H3C Technologies H3C SecPath F1000-E User Manual

Search online or download the user manual for the H3C Technologies H3C SecPath F1000-E (category: Security). H3C Technologies H3C SecPath F1000-E User Manual.


Table of contents

Page 1

H3C SecPath Series High-End Firewalls Access Control Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com

Page 2

v Configuration consideration ························································································································

Page 3 - Preface

90 Displaying session table information 1. Select Firewall > Session Table > Session Summary from the navigation tree. The session table appe

Page 4 - Obtaining documentation

91 Table 35 Field description Field Description Protocol Transport layer protocol, which can be TCP, UDP, ICMP, or RAWIP State Session status, which

Page 5 - Documentation feedback

92 Figure 93 Global session statistics Table 36 Field description Item Description Current Session(s) Total number of sessions of the system Curren

Page 6 - Contents

93 Item Description RAWIP Session Establishment Rate RAWIP session establishment rate in a 1-second sampling interval Received TCP Packet(s) Number

Page 7

94 Displaying session statistics per IP address 1. Select Firewall > Session Table > Statistics from the navigation tree. 2. Click the IP Sta

Page 8

95 Field Description RAWIP Connection Count Number of current RAWIP connections RAWIP Connection Rate RAWIP connection establishment rate in a 5-sec

Page 9

96 Field Description TCP Connection Count Total number of TCP half-open connections, TCP half-close connections, and full TCP connections TCP Half-Op

Page 10

97 Configuring session aging timers based on application layer protocol types Aging timers set in this task apply only to the sessions in READY/ESTAB

Page 11 - Configuring ACLs

98 For more information about the configuration of basic and advance ACLs, see "Configuring ACLs." To specify the persistent session rule:

Page 12 - Match order

99 Configuring virtual fragment reassembly The virtual fragment reassembly configuration is available only in the Web interface. Overview To prevent

Page 13 - IPv4 ACL acceleration

1 Configuring ACLs NOTE: The IPv6 ACL configuration is available only at the CLI. Overview An access control list (ACL) is a set of rules (or perm

Page 14 - Creating an ACL

100 2. Configure the parameters as described in Table 40. 3. Click Apply. Table 40 Configuration items Item Description Security Zone Specify a se

Page 15 - Configuring a basic ACL rule

101 2. Configure a static address mapping: a. Select Firewall > NAT Policy > Static NAT from the navigation tree. b. Click Add in the Static

Page 16

102 Figure 101 Configuring virtual fragment reassembly After the configuration, if the SecPath receives disordered fragments from the security zone

Page 17

103 Configuring ASPF The ASPF configuration is available only in the Web interface. Overview Application Specific Packet Filter (ASPF) applications

Page 18

104 Figure 103 Adding an ASPF policy 4. Configure the parameters as described in Table 41. 5. Click Apply. Table 41 Configuration items Item Des

Page 19

105 Configuration procedure 1. Configure zone 1 and zone 2, and specify security zones for the interfaces. (Details not shown.) 2. Configure an ASP

Page 20

106 Configuring connection limits Overview If a client in an internal network initiates a large number of connections to the external network through

Page 21 - ACL configuration example

107 Figure 107 Connection limit policies 3. Click Add to add an entry as required. 4. Configure the necessary parameters as described in Table 42

Page 22 - Defining an ACL

108 Configuring connection limit at the CLI Connection limit configuration task list Complete the following tasks to configure connection limiting:

Page 23

109 Step Command 3. Configure an IP address-based connection limit rule. limit limit-id { source ip { ip-address mask-length | any } [ source-vpn sr

Page 24

2 Match order The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the ac

Page 25 - ACL configuration task list

110 Figure 108 Network diagram Configuration procedure The following describes only connection limit configuration steps. For more information abou

Page 26 - Configuring a basic ACL

111 Troubleshooting connection limit Connection limit rules with overlapping segments 1. Symptom On the SecPath, create a connection limit policy an

Page 27 - Configuring an advanced ACL

112 Configuring portal authentication The portal configuration is available only at the CLI. Feature and hardware compatibility Feature F1000-A-EI/E

Page 28

113 Figure 109 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typi

Page 29

114 2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server

Page 30 - Copying an ACL

115 packets from the client to go through the access port. Because no Layer 3 devices are present between the authentication clients and the access d

Page 31

116 8. The security policy server exchanges security check information with the authentication client to check whether the authentication client mee

Page 32

117 Portal configuration task list Task Remarks Specifying a portal server for Layer 3 portal authentication Required Enabling Layer 3 portal authe

Page 33

118 NOTE: • For installation and configuration about the security policy server, see CAMS EAD Security Policy Component User Manual or IMC EAD Sec

