
HP Firewall Series User's Manual


Contents

1. Inter zone access log auditing; Abnormal traffic log auditing; Blacklist log auditing; Operation log auditing; Other log auditing; NAT log auditing; MPLS log auditing; Security policy management; Security zones; Time ranges; Interzone policies; Interzone policy applications; Firew
2. Figure 13 Compare two configuration files. CAUTION: The label Currently indicates the configuration file is currently used by the device, and the label Baseline indicates the baseline version. Configuration files with any of these labels cannot be deleted. Return to Tabs on the device configuration information management page and functions provided. 6. Running Config: On the device configuration management list, you can click the icon in the Management column of a device to bring up the configuration information management interface of the device, as shown in Figure 12. Then click the Running Config tab to enter the running configuration file management page, as shown in Figure 14. The Running Config tab allows you to: View, back up, restore, and delete a running
3. Table 82 Interzone rule management functions (Function: Description). Interzone rule list: Allows you to view all interzone rules in the system. Adding an interzone rule: Allows you to add an interzone rule. Deleting interzone rules: Allows you to delete interzone rules. Follow these steps: 3. Select the check boxes before the interzone rules to be deleted. 4. Click Delete. IMPORTANT: Interzone rules that are referenced cannot be deleted. Interzone rule list: From the navigation tree of the firewall management component, select Interzone Rules under Security Policy Management. The interzone rule list is at the lower part. See Figure 76. This list includes all interzone rules in the system. Table 83 describes the interzone rule query options, and Table 84 describes the fields of the interzone rule list. Table 83 Interzone rule query options (Option: Description). Src Zone: Query interzone rules by source zone. Dest Zone: Query interzone rules by destination zone. Action: Query interzone rules by filtering action. Src IP: Query interzone rules by source IP. Dest IP: Query interzone rules by destination IP. Time Range: Query interzone rules by time range. Policy
4. MPLS log auditing. Configuration guide: From the navigation tree of the firewall management component, select MPLS Logs under Event Auditing to enter the MPLS log auditing page, as shown in Figure 57. This page lists MPLS logs in detail. Each log records such information as source IP address and source port, destination IP address and port, VPN ID, time, and byte count. MPLS log auditing allows you to query MPLS logs by source IP, destination IP, source port, destination port, VPN ID, labels, start time, and end time, helping you know the information of MPLS logs. Figure 57 MPLS log auditing
5. Table 39 Mail server configuration items (Item: Description). SMTP Mail Server IP: Required. Type the IP or domain name of the mail server. The domain name can comprise up to 100 characters. Require authentication: Optional. Specify whether the mail server authenticates the identities of users trying to access. Username: Optional. Type the username for identity authentication on the mail server. The password can comprise up to 80 characters. Password: Optional. Type the password for identity authentication on the mail server. Sender's Mail Address: Required. Type the mail address of the sender. Managing filters: A filter is used to filter the information of IPS devices to present only information that you are interested in through reports. By configuring filters, you can specify filtering conditions flexibly. Configuration guide: From the navigation tree of the system management component, select Filter Management under System Config. The filter management page appears, as shown in Figure 33. Table 40 describes the filter management functions. Figure 33 Filter management page. Table 40 Filter management functions (Function: Description). Filter list: Allows you to view details about filters and modify filter settings. Adding a filter: Allows you to add a filter. Allows you to d
6. Item: Description. Name: Required. Type a name for the user-defined service. Valid characters for the name: letters, digits, underscores, periods, slashes, and hyphens, where underscores can't appear at the beginning or end of the name. Description: Optional. Type some descriptive information for the user-defined service. Valid characters for the description: letters, digits, blank spaces, colons, underscores (_), commas, periods, exclamatory marks, and hyphens, where underscores can't appear at the beginning or end of the name. Protocol: Required. Configure the protocol information for the user-defined service. Select TCP, UDP, ICMP, or Others. If you select TCP, specify the source port and the destination port in the range 0 to 65535. If you select UDP, specify the source port and the destination port in the range 0 to 65535. If you select ICMP, specify the protocol type and the code in the range 0 to 295. If you select Others, type the protocol number in the range 0 to 255, except 1, 6, and 17. To delete user-defined services, select them and click Delete on the user-defined service management page. Return to Service management functions. Service groups: From the navigation tree of the firewall management component, select Services under Security Policy Management. Click the Service Groups tab to enter the service group management page, as shown in Figure 66. Table 71 describe
7. as shown in Figure 37. Set the number of days that the system keeps the firewall logs and SSL VPN logs, and then click Apply. Figure 37 Log retention time configuration page. Monitoring the disk space: This function provides the usage statistics of the disk space under the system installation directory. It allows you to set the minimum free disk space so that an alarm is generated whenever the free disk space is less than the threshold. You can also specify an email address so that the system sends generated alarms to the mail box. This function helps reduce data loss due to lack of disk space. Configuration guide: From the navigation tree of the system management component, select Disk Monitoring under System Config. The disk space alarm configuration page appears, as shown in Figure 38. On the page, you can set the disk space alarm threshold so that the system issues an alarm whenever the free disk space is less than the threshold. Figure 38 Disk space alarm configuration page. Table 46 Alarm configuration items of the disk space for logs (Item: Description). Warning Disk Space: Required. Set the minimum free disk space required. An alarm is
8. backed up. Last Operate Time: Time of the last configuration file operation. 2. Backing up configuration files: From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then select the Device Config Management tab to enter the device configuration management page. Select a device by selecting the check box and click Backup to bring up the backup configuration page, as shown in Figure 10. A backup file is uniquely identified by a version number that is assigned by the system. After a file is backed up, click the icon in the Management column of a device to view the detailed information of the backup configuration files. Figure 10 Backup configuration files. Return to Device configuration management functions. 3. Restoring a configuration file: From the navigation tree of the system management component, selec
9. exclamatory marks, and hyphens, where underscores can't appear at the beginning or end of the name. Items: Src IP, Dest IP, Service, Policy, Action, Time Range, Enable logging. Required. Add source IP addresses for the interzone rule. Available IP addresses are listed in the left box. The right box lists the source IP addresses to be added to the interzone rule. You can select one or more items in the left box and then click Add >> to add them to the right box. You can also select one or more items in the right box and click Remove to remove them from the right box to the left box. If you do not add any IP address to the right box, the interzone applies to any source IP address. Required. Add destination IP addresses for the interzone rule. Available IP addresses are listed in the left box. The right box lists the destination IP addresses to be added to the interzone rule. You can select one or more items in the left box and then click Add >> to add them to the right box. You can also select one or more items in the right box and click Remove to remove them from the right box to the left box. If you do not add any IP address to the right box, the interzone applies to any destination IP address. Required. Add services for the interzone rule. Available services are listed in the left box. The right box lists the services to be added to the interzone rule. You can select one
10. periods, slashes, and hyphens, where underscores can't appear at the beginning or end of the name. IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group. Description: Optional. Type some descriptive information for the host address. Valid characters for the description: letters, digits, blank spaces, colons, underscores, commas, periods, exclamatory marks, and hyphens, where underscores can't appear at the beginning or end of the name. IP Address: Required. Specify IP addresses for the host address. Input an IP address and click Add next to the text box to add the IP address to the IP addresses list. You can also select an IP address on the list and click Delete to remove the IP address from the list. The IP addresses must be in dotted decimal notation. To delete host addresses, select them and click Delete on the host address management page. Return to IP address management functions. Address ranges: From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management. Click the Address Ranges tab to enter the address range management page, as shown in Figure 70. Table 76 describes the fields of the address range list. Figure 70 Address range management page
11. Displaying firewall management statistics on Firewall Manager: As we have configured the firewall to send logs to Firewall Manager, we can see the statistics and analysis in the Firewall module on the Firewall Manager webpage. Snapshot of events that happened in the firewall: Firewall > Events Monitor > Snapshot of Events
12. NAT log auditing. Configuration guide: From the navigation tree of the firewall management component, select NAT Logs under Event Auditing to enter the NAT log auditing page, as shown in Figure 56. The page lists NAT logs of HP firewalls. Each log records the source IP and port and the destination IP and port before and after network address translation, as well as the NAT session start time and end time. Figure 56 NAT log auditing
13. Blacklist Log (columns: Time/Date, Mode, Source IP, Reason). Intrusion Policy Log (columns: Start Time, End Time, Source Zone, Destination Zone, Policy ID, Action). User log: Flow Log
14. Figure 4 Add a device. Table 4 Device configuration items (Item: Description). Host Name/IP: Required. Type the name or IP address of the device to uniquely identify the device in the system. Device Label: Required. Type a label for the device, which can be used as an alias of the device. The device label can comprise up to 20 characters. Device Group: Select a device group for the device. By default, the device group named default is selected. Time Calibration: Required. Select a time mode for the device. Select access template / Specify access parameters: Required. Select either of them. If you select Select access template, select a template from the following drop-down list. By default, the template named default is selected. Web Username, Web Password, Web Port, Telnet Username, Telnet Password, SNMP Version, Community String for Reading, Community String for Writing, Authentication Username, Authentication Protocol: If you select Specify access parameters, specify the access parameters, including Web Username, Web Password, Web Port, Telnet Username, Telnet Password, SNMP Version, Community String for Reading, and Commu
15. Adding an LDAP server: From the navigation tree of the system management component, select LDAP Server Management under System Config. Click Add to add an LDAP server, as shown in Figure 36 and Table 45. Figure 36 Add an LDAP server. Table 45 LDAP server configuration items (Item: Description). Server Name: Required. Type a name for the LDAP server. Server Version: Required. Select an LDAP server version. Server IP: Required. Type an IP address for the LDAP server. Server Port: Required. Type a port number for the LDAP server. Admin DN: Required. Type the administrator DN for the LDAP server. Admin Password: Required. Type the administrator password for the LDAP server. Username Attribute: Required. Type a username attribute for the LDAP server. Base DN: Required. Type a base DN for the LDAP server. Return to LDAP server management functions. Managing log retention time: This function allows you to configure the period of time during which the system keeps the firewall logs and SSL VPN logs for query. Configuration guide: From the navigation tree of the system management component, select Log Retention Time under System Config. The log retention time configuration page appears
16. Table 53 Query options on the attack event overview page (Option: Description). Device: Select a device, a device group, or All devices from the Device drop-down list. The system will display the relevant event information. All devices and device groups that are under your management will appear in the drop-down list. IMPORTANT: If you select a device group, the system will display the event information matching the filter of all firewall devices in the device group in the specified statistics duration. If you select a device name, the system will display the event information matching the filter of the firewall device in the specified statistics duration. Filter: Select a filter from the drop-down list to filter attack events. Duration: Select the statistics duration. You can select Day, Week, or Month, or select Customize to specify a statistics duration. Time: Select the statistics time, whose value range varies with the statistics duration selected. Besides the attack event trend graphs, the system
17. Note: It is the current configuration that is running in the device. The current label and baseline label can't be removed. Table 11 Tabs on the device configuration information management page and functions provided (Tab: Description). Label: A label represents a configuration file of a device. Running Config: Allows you to perform operations on running configuration files of different versions. Startup Config: Allows you to view, back up, and delete the current startup configuration file of a device. The functions are the similar to those for management of running configuration files. Draft: Allows you to manage drafts for a device. 5. Label: A label is used to indicate the backup running and/or startup configuration files of a device. On the device configuration management list, you can click the icon in the Management column of a device to bring up the configuration information management interface of the device, as shown in Figure 12. The Label tab allows you to: Add and delete labels. View the information of the backup configuration file, such as version number an
18. Management component, and then select Device Management under Device Management from the navigation tree to enter the device management page. Click Add to enter the page for adding devices to the firewall management component, as shown in Figure 107. Figure 107 Add a device to the firewall management component. After you configure the devices and add the firewall devices to the HP A-IMC Firewall Manager, the Firewall Manager system is configured basically and ready for service operations. CAUTION: For devices that Firewall Manager has discovered automatically, you do not need to add them manually. 3. On the web interface of each firewall device, set the IP address of the syslog server in the notify action to that of the Firewall Manager server and port number to 30514. CAUTION: The A-IMC Firewall Manager uses port 30514 to receive syslogs. Configuration example 2. Network requirements: The FW device connects the internal network 4.1.1.0/24 through GigabitEthernet 0/4 and connects the external network through GigabitEthernet 0/1. Configure the FW device to send logs to the syslog server with IP address 192.168.96.15 in the external network. Figure 108 Network diagram for configuring FW and Firewall Manager
19. Policy Management to enter the security zone management page, as shown in Figure 58. Click Add to enter the Add Security Zone page, type a name for the security zone, and click Add. Figure 59 Add a security zone. Table 63 Security zone configuration item (Item: Description). Security Zone: Type a name for the security zone. A security zone name cannot contain any of these characters: < > &. Return to Security zone management functions. Importing security zones from a device: From the navigation tree of the firewall management component, select Security Zones under Security Policy Management to enter the security zone management page, as shown in Figure 58. Click Import from Device to enter the Import Security Zone from Device page, select a device, and click OK. Figure 60 Import security zones from a device. CAUTION: Available devices are those added in the device management module of the firewall management component. Return to Security zone management functions. Time ranges. Configuration guide: From the navigation tree of the firewall management component, select Time Ranges under Security Policy Management to enter the time range management page, as shown in Figure 61. Table 64 describes the functions available on the page. Figure 61 Time range management page
20. Table 76 Fields of the address range list (Field: Description). Name: Name of the address range. Address Range: Specific address range. Excluded Addresses: Excluded addresses in the address range. Description: Descriptive information about the address range. Referenced: Whether the address range is referenced or not. Operation: Click the icon to modify the address range. To add an address range, click Add on the address range management page to enter the Add Address Range page and configure the range, as shown in Figure 71 and Table 77. Figure 71 Add an address range. Table 77 Address range configuration items (Item: Description). Name: Required. Type a name for the address range. Valid characters for the name: letters, digits, underscores, periods, slashes, and hyphens, where underscores can't appear at the beginning or end of the name. IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group. Description: Optional. Type some descriptive information for
21. Registering the firewall manager; Uninstalling the firewall manager; System management; Device management; Managing batch import; Managing events; Managing device access templates; Managing the device software database; Managing deployment tasks; Operator management; Managing operators; Managing operation logs; Changing your login password; System configuration; Configuring system parameter
22. Table 5 Device software management functions (Function: Description). Deploying software to devices: Allows you to deploy software to devices as required. Backing up the software of devices: Allows you to backup the software of selected devices to the device software database. Refreshing device information: Allows you to obtain the up-to-date device information. Table 6 Fields of the device software list (Field: Description). Device Label: Device name and IP address. You can click the link to view details about the device and modify the configuration. Device Group: Device group to which the device belongs. Device Type: Model of the device. Current Version: Current software version of the device. Latest Version: Latest software version available for the device. This version information comes from the software database. 2. Deploying software to devices: This software deployment function allows you to deploy main boot file to devices. On the device software management page, click Deploy Device Software to enter the software deployment page, as shown in Figure 7. Table 7 describes the software deployment configuration items. You can deploy software to multiple devices at a time. You can specify deployment parameters, such as the deployment sequence, policy, time, and error handling mode. A successfully created software deployment task
23. also provides contrast graphs of the Top 10 attack events, attacked IP addresses, attacker IP addresses, attacked ports, and attack protocols, as shown in Figure 46. Figure 46 Top 10 attack events contrast graph. You can click the Export link to export all the analysis reports that the event overview function provides. CAUTION: Logs are aggregated at 3 o'clock every day. When you query event information of the current month, the system displays only the data collected from the first day of the month to the day before the current day. Event details: The Firewall Manager provides the powerful query function, which helps you quickly find the desired security
