HP 200 Unified Threat Management (UTM) Appliance Series Getting Started Guide
Contents
1. (Continuation of the system time configuration examples. Each row lists the clock commands entered, how the device combines them, and the system time it then shows.)

- Truncated row: clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 with a date-time of 01/01/2007, outside the daylight saving time range; the system time is date-time + zone-offset.
- clock datetime 1:00 2007/1/1, then clock timezone zone-time add 1, then clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2: the system time is date-time + zone-offset + summer-offset, shown as 04:00:00 ss Mon 01/01/2007.
- clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 already configured, then clock datetime 1:00 2007/1/1 (date-time outside the daylight saving time range): the system time is 01:00:00 zone-time Mon 01/01/2007.
- Same time zone and summer time, then clock datetime 1:30 2008/1/1 (date-time inside the range, but date-time minus summer-offset outside it): the system time is 23:30:00 zone-time Mon 12/31/2007.
- Same time zone and summer time, then clock datetime 3:00 2008/1/1 (both date-time and date-time minus summer-offset inside the range): the system time is 03:00:00 ss Tue 01/01/2008.

Configuration procedure

To change the system time:

Step 1. Set the system time and date. Command: clock datetime time date. Remarks: Optional. Available in user view.
Step 2. Enter system view. Command: system-view. Remarks: N/A.
Step 3. Set the time zone. Command: clock timezone zone-name add ... Remarks: Optional. The default time zone is Coordinated Universal Time (UTC).
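As an added example that is not taken from the guide, the following Comware CLI session applies the procedure above for a device one hour ahead of UTC with a one-off daylight saving period, and checks the result with display clock; the two display lines are the values the table above gives for the same inputs. It then goes beyond the manual-clock procedure by synchronizing to an NTP server with authentication enabled, which is what keeps log timestamps, scheduled jobs and certificate validity checks trustworthy after the clock is set. The zone name, the server address 192.168.0.10, the key ID and key value are assumptions, and the ntp-service command forms are the Comware v5 syntax as the editor knows it, not text quoted from this guide.

```text
<HP> system-view
# Time zone and a one-off daylight saving period (offset 2 hours), as in the table
[HP] clock timezone zone-time add 1
[HP] clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2
[HP] quit
# A date-time inside the DST period whose standard-time equivalent precedes it is shown in standard time
<HP> clock datetime 1:30 2008/1/1
<HP> display clock
23:30:00 zone-time Mon 12/31/2007
# A date-time fully inside the DST period is shown with the summer time name
<HP> clock datetime 3:00 2008/1/1
<HP> display clock
03:00:00 ss Tue 01/01/2008
# Beyond the manual procedure: authenticated NTP so the clock does not drift or get spoofed
# (assumed server 192.168.0.10, assumed key ID 1 and key value)
<HP> system-view
[HP] ntp-service authentication enable
[HP] ntp-service authentication-keyid 1 authentication-mode md5 cipher Ntp-Key-1
[HP] ntp-service reliable authentication-keyid 1
[HP] ntp-service unicast-server 192.168.0.10 authentication-keyid 1
# Check: the clock should report synchronized once the server answers
[HP] display ntp-service status
[HP] display ntp-service sessions
```

Set the time zone and summer time before clock datetime, as the session does; entering clock datetime first and the offsets afterwards shifts the time by both offsets, which is the 04:00:00 row of the table.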
2. (Continuation of the idle timeout procedure.)

Step 2. Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }. Remarks: N/A.
Step 3. Set the idle timeout timer. Command: idle-timeout minutes [ seconds ]. Remarks: 10 minutes by default.

Enabling displaying the copyright statement

By default, the device displays the copyright statement when a Telnet or SSH user logs in, or when a console or AUX user quits user view. You can disable or enable the function as needed. The following is a sample copyright statement:

******************************************************************************
* Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse engineering shall be allowed.                    *
******************************************************************************

To enable displaying the copyright statement:

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable displaying the copyright statement. Command: copyright-info enable. Remarks: Enabled by default.

Configuring banners

Banners are messages that the system displays during user login. The system supports the following banners:

- Legal banner: Appears after the copyright or license statement. To continue the login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case-insensitive.
3. Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter console user interface view. Command: user-interface console first-number [ last-number ]. Remarks: N/A.
Step 3. Set the baud rate. Command: speed speed-value. Remarks: By default, the baud rate is 9600 bps.
Step 4. Specify the parity check mode. Command: parity { even | mark | none | odd | space }. Remarks: The default setting is none, namely no parity check.
Step 5. Specify the number of stop bits in each character. Command: stopbits { 1 | 1.5 | 2 }. Remarks: The default is 1. Stop bits indicate the end of a character. The more stop bits, the slower the transmission.
Step 6. Specify the number of data bits in each character. Command: databits { 5 | 6 | 7 | 8 }. Remarks: The default is 8. The setting depends on the character coding type. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
Step 7. Define the shortcut key for starting a terminal session. Command: activation-key character. Remarks: By default, you press Enter to start the terminal session.
Step 8. Define a shortcut key for terminating tasks. Command: escape-key { default | character }. Remarks: By default, pressing Ctrl+C terminates a task.
Step 9. Specify the terminal display type. Command: terminal type { ansi | vt100 }. Remarks: By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends setting the display type of both the device and the terminal to VT100. If the device and
4. Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.com/support

Before contacting HP, collect the following information:
- Product model names and numbers
- Technical support registration number (if applicable)
- Product serial numbers
- Error messages
- Operating system type and revision level
- Detailed questions

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts

After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.

Related information

Documents

To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
- For related documentation, navigate to the Networking section, and select a networking category.
- For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.

Websites
- HP.com: http://www.hp.com
- HP Networking: http://www.hp.com/go/networking
- HP manuals: http://www.hp.com/support/manuals
- HP download drivers and software: http://www.hp.com/support/downloads
- HP software depot: http://www.software.hp.com
- HP Education: http://www.hp.com/learn

Conventions

This section describes the conventions used in this documentat
5. (Continuation of the procedure for configuring none authentication for console login.)

Step 8. Enable none authentication mode. Command: authentication-mode none. Remarks: By default, you can log in to the device through the console port without authentication and have user privilege level 3.
Step 9. Configure common settings for console login (optional). Remarks: See Configuring common console user interface settings (optional).

The next time you attempt to log in through the console port, you do not need to provide any username or password.

Configuring password authentication for console login

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter console user interface view. Command: user-interface console first-number [ last-number ]. Remarks: N/A.
Step 3. Enable password authentication. Command: authentication-mode password. Remarks: By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.
Step 4. Set a password. Command: set authentication password { cipher | simple } password. Remarks: By default, no password is set.
Step 5. Configure common settings for console login (optional). Remarks: See Configuring common console user interface settings (optional).

The next time you attempt to log in through the console port, you must provide the configured login password.

Configuring scheme authentication for console login

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions. If command authorization is enabled, a command is available only if
6. (Continuation of the SNMPv3 access procedure.)

Step 3. Create an SNMP group and specify its access right. Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ]. Remarks: N/A. NOTE: Support for the acl ipv6 ipv6-acl-number option depends on the device model. For more information, see Getting Started Command Reference.
Step 4. Add a user to the SNMP group. Command: snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ]. Remarks: N/A. NOTE: Support for the acl ipv6 ipv6-acl-number option depends on the device model. For more information, see Getting Started Command Reference.

Configuring SNMPv1 or SNMPv2c access

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the SNMP agent. Command: snmp-agent. Remarks: Optional. By default, the SNMP agent is disabled. You can enable the SNMP agent with this command or with any command that begins with snmp-agent.
Step 3. Create or update MIB view information. Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]. Remarks: Optional. By default, the MIB view name is ViewDefault and the OID is 1.
Step 4. Approach 1: Specify the SNMP NMS access right directly by configuring an SNMP community. Command: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6
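As an added example that is not from the guide, the following Comware CLI configuration uses steps 3 and 4 above to allow SNMPv3 management with authentication and privacy only, and binds both the group and the user to an ACL that admits the NMS address alone. A v1/v2c community (approach 1 of the next procedure) is a cleartext shared secret that any on-path observer can replay, so the example restricts the agent to version 3 and checks that no community remains. The group and user names, the ACL number, the NMS address 192.168.0.10 and both passwords are assumptions.

```text
<HP> system-view
# Basic ACL 2001: only the NMS host may reach the agent (assumed address)
[HP] acl number 2001
[HP-acl-basic-2001] rule 5 permit source 192.168.0.10 0
[HP-acl-basic-2001] rule 10 deny
[HP-acl-basic-2001] quit
# Enable the agent and let it answer SNMPv3 only
[HP] snmp-agent
[HP] snmp-agent sys-info version v3
# Read-only MIB view covering the internet subtree
[HP] snmp-agent mib-view included readview 1.3.6.1
# Group: authentication and privacy required, read access only, bound to ACL 2001
[HP] snmp-agent group v3 nmsgroup privacy read-view readview acl 2001
# User: SHA authentication, AES-128 privacy, same ACL (assumed passwords)
[HP] snmp-agent usm-user v3 nmsuser nmsgroup authentication-mode sha AuthPass#2012 privacy-mode aes128 PrivPass#2012 acl 2001
# Checks: no v1/v2c community should be listed, and the user should belong to nmsgroup
[HP] display snmp-agent community
[HP] display snmp-agent usm-user
```

Choose privacy rather than authentication for the group so that a user created without privacy-mode is refused; with authentication alone, the polled data would still travel in cleartext.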
7. (Index, continued)

M
Monitoring an NMS-connected interface, 104
Monitoring and managing the firewall module on the network device, 69
O
Overview, 74
P
Performing basic configuration at the CLI, 81
Performing basic configuration in the Web interface, 74
R
Rebooting the device, 97
Related information, 140
S
Saving the running configuration, 139
Scheduling jobs, 99
Setting the idle timeout timer at the CLI, 94
Setting the idle timeout timer in the Web interface, 94
Setting the port status detection timer, 102
SNMP login example, 66
T
Troubleshooting Web browser, 60
U
Understanding command line error messages, 128
User levels, 110
Using the command history function, 128
Using the undo form of a command, 122
UTM products, 7
V
Verifying and diagnosing transceiver modules, 106
8. (Continuation of the procedure for configuring the authentication mode.)

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { console | vty } first-num2 [ last-num2 ] }. Remarks: N/A.
Step 3. Configure the authentication mode for any user who uses the current user interface to log in to the device. Command: authentication-mode { none | password | scheme }. Remarks: Optional. By default, the authentication mode for VTY user interfaces is scheme, and no authentication is needed for console users.
Step 4. Configure the privilege level for users logged in through the current user interface. Command: user privilege level level. Remarks: Optional. By default, the user privilege level of users logged in through the console user interface is 3, and that of users logged in through the other user interfaces is 0.

For example:

Display the commands a Telnet user can use by default after login:

<Sysname> ?
User view commands:
  display   Display current system information
  ping      Ping function
  quit      Exit from current command view
  rsh       Establish one RSH connection
  ssh2      Establish a secure shell client connection
  super     Set the current user priority level
  telnet    Establish one TELNET connection
  tftp      Open TFTP connection
  tracert   Trace route function

Configure the device to perform no authentication for Telnet users and to authorize authenticated Telnet users to use level 0 and level 1 commands. Use no authentication mode only in a secure network enviro
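The no-authentication setting just described is the weak configuration. As an added example that is not from the guide, the two Comware CLI fragments below show it next to a hardened set of VTY lines: scheme authentication against a local account, SSH only (Telnet sends the password in cleartext), an ACL deciding which hosts may open a session at all, a shorter idle timeout, a landing privilege level of 1 with a separate super password for level 3, and a legal banner. The ACL number, the management subnet 10.1.1.0/24, the account name, the passwords and the banner text are assumptions; user-interface vty 0 4 assumes the device has VTY lines 0 to 4, and the level command in local user view is the form the guide's Web login procedure lists.

```text
<HP> system-view
# Weak: Telnet with no authentication, and level 3 for anyone who can reach the address
[HP] user-interface vty 0 4
[HP-ui-vty0-4] authentication-mode none
[HP-ui-vty0-4] user privilege level 3
[HP-ui-vty0-4] quit

# Hardened replacement
# Basic ACL 2002: only the management subnet may open a VTY session (assumed subnet)
[HP] acl number 2002
[HP-acl-basic-2002] rule 5 permit source 10.1.1.0 0.0.0.255
[HP-acl-basic-2002] rule 10 deny
[HP-acl-basic-2002] quit
# Local account used by scheme authentication; lands at level 1 (assumed name and password)
[HP] local-user netops
[HP-luser-netops] password cipher L0ng-Passphrase!
[HP-luser-netops] service-type ssh
[HP-luser-netops] level 1
[HP-luser-netops] quit
# SSH server: host key (enter 2048 at the modulus prompt), enable, map the account
[HP] public-key local create rsa
[HP] ssh server enable
[HP] ssh user netops service-type stelnet authentication-type password
# Password required to escalate from level 1 to level 3 with the super command
[HP] super password level 3 cipher Esc@late-Passphrase
# Legal banner shown before login; the device prompts for the text, the closing % ends it
[HP] header legal %
Authorized use only. Activity is logged.%
# Hardened VTY lines: scheme authentication, SSH only, ACL, 5-minute idle timeout
[HP] user-interface vty 0 4
[HP-ui-vty0-4] authentication-mode scheme
[HP-ui-vty0-4] protocol inbound ssh
[HP-ui-vty0-4] acl 2002 inbound
[HP-ui-vty0-4] user privilege level 1
[HP-ui-vty0-4] idle-timeout 5 0
[HP-ui-vty0-4] quit
# Check before closing the session you configured this from
[HP] display user-interface vty 0
```

Under scheme authentication the level of the local user, not user privilege level on the line, decides what the user may run after login; the line setting still applies to password and none modes, so leaving it at 1 is harmless.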
9. (Continuation of the common VTY user interface settings.)

Step 8. Set the size of the command history buffer. Command: history-command max-size size-value. Remarks: Optional. By default, the buffer saves 10 history commands.
Step 9. Set the idle timeout timer. Command: idle-timeout minutes [ seconds ]. Remarks: Optional. The default idle timeout is 10 minutes for all user interfaces. The system automatically terminates the user's connection if there is no information interaction between the device and the user within the timeout time. Setting idle-timeout to 0 disables the timer.
Step 10. Specify a command to be automatically executed when a user logs in to the user interfaces. Command: auto-execute command command. Remarks: Optional. By default, no automatically executed command is specified. The auto-execute command function is typically used for redirecting a Telnet user to a specific host. After executing the specified command and performing the incurred task, the system automatically disconnects the Telnet session.

Using the device to log in to a Telnet server

You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.

Figure 34 Telnetting from the device to a Telnet server (PC, the device as Telnet client, Telnet server)

To use the device to log in to a Telnet server:

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Specify the source IPv4 address or source interface for Telnet packets. Command: telnet client source { interface interface-type interface-number | ip ip-address }. Remarks: Optional. By default, no source IPv4 address or source interface
10. (Continuation of the keyword listing for commands beginning with f: fdisk, fixdisk, format, free, ftp.)

<Sysname> display ftp?
ftp          ftp-server   ftp-user

Entering a command

When you enter a command, you can use keys or hotkeys to edit the command line, or use abbreviated keywords or keyword aliases.

Editing a command line

Use the keys listed in Table 23 or the hotkeys listed in Table 24 to edit a command line.

Table 23 Command line editing keys
- Common keys: If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
- Backspace: Deletes the character to the left of the cursor and moves the cursor back one character.
- Left arrow key or Ctrl+B: Moves the cursor one character to the left.
- Right arrow key or Ctrl+F: Moves the cursor one character to the right.
- Tab: If you press Tab after entering part of a keyword, the system automatically completes the keyword. If a unique match is found, the system substitutes the complete keyword for the incomplete one and displays what you entered in the next line. If there is more than one match, you can press Tab multiple times to pick the keyword you want to enter. If there is no match, the system does not modify what you entered but displays it again in the next line.

Entering a STRING type value for an argument

A STRING type argument value can contain any printable character (ASCII code in the ra
11. (Continuation of the NAT server command syntax in step 5.)
- (first form, beginning cut off) ... inside local-address local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ]
- For ACL-based NAT server: nat server protocol pro-type global acl-number inside local-address local-port [ vpn-instance local-name ]
Remarks: Optional. Configure none or one of the commands.

Step 6. Assign an IP address to the interface. Command: ip address ip-address { mask-length | mask } [ sub ]. Remarks: Optional. By default, GigabitEthernet 0/0 is assigned the IP address 192.168.0.1/24, and the other interfaces have no IP addresses.
Step 7. Return to system view. Command: quit. Remarks: N/A.
Step 8. Enter security zone view. Command: zone name zone-name [ id zone-id ]. Remarks: N/A.
Step 9. Add the interface to the security zone. Command: import interface interface-type interface-number [ vlan vlan-list ]. Remarks: By default, GigabitEthernet 0/0 belongs to the Management zone, and the other interfaces do not belong to any zone.
Step 10. Return to system view. Command: quit. Remarks: N/A.
Step 11. Save the running configuration to the configuration file, and specify the file as the next-startup configuration file. Command: save [ safely ]. Remarks: This command is available in any view.
Step 12. Display the running configuration. Command: display current-configuration. Remarks: Optional. This command is available in any view.

Configuration guidelines

To configure features after completing the basic configuration, you must add interfaces to security zones (except for Management) and configure interzone pol
12. (Continuation of the procedure for logging in to the firewall module from the network device.) Command: oap connect slot slot-number.

After login, the terminal screen displays the CLI of the firewall module. To return to the CLI on the device, press Ctrl+K.

Monitoring and managing the firewall module on the network device

Resetting the system of the firewall module

CAUTION: The reset operation may cause data loss and service interruption. Therefore, before performing this operation, save the configuration of the firewall module operating system and shut down the firewall module operating system to avoid service interruption and data loss.

If the operating system of the firewall module works abnormally (for example, the system does not respond), you can reset the system with the following command. This operation is the same as resetting the firewall module by pressing the reset button on the firewall module. The firewall module has an independent CPU; therefore, the network device can still recognize and control the firewall module when you reset the system of the firewall module.

To reset the system of the firewall module: Task: Reset the system of the firewall module. Command: oap reboot slot slot-number. Remarks: Available in user view.

Configuring the ACSEI protocol

ACSEI is an HP proprietary protocol. It provides a method for exchanging information between ACFP clients and the ACFP server, so that the ACFP server and clients can cooperate to run a service. As a supporting protocol of ACFP, ACSEI also
13. (Continuation of Figure 81; the remaining row reads: syy, system, 192.168.1.16, Admin, 00h36m14s, 20:03:48.)

Table 21 Online user fields
- User ID: Identity of the online user in the system.
- User Name: Username used for authentication.
- IP Address: IP address of the user's host.
- User Type: Access type of the online user, including PPP, Portal, Admin (Telnet or Web), and L2TP. The Web page does not display FTP users.
- Login Time: User login time.
- Online Duration: Elapsed time after user login.

Using the CLI

At the command line interface (CLI), you can enter text commands to configure, manage, and monitor your device.

Figure 82 CLI example

******************************************************************************
* Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse engineering shall be allowed.                    *
******************************************************************************

<HP>

You can log in to the CLI in a variety of ways. For example, you can log in through the console port or by using Telnet or SSH. For more information about login methods, see Logging in to the CLI.

Command conventions

Command conventions help you understand the syntax of commands. Commands in product manuals comply with the conventions listed in Table 22.

Table 22 Command conventions
14. (Continuation of a display output: 1 42 Vlan999.)

Configuring user privilege and command levels

To avoid unauthorized access, the device defines the user privilege levels and command levels in Table 28. User privilege levels correspond to command levels. A user logged in with a specific privilege level can use only the commands at that level or lower levels.

Table 28 Command levels and user privilege levels
- Level 0, Visit: Includes commands for network diagnosis and commands for accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level are restored to the default settings. Commands at this level include ping, tracert, telnet, and ssh2.
- Level 1, Monitor: Includes commands for system maintenance and service fault diagnosis. Commands at this level are not saved after being configured. After the device is restarted, the commands at this level are restored to the default settings. Commands at this level include debugging, terminal, refresh, and send.
- Level 2, System: Includes service configuration commands, including routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at manage level.
- Level 3, Manage: Includes commands that influence the basic operation of the system and commands for configuring system support modules
15. (Continuation of the Web login control procedure.)

Step 6. Associate the HTTPS service with the ACL. Command: ip https acl acl-number. Remarks: HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login.

Logging off online Web users
- Task: Display the current login users. Command: display web users. Remarks: Available in user interface view.
- Task: Log off online Web users. Command: free web-users { all | user-id user-id | user-name user-name }. Remarks: Available in user interface view.

Web login control configuration example

Network requirements

Configure the firewall in Figure 80 to provide Web access service only to Host B.

Figure 80 Network diagram (Host A 10.110.100.46 and Host B 10.110.100.52 connect to the Firewall)

Configuration procedure

# Create ACL 2030, and configure rule 1 to permit packets sourced from Host B.
<Firewall> system-view
[Firewall] acl number 2030 match-order config
[Firewall-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[Firewall-acl-basic-2030] quit
# Associate the ACL with the HTTP service so that only the Web users on Host B can access the firewall.
[Firewall] ip http acl 2030

Displaying online users

Online users refer to the users who have passed authentication and got online. You can view information about online users on the Web page of the device.

To display online users, select User > Online User from the navigation tree.

Figure 81 Online users
User ID | User Name | IP Address | User Type | Login Time | Online Duration
2 | syy system | 192.168.1.16 | Admin | ... | 02h24m3
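The example above still serves the Web interface over plain HTTP, which exposes the admin session and the local user password to anyone on the path between Host B and the firewall. As an added example that is not from the guide, the following Comware CLI configuration keeps the same ACL 2030 restriction but serves the Web interface over HTTPS only, replaces the predefined admin/admin credentials, gives Web administration its own local user, and then checks the service state and clears stale sessions. The account name and both passwords are assumptions; the HTTPS service uses the device's default certificate unless a PKI domain is configured, which this example does not cover.

```text
<Firewall> system-view
# Same ACL as in the example: only Host B may reach the Web service, everything else denied
[Firewall] acl number 2030 match-order config
[Firewall-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[Firewall-acl-basic-2030] rule 2 deny
[Firewall-acl-basic-2030] quit
# HTTP off, HTTPS on, HTTPS restricted by the ACL
[Firewall] undo ip http enable
[Firewall] ip https enable
[Firewall] ip https acl 2030
# The predefined admin account ships with password admin: change it (assumed new password)
[Firewall] local-user admin
[Firewall-luser-admin] password cipher N3w-Admin-Passphrase!
[Firewall-luser-admin] quit
# Dedicated Web administration account (assumed name and password), level 3, Web service only
[Firewall] local-user webadmin
[Firewall-luser-webadmin] password cipher W3b-Admin-Passphrase!
[Firewall-luser-webadmin] service-type web
[Firewall-luser-webadmin] level 3
[Firewall-luser-webadmin] quit
# Checks: HTTPS state, current Web sessions; then drop them all from the CLI (not from a Web session)
[Firewall] display ip https
[Firewall] display web users
[Firewall] free web-users all
```

Host A, and any host outside the ACL, now gets no answer from either service; Host B must use https:// and the new credentials, and the browser warning for the default self-signed certificate is the signal to install a certificate from your own CA.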
16. Figure: Add Local User page. Fields: User Name (... chars), User Privilege Level (Visitor), Service Type (Web, FTP, SSH, Telnet, Terminal, PPP), Password (1-63 chars), Confirm Password, Password Encryption (Reversible or Irreversible), Virtual Device (Root). Items marked with an asterisk (*) are required.

3. Configure a local user as described in Table 19.
4. Click Apply.

Table 19 Configuration items
- User Name: Enter the username of the local user. The username can contain spaces in the middle. However, the device ignores any leading spaces in the username.
- User Privilege Level: Set the user privilege level of a user. For more information, see User levels. IMPORTANT: The user privilege levels apply only to Web, FTP, Telnet, and SSH users. Users that use the root virtual device and users that use other virtual devices have different privilege levels. For more information, see Web overview.
- Service Type: Set the service type that a user can use, including Web, FTP, SSH, Telnet, Terminal, DVPN, and PPP. Support for service types depends on the device model. For more information, see Table 20. You must configure a service type for each user for local authentication. Otherwise, user authentication fails.
- Password / Confirm Password: Set and confirm the password. The confirm password must be the same as the previously set password. Any leading spaces in
17. (Continuation.) Configure SNMP basic parameters. After configuring the network device and the firewall module properly, you can log in to the firewall module from the network device.

Logging in to the firewall module from the network device

CLI user interfaces

The device uses user interfaces (also called lines) to control CLI logins and monitor CLI sessions. You can configure access control settings, including authentication, user privilege, and login redirect, on user interfaces. After users are logged in, their actions must be compliant with the settings on the user interfaces assigned to them. Users are assigned different user interfaces depending on their login methods, as shown in Table 2.

Table 2 CLI login method and user interface matrix
- Console user interface: Console port (EIA/TIA-232 DCE).
- AUX user interface: AUX port (EIA/TIA-232 DTE), typically used for dial-in access through modems.
- Virtual type terminal (VTY) user interface: Telnet or SSH.

User interface assignment

The device automatically assigns user interfaces to CLI login users depending on their login methods. Each user interface can be assigned to only one user at a time. If no user interface is available, a CLI login attempt will be rejected. For a CLI login, the device always picks the lowest-numbered user interface from the idle user interfaces available for the type of login. For example, four VTY user interfaces, 0 to 3, are
18. (Continuation of the display job output.)
  Time 2: Execute command shutdown at 18:00 Mondays Tuesdays Wednesdays Thursdays Fridays
Job name: pc2
  Specified view: GigabitEthernet0/2
  Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays Fridays
  Time 2: Execute command shutdown at 18:00 Mondays Tuesdays Wednesdays Thursdays Fridays
Job name: pc3
  Specified view: GigabitEthernet0/3
  Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays Fridays
  Time 2: Execute command shutdown at 18:00 Mondays Tuesdays Wednesdays Thursdays Fridays

Setting the port status detection timer

Some protocols might shut down ports under specific circumstances. For example, MSTP shuts down a BPDU guard-enabled port when the port receives a BPDU. In this case, you can set the port status detection timer. If the port is still down when the detection timer expires, the protocol module automatically cancels the shutdown action and restores the port to its original physical status.

To set the port status detection timer:

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Set the port status detection timer. Command: shutdown-interval time. Remarks: By default, the port status detection timer is 30 seconds.

Configuring temperature thresholds for a device or a module

Configuring basic temperature thresholds

The following matrix shows the feature and hardware compatibility:
Hardware | Feature compatible
F1000-A-EI / F1000-S-EI | No
19. (Continuation of the matrix.)
F1000-E | Yes
F5000 | Yes
Firewall module, 12500/10500 Enhanced FW | No
Firewall module, others | Yes
U200-A | No
U200-S | Yes

You can set the temperature threshold to monitor the temperature of a device or a module. When the temperature reaches the threshold, the device generates alarms.

To configure basic temperature thresholds:

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Configure the basic temperature thresholds for a device or a module. Command: temperature-limit slot slot-number lower-value upper-value. Remarks: By default, the lower threshold is 0°C (32°F) and the upper threshold is 50°C (122°F).

Configuring advanced temperature thresholds

The following matrix shows the feature and hardware compatibility:
Hardware | Feature compatible
F1000-A-EI / F1000-S-EI | Yes
F1000-E | No
F5000 | No
Firewall module, 12500/10500 Enhanced FW | Yes
Firewall module, others | No
U200-A | Yes
U200-S | No

You can set the temperature thresholds to monitor the temperature of a module or a device:
- When the temperature drops below the lower threshold or reaches the warning threshold, the device logs the event and outputs a log message and a trap.
- When the temperature reaches the alarming threshold, the device logs the event, outputs a log message and a trap repeatedly in the terminal display, and alerts users through the LED on the device panel.

Due to temperature hysteresis, a temperature decreasing notification is late
20. (Continuation of the scheme authentication procedure.)

Step 6. Specify the protocols the user interface supports: Telnet, SSH, or both. Command: protocol inbound { all | ssh | telnet }. Remarks: Optional. By default, both Telnet and SSH are supported.
Step 7. Enable command authorization. Command: command authorization. Remarks: Optional. By default, command authorization is disabled, and the commands available for a user depend only on the user privilege level.
Step 8. Enable command accounting. Command: command accounting. Remarks: Optional. By default, command accounting is disabled, and the accounting server does not record the commands executed by users.
Step 9. Exit to system view. Command: quit. Remarks: N/A.
Step 10. Apply an AAA authentication scheme to the intended domain. Remarks: Optional. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device, and configure authentication settings, including the username and password, on the server. For more information about AAA configuration, see Access Control Configuration Guide.
  a. Enter the ISP domain view. Command: domain domain-name.
  b. Apply the specified AAA scheme to the domain. Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }.
  c. Exit to system view. Command: quit.
Step 11. Create a local user and enter local user view. Command: local-user user-name. Remarks: By default, a local user named admin exists.
Step 12. Set a password for the local user. Command: password { cipher | simple } password. Remarks: By default, the password for the system predefined user admin is admin, and no password is set for an
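As an added example that is not from the guide, the following Comware CLI configuration completes steps 6 to 12 above with an HWTACACS server, so that every command a VTY user enters is authorized and recorded centrally, and keeps a local account as fallback for when the server is unreachable (command authorization and accounting on a line only take effect under scheme authentication with a scheme that the domain points at). The scheme and domain names, the server address 10.1.1.5, the shared key, the fallback account and its password are assumptions; the hwtacacs scheme and domain-view authorization and accounting commands are the Comware v5 syntax as the editor knows it, and exact forms vary by software release.

```text
<HP> system-view
# HWTACACS scheme: one server for authentication, authorization and accounting (assumed address and key)
[HP] hwtacacs scheme tac
[HP-hwtacacs-tac] primary authentication 10.1.1.5
[HP-hwtacacs-tac] primary authorization 10.1.1.5
[HP-hwtacacs-tac] primary accounting 10.1.1.5
[HP-hwtacacs-tac] key authentication cipher Sh@red-Key-1
[HP-hwtacacs-tac] key authorization cipher Sh@red-Key-1
[HP-hwtacacs-tac] key accounting cipher Sh@red-Key-1
[HP-hwtacacs-tac] user-name-format without-domain
[HP-hwtacacs-tac] quit
# ISP domain: TACACS first, local fallback; per-command authorization and accounting via TACACS
[HP] domain mgmt
[HP-isp-mgmt] authentication default hwtacacs-scheme tac local
[HP-isp-mgmt] authorization command hwtacacs-scheme tac local
[HP-isp-mgmt] accounting command hwtacacs-scheme tac
[HP-isp-mgmt] quit
[HP] domain default enable mgmt
# Local fallback account at level 3 so recovery stays possible when the server is down (assumed)
[HP] local-user breakglass
[HP-luser-breakglass] password cipher Br3ak-Glass-Passphrase!
[HP-luser-breakglass] service-type ssh terminal
[HP-luser-breakglass] level 3
[HP-luser-breakglass] quit
# VTY lines: scheme authentication, SSH only, command authorization and accounting (steps 6 to 8)
[HP] user-interface vty 0 4
[HP-ui-vty0-4] authentication-mode scheme
[HP-ui-vty0-4] protocol inbound ssh
[HP-ui-vty0-4] command authorization
[HP-ui-vty0-4] command accounting
[HP-ui-vty0-4] quit
# Checks: server state and the domain's scheme bindings
[HP] display hwtacacs tac
[HP] display domain mgmt
```

Test the fallback deliberately, for instance by blocking the server address, before relying on it: with command authorization enabled and no reachable server, the local keyword after the scheme is the only thing that keeps the fallback account able to run commands.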
21. Displaying and maintaining CLI login
- Task: Display information about the user interfaces that are being used. Command: display users [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
- Task: Display information about all user interfaces the device supports. Command: display users all [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
- Task: Display user interface information. Command: display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
- Task: Display the configuration of the device when it serves as a Telnet client. Command: display telnet client configuration [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
- Task: Release a user interface. Command: free user-interface { num1 | { aux | console | vty } num2 }. Remarks: Available in user view. Multiple users can log in to the device to configure it simultaneously. When necessary, you can execute this command to release some connections. You cannot use this command to release the connection you are using.
- Task: Lock the current user interface. Command: lock. Remarks: Available in user view. By default, the system does not automatically lock a user interface.
- Task: Send messages to user interfaces. Command: send { all | num1 | { aux | console | vty } num2 }. Remarks: Available in user view.

Logging in to the Web interface

The device provi
22. (Continuation of the Web login procedure.)

Step 10. Set the size of the log buffer for Web login logging. Command: web logbuffer size pieces. Remarks: Optional.
Step 11. Create a local user and enter local user view. Command: local-user user-name. Remarks: By default, a local user named admin exists.
Step 12. Configure a password for the local user. Command: password { cipher | simple } password. Remarks: By default, the password for the system predefined user admin is admin, and no password is set for any other local user.
Step 13. Specify the command authorization attribute level of the local user. Command: level level. Remarks: By default, no command level is configured for the local user.
Step 14. Specify the Web service type for the local user. Command: service-type web. Remarks: By default, the system predefined user admin can use terminal service, Telnet service, SSH service, and Web service, and no service type is specified for any other local user.
Step 15. Exit to system view. Command: quit. Remarks: N/A.
Step 16. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 17. Assign an IP address and subnet mask to the interface. Command: ip address ip-address { mask | mask-length }. Remarks: By default, only interface GigabitEthernet 0/0 is assigned an IP address, 192.168.0.1/24.

Displaying and maintaining Web login
- Task: Display information about Web users. Command: display web users [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
- Task: Display HTTP state information. Command: display ip http [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
- Task: Display HTTPS state information. Command: display ip htt
23. (Continuation of the command line error messages table.)
- Ambiguous command found at position ...: The entered character sequence matches more than one command.
- Too many parameters found at position ...: The entered character sequence contains excessive keywords or arguments.
- Wrong parameter found at position ...: The argument in the marked position is invalid.

Using the command history function

The system can automatically save successfully executed commands to the command history buffer for the current user interface. You can view them and execute them again, or set the maximum number of commands that can be saved in the command history buffer.

A command is saved to the command history buffer in the exact format in which it was entered. For example, if you enter an incomplete command, the command saved in the command history buffer is also incomplete; if you enter a command by using a command keyword alias, the command saved in the command history buffer also uses the alias.

If you enter a command in the same format multiple times in succession, the system buffers the command only once. If you enter a command multiple times in different formats, the system buffers each command format. For example, display cu and display current-configuration are buffered as two entries, but successive repetitions of display cu create only one entry in the buffer.

By default, the command history buffer can save up to 10 commands for each user. To set the capacity of the command history buffer for the current user interface, use the history-command max-s
24. (Continuation.) To execute the command indicated by the keyword, enter the complete keyword. If you enter a string that partially matches multiple aliases, the system gives you a prompt.

Configuration procedure

To configure a command keyword alias:

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the command keyword alias function. Command: command-alias enable. Remarks: By default, the command keyword alias function is disabled.
Step 3. Configure a command keyword alias. Command: command-alias mapping cmdkey alias. Remarks: By default, no command keyword alias is configured. You must enter the cmdkey and alias arguments in their complete form.

Configuring and using hotkeys

To facilitate CLI operation, the system defines the hotkeys shown in Table 24 and provides five configurable command hotkeys. Pressing a command hotkey is the same as entering a command.

To configure a command hotkey:

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Configure hotkeys. Command: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command. Remarks: By default, Ctrl+G is assigned the display current-configuration command, Ctrl+L is assigned the display ip routing-table command, Ctrl+O is assigned the undo debugging all command, and no command is assigned to Ctrl+T or Ctrl+U.
Step 3. Display hotkeys. Command: display hotkey [ | { begin | exclude | include } regular-expression ]. Remarks: Optional. Available in any view. See Table 24 for the hotkeys reserved by the syste
25. ...copper port switching.
• Two interface module expansion slots, which support the following interface modules: 4GBE, 8GBE, 1EXP, and 4GBP.

Appearance
Figure 3 Front view: (1) AC power switch (ON/OFF); (2) RPS receptacle (RPS); (3) CF card slot (CF CARD); (4) Device-mode USB port 1 (USB 1); (5) Host-mode USB port 0 (USB 0); (6) Console port (CONSOLE); (7) AUX port (AUX); (8) AC input power receptacle (100 to 240 VAC, 50 or 60 Hz, 2.5 A).
Figure 4 Rear view: (1) Grounding screw and sign; (2) Combo interfaces 0 to 3; (3) Interface module slot 2; (4) Interface module slot 1.

Overview
The F5000 provides security protection for large enterprises, carriers, and data centers. It adopts multi-core, multi-threaded, and ASIC processors to construct a distributed architecture that separates system management from service processing, making it a firewall with the highest distributed security processing capability.
The F5000 supports the following functions and features:
• Protection against external attacks, internal network protection, traffic monitoring, email filtering, Web filtering, and application layer filtering.
• ASPF.
• Multiple types of VPN services, such as L2TP VPN, GRE VPN, IPsec VPN, and dynamic VPN.
• RIP, OSPF, and BGP routing, routing policy, and policy-based routing.
• Power module 1+1 redundancy backup (AC+AC or DC+DC).
• Multiple types of service interface modules.
• High availability functi
26. ...default device name is HP.

Configuring the system time in the Web interface
A correct system time setting is essential to communication and network management. System time allows you to display and set the device system time, time zone, and daylight saving time on the Web interface. The device supports setting the system time through manual configuration and through automatic synchronization with an NTP server.
Defined in RFC 1305, NTP synchronizes timekeeping among distributed time servers and clients. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within a network, so that the devices can provide diverse applications based on the consistent time. The time of a local system that runs NTP can be synchronized to other reference sources and used as a reference source to synchronize other clocks.

Displaying the current system time
Select Device Management > System Time from the navigation tree to enter the System Time tab page, as shown in Figure 63. The current system time of the device appears on the page.
Figure 63 System time page (tabs: System Time, Time Zone, Network Time Protocol; System Time Configuration field showing 2011-06-16 11:41:40)

Configuring the system time
1. Select Device Management > System Time from the navigation tree. The System Time page appears, as shown in Figure 63.
2. Click the System Time Configuration text box. The calendar page appears.
Figure 64 Calendar page 2011 0
27. ...encrypts user passwords with an irreversible encryption algorithm.
5. Click Next. The page for configuring service management appears.
Figure 58 Basic configuration wizard 3/6 (service management): FTP: Enable; Telnet: Enable; HTTP: Enable, Port 80 (1025-65535, default 80); HTTPS: Enable, Port 443 (1025-65535, default 443). Note: Modification of the configuration of a service may result in disconnection with the device. Perform the operation with caution. Items marked with an asterisk are required.
6. Configure the parameters as described in Table 12.

Table 12 Configuration items
• FTP: Specify whether to enable FTP on the device. Disabled by default.
• Telnet: Specify whether to enable Telnet on the device. Disabled by default.
• HTTP: Specify whether to enable HTTP on the device and set the HTTP port number. Enabled by default. IMPORTANT: If the current user has logged in to the Web interface through HTTP, disabling HTTP or modifying the HTTP port number will result in disconnection with the device. Therefore, perform the operation with caution. When you modify a port number, make sure the port number is not used by another service.
• HTTPS: Specify whether to enable HTTPS on the device and set the HTTPS port number. Disabled by default. IMPORTANT: If the current user logged in to t
28. ...guide or online help to log in to the device.
Figure 26 Connection description (Connect To dialog)
Figure 28 Setting the properties of the serial port (Port Settings: Bits per second, Data bits, Parity: None, Stop bits, Flow control, Restore Defaults)
5. Power on the device and press Enter at the prompt.
Figure 29 CLI:
System application is starting
User interface con is available. Press ENTER to get started.
<HP>
12 15 10 20 251 2012 HP SHELL/4/LOGIN: 1.3.6.1.4.1.25506.2.2.1.1.3.0.1 login from Console
12 15 10 20 251 2012 HP SHELL/5/SHELL_LOGIN: Console logged in from con
6. At the default user view prompt <HP>, enter commands to configure the device or view the running status of the device. To get help, enter ?.

Configuring console login control settings
The following authentication modes are available for controlling console logins:
• None: Requires no authentication. This mode is insecure.
• Password: Requires password authentication.
• Scheme: Uses the AAA module to provide local or remote console login authentication. You must provide a username and password for accessing the CLI.
For more information about authentication modes and parameters, see Access Control Configuration Guide. Keep your username and password.
By default, console login does not require authenticat
29. ...has two entities: server and client.
• The ACSEI server is integrated into the software system (Comware) of the network device.
• The ACSEI client is integrated into the software system (Comware) of the firewall module.
NOTE: The collaborating IDS (Intrusion Detection System) modules or IDS devices serve as the ACFP clients, which run applications of other vendors and support the IPS (Intrusion Prevention System) and IDS services.
ACSEI mainly provides the following functions:
• Registration and deregistration of an ACSEI client to the ACSEI server.
• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
• Information interaction between the ACSEI server and ACSEI clients, including clock synchronization.
• Control of the ACSEI clients on the ACSEI server. For example, you can close or restart an ACSEI client on the ACSEI server.
An ACSEI server can register multiple ACSEI clients.

ACSEI timers
An ACSEI server uses two timers: the clock synchronization timer and the monitoring timer.
The clock synchronization timer is used to periodically trigger the ACSEI server to send clock synchronization advertisements to ACSEI clients. You can set this timer through command lines.
The monitoring timer is used to periodically trigger the ACSEI server to send monitoring requests to ACSEI clients. You can set this t
30. ...interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]. N/A.
• Display the measured values of the digital diagnosis parameters for transceiver modules: display transceiver diagnosis interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]. N/A.
• Enter system view: system-view. N/A.
• Disable alarm traps for transceiver modules: transceiver phony-alarm-disable. Optional. By default, alarm traps are enabled for transceiver modules.

Displaying and maintaining device management
For diagnosis or troubleshooting, you can use separate display commands to collect running status data module by module, or use the display diagnostic-information command to bulk collect running data for multiple modules.
• Display system version information: display version [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the system time and date: display clock [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about the users that have logged in to the device but are not under user view: display configure-user [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the software and hardware copyrig
31. ...keyword begin, the minus sign equals the keyword exclude, and the plus sign equals the keyword include.
The following definitions apply to the begin, exclude, and include keywords:
• begin: Displays the first line that matches the specified regular expression and all lines that follow.
• exclude: Displays all lines that do not match the specified regular expression.
• include: Displays all lines that match the specified regular expression.
A regular expression is a case-sensitive string of 1 to 256 characters that supports the special characters in Table 27.

Table 27 Special characters supported in a regular expression
• ^ : Matches the beginning of a line. Example: ^user matches all lines beginning with user; a line beginning with Auser is not matched.
• $ : Matches the end of a line. Example: user$ matches lines ending with user; a line ending with userA is not matched.
• . : Matches any single character, such as a single character, a special character, and a blank. Example: .s matches both as and bs.
• * : Matches the preceding character or character group zero or multiple times. Example: zo* matches z and zoo; (zo)* matches zo and zozo.
• + : Matches the preceding character or character group one or multiple times. Example: zo+ matches zo and zoo, but not z.
• | : Matches the preceding or succeeding character string. Example: def|int on
32. ...new software of the device into effect:
• Reboot the device immediately in the Web interface or at the CLI.
• At the CLI, schedule a reboot to occur at a specific time and date or after a delay.
• Power off and then power on the device. This method might cause data loss and is the least preferred method.
Rebooting in the Web interface or at the CLI enables easy remote device maintenance.

Rebooting the firewall in the Web interface
CAUTION:
• Rebooting the device results in service interruption.
• To avoid configuration loss, save the configuration before rebooting the device. For how to save the running configuration, see System Management and Maintenance Configuration Guide.
1. Select Device Management > Reboot from the navigation tree.
Figure 72 Rebooting the device (Rebooting Device: The unsaved configuration will be lost after reboot. Check whether the configuration is saved to the configuration file for next boot.)
2. If necessary, select Check whether the configuration is saved to the configuration file for next reboot. If you select this option, the device checks whether the configuration file for the next startup reflects the running configuration. If yes, the device reboots. If not, a prompt is displayed and the device does not reboot. You can save the configuration and try to reboot the device again. If you do not select this option, the device directly reboots.
3. Click Apply. A confirmation dialog box appears.
4. Co
33. ...one view and up to 10 commands. If you specify multiple views, the one specified last takes effect.
   ◦ Enter a view name in its complete form. Most commonly used view names include monitor for user view, system for system view, GigabitEthernet x/x for Ethernet interface view, and Vlan-interface x for VLAN interface view.
   ◦ The time ID (time-id) must be unique in a job. If two time and command bindings have the same time ID, the one configured last takes effect.

Scheduling a job in the non-modular approach
To schedule a job, execute one of the following commands in user view:
• Schedule a job to run a command at a specific time: schedule job at time date view view command.
• Schedule a job to run a command after a delay: schedule job delay time view view command.
Remarks: Use either command. If you execute the schedule job command multiple times, the most recent configuration takes effect. Changing any clock setting can cancel the job set by using the schedule job command.

Scheduling a job in the modular approach
1. Enter system view: system-view. N/A.
2. Create a job and enter job view: job job-name. N/A.
3. Specify the view in which the commands in the job run: view view-name. You can specify only one view for a job. The job executes all commands in the specified view.
4. Configure a command to run at a spe
34. ...password simple 123
[Sysname-luser-test] service-type telnet
When users Telnet to the device through VTY 1, they must enter username test and password 123. After passing the authentication, the users can only use level 0 commands.
# Assign commands of levels 0 through 3 to the users.
[Sysname-luser-test] authorization-attribute level 3

Configuring the user privilege level directly on a user interface
To configure the user privilege level directly on a user interface that uses the scheme authentication mode:
1. Configure the authentication type for SSH users as publickey. For more information, see System Management and Maintenance Configuration Guide. Required only for SSH users.
2. Enter system view: system-view. N/A.
3. Enter user interface view: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }. N/A.
4. Enable the scheme authentication mode: authentication-mode scheme. By default, the authentication mode for VTY users is scheme, and no authentication is needed for console users.
5. Configure the user privilege level: user privilege level level. By default, the user privilege level for users logged in through the console user interface is 3, and that for users logged in through the other user interfaces is 0.
To configure the user privilege level directly on a user interface that uses the none or password
35. ...supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software products, including IMC. For more information about SNMP, see System Management and Maintenance Configuration Guide.
By default, SNMP access is disabled. To enable SNMP access, log in to the device through any other method and configure SNMP login.

Configuring SNMP access
Connect the PC, the NMS, and the device to the network, making sure they can reach each other, as shown in Figure 53. This document describes only the basic SNMP configuration procedures on the device.
Figure 53 Network diagram (Firewall connected to the NMS)
IMPORTANT: To make SNMP operate correctly, make sure the SNMP settings, including the SNMP version, on the NMS are consistent with those on the firewall.

Prerequisites
• Assign an IP address to a Layer 3 interface on the firewall. By default, only interface GigabitEthernet 0/0 is assigned an IP address, 192.168.0.1/24.
• Configure routes to make sure the NMS and the Layer 3 interface can reach each other.

Configuring SNMPv3 access
1. Enter system view: system-view. N/A.
2. Enable the SNMP agent: snmp-agent. Optional. By default, the SNMP agent is disabled. You can enable the SNMP agent with this command or any command that begins with snmp-agent.
3. Configure an SNMP group: snmp-agent group v3 group-name ... By default, no SNMP group is configured. 3 Configure an SNMP
36. ...the NMS to update with the new IP address for communicating with the device.
You can configure one primary and one secondary interface for the device to communicate with the NMS, but the device monitors only one of them for IP address changes at a time. If the IP address of the monitored interface in UP state changes, whether because of manual reassignment or DHCP reassignment, the device notifies the NMS of the new IP address. IP address changes of the interface not under monitoring are ignored.
The device preferentially monitors the primary interface. HP recommends that you specify the interface that has the better route or the more reliable link as the primary interface. The device changes the monitored interface only when the interface goes down, the interface IP address is deleted, or the role of the interface is removed by using the undo nms { primary | secondary } monitor-interface command.
Before you specify NMS-connected interfaces, make sure you have configured the NMS as the SNMP notification destination host. For more information about SNMP, see System Management and Maintenance Configuration Guide.
To monitor NMS-connected interfaces:
1. Enter system view: system-view. N/A.
2. Specify NMS-connected interfaces. Configure at least one command. By default, no interfaces are configured as NMS-connected interfaces.
   • Specify the primary interface: nms primary monitor-interface interface-type interface-number.
   • Specify s
37. ...the device model. For more information, see Getting Started Command Reference.
• Display RPS status information: display rps [ rps-id ] [ | { begin | exclude | include } regular-expression ]. Available in any view. NOTE: Support for this command depends on the device model. For more information, see Getting Started Command Reference.
• Display the mode of the last reboot: display reboot-type [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the configuration of the job configured by using the schedule job command: display schedule job [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the reboot schedule: display schedule reboot [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the configuration of jobs configured by using the job command: display job [ job-name ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the exception handling method: display system-failure [ | { begin | exclude | include } regular-expression ]. Available in any view.

Managing users
Local users are a set of user attributes configured on the local device. A local user is uniquely identified by username. To enable users using a certain network service to pass the local authentication, you must configur
38. ...the password are ignored.
• Password Encryption: Specify the password encryption method. Reversible: the device encrypts user passwords with a reversible encryption algorithm. Irreversible: the device encrypts user passwords with an irreversible encryption algorithm.
• Virtual Device: Set the virtual device to which a user belongs. Every time a user logs in through the Web interface, the user logs in to the virtual device to which the user belongs. When a root virtual device user with privilege level Configure or Management logs in to the device, the user can log in to another virtual device by selecting Device > Virtual Device > Virtual Device. The access right of the user is the same as that of other virtual device users that have the same privilege level.

Table 20 Service type feature and hardware compatibility
• F1000-A-EI: Does not support the DVPN service type.
• F1000-S-EI: Does not support the DVPN service type.
• F1000-E: Supports all service types.
• F5000: Supports all service types.
• Firewall module: Supports all service types.
• U200-A: Does not support the DVPN service type.
• U200-S: Does not support the DVPN service type.

Configuration example
Network requirements
As shown in Figure 76, configure the firewall to allow user Emily to log in to the firewall root virtual device through the Web interface and view the data on the firewall, but prevent the user from performing any configurat
39. ...the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Follow these guidelines when you configure scheme authentication for AUX login:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.
To configure scheme authentication for AUX login:
1. Enter system view: system-view. N/A.
2. Enter one or more AUX user interface views: user-interface aux first-number [ last-number ]. N/A.
3. By default p
40. ...the username or password configured on a remote server was lost, contact the server administrator for help.

Table 8 Configuration required for different AUX login authentication modes
• None: Set the authentication mode to none for the AUX user interface. Reference: Configuring none authentication for AUX login.
• Password: Enable password authentication on the AUX user interface; set a password. Reference: Configuring password authentication for AUX login.
• Scheme: Enable scheme authentication on the AUX user interface; configure local or remote authentication settings. To configure local authentication: (1) configure a local user and specify the password; (2) configure the device to use local authentication. To configure remote authentication: (1) configure the RADIUS or HWTACACS scheme on the device; (2) configure the username and password on the AAA server; (3) configure the device to use the scheme for user authentication. Reference: Configuring scheme authentication for AUX login.

Configuring none authentication for AUX login
1. Enter system view: system-view. N/A.
2. Enter one or more AUX user interface views: user-interface aux first-number [ last-number ]. N/A.
3. Enable none authentication mode: authentication-mode none. By default, password authentication is enabled for AUX
41. ...to an interface of the device, and make sure the interface and the SSH client can reach each other. By default, only interface GigabitEthernet 0/0 is assigned an IP address, 192.168.0.1/24.
• Configure scheme authentication for VTY login users (scheme authentication by default).
• Configure the user privilege level of VTY login users (0 by default).
• Local login through the AUX port: By default, login through the AUX port is disabled. To enable AUX login, log in to the device through the console port and configure the password for the default password authentication mode, or change the authentication mode and configure parameters for the new authentication mode. NOTE: Support for this login method depends on the device model. For more information, see Configuring none authentication for AUX login.
• Logging in to the Web interface: By default, you can log in to the Web interface of the device with the IP address 192.168.0.1/24 (the IP address of interface GigabitEthernet 0/0), the username admin, and the password admin.
• Accessing the device through SNMP: By default, SNMP login is disabled. To use the SNMP service, complete the following configuration tasks: Assign an IP address to an interface of the device, and make sure the interface and the NMS can reach each other. By default, only interface GigabitEthernet 0/0 is assigned an IP address, 192.168.0.1/24.
42. ...to filter Telnet traffic by source and/or destination IP address. Use an Ethernet frame header ACL (4000 to 4999) to filter Telnet traffic by source MAC address.
To access the device, a Telnet user must match a permit statement in the ACL applied to the user interface.

Configuring source IP-based Telnet login control
1. Enter system view: system-view. N/A.
2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]. By default, no basic ACL exists.
3. Configure an ACL rule. By default, a basic ACL does not contain any rule. The logging keyword takes effect only when the module using the ACL, such as the firewall, supports the logging function.
   • For IPv4 networks: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   • For IPv6 networks: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { ipv6-address prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   NOTE: Support for the IPv6 rule depends on the device model. For more information, see Getting Started Command Reference.
4. Exit the basic ACL view: quit. N/A.
5. Enter user interface view: user-interface [ type ] first-n
43. ...together provide highly integrated network and security functions for large networks.
The firewall modules support the following functions and features:
• Traditional firewall functions.
• Virtual firewall, security zone, attack protection, URL filtering.
• Application Specific Packet Filter (ASPF), which can monitor connection processes and user operations, and provide dynamic packet filtering together with ACLs.
• Multiple types of VPN services, such as IPsec VPN.
• RIP, OSPF, and BGP routing.
A firewall module provides two GE ports and two GE combo interfaces, which can be used as management ports and stateful failover ports. It is connected to the main network device through the internal 10GE port. The HP main network device's rear card has line-speed forwarding capability, ensuring fast data forwarding with the firewall module.
The firewall modules are equipped with dedicated multi-core processors and high-speed caches. They can process security services without impacting the performance of the main network devices.

Appearance
Figure 7 Firewall module for 5800 switches

Enhanced firewall modules
The Enhanced firewall module is a new-generation firewall module developed on the 40G hardware platform to meet the security-network integration trend and satisfy ultra-10G Ethernet bandwidth requirements. It is the first model of ultra-10G firewall module in the industry and can be used in HP 10500/12500 Ethernet switches. Using
44. ...transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance, and vendor name.
• Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration, including the serial number, manufacturing date, and vendor name. The data is written to the storage component during debugging or testing.
To verify transceiver modules, execute the following commands in any view:
• Display key parameters of the transceiver modules: display transceiver interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ].
• Display transceiver module electrical label information: display transceiver manuinfo interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ].

Diagnosing transceiver modules
The device provides the alarm function and digital diagnosis function for transceiver modules. When a transceiver module fails or works inappropriately, you can examine the alarms present on the transceiver module to identify the fault source, or examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.
To diagnose transceiver modules, execute the following commands in any view:
• Display alarms present on the transceiver modules: display transceiver alarm interface
45. ...0 week-day mon tue wed thu fri command shutdown
[Firewall-job-pc1] quit
# Create a job named pc2 and enter its view.
[Firewall] job pc2
# Configure the job to be executed in the view of GigabitEthernet 0/2.
[Firewall-job-pc2] view gigabitethernet 0/2
# Configure the firewall to enable GigabitEthernet 0/2 at 8:00 on working days every week.
[Firewall-job-pc2] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
# Configure the firewall to shut down GigabitEthernet 0/2 at 18:00 on working days every week.
[Firewall-job-pc2] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown
[Firewall-job-pc2] quit
# Create a job named pc3 and enter its view.
[Firewall] job pc3
# Configure the job to be executed in the view of GigabitEthernet 0/3.
[Firewall-job-pc3] view gigabitethernet 0/3
# Configure the firewall to enable GigabitEthernet 0/3 at 8:00 on working days every week.
[Firewall-job-pc3] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
# Configure the firewall to shut down GigabitEthernet 0/3 at 18:00 on working days every week.
[Firewall-job-pc3] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown
[Firewall-job-pc3] quit
# Display information about scheduled jobs.
[Firewall] display job
Job name: pc1
Specified view: GigabitEthernet0/1
Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays Fridays
Time 2
46. ...000 on user interfaces VTY 0 through VTY 4, so only Host A and Host B can Telnet to the firewall.
[Firewall] user-interface vty 0 4
[Firewall-ui-vty0-4] acl 2000 inbound

Configuring source IP-based SNMP login control
Use a basic ACL (2000 to 2999) to control SNMP logins by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL.
To configure source IP-based SNMP login control:
1. Enter system view: system-view. N/A.
2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]. By default, no basic ACL exists. NOTE: Support for the ipv6 keyword depends on the device model. For more information, see Getting Started Command Reference.
3. Configure an ACL rule: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *. N/A.
4. Exit the basic ACL view: quit. N/A.
5. Associate the ACL with the SNMP community or group:
   • SNMPv1/v2c community: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ]
   • SNMPv1/v2c group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] [ acl
   For more information about SNMP
47. ...10.110.100.46 0
[Firewall-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Firewall] snmp-agent community read aaa acl 2000
[Firewall] snmp-agent group v2c groupa acl 2000
[Firewall] snmp-agent usm-user v2c usera groupa acl 2000

Configuring Web login control
Use a basic ACL (2000 to 2999) to filter HTTP/HTTPS traffic by source IP address for Web login control. To access the device, a Web user must use an IP address permitted by the ACL. You can also log off suspicious Web users that have already logged in.

Configuring source IP-based Web login control
1. Enter system view: system-view. N/A.
2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]. By default, no basic ACL exists. NOTE: Support for the ipv6 option depends on the device model. For more information, see Getting Started Command Reference.
3. Create rules for this ACL: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *. N/A.
4. Exit the basic ACL view: quit. N/A.
5. Associate the HTTP service with the ACL: ip http acl acl-number. Configure either or both of the commands. HTTP login and HTTPS login are
48. ...6-16 11:42:57 (calendar page showing Jun 2011, days Sun through Sat, 1 to 30; Time 11:42:59)
3. Modify the system time either in the System Time Configuration text box or through the calendar page. You can perform the following operations on the calendar page:
   ◦ Click Today to set the current date on the calendar to the current system date of the local host; the time stays unchanged.
   ◦ Set the year, month, date, and time, and then click OK.
4. Click Apply in the system time configuration page to save your configuration.

Configuring the network time
1. Select Device Management > System Time from the navigation tree.
2. Click Network Time Protocol. The page for configuring network time appears.
Figure 65 Network time (tabs: System Time, Time Zone, Network Time Protocol. Clock status: unsynchronized. Local Reference Source: Stratum 1, Source Interface, Key 1 ID (1-4294967295) and Key String (1-32 chars), Key 2 ID (1-4294967295) and Key String (1-32 chars). External Reference Source: NTP Server 1 with Reference Key ID, NTP Server 2 with Reference Key ID.)
3. Configure the network time as described in Table 15.
4. Click Apply.

Table 15 Configuration items
• Clock status: Displays the synchronization status of the system clock.
• Set the IP ad
...RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, console login users are not authenticated.

Step 3. Enable scheme authentication.
Command: authentication-mode scheme

Step 4. Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.

Step 5. Enable command accounting.
Command: command accounting
Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.

Step 6. Exit to system view.
Command: quit
Remarks: N/A

Step 7. Apply an AAA authentication scheme to the intended domain.
 a. Enter ISP domain view: domain domain-name
 b. Apply an AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
 c. Exit to system view: quit
Remarks: Optional. By default, local authentication is used. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device and configure authentication settings, including the username and password, on the server. For more information about AAA configuration, see Access Control Configuration Guide.

Step 8. Create a local user and enter local user view.
Command: local-user user-name
Remarks: By default, a local user named admin e...
Configuring common VTY user interface settings (optional)

You might be unable to access the CLI through a VTY user interface after configuring the auto-execute command command on it. Before you configure the command and save the configuration, make sure you can access the CLI through a different user interface.

To configure common settings for VTY user interfaces:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter one or multiple VTY user interface views.
Command: user-interface vty first-number [ last-number ]
Remarks: N/A

Step 3. Enable the terminal service.
Command: shell
Remarks: Optional. By default, terminal service is enabled.

Step 4. Enable the user interfaces to support Telnet, SSH, or both of them.
Command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, both Telnet and SSH are supported. The configuration takes effect the next time you log in.

Step 5. Define a shortcut key for terminating tasks.
Command: escape-key { default | character }
Remarks: Optional. By default, pressing Ctrl+C terminates a task.

Step 6. Configure the type of terminal display.
Command: terminal type { ansi | vt100 }
Remarks: Optional. By default, the terminal display type is ANSI.

Step 7. Set the maximum number of lines to be displayed on a screen.
Command: screen-length screen-length
Remarks: Optional. By default, up to 24 lines are displayed on a screen. A value of 0 disables the function.

Step 8. Set the size of the command history buffer.
Command: history-command max-size...
HP Firewalls and UTM Devices Getting Started Guide

Part number: 5998-4163
Software version:
 F1000-A-EI: Feature 3722
 F1000-S-EI: Feature 3722
 F5000: Feature 3211
 F1000-E: Feature 3174
 Firewall module: Feature 3174
 Enhanced firewall module: ESS 3807
 U200-A: ESS 5132
 U200-S: ESS 5132
Document version: 6PW100-20121228

Legal and notice information

Copyright 2012 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents
F1000-A-EI/F1000-S-EI...
[Switch] acsei server enable
# Enter ACSEI server view.
[Switch] acsei server
# Set the clock synchronization timer to 10 minutes.
[Switch-acsei-server] acsei timer clock-sync 10
# Set the monitoring timer to 10 seconds.
[Switch-acsei-server] acsei timer monitor 10
# Enable ACSEI client on the Ten-GigabitEthernet 0/0 interface.
<FW-module> system-view
[FW-module] interface ten-gigabitethernet 0/0
[FW-module-Ten-GigabitEthernet0/0] acsei client enable

Verifying the configuration

# Restart the firewall module on the network device.
<Switch> oap reboot slot 3
This command will recover the OAP from shutdown or other failed state.
Warning: This command may lose the data on the hard disk if the OAP is not being shut down! Continue? [Y/N]:y
Reboot OAP by command.
The output shows that you can restart the firewall module on the network device.

# Display the ACSEI server configuration information on the network device.
<Switch> display current-configuration configuration acsei-server
#
acsei server
 acsei timer clock-sync 10
 acsei timer monitor 10
#
return
<Switch>
The output shows that the clock synchronization timer and monitoring timer are 10 minutes and 10 seconds, respectively.

Basic configuration

Overview

Basic configuration information includes:
 Device name and login password: Modify the system name and the password of the current user.
 Service management: Specify whether to enable the servi...
...abling the HTTPS service, associate the HTTPS service with an SSL server policy first. If the HTTPS service has been enabled, any changes to the SSL server policy associated with it do not take effect.

Step 4. Enable the HTTPS service.
Command: ip https enable
Remarks: By default, HTTPS is disabled. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds and the HTTPS service can be started properly. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, execute the ip https enable command multiple times to start the HTTPS service.

Step 5. Associate the HTTPS service with a certificate attribute-based access control policy.
Command: ip https certificate access-control-policy policy-name
Remarks: Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients. You must configure the client-verify enable command in the associated SSL server policy. If not, no clients can log in to the device. The associated SSL server policy must contain at least one permit r...
Contents (continued)
 Overview
 Appearance
F1000-E
 Overview
 Appearance
F5000
 Overview
 Appearance
Firewall modules
 Overview
 Appearance
Enhanced firewall modules
UTM products
 Overview
 Appearance
Application scenarios...
...assword

Step 3. Enable scheme authentication.
Command: authentication-mode scheme
Remarks: ...authentication is enabled on AUX user interfaces.

Step 4. Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.

Step 5. Enable command accounting.
Command: command accounting
Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.

Step 6. Exit to system view.
Command: quit
Remarks: N/A

Step 7. Apply an AAA authentication scheme to the intended domain.
 a. Enter the ISP domain view: domain domain-name
 b. Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
 c. Exit to system view: quit
Remarks: Optional. By default, local authentication is used. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device and configure authentication settings, including the username and password, on the server. For more information about AAA configuration, see Access Control Configuration Guide.

Step 8. Create a local user and enter local user view.
Command: local-user user-name
Remarks: By default, no local user exists.

Step 9. Set a password for the local user.
Command: password { cipher | simple } password...
...aunch a Web browser and enter the IP address of the interface in the address bar. The Web login page appears, as shown in Figure 48.

Figure 48 Web login page
[Screenshot: Web User Login; User Name, Password, Verify Code]

Enter the username, password, and verification code, and click Login. The homepage appears. After login, you can configure device settings through the Web interface.

HTTPS login configuration example

Network requirements

As shown in Figure 49, to prevent unauthorized users from accessing the firewall, configure the firewall as the HTTPS server and the host as the HTTPS client, and request a certificate for each of them.

Figure 49 Network diagram
[Diagram: Firewall with interfaces 10.1.1.1/24 and 10.1.2.1/24, connected to the Host and the CA]

Configuration procedure

This example assumes that the CA is named new-ca, runs Windows Server, and is installed with the SCEP add-on. This example also assumes that the firewall, host, and CA can reach one another.

1. Configure the firewall (HTTPS server):
# Configure a PKI entity; configure the common name of the entity as http-server1 and the FQDN of the entity as ssl.security.com.
<Firewall> system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server1
[Firewall-pki-entity-en] fqdn ssl.security.com
[Firewall-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/ms...
...authentication is adopted depends on the configured AAA scheme. By default, local authentication is adopted.

Step 4. Enable scheme authentication.
Command: authentication-mode scheme

Step 5. Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.

Step 6. Enable command accounting.
Command: command accounting
Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.

Step 7. Exit to system view.
Command: quit
Remarks: N/A

Step 8. Apply an AAA authentication scheme to the intended domain.
 a. Enter ISP domain view: domain domain-name
 b. Apply an AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
 c. Exit to system view: quit
Remarks: Optional. By default, local authentication is used. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device and configure authentication settings, including the username and password, on the server. For more information about AAA configuration, see Access Control Configuration Guide.

Step 9. Create a local user and enter local user view.
Command: local-user user-name
Remarks: By default, a local user named admin exists. By default, the password for...

Step 10. Set a passwor...
...cep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
[Firewall] pki domain 1
[Firewall-pki-domain-1] ca identifier new-ca
[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Firewall-pki-domain-1] certificate request from ra
[Firewall-pki-domain-1] certificate request entity en
[Firewall-pki-domain-1] quit
# Create RSA local key pairs.
[Firewall] public-key local create rsa
# Retrieve the CA certificate from the certificate issuing server.
[Firewall] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for the firewall.
[Firewall] pki request-certificate domain 1
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
[Firewall] ssl server-policy myssl
[Firewall-ssl-server-policy-myssl] pki-domain 1
[Firewall-ssl-server-policy-myssl] client-verify enable
[Firewall-ssl-server-policy-myssl] quit
# Create a certificate attribute group mygroup1 and configure a certificate attribute rule, specifying that the distinguished name in the subject name includes the string new-ca.
[Firewall] pki certificate attribute-group mygroup1
[Firewall-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Firewall-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based acc...
...services like FTP, Telnet, HTTP, and HTTPS, and set port numbers for HTTP and HTTPS.
 Interface IP address: Configure IP addresses for Layer 3 Ethernet interfaces and VLAN interfaces.
 NAT: Configure dynamic NAT, internal server translation, and related parameters.
 Security zone: Add interfaces to security zones. After you add interfaces to security zones, you can apply security policies to the interfaces or their IP addresses based on security zones.

You can configure basic configuration information at the CLI or in the Web interface. This chapter describes how to configure basic configuration information at the CLI and through the basic configuration wizard. For more information, see the following configuration guides:
 Device name: Managing the device
 Login password: Managing users
 Service management: Access Control Configuration Guide
 Interface IP address: Network Management Configuration Guide
 NAT: NAT and ALG Configuration Guide
 Security zone: Access Control Configuration Guide

Performing basic configuration in the Web interface

1. Select Wizard from the navigation tree.
2. Click the Basic Device Information hyperlink.

Figure 56 Basic configuration wizard (1/6)
[Screenshot: Basic Configuration Wizard. The basic configuration wizard guides you to configure device basic information, service management, IP address management, and NAT. Click Next to continue. Items marked with an asterisk (*) are req...]
...(continuing the special-character table)
\w: Matches a letter, digit, or underline ([A-Za-z0-9_]) as character2; for example, ...matches service (i being character2).
\W: Matches a character that is not a letter, digit, or underline; for example, \Wa matches -a (- being \W and a being character2), but does not match 2a or ba.
\ (escape character): If a special character listed in this table follows \, the specific meaning of the character is removed. For example, \\ matches a string containing \, \^ matches a string containing ^, and \\b matches a string containing \b.

The following are several regular expression examples:

# Use | begin user-interface in the display current-configuration command to match the first line of output that contains user-interface to the last line of output.
<Sysname> display current-configuration | begin user-interface
user-interface con 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return

# Use | exclude Direct in the display ip routing-table command to filter out direct routes and display only the non-direct routes.
<Sysname> display ip routing-table | exclude Direct
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost   NextHop        Interface
Tel 10 24           Static  60   0      192.168.0.0    Vlan1

# Use | include Vlan in the display ip routing-table command to filter in route entries that contain Vlan.
<Sysname> display ip routing-table | include Vlan
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost   NextHop        Interface
192.168.1.0/24      Direct  0    0      192.168...
...cific time and date: time time-id at time date command command
 Configure a command to run at a specific time: time time-id { one-off | repeating } at time [ month-date month-day | week-day week-daylist ] command command
 Configure a command to run after a delay: time time-id { one-off | repeating } delay time command command
Remarks (Step 4, Add commands to the job): Use any of the commands. Changing a clock setting does not affect the schedule set by using the time at or time delay command.

Scheduled job configuration example

Network requirements

Configure scheduled jobs on the firewall to enable interfaces GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3 at 8:00 and disable them at 18:00 on working days every week, to control the access of the PCs connected to these interfaces.

Figure 73 Network diagram
[Diagram: Firewall connected to PC 1, PC 2, and PC 3]

Configuration procedure

# Enter system view.
<Firewall> system-view
# Create a job named pc1 and enter its view.
[Firewall] job pc1
# Configure the job to be executed in the view of GigabitEthernet 0/1.
[Firewall-job-pc1] view gigabitethernet 0/1
# Configure the firewall to enable GigabitEthernet 0/1 at 8:00 on working days every week.
[Firewall-job-pc1] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
# Configure the firewall to shut down GigabitEthernet 0/1 at 18:00 on working days every week.
[Firewall-job-pc1] time 2 repeating at 18:0...
...configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the device, the device assigns VTY 0 to the user and uses the settings on VTY 0 to authenticate and manage the user.

User interface identification

A user interface can be identified by an absolute number, or by the interface type and a relative number.

An absolute number uniquely identifies a user interface among all user interfaces. The user interfaces are numbered starting from 0 and incrementing by 1, in the sequence of console, AUX, and then VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.

A relative number uniquely identifies a user interface among all user interfaces that are the same type. The number format is user interface type + number:
 Console user interface: CON 0
 AUX user interface: AUX 0
 VTY user interfaces: numbered starting from 0 and incrementing by 1

Logging in to the CLI

By default, the first time you access the CLI you must log in through the console port. At the CLI, you can configure Telnet or SSH for remote access.

Logging in through the console port for the first time

To log in through the console port, make sure the console terminal has a terminal emulation program, for example, HyperTerminal in Windows XP. In addition, the port settings of the terminal emulation program must be the same as the default settings of the...
...console port in Table 3.

Table 3 Default console port properties
Parameter: Bits per second; Default: 9600 bps
Parameter: Flow control; Default: None
Parameter: Parity; Default: None
Parameter: Stop bits; Default: 1
Parameter: Data bits; Default: 8

To log in through the console port from a console terminal (for example, a PC):
1. Connect the DB-9 female connector of the console cable to the serial port of the PC.
2. Connect the RJ-45 connector of the console cable to the console port of the device.
IMPORTANT:
 Identify the mark on the console port and make sure you are connecting to the correct port.
 The serial ports on PCs do not support hot swapping. If the device has been powered on, always connect the console cable to the PC before connecting it to the device, and when you disconnect the cable, first disconnect it from the device.
Figure 25 Connecting a terminal to the console port
[Diagram: Host RS-232 port connected by the console cable to the device console port]
3. If the PC is off, turn on the PC.
4. Launch the terminal emulation program and configure the communication properties on the PC. Figure 26 through Figure 28 show the configuration procedure on Windows XP HyperTerminal. Make sure the port settings are the same as listed in Table 3.
On Windows Server 2003, add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or some other operating system, obtain a third-party terminal control program first, and then follow the user...
...d
Command: password { cipher | simple } password
Remarks: ...the system-predefined user admin is admin, and no password is set for any other local user.

Step 11. Specify the command level of the local user.
Command: authorization-attribute level level
Remarks: Optional. By default, the command level is 0.

Step 12. Specify Telnet service for the local user.
Command: service-type telnet
Remarks: By default, the system-predefined user admin can use terminal service, Telnet service, SSH service, and Web service, and no service type is specified for any other local user.

Step 13. Exit to system view.
Command: quit
Remarks: N/A

Step 14. Configure common settings for VTY user interfaces.
See Configuring common VTY user interface settings (optional).
Remarks: Optional.

The next time you attempt to Telnet to the CLI, you must provide the configured login username and password, as shown in Figure 33. If you are required to pass a second authentication, you must also provide the correct password to access the CLI. If the maximum number of login users has been reached, your login attempt fails and the message "All user interfaces are used, please try later!" appears.

Figure 33 Scheme authentication interface for Telnet login
[Terminal window: Telnet 192.168.2.3]
Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.
Without the owner's prior written consent, no decompiling or reverse engineering shall be allowed.
Login authentication
Username:admin
Password:
<HP>
...d all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Follow these guidelines when you configure scheme authentication for Telnet login:
 To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
 If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
 If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

To configure scheme authentication for Telnet login:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable Telnet server.
Command: telnet server enable
Remarks: By default, the Telnet server function is disabled.

Step 3. Enter one or multiple VTY user interface views.
Command: user-interface vty first-number [ last-number ]
Remarks: N/A

...Whether local, RADIUS, or HWTACACS...
...des a built-in Web server for you to configure the device through a Web browser. Web login is enabled by default.

Configuration guidelines
 The Web-based configuration interface supports the operating systems of Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Windows 7, Linux, and MAC OS.
 The Web-based configuration interface supports the browsers of Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher, and the browser must support and be enabled with JavaScript.
 The Web-based configuration interface does not support the Back, Next, and Refresh buttons provided by the browser. Using these buttons may result in abnormal display of Web pages.
 The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, sometimes you may be unable to open the Web interface. To avoid this problem, HP recommends you to turn off the Windows firewall before login.
 If the software version of the device changes, clear the cache data on the browser before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
 You can display at most 20,000 entries that support content display by pages.

Logging in by using the default Web login settings

By default, the HTTP service is enabled on the device, and you can log in to th...
...dress of the local clock source to 127.127.1.u, where u ranges from 0 to 3, representing the NTP process ID.
Item: Local Reference Source
Description:
 If the IP address of the local clock source is specified, the local clock is used as the reference clock and thus can provide time for other devices.
 If the IP address of the local clock source is not specified, the local clock is not used as the reference clock.

Item: Stratum
Description: Set the stratum level of the local clock. The stratum level of the local clock decides the precision of the local clock. A higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.

Item: Source Interface
Description: Set the source interface for NTP messages. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the NTP messages is the primary IP address of this interface. If the specified source interface is down, the source IP address of the NTP messages sent is the primary IP address of the outbound interface.

Item: Key 1
Description: Set the NTP authentication key. The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, whic...
[Table comparing the non-modular approach (schedule job command) with the modular approach (job and time commands), continued]
 ...ds: Non-modular: ... Modular: Yes. You can use the time command in job view to configure commands to be executed at different time points.
 Supported views: Non-modular: User view and system view. In the schedule job command, shell represents user view and system represents system view. Modular: All views. In the time command, monitor represents user view.
 Supported commands: Non-modular: Commands in user view and system view. Modular: Commands in all views.
 Can a job be executed multiple times: Non-modular: No. Modular: Yes.
 Can a job be saved: Non-modular: No. Modular: Yes.

Configuration guidelines
 To have a job successfully run a command, make sure the specified view and command are valid. The system does not verify their validity.
 After job execution, the configuration interface, view, and user status that you have before job execution restores, even if the job ran a command to change the user interface (for example, telnet, ftp, and ssh2), the view (for example, system-view and quit), or the user status (for example, super).
 The jobs run in the background without displaying any messages except log, trap, and debugging messages.
 If you reboot the device, the system time and date are restored to the factory default. To make sure scheduled jobs can be executed at the expected time, you must change the system time and date, or configure NTP for the device. For NTP configuration, see Network Management and Monitoring Configuration Guide.
 In the modular approach:
 o Every job can have only...
...e. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system, which are not defined by any protocols or RFCs.

Configuring a user privilege level

If the authentication mode on a user interface is scheme, configure a user privilege level for the user interface's users through the AAA module or directly on the user interface. For SSH users who use public key authentication, the user privilege level configured directly on the user interface always takes effect. For other users, the user privilege level configured in the AAA module has priority over the one configured directly on the user interface.

If the authentication mode on a user interface is none or password, configure the user privilege level directly on the user interface.

For more information about user login authentication, see Logging in to the CLI. For more information about AAA and SSH, see Access Control Configuration Guide.

Configuring a user privilege level for users through the AAA module

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter user interface view.
Command: user-interface { first-num1 [ last-num1 ] | { console | vty } first-num2 [ last-num2 ] }
Remarks: N/A

Step 3. Specify the scheme authentication mode.
Command: authen...
Remarks: By default, the authentication mode for VTY users is scheme, and no authentication is needed for console login users.
...e Web interface of the device with the following default Web login settings:
 Username: admin
 Password: admin
 Management interface: GigabitEthernet 0/0, IP address 192.168.0.1

If the HTTP service is disabled, you can enable it by following the steps provided in Configuring HTTP login.

You can use the default settings to log in to the Web interface by following these steps:
1. Connect a PC to the device's management interface GigabitEthernet 0/0 by using a crossover Ethernet cable.
2. Change the IP address of the PC to one in the network segment 192.168.0.0/24 (except for 192.168.0.1), for example, 192.168.0.2.
3. Configure routes to make sure the PC and device can communicate with each other properly.
4. Launch a Web browser on the PC, enter the IP address 192.168.0.1 in the address bar, and press Enter to open the Web login page.
5. Enter the username, password, and verification code, and click Login. To get a new verification code, click the verification code displayed on the Web login page.
Up to five users can concurrently log in to the device through the Web interface.

Figure 46 Web login page
[Screenshot: Web User Login; User Name, Password, Verify Code (shown as U4BH), Login]

Adding a Web login account

Perform the following configuration at the CLI:
# Add a Web user. Set the username to userA, the password to 123456, and the user privilege level to 3.
[HP] local-user userA
New local user added.
[HP-luser-userA] s...
...e accounts for the users to the local user database on the device. A local user has the following attributes:
 Username
 User password
 User privilege level
 Service type that the user can use
 Virtual device to which the user belongs

User levels

User levels from low to high are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a lower level.
 Visitor: Users of this level can perform ping and traceroute operations, but can neither access the device data nor configure the device.
 Monitor: Users of this level can only access the device data but cannot configure the device.
 Configure: Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
 Management: Users of this level can perform any operations for the device.
The previously mentioned user levels apply to users using root virtual devices only.

Configuring a local user in the Web interface

Configuration procedure

To configure a local user:
1. Select User > Local User from the navigation tree.
Figure 74 Local user
[Screenshot table: User Name / Level / Service Type / Virtual Device / Operation: admin, Management, Web Telnet, Root; user_vda, Visitor, Telnet, VD_A; user_vdb, Management, Web Telnet, VD_B; Add button]
2. Click Add.
Figure 75 Adding a local user
...e by default.

Step 5. Configure the monitoring timer.
Command: acsei timer monitor seconds
Remarks: Optional. Five seconds by default.

Step 6. Close the specified ACSEI client.
Command: acsei client close client-id
Remarks: Optional. Supported on the ACSEI client running Linux only.

Step 7. Restart the specified ACSEI client.
Command: acsei client reboot client-id
Remarks: Optional.

Configuring ACSEI client on the firewall module

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step 3. Enable the ACSEI client.
Command: acsei client enable
Remarks: Disabled by default. The Comware platform can run only one ACSEI client, that is, the ACSEI client can be enabled on only one interface at a time. But the ACSEI client on the Comware platform and that on the firewall module can run simultaneously.

Displaying and maintaining ACSEI server and client

On the network device:
 Display ACSEI client summary: display acsei client summary [ client-id ] (available in any view)
 Display ACSEI client information: display acsei client info [ client-id ] (available in any view)
On the firewall module:
 Display ACSEI client information: display acsei client information (available in any view)
 Display current ACSEI client state: display acsei client status (available in any view)

Example of monitoring and managing the firewall module from the network device

Network r...
73. e local server. The system uses the login username as the privilege level switching username. ... device with the super password command for the privilege level ...
Changing the level of a command
Every command in a view has a default command level. The default command level scheme is sufficient for the security and ease-of-maintenance requirements of most networks. If you want to change the level of a command, make sure the change does not result in any security risk or maintenance problem.
To change the level of a command:
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Change the level of a command in a specific view: privilege level level view view command. See Table 28 for the default command settings.
Saving the running configuration
You can use the save command in any view to save all submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot. The save command does not take effect on one-time commands, including display and reset commands. One-time commands are never saved.
Displaying and maintaining CLI
Task | Command | Remarks
• Display the command keyword alias configuration: display command-alias [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display data in the clipboard: display clipboard [ | { begin | exclude | include } regular-expression ]. Available in any view.
74. e required.
8. Assign IP addresses to the interfaces.
Table 13 Configuration items
Item | Description
Configuration | Set the approach for obtaining the IP address, including:
• None: The IP address of the interface is not specified. The interface has no IP address.
• Static Address: Specify the IP address for the interface manually. If you select this item, specify both the IP address and the mask.
• DHCP: The interface obtains an IP address automatically through the DHCP protocol.
• Do not change: The IP address of the interface does not change.
IMPORTANT: Modification to the interface IP address results in disconnection with the device, so make changes with caution.
IP Address / Mask | If you select Static Address as the approach for obtaining the IP address, set the interface IP address and network mask.
9. Click Next. The page for configuring NAT appears.
Figure 60 Basic configuration wizard (5/6): NAT configuration (page fields: Interface GigabitEthernet0/0; Dynamic NAT: Enable, Source IP/Wildcard, Destination IP/Wildcard, Protocol Type; Internal Server: Enable, External IP/Port (0-65535, 0 represents any), Internal IP/Port (0-65535, 0 represents any))
Note: Modification of the NAT configuration may result in disconnection with the device. Perform the operation with cau
75. e system time automatically decreases by summer-offset ... is outside the summer offset ...
(Table of system clock configuration examples, garbled on the page: each row combines clock datetime, clock timezone zone-time add 1, and clock summer-time ss one-off commands, gives the resulting effective system time (date-time adjusted by zone-offset and summer-offset) and states whether that time is inside or outside the daylight saving time range. Recoverable effective times include 01:00:00 UTC Tue 01/01/2008, 23:30:00 UTC Sun 12/31/2006, 03:00:00 ss Mon 01/01/2007, 02:00:00 zone-time Sat 01/01/2005, and 04:00:00 ss Sat 01/01/2005.)
Command | Effective system time | Configuration example | System time
clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 | date-time ± zone-offset | outside the daylight saving time range | 02:00:00 zone-time Mon
76. e user interface views: user-interface vty first-number [ last-number ]. N/A
4. Enable none authentication: authentication-mode none. By default, the authentication mode for VTY user interfaces is scheme.
5. Configure the command level for login users on the current user interfaces: user privilege level level. By default, the default command level is 0 for VTY user interfaces.
6. Configure common settings for the VTY user interfaces: see "Configuring common VTY user interface settings (optional)". Optional.
The next time you attempt to Telnet to the device, you do not need to provide any username or password, as shown in Figure 31. If the maximum number of login users has been reached, your login attempt fails and the message "All user interfaces are used, please try later" appears.
Figure 31 Telnetting to the device without authentication (terminal output: Telnet 192.168.2.3; Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P. Without the owner's prior written consent, no decompiling or reverse engineering shall be allowed.)
Configuring password authentication for Telnet login
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Enable Telnet server: telnet server enable. By default, the Telnet server function is disabled.
3. Enter one or multiple VTY user interface views: user-interface vty first-number [ last-number ]. N/A
By default, the authentication ... authentication-mode password m
77. eader ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet.
To configure source MAC-based Telnet login control:
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Create an Ethernet frame header ACL and enter its view: acl number acl-number [ name name ] [ match-order { config | auto } ]. By default, no Ethernet frame header ACL exists.
3. Configure an ACL rule: rule [ rule-id ] { permit | deny } rule-string. N/A
4. Exit Ethernet frame header ACL view: quit. N/A
5. Enter user interface view: user-interface [ type ] first-number [ last-number ]. N/A
6. Use the ACL to control user logins by source MAC address: acl acl-number inbound. Filters incoming packets.
Telnet login control configuration example
Network requirements
Configure the firewall in Figure 78 to permit only incoming Telnet packets sourced from Host A and Host B.
Figure 78 Network diagram (Host A 10.110.100.46 and Host B 10.110.100.52 connected to the Firewall)
Configuration procedure
# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B and rule 2 to permit packets sourced from Host A.
<Firewall> system-view
[Firewall] acl number 2000 match-order config
[Firewall-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Firewall-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Firewall-acl-basic-2000] quit
# Reference ACL 2
78. ... 60
Failure to access the device through the Web interface ... 60
Accessing the device through SNMP ... 64
Configuring SNMP access ... 64
Prerequisites ... 64
Configuring SNMPv3 access ... 64
Configuring SNMPv1 or SNMPv2c access ... 65
SNMP login example ... 66
Network requirements ... 66
Configuration procedure ... 66
Logging in to the fi
79. ... 125
Entering a STRING type value for an argument ... 125
Abbreviating commands ... 125
Configuring and using command keyword aliases ... 126
Configuring and using hotkeys ... 126
Enabling redisplaying entered-but-not-submitted commands ... 127
Understanding command-line error messages ... 128
Using the command history function ... 128
Viewing history commands ... 129
Setting the command history buffer size for user interfaces ... 129
Controlling the CLI output ... 129
Pausing between screens of output ... 129
Filtering the output from a display command ... 130
Configuring user privilege and command levels ...
80. ... 9
Enhanced ... module ... 13
Login overview ... 17
Login methods at a glance ... 17
User interface assignment ... 18
User interface identification ... 18
Logging in to the CLI ... 20
Logging in through the console port for the first time ... 20
Configuring console login control settings ... 22
Configuring none authentication for console login ...
81. equirements
A firewall module is installed in slot 3 of the network device to detect the traffic passing the network device. The internal interface Ten-GigabitEthernet 3/0/1 on the network device is connected to the internal interface Ten-GigabitEthernet 0/0 on the firewall module. The network device redirects received traffic to the firewall module. The firewall module processes the traffic based on the configured security policy and redirects permitted traffic to the network device for forwarding.
Configure the network device and firewall module so that you can log in to and restart the firewall module from the network device. Configure the clock synchronization timer as 10 minutes, and configure the monitoring timer as 10 seconds.
Figure 55 Network diagram (firewall module installed in the switch or router)
Configuration procedure
This example uses a switch. The configuration on a router is the same.
1. Log in to the firewall module from the network device.
# Configure the AUX user interface of the firewall module.
<FW-module> system-view
[FW-module] user-interface aux 0
[FW-module-ui-aux0] authentication-mode none
[FW-module-ui-aux0] user privilege level 3
[FW-module-ui-aux0]
# Log in to the firewall module.
<Switch> oap connect slot 3
Connected to OAP
<FW-module>
Configure the clock synchronization timer and the monitoring timer on the network device.
# Enable ACSEI server.
<Switch> system-view
82. ers, enter VLAN view to add ports to the specific VLAN, enter user interface view to configure login user attributes, or create a local user and enter local user view to configure attributes for the local user.
To display all commands available in a view, enter a question mark at the view prompt.
Figure 84 CLI view hierarchy (User view > System view > Interface view, VLAN view, User interface view, Local user view)
Entering system view from user view
Task | Command
Enter system view from user view: system-view
Returning to the upper-level view from any view
Task | Command
Return to the upper-level view from any view: quit
Executing the quit command in user view terminates your connection to the device.
In public key code view, use the public-key-code end command to return to the upper-level view (public key view). In public key view, use the peer-public-key end command to return to system view.
Returning to user view from any other view
You can return directly to user view from any other view by using the return command or pressing Ctrl+Z, instead of using the quit command multiple times.
To return to user view from any other view:
Task | Command
Return to user view: return
Accessing the CLI online help
The CLI online help is context sensitive. You can enter a question mark at any prompt or in any position of a command to display all available options.
To access the CLI onl
83. ers at branches to access the network.
• Supports various VPN gateways, facilitating easy access of mobile users to the network.
Figure 24 Network diagram (Headquarters and Branches connected through the Internet)
Login overview
This chapter describes the available login methods and introduces the related concepts.
Login methods at a glance
You can access the device through the console port or the Web interface at the first login. After login, you can configure other login methods on the device, such as AUX, Telnet, and SSH.
Table 1 Login methods
Login method | Default setting and configuration requirements
Logging in to the CLI:
• Logging in through the console port for the first time: By default, login through the console port is enabled, no username or password is required, and the user privilege level is 3.
• Logging in through Telnet: By default, Telnet service is disabled. To use Telnet service, you only need to enable the Telnet server function. After you enable the Telnet server function, a user can log in to the device through Telnet with the IP address 192.168.0.1/24 (the IP address of interface GigabitEthernet 0/0), the username admin, the password admin, and the user privilege level 3.
• Logging in through SSH: By default, SSH service is disabled. To use SSH service, complete the following configuration tasks:
  • Enable the SSH server function and configure SSH attributes.
  • Assign an IP address
84. ervice-type web
[HP-luser-userA] password simple 123456
[HP-luser-userA] authorization-attribute level 3
[HP-luser-userA] quit
# Add an interface to the management zone.
To allow users to log in to the device's Web interface through an interface other than the management interface GigabitEthernet 0/0, you must add the interface to the management zone.
[HP] zone name management
[HP-zone-management] import interface gigabitethernet0/1
Configuring Web login
To enable Web login, log in through the console port and perform the following configuration tasks:
• Enable HTTP or HTTPS service.
• Configure the IP address of a Layer 3 interface, and make sure the interface and the configuration terminal can reach each other.
• Configure a local user account for Web login.
The device supports HTTP 1.0 and HTTPS for transferring webpage data across the Internet. HTTPS uses SSL to encrypt data between the client and the server for data integrity and security, and is more secure than HTTP. You can define a certificate attribute-based access control policy to allow only legal clients to access the device.
HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login.
Table 10 shows the basic Web login configuration requirements.
Table 10 Basic Web login configuration requirements
Object | Requirements
... | Assign an IP address to an interface. Configure routes to make sure the
85. es are reserved for future use.
Task | Command | Remarks
• Display the electronic label data for the device: display device manuinfo [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display basic device temperature information: display environment [ cpu ] [ | { begin | exclude | include } regular-expression ]. Available in any view. NOTE: Support for this command depends on the device model. For more information, see Getting Started Command Reference.
• Display advanced device temperature information: display environment slot slot-number vent [ | { begin | exclude | include } regular-expression ]. Available in any view. Support for this command depends on the device model. For more information, see Getting Started Command Reference.
• Display the operating states of fans: display fan [ fan-id ] [ verbose ] [ | { begin | exclude | include } regular-expression ]. Available in any view. NOTE: Support for this command depends on the device model. For more information, see Getting Started Command Reference.
• Display memory usage statistics: display memory [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display power supply information: display power [ power-id ] [ | { begin | exclude | include } regular-expression ]. Available in any view. NOTE: Support for this command depends on
86. es to be monitored.
• Specify the secondary interface: nms secondary monitor-interface interface-type interface-number. The monitoring function only applies to interfaces that use IPv4 addresses.
Clearing unused 16-bit interface indexes
The device must maintain persistent 16-bit interface indexes and keep one interface index matched to one interface name for network management. After deleting a logical interface, the device retains its 16-bit interface index so the same index can be assigned to the interface at interface re-creation.
To avoid index depletion causing interface creation failures, you can clear all 16-bit indexes that have been assigned but are not in use. The operation does not affect the interface indexes of the interfaces that have been created, but the indexes assigned to re-created interfaces might change.
A confirmation is required when you execute this command. The command will not run if you fail to make a confirmation within 30 seconds or enter N to cancel the operation.
To clear unused 16-bit interface indexes, execute one of the following commands in user view:
Task | Command
Clear unused 16-bit interface indexes: reset unused porttag
Verifying and diagnosing transceiver modules
This section describes how to verify and diagnose transceiver modules.
Verifying transceiver modules
You can verify the genuineness of a transceiver module in the following ways:
• Display the key parameters of a
87. ... 106
Displaying and maintaining device management ... 107
Managing users ... 110
User levels ... 110
Configuring a local user in the Web interface ... 110
Configuration procedure ... 110
Configuration example ... 112
Configuring a local user at the CLI ... 113
Controlling user logins ... 113
Configuring Telnet login control ... 113
Telnet login control configuration example ... 115
Configuring source IP-based SNMP login control ... 116
SNMP login control configuration example ... 117
Configuring Web login control ...
88. ess control policy myacp.
# Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup1.
[Firewall] pki certificate access-control-policy myacp
[Firewall-pki-cert-acp-myacp] rule 1 permit mygroup1
[Firewall-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[Firewall] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Firewall] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Firewall] ip https enable
# Create a local user named usera, set the password to 123, specify the Web service type, and specify the user privilege level 3. A level-3 user can perform all operations supported by the firewall.
[Firewall] local-user usera
[Firewall-luser-usera] password simple 123
[Firewall-luser-usera] service-type web
[Firewall-luser-usera] authorization-attribute level 3
2. Configure the host (HTTPS client).
On the host, run the IE browser, enter http://10.1.2.2/certsrv in the address bar, and request a certificate for the host as prompted.
3. Verify the configuration.
Enter https://10.1.1.1 in the address bar and select the certificate issued by new-ca. When the Web login page of the firewall appears, enter the username usera and password 123 to log in to the Web ma
89. evel switching authentication modes supported by the device.
Table 29 Privilege level switching authentication modes
Authentication mode | Keywords | Description
Local password authentication only | local | The device uses the locally configured passwords for privilege level switching authentication. To use this mode, you must set the passwords for privilege level switching using the super password command.
Remote AAA authentication through HWTACACS or RADIUS | scheme | The device sends the username and password for privilege level switching to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks:
• Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the schemes for users. For more information, see Access Control Configuration Guide.
• Add user accounts and specify the user passwords on the HWTACACS or RADIUS server.
Local password authentication first and then remote AAA authentication | local scheme | The device first uses the locally configured passwords for privilege level switching authentication. If no local password is set, the device allows console users to switch their privilege levels without authentication, but performs AAA authentication for VTY users.
Remote AAA authentication first and ... | scheme ... | AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration
90. figurations. To modify your configuration, click Back to go back to the previous page.
Performing basic configuration at the CLI
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Change the device name: sysname sysname. Optional. HP by default.
3. Enable the Telnet service: telnet server enable. Optional. Disabled by default.
4. Configure NAT. Optional. By default, NAT is not configured on an interface.
• To configure a static NAT mapping:
  a. nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
  b. interface interface-type interface-number
  c. nat outbound static
• To configure dynamic NAT:
  d. interface interface-type interface-number
  e. nat outbound acl-number [ address-group group-number ] [ vpn-instance vpn-instance-name ] [ no-pat ] [ track vrrp virtual-router-id ]
5. Configure the NAT server.
• For normal NAT server: nat server [ index ] [ acl-number ] protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ]
• nat server [ index ] [ acl-number ] protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port [ vpn-instance global-name ]
91. h prohibits a client from synchronizing with a device that has failed.
Key 2 | Authentication: You can set two authentication keys, each of which is composed of a key ID and key string.
• ID is the ID of a key.
• Key string is a character string for MD5 authentication.
NTP Server 1 / Reference Key ID | Specify the IP address of an NTP server, and configure the authentication key ID used for the association with the NTP server. Only if the key provided by the server is the same as the specified key will the device synchronize its time to the NTP server.
External Reference Source: NTP Server 2 / Reference Key ID | You can configure two NTP servers. The clients will choose the optimal reference source.
IMPORTANT: The IP address of an NTP server is a unicast address, and cannot be a broadcast or a multicast address, or the IP address of the local clock source.
Configuring the time zone and daylight saving time
1. Select Device > System Time from the navigation tree.
2. Click Time Zone. The page for setting the time zone appears.
Figure 66 Setting the time zone (page fields: System Time / Network Time Protocol tabs; Set System Time Zone: Time Zone, (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London; Set Daylight Saving Time: Adjust clock for daylight saving time changes)
3. Configure the time zone and daylight saving time as described in Table 16.
4. Click Apply.
Table 16 Configuration items
Item | Description
Time Zone | Se
92. h2 ipv6 command depends on the device model. For more information, see Getting Started Command Reference.
Log in to an IPv6 SSH server: ssh2 ipv6 server
To work with the SSH server, you might need to configure the SSH client. For information about configuring the SSH client, see Access Control Configuration Guide.
Local login through the AUX port
The following matrix shows the feature and hardware compatibility:
Hardware | Feature compatible
F1000-A EI / F1000-S EI | No
F1000-E | Yes
F5000 | Yes
Firewall module | No
U200-A | No
U200-S | No
As shown in Figure 37, to perform local login through the AUX port, use the same cable and login procedures as console login. For a device with separate console and AUX ports, you can use both ports to log in to the device.
Figure 37 AUX login diagram (Host connected to the AUX port of the device over RS-232)
To control AUX logins, configure authentication and user privilege for AUX port users. By default, password authentication applies to AUX login, but no login password is configured. To allow AUX login, you must configure a password.
The following are authentication modes available for controlling AUX logins:
• None: Requires no authentication and is insecure.
• Password: Requires a password for accessing the CLI.
• Scheme: Uses the AAA module to provide local or remote authentication. You must provide a username and password for accessing the CLI. If
93. he Web interface through HTTPS, disabling HTTPS or modifying the HTTPS port number will result in disconnection with the device. Therefore, perform the operation with caution.
• When you modify a port number, make sure the port number is not used by another service.
• By default, HTTPS uses the PKI domain default. If this PKI domain does not exist, the system will prompt you for it when the configuration wizard is completed. However, this does not affect the execution of other configurations.
7. Click Next. The page for configuring interface IP appears. The table lists the IP address configuration information for all Layer 3 Ethernet interfaces and VLAN interfaces. You can click a value in the table and then modify it.
Figure 59 Basic configuration wizard (4/6): interface IP address configuration (page table with columns Name, Configuration, IP Address, Mask; GigabitEthernet0/0 Static Address 192.168.2.3 255.255.255.0; GigabitEthernet0/1 through GigabitEthernet0/11 None)
Note: Modification of the IP address of an interface may result in disconnection with the device. Perform the operation with caution. Items marked with an asterisk ar
94. he maximum number of concurrent users
You can configure this command to limit the number of users that can enter the system view simultaneously. When the number of concurrent users reaches the upper limit, other users cannot enter system view.
When multiple users configure a setting in system view, only the last configuration applies.
To configure the maximum number of concurrent users:
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Configure the maximum number of concurrent users: configure-user count number. By default, up to two users can perform operations in system view at the same time.
Configuring the exception handling method
You can configure the device to handle system exceptions in one of the following methods:
• reboot: The device automatically reboots to recover from the error condition.
• maintain: The device stays in the error condition so you can collect complete data, including error messages, for diagnosis. In this approach, you must manually reboot the device.
To configure the exception handling method:
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Configure the exception handling method for the system: system-failure { maintain | reboot }. By default, the system uses the reboot method when an exception occurs.
Rebooting the device
You can reboot the device in one of the following ways to restore the device from an error condition or place the
95. hedule reboot at hh:mm [ date ]. The scheduled reboot function is disabled by default. Changing any clock setting can cancel the reboot schedule.
• Schedule a reboot to occur after a delay: schedule reboot delay { hh:mm | mm }
Scheduling jobs
You can schedule a job to automatically run a command or a set of commands without administrative interference. The commands in a job are polled every minute. When the scheduled time for a command is reached, the job automatically executes the command. If a confirmation is required while the command is running, the system automatically enters Y or Yes. If characters are required, the system automatically enters a default character string, or an empty character string when no default character string is available.
Job configuration approaches
You can configure jobs in a non-modular or modular approach. Use the non-modular approach for a one-time command execution, and use the modular approach for complex maintenance work.
Table 18 A comparison of non-modular and modular approaches
Comparison item | Scheduling a job in the non-modular approach | Scheduling a job in the modular approach
Configuration method | Configure all elements in one command | Separate job, view, and time settings
Can multiple jobs be configured? | No. If you use the schedule job command multiple times, the most recent configuration takes effect. | Yes
Can a job have multiple comman
96. hotkey is available before you press Enter.
Esc+< | Moves the cursor to the beginning of the clipboard.
Esc+> | Moves the cursor to the ending of the clipboard.
Enabling redisplaying entered-but-not-submitted commands
The redisplay entered-but-not-submitted commands feature enables the system to display what you have typed (except Yes or No for confirmation) at the CLI when your configuration is interrupted by system output such as logs. If you have entered nothing, the system does not display the command line prompt after the output.
To enable redisplaying entered-but-not-submitted commands:
Step | Command | Remarks
1. Enter system view: system-view. N/A
2. Enable redisplaying entered-but-not-submitted commands: info-center synchronous. By default, this feature is disabled. For more information about this command, see System Management and Maintenance Command Reference.
Understanding command-line error messages
When you press Enter to submit a command, the command line interpreter first examines the command syntax. If the command passes syntax check, the CLI executes the command. If not, the CLI displays an error message.
Table 25 Common command-line error messages
Error message | Cause
% Unrecognized command found at '^' position. | The keyword in the marked position is invalid.
% Incomplete command found at '^' position. | One or more required keywords or arguments are missing.
... | The entered
ht statements. Command: [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display flow engine usage statistics. Command: display flowengine usage [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. NOTE: Support for this command depends on the device model. For more information, see Getting Started Command Reference.
Task: Display historical flow engine usage statistics in charts. Command: display flowengine usage history [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. NOTE: Support for this command depends on the device model. For more information, see Getting Started Command Reference.
Task: Display or save running status data for multiple feature modules. Command: display diagnostic-information [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display CPU usage statistics. Command: display cpu-usage [ entry-number [ offset ] [ verbose ] [ from-device ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display historical CPU usage statistics in charts. Command: display cpu-usage history [ task task-id ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about the device's modules, CF cards, USB devices, and PCB board. Command: display device [ cf-card | usb ] [ slot slot-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. The current software version does not support USB interfac
icies. For more information about security zones and interzone policies, see Access Control Configuration Guide.

Managing the device
Device management includes monitoring the operating status of devices and configuring their running parameters. The configuration tasks in this document are order-independent. You can perform these tasks in any order.

Feature and hardware compatibility
Hardware: F1000-A-EI, F1000-S-EI. Supported storage medium: flash0.
Hardware: F1000-E. Supported storage medium: cfa0.
Hardware: F5000. Supported storage medium: cfa0.
Hardware: Firewall module. Supported storage medium: cfa0.
Hardware: U200-A. Supported storage medium: cfa0.
Hardware: U200-S. Supported storage medium: cfa0.
For description convenience, all examples in this chapter use the storage medium cfa0.

Configuring the device name in the Web interface
A device name identifies a device in a network. To configure the device name:
1. Select Device Management > Device Basic > Device Basic Info from the navigation tree to enter the page shown in Figure 62.
2. Enter the system name.
3. Click Apply.
Figure 62 Device basic information (form field Sysname, default HP, 1-30 chars; items marked with an asterisk are required)

Configuring the device name at the CLI
A device name identifies a device in a network and works as the user view prompt at the CLI. For example, if the device name is Sysname, the user view prompt is <Sysname>.
To configure the device name:
Step 1: Enter system view. Command: system-view. Remarks: N/A.
Step 2: Configure the device name. Command: sysname sysname. Remarks: The
imer through command lines.
An ACSEI client starts two timers: the registration timer and the monitoring timer. The registration timer is used to periodically trigger the ACSEI client to multicast registration requests, with the multicast MAC address being 010F-E200-0021. You cannot set this timer. The monitoring timer is used to periodically trigger the ACSEI client to send monitoring requests to the ACSEI server. You cannot set this timer.

ACSEI startup and running
ACSEI starts up and runs in the following procedure:
1. The firewall module runs the ACSEI client application to enable the ACSEI client.
2. Start up the network device and enable the ACSEI server function on it.
3. The ACSEI client multicasts a registration request.
4. After the ACSEI server receives a valid registration request, it negotiates parameters with the ACSEI client and establishes a connection with the client if the negotiation succeeds.
5. The ACSEI server and the ACSEI client mutually monitor the connection. Upon detecting the disconnection of the ACSEI client, the ACFP server removes the configuration and policies associated with the client.

Configuring ACSEI server on the network device
Step 1: Enter system view. Command: system-view. Remarks: N/A.
Step 2: Enable ACSEI server. Command: acsei server enable. Remarks: Disabled by default.
Step 3: Enter ACSEI server view. Command: acsei server. Remarks: N/A.
Step 4: Configure the clock synchronization timer. Command: acsei timer clock-sync minutes. Remarks: Optional.
ine help, use one of the following methods:
Enter a question mark at a view prompt to display the first keyword of every command available in the view. For example:
<Sysname> ?
User view commands:
  archive      Specify archive settings
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
Enter a space and a question mark after a command keyword to display all available subsequent keywords and arguments. If you type a question mark in place of a keyword, the CLI displays all possible keyword matches, with a brief description for each keyword. For example:
<Sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal
If you type a question mark in place of an argument, the CLI displays the description of this argument. For example:
<Sysname> system-view
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
[Sysname] interface vlan-interface 1 ?
  <cr>
[Sysname] interface vlan-interface 1
The string <cr> indicates that the command is complete and you can press Enter to execute the command.
Enter an incomplete keyword string followed by a question mark to display all keywords starting with the string. For example:
<Sysname>
ing NTP or changing the system time before you run it on the network. Network management depends on an accurate system time setting, because the timestamps of system messages and logs use the system time. For NTP configuration, see Network Management and Monitoring Configuration Guide. In a small-sized network, you can manually set the system time of each device.
IMPORTANT: If you reboot the device, the system time and date are restored to the factory default. To ensure an accurate system time setting, you must change the system time and date or configure NTP for the device.

Configuration guidelines
You can change the system time by configuring the relative time, time zone, and daylight saving time. The configuration result depends on their configuration order (see Table 17). In the first column of this table, 1 represents the clock datetime command, 2 represents the clock timezone command, and 3 represents the clock summer-time command. To verify the system time setting, use the display clock command. This table assumes that the original system time is 2005/1/1 1:00:00.
Table 17 System time configuration results
Command: 1. Effective system time: date-time. Configuration example: clock datetime 1:00 2007/1/1. System time: 01:00:00 UTC Mon 01/01/2007.
Command: 2. Effective system time: Original system time ± zone-offset. Configuration example: clock timezone zone-time add 1. System time: 02:00:00 zone-time Sat 01/01/2005.
Command: 1, 2. Effective system time: date-time ± zone-offset. Configuration example: clock datetime 2:00 2007/2/2; clock timezone zone-time add 1. System time: 03:00:00 zone-time F
interface and the PC can reach each other.
Device: Perform either or both of the following tasks: Configuring HTTP login; Configuring HTTPS login.
PC: Install a Web browser. Obtain the IP address of the device's interface.

Configuring HTTP login
Step 1: Specify a fixed verification code for Web login. Command: web captcha verification-code. Remarks: Optional. By default, a Web user must enter the verification code indicated on the login page to log in. This command is available in user view.
Step 2: Enter system view. Command: system-view. Remarks: N/A.
Step 3: Enable the HTTP service. Command: ip http enable. Remarks: By default, the HTTP service is enabled.
Step 4: Configure the HTTP service port number. Command: ip http port port-number. Remarks: Optional. The default HTTP service port is 80. If you execute the command multiple times, the last one takes effect.
Step 5: Associate the HTTP service with an ACL. Command: ip http acl acl-number. Remarks: Optional. By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.
Step 6: Set the Web connection timeout time. Command: web idle-timeout minutes. Remarks: Optional.
Step 7: Set the size of the buffer for Web login logging. Command: web logbuffer size pieces. Remarks: Optional.
Step 8: Create a local user and enter local user view. Command: local-user user-name. Remarks: By default, a local user named admin exists.
Step 9: Configure a pa
ion. Any user can log in through the console port without authentication and have user privilege level 3. To improve device security, configure the password or scheme authentication mode immediately after you log in to the device for the first time.
Table 4 Configuration required for different console login authentication modes
Authentication mode: None. Configuration tasks: Set the authentication mode to none for the console user interface. Reference: Configuring none authentication for console login.
Authentication mode: Password. Configuration tasks: Enable password authentication on the console user interface; set a password. Reference: Configuring password authentication for console login.
Authentication mode: Scheme. Configuration tasks: Enable scheme authentication on the console user interface; configure local or remote authentication settings. To configure local authentication: 1. Configure a local user and specify the password. 2. Configure the device to use local authentication. To configure remote authentication: 3. Configure the RADIUS or HWTACACS scheme on the device. 4. Configure the username and password on the AAA server. 5. Configure the device to use the scheme for user authentication. Reference: Configuring scheme authentication for console login.

Configuring none authentication for console login
Step 6: Enter system view. Command: system-view. Remarks: N/A.
Step 7: Enter console user interface view. Command: user-interface console first-number [ last-number ]. Remarks: N/A.
By default, you can log in to the
ion set.

Command conventions
Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic. Description: Italic text represents arguments that you replace with actual values.
Convention: [ ]. Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... }. Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Convention: [ x | y | ... ]. Description: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
Convention: { x | y | ... } *. Description: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
Convention: [ x | y | ... ] *. Description: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
Convention: &<1-n>. Description: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
Convention: #. Description: A line that starts with a pound (#) sign is a comment.

GUI conventions
Convention: Boldface. Description: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
Convention: >. Description: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Convention: WARNING. Description: An alert that calls attention to important information that, if not unders
ional. Some common settings configured for an AUX user interface take effect immediately and can interrupt the login session. To save you the trouble of repeated re-logins, use a login method different from AUX login to log in to the device before you change AUX user interface settings. After the configuration is complete, change the terminal settings on the configuration terminal and make sure they are the same as the settings on the device.
You can connect a device (Device B) to the AUX port of the current device (Device A) and configure the current device to redirect a Telnet login user to that device. If the redirect enable and redirect listen-port port-number commands are configured, a user can use the telnet DeviceA-IP-address port-number command to log in to Device B. If the ip alias ip-address port-number command is also configured to associate Device A's IP address with the Telnet redirect listening port, a user can use the telnet DeviceA-IP-address command to log in to Device B. This Telnet redirect function enables a device to provide Telnet service with its IP address protected.
To configure common settings for AUX user interfaces:
Step 1: Enter system view. Command: system-view. Remarks: N/A.
Step 2: Associate the Telnet redirect listening port with an IP address of the current device. Command: ip alias ip-address port-number. Remarks: By default, a Telnet redirect listening port is not associated with any IP address.
Step 3: Enter one or more AUX user
ions.
Figure 76 Network diagram (Emily, 192.168.1.2/24; Firewall, GE0/1, 192.168.1.1/24)
Configuration procedure
1. Configure the IP address of the interface and the zone to which it belongs. (Details not shown.)
2. Configure local user Emily:
   a. Select User > Local User from the navigation tree.
   b. Click Add.
   Figure 77 Creating a local user (form fields: User Name (1-55 chars), User Privilege Level, Service Type (Web, FTP, SSH, Telnet, Terminal), Password (1-63 chars), Confirm Password, Password Encryption (Reversible or Irreversible), Virtual Device; items marked with an asterisk are required)
   c. Enter Emily as the username.
   d. Select the user privilege level Monitor.
   e. Select the service type Web.
   f. Enter aabbcc as the password and confirm the password.
   g. Select the virtual device Root.
   h. Click Apply.

Configuring a local user at the CLI
For more information, see Access Control Configuration Guide.

Controlling user logins
User login control can be configured only at the CLI. Use ACLs to prevent unauthorized logins. For more information about ACLs, see Access Control Configuration Guide.

Configuring Telnet login control
Use a basic ACL (2000 to 2999) to filter Telnet traffic by source IP address. Use an advanced ACL (3000 to 3999)
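The login-control passage above, and the HTTP-service ACL step in "Configuring HTTP login", both rely on a basic ACL deciding by source address which clients may reach the management service. The following is an added example (not HP code, and it does not run on the device) that models that decision offline so an operator can check a rule set before applying it. Two things are assumptions rather than statements from the guide: rules are checked in ascending rule-ID order with the first match winning, and a source that matches no rule is refused, which mirrors the guide's "allow only clients permitted by the ACL". The rule IDs and addresses are constructed sample values, and the rendered `rule ... source ...` lines follow the basic-ACL form documented in the Access Control guide the page refers to, not this page.

```python
"""Evaluate a Comware-style basic ACL (2000-2999) against a login attempt.

Added illustration; not HP code. Assumptions (not stated on the page):
rules are checked in ascending rule-ID order, first match wins, and a
source address that matches no rule is denied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str                 # IPv4 address, e.g. "192.168.1.0"
    wildcard: str = "0.0.0.0"   # wildcard mask: 0 bits must match, 1 bits are ignored


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule, client_ip):
    """True when client_ip falls inside the rule's source/wildcard range."""
    care = 0xFFFFFFFF ^ _as_int(rule.wildcard)   # bits the rule actually compares
    return (_as_int(client_ip) & care) == (_as_int(rule.source) & care)


def evaluate(rules, client_ip):
    """Return (action, rule_id) of the first matching rule, or ("deny", None)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, client_ip):
            return rule.action, rule.rule_id
    return "deny", None          # assumption: no match means the login is refused


def login_allowed(rules, client_ip):
    return evaluate(rules, client_ip)[0] == "permit"


def to_cli(acl_number, rules):
    """Render the rules in the 'rule <id> permit|deny source <addr> <wildcard>'
    form of a Comware basic ACL (syntax assumed from the Access Control guide)."""
    lines = [f"acl number {acl_number}"]
    for rule in sorted(rules, key=lambda r: r.rule_id):
        lines.append(f" rule {rule.rule_id} {rule.action} source {rule.source} {rule.wildcard}")
    return lines


# Constructed sample: the management subnet may log in, except one quarantined host.
ACL_2000 = [
    Rule(5, "permit", "192.168.1.0", "0.0.0.255"),
    Rule(0, "deny", "192.168.1.200"),
]

if __name__ == "__main__":
    print("\n".join(to_cli(2000, ACL_2000)))
    for ip in ("192.168.1.10", "192.168.1.200", "10.0.0.5"):
        print(ip, evaluate(ACL_2000, ip))
```

The deny rule carries the lower ID so that the host exclusion is evaluated before the subnet permit; reversing the IDs would let the permit match first and silently void the exclusion, which is exactly the ordering mistake this kind of dry run is meant to catch.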
ipv6-acl-number ]
Step 4: Configure the SNMP access right. Approach 2: Configure an SNMP group and add a user to the SNMP group. Commands: a. snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ]. b. snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ]. Remarks: Use either approach. The username in approach 2 is equivalent to the community name used in approach 1, and must be the same as the community name configured on the NMS. NOTE: Support for the acl ipv6 ipv6-acl-number option depends on the device model. For more information, see Getting Started Command Reference.

SNMP login example
Network requirements
Configure the firewall and the network management station so you can remotely manage the firewall through SNMPv3.
Figure 54 Network diagram (Firewall, GE0/0; NMS)
Configuration procedure
1. Configure the firewall:
# Assign an IP address to the firewall. Make sure the firewall and the NMS can reach each other. (Details not shown.)
# Enter system view.
<Sysname> system-view
# Enable the SNMP agent.
[Sysname] snmp-agent
# Configure an SNMP group.
[Sysname] snmp-agent group v3 managev3group
# Add a user to the SNMP group.
[Sysname] snmp-agent usm-user v3 managev3user managev3group
2. Configure the NMS. Make sure the NMS has the same SNMP
ith the stratum of 2. Device B operates in client mode and uses Device A as the NTP server.
Figure 68 Network diagram (Device A, 1.0.1.11/24; Device B)
Configuration procedure
1. On Device A, configure the local clock as the reference clock with the stratum 2:
   a. Select Device Management > System Time from the navigation tree.
   b. Click Network Time Protocol. The page for setting up NTP appears.
   c. Select 127.127.1.1 from the Local Reference Source list.
   d. Select 2 from the Stratum list.
   e. Click Apply.
   Figure 69 Configuring the local clock as the reference clock (System Time, Network Time Protocol page: Clock status unsynchronized; Local Reference Source 127.127.1.1; Stratum 2; Source Interface; Key 1 ID (1-4294967295), Key String (1-32 chars); Key 2 ID (1-4294967295), Key String (1-32 chars); External Reference Source: NTP Server 1, Reference Key ID; NTP Server 2, Reference Key ID; Set System TimeZone: TimeZone GMT Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London)
2. On Device B, configure Device A as the NTP server of Device B:
   a. Select Device Management > System Time from the navigation tree.
   b. Click Network Time Protocol. The page for setting up NTP appears.
   c. Enter 1.0.1.11 in the NTP Server 1 box.
   d. Click Apply.
   Figure 70 Configuring Device A as the NTP server of Device B (System Time, Network Ti
ize command.

Viewing history commands
You can use arrow keys to access history commands in Windows 200x and Windows XP Terminal or Telnet. In Windows 9x HyperTerminal, the arrow keys are invalid and you must use Ctrl+P and Ctrl+N instead.
To view command history, use one of the following methods:
Task: Display all commands in the command history buffer. Command: display history-command [ | { begin | exclude | include } regular-expression ].
Task: Display the previous history command. Command: Up arrow key or Ctrl+P.
Task: Display the next history command. Command: Down arrow key or Ctrl+N.

Setting the command history buffer size for user interfaces
Step 1: Enter system view. Command: system-view. Remarks: N/A.
Step 2: Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { console | vty } first-num2 [ last-num2 ] }. Remarks: N/A.
Step 3: Set the maximum number of commands that can be saved in the command history buffer. Command: history-command max-size size-value. Remarks: Optional. By default, the command history buffer can save up to 10 commands.

Controlling the CLI output
This section describes the CLI output control features that help you quickly identify the desired output.
Pausing between screens of output
If the output being displayed is more than will fit on one screen, the system automatically pauses after displaying a screen. By default, up to 24 lines can be displayed on a screen. To change the screen length, use the screen-length screen-leng
lnet server.
Table 5 shows the Telnet server and client configuration required for a successful Telnet login.
Table 5 Telnet server and Telnet client configuration requirements
Device role: Telnet server. Requirements: Enable the Telnet server. Assign an IP address to an interface of the device and make sure the Telnet server and client can reach each other. By default, only interface GigabitEthernet 0/0 is assigned an IP address (192.168.0.1/24). Configure the authentication mode and other settings.
Device role: Telnet client. Requirements: Run the Telnet client program. Obtain the IP address of the interface on the server.
To control Telnet access to the device operating as a Telnet server, configure login authentication and user privilege levels for Telnet users. By default, password authentication applies to Telnet login. To allow Telnet access to the device after you enable the Telnet server, you must configure scheme authentication. The following are the authentication modes available for controlling Telnet logins:
None: Requires no authentication and is insecure.
Password: Requires a password for accessing the CLI. If your password was lost, log in to the device through the console port to re-set the password.
Scheme: Uses the AAA module to provide local or remote authentication. You must provide a username and password for accessing the CLI. If the password configured in the local user database was lost, log in to the device through
login users.
Step 4: Configure common settings for AUX login. Command: See "Configuring common settings for AUX login (optional)". Remarks: Optional.
The next time you attempt to log in through the AUX port, you do not need to provide any username or password, as shown in Figure 38.
Figure 38 Accessing the CLI through the AUX port without authentication
******************************************************************************
* Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse engineering shall be allowed.                    *
******************************************************************************

User interface aux is available.

Please press ENTER.

<HP>

Configuring password authentication for AUX login
Step 1: Enter system view. Command: system-view. Remarks: N/A.
Step 2: Enter one or more AUX user interface views. Command: user-interface aux first-number [ last-number ]. Remarks: N/A.
Step 3: Enable password authentication. Command: authentication-mode password. Remarks: By default, password authentication is enabled but no password is configured. To access the device through the AUX port, you must configure a pas
ly matches a character string containing def or int.
Character: _. Meaning: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals a comma, space, round bracket, or curly bracket. Examples: a_b matches "a b" or "a(b"; _ab only matches a line starting with ab; ab_ only matches a line ending with ab.
Character: -. Meaning: It connects two values (the smaller one before it and the bigger one after it) to indicate a range, together with [ ]. Examples: [1-9] means 1 to 9 (inclusive); [a-h] means a to h (inclusive).
Character: [ ]. Meaning: Matches a single character contained within the brackets. Examples: [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). To match the character ], put it at the beginning of a string within brackets, for example [ ]string ]. There is no such limit on [.
Character: ( ). Meaning: A character group. It is usually used with + or *. Examples: (123A) means a character group 123A; 408(12)+ matches 40812 or 408121212, but it does not match 408.
Character: \index. Meaning: Repeats the character string specified by the index. A character string refers to the string within ( ) before \index. index refers to the sequence number (starting from 1, from left to right) of the character st
Examples: (string)\1 repeats string, and a matching string must contain stringstring; (string1)(string2)\2 repeats string2, and a matching string must contain
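The `| begin`, `| exclude` and `| include` filters on the display commands take the regular expressions described in the table above, and the `_` metacharacter is specific to the device. The following is an added example, not from the guide, that maps `_` onto a standard Python regex and applies the three filters to constructed sample output lines, so a filter can be checked offline before it is used on a device for log review. It assumes `_` is never needed as a literal character, and the sample lines are made up for the example.

```python
"""Offline checker for the Comware regular-expression rules in the table above.

Added example, not from the guide. Maps the device-specific '_' metacharacter
onto a standard Python regex, then applies the '| begin', '| exclude' and
'| include' filters to constructed sample lines.
"""
import re

# From the table: '_' at the start means ^, at the end means $, and anywhere
# else it matches a comma, space, round bracket or curly bracket.
_MIDDLE_UNDERSCORE = r"[,\s(){}]"


def comware_to_python(pattern):
    """Translate a Comware pattern into an equivalent Python pattern."""
    if pattern.startswith("_"):
        pattern = "^" + pattern[1:]
    if pattern.endswith("_"):
        pattern = pattern[:-1] + "$"
    return pattern.replace("_", _MIDDLE_UNDERSCORE)


def include(lines, pattern):
    """'| include regex': keep only the lines that match."""
    rx = re.compile(comware_to_python(pattern))
    return [line for line in lines if rx.search(line)]


def exclude(lines, pattern):
    """'| exclude regex': drop the lines that match."""
    rx = re.compile(comware_to_python(pattern))
    return [line for line in lines if not rx.search(line)]


def begin(lines, pattern):
    """'| begin regex': output from the first matching line onward."""
    rx = re.compile(comware_to_python(pattern))
    for i, line in enumerate(lines):
        if rx.search(line):
            return lines[i:]
    return []


# Constructed sample output (not captured from a real device).
SAMPLE = [
    "GigabitEthernet0/0 current state: UP",
    "GigabitEthernet0/1 current state: DOWN",
    "Vlan-interface1 current state: UP",
    "Line protocol current state: UP",
]

if __name__ == "__main__":
    print(include(SAMPLE, "_Giga"))                   # lines starting with Giga
    print(include(SAMPLE, "UP_"))                     # lines ending with UP
    print(exclude(SAMPLE, "DOWN"))
    print(begin(SAMPLE, "_Vlan"))
    print(include(["a b", "a(b", "ab"], "a_b"))       # the table's '_' example
    print(include(["408", "40812", "408121212"], "408(12)+"))
    print(include(["ab", "abab"], r"(ab)\1"))         # the table's \index example
```

The range, group and back-reference rows of the table behave the same in Python, so only `_` needs translating; the last three calls reproduce the table's own examples as a check on that claim.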
m. The hotkeys in Table 24 are defined by the device. If a hotkey is also defined by the terminal software that you are using to interact with the device, the definition of the terminal software takes effect.
Table 24 System-reserved hotkeys
Ctrl+A: Moves the cursor to the beginning of a line.
Ctrl+B: Moves the cursor one character to the left.
Ctrl+C: Stops the current command.
Ctrl+D: Deletes the character at the cursor.
Ctrl+E: Moves the cursor to the end of a line.
Ctrl+F: Moves the cursor one character to the right.
Ctrl+H: Deletes the character to the left of the cursor.
Ctrl+K: Aborts the connection request.
Ctrl+N: Displays the next command in the command history buffer.
Ctrl+P: Displays the previous command in the command history buffer.
Ctrl+R: Redisplays the current line.
Ctrl+V: Pastes text from the clipboard.
Ctrl+W: Deletes the word to the left of the cursor.
Ctrl+X: Deletes all characters to the left of the cursor.
Ctrl+Y: Deletes all characters to the right of the cursor.
Ctrl+Z: Returns to user view.
Ctrl+]: Terminates an incoming connection or a redirect connection.
Esc+B: Moves the cursor back one word.
Esc+D: Deletes all characters from the cursor to the end of the word.
Esc+F: Moves the cursor forward one word.
Esc+N: Moves the cursor down one line. This hotkey is available before you press Enter.
Esc+P: Moves the cursor up one line. This
me Protocol page: Clock status unsynchronized; Local Reference Source; Stratum; Source Interface; Key 1 ID (1-4294967295), Key String (1-32 chars); Key 2 ID (1-4294967295), Key String (1-32 chars); External Reference Source: NTP Server 1, Reference Key ID; NTP Server 2, Reference Key ID; Set System Timezone: TimeZone GMT Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London)
3. Verifying the configuration: After the configuration, you can see that the current system time displayed on the System Time page is the same for Device A and Device B.

Configuration guidelines
A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client will not synchronize its clock to the server's.
The synchronization process takes a period of time. Therefore, the clock status may be unsynchronized after your configuration. In this case, you can refresh the page to view the clock status later on.
If the system time of the NTP server is ahead of the system time of the device and the difference between them exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout.

Configuring the system time at the CLI
You must synchronize your device with a trusted time source by us
nagement page. For more information about PKI configuration commands, SSL configuration commands, and the public-key local create rsa command, see VPN Command Reference and Network Management Command Reference.

Troubleshooting Web browser
Failure to access the device through the Web interface
Symptom
You can ping the device successfully and log in to the device through Telnet. HTTP is enabled, and the operating system and browser version meet the Web interface requirements. However, you cannot access the Web interface of the device.
Analysis
If you use Microsoft Internet Explorer, you can access the Web interface only when the following functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.
Configuring the Internet Explorer settings
1. Open Internet Explorer and select Tools > Internet Options.
2. Click the Security tab and then select a Web content zone to specify its security settings.
Figure 50 Internet Explorer setting (Internet Options dialog, Security tab: zones Internet, Local intranet, Trusted sites, Restricted sites; "This zone contains all web sites you haven't placed in other zones"; Sec
nd line at the CLI and press Enter:
<Sysname> clock datetime 10:30:20 2/23/2010

Using the undo form of a command
Most configuration commands have an undo form for canceling a configuration, restoring the default, or disabling a feature. For example, the info-center enable command enables the information center, and the undo info-center enable command disables the information center.

CLI views
Commands are grouped in different views by function. To use a command, you must enter its view. CLI views are hierarchically organized, as shown in Figure 84. Each view has a unique prompt, from which you can identify where you are and what you can do. For example, the prompt [Sysname-vlan100] shows that you are in VLAN 100 view and can configure attributes for that VLAN.
You are placed in user view immediately after you are logged in to the CLI. The user view prompt is <Device name>, where the Device name argument, representing the device hostname, defaults to Sysname and can be changed by using the sysname command. In user view, you can perform basic operations, including display, debug, file management, FTP, Telnet, clock setting, and reboot.
From user view, you can enter system view to configure global settings, including the daylight saving time, banners, and hotkeys. The system view prompt is [Device name].
From system view, you can enter different function views. For example, you can enter interface view to configure interface paramet
network devices such as 5800, 7500, 9500, and 12500 switches and 6600 and 8800 routers. Deployed at the egress of a network, the firewall modules can protect against external attacks and implement security access control of the internal network by using security zones. You can keep up with the growth of the network simply by installing more firewall modules in a switch or router. Deploying two switches or routers with firewall modules in the network can improve service availability.
Figure 19 Network diagram (Quidview/CAMS/XLOG, Network Management Zone, Firewall module, Internet)

Enhanced firewall modules
Cloud computing data center application
The Enhanced firewall modules can provide high-performance firewall functions. They also support the virtual firewall function. An Enhanced firewall module can be virtualized into multiple logical firewalls. Each virtual firewall has its own security policy and is managed independently. The virtual firewall function well satisfies the multi-tenant requirements in cloud computing data centers.
Figure 20 Network diagram (FW Enhanced, 12500, Cloud portal servers, Cloud storage servers, Cloud service servers)
Enterprise network application
Deployed in the core switch or the aggregation switch of an enterprise network, the Enhanced firewall module provides security isolation and control of the network zones. Working with the 10500/12500 switch, the Enhanced firewall module can act as the network edge de
nfirm the reboot operation.

Rebooting the firewall at the CLI
CAUTION:
Device reboot can interrupt network services.
To avoid data loss, use the save command to save the current configuration before a reboot.
Use the display startup and display boot-loader commands to verify that you have correctly set the startup configuration file and the main system software image file. If the main system software image file has been corrupted or does not exist, the device cannot reboot. You must re-specify a main system software image file, or power off the device and then power it on so the system can reboot with the backup system software image file.

Rebooting devices immediately at the CLI
To reboot a device, execute the following command in user view:
Task: Reboot a subcard or the device immediately. Command: reboot.

Scheduling a device reboot
The switch supports only one device reboot schedule. If you configure the schedule reboot delay command multiple times, the last configuration takes effect. The schedule reboot at command and the schedule reboot delay command overwrite each other, and whichever is configured last takes effect. For data security, if you are performing file operations at the reboot time, the system does not reboot.
To schedule a device reboot, execute one of the following commands in user view:
Task: Schedule a reboot to occur at a specific time and date. Command: sc
nge of 32 to 126, except the question mark, quotation mark, backward slash, and space. For example, the domain name is of the STRING type. You can give it a value such as forVPN1.
<Sysname> system-view
[Sysname] domain ?
  STRING<1-24>  Domain name

Abbreviating commands
You can enter a command line quickly by entering incomplete keywords that uniquely identify the complete command. In user view, for example, commands starting with an s include startup saved-configuration and system-view. To enter the command system-view, you only need to type sy. To enter the command startup saved-configuration, type st s. You can also press Tab to complete an incomplete keyword.

Configuring and using command keyword aliases
The command keyword alias function allows you to replace the first keyword of a non-undo command, or the second keyword of an undo command, with your preferred keyword when you execute the command. For example, if you configure show as the alias for the display keyword, you can enter show in place of display to execute a display command.
Usage guidelines
After you successfully execute a command by using a keyword alias, the system saves the keyword, instead of its alias, to the running configuration.
If you press Tab after entering part of an alias, the keyword is displayed.
If a string you entered partially matches a keyword and an alias, the command indicated by the alias is executed. To execute the
nment:
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode none
[Sysname-ui-vty0-4] user privilege level 1
# Display the commands a Telnet user can use after login. Because the user privilege level is 1, a Telnet user can use more commands now.
<Sysname> ?
User view commands:
  debugging      Enable system debugging functions
  dialer         Dialer disconnect
  display        Display current system information
  ping           Ping function
  quit           Exit from current command view
  refresh        Do soft reset
  reset          Reset operation
  rsh            Establish one RSH connection
  screen-length  Specify the lines displayed on one screen
  send           Send information to other user terminal interface
  ssh2           Establish a secure shell client connection
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tftp           Open TFTP connection
  tracert        Trace route function
  undo           Cancel current setting
# Configure the device to perform password authentication for Telnet users and to authorize authenticated Telnet users to use the commands of privilege levels 0, 1, and 2.
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode password
[Sysname-ui-vty0-4] set authentication password simple 123
[Sysname-ui-vty0-4] user privilege level 2
After the configuration is complete, when users Telnet to the device, they must enter the
... 90
Configuration guidelines 91
Configuration procedure 93
Setting the idle timeout timer in the Web interface 94
Setting the idle timeout timer at the CLI 94
Enabling displaying the copyright statement 95
Configuring banners 95
Banner message input 95
Configuration procedure 96
Configuring the maximum number of concurrent users 96
Configuring the exception handling method 97
Rebooting the device 97
Rebooting the firewall in the Web interface 97
Rebooting the firewall at the CLI ...
... 132
Configuring a user privilege level 133
Switching the user privilege level 136
Changing the level of a command 139
Saving the running configuration 139
Displaying and maintaining CLI 139
Support and other resources 140
Contacting HP 140
Subscription service 140
Related information 140
... 140
... 140
... 141
Index ...
...interface and the client can reach each other. By default, only interface GigabitEthernet 0/0 is assigned an IP address, 192.168.0.1/24.

Figure (SSH login network diagram): SSH server, configure the authentication mode and other settings; SSH client, obtain the IP address of the interface on the server. If a host operates as an SSH client, run the SSH client program on the host.

To control SSH access to the device operating as an SSH server, configure authentication and user privilege level for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured. To allow SSH access to the device after you enable the SSH server, you must configure a password.

Configuring the SSH server on the device

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme. Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are rec...
...to an SSH server 38
Local login through the AUX port 38
Configuring none authentication for AUX login 40
Configuring password authentication for AUX login 41
Configuring scheme authentication for AUX login 42
Configuring common settings for AUX login (optional) 44
Login procedure 46
Displaying and maintaining CLI login 49
Logging in to the Web interface 51
Configuration guidelines 51
Logging in by using the default Web login settings 5...
Adding a Web login account 52
Configuring Web login ...
...mode for the VTY user interfaces is scheme.
Step 4. Enable password authentication: authentication-mode password.
Step 5. Set a password: set authentication password { cipher | simple } password. By default, no password is set.
Step 6. Configure the user privilege level for login users: user privilege level level. The default level is 0.
Step 7. Configure common settings for VTY user interfaces (optional): see "Configuring common VTY user interface settings (optional)". Optional.

The next time you attempt to Telnet to the device, you must provide the configured login password, as shown in Figure 32. If the maximum number of login users has been reached, your login attempt fails and the message "All user interfaces are used, please try later" appears.

Figure 32 Password authentication interface for Telnet login

Telnet 192.168.2.3
Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.
Without the owner's prior written consent, no decompiling or reverse engineering shall be allowed.

Login authentication

Password:
<HP>

Configuring scheme authentication for Telnet login

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme. Command accounting allows the HWTACACS server to recor...
...odule (2GE). Each product provides one interface slot for future interfacing and service expansion.

Appearance

U200-A

Figure 10 U200-A front view
1 Copper Ethernet ports GE0 to GE5; 2 Console port (CONSOLE); 3 USB port; 4 CF ejector button; 5 CF card slot

Figure 11 U200-A rear view
1 Grounding screw and sign; 2 Power switch (ON/OFF); 3 AC input power receptacle; 4 Interface module slot 1 (SLOT1); 5 Interface module slot 2 (SLOT2)

U200-S

Figure 12 U200-S front view
1 Copper Ethernet ports GE0 to GE4; 2 Console port (CONSOLE); 3 USB port; 4 CF ejector button; 5 CF card slot

Figure 13 U200-S rear view
1 AC input power receptacle; 2 Interface module slot (SLOT); 3 Grounding screw and sign

Application scenarios

F1000-A-EI/F1000-S-EI

Firewall application

With powerful filtering and management functions, the F1000-A-EI/F1000-S-EI can be deployed at the egress of an internal network to defend against external attacks and control internal access by separating security zones.

Figure 14 Network diagram (File Server; Intranet data center; F1000-A-EI; DMZ zone; FTP)

Virtual firewall application

The F1000-A-EI/F1000-S-EI supports the virtual firewall function. You can create multiple virtual firewalls on one firewall. Each virtual firewall can have its own security policy and can be managed independently.

Figure 15 Network diagram (F1000-A-EI; Vi...
...on the device is invalid, then local password authentication is performed.

To configure the authentication parameters for a user privilege level:

Step 1. Enter system view: system-view. N/A.
Step 2. Set the authentication mode for user privilege level switching: super authentication-mode { local | scheme }. Optional. By default, local-only authentication is used.
Step 3. Configure the password for the user privilege level: super password [ level user-level ] { cipher | simple } password. If local authentication is involved, this step is required. If no user privilege level is specified when you configure the command, the user privilege level defaults to 3. By default, a privilege level has no password. If local-only authentication is used, a console user interface user can switch to a higher privilege level even if the privilege level has not been assigned a password.

Switching to a higher user privilege level

Before you switch to a higher user privilege level, obtain the required authentication data as described in Table 30. The privilege level switching fails after three consecutive unsuccessful password attempts.

To switch the user privilege level, perform the following task in user view:

Task: Switch the user privilege level. Command: super [ level ]. Remarks: When logging in to the device, a user has a user privilege level ...
...ons such as stateful failover and VRRP.

Appearance

Figure 5 Front view
1 MPU slot (Slot 0); 2 Fan tray slot; 3 Power module slot 1 (PWR1); 4 PoE power module filler panel (reserved for future PoE support); 5 Power module slot 2 (PWR2); 6 Grounding screw and sign; 7 Interface module slots (Slot 1 through Slot 4)

Figure 6 Rear view
1 Rear chassis cover handle (do not use this handle to lift the chassis); 2 Optional air filter; 3 Chassis handle; 4 Grounding screw and sign; 5 Air vents

Firewall modules

Overview

The firewall modules are developed based on the Open Application Architecture (OAA) for carrier-level customers. A firewall module can be installed in the HP 5800/7500E/9500E/12500 Switch or a 6600/8800 router. A switch or router can be installed with multiple firewall modules to expand the firewall processing capability for future use. The main network device (switch or router) and the firewall modules ...
...ord.

Method 2: After you type the last command keyword, type any single character as the start delimiter for the banner and press Enter. At the system prompt, type the banner and end the last line with a delimiter that is the same as the start delimiter. For example, you can configure the banner "Have a nice day. Please input the password." as follows:

<System> system-view
[System] header shell A
Please input banner content, and quit with the character 'A'.
Have a nice day.
Please input the password.A

Method 3: After you type the last keyword, type the start delimiter and part of the banner and press Enter. At the system prompt, enter the rest of the banner and end the last line with a delimiter that is the same as the start delimiter. For example, you can configure the banner "Have a nice day. Please input the password." as follows:

<System> system-view
[System] header shell AHave a nice day.
Please input banner content, and quit with the character 'A'.
Please input the password.A

Configuration procedure

To configure banners:

Step 1. Enter system view: system-view. N/A.
Step 2. Configure the incoming banner: header incoming text. Optional.
Step 3. Configure the login banner: header login text. Optional.
Step 4. Configure the legal banner: header legal text. Optional.
Step 5. Configure the shell banner: header shell text. Optional.
Step 6. Configure the MOTD banner: header motd text. Optional.

Configuring t...
...orded on the HWTACACS server.

Follow these guidelines when you configure the SSH server:

- To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
- If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
- If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see System Management and Maintenance Configuration Guide.

To configure the SSH server on the device:

Step 1. Enter system view: system-view. N/A.
Step 2. Create local key pairs: public-key local create { dsa | rsa }. By default, no local key pairs are created.
Step 3. Enable SSH server: ssh server enable. By default, SSH server is disabled.
Step 4. Enter one or multiple VTY user interface views: user-interface vty first-number [ last-number ]. N/A.
Step 5. Enable scheme authentication: authentication-mode scheme. By default, the authentication mode for VTY user interfaces is scheme.
Step 6. Enable the user interfaces to ...
...ow the configuration procedure on Windows XP HyperTerminal. Make sure the port settings are the same as the common AUX port settings on the device. If the default settings are used, see Table 9. On Windows Server 2003, add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or some other operating system, obtain a third-party terminal control program first, and then follow the user guide or online help of that program to log in to the device.

Figure 42 Connection description (Connection Description dialog: New Connection; enter a name and choose an icon for the connection; Name: Switch)

Figure 43 Specifying the serial port used to establish the connection (Connect To dialog)

Figure 44 Setting the properties of the serial port (COM1 Properties dialog)

5. Power on the device and press Enter at the prompt.

Figure 45 CLI

System application is starting...
User interface aux is available.

Press ENTER to get started.
<HP>
%Dec 12 15:10:20:251 2012 HP ... LOGIN: Trap 1.3.6.1.4.1.25506.2.3.0.1: login from Console
%Dec 12 15:10:20:251 2012 HP ... LOGIN: Console logged in from aux

6. At the default user view prompt <HP>, enter commands to configure the device or check the running status of the device. To get help, enter ?.

Displaying and maintaining CLI login
...password 12345678. After passing authentication, they can use commands of levels 0, 1, and 2.

Switching the user privilege level

Users can switch to a different user privilege level without logging out and terminating the current connection. After the privilege level switching, users can continue to manage the device without relogging in, but the commands they can execute have changed. For example, with the user privilege level 3, a user can configure system parameters. After switching to user privilege level 0, the user can execute only basic commands like ping and tracert, and use a few display commands. The switching operation is effective for the current login. After the user relogs in, the user privilege restores to the original level.

To avoid problems, HP recommends that administrators log in with a lower privilege level to view switch operating parameters, and switch to a higher level temporarily only when they must maintain the device. When administrators must leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others.

Configuring the authentication parameters for user privilege level switching

A user can switch to a lower privilege level without authentication. To switch to a higher privilege level, however, a user must provide the privilege level switching authentication information, if any. Table 29 shows the privilege l...
...pe. By default, no password is set.
Step 10. Specify the command level of the local user: authorization-attribute level level. Optional. By default, the command level is 0.
Step 11. Specify terminal service for the local user: service-type terminal. By default, no service type is specified.
Step 12. Configure common AUX user interface settings (optional): see "Configuring common settings for AUX login (optional)". Optional.

The next time you attempt to log in through the AUX port, you must provide the configured username and password, as shown in Figure 40.

Figure 40 Scheme authentication interface for AUX login

******************************************************************************
Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.
Without the owner's prior written consent, no decompiling or reverse engineering shall be allowed.
******************************************************************************

User interface aux is available.

Please press ENTER.

Login authentication

Username: user901
Password:
<HP>

Configuring common settings for AUX login (opt...
...ps [ | { begin | exclude | include } regular-expression ]. Available in any view.

HTTP login configuration example

Network requirements

As shown in Figure 47, configure the firewall to allow the PC to log in over the IP network by using HTTP.

Figure 47 Network diagram (PC; GE0/0; Firewall)

Configuration procedure

1. Configure the firewall.

# Assign the IP address 192.168.0.58/24 to interface GigabitEthernet 0/0.
[Firewall] interface gigabitethernet 0/0
[Firewall-GigabitEthernet0/0] ip address 192.168.0.58 255.255.255.0
[Firewall-GigabitEthernet0/0] quit

# Add interface GigabitEthernet 0/0 to zone Management. By default, interface GigabitEthernet 0/0 belongs to zone Management. To use another interface (GigabitEthernet 0/1 in the following example) to log in to the device, perform the following configuration:
[Firewall] zone name management
[Firewall-zone-management] import interface gigabitethernet0/1

# Create a local user named admin and set the password to admin. Authorize the user to use the Web service and set the command level to 3.
[Firewall] local-user admin
[Firewall-luser-admin] service-type web
[Firewall-luser-admin] authorization-attribute level 3
[Firewall-luser-admin] password simple admin
[Firewall-luser-admin] quit

# Enable the HTTP service. (Optional. Required when the HTTP service is disabled.)
[Firewall] ip http enable

2. Verify the configuration.

On the PC, l...
...r than the actual temperature decreasing event. Fan speed changes might cause the actual temperature value read after an alarm to be lower than the alarm temperature.

To configure advanced temperature thresholds:

Step 1. Enter system view: system-view. N/A.
Step 2. Configure advanced temperature thresholds for a device or a module: temperature-limit slot slot-number hotspot sensor-number lowerlimit warninglimit alarmlimit. The default temperature thresholds depend on the hotspot sensors. The warning and alarming thresholds must be higher than the lower temperature threshold. The alarming threshold must be higher than the warning threshold.

Monitoring an NMS-connected interface

The following matrix shows the feature and hardware compatibility:

Hardware / Feature compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: No
F5000: No
Firewall module: No
U200-A: Yes
U200-S: Yes

Typically, the device does not send notifications to its NMS when the IP address of an interface changes. If the IP address of the interface used by the device to communicate with the NMS changes, the NMS will be unable to communicate with the device unless the new management IP address of the device is manually updated, or the device is re-added with the new IP address to the NMS database.

To ensure management continuity, you can configure the device to monitor the NMS-connected interface for IP address changes and notify ...
...racters of the currently edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display might occur on the client.
Step 10. Configure the type of terminal display.
Step 11. Configure the user privilege level for login users: user privilege level level. By default, the command level is 0 for the AUX user interface.
Step 12. Set the maximum number of lines to be displayed on a screen: screen-length screen-length. By default, a screen displays 24 lines at most. A value of 0 disables pausing between screens of output.
Step 13. Set the size of command history buffer: history-command max-size value. By default, the buffer saves 10 history commands.
Step 14. Set the idle timeout timer: idle-timeout minutes [ seconds ]. The default idle timeout is 10 minutes. The system automatically terminates the user's connection if there is no information interaction between the device and the user within the timeout time. Setting idle-timeout to 0 disables the timer.

The port properties of the terminal emulation program must be the same as the default settings of the AUX port, which are shown in the following table:

Parameter / Default
Bits per second: 9600 bps
Flow control: On (independent AUX port); Off (console and AUX integrated port)
Parity: None
Stop bits: 1
Data bits: 8

Login procedure

To log in through the AUX port:

- Complete the authentication se...
...rewall module from the network device 68
Feature and hardware compatibility 68
Logging in to the firewall module from the network device 68
Monitoring and managing the firewall module on the network device 69
Resetting the system of the firewall module 69
Configuring the ACSEI protocol 69
Example of monitoring and managing the firewall module from the network device 71
Basic configuration 74
... 74
Performing basic configuration in the Web interface 74
Performing basic configuration at the CLI 81
Configuration guidelines 83
Managing the device ...
...
1, 2 (clock datetime, then clock timezone): date-time +/- zone-offset. Example: clock datetime ... 02/02/2007; clock timezone zone-time add 1.
2, 1 (clock timezone, then clock datetime): clock timezone zone-time add 1; clock datetime 3:00 2007/3/3. System time: 03:00:00 zone-time Sat 03/03/2007.
3 (clock summer-time): If the original system time is outside the daylight saving time range, the system time does not change until it falls into the daylight saving time range. Example: clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. System time: 01:00:00 UTC Sat 01/01/2005. If the original system time is in the daylight saving time range, the system time increases by summer-offset. Example: clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2. System time: 03:00:00 ss Sat 01/01/2005. If the original system time plus summer-offset is beyond the daylight saving time range, the original system time does not change. After you disable the daylight saving setting, the system time automatically decreases by summer-offset.

Command / Effective system time / Configuration example / System time

1, 3 (clock datetime, then clock summer-time): If date-time is outside the daylight saving time range, the system time equals date-time. Example: clock datetime 1:00 2007/1/1; clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. System time: 01:00:00 UTC Mon 01/01/2007. If date-time is in the daylight saving time range, the system time equals date-time + summer-offset. Example: clock datetime 8:00 2007/1/1; clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. System time: 10:00:00 ss Mon 01/01/2007. If date-time plus summer-offset is beyond the daylight saving time range, the system time equals date-time. After you disable the daylight saving setting, th...
...(string1)(string2)\2 repeats string2. If only one character group appears before index, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.

[^]: Matches a single character not contained within the brackets. [^16A] means to match a string containing any character except 1, 6, or A; the matching string can also contain 1, 6, or A, but cannot contain these three characters only. For example, [^16A] matches abc and m16, but not 1, 16, or 16A.

\<string: Matches a character string starting with string. \<do matches word domain and string doa3.

string\>: Matches a character string ending with string. do\> matches word undo and string abcdo.

\b: Matches character1character2. character1 can be any character except a number, letter, or underline, and \b equals [A-Za-z0-9_]. \ba matches -a (with - being character1 and a being character2), but it does not match 2a or _a.

\Bcharacter: Matches a string containing character, and no space is allowed before character. \Bt matches t in install but not t in big top.

character1\w: Matches character1character2. character2 must be a number, letter, or underline. v\w matches vlan (v is character1 and l is ...
... 84
Feature and hardware compatibility 84
Configuring the device name in the Web interface 84
Configuring the device name at the CLI 84
Configuring the system time in the Web interface 85
Displaying the current system time 85
Configuring the system time 85
Configuring the network time 86
Configuring the time zone and daylight saving time 87
Date and time configuration example 88
Configuration guidelines 90
Configuring the system time at the CLI ...
...rtual firewall (Figure 15 residue: virtual firewall 1; Finance Dept)

VPN application

The F1000-A-EI/F1000-S-EI supports VPN functions, helping branch offices and remote users securely access the resources in the headquarters and those in their own networks.

Figure 16 Network diagram

F1000-E

Deployed at the egress of an enterprise network, F1000-E firewalls can protect against external attacks, ensure secure access from the external network to the internal network resources (such as servers in the DMZ zone) through NAT and VPN functions, and control access to the internal network by using security zones. You can deploy two firewalls in the network for redundancy backup to avoid a single point of failure.

Figure 17 Network diagram (Quidview; CAMS; XLOG; Network Management Zone; F1000-E; Internet)

F5000

Large data centers are connected to the 10G core network, usually through 10G Ethernet. The F5000 firewall has a 10G processing capability and abundant port features. It can be deployed at the egress of a network to protect security for the internal network. You can deploy two firewalls to implement stateful failover:

- Active-active stateful failover can balance user data.
- Active-standby stateful failover improves availability of the firewalls. They back up each other to avoid a single point of failure.

Figure 18 Network diagram (Internet; ERP, OA, CRM, WEB, POP3, SMTP; DMZ; Data Center)

Firewall modules

Firewall modules work with the main ...
...acl ipv6 ipv6-acl-number ]. (For more information, see System Management and Maintenance Configuration Guide.)

Step 5. Apply the ACL to an SNMP community, group, or user. For more information, see System Management and Maintenance Configuration Guide.
- SNMPv3 group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] [ acl ipv6 ipv6-acl-number ]
- SNMPv1/v2c user: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ] [ acl ipv6 ipv6-acl-number ]
- SNMPv3 user: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ] [ acl ipv6 ipv6-acl-number ]

NOTE: Support for the acl ipv6 ipv6-acl-number option depends on the device model. For more information, see Getting Started Command Reference.

SNMP login control configuration example

Network requirements

Configure the firewall in Figure 79 to allow Host A and Host B to access the firewall through SNMP.

Figure 79 Network diagram (Host A 10.110.100.46; Firewall; Host B 10.110.100.52)

Configuration procedure

# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B and rule 2 to permit packets sourced from Host A.
<Firewall> system-view
[Firewall] acl number 2000 match-order config
[Firewall-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Firewall-acl-basic-2000] rule 2 permit source ...
... 23
Configuring password authentication for console login 24
Configuring scheme authentication for console login 24
Configuring common console user interface settings (optional) 26
Logging in through Telnet 27
Configuring none authentication for Telnet login 29
Configuring password authentication for Telnet login 30
Configuring scheme authentication for Telnet login 3...
Configuring common VTY user interface settings (optional) 33
Using the device to log in to a Telnet server 34
Logging in through SSH 35
Configuring the SSH server on the device 36
Using the device to log in t...
...settings (including the username) as the firewall. If not, the firewall cannot be discovered or managed by the NMS. Use the network management station to discover, query, and configure the firewall. For more information, see the NMS manual.

Logging in to the firewall module from the network device

Feature and hardware compatibility

Hardware / Feature compatible
F1000-A-EI/F1000-S-EI: No
F1000-E: No
F5000: No
Firewall module: Yes
U200-A: No
U200-S: No

This chapter describes how to log in to the firewall module from the network device. Other login methods for the firewall module are the same as for a firewall.

Logging in to the firewall module from the network device

Before logging in to the firewall module from the network device, you must configure the AUX user interface of the firewall module.

To configure the AUX user interface:

Step 1. Enter system view: system-view. N/A.
Step 2. Enter AUX user interface view: user-interface aux first-number [ last-number ]. N/A.
Step 3. Specify the none authentication mode: authentication-mode none. By default, the AUX user interface uses password authentication.
Step 4. Configure the user privilege level: user privilege level level. 0 by default. HP recommends you set it to 3.

To log in to the firewall module from the network device:

Task: Log in to the firewall module from ... Remarks: Available in user view of the network device (switch or router).
Scheduling jobs 99
Job configuration approaches 99
Configuration guidelines 99
Scheduled job configuration example 101
Setting the port status detection timer 102
Configuring temperature thresholds for a device or a module 103
Configuring basic temperature thresholds 103
Configuring advanced temperature thresholds 103
Monitoring an NMS-connected interface 104
Clearing unused 16-bit interface indexes 105
Verifying and diagnosing transceiver modules 106
Verifying transceiver modules 106
Diagnosing transceiver modules
Step 9  (continued) Set the password for the local user. Command: password { cipher | simple } password. Remarks: By default, the password for the system-predefined user admin is admin, and no password is set for any other local user. Change the admin password before you expose any management service: a default credential printed in the product documentation is the first thing an attacker tries.
Step 10  Specify the user privilege level for the local user. Command: authorization-attribute level level.
Step 11  Specify the Telnet service type for the local user. Command: service-type telnet. Remarks: By default, the system-predefined user admin can use terminal service, Telnet service, SSH service, and Web service, and no service type is specified for any other local user.
Step 12  Exit to system view. Command: quit. Remarks: N/A.
Step 13  Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 14  Assign an IP address and subnet mask to the interface. Command: ip address ip-address { mask | mask-length }. Remarks: By default, only interface GigabitEthernet 0/0 is assigned an IP address, 192.168.0.1/24.

Configuring HTTPS login
The device supports the following HTTPS login modes:
Simplified mode: To make the device operate in this mode, you only need to enable the HTTPS service on the device. The device uses a self-signed certificate (a certificate that is generated and signed by the device itself rather than by a CA) and the default SSL settings. This mode is simple to configure but has potential security risks: because no CA vouches for the self-signed certificate, clients cannot verify that they are talking to the device, and anyone on the path can present a self-signed certificate of their own and intercept the session.
Secure mode: To make the device operate in this mode, you must enable the HTTPS service on the device, specify an SSL server policy for the ser
Web login control configuration example 119
Displaying online users 120
Using the CLI 121
Command conventions 121
Using the undo form of a command 122
CLI views 122
Entering system view from user view 123
Returning to the upper-level view from any view 123
Returning to user view from any other view 123
Accessing the CLI online help 124
Entering a command 125
Editing a command line
Step 4  Set a password for password authentication. Command: set authentication password { cipher | simple } password. Remarks: By default, no password is set.
Step 5  Configure common settings for AUX login. Remarks: Optional. See "Configuring common settings for AUX login."

The next time you attempt to log in to the CLI through the AUX port, you must provide the configured login password, as shown in Figure 39.

Figure 39 Password authentication interface for AUX login
******************************************************************************
* Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent, no decompiling or reverse       *
* engineering shall be allowed.                                              *
******************************************************************************
User interface aux is available.
Please press ENTER.
Login authentication
Password:

Configuring scheme authentication for AUX login
When scheme authentication is used, you can choose to configure the command authorization and command accounting functions. If command authorization is enabled, a command is available only if
filter (ASPF) feature, which can monitor the connection setup process, detect invalid operations, and cooperate with ACLs to complete packet filtering.
• Support for various VPN solutions, such as IP security (IPsec) VPN, Layer 2 Tunneling Protocol (L2TP) VPN, and Generic Routing Encapsulation (GRE) VPN. You can use these functions to construct various VPNs.
• Support for static routing, policy-based routing, and dynamic routing such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).
• Support for virtual firewalls, which can effectively save deployment cost.
The new-generation firewalls not only provide powerful firewall functions but also support advanced functions that help achieve higher network security, including intrusion detection and protection, gateway anti-virus, peer-to-peer (P2P) traffic control, and uniform resource locator (URL) filtering.
The UTM products have the advantages of high reliability and availability. They support stateful failover and temperature sensing in the chassis, and are available with AC power modules. In addition, they support network management and provide a Web management interface, fully satisfying requirements for network maintenance, upgrade, and optimization.
U200-A supports two types of interface modules: NSQ1GT2UA0 and NSQ1GP4U0. Each U200-A provides two MIM expansion slots for future interfacing and service expansion. U200-S supports one type of interface m
Step 3  (continued) Set the time zone. Command: clock timezone zone-name { add | minus } zone-offset.
Step 4  Set a daylight saving time scheme. Remarks: Optional. By default, daylight saving time is disabled and the UTC time zone applies.
        • Set a non-recurring scheme. Command: clock summer-time zone-name one-off start-time start-date end-time end-date add-time
        • Set a recurring scheme. Command: clock summer-time zone-name repeating start-time start-date end-time end-date add-time

Setting the idle timeout timer in the Web interface
Perform this task to set the idle timeout period for logged-in users. The system logs out a user that has been idle for the specified period.
To set the Web idle timeout:
1. Select Device Management > Device Basic > Web Management from the navigation tree to enter the page shown in Figure 71.
2. Enter the idle timeout.
3. Click Apply.

Figure 71 Web management
Set idle timeout
Idle timeout: 30 Minutes (1-999, Default 10)
Items marked with an asterisk (*) are required.

Setting the idle timeout timer at the CLI
You can set the idle timeout timer for a logged-in user. After a user logs in to the firewall, if the user performs no operation before the timer expires, the firewall automatically tears down the connection to the user. If you set this timer to 0, the firewall does not tear down the connection automatically; an unattended session then stays open indefinitely, so reserve 0 for a physically protected console and avoid it for remote sessions.
To set the idle timeout timer:
Step 1  Enter system view. Command: system-view. Remarks: N/A.
Set the time zone for the system.
Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 67. You can configure the daylight saving time changes in the following ways:
• Specify that the daylight saving time starts on a specific date and ends on a specific date. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on August 1st, 2006 at 06:00:00 a.m. and end on September 1st, 2006 at 06:00:00 a.m.
• Specify that the daylight saving time starts and ends on the corresponding specified days every year. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on the first Monday in August at 06:00:00 a.m. and end on the last Sunday in September at 06:00:00 a.m.

Figure 67 Setting the daylight saving time
Set Daylight Saving Time
[x] Adjust clock for daylight saving time changes
( ) Repeat from ... to ...
( ) Repeat from 00:00:00 January, First Week, Sunday to 00:00:00 January, First Week, Sunday

Date and time configuration example
In this example, Device A is the firewall.
Network requirements
The local clock of Device A is set as the reference clock w
temperature thresholds for a device or a module 103
Configuring the device name at the CLI 84
Configuring the device name in the Web interface 84
Configuring the exception handling method 97
Configuring the maximum number of concurrent users 96
Configuring the system time at the CLI 90
Configuring the system time in the Web interface 85
Configuring user privilege and command levels 132
Configuring Web login 52
Contacting HP 140
Controlling the CLI output 129
Controlling user logins 113
Conventions 141
D
Displaying and maintaining CLI 139
Displaying and maintaining CLI login 49
Displaying and maintaining device management 107
Displaying and maintaining Web login 57
Displaying online users 120
E
Enabling displaying the copyright statement 95
Enhanced firewall modules 6
Entering a command 125
Example of monitoring and managing the firewall module from the network device 71
F
F1000-A-EI/F1000-S-EI 1
F1000-E 2
F5000 3
Feature and hardware compatibility 68
Feature and hardware compatibility 84
Firewall modules 5
H
HTTP login configuration example 57
HTTPS login configuration example 58
L
Local login through the AUX port 38
Logging in by using the default Web login settings 51
Logging in through SSH 35
Logging in through Telnet 27
Logging in through the console port for the first time 20
Logging in to the firewall module from the network device 68
Login methods at a glance 17
terfaces:
• 12 combo interfaces for fiber/copper port switching
• Two expansion slots, which support the 2-port 10GE fiber interface module NSQ1XS2U0

Appearance
F1000-A-EI and F1000-S-EI have similar front and rear views.
Figure 1 Front view
(1) Combo interfaces (2) Console port (CONSOLE) (3) USB port (reserved for future use)
Figure 2 Rear view
(1) Power module slot 1 (PWR1), supports AC/DC power modules (2) Power module slot 2 (PWR2), supports AC/DC power modules (3) Interface module slot 2 (Slot 2) (4) Grounding screw (5) Interface module slot 1 (Slot 1)
An NSQ1XS2U0 interface module can be installed only in slot 1.

F1000-E
Overview
The F1000-E is designed for large and medium-sized networks. It supports the following functions:
• Traditional firewall functions
• Virtual firewall, security zone, attack protection, URL filtering
• Application Specific Packet Filter (ASPF), which can monitor connection processes and user operations and provide dynamic packet filtering together with ACLs
• Multiple types of VPN services, such as IPsec VPN
• RIP, OSPF, and BGP routing
• Power module redundancy backup (AC+AC or DC+DC)
• Stateful failover (Active/Active and Active/Standby modes)
• Inside-chassis temperature detection
• Support for management by its own Web-based management system or by IMC
The F1000-E uses a multi-core processor and provides the following interfaces:
• Four combo interfaces for fiber
th command. For more information about this command, see Getting Started Command Reference.
To control output, use the keys in Table 26.

Table 26 Keys for controlling output
Keys: Space. Function: Displays the next screen.
Keys: Enter. Function: Displays the next line.
Keys: Ctrl+C. Function: Stops the display and cancels the command execution.
Keys: <PageUp>. Function: Displays the previous page.
Keys: <PageDown>. Function: Displays the next page.

To display all output at one time and refresh the screen continuously until the last screen is displayed:
Task: Disable pausing between screens of output for the current session. Command: screen-length disable. Remarks: The default for a session depends on the setting of the screen-length command in user interface view. The default of the screen-length command is pausing between screens of output and displaying up to 24 lines on a screen. This command is executed in user view and takes effect only for the current session. When you log in to the device again, the default is restored.

Filtering the output from a display command
You can use one of the following methods to filter the output from a display command:
• Specify the | { begin | exclude | include } regular-expression option at the end of the command.
• When the system pauses after displaying a screen of output, enter a forward slash (/), minus sign (-), or plus sign (+) and a regular expression to filter subsequent output. The forward slash equals the
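The three filter modes described above, as an added example that is not part of the HP guide: a small Python model of begin, exclude and include applied to a constructed block of display output. The mapping of the pause-screen shortcut characters to the three keywords (slash for begin, minus for exclude, plus for include) is stated here as an assumption to confirm against the Getting Started Command Reference, since the guide's own sentence is cut off above, and Python's re module only approximates the device's regular expression dialect.

```python
"""Model of Comware display-output filtering: | begin / exclude / include.

Added example, not code from the HP guide. The sample output is
constructed; the shortcut-key mapping is an assumption to verify
against the Getting Started Command Reference.
"""
import re

# Constructed sample of what a display command might print (not real device output).
SAMPLE_OUTPUT = """\
Slot 1 interface summary
GigabitEthernet0/0  up    192.168.0.1
GigabitEthernet0/1  down  --
GigabitEthernet0/2  up    10.0.0.1
Vlan-interface1     up    172.16.1.1
"""

# Assumption: characters typed at the "---- More ----" pause map to the keywords.
PAUSE_KEYS = {"/": "begin", "-": "exclude", "+": "include"}


def filter_output(text, mode, pattern):
    """Apply one filter mode to display output and return the surviving lines.

    begin   : drop everything before the first line matching the pattern
    include : keep only lines matching the pattern
    exclude : drop lines matching the pattern
    """
    lines = text.splitlines()
    rx = re.compile(pattern)
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []  # no line matched, so nothing is displayed
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError(f"unknown filter mode: {mode}")


def filter_at_pause(text, typed):
    """Emulate typing '/regex', '-regex' or '+regex' at the pause prompt."""
    if not typed or typed[0] not in PAUSE_KEYS:
        raise ValueError("expected a leading /, - or + followed by a regular expression")
    return filter_output(text, PAUSE_KEYS[typed[0]], typed[1:])


if __name__ == "__main__":
    for mode, pattern in (("include", r"\bup\b"), ("exclude", "down"), ("begin", "GigabitEthernet0/2")):
        print(f"| {mode} {pattern}")
        print("\n".join(filter_output(SAMPLE_OUTPUT, mode, pattern)))
```

Running the module prints the three filtered views of the constructed output; note that begin keeps the matching line and everything after it, while include and exclude judge each line independently.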
th the device (for example, if you specify an external IP address as the IP address of the local host or as the IP address of the current access interface). Perform the operation with caution.
External IP/Port: When you enable the internal server, set the valid IP address and service port number for external access.
Int IP/Port: If you enable the internal server, set the IP address and service port number for the server on the internal LAN.
11. Click Next. The page listing all configurations you have made in the basic configuration wizard appears.

Figure 61 Basic configuration wizard (6/6)
Basic Configuration Wizard: Save Configuration
Basic Configuration: Sysname: HP. Administrator Password: Not modified.
Service Information: FTP Service: Disabled. Telnet Service: Enabled. HTTP Service: Enabled (port is 80). HTTPS Service: Disabled.
Interface IP Address: GigabitEthernet0/0: 192.168.2.3 255.255.255.0. GigabitEthernet0/1 through GigabitEthernet0/7: None.
Items marked with an asterisk (*) are required.

On this page you can set whether to save the current configuration to the startup configuration file (which can be a .cfg or .xml file) for the next device boot when you submit the configurations. Before you do, read the service summary: in the figure above, Telnet and HTTP are enabled, HTTPS is disabled, and the administrator password is unmodified, which leaves management traffic and the default credential exposed to anyone on the management network. Go back, turn on HTTPS, turn off Telnet and HTTP, and set the administrator password before finishing.
12. Click Finish to confirm the con
the Enhanced firewall module, you can implement security functions such as firewall and VPN in the HP 10500/12500 switches, integrating security protection with network functions. The Enhanced firewall module supports the following functions:
• External attack protection, internal network protection, traffic monitoring, URL filtering, application layer filtering
• ASPF
• Email alarm, attack log, stream log, and network management monitoring
• Stateful failover (Active/Active and Active/Standby modes), implementing load sharing and service backup

UTM products
Overview
The HP UTM products are a new generation of professional security devices developed by HP for enterprises. They fall into the following categories:
• U200-A: For small to medium-sized enterprises and branches
• U200-S: For small enterprises and branches
The UTM products are based on a high-performance multi-core and multi-thread security platform and deliver a comprehensive suite of firewall and virtual private network (VPN) features:
• Support for security zones, static and dynamic blacklist functions, MAC address/IP address binding, security zone-based access control, and attack protection that can defend against attacks such as ARP spoofing, attacks exploiting TCP flag bits, large ICMP packet attacks, SYN flood attacks, and address scanning and port scanning. These products also provide the stateful application-specific packet
the client use different display types (for example, HyperTerminal and Telnet terminal), or both are set to ANSI, and the total number of characters of the currently edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display might occur on the client.
Step 10  Configure the user privilege level for login users. Command: user privilege level level. Remarks: By default, the command level is 3 for the console user interface.
Step 11  Set the maximum number of lines to be displayed on a screen. Command: screen-length screen-length. Remarks: By default, a screen displays 24 lines at most. A value of 0 disables pausing between screens of output.
Step 12  Set the size of the command history buffer. Command: history-command max-size value. Remarks: By default, the buffer saves 10 history commands at most.
Step 13  Set the idle timeout timer. Command: idle-timeout minutes [ seconds ]. Remarks: The default idle timeout is 10 minutes. The system automatically terminates the user's connection if there is no information interaction between the device and the user within the idle timeout time. Setting idle-timeout to 0 disables the idle timeout function.

Logging in through Telnet
NOTE: Telnet login is not supported in FIPS mode.
You can Telnet to the device for remote management, or use the device as a Telnet client to Telnet to other devices, as shown in Figure 30. Telnet carries usernames, passwords, and every command in cleartext; on any network you do not fully control, use SSH instead and leave the Telnet server disabled, which is its default.
Figure 30 Telnet login
Telnet client ... Te
the console port and reset the password. If the username or password configured on a remote server was lost, contact the server administrator for help.

Table 6 Configuration required for different Telnet login authentication modes
Authentication mode: None
  Configuration tasks: Set the authentication mode to none for the VTY user interface.
  Reference: Configuring none authentication for Telnet login
Authentication mode: Password
  Configuration tasks: Enable password authentication on the VTY user interface. Set a password.
  Reference: Configuring password authentication for Telnet login
Authentication mode: Scheme
  Configuration tasks: Enable scheme authentication on the VTY user interface. Configure local or remote authentication settings.
    To configure local authentication:
    1. Configure a local user and specify the password.
    2. Configure the device to use local authentication.
    To configure remote authentication:
    1. Configure the RADIUS or HWTACACS scheme on the device.
    2. Configure the username and password on the AAA server.
    3. Configure the device to use the scheme for user authentication.
  Reference: Configuring scheme authentication for Telnet login

Configuring none authentication for Telnet login
Step 1  Enter system view. Command: system-view. Remarks: N/A.
Step 2  Enable the Telnet server. Command: telnet server enable. Remarks: By default, the Telnet server function is disabled.
Step 3  Enter one or multiple VTY user interfac
the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme. Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behavior on the device. If command accounting is enabled and command authorization is not, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Follow these guidelines when you configure scheme authentication for console login:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.
To configure scheme authentication for console login:
Step 1  Enter system view. Command: system-view. Remarks: N/A.
Step 2  Enter console user interface view. Command: user-interface console first-number [ last-number ]. Remarks: N/A.
Step 3  Remarks: Whether local R
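The interplay of privilege level, command authorization and command accounting described above, as an added example that is not part of the HP guide: a Python model of one command passing through the checks in the order the text gives them, with a stand-in for the HWTACACS server. The command levels, the user, the server's policy and the executor that makes one command fail are all constructed for illustration; what the model shows is which commands reach the accounting log under each combination of settings.

```python
"""Model of command authorization and command accounting under scheme
authentication, as described for HWTACACS.

Added example, not HP code. Command levels, users, the server policy
and the executor are constructed; the point is the order of the checks
and which commands end up in the accounting records.
"""
from dataclasses import dataclass, field

# Constructed command levels on the guide's 0..3 scale (assumed for the example).
COMMAND_LEVELS = {"ping": 0, "display": 1, "system-view": 2, "save": 3, "reboot": 3}


@dataclass
class AccountingRecord:
    user: str
    command: str
    succeeded: bool


@dataclass
class TacacsServer:
    """Stand-in for the HWTACACS authorization/accounting server."""
    allowed: dict                      # user -> set of command names the server authorizes
    records: list = field(default_factory=list)

    def authorize(self, user, command):
        return command.split()[0] in self.allowed.get(user, set())

    def account(self, user, command, succeeded):
        # Recorded regardless of the execution result, as the guide states.
        self.records.append(AccountingRecord(user, command, succeeded))


def run_command(user, level, command, server, *, authorization, accounting, execute):
    """Run one command the way the guide describes.

    1. The user's privilege level must be commensurate with the command level.
    2. With command authorization on, the AAA scheme must also authorize it.
    3. Only commands that actually execute reach accounting, success or not.
    Returns a short outcome string.
    """
    name = command.split()[0]
    if level < COMMAND_LEVELS.get(name, 3):
        return "denied: privilege level"
    if authorization and not server.authorize(user, command):
        return "denied: command authorization"
    succeeded = execute(command)
    if accounting:
        server.account(user, command, succeeded)
    return "executed" if succeeded else "failed"


def fake_execute(command):
    """Constructed executor: 'reboot' fails, everything else succeeds."""
    return not command.startswith("reboot")


def demo(authorization, accounting):
    """Replay a constructed session and return the (command, succeeded) records."""
    server = TacacsServer(allowed={"ops": {"display", "ping", "system-view"}})
    session = ["display version", "system-view", "save", "reboot", "ping 10.0.0.1"]
    for cmd in session:
        run_command("ops", 3, cmd, server, authorization=authorization,
                    accounting=accounting, execute=fake_execute)
    return [(r.command, r.succeeded) for r in server.records]


if __name__ == "__main__":
    print("accounting only:", demo(authorization=False, accounting=True))
    print("both enabled:  ", demo(authorization=True, accounting=True))
```

With accounting alone, the failed reboot is recorded along with everything else; with authorization also on, the commands the server refuses never execute and therefore never appear in the records, which is exactly the difference the guide describes.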
tication-mode scheme
Step 4  Return to system view. Command: quit. Remarks: N/A.
Step 5  Configure the authentication mode for SSH users. Remarks: This task is required only for SSH users who are required to provide their usernames and passwords for password authentication. For more information, see Management and Maintenance Configuration Guide.
Step 6  Configure the user privilege level through the AAA module. Use either approach:
  • To use local authentication: (a) Use the local-user command to create a local user and enter local user view. (b) Use the level keyword in the authorization-attribute command to configure the user privilege level.
  • To use remote authentication (RADIUS, HWTACACS, or LDAP): Configure the user privilege level on the authentication server.
  Remarks: For local authentication, if you do not configure the user privilege level, the user privilege level is 0. For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server. For more information about the local-user and authorization-attribute commands, see Access Control Command Reference.

For example, configure the device to use local authentication for Telnet users on VTY 1:
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test]
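The login settings that this guide's AUX, console, Telnet and SSH sections configure one command at a time (authentication mode, login password, user privilege level, idle timeout, ACL on the VTY interfaces, Telnet server, local user passwords) are easiest to review together. The following audit script is an added example and not HP code: it parses a configuration written in the command syntax the guide shows and reports the weak combinations those sections warn about. The sample configuration is constructed, the severity labels are the editor's, and anything the parser does not understand is silently ignored, so treat a clean report on a real 'display current-configuration' dump as "nothing found", not "nothing wrong".

```python
"""Audit a Comware-style login configuration for the weak settings the
login sections of this guide warn about.

Added example, not HP code. It understands only the commands in the
syntax the guide shows. The configuration below is constructed.
"""
import re

SAMPLE_CONFIG = """\
 telnet server enable
#
local-user test
 password simple test123
 service-type telnet
 authorization-attribute level 3
#
user-interface aux 0
 authentication-mode none
 user privilege level 3
#
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 idle-timeout 0 0
#
user-interface vty 5 15
 authentication-mode scheme
 acl 2001 inbound
 idle-timeout 5 0
"""

SEVERITY = {
    "NONE_AUTH": "high",             # anyone reaching the port gets a CLI
    "NO_PASSWORD": "high",           # password mode selected but no password set
    "LEVEL3_WITHOUT_SCHEME": "warn", # manage level without per-user authentication
    "IDLE_TIMEOUT_DISABLED": "warn", # idle-timeout 0 never tears the session down
    "VTY_NO_ACL": "info",            # remote interface open to any source address
    "SIMPLE_PASSWORD": "warn",       # password kept in cleartext in the config
    "TELNET_ENABLED": "warn",        # credentials cross the network in cleartext
}


def parse_blocks(config):
    """Split a config dump into (header, [subcommands]).

    Comware indents sub-commands with one space and separates sections
    with '#'. Top-level commands are collected under the header ''.
    """
    blocks = [("", [])]
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw.startswith(" "):
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_user_interface(header, cmds):
    """Return the finding codes for one user-interface block."""
    mode = level = password = idle = None   # None = not set explicitly
    acl_inbound = False
    for c in cmds:
        if c.startswith("authentication-mode "):
            mode = c.split()[1]
        elif c.startswith("user privilege level "):
            level = int(c.split()[-1])
        elif c.startswith("set authentication password "):
            password = c.split()[3]            # 'cipher' or 'simple'
        elif c.startswith("idle-timeout "):
            nums = [int(x) for x in c.split()[1:]]
            idle = (nums[0], nums[1] if len(nums) > 1 else 0)
        elif re.match(r"acl (ipv6 )?\d+ inbound$", c):
            acl_inbound = True
    findings = []
    if mode == "none":
        findings.append("NONE_AUTH")
    if mode == "password" and password is None:
        findings.append("NO_PASSWORD")
    if password == "simple":
        findings.append("SIMPLE_PASSWORD")
    if level is not None and level >= 3 and mode != "scheme":
        findings.append("LEVEL3_WITHOUT_SCHEME")
    if idle == (0, 0):
        findings.append("IDLE_TIMEOUT_DISABLED")
    if header.startswith("user-interface vty") and not acl_inbound:
        findings.append("VTY_NO_ACL")
    return findings


def audit(config):
    """Return [(severity, code, scope)] for every weak setting found."""
    out = []
    for header, cmds in parse_blocks(config):
        if header == "":
            codes = ["TELNET_ENABLED"] if "telnet server enable" in cmds else []
            scope = "global"
        elif header.startswith("local-user "):
            codes = ["SIMPLE_PASSWORD"] if any(c.startswith("password simple ") for c in cmds) else []
            scope = header
        elif header.startswith("user-interface "):
            codes, scope = audit_user_interface(header, cmds), header
        else:
            continue
        out.extend((SEVERITY[c], c, scope) for c in codes)
    return out


if __name__ == "__main__":
    for sev, code, scope in audit(SAMPLE_CONFIG):
        print(f"{sev:4} {code:22} {scope}")
```

On the constructed configuration the report flags the AUX interface (none authentication at level 3), the first VTY range (password mode with no password, level 3, idle timeout disabled, no ACL), the cleartext local-user password, and the enabled Telnet server, while the scheme-authenticated VTY range with an inbound ACL and a five-minute idle timeout produces nothing.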
tion. Items marked with an asterisk (*) are required. [Next]
10. Configure the parameters as described in Table 14.

Table 14 Configuration items
Item: Interface. Description: Select an interface on which the NAT configuration will be applied.
Item: Dynamic NAT. Description: Specify whether to enable dynamic NAT on the interface. If dynamic NAT is enabled, the IP address of the interface is used as the IP address of a matched packet after the translation. By default, dynamic NAT is disabled.
Item: Source IP/Wildcard. Description: If dynamic NAT is enabled, set the source IP address and wildcard for packets.
Item: Destination IP/Wildcard. Description: If dynamic NAT is enabled, set the destination IP address and wildcard for packets.
Item: Protocol type. Description: If dynamic NAT is enabled, select the protocol type carried over the IP protocol, including TCP, UDP, and IP (indicating all protocols carried by the IP protocol).
Item: Internal Server. Description: Specify whether to enable the internal server. If the internal server is enabled, when a user from the external network accesses the internal server, NAT translates the destination address of request packets into the private IP address of the internal server. When the internal server replies to the packets, NAT translates the source address (private IP address) of reply packets into a public IP address. By default, the internal server is disabled.
IMPORTANT: Configuration of the internal server may result in disconnection wi
Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic. Description: Italic text represents arguments that you replace with actual values.
Convention: [ ]. Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... }. Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Convention: [ x | y | ... ]. Description: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
Convention: { x | y | ... } *. Description: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
Convention: [ x | y | ... ] *. Description: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
Convention: &<1-n>. Description: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
Convention: #. Description: A line that starts with a pound sign (#) is comments.
Command keywords are case insensitive.
The following example analyzes the syntax of the clock datetime time date command according to Table 22.

Figure 83 Understanding command line parameters
clock datetime time date
  clock datetime: boldface, keywords.
  time date: italic, arguments; replace them with actual values at the CLI.
For example, to set the system time to 10:30:20, February 23, 2010, enter the following comma
Overview
This documentation is applicable to the following firewall and UTM products:
• HP F1000-S-EI firewall, hereinafter referred to as the F1000-S-EI
• HP F1000-A-EI firewall, hereinafter referred to as the F1000-A-EI
• HP F1000-E firewall, hereinafter referred to as the F1000-E
• HP F5000 firewall, hereinafter referred to as the F5000
• HP firewall modules
• HP Enhanced firewall modules
• HP U200-A/U200-S Unified Threat Management products, hereinafter referred to as the UTM
You can configure most of the firewall functions in the Web interface and some functions at the command line interface (CLI). Each function configuration guide specifies clearly whether the function is configured in the Web interface or at the CLI.

F1000-A-EI/F1000-S-EI
Overview
F1000-A-EI/F1000-S-EI, a leading firewall device of HP, is designed for medium-sized enterprises. It supports the following functions:
• Traditional firewall functions
• Virtual firewall, security zone, attack protection, URL filtering
• Application Specific Packet Filter (ASPF), which can monitor connection processes and user operations and provide dynamic packet filtering together with ACLs
• Multiple types of VPN services, such as IPsec VPN
• RIP, OSPF, and BGP routing
• Stateful failover (Active/Active and Active/Standby modes)
• Inside-chassis temperature detection
• Management by its own Web-based management system and IMC
F1000-A-EI/F1000-S-EI uses a multi-core processor and provides the following in
WARNING: An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a firewall product or a UTM device.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.

Index
Accessing the CLI online help 124
Adding a Web login account 52
Application scenarios
C
Clearing unused 16-bit interface indexes 105
CLI user interfaces 18
CLI views 122
Command conventions 121
Configuration guidelines 83
Configuration guidelines 51
Configuring a local user at the CLI 113
Configuring a local user in the Web interface 110
Configuring banners 95
Configuring console login control settings 22
Configuring SNMP access 64
Configuring
ttings on the AUX user interface. By default, password authentication is enabled but no password is set. To use password authentication, you must set a password for password authentication.
• Make sure the configuration terminal has a terminal emulation program, for example, HyperTerminal in Windows XP.
• Port settings of the terminal emulation program must be the same as the settings of the AUX port. Table 9 lists the default AUX port properties.

Table 9 Default AUX port properties
Parameter: Bits per second. Default: 9600 bps.
Parameter: Flow control. Default: Off.
Parameter: Parity. Default: None.
Parameter: Stop bits. Default: 1.
Parameter: Data bits. Default: 8.

To log in through the AUX port from the configuration terminal (for example, a PC):
1. Plug the DB-9 female connector of the console cable into the serial port of the PC.
2. Plug the RJ-45 connector of the console cable into the AUX port of the device.
IMPORTANT:
• Identify the mark on the console port and make sure you are connecting to the correct port.
• The serial ports on PCs do not support hot swapping. If the device has been powered on, always connect the console cable to the PC before connecting it to the device, and when you disconnect the cable, first disconnect it from the device.
Figure 41 Connecting the AUX port to a terminal
Host (RS-232) to AUX port on the device
3. If the PC is off, turn on the PC.
4. Launch the terminal emulation program and configure the communication properties on the PC. Figure 42 through Figure 44 sh
Step 2  (continued) ... source { interface interface-type interface-number | ip ip-address }. Remarks: By default, no source IPv4 address or source interface is specified for outgoing Telnet packets; the device automatically selects a source IPv4 address.
Step 3  Exit to user view. Command: quit. Remarks: N/A.
Step 4  Use the device to log in to a Telnet server. Use either command:
  • Log in to an IPv4 Telnet server: telnet remote-host [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } ]
  • Log in to an IPv6 Telnet server: telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]
  NOTE: Support for the telnet ipv6 command depends on the device model. For more information, see Getting Started Command Reference.

Logging in through SSH
SSH offers a secure approach to remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. You can use an SSH client to log in to the device operating as an SSH server for remote management, as shown in Figure 35. You can also use the device as an SSH client to log in to an SSH server.
Figure 35 SSH login diagram
SSH client ... SSH server
Table 7 shows the SSH server and client configuration required for a successful SSH login.

Table 7 SSH server and client requirements
Device role: SSH server. Requirements: Assign an IP address to an interface of the device and make sure the i
uired. [Back] [Next] [Finish]
3. Click Next. The page for basic configuration appears.

Figure 57 Basic configuration wizard (2/6): basic information
Basic Configuration Wizard: Basic Configuration
Sysname: HP (Chars. 1-30)
[ ] Modify Current User Password
New Password: (Chars. 1-83)
Confirm Password:
Password Encryption: ( ) Reversible ( ) Irreversible
Items marked with an asterisk (*) are required.

4. Configure the parameters as described in Table 11.

Table 11 Configuration items
Item: Sysname. Description: Enter the system name.
Item: Modify Current User Password. Description: Specify whether to modify the login password of the current user.
Item: New Password, Confirm Password. Description: To modify the password of the current user, set the new password and the confirm password. The two passwords must be identical.
  IMPORTANT: You can modify the password of a user authenticated by local authentication only, and cannot modify that of a user authenticated by remote authentication. If the name of a user authenticated by local authentication and that of a user authenticated by remote authentication are duplicated, your modification only takes effect on the user authenticated by local authentication.
Item: Password Encryption. Description: Specify the password encryption method.
  • Reversible: The device encrypts user passwords with a reversible encryption algorithm. A reversibly encrypted password can be turned back into the cleartext by anyone who obtains the configuration file, so choose Irreversible unless something specific requires recovery of the plaintext.
  • Irreversible: The device
ule. Otherwise, no clients can log in to the device. For more information about certificate attribute-based access control policies, see VPN Configuration Guide.
Step 6  Specify the HTTPS service port. Command: ip https port port-number. Remarks: Optional. The default HTTPS service port is 443.
Step 7  Associate the HTTPS service with an ACL. Command: ip https acl acl-number. Remarks: Optional. By default, the HTTPS service is not associated with any ACL. Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device.
Step 8  Specify the authentication mode for users trying to log in to the device through HTTPS. Command: web https-authorization mode { auto | manual }. Remarks: Optional. By default, a user must enter the correct username and password to log in through HTTPS. When the auto mode is enabled:
  • If the user's PKI certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the user automatically enters the Web interface of the device.
  • If the user's PKI certificate is correct and not expired but the AAA authentication fails, the device shows the Web login page. The user can log in to the device after entering the correct username and password.
  In auto mode the certificate's CN is the identity, so anyone who can obtain a certificate with a chosen CN from any CA the device trusts logs in as that user; keep the trusted CA list minimal and use the certificate attribute-based access control policy mentioned above to restrict which certificates are accepted.
Step 9  Set the Web user connection timeout time. Command: web idle-timeout minutes. Remarks: Optional.
Step 10  Set the size of the
169. …umber [ last-number ]: N/A.
- inbound: Filters incoming packets.
- outbound: Filters outgoing packets.
Step 6. Use the ACL to control user logins by source IP address.
Command: acl [ ipv6 ] acl-number { inbound | outbound }
NOTE: Support for the ipv6 keyword depends on the device model. For more information, see Getting Started Command Reference.
Configuring source/destination-IP-based Telnet login control
Step Command Remarks
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL. Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]. Remarks: By default, no advanced ACL exists. NOTE: Support for the ipv6 keyword depends on the device model. For more information, see Getting Started Command Reference.
Step 3. Configure an ACL rule. Command: rule [ rule-id ] { permit | deny } rule-string. Remarks: N/A.
Step 4. Exit advanced ACL view. Command: quit. Remarks: N/A.
Step 5. Enter user interface view. Command: user-interface type first-number [ last-number ]. Remarks: N/A.
Step 6. Apply the ACL to the user interfaces. Command: acl [ ipv6 ] acl-number { inbound | outbound }. Remarks: inbound filters incoming Telnet packets; outbound filters outgoing Telnet packets. NOTE: Support for the ipv6 keyword depends on the device model. For more information, see Getting Started Command Reference.
Configuring source-MAC-based Telnet login control
Ethernet frame h…
170. …urity level for this zone: Custom. Custom settings: To change the settings, click Custom Level. To use the recommended settings, click Default Level. [Buttons: Custom Level, Default Level]
3. Click Custom Level. The Security Settings dialog box appears.
4. Enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
Figure 51 Internet Explorer setting II
[Screenshot residue: Security Settings. Run ActiveX controls and plug-ins: Administrator approved / Disable / Enable / Prompt. Script ActiveX controls marked safe for scripting: Disable / Enable / Prompt. Downloads: Automatic prompting for file downloads. Scripting: Active scripting: Disable / Enable / Prompt. Allow paste operations via script.]
5. Click OK in the Security Settings dialog box.
Configuring Firefox Web browser settings
1. Open the Firefox Web browser and select Tools > Options.
2. Click the Content tab, select the Enable JavaScript box, and click OK.
Figure 52 Firefox Web browser setting
[Screenshot residue: Options tabs: Main, Tabs, Applications, Privacy, Security, Advanced]
Accessing the device through SNMP
NOTE: Accessing the device through SNMP is not supported in FIPS mode.
You can run SNMP on an NMS to access the device MIB and perform GET and SET operations to manage and monitor the device. The device …
171. …user-interface aux first-number [ last-number ] (enter AUX user interface views). Remarks: N/A.
Step 4. Set the baud rate. Command: (garbled in the source). Remarks: By default, the baud rate is 9600 bps.
Step 5. Specify the parity check mode. Command: parity { even | mark | none | odd | space }. Remarks: The default setting is none, namely no parity check.
Step 6. Specify the number of stop bits. Command: stopbits { 1 | 1.5 | 2 }. Remarks: The default is 1. Stop bits indicate the end of a character. The more the bits, the slower the transmission.
Step 7. Specify the number of data bits in each character. Command: databits { 5 | 6 | 7 | 8 }. Remarks: By default, the number of data bits in each character is 8. The setting depends on the character coding type. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
Step 8. Define a shortcut key for starting a session. Command: activation-key character. Remarks: By default, press Enter to start a session.
Step 9. Define a shortcut key for terminating tasks. Command: escape-key { default | character }. Remarks: By default, press Ctrl+C to terminate tasks.
Step 10. Set the terminal display type. Command: terminal type { ansi | vt100 }. Remarks: By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends setting the display type of both the device and the client to VT100. If the device and the client (for example, HyperTerminal or Telnet terminal) use different display types, or both are set to ANSI, when the total number of cha…
172. …ve.
- Message of the Day (MOTD) banner: Appears after the legal banner and before the login banner.
- Login banner: Appears only when password or scheme authentication has been configured.
- Incoming banner: Appears for Modem users.
- Shell banner: Appears for non-Modem users.
Banner message input modes
You can configure a banner in one of the following ways:
- Single-line input: Input the entire banner in the same line as the command. The start and end delimiters for the banner must be the same but can be any visible character. The input text, including the command keywords and the delimiters, cannot exceed 510 characters. In this mode, do not press Enter before you input the end delimiter. For example, you can configure the shell banner "Have a nice day" as follows:
<System> system-view
[System] header shell %Have a nice day%
- Multiple-line input: Input message text in multiple lines. In this approach, the message text can be up to 2000 characters. Use one of the following methods to implement multi-line input mode:
Method 1: Press Enter after the last command keyword. At the system prompt, enter the banner message and end with the delimiter character. For example, you can configure the banner "Have a nice day / Please input the password" as follows:
<System> system-view
[System] header shell
Please input banner content, and quit with the character '%'.
Have a nice day
Please input the passw…
173. … 52
Configuring HTTP login 53
Configuring HTTPS login 54
Displaying and maintaining Web login 57
HTTP login configuration example 57
Network requirements 57
Configuration procedure 57
HTTPS login configuration example 58
Network requirements 58
Configuration procedure 58
Troubleshooting Web browser …
174. …vice and configure PKI domain-related parameters. This mode is more complicated to configure but provides higher security. For more information about SSL and PKI, see Network Management Configuration Guide and VPN Configuration Guide.
Follow these guidelines when you configure HTTPS login:
- If the HTTPS service and the SSL VPN service use the same port number, they must have the same SSL server policy. Otherwise, only one of the two services can be enabled.
- If the HTTPS service and the SSL VPN service use the same port number and the same SSL server policy, disable the two services before you modify the SSL server policy, and re-enable them after the modification. Otherwise, the SSL server policy does not take effect.
To configure HTTPS login:
Step Command Remarks
Step 1. Specify a fixed verification code for Web login. Command: web captcha code. Remarks: Optional. By default, a Web user must enter the verification code indicated on the login page to log in. This command is available in user view.
Step 2. Enter system view. Command: system-view. Remarks: N/A.
Step 3. Associate the HTTPS service with an SSL server policy. Command: ip https ssl-server-policy policy-name. Remarks: Optional. By default, the HTTPS service is not associated with any SSL server policy, and the device uses a self-signed certificate for authentication. If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL service policy. Before re-en…
175. …vice to protect against external attacks, or as the internal network access control device to isolate different security zones.
Figure 21 Network diagram [File server, enterprise data center, FW Enhanced, DMZ]
2. Remote access application: The Enhanced firewall module supports VPN functions, helping branch offices and remote users securely access the resources in the headquarters.
Figure 22 Network diagram
UTM
Firewall application: The UTM Security Products can be deployed at the exits of small to medium-sized enterprise networks to defend against attacks from the Internet. This type of application has the following advantages:
- Integrated security functions that can protect the whole network at the application layer.
- Powerful attack protection that can protect the internal servers against various attacks.
- Network Address Translation (NAT) that enables internal users to access the Internet and allows internal servers to provide various services for external users.
- Friendly Web interface, which can help reduce the network management and maintenance load.
Figure 23 Network diagram [Server cluster, Internet, internal network]
VPN application: The UTM Security Products can be used as the gateways of branches to establish VPN tunnels to the headquarters. This type of application has the following advantages:
- Supports various NAT and Application Level Gateway (ALG) features, making it easy for us…
176. …which depends on the user interface authentication mode or the user privilege level switching authentication mode.
Table 30 Information required for user privilege level switching
User interface authentication mode | User privilege level switching authentication mode | Information required for the first authentication mode | Information required for the second authentication mode
none | local | Password configured for the privilege level on the device with the super password command | N/A
none | local scheme | Password configured for the privilege level on the device with the super password command | Username and password configured on the AAA server for the privilege level
none | scheme | Username and password for the privilege level | N/A
none | scheme local | Username and password for the privilege level | Local user privilege level switching password
password | local | Password configured for the privilege level on the device with the super password command | N/A
password | local scheme | Password configured for the privilege level on the device with the super password command | Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username.
password | scheme | Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username. | N/A
password | scheme local | Password for privilege level switching configured on the AAA server | Password configured on the …
177. …xists.
Step 9. Set an authentication password for the local user. Command: password { cipher | simple } password. Remarks: By default, the password for the system predefined user admin is admin, and no password is set for any other local user.
Step 10. Specify a command level for the local user. Command: authorization-attribute level level. Remarks: Optional. By default, the command level is 0.
Step 11. Specify terminal service for the local user. Command: service-type terminal. Remarks: By default, the system predefined user admin can use terminal service, Telnet service, SSH service, and Web service, and no service type is specified for any other local user.
Step 12. Configure common settings for console login. See Configuring common console user interface settings (optional). Remarks: Optional.
The next time you attempt to log in through the console port, you must provide the configured login username and password.
Configuring common console user interface settings (optional)
Some common settings configured for a console user interface take effect immediately and can interrupt the console login session. To save you the trouble of repeated re-logins, use a login method different from console login to log in to the device before you change console user interface settings. After the configuration is complete, change the terminal settings on the configuration terminal and make sure they are the same as the settings on the device.
To configure common settings for a console user interface …
178. …y other local user.
Step 13. Specify the command level of the user. Command: authorization-attribute level level. Remarks: Optional. By default, the command level is 0.
Step 14. Specify SSH service for the user. Command: service-type ssh. Remarks: By default, the system predefined user admin can use terminal service, Telnet service, SSH service, and Web service, and no service type is specified for any other local user.
Step 15. Exit to system view. Command: quit. Remarks: N/A.
Step 16. Create an SSH user and specify the authentication mode for the SSH user. Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }. Remarks: N/A.
Step 17. Configure common settings for VTY user interfaces. See Configuring common VTY user interface settings (optional). Remarks: Optional.
Using the device to log in to an SSH server
You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.
Figure 36 Logging in to an SSH client from the device [PC (SSH client), SSH server]
Perform the following tasks in user view:
Task Command Remarks
Log in to an IPv4 SSH server. Command: ssh2 server. Remarks: The server argument represents the IPv4 address or host name of the server.
Log in to an IPv6 SSH server. Remarks: The server argument represents the IPv6 address or host name of the server.
NOTE: Support for the ss…