Page 34 - Configuring security zones

119 there are Layer 3 forwarding devices between the authentication client and the access device, you must select the cross-subnet portal authenticat

Page 35 - Creating a zone

3 ACL rule numbering What is the ACL rule numbering step If you do not assign an ID to the rule you are creating, the system automatically assigns it

Page 36 - Configuring a zone member

120 NOTE: Regardless of whether portal authentication is enabled, you can only add or remove a portal-free rule. You cannot modify it. Configuring

Page 37 - Zone ID Display the zone ID

121 Specifying the authentication domain for portal users After you specify the authentication domain for portal users on an interface, the firewall

Page 38 - Zone configuration example

122 that is bound with the access VLAN. The value of this NAS ID will be used as that of the NAS-identifier attribute in the RADIUS packets to be sen

Page 39 - Configuration consideration

123 Specifying an auto redirection URL for authenticated portal users After a user passes portal authentication, if the access device is configured w

Page 40

124 NOTE: Adjust the maximum number of transmission attempts and the interval of sending probe packets according to the actual network conditions.

Page 41

125 You can configure any combination of the configuration items described as needed, with respect to the following: • If both detection methods are

Page 42

126 Step Command Remarks 2. Configure the portal user information synchronization function. portal server server-name user-sync [ interval interval

Page 43

127 Task Command Remarks Display the portal configuration of a specific interface. display portal interface interface-type interface-number [ | { beg

Page 44

128 Figure 112 Network diagram NOTE: • Configure IP addresses for the host, SecPath firewall, and servers as shown in Figure 112 and make suret

Page 45 - HTTP configuration example

129 • Enter the start IP address and end IP address of the IP group. Make sure that the IP address of the user host (2.2.2.2) is in the IP group. •

Page 46 - Creating a basic ACL

4 For example, when you use a large ACL for a session-based service, such as NAT or ASPF, you can enable ACL acceleration to avoid session timeouts ca

Page 47

130 Figure 116 Device list On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure 117. Perfo

Page 48

131 [SecPath-radius-rs1] key accounting radius # Specify that the ISP domain name should not be included in the username sent to the RADIUS server. [

Page 49 - HTTPS configuration example

132 ACL:NONE Work-mode:stand-alone MAC IP Vlan Interface ----------------------------------------------------------

Page 50 - Creating a PKI domain

133 Configuration procedure NOTE: • For re-DHCP authentication, configure a public address pool (20.20.20.0/24, in this example) and a private ad

Page 51 - Generating an RSA key pair

134 [SecPath] domain default enable dm1 3. Configure portal authentication on the SecPath: # Configure the portal server as follows: { Name: newpt

Page 52

135 Configuration procedure NOTE: • Make sure that the IP address of the portal device added on the portal server is the IP address of the interf

Page 53 - Adding a local user

136 { URL: http://192.168.0.111:8080/portal. [SecPathA] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.1

Page 54

137 [SecPath] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the CAMS or IMC server, set the server type to extended. [Se

Page 55 - Address resource overview

138 [SecPath] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal # Enable extended portal authentication

Page 56

139 Configuration procedure NOTE: • For re-DHCP authentication, configure a public address pool (20.20.20.0/24, in this example) and a private ad

Page 57

5 Figure 1 ACL list Figure 2 ACL configuration page Table 3 Configuration items Item Description ACL Number Enter a number for the ACL. Match Ord

Page 58

140 [SecPath] domain default enable dm1 3. On the SecPath, configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 300

Page 59

141 Figure 122 Network diagram Configuration procedure NOTE: • Make sure that the IP address of the portal device added on the portal server is

Page 60

142 [SecPathA-isp-dm1] authentication portal radius-scheme rs1 [SecPathA-isp-dm1] authorization portal radius-scheme rs1 [SecPathA-isp-dm1] accountin

Page 61

143 • The host is assigned with a public network IP address either manually or through DHCP. Before passing portal authentication, the host can acce

Page 62 - Exporting configuration

144 Log in to IMC and select the Service tab. Then, select Portal Service Management > Server from the navigation tree to enter the portal server

Page 63

145 • Set whether to enable IP address reallocation. Direct portal authentication is used in this example, and therefore select No from the Realloca

Page 64

146 Figure 128 Adding a port group # Select Service Parameters > Validate System Configuration from the navigation tree to validate the configur

Page 65

147 # Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication an

Page 66

148 Troubleshooting portal Inconsistent keys on the access device and the portal server Symptom When a user is forced to access the portal server, th