24. can't appear at the beginning or end of the name. Member: Required. Add members to the IP address group. Available members are listed in the left box, including all added IP addresses. The right box lists the members to be added to the IP address group. You can select one or more members in the left box and then click Add >> to add them to the right box. You can also select one or more members in the right box and click << Remove to remove them from the right box to the left box. To delete IP address groups, select them and click Delete on the IP address group management page. Return to IP address management functions. Interzone rules. Configuration guide: From the navigation tree of the firewall management component, select Interzone Rules under Security Policy Management to enter the interzone rule management page, as shown in Figure 76. Table 82 describes the functions available on the page. Figure 76 Interzone rule management page
25. component, select Device Group List under Device Management. The device group management page appears, as shown in Figure 17. Table 15 describes the device group management functions.
Figure 17 Device group management page [figure: Device Group List with the columns Device Group Name, Description, and Operation; the default device group cannot be deleted]
Table 15 Device group management functions
Function: Description
Device group list: Allows you to view details about device groups and modify and delete device groups.
Adding a device group: Allows you to add a device group and configure the device group name and description.
Device group list
From the navigation tree of the system management component, select Device Group list under Device Management. The device group management page appears, as shown in Figure 17. Details of all device groups are displayed on the page.
Table 16 Fields of the device group list
Field: Description
Device Group Name: Name of the device group.
Description: Description of the device group.
Operation:
• Click the modify icon of a device group to modify the device group.
• Click the delete icon of a device group to delete the device group.
Return to Device group management functions.
Adding a device group
From the navigation tree of the system management component, select Device Group list under Device Management to enter the device group management
26. configuration file
• Specify the running configuration as the baseline or save it as a draft
• Compare two configuration files to find the differences
Figure 14 Running configuration file list [figure: Running Config List of a device, with the tabs Label, Running Config, Startup Config, and Draft, and the columns Version, Backup Time, Label, Compare, Set Baseline, Label Management, Save as Draft, and Restore. Note in the figure: It is the current configuration that is running in the device. The current label and baseline label can't be removed.]
Table 13 Fields of the running configuration list
Field: Description
Version: Uniquely identifies the running configuration file. The version number is assigned automatically by the system for each backup file.
Backup Time: Time when the running configuration file is backed up.
Label: Label for this version.
Compare: Allows you to compare two configuration files, including the drafts, to find the differences.
Set Baseline: Allows you to set the running configuration file as the baseline.
Label Management: Allows you to re-label the running configuration file.
Save as Draft: Allows you to save the running configuration file as a draft and t
27. documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is comments.
GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention: Description
An alert that calls attention to important information that if not understood or followed can A WA
28. firewall management component and then click Add. The firewall device management page appears, indicating that the devices are successfully added.
Return to Firewall management functions.
Viewing device statistics
The device statistics function can collect statistics on devices by day, week, and month. You can select the statistics period as needed and view the statistics report, which provides statistics on each firewall device, including the total number of events, number of blocked events, destination IP address count, source IP address count, and destination port count.
Configuration guide
From the navigation tree of the firewall management component, select Device Statistics under Device Management to enter the device statistics page, as shown in Figure 89.
Figure 89 Device statistics [figure: query options Duration and Time; Attack Protection list with the columns Device Label, Total Number of Events, Blocked Events, Dest IP Count, Src IP Count, Dest Port Count, and Analysis]
Table 98 Device statistics query options
Option: Description
Duration: Select the statistics duration. You can select Day, Week, or Month, or select Customize to specify a statistics duration.
Time: Select the statistics time, whose value range varies with the statistics duration selected.
You can click the icon in the Analysis column of a device to enter the attack event analysis page. Th
29. for the logs of interest.
Figure 28 Operation log management page [figure: query options Operator, User Host IP, and Operation Result; Operation Log List with the columns Operator, IP Address, Time, Operation, Result, and Details]
Table 35 Operation log query options
Option: Description
Operator: Specify the operator whose logs you are interested in.
Gateway IP: Type the IP address of the gateway.
Operation Result: Select the operation result of the operations. By default, the value of this option is which means both the succeeded and failed operations.
Table 36 Fields of the operation log list
Field: Description
Operator: Name of the operator.
IP Address: IP address of the PC used by the operator to log in.
Time: Time when the operation occurred.
Operation: What the operator did.
Result: Whether the operation succeeded or failed.
Details: Operation details.
Changing your login password
This function allows you to change your login password. From the navigation tree of the system management component, select Password under Operator Management to enter the page for changing your login password, as shown in Figure 29. Table 37 describes the configuration items for changing your password.
Figure 29 Change
30. generated once the actual free disk space is lower than this value.
Send a report by email: Optional. Selecting the check box will make the system send generated alarms to the specified mail box.
You can also select the Residual Disk Monitoring tab to view the disk space usage information in the last three hours, 36 hours, and 36 days, and the remaining disk space per day, or select the Detail tab to view disk space usage statistics of function modules, as shown in Figure 39.
Figure 39 Free disk space monitoring page [figure: Residual Disk Monitoring tab with three charts of Space Used and Free Space: the use of disk space for the most recent 3 hours, the most recent 36 hours, and the most recent 36 days]
31. guide
From the navigation tree of the firewall management component, select Deployment Tasks under Policy Management to enter the deployment task management page, as shown in Figure 97. On this page, you can select a task status to display all deployment tasks in the status, select tasks to execute them immediately, or cancel, delete, or modify tasks.
Figure 97 Deployment task management page [figure: Task Status query option; Deployment Task List with the columns Execution Status, Task Name, Task Type, Creation Time, Creator, Start Time, End Time, Modify, and Details. Note in the figure: Only a task waiting for execution can be executed immediately. Only a task waiting for execution can be canceled.]
Table 102 Deployment task management functions
Function: Description
Deployment task list: Allows you to view information about all deployment tasks.
Executing deployment tasks immediately: Allows you to execute selected deployment tasks. On the configuration segment management page, select the deployment tasks that you want to execute and click the Execute Now button. Only a task waiting for execution can be executed immediately.
Canceling deployment tasks: Allows you to cancel selected deployment tasks. On the configuration segment management page, select the deployment tasks that y
32. is listed in the deployment task management module. How many boot files can be stored on a device depends on the device's disk space. Generally, two files, one main boot file and one backup boot file, are stored on the device.
Figure 7 Deploy software to devices [figure: Software Deployment page with the fields Task Name, Description, Add Device, Deployment Sequence (Parallel or Serial), Deployment Policy, and Deployment Time (Execute Now or Execute as Scheduled); device list with the columns Device Label, Current Software Version, Deploy Software Version, and Device Storage Path]
Table 7 Software deployment configuration items
Item: Description
Task Name: Required. Type the name of the deployment task. By default, it consists of the word Task, a string indicating the current time, and a space in between.
Description: Required. Type a description for the task. The description must not contain these characters: < > & 76 N
Add Device: Click this button to add a device to which you want to deploy a software version. You can add multiple devices. You can click the 9 icon
33. [figure residue: absolute time range with Start Time and End Time fields, and the Add and Cancel buttons]
Table 66 Time range configuration item
Item: Description
Name: Required. Type a name for the time range. The name can't be null and can't contain any of these characters: < > &
Time Range: Required. Specify the time periods during which a security policy that references the time range take effect. A time period can be periodic or absolute.
• Periodic: Select the start time and end time for the periodic time period, and then select the days of the week during which the time period applies. By default, the periodic time period is from 0:0 to 24:0 every day.
• Absolute: Select the start time and end time for the absolute time period. By default, the absolute time period is a 24-hour period starting from the full hour of the current time. An absolute time range takes effect only once.
Return to Time range management functions.
Services
Configuration guide
From the navigation tree of the firewall management component, select Services under Security Policy Management. The predefined service management page appears, as shown in Figure 63. Table 67 describes the functions of the tabs.
Figure 63 Service management page [figure: tabs User Defined Services, Service Groups, and Predefined Services; list with the columns Name, Protocol, and Protocol Parameter]
34. number of existing rules for the source zone and destination zone pair, starting from 0. For example, the first rule created for the source zone Trust and the destination zone DMZ is numbered 0; the second rule created for the same source zone and destination zone pair is numbered 1.
Src IP: Source IP address of the interzone rule.
Dest IP: Destination IP address of the interzone rule.
Service: All services of the interzone rule.
Time Range: Time range during which the interzone rule takes effect.
Action: Filtering action of the interzone rule.
Description: Descriptive information about the interzone rule.
Status: Whether the interzone rule is enabled or disabled.
Logging: Whether logging is enabled for the interzone rule.
Policy: Policies that the interzone rule is in. You can click a policy name to enter the page for managing the policy's rules. See Rule management.
Return to Interzone policy application management functions.
Firewall device management
Managing firewall devices
With the management right on devices, you can add or delete devices, view the detailed information of the devices, and change the device groups and labels of the devices. If the system cannot discover some firewall devices automatically, you need to add these firewall devices to the firewall management component manually, so that the Firewall Manager can collect and display the attack event statistics and event auditing information of these devices.
Config
35. or more items in the left box and then click Add >> to add them to the right box. You can also select one or more items in the right box and click Remove to remove them from the right box to the left box.
• If you do not add any service to the right box, the interzone applies to any service.
Required. Add policies to which you want to add the interzone rule. You can add a rule to multiple policies when you create the rule, or add it to a policy on the policy's rule management page.
• Available policies are listed in the left box. The right box lists the policies to be added for the interzone rule.
• You can select one or more items in the left box and then click Add >> to add them to the right box. You can select one or more items in the right box and click Remove to remove them from the right box to the left box.
Required. Select a filtering action for the interzone rule. It can be Permit or Deny.
Optional. Specify the effective time for the interzone rule. You can select a time range for the rule. If you do not select a time range, the rule takes effect at any time.
Optional. Select this option to enable the syslog function for the interzone rule. By default, this option is not selected.
Enable this rule: Optional. Select this option to enable the interzone rule. By default, this option is not selected.
Continue to add another rule: Optional. Select this option to add another rule after finishing this r
36. [figure residue: report export task list]
Table 56 Query options of the report export task list
Option: Description
Period: Select the export interval, which can be Day, Week, Month, Year, or All. The system will display export tasks with the export interval being the one you selected.
Filter: Select a filter to filter the report export tasks.
Table 57 Fields of the report export task list
Field: Description
Report Task: Name of the report export task.
Creation Time: Time when the task was created.
Period: Reports export interval specified in the export task.
Send Mail: Whether the report export file is to be sent to the specified mail box.
Generate Report: Click the icon of a task to display all generated report files of the task and the file creation time. These files have the same suffix, which is xls. Click a report file's name link to export the file.
Operation:
• Click the modify icon of a task to enter the task modification page, where you can modify the task.
• Click the test icon of a task to test whether the task can function. If the test succeeds, the system generates a report file based on data of the current day. The filename starts with test.
Table 58 Report export task management functions
Function: Description
Report export task list: Allows you to view the detailed information of all report export tasks, and modify and test a report export task.
Adding a report export task: Allows you to add a report export task.
Allows you to del
37. software.
Start Time: Start time of the backup operation.
Status: Result of the backup operation.
Result: Description of the operation result or failure reason.
Return to Device software management functions.
Device config management
The device configuration management function allows you to manage configuration files of devices. A configuration file records the configurations users have made on the device. The configuration file is used by the device to filter traffic passing through. A configuration file can be a startup configuration file or a running configuration file. The startup configuration file refers to the configuration file that a device keeps and will use at next boot. The running configuration file refers to the configuration currently used by a device, which you can save to the device as a file and, once saved, becomes the startup configuration file.
The device configuration management function supports setting baseline versions for devices, managing the running versions and startup versions of devices, and deploying configuration files to devices.
Configuration guide
From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then select the Device Config Management tab to enter the device configuration management page, as shown in Figure 9. Table 9 describes the device configuration management functions and Table 10 descri
38. [figure residue: event snapshot page with an event trend chart by severity level (Critical, Major, Minor, Warning) and the lists Top 5 Attack Sources and Top 5 Attack Protocols, each with the columns Event Count, Percentage, and Detail]
Table 49 Event snapshot query options
Option: Description
Device: Select a device, a device group, or All devices from the Device drop-down list. The system will display the relevant event information. All devices and device groups that are under your management will appear in the drop-down list.
IMPORTANT:
• Selecting a device group: Specifies all devices in the device group.
• Selecting a device name: Specifies the single device.
Top: Select a value in the Top drop-down list to specify the number of records to be displayed in the graphs and lists.
Statistics Time: Period of time during which the statistics were collected. The snapshot statistics time is the last hour.
Table 50 Fields in the event snapshot lists
Field: Description
Attack Event, Destination IP, Destination Port, Source IP, Protocol, Event Count, Percentage. Attack protection statistics lists including the e
39. [figure residue: chart axis dates; legend Space Used and Free Space]
Managing subsystems
The subsystem management allows you to manage and monitor multiple Firewall Managers effectively. By adding different systems as the subsystems, you can access these subsystems by simply clicking their URL links instead of entering the URLs, usernames, and passwords repeatedly.
Configuration guide
From the navigation tree of the system management component, select Subsystem Management under System Config to enter subsystem configuration page, as shown in Figure 40. Table 47 describes the fields of the subsystem list.
Figure 40 Subsystem information [figure: Subsystem list with the columns Server IP, Port, User Name, Password, and Link]
Table 47 Fields of the subsystem list
Field: Description
Server IP: IP address of the server for the subsystem.
Port: Port for connecting to the subsystem.
User Name: Username for logging in to the subsystem.
Password: Password for logging in to the subsystem.
Link: URLs of the subsystem. Click a link to log in to the s
40. [figure residue: log list rows]
• Operation Logs
Firewall > Event Auditing > Operation Logs [figure: query options Username, Operation, Severity Level, Start Time, End Time, and Device; Operation Logs List with the columns Time, Username, User IP, Operation, and Severity Level]
41. [figure residue: log list rows]
NOTE: If the IP address/port number is null in the database, NA will be displayed in the IP address or port field.
Security policy management
This function allows you to configure security policies for the firewall devices so that the devices can automatically identify and filter network traffic that travels through the devices. More specifically, this function allows you to configure a series of rules to match packets between a source security zone and a destination security zone, and permit or drop the matched packets.
Security zones
Configuration guide
From the navigation tree of the firewall management component, select Security Zones under Security Policy Management to enter the security zone management page, as shown in Figure 58. Table 61 describes the security zone management functions available on the page.
Figure 58 Security zone management page Security Zones 1 to of Page 1 Page Size 10 50 100 500 Security Zone Device Ref
42. Table 73 IP address management functions
Function: Description
Host addresses: Allows you to manage all host addresses in the system.
Address ranges: Allows you to manage all address ranges in the system.
Subnet addresses: Allows you to manage all subnet addresses in the system.
IP address groups: Allows you to manage all IP address groups in the system.
Host addresses
From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management. The host address list is on the lower part, as shown in Figure 68. Table 74 describes the fields of the list.
Table 74 Fields of the host address list
Field: Description
Name: Name of the host address.
IP Addresses: All IP addresses for the host address.
Description: Descriptive information about the host address.
Referenced: Whether the host address is referenced or not.
Operation: Click the modify icon to modify the IP addresses for the host address.
To add a host address, click Add on the host address management page to enter the Add Host Address page and configure the host address as shown in Table 75.
Figure 69 Add a host address [figure: Add Host Address page with the fields Name (1-31 chars), Description (1-31 chars), IP Address, and IP Addresses List]
Table 75 Host address configuration items
Item: Description
Required. Type a name for the host address. Valid characters for the name: letters, digits, underscores _
43. Configuring management ports; Configuring the mail server; Managing filters; Managing LDAP servers; Managing log retention; Monitoring the disk space; Managing subsystems; Firewall management; Attack events monitoring; Snapshot of events; Recent events list; Device monitoring; Event analysis; Event overview; Event details; Report exporting management; Event auditing
44. Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP A Series Acronyms.
Websites
• HP.com: http://www.hp.com
