DPtech WCS7000 Series Wireless Access Controller User Configuration Guide

Transcription

1 DPtech WCS7000 Series Wireless Access Controller User Configuration Guide i

2 Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. and its sale agent, according to where you purchase their products. Hangzhou DPtech Technologies Co., Ltd. Address: 6th floor, zhongcai mansion, 68 tonghelu, Binjiangqu, Hangzhoushi Address code: ii

3 Declaration Copyright 2012 Hangzhou DPtech Technology Co., Ltd. All rights reserved. No Part of the manual can be extracted or copied by any company or individuals without written permission, and can not be transmitted by any means. Owing to product upgrading or other reasons, information in this manual is subject to change. Hangzhou DPtech Technology Co., Ltd. has the right to modify the content in this manual, as it is a user guides, Hangzhou DPtech Technology Co., Ltd. made every effort in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind express or implied. iii

4 Table of Contents CHAPTER 1 PRODUCT OVERVIEW PRODUCT INTRODUCTION WEB MANAGEMENT LOGIN TO THE WEB MANAGEMENT INTERFACE WEB INTERFACE LAYOUT 4 CHAPTER 2 SYSTEM MANAGEMENT INTRODUCTION TO SYSTEM MANAGEMENT DEVICE MANAGEMENT DEVICE INFORMATION DEVICE STATUS DEVICE SETTINGS SNMP CONFIGURATION INTRODUCTION TO SNMP RMON CONFIGURATION INTRODUCTION TO RMON ALARM ENTRY ADMINISTRATOR INTRODUCTION TO ADMINISTRATOR ADMINISTRATOR CONFIGURATION RANGE WEB ACCESS PROTOCOL SETTINGS INTERFACE SERVICE LIMIT REMOTE USER MANAGEMENT CONFIGURATION FILE SOFTWARE VERSION NTP CONFIGURATION 31 CHAPTER 3 NETWORK MANAGEMENT INTRODUCTION TO NETWORK MANAGEMENT INTERFACE MANAGEMENT NETWORK MODE VLAN CONFIGURATION SERVICE INTERFACE CONFIGURATION NETWORK OBJECT SECURITY ZONE IP ADDRESS MAC ADDRESS MAC ADDRESS TABLE MANAGEMENT 39 i

5 3.4 FORWARDING CONFIGURATION FORWARDING CONFIGURATION UNICAST IPV4 ROUTING STATIC ROUTE ROUTING TABLE EQUIVALENT ROUTING RIP OSPF PROTOCOL ARP CONFIGURATION DISPLAY ARP STATIC ARP GRATUITOUS ARP SENDING DNS CONFIGURATION INTRODUCTION TO DNS DNS DHCP CONFIGURATION INTRODUCTION TO DHCP DHCP SERVER DHCP RELAY DHCP IP ADDRESS TABLE DIAGNOSTIC TOOLS 57 CHAPTER 4 AP MANAGEMENT AP CONFIGURATION AP TEMPLATE AP CONFIGURE AP BASIC INFORMATION AP VERSION CONTROL BASIC CONFIGURATION STA MANAGEMENT AC-AP LOG ROGUE AP LOG INFO AP UNUSUAL LOG INFORMATION BLACK NAME MANAGEMENT 67 CHAPTER 5 ADVANCED SERVICE PACKET FILTERING POLICY PACKET FILTERING POLICY PACKET FILTERING POLICY LOG ALG CONFIGURATION IPV6 PACKET FILTERING POLICY NAT INTRODUCTION TO NAT SOURCE NAT 74 ii

6 5.4.3 DESTINATION NAT ONE TO ONE NAT ADDRESS POOL ALG CONFIGURATION NAT_PT BASIC ATTACK PROTECTION BASIC ATTACK PROTECTION BASIC ATTACK LOG QUERY SESSION LIMIT SERVICE LIMIT IPV4 BASIC DDOS DEFEND OBJECT MANAGEMENT CONFIGURATION AND TENDENCY PROTECTION HISTORY IPV6 BASIC DDOS CONFIGURATION AND TENDENCY PROTECTION HISTORY BLACKNAME BLACKNAME BLACKLIST QUERY BLACKNAME LOG QUERY MAC/IP BINDING MAC/IP BINDING AUTO-LEARNING USER MAC BINDING USER/IP BINDING BINDING LOG QUERY SESSION MANAGEMENT SESSION LIST SESSION PARAMETER SESSION MONITORING SESSION LOG CONFIGURATION QOS VIP BANDWIDTH GUARANTEE TRAFFIC CLASSIFICATION CONGESTION AVOIDANCE CONGESTION MANAGEMENT TRAFFIC SHAPING ANTI-ARP-SPOOFING ANTI-ARP-SPOOFING ARP CONFIGURATION 101 CHAPTER 6 LOG MANAGEMENT INTRODUCTION TO LOG MANAGEMENT SYSTEM LOG 103 iii