Page 67

149 Configuring AAA Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module FIPS No No No Yes DVPN users N

Page 68 - Exporting configurations

6 Figure 3 List of basic ACL rules Figure 4 Basic ACL rule configuration page Table 4 Configuration items Item Description Rule ID Select the Rule

Page 69 - Importing configurations

150 accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and a remote server exchange user information between t

Page 70

151 Security and authentication mechanisms RADIUS uses a shared key that is never transmitted over the network to authenticate information exchanged

Page 71

152 6. The user accesses the network resources. 7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a st

Page 72

153 • The Identifier field (1 byte long) is used to match request packets and response packets and to detect duplicate request packets. Request and

Page 73 - Interzone policy overview

154 No. Attribute No. Attribute 21 (unassigned) 68 Acct-Tunnel-Connection 22 Framed-Route 69 Tunnel-Password 23 Framed-IPX-Network 70 ARAP-Pas

Page 74

155 • Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contains a code that is compliant to RFC 1

Page 75

156 HWTACACS RADIUS Supports authorization of configuration commands. Which commands a user can use depends on both the user level and the AAA author

Page 76

157 2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server. 3. The HWTACACS server sends bac

Page 77

158 Figure 135 Determining the ISP domain of a user by the username The authentication, authorization, and accounting process of a user depends on

Page 78

159 Figure 136 Network diagram for AAA across VPNs NOTE: Together with the AAA across VPNs feature, you can implement portal authentication acros

Page 79

7 Item Description Source IP Address Select the Source IP Address box and enter a source IP address and source wildcard, in dotted decimal notation. S

Page 80

160 No. Attribute Description 7 Framed-Protocol Encapsulation protocol for framed access. 8 Framed-IP-Address IP address assigned to the user. 1

Page 81

161 No. Attribute Description 80 Message-Authenticator Used for authentication and checking of authentication packets to prevent spoofing Access-Req

Page 82

162 No. Sub-attribute Description 62 User_HeartBeat Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This

Page 83

163 Figure 137 AAA configuration procedure Table 48 AAA configuration task list Task Remarks Configuring AAA schemes Configuring local users Requir

Page 84

164 Configuring AAA schemes Configuring local users To implement local user authentication, authorization, and accounting, you must create local user

Page 85

165 about binding attributes, see "Configuring local user attributes." Be cautious when deciding which binding attributes to configure for

Page 86

166 Step Command Remarks 1. Enter system view. system-view N/A 2. Set the password display mode for all local users. local-user password-display-m

Page 87

167 Step Command Remarks 8. Configure the password control attributes for the local user. • Set the password aging time: password-control aging agi

Page 88

168 Configuring user group attributes User groups simplify local user configuration and management. A user group comprises a group of local users and

Page 89

169 Displaying and maintaining local users and local user groups Task Command Remarks Display local user information. display local-user [ idle-cut

Page 90

8 Figure 6 Advanced ACL rule configuration page Table 5 Configuration items Item Description Rule ID Select the Rule ID box and enter a number for t

Page 91

170 Figure 139 RADIUS scheme configuration page 3. Enter a RADIUS scheme name. 4. Click the expand button before Advanced in the Common Configura

Page 92

171 Figure 140 Common configuration area 5. Configure the common parameters for the RADIUS scheme as described in Table 49. Table 49 Configuration

Page 93 - Function

172 Item Description Username Format Select the format of usernames to be sent to the RADIUS server. A username is generally in the format of userid@

Page 94

173 Item Description Request Transmission Attempts Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Be

Page 95 - Managing sessions

174 Item Description RADIUS Packet Source IP Specify the source IP address for the firewall to use in RADIUS packets sent to the RADIUS server. IMP

Page 96

175 Figure 141 RADIUS server configuration page 7. Configure the parameters of the RADIUS authentication servers and accounting servers as describ

Page 97

176 Figure 142 Network diagram Configuring the RADIUS server running on CAMS This example assumes that the RADIUS server runs on CAMS version 2.10-

Page 98 - 3. Click Apply

177 Enter hello@bbb as the user name. Set the password to abc and confirm the password. Select Telnet as the service type. Set the EXEC privilege lev

Page 99

178 Figure 145 Adding an access device The IP address of the access device must be the same as the source IP address of the RADIUS packets sent fro

Page 100

179 Figure 146 Adding an account for device management Configuring SecPath # Configure the IP address and security zone of each interface. (Details

Page 101

9 Item Description Source IP Address Select the Source IP Address box and enter a source IP address and source wildcard, in dotted decimal notation. S

Page 102

180 Figure 147 RADIUS authentication server configuration page 5. In the RADIUS Server Configuration area, click Add to configure a RADIUS account