• HP Networking: http://www.hp.com/go/networkin
• HP manuals: http://www.hp.com/support/manuals
• HP download drivers and software: http://www.hp.com/support/downloads
• HP software depot: http://www.software.hp.com
Conventions
This section describes the conventions used in this
45. Table 78 Fields of the subnet address list
Field: Description
Name: Name of the subnet address.
Subnet: Subnet address and mask.
Excluded Addresses: Addresses excluded from the subnet.
Description: Descriptive information about the subnet address.
Referenced: Whether the subnet address is referenced or not.
Operation: Click the modify icon to modify the subnet address.
To add a subnet address, click Add on the subnet address management page to enter the Add Subnet Address page and configure the subnet address as shown in Figure 73 and Table 79.
Figure 73 Add a subnet address [figure: Add Subnet Address page with the fields Name (1-31 chars), Description (1-31 chars), IP, Wildcard, Excluded Addresses, and Excluded IP addresses List. Note in the figure: A wildcard mask is an inverse mask, contrasting with a network mask.]
Table 79 Subnet address configuration items
Item: Description
Name: Required. Type a name for the subnet address. Valid characters for the name: letters, digits, underscores, periods, slashes, and hyphens, where underscores can't appear at the beginning or end of the name.
IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group.
Description: Optional. Type some descriptive information for the subnet address. Valid characters f
46. HP A IMC Firewall Manager Configuration Guide
Part number: 5998 2267
Document version: 6PW 101 20110805
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Introduction to HP A IMC Firewall Manager; What HP A IMC Firewall Manager can do; Installation and uninstallation; Installing the firewall manager
47. [figure residue: recent events list rows]
Table 51 Query option description
Option: Description
Filter: Select a filter from the drop-down list to display specific events.
Table 52 Fields of the recent events list
Field: Description
Time: Time when the event occurred.
Device IP: IP address of the firewall device.
Source IP: Source IP address of the attack packets.
Destination IP: Destination IP address of the attack packets.
Event: Description of the event.
Protocol Name: Protocol of the attack packets.
Source Port: Source port of the attack packets.
Destination Port: Destination port of the
48. Name of the draft.
Description: Remarks on the draft.
Creation Time: Time when the draft is created.
Last Modify Time: Last time when the draft is modified.
Compare: Allows you to compare the draft with a configuration file to find the differences.
Restore: Allows you to set the draft as the configuration file for the device.
IMPORTANT: Do not set a draft as the startup configuration file.
Return to Tabs on the device configuration information management page and functions provided.
Managing batch import
The batch import function allows you to add devices to the A IMC Firewall Manager in batches by using a batch import file.
Configuration guide
From the navigation tree of the system management component, select Batch Import under Device Management. The batch import page appears, as shown in Figure 16. Click Browse to select the batch import file, and then click Apply.
Figure 16 Batch import of devices [figure: Batch Import page with a Browse button and a link to download the device import template. Tip in the figure: Please fill the file following the tips on the first line. Each line represents one device.]
Managing device groups
The device group management function allows you to add, modify, and delete device groups. When you add devices later, you can group devices into device groups so that you can manage and collect statistics on users, devices, and IP addresses by device group.
Configuration guide
From the navigation tree of the system management
49. Query interzone rules by policy. Status: Query interzone rules by status: enabled, disabled, or both. Referenced: Query interzone rules by reference status: referenced, not referenced, or both. Table 84 Fields of the interzone rule list. Src Zone: Source zone of the interzone rule. Dest Zone: Destination zone of the interzone rule. ID: ID of the interzone rule. When you create an interzone rule, the system automatically assigns an ID to the rule according to the number of existing rules for the source zone and destination zone pair, starting from 0. For example, the first rule created for the source zone Trust and the destination zone DMZ is numbered 0; the second rule created for the same source zone and destination zone pair is numbered 1. Src IP: Source IP address of the interzone rule. Dest IP: Destination IP address of the interzone rule. Service: All services of the interzone rule. Time Range: Time range during which the interzone rule takes effect. Action: Filtering action of the interzone rule. Description: Descriptive information about the interzone rule. Status: Whether the interzone rule is enabled or disabled. Logging: Whether logging is enabled for the interzone rule. Referenced: Whether the interzone rule is referenced or not. Policy: Policies that the interzone rule is in. You can click a policy name to enter the page for managing the policy's rules. See Rule management. Click the icon to modify the interzon
50. RNING result in personal injury. CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software. IMPORTANT: An alert that calls attention to essential information. NOTE: An alert that contains additional or supplementary information. TIP: An alert that provides helpful information. Network topology icons. Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Port numbering in examples. The port numbers in this document are for illustration only and might be unavailable on your device. Index. A: Abnormal traffic log auditing; Adding devices to the firewall manager; Authentication failure auditing. B: Blacklist log auditing. C: Changing your login password; Configuring intrusion detection in firewall and sending logs to Firewall Manager; Configuring management ports; Configuring system parameter; Configuring the firewall device; Configuring the Firewall Manager; Configuring the mail server. D: Daily user statistics; Device monitoring; Documents. E: Event details; Event o
51. Return to Configuration segment management functions. Adding a configuration segment. To add a configuration segment, click Add on the configuration segment management page to enter the Add Configuration Segment page, as shown in Figure 91. Then select the file type, specify a filename, type a description, and add and edit configuration commands that comply with the configuration file syntax requirements. Finally, click Add to create the configuration segment. Figure 91 Add a configuration segment. Tip: To make a configuration segment reusable, you can embed variables in it. When you deploy a configuration segment with variables, the system will prompt you to give a value to each variable and then replace the variables with your settings. Variable format variable name For example HIP address. A variable must be followed immediately by a space or newline character. The name of a variable can't contain any non-printable character or any of these 1j. Table 101 Configuration segment configuration items. File Type: Required. Select the configuration segme
52. SSL VPN auditing component select Device Monitoring under Comprehensive Analysis to enter the device monitoring page, as shown in Figure 101. The page presents the daily SSL VPN access information by device, including the IP address of the device, maximum daily user login times, maximum daily operations, and maximum daily resource access operations. In addition, you can click the icon in the Admin Login column of a device to log in to the device as an administrator, or click the icon in the User Login column of a device to log in to the device as a user. Figure 101 Device monitoring (columns: Device, Daily Max Login Count, Daily Max Operation Count, Daily Max Resource Access Count, Admin Login, User Login). SSL VPN log auditing. The SSL VPN log auditing function allows you to audit user access records, operation logs, resource accesses, and authentication failures. You can also export and save the reports as an Excel file. User access records auditing. The user access records display details about the access information of SSL VPN users, such as the username, IP address of the SSL VPN user, virtual IP address, login time, logout time, online duration, IP address of the firewall device, number of user operations, and number of accessed resources. It also supports flexible user access records query. Configuration guide: From the navigation tree of the SSL VPN auditing compon
53. Overview. Introduction to HP A-IMC Firewall Manager. HP A-IMC Firewall Manager is a powerful system for comprehensive analysis and centralized management of firewall devices. It is an important component of the HP A-Intelligent Management Center (A-IMC). The Firewall Manager allows you to manage and control all HP firewall devices in your network. It features great scalability, visual real-time event monitoring, comprehensive security event analysis such as attack analysis, and rich reports, enabling you to learn the network security status at any time. In addition, the Firewall Manager provides the Security Socket Layer (SSL) VPN log auditing function for you to analyze SSL VPN users and monitor firewall devices. SSL VPN is an emerging VPN technology based on HTTPS and provides a measure of security for remote access to the intranet. Together with HP firewall devices, the Firewall Manager provides you with visual, all-around, powerful network security protection. What HP A-IMC Firewall Manager can do. As a powerful, efficient firewall management system, the Firewall Manager supports centralized management and real-time monitoring of firewall devices throughout the network, implements collection and comprehensive analysis of attack event information, enables log auditing, and provides various kinds of visual, detailed reports. From the all-around reports, you can see the history security status as well as the security t
54. [Network diagram labels: 4.1.1.2, 4.1.1.1, 192.168.250.214.] Configuration procedures. Configuring the firewall device. 1. Configure interfaces. Select Device Management > Interface, assign the IP address 192.168.250.214/24 to GigabitEthernet 0/1, and add the interface to zone Untrust. Assign the IP address 4.1.1.1/24 to GigabitEthernet 0/4, and add the interface to zone Trust. Figure 109 Configure interfaces. 2. Configure NAT. Select Firewall > NAT Policy > Dynamic NAT, configure dynamic NAT on GigabitEthernet 0/1, referencing ACL 3000 and configuring Easy IP as the address translation mode. Figure 110 Configure dynamic NAT. Select Firewall > ACL, configure rules for ACL 3000 to permit packets sourced from 4.1.1.0/24. Figure 111 Configure ACL 3000 (rule 0: permit ip source 4.1.1.0 0.0.0.255; time range: None). 3. Configure a static route. Select Network > Routing Management > Static Routing, add a default static route with t
55. [List residue: User Count and User Information columns, with entries dated 2009-11-03.] Daily user statistics. The daily user statistics function presents the counts of login times of SSL VPN users, user operations, and resources that users have accessed every day during a period of time. Configuration guide: From the navigation tree of the SSL VPN auditing component, select Daily User Statistics under Comprehensive Analysis to enter the daily user statistics page, as shown in Figure 100. Under the trend graph is a list showing the detailed daily user trend statistics, including the time, user login times, number of user operations, and number of resources that the users have accessed. Figure 100 Daily user statistics (Daily Trend Graph of Users; list columns: Time, User Count, Operation Count, Visited Resource Count). NOTE: The User Count field shows the count of login times on that day. Device monitoring. In addition to the SSL VPN user statistics of the entire network, the SSL VPN auditing component also allows you to view SSL VPN access statistics by firewall device and log in to a device as an administrator or user. Configuration guide: From the navigation tree of the
56. User-defined services. From the navigation tree of the firewall management component, select Services under Security Policy Management. Click the User Defined Services tab to enter the user-defined service management page, as shown in Figure 64. Table 69 describes the fields of the service list. Figure 64 User-defined service management page. Table 69 Fields of the user-defined service list. Name: Name of the user-defined service. Description: Descriptive information about the user-defined service. Protocol: Protocol used by the user-defined service. Protocol Parameters: Parameters configured for the protocol. Referenced: Whether the user-defined service is referenced or not. Operation: Click the icon to modify the service. To add a user-defined service, click Add on the user-defined service management page to enter the Add User Defined Service page and configure the service as described in Table 70. Figure 65 Add a user-defined service. Table 70 User-defined service configuration items
57. all device management; Managing firewall devices; Viewing device statistics; Managing the device configuration database; Managing deployment; SSL VPN auditing; Comprehensive analysis; Online users trends; Daily user statistics; Device monitoring; SSL VPN log auditing; User access records auditing; Operation log auditing; Resource access auditing; Authentication failure auditing; Configuration example; Network requirements; Configuration procedure; Adding de
58. [Figure residue: Operation Logs list with columns Session ID, User, Operation, Parameter, Time, Device.] Resource access auditing. The resource access auditing allows you to audit operations of SSL VPN users based on the information of username, operations related to resource access, operation time, and IP address of the firewall device. It also supports flexible operation log query. Configuration guide: From the navigation tree of the SSL VPN auditing component, select Visited Resource Auditing under Log Auditing to enter the page for auditing resource access logs, as shown in Figure 104. Figure 104 Resource access log auditing.
59. Table 34 Operator configuration items. Login Name: Type a name for the operator, a string of up to 40 characters. Login Password: Specify a password for the operator to use at login. The password must comprise 6 to 20 alphanumeric characters, and its strength must meet the password strength requirements of the device. Confirm Password: Type the password again, which must be the same as that for Login Password. If the two are not the same, an error message will appear telling you that they must be identical. Role: Select an operation level for the operator. Manage Device Group: Specify which device groups the operator can manage. Authentication Mode: Select an authentication mode for the operator. Available authentication modes include local authentication and LDAP authentication. If you select LDAP authentication, you must also select an LDAP server. Return to Operator management functions. Managing operation logs. Configuration guide: Operation logs reflect what operators have done after login. A super administrator can view operation logs, query logs by different conditions, and delete logs. From the navigation tree of the system management component, select Operation Logs under Operator Management. The operation log management page appears, as shown in Figure 28. Table 35 describes the operation log query options. You can use any combination of the options to query
60. attack packets. Device monitoring. In addition to the attack event information of the entire network, the firewall management component also allows you to view the attack event information of every firewall device. Configuration guide: From the navigation tree of the firewall management component, select Device Monitoring under Events Monitor to enter the device monitoring page, as shown in Figure 44. The page presents the attack protection information in the last hour by device, including the total number of events, number of blocked events, number of source/destination IP addresses, and number of destination ports. Figure 44 Device monitoring (columns: Device Label, Total Number of Events, Blocked Events, Dest IP Count, Src IP Count, Dest Port Count, Snapshot, Details). In the list, you can click the icon in the Snapshot column of a firewall device to enter the attack event snapshot page of the device (for more information, see Snapshot of events), or click the icon in the Details column of a firewall device to enter the attack event details page of the device (for more information, see Event details). The firewall management component features comprehensive analysis and statistics reports, through which you can evaluate the network security status in real time and take attack prevention mea
61. bes the fields of the device configuration management list. Figure 9 Device configuration management page (list columns: Device Label, Device Group, Last Backup Time, Check, Last Operate Time, Management). Table 9 Device configuration management functions. Backing up configuration files: Allows you to back up the running configuration file and/or the startup configuration file of a device. Backup files are identified by labels and version numbers. Restoring a configuration file: Allows you to restore the startup and/or backup configuration file of a device to another version. Synchronizing configurations: Allows you to deploy new configuration settings to devices to make … Restarting devices: Allows you to restart devices. Table 10 Fields of the device configuration management list. Device Label: Device name and IP address. You can click the link to view details about the device and modify the configuration. Device Group: Device group to which the device belongs. Last Backup Time: Time of the last configuration file backup operation. Check: Check whether the current configuration of the device is consistent with that last
62. btain a formal license and register your license by following this procedure: 1. From the navigation tree, select License Application under License Management to enter the license application page. The system automatically generates a host ID for license application, as shown in Figure 1. Perform operations as prompted to obtain a license file. Figure 1 Generate a host ID (page message: User information collected successfully. Please save the Host ID IMCS M4418308FC502CO9FAF and send it to HP License Center to apply for a formal license). 2. From the navigation tree, select License Registration under License Management to enter the license registration page, as shown in Figure 2. Click Browse to select the license file, and then click Apply to complete registration. The suffix of a license file is .lic. Figure 2 Register your license. After seeing the acknowledgement page, you can use the Firewall Manager to configure devices and perform other operations. CAUTION: HP A-IMC Firewall Manager is shipped with a trial license that is effective within one month, which is saved in a license file named A-IMC Firewall Manager Evaluation License.lic. Before you get a formal license, you can use the trial license to register. Uninstalling the firewall manager. To uninstall HP A-IMC Firewall Manager, follow these steps: 1. On the Windows desktop, click Start, and then select All Programs > Firewall Manag
63. d backup time. A backup file is uniquely identified by a version number assigned by the system. Compare two configuration files to find the differences. Click the restoration icon to set the startup configuration file and/or running configuration file of a label as the startup configuration file and/or running configuration file for the device. Table 12 Fields of the configuration label list. Label: Label of a startup configuration file and/or running configuration file. Running Config: Version number of the running configuration file associated with the label. Backup Time: Time when the running configuration file is backed up. Compare: Allows you to compare two configuration files, including the drafts, to find the differences. Follow these steps: 3. Click the icon of a file and select Compare as Left from the menu to place the file on the left side of the comparison page. 4. Click the icon of another file and select Compare To to place the file on the right side of the comparison page, as shown in Figure 13. IMPORTANT: The running configuration file does not support the xml format. Startup Config: Version number of the startup configuration file associated with the label. Backup Time: Time when the startup configuration file is backed up. Restore: Allows you to set the configuration file(s) identified by the label as the startup configuration file and/or running configuration file for the device.
64. [Figure residue: Access Logs list with columns Session ID, User, Visited Resource, Time, Device.] Authentication failure auditing. The authentication failure auditing allows you to audit authentication failure logs. Each log provides the username, reason for the authentication failure, authentication time, and IP address of the firewall device. It also supports flexible operation log query. Configuration guide: From the navigation tree of the SSL VPN auditing component, select Authentication Failure Auditing under Log Auditing to enter the page for auditing authentication failures, as shown in Figure 105. Figure 105 Authentication failure auditing (list columns: User, Authentication Information, Time, Device).