7 6.2.1 LATEST LOG SYSTEM LOG QUERY SYSTEM LOG FILE OPERATION SYSTEM LOG CONFIGURATION OPERATION LOG LATEST LOG OPERATION LOG QUERY LOG FILE OPERATION OPERATION LOG CONFIGURATION SERVICE LOG SERVICE LOG CONFIGURATION 111 CHAPTER 7 USER AUTHENTICATION PORTAL AUTHENTICATION INTRODUCTION TO PORTAL AUTHENTICATION AUTHENTICATION CONFIG 114 iv

8 List of Figures Figure1-1 WEB management interface... 3 Figure1-2 Deploying of WEB Interface... 5 Figure2-1 System management menu... 7 Figure2-2 Device information... 8 Figure2-3 Device status... 9 Figure2-4 Device information settings Figure2-5 System name settings Figure2-6 System time configuration Figure2-7 Log sending method Figure2-8 VCPU configuration Figure2-9 System threshold Figure2-10 Enabling remote diagnostic Figure2-11 Setting frame gap Figure2-12 System parameter settings Figure2-13 Database clearing Figure2-14 SNMP version configuration Figure2-15 Device information Figure2-16 IP address list Figure2-17 Alarm entry Figure2-18 Statistic entry Figure2-19 Current administrator Figure2-20 Administrator settings Figure2-21 Administrator authentication settings Figure2-22 Logon administrator settings Figure2-23 Configuration range Figure2-24 WEB access protocol settings Figure2-25 Interface service limit Figure2-26 Remote user management Figure2-27 Configuration file management Figure2-28 Software version Figure2-29 NTP Time configuration Figure2-30 NTP client configuration Figure3-1 Network management menu Figure3-2 Network configuration Figure3-3 VLAN interface configuration Figure3-4 VLAN configuration Figure3-5 Service interface configuration Figure3-6 Interface rate limitation alarming Figure3-7 Security zone Figure3-8 Address object Figure3-9 Address object group Figure3-10 Mac address Figure3-11 MAC group Figure3-12 MAC address table management i

9 Figure3-13 Forwarding configuration Figure3-14 configuring static route Figure3-15 Health check Figure3-16 Basic routing table Figure3-17 Displaying detailed routing table Figure3-18 Equivalent routing Figure3-19 Configure RIP Figure3-20 Display RIP state Figure3-21 Configuring OSPF protocol Figure3-22 Displaying OSPF interface information Figure3-23 Displaying OSPF neighbor information Figure3-24 Display ARP Figure3-25 Static ARP Figure3-26 Gratuitous ARP sending Figure3-27 DNS Figure3-28 DHCP Server Figure3-29 DHCP relay Figure3-30 DHCP IP address table Figure3-31 Diagnostic tools Figure3-32 Testing result of Ping command Figure4-1 AP configuration Figure4-2 AP configure Figure4-3 AP basic information Figure4-4 AP version control Figure4-5 Basic configuration Figure4-6 STA display management Figure4-7 Rogue AP Log info Figure4-8 AP Unusual Log information Figure4-9 BLACK NAME Management Figure5-1 Firewall Figure5-2 Packet filtering policy Figure5-3 Configuring action Figure5-4 Packet filtering policy log Figure5-5 Packet filtering match number Figure5-6 Alg configuration Figure5-7 Packet filtering policy Figure5-8 Source NAT Figure5-9 Configuring destination NAT Figure5-10 One to one NAT Figure5-11 Address pool Figure5-12 Alg configuration Figure5-13 IPv6 bound Figure5-14 Basic attack protection Figure5-15 Basic attack log query Figure5-16 Sessions Limit Figure5-17 Service Limit Figure5-18 Defend Object Management ii