Page 103

181 Figure 149 RADIUS scheme configuration page # Enable the Telnet service on SecPath. [SecPath] telnet server enable # Configure SecPath to use A

Page 104

182 Verifying the configuration After the configuration, the Telnet user should be able to Telnet to SecPath and use the configured account (username

Page 105

183 Specifying the RADIUS authentication/authorization servers You can specify one primary authentication/authorization server and up to 16 secondary

Page 106

184 Follow these guidelines when you configure RADIUS accounting servers: • The IP addresses of the primary and secondary accounting servers must be

Page 107

185 Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RADIUS scheme view. radius scheme radius-scheme-name N/A 3. Specify a sha

Page 108 - Clearing sessions

186 NOTE: Changing the RADIUS server type restores the unit for data flows and that for the packets sent to the RADIUS server to the defaults. Set

Page 109 - Overview

187 • If you remove an authentication or accounting server in use, the communication of the firewall with the server soon times out, and the firewal

Page 110 - Configuring the SecPath

188 The firewall periodically sends accounting updates to RADIUS accounting servers to report the traffic statistics of online users. For normal and

Page 111

189 To specify a source IP address for all RADIUS schemes in a VPN or the public network: Step Command Remarks 1. Enter system view. system-view N

Page 112 - Configuration guidelines

Copyright © 2011-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

Page 113 - Configuring ASPF

10 Figure 7 List of Ethernet frame header ACL rules Figure 8 Ethernet frame header ACL rule configuration page Table 6 Configuration items Item De

Page 114 - ASPF configuration example

190 configured with small values. In this case, the next authentication or accounting attempt may succeed because the firewall has set the state of t

Page 115 - Configuration procedure

191 Configuring the IP address of the security policy server The core of the H3C EAD solution is integration and cooperation, and the security policy

Page 116

192 • The status of a RADIUS server changes. If a NAS receives no response to an accounting or authentication request before the specified maximum n

Page 117

193 Task Command Remarks Clear RADIUS statistics. reset radius statistics Available in user view Clear the buffered stop-accounting requests for wh

Page 118

194 { After receiving an authentication/accounting response from a server, the firewall changes the status of the server identified by the source IP

Page 119

195 Figure 150 Creating an HWTACACS scheme Configuring HWTACACS server 1. If the HWTACACS scheme system already exists, select User > HWTACACS

Page 120 - Verifying the configuration

196 Configuration item Description Secondary Server TCP Port Enter the TCP port of the secondary server. Configure different TCP port numbers specif

Page 121

197 Item Description Realtime-Accounting Interval Real-time accounting interval, whose value must be a multiple of 3. To implement real-time accounti

Page 122

198 Item Description Username Format Set the format of the username sent to the HWTACACS server. A username is generally in the format of userid@isp-

Page 123 - Security policy server

199 Figure 153 Network diagram Configuring the HWTACACS server # Set the shared keys to expert, add a Telnet user, and set a password for the user.

Page 124 - Portal authentication mode

11 Item Description Destination MAC Address Select the Destination MAC Address box and specify the destination MAC address and wildcard. Destination W

Page 125

200 Figure 155 Configuring an HWTACACS authentication server 5. On the page as shown in Figure 155, configure an HWTACACS authorization server for

Page 126

201 Figure 156 Configuring the parameters for communication # Through CLI, enable Telnet services on SecPath. <SecPath> system-view [SecPath]

Page 127 - Configuration prerequisites

202 Task Remarks Specifying the HWTACACS authentication servers Required Specifying the HWTACACS authorization servers Optional Specifying the HWTA

Page 128

203 Step Command Remarks 2. Enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name N/A 3. Specify HWTACACS authentication servers. • Spe

Page 129

204 When the firewall receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-acco

Page 130

205 Step Command Remarks 3. Specify the shared keys for authenticating HWTACACS authentication, authorization, and accounting packets. key { account

Page 131

206 Step Command Remarks 2. Enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name N/A 3. Set the format of usernames sent to the HWTACAC

Page 132

207 Step Command Remarks 2. Enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name N/A 3. Specify a source IP address for outgoing HWTACA

Page 133

208 Displaying and maintaining HWTACACS Task Command Remarks Display the configuration information or statistics of HWTACACS schemes. display hwtaca

Page 134

209 Creating an ISP domain In a networking scenario with multiple ISPs, an access device may connect users of different ISPs, and users of different

Page 135

12 Figure 9 Network diagram Creating a time range # Create a periodic time range of Saturday and Sunday. • Select Resource > Time Range from th

Page 136 - Logging off portal users

210 Step Command Remarks 6. Enable the self-service server location function and specify the URL of the self-service server. self-service-url enable