65. e 20. Figure 20 Device interface event list (columns: Time, Device IP, Interface, Status). Table 21 describes the event query options. You can use any combination of the options to query for the events of interest. Table 21 Device interface event query options. Start Time, End Time: Select the time period during which the device interface events occurred. Table 22 describes the fields of the device interface event list. You can select the check boxes before events and then click Delete to delete the events. Table 22 Fields of the device interface event list. Time: Time when the device interface event occurred. Device IP: IP address of the device in the device interface event. Interface: Interface in the device interface event. Status: Status of the device interface event. Managing device access templates. The device access template management function allows you to configure informati
66. e firewall management component, select Abnormal Traffic Logs under Event Auditing to enter the abnormal traffic log auditing page, as shown in Figure 52. This page lists the logs in order of time, with the most recent log at the top. Each log records the time, source IP and destination IP of the abnormal traffic, reason for giving the alarm, severity, and ratio of each protocol used by the abnormal traffic. Abnormal traffic log auditing allows you to query abnormal traffic logs by source IP, destination IP, reason, severity level, time, and device group, helping you analyze traffic for abnormal behaviors. Figure 52 Abnormal traffic log auditing (list columns: Time, Source IP, Destination IP, Session Establishment Rate (pps), Current Sessions, Ratio of Protocol, Reason, Severity Level; sample reasons: too many source IP sessions, too many destination IP sessions). Blacklist log auditing. Configuration guide: From the navigation tree of the firewall management component, select Blacklist Logs under Event A
67. e group or All devices from the Device drop-down list. The system will display the relevant event information. All devices and device groups that are under your management will appear in the drop-down list. IMPORTANT: If you select a device group, the system will display the event information matching the filter of all firewall devices in the device group in the specified statistics duration. If you select a device name, the system will display the event information matching the filter of the firewall device in the specified statistics duration. Filter: Select a filter from the drop-down list to filter attack events. Duration: Select the statistics duration. You can select Day, Week, or Month, or select Customize to specify a statistics duration. Time: Select the statistics time, whose value range varies with the statistics duration selected. Event: Select an attack event type to query the specified type of attack events. Protocol: Select the attack protocol. The default is which means any protocol. Severity: Select the attack severity. The default is which means any severity. Src IP: Specify the attack source IP address. Dest IP: Specify the attack destination IP address. Dest Port: Specify the attack destination port. Grouping: Select a grouping mode. The system supports seven grouping modes: None, Event, Src IP, Dest IP, Src IP and Dest IP, Dest Port, and Protocol. Table 55 Fields of the attac
68. e rule. Operation: Click the icon to copy the interzone rule. Return to Interzone rule management functions. Adding an interzone rule. From the navigation tree of the firewall management component, select Interzone rules under Security Policy Management. Click Add to enter the Adding an interzone rule page and configure the rule as shown in Figure 77 and Table 85. Figure 77 Add an interzone rule. Tip: Available items are in the list on the left and the chosen ones are in the list on the right. For the Src IP, Dest IP, and Service, choosing none means Any. Table 85 Interzone rule configuration items. Src Zone: Required. Select a source zone for the interzone rule. Dest Zone: Required. Select a destination zone for the interzone rule. Description: Optional. Type some descriptive information for the interzone rule. Valid characters for the description: letters, digits, blank spaces, colons, underscores, commas, periods
69. eck box, all data whose source IP address is not 1.1.1.1 will be displayed. Table 42 Filter configuration items. Filter Name: Required. Type a name for the filter. The filter name can comprise up to 40 characters. Filter Description: Optional. Type a description for the filter. The description can comprise up to 50 characters. Device: Optional. Select the devices that you want the system to collect statistics on. Source IP: Optional. Specify the source IP addresses that you want the system to collect statistics on. Destination IP: Optional. Specify the destination IP addresses that you want the system to collect statistics on. Source Port: Optional. Specify the source ports that you want the system to collect statistics on. Destination Port: Optional. Specify the destination ports that you want the system to collect statistics on. Protocol: Optional. Select the protocols that you want the system to collect statistics on. Event: Optional. Specify the events that you want the system to collect statistics on. CAUTION: The configuration items given in the previous table can be used to define query conditions. For example, you can enter source IP address 1.1.1.1 to search for data with the source IP address being 1.1.1.1, or enter source IP address 1.1.1.1 and select the Invert selection check box to search for data whose source IP address is not 1.1.1.1. Return to Filt
70. elete filters that are no longer in use. Follow these steps: 1. Select the check boxes before the filters to be deleted. 2. Click Delete. Deleting filters. Filter list. From the navigation tree of the system management component, select Filter Management under System Config. The filter management page appears, as shown in Figure 33. Table 41 Fields of the filter list. Filter Name: Name of the filter. Filter Description: Description of the filter. Device: Device that the system collects statistics on. Operation: Click the icon of a filter to modify the settings of the filter. Return to Filter management functions. Adding a filter. From the navigation tree of the system management component, select Filter Management under System Config to enter the filter management page. Then click Add to enter the page for adding a filter, as shown in Figure 34. Table 42 describes the filter configuration items. Figure 34 Add a filter. Notes: The above conditions will be used for query. For example, if you enter source IP address 1.1.1.1, all data with the source IP address 1.1.1.1 will be displayed; if you also select the Invert selection ch
71. em. You must specify the filename, and the filename must not be used by any existing file. Leading spaces and ending spaces in the filename will be removed, and the filename cannot contain any of these characters: < > &. Return to Configuration segment management functions. Deploying a configuration segment. On the configuration segments list, click the icon of a configuration segment to configure a deployment task for the segment, as shown in Figure 93. 1. Select devices. Click Add Device and select the devices you want to deploy the configuration segment to, and then click Next. Figure 93 Select the devices you want to deploy the configuration segment to (wizard steps: 1 Select devices, 2 Configure parameters, 3 Configure deployment task attributes, 4 Confirm your configuration). 2. Configure parameters. Type the SNMP version and community string, and click Next. Figure 94 Configure parameters.
72. emarks on the software. Import Time: Time when the software is imported. Size: Size of the software file. Check: Allows you to check whether the exported software is consistent with the device software. Rename: Allows you to rename the software file. Export: Allows you to export the software to a local place. Deployment: Allows you to deploy the software to devices. Importing device software. From the navigation tree of the system management component, select Device Software Database under Device Management to enter the device software database page, as shown in Figure 23. Then click Import to bring up the device software import page, as shown in Figure 24. You can import device software from a file or from devices. To import device software from a file, specify the source and destination files. To import device software from devices, specify the devices. Figure 24 Device software import page. Managing deployment tasks. This function allows you to view all deployment task information. Configuration guide: From the navigation tree of the system management component, select Deploy Task under Device Management to enter the deployment task list page, as shown in Figure 25. Figure 25 Deployment task list.
73. ent select User Access Records under Log Auditing to enter the user access records page, as shown in Figure 102.
Figure 102: User access record auditing (list columns: Session ID, User, User IP, Virtual IP, Login Time, Logout Time, Online Duration, Device, Operation, Visited Resource)
Operation log auditing
Operation log auditing allows you to audit the operations of SSL VPN system operators based on the username, the executed operation and related parameters, the operation time, and the IP address of the firewall device. It also supports flexible operation log queries.
Configuration guide
From the navigation tree of the SSL VPN auditing component, select Operation Log Auditing under Log Auditing to enter the operation log auditing page, as shown in Figure 103.
Figure 103: Operation log auditing
74. er > Uninstall Firewall Manager to enter the uninstall page.
2. Click Uninstall and then click Next repeatedly as prompted.
3. Restart the operating system.
4. Remove all files and subdirectories under the Firewall Manager installation directory (C:\Program Files\Firewall Manager, for example) and the installation directory itself, if any.
CAUTION: During the uninstallation process, no system data backup operation is performed and all data is removed. If you need the system data, back up the data before uninstalling the Firewall Manager.
System management
The system management component is mainly used to configure the firewall devices to be managed by the Firewall Manager. To access the system management component, select the System Management tab. Then you can perform:
• Device management
• Operator management
• System configuration
• License management
The license management function allows you to apply for, register, and view a license. The license mechanism is used for enterprise identity authentication.
Device management
The device management module allows you to perform the following tasks:
• Managing devices
• Managing batch import
• Managing device groups
• Managing events
• Managing device access templates
• Managing the device software database
• Managing deployment tasks
Managing devices
Device management
After completing device group and template configuration, you can add devices to be
75. er management functions
Managing LDAP servers
This function allows you to configure LDAP servers. Then you can select LDAP authentication to verify the operator's username and password when they log in to the Firewall Manager system.
Configuration guide
From the navigation tree of the system management component, select LDAP Server Management under System Config. The LDAP server management page appears, displaying all LDAP servers.
Figure 35: LDAP server management page
Table 43 LDAP server management functions
Function: Description
LDAP server list: Allows you to view details about LDAP servers and modify LDAP server settings.
Adding an LDAP server: Allows you to add an LDAP server.
Deleting LDAP servers: Allows you to delete one or more LDAP servers from the system.
LDAP server list
The LDAP server list is on the LDAP server management page, as shown in Figure 35.
Table 44 Fields of the LDAP server list
Field: Description
Server Name: Name of the LDAP server.
Server IP Address: IP address of the LDAP server.
Server Version: Version information of the LDAP server.
Operation: Click the icon of an LDAP server to modify the settings of the filter.
Import Users: The device does not support importing users.
Return to LDAP server management functions.
76. Tip: The Device column displays the devices configured with the security zone.
Table 61 Security zone management functions
Function: Description
Security zone list: Allows you to view the detailed information of all security zones.
Adding a security zone: Allows you to add a security zone.
Importing security zones from a device: Allows you to import security zones from a device.
Deleting security zones: Allows you to delete security zones. Follow these steps: 1. Select the check boxes before the security zones to be deleted. 2. Click Delete.
CAUTION:
• Security zones Local, Trust, DMZ, and Untrust are system predefined security zones and cannot be deleted.
• Security zones that have been referenced cannot be deleted.
Security zone list
The security zone list is on the security zone management page, as shown in Figure 58. Table 62 describes the fields of the list.
Table 62 Fields of the security zone list
Field: Description
Security Zone: Name of the security zone.
Device: Device that is configured with the security zone.
Referenced: Whether the security zone is referenced or not.
Operation: Click the icon to delete the security zone.
Return to Security zone management functions.
Adding a security zone
From the navigation tree of the firewall management component, select Security Zones under Security
77. es but not configured on the device. Rules that cover these security zones will not be deployed to the device. (Field: Remarks)
Operation:
• Click the icon to apply policies to the device (see Applying interzone policies).
• Click the icon to view the rules applied to the device (see Applied rules list).
Return to Interzone policy application management functions.
Applying interzone policies
From the navigation tree of the firewall management component, select Apply Interzone Policy under Security Policy Management. Select a device and click Apply. The interzone policy application page appears, as shown in Figure 85. Select the policies to be applied from the left box, click Add >> to add the policies to the right box, and click Apply.
Figure 85: Apply policies to the device
CAUTION: The left box lists the available policies. The right box lists the policies to be applied to the device. Leaving the right box blank deletes all interzone policies on the device.
Applied rules list
From the navigation tree of the firewall management component, select Apply Interzone Policy under Security Policy Management. Click the icon of a device to view the rules a
78. ete report export tasks. Follow these steps: 1. Select the check boxes before the tasks to be deleted. 2. Click Delete. (Function: Deleting report export tasks)
Report export file list
From the navigation tree of the firewall management component, select Event Export Tasks under Event Analysis to enter the report export task management page, as shown in Figure 48. Click the icon of a task to display all generated report files of the task and the file creation time. These files have the same suffix, which is .xls. Click a report file's name link to export the file.
Figure 49: Report export file list
Table 59 Fields of the report export file list
Field: Description
Filename: Name of the report export file.
Creation Time: Time when the report export file was created.
Return to Report export task management functions.
Adding a report export task
From the navigation tree of the firewall management component, select Event Export Tasks under Event Analysis to enter the report export task management page, as shown in Figure 48. Then click Add to enter the page for adding a report export task, as shown in Figure 50. Table 60 describes the configuration items of a report export task.
Figure 50: Add a report export task
79. event information from history data of months
Configuration guide
From the navigation tree of the firewall management component, select Event Details under Event Analysis to enter the attack event details page, as shown in Figure 47. This page allows you to query attack events by event name, type, severity, source IP, destination IP, destination port, and protocol to view the event details. Table 54 describes the event details query options. Table 55 describes the fields of the attack event details list.
Figure 47: Attack event details (list columns: Time, Src IP, Dest IP, Event, Dest Port, Protocol, Event Count)
Table 54 Event details query options
Option: Description
Select a device a devic
80. Table 18 Event management functions
Function: Description
Device event list: Allows you to view details about device events.
Device interface event list: Allows you to view details about device interface events.
Device event list
Table 19 describes the device event query options. You can use any combination of the options to query for the device events of interest.
Table 19 Device event query options
Option: Description
Select the time period during which the device events occurred. By default the value of this option is which means any time.
Device IP: Type the IP address of the device in dotted decimal notation.
Severity: Select the severity level of the device events. Severity levels in descending order are critical, major, minor, and warning. By default the value of this option is which means all levels.
Table 20 describes the fields of the device event list. You can select the check boxes before events and then click Delete to delete the events.
Table 20 Fields of the device event list
Field: Description
Severity: Severity level of the device event.
Source: Label and IP address of the device that is the source of the device event.
Description: Description of the device event.
Time: Time when the device event occurred.
Device interface event list
Select the Device Interface Event List tab to enter the device interface event list page as shown in Figur
81. Device software management
Device software refers to the software that a firewall device runs to provide services. It can be regarded as the operating system of the device. The device software management function provides you with the software information of the firewall devices and allows you to perform a series of operations on the software of firewall devices, including deploying software to devices and backing up the software of devices. The device software list also displays the device type, the current software version, and the latest available new software version.
Configuration guide
From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then select the Device Software Management tab to bring up the device software management page, as shown in Figure 6. Table 5 describes the device software management functions and Table 6 describes the fields of the device software list.
Figure 6: Device software management page
82. he device.
Telnet Password: Password for telneting to the device, displayed as a string of asterisks.
Operation:
• Click the icon of a template to modify the template.
• Click the icon of a template to delete the template.
Return to Template management functions.
Adding a template
From the navigation tree of the system management component, select Access Template List under Device Management to enter the access template management page. Then click Add to add a template, as shown in Figure 22 and Table 25.
Figure 22: Add a template
Table 25 Template configuration items
Item: Description
Template Name: Required. Type a name for the template, a string of 1 to 20 characters.
Web Username: Required. Specify the username for managing the device through web. The username can comprise up to 20 characters.
Web Password: Required. Specify the password for managing the device through web. IMPORTANT: The strength of the password must meet the password strength requirements of the device.
Web Port: Required. Specify the port of the device providing web access service. Port 80 is the default.
Telnet Username: Optional. Specify the username for telneting to the device. The username can comprise up to 20 characters.
Telnet Password: Optional. Specify the password for telneting to the device. IMPORTANT
SNMP Version C
83. he next hop being 192.168.250.254, which is the IP address of the gateway for accessing the internet.
Figure 112: Configure a default static route (Destination 0.0.0.0, Mask 0.0.0.0, Protocol Static, Priority 60, Next Hop 192.168.250.254)
4. Configure SNMP on the FW device.
To connect the device with the Firewall Manager, first enable all versions of SNMP. Create a community named public that allows read-only access, and create a community named private that allows write operations. Enter the following commands in the CLI:
[A-F1000-E] snmp-agent sys-info version all
[A-F1000-E] snmp-agent community read public
[A-F1000-E] snmp-agent community write private
Configuring the Firewall Manager
1. Install the Firewall Manager.
Install the Firewall Manager software on the host 192.168.247.194 and visit http://192.168.247.194 to log in to the Firewall Manager management webpage. The default username is admin and the default password is admin.
