DPtech FW1000 Series Firewall Products User Configuration Guide v1.0



Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support. If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. or its sales agent, according to where you purchased the product. Hangzhou DPtech Technologies Co., Ltd. Address: 6th floor, zhongcai mansion, 68 tonghelu, Binjiangqu, Hangzhoushi. Address code:

Declaration. Copyright 2011 Hangzhou DPtech Technologies Co., Ltd. All rights reserved. No part of this manual may be extracted or copied by any company or individual without written permission, nor transmitted by any means. Owing to product upgrades or other reasons, the information in this manual is subject to change, and Hangzhou DPtech Technologies Co., Ltd. reserves the right to modify its content. As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in its preparation to ensure the accuracy of the contents, but the statements, information and recommendations in this document do not constitute a warranty of any kind, express or implied.

Table of Contents

CHAPTER 1 PRODUCT OVERVIEW: PRODUCT INTRODUCTION; WEB MANAGEMENT; LOGGING IN TO THE WEB MANAGEMENT INTERFACE; WEB INTERFACE LAYOUT

CHAPTER 2 SYSTEM MANAGEMENT: INTRODUCTION TO SYSTEM MANAGEMENT; DEVICE MANAGEMENT; DEVICE INFORMATION; DEVICE STATUS; DEVICE CONFIGURATION; SNMP CONFIGURATION; SNMP VERSION CONFIGURATION; RMON CONFIGURATION; ALARM; HISTORY; ADMINISTRATOR; INTRODUCTION TO ADMINISTRATOR; AUTHORITY MANAGEMENT; WEB ACCESS PROTOCOL LIMITED; INTERFACE SERVICE; REMOTE USER; CONFIGURATION FILE; HOT PATCHING; SIGNATURE DATABASE; APP SIGNATURE; URL CLASSIFICATION FILTERING SIGNATURE; AV SIGNATURE; IPS SIGNATURE; LICENSE MANAGEMENT; SOFTWARE VERSION; NTP; VIRTUAL MANAGEMENT SYSTEM; VIRTUAL MANAGEMENT SYSTEM CONFIGURATION; VIRTUAL MANAGEMENT SYSTEM PARAMETER SETTINGS; OVC; VRF; DIGITAL CERTIFICATE; INTRODUCTION TO DIGITAL CERTIFICATE; CERTIFICATE MANAGEMENT; INSTALLATION PACKAGE; 2.16 MANAGEMENT CENTER

CHAPTER 3 NETWORK MANAGEMENT: INTRODUCTION TO NETWORK MANAGEMENT; INTERFACE MANAGEMENT; NETWORKING CONFIGURATION; VLAN CONFIGURATION; INTERFACE CONFIGURATION; PORT AGGREGATION; PORT MIRRORING; LOGIC INTERFACE; GRE; 3G DIAL-UP; NETWORK OBJECT; SECURITY ZONE; IP ADDRESS; IPV6 ADDRESS; MAC ADDRESS; MAC ADDRESS MANAGE; ACCOUNT; DOMAIN NAME; SERVICE; FORWARDING; FORWARDING; FORWARDING MODE; NEIGHBOR DISCOVER; TRANS_TECH; DS_LITE; 6TO4 TUNNEL; AUTOCONFIG; STATELESS CONFIGURATION; IPV4 UNICAST ROUTING; IPV4 UNICAST ROUTING; CONFIGURE STATIC ROUTE; ROUTING TABLE; BASIC ROUTING TABLE; DETAILED ROUTING TABLE; EQUAL-COST ROUTE; BGP; RIP; OSPF; IS-IS; GUARD ROUTE; IPV6 UNICAST ROUTING; STATIC ROUTE; RIPNG; OSPFV3; GUARD ROUTE; IPV4 MULTICAST ROUTING; BASIC CONFIG; IGMP SNOOPING; IGMP/IGMP PROXY; PIM; MSDP; MULTICAST VPN; MULTICAST SOURCE PROXY; MULTICAST SOURCE NAT; MULTICAST DESTINATION NAT; MULTICAST STATIC ROUTING; MULTICAST ROUTING TABLE; IPV6 MULTICAST ROUTING; BASIC CONFIG; MLD; PIM; PIM MULTICAST ROUTING TABLE; POLICY-BASED ROUTING; INTRODUCTION TO POLICY-BASED ROUTING; IPV6 POLICY-BASED ROUTING; IPV4 POLICY-BASED ROUTING; MPLS; MPLS CONFIGURATION; STATIC FTN/ILM; LDP; L2VPN CONFIGURATION; ARP CONFIGURATION; DISPLAY ARP; ANTI-ARP-SNOOPING; MAC ADDRESS MANAGE; DNS CONFIGURATION; INTRODUCTION TO DNS; DNS; DHCP CONFIGURATION; INTRODUCTION TO DHCP; DHCP SERVER; DHCPV6 SERVER; DHCP RELAY AGENT; DHCP IP ADDRESS TABLE; BFD; BFD CONFIGURATION; BFD SESSION; BFD MANUAL; BASIC WIRELESS; 3.22 DIAGNOSTIC TOOLS; PING; TRACEROUTE; CAPTURE; LAN SWITCH; SPANNING TREE

CHAPTER 4 FIREWALL: INTRODUCTION TO THE FIREWALL; PACKET FILTERING POLICY; PACKET FILTERING POLICY; PACKET FILTERING POLICY LOG; IPV6 PACKET FILTERING POLICY; IPV6 PACKET FILTERING POLICY; IPV6 PACKET FILTERING LOG; NAT; INTRODUCTION TO NAT; SOURCE NAT; DESTINATION NAT; ONE TO ONE NAT; N TO N NAT; NAT64; NAT64 PREFIX; NAT64 ADDRESS; ADDRESS POOL; NAT; SOURCE NAT; DESTINATION NAT; ADDRESS POOL; DS_LITE_NAT; DS_LITE_NAT; ADDRESS POOL; ALG CONFIGURATION; ALG CONFIGURATION; USER-DEFINED LOG; BASIC ATTACK PROTECTION; BASIC ATTACK PROTECTION; BASIC ATTACK LOG QUERY; NETWORK ACTION MANAGE; SESSION LIMIT; SERVICE LIMIT; BLACKLIST; IPV4 BLACK LIST CONFIGURATION; IPV6 BLACK LIST CONFIGURATION; BLACK LIST QUERY; BLACKNAME LOG QUERY; MAC/IP BINDING; MAC/IP BINDING; AUTO LEARNING; USER MAC BINDING; USER/IP BINDING; BINDING LOG QUERY; SESSION MANAGEMENT; SESSION LIST; SESSION PARAMETER; SESSION MONITORING; SESSION LOG CONFIGURATION; QOS; VIP BANDWIDTH GUARANTEE; TRAFFIC CLASSIFICATION; CONGESTION AVOIDANCE; CONGESTION MANAGEMENT; TRAFFIC SHAPING; ANTI-ARP-SPOOFING; ANTI-ARP-SPOOFING; ARP CONFIGURATION

CHAPTER 5 LOG MANAGEMENT: INTRODUCTION TO THE LOG MANAGEMENT; SYSTEM LOG; LATEST LOG; SYSTEM LOG QUERY; SYSTEM LOG FILE OPERATION; SYSTEM LOG CONFIGURATION; OPERATION LOG; LATEST LOG; OPERATION LOG QUERY; LOG FILE OPERATION; OPERATION LOG CONFIGURATION; SERVICE LOG; SERVICE LOG CONFIGURATION

CHAPTER 6 LOAD BALANCING: LINK LOAD BALANCING; INTRODUCTION TO LINK LOAD BALANCING; LINK LOAD BALANCING; LINK HEALTH CHECK; ISP

CHAPTER 7 ACCESS CONTROL: RATE LIMITATION; INTRODUCTION TO THE RATE LIMITATION; RATE LIMIT; SINGLE USER LIMIT; GROUP MANAGEMENT; NETWORK APPLICATION BROWSING; TYPICAL CONFIGURATION FOR THE RATE LIMITATION; ACCESS CONTROL; INTRODUCTION TO THE ACCESS CONTROL; ACCESS CONTROL; GROUP MANAGEMENT; TYPICAL CONFIGURATION FOR THE ACCESS CONTROL; URL FILTERING; URL CLASSIFICATION FILTERING; CUSTOMIZE URL CLASSIFICATION; ADVANCED URL FILTERING; URL FILTER PAGE PUSH; TYPICAL CONFIGURATION FOR THE RATE LIMITATION; SQL INJECTION PROTECTION

CHAPTER 8 VPN: INTRODUCTION TO IPSEC; IPSEC SYSCONFIG; IPSEC POLICY MODE; IPSEC ROUTE MODE; NET PROTECT; SA; IPSEC INTERFACE; L2TP; INTRODUCTION TO L2TP; L2TP; L2TP USER AUTHENTICATION; L2TP IP POOL; L2TP ONLINE STATUS; PPTP; GRE; INTRODUCTION TO THE GRE; GRE CONFIGURATION; SMAD; SMAD; SMAD BLACKLIST; SMAD LOG; SSL VPN; 8.6.1 INTRODUCTION TO THE SSL VPN; SSL VPN; RESOURCES; USER MANAGEMENT; AUTHENTICATION KEY; SECURITY POLICY; LOG MANAGEMENT; REPORT FORMS

CHAPTER 9 ONLINE BEHAVIOR MANAGEMENT: INTRODUCTION TO ONLINE BEHAVIOR MANAGEMENT; TRAFFIC ANALYSIS; TRAFFIC ANALYSIS; BEHAVIOR ANALYSIS; POLICY CONFIGURATION; ADVANCED CONFIGURATION; KEYWORD FILTERING

CHAPTER 10 PORTAL AUTHENTICATION: INTRODUCTION TO THE PORTAL AUTHENTICATION; AUTHENTICATION CONFIG; WEB AUTHENTICATION NOTICE; WEB LISTEN; PROSCENIUM MANAGEMENT; TERMINAL MANAGEMENT; ONLINE USER; LOCAL ACCOUNT; USER BLACKNAME LIST; REMOTE SYNCHRONIZATION

CHAPTER 11 IDS INTEGRATION: INTRODUCTION; IDS INTEGRATION; DISPLAY IDS COOPERATION LOG

CHAPTER 12 HIGH AVAILABILITY: VRRP; INTRODUCTION TO VRRP; GROUP; MONITOR IP ADDRESS OBJECT; MONITORING; BFD OPTION; 12.2 OVERFLOW; OVERFLOW PROTECT; HOT STANDBY; HOT STANDBY; HANDWORK SYNCHRONIZATION; BACKUP REBOOT; INTERFACE SYNCHRONIZATION GROUP

List of Figures

Chapter 1: Figure1-1 WEB Management Interface; Figure1-2 Deploying of WEB Interface

Chapter 2: Figure2-1 System menu; Figure2-2 Device information; Figure2-3 Device status; Figure2-4 Device information settings; Figure2-5 System name; Figure2-6 System time settings; Figure2-7 System threshold; Figure2-8 Enable remote diagnostics; Figure2-9 Set frame gap; Figure2-10 System parameter; Figure2-11 Clear database; Figure2-12 SNMP; Figure2-13 Device information; Figure2-14 SNMP version configuration; Figure2-15 IP address list; Figure2-16 Alarm; Figure2-17 Alarm_stat; Figure2-18 History; Figure2-19 History_stat; Figure2-20 RMON log; Figure2-21 Current administrator; Figure2-22 Administrator settings; Figure2-23 Administrator authentication settings; Figure2-24 Login parameter settings; Figure2-25 Authority management; Figure2-26 WEB access protocol; Figure2-27 Interface service; Figure2-28 Remote user; Figure2-29 Configuration file; Figure2-30 Hot patching; Figure2-31 APP signature; Figure2-32 Signature version information; Figure2-33 Auto-upgrade settings; Figure2-34 Manual upgrade

Figure2-35 Upgrade progress interface; Figure2-36 URL classification filtering signature; Figure2-37 Signature version information; Figure2-38 Auto-upgrade settings; Figure2-39 Manual upgrade; Figure2-40 Upgrade progress interface; Figure2-41 AV signature; Figure2-42 IPS signature; Figure2-43 License management; Figure2-44 Software version; Figure2-45 NTP configuration; Figure2-46 NTP client configuration; Figure2-47 Virtual management system; Figure2-48 Virtual management system parameter settings; Figure2-49 OVC configuration; Figure2-50 Virtual system; Figure2-51 Certification configuration; Figure2-52 Device information configuration; Figure2-53 CA server configuration; Figure2-54 CRL server configuration; Figure2-55 Certificate management; Figure2-56 Key management; Figure2-57 Certificate application; Figure2-58 Certificate management; Figure2-59 CRL management; Figure2-60 Install option; Figure2-61 Management center

Chapter 3: Figure3-1 Manage center; Figure3-2 Networking configuration; Figure3-3 VLAN Interface configuration; Figure3-4 VLAN frame manage; Figure3-5 Interface configuration; Figure3-6 Interface rate beyond warning; Figure3-7 Port aggregation configuration; Figure3-8 Aggregation group status; Figure3-9 Local mirroring; Figure3-10 Remote source mirroring; Figure3-11 Remote destination mirroring; Figure3-12 Sub interface configuration; Figure3-13 Loopback interface configuration; Figure3-14 PPP interface configuration; Figure3-15 Template interface; Figure3-16 IPsec interface; Figure3-17 GRE; Figure3-18 3G dial-up; Figure3-19 Security zone; Figure3-20 Network diagram for configuring security zones; Figure3-21 IP address object; Figure3-22 IP address object group; Figure3-23 IPv6 address; Figure3-24 MAC address; Figure3-25 MAC address group; Figure3-26 MAC address manage; Figure3-27 Account user; Figure3-28 Domain name; Figure3-29 Predefined service object; Figure3-30 User-defined service object; Figure3-31 Service object group; Figure3-32 Forwarding; Figure3-33 Forwarding mode; Figure3-34 Neighbor discover; Figure3-35 DS_Lite; Figure3-36 6to4 tunnel; Figure3-37 Stateless configuration; Figure3-38 Configure static route; Figure3-39 Health check; Figure3-40 Basic routing table; Figure3-41 Detailed routing table; Figure3-42 Equal-cost route; Figure3-43 Configure BGP; Figure3-44 Configure BGP-VPN; Figure3-45 BGP neighbor information; Figure3-46 Configure RIP; Figure3-47 Display RIP state; Figure3-48 Configure OSPF; Figure3-49 OSPF interface information; Figure3-50 OSPF neighbor information; Figure3-51 Configure IS-IS; Figure3-52 IS-IS neighbor; Figure3-53 ISIS LSP; Figure3-54 Guard route; Figure3-55 Static route; Figure3-56 Basic routing table; Figure3-57 Detailed routing table; Figure3-58 RIPng configuration; Figure3-59 OSPFv3 configuration; Figure3-60 OSPFv3 area configuration; Figure3-61 OSPFv3 advanced configuration; Figure3-62 OSPFv3 neighbor information; Figure3-63 OSPFv3 neighbor information; Figure3-64 Guard route; Figure3-65 Basic config; Figure3-66 IGMP_Snooping; Figure3-67 IGMP snooping proxy; Figure3-68 IGMP snooping routing; Figure3-69 IGMP proxy; Figure3-70 IGMP SSM mapping; Figure3-71 IGMP Proxy; Figure3-72 IGMP status; Figure3-73 PIM; Figure3-74 Static RP configuration; Figure3-75 Candidate RP configuration; Figure3-76 PIM interface configuration; Figure3-77 Admin scope zone; Figure3-78 PIM status; Figure3-79 BSR status; Figure3-80 RP-Mapping; Figure3-81 MSDP; Figure3-82 Peer status; Figure3-83 Cache status; Figure3-84 Multicast VPN; Figure3-85 Multicast source proxy; Figure3-86 Multicast source NAT; Figure3-87 Multicast destination NAT; Figure3-88 Multicast static routing; Figure3-89 Multicast routing table; Figure3-90 PIM multicast routing table; Figure3-91 IGMP multicast routing table; Figure3-92 IGMP proxy routing table; Figure3-93 Basic config; Figure3-94 MLD snooping; Figure3-95 MLD; Figure3-96 MLD status; Figure3-97 PIM; Figure3-98 Admin scope zone; Figure3-99 PIM status; Figure3-100 BSR status; Figure3-101 RP-Mapping; Figure3-102 PIM multicast routing table; Figure3-103 Policy-based routing; Figure3-104 Monitoring; Figure3-105 Policy-based routing; Figure3-106 Monitoring; Figure3-107 Global configuration; Figure3-108 Static FTN; Figure3-109 Static ILM; Figure3-110 LDP configuration; Figure3-111 Display LDP neighbor; Figure3-112 Display LDP adjacency; Figure3-113 Display LDP interface; Figure3-114 L2VPN configuration; Figure3-115 SVC mode; Figure3-116 CCC mode; Figure3-117 MARTINI mode; Figure3-118 VPLS mode; Figure3-119 Display ARP; Figure3-120 Static ARP; Figure3-121 Gratuitous ARP; Figure3-122 Configure ARP probe period; Figure3-123 Anti-ARP snooping; Figure3-124 ARP configuration; Figure3-125 ARP log; Figure3-126 MAC address manage; Figure3-127 DNS; Figure3-128 DHCP server; Figure3-129 DHCPv6 server; Figure3-130 DHCP relay agent; Figure3-131 DHCP IP address table; Figure3-132 Basic wireless; Figure3-133 Basic session; Figure3-134 Basic session; Figure3-135 Basic wireless; Figure3-136 Ping; Figure3-137 Traceroute; Figure3-138 Capture; Figure3-139 Spanning tree; Figure3-140 STP; Figure3-141 RSTP; Figure3-142 MSTP; Figure3-143 STP status

Chapter 4: Figure4-1 Firewall; Figure4-2 Packet filtering policy; Figure4-3 Configuring action; Figure4-4 Packet filtering policy log; Figure4-5 IPv6 packet filtering policy; Figure4-6 IPv6 packet filtering log; Figure4-7 Source NAT; Figure4-8 Address pool; Figure4-9 Destination NAT; Figure4-10 One to one NAT; Figure4-11 N to N NAT; Figure4-12 NAT64 prefix; Figure4-13 NAT64 address; Figure4-14 Address pool; Figure4-15 Source NAT; Figure4-16 Destination NAT; Figure4-17 Address pool; Figure4-18 DS_LITE_NAT; Figure4-19 Address pool; Figure4-20 ALG configuration; Figure4-21 User-defined log; Figure4-22 Basic attack protection; Figure4-23 Basic attack log query; Figure4-24 Network action manage; Figure4-25 Sessions Limit; Figure4-26 Service Limit; Figure4-27 IPv4 blacklist configuration; Figure4-28 Blacklist query; Figure4-29 Black list query; Figure4-30 Blacklist log query; Figure4-31 MAC/IP Binding; Figure4-32 Auto learning; Figure4-33 User MAC binding; Figure4-34 User/IP binding; Figure4-35 binding log query; Figure4-36 Session Management; Figure4-37 Session Parameter; Figure4-38 Session Monitoring; Figure4-39 Session Monitoring; Figure4-40 VIP bandwidth guarantee; Figure4-41 Traffic classification; Figure4-42 Congestion avoidance; Figure4-43 Congestion management; Figure4-44 Traffic shaping; Figure4-45 Anti-ARP-Spoofing; Figure4-46 ARP configuration

Chapter 5: Figure5-1 Log management menu; Figure5-2 Latest log; Figure5-3 System log query; Figure5-4 System log file operation; Figure5-5 System log configuration; Figure5-6 Latest log; Figure5-7 Operation log query; Figure5-8 Log file operation; Figure5-9 Operation log configuration; Figure5-10 Service log configuration

Chapter 6: Figure6-1 Interface config; Figure6-2 Interface config; Figure6-3 ISP configuration

Chapter 7: Figure7-1 Access control menu; Figure7-2 Rate limit; Figure7-3 User group parameter; Figure7-4 Single user limit; Figure7-5 Rate limitation; Figure7-6 Group management; Figure7-7 Network application browsing; Figure7-8 Access control; Figure7-9 Group management; Figure7-10 Network application browsing; Figure7-11 URL classification filtering; Figure7-12 Customize URL classification; Figure7-13 Advanced URL filtering; Figure7-14 Advanced URL filtering configuration; Figure7-15 URL filter page push; Figure7-16 URL page push; Figure7-17 Advanced URL filtering; Figure7-18 SQL injection prevention

Chapter 8: Figure8-1 IPSec sysconfig; Figure8-2 IPsec policy mode; Figure8-3 IPsec route mode; Figure8-4 Net protect; Figure8-5 SA; Figure8-6 IPsec interface; Figure8-7 L2TP configuration; Figure8-8 L2TP user authentication; Figure8-9 L2TP IP pool; Figure8-10 L2TP online status; Figure8-11 PPTP; Figure8-12 GRE configuration; Figure8-13 SMAD; Figure8-14 SMAD blacklist; Figure8-15 SMAD log; Figure8-16 SSL VPN; Figure8-17 IP pool configuration; Figure8-18 Domain configuration; Figure8-19 License management; Figure8-20 Portals management; Figure8-21 Resource configuration; Figure8-22 Share space; Figure8-23 User configuration; Figure8-24 User status; Figure8-25 Authentication key; Figure8-26 Security set; Figure8-27 Security rule; Figure8-28 Security rule group; Figure8-29 Policy configuration; Figure8-30 Log query; Figure8-31 Log configuration; Figure8-32 Log manage; Figure8-33 User stat form; Figure8-34 Flux stat form; Figure8-35 Statistical offline users; Figure8-36 Online time ranking form; Figure8-37 Resource access form

Chapter 9: Figure9-1 Traffic analysis; Figure9-2 Traffic analysis; Figure9-3 Policy configuration; Figure9-4 Advanced configuration; Figure9-5 Keyword filtering; Figure9-6 Keyword filtering

Chapter 10: Figure10-1 Security center; Figure10-2 Basic authentication configuration items; Figure10-3 Webauth configuration; Figure10-4 TAC configuration; Figure10-5 Customer configuration; Figure10-6 Web authentication notice; Figure10-7 Web listen; Figure10-8 Proscenium management; Figure10-9 Online management for the hotel user; Figure10-10 Terminal management; Figure10-11 USB data leakage monitor; Figure10-12 Terminal configuration; Figure10-13 Online user; Figure10-14 Local Account Authentication; Figure10-15 Blackname list; Figure10-16 Remote synchronization

Chapter 11: Figure11-1 Display IDS cooperation log

Chapter 12: Figure12-1 High availability; Figure12-2 VRRP configuration; Figure12-3 Monitoring; Figure12-4 Monitoring; Figure12-5 BFD option; Figure12-6 Overflow protect; Figure12-7 Hot standby; Figure12-8 Handwork synchronization; Figure12-9 Backup reboot; Figure12-10 Interface synchronization group

List of Tables

Chapter 2: Table2-1 Device information; Table2-2 Device status; Table2-3 System threshold; Table2-4 SNMPv3 configuration; Table2-5 User management; Table2-6 Current administrator; Table2-7 Administrator settings configuration items; Table2-8 Administrator authentication setting; Table2-9 Login parameter settings; Table2-10 Authority management configuration items; Table2-11 WEB access protocol; Table2-12 Interface service; Table2-13 Remote user; Table2-14 Configuration file configuration items; Table2-15 Version information; Table2-16 The auto-upgrade settings; Table2-17 Manual upgrade configuration items; Table2-18 Version information; Table2-19 The auto-upgrade settings; Table2-20 Manual upgrade configuration items; Table2-21 Software version configuration items; Table2-22 NTP server mode configuration items; Table2-23 NTP client mode; Table2-24 Virtual server setting configuration items; Table2-25 VRF configuration items; Table2-26 Device information configuration items; Table2-27 CA Server configuration items; Table2-28 CRL server configuration; Table2-29 Certification Management; Table2-30 CRL management

Chapter 3: Table3-1 Security zone configuration items; Table3-2 IP address object configuration items; Table3-3 IP address object group; Table3-4 IP address object group; Table3-5 Account user; Table3-6 State; Table3-7 Configure static route; Table3-8 Basic routing table; Table3-9 Detailed routing table configuration items; Table3-10 BGP neighbor configuration; Table3-11 BGP advanced configuration; Table3-12 BGP advanced configuration; Table3-13 BGP-VPN configuration items; Table3-14 BGP-VPN configuration items; Table3-15 RIP interface configuration; Table3-16 RIP advanced configuration; Table3-17 OSPF advanced configuration; Table3-18 OSPF area configuration; Table3-19 OSPF interface configuration; Table3-20 OSPF interface information; Table3-21 OSPF neighbor information; Table3-22 IS-IS advanced configuration; Table3-23 IS-IS interface configuration; Table3-24 IS-IS neighbor; Table3-25 ISIS LSP; Table3-26 Basic routing table; Table3-27 Detailed routing table; Table3-28 RIPNG interface configuration; Table3-29 RIPng advanced configuration; Table3-30 OSPFv3 area configuration; Table3-31 OSPFv3 interface configuration; Table3-32 OSPFv3 advanced configuration; Table3-33 OSPFv3 interface information; Table3-34 OSPFv3 neighbor information; Table3-35 Basic config; Table3-36 IGMP snooping; Table3-37 IGMP configuration; Table3-38 IGMP Proxy; Table3-39 IGMP status; Table3-40 Candidate BSR configuration; Table3-41 Static RP configuration; Table3-42 Candidate RP configuration; Table3-43 Interface configuration; Table3-44 Global zone configuration; Table3-45 Global zone configuration; Table3-46 Basic config; Table3-47 Global zone configuration; Table3-48 Global zone configuration; Table3-49 Policy-based routing configuration items; Table3-50 Policy-based routing configuration items; Table3-51 Dynamic DHCP server configuration; Table3-52 Static DHCP server configuration; Table3-53 DHCP relay configuration; Table3-54 DHCP IP address table; Table3-55 BFD configuration; Table3-56 Select STP configuration items; Table3-57 MSTP region configuration items

Chapter 4: Table4-1 Packet filtering policy configuration items; Table4-2 Configuring action; Table4-3 Destination NAT configuration; Table4-4 One to one NAT configuration; Table4-5 Address pool configuration; Table4-6 Basic attack protection; Table4-7 Basic attack log query; Table4-8 Blacklist configuration; Table4-9 Blacklist query; Table4-10 Blacklist log query; Table4-11 MAC/IP binding; Table4-12 Switches table; Table4-13 Auto learning; Table4-14 User/Mac binding; Table4-15 User /IP binding; Table4-16 binding log query; Table4-17 VIP bandwidth guarantee; Table4-18 Congestion avoidance; Table4-19 Congestion management; Table4-20 Anti-ARP-Spoofing; Table4-21 ARP configuration

Chapter 5: Table5-1 Latest log; Table5-2 System log querying condition; Table5-3 System log file operation; Table5-4 System log configuration; Table5-5 Latest log; Table5-6 Operation log query; Table5-7 Back up or delete operation file; Table5-8 Operation log configuration; Table5-9 Service log configuration

Chapter 7: Table7-1 Rate limit configuration items; Table7-2 User group parameter; Table7-3 Single user limit; Table7-4 Single user rate limit; Table7-5 Access control configuration items; Table7-6 URL classification filtering configuration items; Table7-7 Customize URL classification; Table7-8 Advanced URL filtering configuration items; Table7-9 URL filter parameter configuration items; Table7-10 SQL injection protection configuration items

Chapter 8: Table8-1 IPSec VPN configuration; Table8-2 IPSec VPN client access mode and gateway-gateway mode; Table8-3 LNS configuration items; Table8-4 LNS configuration items; Table8-5 PNS configuration; Table8-6 Customer information; Table8-7 GRE configuration items; Table8-8 SSL VPN configuration items

Chapter 9: Table9-1 Traffic statistic configuration items; Table9-2 Policy configuration; Table9-3 Keyword filtering configuration items; Table9-4 Keyword filtering configuration items

Chapter 10: Table10-1 Basic authentication configuration items; Table10-2 Webauth configuration items; Table10-3 TAC configuration items; Table10-4 Customer configuration; Table10-5 Web listen configuration items; Table10-6 Proscenium management; Table10-7 Hotel user online management; Table10-8 Microsoft patch management; Table10-9 USB data leakage monitor; Table10-10 Terminal configuration items; Table10-11 Online user; Table10-12 Local account authentication; Table10-13 Local account authentication configuration items

Chapter 11: Table11-1 Display IDS integration log configuration items

Chapter 12: Table12-1 VRRP configuration items; Table12-2 Monitor IP address object configuration items; Table12-3 Hot standby details of the hot standby; Table12-4 Interface synchronization group

Chapter 1 Product Overview

1.1 Product Introduction

As information technology and network information systems develop, government and enterprise applications are growing from small traditional deployments into large, business-critical systems. Information security is a dynamic process: the same network that provides an efficient operating platform is also exposed to threats from complex IT business systems and from users of differing backgrounds. A firewall therefore controls service traffic and the transmission of sensitive information between the internal network and the Internet, gives the administrator a timely and accurate view of the security status of the network, detects events that violate the security policy, and reports logs and alarms in real time.

The DPtech FW1000 Series are next-generation firewall products designed for enterprise, carrier and industry users, offering solutions for a variety of network environments. The FW1000 combines packet filtering with VPN protection and integrates routing (including OSPFv3 and RIP) with source NAT and destination NAT, separating and restricting communication between the intranet and the Internet or other external networks so that internal devices are protected. Beyond network-layer protection for all kinds of network environments, the FW1000 provides application-layer features such as traffic control, traffic analysis and web page filtering, which help enterprise administrators understand the network's security status and discover unsafe activity (such as access violations, misuse of resources, packet attacks and data leakage). Continuous, periodic signature database updates let enterprises obtain the newest signatures in the shortest time, keeping the protection of the internal network current.
1.2 WEB Management

Logging in to the Web Management Interface

This section describes how to log in to the web management interface:

1. Make sure that the host can communicate with the management port of the FW.
2. Open an IE browser and access the IP address of the management port over HTTP.
3. Type the username and password in the interface shown in Figure1-1, then click Login to access the Web management interface of the FW device.

Figure1-1 WEB Management Interface

Caution:
- IE 6.0 or later is recommended, with a screen resolution of 1024 x 768 or higher.
- The browser's Backward, Forward and Refresh buttons are not supported on the Web management interface. If you use them, the page may not be displayed properly.
- By default the management port is named meth0_0; its default IP address is shown in the Default management interface information field of the Device Information page (Table2-1).
- The default username and the default password are both admin. Use the default account for the first login only and change the password immediately afterwards: as long as admin/admin is accepted, anyone who can reach the management port has full administrative control of the firewall. For how to change your password, see Section xxxx.
- After you log in, if you perform no operation for 5 minutes the session times out and the interface returns to the login page.
- Up to 5 administrators can be logged in to the Web management interface at the same time.
- The login described above is made over plain HTTP, so the credentials and the session cross the network unencrypted. Reach the management port only from a trusted management network; the Administrator section of Chapter 2 covers limiting the WEB access protocol (Figure2-26) and the services offered on each interface (Figure2-27).

Web Interface Layout

Figure1-2 shows the main page of the Web Management Interface of the FW device.

Figure1-2 Deploying of WEB Interface: (1) Navigation bar, (2) Shortcut area, (3) Configuration area.

Navigation bar: lists all of the Web management function menus. Choose the desired function menu and it is shown in the configuration area.

Shortcut area: shows the path of the current page and the status of the device. This area also provides the function buttons Collapse, Homepage, Restart, Help and Logout.

Configuration area: the area in which you configure and view the device.
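The two checks a practitioner wants to run right after the first login described above are that the factory default admin/admin is no longer accepted and that the management interface is not being used over plaintext HTTP. The script below is an added example for this guide, not DPtech code: the guide documents the default account, the HTTP login and the advice to change the password, but not the login form's field names or how the device answers a successful login, so those two points are assumptions marked in the code. The HTTP POST is injected as a callable so the logic runs offline against a constructed fake device; urllib_post() is a standard-library implementation for use against a real unit, and 192.0.2.1 is a documentation address.

```python
"""First-login hygiene check for the FW1000 web management interface.

Added example, not DPtech code. ASSUMPTIONS (not documented in the guide):
  - the login form posts fields named "username" and "password";
  - a rejected login re-renders the login form (a page with a password
    field), while an accepted login redirects or serves a page without one.
Adjust both after looking at the real login page.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_USERNAME = "admin"   # factory default documented in the guide
DEFAULT_PASSWORD = "admin"


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


PostFn = Callable[[str, Dict[str, str]], Response]


def login_form(username: str, password: str) -> Dict[str, str]:
    # ASSUMPTION: field names are "username" and "password".
    return {"username": username, "password": password}


def login_succeeded(resp: Response) -> bool:
    """ASSUMPTION: redirect, or a 200 page without a password field, means
    the credentials were accepted."""
    if resp.status in (301, 302, 303, 307):
        return True
    return resp.status == 200 and 'type="password"' not in resp.body.lower()


def audit_management_access(url: str, post: PostFn) -> List[str]:
    """Return findings; an empty list means both checks passed."""
    findings: List[str] = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("plaintext HTTP: the admin password and session cookie "
                        "cross the network unencrypted; use HTTPS or an isolated "
                        "management network")
    resp = post(url, login_form(DEFAULT_USERNAME, DEFAULT_PASSWORD))
    if login_succeeded(resp):
        findings.append("factory default admin/admin still accepted: change the "
                        "password before exposing the management port to any "
                        "untrusted network")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of following them, so a post-login
    # redirect is visible to login_succeeded().
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_post(url: str, form: Dict[str, str], timeout: float = 5.0) -> Response:
    """Real POST for use against a live device (standard library only)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, r.read().decode(errors="replace"), dict(r.headers))
    except urllib.error.HTTPError as e:       # 3xx/4xx/5xx arrive here
        return Response(e.code, e.read().decode(errors="replace"), dict(e.headers))


def fake_device(accepts_default: bool) -> PostFn:
    """Constructed stand-in for an FW1000 login page, for offline testing only."""
    login_page = ('<form method="post"><input name="username">'
                  '<input type="password" name="password"></form>')

    def post(url: str, form: Dict[str, str]) -> Response:
        if accepts_default and form == login_form("admin", "admin"):
            return Response(302, "", {"Location": "/index.html"})
        return Response(200, login_page)
    return post


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address, not a real device.
    for finding in audit_management_access("http://192.0.2.1/", fake_device(True)):
        print("FINDING:", finding)
```

Against a real unit, replace fake_device(...) with urllib_post; the check deliberately sends the default credentials only, so it cannot lock out or guess any other account.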

Chapter 2 System Management

2.1 Introduction to System Management

System management allows the user to configure the related system management functions, including: Device management; SNMP configuration; RMON configuration; Administrator; Configuration file; Signature database; Software version; NTP configuration; Virtual system; VRF; Digital certificate; Installation package; Centralized management.

To access the system menu, select Basic > System from the navigation tree, as shown in Figure2-1.

Figure2-1 System menu

2.2 Device Management

2.2.1 Device information

The Device information page shows information about the current system and the device, including the system name, system time and system time zone, memory, external memory, serial number, PCB hardware version, software version, default management interface information, CPLD hardware version, Conboot version and power.

To enter the device information page, choose Basic > System management > Device management > Device information from the navigation tree, as shown in Figure2-2.

Figure2-2 Device information

Table2-1 describes the fields of device information.

Table2-1 Device information
System name: the name of the system.
System time: the current time of the system.
System time zone: the time zone of the system.
Memory: the memory capacity of the hardware device.
External memory size: the type and capacity of the external memory.
Serial number: the serial number of the hardware device.
PCB hardware version: the hardware PCB version information.
Software version: the version information of the system software.
Default management interface information: the name of the default management interface and its default IP address.
CPLD hardware version: the CPLD hardware version.
Conboot version: the Conboot version information of the system.
Power: the power supply rating of the device.

Note: When you log in to the FW WEB management interface, the first page you see is the Device Information page.

2.2.2 Device status

The Device status module displays the current health of the system: CPU, memory, disk and CF card utilization, fan and power supply status, and CPU and mainboard temperature.

To enter the device status page, choose Basic > System management > Device management > Device status from the navigation tree, as shown in Figure2-3.

Figure2-3 Device status

Table2-2 describes the details of device status. For every item the page shows an indicator light; green means normal and red means the item is beyond its threshold or has failed.

Table2-2 Device status
CPU utilization: real-time CPU utilization. The indicator turns red when the value exceeds the threshold, otherwise it is green.
Memory utilization: real-time memory utilization. The indicator turns red when the value exceeds the threshold, otherwise it is green.
Hardware utilization: real-time hard disk utilization (set by the Hardware usage threshold in Table2-3). The indicator turns red when the value exceeds the threshold, otherwise it is green.
CF Card utilization: real-time CF card utilization. The indicator turns red when the value exceeds the threshold, otherwise it is green.
Fans status: real-time fan status. The indicator turns red when any one of the fans is not working normally, otherwise it is green.
Power status: real-time power status. The indicator turns red when the power supply is not working normally, otherwise it is green.
CPU temperature: real-time CPU temperature. The indicator turns red when the value is beyond the threshold, otherwise it is green.
Mainboard temperature: real-time mainboard temperature. The indicator turns red when the value is beyond the threshold, otherwise it is green.

Note: Hover the mouse pointer over an indicator to view the real-time value. On this page you can view real-time information about CPU and memory utilization and fan and power supply status.

2.2.3 Device configuration

Device information settings

The Device information settings page lets you modify the system name and time, set the system thresholds according to your requirements, and choose whether to enable the remote diagnostic function.

To enter the device information settings page, choose Basic > System management > Device management > Device setting > Device information settings from the navigation tree, as shown in Figure2-4.

Figure2-4 Device information settings

The system name feature allows you to give the system a custom name, which makes it easier to manage. To enter the information settings page and configure the system name, choose Basic > System management > Device management > Information settings, as shown in Figure2-5.

Figure2-5 System name

To modify the system name, take the following steps:
1. Select the Device Information Settings tab and type in the system name.
2. Click Ok. The new settings take effect immediately.

System time allows you to set the system time so that it matches the current time.

31 To enter the system time interface, you can choose Basic > System management > Device management > Information settings from navigation tree, as shown in Figure2-6. Figure2-6 System time settings To modify the system time, you can take the following steps: Select Device Information Settings tab, and reconfigure time zone, date and time. After you click Ok button, new settings take effect immediately. System threshold allow user to configure the hardware utilization and temperature threshold. To enter the device information settings and configure system threshold, you can choose Basic > System management >Device management > Information settings from navigation tree, as shown in Figure2-7. Figure2-7 System threshold Table2-3 describes the configuration items of system threshold. Table2-3 System threshold CPU usage threshold Memory usage threshold Hardware usage threshold CPU temperature threshold Set the CPU usage threshold. Set the memory usage threshold. Set the hard disk usage threshold. Set the lower limit and upper limit of the CPU temperature threshold. 2-13

32 Mainboard temperature threshold Set the lower limit and upper limit of the mainboard temperature threshold. To configure system thresholds of the device, you can take the following steps: Select Device Information Settings tab. Enter the threshold in the corresponding place. After you click Ok button, new settings take effect immediately. Enable remote diagnostic allows users to do non-local operations for the device, which effectively solve the network failure. To enter the device information settings page and enable the remote diagnostics function, you can choose Basic > System management >Device management > Information settings from navigation tree, as shown in Figure2-8. Figure2-8 Enable remote diagnostics The set frame gap allows user to set the frame gap of data frames. To enter the device information settings page and set frame gap, you can choose Basic > System management >Device management > Information settings from navigation tree, as shown in Figure2-9. Figure2-9 Set frame gap! Caution: Please configure the system threshold according to hardware specification and processing capacity. If there is no special requirement, you should adopt default settings. When hardware utilization, CPU and mainboard temperature beyond thresholds, the hardware LED on Device Status page will turn red from green. Please contact network administrator to solve the problem System parameter System parameter is mainly set the fast forwarding parameter setting, blacklist taking effect immediately setting, packet filtering taking effect immediately setting, and Ac Memory Spec Set setting. 2-14

33 To enter the system parameter setting page, you can choose Basic > System management >Device management > System parameter settings, as shown in Figure2-10. Figure2-10 System parameter Clear database Clear database function provides the function of clearing the database configuration. Clear the database and then the device will be rebooted. To enter the clear database page, you can choose Basic > System management >Device management > System parameter settings, as shown in Figure2-11. Figure2-11 Clear database 2.3 SNMP configuration Simple Network Management Protocol (SNMP) is a frame that use TCP/IP protocol suite to manage the devices on the Internet, providing a suite of basic operation to monitor and maintain Internet. 2-15

2.3.1 SNMP version configuration

SNMP

Simple Network Management Protocol (SNMP) defines the communication rules used between the management device and the managed devices in a network. It defines a set of messages, methods and syntax that the management device uses to access and manage the managed devices.

To enter the SNMP version configuration page, choose Basic > System management > SNMP configuration from the navigation tree, as shown in Figure2-12.

Figure2-12 SNMP

To configure the SNMP version, take the following steps:
1. Select Basic > System management > SNMP configuration from the navigation tree to enter the SNMP version page.
2. Click the SNMPv1, SNMPv2c or SNMPv3 checkbox.
3. If you select the SNMPv1 or SNMPv2c option, configure the read community string or the read/write community string.
4. Click the Ok button in the upper right corner of the webpage.

SNMPv3 configuration

Table2-4 describes the configuration items of SNMPv3.

Table2-4 SNMPv3 configuration
  Username: Allows you to configure a user name for SNMPv3.
  Authenticate protocol: Determines that a message comes from a valid source. Select an authentication protocol: none, MD5 or SHA.
  Authenticate password: Configure the authentication password.
  Encryption algorithm: Scrambles the contents of a packet to prevent it from being read by an unauthorized party. Select an encryption algorithm: none or DES.
  Encryption password: Configure the encryption password.
  User authority: Configure the user authority.
  Operation: Click copy or delete to perform the operation.

Device information

To enter the device information page and configure the device information, choose Basic > System management > SNMP configuration from the navigation tree, as shown in Figure2-13.

Figure2-13 Device information

To configure the device information, take the following steps:
1. Select Basic > System management > SNMP configuration from the navigation tree to enter the SNMP version interface.
2. Configure the device information, including device location, contact information and trap destination host.
3. Click the Ok button in the upper right corner of the webpage.

NAT Traverse

To enter the NAT traverse page and configure NAT traversal, choose Basic > System management > SNMP configuration from the navigation tree, as shown in Figure2-14.

Figure2-14 SNMP version configuration

To configure NAT traversal, take the following steps:
1. Select Basic > System management > SNMP configuration from the navigation tree to enter the SNMP version interface.
2. Configure the primary channel configuration and the command channel configuration.
3. Click the Ok button in the upper right corner of the webpage.

IP address list

Administrators whose addresses have been added to the IP address list can access the device.

To enter the device information page and configure the IP address list, choose Basic > System management > SNMP configuration from the navigation tree, as shown in Figure2-15.

Figure2-15 IP address list
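The following Python script is an added example, not code from this manual or from DPtech. It shows what the Table2-4 choices mean on the wire: how an SNMPv3 authentication or encryption password is turned into the per-engine localized key defined in RFC 3414 (the USM password-to-key algorithm), which USM security level a given authentication/encryption combination yields, and a review of one user row against the RFC 3414 minimum password length of eight characters. The password "maplesyrup" and the engine ID used in the check come from RFC 3414 Appendix A.3; the function names and the wording of the findings are my own.

```python
"""SNMPv3 USM key localization and security-level review.

Added example (assumptions: helper names, finding texts). The key
derivation follows RFC 3414 section 2.6 and appendix A.2.
"""
import hashlib
from typing import List, Tuple

# RFC 3414 hashes the password repeated cyclically to exactly 1 MiB.
_EXPANSION_BYTES = 1048576

# Table2-4 choices mapped to hashlib names; None means the protocol is off.
AUTH_PROTOCOLS = {"none": None, "MD5": "md5", "SHA": "sha1"}
PRIV_PROTOCOLS = {"none": None, "DES": "des"}


def password_to_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Return the localized key Kul for one engine.

    Step 1: Ku  = H(password repeated up to 1,048,576 bytes)
    Step 2: Kul = H(Ku || engineID || Ku)
    The same password therefore yields a different key on every agent.
    """
    if not password:
        raise ValueError("empty password")
    repeats = _EXPANSION_BYTES // len(password) + 1
    stream = (password * repeats)[:_EXPANSION_BYTES]
    ku = hashlib.new(hash_name, stream).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def security_level(auth_protocol: str, priv_protocol: str) -> str:
    """Map the two Table2-4 drop-downs to the USM security level."""
    auth = AUTH_PROTOCOLS[auth_protocol] is not None
    priv = PRIV_PROTOCOLS[priv_protocol] is not None
    if priv and not auth:
        raise ValueError("USM has no noAuthPriv level: encryption requires authentication")
    if auth and priv:
        return "authPriv"
    if auth:
        return "authNoPriv"
    return "noAuthNoPriv"


def check_user(username: str, auth_protocol: str, auth_password: str,
               priv_protocol: str, priv_password: str) -> Tuple[str, List[str]]:
    """Review one SNMPv3 user row; returns (security level, findings)."""
    level = security_level(auth_protocol, priv_protocol)
    findings = []
    if level == "noAuthNoPriv":
        findings.append(f"{username}: no authentication, the agent cannot tell who sent a request")
    if auth_protocol != "none" and len(auth_password) < 8:
        findings.append(f"{username}: authentication password below the RFC 3414 minimum of 8 characters")
    if priv_protocol != "none" and len(priv_password) < 8:
        findings.append(f"{username}: encryption password below the RFC 3414 minimum of 8 characters")
    if level == "authNoPriv":
        findings.append(f"{username}: no encryption, SNMP payloads are readable on the wire")
    if auth_protocol == "MD5":
        findings.append(f"{username}: MD5 is the weaker of the two authentication choices; prefer SHA")
    if priv_protocol == "DES":
        findings.append(f"{username}: DES (56-bit key) is the only privacy option offered; treat it as a floor, not strong encryption")
    return level, findings


if __name__ == "__main__":
    # Values from RFC 3414 Appendix A.3: password "maplesyrup", engine ID 00..02.
    engine = bytes.fromhex("000000000000000000000002")
    print("MD5 Kul:", password_to_key(b"maplesyrup", engine, "md5").hex())
    print("SHA Kul:", password_to_key(b"maplesyrup", engine, "sha1").hex())
    for line in check_user("monitor", "SHA", "maplesyrup", "DES", "maplesyrup")[1]:
        print(line)
```

Because the localized key depends on the engine ID, a password that leaks from one device does not directly give the key for another, but the expansion step is deliberately cheap to compute, so short passwords remain easy to guess; the eight-character minimum is the floor, not a recommendation.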

2.4 RMON configuration

Remote Monitoring (RMON), defined by the Internet Engineering Task Force (IETF), is a Management Information Base (MIB) that extends the MIB II standard. RMON is mainly used to monitor the traffic of one network segment or of the whole network, and is the most widely used network management standard at present.

Alarm

Alarm

The RMON alarm group monitors specified alarm variables, such as statistics on a port. If the sampled value of the monitored variable is greater than or equal to the upper threshold, an upper event is triggered; if the sampled value is less than or equal to the lower threshold, a lower event is triggered. The event is then handled as defined in the event group.

To enter the RMON alarm page, choose Basic > System management > RMON from the navigation tree, as shown in Figure2-16.

Figure2-16 Alarm

Alarm_stat

To enter the alarm_stat page, choose Basic > System management > Alarm_stat from the navigation tree, as shown in Figure2-17.

Figure2-17 Alarm_stat
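As an added example (not code from the manual or from DPtech), the following Python models the alarm-group logic described above: each sample is compared against an upper (rising) and a lower (falling) threshold, and an event is raised when the value is greater than or equal to the upper threshold or less than or equal to the lower threshold. One detail is taken from RFC 2819 rather than from this page: after a rising event no further rising event fires until the value has crossed the falling threshold, and vice versa, which is what keeps a variable hovering at the threshold from flooding the event log. The delta sample type, the CPU utilization sample series and the function names are my own assumptions.

```python
"""Model of one RMON alarm entry: rising/falling thresholds with hysteresis.

Added example; the re-arming rule follows RFC 2819 alarmRisingThreshold /
alarmFallingThreshold semantics, and the sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    variable: str                   # e.g. "ifInOctets.3" or "cpuUtilization"
    rising_threshold: int           # "upper threshold" in the manual
    falling_threshold: int          # "lower threshold" in the manual
    sample_type: str = "absolute"   # "absolute": compare the raw value
                                    # "delta": compare the change since the last sample
    # Which event may fire next. "both" is the RFC 2819 startup state
    # risingOrFalling: whichever threshold the first sample crosses fires.
    armed: str = field(default="both", init=False)
    last_raw: Optional[int] = field(default=None, init=False)

    def __post_init__(self) -> None:
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must be <= rising threshold")
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:        # nothing to diff against yet
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        if value >= self.rising_threshold and self.armed in ("both", "rising"):
            self.armed = "falling"           # re-arm only after a falling crossing
            return "rising"
        if value <= self.falling_threshold and self.armed in ("both", "falling"):
            self.armed = "rising"
            return "falling"
        return None


def events_for(samples: List[int], rising: int, falling: int,
               sample_type: str = "absolute") -> List[Tuple[int, Optional[str]]]:
    """Run a fresh alarm over a sample series; returns (sample, event) pairs."""
    alarm = RmonAlarm("cpuUtilization", rising, falling, sample_type)
    return [(s, alarm.sample(s)) for s in samples]


if __name__ == "__main__":
    # Constructed CPU utilization samples (percent), one per sampling period.
    for sample, event in events_for([40, 85, 90, 70, 20, 88], rising=80, falling=30):
        print(f"{sample:3d}%  {event or '-'}")
```

With thresholds of 80 and 30 the series 40, 85, 90, 70, 20, 88 produces a rising event at 85, nothing at 90 (still armed for falling), a falling event at 20, and a second rising event at 88; without the re-arming rule the 90 sample would have produced a duplicate.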

2.4.2 History

History

The history group periodically collects statistics on data at interfaces and saves them in the history record table for convenient query. The statistics include bandwidth utilization, number of error packets, and total number of packets. Once you successfully create a history entry on the specified interface, the history group starts to periodically collect packet statistics on that interface. Each statistical value is the cumulative sum of packets sent/received on the interface during a sampling period.

To enter the RMON history page, choose Basic > System management > RMON from the navigation tree, as shown in Figure2-18.

Figure2-18 History

History_stat

To enter the history_stat page, choose Basic > System management > History_stat from the navigation tree, as shown in Figure2-19.

Figure2-19 History_stat

RMON log

To enter the RMON log page, choose Basic > System management > RMON log, as shown in the following figure.

Figure2-20 RMON log

2.5 Administrator

Introduction to administrator

The administrator module allows the user to add, modify and delete administrators. Administrators log in to the web management interface with different privileges, authentication methods, and web access protocols and ports.

Table2-5 describes the configuration items of administrator.

Table2-5 User management
  Current administrator: Lists all administrators who have logged in to the web management interface; from here other administrators can be kicked out.
  Administrator settings: Allows you to add and delete administrators and to modify an administrator's password and authority, for any administrator except the current one.
  Administrator authentication settings: Allows you to configure the login authentication parameters, including local authentication, Radius authentication and Tacacs Plus authentication.
  Logon configuration parameter: Allows you to configure the logon parameters, including the timeout settings, login lock settings and unlock time.

Current administrator

Current administrator allows you to view the administrators who have logged in to the web management interface.

To enter the current administrator interface, choose Basic > System management > Administrator > Administrator from the navigation tree, as shown in Figure2-21.

Figure2-21 Current administrator

Table2-6 describes the details of current administrator.

Table2-6 Current administrator
  Administrator: Displays the name of the administrator who has logged in to the web management interface.
  Logon time: Displays the time at which the administrator logged on to the device.
  Last access time: Displays the last time the administrator accessed the web management interface.
  Logon IP address: Displays the IP address from which the administrator logged in to the web management interface.
  Operation: Click the kick out icon to kick out an administrator.

Administrator settings

Administrator settings allow the user to add, modify and delete administrators.

To enter the administrator settings interface, choose Basic > Administrator > Administrator from the navigation tree, as shown in Figure2-22.

Figure2-22 Administrator settings

Table2-7 describes the configuration items of the administrator settings.

Table2-7 Administrator settings configuration items
  Administrator: Adds the administrator name to the system. Consists of alphanumeric characters, is case sensitive, and must begin with a letter or digit. The length must be 3 to 20 characters.
  Password: The password the administrator uses to log in to the device. Consists of alphanumeric characters, is case sensitive, and may include the special characters ()-+= []:;/_,.
  Confirm password: The password and confirm password must be the same. If not, the system prompts you that the two passwords are inconsistent when you submit them.
  Description: Configures the description of the administrator. Consists of alphanumeric characters, is case sensitive, and allows spaces and special characters. The length of the description is 0 to 40 characters.
  Level: Sets the administrator permission level. Different administrators log in to the web with different authorities.
  Status: Allows you to select a status for the administrator: lock or normal. Lock means the administrator has been locked and cannot log in to the web management interface. Normal means the administrator is not locked and can log in to the web management interface.
  Operation: Click the delete icon to delete the administrator.

To add an administrator, take the following steps:
1. Enter the administrator page by choosing Basic > Administrator > Administrator from the navigation tree.
2. Click the Add icon.
3. In each column, type in the password, confirm password and description.
4. Select the privilege for the administrator.
5. Click the Ok button in the upper right corner of the webpage.

To modify an administrator, take the following steps:
1. Make sure which administrator is to be modified.
2. To modify the administrator's password, hover your mouse pointer over the password and click to modify it. Password and confirm password must be the same.
3. Click the Ok button in the upper right corner of the webpage.
4. To modify other properties of the administrator, such as description, configuration range and status, repeat the above steps.

To delete an administrator, take the following steps:
1. Make sure which administrator is to be deleted.
2. Click the Delete button.
3. Click the Ok button in the upper right corner of the webpage.

Caution: The default password cannot be used when you add an administrator; configure the password according to the rule above. You cannot lock an administrator while adding it; the default status is normal. If you need to lock the administrator, lock it after you create it. When you delete an administrator, the system prompts you for confirmation; use this function carefully.

Administrator authentication setting

The administrator authentication setting page allows the user to configure the authentication method an administrator uses to log in to the webpage, including local authentication and Radius authentication.

To enter the administrator authentication setting page, choose Basic > System management > Administrator from the navigation tree, as shown in Figure2-23.

Figure2-23 Administrator authentication settings

Table2-8 describes the configuration items of administrator authentication setting.

Table2-8 Administrator authentication setting
  Local authentication: Authenticates the administrator's name and password on the device itself.
  Radius authentication: Authenticates the administrator's name and password through a Radius server. Configure the following parameters:
    Server IP address
    Authentication port number
    Shared key
    Authentication packet timeout time
    Authentication packet retransmission times
    User group to which the Radius-authenticated user belongs
  Tacacs Plus authentication: Authenticates the administrator's name and password through a Tacacs Plus server. Configure the following parameters:
    Server IP address
    Shared key
  LDAP authentication: Authenticates the administrator's name and password through an LDAP server. Configure the following parameters:
    LDAP server version
    LDAP server address
    LDAP server port
    Username attribute name
    Base DN
    Administrator DN
    Administrator password

Login parameter settings

You can set several security parameters for logging in to the web, including timeout settings, login lock settings, unlock time and login password strength settings.

To enter the login parameter settings page, choose Basic > System management > Administrator from the navigation tree, as shown in the following figure.

Figure2-24 Login parameter settings

Table2-9 describes the details of login parameter settings.

Table2-9 Login parameter settings
  Idle timeout: Sets the idle timeout for the current administrator. If an administrator performs no operation within that time, the system forcibly logs the administrator out.
  Login lock settings: If the wrong password is entered for an administrator a number of consecutive times, the administrator is locked.
  Unlock time: Sets how long the administrator stays locked. Lock: the specific time you have designated for the administrator to remain locked; when that time has elapsed, the administrator is unlocked automatically. Permanent: a locked administrator cannot unlock itself; only an administrator with system configuration permission can modify the locked administrator's status in the Administrator settings column.
  Password strength settings: Allows you to select the password strength: high, medium or low.
  The group to which a remote authentication user belongs: Allows you to select the configuration group to which a remote authentication user belongs: Super, System configuration, Business configuration, Log configuration, or Manage center configuration.
  Remote authentication user rights: Configures the remote authentication user's rights. The range is 1 to 5; 1 is the highest level.

Caution: If a user has been locked, whether you enter the correct password or not, the system prompts you that the user has been locked and to try again later.

Authority management

Users can log in to the web management page with different privileges, and a user's login rights can be tailored to their requirements.

To enter the authority management page, choose Basic > System management > Administrator > Authority from the navigation tree, as shown in Figure2-25.

Figure2-25 Authority management

Table2-10 describes the configuration items of authority management.

Table2-10 Authority management configuration items
  Super: The administrator has permission to log in to the Web and configure all modules.
  System configuration: The administrator has permission to log in to the Web and configure the system management module and the network management module, and has no permission beyond system configuration.
  Business configuration: The administrator has permission to log in to the Web and configure the firewall module, load balancing module, access control module, VPN module, behavior analysis module, user authentication module and comprehensive module, and has no permission beyond business management.
  Log management configure range: The administrator has permission to log in to the Web and view the service log, system log, operation log and comprehensive log, and has no permission beyond log management.
  User customize configure range: The administrator has permission to log in to the Web with a configuration range customized by the user.
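The following Python is an added example, not code from this manual or from DPtech. It models the administrator login rules the preceding sections describe: the name and password character rules and the confirm-password check of Table2-7, the consecutive-failure lock, timed versus permanent unlock and idle timeout of Table2-9, and the caution above that a locked account is refused even when the correct password is entered. The number of failures that triggers a lock, the unlock and idle durations, and the reading of "()-+= []:;/_,." as a character list whose space is only a separator are my own assumptions, as are all function and class names.

```python
"""Model of the administrator login policy (Table2-7 and Table2-9).

Added example. Assumed: lock after 3 consecutive failures, 300 s timed
unlock, 600 s idle timeout, and the exact special-character set.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Table2-7: name is alphanumeric, case sensitive, starts with a letter or digit, 3-20 chars.
_NAME_RE = re.compile(r"^[A-Za-z0-9]{3,20}$")
# Table2-7: password is alphanumeric plus the listed special characters (assumed set).
_PASSWORD_RE = re.compile(r"^[A-Za-z0-9()\-+=\[\]:;/_,.]+$")


def validate_name(name: str) -> bool:
    return _NAME_RE.fullmatch(name) is not None


def validate_password(password: str, confirm: str) -> Optional[str]:
    """Return None if acceptable, otherwise the message the page describes."""
    if password != confirm:
        return "the two passwords are inconsistent"
    if _PASSWORD_RE.fullmatch(password) is None:
        return "password contains a character outside the allowed set"
    return None


@dataclass
class AdminAccount:
    name: str
    password: str
    max_failures: int = 3              # assumed lock threshold
    unlock_after: Optional[int] = 300  # seconds; None = "Permanent" in Table2-9
    idle_timeout: int = 600            # seconds, Table2-9 "Idle timeout"
    failures: int = 0
    locked_at: Optional[int] = None
    last_activity: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        if self.unlock_after is None:
            return True                               # only an admin can clear it
        if now - self.locked_at >= self.unlock_after:
            self.locked_at, self.failures = None, 0   # timed lock has expired
            return False
        return True

    def login(self, password: str, now: int) -> str:
        """Return "ok", "denied" or "locked"; locked wins even with the right password."""
        if self.is_locked(now):
            return "locked"
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked_at = now
                return "locked"
            return "denied"
        self.failures, self.last_activity = 0, now
        return "ok"

    def activity(self, now: int) -> bool:
        """Record an operation; False means the session was ended for inactivity."""
        if self.last_activity is None or now - self.last_activity > self.idle_timeout:
            self.last_activity = None                 # forced logout
            return False
        self.last_activity = now
        return True

    def unlock_by_admin(self) -> None:
        """What an administrator with system configuration permission does in Administrator settings."""
        self.locked_at, self.failures = None, 0
```

The point of refusing a locked account regardless of the password is that an attacker cannot tell a correct guess from a wrong one while the lock is in force; the trade-off is that a lock can be triggered deliberately against a known user name, which is why the manual keeps a timed unlock as the default and reserves the permanent lock for an administrator's explicit decision.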

2.5.3 WEB access protocol

On the web access protocol interface, you can configure the web access protocol and port.

To enter the WEB access protocol interface, choose Basic > System management > Administrator > WEB access protocol from the navigation tree, as shown in Figure2-26.

Figure2-26 WEB access protocol

Table2-11 describes the configuration items of WEB access protocol.

Table2-11 WEB access protocol
  HTTP settings: Click the Enable HTTP checkbox and configure the port number.
  HTTPS settings: Click the Enable HTTPS checkbox and configure the port number. If a digital certificate is configured, you can enable the administrator certificate authentication function to enhance security.
  Connection number: Configure the connection number. The range is 5 to 200; the default is 100.
  IP address list: Configure the IP address range for administrators.

Limited interface service

The limited interface service module limits the login access protocols for all service interfaces, including https, http, telnet, SSH and ping.
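As an added example (not code from this manual or from DPtech), the following Python puts the Table2-11 settings and the per-interface service limits together into one admission check for an inbound management connection: is the protocol enabled on that port, is the service blocked on the interface it arrived on, is the source inside the IP address list, and is the connection number still below the limit. The interface names, the management subnet and the assumption that an empty IP address list admits any source are mine.

```python
"""Management-plane admission check modelled on Table2-11 (HTTP/HTTPS enable
and port, connection number, IP address list) and on the Limited interface
service list.

Added example, not DPtech code. Assumptions: an empty IP address list
means any source is accepted; interface names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ManagementAccessPolicy:
    http_enabled: bool = False
    http_port: int = 80
    https_enabled: bool = True
    https_port: int = 443
    max_connections: int = 100                                 # Table2-11: 5-200, default 100
    ip_address_list: List[str] = field(default_factory=list)   # CIDR strings
    # Limited interface service: interface name -> services blocked on that interface
    interface_limits: Dict[str, Set[str]] = field(default_factory=dict)
    active_connections: int = 0

    def __post_init__(self) -> None:
        if not 5 <= self.max_connections <= 200:
            raise ValueError("connection number must be in 5-200")
        self._networks = [ipaddress.ip_network(c, strict=False) for c in self.ip_address_list]

    def admit(self, interface: str, protocol: str, port: int, source: str) -> str:
        """Decide one inbound management connection; "allowed" or a denial reason."""
        protocol = protocol.lower()
        if protocol in self.interface_limits.get(interface, set()):
            return "denied: service limited on this interface"
        if protocol == "http":
            if not self.http_enabled or port != self.http_port:
                return "denied: HTTP not enabled on that port"
        elif protocol == "https":
            if not self.https_enabled or port != self.https_port:
                return "denied: HTTPS not enabled on that port"
        else:
            return "denied: not a web management protocol"
        src = ipaddress.ip_address(source)
        if self._networks and not any(src in net for net in self._networks):
            return "denied: source not in IP address list"
        if self.active_connections >= self.max_connections:
            return "denied: connection number reached"
        self.active_connections += 1
        return "allowed"

    def release(self) -> None:
        """Call when an admitted session ends."""
        if self.active_connections > 0:
            self.active_connections -= 1


def example_policy() -> ManagementAccessPolicy:
    """Hardened shape: HTTPS only, management subnet only, no management services on the WAN side."""
    return ManagementAccessPolicy(
        http_enabled=False,
        https_enabled=True, https_port=443,
        max_connections=20,
        ip_address_list=["192.0.2.0/24"],                 # constructed management subnet
        interface_limits={"ge0/1": {"https", "http", "telnet", "ssh"}},   # "ge0/1" is the assumed WAN port
    )
```

The order of the checks matters for what an outside observer learns: the interface limit and protocol checks reject before any address comparison, so a probe on the WAN interface gets the same answer whether or not its source happens to be inside the IP address list. The connection number is the last gate, so denied attempts never consume a slot.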

To enter the limited interface service page, choose Basic > System management > Administrator > Interface service limit from the navigation tree, as shown in Figure2-27.

Figure2-27 Interface service

Table2-12 describes the configuration items of interface service.

Table2-12 Interface service
  Interface name: Allows you to select the interface to be limited.
  Limit services: Allows you to select which access protocols to limit: Https, Http, telnet, SSH or Ping.
  Operation: Click the copy button or delete button to perform the operation.

Remote user

Sets the remote user login method and the maximum number of remote user logins.

To enter the remote user page, choose Basic > System management > Administrator > Interface service limit from the navigation tree, as shown in Figure2-28.

Figure2-28 Remote user

Table2-13 describes the configuration items of remote user.

Table2-13 Remote user
  Client IP: Displays the IP address the client used to log in to the web.
  Client port: Displays the port number of the logged-in user.
  Login type: Displays the client login type: telnet or SSH.
  Client login time: Displays the client login time.
  Last operation time: Displays the last time the user performed an operation.
  Operation: Click the kick out button to forcibly log the administrator out.

Caution: Users can enable the Telnet and SSH methods at the same time, but only one login method can be used to log in to the device.

2.6 Configuration file

The configuration file function saves the current system configuration to your local system. With it, if many devices in the network share the same configuration, you can configure one device, export its configuration file to your local system, and then import that configuration file from the other devices.

To enter the configuration file page, choose Basic > System management > Administrator > Configuration file from the navigation tree, as shown in the following figure.

Figure2-29 Configuration file

Table2-14 describes the configuration items of configuration file.

Table2-14 Configuration file configuration items
  Configuration file: Displays the name of the configuration file. The first line displays the factory default configuration file.
  Last save: Displays the last time the configuration file was saved.
  Software version: Displays the software version of the configuration file you saved last time.
  Operation: Allows you to save, export, switch or delete a configuration file by clicking the save icon, the export icon, the switch icon or the delete icon. For the factory default configuration file, only the switch operation is available.

To create a new configuration file, take the following steps:
1. Click the New config button in the upper left corner of the webpage.
2. Configure the file name in the new line of the configuration file list, and click the Save icon.

To import a configuration file and apply it, take the following steps:
1. Click the Browse button beside the file path, select the configuration file to be downloaded, and click the Download button. The downloaded configuration file is displayed in the configuration file list.
2. Click the switch icon to switch the configuration file. A pop-up window asks you to confirm the switch and warns that the device will restart afterwards.
3. Click the Ok button.

To upload your configuration file to a server, take the following steps:
1. Select the TFTP or FTP protocol to be used to upload your configuration file to the server.
2. Configure the server address to which the configuration file is uploaded, such as /test.
3. On the server, run the 3CDaemon software and create a new folder, such as test.
4. Click the Upload button beside the file name.

To download a configuration file, take the following steps:
1. Select the TFTP or FTP protocol to be used to download the configuration file from the server.
2. Configure the server address from which the configuration file is downloaded, such as /test.
3. On the server, run the 3CDaemon software and select the software version to be downloaded.
4. Click Download beside the file path.

To save the configuration file on your device at regular intervals, take the following steps:
1. Enable the Time save device configuration option.
2. Select the unit settings.
3. Select the time settings.

Note: Refer to the above steps if you want to save, export or delete a configuration file.

2.7 Hot patching

Hot patching is a fast and low-cost method of repairing software defects. Compared with upgrading the software version, the main advantage of hot patching is that the running services of the device are not interrupted; that is, you do not need to reboot the device for its current software to be repaired.

51 To enter the patch page, you can choose Basic > System management > Administrator > Patch from navigation tree, as shown in Figure2-29. Figure2-30 Hot patching 2.8 Signature database APP signature Introduction to the APP signature APP signature module displays APP signature version information and allows user to upgrade APP signature database automatically or manually. To enter the APP signature page, you can choose Basic > System management > Signature > APP Signature from navigation tree, as shown in Figure2-31. Figure2-31 APP signature Version Information Version information is used to display version information of APP signature database. To enter the version information page, you can choose Basic > System management > Signature > APP signature from navigation tree, as showing in Figure2-32. Figure2-32 Signature version information 2-33

52 Table2-15 describes the details of the version information. Table2-15 Version information Current version History version Valid period Downgrade Displays the release date, signature version and update time of the current APP signature. Displays the release date, signature version of the version which you have updated last time. Displays when you can update the signature database. Click the downgrade button that you can downgrade the APP signature database to the previous version. To downgrade a signature database version, you can take the following steps: Click Downgrade button in the upper right corner, the system prompt you that signature database will be downgraded to a history version, continue? Click Confirm button After you downgrade the signature database version, current signature version become history version Auto-upgrade Settings Auto-upgrade settings help user to get the newest signature database from official website in every specific time, real time updating signature database. To enter the auto-upgrade settings interface, you can choose Basic > System management > Signature > APP signature from navigation tree, as shown in Figure2-33. Figure2-33 Auto-upgrade settings Table2-16 describes the details of auto-upgrade settings. Table2-16 The auto-upgrade settings Enable Auto-upgrade Configure whether to enable or disable the auto-upgrade function. 2-34

53 Click the check box of the enable auto-upgrade, and then the configuration can be used. Start time Time interval Upgrade address Sets the auto-upgrade start time. Sets the auto-upgrade time interval. Sets the IP address for signature database auto-upgrading. To auto-upgrade a signature database version: Click enable auto-upgrade Click the start time table and then select auto-upgrade start time. Select time interval After you finished the above steps, click the Save button Manual upgrade Manual upgrade allows you to upgrade signature database when you need it. And user can export specific signature database file from your local system and manual upgrade the signature database. To enter the manual upgrade interface, you can choose Basic > System management > Signature > APP Signature from navigation tree, as shown in Figure2-34. Figure2-34 Manual upgrade Table2-17 describes the configuration items of the manual upgrade settings. Table2-17 Manual upgrade configuration items File path Select signature database upgrade packet file path and select which upgrade packet should be downloaded. To manual upgrade a signature database version: Click the Browse button Select which upgrade packet to be downloaded. After you finish the above steps, click Confirm button in the right side in the upper right corner. 2-35

54 Note: During signature database upgrade process, the interface will skip to the upgrade process interface. Figure2-35 Upgrade progress interface URL classification filtering signature Introduction to URL classification filtering signature URL classification filtering signature module displays URL classification filtering signature version information and allows user to upgrade URL classification filtering signature database automatically or manually. To enter the URL classification filtering signature page, you can choose Basic > System management > Signature > URL classification filtering from navigation tree, as shown in Figure2-36. Figure2-36 URL classification filtering signature Version Information Version information is used to display version information of URL classification filtering signature database. To enter the version information page, you can choose Basic > System management > Signature > URL classification filtering signature from navigation tree, as showing in Figure

55 Figure2-37 Signature version information Table2-18 describes the details of the version information. Table2-18 Version information Current version History version Valid period Downgrade Displays the release date, signature version and update time of the current URL classification filtering signature. Displays the release date, signature version of the version which you have updated last time. Displays when you can update the signature database. Click the downgrade button that you can downgrade the URL classification filtering signature database to the previous version. To downgrade a signature database version, you can take the following steps: Click Downgrade button in the upper right corner, the system prompt you that signature database will be downgraded to a history version, continue? Click Confirm button After you downgrade the signature database version, current signature version become history version Auto-upgrade settings Auto-upgrade settings help user to get the newest signature database from official website in every specific time, real time updating signature database. To enter the auto-upgrade settings page, you can choose Basic > System management > Signature > URL classification filtering signature from navigation tree, as shown in Figure2-38. Figure2-38 Auto-upgrade settings Table2-19 describes the details of auto-upgrade settings. 2-37

56 Table2-19 The auto-upgrade settings Enable Auto-upgrade Start time Time interval Upgrade address Configure whether to enable or disable the auto-upgrade function. Click the check box of the enable auto-upgrade, and then the configuration can be used. Sets the auto-upgrade start time. Sets the auto-upgrade time interval. Sets the IP address for signature database auto-upgrading. To auto-upgrade a signature database version: Click enable auto-upgrade Click the start time table and then select auto-upgrade start time. And then select time interval for the auto-upgrade settings After you finish the above steps, click the Save button Manual upgrade Manual upgrade allows you to upgrade signature database when you need it. And user can export specific signature database file from your local system and manual upgrade the signature database. To enter the manual upgrade interface, you can choose Basic > System management > Signature > URL classification filtering signature from navigation tree, as shown in Figure2-39. Figure2-39 Manual upgrade Table2-20 describes the configuration items of the manual upgrade settings. Table2-20 Manual upgrade configuration items File path Select signature database upgrade packet file path and select which upgrade packet should be downloaded. To manual upgrade a signature database version: Click the Browse button 2-38

57 Select which upgrade packet to be downloaded. After you finish the above steps, click Confirm button in the right side in the upper right corner. Note : During signature database upgrade process, the interface will skip to the upgrade process interface. Figure2-40 Upgrade progress interface AV signature To enter AV signature page, you can choose Basic > System Management > Signature database > License management from navigation tree, as shown in Figure2-43. Figure2-41 AV signature IPS signature To enter IPS signature page, you can choose Basic > System Management > Signature database > IPS signature from navigation tree, as shown in Figure

Figure2-42 IPS signature

License management
The license management module is the license registration page; it lets you import and export the license file.
To enter the license management page, choose Basic > System Management > Signature database > License management from the navigation tree, as shown in Figure2-43.
Figure2-43 License management
To export the license file to your local system: click the Export File button; in the dialog the system opens, select a path for the license file and click the Save button.
To import a license file from your local system: click the Browse button, select the license file to upload, and then click the Import File button.

2.9 Software version
Software version provides the functions of managing and upgrading the device software version.
To enter the software version interface, choose Basic > System Management > Software Version from the navigation tree, as shown in Figure2-44.
Figure2-44 Software version
Table2-21 describes the configuration items of the software version.
Table2-21 Software version configuration items
Image name: Displays the name of the software image.
Image version: Displays the version number of the software image.
Current status: Displays the status of the software image, such as in use.
Operation: Click the save or delete icon to perform the operation. The software version currently in use cannot be deleted.
The software for the next boot: Selects the software version that runs the next time the device reboots.
Download IP address: Downloads a software version from UMC. Configure the IP address and port number from which the file is downloaded, and then click the Reboot after finishing upgrade button.

To upload a software version file and apply it:
Click the Browse button, select the software version file to upload, and then click the Download button.
On the software version page, the uploaded software version is displayed. Move the mouse pointer to the software version for the next boot; the pointer becomes a pencil icon. Click the drop-down list and select a software version.
Click the Ok button.

Reboot the device. The configuration takes effect after the reboot.

2.10 NTP
NTP synchronizes the clocks of all devices in the network so that they keep consistent time and can support the applications that depend on time synchronization.
To enter the NTP page, choose Basic > System Management > NTP from the navigation tree, as shown in Figure2-45.
Figure2-45 NTP configuration
Table2-22 describes the configuration items of NTP server mode.
Table2-22 NTP server mode configuration items
NTP server address: Configures the IP address or domain name of the NTP server.
Master-slave server: Selects whether this NTP server is the master NTP server.
NTP client subnet: Configures the IP segment of the NTP clients that may synchronize with this server.
Mask: Configures the subnet mask of the NTP client segment.
Authentication: Selects whether to enable NTP client authentication.
Operation: Click the copy icon or the delete icon to copy or delete an NTP configuration entry.

NTP server mode configuration steps:
Select server mode as the NTP work mode.
Configure the NTP server IP address or domain name, and select whether the server is the master server.
Configure the NTP client segment and mask.
Click the Ok button in the upper right corner of the page.

The NTP client configuration is shown in Figure2-46.
Figure2-46 NTP client configuration
Table2-23 describes the configuration items of NTP client mode.
Table2-23 NTP client mode
NTP server address: Configures the NTP server address and selects whether to enable authentication.

NTP client mode configuration steps:
Select client mode as the NTP work mode.
Enter the NTP server IP address or domain name.
Select whether to enable authentication.
Click the Ok button in the upper right corner of the page.
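The authentication item in the two NTP tables above is what protects the device clock: without it, anyone who can spoof the configured server's address can shift the firewall's time, and with it the timestamps in its logs and its validity checks on certificates and CRLs. The Python script below is an added example, not DPtech code; it shows what that option does on the wire under the RFC 5905 symmetric-key scheme: a 4-byte key ID and an MD5 digest of the shared secret followed by the 48-byte NTP header are appended to each message, and the receiver recomputes and compares the digest. The key table, the key ID and the timestamp are constructed for the illustration.

```python
"""NTP symmetric-key authentication as specified in RFC 5905 section 7.3.

Added example, not DPtech code. The key table, key ID and timestamp are
constructed so that the script runs offline.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48              # fixed NTPv4 header
KEY_ID_LEN, DIGEST_LEN = 4, 16   # authenticator = key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01

# Constructed key table. The same ID and secret must be configured on the
# NTP server and on every client (here, the firewall) that authenticates.
TRUSTED_KEYS = {1: b"constructed-example-secret"}


def build_client_header(transmit_unix_time: float) -> bytes:
    """Return a 48-byte NTPv4 client request (LI=0, VN=4, Mode=3).

    Only the transmit timestamp is filled in; a client leaves stratum,
    root delay/dispersion, reference ID and the other timestamps at zero.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    seconds = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    fraction = int((transmit_unix_time % 1) * (1 << 32)) & 0xFFFFFFFF
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # flags, stratum, poll, precision
    return head + bytes(36) + struct.pack("!II", seconds, fraction)


def authenticate(header: bytes, key_id: int) -> bytes:
    """Append the RFC 5905 authenticator: key ID, then MD5(secret || header)."""
    digest = hashlib.md5(TRUSTED_KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes) -> bool:
    """Accept a packet only if its digest matches a key in the trusted table."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False  # unauthenticated (bare 48 bytes) or malformed
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    secret = TRUSTED_KEYS.get(key_id)
    if secret is None:
        return False  # unknown key ID: never fall back to "unauthenticated"
    expected = hashlib.md5(secret + header).digest()
    return hmac.compare_digest(expected, packet[-DIGEST_LEN:])


def demo() -> dict:
    """Exercise the accept and reject paths; returns the outcome of each check."""
    header = build_client_header(1_700_000_000.5)
    good = authenticate(header, 1)
    tampered = bytearray(good)
    tampered[44] ^= 0x01  # flip one bit inside the transmit timestamp
    wrong_key = good[:NTP_HEADER_LEN] + struct.pack("!I", 99) + good[-DIGEST_LEN:]
    return {
        "packet_length": len(good),
        "authenticated_ok": verify(good),
        "bare_header_rejected": not verify(header),
        "tampered_rejected": not verify(bytes(tampered)),
        "unknown_key_rejected": not verify(wrong_key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The digest is keyed by the shared secret, so the tag cannot be forged by anyone who only observes the packets; the secret therefore has to be configured identically on the server and on the firewall and handled like any other shared key. A receiver that falls back to accepting unauthenticated packets when the key ID is unknown loses the protection entirely, which is why the check above rejects such packets outright.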

2.11 Virtual management system
Virtual management system configuration
A virtual management system is a new system created from the existing operating system. It has the same functions as the original system, and you can switch flexibly between it and the original system.
To enter the virtual management system page, choose Basic > System Management > Virtual System from the navigation tree, as shown in Figure2-47.
Figure2-47 Virtual management system

Virtual management system parameter settings
To enter the virtual management system parameter settings page, choose Basic > System Management > Virtual management system parameter settings from the navigation tree, as shown in Figure2-48.
Figure2-48 Virtual management system parameter settings
Table2-24 describes the configuration items of the virtual system settings.
Table2-24 Virtual system setting configuration items
Name: Configures the name of the virtual system.
Session limit: Configures the maximum number of sessions of the virtual system.

2.12 OVC
To enter the OVC configuration page, choose Basic > System Management > OVC from the navigation tree, as shown in Figure2-49.
Figure2-49 OVC configuration

2.13 VRF
VPN Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist in the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used in different instances without conflict.
To enter the VRF page, choose Basic > System management > VRF from the navigation tree, as shown in Figure2-50.
Figure2-50 Virtual system
Table2-25 describes the configuration items of the VRF.
Table2-25 VRF configuration items
Enable VRF configuration: Selects whether to enable the VRF configuration.
Name: Configures the name of the virtual device.

Interface: Selects one or more interfaces for each virtual device.
Manage server: Selects whether to enable the management service function.
Operation: Click the copy icon to copy a VRF entry, or the delete icon to delete a VRF entry.

2.14 Digital certificate
Introduction to digital certificate
A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used to encrypt messages and to verify digital signatures), and the digital signature of the issuing CA, so that a recipient can verify that the certificate is genuine.
To enter the digital certificate configuration page, choose Basic > System management > Digital certification > Certification configuration from the navigation tree, as shown in Figure2-51.
Figure2-51 Certification configuration
Device information configuration provides the function of configuring the basic information of the digital certificate.

To enter the device information configuration page, choose Basic > System management > Digital certification > Certification configuration from the navigation tree, as shown in Figure2-52.
Figure2-52 Device information configuration
Table2-26 describes the configuration items of the device information configuration.
Table2-26 Device information configuration items
Common name: Specifies the common name, from 1 to 31 characters.
IP address: Enters the IP address of the device.
Country: Selects the country of the device.
State: Configures the state of the device.
City: Configures the city of the device.
Company: Configures the company name of the device.
Department: Configures the department of the device.
RSA key length: Sets the length of the device's RSA key pair (2048 bits is the current minimum recommended for new keys).

To configure the device information:
Configure all items of the device information configuration, and then select the RSA key length.
Click the Ok button in the upper right corner of the page.

CA server configuration is used to configure the information of the CA server.
To enter the CA server interface, choose Basic > System management > Digital certification > Certification configuration from the navigation tree, as shown in the following figure.

Figure2-53 CA server configuration
Table2-27 describes the configuration items of the CA server.
Table2-27 CA server configuration items
CA ID: Configures the CA ID.
Certificate application URL: Configures the URL to which certificate applications are submitted.
How to apply for a certificate: Selects how to apply for a certificate.
Root certificate authentication algorithm: Selects the hash algorithm used to check the root certificate fingerprint.
Root certificate fingerprint: Sets the expected fingerprint of the CA root certificate. Obtain this value from the CA over a channel other than the application URL itself, since the device uses it to decide whether the root certificate it receives is the genuine one.

To configure the CA server:
Configure the CA ID.
Configure the certificate application URL.
Select a method of applying for a certificate.
Configure the certificate query number and the certificate query time interval.
Click the Ok button in the upper right corner of the page.

CRL server configuration is used to configure the CRL server information.
To enter the CRL server configuration interface, choose Basic > System management > Digital certification from the navigation tree, as shown in the following figure.
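The root certificate authentication algorithm and root certificate fingerprint items in Table2-27 pin the CA: only a root certificate whose digest matches the entered value is accepted. The Python script below is an added example, not DPtech code; it shows how such a fingerprint is computed and checked: the digest is taken over the DER bytes rather than the PEM text, the colon-separated form that CA tools display is normalized before comparison, a digest of the wrong length (a SHA-1 value checked as SHA-256) simply fails to match, and the comparison is constant-time. The "certificate" it uses is a constructed PEM blob, not a real X.509 certificate, so the script runs offline.

```python
"""Pinning a CA root certificate by fingerprint.

Added example, not DPtech code. CONSTRUCTED_ROOT_PEM is made-up bytes in PEM
armor, not a real X.509 certificate, so the script runs offline.
"""
import base64
import hashlib
import hmac
import re

SUPPORTED_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed stand-in for the root certificate file a CA would hand out.
CONSTRUCTED_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(bytes(range(64))).decode() + "\n"
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the armor and decode; the fingerprint is always over the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest as colon-separated upper-case hex, the form CA tools display."""
    digest = SUPPORTED_ALGORITHMS[algorithm](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and return bare lower-case hex."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if not cleaned or len(cleaned) % 2:
        raise ValueError("fingerprint is not a sequence of hex bytes")
    return cleaned


def matches_pin(pem: str, algorithm: str, pinned: str) -> bool:
    """True only if the certificate's digest equals the pinned value.

    Different digest lengths compare unequal instead of raising, and the
    comparison is constant-time.
    """
    actual = normalize(fingerprint(pem_to_der(pem), algorithm))
    return hmac.compare_digest(actual, normalize(pinned))


def demo() -> dict:
    """Compute the pin for the constructed root and exercise the checks."""
    pin = fingerprint(pem_to_der(CONSTRUCTED_ROOT_PEM), "sha256")
    # A different certificate body presented at the same application URL.
    other_der = pem_to_der(CONSTRUCTED_ROOT_PEM)[:-1] + b"\x00"
    other_pem = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(other_der).decode()
                 + "\n-----END CERTIFICATE-----\n")
    return {
        "pin": pin,
        "exact_match": matches_pin(CONSTRUCTED_ROOT_PEM, "sha256", pin),
        "bare_lowercase_match": matches_pin(CONSTRUCTED_ROOT_PEM, "sha256",
                                            pin.replace(":", "").lower()),
        "wrong_algorithm_rejected": not matches_pin(CONSTRUCTED_ROOT_PEM, "sha1", pin),
        "substituted_root_rejected": not matches_pin(other_pem, "sha256", pin),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

When entering the value into the CA server page, make sure the algorithm selected under "Root certificate authentication algorithm" is the one the CA used to publish its fingerprint; as the demo shows, a correct fingerprint checked under a different algorithm is indistinguishable from a wrong certificate.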

Figure2-54 CRL server configuration
Table2-28 describes the configuration items of the CRL server.
Table2-28 CRL server configuration
How to get URL: Selects how the CRL URL is obtained.
Obtain CRL URL: Sets the CRL URL when manual configuration is selected.

To configure the CRL server:
Select how the URL is obtained.
If you select the manual configuration option, configure the Obtain CRL URL item.
Click the Confirm button.

Certificate management
Certificate management is used to obtain the key of a certificate, apply for a certificate, and manage certificates and CRLs.
To enter the certificate management interface, choose Basic > System management > Digital certification > Certification management from the navigation tree, as shown in the following figure.

Figure2-55 Certificate management
Key management is used to generate a new key for the certificate and lets you view or hide the key information.
To enter the key management page, choose Basic > System management > Digital certificate > Certificate management from the navigation tree, as shown in Figure2-56.
Figure2-56 Key management
Note: By factory default the device has no certificate key.
Click the Hide key information button to view or hide the RSA public key information.
Certificate application is used to generate the certificate application information and lets you submit the certificate application online or offline.
To enter the certificate management interface and view the certificate application, choose Basic > System management > Digital certification > Certificate management from the navigation tree, as shown in the following figure.

Figure2-57 Certificate application
The certificate management module provides two ways to obtain a certificate: importing the certificate offline and obtaining the certificate online.
To view certificate management, choose Basic > System management > Digital certification > Certificate management from the navigation tree, as shown in Figure2-58.
Figure2-58 Certificate management
Table2-29 describes the items of certificate management.
Table2-29 Certificate management
Certificate file name: Displays the name of the certificate file.
Certificate issuer: Displays the certificate issuer.
Certificate subject/distinguished name (DN): Displays the certificate subject or distinguished name (DN).
Certificate expiration date: Displays the expiration date of the certificate.
Certificate type: Displays the type of the certificate.
Certificate operation: Click the browse icon to view the detailed information of the certificate, or the delete icon to delete a certificate file.

CRL management provides these functions: importing a CRL offline, starting and stopping the CRL query, and exporting CRL files. It also lets you manage CRLs, for example to view the detailed information of a CRL or to delete a CRL.
To enter the certificate management interface and view CRL management, choose Basic > System management > Digital certification > Certificate management from the navigation tree, as shown in Figure2-59.
Figure2-59 CRL management
Table2-30 describes the items of CRL management.
Table2-30 CRL management
CRL file name: Displays the name of the CRL file.
CRL issuer: Displays the CRL issuer.
Current CRL update date: Displays the update time of the current CRL.
Next CRL update date: Displays the next update time of the CRL. Once this time has passed, the CRL is stale and revocations issued since then are unknown to the device.
CRL operation: Click the browse icon to view the detailed information of the CRL, or the delete icon to delete a CRL.

2.15 Installation Package
To enter the installation package interface, choose Basic > System management > Installation Package from the navigation tree, as shown in Figure2-60.
Figure2-60 Install option

To upload an installation package:
Click the Browse button and select the installation package to upload.
Click the Download button.

2.16 Management center
Centralized management lets one firewall use a single interface to manage several firewalls in the network. Like using one remote control for all the electrical appliances in your home, centralized management can greatly simplify the administrator's work.
To enter the centralized management page, choose Basic > System management > Management center from the navigation tree, as shown in Figure2-61.
Figure2-61 Management center

Chapter 3 Network Management
3.1 Introduction to network management
Network management provides the functions related to the device's network configuration:
Interface management
3G Dial-up
Network object
Forwarding
IPv6_Tunnel
IPv6 autoconfig
IPv4 unicast routing
IPv4 multicast routing
IPv6 multicast routing
Policy-based routing
ICMP
MPLS
ARP
DNS
DHCP
BFD
Wireless
Diagnostic tool
Lan switch
To access the network management menu, choose Basic > Network, as shown in the following figure.

Figure3-1 Manage center
3.2 Interface management
Interface management provides the functions for configuring the network mode: networking configuration, VLAN configuration, interface configuration, port aggregation, and logic interface configuration.

Networking configuration
You can configure the working mode of the FW device's interfaces according to the network mode you require, and select the interface type. If you select a Layer 2 interface, configure a VLAN ID for it. If you select a Layer 3 interface, configure an IP address for it.
To enter the networking configuration page, choose Basic > Network > Interface management > Networking configuration from the navigation tree, as shown in the following figure.

Figure3-2 Networking configuration
VLAN configuration
VLAN configuration provides the function of configuring VLAN IDs and applying them to interfaces in Layer 2 network mode.

VLAN interface configuration
To enter the VLAN interface configuration page, choose Basic > Network > Interface management > VLAN interface configuration from the navigation tree, as shown in Figure3-3.
Figure3-3 VLAN Interface configuration

VLAN frame manage
To enter the VLAN frame manage page, choose Basic > Network > VLAN configuration > VLAN frame manage from the navigation tree, as shown in the following figure.

Figure3-4 VLAN frame manage
Interface configuration
Interface configuration
Service interface configuration lets you view and modify the status of the device's interfaces.
To enter the interface configuration page, choose Basic > Network > Interface management > Interface configuration, as shown in Figure3-5.
Figure3-5 Interface configuration

Interface rate beyond warning
To enter the interface rate beyond warning page, choose Basic > Network > Interface management > Interface rate beyond warning, as shown in the following figure.

Figure3-6 Interface rate beyond warning
Port aggregation
Port aggregation configuration
Port aggregation binds multiple links into one logical channel to increase link bandwidth. The bound links also back each other up dynamically, which improves link reliability.
To enter the port aggregation configuration page, choose Basic > Network > Interface management > Port aggregation, as shown in Figure3-7.
Figure3-7 Port aggregation configuration

Aggregation group status
To enter the aggregation group status page, choose Basic > Network > Interface management > Port aggregation status, as shown in Figure3-8.
Figure3-8 Aggregation group status

3.2.5 Port mirroring
Local mirroring
To enter the local mirroring page, choose Basic > Network > Interface management > Local mirroring, as shown in Figure3-9.
Figure3-9 Local mirroring

Remote source mirroring
To enter the remote source mirroring page, choose Basic > Network > Interface management > Remote source mirroring from the navigation tree, as shown in Figure3-10.
Figure3-10 Remote source mirroring

Remote destination mirroring
To enter the remote destination mirroring page, choose Basic > Network > Interface management > Remote destination mirroring from the navigation tree, as shown in Figure3-11.
Figure3-11 Remote destination mirroring

Logic interface
A logic interface divides one physical interface into several logical interfaces, so that data can be switched between sub interfaces. Logic interface configuration includes sub interface, loopback interface, and PPP interface configuration.

Sub interface configuration
To enter the sub interface configuration page, choose Basic > Network > Interface management > Logic interface > Sub interface, as shown in Figure3-12.
Figure3-12 Sub interface configuration

Loopback interface configuration
To enter the loopback interface configuration page, choose Basic > Network > Interface management > Logic interface > Loopback interface, as shown in Figure3-13.
Figure3-13 Loopback interface configuration

PPP interface configuration
To enter the PPP interface configuration page, choose Basic > Network > Interface management > Logic interface > PPP interface from the navigation tree, as shown in Figure3-14.
Figure3-14 PPP interface configuration

Template interface
To enter the template interface page, choose Basic > Network > Interface management > Logic interface > Template interface from the navigation tree, as shown in Figure3-15.
Figure3-15 Template interface

IPsec interface
To enter the IPsec interface page, choose Basic > Network > Interface management > Logic interface > IPsec interface from the navigation tree, as shown in Figure3-16.
Figure3-16 IPsec interface

GRE
To enter the GRE page, choose Basic > Network > Interface management > GRE from the navigation tree, as shown in Figure3-17.
Figure3-17 GRE

3.3 3G Dial-up
3G dial-up lets the device connect to the Internet over 3G. You can select a network operator for the 3G dial-up, choose whether to enable reconnection after disconnection, and add a default route.
To enter the 3G Dial-up page, choose Basic > Network > 3G dial-up from the navigation tree, as shown in Figure3-18.
Figure3-18 3G dial-up

3.4 Network object
Security zone
Introduction to security zone
On early dual-homed firewalls, policies were configured based on the inbound and outbound interfaces of a packet. As firewalls developed, they came to connect not only the internal and external networks but also the internal network, the external network, and the Demilitarized Zone (DMZ), and to provide high port densities: a high-end firewall can offer dozens of physical interfaces connecting many logical subnets. In such an environment, interface-based policy configuration requires a security policy for every interface, which creates a heavy workload for administrators and raises the probability of security problems caused by misconfiguration.
Industry-leading firewalls solve this by implementing security policies based on security zones. A security zone is an abstraction that can include physical interfaces, logical interfaces, and Trunk interface + VLAN combinations. Interfaces added to the same security zone have consistent security requirements, so an administrator can classify interfaces by their security needs (assign them to different zones) and manage policies hierarchically. For example, on the firewall in the following figure, the administrator adds the interface connecting the R&D area to Zone_RND and the interface connecting the servers to Zone_DMZ, and then only needs to deploy security policies for the two zones. If the network changes later, the administrator only adjusts the interfaces in a zone, without modifying the security policies.
The security zone management feature not only simplifies policy maintenance but also separates network services from security services.

Security zone
To enter the security zone page, choose Basic > Network > Network object > Security zone from the navigation tree, as shown in Figure3-19.
Figure3-19 Security zone
Table3-1 describes the configuration items of the security zone.

Table3-1 Security zone configuration items
Serial number: Displays the serial number of the security zone.
Zone name: Specifies a name for the security zone.
Interface: Selects the interfaces that belong to the security zone.
Priority: Specifies the priority of the security zone.
Description: Specifies the description of the security zone.
Operation: Click the copy icon or the delete icon to perform the operation.

Typical configuration for security zone
1. Network requirement
Figure3-20 Network diagram for configuring security zones
2. A company uses Device as the network border firewall to connect the internal network to the Internet and to provide WWW and FTP services to the external network. You need to perform some basic configuration of the firewall zones to prepare for configuring the security policies. The internal network is a trusted network and may access the servers and the external network, so you deploy it in the Trust zone, which has the higher priority, and connect the interface eth0/0 on Device to the internal network. The external network is untrusted, and you need strict security rules to control access from it to the internal network and the servers, so you deploy it in the Untrust zone, which has the lower priority, and connect the interface gige 0_0 on Device to the external network. If you deploy the WWW and FTP servers on the external network, their security cannot be ensured; if you deploy them on the internal network, illegal external users may exploit security holes in the servers to attack the internal network. Therefore, you deploy the servers in the DMZ zone, whose priority lies between Trust and Untrust, and connect the Ethernet interface eth0/1 on Device to the servers. In this way, a server in the DMZ zone can access the external network in the lower-priority Untrust zone, but its access to the internal network in the higher-priority Trust zone is controlled by the security rules.
3. Configuration procedure:
By default, the system has created the Trust, DMZ and Untrust zones and defined their priorities.
(1) Deploy the Trust zone. Select Basic > Network > Network object > Security zone from the navigation tree to enter the security zone interface, select the interface eth0_0 for the Trust zone, and click the Ok button.
(2) Deploy the DMZ zone. Select Basic > Network > Network object > Security zone from the navigation tree to enter the security zone interface, select the interface eth0_1 for the DMZ zone, and click the Ok button.
(3) Deploy the Untrust zone. Select Basic > Network > Network object > Security zone from the navigation tree to enter the security zone interface, select the interface eth0_7 for the Untrust zone, and click the Ok button.

IP address
Introduction to IP address
The IP address function provides address objects and address object groups. They divide the internal network addresses into groups and apply them in the extended applications, so that internal users can be managed effectively.

IP address object
To enter the IP address object page, choose Basic > Network > Network object > IP address > IP address object from the navigation tree, as shown in the following figure.
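The typical security zone configuration above uses zone priority as the default policy between zones: a flow from a higher-priority zone to a lower-priority one is allowed, the reverse direction needs an explicit rule, and a later network change is handled by moving interfaces between zones rather than by editing rules. The Python model below is an added example, not DPtech code, and makes that behaviour concrete for the Trust/DMZ/Untrust layout described. The numeric priorities, the intra-zone default and the interface names are assumptions made for the illustration.

```python
"""Zone-based policy lookup for the Trust/DMZ/Untrust layout described above.

Added example, not DPtech code. Priority values, interface names and the
default inter-zone behaviour are assumptions taken from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str
    priority: int                      # higher value = more trusted (assumed scale)
    interfaces: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                        # "permit" or "deny"


class ZonePolicy:
    def __init__(self, zones: List[Zone]) -> None:
        self.zones: Dict[str, Zone] = {z.name: z for z in zones}
        self.rules: List[Rule] = []
        self._zone_of: Dict[str, str] = {}
        for z in zones:
            for ifname in list(z.interfaces):
                self.assign(ifname, z.name)

    def assign(self, ifname: str, zone: str) -> None:
        """Put an interface in a zone; an interface belongs to exactly one zone."""
        if zone not in self.zones:
            raise KeyError(f"unknown zone {zone}")
        old = self._zone_of.get(ifname)
        if old is not None and old != zone:
            self.zones[old].interfaces.remove(ifname)   # moving between zones
        if ifname not in self.zones[zone].interfaces:
            self.zones[zone].interfaces.append(ifname)
        self._zone_of[ifname] = zone

    def zone_of(self, ifname: str) -> Optional[str]:
        return self._zone_of.get(ifname)

    def add_rule(self, src_zone: str, dst_zone: str, action: str) -> None:
        self.rules.append(Rule(src_zone, dst_zone, action))

    def evaluate(self, in_if: str, out_if: str) -> Tuple[str, str]:
        """Decide for a flow entering in_if and leaving out_if: (action, reason)."""
        src, dst = self.zone_of(in_if), self.zone_of(out_if)
        if src is None or dst is None:
            return "deny", "interface not assigned to any zone"
        for r in self.rules:               # explicit inter-zone rules take precedence
            if r.src_zone == src and r.dst_zone == dst:
                return r.action, f"rule {src}->{dst}"
        if src == dst:
            return "permit", "intra-zone"   # assumption: same-zone traffic is not filtered
        if self.zones[src].priority > self.zones[dst].priority:
            return "permit", f"{src} has higher priority than {dst}"
        return "deny", f"{src}->{dst} needs an explicit rule"


def demo() -> dict:
    """Apply the zone layout of the typical configuration and report decisions."""
    policy = ZonePolicy([
        Zone("Trust", 85, ["eth0_0"]),
        Zone("DMZ", 50, ["eth0_1"]),
        Zone("Untrust", 5, ["eth0_7"]),
    ])
    before = {
        "trust_to_internet": policy.evaluate("eth0_0", "eth0_7")[0],
        "internet_to_trust": policy.evaluate("eth0_7", "eth0_0")[0],
        "dmz_to_internet": policy.evaluate("eth0_1", "eth0_7")[0],
        "dmz_to_trust": policy.evaluate("eth0_1", "eth0_0")[0],
        "internet_to_dmz": policy.evaluate("eth0_7", "eth0_1")[0],
        "unzoned_interface": policy.evaluate("eth0_3", "eth0_7")[0],
    }
    # Publish the WWW/FTP servers with one explicit rule (in practice narrowed
    # to the server addresses and services); no interface changes needed.
    policy.add_rule("Untrust", "DMZ", "permit")
    # Network change: a second internal segment on eth0_2 joins Trust; only
    # zone membership changes, the rules stay as they are.
    policy.assign("eth0_2", "Trust")
    after = {
        "internet_to_dmz": policy.evaluate("eth0_7", "eth0_1")[0],
        "new_internal_to_internet": policy.evaluate("eth0_2", "eth0_7")[0],
        "internet_to_trust": policy.evaluate("eth0_7", "eth0_0")[0],
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The model shows why the order of steps in the typical configuration matters: interfaces must be placed in zones first, because a flow touching an interface that belongs to no zone cannot be classified and is dropped, and any explicit rule is expressed between zones, not between interfaces, so adding eth0_2 to Trust later requires no rule change.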

Figure3-21 IP address object
Table3-2 describes the configuration items of the IP address object.
Table3-2 IP address object configuration items
Serial number: Displays the serial number of the IP address object.
Name: Specifies a name for the IP address object.
Content: Displays the IP range of the IP address object and the excepted IP addresses.
Description: Specifies the description of the IP address object.
Policy reference: Shows whether the IP address object is referenced by a policy.
Operation: Click the copy icon or the delete icon to perform the operation.

IP address object group
To enter the IP address object group page, choose Basic > Network > Network object > IP address > IP address object group from the navigation tree, as shown in Figure3-22.
Figure3-22 IP address object group
Table3-3 describes the items of the IP address object group.

Table3-3 IP address object group
No.: Displays the sequence number of the IP address object group.
Name: Displays the name of the IP address object group.
Content: Displays the address objects contained in the group.
Description: Displays the description of the IP address object group.
Policy reference: Displays which policies reference the IP address object group.
Operation: Click the copy icon or the delete icon to perform the operation.

IPv6 address
Introduction to IPv6 address
To enter the IPv6 address page, choose Basic > Network > Network object > IPv6 address from the navigation tree, as shown in Figure3-23.
Figure3-23 IPv6 address

MAC address
Introduction to MAC address
To enter the MAC address page, choose Basic > Network > Network object > MAC address from the navigation tree, as shown in the following figure.

Figure3-24 MAC address
MAC address group
To enter the MAC address group page, choose Basic > Network > Network object > MAC address group from the navigation tree, as shown in Figure3-25.
Figure3-25 MAC address group
Table3-4 describes the items of the MAC address group.
Table3-4 MAC address group
Mac address: Displays the MAC addresses created under MAC address.
Mac address group: Creates a MAC address group and adds MAC addresses to it.

MAC address manage
To enter the MAC address manage page, choose Basic > Network > Network object > MAC address manage from the navigation tree, as shown in the following figure.

Figure3-26 MAC address manage
Account
A user that is added to the account list can access the Internet.

Account user
To enter the account user page, choose Basic > Network > Network object > Account > Account user from the navigation tree, as shown in Figure3-27.
Figure3-27 Account user
Table3-5 describes the configuration items of the account user.
Table3-5 Account user
From UMC: Configures the UMC IP address and port number.
From domain name: Configures the LDAP server.
SN: Displays the sequence number of the account user.
Account list: Lets you configure account users manually.
Description: Lets you configure the description of the account user.
Operation: Click the copy icon or the delete icon to perform the operation.

Domain name
The domain name function provides domain name to IP address translation, which lets you view the IP address once a domain name has been configured.
To enter the domain name page, choose Basic > Network > Network object > Domain name from the navigation tree, as shown in Figure3-28.
Figure3-28 Domain name

Service
A service object defines the type and characteristics of the protocol carried by IP (such as TCP or UDP source port/destination port, or ICMP message type/code) and can be referenced in a policy as a packet matching condition.

Predefined service object
To enter the predefined service object page, choose Basic > Network > Network object > Service > Predefined service object from the navigation tree, as shown in the following figure.
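Address objects (Table3-2 and Table3-3, with their IP ranges and excepted addresses) and service objects (protocol plus TCP/UDP ports or ICMP type/code) are the match conditions a policy rule references. The Python script below is an added example, not DPtech code; it implements both object types and shows that a rule matches a packet only when source, destination and service all match, including the effect of an excepted address and of a service object group. The object names, the sample packets and the stand-in predefined services are constructed for the illustration.

```python
"""Address objects and service objects as policy match conditions.

Added example, not DPtech code. Object names, sample packets and the
stand-in predefined services are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass
class AddressObject:
    """IP ranges plus excepted addresses, as shown in the Content column."""
    name: str
    ranges: List[str]       # "10.1.0.0/24" or "10.1.2.10-10.1.2.20"
    exceptions: Set[str] = field(default_factory=set)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr == ipaddress.ip_address(e) for e in self.exceptions):
            return False    # an excepted address never matches, whatever the ranges say
        for r in self.ranges:
            if "-" in r:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in r.split("-"))
                if lo <= addr <= hi:
                    return True
            elif addr in ipaddress.ip_network(r, strict=False):
                return True
        return False


@dataclass(frozen=True)
class ServiceObject:
    """Protocol with a destination port range, or ICMP type/code (-1 = any)."""
    name: str
    proto: str
    dport_lo: int = 0
    dport_hi: int = 65535
    icmp_type: int = -1
    icmp_code: int = -1

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.proto == "icmp":
            return (self.icmp_type in (-1, pkt.icmp_type)
                    and self.icmp_code in (-1, pkt.icmp_code))
        return self.dport_lo <= pkt.dport <= self.dport_hi


# Constructed stand-ins for the predefined service objects.
PREDEFINED = {
    "http": ServiceObject("http", "tcp", 80, 80),
    "ftp": ServiceObject("ftp", "tcp", 21, 21),
    "ping": ServiceObject("ping", "icmp", icmp_type=8, icmp_code=0),
}


def group_matches(group: List[ServiceObject], pkt: Packet) -> bool:
    """A service object group matches when any of its members matches."""
    return any(s.matches(pkt) for s in group)


def rule_matches(pkt: Packet, src: AddressObject, dst: AddressObject,
                 services: List[ServiceObject]) -> bool:
    """Source, destination and service conditions must all hold."""
    return src.contains(pkt.src) and dst.contains(pkt.dst) and group_matches(services, pkt)


def demo() -> dict:
    """Match constructed packets against a LAN -> DMZ web/ftp rule."""
    lan = AddressObject("LAN", ["10.1.0.0/24"], exceptions={"10.1.0.254"})
    dmz_web = AddressObject("DMZ_web", ["172.16.0.10-172.16.0.12"])
    web_ftp = [PREDEFINED["http"], PREDEFINED["ftp"]]   # a service object group

    def check(src, dst, proto, sport=0, dport=0):
        return rule_matches(Packet(src, dst, proto, sport, dport), lan, dmz_web, web_ftp)

    return {
        "http_from_lan": check("10.1.0.5", "172.16.0.11", "tcp", 40000, 80),
        "ftp_from_lan": check("10.1.0.5", "172.16.0.10", "tcp", 40001, 21),
        "ssh_not_in_group": check("10.1.0.5", "172.16.0.11", "tcp", 40002, 22),
        "excepted_source": check("10.1.0.254", "172.16.0.11", "tcp", 40003, 80),
        "outside_dst_range": check("10.1.0.5", "172.16.0.13", "tcp", 40004, 80),
        "ping_matches_echo": PREDEFINED["ping"].matches(
            Packet("10.1.0.5", "172.16.0.11", "icmp", icmp_type=8, icmp_code=0)),
        "ping_ignores_echo_reply": PREDEFINED["ping"].matches(
            Packet("172.16.0.11", "10.1.0.5", "icmp", icmp_type=0, icmp_code=0)),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry over to the device's pages: an excepted address in an address object removes that host from every rule that references the object, and a packet that matches the address objects but none of the services in the group (SSH against a web/ftp group here) does not match the rule at all, so it falls through to whatever rule or default comes next.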

Figure3-29 Predefined service object
User-defined service object
To enter the user-defined service object page, choose Basic > Network > Network object > Service > User-defined service object from the navigation tree, as shown in Figure3-30.
Figure3-30 User-defined service object

Service object group
To enter the service object group page, choose Basic > Network > Network object > Service > Service object group from the navigation tree, as shown in Figure3-31.
Figure3-31 Service object group

3.5 Forwarding
Forwarding
To enter the forwarding page, choose Basic > Network > Network object > Forwarding > Forwarding from the navigation tree, as shown in the following figure.

Figure3-32 Forwarding
Forwarding mode
To enter the forwarding mode page, choose Basic > Network > Network object > Forwarding > Forwarding mode from the navigation tree, as shown in Figure3-33.
Figure3-33 Forwarding mode

Neighbor discover
To enter the neighbor discover page, choose Basic > Network > Network object > Forwarding > Neighbor discover from the navigation tree, as shown in Figure3-34.
Figure3-34 Neighbor discover

3.6 Trans_Tech
DS_LITE
To enter the DS_Lite page, choose Basic > Network > Trans_Tech > DS_Lite from the navigation tree, as shown in Figure3-35.
Figure3-35 DS_Lite

3.7 6to4 tunnel
To enter the 6to4 tunnel page, choose Basic > Network > 6to4 tunnel from the navigation tree, as shown in Figure3-36.
Figure3-36 6to4 tunnel
Table3-6 6to4 tunnel configuration items
State
Tunnel ID: Configures the tunnel ID number.
Tunnel IP: Configures the IP address of the tunnel interface.
Tunnel source interface IP: Selects whether the tunnel source is given as a source address or as a source interface.
Tunnel Dest IP: Configures the tunnel destination IP address.
Operation: Click the copy icon or the delete icon to perform the operation.

91 3.8 Autoconfig Stateless configuration To enter the stateless configuration page, you can choose Basic> Network > Stateless configuration, as shown in Figure3-37. Figure3-37 Stateless configuration 3.9 IPv4 unicast routing IPv4 unicast routing IPv4 unicast routing allows you to configure IPv4 static routing manually. After you configured IPv4 static routing, data packets will be transmitted to the destination according to your requirement Configure static route Introduction to static route Static route is a kind of special route that configured by administrator manually. After static route is configured, data packets go to the specific destination will be forwarded to the paths designated by administrator. In a simple network, network communication can be realized only by configure the static route. If you set and use static route properly, it can improve the network performance and guarantee bandwidth for important applications. When you configure static route, you should understand the following: 1. Destination IP address and mask When you configure static route, destination IP address and mask must be in dotted decimal notation format. 2. Outbound interface and next hop When you configure static route, you can specify the outbound interface and next hop. Whether you specify the outbound interface or next hop, you should depend on the real condition. Routing cannot take effect if the next hop is local interface IP address. 3-73

In practice, every route entry has an explicit next hop. When a packet is sent, its destination address is looked up in the routing table to find the matching route; only when the next hop is known can the link layer resolve the corresponding link-layer address and forward the packet.

3. Priority
You can assign different priorities to different static routes and so apply a flexible route management policy. For example, with several routes to the same destination: routes with the same priority share the load, while routes with different priorities act as primary and backup.

To enter the configure static route page, choose Basic > Network > IPv4 unicast routing > Configure static route from the navigation tree, as shown in Figure3-38.

Figure3-38 Configure static route

Table3-7 describes the configuration items of the configure static route page.

Table3-7 Configure static route
Batch configure static route: Allows you to import static routes in batch.
Batch delete: Allows you to delete static routes in batch.
Destination subnet: Allows you to configure the destination network segment.
Subnet mask: Allows you to configure the subnet mask.
Describe: Allows you to configure a description for the static route.
Gateway (next hop): Allows you to configure the gateway (next hop).
Advanced configuration: Allows you to configure the advanced options.
Operation: Click the copy icon or the delete icon to perform the operation.

Monitoring

To enter the health check page, choose Basic > Network > IPv4 unicast routing > Health check from the navigation tree, as shown in Figure3-39.

Figure3-39 Health check

To configure static routes, take the following steps:

1. Import static routes in batch: Select Basic > Network > IPv4 unicast routing > Configure static route from the navigation tree to enter the configure static route page. Click the Browse button, select a CSV file, and then click the Ok button. After the import, confirm the entries in the basic routing table. Export static routes in batch: Click the Export CSV File button, select a file path, and then click the Ok button.

2. Configure a static route manually: Configure the destination address: , subnet mask: , gateway (next hop): , interface: auto, next hop: , and leave the advanced configuration at its default.

Routing table

Basic routing table

The basic routing table page provides a basic routing table query. You can select the all routes, designated destination network segment or designated destination IP radio button to look up the routing table, as shown in Figure3-40.

To enter the basic routing table page, choose Basic > Network > IPv4 unicast routing > Basic routing table from the navigation tree, as shown in Figure3-40.

Figure3-40 Basic routing table

Table3-8 describes the items of the basic routing table.

Table3-8 Basic routing table
Destination network segment: Allows you to view the destination network segment.
Subnet mask: Allows you to view the destination subnet mask.
Gateway (Next hop): Allows you to view the gateway (next hop) address.
Outbound interface: Allows you to view the outbound interface of the route.

Detailed routing table

The detailed routing table page provides a detailed routing table query. You can select the all routes, designated destination network segment, designated protocol or designated destination IP radio button to look up the routing table.

To enter the detailed routing table page, choose Basic > Network > IPv4 unicast routing > Detailed routing table from the navigation tree, as shown in Figure3-41.

Figure3-41 Detailed routing table

Table3-9 describes the items of the detailed routing table.

Table3-9 Detailed routing table
Destination subnet: Allows you to view the destination IP address.
Subnet mask: Allows you to view the subnet mask of the destination.
Gateway (Next hop): Allows you to view the gateway (next hop) IP address.
Outbound interface: Allows you to view the interface on which packets are forwarded.
Status: Allows you to view whether the route is active.
Protocol: Allows you to view how the route was generated: Static, Connect, RIP, OSPF, BGP or Guard.
Priority: Allows you to view the route priority.
Cost: Allows you to view the route cost.
Type: Allows you to view the route type.

Equal-cost route

Equal-cost multipath (ECMP) routing means that several paths with the same cost exist to the same destination IP address or network segment. When the device supports equal-cost routes, Layer 3 traffic to that destination is shared across the paths, which balances the network load. If some of the paths fail, the traffic moves to the remaining ones, so equal-cost routes also provide redundancy.

To enter the equal-cost route page, choose Basic > Network > IPv4 unicast routing > Equal-cost route load balancing from the navigation tree, as shown in Figure3-42.

Figure3-42 Equal-cost route

BGP

Introduction to BGP

Border Gateway Protocol (BGP) is a dynamic routing protocol used between autonomous systems (AS). An autonomous system is a set of routers under a single technical administration that share a common routing policy. There were three early BGP versions: BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC 1267). The version in use today is BGP-4 (RFC 4271), the de facto exterior gateway protocol of the Internet, used between ISPs.

Configure BGP

To enter the configure BGP page, choose Basic > Network > IPv4 unicast routing > BGP from the navigation tree, as shown in Figure3-43.

Figure3-43 Configure BGP

Table3-10 describes the configuration items of the BGP neighbor configuration.

Table3-10 BGP neighbor configuration
Neighbor IP: Configure the IP address of the BGP neighbor.

Neighbor AS: Configure the AS number of the neighbor.
The max hop of EBGP: Configure the maximum number of hops to an EBGP neighbor (EBGP multihop).
Authentication information: Select the BGP authentication method: none or MD5 (the TCP MD5 signature option, RFC 2385; the same password must be configured on both peers or the session will not come up).
Advanced configuration: Allows you to configure the advanced options.
Routing capacity: Allows you to select a routing capacity.
Operation: Click the copy, delete or insert icon to perform the operation.

To configure a BGP neighbor, take the following steps:
Select the enable BGP checkbox and enter the local AS number.
Configure the neighbor items.
Click the Ok button in the upper right corner of the webpage.

Table3-11 describes the details of the BGP advanced configuration.

Table3-11 BGP advanced configuration
Router ID: Configure the router ID. The default is auto.
Redistribute route: Select which routes are redistributed into BGP.
Router priority: Configure the router priority.
BGP graceful restart: Enable BGP graceful restart.

To configure the BGP advanced configuration, take the following steps:
Click advanced configuration.
Configure the router ID.
Select which kinds of routes are redistributed.
Click the Ok button in the upper right corner.

Table3-12 describes the details of the BGP route aggregation configuration.

Table3-12 BGP route aggregation
Destination network segment: Configure the destination network segment of the aggregate route.
Subnet mask: Configure the mask of the aggregate route.
Advanced configuration: Select the options: compute the AS-PATH attribute when aggregating (AS-SET), and advertise only the aggregate route rather than the detailed routes (summary only).
Operation: Click the copy icon, delete icon or insert icon to perform the operation.

To configure route aggregation, take the following steps:
Configure each item of the route aggregation.
Click the Ok button in the upper right corner of the webpage.

Configure BGP-VPN

To enter the configure BGP-VPN page, choose Basic > Network > IPv4 unicast routing > Configure BGP-VPN from the navigation tree, as shown in Figure3-44.

Figure3-44 Configure BGP-VPN

Table3-13 describes the configuration items of the configure BGP-VPN page.

Table3-13 BGP-VPN configuration items
VRF: Allows you to select a VRF.
Enable: Allows you to enable or disable the BGP-VPN function.
RD: Allows you to configure the route distinguisher (RD).
RT: Allows you to configure the route targets (RT) for import and export.
Redistribute a route: Allows you to select which routes are redistributed into BGP.

BGP-VPN configuration steps:

Firewall device A:

Select Basic > System > Virtual system from the navigation tree to enter the virtual system page, and enable the virtual system configuration.
Select Basic > System > VRF from the navigation tree to enter the VRF page, create a new VRF such as VRF_A, and select a virtual system and an interface for the VRF.
Select Basic > Network > IPv4 unicast routing > BGP from the navigation tree to enter the BGP page.
Enable the MPLS and LDP functions and configure BGP-VPN, for example: select VRF_A, configure RD 1:100, RT import 1:200 and RT export 1:300, and select which routes are redistributed into BGP.

Firewall device B:
Select Basic > System > Virtual system from the navigation tree to enter the virtual system page, and enable the virtual system configuration.
Select Basic > System > VRF from the navigation tree to enter the VRF page, create a new VRF such as VRF_A, and select a virtual system and an interface for the VRF.
Select Basic > Network > IPv4 unicast routing > BGP from the navigation tree to enter the BGP page.
Enable the MPLS and LDP functions and configure BGP-VPN, for example: select VRF_A, configure RD 1:100, RT import 1:300 and RT export 1:200, and select which routes are redistributed into BGP.

Note that the route targets are mirrored: the RT that device A exports (1:300) is the RT that device B imports, and vice versa. A VPN route is installed in a VRF only if it carries an RT that the VRF imports, so a mismatch here leaves the VRF without the remote routes.

BGP neighbor information

To enter the BGP neighbor information page, choose Basic > Network > IPv4 unicast routing > BGP Neighbor Information from the navigation tree, as shown in Figure3-45.

Figure3-45 BGP neighbor information

Table3-14 describes the items of the BGP neighbor information.

Table3-14 BGP neighbor information
Neighbor IP: Displays the IP address of the neighbor.
Neighbor AS: Displays the AS number of the neighbor.
Neighbor ID: Displays the router ID of the neighbor.

Neighbor status: Displays the status of the neighbor.
Local outbound interface ID: Displays the ID of the local outbound interface.
Established time: Displays the time when the BGP neighbor relationship was established.
Timeout time: Displays the timeout time of the BGP neighbor.

RIP

Introduction to RIP

The Routing Information Protocol (RIP) is a distance-vector routing protocol that uses the hop count as its routing metric. RIP prevents routing loops by limiting the number of hops allowed in a path from source to destination: the maximum is 15 hops. This limit also bounds the size of the networks RIP can support. A hop count of 16 is treated as an infinite distance and is used to mark inaccessible, inoperable or otherwise undesirable routes as unreachable during route selection.

Configure RIP

To enter the RIP page, choose Basic > Network > IPv4 unicast routing > RIP from the navigation tree, as shown in Figure3-46.

Figure3-46 Configure RIP

Table3-15 describes the configuration items of the RIP interface configuration.

Table3-15 RIP interface configuration
Interface name: Displays the name of the interface.
Enabling status: Allows you to enable or disable RIP on the interface.
Authentication information: Allows you to configure RIP authentication for the interface.
Advanced configuration: Allows you to configure the advanced options.

Table3-16 describes the configuration items of the RIP advanced configuration.

Table3-16 RIP advanced configuration
Route priority: Allows you to configure the route priority.
Route update timer: Allows you to configure the interval between routing updates.
Route aging timer: Allows you to configure the route aging timer.
Garbage collection timer: Allows you to configure the garbage collection timer.
Indirect neighbor: Allows you to add or delete neighbors that are not directly connected.
Redistribute route: Allows you to select which routes are redistributed into RIP.

Display RIP state

To enter the RIP state page, choose Basic > Network > IPv4 unicast routing > RIP from the navigation tree, as shown in Figure3-47.

Figure3-47 Display RIP state

OSPF

Open Shortest Path First (OSPF) is a link-state interior gateway protocol developed by the OSPF working group of the Internet Engineering Task Force (IETF). OSPF has the following features:

Wide scope: Supports networks of various sizes, up to several hundred routers in one OSPF routing domain.
Fast convergence: Floods updates immediately after a topology change so that routing information is synchronized across the AS.
Loop-free: Computes routes with the shortest path first (SPF) algorithm from the collected link states, so no routing loops are generated.
Area partition: Allows an AS to be split into areas for ease of management; routing information exchanged between areas is summarized to reduce bandwidth consumption.
Equal-cost multipath: Supports multiple equal-cost routes to a destination.
Routing hierarchy: Supports a four-level routing hierarchy that prioritizes intra-area, inter-area, external Type-1 and external Type-2 routes.
Authentication: Supports interface-based packet authentication to protect the exchange of protocol packets.
Multicast: Sends protocol packets as multicast on link types that support it.

OSPF

To enter the OSPF page, choose Basic > Network > IPv4 unicast routing > OSPF from the navigation tree, as shown in Figure3-48.

Figure3-48 Configure OSPF

Table3-17 describes the details of the OSPF advanced configuration.

Table3-17 OSPF advanced configuration
Route priority: Configure the route priority of the device.
Route device ID: Configure the router ID of the device.
NBMA neighbor: Add or delete NBMA neighbors of the device.
Redistribute route: Select which routes are imported into OSPF.
GR capacity settings: Configure the graceful restart (GR) capability.
GR timeout time: Configure the GR timeout (default 60 seconds).

To configure the OSPF advanced configuration, take the following steps:
Click advanced configuration, and then configure the route priority.
Set the router ID (auto uses the highest IP address among the device's interfaces).
Add NBMA neighbors.
Select which kinds of routes are redistributed.
Select the GR capability settings.
Enter the GR timeout time (default 60 seconds).
Click the Ok button in the upper right corner of the webpage.

Table3-18 describes the details of the OSPF area configuration.

Table3-18 OSPF area configuration
Area ID: Configure the ID number of the area.
Enable interface: Enable the interface in the area.
Advanced configuration: Configure the advanced options of the area.
Operation: Click the copy icon or the delete icon to perform the operation.

To configure an OSPF area, you should:
Configure the area ID number.

Select an interface for the area.
Configure the advanced configuration of the area.
Click the Ok button in the upper right corner of the webpage.

Table3-19 describes the details of the OSPF interface configuration.

Table3-19 OSPF interface configuration
Interface name: Displays all interface names of the device.
Hello interval: Allows you to configure the interval at which Hello packets are sent (default 10 seconds).
Dead interval: Allows you to configure how long the interface may go without receiving a Hello from a neighbor before that neighbor is declared down (default 40 seconds).
Authentication information: Allows you to select the authentication mode.
Advanced configuration: Allows you to configure the OSPF advanced options.

To configure an OSPF interface, you should:
Configure the interval at which the interface sends Hello packets.
Configure the dead interval after which a silent neighbor is declared down. The Hello and dead intervals must match on both ends of a link, or no adjacency forms.
Configure the OSPF authentication mode for the interface: None, Test authentication (a simple password, which travels in cleartext in every OSPF packet) or MD5 authentication (a keyed digest; the key itself never appears on the wire). Use MD5 on any link that is not fully trusted, with the same key ID and key on every router on the segment.
In the advanced configuration, select the cost, DR election priority, working mode and interface type for the interface.
Click the Ok button in the upper right corner of the webpage.

Note: The OSPF settings and the OSPF advanced configuration take effect only after OSPF is enabled.

OSPF interface information

To enter the OSPF interface information page, choose Basic > Network > IPv4 unicast routing > OSPF interface information from the navigation tree, as shown in Figure3-49.
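How the two OSPF authentication modes listed for the interface configuration differ on the wire, as a Python example added by the editor (not code from the guide or the device). It builds the OSPFv2 packet header of RFC 2328 A.3.1, computes the MD5 authentication digest of RFC 2328 Appendix D (MD5 over the packet followed by the key, zero-padded to 16 bytes, with the digest appended after the packet) and verifies a received packet by key ID, digest and cryptographic sequence number. Router IDs, keys and the Hello body are constructed; the body is a zeroed placeholder rather than a real Hello.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # RFC 2328 AuType values
HEADER_FMT, HEADER_LEN = "!BBH4s4sHH8s", 24


def _header(router_id, area_id, body_len, autype, auth_field):
    # OSPFv2 packet header (RFC 2328 A.3.1). The checksum is 0 in this constructed
    # sample; with cryptographic authentication it is 0 on the wire anyway, because
    # the digest rather than the checksum protects the packet. Length excludes the digest.
    return struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, HEADER_LEN + body_len,
                       ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area_id).packed,
                       0, autype, auth_field)


def _digest(packet, key):
    # RFC 2328 Appendix D.4.3: MD5 over the packet followed by the key, zero-padded to 16 bytes.
    if not 1 <= len(key) <= 16:
        raise ValueError("OSPF MD5 keys are 1 to 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def build_hello_md5(router_id, area_id, body, key_id, seq, key):
    """MD5 authentication: the 8-byte auth field carries 0, key ID, auth data
    length (16) and the cryptographic sequence number; the digest follows the packet."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(router_id, area_id, len(body), AU_CRYPTO, auth_field) + body
    return packet + _digest(packet, key)


def build_hello_simple(router_id, area_id, body, password):
    """Simple-password authentication: the password itself is the auth field,
    readable by anyone who can capture the segment."""
    return _header(router_id, area_id, len(body), AU_SIMPLE, password.ljust(8, b"\x00")[:8]) + body


def verify_hello_md5(wire, keys, last_seq):
    """Receiver-side check. keys maps key ID -> key; last_seq is the highest
    sequence number already accepted from this neighbor. Returns (ok, reason, seq)."""
    if len(wire) < HEADER_LEN:
        return False, "truncated header", None
    version, _ptype, length, _rid, _area, _csum, autype, auth_field = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if version != OSPF_VERSION or autype != AU_CRYPTO:
        return False, "not MD5-authenticated", None
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth_field)
    if auth_len != 16 or len(wire) != length + auth_len:
        return False, "bad authentication data length", None
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", None
    packet, trailer = wire[:length], wire[length:]
    if not hmac.compare_digest(_digest(packet, key), trailer):
        return False, "digest mismatch", None
    if seq < last_seq:          # RFC 2328 D.4.3: sequence numbers must be non-decreasing
        return False, "replayed or stale sequence number", None
    return True, "ok", seq


if __name__ == "__main__":
    body = bytes(20)            # constructed placeholder for the Hello body
    wire = build_hello_md5("10.0.0.1", "0.0.0.0", body, key_id=1, seq=100, key=b"s3cret")
    print(verify_hello_md5(wire, {1: b"s3cret"}, last_seq=99))                # (True, 'ok', 100)
    print(verify_hello_md5(wire, {1: b"s3cret"}, last_seq=101))               # replay rejected
    print(build_hello_simple("10.0.0.1", "0.0.0.0", body, b"plain")[16:24])  # the password, in clear
```

The sequence number is what stops a captured, validly signed Hello from being replayed later, which is why the receiver must remember the last accepted value per neighbor. The construction is the keyed MD5 the page offers; RFC 5709 adds HMAC-SHA variants for OSPFv2 where both ends support them.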

Figure3-49 OSPF interface information

Table3-20 describes the details of the OSPF interface information.

Table3-20 OSPF interface information
Querying item: Allows you to select the item to be queried.
Keyword: Shows the interface information that contains the keyword.
Interface name: Displays the OSPF interface.
Area: Displays the area to which the interface belongs.
Interface status: Displays the interface status.
COST: Displays the cost of the interface.
DR: Displays the DR of the interface's area.
BDR: Displays the BDR of the interface's area.
Neighbor number: Displays the number of neighbors on the interface.

To query the OSPF interface information, you should:
Select the item to be queried.
Type the keyword to query on the OSPF interface information page.
Click the Query button.

OSPF neighbor information

To enter the OSPF neighbor information page, choose Basic > Network > IPv4 unicast routing > OSPF neighbor information from the navigation tree, as shown in Figure3-50.

Figure3-50 OSPF neighbor information

Table3-21 describes the details of the OSPF neighbor information.

Table3-21 OSPF neighbor information
Querying item: Allows you to select the item to be queried.
Keyword: Shows the neighbor information that contains the keyword.
Neighbor ID: Displays the router ID of the neighbor.
Neighbor IP: Displays the IP address of the neighbor.
Priority: Displays the DR election priority of the neighbor.
Neighbor state: Displays the adjacency state of the neighbor.
To which area belongs: Displays the area to which the interface belongs.
Interface name: Displays the name of the interface.
DR: Displays the DR of the interface's area.
BDR: Displays the BDR of the interface's area.
Dead Time: Displays the time remaining before the neighbor is declared down if no further Hello is received.
Established time: Displays how long the neighbor relationship has been established.

To query the OSPF neighbor information, you should:
Select the item to be queried.
Enter the keyword to query on the OSPF neighbor information page.
Click the Query button.

IS-IS

Configure IS-IS

To enter the configure IS-IS page, choose Basic > Network > IPv4 unicast routing > IS-IS from the navigation tree, as shown in Figure3-51.

Figure3-51 Configure IS-IS

Table3-22 describes the details of the IS-IS advanced configuration.

Table3-22 IS-IS advanced configuration
Level: Displays the IS-IS level (area type).
NET: Configure the network entity title (NET) address.
Redistribute route: Allows you to select which routes are redistributed into IS-IS.

Table3-23 describes the details of the IS-IS interface configuration.

Table3-23 IS-IS interface configuration
Interface name: Displays the interface name.
Enabling status: Allows you to enable or disable IS-IS on the interface.
NET type: Allows you to configure the network type: broadcast or P2P.
Priority: Specify the interface priority used for DIS election on broadcast networks.
Hello interval: Specify the Hello interval.
Hello_multiplier: Specify the Hello multiplier; the hold time advertised to neighbors is the Hello interval multiplied by this value.

To configure the IS-IS advanced configuration, take the following steps:
Select enable to turn on the IS-IS function.

Click advanced configuration.
Configure the IS-IS level: Level-1, Level-2, or Level-1-2.
Configure the NET.
Enable an interface.
Click the Ok button in the upper right corner.

IS-IS neighbor information

To enter the IS-IS neighbor information page, choose Basic > Network > IPv4 unicast routing > IS-IS from the navigation tree, as shown in Figure3-52.

Figure3-52 IS-IS neighbor

Table3-24 describes the details of the IS-IS neighbor information.

Table3-24 IS-IS neighbor
Sys ID: Displays the system ID of the neighbor.
Type: Displays the adjacency level (area type).
Outbound interface: Displays the outbound interface.
IPv4 address: Displays the IPv4 address of the neighbor.
IPv6 address: Displays the IPv6 address of the neighbor.
State: Displays the adjacency state.
Hold Time: Displays the hold time.
Circuit ID: Displays the circuit ID.

IS-IS LSP

To enter the IS-IS LSP page, choose Basic > Network > IPv4 unicast routing > IS-IS LSP from the navigation tree, as shown in Figure3-53.
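The NET entered in the IS-IS advanced configuration is an area address (AFI octet plus up to 12 area octets), a 6-octet system ID (the Sys ID shown in the neighbor table) and a 1-octet NSEL, which is 00 for a router. The following Python example is added by the editor and is not from the guide or the device: it parses and validates a NET, derives a system ID from an IPv4 address in the common zero-padded convention (192.168.1.1 becomes 1921.6800.1001), and tells whether two routers share an area, which a Level-1 adjacency requires. Every NET and address in it is constructed.

```python
import re

# NET = area address (AFI octet + 0..12 area octets) . system ID (6 octets) . NSEL (1 octet)
_NET_RE = re.compile(
    r"^(?P<area>[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{4})*)"
    r"\.(?P<sysid>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
    r"\.(?P<nsel>[0-9A-Fa-f]{2})$"
)


def parse_net(net):
    """Split a NET into area, system ID and NSEL; raise ValueError if it is not a router NET."""
    m = _NET_RE.match(net.strip())
    if not m:
        raise ValueError(f"{net!r} is not of the form AFI[.AREA...].SYSID(3 groups).NSEL")
    area, sysid, nsel = m.group("area").lower(), m.group("sysid").lower(), m.group("nsel")
    if len(area.replace(".", "")) // 2 > 13:
        raise ValueError("area address is longer than 13 octets")
    if nsel != "00":
        raise ValueError("a router NET must end in NSEL 00")
    return {"area": area, "system_id": sysid, "nsel": nsel}


def is_valid_net(net):
    try:
        parse_net(net)
        return True
    except ValueError:
        return False


def system_id_from_ipv4(ipv4):
    """Zero-pad each octet to three digits and regroup into three 4-digit words,
    the usual way to get a unique system ID from a loopback address."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"{ipv4!r} is not a dotted decimal IPv4 address")
    digits = "".join(f"{int(o):03d}" for o in octets)      # 192.168.1.1 -> 192168001001
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_net(area, ipv4, nsel="00"):
    """Compose a router NET from an area address such as '49.0001' and a loopback IPv4."""
    net = f"{area}.{system_id_from_ipv4(ipv4)}.{nsel}"
    parse_net(net)                                         # reject a malformed area string early
    return net


def same_area(net_a, net_b):
    """Level-1 adjacencies form only between routers whose area addresses match."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


if __name__ == "__main__":
    # Constructed sample: two routers in area 49.0001 identified by their loopbacks.
    print(build_net("49.0001", "192.168.1.1"))             # 49.0001.1921.6800.1001.00
    print(parse_net("49.0001.1921.6800.1001.00"))
    print(same_area("49.0001.1921.6800.1001.00", "49.0002.0100.0000.0007.00"))   # False
```

Deriving the system ID from a loopback address keeps it unique across the domain without a separate registry; two routers that end up with the same system ID corrupt each other's LSPs, so a check like this belongs wherever NETs are generated in bulk.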

Figure3-53 IS-IS LSP

Table3-25 describes the details of the IS-IS LSP information.

Table3-25 IS-IS LSP
LSP ID: Displays the LSP ID.
Level: Displays the IS-IS level.
Sequence Number: Displays the sequence number.
Remaining Lifetime: Displays the remaining lifetime.
Operation: Click to view the detailed information.

Guard route

The Guard route is used together with BGP. BGP imports the guard route into the BGP routing table and advertises it to the BGP peer, so that traffic the peer would otherwise forward to other devices is diverted to the Guard device, which filters and scrubs it. Because the diversion is driven by a BGP advertisement, the peer should accept the guard prefix only from the Guard device.

To enter the guard route page, choose Basic > Network > IPv4 unicast routing > Guard from the navigation tree, as shown in Figure3-54.

Figure3-54 Guard route

3.11 IPv6 unicast routing

IPv6 unicast routing allows you to configure IPv6 static routes manually. Once a static route is configured, packets to its destination are forwarded along the path you specified.

Static route

To enter the static route page, choose Basic > Network > IPv6 unicast routing > Static route from the navigation tree, as shown in Figure3-55.

Figure3-55 Static route

To configure static routes in batch, take the following steps:
Click the Browse button to select a configuration file from the local disk.
Click the Ok button; the static route configuration file is imported immediately.
Click the Export button to export all static routes.

To configure an IPv6 static route manually, you should:
Set the IPv6 destination subnet address and prefix length (subnet mask).
Select the outbound interface and configure the next-hop address for the gateway (next hop).
Select the route priority, type and weight in the advanced configuration.
After you click the Ok button, the manually created static routes take effect immediately.

Basic routing table

The basic routing table page provides a basic routing table query. You can select the all routes or the specified destination subnet radio button to query the basic routing table.

To enter the basic routing table page, choose Basic > Network > IPv6 unicast routing > Basic routing table from the navigation tree, as shown in Figure3-56.

Figure3-56 Basic routing table

Table3-26 describes the details of the basic routing table.

Table3-26 Basic routing table
Destination subnet: Allows you to view the destination subnet address.
Subnet mask: Allows you to view the prefix length (subnet mask) of the destination subnet.
Gateway (Next hop): Allows you to view the gateway (next hop) address.
Outbound interface: Allows you to view the outbound interface of the route.

Detailed routing table

The detailed routing table page provides a detailed routing table query. You can select the all routes, specified destination subnet or specified protocol radio button to query the detailed routing table.

To enter the detailed routing table page, choose Basic > Network > IPv6 unicast routing > Detailed routing table from the navigation tree, as shown in Figure3-57.

Figure3-57 Detailed routing table

Table3-27 describes the details of the detailed routing table.

Table3-27 Detailed routing table
Destination subnet: Allows you to view the destination IPv6 address.
Subnet mask: Allows you to view the prefix length of the destination subnet.
Gateway (Next hop): Allows you to view the gateway (next hop) IPv6 address.
Outbound interface: Allows you to view the interface on which packets are forwarded.
Status: Allows you to view whether the route is active.
Protocol: Allows you to view how the route was generated: Static, Connect, RIP, OSPF, BGP or Guard.
Priority: Allows you to view the route priority.
Cost: Allows you to view the route cost.
Type: Allows you to view the route type.

RIPng

RIPng, the next-generation RIP, is derived from the RIP-2 protocol used in IPv4 networks, and most RIP concepts apply to RIPng as well. RIPng uses the hop count to measure the distance to a destination (also called the metric or cost). In RIPng, the distance from a router to a directly connected network counts as 0 hops, the distance to a network reachable through a directly connected router counts as 1 hop, and so on. When the hop count reaches or exceeds 16, the destination network or host is unreachable.
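The hop-count arithmetic above, and the same rules stated for RIP in the IPv4 section, as a Python model added by the editor rather than taken from the guide. It follows the guide's counting (0 for a directly connected network, one more per router crossed), caps metrics at 16 so that a network more than 15 routers away is never installed, and implements the split horizon option that the RIPng interface configuration offers, with poison reverse as a variant. Router names and network names are constructed.

```python
INFINITY = 16   # RIP and RIPng: a metric of 16 means unreachable


class Router:
    """A RIP/RIPng speaker holding dest -> (metric, next_hop). Following the guide's
    counting, a directly connected network has metric 0 and no next hop."""

    def __init__(self, name, connected=()):
        self.name = name
        self.routes = {net: (0, None) for net in connected}

    def reachable(self, dest):
        metric, _ = self.routes.get(dest, (INFINITY, None))
        return metric < INFINITY

    def advertisement(self, to_neighbor, split_horizon=True, poison_reverse=False):
        """Routes sent to one neighbor. Split horizon omits routes learned from that
        neighbor; poison reverse sends them with metric 16 instead of omitting them."""
        adv = {}
        for dest, (metric, next_hop) in self.routes.items():
            if split_horizon and next_hop == to_neighbor:
                if poison_reverse:
                    adv[dest] = INFINITY
                continue
            adv[dest] = metric
        return adv

    def receive(self, from_neighbor, adv):
        """Bellman-Ford update from a neighbor's advertisement; returns True if anything changed."""
        changed = False
        for dest, metric in adv.items():
            new = min(metric + 1, INFINITY)
            current = self.routes.get(dest)
            if current is None:
                if new < INFINITY:                      # never install an unreachable route
                    self.routes[dest] = (new, from_neighbor)
                    changed = True
            elif current[1] == from_neighbor:
                if new != current[0]:                   # the current next hop may worsen a route, even to 16
                    self.routes[dest] = (new, from_neighbor)
                    changed = True
            elif new < current[0]:                      # another neighbor offers a shorter path
                self.routes[dest] = (new, from_neighbor)
                changed = True
        return changed


def converge(routers, links, max_rounds=64, **adv_options):
    """Exchange advertisements over each (a, b) link until no table changes."""
    for _ in range(max_rounds):
        changed = False
        for a, b in links:
            changed |= routers[b].receive(a, routers[a].advertisement(b, **adv_options))
            changed |= routers[a].receive(b, routers[b].advertisement(a, **adv_options))
        if not changed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a chain of 18 routers with network N behind router 0.
    chain = {str(i): Router(str(i), ["N"] if i == 0 else []) for i in range(18)}
    converge(chain, [(str(i), str(i + 1)) for i in range(17)])
    print(chain["15"].routes["N"])        # (15, '14'): the last router that can still reach N
    print(chain["16"].reachable("N"))     # False: 16 hops is infinity
```

The split horizon rule is the reason the RIPng interface option should stay enabled in normal topologies: without it a router echoes a route back to the neighbor it came from, and after a failure the two count each other up toward 16 before the route finally dies.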

RIPng

To enter the RIPng page, choose Basic > Network > IPv6 unicast routing > RIPng from the navigation tree, as shown in Figure3-58.

Figure3-58 RIPng configuration

Table3-28 describes the details of the RIPng interface configuration.

Table3-28 RIPng interface configuration
Interface name: Displays all interfaces of the device.
Enabling status: Specify whether RIPng is enabled on the interface.
Advanced configuration: Specify the RIPng working mode of the interface and whether split horizon is enabled.

To configure the RIPng interface configuration, you should:
Select whether to enable RIPng on the interface.
Select the working mode (default: Active mode).
Select whether to enable split horizon. Split horizon keeps the router from advertising a route back on the interface it learned it from, which is the basic protection against routing loops; leave it enabled in normal topologies.
Click the Ok button in the upper right corner.

Table3-29 describes the details of the RIPng advanced configuration.

Table3-29 RIPng advanced configuration
Route update timer: Specify the interval between routing updates.
Route aging timer: Specify the time after which a route that has not been refreshed is marked unreachable.
Garbage recycle timer: Specify the time after which an unreachable route is deleted from the routing table.
Non direct neighbor: Specify neighbors that are not directly connected to the device.
Redistribute a route: Specify which routes are redistributed into RIPng.

To configure the RIPng advanced configuration:
Click advanced configuration.
Set the update timer (default 30 seconds).
Set the route aging timer (default 180 seconds).
Set the garbage recycle timer (default 120 seconds).
Select the routes you want to redistribute.
Click the Ok button in the upper right corner.

Note: RIPng and its advanced configuration can be used only after the RIPng function is enabled.

OSPFv3

Configuring OSPFv3

To enter the OSPFv3 page, choose Basic > Network > IPv6 unicast routing > OSPFv3 from the navigation tree, as shown in Figure3-59.

Figure3-59 OSPFv3 configuration

The OSPFv3 area configuration is shown in Figure3-60.

Figure3-60 OSPFv3 area configuration

Table3-30 describes the details of the OSPFv3 area configuration.

Table3-30 OSPFv3 area configuration
Create an area: Create an OSPFv3 area.
Area ID: Specify the area ID number.
Enable the interface: Specify an interface for the area.
Operation: Click the delete icon to delete an area.

To configure the OSPFv3 area configuration:
Click create an area.
Type in the area ID.
Add the interface to the newly created area.
Click the Ok button in the upper right.

Table3-31 and Table3-32 describe the details of the OSPFv3 interface configuration.

Table3-31 OSPFv3 interface configuration
Interface name: Displays all interfaces of the device.
Hello time interval: Specify the interval at which Hello packets are sent on the interface.
Dead time interval: Specify how long the interface may go without receiving a Hello before the neighbor is declared down.
Instance ID: Specify the instance ID.
Advanced configuration: Specify the OSPFv3 advanced options of the interface.

To configure the OSPFv3 interface configuration:
Set the Hello packet interval for the interface.
Set the dead interval for Hello packets.
Specify the instance ID.
Configure the items in the advanced configuration, including cost, DR priority, working mode and MTU.
Click the Ok button in the upper right.

Note: To configure OSPFv3, you must first add the interface to the OSPFv3 protocol. Unlike OSPFv2, OSPFv3 has no authentication field of its own; it relies on IPsec (RFC 4552) to protect its protocol packets, which is not configured on this page.

The OSPFv3 advanced configuration is shown in Figure3-61.

Figure3-61 OSPFv3 advanced configuration

Table3-32 describes the details of the OSPFv3 advanced configuration.

Table3-32 OSPFv3 advanced configuration
Router device ID: Specify the router ID.
Redistribute a route: Specify which routes are redistributed into OSPFv3.

To configure the OSPFv3 advanced configuration:
Click advanced configuration.
Set the router ID (auto uses the highest IP address among all interfaces).
Select the routes you want to redistribute.
Click the Ok button in the upper right corner.

OSPFv3 interface information

To access the OSPFv3 interface information, click Basic > Network > IPv6 unicast routing > OSPFv3 > OSPFv3 interface information, as shown in Figure3-62.

Figure3-62 OSPFv3 interface information

Table3-33 describes the details of the OSPFv3 interface information.

Table3-33 OSPFv3 interface information
Query item: Select the item you want to query.
Keywords: Displays the interface information that contains the keywords.
Interface name: Displays the OSPFv3 interface.
Area: Displays the area to which the interface belongs.
State: Displays the interface status.
COST: Displays the cost of the interface.

DR: Displays the DR of the area.
BDR: Displays the BDR of the area.
Neighbor count: Displays the number of neighbors on the interface.

OSPFv3 neighbor information

To access the OSPFv3 neighbor information, click Basic > Network > IPv6 unicast routing > OSPFv3 neighbor information, as shown in Figure3-63.

Figure3-63 OSPFv3 neighbor information

Table3-34 describes the details of the OSPFv3 neighbor information.

Table3-34 OSPFv3 neighbor information
Query item: Select the item you want to query.
Keyword: Displays the neighbor information that contains the keyword.
Neighbor ID: Displays the router ID of the neighbor.
Neighbor IP: Displays the IP address of the neighbor.
Priority: Displays the DR election priority of the neighbor.
Neighbor status: Displays the connection status of the neighbor.
Area: Displays the area to which the interface belongs.
Interface name: Displays the interface name.
DR: Displays the DR of the area.
BDR: Displays the BDR of the area.
Dead Time: Displays the dead time of the neighbor relationship.
Established time: Displays how long the neighbor relationship has been established.

Guard route

To enter the guard route page, choose Basic > Network > IPv6 unicast routing > Guard from the navigation tree, as shown in Figure3-64.

Figure3-64 Guard route

3.12 IPv4 multicast routing

Multicast addresses the problem of point-to-multipoint data delivery. By delivering data from one source to many receivers efficiently over an IP network, multicast saves network bandwidth and reduces network load.

Basic config

To enter the basic config page, choose Basic > Network > IPv4 multicast routing > Basic config from the navigation tree, as shown in Figure3-65.

Figure3-65 Basic config

Table3-35 describes the configuration items of the basic config.

Table3-35 Basic config
Interface name: Allows you to view all interfaces of the device.
Enabling status: Allows you to enable or disable multicast on the interface.
Multicast border: Allows you to configure the multicast address and subnet mask of the multicast boundary on the interface.

To configure the basic config, take the following steps:
Select an interface and enable it.
Configure the multicast address and subnet mask.
Click the Ok button in the upper right corner.

IGMP snooping

IGMP snooping

Internet Group Management Protocol snooping (IGMP snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.

To enter the IGMP snooping page, choose Basic > Network > IPv4 multicast routing > IGMP_Snooping interface from the navigation tree, as shown in Figure3-66.

Figure3-66 IGMP_Snooping

Table3-36 describes the configuration items of IGMP snooping.

Table3-36 IGMP snooping
VLAN: Displays the VLAN number.
Dynamic learning: Allows you to select whether to enable dynamic learning.

Quick leave: Allows you to select whether to enable quick leave. With quick leave enabled, when the device receives an IGMP leave message on a port, it removes that port from the forwarding entry of the group immediately, without first querying for other members. Enable it only on ports with a single attached host; on a port shared by several hosts it cuts off the remaining receivers of the group.
Static configuration: MAC address/member port: Displays the static configuration of group MAC address and member port.
Static configuration: Router port: Displays the static configuration of the router port.

IGMP snooping proxy

To enter the IGMP snooping proxy page, choose Basic > Network > IPv4 multicast routing > IGMP snooping proxy from the navigation tree, as shown in Figure3-67.

Figure3-67 IGMP snooping proxy

Table3-37 describes the configuration items of the IGMP configuration.

Table3-37 IGMP configuration
Interface name: Displays the name of the IGMP interface.
Version: Allows you to select the IGMP version.
Timer query interval: Allows you to set the query interval.
Max response time: Allows you to set the maximum response time.
Other querier: Allows you to set the other querier present interval.
Group num: Allows you to set the maximum number of IGMP multicast groups.
Static group: Allows you to configure static groups.
Group filter: Allows you to set the group filter.

IGMP snooping routing
To enter the IGMP snooping routing page, you can choose Basic > Network > IPv4 multicast routing > IGMP proxy from the navigation tree, as shown in Figure3-68.
Figure3-68 IGMP snooping routing

IGMP/IGMP proxy

IGMP
To enter the IGMP page, you can choose Basic > Network > IPv4 multicast routing > IGMP/IGMP Proxy > IGMP from the navigation tree, as shown in Figure3-69.
Figure3-69 IGMP proxy

IGMP SSM mapping
To enter the IGMP SSM mapping page, you can choose Basic > Network > IPv4 multicast routing > IGMP/IGMP Proxy > IGMP SSM Mapping from the navigation tree, as shown in Figure3-70.
Figure3-70 IGMP SSM mapping

IGMP proxy
To enter the IGMP proxy page, you can choose Basic > Network > IPv4 multicast routing > IGMP/IGMP Proxy > IGMP proxy from the navigation tree, as shown in Figure3-71.
Figure3-71 IGMP Proxy
Table3-38 describes the configuration items of IGMP proxy.

Table3-38 IGMP Proxy
Host interface configuration: Select whether to enable IGMP proxy on the host interface.
Route interface configuration: Select whether to enable IGMP proxy on each interface.

To configure IGMP proxy, you should take the following steps:
1. Select whether to enable IGMP proxy.
2. Set the host interface enable status.
3. Set the router interface enable status.
4. Click the Ok button in the upper right corner on the webpage.
Note: IGMP Proxy can be used only after you enable the IGMP Proxy function.

IGMP status
To enter the IGMP status interface, you can choose Basic > Network > IPv4 multicast routing > IGMP status from the navigation tree, as shown in Figure

Figure3-72 IGMP status
Table3-39 describes the configuration items of IGMP status.

Table3-39 IGMP status
Number: Displays the sequence number of the IGMP entry.
Interface name: Displays the name of the IGMP interface.
Group address: Displays the IGMP group address.
Source address: Displays the source address.
Group record types: Displays the group record types.

PIM

PIM
Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging static routes or unicast routing tables generated by any unicast routing protocol, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), or Border Gateway Protocol (BGP). Independent of the unicast routing protocols running on the device, multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes.
To enter the PIM page, you can choose Basic > Network > IPv4 multicast routing > PIM > PIM from the navigation tree, as shown in Figure

Figure3-73 PIM
Table3-40 describes the details of candidate BSR configuration.

Table3-40 Candidate BSR configuration
Candidate BSR enable status: Select the enabling status of the candidate BSR, including enable and disable.
Candidate BSR interface: Configure the candidate BSR interface.
Candidate BSR hash mask length: Configure the candidate BSR hash mask length.
Candidate BSR priority: Configure the candidate BSR priority.

To configure static RP configuration, you can choose Basic > Network > IPv4 multicast routing > PIM > Static RP configuration from the navigation tree, as shown in Figure3-74.
Figure3-74 Static RP configuration
Table3-41 describes the details of static RP configuration.

Table3-41 Static RP configuration
Static RP enabling status: Select the enabling status of static RP configuration, including enable and disable.
Static RP address: Configure the static RP address.
Static RP boundary: Configure the static RP boundary.

To configure candidate RP configuration, you can choose Basic > Network > IPv4 multicast routing > PIM > Candidate RP configuration from the navigation tree, as shown in Figure3-75.
Figure3-75 Candidate RP configuration
Table3-42 describes the details of candidate RP configuration.

Table3-42 Candidate RP configuration
Interface name: Displays the interfaces of the device.
Candidate RP enabling status: Allows you to enable or disable the candidate RP.
Candidate RP advertisement interval: Set the candidate RP advertisement interval.
Candidate RP priority: Set the candidate RP priority.
Candidate RP boundary: Allows you to view the candidate RP boundary.

To configure the PIM interface configuration, you can choose Basic > Network > IPv4 multicast routing > PIM from the navigation tree, as shown in Figure3-76.
Figure3-76 PIM interface configuration
Table3-43 describes the details of interface configuration.

Table3-43 Interface configuration
Interface name: Displays all interfaces of the device.
Enabling status: Select the enabling status of the interface configuration, including enable and disable.
Enable mode: Select whether to enable PIM-SM or PIM-DM mode.
Hello interval: Select the Hello interval, in seconds.
DR priority: Configure the DR priority.
BSR border: Select the enabling status of the BSR border, including enable and disable.

Admin scope zone
To enter the admin scope zone page, you can choose Basic > Network > IPv4 multicast routing > PIM > Admin scope zone, as shown in Figure3-77.
Figure3-77 Admin scope zone
Table3-44 describes the configuration items of Global zone configuration.

Table3-44 Global zone configuration
Global zone configuration: Enable or disable the Global zone.
Hash mask length: Set the hash mask length.
Priority: Set the priority.

To configure Global zone configuration, you can take the following steps:
1. Select to enable Global zone configuration and configure the other items.
2. Click the Ok button in the upper right corner on the webpage.
Table3-45 describes the configuration items of the global zone configuration.

Table3-45 Global zone configuration
SCOPE: Configure SCOPE.
Hash mask length: Set the hash mask length.
Priority: Set the priority.
Operation: Click the insert or delete icon to do the operations.

To configure global zone configuration, you should take the following steps:
1. Configure the scope and set the hash mask length.
2. Click the Ok button in the upper right corner on the webpage.
Note: Global zone configuration can be used only after you enable it.

PIM status
To enter the PIM status page, you can choose Basic > Network > IPv4 multicast routing > PIM > PIM status, as shown in Figure3-78.
Figure3-78 PIM status

BSR status
To enter the BSR status page, you can choose Basic > Network > IPv4 multicast routing > PIM > BSR status, as shown in Figure

Figure3-79 BSR status

RP-Mapping
To enter the RP-Mapping page, you can choose Basic > Network > IPv4 multicast routing > PIM > RP-Mapping from the navigation tree, as shown in Figure3-80.
Figure3-80 RP-Mapping

MSDP
Multicast Source Discovery Protocol (MSDP) establishes MSDP peer relationships among the RPs of different PIM-SM domains, so that source active (SA) messages can be forwarded among domains and multicast source information can be shared.

MSDP
To enter the MSDP page, you can choose Basic > Network > IPv4 multicast routing > MSDP from the navigation tree, as shown in Figure

Figure3-81 MSDP

Peer status
To enter the peer status page, you can choose Basic > Network > IPv4 multicast routing > MSDP > Peer status from the navigation tree, as shown in Figure3-82.
Figure3-82 Peer status

Cache status
To enter the cache status page, you can choose Basic > Network > IPv4 multicast routing > MSDP > Cache status from the navigation tree, as shown in Figure3-83.
Figure3-83 Cache status

Multicast VPN
To enter the Multicast VPN page, you can choose Basic > Network > IPv4 multicast routing > Multicast VPN from the navigation tree, as shown in Figure3-84.
Figure3-84 Multicast VPN

Multicast source proxy
To enter the multicast source proxy page, you can choose Basic > Network > IPv4 multicast routing > Multicast source proxy, as shown in Figure3-85.
Figure3-85 Multicast source proxy

Multicast source NAT
To enter the multicast source NAT page, you can choose Basic > Network > IPv4 multicast routing > Multicast source NAT from the navigation tree, as shown in Figure3-86.
Figure3-86 Multicast source NAT

Multicast destination NAT
To enter the multicast destination NAT page, you can choose Basic > Network > IPv4 multicast routing > Multicast destination NAT from the navigation tree, as shown in Figure

Figure3-87 Multicast destination NAT

Multicast static routing
To enter the multicast static routing page, you can choose Basic > Network > IPv4 multicast routing > Multicast static routing from the navigation tree, as shown in Figure3-88.
Figure3-88 Multicast static routing

Multicast routing table

Multicast routing table
To enter the multicast routing table page, you can choose Basic > Network > IPv4 multicast routing > Multicast routing table from the navigation tree, as shown in Figure3-89.
Figure3-89 Multicast routing table

PIM multicast routing table
To enter the PIM multicast routing table page, you can choose Basic > Network > IPv4 multicast routing > PIM multicast routing table from the navigation tree, as shown in Figure

Figure3-90 PIM multicast routing table

IGMP multicast routing table
To enter the IGMP multicast routing table page, you can choose Basic > Network > IPv4 multicast routing > IGMP multicast routing table, as shown in Figure3-91.
Figure3-91 IGMP multicast routing table

IGMP proxy routing table
To enter the IGMP proxy routing table page, you can choose Basic > Network > IPv4 multicast routing > IGMP proxy routing table from the navigation tree, as shown in Figure3-92.
Figure3-92 IGMP proxy routing table

3.13 IPv6 multicast routing

Basic Config
To enter the basic config page, you can choose Basic > Network > IPv6 multicast routing > Basic config, as shown in Figure3-93.
Figure3-93 Basic config
Table3-46 describes the details of basic config.

Table3-46 Basic config
Interface name: Displays all interfaces of the device.
Enabling status: Select a status of basic config, including enable and disable.

To configure the basic config, you should take the following steps:
1. Select the interface to be enabled and then select the Enable status for the interface.
2. Configure the multicast address and subnet mask for the interface.
3. Click the Ok button in the upper right corner on the webpage.

MLD
Multicast Listener Discovery (MLD) is a component of the Internet Protocol Version 6 (IPv6) suite. MLD is used by IPv6 routers to discover multicast listeners on a directly attached link, much as IGMP is used in IPv4.

MLD snooping
To enter the MLD snooping page, you can choose Basic > Network > IPv6 multicast routing > MLD snooping from the navigation tree, as shown in Figure

Figure3-94 MLD snooping

MLD
To enter the MLD page, you can choose Basic > Network > IPv6 multicast routing > MLD from the navigation tree, as shown in Figure3-95.
Figure3-95 MLD

MLD status
To enter the MLD status page, you can choose Basic > Network > IPv6 multicast routing > MLD status, as shown in Figure3-96.
Figure3-96 MLD status

PIM
Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging static routes or unicast routing tables generated by any unicast routing protocol, such as RIP, OSPF, IS-IS, or BGP.

PIM
To enter the PIM page, you can choose Basic > Network > IPv6 multicast routing > PIM from the navigation tree, as shown in Figure3-97.
Figure3-97 PIM

Admin scope zone
To enter the admin scope zone page, you can choose Basic > Network > IPv6 multicast routing > PIM > Admin scope zone from the navigation tree, as shown in Figure3-98.
Figure3-98 Admin scope zone
Table3-47 describes the configuration items of Global zone configuration.

Table3-47 Global zone configuration
Global zone configuration: Enable or disable the Global zone.
Hash mask length: Set the hash mask length.
Priority: Set the priority.

To configure Global zone configuration, you can take the following steps:
1. Select to enable Global zone configuration and configure the other items.
2. Click the Ok button in the upper right corner on the webpage.
Table3-48 describes the configuration items of the global zone configuration.

Table3-48 Global zone configuration
SCOPE: Configure SCOPE.
Hash mask length: Set the hash mask length.
Priority: Set the priority.
Operation: Click the insert or delete icon to do the operations.

To configure global zone configuration, you should take the following steps:
1. Configure the scope and set the hash mask length.
2. Click the Ok button in the upper right corner on the webpage.
Note: Global zone configuration can be used only after you enable it.

PIM status
To enter the PIM status page, you can choose Basic > Network > IPv6 multicast routing > PIM > PIM status from the navigation tree, as shown in Figure3-99.
Figure3-99 PIM status

BSR status
To enter the BSR status page, you can choose Basic > Network > IPv6 multicast routing > PIM > BSR status, as shown in Figure3-100.
Figure3-100 BSR status

RP-Mapping
To enter the RP-Mapping page, you can choose Basic > Network > IPv6 multicast routing > PIM > RP-Mapping, as shown in Figure3-101.
Figure3-101 RP-Mapping

PIM multicast routing table
To enter the PIM multicast routing table page, you can choose Basic > Network > IPv6 multicast routing > PIM > RP-Mapping from the navigation tree, as shown in Figure3-102.
Figure3-102 PIM multicast routing table

3.14 Policy-based routing

Introduction to policy-based routing
Policy-based routing (PBR) is a routing mechanism based on user-defined policies that are used to modify the next-hop address and mark packets, so as to provide differentiated network services. When the device forwards a packet, it first looks up the "forward by route-policy before route" table; if the packet does not match, the device looks up the static route table; if the packet still does not match, the device looks up the "forward by route-policy after route" table.
The policy-based routing (PBR) of DPtech is a technology that recognizes different network packets and forwards them according to policies created in advance. PBR can classify network packets according to different key fields and decide which policy-based route should be used, so it can effectively control network flows and behaviors.
PBR works at the IP layer, before IP forwarding. If a packet matches a PBR policy, the corresponding action is executed; the actions include redirecting to the next hop and remarking (such as ToS, IP priority, DSCP). The device then looks up the FIB table, according to the destination IP address as replaced by the next hop, to perform IP forwarding.

IPv6 policy-based routing

Policy-based routing
To enter the policy-based routing page, you can choose Basic > Network > Policy-based routing from the navigation tree, as shown in Figure
Figure3-103 Policy-based routing

Table3-49 describes the configuration items of policy-based routing.

Table3-49 Policy-based routing configuration items
ID: Displays the sequence number of the PBR policy.
Source subnet: Allows you to configure the source IP address of the PBR policy.
Destination subnet: Allows you to configure the destination IP address of the PBR policy.
ToS: Allows you to configure the type of service (ToS).
Inbound interface: Allows you to select the interface on which the PBR policy is enabled.
Protocol: Allows you to select the protocol matched by the PBR policy.
Nexthop: Allows you to configure the next-hop information.
Operation: Click the copy, delete or insert icon to do the operations.

Monitoring
To enter the monitoring page, you can choose Basic > Network > Monitoring from the navigation tree, as shown in Error! Reference source not found.
Figure3-104 Monitoring

IPv4 policy-based routing

Policy-based routing
To enter the policy-based routing interface, you can choose Basic > Network > Policy-based routing > Policy-based routing from the navigation tree, as shown in Figure

Figure3-105 Policy-based routing
Table3-50 describes the configuration items of policy-based routing.

Table3-50 Policy-based routing configuration items
ID: Displays the sequence number of the PBR policy.
Source subnet: Allows you to configure the source IP address of the PBR policy.
Destination subnet: Allows you to configure the destination IP address of the PBR policy.
ToS: Allows you to configure the type of service (ToS).
Inbound interface: Allows you to select the interface on which the PBR policy is enabled.
Protocol: Allows you to select the protocol matched by the PBR policy.
Nexthop: Allows you to configure the next-hop information.
Operation: Click the copy, delete or insert icon to do the operations.

Monitoring
To enter the monitoring page, you can choose Basic > Network > Policy-based routing > Monitoring from the navigation tree, as shown in Figure
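The following is an added example, not DPtech code, that shows the lookup order the introduction to policy-based routing describes (route-policy before route, then the static route table, then route-policy after route) using the policy fields of Table3-49 and Table3-50. The subnets, interface names, next hops and sample packets are constructed.

```python
# Added example (not DPtech code): a minimal policy-based routing lookup in the
# order the manual describes: route-policy "before route", then the static route
# table, then route-policy "after route". Policy fields follow Table3-49/3-50;
# subnets, interface names and next hops below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    tos: int
    in_iface: str
    proto: str          # "tcp", "udp", "icmp", ...

@dataclass
class PbrPolicy:
    pid: int                          # ID column: policies are tried in ID order
    src_subnet: str = "0.0.0.0/0"     # Source subnet
    dst_subnet: str = "0.0.0.0/0"     # Destination subnet
    tos: Optional[int] = None         # ToS, None = any
    in_iface: Optional[str] = None    # Inbound interface, None = any
    proto: Optional[str] = None       # Protocol, None = any
    nexthop: str = ""                 # Nexthop

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_subnet)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_subnet)
                and (self.tos is None or self.tos == p.tos)
                and (self.in_iface is None or self.in_iface == p.in_iface)
                and (self.proto is None or self.proto == p.proto))

def static_lookup(static_routes, dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, nexthop) static routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in static_routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def select_nexthop(pkt: Packet, before, static_routes, after):
    """Return (stage, nexthop, policy_id); (None, None, None) if nothing matches."""
    for pol in sorted(before, key=lambda x: x.pid):      # 1. route-policy before route
        if pol.matches(pkt):
            return ("before-route", pol.nexthop, pol.pid)
    nh = static_lookup(static_routes, pkt.dst)           # 2. static route table
    if nh is not None:
        return ("static-route", nh, None)
    for pol in sorted(after, key=lambda x: x.pid):       # 3. route-policy after route
        if pol.matches(pkt):
            return ("after-route", pol.nexthop, pol.pid)
    return (None, None, None)

# Constructed sample configuration.
BEFORE_ROUTE = [PbrPolicy(1, src_subnet="10.1.0.0/16", in_iface="ge0/1", nexthop="192.0.2.1")]
STATIC_ROUTES = [("198.51.100.0/24", "192.0.2.2")]
AFTER_ROUTE = [PbrPolicy(2, tos=0x10, nexthop="192.0.2.3")]

def route(pkt: Packet):
    return select_nexthop(pkt, BEFORE_ROUTE, STATIC_ROUTES, AFTER_ROUTE)

if __name__ == "__main__":
    for p in (Packet("10.1.2.3", "198.51.100.7", 0, "ge0/1", "tcp"),    # policy beats static route
              Packet("10.2.0.1", "198.51.100.7", 0, "ge0/2", "udp"),    # static route
              Packet("10.2.0.1", "203.0.113.9", 0x10, "ge0/2", "udp"),  # after-route policy
              Packet("10.2.0.1", "203.0.113.9", 0, "ge0/2", "udp")):    # no match
        print(p.src, "->", p.dst, route(p))
```

The first sample packet has a static route available but is still redirected by the before-route policy, which is the precedence the manual describes; the after-route policy only sees packets the static table could not route.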

Figure3-106 Monitoring

3.15 MPLS
Multiprotocol Label Switching (MPLS) is a mechanism in high-performance telecommunications networks that directs and carries data from one network node to the next with the help of labels.

MPLS configuration

Global configuration
To enter the MPLS configuration page, you can choose Basic > Network > MPLS > Global configuration from the navigation tree, as shown in Figure
Figure3-107 Global configuration

Static FTN/ILM

Configure FTN
To enter the static FTN page, you can choose Basic > Network > MPLS > Configure FTN from the navigation tree, as shown in Figure
Figure3-108 Static FTN

Configure ILM

To enter the configure ILM page, you can choose Basic > Network > MPLS > Configure ILM from the navigation tree, as shown in Figure
Figure3-109 Static ILM

LDP

LDP configuration
To enter the LDP configuration page, you can choose Basic > Network > MPLS > LDP > LDP configuration from the navigation tree, as shown in Figure
Figure3-110 LDP configuration

Display LDP neighbor
To enter the display LDP neighbor page, you can choose Basic > Network > MPLS > LDP > Display LDP neighbor from the navigation tree, as shown in Figure
Figure3-111 Display LDP neighbor

Display LDP adjacency
To enter the display LDP adjacency page, you can choose Basic > Network > Display LDP adjacency from the navigation tree, as shown in Figure

Figure3-112 Display LDP adjacency

Display LDP interface
To enter the display LDP interface page, you can choose Basic > Network > Policy-based routing from the navigation tree, as shown in Error! Reference source not found.
Figure3-113 Display LDP interface

L2VPN configuration
MPLS L2VPN transfers Layer 2 user data transparently over the MPLS network. For users, the MPLS network is a Layer 2 switched network and can be used to establish Layer 2 connections between nodes.

L2VPN configuration
To enter the L2VPN configuration page, you can choose Basic > Network > MPLS > L2VPN configuration > L2VPN configuration from the navigation tree, as shown in Figure
Figure3-114 L2VPN configuration

SVC mode
Static Virtual Circuit (SVC) also implements MPLS L2VPN by static configuration. It transfers L2VPN information without using any signaling protocol. The SVC method closely resembles the Martini method and is in fact a static implementation of the Martini method.
To enter the SVC mode configuration page, you can choose Basic > Network > MPLS > L2VPN configuration > SVC mode from the navigation tree, as shown in Figure

Figure3-115 SVC mode

CCC mode
To enter the CCC mode configuration page, you can choose Basic > Network > MPLS > L2VPN configuration > CCC mode from the navigation tree, as shown in Figure
Figure3-116 CCC mode

MARTINI mode
To enter the MARTINI mode configuration page, you can choose Basic > Network > MPLS > L2VPN configuration > MARTINI mode from the navigation tree, as shown in Figure
Figure3-117 MARTINI mode

VPLS mode
VPLS provides Layer 2 VPN services. However, it supports multipoint services, rather than the point-to-point services that traditional VPN supports. With VPLS, service providers can create on the PEs a series of virtual switches for customers, allowing customers to build their LANs across the Metropolitan Area Network (MAN) or Wide Area Network (WAN).
To enter the VPLS mode configuration page, you can choose Basic > Network > MPLS > L2VPN configuration > VPLS mode, as shown in Figure
Figure3-118 VPLS mode

3.16 ARP Configuration
Address Resolution Protocol (ARP) is the protocol that converts an IP address to an Ethernet MAC address. In a local area network, when a host or other network device sends data to another host or device, it must know the network layer address (IP address) of the other party. But the IP address alone is not enough, because IP packets are encapsulated by the link-layer protocol, so the sender must also know the receiver's physical address and needs the mapping relationship between the IP address and the physical address. The ARP protocol is used for this kind of requirement.

Display ARP

Display ARP
To enter the display ARP page, you can choose Basic > Network > ARP > Display ARP, as shown in Figure
Figure3-119 Display ARP

Static ARP
To enter the static ARP display interface, you can choose Basic > Network > ARP > Static ARP, as shown in Figure
Figure3-120 Static ARP

Gratuitous ARP
A gratuitous ARP reply is a reply for which no request has been made. Gratuitous ARP can mean both a gratuitous ARP request and a gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification but could be used in some cases. A gratuitous ARP request is an Address Resolution Protocol request packet in which the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur.
To enter the gratuitous ARP page, you can choose Basic > Network > ARP > Gratuitous ARP from the navigation tree, as shown in Figure
Figure3-121 Gratuitous ARP

Configure ARP probe period
To enter the configure ARP probe period page, you can choose Basic > Network > ARP > Configure ARP probe period from the navigation tree, as shown in Figure
Figure3-122 Configure ARP probe period

Anti-ARP-snooping

Anti-ARP-snooping
To enter the anti-ARP-snooping page, you can choose Basic > Network > ARP > Anti-ARP snooping from the navigation tree, as shown in Error! Reference source not found.
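The following is an added example, not DPtech code, that parses raw ARP frames, recognises a gratuitous ARP as the paragraph above defines it (sender and target IP both set to the sender's own address), and keeps an IP-to-MAC table that reports when a known IP is suddenly claimed by a different MAC, which is the kind of event an anti-ARP-snooping feature or ARP log would surface. The frames and addresses are constructed for the demonstration.

```python
# Added example (not DPtech code): parse Ethernet/ARP frames, flag gratuitous
# ARP (sender IP == target IP) and report IP-to-MAC mapping changes. All frames
# below are constructed; the addresses are documentation values.
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST_MAC):
    """Construct an Ethernet+ARP frame (used only to build test input here)."""
    return (ETH.pack(dst_mac, sender_mac, ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, sender_mac, sender_ip, target_mac, target_ip))

def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op, "sha": mac_to_str(sha), "spa": ip_to_str(spa),
        "tha": mac_to_str(tha), "tpa": ip_to_str(tpa),
        # Gratuitous: the sender announces its own IP address (sender IP == target IP).
        "gratuitous": spa == tpa,
        "broadcast": dst == BROADCAST_MAC,
    }

class ArpTable:
    """IP -> MAC table learned from observed ARP; reports mapping changes."""

    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        """Record the sender mapping of one frame and return a list of event strings."""
        a = parse_arp(frame)
        if a is None:
            return []
        events = []
        if a["gratuitous"]:
            events.append(f"gratuitous-arp {a['spa']} is-at {a['sha']}")
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:
            # The same IP is now claimed by another MAC: worth logging and, for a
            # static/binding entry, worth rejecting.
            events.append(f"mapping-changed {a['spa']} {old} -> {a['sha']}")
        self.table[a["spa"]] = a["sha"]
        return events

def demo():
    """Constructed sequence: host A announces itself, then host B claims A's IP."""
    host_a = bytes.fromhex("0011223344aa")
    host_b = bytes.fromhex("0011223344bb")
    gateway = bytes.fromhex("0011223344ff")
    ip_a = bytes([192, 0, 2, 10])
    ip_gw = bytes([192, 0, 2, 1])
    frames = [
        build_arp(ARP_REQUEST, host_a, ip_a, b"\x00" * 6, ip_a),                 # gratuitous request
        build_arp(ARP_REPLY, host_b, ip_a, gateway, ip_gw, dst_mac=gateway),      # conflicting reply
    ]
    table = ArpTable()
    return [table.observe(f) for f in frames]

if __name__ == "__main__":
    for events in demo():
        print(events)
```

A static ARP entry or a MAC/IP binding (see the Static ARP page above and the firewall's MAC/IP Binding function) is the device-side counterpart of the "mapping-changed" check: the learned table is replaced by a fixed one so a conflicting reply cannot overwrite it.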

Figure3-123 Anti-ARP snooping

ARP configuration
To enter the ARP configuration page, you can choose Basic > Network > ARP > ARP configuration from the navigation tree, as shown in Figure
Figure3-124 ARP configuration

ARP log
To enter the ARP log page, you can choose Basic > Network > ARP > ARP log, as shown in Figure
Figure3-125 ARP log

3.17 MAC address manage
To enter the MAC address manage page, you can choose Basic > Network > MAC address manage, as shown in Figure

Figure3-126 MAC address manage

3.18 DNS Configuration

Introduction to DNS
The Domain Name System (DNS) provides translation between domain names and IP addresses for users.

DNS
To enter the DNS page, you can choose Basic > Network > DNS from the navigation tree, as shown in Figure
Figure3-127 DNS
To configure DNS, you can take the following steps:
1. Enter the DNS server address and select the DNS proxy check box.
2. Click the Ok button in the upper right corner on the webpage.

DHCP Configuration

Introduction to DHCP
DHCP allows the administrator to monitor and distribute IP addresses from a central node. When a computer is moved to another place in the network, it automatically receives a new IP address, which facilitates user configuration and centralized management. In a local network, the DHCP server is used to distribute IP addresses to every workstation, and the DHCP relay distributes IP addresses when the local network is divided into several subnets. After DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server.

DHCP server
To enter the DHCP server page, you can choose Basic > Network > DHCP > DHCP server from the navigation tree, as shown in Figure
Figure3-128 DHCP server
Table3-51 describes the details of dynamic DHCP server configuration.

Table3-51 Dynamic DHCP server configuration
Start IP address: Specify the start IP address of the IP address pool.
End IP address: Specify the end IP address of the IP address pool.
Subnet mask: Specify the subnet mask for the IP address pool.
Gateway address: Specify the gateway address distributed to every host in the network.
Agent address: Specify the agent address for every host in the network.
DNS server: Specify the DNS server for every host in the network.
WINS server: Specify the WINS server distributed to every host in the network.
Region name: Specify the region name.
Lease(minute): Specify the valid time of the allocated IP address.
Operation: Click the copy or delete icon to do the operations.

Table3-52 describes the details of static DHCP server configuration.

Table3-52 Static DHCP server configuration
Hostname: Specify the hostname that is required to obtain a static IP address.
MAC address: Specify the MAC address that is required to obtain the static IP address.
IP address: The IP address allocated to the above host.
Operation: Click the copy icon or delete icon to do the operations.

To configure the dynamic DHCP address pool, you can take the following steps:
1. Click the copy icon, and then enter the start and end IP addresses to be distributed by the DHCP server.
2. Enter the subnet mask of the distributed addresses and the DHCP server gateway address.
3. Enter the DNS server address and then the WINS server address to be allocated to the hosts.
4. Enter the region name and then select the valid time.
5. Click the Ok button in the upper right corner on the webpage.

To create the static DHCP address pool, you can take the following steps:
1. Click the copy icon.
2. Enter the hostname of the static DHCP entry.
3. Enter the MAC address to which an IP address will be statically assigned.
4. Enter the IP address to be statically assigned.
5. Click the Ok button in the upper right corner on the webpage.
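The following is an added example, not DPtech code, that models a DHCP server address pool with the fields of Table3-51 (start/end address, subnet mask, gateway, DNS server, lease in minutes) together with the static entries of Table3-52 keyed by MAC address. It shows how static reservations are kept out of the dynamic range, how a client renews its own lease, and how expired leases are reused once the pool is exhausted. All addresses and MACs are constructed.

```python
# Added example (not DPtech code): a DHCP address pool combining the dynamic
# pool of Table3-51 with the static MAC-to-IP entries of Table3-52.
# All addresses, MACs and lease times below are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DhcpPool:
    start_ip: str
    end_ip: str
    subnet_mask: str
    gateway: str
    dns_server: str
    lease_minutes: int
    static_hosts: dict = field(default_factory=dict)   # MAC -> fixed IP (Table3-52)
    leases: dict = field(default_factory=dict)         # IP -> (MAC, expiry minute)

    def _dynamic_range(self):
        first = int(ipaddress.IPv4Address(self.start_ip))
        last = int(ipaddress.IPv4Address(self.end_ip))
        return (str(ipaddress.IPv4Address(i)) for i in range(first, last + 1))

    def _expire(self, now: int) -> None:
        """Drop leases whose valid time has passed so their addresses can be reused."""
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]

    def allocate(self, mac: str, now: int) -> Optional[dict]:
        """Offer for `mac` at minute `now`; None when no address is available."""
        self._expire(now)
        mac = mac.lower()
        if mac in self.static_hosts:
            ip = self.static_hosts[mac]                    # static entry wins
        else:
            # Renew the client's existing lease, else take the first free
            # dynamic address that is not reserved for a static host.
            ip = next((i for i, (m, _) in self.leases.items() if m == mac), None)
            if ip is None:
                reserved = set(self.static_hosts.values())
                ip = next((i for i in self._dynamic_range()
                           if i not in reserved and i not in self.leases), None)
            if ip is None:
                return None
        self.leases[ip] = (mac, now + self.lease_minutes)
        return {"ip": ip, "mask": self.subnet_mask, "gateway": self.gateway,
                "dns": self.dns_server, "lease_minutes": self.lease_minutes}

def demo():
    """Three-address pool, one reserved statically; returns the offered IPs in order."""
    pool = DhcpPool("192.0.2.10", "192.0.2.12", "255.255.255.0", "192.0.2.1",
                    "192.0.2.53", lease_minutes=30,
                    static_hosts={"00:11:22:33:44:ee": "192.0.2.10"})
    requests = [("00:11:22:33:44:01", 0),    # first dynamic address
                ("00:11:22:33:44:02", 0),    # second dynamic address
                ("00:11:22:33:44:03", 0),    # pool exhausted
                ("00:11:22:33:44:ee", 0),    # static host gets its reserved address
                ("00:11:22:33:44:03", 60)]   # earlier leases expired, address reused
    offers = []
    for mac, now in requests:
        offer = pool.allocate(mac, now)
        offers.append(offer["ip"] if offer else None)
    return offers

if __name__ == "__main__":
    print(demo())
```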

DHCPv6 server
To enter the DHCPv6 server page, you can choose Basic > Network > DHCP > DHCPv6 server from the navigation tree, as shown in Figure
Figure3-129 DHCPv6 server

DHCP relay agent
To enter the DHCP relay agent page, you can choose Basic > Network > DHCP > DHCP relay agent, as shown in Figure
Figure3-130 DHCP relay agent
Table3-53 describes the details of DHCP relay configuration.

Table3-53 DHCP relay configuration
Interfaces list: Specify the interface on which IP addresses are automatically obtained.
DHCP servers list: Specify the IP address of the DHCP server that provides the DHCP service.
Operations: Click the delete icon to delete the address pool.

To configure the DHCP relay configuration:
1. Select the DHCP relay agent check box.
2. Click the interface list and then select the interface on which to enable DHCP relay.
3. Click the DHCP server list and then add a DHCP server IP address.
4. Click the Ok button in the upper right corner on the webpage.

DHCP IP address table
The DHCP IP address table allows you to view information about the hosts to which the DHCP server has allocated addresses.
To enter the DHCP IP address table interface, you can choose Basic > Network > DHCP > DHCP IP address table from the navigation tree, as shown in Figure
Figure3-131 DHCP IP address table
Table3-54 describes the details of the DHCP IP address table.

Table3-54 DHCP IP address table
Serial number: Displays the serial number of the host.
Host name: Displays the hostname of the host.
MAC address: Displays the MAC address of the host.
IP address: Displays the IP address of the host.
Lease period: Displays the lease period of the host.

3.20 BFD

BFD configuration
BFD is a detection protocol designed to provide fast forwarding path failure detection times for all media types, encapsulations, topologies, and routing protocols.

To enter the BFD interface, you can choose Basic > Network > BFD, as shown in Figure
Figure3-132 Basic wireless
Table3-55 describes the configuration items of BFD configuration.

Table3-55 BFD configuration
Interface: Configure the BFD interface.
Enable status: Allows you to enable or disable the interface.
Mode: BFD provides the following detection modes.
  Initiative mode: In initiative mode, two systems periodically send BFD control packets to each other. If one system receives no packets consecutively, it considers the BFD session Down.
  Passive mode: If multiple BFD sessions exist in a system, the cost of periodically sending BFD control packets affects system running. To solve this problem, use the demand mode. In demand mode, after BFD sessions are set up, the system does not periodically send BFD control packets. The system detects connectivity using other mechanisms, such as the Hello mechanism of a routing protocol and hardware detection, to reduce the cost of BFD sessions.
Advanced configuration: Configure the advanced configuration.

BFD session
To enter the BFD session page, you can choose Basic > Network > BFD session from the navigation tree, as shown in Figure

Figure3-133 Basic session

BFD manual
To enter the BFD manual page, you can choose Basic > Network > BFD manual from the navigation tree, as shown in Figure
Figure3-134 Basic session

3.21 Basic wireless
To enter the basic wireless interface, you can choose Basic > Network > Wireless from the navigation tree, as shown in Figure
Figure3-135 Basic wireless
To configure basic wireless:
1. Click the Enable option.
2. Configure the SSID, for example: dptech.
3. Select the wireless mode (the default wireless mode is 802.1n).
4. Select channel 1.
5. Select whether to enable SSID broadcast.
6. Select the security policy.
7. Click the Ok button in the upper right corner on the webpage.

3.22 Diagnostic tools

Ping
Ping is used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.
To enter the Ping page, you can choose Basic > Network > Diagnose tool > Ping from the navigation tree, as shown in Figure
Figure3-136 Ping
To use the Ping diagnostic tool:
1. Enter the Ping destination IP address.
2. Click the Test button at the bottom right.
3. The Ping test result is shown on the interface.

Traceroute
Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
To enter the Traceroute tool page, you can choose Basic > Network > Diagnose tool > Traceroute from the navigation tree, as shown in Figure

Figure3-137 Traceroute

Capture
To enter the Capture page, you can choose Basic > Network > Diagnose tool > Capture from the navigation tree, as shown in Figure
Figure3-138 Capture

3.23 LAN Switch

Spanning tree

Select STP
To enter the select STP page, you can choose Basic > Network > LAN Switch > Spanning tree > Select STP, as shown in Figure
Figure3-139 Spanning tree

Table3-56 describes the configuration items of select STP.

Table3-56 Select STP configuration items
Enable STP: Select whether to enable the STP function. After the STP function is enabled, you can enable one of the following modes: STP, RSTP and MSTP.
STP mode: All ports of the device send out STP BPDUs.
RSTP mode: All ports of the device send out RSTP BPDUs. If the device detects that it is connected with a legacy STP device, the port connecting with the legacy STP device will automatically migrate to STP-compatible mode.
MSTP mode: All ports of the device send out MSTP BPDUs. If the device detects that it is connected with a legacy STP device, the port connecting with the legacy STP device will automatically migrate to STP-compatible mode.

STP
To enter the STP interface, you can choose Basic > Network > LAN Switch > Spanning tree > STP from the navigation tree, as shown in Figure
Figure3-140 STP

RSTP
To enter the RSTP page, you can choose Basic > Network > LAN Switch > Spanning tree > RSTP from the navigation tree, as shown in Figure

Figure3-141 RSTP

MSTP
Spanning tree protocol (STP) is a Layer 2 management protocol that selectively blocks redundant links in a network to eliminate Layer 2 loops; it can also provide link backup.
To enter the MSTP interface, you can choose Basic > Network > LAN Switch > Spanning tree > MSTP from the navigation tree, as shown in Figure
Figure3-142 MSTP
Table3-57 describes the configuration items of the MSTP region.

Table3-57 MSTP region configuration items
Revision level: Allows you to configure the revision level of the MSTP region.
Region name: Allows you to configure the region name.
Protocol message form: Allows you to select the protocol message form.
Start BPDU protection: Select whether to enable the global BPDU protection function. BPDU protection can prevent the device from malicious attacks that fabricate configuration information, so as to avoid network oscillation.

STP status
To enter the STP status page, you can choose Basic > Network > LAN Switch > Spanning tree > MSTP, as shown in Figure
Figure3-143 STP status

Chapter 4 Firewall

4.1 Introduction to the Firewall
The firewall module controls incoming and outgoing packets and blocks intrusions from outside networks. It provides the following functions:
Packet filtering policy
IPv6 packet filtering
NAT
NAT_PT
Basic attack protection
Session limit
Service limit
IPv4 basic DDoS
Blacklist
MAC/IP binding
Session management
QoS
Anti-ARP-spoofing
To enter the firewall menu, choose Basic > Network > Firewall > Packet filtering policy from the navigation tree, as shown in Figure4-1.

Figure4-1 Firewall

4.2 Packet Filtering Policy

Packet Filtering Policy
Packet filtering inspects the source domain, destination domain, originator source IP, originator destination IP, originator source MAC, originator destination MAC, service, IP fragment, flow re-mark and action for every packet.
To enter the packet filtering policy page, choose Basic > Network > Firewall > Packet filtering policy from the navigation tree, as shown in Figure4-2.

Figure4-2 Packet filtering policy

Table4-1 describes the configuration items of the packet filtering policy.

Table4-1 Packet filtering policy configuration items
Serial number: Displays the serial number of the packet filtering policy.
Name: Configure a name for the packet filtering policy.
Source domain: Specify the source domain.
Destination domain: Specify the destination domain.
Originator source IP: Specify the originator source IP.
Originator destination IP: Specify the originator destination IP.
Originator source MAC: Specify the range of packet source MAC addresses.
Originator destination MAC: Specify the range of packet destination MAC addresses.
Service: Select a service for the packet filtering policy.
IP fragment: Select whether to permit fragmented packets to pass through the device.
Valid time: Select a time range for the rule. By default the time range is Always, which means the packet filtering policy is always in effect.
Status: Select a status for the packet filtering policy. Enable: the packet filtering policy is enabled. Disable: the packet filtering policy is disabled.
Action: Specify whether to permit the packet to pass through the device, and optionally apply further limits to the packet filtering policy.
Operation: Click the copy icon, delete icon or insert icon to perform the corresponding operation.

Figure4-3 Configuring action

Table4-2 describes how to configure the action.

Table4-2 Configuring action
Pass: Allow the packet to pass through the device.
Discard: Do not allow the packet to pass through the device.
Rate limitation: Select the rate limitation rule to apply to the packet filtering policy.
Per IP rate limitation: Select the per-IP rate limitation rule to apply to the packet filtering policy.
Access control: Select the access control rule to apply to the packet filtering policy.
URL filtering: Select the URL filtering rule to apply to the packet filtering policy.
Advanced filtering: Select the advanced filtering rule to apply to the packet filtering policy.
Behavior audit: Select the behavior audit rule to apply to the packet filtering policy.
Flow analysis: Select whether to enable flow analysis.

To create a packet filtering policy:
Click the copy icon.
Select the source domain and destination domain in the new line.
Select the originator source IP and originator destination IP for the packet filtering policy.
Select the related service and valid time for the packet filtering policy.
Select the action: pass, discard or rate limitation.

Click the Ok button in the upper right corner of the webpage.

! Caution: If no packet filtering policy matches a packet, the default packet filtering policy is applied. By default, an interface with a higher security level can access an interface with a lower security level, but an interface with a lower security level cannot access an interface with a higher security level.

Packet filtering policy log
The packet filtering policy log query function queries specific logs in the database; as a precondition, you must click the select box in front of the packet filtering policy. To enter the packet filtering policy log page, choose Basic > Network > Firewall > Packet filtering policy from the navigation tree, as shown in Figure4-4.

Figure4-4 Packet filtering policy log

4.3 IPv6 packet filtering policy

IPv6 packet filtering policy
To enter the IPv6 packet filtering policy page, choose Basic > Network > Firewall > Packet filtering policy > IPv6 packet filtering policy from the navigation tree, as shown in Figure4-5.
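The following Python program is an added illustration of how the policy items in Table4-1 and Table4-2 combine with the default policy from the Caution above. It is example code written for this guide, not DPtech's implementation: the zone names, the security levels attached to them, the addresses and the rule set are all constructed, and the handling of fragments that hit a policy without fragment permission is an assumption noted in the code.

```python
"""Packet filtering policy evaluation (added example, not DPtech code).

Policies are matched first-to-last in serial-number order; the first match
decides the action.  When nothing matches, the zone security levels decide,
as the Caution describes: higher level may reach lower, not the reverse."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed zone security levels (assumption: higher number = more trusted).
SECURITY_LEVEL = {"trust": 85, "dmz": 50, "untrust": 5}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str            # e.g. "tcp/80"
    fragment: bool = False  # True for a non-first IP fragment


@dataclass
class Policy:
    name: str
    src_zone: str           # "any" matches every zone
    dst_zone: str
    src_net: str            # CIDR or "any"
    dst_net: str
    service: str            # "tcp/80" or "any"
    allow_fragment: bool    # the "IP fragment" item
    action: str             # "pass", "discard" or "rate_limit"
    enabled: bool = True    # the "Status" item


def _zone_match(want: str, have: str) -> bool:
    return want == "any" or want == have


def _net_match(want: str, ip: str) -> bool:
    return want == "any" or ip_address(ip) in ip_network(want, strict=False)


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    """True when every configured item of an enabled policy matches the packet."""
    return (policy.enabled
            and _zone_match(policy.src_zone, pkt.src_zone)
            and _zone_match(policy.dst_zone, pkt.dst_zone)
            and _net_match(policy.src_net, pkt.src_ip)
            and _net_match(policy.dst_net, pkt.dst_ip)
            and policy.service in ("any", pkt.service))


def default_action(pkt: Packet) -> str:
    """Default policy: a zone may only reach zones of strictly lower level.
    Unknown zones are treated as the lowest level."""
    src = SECURITY_LEVEL.get(pkt.src_zone, 0)
    dst = SECURITY_LEVEL.get(pkt.dst_zone, 0)
    return "pass" if src > dst else "discard"


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Return (action, policy name); 'default' names the fallback policy."""
    for policy in policies:
        if policy_matches(policy, pkt):
            # Assumption for this example: a fragment hitting a policy that
            # does not permit fragments is discarded by that policy.
            if pkt.fragment and not policy.allow_fragment:
                return "discard", policy.name
            return policy.action, policy.name
    return default_action(pkt), "default"


# Constructed rule set: a DMZ web server reachable from outside, and the
# database port explicitly blocked from the trusted LAN.
EXAMPLE_POLICIES = [
    Policy("web-in", "untrust", "dmz", "any", "10.0.1.0/24", "tcp/80", False, "pass"),
    Policy("no-db", "trust", "dmz", "any", "any", "tcp/3306", True, "discard"),
]

if __name__ == "__main__":
    for pkt in [Packet("untrust", "dmz", "203.0.113.7", "10.0.1.10", "tcp/80"),
                Packet("untrust", "trust", "203.0.113.7", "192.168.1.5", "tcp/22"),
                Packet("trust", "untrust", "192.168.1.5", "198.51.100.1", "tcp/443")]:
        print(pkt.src_zone, "->", pkt.dst_zone, pkt.service, evaluate(EXAMPLE_POLICIES, pkt))
```

The point to take from the trace is that the untrust-to-trust SSH packet is discarded by the default policy without any explicit rule, while trust-to-untrust HTTPS passes for the same reason; only traffic that crosses zones against the level order needs an explicit pass rule.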

Figure4-5 IPv6 packet filtering policy

IPv6 packet filtering log
To enter the IPv6 packet filtering log page, choose Basic > Network > Firewall > Packet filtering policy > IPv6 packet filtering log from the navigation tree, as shown in Figure4-6.

Figure4-6 IPv6 packet filtering log

4.4 NAT

Introduction to NAT
Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. Originally, NAT was used to allow users with private IP addresses to access public networks. With NAT, a small number of public IP addresses can meet the public network access requirements of a larger number of private hosts, so NAT effectively alleviates the depletion of IP addresses.

Source NAT

Source NAT
To enter the source NAT page, choose Basic > Network > Firewall > Source NAT > Source NAT from the navigation tree, as shown in Figure4-7.

Figure4-7 Source NAT

Address pool
To enter the address pool page, choose Basic > Network > Firewall > Source NAT > Address pool from the navigation tree, as shown in Figure4-8.

Figure4-8 Address pool

Destination NAT
To enter the destination NAT page, choose Basic > Network > Firewall > Destination NAT from the navigation tree, as shown in Figure4-9.

Figure4-9 Destination NAT

Table4-3 describes the destination NAT configuration items.

Table4-3 Destination NAT configuration
No.: Shows the sequence number of the destination NAT entry.
Name: Configure a name for the destination NAT entry.
Inbound interface: Allows you to select an inbound interface for the destination NAT entry.
Public IP address: Configure the public IP address.
Service: Allows you to select a kind of service.
Intranet address: Configure the intranet address.
Advanced configuration: Configure the advanced settings.
VRRP: Allows you to select whether the entry is associated with VRRP.
State: Allows you to select a state.
Operation: Click the add icon or delete icon to perform the corresponding operation.

To configure destination NAT, take the following steps:
Click the copy button of the destination NAT policy.
Select the outbound interface.
Configure the service type of the destination NAT policy.
Configure the public address of the destination NAT server.
Configure the inner IP address of the destination NAT server.
After you finish the above steps, click the Ok button in the upper right corner of the webpage.

Note: If you configure the server inner port in the advanced configuration, connections are made to that inner port after destination NAT has been applied.

One to one NAT
With one to one NAT, when an internal network user accesses an external network, NAT replaces the original internal IP address with an external (public) IP address. This address is the outbound interface address (a public IP address) of the NAT gateway, which means that all internal hosts use the same external IP address when accessing external networks, and only one host is allowed to access external networks at a given time. Hence it is referred to as one-to-one NAT.
To enter the one to one NAT page, choose Basic > Network > Firewall > One to one NAT from the navigation tree, as shown in Figure4-10.

Figure4-10 One to one NAT

Table4-4 describes the configuration items of one to one NAT.

Table4-4 One to one NAT configuration
Serial number: Displays the serial number of the one to one NAT policy.
Public interface: Displays the outbound interface of the one to one NAT policy.
One to one NAT: Displays the inner address of the one to one NAT policy.
Public address: Displays the public address of the one to one NAT policy.
Operation: Click the copy or delete icon to perform the corresponding operation.

To configure one to one NAT, take the following steps:
Click the copy icon of the one to one NAT policy.
Select the public interface.
Configure the inner address of the one to one NAT policy.
Configure the public address of the one to one NAT policy.
After you finish the above steps, click the Ok button in the upper right corner of the webpage.

N to N NAT
When the first internal host accesses external networks, NAT chooses a public IP address for it, records the mapping between the two addresses and forwards the packets. When the second internal host accesses external networks, NAT chooses another public IP address for it, and so on for further hosts. This kind of NAT is called N-to-N NAT.
To enter the N to N NAT page, choose Basic > Network > Firewall > N to N NAT from the navigation tree, as shown in Figure4-11.

Figure4-11 N to N NAT

Table4-5 describes the configuration items of the address pool.

Table4-5 Address pool configuration
No.: Shows the sequence number of the N to N NAT entry.
Net interface: Allows you to select the net interface.
Innet address: Allows you to select the innet (internal) address.
Net address: Configure the net address.
VRRP: Allows you to select whether the entry is associated with VRRP.
Operation: Click the copy or delete icon to perform the corresponding operation.

To configure the address pool, take the following steps:
Click the button of the address pool.
Configure the ID number.
Configure the start IP.
Configure the end IP.
After you finish the above steps, click the Ok button in the upper right corner of the webpage.

4.5 NAT64
Network Address Translation IPv6 to IPv4 (NAT64 for short) is a mechanism that allows IPv6 hosts to communicate with IPv4 servers. The NAT64 server is the endpoint for at least one IPv4 address and for an IPv6 network segment that leaves 32 bits free for an embedded IPv4 address (for instance 64:ff9b::/96, the NAT64 prefix). The IPv6 client embeds the IPv4 address it wishes to communicate with in these 32 bits and sends its packets to the resulting IPv6 address. The NAT64 server then creates a NAT mapping between the IPv6 address and the IPv4 address, allowing the two hosts to communicate.
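The following Python program is an added illustration of the NAT64 description above: embedding an IPv4 address in the low 32 bits of a /96 prefix, recovering it on the way out, and the per-client mapping the NAT64 server keeps. The way each IPv6 client is given its own address from an IPv4 pool also mirrors the N-to-N NAT behaviour described in section 4.4. This is example code, not DPtech's implementation; 64:ff9b::/96 is the well-known prefix named in the text, while the IPv4 pool and client addresses are constructed.

```python
"""NAT64 prefix embedding and stateful mapping (added example, not DPtech code)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Optional, Tuple

WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")


def synthesize(prefix: IPv6Network, v4: str) -> IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    return IPv6Address(int(prefix.network_address) | int(IPv4Address(v4)))


def extract(prefix: IPv6Network, v6: str) -> Optional[IPv4Address]:
    """Recover the embedded IPv4 address; None if v6 is not inside the prefix."""
    addr = IPv6Address(v6)
    if addr not in prefix:
        return None
    return IPv4Address(int(addr) & 0xFFFFFFFF)


class Nat64Translator:
    """Gives each IPv6 client one IPv4 address from the pool (the NAT mapping
    the text describes) and rewrites the addresses in both directions."""

    def __init__(self, prefix: IPv6Network, pool: List[str]):
        self.prefix = prefix
        self.free = [IPv4Address(a) for a in pool]   # constructed pool
        self.mapping: Dict[IPv6Address, IPv4Address] = {}

    def outbound(self, src6: str, dst6: str) -> Optional[Tuple[str, str]]:
        """Translate an IPv6 client packet (src6 -> dst6) into (src4, dst4).
        None means the destination is not a NAT64 address, or the pool is
        exhausted and no further client can be mapped."""
        dst4 = extract(self.prefix, dst6)
        if dst4 is None:
            return None
        client = IPv6Address(src6)
        if client not in self.mapping:
            if not self.free:
                return None
            self.mapping[client] = self.free.pop(0)
        return str(self.mapping[client]), str(dst4)

    def inbound(self, src4: str, dst4: str) -> Optional[Tuple[str, str]]:
        """Reverse translation for the IPv4 server's reply: the pool address
        is looked up to find the client, the server address is re-embedded."""
        for client, pub in self.mapping.items():
            if pub == IPv4Address(dst4):
                return str(client), str(synthesize(self.prefix, src4))
        return None


if __name__ == "__main__":
    nat = Nat64Translator(WELL_KNOWN_PREFIX, ["203.0.113.10", "203.0.113.11"])
    print(synthesize(WELL_KNOWN_PREFIX, "192.0.2.33"))         # 64:ff9b::c000:221
    print(nat.outbound("2001:db8::1", "64:ff9b::c000:221"))   # ('203.0.113.10', '192.0.2.33')
    print(nat.inbound("192.0.2.33", "203.0.113.10"))           # ('2001:db8::1', '64:ff9b::c000:221')
```

Note that a destination outside the prefix is returned untouched as None: only packets addressed into the NAT64 prefix belong to the translator, which is what the NAT64 prefix page configures.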

4.5.1 NAT64 prefix
To enter the NAT64 prefix page, choose Basic > Network > Firewall > NAT64 prefix from the navigation tree, as shown in Figure4-12.

Figure4-12 NAT64 prefix

NAT64 address
To enter the NAT64 address page, choose Basic > Network > Firewall > NAT64 address from the navigation tree, as shown in Figure4-13.

Figure4-13 NAT64 address

Address pool
To enter the address pool page, choose Basic > Network > Firewall > Address pool from the navigation tree, as shown in Figure4-14.

Figure4-14 Address pool

4.6 NAT66

Source NAT
To enter the NAT66 source NAT page, choose Basic > Network > Firewall > NAT > Source NAT from the navigation tree, as shown in Figure4-15.

Figure4-15 Source NAT

Destination NAT
To enter the NAT66 destination NAT page, choose Basic > Network > Firewall > NAT > Destination NAT from the navigation tree, as shown in Figure4-16.

Figure4-16 Destination NAT

Address pool
To enter the NAT66 address pool page, choose Basic > Network > Firewall > NAT > Address pool from the navigation tree, as shown in Figure4-17.

Figure4-17 Address pool

4.7 DS_LITE_NAT
Because of IPv4 address exhaustion, DS-Lite was designed to let an Internet service provider omit the deployment of any IPv4 address to the customer's customer-premises equipment (CPE). Instead, only global IPv6 addresses are provided.

DS_LITE_NAT
To enter the DS_LITE_NAT page, choose Basic > Network > Firewall > DS_LITE_NAT from the navigation tree, as shown in Figure4-18.

Figure4-18 DS_LITE_NAT

Address pool
To enter the address pool page, choose Basic > Network > Firewall > Address pool from the navigation tree, as shown in Figure4-19.

Figure4-19 Address pool

4.8 ALG configuration
An application level gateway (ALG) is mainly used to process application layer packets. Usually NAT translates only the IP address and port number carried in the packet header and does not translate the fields in the application layer payload. For some special protocols NAT therefore cannot effectively translate the IP address and port number carried in the payload, which may cause problems.
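The following Python program is an added illustration of the problem the ALG paragraph describes and of what an ALG does about it, using the FTP PORT command, whose payload names the client's own IP address and data port. It is example code written for this guide, not DPtech's ALG: the source NAT is a minimal stub that hands out public ports sequentially, and every address is constructed.

```python
"""FTP PORT command ALG beside a header-only NAT (added example, not DPtech code)."""
import re
from typing import Dict, Tuple

# "PORT h1,h2,h3,h4,p1,p2\r\n": the client advertises IP h1.h2.h3.h4 and
# data port p1*256+p2 for the server to connect back to.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class SourceNat:
    """Stub source NAT: one public IP, ports handed out sequentially and
    remembered per inner (ip, port) tuple."""

    def __init__(self, public_ip: str, first_port: int = 51000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def allocate(self, inner_ip: str, inner_port: int) -> Tuple[str, int]:
        key = (inner_ip, inner_port)
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def snat_header_only(pkt: dict, nat: SourceNat) -> dict:
    """Plain NAT: the header is rewritten, the payload is untouched, so the
    private address in the PORT command leaks through unchanged and the
    server's data connection has no NAT mapping to land on."""
    pub_ip, pub_port = nat.allocate(pkt["src_ip"], pkt["src_port"])
    return {**pkt, "src_ip": pub_ip, "src_port": pub_port}


def ftp_alg(payload: bytes, inner_ip: str, nat: SourceNat) -> bytes:
    """Rewrite a PORT command so it names the translated address and port,
    creating the data-connection mapping in the NAT at the same time.
    Anything that is not a well-formed PORT command passes unchanged."""
    m = PORT_RE.match(payload)
    if not m:
        return payload
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if f"{h1}.{h2}.{h3}.{h4}" != inner_ip:
        return payload  # address does not belong to this client; leave it alone
    pub_ip, pub_port = nat.allocate(inner_ip, p1 * 256 + p2)
    fields = pub_ip.split(".") + [str(pub_port // 256), str(pub_port % 256)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


def snat_with_ftp_alg(pkt: dict, nat: SourceNat) -> dict:
    """NAT plus ALG: header and payload agree after translation."""
    translated = snat_header_only(pkt, nat)
    translated["payload"] = ftp_alg(pkt["payload"], pkt["src_ip"], nat)
    return translated


# Constructed FTP control packet from a private host; data port 156*256+65 = 40001.
EXAMPLE_PKT = {"src_ip": "192.168.1.10", "src_port": 40000,
               "dst_ip": "198.51.100.20", "dst_port": 21,
               "payload": b"PORT 192,168,1,10,156,65\r\n"}

if __name__ == "__main__":
    print(snat_header_only(dict(EXAMPLE_PKT), SourceNat("203.0.113.5"))["payload"])
    print(snat_with_ftp_alg(dict(EXAMPLE_PKT), SourceNat("203.0.113.5"))["payload"])
```

The second line of output names the public address and a port the NAT has already reserved for the data connection; the first still carries the private address, which is exactly the failure the paragraph above describes.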

4.8.1 ALG configuration
To enter the ALG configuration page, choose Basic > Network > Firewall > ALG configuration from the navigation tree, as shown in Figure4-20.

Figure4-20 ALG configuration

User-defined log
To enter the user-defined log page, choose Basic > Network > Firewall > User-defined log from the navigation tree, as shown in Figure4-21.

Figure4-21 User-defined log

4.9 Basic attack protection

Basic attack protection
Sometimes attack packets are transmitted in the network together with normal packets and interfere with hosts receiving the normal packets. Basic attack protection blocks attack packets and sends logs to a remote host or displays them on the local device.
To enter the basic attack protection page, choose Basic > Firewall > Basic attack protection from the navigation tree, as shown in Figure4-22.

Figure4-22 Basic attack protection

Table4-6 describes the basic attack protection items.

Table4-6 Basic attack protection
Attack type: Select an attack type for basic attack protection.
Threshold: Set the threshold of the basic attack protection.
Block: Click the select box to enable protection against the corresponding protocol attack.
Send log: Click the select box; you can then view a log whenever an attack packet is transmitted through the device interface.
Number of attacks: Statistics of the attack count.
Clear counter: Clears the attack count statistics.
Time interval (per second): Select the interval, in seconds, at which logs are sent.
Terms interval: Select the number of log entries after which a new log is reported.

To configure basic attack protection:
Click the select box of the attack type.
Click the send log box, and then click the Ok button in the upper right corner of the webpage.

4.9.2 Basic Attack Log Query
Basic attack log query allows you to query specific logs from the database. To enter the basic attack log query page, choose Basic > Firewall > Basic attack protection > Basic attack log query from the navigation tree, as shown in Figure4-23.

Figure4-23 Basic attack log query

Table4-7 describes the basic attack log query items.

Table4-7 Basic attack log query
Serial number: Displays the serial number of the attack.
Time: Displays when the attack log was created.
Attack type: Displays the type of the attack.
Protocol: Displays the protocol of the attack.
Source IP: Displays the source IP of the attack.
Destination IP: Displays the destination IP address of the attack packet.
Source port: Displays the interface of the attack.
Action: Displays the action taken for the attack.

To query the basic attack log:
Enter the desired query parameters.
Click the Search button to view the related search results.
Click the Export button to export the log file to a remote system.
Click the Delete button to delete the logs you queried.

4.10 Network action manage
To enter the network action manage page, choose Basic > Firewall > Basic attack protection > Network action manage from the navigation tree, as shown in Figure4-24.

Figure4-24 Network action manage

4.11 Session limit
Session entries occupy a certain amount of internal memory. If there are too many session entries on the device, they occupy a large amount of internal memory and affect other services. You can configure a session limit to restrict the creation of new sessions on the device. When the session count reaches the device's maximum session number, no new session can be created; only when the session count falls below the maximum can the device create new sessions again.
To enter the session limit page, choose Basic > Firewall > Sessions Limit from the navigation tree, as shown in Figure4-25.

Figure4-25 Sessions Limit
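The following Python program is an added illustration of the session limit described above, with entries shaped like the session list of section 4.15 (protocol, state, create time, TTL, initiator tuple). It shows why the limit is only a ceiling: sessions whose TTL expires are aged out and free their slot, so new sessions become possible again. This is example code, not DPtech's session manager; the per-protocol TTLs, the limit of three and the packet trace are constructed.

```python
"""Session table with a session limit and TTL aging (added example, not DPtech code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport

# Constructed idle TTLs per transport protocol, in seconds.
DEFAULT_TTL = {"tcp": 60, "udp": 30}


@dataclass
class Session:
    key: Key          # initiator tuple: source:port -> destination:port
    state: str        # "new" until the responder answers, then "established"
    created: float
    ttl: float
    last_seen: float


class SessionTable:
    def __init__(self, max_sessions: int, ttl: Dict[str, int] = DEFAULT_TTL):
        self.max_sessions = max_sessions
        self.ttl = ttl
        self.sessions: Dict[Key, Session] = {}

    def _age(self, now: float) -> None:
        """Remove sessions whose TTL has run out since their last packet."""
        expired = [k for k, s in self.sessions.items() if s.last_seen + s.ttl <= now]
        for k in expired:
            del self.sessions[k]

    def _find(self, key: Key) -> Optional[Session]:
        proto, src, sport, dst, dport = key
        # The responder's packets carry the initiator tuple reversed.
        return self.sessions.get(key) or self.sessions.get((proto, dst, dport, src, sport))

    def packet(self, proto: str, src: str, sport: int, dst: str, dport: int, now: float) -> str:
        """Classify a packet as 'existing' (session refreshed), 'created'
        (new session) or 'rejected' (session limit reached)."""
        self._age(now)
        key: Key = (proto, src, sport, dst, dport)
        sess = self._find(key)
        if sess is not None:
            sess.last_seen = now
            if sess.state == "new" and key != sess.key:
                sess.state = "established"   # first packet back from the responder
            return "existing"
        if len(self.sessions) >= self.max_sessions:
            return "rejected"
        ttl = self.ttl.get(proto, 30)
        self.sessions[key] = Session(key, "new", now, ttl, now)
        return "created"

    def count(self) -> int:
        return len(self.sessions)


def demo() -> list:
    """Constructed trace against a limit of 3 sessions; returns the
    per-packet verdicts followed by the final session count."""
    t = SessionTable(max_sessions=3)
    out = [
        t.packet("udp", "10.0.0.1", 5000, "198.51.100.5", 53, now=0),
        t.packet("udp", "10.0.0.2", 5000, "198.51.100.5", 53, now=0),
        t.packet("tcp", "10.0.0.3", 40000, "198.51.100.6", 443, now=0),
        t.packet("tcp", "10.0.0.4", 40000, "198.51.100.6", 443, now=1),   # limit hit
        t.packet("udp", "198.51.100.5", 53, "10.0.0.1", 5000, now=5),     # reply, reversed tuple
        t.packet("tcp", "10.0.0.4", 40000, "198.51.100.6", 443, now=40),  # UDP entries aged out
    ]
    return out + [t.count()]


if __name__ == "__main__":
    print(demo())   # ['created', 'created', 'created', 'rejected', 'existing', 'created', 2]
```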

4.12 Service limit
To enter the service limit page, choose Basic > Firewall > Service Limit from the navigation tree, as shown in Figure4-26.

Figure4-26 Service Limit

4.13 Blacklist

IPv4 black list configuration
A blacklist is an attack prevention mechanism that filters packets based on source IP address. The blacklist feature is easy to configure and quickly filters packets coming from particular source IP addresses.
To enter the IPv4 blacklist configuration page, choose Basic > Firewall > Blacklist from the navigation tree, as shown in Figure4-27.

Figure4-27 IPv4 blacklist configuration

Table4-8 describes the blacklist configuration items.

Table4-8 Blacklist configuration
Option: Click the Enable IPv4 black list check box to enable this function.
IP address/mask: Specifies an IP address to be blacklisted.
Remaining life time: Displays the last configuration record, in which you can view the valid time and life cycle.
Status: Allows you to select the status for the IPv4 blacklist configuration.
Last configuration record: Click the copy icon or delete icon to perform the corresponding operation.

To configure the blacklist, take the following steps:
Enter the source IP address to be blacklisted.
Enter the remaining time of the blacklist entry.
Click the Confirm the selected configuration button in the upper right corner of the webpage. To delete a configuration, click the Delete the selected configuration button.

IPv6 black list configuration
To enter the IPv6 black list configuration page, choose Basic > Firewall > Blacklist query from the navigation tree, as shown in Figure4-28.

Figure4-28 Blacklist query

Black list query
To enter the black list query page, choose Basic > Firewall > Black list query from the navigation tree, as shown in Figure4-29.

Figure4-29 Black list query

Table4-9 describes the blacklist query items.

Table4-9 Blacklist query
IP address/mask: Displays the blacklisted IP address.
Valid time: Displays the valid time.
Remaining time: Displays the remaining time and the time when the blacklist entry was created.
Cause: Displays the reason the IP address was added to the blacklist.
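The following Python program is an added illustration of two passages together: the Threshold, Block and Time interval items of Table4-6 (basic attack protection) and the blacklist of section 4.13 with its remaining life time and its Manual versus Dynamic add reasons. A source that exceeds the threshold inside the time window is blocked and placed on the blacklist for a lifetime, after which the entry expires on its own. This is example code, not DPtech's implementation; the attack-type label, threshold, window, lifetime and all addresses are constructed.

```python
"""Threshold-based attack detection feeding an expiring blacklist
(added example, not DPtech code)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Tuple


class Blacklist:
    """Source IP/mask blacklist whose entries expire after a lifetime."""

    def __init__(self):
        self._entries: Dict[object, Tuple[float, str]] = {}   # network -> (expires_at, add reason)
        self.log: List[Tuple[float, str, float, str]] = []     # time, address, lifetime, add reason

    def add(self, cidr: str, lifetime: float, now: float, reason: str = "Manual") -> None:
        net = ip_network(cidr, strict=False)
        self._entries[net] = (now + lifetime, reason)
        self.log.append((now, str(net), lifetime, reason))

    def _purge(self, now: float) -> None:
        for net in [n for n, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[net]

    def is_blocked(self, ip: str, now: float) -> bool:
        self._purge(now)
        addr = ip_address(ip)
        return any(addr in net for net in self._entries)

    def remaining(self, cidr: str, now: float) -> Optional[int]:
        """Remaining life time in whole seconds, None once the entry is gone."""
        self._purge(now)
        net = ip_network(cidr, strict=False)
        if net not in self._entries:
            return None
        return max(0, int(self._entries[net][0] - now))


class AttackDetector:
    """Counts packets of one attack type per source inside a sliding window;
    reaching the threshold blocks the source and blacklists it dynamically."""

    def __init__(self, blacklist: Blacklist, threshold: int, window: float, lifetime: float):
        self.blacklist = blacklist
        self.threshold = threshold
        self.window = window
        self.lifetime = lifetime
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def observe(self, attack_type: str, src_ip: str, now: float) -> str:
        if self.blacklist.is_blocked(src_ip, now):
            return "blocked"
        q = self._hits[(attack_type, src_ip)]
        q.append(now)
        while q and q[0] < now - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blacklist.add(src_ip, self.lifetime, now, reason="Dynamic")
            q.clear()
            return "blocked"
        return "allowed"


def simulate() -> dict:
    """Constructed trace: a manual /24 entry, then a burst from one source
    that crosses a threshold of 20 packets per second."""
    bl = Blacklist()
    bl.add("198.51.100.0/24", lifetime=3600, now=1000, reason="Manual")
    det = AttackDetector(bl, threshold=20, window=1.0, lifetime=300)
    results = []
    for i in range(25):   # 25 packets in a quarter second from one source
        results.append(det.observe("syn_flood", "203.0.113.9", now=1000 + i * 0.01))
    for i in range(3):    # a quiet source stays under the threshold
        results.append(det.observe("syn_flood", "203.0.113.10", now=1000.5 + i * 0.01))
    results.append(det.observe("syn_flood", "198.51.100.7", now=1001))  # manual entry
    return {
        "allowed": results.count("allowed"),
        "blocked": results.count("blocked"),
        "remaining_9": bl.remaining("203.0.113.9/32", now=1100),
        "expired": not bl.is_blocked("203.0.113.9", now=1400),
        "reasons": [reason for (_, _, _, reason) in bl.log],
    }


if __name__ == "__main__":
    print(simulate())
```

The blacklist log keeps the add reason alongside the lifetime, which is what lets an operator distinguish entries they configured themselves from entries the detector created, as the Blacklist log query page shows.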

Blacklist log query
To enter the blacklist log query page, choose Basic > Firewall > Blacklist Log Query from the navigation tree, as shown in Figure4-30.

Figure4-30 Blacklist log query

Table4-10 describes the blacklist log query items.

Table4-10 Blacklist log query
Serial number: Displays the serial number of the blacklist log entry.
Time: Displays the time when the attack began.
IP address: Displays the blacklisted IP address.
Lifecycle: Displays the lifecycle of the blacklist entry.
Add reasons: Displays how the IP address was added: Manual or Dynamic.

To query the blacklist log, take the following steps:
Configure each query item.
Click the Search button to view the search results.
Click the Export to CSV button to export the log file.
Click the Delete button to delete the logs you have searched.

4.14 MAC/IP Binding

Auto Learning
With auto learning, the firewall receives the ARP packets sent by each host, so that it learns the IP address and MAC address of each host.

To enter the auto learning page, choose Basic > Firewall > MAC/IP binding > Auto learning from the navigation tree, as shown in Figure4-31.

Figure4-31 Auto-learning

Table4-11 describes the auto learning items.

Table4-11 Auto learning
Option: Allows you to select one or several items to add to the MAC/IP binding list.
IP address: Displays the auto-learned IP address.
MAC address: Displays the auto-learned MAC address.
Binding status: Displays the MAC/IP binding status: not bound or already bound.

To perform auto-learning in Layer 2 network mode, take the following steps:
Click the Layer 2 mode network radio box and click the Auto-learn button.
Click the Check current learned result button to view the MAC/IP learning result.
Click the Add to MAC/IP binding learning button; the MAC/IP addresses are added to the MAC/IP binding list.

To perform auto-learning in Layer 3 network mode, take the following steps:
Click the Layer 3 mode network radio box, configure the switch IP address and SNMP community string, and click the Auto-learn button.
Click the Check current learned result button to view the MAC/IP learning result.
Click the Add to MAC/IP binding learning button; the MAC/IP addresses are added to the MAC/IP binding list.

MAC/IP Binding
You configure the IP-address-to-MAC-address binding relationship on the firewall, so that the firewall checks the IP address and MAC address in a packet, compares them with the addresses registered on the firewall, and forwards the packet only if both match. MAC/IP binding can prevent IP address forgery attacks.
To enter the MAC/IP binding page, choose Basic > Firewall > MAC/IP address from the navigation tree, as shown in Figure4-32.

Figure4-32 MAC/IP Binding

Table4-12 describes the MAC/IP binding items.

Table4-12 MAC/IP binding
Enable MAC/IP binding: Enables the MAC/IP binding function.
Enabled interface: Select an interface on which MAC/IP binding is enabled.
MAC/IP binding (only appointed address pass): Click this checkbox so that only appointed addresses can pass through the device.
IP address: Configure the IP address of the MAC/IP binding entry.
MAC address: Configure the MAC address of the MAC/IP binding entry.
Operation: Click the copy icon or delete icon to perform the corresponding operation.

To create a MAC/IP binding rule, take the following steps:
Enter the IP address and MAC address to bind.
Click the Ok button in the upper right corner of the webpage.
Export a MAC/IP binding form; then click the Search button, select a CSV file from the local system, and click the Import CSV file button.

Table4-13 describes the switches table.

Table4-13 Switches table
Switches IP address: Specify the switch IP address.
SNMP read community: Specify the community string of the switch.
Operation: Click the copy icon or delete icon to perform the corresponding operation.

User/IP binding
User/IP binding is used together with the web authentication function. With username and IP address binding configured, an interface checks whether the username and IP address in a packet match the binding. If so, it forwards the packet; otherwise, it discards the packet.
To enter the User/IP binding page, choose Basic > Firewall > MAC/IP binding > User/IP binding from the navigation tree, as shown in Figure4-33.

Figure4-33 User/IP binding

Table4-14 describes the User/IP binding items.

Table4-14 User/IP binding
Binding mode: Manual configuration: add the username and IP address manually. Automatic learning: learn the username and IP address from the switch.
No.: Displays the sequence number of the user/IP binding entry.
Username: Enter manually: configure the IP address manually. Existent authenticated user: select a user from the list of existing authenticated users.

IP address: Configure the IP address of the user/IP binding entry.
Operation: Click the copy icon or delete icon to perform the corresponding operation.

To add a username and IP address through manual configuration, take the following steps:
Click Manual configuration.
Enter the username and IP address.
Click the Ok button in the upper right corner of the webpage.
To import usernames and IP addresses in batch, click the Browse button, select the user/IP binding file from your local system, and click the Import button. To export usernames and IP addresses to a CSV file, click the Export button, select a file path in which to store your user/IP binding file, and click the Save button.

User/MAC binding
User/MAC binding is used together with the web authentication function. With username and IP address binding configured, an interface checks whether the username and IP address in a packet match the binding. If so, it forwards the packet; otherwise, it discards the packet.
To enter the User/MAC binding page, choose Basic > Firewall > User/MAC binding from the navigation tree, as shown in Figure4-34.

Figure4-34 User/MAC binding

Table4-15 describes the User/MAC binding items.

Table4-15 User/MAC binding
Binding mode: Manual configuration: add the username and IP address manually. Automatic learning: learn the username and IP address from the switch.
No.: Displays the sequence number of the user/IP binding entry.
Username: Configure the username of the user/IP binding entry.
IP address: Configure the IP address of the user/IP binding entry.
Operation: Click the copy icon or delete icon to perform the corresponding operation.

To add a username and MAC address by manual configuration, take the following steps:
Click Manual configuration.
Enter the username and IP address.
Click the Ok button in the upper right corner of the webpage.
To import usernames and IP addresses in batch, click the Browse button, select the user/IP binding file from your local system, and click the Import button. To export usernames and IP addresses to a CSV file, click the Export button, select a file path in which to store your user/IP binding file, and click the Save button.

To add usernames and MAC addresses automatically, take the following steps:
Click the Automatic learning, can also be manually configured radio box to enable this function.

Binding log query
The binding log query displays the IP address and MAC address. To enter the binding log query page, choose Basic > Firewall > MAC/IP binding > MAC/IP binding log query from the navigation tree, as shown in Figure4-35.

Figure4-35 Binding log query

Table4-16 describes the binding log query items.

Table4-16 Binding log query
Serial number: Displays the serial number of the queried log.
Time: Displays the time when the device detected the unmatched IP address and MAC address.
IP address: Displays the unmatched IP address.
MAC address: Displays the MAC address that did not match the MAC/IP binding list.
Detailed information: Displays detailed information about the MAC/IP binding log.

To query the MAC/IP binding log, take the following steps:
Select the time range to query.
Click the Query button to view the results.
Click the Export to CSV button; you can choose whether to save or delete the MAC/IP binding log, and if you click the Save button you must choose a file path.
Click the Delete button to delete all searched MAC addresses and IP addresses.
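The following Python program is an added illustration of the MAC/IP binding check in section 4.14: the binding list of Table4-12 including the "only appointed address pass" mode, auto-learning of IP/MAC pairs from ARP as on the page described by Table4-11, and the unmatched-address log entries of Table4-16 (serial number, time, IP address, MAC address, detail). It is example code, not DPtech's implementation; the interface names, addresses and ARP samples are constructed, and the accepted MAC notations are an assumption of this example.

```python
"""MAC/IP binding check with auto-learning and a mismatch log
(added example, not DPtech code)."""
import re
from typing import Dict, List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e (an
    assumption of this example) and return lower-case colon notation, so
    that the same MAC written two ways still compares equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacIpBinding:
    def __init__(self, enabled_interfaces: List[str], only_bound_pass: bool = False):
        self.enabled = set(enabled_interfaces)
        self.only_bound_pass = only_bound_pass    # "only appointed address pass"
        self.table: Dict[str, str] = {}            # ip -> canonical mac
        self.learned: Dict[str, str] = {}          # auto-learning candidates
        self.log: List[Tuple[int, float, str, str, str]] = []  # serial, time, ip, mac, detail

    def bind(self, ip: str, mac: str) -> None:
        self.table[ip] = normalize_mac(mac)

    def learn_from_arp(self, arp_frames: List[Tuple[str, str]]) -> Dict[str, str]:
        """Record sender IP/MAC pairs seen in ARP, like the Auto-learn button."""
        for sender_ip, sender_mac in arp_frames:
            self.learned[sender_ip] = normalize_mac(sender_mac)
        return dict(self.learned)

    def add_learned(self, ips: List[str]) -> None:
        """Move selected learned entries into the binding list."""
        for ip in ips:
            self.table[ip] = self.learned[ip]

    def _record(self, now: float, ip: str, mac: str, detail: str) -> None:
        self.log.append((len(self.log) + 1, now, ip, mac, detail))

    def check(self, interface: str, ip: str, mac: str, now: float) -> str:
        """Return 'forward' or 'discard' for a packet seen on an interface."""
        if interface not in self.enabled:
            return "forward"                     # binding not enabled here
        mac = normalize_mac(mac)
        bound = self.table.get(ip)
        if bound is None:
            if self.only_bound_pass:
                self._record(now, ip, mac, "IP not in binding list")
                return "discard"
            return "forward"
        if bound != mac:
            self._record(now, ip, mac, f"expected {bound}")
            return "discard"
        return "forward"


def demo() -> dict:
    """Constructed trace: learn two hosts from ARP, bind one, then check packets."""
    b = MacIpBinding(["ge0/1"], only_bound_pass=True)
    b.learn_from_arp([("192.168.1.10", "00-1A-2B-3C-4D-5E"),
                      ("192.168.1.11", "001a.2b3c.4d5f")])
    b.add_learned(["192.168.1.10"])
    results = [
        b.check("ge0/1", "192.168.1.10", "00:1a:2b:3c:4d:5e", now=1),  # matches binding
        b.check("ge0/1", "192.168.1.10", "00:1a:2b:3c:4d:ff", now=2),  # forged MAC for bound IP
        b.check("ge0/1", "192.168.1.11", "00:1a:2b:3c:4d:5f", now=3),  # learned but never bound
        b.check("ge0/2", "192.168.1.11", "00:1a:2b:3c:4d:5f", now=4),  # interface not enabled
    ]
    return {"results": results, "log": b.log}


if __name__ == "__main__":
    print(demo())
```

The third packet is the one the "only appointed address pass" checkbox changes: with the checkbox off it would be forwarded because no binding contradicts it, with the checkbox on it is discarded and logged because its IP address is not in the list at all.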

4.15 Session management
Session management is mainly used for inspecting transport layer packets. Its essence is to track the connection state of the general TCP and UDP protocols through transport layer protocol inspection, maintaining and managing connection state uniformly.

Session list
To enter the session list page, choose Basic > Firewall > Session Management > Session List from the navigation tree, as shown in Figure4-36.

Figure4-36 Session management

Table4-17 describes the session list items.

Table4-17 Session list
No.: Displays the sequence number of the session list entry.
Protocol type: Transport layer protocol type: TCP, UDP, ICMP, ICMPv6, GRE, AH, ESP or Unknown protocol.
Session status: Displays the session status: new, close-wait, established, time-wait, etc.
Create time: Displays when the session was created.
TTL: Displays the session time to live.
Initiator Source Address:Port->Destination Address:Port: Displays the source port and destination port of the session initiator.
Initiator Packets/Bytes: Displays the total number of packets sent by the session initiator.

Responder Source Address:Port->Destination Address:Port: Displays the source port and destination port of the session responder.
Responder Packets/Bytes: Displays the total number of packets received by the session initiator.
Operation: Click the delete icon to delete this session record.

Session zone
To enter the session zone page, choose Basic > Firewall > Session Management > Session zone from the navigation tree, as shown in Figure4-37.

Figure4-37 Session zone

Session forwarding
After you enable this function, response packets are forwarded through the original interface, that is, the interface through which the request packets entered the device.
To enter the session forwarding page, choose Basic > Firewall > Session Management > Session forwarding from the navigation tree, as shown in Figure4-38.

Figure4-38 Session forwarding

Session parameter
To enter the session parameter page, choose Basic > Firewall > Session Management > Session parameter from the navigation tree, as shown in Figure4-39.

Figure4-39 Session parameter

Session monitoring
Session monitoring allows you to select one kind of session or several kinds to display. The session monitoring result is displayed as a trend chart.
To enter the session monitoring page, choose Basic > Firewall > Session Management > Session Monitoring from the navigation tree, as shown in Figure4-40.

Figure4-40 Session monitoring

Session log configuration
To enter the session log configuration page, choose Basic > Firewall > Session Management > Session Log Configuration from the navigation tree, as shown in Figure4-41.

Figure4-41 Session log configuration

Table4-18 describes the session log configuration items.

Table4-18 Session log configuration
Log type: Allows you to select the log type: NAT log or session log.
Log format: Allows you to select the log format: stream format or syslog format. Stream format log: binary format log received by the UMC server. Syslog format log: plain text log received by a log server.
Content format type: Allows you to select options for the stream format log and the syslog format. Normal: send logs in the normal format. Third party: send logs in a third party log format. If you select the stream format option, you can configure the Inbound interface of packet option and select the PROCID option. Inbound interface of packet: if you enable this option, the interface information field is added to the data packet. PROCID: if you enable this option, the PROCID field is added to the data packet. If you select the syslog format option, you can select the syslog1, syslog2, syslog3 or syslog4 log format. Guangdong Unicom format: syslog packets are transmitted in Guangdong Unicom format. Yunnan Telecom format: syslog packets are transmitted in Yunnan Telecom format. China Telecom format: syslog packets are transmitted in China Telecom format.

ZTE format: syslog packets are transmitted in ZTE format.
Method for sending log: Allows you to select the log sending method: share mode or send all. Share mode: the device sends logs to the log servers according to a load sharing method. You can configure at most 16 servers to receive logs, and you can configure a load sharing weight for each of the 16 servers. Send all: the device sends all logs to the log server.
Log Src IP: The source IP address of the log sending device.
Log Src Port: The source port of the log sending device.
Log server list: Allows you to configure the IP address and weight of each log server. Log server port: allows you to configure the log server port. The port number is

4.16 QoS
QoS is a network mechanism used to resolve the problems of network delay and network congestion. If the network carries only some specific applications, such as web applications or , without time limitation, QoS is not required. But it is very important for multi-layer applications. When network overload or network congestion happens, QoS can keep the network working efficiently and ensure that important services are neither delayed nor discarded.

Basic setting
To enter the basic setting page, choose Basic > Firewall > QOS > Basic setting from the navigation tree, as shown in Figure4-42.

Figure4-42 Basic setting

Table4-19 describes the basic setting items.

Table4-19 Basic setting
Name: Allows you to configure a name for the basic settings.

Device interface: Allows you to select an interface for bandwidth reservation.
Uplink bandwidth: Allows you to configure the uplink bandwidth.
Downlink bandwidth: Allows you to configure the downlink bandwidth.
Unit: Transmission rate unit: K, M or G. K represents kilobytes per second, M represents megabytes per second, G represents gigabytes per second.
User group bandwidth reservation: Bandwidth reservation for a user group.
Single user bandwidth reservation: Bandwidth reservation for a single user.
Operation: Click the copy icon or delete icon to perform the corresponding operation.

User group bandwidth reservation
User group bandwidth reservation allocates service streams according to their importance and delay sensitivity, making the most of the available bandwidth. If network congestion happens, low priority service is discarded. Bandwidth reservation: to provide users with satisfactory QoS, you must reserve bandwidth resources so that they are not consumed by other traffic.
To enter the VIP bandwidth guarantee page, choose Basic > Firewall > QOS > Traffic classification from the navigation tree, as shown in Figure4-43.

Figure4-43 Traffic classification

To configure user group bandwidth reservation:
Enter a name for this user group bandwidth reservation entry.
Select the interface group.
Select the user group.
Configure the guarantee rate.
Click the Ok button in the upper right corner of the webpage.

Configuration for the guarantee rate:
- Select one or more network application groups.
- Configure the uplink guarantee rate.
- Configure the maximum uplink rate.
- Configure the downlink guarantee rate.
- Configure the maximum downlink rate.
- Select the transmission rate unit.
- Click the Ok button in the upper right corner.

Single user bandwidth reservation

To enter the single user bandwidth reservation page, choose Basic > Firewall > QoS > Single user bandwidth reservation, as shown in Figure4-44.

Figure4-44 Single user bandwidth reservation

To configure single user bandwidth reservation:
- Enter a name for this single user bandwidth reservation entry.
- Select the interface group.
- Select the user group.
- Configure the guarantee rate.
- Click the Ok button in the upper right corner of the webpage.

Configuration for the guarantee rate:
- Select one or more network application groups.
- Configure the uplink guarantee rate.
- Configure the maximum uplink rate.
- Configure the downlink guarantee rate.
- Configure the maximum downlink rate.
- Select the transmission rate unit.
- Click the Ok button in the upper right corner.

4.17 Advanced QoS

Advanced QoS consists of traffic marking, congestion management, congestion avoidance and traffic shaping. It applies Weighted Round Robin (WRR) and Deficit Round Robin (DRR) scheduling to IP packets and implements Weighted Random Early Detection (WRED), traffic policing and traffic shaping for IP packets.

Traffic classification

Traffic classification decides which QoS action is applied to a packet.

Priority mapping table: the device provides several priority mapping tables, each representing a different priority mapping relationship. Under normal conditions the device looks up the default priority mapping table for a packet. If the default priority mapping table does not meet your needs, you can modify the mapping table as required.

To enter the traffic classification page, choose Basic > Firewall > QoS > Traffic classification, as shown in Figure4-45.

Figure4-45 Traffic classification

Table4-20 describes the details of traffic classification.

Table4-20 Traffic classification
CoS: CoS is a 3-bit priority field in the packet header (the 802.1p priority carried in the VLAN tag). It specifies a priority value between 0 and 7, which the default mapping relates to the DSCP class selectors CS0 through CS7, and it is used by quality of service (QoS).
EXP: EXP is a 3-bit field in the MPLS label. It specifies a priority value between 0 and 7. By default, EXP priorities and IPv4 priorities are mapped to each other.

DSCP: DiffServ uses the 6-bit Differentiated Services Code Point (DSCP) in the 8-bit Differentiated Services field (DS field) of the IP header to classify packets. The DS field and the ECN field replace the outdated IPv4 TOS field. DSCP specifies a priority value between 0 and 63. When QoS is applied, the device inspects the packet priority.
IPsec VPN: Select the IPsec VPN checkbox to enable QoS for IPsec VPN traffic.
SSL VPN: Select the SSL VPN checkbox to enable QoS for SSL VPN traffic.
Customize session parameter: Classifies packets by the IP quintuple: protocol, source IP address, destination IP address, source port and destination port.

Congestion avoidance

When network congestion grows, congestion avoidance drops packets proactively and adjusts the network traffic to eliminate the overload.

To enter the congestion avoidance page, choose Basic > Firewall > QoS > Congestion avoidance, as shown in Figure4-46.

Figure4-46 Congestion avoidance

Table4-21 describes the details of congestion avoidance.

Table4-21 Congestion avoidance
Name: Enter a name for the congestion avoidance policy.
Packet drop policy: Select a packet drop algorithm. To avoid the TCP global synchronization phenomenon, Random Early Detection (RED) or Weighted Random Early Detection (WRED) can be used.
  Weighted Random Early Detection (WRED): a queuing method that ensures high-precedence traffic has a lower loss rate than other traffic during congestion.
  Random Early Detection (RED): also known as random early discard or random early drop, a queuing discipline for a network scheduler suited to congestion avoidance.
Enabling connection
Maximum packet drop rate
Operation
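The traffic classification page above works on two things the device can read from every packet: the DSCP (and the CoS/EXP priority it maps to) and the IP quintuple used by "Customize session parameter". The following Python example is added here to show that classification on raw packet bytes; it is not DPtech code. Because the guide says a default priority mapping table exists but does not list it, the example assumes the usual default of taking the high three bits of the DSCP as the CoS/EXP value, and it assumes that a quintuple rule takes precedence over the DSCP-derived priority. The packets, addresses and rules are constructed for the example.

```python
"""IPv4 packet classification by DSCP and by the IP quintuple (added example)."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header without options


def dscp_to_cos(dscp: int) -> int:
    """Default mapping assumed here: CoS/EXP = the high 3 bits of DSCP, i.e. the
    class selector CS0..CS7 (EF, DSCP 46, maps to CoS 5). The guide only says that
    a default mapping table exists."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    return dscp >> 3


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               dscp: int = 0, ecn: int = 0) -> bytes:
    """Construct a minimal IPv4 packet for testing (header checksum left zero)."""
    tos = (dscp << 2) | (ecn & 0x3)
    header = struct.pack(IPV4_HDR, (4 << 4) | 5, tos, 20 + len(payload), 0, 0,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def l4_ports(sport: int, dport: int) -> bytes:
    """Start of a TCP/UDP header: both begin with source and destination port."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 4


def classify(packet: bytes) -> Dict[str, object]:
    """Extract DSCP/ECN, the derived CoS and the quintuple from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IHL")
    dscp, ecn = tos >> 2, tos & 0x03
    sport = dport = None
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP or UDP
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"dscp": dscp, "ecn": ecn, "cos": dscp_to_cos(dscp), "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport}


# A "customize session parameter" rule: (proto, src_net, dst_net, sport, dport, queue).
# None means "any". Rules are evaluated in order; the first match wins.
Rule = Tuple[Optional[int], Optional[str], Optional[str], Optional[int], Optional[int], int]


def session_rule_queue(info: Dict[str, object], rules: List[Rule]) -> Optional[int]:
    for proto, src_net, dst_net, sport, dport, queue in rules:
        if proto is not None and proto != info["proto"]:
            continue
        if src_net is not None and ipaddress.ip_address(info["src"]) not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and ipaddress.ip_address(info["dst"]) not in ipaddress.ip_network(dst_net):
            continue
        if sport is not None and sport != info["sport"]:
            continue
        if dport is not None and dport != info["dport"]:
            continue
        return queue
    return None


def queue_for(packet: bytes, rules: List[Rule]) -> int:
    """Quintuple rules take precedence over the DSCP-derived priority (assumption)."""
    info = classify(packet)
    q = session_rule_queue(info, rules)
    return q if q is not None else info["cos"]


if __name__ == "__main__":
    rules: List[Rule] = [(6, "10.0.0.0/24", None, None, 443, 7)]   # constructed rule
    pkt = build_ipv4("10.0.0.5", "198.51.100.7", 6, l4_ports(40000, 443), dscp=46)
    print(classify(pkt), "-> queue", queue_for(pkt, rules))
```

The checks on the version nibble and IHL matter on a classifier that sits in front of a firewall policy: a packet with options shifts the port fields, and a classifier that reads the ports at a fixed offset would match the wrong quintuple.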

Congestion management

Congestion management generally uses queuing technology. Traffic is first classified into queues, and a scheduling algorithm then decides the order in which the queues are served. Each queuing algorithm addresses specific network traffic problems and influences bandwidth allocation, delay and jitter. Congestion management consists of creating the queues, classifying packets, sending each packet to its queue and scheduling the queues.

To enter the congestion management page, choose Basic > Firewall > QoS > Congestion management, as shown in Figure4-47.

Figure4-47 Congestion management

Table4-22 describes the details of congestion management.

Table4-22 Congestion management
Name: Displays the congestion management policy name.
Outbound interface: Displays the outbound interface of the congestion management policy.
Congestion avoidance: Select the congestion avoidance setting to apply.
Total bandwidth settings: Configure the total bandwidth.
Franchise's PRI: Configure the privileged priority of the congestion management policy.
Low PRI protected: Select whether to enable low priority protection.
Priority setting: Configure the priority settings of the congestion management policy.
Operation: Click the copy icon to copy a congestion management rule, or the delete icon to delete one.
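The congestion avoidance section above names the two drop policies, RED and WRED, and a "maximum packet drop rate" column, but not the thresholds the device uses. The Python example below is added to show how those pieces fit together; it is not the device's implementation. The minimum and maximum thresholds and the maximum drop probability are assumptions, and the drop decision is a deterministic count-based variant of RED (real RED draws a random number) so that the run is reproducible. The sequence of average queue lengths fed to it is constructed.

```python
"""RED / WRED drop decision (added example; profile values are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RedProfile:
    min_th: float   # below this average queue length nothing is dropped
    max_th: float   # at or above this every packet is dropped
    max_p: float    # "maximum packet drop rate" reached just below max_th


def red_drop_probability(avg_queue: float, p: RedProfile) -> float:
    """Linear RED curve between min_th and max_th."""
    if avg_queue < p.min_th:
        return 0.0
    if avg_queue >= p.max_th:
        return 1.0
    return p.max_p * (avg_queue - p.min_th) / (p.max_th - p.min_th)


def ewma(avg: float, queue_len: int, weight: float = 0.002) -> float:
    """Exponentially weighted moving average of the queue length, as RED measures it.
    The small weight is what lets short bursts through without drops."""
    return (1 - weight) * avg + weight * queue_len


# WRED: one RED profile per precedence. The high precedence gets a higher min_th
# with the same max_th, so at the same average queue length it is dropped less.
WRED_PROFILE: Dict[int, RedProfile] = {
    0: RedProfile(min_th=10, max_th=40, max_p=0.5),   # low precedence
    6: RedProfile(min_th=30, max_th=40, max_p=0.5),   # high precedence
}


@dataclass
class ClassState:
    count: int = 0      # packets admitted since the last drop
    admitted: int = 0
    dropped: int = 0


def wred_decide(avg_queue: float, precedence: int, state: ClassState,
                profile: Dict[int, RedProfile]) -> bool:
    """Deterministic RED variant: drop roughly every 1/p-th packet.
    Drop frequency still grows with p, which is the property that matters here."""
    p = red_drop_probability(avg_queue, profile[precedence])
    drop = p >= 1.0 or (p > 0.0 and state.count * p >= 1.0)
    if drop:
        state.dropped += 1
        state.count = 0
    else:
        state.admitted += 1
        state.count += 1
    return drop


def simulate(avg_samples: List[float], profile: Dict[int, RedProfile]) -> Dict[int, ClassState]:
    """For each sampled average queue length one packet of every precedence arrives."""
    states = {prec: ClassState() for prec in profile}
    for avg in avg_samples:
        for prec in profile:
            wred_decide(avg, prec, states[prec], profile)
    return states


if __name__ == "__main__":
    samples = [5, 15, 25, 35, 45]     # constructed average queue lengths
    for prec, st in simulate(samples, WRED_PROFILE).items():
        print(f"precedence {prec}: admitted={st.admitted} dropped={st.dropped}")
```

With these profiles the low-precedence class starts losing packets once the average queue passes 10 while the high-precedence class is untouched until 30, which is the "lower loss rate for high-precedence traffic" that Table4-21 promises from WRED. Above max_th both classes are tail-dropped, so the thresholds, not the algorithm, decide how much protection high-precedence traffic really gets.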

Traffic shaping

Traffic shaping actively adjusts the output rate of traffic.

To enter the traffic shaping page, choose Basic > Firewall > QoS > Traffic shaping, as shown in Figure4-48.

Figure4-48 Traffic shaping

4.18 Anti-ARP-Spoofing

Anti-ARP-Spoofing

To enter the Anti-ARP-Spoofing page, choose Basic > Firewall > Anti-ARP-Spoofing, as shown in Figure4-49.

Figure4-49 Anti-ARP-Spoofing

Table4-23 describes the details of Anti-ARP-Spoofing.
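The Anti-ARP-Spoofing page lists, per entry, the IP address, MAC address, VLAN ID, interface and how the entry was obtained. The Python example below is added here to make concrete what such a table is good for; it is not DPtech code and the guide does not describe the device's detection logic. It parses Ethernet/ARP frames, keeps a binding table with static (configured) and dynamic (learned) entries, and raises an alert when a reply claims a known IP address with a different MAC, when the Ethernet source does not match the ARP sender, or when a binding moves to another interface or VLAN. All MAC and IP addresses and frames are constructed.

```python
"""ARP inspection: learn IP-to-MAC bindings and flag conflicting replies (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
                    vlan: Optional[int] = None, eth_src: Optional[str] = None) -> bytes:
    """Construct an Ethernet/ARP reply; eth_src lets a test forge the L2 source address."""
    frame = _mac_bytes(target_mac) + _mac_bytes(eth_src or sender_mac)
    if vlan is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    frame += struct.pack("!H", ETH_P_ARP)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)          # Ethernet/IPv4, opcode 2 = reply
    frame += _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return frame


def parse_frame(frame: bytes) -> Dict[str, object]:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETH_P_ARP or len(frame) < off + 28:
        raise ValueError("not a complete ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    a = frame[off + 8:off + 28]
    return {"eth_src": _mac(eth_src), "vlan": vlan, "oper": oper,
            "sha": _mac(a[0:6]), "spa": _ip(a[6:10]), "tha": _mac(a[10:16]), "tpa": _ip(a[16:20])}


@dataclass
class Binding:
    mac: str
    vlan: Optional[int]
    interface: str
    source: str     # "static" (configured) or "dynamic" (learned from traffic)


class ArpInspector:
    def __init__(self) -> None:
        self.table: Dict[str, Binding] = {}

    def add_static(self, ip: str, mac: str, vlan: Optional[int], interface: str) -> None:
        self.table[ip] = Binding(mac.lower(), vlan, interface, "static")

    def inspect(self, frame: bytes, interface: str) -> Optional[str]:
        """Return an alert for a suspicious frame, or None (and learn the binding)."""
        arp = parse_frame(frame)
        if arp["eth_src"] != arp["sha"]:
            return f"L2 source {arp['eth_src']} does not match ARP sender {arp['sha']} for {arp['spa']}"
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = Binding(arp["sha"], arp["vlan"], interface, "dynamic")
            return None
        if known.mac != arp["sha"]:
            return (f"ARP spoofing suspected: {arp['spa']} is bound to {known.mac} "
                    f"({known.source}, {known.interface}) but {arp['sha']} claims it on {interface}")
        if known.interface != interface or known.vlan != arp["vlan"]:
            return f"{arp['spa']} moved from {known.interface}/vlan {known.vlan} to {interface}/vlan {arp['vlan']}"
        return None

    def entries(self) -> List[tuple]:
        """Rows in the column order of Table4-23: IP, MAC, VLAN, interface, type."""
        return [(ip, b.mac, b.vlan, b.interface, b.source) for ip, b in sorted(self.table.items())]
```

A static entry for the gateway is the one that matters: a dynamic table only detects a change after it has first learned whatever it saw, so an attacker who answers before the real host is learned as legitimate. The static binding is never overwritten by traffic.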

Table4-23 Anti-ARP-Spoofing
Option: Select an anti-ARP-spoofing entry, then click the option.
IP address: Displays the IP address detected by anti-ARP-spoofing.
MAC address: Displays the MAC address detected by anti-ARP-spoofing.
VLAN ID: Displays the VLAN ID detected by anti-ARP-spoofing.
Interface: Displays the interface on which anti-ARP-spoofing detected the entry.
Type: Displays how the anti-ARP-spoofing entry was obtained.

ARP Configuration

The Address Resolution Protocol (ARP) resolves an IP address into a physical address (for example, an Ethernet MAC address). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of that device into the corresponding MAC address.

To enter the ARP configuration page, choose Basic > Firewall > ARP configuration, as shown in Figure4-50.

Figure4-50 ARP configuration

Table4-24 describes the details of ARP configuration.

Table4-24 ARP configuration
Interface name: Displays the names of all interfaces of the device.

Enable state: Enable or disable ARP configuration on the interface.

Chapter 5 Log Management

5.1 Introduction to Log Management

Log management provides log management functions for users, including:
- System log
- Operation log
- Business log (described as the service log in 5.4)

To access the log management interface, click Basic > Log management, as shown in Figure5-1.

Figure5-1 Log management menu

5.2 System Log

Latest Log

Latest log shows users the most recent system log entries. To enter the latest log page, click Basic > Log management > System log > Recent log; at most 25 log entries are shown on this page, as shown in Figure5-2.

Figure5-2 Latest log

To export the system log to the local system, click the Export button, then choose in the pop-up window whether to open the system log as a CSV file or save it to the local system.

Table5-1 describes the details of latest log. You can click the grey header of a column to sort the records by that column.

Table5-1 Latest log
Serial number: Shows the sequence number of the latest system log.
Time stamp: Shows when the system log was created.
Module: Shows which module the system log belongs to.
Severity level: Shows the severity of the latest system log. It includes:

  Fatal: an error that makes the system unusable.
  Emergency: an error for which users must take emergency measures.
  Critical: the system is in a dangerous state.
  Common error: an error that gives you a hint.
  Warning: warning information.
  Status: important information under normal conditions.
  Information: system information.
  Unknown: information of unknown severity.
Log content: Shows the specific system log message.

Note: Auto-refresh can be set to 10, 30 or 60 seconds; the page refreshes at that interval once you click the auto-refresh button and set the time, and it also refreshes when you click the refresh button.

Shading is used to warn the user and represents the severity of the system log:
- Red stands for fatal, emergency and critical.
- Orange stands for common error and warning.
- White stands for status, information and unknown.

System Log Query

System log query provides users with a system log querying function. To access the system log query page, click Basic > Log management > System log > System log query. System log query allows you to query the logs by different conditions, as shown in Figure5-3.

Figure5-3 System log query

Click the Export button and choose in the pop-up window whether to open or save the system log file. Click the Query button to view the logs. Use the Jump to or Per page drop-down lists to view the logs as you wish.

Note: If you select a customized time scope and click the Query button, you can view all system logs matching your query.

Table5-2 describes the details of the system log querying conditions.

Table5-2 System log querying conditions
Severity: Search system logs by severity.
Time scope: Search system logs by time scope.
Start time: Search system logs from this start time.
End time: Search system logs up to this end time.

System Log File Operation

System log file operation lets users save or delete the system log file of today or of a chosen day. To enter the system log file operation page, click Basic > Log management > System log > Log file operation, as shown in Figure5-4.

Figure5-4 System log file operation

Click the Save icon to save the system log file on your local system.
Click the delete icon to delete the system log file.

Note: System log files can be saved or deleted as you wish.

Table5-3 describes the details of system log file operation.

Table5-3 System log file operation
Serial number: Shows the sequence number of the system log file.
Log file name: Shows the creation date of the system log file; today is the current day.
Operation: Shows the back-up icon and the delete icon.

System Log Configuration

System log configuration provides users with settings for saving and exporting the system log. To enter system log configuration, click Basic > Log management > System log configuration, as shown in Figure5-5.

Figure5-5 System log configuration

Table5-4 describes the details of system log configuration. You can save the log file on the device or export the log file to your local system.

Table5-4 System log configuration
Export to remote log server: Set the remote server parameters, including the remote syslog server IP address, the service port and the time stamp.
Days for saving: The system deletes expired system logs according to your selection: one week, two weeks, three weeks, 30 days or a customized value. You can set a specific number of days for saving the system log.

5.3 Operation Log

Latest Log

The latest log page shows the most recent operation log entries. To enter the latest log page, click Basic > Log management > Operation log > Latest log, which shows the latest 25 operation log entries, as shown in Figure5-6.

Figure5-6 Latest log

Click the Export button at the bottom, then choose in the prompt window whether to view the operation log in CSV format or export the CSV log file to the local system. Table5-5 describes the details of the latest log; you can sort the log table by clicking a column header.

Table5-5 Latest log
Serial number: Shows the sequence number in which the operation log was generated.
Time stamp: Shows when the operation log was generated.

Client type: Shows the client type of the operation log, including:
  Web: the administrator manages the device through the web interface.
  Console: the administrator manages the device through the console port.
  Telnet: the administrator manages the device through the Telnet service.
  SSH: the administrator manages the device through the SSH service.
Administrator: Shows the administrator who performed the operation.
Address: Shows the IP address from which the operation was performed.
Operation result: Shows the result of the operation, success or fail. Success means the operation succeeded; fail means it failed.
Log content: Shows the content of the operation log.

Note: Auto-refresh refreshes the page every 10, 30 or 60 seconds, as selected, after you click the auto-refresh button. Click the refresh button to refresh the operation log page immediately.

Operation Log Query

Operation log query provides an operation log searching function. To enter the operation log query page, click Basic > Log management > Operation log > Log query, as shown in Figure5-7. Operation log query allows you to query logs by different search conditions.

Figure5-7 Operation log query

Click the Export button, then choose in the pop-up window whether to open the file to view the log content or save the operation log to the local system. Click the Search button to view all matching operation logs. Use the page and pieces drop-down lists to view the operation log as you wish.

Note: If you select customize as the time scope and click the Search button, the system shows the whole content of the operation log.

Table5-6 describes the details of operation log query.

Table5-6 Operation log query
Administrator: Shows the administrator who performed the logged operation.
IP address: Shows the IP address of the operation log.
Time scope: Select the time scope of the operation log.
Start time: Display or set the start time of the operation log.
End time: Display or set the end time of the operation log.

Log File Operation

Log file operation provides operation log back-up and delete functions. You can back up or delete the operation log of today or of a chosen day. To enter the page, click Basic > Log management > Operation log > Log file operation, as shown in Figure5-8.

Figure5-8 Log file operation

Click the back-up button of an operation log file to export the log file to the local system.
Click the delete button of an operation log file to delete it.

Operation log file operation backs up or deletes the operation log file of today or of a chosen day.

Table5-7 Back up or delete operation log file
Serial number: Shows the sequence number of the operation log file.
Log file name: Shows when the operation log file was generated; today is the current day.
Operation: Shows the back-up and delete buttons.

Operation Log Configuration

Operation log configuration provides the operation log settings. You can save or export the operation log according to this configuration. To enter the operation log configuration page, click Basic > Log management > Operation log > Log file operation, as shown in Figure5-9.

Figure5-9 Operation log configuration

Table5-8 describes the details of operation log configuration. You can save the operation log or export it to the local system.

Table5-8 Operation log configuration
Export to remote server: Set the export to remote server parameters, including the remote syslog server IP address, the service port and the time stamp format.
Days for saving: The system deletes expired operation logs according to your selection: one week, two weeks, three weeks, 30 days or a customized value. You can set a specific number of days for saving the operation log.
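The system log query (5.2) and the operation log query (5.3) above are the two places where an administrator actually investigates what the firewall saw and who changed it. The Python example below is added to show the same operations off-box over exported records; it is not DPtech code. It filters system log records by severity and time scope, exports them as CSV with the latest-log columns, applies the "days for saving" retention to a list of daily log files, and runs one detection over the operation log fields (client type, administrator, address, result): addresses with repeated failed operations. The severity ordering follows Table5-1, and treating a severity filter as "at least this severe" is an assumption. All records are constructed.

```python
"""Log query, retention and a failed-operation check over the log fields (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Severity names from Table5-1, most severe first (assumed ordering).
SEVERITIES = ["fatal", "emergency", "critical", "error", "warning", "status", "information", "unknown"]


@dataclass
class SystemLog:
    serial: int
    time: datetime
    module: str
    severity: str
    content: str


@dataclass
class OperationLog:
    time: datetime
    client: str        # web, console, telnet or ssh
    administrator: str
    address: str
    result: str        # "success" or "fail"
    content: str


def query_system_log(logs: List[SystemLog], severity: Optional[str] = None,
                     start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[SystemLog]:
    """Severity filter means 'at least this severe' (assumption); the time scope is inclusive."""
    worst = SEVERITIES.index(severity) if severity else len(SEVERITIES) - 1
    out = []
    for log in logs:
        if SEVERITIES.index(log.severity) > worst:
            continue
        if start is not None and log.time < start:
            continue
        if end is not None and log.time > end:
            continue
        out.append(log)
    return sorted(out, key=lambda l: l.serial)


def export_csv(logs: List[SystemLog]) -> str:
    """Same columns as the latest-log page. Quoting every field keeps log content that
    starts with '=' or '+' from being executed as a formula when the CSV is opened."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL)
    w.writerow(["serial", "time", "module", "severity", "content"])
    for log in logs:
        w.writerow([log.serial, log.time.isoformat(sep=" "), log.module, log.severity, log.content])
    return buf.getvalue()


def expired_log_files(file_dates: List[str], keep_days: int, today: str) -> List[str]:
    """Daily log files (ISO dates) older than keep_days are the ones "Days for saving" deletes."""
    cutoff = date.fromisoformat(today) - timedelta(days=keep_days)
    return [d for d in file_dates if date.fromisoformat(d) < cutoff]


def failed_operations_by_address(logs: List[OperationLog], threshold: int = 3) -> Dict[str, int]:
    """Addresses with at least `threshold` failed operations, e.g. repeated bad logins."""
    counts: Dict[str, int] = {}
    for log in logs:
        if log.result == "fail":
            counts[log.address] = counts.get(log.address, 0) + 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


def sample_data():
    """Constructed records; not real device output."""
    t = datetime(2011, 6, 1, 9, 0, 0)
    sys_logs = [
        SystemLog(1, t, "system", "information", "device started"),
        SystemLog(2, t + timedelta(minutes=5), "ips", "warning", "signature database is 40 days old"),
        SystemLog(3, t + timedelta(minutes=9), "system", "critical", "fan 2 failed"),
        SystemLog(4, t + timedelta(hours=2), "ha", "fatal", "lost heartbeat to peer"),
    ]
    op_logs = [
        OperationLog(t, "web", "admin", "10.0.0.50", "success", "login"),
        OperationLog(t + timedelta(minutes=1), "ssh", "admin", "203.0.113.9", "fail", "login"),
        OperationLog(t + timedelta(minutes=2), "ssh", "admin", "203.0.113.9", "fail", "login"),
        OperationLog(t + timedelta(minutes=3), "ssh", "root", "203.0.113.9", "fail", "login"),
        OperationLog(t + timedelta(minutes=4), "web", "admin", "10.0.0.50", "fail", "change password"),
    ]
    return sys_logs, op_logs


if __name__ == "__main__":
    sys_logs, op_logs = sample_data()
    print(export_csv(query_system_log(sys_logs, severity="warning")))
    print(failed_operations_by_address(op_logs))
    print(expired_log_files(["2011-05-01", "2011-05-24", "2011-06-01"], 7, "2011-06-01"))
```

The retention check is the reason to export logs to a remote server before the "days for saving" window elapses: once the device has deleted a daily file, the operation log of the day an account was misused is gone with it.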

5.4 Service Log

Service Log Configuration

Service log configuration provides the service log related settings. To enter the service log page, click Basic > Log management > Service log, as shown in Figure5-10.

Figure5-10 Service log configuration

Table5-9 describes the details of service log configuration. You can save the service log or export it to a remote server.

Table5-9 Service log configuration
Days for saving: The system deletes expired service logs according to your selection: one week, two weeks, three weeks, 30 days or a customized value. You can set a specific number of days for saving the service log.
Output to a remote syslog server: Configure the output to a remote syslog server, including the remote syslog server IP address and the service port.
Mail server IP address: Set the IP address of the mail server.
Source mail address: Set the source mail address.
Destination mail address: Set the destination mail address.
User name: Set the user name for the mail server.
Password: Set the password for the mail server.

The number of e-mails sent out every minute: Configure the sending frequency.
Domain name: Set the domain name of the user.
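Each of Tables 5-4, 5-8 and 5-9 ends with an "output to a remote syslog server" setting, and the log server list described earlier (before the QoS section) adds a choice between share mode, where logs are spread over up to 16 weighted servers, and send all. The Python example below is added to show what the device has to do for that export; it is not DPtech code. It maps the guide's eight severity names onto syslog severity codes and builds the RFC 3164 PRI and datagram, and it models the two sending methods. The severity mapping, the facility (local0) and the use of smooth weighted round-robin for share mode are assumptions, since the guide names none of them; the server addresses are constructed.

```python
"""Remote syslog export: PRI computation and "share mode" vs "send all" dispatch (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

MAX_LOG_SERVERS = 16     # limit stated for the log server list
LOCAL0 = 16              # facility used here; an assumption, the guide names none

# Guide severity names mapped onto RFC 3164 severity codes (assumed mapping).
SYSLOG_SEVERITY: Dict[str, int] = {"fatal": 0, "emergency": 1, "critical": 2, "error": 3,
                                   "warning": 4, "status": 5, "information": 6, "unknown": 7}


def syslog_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def format_syslog(severity_name: str, host: str, module: str, content: str, ts: datetime) -> bytes:
    """Datagram payload; the guide's "time stamp" option corresponds to the TIMESTAMP field."""
    pri = syslog_pri(LOCAL0, SYSLOG_SEVERITY[severity_name])
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"          # RFC 3164 day is space-padded
    return f"<{pri}>{stamp} {host} {module}: {content}".encode("utf-8")


def sample_message() -> bytes:
    """Constructed record, not device output."""
    return format_syslog("warning", "fw1", "ips", "signature database is 40 days old",
                         datetime(2011, 6, 1, 9, 5, 0))


@dataclass
class LogServer:
    ip: str
    port: int
    weight: int = 1
    current: int = 0    # running credit used by smooth weighted round-robin


class LogDispatcher:
    """mode="send_all": every record goes to every server.
    mode="share":    records are spread in proportion to the weights (smooth
                     weighted round-robin; the device's algorithm is not documented)."""

    def __init__(self, mode: str, src_ip: str = "0.0.0.0", src_port: int = 0) -> None:
        if mode not in ("share", "send_all"):
            raise ValueError("mode must be 'share' or 'send_all'")
        self.mode = mode
        self.src_ip, self.src_port = src_ip, src_port    # "Log Src IP" / "Log Src Port"
        self.servers: List[LogServer] = []

    def add_server(self, ip: str, port: int = 514, weight: int = 1) -> None:
        if len(self.servers) >= MAX_LOG_SERVERS:
            raise ValueError(f"at most {MAX_LOG_SERVERS} log servers are allowed")
        if weight < 1:
            raise ValueError("weight must be a positive integer")
        self.servers.append(LogServer(ip, port, weight))

    def targets(self) -> List[LogServer]:
        """Server(s) that receive the next record."""
        if not self.servers:
            raise RuntimeError("no log servers configured")
        if self.mode == "send_all":
            return list(self.servers)
        total = sum(s.weight for s in self.servers)
        for s in self.servers:
            s.current += s.weight
        chosen = max(self.servers, key=lambda s: s.current)
        chosen.current -= total
        return [chosen]

    def datagrams(self, payload: bytes) -> List[Tuple[Tuple[str, int], Tuple[str, int], bytes]]:
        """(source, destination, payload) tuples a sender would emit; nothing is sent here."""
        return [((self.src_ip, self.src_port), (s.ip, s.port), payload) for s in self.targets()]


def distribution(dispatcher: LogDispatcher, n_records: int) -> Dict[str, int]:
    """How many of n_records each server IP would receive."""
    counts = {s.ip: 0 for s in dispatcher.servers}
    for _ in range(n_records):
        for s in dispatcher.targets():
            counts[s.ip] += 1
    return counts


if __name__ == "__main__":
    d = LogDispatcher("share", src_ip="10.0.0.1", src_port=5140)
    d.add_server("192.0.2.10", weight=3)
    d.add_server("192.0.2.11", weight=1)
    print(sample_message())
    print(distribution(d, 400))            # 300 : 100
    print(d.datagrams(sample_message()))
```

Share mode only spreads load; a record is sent to exactly one server, so the server that receives it must be backed up or forwarded if the log is needed for evidence. Send all is the choice when every server must hold the complete log.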

Chapter 6 Load Balancing

6.1 Link Load Balancing

Introduction to Link Load Balancing

In the information age, people rely more and more on the network. To avoid the availability risk of a single ISP exit failing, and to solve the access problems caused by limited bandwidth, an enterprise will lease two or more ISP links (for example from China Telecom and China Netcom). How can the ISP links be used sensibly, without wasting network resources, so that the enterprise is served better? Traditional routing policy can solve the problem to some extent, but its inconvenient and inflexible configuration cannot adapt dynamically to changes in the network structure and cannot distribute packets according to bandwidth, so the high-throughput link cannot be used to the full. Through a dynamic algorithm, link load balancing balances the network traffic over multiple links; the algorithm is simple and self-adaptive.

Link Load Balancing

Interface config

To enter the interface config page, choose Service > Load balancing > Link config, as shown in Figure6-1.

Figure6-1 Interface config

Interface config

Click the Add configuration button to view the basic configuration of the ISP link, as shown in Figure6-2.

Figure6-2 Interface config

Link health check

To enter the interface config page, choose Service > Load balancing > Link config, as shown in Figure

6.1.4 ISP

To enter the ISP page, click Service > Load balancing > ISP, as shown in Figure6-3.

Figure6-3 ISP configuration

Chapter 7 Access Control

7.1 Rate Limitation

Introduction to the Rate Limitation

Network traffic can be divided into several service types according to the network protocol, such as the HTTP service, the FTP service and the e-mail service, and a different rate limitation can be applied to each service type; this is called bandwidth rate limitation.

To access the access control menu, choose Service > Access control, as shown in Figure7-1.

Figure7-1 Access control menu

Rate Limit

Rate limit

To enter the rate limit page, choose Service > Access control > Rate limit > Rate limit, as shown in Figure7-2.

Figure7-2 Rate limit

Table7-1 describes the configuration items of the rate limit.

Table7-1 Rate limit configuration items
Name: Configure a name for the user group limitation.
Limit parameter: Configure the user group limitation parameters.
Time: Select a time scope; the user group limitation takes effect during the selected time.
Disable: Select this option to disable the user group limitation.
Operation: Click the copy, delete or insert icon to perform that operation.

To create a user group limit, take the following steps:
- Configure a name for the user group limit, then select a status for the rate limitation rule.
- Select a service, then configure the upstream and downstream parameters for the service.
- Click the Ok button in the upper right corner of the webpage.

User group parameter

You can configure the user group parameters, including the network user group, the uplink and downlink rates, and the unit (bps).

Figure7-3 User group parameter

Table7-2 describes the configuration items of the user group parameter.

Table7-2 User group parameter
NetUserGroup: Configure a name for the user group parameter.
Up: Configure the uplink rate.
Unit(bps): Select a unit for the uplink rate limit.
Down: Configure the downlink rate.
Unit(bps): Select a unit for the downlink rate limit.
Operation: Click copy or delete to perform that operation.

Single user limit

To enter the single user limit page, choose Service > Access control > Rate limitation > Single user limit, as shown in Figure7-4.

Figure7-4 Single user limit

Table7-3 describes the configuration items of single user limit.

Table7-3 Single user limit
Name: Configure a name for the single user limit.
Limit parameter: Select a service, then configure the upstream and downstream parameters for the service.
Time: Select a time scope; the single user limitation takes effect during the selected time.
Disable: Select this option to disable the single user limitation.
Operation: Click the copy, delete or insert icon to perform that operation.

To create a rate limitation rule, take the following steps:
- Configure a name for the rate limitation rule, then select a status for the rule.
- Select a service, then configure the upstream and downstream parameters for the service.
- Click the Ok button in the upper right corner of the webpage.

Figure7-5 Rate limitation

Table7-4 describes the configuration items of the single user rate limit parameter.

Table7-4 Single user rate limit
NetUserGroup: Configure a name for the user group parameter.
Up: Configure the uplink rate.
Unit(bps): Select a unit for the uplink rate limit.
Down: Configure the downlink rate.
Unit(bps): Select a unit for the downlink rate limit.
Operation: Click copy or delete to perform that operation.

Caution:
- Rate limitation limits user communication between the inside network and the outside network; it cannot limit communication within the same network.
- Rate limitation controls the total network bandwidth of all users matching the rule.
- Rate limitation per IP address controls the bandwidth of each single user matching the rule.

Group Management

To enter the group management page, choose Service > Access control > Rate limitation > Group management, as shown in Figure7-6.

Figure7-6 Group management
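The caution above draws the distinction that matters when sizing a rule: a rate limitation bounds the sum of all matching users, a per-IP-address limitation bounds each user separately, and neither touches traffic that stays inside one network. The Python example below is added to show that difference with token buckets; it is not DPtech code, and the guide does not say how the device arbitrates among users sharing one limit, so the strict arrival-order arbitration here is an assumption. Rates are in bps as on the rate limit pages; the hosts, zones and offered traffic are constructed.

```python
"""Aggregate (rule-wide) vs per-IP rate limitation with token buckets (added example)."""
from dataclasses import dataclass
from typing import Dict, List


class TokenBucket:
    """Integer token bucket: rate in bits per second, burst in bits, time in milliseconds."""

    def __init__(self, rate_bps: int, burst_bits: int, now_ms: int = 0) -> None:
        self.rate_bps, self.burst_bits = rate_bps, burst_bits
        self.tokens, self.last_ms = burst_bits, now_ms

    def allow(self, now_ms: int, bits: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * elapsed // 1000)
        self.last_ms = now_ms
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


@dataclass(frozen=True)
class Packet:
    time_ms: int
    src_ip: str
    src_zone: str
    dst_zone: str
    bits: int


class RateLimitRule:
    """mode="aggregate": all users matching the rule share one bucket (Table7-1).
    mode="per_ip":     every source IP gets its own bucket (single user limit, Table7-3).
    Traffic staying inside one security zone is not limited, as the caution states."""

    def __init__(self, mode: str, rate_bps: int, burst_bits: int) -> None:
        if mode not in ("aggregate", "per_ip"):
            raise ValueError("mode must be 'aggregate' or 'per_ip'")
        self.mode, self.rate_bps, self.burst_bits = mode, rate_bps, burst_bits
        self.buckets: Dict[str, TokenBucket] = {}

    def _bucket(self, key: str, now_ms: int) -> TokenBucket:
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.rate_bps, self.burst_bits, now_ms)
        return self.buckets[key]

    def process(self, pkt: Packet) -> bool:
        if pkt.src_zone == pkt.dst_zone:
            return True                                   # intra-zone: never limited
        key = pkt.src_ip if self.mode == "per_ip" else "*"
        return self._bucket(key, pkt.time_ms).allow(pkt.time_ms, pkt.bits)


def passed_bits(rule: RateLimitRule, packets: List[Packet]) -> Dict[str, int]:
    """Bits forwarded per source IP after applying the rule in arrival order."""
    out: Dict[str, int] = {}
    for pkt in packets:
        out.setdefault(pkt.src_ip, 0)
        if rule.process(pkt):
            out[pkt.src_ip] += pkt.bits
    return out


def offered_traffic() -> List[Packet]:
    """Constructed: two inside hosts each send 100 kbit every 100 ms to the outside (1 Mbps each)."""
    pkts = []
    for i in range(10):
        for ip in ("10.0.0.11", "10.0.0.12"):
            pkts.append(Packet(i * 100, ip, "trust", "untrust", 100_000))
    return pkts


if __name__ == "__main__":
    print("aggregate 1 Mbps:", passed_bits(RateLimitRule("aggregate", 1_000_000, 100_000), offered_traffic()))
    print("per-IP 1 Mbps:   ", passed_bits(RateLimitRule("per_ip", 1_000_000, 100_000), offered_traffic()))
    print("per-IP 500 kbps: ", passed_bits(RateLimitRule("per_ip", 500_000, 100_000), offered_traffic()))
```

With 2 Mbps offered, the aggregate 1 Mbps rule forwards 1 Mbit in total and the per-IP 1 Mbps rule forwards 2 Mbit. The aggregate run also shows why the arbitration assumption matters: with strict arrival order the first host takes the whole allowance and the second gets nothing, so a rule-wide limit is a cap on the group, not a guarantee of fairness within it.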

7.1.5 Network Application Browsing

To enter the network application browsing page, choose Service > Access control > Rate limitation > Browsing, as shown in Figure7-7.

Figure7-7 Network application browsing

Typical configuration for the Rate Limitation

Network requirement

On the firewall device, configure rate limitation with the network working in layer 3 interface mode. The marketing department IP segment is , excluding the IP address ; the research department IP segment is /24, excluding the IP address . Then perform the following operations:
- Per-IP-address rate limitation for the marketing department for file transfer: upstream 10 kbps.
- Rate limitation for the research and development department for HTTP download: downstream 1 Mbps.

Configuration requirement

Configuration procedures

Choose Basic > Network management > Network user group > IP user group.
WAN interface: eth0/3, access method: PPPoE; type the name and password provided by the ISP.
LAN interface: eth0/0, IP address: , subnet mask: 24; eth0/5, IP address: , subnet mask: 24; then click the Ok button.
Choose Basic > Network management > Network user group > IP address to enter the IP address page.
Click the add button in the upper right corner. Type the name: marketing department. IP address range: , exclude IP: . Click the Ok button in the upper right corner.

Click the add button and type the name: research and development department. IP address range: , mask: 24, exclude IP: . Click the Ok button in the upper right corner.
Choose Service > Access control > Rate limitation to enter the rate limitation page.
Create a rate limitation rule, for example bandwidth1:
- Type a name for the rate limitation rule: bandwidth1.
- Select the Enable status.
- Configure the rate limitation parameter: select the service type file transfer and configure the rate limitation as 1Mbps.
- Click the Ok button in the upper right corner of the webpage.
Click the rate limitation per IP address tab.
Create a rate limitation per IP address rule, bandwidth2:
- Configure a name for the rate limitation: bandwidth2.
- Select the Enable status.
- Configure the rate limitation parameter: select the service type HTTP download and configure the rate limitation as 1Mbps.
- Click the Ok button in the upper right corner of the webpage.
Choose Basic > Network management > Network object > Security zone to enter the security zone page.
Select the trust security zone, interfaces: eth0/0 and eth0/5.
Select the untrust security zone, interface: eth0/3.
Click the Ok button in the upper right corner of the webpage.
Reference the IP addresses, security zones and rate limitation rules configured above in the packet filtering policy.

7.2 Access Control

Introduction to the Access Control

The device decides, from the application protocol of the packets it receives, which service the packets belong to, and blocks all packets of that service.

7.2.2 Access Control

To access the access control page, choose Service > Access control > Access control, as shown in Figure7-8.

Figure7-8 Access control

Table7-5 describes the configuration items of access control.

Table7-5 Access control configuration items
Name: Configure a name for the access control rule.
Network application group: Select a network application group.
Action set: Select black list or white list as the action of the access control rule.
Send log: Select whether to enable the send log function.
Operation: Click the copy or delete icon to perform that operation.

To create an access control rule, take the following steps:
- Configure a name for the rule.
- Select the network application group, select an action for the rule, and select whether to enable the send log function.
- Click the Ok button in the upper right corner of the webpage.

Caution: Access control restricts communication between the inside network and the outside network; it cannot restrict communication within the same network.

Group Management

To enter the group management page, choose Service > Access control > Rate limitation > Group management, as shown in Figure7-9.

Figure7-9 Group management

To configure network application group management, take the following steps:
- In the left box (the system pre-defined box), double-click the user-defined application and configure a name for it.
- Click the edit icon to select a protocol and configure the port number.
- Click the add button to add an entry to the user-defined application.
- Click the delete button to delete an entry from the user-defined application.
- In the right box (the user-defined application group box), double-click the node of an application group and configure a name for it.
- Click the add button to add a user-defined application group entry.
- Click the delete button to delete a user-defined application group entry.
- Click a node of the system pre-defined tree in the left box and drag it to the user-defined tree in the right box; this adds the application to a network application group.
- Click a node of the user-defined tree to configure the rate limitation priority of the node.

To enter the network application browsing page, choose Service > Access control > Rate limitation > Browsing, as shown in Figure7-10.

Figure7-10 Network application browsing

Typical configuration for the Access Control

Network requirement

On the firewall device, configure access control for the marketing department. Its IP segment is , excluding the IP address . Then perform the following operation:
- For the marketing department, block Tencent QQ and PPLive.

Configuration requirement

Configuration procedures

Choose Basic > Network management > Network user group > IP user group.
WAN interface: eth0/3, access method: PPPoE; type the name and password provided by the ISP.
LAN interface: eth0/0, IP address: , subnet mask: 24; eth0/5, IP address: , subnet mask: 24; then click the Ok button.
Choose Basic > Network management > Network user group > IP address to enter the IP address page.
Click the add button in the upper right corner. Type the name: marketing department. IP address range: , exclude IP: . Click the Ok button in the upper right corner.

Choose Service > Access control > Group management to enter the group management page.
Create an application group, yyz, and drag Tencent QQ and PPLive into yyz.
Select the Access control tab.
Create an access control rule, bandwidth3:
- Configure a name for the access control rule: bandwidth3.
- Network application group: yyz.
- Select blacklist and select the send log option.
- Click the Ok button in the upper right corner of the webpage.
Reference the IP addresses, security zones and access control rule configured above in the packet filtering policy.

7.3 URL Filtering

URL filtering (URL: Uniform Resource Locator) is a webpage filtering function that filters HTTP request packets according to IP address, host name or regular expression. URL filtering relies on the URL filtering database, and it lets the user flexibly configure URL filtering rules.

URL Classification Filtering

To enter the URL classification filtering page, choose Service > Access control > URL filtering > Classification, as shown in Figure7-11.

Figure7-11 URL classification filtering

Table7-6 describes the configuration items of URL classification filtering.

Table7-6 URL classification filtering configuration items
Name: Configure a name for the URL filtering rule.
Filtering classification: Upgrade the signature database to obtain the system classifications, or customize your own classification.

  Configure the URL filtering parameter; you can select a customized URL classification.
Black/white list: Select the action of the URL filtering rule: blacklist or white list.
Send log: Select whether to enable the send log function.
Page push: Select whether to enable the page push function.
Operation: Click the copy icon to copy a URL filtering rule entry, or the delete icon to delete one.

Customize URL Classification

To access the customize URL classification page, choose Service > Access control > URL filtering > Customize, as shown in Figure7-12.

Figure7-12 Customize URL classification

Table7-7 describes the configuration items of the customized URL classification.

Table7-7 Customize URL classification
Classification name: Configure a name for the URL classification.
URL list: Configure the URL list.
Operation: Click the copy icon to copy a customized URL classification entry, or the delete icon to delete one.

7.3.3 Advanced URL Filtering

To enter the advanced URL filtering page, click Service > Access control > URL filtering > Advanced URL filtering, as shown in Figure7-13.

Figure7-13 Advanced URL filtering

Table7-8 describes the configuration items of advanced URL filtering.

Table7-8 Advanced URL filtering configuration items
Name: Configure a name for the advanced URL filtering rule.
Filter parameter: Configure the advanced URL filtering parameters, including:
  IP address: filter according to the IP address.
  Host name: filter according to the host name.
  Regular expression: filter according to the content matched by a regular expression.
Black/white list: Select the action of the advanced URL filtering rule: blacklist or white list.
Send log: Select whether to enable the send log function (blacklist log, white list log).
Operation: Click the copy icon to copy an advanced URL filtering rule entry, or the delete icon to delete one.

To create an advanced URL filtering rule, take the following steps:
- Configure the URL filtering policy and a name for the rule.
- Configure the filter parameters for the rule.
- Select blacklist, then enable the send log function and the page push function.
- Click the Ok button in the upper right corner of the webpage.

Figure7-14 Advanced URL filtering configuration
Table7-9 describes the configuration items of the filter parameter.
Table7-9 URL filter parameter configuration items
Filter type: Select a type of the filter parameter.
Filter parameter: In the filter parameter column, configure the filter parameter: IP address (filtering according to the IP address); Host name (filtering according to the host name); Regular expression (filtering according to the content matched by the regular expression).
Operation: Click the copy icon to copy an entry of the filter parameter. Click the delete icon to delete an entry of the filter parameter.
URL Filter Page Push
To enter the URL filter page push interface, choose Service > Access control > URL filter page push, as shown in Figure7-15.

Figure7-15 URL filter page push
The URL filter page push provides a custom template that allows the user to customize the page push information, as shown in Figure7-16.
Figure7-16 URL page push
Typical configuration for the Rate Limitation
Network requirement
On the firewall device, you can configure rate limitation. The working mode of the network configuration is layer 3 interface. Configure the marketing department IP segment as , excluding the IP address , and the research department IP segment as /24, excluding the IP address . Then do the following operations and view the logs by using 3CDaemon:
Allow the marketing department to access IP address: , hostname: news.sina.com.cn
Prohibit research and development from accessing websites whose URL contains sports, regular expression: sports.*

Configuration requirement
The following is the network diagram for the URL configuration, as shown in Figure7-17.
Figure7-17 Advanced URL filtering
Configuration procedures
Choose Basic > Network management > Network user group > IP user group. WAN interface: eth0/3, access method: PPPoE; type the user name and password provided by the ISP. LAN interface: eth0/0, IP address: , subnet mask: 24; eth0/5, IP address: , subnet mask: 24. Then click the Ok button.
Choose Basic > Network management > Network user group > IP address to enter the IP address page. Click the add button in the upper right corner.

Type the name: marketing department. IP address range: , exclude IP: . Click the Ok button in the upper right corner.
Click the add button and type the name: research and development department. IP address range: , mask: 24, exclude IP: . Click the Ok button in the upper right corner.
Choose Service > Access control > Advanced to enter the advanced URL interface.
Create a rule for the advanced URL configuration, such as URL1. Type a name for the advanced URL configuration, such as URL1. Configure the filter parameter: select IP address and configure , host name: news.sina.com.cn, then click the Confirm button. Select white list and enable the send log option. Click the Ok button in the upper right corner on the webpage.
Create a rule for the advanced URL configuration: URL2. Configure a name for the advanced URL configuration: URL2. Configure the filter parameter: select regular expression, configure the fixed character string: sports, expression: sports.*, and click the Confirm button. Select blacklist for the URL rule and enable the send log option. Click the Ok button in the upper right corner on the webpage; the advanced URL configuration is then finished.
Choose Basic > Network management > Network object > Security zone to enter the security zone interface. Select the trust security zone, interfaces: eth0/0, eth0/5. Select the untrust security zone, interface: eth0/3. Click the Ok button in the upper right corner on the webpage.
Reference the IP addresses, security zones and advanced URL rules configured above in the packet filtering policy.
Caution: All rules configured in the access control module must be referenced by the packet filtering policy.
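The walkthrough above binds two IP user groups (with excluded addresses) to a whitelist rule and a blacklist rule through the packet filtering policy. The following Python is an added example, not DPtech code, that models that evaluation; all addresses are constructed placeholders because the manual's own values were not captured, and the whitelist semantics (a group with whitelist rules may only reach matching URLs) is an assumption.

```python
"""Added example, not DPtech code: the policy evaluation implied by the
advanced URL filtering walkthrough. Addresses are constructed placeholders."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class IPUserGroup:
    """An IP address entry under Network user group: address range plus
    excluded addresses, as configured for the two departments."""
    name: str
    networks: List[str]                       # CIDR strings
    exclude: Set[str] = field(default_factory=set)

    def contains(self, ip: str) -> bool:
        if ip in self.exclude:                # "exclude IP" of the entry
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in self.networks)


@dataclass
class URLRule:
    """An advanced URL filtering rule: one or more filter parameters
    (Table7-9) and a blacklist/whitelist action (Table7-8)."""
    name: str
    params: List[Tuple[str, str]]             # ("ip" | "host" | "regex", value)
    action: str                               # "whitelist" or "blacklist"
    send_log: bool = True

    def matches(self, dst_ip: str, host: str, url: str) -> bool:
        for ftype, value in self.params:
            if ftype == "ip" and dst_ip == value:
                return True
            if ftype == "host" and host.lower() == value.lower():
                return True
            if ftype == "regex" and re.search(value, url):
                return True
        return False


def evaluate(policy: List[Tuple[str, str]], groups: Dict[str, IPUserGroup],
             rules: Dict[str, URLRule], src_ip: str, dst_ip: str,
             host: str, url: str) -> Tuple[str, List[str]]:
    """policy lists (group, rule) pairs: the packet filtering policy that
    must reference every access control rule. Assumed semantics: a matching
    blacklist rule blocks; if the source's group has whitelist rules, only
    URLs matching one of them are permitted; everything else is permitted.
    Returns (verdict, log lines)."""
    logs: List[str] = []
    bound = [rules[r] for g, r in policy if groups[g].contains(src_ip)]

    def log(rule: URLRule, verdict: str) -> None:
        if rule.send_log:                     # the rule's "send log" option
            logs.append(f"{rule.action} {rule.name}: {src_ip} -> {url} {verdict}")

    for rule in bound:
        if rule.action == "blacklist" and rule.matches(dst_ip, host, url):
            log(rule, "blocked")
            return "block", logs
    whitelists = [r for r in bound if r.action == "whitelist"]
    if not whitelists:
        return "permit", logs
    for rule in whitelists:
        if rule.matches(dst_ip, host, url):
            log(rule, "permitted")
            return "permit", logs
    return "block", logs


# constructed sample configuration mirroring the walkthrough
GROUPS = {
    "marketing": IPUserGroup("marketing", ["10.1.1.0/24"], {"10.1.1.1"}),
    "rnd": IPUserGroup("research and development", ["10.1.2.0/24"], {"10.1.2.1"}),
}
RULES = {
    "URL1": URLRule("URL1", [("ip", "203.0.113.10"), ("host", "news.sina.com.cn")], "whitelist"),
    "URL2": URLRule("URL2", [("regex", r"sports.*")], "blacklist"),
}
POLICY = [("marketing", "URL1"), ("rnd", "URL2")]

if __name__ == "__main__":
    print(evaluate(POLICY, GROUPS, RULES, "10.1.1.10", "203.0.113.10",
                   "news.sina.com.cn", "http://news.sina.com.cn/"))
    print(evaluate(POLICY, GROUPS, RULES, "10.1.2.10", "198.51.100.5",
                   "www.example.com", "http://www.example.com/sports/live"))
```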

7.4 SQL Injection Protection
SQL injection is a technique often used to attack databases through a website. A SQL injection attack goes through the normal WWW port of the website and looks like ordinary webpage traffic, so the firewall device cannot alarm on it, and if the administrator does not review the IIS log the injection may go undetected for a long time. SQL injection protection is therefore especially important.
To enter the SQL injection protection interface, choose Service > Access control > SQL injection protection, as shown in Figure7-18.
Figure7-18 SQL injection prevention
Table7-10 describes the configuration items of the SQL injection protection.
Table7-10 SQL injection protection configuration items
Name: Configure a name for the SQL injection protection rule.
Exceptional interface: Configure the exceptional interface.
Exceptional parameter: Configure the exceptional parameter.
Action: Select an action for the rule, including warning and block.
Operation: Click the copy icon to copy an entry of the SQL injection protection rule. Click the delete icon to delete an entry of the SQL injection protection rule.
Chapter 8 VPN
A virtual private network (VPN) is a private network that interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. VPNs provide security through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to securely connect the branch offices of an organization to a head office network through the public Internet. The VPN module includes:
IPSec

L2TP
PPTP
GRE
SMAD
Introduction to IPSec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.
IPsec sysconfig
To enter the IPsec sysconfig interface, choose Service > VPN > IPSec > IPSec sysconfig, as shown in Figure8-1.
Figure8-1 IPSec sysconfig
Table8-1 describes the configuration items of the IPSec VPN configuration.
Table8-1 IPSec VPN configuration
Enable IPSec: Select whether to enable the IPSec function.

Advanced configuration: Select whether to enable the NAT traversal function. Select whether to enable the NAT session keepalive mechanism and configure the interval for sending NAT session keepalive packets (default is 20 seconds). Select whether to use IPsec acceleration. Select whether to enable layer 2 IPSec. Select whether to enable UDP checksum. Select the route add mode (this configuration takes effect after IPsec is restarted).
Table8-2 describes the configuration items of the IPSec VPN client access mode and gateway-gateway mode.
Table8-2 IPSec VPN client access mode and gateway-gateway mode
Connection Name: Displays the name of the IPSec rule.
Bind Interface
Advanced Configuration
Status: Displays the status of the IPSec rule.
Local IP Address: Displays the local IP address for the IPSec rule.
Remote IP address: Displays the remote IP address for the IPSec rule.
Local Device ID: Auto (the system auto-selects the local IP address as the local device ID); Host Name (required when NAT traversal is configured); IP Address (manually input any IP address on the local device as the local ID); Local Certificate ID Alias (required when the validity of the remote certificate ID alias must be strictly checked).
Remote device ID: Auto (the system auto-selects the local IP address as the local device ID); Host Name (required when NAT traversal is configured); IP Address (manually input any IP address on the local device as the local ID); Local Certificate ID Alias (required when the validity of the remote certificate ID alias must be strictly checked).
Client ID: Configure the client ID number.
Subnets Available to the clients: List the encryption protection subnets available to the clients.
Authentication Mode: Four kinds of authentication method are provided: Pre-shared key; Digital Certificate: usercert.cer (select the local certificate for certificate authentication); Xauth Authentication; Assign private IP address for clients.

Advanced configuration: Click the pencil icon to enter the advanced configuration interface, including: Negotiation mode; IPSec Encryption Failed Action; IPSec Security Protocol; IKE Security Proposal; IPSec Security Proposal.
Operation: Click the copy icon to copy an entry of the IPSec rule. Click the delete icon to delete an entry of the IPSec rule.
To configure IPSec VPN client access mode, take the following steps:
Configure a correct name for the IPSec rule.
Select the Enable status for the rule.
Configure the local IP address, example:
Configure the local device ID; from the four options, select the obtaining method as required, example: auto.
Configure the client ID; from the four options, select the obtaining method as required, example: auto.
Add the encryption protection subnets for the clients.
Configure the authentication method; from the four options, select an authentication method as required, example: pre-shared key.
Configure the advanced configuration.
After you finish the above steps, click the Ok button in the upper right corner.
To configure IPSec VPN gateway-gateway mode:
Configure a correct name for the IPSec rule.
Select the Enable status for the rule.
Configure the local IP address, example:
Configure the remote IP address, example:
Configure the local device ID; from the four options, select the obtaining method as required, example: auto.

Configure the remote device ID; from the four options, select the obtaining method as required, example: auto.
Configure an IP segment for the source IP address of the packets, example: \24; configure an IP segment for the destination IP address of the packets, example: \24.
Configure the authentication method; from the two options, select an authentication method as required, example: pre-shared key.
After you finish the above steps, click the Ok button in the upper right corner on the webpage.
IPsec policy mode
To enter the IPsec policy mode interface, choose Service > VPN > IPSec > IPSec policy mode, as shown in Figure8-2.
Figure8-2 IPsec policy mode
IPsec route mode
To enter the IPsec policy mode interface, choose Service > VPN > IPsec > IPsec policy mode, as shown in Figure8-3.
Figure8-3 IPsec route mode

8.1.5 Net protect
To enter the Net protect interface, choose Service > VPN > IPsec > Net protect, as shown in Figure8-4.
Figure8-4 Net protect
SA
To enter the SA interface, choose Service > VPN > IPsec > SA, as shown in Figure8-5.
Figure8-5 SA
IPsec interface
To enter the IPsec interface, choose Service > VPN > IPsec > IPsec interface, as shown in Figure8-6.
Figure8-6 IPsec interface
8.2 L2TP
Introduction to L2TP
L2TP is a standard Internet tunneling protocol similar to PPTP, and both of them can encrypt the network data stream. The differences are that PPTP requires an IP network, whereas L2TP is a peer-to-peer connection oriented to data packets; PPTP uses a single tunnel, whereas L2TP uses multiple tunnels; and L2TP provides packet header compression and tunnel verification, which PPTP does not support.

8.2.2 L2TP
To enter the L2TP configuration interface, click Service > VPN > L2TP, as shown in Figure8-7.
Figure8-7 L2TP configuration
Table8-3 describes the configuration items of the LNS.
Table8-3 LNS configuration items
Tunnel name: Displays the tunnel name of the LNS rule.
Tunnel interface IP: Configure the IP address of the tunnel interface.
PPP authentication mode: Select an option from the PPP authentication mode drop-down list, such as CHAP, PAP, MSCHAP, and MSCHAPV2.
Client IP address range: Configure the client IP address range; local tunnel IP addresses are allocated from this address pool.
Advanced configuration: Click the modify icon to configure the advanced configuration of the LNS rule.
Operation: Click the delete icon to delete an entry of the LNS rule.
Table8-4 describes the configuration items of the LAC.
Table8-4 LNS configuration items
Enable L2TP: Displays whether the L2TP function is enabled.
Tunnel Name: Displays the tunnel name.

Remote LNS IP: Displays the remote LNS.
Trigger Mode: Displays the IP trigger mode.
Advanced Configuration: Displays the advanced configuration.
To batch import or export the configuration, take the following steps:
To batch import the configuration, click the Browse button, select the file path for the configuration file in the pop-up window, and click Import.
To export the configuration, click Export, then click the Save as button, select the file path for the configuration file, and click the Save button.
L2TP user authentication
To enter the L2TP configuration interface, click Service > VPN > L2TP, as shown in Figure8-8.
Figure8-8 L2TP user authentication
L2TP IP pool
To enter the L2TP IP pool interface, click Service > VPN > L2TP IP pool, as shown in Figure8-9.

Figure8-9 L2TP IP pool
L2TP online status
To enter the L2TP online status interface, click Service > VPN > L2TP online status, as shown in Figure8-10.
Figure8-10 L2TP online status
8.3 PPTP
Point to Point Tunneling Protocol (PPTP) is a technology supporting multi-protocol VPN, working at layer 2.
To enter the L2TP configuration interface, click Service > VPN > PPTP, as shown in Figure8-11.
Figure8-11 PPTP
Table8-5 describes the configuration items of the PNS configuration.

Table8-5 PNS configuration
Tunnel name: Displays the name of the tunnel.
Local tunnel IP: Configure the local tunnel IP address.
PPP authentication mode: Select the PPP authentication method.
Client IP address range: Configure the start IP address of the IP address pool and the size of the IP address pool.
DNS server: Configure the DNS server address.
Operation: Click the delete icon to delete the PNS configuration.
Table8-6 describes the configuration items of the customer configuration.
Table8-6 Customer information
User name: Configure a user name for the customer information.
Password: Configure the corresponding password for the user name.
Confirm password: Enter the configured password again to confirm it.
Operation: Click the copy icon to copy an entry of the user information configuration. Click the delete icon to delete an entry of the user information configuration.
8.4 GRE
Introduction to the GRE
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol. A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets.
GRE configuration
To enter the GRE configuration interface, click Service > VPN > GRE, as shown in Figure8-12.

Figure8-12 GRE configuration
Table8-7 describes the configuration items of GRE.
Table8-7 GRE configuration items
Tunnel interface NO: Configure the GRE tunnel interface number (from 1 to 64).
Tunnel interface IP address: Configure the GRE tunnel interface IP address.
Tunnel source interface/IP address: Displays the GRE tunnel source interface or IP address; select the tunnel interface or the corresponding IP address.
Tunnel destination IP address: IP address of the remote device of the GRE configuration.
Advanced configuration: Configure the advanced configuration, including MTU discovery, checksum checkout and tunnel key.
Operation: Allows you to copy or delete the GRE rule. Click the copy icon to copy an entry of the GRE rule. Click the delete icon to delete an entry of the GRE rule.
To configure the GRE VPN rule, take the following steps:
Configure a name corresponding to the GRE rule.
Configure the tunnel IP address, example: /24.
Configure the tunnel source interface/IP address, example: or eth0_7.
Configure the tunnel destination IP address, such as /24.
Configure the advanced configuration, including MTU discovery, checksum checkout and tunnel key.
After you finish the above steps, click the Ok button in the upper right corner on the webpage.
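The checksum checkout, tunnel key and MTU discovery options in the advanced configuration above correspond to optional fields of the GRE header (RFC 2784/2890) and to the per-packet encapsulation overhead. The following Python is an added example, not DPtech code, that builds and validates such headers and derives the overhead; the inner payload is a constructed byte string, and the drop behaviour on checksum or key mismatch is the standard receiver behaviour, not a description of the device's implementation.

```python
"""Added example, not DPtech code: the GRE header fields behind the
checksum checkout, tunnel key and MTU discovery options (RFC 2784/2890)."""
import struct
from typing import Optional, Tuple

GRE_FLAG_CHECKSUM = 0x8000   # C bit: checksum + reserved1 fields present
GRE_FLAG_KEY = 0x2000        # K bit: 32-bit tunnel key present
GRE_FLAG_SEQ = 0x1000        # S bit: sequence number present
GRE_VERSION_MASK = 0x0007    # only version 0 is handled here
GRE_PROTO_IPV4 = 0x0800      # protocol type of the encapsulated packet
OUTER_IPV4_HEADER = 20       # delivery header without options


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_overhead(key: bool, checksum: bool) -> int:
    """Bytes added per packet; the tunnel MTU that MTU discovery must
    honour is the path MTU minus this value."""
    return OUTER_IPV4_HEADER + 4 + (4 if checksum else 0) + (4 if key else 0)


def gre_encapsulate(payload: bytes, key: Optional[int] = None,
                    checksum: bool = False, proto: int = GRE_PROTO_IPV4) -> bytes:
    """Prepend a GRE header; the outer IP header is left to the IP stack."""
    flags = (GRE_FLAG_CHECKSUM if checksum else 0) | (GRE_FLAG_KEY if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += b"\x00\x00\x00\x00"          # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        # the checksum covers the GRE header (field zeroed) and the payload
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet: bytes,
                    expected_key: Optional[int] = None) -> Tuple[int, Optional[int], bytes]:
    """Validate and strip the GRE header; raises ValueError for packets the
    receiving tunnel endpoint should drop."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    needed = 4 + sum(4 for f in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & f)
    if len(packet) < needed:
        raise ValueError("truncated GRE header")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        # with the checksum field included, a valid packet sums to all ones
        if ones_complement_checksum(packet) != 0:
            raise ValueError("bad checksum")
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("tunnel key mismatch")
    return proto, key, packet[offset:]


def gre_check(packet: bytes, expected_key: Optional[int] = None) -> str:
    """Return "ok" or the drop reason instead of raising."""
    try:
        gre_decapsulate(packet, expected_key)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    inner = b"\x45\x00constructed inner packet"      # constructed payload, not a real IP packet
    pkt = gre_encapsulate(inner, key=0x2A, checksum=True)
    print(gre_decapsulate(pkt, expected_key=0x2A))
    print("tunnel MTU on a 1500-byte path:", 1500 - gre_overhead(True, True))
```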

8.5 SMAD
SMAD
To enter the SMAD interface, click Service > VPN > SMAD, as shown in Figure8-13.
Figure8-13 SMAD
SMAD blacklist
To enter the SMAD blacklist interface, click Service > VPN > SMAD blacklist, as shown in Figure8-14.
Figure8-14 SMAD blacklist
SMAD log
To enter the SMAD log interface, click Service > VPN > SMAD log, as shown in Figure8-15.
Figure8-15 SMAD log

8.6 SSL VPN
Introduction to the SSL VPN
SSL VPN is the simplest and safest technology for giving remote users access to sensitive company data. Compared with the complicated IPsec VPN, SSL VPN uses a simple method to realize the remote connection. Every computer with a browser can use SSL VPN, because SSL VPN is embedded in the browser, so you do not need to set up client software on every host as with a traditional IPsec VPN.
SSL VPN Basic configuration
To enter the basic configuration interface, choose Service > VPN > SSL VPN, as shown in Figure8-16.
Figure8-16 SSL VPN
Table8-8 describes the configuration items of the SSL VPN.
Table8-8 SSL VPN configuration items
Enable SSL VPN server
Select a digital certificate for the server
Select the CA digital certificate
Select whether to enable the client certificate authentication.
Advanced configuration: User login port number configuration; Allow user to access the interface configuration; Maximum user number; Free authentication configuration; Select whether to allow access to the VPN only.

IP pool configuration
To enter the IP pool configuration interface, choose Service > VPN > SSL VPN > IP pool configuration, as shown in Figure8-17.
Figure8-17 IP pool configuration
Domain configuration
To enter the domain configuration interface, choose Service > VPN > SSL VPN > Domain configuration, as shown in Figure8-18.
Figure8-18 Domain configuration
License management
To enter the license management interface, choose Service > VPN > SSL VPN > License management, as shown in Figure8-19.
Figure8-19 License management
Portals management
To enter the portals management interface, choose Service > VPN > SSL VPN > Portals management, as shown in Figure8-20.

Figure8-20 Portals management
Resources
Resource configuration
To enter the resources interface and configure the IP resource configuration, choose Service > VPN > SSL VPN > Resource, as shown in Figure8-21.
Figure8-21 Resource configuration
Share space
To enter the share space interface, choose Service > VPN > SSL VPN > Share space, as shown in Figure8-22.
Figure8-22 Share space

8.6.4 User management
User management
To enter the share space interface, choose Service > VPN > SSL VPN > Share space, as shown in Figure8-23.
Figure8-23 User configuration
User status
To enter the user status interface, choose Service > VPN > SSL VPN > User status, as shown in Figure8-24.
Figure8-24 User status
Authentication key
To enter the authentication key interface, choose Service > VPN > SSL VPN > Authentication key, as shown in Figure8-25.
Figure8-25 Authentication key

8.6.6 Security policy
Security set
To enter the security set interface, choose Service > VPN > SSL VPN > Security set, as shown in Figure8-26.
Figure8-26 Security set
Security rule
To enter the security rule interface, choose Service > VPN > SSL VPN > Security rule, as shown in Figure8-27.
Figure8-27 Security rule
Security rule group
To enter the security rule group interface, choose Service > VPN > SSL VPN > Security rule group, as shown in Figure8-28.
Figure8-28 Security rule group
Policy configuration
To enter the policy configuration interface, choose Service > VPN > SSL VPN > Policy configuration, as shown in Figure8-29.

Figure8-29 Policy configuration
Log management
Log query
To enter the log query interface, choose Service > VPN > SSL VPN > Log query, as shown in Figure8-30.
Figure8-30 Log query
Log configuration
To enter the log configuration interface, choose Service > VPN > SSL VPN > Log configuration, as shown in Figure8-31.
Figure8-31 Log configuration
Log manage
To enter the log manage interface, choose Service > VPN > SSL VPN > Log manage, as shown in Figure8-32.
Figure8-32 Log manage

8.6.8 Report forms
User stat form
To enter the user stat form interface, choose Service > VPN > SSL VPN > User stat form, as shown in Figure8-33.
Figure8-33 User stat form
Flux stat form
To enter the flux stat form interface, choose Service > VPN > SSL VPN > Flux stat form, as shown in Figure8-34.
Figure8-34 Flux stat form
Statistical offline users
To enter the statistical offline users interface, choose Service > VPN > SSL VPN > Statistical offline users, as shown in Figure8-35.
Figure8-35 Statistical offline users
Online time ranking form
To enter the online time ranking form interface, choose Service > VPN > SSL VPN > Online time ranking form, as shown in Figure8-36.

Figure8-36 Online time ranking form
Resource access form
To enter the resource access form interface, choose Service > VPN > SSL VPN > Resource access form, as shown in Figure8-37.
Figure8-37 Resource access form

Chapter 9 Online Behavior Management
9.1 Introduction to Online Behavior Management
The online behavior management module provides the following features:
Traffic analysis
Behavior analysis
Keyword filtering
To view the online behavior management menu, choose Service > Behavior > Traffic analysis, as shown in Figure9-1.
Figure9-1 Traffic analysis
9.2 Traffic analysis
Traffic analysis
To enter the traffic analysis interface, choose Service > Behavior > Traffic analysis, as shown in Figure9-2.
Figure9-2 Traffic analysis

Table9-1 describes the configuration items of traffic statistics.
Table9-1 Traffic statistic configuration items
Interface traffic statistics: Select whether to enable the interface traffic statistics.
Traffic statistics per IP address: Select whether to enable the traffic statistics per IP address function, and configure the sending interval and the network user group.
Exception web config: Configure the exception website.
9.3 Behavior Analysis
Policy configuration
To enter the policy configuration interface, choose Service > Behavior > Behavior analysis > Policy configuration, as shown in Figure9-3.
Figure9-3 Policy configuration
Table9-2 describes the details of the policy configuration.
Table9-2 Policy configuration
Policy name: Displays the name of the behavior analysis policy.
User/User group: Select a user or a user group for the behavior analysis policy.
Configure audit object: Allows you to select the behavior analysis objects.
Save details: Allows you to select the objects whose details are saved.
Operation: Click the copy icon to copy a behavior analysis rule. Click the delete icon to delete a behavior analysis rule.
To create a behavior analysis policy:
Enter a name for the behavior analysis policy.

Select a user or a user group for the behavior analysis policy.
In the save details column, select one or several items of the behavior analysis policy.
After you finish the above steps, click the Ok button in the upper right corner.
Advanced configuration
To enter the advanced configuration interface, choose Service > Behavior > Behavior analysis > Advanced configuration, as shown in Figure9-4.
Figure9-4 Advanced configuration
Keyword Filtering
Keyword Filtering
To enter the keyword filtering interface, choose Service > Behavior > Keyword filtering, as shown in Figure9-5.

Figure9-5 Keyword filtering
Table9-3 describes the configuration items of the keyword filtering function.
Table9-3 Keyword filtering configuration items
Name: Enter a name for the keyword filtering rule.
Action: Select an action for the keyword filtering rule, including warning or block.
Operation: Click the copy icon to copy an entry of the keyword filtering rule. Click the delete icon to delete an entry of the keyword filtering rule.
To create a keyword filtering rule, take the following steps:
Enable the keyword filtering function.
Enter a name for the keyword filtering rule.
Select an action for the rule.
Click the Ok button in the upper right corner on the webpage.
Latest Log
To enter the keyword filtering interface, choose Service > Behavior > Keyword filtering, as shown in Figure9-6.

Figure9-6 Keyword filtering
Table9-4 describes the configuration items of the keyword filtering function.
Table9-4 Keyword filtering configuration items
Name: Enter a name for the keyword filtering rule.
Action: Select an action for the keyword filtering rule, including warning or block.
Operation: Click the copy icon to copy an entry of the keyword filtering rule. Click the delete icon to delete an entry of the keyword filtering rule.
To create a keyword filtering rule, take the following steps:
Enable the keyword filtering function.
Enter a name for the keyword filtering rule.
Select an action for the rule.
Click the Ok button in the upper right corner on the webpage.

Chapter 10 Portal Authentication
10.1 Introduction to the Portal Authentication
Portal authentication provides several authentication mechanisms, which allow users to authenticate with their user name and password before accessing the Internet. The module includes:
Authentication Config
Web Auth Notice
Behavior Listen
Proscenium Management
Terminal Management
Online User
Local User
To view the user authentication menu, choose Service > User authentication, as shown in Figure10-1.
Figure10-1 Security center
Authentication Config
Basic authentication
To enter the user authentication interface, choose Service > User authentication > Basic authentication, as shown in Figure10-2.
Figure10-2 Basic authentication configuration items

Table10-1 describes the configuration items of the basic authentication.
Table10-1 Basic authentication configuration items description
Web auth: Allows you to enable or disable the web auth function.
Terminal auth: Allows you to enable or disable the terminal auth function.
Avoid auth IP: Allows you to set the free authentication IP address.
User group: Allows you to select a user group.
Auth mode: Allows you to select and configure the authentication mode.
Unique authentication: Allows you to select whether to enable the unique authentication function.
User aging time: Allows you to set the user aging time.
Quick offline: Allows you to select whether to enable the quick offline function.
Webauth Configuration
To enter the webauth configuration interface, choose Service > User authentication > Webauth configuration, as shown in Figure10-3.

Figure10-3 Webauth configuration
Table10-2 describes the configuration items of the webauth configuration.
Table10-2 Webauth configuration items
NAT traverse configuration: Allows you to configure the NAT traversal configuration, including the authenticated protocol configuration and the authentication policy configuration.
Login state: Allows you to select whether to show the login state window.
Notice: Allows you to select the no notice, web auth notice or URL address option for web authentication.
Enable proxy authentication: Allows you to use a proxy server to authenticate web users and to configure the proxy server IP address.
HTTP/HTTPS: Allows you to enable the authenticate HTTP/HTTPS configuration.
Using USB key: Allows you to enable the USB key authentication function (importing the certificate and the corresponding CA, and rebooting, are required for it to take effect).
Temporary user login: Allows you to enable the temporary user login function.
Tem background photo: Allows you to select the background image.
Login interface image: Allows you to select the login interface image.
Get MAC: Allows you to enable the get MAC function, so that the MAC address is obtained through SNMP.

TAC configuration
To enter the TAC configuration interface, choose Service > User authentication > Webauth configuration > TAC configuration, as shown in Figure10-4.
Figure10-4 TAC configuration
Table10-3 describes the configuration items of TAC.
Table10-3 TAC configuration items
Management server IP address: Configure an IP address for the management server.
Client download URL: Type the client download URL for the TAC configuration.
MAC match: Select whether to enable the MAC match function.
Aged by traffic: Select whether to enable the aged by traffic function.
User group: Select a user group for the TAC configuration.
Customer Configuration
To enter the customer configuration interface, choose Service > User authentication > Webauth configuration > Customer configuration, as shown in Figure10-5.

Figure10-5 Customer configuration
Table10-4 describes the configuration items of the customer configuration.
Table10-4 Customer configuration
Login page: Select an option for the specific page the login page skips to: Default, or upload the return page URL address.
Customize web authentication interface: Allows you to customize the web authentication interface.
Web Authentication Notice
To enter the web authentication notice interface, choose Service > User authentication > Web authentication notice, as shown in Figure10-6.
Figure10-6 Web authentication notice

Table10-5 describes the configuration items of the web listen.
Table10-5 Web listen configuration items
Serial number: Displays the sequence number of the web auth notice.
Title: Configure the title of the notice.
Content: Configure the notice content.
Operation: Click the copy icon to copy an entry of the notice. Click the delete icon to delete an entry of the notice.
Web Listen
If the web authentication function is not enabled, you can enable the web listen function for user authentication.
To enter the web listen interface, choose Service > User authentication > Web listen, as shown in Figure10-7.
Figure10-7 Web listen
Proscenium Management
To enter the proscenium management interface, choose Service > User authentication > Portal authentication, as shown in Figure10-8.
Figure10-8 Proscenium management
Table10-6 describes the configuration items of the proscenium management.

Table10-6 Proscenium management
Proscenium administrator: Configure the user name for the proscenium administrator.
Password: Configure the password for the proscenium administrator.
Access address of proscenium: Configure the device bridge interface IP address or WAN interface address.
E-mail address (addressee): Configure the e-mail address of the mail receiver (addressee).
Operation: You can copy or delete the proscenium administrator configuration by clicking the copy icon or the delete icon. Click the corresponding icon to send an e-mail to the specific proscenium administrator.
To configure the proscenium management configuration, take the following steps:
In the operation column, click the copy icon.
Configure the proscenium administrator.
Configure the proscenium administrator's password.
Configure the access address of the proscenium, which is the WAN interface address or the bridge address of the device.
After you finish the above steps, click the Ok button in the upper right corner on the webpage.
After you have configured the proscenium configuration, click the send button so that the proscenium administrator receives an e-mail which contains the user name, password and URL.
When you log into the online management interface, you can create user information, as shown in Figure10-9.
Figure10-9 Online management for the hotel user
Table10-7 describes the configuration items of the hotel user online management.
Table10-7 Hotel user online management
User name: Displays the user name of the online user.
Password: Configure the password of the online user.

Room number of the user: Room number of the user.
Real name of the user: Real name of the user.
Identification card: Configure the identification card number of the user.
Operation: Allows you to modify, add or delete an administrator.

To configure the hotel user online management, take the following steps:
1. In the operation column, click the copy icon.
2. Configure the user name for the hotel user.
3. Configure the password for the hotel user.
4. Configure the room number for the hotel user.
5. Configure the real name for the hotel user.
6. Configure the identification number of the hotel user.
7. After you finish the above steps, click the Ok button in the upper right corner of the webpage.

Terminal Management

Microsoft Patch Management

To enter the Microsoft update interface, choose Service > User authentication > Portal authentication > Terminal > Microsoft update, as shown in Figure10-10.

Figure10-10 Terminal management

Table10-8 describes the details of the Microsoft patch management.

Table10-8 Microsoft patch management
Remind management: Click the Enable option to enable the remind management function. Click the Disable option to disable the remind management function.

Remind check level: Select the remind check level.
Remind install: Configure the remind install mode, including not install, forcible install and remind install.

USB Data Leakage Monitor

To enter the USB leakage monitor interface, choose Service > User authentication > Portal authentication > Terminal > USB data leakage monitor, as shown in Figure10-11.

Figure10-11 USB data leakage monitor

Table10-9 describes the configuration items of the USB data leakage monitor.

Table10-9 USB data leakage monitor
USB data leakage monitor: Click the Enable option to enable the USB data leakage monitor function. Click the Disable option to disable the USB data leakage monitor function.
USB log audit: Allows you to query or export the USB data monitor audit log.

Terminal Configuration

To enter the terminal configuration interface, choose Service > User authentication > Portal authentication > Terminal > Terminal configuration, as shown in Figure10-12.

Figure10-12 Terminal configuration

Table10-10 describes the configuration items of the terminal configuration.

Table10-10 Terminal configuration items
Terminal name: Configure a name for the terminal.
MAC address: Configure the terminal MAC address.
IP address: Configure the terminal IP address.
Physical position of terminal: Configure the physical position of the terminal.
Operation: Click the copy icon to copy an entry of the terminal configuration. Click the delete icon to delete an entry of the terminal configuration.

Online User

After the user is authenticated, the user's authentication information is displayed on the online user interface. To enter the online user interface, choose Service > User authentication > Portal authentication > Online user, as shown in Figure10-13.

Figure10-13 Online user

Table10-11 describes the details of the online user.

Table10-11 Online user
Username: Displays the user name of the authenticated user.
IP: Displays the IP address of the authenticated host.
Enter net time: Displays the time when the authenticated user came online.
Operation: Click the icon to log out an administrator forcibly on the online user page.

Local Account User

Local Account Authentication User

The local account authentication user function authenticates and manages local users. To enter the local authentication user interface, choose Service > User authentication > Portal > Local authentication user, as shown in Figure10-14.

Figure10-14 Local Account Authentication

Table10-12 describes the configuration items of the local account authentication.

Table10-12 Local account authentication
Username: Configure a user name for the local authentication user.
Password: Configure a password for the local authentication user.
Repeat password: Configure the confirm password for the local authentication user.
User account group: Select a user account group for the local authentication user.
Real name group: Select a real name group for the local authentication user.
Status: Select the Normal status or Locked status for the local authentication user.
Description: Configure the description of the local authentication user.
Operation: Click the copy icon to copy an entry of the local authentication user. Click the delete icon to delete an entry of the local authentication user.

To configure a local authentication user:
1. Configure a name for the local authentication user.
2. Configure the password for the local authentication user.

3. Configure the repeat password for the local authentication user.
4. Select the user account group and the real name user group.
5. Configure the description for the local account user.
6. Select Normal status or Locked status for the authentication user.
7. Click the Ok button in the upper right corner of the webpage.

To import or export local authentication users in batch:
1. Click the Browse button and select a file from your local system.
2. Click the Import button.

To query local authentication users in batch:
1. Enter the username or description you want to query.
2. Click the Search button.

Blackname List

To enter the blackname list interface, choose Service > User authentication > Portal > Local authentication user, as shown in Figure10-15.

Figure10-15 Blackname list

Remote Synchronization

Remote synchronization allows you to synchronize the local user authentication information with a remote host running the Unified Management Center software. To enter the remote synchronization interface, choose Service > User authentication > Portal > Remote synchronization, as shown in Figure10-16.

Figure10-16 Remote synchronization

Table10-13 describes the configuration items of the local account authentication.

Table10-13 Local account authentication configuration items
Username: Displays the user name of the local authentication user.
User account group: Displays the user account group of the local authentication user.
Description: Displays the description of the local authentication user.
Select: Allows you to select the local authentication user.

To synchronize with the remote server:
1. Configure the IP address of the UMC server, example: port number 9502.
2. Select the remote user to be synchronized and click the Ok button.

If you want to search for a user, enter the username in the search bar and click the Search button.

Chapter 11 IDS Integration

11.1 Introduction

The firewall device provides an IDS cooperation function so that it can cooperate with an IDS device. The IDS device detects whether attacks exist in network traffic and sends SNMP Trap information carrying blocking information, including the source IP address and destination IP address of the packets, to the firewall device. When the IDS cooperation function is enabled, the firewall receives the SNMP Trap information and generates a blocking entry for the follow-up traffic.

IDS Integration

Display IDS Cooperation Log

To enter the display IDS cooperation log interface, choose Service > IDS integration > Display IDS cooperation log, as shown in Figure11-1.

Figure11-1 Display IDS cooperation log

Table11-1 describes the configuration items of the display IDS integration log.

Table11-1 Display IDS integration log configuration items
Serial number: Displays the serial number of the IDS integration log.
Source IP: Displays the source IP address of the attack event.
Destination IP: Displays the destination IP address of the attack event.
Whether or not bidirectional: Displays the direction of the attack event.
Valid time (Second): Displays the valid time of the IDS integration entry.
Time stamp: Displays the time stamp of the attack event.
Operation: Click the copy icon to copy an entry of the IDS integration log. Click the delete icon to delete an entry of the IDS integration log.

Chapter 12 High Availability

12.1 VRRP

The high availability module provides the following features:
VRRP
Hot standby
Interface synchronization group

To enter the VRRP interface, choose Service > High availability > VRRP, as shown in Figure12-1.

Figure12-1 High availability

Introduction to VRRP Group

During data communication, software and hardware errors may cause network disconnection and data transmission failure. To avoid disconnection of data communication, DPtech FW provides Virtual Router Redundancy Protocol (VRRP) technology as a backup solution when a communication line or device fails, so that data communication continues smoothly and network robustness and availability are enhanced. VRRP enhances the availability of connections between the local network and outside networks and is suitable for local area networks that support multicast and broadcast (such as Ethernet). Several devices form a backup group that serves as the exit gateway of the local network, and the group is transparent to hosts inside the local network. If one FW device in the backup group fails, another device substitutes for it, so the local hosts keep working without any modification, which greatly enhances network communication availability.

To enter the high availability interface, choose Service > High availability > VRRP, as shown in Figure12-2.

Figure12-2 VRRP configuration

Table12-1 describes the configuration items of VRRP.

Table12-1 VRRP configuration items
VRID: Virtual router identification. A virtual router consists of a group of routers with the same VRID.
Virtual IP: Virtual router IP address. A virtual router has one or several IP addresses.
Interface: Configure the VRRP backup group interface, example: eth0_7.
Authentication mode: Select an authentication method: None, simple text or MD5.
  None authentication: No authentication is performed for any VRRP packet, so there is no security guarantee.
  Simple text authentication: You can adopt simple text authentication in a network facing possible security problems. A router sending a VRRP packet fills an authentication key into the packet, and the router receiving the packet compares its local authentication key with the one in the received packet. If the two authentication keys are the same, the received VRRP packet is considered valid; otherwise, the received packet is considered invalid.
  MD5 authentication: You can adopt MD5 authentication in a network facing severe security problems. The router encrypts a VRRP packet to be sent using the authentication key and the MD5 algorithm and saves the result in the authentication header. The router receiving the packet uses the authentication key to decrypt the packet and checks the validity of the packet.
Advanced configuration:
  1. Configure election parameters:
     Priority: VRRP determines the role (master or backup) of each router in a virtual router by priority.
     Hello interval: Configure the Hello packet time interval.
     Non-preemptive mode: A backup working in non-preemptive mode remains a backup as long as the master does not fail. The backup will not become the master even if it is configured with a higher priority.
     Preemptive mode: When a backup working in preemptive mode receives a VRRP advertisement, it compares the priority in the packet with its own. If its priority is higher than that of the master, it preempts the master role; otherwise, it remains a backup.
  2. Configure tracking interface.
  3. Configure monitor IP.
Status: Displays the relationship of master and server.
Operation: Click the Add button or the delete button to add or delete an entry of the VRRP configuration.

To configure VRRP, take the following steps:
1. Configure the backup group ID number, in the range 0 to 255, example: 1.
2. Configure the virtual IP address for the backup group.
3. Select the backup group interface, example: eth0_7.
4. Select an authentication method: none, text or MD5.
5. In the advanced configuration column, configure the master election priority, announcement packet sending interval, master preempt mode and master preempt delay, example: master election priority 20, announcement packet interval 1s, master preempt mode: preempt, master preempt delay: 0s.
6. After you finish the above steps, click the Confirm button in the upper right corner of the webpage.

Note: The backup group ID number must be the same on every member of the same backup group.

Click the delete icon to delete an entry of the VRRP configuration. Click the copy icon to copy an entry of the VRRP configuration.

Monitor IP Address Object

To enter the monitor IP address object interface, choose Service > High availability > VRRP, as shown in Figure12-3.

Figure12-3 Monitoring

Table12-2 describes the configuration items of the monitor IP address object.

Table12-2 Monitor IP address object configuration items
Name: Displays the monitor IP address object name.
Monitor IP: Displays the monitor IP address.
Monitor interval (second): Displays the monitor interval.
Current status: Displays the current status of the monitor IP address.
Operation: Add or delete an entry of the monitor IP address object.

Monitoring

To enter the monitoring interface, choose Service > High availability > Monitoring, as shown in Figure12-4.

Figure12-4 Monitoring

BFD Option

To protect key applications, a network is usually designed with redundant backup links. Devices need to detect communication failures quickly and restore communication through the backup links as soon as possible. On some links, such as POS links, devices detect link failures by sending hardware detection signals. However, other links, such as Ethernet links, provide no hardware detection mechanism. In that case, devices can use the hello mechanism of a protocol for failure detection, which has a failure detection time of more than one second. Such a detection time is too slow for some applications. Some routing protocols, such as OSPF and IS-IS, provide a fast hello mechanism for failure detection, but this mechanism has a failure detection time of at least one second and is protocol-dependent.

To enter the BFD option interface, choose Service > High availability > VRRP > BFD option, as shown in Figure12-5.

Figure12-5 BFD option
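As an added example that is not part of the DPtech guide, the following Python model applies the VRRP election rules described in Table12-1 above (priority, hello interval, preemptive versus non-preemptive mode) to one router of a backup group, including the failover that happens when the master stops advertising. The three-hello-interval master-down timeout (RFC 3768's Master_Down_Interval without the skew term), the ignoring of advertisements from another VRID, and all class and field names are assumptions of this example.

```python
"""Added example, not DPtech code: role decisions of one VRRP router.
The master-down timeout of 3 x hello interval is an assumption taken from
RFC 3768 (skew time omitted); equal-priority tie-breaking by IP address is
also omitted for brevity."""
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    vrid: int                   # backup group ID, 0..255 in the guide's example
    priority: int               # election priority (Table12-1: Priority)
    hello_interval: float       # seconds between advertisements (Table12-1: Hello interval)
    preempt: bool = True        # True = preemptive mode, False = non-preemptive mode
    role: str = "backup"        # "backup" or "master"
    last_adv_time: float = 0.0  # last time an advertisement from the master was heard

    @property
    def master_down_interval(self) -> float:
        # Assumption: a silent master is declared down after three missed hellos.
        return 3 * self.hello_interval

    def on_advertisement(self, vrid: int, adv_priority: int, now: float) -> str:
        """Process a received VRRP advertisement and return the resulting role."""
        if vrid != self.vrid:
            # Different backup group (the guide's note: IDs must match in a group).
            return self.role
        if self.role == "master":
            # Another router claims master for our group: yield only if it outranks us.
            if adv_priority > self.priority:
                self.role = "backup"
                self.last_adv_time = now
            return self.role
        # We are a backup hearing the current master.
        if self.preempt and self.priority > adv_priority:
            # Preemptive mode: a higher local priority takes over the master role.
            self.role = "master"
        else:
            # Non-preemptive mode (or lower priority): stay backup, master is alive.
            self.last_adv_time = now
        return self.role

    def on_tick(self, now: float) -> str:
        """Periodic timer check: a backup takes over when the master falls silent."""
        if self.role == "backup" and now - self.last_adv_time >= self.master_down_interval:
            self.role = "master"
        return self.role


def simulate_failover(preempt: bool) -> list[str]:
    """Constructed scenario: we have priority 120, the master advertises 100 once at
    t=1.0 and then fails. Returns the role after each event."""
    r = VrrpRouter(vrid=1, priority=120, hello_interval=1.0, preempt=preempt)
    trace = [r.on_advertisement(1, 100, 1.0)]   # master heard
    trace.append(r.on_tick(3.5))                # 2.5 s of silence, below the timeout
    trace.append(r.on_tick(4.0))                # 3.0 s of silence, master declared down
    return trace


if __name__ == "__main__":
    print("non-preemptive:", simulate_failover(preempt=False))  # backup, backup, master
    print("preemptive:    ", simulate_failover(preempt=True))   # master, master, master
```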


More information

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT Table of Contents TABLE OF CONTENTS 1 BACKGROUND 2 WINDOWS SERVER CONFIGURATION STEPS 2 CONFIGURING USER AUTHENTICATION 3 ACTIVE DIRECTORY

More information

Hands-On TCP/IP Networking

Hands-On TCP/IP Networking Hands-On Course Description In this Hands-On TCP/IP course, the student will work on a live TCP/IP network, reinforcing the discussed subject material. TCP/IP is the communications protocol suite on which

More information

Ruijie RG-RSR20-X Multi-Service Router Series Datasheet

Ruijie RG-RSR20-X Multi-Service Router Series Datasheet Ruijie RG-RSR20-X Multi-Service Router Series Datasheet Ruijie Networks Co., Ltd. All Rights Reserved Contents 1 Product Pictures... 2 2 Product Overview... 3 3 Product Features... 4 3.1 Multi-Service

More information

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, , CCNA Cisco Certified Network Associate (200-125) Exam DescrIPtion: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment

More information

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

More information

ES Port Managed Gigabit Switch with 4 SFP ports

ES Port Managed Gigabit Switch with 4 SFP ports ES220-28 28-Port Managed Gigabit Switch with 4 SFP ports Overview With the increasing number of wired and wireless network device, the SOARNEX SOAR series, ES220-28, provides a cost-effective solution

More information

Wireless a CPE User Manual

Wireless a CPE User Manual NOTICE Changes or modifications to the equipment, which are not approved by the party responsible for compliance, could affect the user's authority to operate the equipment. Company has an on-going policy

More information

LSW GP8GC: 24 SFP Gigabit ports, 8 10/100/1000 BASE-T Ethernet ports (Combo) and two

LSW GP8GC: 24 SFP Gigabit ports, 8 10/100/1000 BASE-T Ethernet ports (Combo) and two Data Sheet DPtech LSW5600 Series DPtech LSW5600 Series Switches Product Interview The DPtech LSW5602 Series Switches which are designed for access and aggregation deployment. It is a new-generation line

More information

FGS-2616X L2+ Managed GbE Fiber Switches

FGS-2616X L2+ Managed GbE Fiber Switches FGS-2616X L2+ Managed GbE Fiber Switches FGS-2616XD FGS-2616XA FGS-2616X Overview FGS-2616X series L2+ Managed Switch are next-generation Fiber Switch offering full suite of L2 features and additional

More information

Remote Access MPLS-VPNs

Remote Access MPLS-VPNs First Published: August 12, 2002 Last Updated: May 4, 2009 The feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates

More information

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration

More information

Huawei Enterprise S6700 Series 10G Switches

Huawei Enterprise S6700 Series 10G Switches Huawei Enterprise 2 Product Overview The S6700 series switches (S6700 for short) are next-generation 10G case-shaped switches. It can function as an access switch in an Internet data center (IDC) or a

More information

Datasheet. Intelligent WiFi AP, Router & Hotspot CableFree Gigabit Hotspot Controller & Router. Overview

Datasheet. Intelligent WiFi AP, Router & Hotspot CableFree Gigabit Hotspot Controller & Router. Overview Datasheet Intelligent WiFi AP, Router & Hotspot CableFree Gigabit Hotspot Controller & Router Overview About Wireless Excellence Founded in 1996 and with headquarters in Oxford UK, Wireless Excellence

More information

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP)

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP) BGS-20DSFP4C Managed Fiber Switch 24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP) Key Features L2+ features provide better manageability, security, QOS, and performance IEEE 802.3az

More information

Quidway S5300 Series Gigabit Switches

Quidway S5300 Series Gigabit Switches Quidway S5300 Series Gigabit Switches 1 Quidway S5300 Series Gigabit Switches Quidway S5300 Series Gigabit Switches Product Overview Quidway S5300 series gigabit switches (hereinafter referred to as the

More information

D-Link DSR Series Router

D-Link DSR Series Router D-Link DSR Series Router U s e r M a n u a l Copyright 2010 TeamF1, Inc. All rights reserved Names mentioned are trademarks, registered trademarks or service marks of their respective companies. Part No.:

More information

MANUAL NWAC7000. Wireless Management Platform

MANUAL NWAC7000. Wireless Management Platform MANUAL NWAC7000 Wireless Management Platform Contents Chapter 1 Manual Introduction... 4 Chapter 2:Product Introduction... 4 2.1 Products description... 4 2.2 Products Properties... 4 2.2.1Hardware Property...

More information

Cisco RV110W Wireless-N VPN Firewall

Cisco RV110W Wireless-N VPN Firewall Data Sheet Cisco RV110W Wireless-N VPN Firewall Simple, Secure Connectivity for the Small Office/Home Office Figure 1. Cisco RV110W Wireless-N VPN Firewall The Cisco RV110W Wireless-N VPN Firewall provides

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1152A Product Data Sheet Gigabit Managed Ethernet Switch LGB1110A OVERVIEW The Gigabit Managed Ethernet Switches offer L2 features plus advanced L3 features such as Static Route for Enterprise

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1126A-R2 LGB1152A Product Data Sheet Gigabit Managed Ethernet Switch FEATURES L2+ features make the switch easy to manage, provide robust security, and QoS. Offers a built-in device management

More information

ECS /26/50-Port Layer 2 Gigabit Ethernet Switch and GE PoE Switch. Management Guide.

ECS /26/50-Port Layer 2 Gigabit Ethernet Switch and GE PoE Switch. Management Guide. ECS2000 18/26/50-Port Layer 2 Gigabit Ethernet Switch and GE PoE Switch Management Guide www.edge-core.com MANAGEMENT GUIDE ECS2000-18T GIGABIT ETHERNET SWITCH Layer 2 Gigabit Ethernet Switch with 16

More information

WatchGuard System Manager Fireware Configuration Guide. WatchGuard Fireware Pro v8.1

WatchGuard System Manager Fireware Configuration Guide. WatchGuard Fireware Pro v8.1 WatchGuard System Manager Fireware Configuration Guide WatchGuard Fireware Pro v8.1 Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples

More information

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version ACE Exam Question 1 of 50. Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your

More information

AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [ ]

AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [ ] AT-GS950/10PS Gigabit Ethernet PoE+ Switch AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [1.00.013] 613-001770 Rev A Copyright 2013 Allied Telesis, Inc. All rights reserved. No part of this publication

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Security Command Reference Part number: 5998-6695 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard

More information

GS-1626G Web Smart+ GbE Switch

GS-1626G Web Smart+ GbE Switch GS-1626G Web Smart+ GbE Switch Overview GS-1626G Web Smart+ Managed Switch is a next-generation Ethernet Switch offering powerful L2 features and Layer 3 Static Route that delivers the cost-effectively

More information

DCS CT-POE fully loaded AT PoE Switch Datasheet

DCS CT-POE fully loaded AT PoE Switch Datasheet DCS-3950-28CT-POE fully loaded AT PoE Switch Datasheet DCS-3950-28CT-POE Product Overview DCS-3950-28CT-POE is fully loaded PoE switch for carrier and enterprises. It supports comprehensive QoS, enhanced

More information

ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa

ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa ScreenOS Cookbook Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa O'REILLY 8 Beijing Cambridge Farnham Kbln Paris Sebastopol Taipei Tokyo Credits Preface xiii xv 1. ScreenOS

More information

Exam Topics Cross Reference

Exam Topics Cross Reference Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes

More information

COMMAND LINE CHEAT SHEET

COMMAND LINE CHEAT SHEET BASIC show show show display exit exit / up exit quit run run - - end exit exit all return include match match include formal display-set - - reload request system reboot admin reboot now reboot GENERAL

More information

Router 6000 R17 Training Programs. Catalog of Course Descriptions

Router 6000 R17 Training Programs. Catalog of Course Descriptions Router 6000 R7 Training Programs Catalog of Course Descriptions Catalog of Course Descriptions INTRODUCTION... 3 IP NETWORKING... 4 IP OVERVIEW & FUNDAMENTALS... 8 IP ROUTING OVERVIEW & FUNDAMENTALS...0

More information

Getting Started with CMS

Getting Started with CMS CHAPTER 3 This chapter provides these topics about the Cluster Management Suite (CMS) software: Features, page 3-2 Front Panel View, page 3-5 Topology View, page 3-11 Menus and Toolbar, page 3-16 Interaction

More information

3Com Switch 4800G Series, Version Release Notes. Customer Support. Documentation

3Com Switch 4800G Series, Version Release Notes. Customer Support. Documentation 3Com Series, Version 5.20-2101 Release Notes This document contains information about the 3Com series, software version 5.20, Release 2101. This information is not available in the release documentation.

More information

Next-Generation Firewall Series Datasheet

Next-Generation Firewall Series Datasheet RUIJIE NETWORKS COMPANY LIMITED www.ruijienetworks.com Ruijie 1600 Next-Generation Firewall Series Datasheet Ruijie 1600 Firewall Series is a collection of nextgeneration firewall offering security, routing

More information

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or

More information

Network Performance Analysis System. User Guide

Network Performance Analysis System. User Guide Network Performance Analysis System User Guide Copyrig ht Copyright 2018 Colasoft. All rights reserved. Information in this document is subject to change without notice. No part of this document may be

More information

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract HP 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through

More information

CR1010 Multiservice Router Series

CR1010 Multiservice Router Series Overview Cara Systems CR1010 Series is the next-generation Multiservice Router platform developed by Cara Systems. The router platform has high performance by integrating a 64Bit multi-core processor,

More information

Product features. Applications

Product features. Applications Applications Layer 2+ VLAN static routing application The managed switch features a built-in, robust IPv4/IPv6 Layer 3 traffic static routing protocol to ensure reliable routing between VLANs and network

More information