Page 137

211 • Determine whether to configure an authentication method for all access types or service types. Follow these guidelines when you configure AAA

Page 138 - RADIUS server

212 Step Command Remarks 8. Specify the authentication method for SSL VPN users. authentication ssl-vpn radius-scheme radius-scheme-name Optional. T

Page 139

213 • If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name [ local | none ] option when you configure a

Page 140

214 • Local accounting (local)—Local accounting is implemented on the access device. It counts and controls the number of concurrent users who use t

Page 141

215 Step Command Remarks 5. Specify the command accounting method. accounting command hwtacacs-scheme hwtacacs-scheme-name Optional. The default acc

Page 142

216 Step Command Remarks 2. Create a NAS ID profile and enter NAS ID profile view. aaa nas-id profile profile-name You can apply a NAS ID profile to

Page 143

217 Figure 157 Network diagram Configuring the RADIUS server on CAMS This section uses CAMS version 2.10-R0210. 1. Add an access device: a. Log i

Page 144

218 Enter username hello@bbb and set the password. Select Telnet as the service type. Set the EXEC privilege level to 3. This value identifies the pr

Page 145

219 Figure 160 Adding an access device 2. Add a user for device management: a. Click the User tab, and then select Access User View > Device M

Page 146

13 Figure 11 Creating an ACL • Enter the ACL number 2000. • Select the match order Config. • Click Apply. # Create a rule to allow Host A to acce

Page 147 - { Port number: 50100

220 Figure 161 Adding a user for device management Configuring the RADIUS server on IMC PLAT 5.0 This section uses IMC PLAT 5.0 (E0101H03) and IMC

Page 148

221 { IP address of the outbound interface (the default) Figure 162 Adding an access device 2. Add a user for device management: a. Click the Us

Page 149

222 Figure 163 Adding an account for device management Configuring SecPath You can use either method to configure SecPath. • Method 1: You can con

Page 150

223 Figure 164 RADIUS authentication server configuration page d. Click Apply. e. In the RADIUS Server Configuration area, click Add to configure

Page 151

224 Figure 166 RADIUS scheme configuration page # Enable the Telnet service on SecPath. [SecPath] telnet server enable # Configure SecPath to use A

Page 152

225 # Configure the IP address of interface GigabitEthernet 0/2, through which SecPath communicates with the server. [SecPath] interface GigabitEthe

Page 153 - Configuration considerations

226 Network requirements As shown in Figure 167, configure SecPath to perform local authentication and authorization for Telnet users. Figure 167 Net

Page 154

227 Level switching authentication for Telnet users by a RADIUS server The RADIUS server in this example runs ACSv4.0. Network requirements As shown

Page 155

228 # Configure the IP address of GigabitEthernet 0/2, through which SecPath communicates with the server. [SecPath] interface GigabitEthernet 0/2 [

Page 156

229 Configuring the RADIUS server Add the usernames and passwords for user privilege level switching authentication, as shown in Table 56 and Figure

Page 157

14 Figure 13 Configuring an ACL rule to deny access of other hosts to SecPath on Saturday and Sunday • Select Deny as the operation. • Select time

Page 158 - Troubleshooting portal

230 Figure 170 List of the usernames for privilege level switching Verifying the configuration After you complete the configuration, the user can T

Page 159 - Configuring AAA

231 Error: Invalid configuration or no response from the authentication server. Info: Change authentication mode to local. Password: Å Enter the p

Page 160 - Client/server model

232 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select LAN Access Service as the service type. Select H3C as the

Page 161

233 Figure 173 Adding a charging plan 3. Add a service: a. Click the Service tab, and then select Access Service > Service Configuration from

Page 162 - RADIUS packet format

234 Select the user hello from the IMC Platform or add the user if it does not exist. Enter portal as the account name and set the password. Select

Page 163

235 { IP address specified with the nas-ip command on the access device { IP address specified with the radius nas-ip command on the access device

Page 164 - Extended RADIUS attributes

236 Figure 177 Adding a charging plan 3. Add a service: a. Click the Service tab, and then select User Access Manager > Service Configuration

Page 165 - HWTACACS

237 Select the user hello from the IMC Platform or add the user if it does not exist. Enter the account name portal and set the password. Select the

Page 166

238 Figure 180 Portal server configuration 2. Configure the IP address group: a. Select Access Service > Portal Service Management > IP Gro

Page 167 - Domain-based user management

239 Enable or disable IP address reallocation. To use direct portal authentication, select No from the Reallocate IP list. c. Leave the default sett