2. Register the license.
Select the System Management tab to enter the system management configuration page. Then, from the navigation tree, select License Registration under License Management to enter the license registration page. Select the license file and then click Apply to complete registration.
3. Add the FW device to the Firewall Manager.
Add the FW device to the Firewall Manager
84. hen edit the content of the draft.
Allows you to set the configuration file identified by the version as the running configuration file for the device.
Return to Tabs on the device configuration information management page and functions provided.
Draft
You can save a configuration file as a draft or create a new draft. On the device configuration management list, you can click the icon in the Management column of a device to bring up the configuration information management interface of the device, as shown in Figure 12. Then click the Draft tab to enter the draft management page, as shown in Figure 15. You can customize a configuration file and apply it to the device.
The Draft tab allows you to:
• Edit a configuration file and save it as a draft.
• Add and delete drafts.
• Click the restoration icon to replace the contents of the draft with the current startup or running configuration file.
• Compare a draft with itself, another draft, or any configuration file to find the differences.
Figure 15: Draft list (columns: Name, Description, Creation Time, Last Modify Time, Compare, Restore)
Table 14 Fields of the draft list
Field: Description
Name
85. 3. Configure deployment task attributes as shown in Figure 95, and click Next.
Figure 95: Configure deployment task attributes (fields: Task Name, Description, Deployment Sequence, Error Handling, Deployment Time)
4. Confirm your configuration. You can click the icon in the device list to view the configuration content to be deployed. To modify your configuration, click Previous. Check that everything is OK and click Finish.
Figure 96: Confirm your configuration
Return to Configuration segment management functions.
Managing deployment tasks
Configuration
86. ice software to the database from files or devices and deploy software to devices.
Configuration guide
From the navigation tree of the system management component, select Device Software Database under Device Management to enter the device software database page, as shown in Figure 23. Table 26 describes the device software database functions, Table 27 describes the device software database query option, and Table 28 describes the fields of the device software database list.
Figure 23: Device software database page
Table 26 Device software database functions
Function: Description
Importing device software: Allows you to import device software from a file or from a device.
Deleting device software: Allows you to remove software that is no longer in use. Follow these steps: 1. Select the check box before software names. 2. Click Delete.
Deploying software to device: Allows you to deploy software to devices.
Table 27 Device software database query option
Option: Description
Software Name: Specify the name of the software.
Table 28 Fields of the device software database list
Field: Description
Software Name: Name of the software file.
Declaration: R
87. Configuration example 1
Network requirements
The HP A-IMC Firewall Manager works with HP firewall devices. The Firewall Manager collects attack events and logs sent by the firewall devices, processes and analyzes the collected data, and presents the information to the Firewall Manager operators. You need to ensure that there is a reachable route between the Firewall Manager server and each managed HP firewall device.
Configuration procedure
Adding devices to the firewall manager
Adding devices to HP Firewall Manager is a prerequisite for other operations, such as querying device information. This section describes how to add devices to the HP Firewall Manager.
1. Select the System Management component and then select Device List under Device Management from the navigation tree to enter the device management page. Click Add to enter the page for adding a device, as shown in Figure 106. Generally, you can just enter the IP address and label (a string for identifying a device) of a device and leave other fields with the default settings.
Figure 106: Add a device to the system management component
2. Select the Firewall
88. Table 64 Time range management functions
Function: Description
Time range list: Allows you to view the detailed information of all time ranges.
Adding a time range: Allows you to add a time range.
Deleting a time range: Allows you to click the icon of a time range to delete the time range.
Time range list
The time range list is on the time range management page, as shown in Figure 61. Table 65 describes the fields of the list.
Table 65 Fields of the time range list
Field: Description
Name: Name of the time range.
Description: Time periods that the time range covers.
Referenced: Whether the time range is referenced by a security policy or not.
Operation: Click the icon to delete the time range.
Return to Time range management functions.
Adding a time range
From the navigation tree of the firewall management component, select Time Ranges under Security Policy Management to enter the time range management page, as shown in Figure 61. Click Add to enter the Add Time Range page, configure the time range as described in Table 66, and click Add.
Figure 62: Add a time range
89. ion guide
From the navigation tree of the firewall management component, select Other Logs under Event Auditing to enter the page for auditing other logs, as shown in Figure 55. The page lists the logs in order of time, with the most recent log at the top. Each log records the log time, content, and alarm severity level. You can query the logs by content, device group, severity level, and time, so as to get an idea of other logs.
Figure 55: Other log auditing (list columns: Time, Content, Severity Level)
90. is page provides the detailed attack statistics data, where you can view the detailed attack statistics in different ways. See Event overview for details.
Managing the device configuration database
The system provides a centralized configuration segment management interface with a set of predefined configuration segments. You can customize your own configuration segments based on these predefined segments, and modify, copy, delete, export, or deploy the custom configuration segments. You can also import configuration files from devices and modify them to quickly create new configuration segments that satisfy your requirements.
Configuration guide
From the navigation tree of the firewall management component, select Device Configuration Database under Policy Management to enter the device configuration segment management page, as shown in Figure 90. On this page, you can query configuration segments by filename and file type; add, modify, or delete configuration segments; import a configuration segment from a local file; or import a configuration file from a device.
Figure 90: Device configuration segment management page (list columns: Filename, File Type, Creation Time, Description, Operation)
91. iting
Configuration guide
From the navigation tree of the firewall management component, select Operation Logs under Event Auditing to enter the operation log auditing page, as shown in Figure 54. This page lists the logs in order of time, with the most recent log at the top. Each log records the operation's time, username, IP address of the PC used to access the system, operation performed, and alarm severity level. Operation log auditing allows you to query operation logs by username, user IP, operation, severity level, time, and device group, helping you know the information of login users and track the users' operations.
Figure 54: Operation log auditing (list columns: Time, Username, User IP, Operation, Severity Level)
Other log auditing
Configurat
92. k event details list
Field: Description
Time: Time when the attack event occurred.
Src IP: Attack source IP address.
Dest IP: Attack destination IP address.
Event: Name of the event.
Dest Port: Attack destination port.
Protocol: Protocol used by the attack.
Event Count: Number of events that occurred at the time.
CAUTION: Logs are aggregated at 3 o'clock every day. When you query event information of the current month, the system displays only the data collected from the first day of the month to the day before the current day.
Report exporting management
This function is for exporting reports periodically. You can specify the report export period, filter, template, and notification mode to define a report export task. Then the system will automatically export reports according to your configuration. You can have a generated reports file sent to an email box or download the reports file from the system.
Configuration guide
From the navigation tree of the firewall management component, select Event Export Tasks under Event Analysis to enter the report export task management page, as shown in Figure 48, where you can query report tasks by specifying a report period and/or filter.
Figure 48: Report export task management page
93. Predefined configuration segments shown in the list (file type cfg), by description: Add SNMP read-only community string; Delete SNMP community string; Add SNMP trap destination without specifying the port; Disable SNMP trapping; Configure password authentication for Telnet users; Configure local authentication for Telnet users; Enable Syslog; Disable Syslog; Cancel log level; Remove log host; Add/modify local user; Delete local user; Disable service for local user.
Table 99 Configuration segment management functions
Function: Description
Configuration segment list: Allows you to view information about all configuration segments.
Adding a configuration segment: Allows you to add a configuration segment.
Importing a configuration segment: Allows you to import a configuration segment from a locally saved file. On the configuration segment management page click the Import butto
94. ls: common operator, system administrator, and super administrator. A higher level operator has all the rights of operators of a lower level. Table 31 describes the rights of the three user levels.
Table 31 User levels and the rights
User level: Rights
Common operator (visitor level):
• Use the Ping tool
• Cannot perform any configuration
System administrator (monitoring level):
• Use the Ping tool
• View configuration information except for user information
• View log information except for operation logs
• Perform configurations except for user configuration, operation logging configuration, managing device groups, batch import, access template management, System Parameter Management, Ports, Mail server, LDAP Server Management, Log Retention Time, disk monitoring, subsystem management, license management
Super administrator (management level):
• View all configurations
• View all logs
• Perform all configurations
Configuration guide
From the navigation tree of the system management component, select Operators under Operator Management. The operator management page appears, as shown in Figure 26.
Figure 26: Operator management page (list columns: Login Name, Role, Last Login Time, Managed Device Group, Authentication Mode, Operation)
Table 32 Operator management functions
Function: De
95. managed. Only after you add devices to the system component successfully can you add the devices to the firewall component to collect statistics on and analyze attack information. The device management page allows you to add and delete devices. The device list shows the details of all managed devices and provides the links for you to export configurations and connect to the devices through web or Telnet.
Configuration guide
From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, showing the basic information of all devices added successfully to the Firewall Manager.
Figure 3: Device management page (list columns: Running Status, Device Label, Device Group, Device Type, IP Address, Operation)
Table 1 Device management functions
Function: Description
Device list: Allows you to view details about devices, export configurations, and connect to the devices through web or Telnet.
Adding a device: Allows you to add devices to be managed.
Deleting devices: Allows you to delete devices from the list of managed devices. Follow these steps: 1. Select the check boxe
96. management functions. Function / Description: Interzone policy application list: Allows you to view all interzone policy applications in the system. Applying interzone policies: Allows you to apply an interzone policy to devices. Applied rules list: Allows you to manage the interzone rules deployed on the specified devices. Redeploying a policy: Allows you to redeploy an interzone policy to devices. Interzone policy application list: From the navigation tree of the firewall management component, select Apply Interzone Policy under Security Policy Management. The interzone policy application list is at the lower part of the page. See Figure 84. Table 91 describes the policy application query options, and Table 92 describes the fields of the policy application list. Table 91 Interzone policy application query options. Option / Description: Device: Query interzone policy applications by device. Policy: Query interzone policy applications by policy. Table 92 Fields of the interzone policy application list. Field / Description: Device Label: Name and IP address of the device to which the interzone policy is applied. Device Group: Device group that the device is in. Policy Name: Name of the policy applied to the device. You can click the policy name link to manage the policy's rules (see Rule management). Application Result: Application result of the interzone policy. Displays the security zones that are covered by some of the policy s rul
97. mponent supports centralized monitoring of security events. It can collect and report attack events in real time and provide the snapshot information based on firewall devices and events. Snapshot of events: The event snapshot presents the attack protection information in the last hour, including the time, total number of events, blocked events count, source addresses and destination addresses, as well as event types. Besides, it provides the TopN list of attack events, attack destination IP addresses and ports, attack sources, and attack protocols, helping you track the latest security status of the network in an intuitive way. Configuration guide: From the navigation tree of the firewall management component, select Snapshot of Events under Events Monitor to enter the event snapshot page, as shown in Figure 42. Figure 42 Snapshot of events. Screenshot: Attack Event Trends per 5 Minutes chart (Blocked Attack Event, Other Attack Event); panels Top 5 Attack Events, Top 5 Attack Destinations, Top 5 Attack Destination Ports; Statistics Time 2009-03-24 15:15:00 to 2009-03-24 16:15:00; Total Attack Events 372; Blocked Attack Events
98. n Allows you to selected configuration segments. Deleting configuration segments: On the configuration segment management page, select the configuration segments that you want to delete and click the Delete button. Refreshing configuration segments: Allows you to refresh the configuration segments list. On the configuration segment management page, click the Refresh button. Importing configuration segments: Allows you to import the running configuration file from a device. Configuration segment list: The configuration segment list is on the configuration segment management page, as shown in Figure 90. Table 100 Fields of the configuration segments list. Field / Description: Filename: Name of the configuration segment file. File Type: Type of the configuration segment file. Creation Time: Creation date and time of the configuration segment. Description: Detailed description of the configuration segment. Operation: Click the corresponding icon of a configuration segment to rename the configuration segment file; to modify the description and configurations of the segment; to copy the segment; to export the segment; or to configure a deployment task for the segment (see Deploying a configuration segment).
99. n page appears, as shown in Figure 31. Table 38 describes the management port configuration items. Figure 31 Management port configuration page (screenshot: Management Ports: NAT Logs Port 30017, Syslog Logs Port 30514, NetStream V9 Logs Port 20011. Note: To receive logs normally, enter a valid port number and ensure that the port is not occupied by another application). Table 38 Management port configuration items. Item / Description: NAT Logs Port: Required. Type the port for receiving NAT logs. The port number must be in the range from 1 to 65534. Syslog Port: Required. Type the port for receiving syslogs. The port number must be in the range from 1 to 65534. NetStream V9 Logs Port: Required. Type the port for receiving NetStream V9 logs. The port number must be in the range from 1 to 65534. Configuring the mail server: This module allows you to configure the mail server information so that the system emails alarm information to the specified server. Configuration guide: From the navigation tree of the system management component, select Mail Server under System Config. The mail server configuration page appears, as shown in Figure 32. Table 39 describes the mail server configuration items. Figure 32 Configure the mail server. Screenshot fields: SMTP Mail Server, Require authentication, Username, Password, Sender's Mail Address, Send a test email, Send to, Test
100. nity String for Writing Required. Specify the username for managing the device through web. The username can comprise up to 20 characters. Required. Specify the password for managing the device through web. The strength of the password must meet the password strength requirements of the device. Optional. Specify the port of the device to be connected with the network. The port number must be an integer in the range from 0 to 65535. Optional. Specify the username for telneting to the device. The username can comprise up to 20 characters. Optional. Specify the password for telneting to the device. IMPORTANT: The strength of the password must meet the password strength requirements of the device. Required. Select an SNMP version, which can be SNMPv1, SNMPv2, or SNMPv3. Required. Specify the SNMP read community string to be used for communication with the device. The string can comprise up to 20 characters. Required. Specify the SNMP write community string to be used for communication with the device. The string can comprise up to 20 characters. Required for SNMPv3. Specify the authentication username to be used for communication with the device. Required for SNMPv3. Specify the authentication protocol to be used for communication with the device. Password Encryption Protocol Required when you select the authentication protocol HMAC MD5 or HMAC SHA. Specify the authentication password to be used f
101. nt type, cfg or xml. Filename: Required. Type a filename for the configuration segment. A filename must be unique in the system. Leading spaces and ending spaces in the filename will be removed, and the filename cannot contain any of these characters c amp 96 N. Description: Optional. Type some descriptive information for the configuration segment. Configurations: Required. Type the contents of the configuration segment. Return to Configuration segment management functions. Importing configuration segments from device: On the configuration segment management page, click Import from Device to import the running configuration file of a device. Select a device, select the file type, specify a filename and a description, and click Import to import the running configuration file of the device. After the import operation completes successfully, a configuration segment by the name you specified will appear in the configuration segments list. Later, you can modify the content of the segment as desired. Figure 92 Import the running configuration file of a device (screenshot fields: Device, File Type (cfg or xml), Filename, Description). CAUTION: Available devices are those added in the device management module of the firewall management component. The imported configuration file will be saved with the specified filename in the syst
102. of a device to remove it from the list. Select a location from the Device Storage Path drop down list to specify where the software should be saved on the device. Generally, the root directory of the CF card is selected. Deploy Software Version: Required. Click the link in this column to select the software version to be deployed. Deployment Sequence: Required. Select a deployment mode to deploy the software to the devices in parallel (Parallel) or one by one (Serial). When the deployment sequence is serial, the icons are configurable for adjusting the sequence. Error Handling: Required when the deployment mode is Serial. Specify the error handling scheme to be used when a deployment error occurs. Deployment Policy: Required. Select the actions to be taken after deploying the software selected in the Deploy Software Version column. Set the currently running software as the backup startup software: Specifies secpath 1000fe cmw520 b5002 bin as the main startup software and the current running software as the backup startup software. Delete software that is currently running: Specifies secpath 1000fe cmw520 b5002 bin as the main startup software and deletes the current running software from the device. Delete startup software that is currently backup: Specifies secpath 1000fe cmw520 b5002 bin as the main startup software, deletes the backup startup software from the device, and leaves the current running sof