10 Figure5-19 Traffic status and monitoring Figure5-20 DDOS defend settings Figure5-21 Protection history Figure5-22 Protection configuration Figure5-23 Traffic Trend Art Figure5-24 Protection history Figure5-25 Blackname configuration Figure5-26 Blackname query Figure5-27 Blacklist log query Figure5-28 MAC/IP Binding Figure5-29 Auto learning Figure5-30 User MAC binding Figure5-31 User/IP binding Figure5-32 binding log query Figure5-33 Session list Figure5-34 Session Parameter Figure5-35 Session Monitoring Figure5-36 Session log configuration Figure5-37 bandwidth guarantee basic set Figure5-38 Traffic classification Figure5-39 Congestion avoidance Figure5-40 Congestion management Figure5-41 Traffic shaping Figure5-42 Anti-ARP-Spoofing Figure5-43 ARP configuration Figure6-1 Log management menu Figure6-2 Latest log Figure6-3 System log query Figure6-4 System log file operation Figure6-5 System log configuration Figure6-6 Latest log Figure6-7 Log query Figure6-8 System log file operation Figure6-9 Operation log configuration Figure6-10 Service log Figure7-1 Security center Figure7-2 Basic authentication Figure7-3 Webauth configuration Figure7-4 TAC configuration Figure7-5 Customer configuration iii

11 List of Tables Table2-1 Device information... 8 Table2-2 Device status... 9 Table2-3 System threshold Table2-4 SNMP version configuration Table2-5 Statistic entry Table2-6 Administrator management feature Table2-7 Current administrator list Table2-8 Administrator settings Table2-9 Administrator authentication method and configuration parameter Table2-10 Logon parameter settings Table2-11 Configuration range Table2-12 WEB access protocol settings Table2-13 Interface service limitation Table2-14 Remote login management Table2-15 Configuration file Table2-16 Software version Table2-17 NTP server mode Table2-18 NTP client mode Table3-1 Address object Table3-2 Address object group Table3-3 MAC group Table3-4 MAC address table Table3-5 Displaying basic routing table Table3-6 Displaying detailed routing table Table3-7 RIP advanced configuration Table3-8 RIP interface configuration Table3-9 OSPF advanced configuration Table3-10 OSPF area configuration Table3-11 OSPF interface configuration Table3-12 Displaying OSPF interface information Table3-13 Displaying OSPF neighbor information Table3-14 Policy-based routing Table3-15 Policy-based routing Table3-16 DHCP server configuration items Table3-17 DHCP host address Table3-18 DHCP relay configuration Table3-19 DHCP IP address table Table4-1 AP basic configuration Table4-2 SSID group configuration Table4-3 SSID configuration Table4-4 Viewing AP Table4-5 AP basic information Table4-6 AP version control i

12 Table4-7 STA display management Table4-8 Black/white list management Table5-1 Packet filtering policy configuration items Table5-2 Configuring action Table5-3 Packet filtering policy log Table5-4 Alg configuration Table5-5 Source NAT configuration Table5-6 Destination NAT configuration Table5-7 One to one NAT configuration Table5-8 Address pool configuration Table5-9 Alg configuration Table5-10 Basic attack protection Table5-11 Basic attack log query Table5-12 Defend Object Management Table5-13 Traffic and status monitoring configuration items Table5-14 DDOS defend settings Table5-15 Protection configuration Table5-16 Blackname configuration Table5-17 Blackname query Table5-18 Blacklist log query Table5-19 MAC/IP binding Table5-20 Switches table Table5-21 Auto learning Table5-22 User/Mac binding Table5-23 User /IP binding Table5-24 binding log query Table5-25 bandwidth guarantee basic set Table5-26 Congestion avoidance Table5-27 Congestion management Table5-28 Anti-ARP-Spoofing Table5-29 ARP configuration Table6-1 Latest log Table6-2 System log searching conditions Table6-3 System log file operation Table6-4 System log configuration items Table6-5 Latest log configuration items Table6-6 Operation log query configuration items Table6-7 Operation log file configuration items Table6-8 Operation log configuration items Table6-9 Service log configuration items Table7-1 Basic authentication configuration items Table7-2 Webauth configuration items Table7-3 TAC configuration items Table7-4 Customer configuration ii