Page 168 - AAA across VPNs

15 Figure 15 Associating HTTP service with ACL 2000 • Click the + sign before HTTP to expand the configuration area. • Enter 2000 in the ACL fiel

Page 169 - RADIUS attributes

240 Figure 184 Port group configuration 5. Select Service Parameters > Validate System Configuration from the navigation tree to validate the c

Page 170

241 Figure 185 Portal server configuration 2. Configure the IP address group: a. Select User Access Manager > Portal Service Management > I

Page 171

242 a. Select User Access Manager > Portal Service Management > Device from the navigation tree. b. Click Add to configure a portal device as

Page 172 - Configuring AAA at the CLI

243 Select Portal_user from the IP Group list. The IP address used by the user to access the network must be within this IP address group. c. Leave

Page 173

244 [SecPath-isp-dm1] accounting portal radius-scheme rs1 [SecPath-isp-dm1] quit # Configure dm1 as the default ISP domain for all users. Then, if a

Page 174 - Configuring AAA schemes

245 Analysis 1. A communication failure exists between the NAS and the RADIUS server. 2. The username is not in the format of userid@isp-name or th

Page 175

246 Solution Check that: 1. The accounting port number is correctly set. 2. The authentication/authorization server and the accounting server are

Page 176 - Remarks

247 Configuring password control Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module FIPS No No No Ye

Page 177

248 system records the new password and the time. If the user chooses to leave the password or the user fails to change it, the system allows the use

Page 178

249 { Digits 0 to 9. { 32 special characters. For information about special characters, see the password-control composition command in Security Co

Page 179

16 Configuring a basic ACL Configuring an IPv4 basic ACL IPv4 basic ACLs match packets based only on source IP addresses. To configure an IPv4 basic A

Page 180

250 The system logs all successful password changing events and user blacklisting events due to login failures. Password control configuration task l

Page 181

251 To enable password control: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the password control feature. password-contr

Page 182

252 Step Command Remarks 8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified

Page 183

253 Step Command Remarks 5. Configure the password composition policy for the user group. password-control composition type-number type-number [ typ

Page 184

254 To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password.

Page 185

255 Task Command Remarks Display information about users blacklisted due to authentication failure. display password-control blacklist [ user-name na

Page 186

256 [Sysname] password-control aging 30 # Set the minimum password update interval to 36 hours. [Sysname] password-control password update interval 3

Page 187

257 User authentication timeout: 60 seconds Maximum failed login attempts: 2 times Login attempt-failed action: Lock Minimu

Page 188

258 Configuring FIPS Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module FIPS No No No Yes Overview

Page 189 - Configuring SecPath

259 Enabling FIPS mode IMPORTANT: To enable both FIPS mode and password control, enable FIPS mode first and then password control. To disable both

Page 190

17 Step Command Remarks 4. Set the rule numbering step. step step-value Optional. 5 by default. 5. Create or edit a rule. rule [ rule-id ] { deny

Page 191

260 Table 58 Power-up self-tests Type Operations Cryptographic algorithm self-test Test the following algorithms: • DSA (signature and authenticat

Page 192 - Creating a RADIUS scheme

261 Displaying and maintaining FIPS Execute display commands in any view. Task Command Display FIPS state. display fips status

Page 193

262 Index A C D E F I L O P S T V Z A AAA configuration examples,216 AAA overview,149 Address resource overview,45 ASPF configuration example,104

Page 194

263 Service management configuration examples,35 Specifying a portal server for Layer 3 portal authentication,118 Specifying a source IP address for

Page 195

18 Step Command Remarks 5. Create or edit a rule. rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value |

Page 196

19 Step Command Remarks 5. Create or edit a rule. rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value |

Page 197

Preface The H3C SecPath Series High-End Firewalls documentation set includes 10 configuration guides, which describe the software features for the H3C

Page 198

20 Step Command Remarks 5. Create or edit a rule. rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { l

Page 199

21 Step Command Remarks 2. Enable ACL acceleration for an IPv4 ACL. acl accelerate number acl-number Disabled by default. The ACL must exist. Only IP

Page 200

22 Figure 16 Network diagram Configuration procedure # Create a periodic time range from 8:00 to 18:00 on working days. <SecPath> system-view

Page 201

23 Reply from 1000::100: time<1ms Ping statistics for 1000::100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip t

Page 202

24 Configuring security zones You can configure security zones only in the Web interface. To use an interface as a service interface, you must add it

Page 203

25 Figure 17 Zone classification Zone configuration task list Task Remarks Selecting the virtual device to which the specified zone belongs Option

Page 204 - Creating an HWTACACS scheme

26 Figure 18 Zone list 2. Click Add. Figure 19 Creating a zone 3. Configure the zone as described in Table 7. 4. Click Apply. Table 7 Configur