103. ommunity String for Reading, Community String for Writing, Authentication Username, Authentication Protocol, Password, Encryption Protocol, Password. The strength of the password must meet the password strength requirements of the device. Required. Select an SNMP version, which can be SNMPv1, SNMPv2, or SNMPv3. Required. Specify the SNMP read community string to be used for communication with the device. It can be a string of up to 20 characters. Required. Specify the SNMP write community string to be used for communication with the device. It can be a string of up to 20 characters. Required for SNMPv3. Specify the authentication username to be used for communication with the device. Required for SNMPv3. Specify the authentication protocol to be used for communication with the device. Required when you select the authentication protocol HMAC MD5 or HMAC SHA. Specify the authentication password to be used for communication with the device. Required when you select the authentication protocol HMAC MD5 or HMAC SHA. Specify the encryption protocol to be used for communication with the device. Required when you select the encryption protocol CBC DES or AES 128. Specify the encryption password to be used for communication with the device. Return to Template management functions. Managing the device software database: The device software database is used to save all device software. It allows you to import dev
104. on such as the device login password. Configuration guide: From the navigation tree of the system management component, select Access Template List under Device Management. The access template management page appears, as shown in Figure 21. Table 23 describes the template management functions. Figure 21 Access template management page (screenshot: Access Template List with columns Template, Version No, Web Username, Web Port, Web Password, Telnet Username, Telnet Password, Operation). Table 23 Template management functions. Function / Description: Template list: Allows you to view details about access templates and modify and delete templates. Adding a template: Allows you to add templates. Template list: From the navigation tree of the system management component, select Access Template List under Device Management. The access template management page appears, as shown in Figure 21. Details of all access templates are displayed on the page. Table 24 Fields of the template list. Field / Description: Template: Name of the template. Version No: Version of the template. Web Username: Username for managing the device through web. Web Port: Port of the device providing web access service. Web Password: Password for managing the device through web, displayed as a string of asterisks. Telnet Username: Username for telneting to t
105. or communication with the device. Required when you select the authentication protocol HMAC MD5 or HMAC SHA. Specify the encryption protocol to be used for communication with the device. Password: Required when you select the encryption protocol CBC DES or AES 128. Specify the encryption password to be used for communication with the device. Multi Card Device: Optional. Configure the cards in the device. IMPORTANT: You can specify the card 1 IP address, card 2 IP address, or both. The input IP address must be in the dotted decimal notation, such as 192.168.0.35. Return to Device management functions. Device information: From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then you can click the device label link of a device to display the details of the device and modify the information of the device, as shown in Figure 5. Figure 5 Device information. Screenshot fields: Device Label, Device Group, System Name, Running Status, IP Address, Contact, Device Location, Running Time, Device Model, Firewall Type, Last Poll Time, Calibration, System Description, Multi Card Device; Basic Performance Monitoring Item Values Polled Last (CPU Usage, Memory Usage); links Telnet to Device, Open Console, Modify Label, Chan
106. or the description: letters, digits, blank spaces, colons, underscores (_), commas, periods, exclamatory marks, and hyphens, where underscores can't appear at the beginning or end of the name. IP Address: Required. Specify a subnet address. The IP address must be in dotted decimal notation. Wildcard: Required. Select a wildcard mask for the subnet address. Excluded Addresses: Required. Specify the IP addresses to be excluded from the subnet. Input an IP address and click Add next to the text box to add the IP address to the excluded IP addresses list. You can also select an IP address on the list and click Delete to remove the IP address from the list. The IP addresses must be in dotted decimal notation. To delete subnet addresses, select them and click Delete on the subnet address management page. Return to IP address management functions. IP address groups: From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management. Click the IP Address Groups tab to enter the IP address group management page, as shown in Figure 74. Table 80 describes the fields of the IP address group list. Figure 74 IP address group management page. Screenshot: tabs Host Addresses, Address Ranges, Subnet Addresses, IP Address Groups; buttons Add and Delete; list columns Name, Member, Description, Referenced, Operation C grou
107. ore e after Please select the ID of the rule 1 Trust OM Figure 83 Policy's rule list after sorting the order (screenshot: rules of policy default, with columns ID, Src Zone, Dest Zone, Src IP, Dest IP, Service, Time Range, Description, Action, Status, Logging, Sort, Details, Modify). Return to Fields of the policy's rule list. Interzone policy applications. Configuration guide: From the navigation tree of the firewall management component, select Apply Interzone Policy under Security Policy Management to enter the interzone policy application management page, as shown in Figure 84. Table 90 shows the functions available on the page. Figure 84 Interzone policy application management (screenshot: query options Device and Policy; buttons Apply and Redeploy; list columns Device Label, Device Group, Policy Name, Application Result, Remarks, Operation). Tip: The Remarks column displays the security zones that are covered by some of the policy's rules but are not configured on the device. Rules that cover these security zones will not be deployed to the device. Table 90 Interzone policy application
108. ou want to cancel and click the Cancel button. Only a task waiting for execution can be canceled. Deleting deployment tasks: Allows you to delete deployment tasks. Follow these steps: 1. Select the check boxes before the deployment tasks to be deleted. 2. Click Delete. Deployment task list: From the navigation tree of the firewall management component, select Deployment Tasks under Policy Management. The deployment task list is at the lower part of the page. See Figure 97. Table 103 describes the fields of the list. Table 103 Fields of the deployment task list. Field / Description: Execution Status: Execution status of the task. Task Name: Name of the task. Task Type: Type of the task. Creation Time: Creation date and time of the task. Creator: Administrator who created the task. Start Time: Time when the task started. End Time: Time when the task ended. Modify: The Modify icon brings you to the task modification page, where you can modify task attributes such as the description, deployment sequence, error handling mode, and deployment time. Details: The Details icon brings you to the details page of a task. SSL VPN auditing: As Virtual Private Network (VPN) is much cheaper and more flexible to use than leased lines, more and more companies are establishing VPNs over public networks such as the Internet, so as to allow employees working at home or traveling on business, employees of branch offices, and partner
109. p test test amp i Table 80 Fields of the IP address group list. Field / Description: Name: Name of the IP address group. Member: Names of the members in the IP address group. Description: Descriptive information about the IP address group. Referenced: Whether the IP address group is referenced or not. Operation: Click the icon to modify the IP address group. To add an IP address group, click Add on the IP address group management page to enter the Add IP Address Group page and configure the IP address group, as shown in Figure 75 and Table 81. Figure 75 Add an IP address group (screenshot fields: Name (1 to 31 chars), Description (1 to 31 chars), Member selection list, Add button). Table 81 IP address group configuration items. Item / Description: Name: Required. Type a name for the IP address group. Valid characters for the name: letters, digits, underscores (_), periods, slashes, and hyphens, where underscores can't appear at the beginning or end of the name. IMPORTANT: The name must be unique in the system. It cannot be the same as the name of an existing host address, address range, subnet address, or IP address group. Description: Optional. Type some descriptive information for the IP address group. Valid characters for the description: letters, digits, blank spaces, colons, underscores (_), commas, periods, exclamatory marks, and hyphens, where underscores
110. page. Then click Add to add a device group, as shown in Figure 18 and Table 17. Figure 18 Add a device group (screenshot fields: Device Group Name, Description). Table 17 Device group configuration items. Item / Description: Device Group Name: Required. Type a name for the device group. The device group name can comprise up to 40 characters and must not contain these characters lt gt amp 19. Description: Optional. Type a description for the device group. The description can comprise up to 40 characters. Return to Device group management functions. Managing events. Configuration guide: The event management function records the operations on managed devices and logs the events, allowing you to track the status of devices. From the navigation tree of the system management component, select Events under Device Management. The device event list page appears by default, as shown in Figure 19. Table 18 describes the device management functions. Figure 19 Device event list page. Screenshot: query options Time, Device IP, Severity; Event List with columns Severity, Source, Description, Time; the sample rows are Critical events reporting that a device is down.
111. pplied to the device. Figure 86 shows the rules applied to device 192.168.0.30. Table 93 describes the query options, and Table 94 describes the fields of the rule list. Figure 86 List of rules applied to a device (screenshot: Interzone Rules for device 192.168.0.30, with columns Src Zone, Dest Zone, ID, Src IP, Dest IP, Service, Time Range, Action, Description, Status, Logging, Policy). Table 93 Applied rule list query options. Option / Description: Src Zone: Query interzone rules by source zone. Dest Zone: Query interzone rules by destination zone. Action: Query interzone rules by filtering action. Src IP: Query interzone rules by source IP. Dest IP: Query interzone rules by destination IP. Time Range: Query interzone rules by time range. Policy: Query interzone rules by policy. Status: Query interzone rules by status, enabled or disabled. Table 94 Fields of the interzone rule list. Field / Description: Src Zone: Source zone of the interzone rule. Dest Zone: Destination zone of the interzone rule. ID: ID of the interzone rule. When you create an interzone rule, the system automatically assigns an ID to the rule according to the
112. ption Device IP: Query a firewall device by its IP address. Device Label: Query a firewall device by its label. IMPORTANT: The label you input here must not include the parentheses and IP address. For example, if the device label is wxsh (10.154.78.120), input only wxsh. Table 97 Fields of the firewall device list. Field / Description: Device Label: Device name and IP address. You can click the link to view the detailed information of the device and modify the device settings. For more information, see Device information. Device IP: IP address of the device. Device Group: Device group where the device resides. Operation: Click the corresponding icon of a device to open the web console of the device, or to telnet to the device. Return to Firewall management functions. Adding firewall devices: This function is used to add firewall devices to the firewall management component. You can add only firewall devices that are under your management. From the navigation tree of the firewall management component, select Device Management under Device Management to enter the device management page. Then click Add to enter the page for adding firewall devices, as shown in Figure 88. Figure 88 Add firewall devices (screenshot: Add Device list with columns Device Label, Device IP, Device Group). Select the check boxes before the devices that you want to add to the
113. py (screenshot residue: deployment task list row for a Software Deployment task created by admin, status Executed successfully). Note: Only a task waiting for execution can be executed immediately. Only a task waiting for execution can be canceled. On the deployment task list, you can: Execute deployment tasks immediately; Cancel deployment tasks; Delete deployment tasks; Refresh the deployment task information. Table 29 describes the deployment task query option, and Table 30 describes the fields of the deployment task list. Table 29 Deployment task query option. Option / Description: Task Status: Select a state to list all deployment tasks in the state. Table 30 Fields of the deployment task list. Field / Description: Execution Status: Current status of the deployment task. Task Name: Name of the deployment task. Task Type: Type of the deployment task. Creation Time: Time when the deployment task is created. Creator: Creator of the deployment task. Start Time: Time when the deployment task starts. End Time: Time when the deployment task ends. Copy: Allows you to create a deployment task based on the selected one. Operator management: The operator management function allows you to manage operators and operation logs and to change operator passwords. Managing operators: This function allows you to manage the rights of web users. There are three user leve
114. r Event Auditing to enter the interzone access log auditing page, as shown in Figure 51. A zone is a set consisting of one or more network segments. Inter zone access logs are logs recorded by the firewall device when network segments of security zones are attacked. Interzone access log auditing is for analysis of such logs. Each log records the time when the attack occurred, the attack's source zone, destination zone, source IP and port, destination IP and port, attack protection rule ID, protocol, and action taken by the system, helping you know about the interzone access status of the network. Figure 51 Inter zone access log auditing (screenshot: query options Source IP, Destination IP, Device, Source Zone, Dest Zone, Start Time, End Time; Inter Zone Access Control Log List with columns Time, Source Zone, Destination Zone, Source IP and Port, Dest IP and Port, Rule ID, Protocol, Action). Abnormal traffic log auditing. Configuration guide: From the navigation tree of th
115. r Size 1000 Items 0 1024 Default 512. Log Host IP Address: Log Host 1 192.168.247.194, Port 30514 (range 1 to 65535, default 514). Refresh Period: Manual. The port number should be in accordance with the management port number set in Firewall Manager, which can be seen in System Management > System Config > Management Ports. Figure 115 Management Ports (screenshot: NAT Logs Port 30017, Syslog Logs Port 30514, NetStream V9 Logs Port 30011. Note: To receive logs normally, enter a valid port number and ensure that the port is not occupied by another application). 2. Configure User Log. Flow logging records users' access information to the external network. The device classifies and calculates flows through the 5 tuple information, which includes source IP address, destination IP address, source port, destination port, and protocol number, and generates user flow logs. Flow logs can be output in the following two formats, and you can select either one: Output to the specified userlog log host in UDP packets in binary format; Output to the information center of the device in the format of syslog, and it can be displayed as other syslogs in Log Report > Report and can be sent to a syslog server too. In this example we choose to send flo
116. rends of the network easily. The Firewall Manager presents the following key features: Visual realtime monitoring, which can help you detect network attacks in time; Perfect comprehensive analysis and rich statistics reports, which can reduce your analysis time; Fine log auditing, allowing you to track events; Friendly and easy to use interface, allowing easy deployment. Installation and uninstallation. Installing the firewall manager: The software and hardware requirements of the Firewall Manager are as follows. Hardware: P4 2.0 CPU or above, 1.5G memory or more, 80G disk or more. Operating system: Windows 2003 Server (recommended) or Windows XP, installed with the up to date patches. Browser: IE 6.0 or above. To install HP A IMC Firewall Manager, you only need to run the executable file install.exe, which is under the installation directory, and click Next repeatedly as prompted. CAUTION: After finishing installation, you must restart the operating system. Registering the firewall manager: In the address bar of the browser, enter http://localhost to open the login page. The default login username and password are admin and admin respectively. CAUTION: The last character of the password is digit 1. When you log in to the Firewall Manager for the first time, you will see the license information page and such a prompt: You haven't registered. Please register to use the system normally. You can o
117. ribes the fields of the list. Table 87 Fields of the interzone policy list. Field / Description: Policy Name: Name of the interzone policy. Description: Descriptive information about the interzone policy. Device: Name of the device to which the interzone policy is deployed. Referenced: Whether the interzone policy is referenced or not. Rules: Click the icon to enter the page for managing the policy's rules (see Rule management). Return to Interzone policy management functions. Adding an interzone policy: From the navigation tree of the firewall management component, select Interzone policies under Security Policy Management. Click Add to enter the Adding Interzone Policy page and configure the policy, as shown in Figure 79 and Table 88. Figure 79 Add an interzone policy (screenshot fields: Name (1 to 31 chars), Description). Table 88 Interzone policy configuration items. Item / Description: Name: Required. Type a name for the interzone policy. The name cannot contain any of these characters amp N. Description: Optional. Type some descriptive information for the interzone policy. Return to Interzone policy management functions. Rule management: From the navigation tree of the firewall management component, select Interzone policies under Security Policy Management. Click the icon of a policy to enter the policy's rule management page. Figure 80 shows the rule management page of the polic
118. [Figure residue: Snapshot of events page (Firewall > Events Monitor > Snapshot of Events), with an attack event trend chart (Blocked Attack Event, Other Attack Event; severities Critical, Major, Minor, Warning), the panels Top 5 Attack Events, Top 5 Attack Destinations and Top 5 Attack Sources, and a Recent Events list with columns Time, Device IP, Source IP, Destination IP, Event, Protocol Name, Source Port, Destination Port.]
119. s bap: TCP, source port any, destination port 173; chargen: TCP, source port any, destination port 19; cmd: TCP, source port any, destination port 514; daytime: TCP, source port any, destination port 13; dhcp relay: UDP, source port any, destination port 67; discard tcp: TCP, source port any, destination port 13; finger: TCP, source port any, destination port 73; ftp: TCP, source port any, destination port 21; ftp get: TCP, source port any, destination port 21; ftp put: TCP, source port any, destination port 21; gopher: TCP, source port any, destination port 70; http: TCP, source port any, destination port 80; https: TCP, source port any, destination port 443. Table 67 Service management functions. Function / Description: Predefined services: Allows you to view the detailed information of all predefined services. User defined services: Allows you to manage user defined services. Service groups: Allows you to manage service groups. Predefined services: The predefined services are displayed by default when you select Services under Security Policy Management. See Figure 63. You can view predefined services but cannot delete or modify them. Table 68 describes the fields of the service list. Table 68 Fields of the predefined service list. Field / Description: Name: Name of the service. Protocol: Protocol used by the service. Protocol Parameters: Parameters configured for the protocol. Return to Service management functions.
120. s before the devices to be deleted. 2. Click Delete.
Refreshing device information: Allows you to obtain the up-to-date device information.

