need to enable the Syslog function when configuring an inter-zone policy. For more information, see Inter-Zone Policy Configuration. Select Log Report > Report > InterZone Policy Log from the navigation tree to enter the page as shown in Figure 11. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 13 of 24, H3C SecPath Series Firewalls Log Management and SecCenter Configuration Example] Figure 11 Inter-zone policy log configuration page (Start Time, End Time, Source Zone, Destination Zone, Policy ID, Action
228. tton and click Add to enter the page shown below. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 7 of 15, H3C SecPath Series Firewalls DHCP Configuration Examples] (Form fields: IP Pool Name (1-35 chars); IP Address; Client MAC Address; Client ID; Client Domain Name (1-50 chars); Gateway Address (up to 8 addresses, separated by comma); DNS Server Address (up to 8 addresses, separated by comma); WINS Server Address (up to 8 addresses, separated by comma); NetBIOS Node Type; items marked with an asterisk are required.) Configuration on DHCP Clients: 1 Configure GigabitEthernet 0/1 of client 2 to obtain an IP address through DHCP. (Interface form: Interface Name GigabitEthernet0/1; Interface Type; VID; MTU 1500 (46-1500, default 1500); TCP MSS 1460 (128-2048, default 1460); Working Mode: Bridge Mode / Router Mode; IP Configuration: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered; IP Address; Mask; Unnumbered Interface.) 2 Configure client 1 (running Windows XP in the example) as a DHCP client. Right-click Network Neighborhood on the desktop and select Properties from the shortcut menu to enter the Network Connections window. Right-click Local Area Connection and select Properties from the shortcut menu to enter the Local Area Connection Properties window. Select a proper network interface card for Connect using, and select Internet Protocol (TCP/IP). Click Internet Protocol (TCP/IP) and then click Properties to enter the
229. uccessfully display the session table. You can see an FTP session from 3.1.1.2 to 2.1.1.2 in virtual device root. (The session table entry shows a TCP session from 3.1.1.2:1028 to 2.1.1.2:21 in state EST; the remaining fields are garbled in the source.) 3 The verification concludes: The server and Host C cannot ping each other, which means that the policy is effective. Host C cannot log into the server through FTP, which means the interzone policy deny is effective. Display the session table: there is no session from 3.1.1.2 to 2.1.1.2. Remarks: After finishing this example, remove the configuration made in this example. ASPF Filtering for ICMP Packets and Non-SYN TCP Initial Packets. Requirements: Configure filtering for ICMP error packets and non-SYN TCP packets with ASPF, that is, use ASPF to allow or deny ICMP error packets and non-SYN TCP initial packets. Configuration procedures: 1 Enter http://155.1.1.1 in the address bar on Host B to enter the login page. Type username admin and password admin and click Login to log in to the web interface. The current virtual device is root. Connect GE 0/2 and GE 0/3 of the device to port A and port B of the SMB respectively. Set the IP address of port A to 2.1.1.2/24 and that of port B to 3.1.1.2/24. Configure packet filtering among different security zones: add GE 0/2 to zone Untrust and GE 0/3 to zone Trust. Do not configure ASPF between zones Trust and Untrust. By default, the system allows ICMP error packets and non-SYN TCP
230. uired. Configuring Device B: Assign IP addresses to the interfaces and add the interfaces to their target zones (omitted). Configure ACL 3101 to permit packets from subnet 192.168.1.0/24 to subnet 172.16.0.0/24. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 34 of 39, H3C SecPath Series Firewalls IPsec Configuration Examples] Figure 39 Configure a rule for ACL 3101 (Advanced ACL 3101; columns Rule ID, Operation, Description; rule: permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255). Note: NAT applied to physical interfaces processes packets before IPsec. You must exclude the target traffic of IPsec from the NAT mappings so that NAT does not translate the source address of that traffic. For example, NAT on port GE 0/0 uses ACL 3901 to identify traffic. In this ACL you must add a rule (rule 1) to deny traffic from 192.168.1.0/24 to 172.16.0.0/24. This rule must have a higher priority than the permit rule that identifies all traffic sourced from 192.168.1.0/24, as shown in Figure 40. Figure 40 Add a rule in the ACL for NAT to deny IPsec-protected traffic (Advanced ACL 3901; columns Rule ID, Operation, Description; rules: deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255; permit ip source 192.168.1.0 0.0.0.255; Add). Configure the IKE local name named branch. Figure 41 Configure the IKE local name (IKE Global Configuration: NAT Keepalive Interval (value garbled in the source) seconds (up to 300, default 20); items marked with an asterisk
231. ult (1-4094) to 2, as shown in the figure below. Modify the VLAN for GigabitEthernet 0/2 to 2 and add the interface to the Untrust zone. Ping PC2 from PC1. Result B is obtained. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 6 of 31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples] Figure 6 Modify the Trust zone (1) (Zone Name (garbled in the source); Preference 86 (1-100); Share No; Virtual Device Root; Interface Search / Advanced Search; Interface / VLAN list: NULL0, GigabitEthernet0/1). Edit the Trust zone again. Set the VLAN ID for GigabitEthernet 0/1 to a value different from the PVID 2; in this example the VLAN ID is set to 1, as shown in the figure below. Ping PC2 from PC1. Result C is obtained. Figure 7 Modify the Trust zone (2) (Preference; Share No; Virtual Device Root; Interface Name search / Advanced Search; Interface list: NULL0, GigabitEthernet0/1). 3 Verification: Result A: The ping operation succeeds. Result B: The ping operation succeeds. Result C: The ping operation fails. Layer 2 packets are forwarded between security zones according to the zones where the interfaces' VLANs reside. In this example, GigabitEthernet 0/1 rejects VLAN 2 packets because VLAN 2, to which GigabitEthernet 0/1 belongs, is not added to the Trust zone, even though GigabitEthernet 0/1 itself is added to the Trust zone. 4 Configuration guidelines. Hangzhou H3C Technologies Co., Ltd., www.h3c
232. uration Example 17; Network Requirements 17; Configuration Considerations 18; Software Version Used 18; Configuration Procedures 18; Configuring the Firewall to Send the Syslogs to the SecCenter 18; Configuring the Firewall to Send the Session Logs to the SecCenter 18; Enabling SNMP Agent on the Firewall to Connect to the SecCenter for Management 20; Adding a device to the SecCenter 20; Verification 21; Viewing the Logs on the Firewall 21; Viewing the Logs on the SecCenter 22; References 24; Protocols and Standards
233. v (1-4094); IP Config: None / Static Address / DHCP / BOOTP / PPP Negotiate / Unnumbered. Select Network > VLAN > VLAN from the navigation tree and add GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103 to VLAN 1000. Figure 10 Add subinterfaces to VLAN 1000 (ID; Description VLAN 1000 (1-32 chars); Untagged Member / Tagged Member / Not a Member: GigabitEthernet0/1, GigabitEthernet0/1.102, GigabitEthernet0/1.103). Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 and GigabitEthernet 0/1.102 to the Trust zone and make sure that VLAN 1000 is permitted on the interfaces. Add GigabitEthernet 0/1.103 to the Untrust zone and make sure that VLAN 1000 is permitted on the interface. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 10 of 31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples] Figure 11 Edit the Trust zone (Zone ID; Zone Name; Preference; Share; Virtual Device; Interface Name search / Advanced Search; Interface / VLAN: NULL0; GigabitEthernet0/1, 1-4094; GigabitEthernet0/1.102, 1-4094). Assign IP addresses for the PCs: 192.168.2.10/24 for PC1 and 192.168.2.11/24 for PC2. Ping PC2 from PC1: Result A is obtained. Ping PC1 from PC2: Result B is obtained. Add GigabitEthernet 0/1 to the Untrust zone and then ping PC2 from PC1: Result C is obtained. Delete VLAN 1000 and
234. vice GigabitEthernet0/3 (the view column of the command table, listing Device, Device-GigabitEthernet0/3, Device-GigabitEthernet0/1 and Device-acl-basic-2000 views, is garbled in the source). [H3C SecPath Series Firewalls NAT Configuration Examples] Command table (Command / Description):
    ip vpn-instance vpn1                                   Configures a VPN instance
     route-distinguisher 111:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
     quit
    interface GigabitEthernet0/3
     ip binding vpn-instance vpn1                          Binds the interface to the VPN instance
     ip address 2.1.1.1 24                                 Specifies an IP address for the interface
     quit
    interface GigabitEthernet0/1
     ip binding vpn-instance vpn1                          Binds the interface to the VPN instance
     ip address 172.1.1.1 24                               Specifies an IP address for the interface
     quit
    acl number 2000
     rule permit                                           Adds an ACL rule
     rule permit vpn-instance vpn1                         Adds a VPN ACL rule
    ip route-static vpn-instance vpn1 0.0.0.0 0 172.1.1.2 public   Configures a VPN route to the public network
    2 Select Firewall > NAT > Dynamic NAT from the navigation tree and click Add in the Dynamic NAT field to enter the Add Dynamic NAT page, as shown in the following figure. Select GigabitEthernet0/1 for Interface, type 2000 for ACL, select Easy IP for Address Transfer, and then click Apply. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 22 of 25, H3C SecPath Series Firewalls NAT Configuration Examples] Add Dyn
235. vice is separated from each other and cannot communicate with each other generally. A virtual device is a so-called virtual firewall and also constitutes a virtual firewall instance (VFI). A security zone is a logical concept. It can contain Layer 3 interfaces, Layer 2 VLAN sub-interfaces, and Layer 2 physical trunk interfaces bound with VLANs. A security zone helps the network administrator categorize the interfaces with the same security requirements into one zone, so that hierarchical policy management can be implemented. Session management simplifies the design of function modules such as Network Address Translation (NAT), application specific packet filter (ASPF), Application Level Gateway (ALG), attack defense and connection number limit. It is responsible for processing all kinds of session information and for aging sessions based on session states. It can work with multiple firewall features such as NAT, ASPF, attack defense and connection number limitation, providing unified resource management and improving firewall performance. ASPF provides session status detection between zones based on the session management feature. It checks protocol-related information in packets and monitors connection-based protocol status. ASPF is a session-context-based dynamic firewall because it dynamically determines where packets are allowed to pass on all connections. Application Scenarios: Virtual device application is applied to divide a physical
236. with an asterisk are required. Configuring a Time Range Resource: Configure a time range from 8:00 to 18:00 on working days (Monday through Friday). Select Resource > Time Range from the navigation tree and click Add. Perform the configurations shown in Figure 10. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 8 of 13, H3C SecPath Series Firewalls Interzone Policy Configuration Example] Figure 10 Configure a time range resource (Name worktime (1-32 chars); Periodic Time Range: Start Time 8:00, End Time 18:00; Sun, Mon, Tues, Wed, Thurs, Fri, Sat check boxes; Absolute Time Range: From / To; Apply, Cancel; items marked with an asterisk are required). Type worktime in the Name text box. Select the Periodic Time Range check box. Set the start time to 8:00. Set the end time to 18:00. Select the Mon, Tues, Wed, Thurs and Fri check boxes. Click Apply. Configuring an Address Resource. Configuring an IP address resource: Select Resource > Address > IP Address from the navigation tree and then click Add. Perform the configurations shown in Figure 11. [page 9 of 13] Figure 11 Create an IP address resource (tabs: Range, Subnet, IP Address, Domain Name; Name public (1-31 chars); Description (1-31 chars); IP List
237. y means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 39 of 39, H3C SecPath Series Firewalls DHCP Configuration Examples] SecPath Series Firewalls DHCP Configuration Examples. Keywords: DHCP. Abstract: This document describes DHCP configuration methods and configuration examples. Acronyms (Acronym / Full spelling): DHCP, Dynamic Host Configuration Protocol. [page 1 of 15] Table of Contents: Feature Overview 3; DHCP Overview 3; Address Allocation Mechanisms 3; IP Address Allocation Sequence 9; Application Scenarios 3; DHCP Configuration Example I 3; Network Requirements 9; Configuration Considerations 4; Software Version Used 4; Configuration Procedures 4; Basic Configuration 4; Configuration on the DHCP Server
238. yer 2 and Layer 3 hybrid forwarding on a non-default virtual device. Create a virtual device named Device and configure VLAN 100 and VLAN 103 as the device members of the virtual device. Type 100 in the VLAN text box next to GigabitEthernet 0/1.102 and add VLAN interface 100 to the Device_Trust zone. Type 103 in the VLAN text box next to GigabitEthernet 0/1 and add VLAN interface 103 to the Device_Untrust zone. Ping PC2 from PC1. Result C is obtained. 3 Verification: Result A: The ping operation succeeds. Result B: The ping operation succeeds. Result C: The ping operation succeeds. 4 Configuration guidelines: The PVID of a Layer 2 subinterface cannot be the same as the subinterface ID or the ID of the VLAN to which a Layer 3 VLAN interface belongs. In this example, the ID of the Layer 2 subinterface is 102, the PVID is 100, and the VLAN ID of the Layer 3 virtual interface is 103. Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. [Hangzhou H3C Technologies Co., Ltd., www.h3c.com, page 31 of 31, H3C SecPath Series Firewalls Layer 2 and Layer 3 Forwarding Configuration Examples] SecPath Series Firewalls Attack Protection Configuration Example. Keywords: Attack protection, scanning, blacklist. Abstract: This document d
239. your configuration in time. To do so, select Device Management > Maintenance > Save from the navigation tree and click Apply, as shown in the following figure: the Save page (next to the Backup, Restore and Initialize tabs) asks "This operation will save your configuration to device. Are you sure to save the current configuration?" and offers an "Encrypt the configuration file" check box. Configuration Examples. Note: the SecPath F1000E is used in the configuration examples. H3C SecPath Series Firewalls, NAT Configuration Examples. Networking Scenarios. Figure 1, network diagram for NAT operation: the device connects PC1 (1.1.1.2/24) in the Trust zone through GE0/2 (1.1.1.1/24), PC2 on 2.1.1.0/24 in the DMZ through GE0/3 (2.1.1.1/24), and PC3 (172.1.1.2/24) through GE0/1 (172.1.1.1/24). Basic Configuration. Configuring Interfaces: select Device Management > Interface from the navigation tree and perform interface configuration; GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2 and GigabitEthernet 0/3 are Layer 3 interfaces and their IP addresses are shown in Figure 2. Adding the Interfaces to Zones: select Device Management > Zone from the navigation tree and add the interfaces to the corresponding zones: add GigabitEthernet 0/0 to the Management zone (the default), add GigabitEthernet 0/1 to the Untrust zone, add GigabitEthernet 0/2 to the Trust zone, and add GigabitEthernet
240. zhou H3C Technologies Co., Ltd. H3C SecPath Series Firewalls, IPsec Configuration Examples. Note: this configuration example is applicable to SecPath F5000-A5, SecPath F1000E and SecPath UTM 200-A/200-M/200-S firewalls; a UTM device is used in this example for illustration. As shown in Figure 15, an IPsec tunnel is established between Device A and Device B to protect traffic between subnet 192.168.1.0/24, where Host A resides, and subnet 172.16.0.0/24, where Host B resides. The security protocol is ESP, the encryption algorithm is DES and the authentication algorithm is MD5. (These are the algorithms the example selects; both are obsolete, 56-bit DES being brute-forceable and HMAC-MD5 deprecated, so prefer AES with a SHA-based HMAC wherever the software offers them.) Figure 15, network diagram for IPsec configuration: Host A (192.168.1.2) connects to Device A GE0/3 (192.168.1.1); Device A GE0/0 (192.168.250.12) reaches Device B GE0/0 (192.168.250.230) across the network; Device B GE0/3 (172.16.0.1) connects to Host B (172.16.0.2). Software version used: SecPath F1000E V300R001B01 R3166 series and V300R001B01 F3166 series; SecPath F5000-A5 V300R002B01 R3206 series; SecPath UTM 200-A/200-M/200-S V500R001B01 R5116 series. Configuration Procedures. Configuring Device A: assign IP addresses to the interfaces and add them to their target zones (omitted). Define ACL 3101 to identify packets from subnet 192.168.1.0/24 to subnet 172.16.0.0/24: select Firewall > ACL from the navigation tree, click Add, and configure the ACL as shown in Figure 16. Figure 16, create ACL 3101 (2000-2999 are basic ACLs). ACL Number
241. zone mytrust in virtual device VD1 and configure zone mytrust as the shared zone. Add GE0/3 to zone Untrust in virtual device root; zone Untrust is a private security zone. The server and Host C ping each other; Result 2 is expected. Configure a shared zone among different virtual devices and configure packet filtering based on an interzone policy: add GE0/2 to virtual device VD1 and zone mytrust and configure zone mytrust as the shared zone; add GE0/3 to zone Untrust in virtual device root; configure an interzone policy between zones Untrust and mytrust so that Host C cannot access the server. The following detailed configurations cover resource configuration and policy configuration. Resource configuration: to configure an address resource, select Resource > Address > IP Address from the navigation tree and click Add. Add the following two address resources (name, IP address, wildcard): add_q02, 2.1.1.0, 0.0.0.255; add_q03, 3.1.1.0, 0.0.0.255. The IP Address list (columns Name, Subnet, Exclude IP Address, Description, Status, Operation) then shows add_q02 with subnet 2.1.1.0 0.0.0.255 and add_q03 with subnet 3.1.1.0 0.0.0.255, both with status Out of Use. To configure an address group resource, select Resource > Address > Address Group from the navigation tree and click Add. On the IP Address Group tab (next to MAC Address Group), add an address group named addz_q and add address resources add_q02 and add_q03 to the group. addz
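The ACL 3101 traffic selector in the IPsec example and the wildcard-mask address resources add_q02, add_q03 and group addz_q in the virtual-device example both depend on the same wildcard-mask matching rule, which the web pages above show only as filled-in forms. The following Python is an added illustration written for this page, not H3C firmware code or anything from the manual: it models the matching rule (a 0 bit in the wildcard must match the base address, a 1 bit is ignored), top-down first-match evaluation of an advanced ACL, and the two checks that catch the usual mistakes, typing a subnet mask into the wildcard field and assuming every wildcard corresponds to a CIDR prefix. The 3000-3999 number range for advanced ACLs, and the rule that a packet matching no rule or a deny rule is forwarded outside the tunnel, are stated in the code as assumptions about how the firewall consumes the ACL; the sample addresses are the ones on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class WildcardEntry:
    """An address/wildcard pair such as 192.168.1.0 0.0.0.255.

    A wildcard is the inverse of a subnet mask: a 0 bit in the wildcard must
    match the base address, a 1 bit is "don't care".  Typing a subnet mask
    (255.255.255.0) into the wildcard field therefore matches the wrong hosts.
    """
    base: str
    wildcard: str

    def _care_bits(self) -> int:
        return 0xFFFFFFFF ^ ip_to_int(self.wildcard)

    def matches(self, addr: str) -> bool:
        care = self._care_bits()
        return (ip_to_int(addr) & care) == (ip_to_int(self.base) & care)

    def to_cidr(self) -> str:
        """Equivalent CIDR prefix.  Raises ValueError for a non-contiguous
        wildcard (e.g. 0.0.255.0), which matches a set no prefix can describe."""
        care = self._care_bits()
        prefix_len = bin(care).count("1")
        if care != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
            raise ValueError(f"wildcard {self.wildcard} is not contiguous")
        return str(ipaddress.IPv4Network((ip_to_int(self.base) & care, prefix_len)))


@dataclass(frozen=True)
class AddressGroup:
    """Address group resource: an address matches if any member matches."""
    name: str
    members: Tuple[WildcardEntry, ...]

    def matches(self, addr: str) -> bool:
        return any(m.matches(addr) for m in self.members)


@dataclass(frozen=True)
class AclRule:
    action: str          # "permit" or "deny"
    src: WildcardEntry
    dst: WildcardEntry


class AdvancedAcl:
    """Advanced IPv4 ACL evaluated top-down, first match wins.

    Assumption for this example: when the ACL selects IPsec traffic, only a
    "permit" match is protected; a "deny" match or no match at all leaves the
    packet to be forwarded outside the tunnel, in the clear.
    """

    def __init__(self, number: int, rules: Iterable[AclRule]):
        if not 3000 <= number <= 3999:   # assumed advanced-ACL number range
            raise ValueError("advanced ACLs are numbered 3000-3999")
        self.number = number
        self.rules: List[AclRule] = list(rules)

    def evaluate(self, src: str, dst: str) -> str:
        for rule in self.rules:
            if rule.src.matches(src) and rule.dst.matches(dst):
                return rule.action
        return "no-match"


def ipsec_protects(acl: AdvancedAcl, src: str, dst: str) -> bool:
    """True only for traffic the ACL explicitly permits."""
    return acl.evaluate(src, dst) == "permit"


# Constructed from the values on this page.
ACL_3101 = AdvancedAcl(3101, [
    AclRule("permit",
            WildcardEntry("192.168.1.0", "0.0.0.255"),   # Host A's subnet
            WildcardEntry("172.16.0.0", "0.0.0.255")),   # Host B's subnet
])
ADD_Q02 = WildcardEntry("2.1.1.0", "0.0.0.255")
ADD_Q03 = WildcardEntry("3.1.1.0", "0.0.0.255")
ADDZ_Q = AddressGroup("addz_q", (ADD_Q02, ADD_Q03))


if __name__ == "__main__":
    # Host A -> Host B is protected; the reverse direction is selected by the
    # mirror ACL on Device B, and a host on another subnet is not covered at all.
    for src, dst in [("192.168.1.2", "172.16.0.2"),
                     ("172.16.0.2", "192.168.1.2"),
                     ("192.168.1.2", "172.16.1.2")]:
        state = "protected" if ipsec_protects(ACL_3101, src, dst) else "cleartext"
        print(f"{src} -> {dst}: {state}")
    print("ACL 3101 source selector:", ACL_3101.rules[0].src.to_cidr())
    print("addz_q covers 3.1.1.5:", ADDZ_Q.matches("3.1.1.5"))
```

The check worth keeping from this is the last one in WildcardEntry: a wildcard such as 0.0.255.0 is legal in the form and silently matches every third octet, so converting each selector to a prefix (or refusing when that is impossible) before committing the configuration catches typos that the web UI accepts.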