Page 205 - Configuring HWTACACS server

27 Figure 20 Modifying a zone 3. Configure the zone as described in Table 8. 4. Click Apply. Table 8 Configuration items Item Description Zone ID

Page 206

28 Item Description Preference Set the preference of the specified zone By default, packets from a high priority zone to a low priority zone are allo

Page 207 - Item Descri

29 Figure 21 Network diagram Configuration consideration By default, the system has created the Trust, DMZ and Untrust zones, and you only need to

Page 208

Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times

Page 209 - 10.1.1.1/24

30 Figure 22 Configuring the Trust zone c. Select GigabitEthernet 0/1. d. Click Apply. 2. Configure the DMZ zone, and add interface GigabitEther

Page 210

31 Figure 23 Configuring the DMZ zone c. Select GigabitEthernet 0/2. d. Click Apply. 3. Configure the Untrust zone and add interface GigabitEthe

Page 211

32 Figure 24 Configuring the Untrust zone c. Select GigabitEthernet 0/3. d. Click Apply.

Page 212

33 Configuring service management Overview The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP, and HTTPS. You

Page 213

34 Configuring service management 1. Select Device Management > Service Management from the navigation tree. The service management configuration

Page 214

35 Item Description ACL Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. Y

Page 215

36 Configuring a periodic time range on Saturday and Sunday 1. Select Resource > Time Range from the navigation tree. 2. Click Add. The page fo

Page 216

37 a. Enter the ACL number 2000. b. Select the match order Config. c. Click Apply. Creating a rule to allow Host A to access SecPath 1. Click the

Page 217

38 Figure 30 Configuring an ACL rule to disable other hosts from accessing SecPath on Saturday and Sunday Configuring an ACL rule to allow other ho

Page 218

39 Figure 32 Associating HTTP service with ACL 2000 HTTPS configuration example Network requirements As shown in Figure 33, Host can access and con

Page 219 - Creating an ISP domain

Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical D

Page 220

40 The page for adding a PKI entity appears. Figure 34 Adding a PKI entity 3. Configure a PKI entity as shown in Figure 34. a. Enter en as the PK

Page 221

41 Figure 35 Adding a PKI domain 3. Add a PKI domain as shown in Figure 35. a. Enter 1 as the PKI domain name. b. Enter CA server as the CA iden

Page 222

42 2. Click Retrieve Cert. The page for retrieving a certificate appears. 3. Retrieve the CA certificate as shown in Figure 37. a. Select 1 as the

Page 223

43 Figure 39 Enabling HTTPS service 2. Select the Enable HTTPS service box. 3. Select CN=http-server1 from the certificate list. 4. Click Apply

Page 224

44 Verifying the configuration Open an Internet browser on Host and enter https://10.1.1.1 in the address bar to enter the web login interf

Page 225

45 Configuring address resources NOTE: The address resource configuration is available only in the web interface. Address resource overview Addre

Page 226 - AAA configuration examples

46 Figure 42 Host address resource configuration page Table 10 Configuration items Item Description IP Address Select either of them as the address

Page 227

47 Figure 43 Address range resource list Figure 44 Address range resource configuration page Table 11 Configuration items Item Description Name S

Page 228

48 Configuring a subnet address resource Select Resource > Address > IP Address from the navigation tree, and click the Subnet tab to enter the

Page 229

49 Item Description Exclude IP Address Specify the IP addresses to be excluded. • Type an IP address in the text box next to the Add button, and the

Page 230

i Contents Configuring ACLs ··························································································································

Page 231

50 Table 13 Configuration items Item Description Name Specify the name for the address group resource. IMPORTANT: All resources (excluding the time

Page 232

51 Table 14 Configuration items Item Description Name Specify the name for the MAC address resource. IMPORTANT: All resources (excluding the time ra

Page 233

52 Figure 52 MAC address group configuration page Table 15 Configuration items Item Description Name Specify the name for the MAC address group res

Page 234

53 Figure 53 Export configurations Importing resource configurations On any of the resource list page, click Import to bring up the dialog box as s

Page 235

54 Configuring service resources The service resource configuration is available only in the web interface. Overview A service resource defines a ser

Page 236

55 Configuring a customized service resource 1. Select Resource > Service > Customized Service from the navigation tree. All existing customiz

Page 237

56 Item Description TCP Source Port Set the source and destination TCP port ranges in the fields. These fields are available after you select TCP. •

Page 238

57 ICMP message name Type Code ttl-exceeded 11 0 Configuring a service group resource 1. Select Resource > Service > Service Group from the

Page 239 - $enab3$ pass3 3

58 Table 18 Configuration items Item Description Name Specify a unique name for the service group resource. IMPORTANT: Service and address resource

Page 240

59 Importing configurations 1. On the customized or service group resource list page, click Import. The page for importing configurations appears as

Page 241

ii Exporting and importing configuration ·············································································································

Page 242

60 Configuring time range resources Overview A time range resource defines a time range, which can be referenced by an ACL or an interzone policy to

Page 243

61 Figure 63 Time range resource configuration page Table 19 Configuration items Item Description Name Enter the name for the time range resource.