Device list
From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Table 3 describes the fields of the device list.

Table 2 Device query option
Option: Description
Device Group: Select a device group to list all devices in the device group.

Table 3 Fields of the device list
Field: Description
Running Status: Status of the device. You can click the link to view the event list of the device. For more information, see Managing events.
Device Label: Name and IP address of the device. You can click the link to view the details of the device and modify the relevant information. For more information, see Device information.
Device Group: Device group to which the device belongs.
Device Model: Model of the device.
IP Address: IP address of the device.
Operation:
• Click the icon of a device to open the web console for the device.
• Click the icon of a device to telnet to the device.

Return to Device management functions

Adding a device
From the navigation tree of the system management component, select Device List under Device Management. The device management page appears, as shown in Figure 3. Then click Add to add a device, as shown in Figure 4 and Table
121. s the fields of the service group list.

Figure 66 Service group management page [tabs: Predefined Services, User Defined Services, Service Groups; list columns: Name, Member, Description, Referenced, Operation]

Table 71 Fields of the service group list
Field: Description
Name: Name of the service group.
Member: Services in the service group.
Description: Descriptive information about the service group.
Referenced: Whether the service group is referenced or not.
Operation: Click the icon to modify the service group.

To add a service group, click Add on the service group management page to enter the Add Service Group page, and configure the service group as described in Table 72.

Figure 67 Add a service group [form fields: Name (1-31 Chars), Description (1-31 Chars), Service (selection list of available services)]

Table 72 Service group configuration items
Item: Description
Name: Required. Type a name for the service group. Valid characters for the name: letters, digits, underscores (_), periods, slashes, and hyphens, where underscores can't appear a
122. s to access the internal networks. SSL VPN is an emerging VPN technology and has been widely used for secure remote web-based access. For example, it can allow remote users to access the corporate network securely. The SSL VPN auditing component supports analyzing and auditing operations of SSL VPN users. It also provides realtime monitoring of online users and history records, helping you understand SSL VPN usage and the network security. To access the SSL VPN auditing component, select the SSL VPN Auditing tab. Then you can perform:
• Comprehensive analysis
• SSL VPN log auditing

Comprehensive analysis
The comprehensive analysis function provides information of online users, online user trend, daily user statistics, and device monitoring for you to understand what SSL VPN users have done during their access to the internal network. You can export and save the reports as an Excel file.

Online users
The online user statistics function displays the SSL VPN users that are currently accessing the internal network. This list presents the username, user IP address, virtual IP address, login time, online duration, operation that the user has performed, and resources the user has accessed. It also supports flexible online user query.

Configuration guide
From the navigation tree of the SSL VPN auditing component, select Online Users under Comprehensive Analysis to enter the online user list page, as shown in Figure 98.

Figure 98 Online u
123. scription
Operator list: Allows you to view details about operators, modify operator information, and delete operators.
Adding an operator: Allows you to add operators.

Operator list
From the navigation tree of the system management component, select Operators under Operator Management. The operator management page appears, as shown in Figure 26.

Table 33 Fields of the operator list
Field: Description
Login Name: Username used by the operator at login.
Role: Operation level of the operator.
Last Login Time: Last time when the operator logged in.
Managed Device Groups: Device groups for which the operator has operation rights.
Authentication Mode: Authentication mode of the operator.
Operation:
• Click the icon of an operator to modify the operator's information.
• Click the icon of an operator to delete the operator.

Return to Operator management functions

Adding an operator
From the navigation tree of the system management component, select Operators under Operator Management to enter the operator management page. Then click Add to enter the page for adding an operator, as shown in Figure 27. Table 34 describes the operator configuration items.

Figure 27 Add an operator [form fields: Login Name, Login Password, Confirm Password, Role, Manage Device Group]
124. ser list [query options: User Name, User IP, Virtual IP, Online Period, Device; Online User List columns: Session ID, User, User IP, Virtual IP, Login Time, Online Duration, Device, Operation, Visited Resource]

Online users trends
The online user trend graph displays the number of online SSL VPN users during a day, week, month, or a customized period of time.

Configuration guide
From the navigation tree of the SSL VPN auditing component, select Online Users Trends under Comprehensive Analysis to enter the online user trend analysis page, where the online user trend graph is listed, as shown in Figure 99. Under the trend graph is a list showing the online user statistics, including the audit time, online user count, and a link for you to view the user information.

Figure 99 Online user trend [query options: Device, Duration, Time; Online User Trend Graph showing the number of online users over time, followed by the Online User Trend list]
125. side to inside, such as land attack or Winnuke attack, the firewall will detect and log them. Select Log Report > Report to display the system log, connection limit log, attack prevention log, blacklist log, interzone policy log, and userlog.

• Attack prevention log
[Figure: attack prevention log list with columns Time, Type, Interface, Source IP, Source MAC, Destination IP, Destination MAC, Speed. The entries shown, dated 2010-01-15, are of types Winnuke, Scan and Fraggle.]
126. sis report template [Figure: Notification Mode section of the report export task form, with the option "Send a report by email" and an Address field]

Table 60 Configuration items of a report export task
Item: Description
Task Name: Required. Specify the name of the task. The name can comprise up to 40 characters.
Period: Required. Specify the export interval, which can be Day, Week, Month, or Year. The default is Day.
Filter: Optional. Specify the data to be included in the file by selecting a filter.
Template: Required. Specify the template for exporting reports. Only one template is available at present.
Notification Mode: Optional. Specify the Email box to which the export file will be sent.

Return to Report export task management functions

Event auditing
The event auditing function allows you to audit abnormal traffic logs, blacklist logs, operation logs, NAT logs, inter-zone access control logs, MPLS logs, and other logs. It also supports exporting up to 10,000 entries of logs. If there are more than 10,000 log entries, only the first 10,000 entries will be exported.

The event auditing function does not support cross-day query. If the query period spans a day or the query start time is later than the end time, the end time will automatically change to 23:59 of the same day as the start time.

Inter-zone access log auditing
Configuration guide
From the navigation tree of the firewall management component, select Inter Zone Access Logs unde
127. sures accordingly.

Event analysis
Event overview
The system supports comprehensive analysis of attack events, including:
• Attack event trend analysis during a day, week, month, and a customized period
• TopN statistics reports by event, destination IP address, source IP address, destination port, and protocol
You can export the reports.

Configuration guide
From the navigation tree of the firewall management component, select Event Overview under Event Analysis. The attack event trend page appears by default, as shown in Figure 45. This page allows you to view attack event trend analysis during a day, week, month, or a customized period of time. This page shows a trend graph comparing the counts of blocked attack events and the other attack events, as well as a trend graph of attack events by severity level. Under the trend graphs is a list showing the detailed attack event statistics, including the number of events, number of blocked events, and number of events of each severity level.

Figure 45 Attack event overview [query options: Filter, Device, Dest Port, Protocol; Export link; Attack Event Trends graphs]
128. system so that the Firewall Manager system can receive the syslog packets from the A-F1000-E device. Select the System Management tab to enter the system management configuration page. Then, from the navigation tree, select Device List under Device Management to enter the device management page. Then click Add to enter the page for adding a device. Type the IP address of GigabitEthernet 0/1 of FW as the host IP address. Specify the device label. If the A-F1000-E system time zone is UTC, select Greenwich Mean Time for the time calibration. Leave the default settings for other parameters.

Figure 113 Add the FW device to the Firewall Manager [form fields: Host Name/IP, Device Label, Device Group, Time Calibration; Select access template or Specify access parameters; Device Access Parameters; Multi-card Device]

Configuring intrusion detection in firewall and sending logs to Firewall Manager
Enable logging and send logs to Firewall Manager
The log management feature enables you to store the system messages or logs generated by actions such as packet filtering to the log buffer or send them to the log hosts.

1. Configure a log host. Select Log Report > Syslog from the navigation tree, set the log buffer size, and configure the Firewall Manager host IP address as the log host IP address.

Figure 114 Configure a log host [Syslog page with Log Buffer settings]
129. t Device List under Device Management. The device management page appears, as shown in Figure 3. Then select the Device Config Management tab to enter the device configuration management page, as shown in Figure 9. Select a device and click Restore to bring up the restoration configuration page, as shown in Figure 11. Select a startup configuration file and/or running configuration file by their labels, and click Apply to specify the files as the startup and/or running configuration files for the device.

Figure 11 Restore configuration files [tabs: Device Management, Device Software Management, Device Config Management; dialog prompting you to select the configuration label to be restored]

Return to Device configuration management functions

Device configuration information management
On the device configuration management list, you can click the icon in the Management column of a device to bring up the configuration information management page of the device, as shown in Figure 12. Table 11 describes the tabs on the device configuration information management page and the functions provided on the tabs.