Page 244

62 Step Command Remarks 3. Display the configuration and status of one or all time ranges. display time-range { time-range-name | all } [ | { begin

Page 245

63 Interzone policy configuration NOTE: The interzone policy configuration is available only in the web interface. Interzone policy overview Inte

Page 246

64 Configuring an interzone policy Configuration task list NOTE: Before configuring an Interzone policy, be sure to configure the zones. For infor

Page 247

65 Figure 64 List of interzone policy rule list Table 21 Operations you can perform on the list Field Operation Source Address/Destination Address/

Page 248

66 Figure 65 Interzone policy rule configuration page Table 22 Configuration items Item Description Source Zone Specify the source zone for the in

Page 249

67 Item Description Service Select a service resource for the rule. You can select one service resource from the list or click Multiple to select mo

Page 250

68 Item Description Continue to add next rule Specify whether to create another rule after finishing this one. • If you select this box, you will ent

Page 251

69 Exporting and importing configuration Select Firewall > Security Policy > Interzone Policy from the navigation tree to enter the interzone p

Page 252

iii Configuring ASPF ·································································································································

Page 253

70 Table 23 Operations you can perform on the list Field Operation Referenced ACLs Click an ACL to enter the ACL configuration page, where you can vi

Page 254 - Troubleshooting AAA

71 results matching the search conditions. Click Reset in the Operation column to clear the packets statistics of the related interzone policy and at

Page 255

72 Figure 73 Network diagram Method 1: Configuring an interzone policy rule # Create a periodic time range from 8:00 to 18:00 on working days (from

Page 256 - Troubleshooting HWTACACS

73 Figure 75 Configure an IP address resource • Select the IP Address option. • Type public as the name. • Type 10.1.1.12 as the IP address. T

Page 257 - Configuring password control

74 • Select Trust as the source zone and Untrust as the destination zone. • Select public as the address. • Select Permit as the filter action. •

Page 258

75 Figure 78 Configure a time range • Type worktime in the Name field. • Select the Periodic Time Range box. • Set the start time to 8:00. • Se

Page 259 - { Digits 0 to 9

76 Figure 80 Allow the host Public to access the external network at any time • Select Permit as the operation. • Select the Source IP Address bo

Page 260

77 Figure 81 Deny all the other hosts' access to the external network during working time • Select Deny as the operation. • Select the time

Page 261

78 • Select Trust as the source zone. • Select Untrust as the destination zone. • Select 3000 under Available ACLs, and click << to add it t

Page 262

79 Figure 83 Firewall policy configuration wizard: 1/7 3. Configure the items on the page. Table 27 Configuration items item Description Source Zo

Page 263

iv AAA overview ······································································································································

Page 264

80 Table 28 Configuration items Item Description Filter Action Specify the action to be taken for packets matching the firewall policy: • Permit—All

Page 265

81 Figure 86 Firewall policy configuration wizard: 4/7 9. Configure the items on the page. Table 30 Configuration items item Description Service (

Page 266

82 Figure 87 Firewall policy configuration wizard: 5/7 11. Configure the items on the page. Table 31 Configuration items Item Description Time Ran

Page 267

83 Figure 88 Firewall policy configuration wizard: 6/7 13. Configure the items as described in Table 32. Table 32 Configuration items Item Descrip

Page 268 - Configuring FIPS

84 Figure 89 Firewall policy configuration wizard: 7/7 15. Select whether to save the current configuration to the configuration files to be used

Page 269 - FIPS self-tests

85 Managing sessions Overview The session management feature is designed to manage sessions of applications such as network address translation (NAT)

Page 270 - Triggering a self-test

86 • Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payloads of these packets. As ICM

Page 271 - Task Command

87 Displaying and maintaining session management information Task Remarks Displaying session table information Display the session table information

Page 272 - A C D E F I L O P S T V Z

88 Figure 90 Session configuration 2. Configure the parameters as described in Table 33. 3. Click Apply.

Page 273

89 Table 33 Configuration items Item Description Enable unidirectional traffic detection Enable or disable unidirectional traffic detection. • With