Figure 12 Device configuration information management interface [page for the selected device, with a Back button and tabs including Running Config and Startup Config]
130. t the beginning or end of the name.
Description: Optional. Type some descriptive information for the service group. Valid characters for the description: letters, digits, blank spaces, colons, underscores (_), commas, periods, exclamatory marks, and hyphens, where underscores can't appear at the beginning or end of the name.
Service: Required. Add services to the service group.
• Available services are listed in the left box, including all predefined services and user defined services. The right box lists the services to be added to the service group.
• You can select one or more services in the left box and then click Add >> to add them to the right box. You can also select one or more services in the right box and click Remove to remove them from the right box to the left box.

To delete service groups, select them and click Delete on the service group management page.

Return to Service management functions

IP addresses
Configuration guide
From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management to enter the IP address management page, as shown in Figure 68. Table 73 describes the functions of the tabs.

Figure 68 IP address management page [tabs: Host Addresses, Address Ranges, Subnet Addresses, IP Address Groups; list columns: Name, IP Addresses, Description, Referenced, Operation]
131. the address range.
Description: Valid characters for the description: letters, digits, blank spaces, colons, underscores (_), commas, periods, exclamatory marks, and hyphens, where underscores can't appear at the beginning or end of the name.
Address Range: Required. Set the start IP address and end IP address of the address range. The IP addresses must be in dotted decimal notation.
Excluded Addresses: Required. Specify the IP addresses to be excluded from the address range.
• Input an IP address and click Add next to the text box to add the IP address to the excluded IP addresses list. You can also select an IP address on the list and click Delete to remove the IP address from the list.
• The IP addresses must be in dotted decimal notation.

To delete address ranges, select them and click Delete on the address range management page.

Return to IP address management functions

Subnet addresses
From the navigation tree of the firewall management component, select IP Addresses under Security Policy Management. Click the Subnet Addresses tab to enter the subnet address management page, as shown in Figure 72. Table 78 describes the fields of the subnet address list.

Figure 72 Subnet address management page [tabs: Host Addresses, Address Ranges, Subnet Addresses, IP Address Groups; list columns: Name, Subnet, Excluded Addresses, Description, Referenced, Operation]
132. the interzone rule.
Sort: Click the icon to change the position of the interzone rule among the rules for the same source zone and destination zone. See Sorting interzone rules.
Details Modify: Click the icon to enter the interzone rule list and modify the interzone rule.

To add more interzone rules to the policy, click Add on the policy's rule management page. A page as shown in Figure 81 appears, showing all rules that have been created for the same source zone and destination zone pair but are not in the policy. Select the rules you want to add to the policy and click Add.

Figure 81 Add interzone rules to the policy [query options: Src Zone, Dest Zone; Rules list with columns Src Zone, Dest Zone, ID, Description]

Return to Interzone policy management functions

Sorting interzone rules
On an interzone policy's rule management page, you can click the icon of a rule to change the position of the rule among the policy's rules for the same source zone and destination zone. For example, on the page shown in Figure 80, you can click the icon of rule 0 to bring up the page shown in Figure 82, select after, select rule 1 from the drop-down list, and click Apply to move rule 0. Figure 83 shows the result.

Figure 82 Move rules [dialog showing Src Zone Trust and Dest Zone DMZ, with the option to move the rule before or after another rule]
133. [Figure residue: remaining rows of an event list.]

• Interzone access logs
[Figure: Firewall > Event Auditing > Inter Zone Access Logs. Inter Zone Access Control Log List with columns Time, Source Zone, Destination Zone, Source IP Port, Dest IP Port, Rule ID, Protocol, Action. The entries shown, dated 2010-01-15, are from the Trust zone to the Untrust zone.]

• Blacklist logs
[Figure: Firewall > Event Auditing > Blacklist Logs. Blacklist Logs List with columns Time, Source IP, Operate Mode, Reason, Severity Level, Hold Time (minutes).]
134. tware on the device.
• Reboot the device immediately after deploying: Specifies secpath 1000fe cmw520 b5002 bin as the main startup software, leaves all software files stored on the device, and reboots the device. After the device reboots, secpath 1000fe cmw520 b5002 bin is the current running software of the device.
Deployment Time: Specify the execution time of the deployment task.

NOTE: You must select a software version for the Deploy Software Version field before deploying software to devices.

Return to Device software management functions

Backing up the software of devices
On the device software management page, select devices and then click Backup Device Software to back up the software of the selected devices. The Import from Device page appears with the operation results, as shown in Figure 8. Table 8 describes the fields of the software backup result list.

Figure 8 Software backup result [list columns: Device Label, Software Name, Size, Start Time, Status, Result; the entry shown was executed successfully]

If the backup operation fails, the system shows the reasons. The software backup files are stored in the software database.

Table 8 Fields of the software backup result list
Field: Description
Device Label: Device name and IP address.
Software Name: Name of the software backed up.
Size: Size of the backup file for the
135. ubsystem

Adding a subsystem
From the navigation tree of the system management component, select Subsystem Management under System Config. Click Add to enter the page for adding a subsystem, as shown in Figure 41. Table 48 describes the configuration items for adding a subsystem.

Figure 41 Add a subsystem [form fields: Server IP, Server Port, User Name, Password]

Table 48 Configuration items for adding a subsystem
Item: Description
Server IP: Required. Type the IP address for the subsystem.
Server Port: Required. Type the port of the subsystem. It defaults to port 80.
User Name: Required. Type the username for logging in to the subsystem. The username can comprise up to 40 characters.
Password: Required. Specify the password for logging in to the subsystem. The password must comprise 6 to 20 alphanumeric characters.

Firewall management
The Firewall Manager enables centralized management of firewall devices in the network, centralized event collection and analysis, realtime monitoring, event snapshot, comprehensive analysis, event details, and log auditing. It provides abundant reports, which can be exported periodically. To access the firewall management component, select the Firewall tab. Then you can perform:
• Attack events monitoring
• Event analysis
• Event auditing
• Security policy management
• Firewall device management

Attack events monitoring
The firewall management co
136. uditing to enter the blacklist log auditing page, as shown in Figure 53. Blacklist filters packets by source IP address. It can effectively filter out packets from a specific IP address. The blacklist log auditing page lists the blacklist logs of HP firewalls. Each log records the log time, source IP address, reason to add the address to the blacklist, as well as the blacklist entry's severity level, hold time of the log entry, and operation mode, helping you know the blacklist status of the network.

Figure 53 Blacklist log auditing [query options: Source IP, Operate Mode, Reason, Severity Level, Start Time, End Time, Device; Blacklist Logs List columns: Time, Source IP, Operate Mode, Reason, Severity Level, Hold Time (minutes). The entries shown are "add" operations with reason "Auto insert", severity level Warning and a hold time of 10 minutes.]

Operation log aud
137. uirements.

• Packet inspection
[Figure: Packet Inspection Configuration. Settings: Zone; Discard Packets when the specified attack is detected; Enable Fraggle Attack Detection; Enable Land Attack Detection; Enable WinNuke Attack Detection; Enable TCP Flag Attack Detection; Enable ICMP Unreachable Packet Attack Detection; Enable ICMP Redirect Packet Attack Detection; Enable Tracert Packet Attack Detection; Enable Smurf Attack Detection; Enable IP Packet Carrying Source Route Attack Detection; Enable Route Record Option Attack Detection; Enable Large ICMP Packet Attack Detection, with Max Packet Length (28-65534 Bytes).]

• Scanning detection
[Figure: Security Zone: Trust; Enable Scanning Detection; Scanning Threshold: 30 (1-10000 connections per second); Add the source IP to the blacklist; Lifetime: 10 (1-1000 minutes).]

• Blacklist
[Figure: Global Configuration: Enable Blacklist.]

• URPF check
[Figure: URPF Configuration. Settings: Security Zone; Enable URPF; Allow Default Route; ACL (2000-3999); Type of Check: Strict.]

NOTE: After configuring all the policies, please remember to click Apply to make them take effect.

Verification
Firewall logs and Firewall Manager analysis
Displaying log report on the firewall webpage
The internal PC sends some attack packets to the external PC or from out
138. ule. By default, this option is not selected.

Return to Interzone rule management functions

Interzone policies
Configuration guide
From the navigation tree of the firewall management component, select Interzone Policies under Security Policy Management to enter the interzone policy management page, as shown in Figure 78. Table 86 describes the functions available on the page.

Figure 78 Interzone policy management page [Interzone Policies list with columns Policy Name, Description, Device, Referenced, Rules; the policies shown include default and corporate]

Table 86 Interzone policy management functions
Function: Description
Interzone policy list: Allows you to view all interzone policies in the system.
Adding an interzone policy: Allows you to add an interzone policy.
Deleting interzone policies: Allows you to delete interzone policies. Follow these steps:
1. Select the check boxes before the interzone policies to be deleted.
2. Click Delete.
IMPORTANT:
• Interzone policies that have been applied cannot be deleted.
• Interzone policies named default and corporate are system predefined policies and cannot be deleted.

Interzone policy list
From the navigation tree of the firewall management component, select Interzone Policies under Security Policy Management. The interzone policy list is at the lower part of the page, as shown in Figure 78. Table 87 desc
139. uration guide
From the navigation tree of the firewall management component, select Device Management under Device Management to enter the device management page, where the managed firewall devices are listed, as shown in Figure 87.

Figure 87 Firewall device management page [query options: Device IP, Device Label; Device List columns: Device Label, Device IP, Device Group, Operation]

On the firewall device management page, you can view information about a firewall, or add or delete a firewall. Table 95 describes the functions in detail.

Table 95 Firewall management functions
Function: Description
Firewall device list: Allows you to view information about the current firewall devices.
Adding firewall devices: Allows you to add the firewall devices managed in the system management component to the firewall management component.
Deleting devices: Allows you to delete firewall devices. Follow these steps:
1. Select the check box before the firewall devices that you want to delete in the firewall device list.
2. Click Delete.

Firewall device list
From the navigation tree of the firewall management component, select Device Management under Device Management. The firewall device list is at the lower part of the page. See Figure 87. Table 97 describes the fields of the list.

Table 96 Query options on the firewall device management page
Option Descri
140. vent name, destination IP address, destination port, source IP address, protocol of the attack; Count of events; Percentage of the events
• In the Detail column of a TopN list, you can click the icon of an attack event to enter the attack event details page. For more information, see Event details.

Recent events list
The firewall management component presents firewall attack events not only through graphs but also in a table list. The recent events list presents the attack events that occurred during the last hour, including the device IP address, the event's time, source IP address, destination IP address, event description, protocol, source port, and destination port. It also supports events query by different filters.

Configuration guide
From the navigation tree of the firewall management component, select Recent List under Events Monitor. The recent events page appears, listing the attack events that occurred during the last hour, as shown in Figure 43. Table 51 describes the query option of the list. Table 52 describes the fields of the event list.

Figure 43 List of recent attack events [query option: Filter; Statistics Time; Recent Events list with columns Time, Device IP, Source IP, Destination IP, Event, Protocol Name, Source Port, Destination Port]
141. verview
F: Firewall logs and Firewall Manager analysis
I: Inter-zone access log auditing; Interzone policies; Interzone policy applications; Interzone rules; IP addresses
M: Managing batch import; Managing deployment tasks; Managing device access templates; Managing device groups; Managing devices; Managing events; Managing filters; Managing firewall devices; Managing LDAP servers; Managing log retention time; Managing operation logs; Managing operators; Managing subsystems; Managing the device configuration database; Managing the device software database; Monitoring the disk space; MPLS log auditing
N: NAT log auditing
O: Online users; Online users trends; Operation log auditing; Other log auditing
R: Recent events list; Report exporting management; Resource access auditing
S: Security zones; Services; Snapshot of events; Subscription service
T: Time ranges
U: User access records auditing
V: Viewing device statistics
W: Websites
142. vices to the firewall manager
Configuration example
  Network requirements
  Configuration procedures
    Configuring the firewall device
    Configuring the Firewall Manager
    Configuring intrusion detection in firewall and sending logs to Firewall Manager
  Verification
    Firewall logs and Firewall Manager analysis
Support and other resources
  Contacting HP
  Subscription service
  Related information
    Documents
    Websites
  Conventions
Index
143. w log to a log host. Select Log Report > Userlog from the navigation tree to enter the page as below. Configure the Firewall Manager host IP address as the log host IP address and port number 30017.

Figure 116 Userlog [settings: Log Version; Source IP Address of Packets; Log Host Configuration with Log Host 1 and Log Host 2, each with IPv4 or IPv6, IP Address, VPN Instance and Port (0-65535); Output flow logs to information center. With this function enabled, the system will not output flow logs to the specified userlog host.]

NOTE: At present, flow logs refer to session logs only. To generate flow logs, you need to configure session logging according to the following illustration.

3. Configure a session logging policy. Select Log Report > Session Log > Log Policy from the navigation tree, then click Add to create policies as below.

Figure 117 Log Policy [list columns: Source Zone, Destination Zone, ACL, Operation; the policies shown are Trust to Untrust and Untrust to Trust]

Configuring intrusion detection
Select Intrusion Detection from the navigation tree, and enable packet inspection, scanning detection, blacklist, and URPF check. As an example, the threshold is set quite low. In a real environment, please set the proper threshold according to the req
144. y default. Table 89 describes the fields of the rule list.
Figure 80 Rule management page (policy "default"; columns: ID, Src Zone, Dest Zone, Src IP, Dest IP, Service, Time Range, Description, Action, Status, Logging, Sort, Detail/Modify)
Table 89 Fields of the policy's rule list
Field: Description
ID: ID of the interzone rule. When you create an interzone rule, the system automatically assigns an ID to the rule according to the number of existing rules for the source zone and destination zone pair, starting from 0. For example, the first rule created for the source zone Trust and the destination zone DMZ is numbered 0; the second rule created for the same source zone and destination zone pair is numbered 1.
Src Zone: Source zone of the interzone rule.
Dest Zone: Destination zone of the interzone rule.
Src IP: Source IP address of the interzone rule.
Dest IP: Destination IP address of the interzone rule.
Service: All services of the interzone rule.
Time Range: Time range during which the interzone rule takes effect.
Description: Descriptive information about the interzone rule.
Action: Filtering action of the interzone rule.
Status: Whether the interzone rule is enabled or disabled.
Logging: Whether logging is enabled for
145. your login password.
Figure: Modify Password (fields: Login Name, Old Password, New Password, Confirm Password; button: Apply)
Table 37 Configuration items for changing your password
Item: Description
Old Password: Required. Type the current password. The password must be an alphanumeric string of 6 to 20 characters.
New Password: Required. Type the new password. The password must be an alphanumeric string of 6 to 20 characters.
Confirm Password: Required. Type the new password again. This password must be exactly the same as that for New Password.
System configuration
Configuring system parameter
Configure the system parameter to allow non-SNMP devices in the system.
Configuration guide: From the navigation tree of the system management component, select System Parameter under System Config. The system parameter configuration page appears, as shown in Figure 30. Select the check box for the parameter and click Apply.
Figure 30 System parameter setting (parameter: "Allow to add device even if SNMP connect failed")
Tip: After setting the parameter, be sure to click Apply to put the setting into effect.
Configuring management ports
This module allows you to specify the Firewall Manager background ports for receiving various logs from devices.
Configuration guide: From the navigation tree of the system management component, select Management Ports under System Config. The management ports configuratio