13 Chapter 1 Product Overview 1.1 Product Introduction With information technology quickly changed, Internet technology is developed toward broadband, mobile and intelligent network. Especially the mobile terminal popularization, such as notebook, pad, and intelligence cell phone rapid, makes worldwide WLAN application presenting rapid growth trend. Wireless Local Area Networks (WLAN) is a kind of technology using radio frequency to realize rapid access Ethernet, which is the combinative products in computer network and wireless communication technology with easy deployment, management, extend and maintenance and high mobility features. It fully meet man s need on get rid of the wired constraint, realizing mobile office and wireless online requirement anytime and anywhere series wireless access controller is a new generation products developed by Hangzhou DPtech Technologies Co., Ltd for the telecom operators. It can realize wireless network comprehensive management for FIT AP+AC mode and simply network configuration, realizing network monitoring status and enhance network expandability. Through 7000 series wireless access controller and WAP902n series wireless access point, they provide multiple flexible easy-to-use solution to construct local area wireless network and metropolitan area wireless network for user. In the meanwhile, 7000 series also provides user with a new wireless network safety access solution, which excellent security and compatibility can extremely meet professional user s strict requirement and adequate protected the user s investment. 1.2 WEB Management Login to the WEB management interface This section introduces how to log in to the Web Management Interface: Make sure that the host can communicate with the management port of the. Open an IE browser and access the IP address of the management port using HTTP Type in the username and password in the interface shown in Figure1-1, and click login to access the Web management interface of the device. Figure1-1 WEB management interface 3

14 ! Caution: It is recommended that you should use IE 6.0 or higher. The resolution should be 1024 x 768 or higher. <Backward>, <Forward> and <Refresh> are not supported on the Web management interface. If you use these buttons, the Web page may not be displayed properly. By default, the name of the management port is meth0_0, and the IP address is Both of the default username and the default password are admin. You can use the default username for the first login, but it is strongly recommended that you should change your password. For how to change your password, you can see the Section xxxx. After you logged in, if you don t perform any operations within 5 minutes, the connection will be timeout and go back to the login page. Up to 5 administrators are allowed to log in to the Web management interface at the same time WEB Interface Layout Figure1-2 shows the main page of the Web Management Interface of the device. 4

15 Figure1-2 Deploying of WEB Interface (1)Navigation bar (2)Shortcut area (3)Configuration area Navigation bar: Lists all of the Web management function menus. You can choose the desired function menu, which is shown in the configuration area. Shortcut area: Shows the directory of the current page, as well as the status of the device. This area also provides function buttons, including <Collapse>, <Homepage>, <Restart>, <Help> and <Logout>. Configuration area: Provides an area for configuring and viewing the device. 5

16 Chapter 2 System Management 2.1 Introduction to system management System management provides device and system related management functions, including: Device management SNMP configuration RMON configuration Administrator Configuration file Signature database Software version NTP configuration Virtual system VRF Digital certification Installation package option support Centralized management Select AC > System management from navigation tree, as shown in Figure2-1. 6

17 Figure2-1 System management menu 2.2 Device management Device information Device information module can help user to understand system and device hardware related information, includes system name, system time, system time zone, memory size, external memory information, device serial number, PCB hardware version, software version, factory default management port, CPLD hardware version, Conboot version and power supply. Select AC > System management > Device management > Device information from navigation tree to enter the device information page, as shown in Figure2-2. 7

18 Figure2-2 Device information Table2-1 describes the details of Device Information fields. Table2-1 Device information System name System time System time zone Memory size External memory information Device serial number PCB hardware version Software version Factory default management information CPLD hardware version Conboot version Power supply Displays the name of the system. Displays current time of the system. Displays current time zone of the system. Displays memory capacity of the hardware device. Displays external memory and capacity of the hardware device. Displays the serial number of the hardware device. Displays the version information of hardware PCB. Displays the version information of system software. Displays the name of management interface and its default IP address. Displays the version information of hardware CPLD. Displays the version information of system Conboot basic field. Displays the power of the device. Note: When you login to the Web management interface of 7000 series AC product, you can see the homepage is the Device Information page. 8

19 2.2.2 Device status Device status page displays the health status of the current system, helping user to understand CPU, internal memory, hardware disk, CF card utilization, and fan and power s supply s status and CPU and mainboard temperature. Select AC > System management > Device management > Device status from navigation tree to enter the device status page, as shown in Figure2-3. Figure2-3 Device status Table2-2 describes the details of Device Status Table2-2 Device status CPU usage Displays CPU real-time utilization. If the CPU usage exceeds the threshold, is displayed; otherwise, is displayed. Memory usage Displays memory real-time utilization. If the memory usage exceeds the threshold, is displayed; otherwise, is displayed. Harddisk usage Displays harddisk real-time utilization. If the harddisk usage exceeds the threshold, is displayed; otherwise, is displayed. CF usage Displays CF card real-time utilization. If the CF usage exceeds the threshold, is displayed; otherwise, is displayed. Fan status Displays current fan s status: normal or fail If any fan fails, are displayed; otherwise, are displayed. Power status Displays current power supply s status: normal or fail If any power supply unit (PSU) fails, are displayed; otherwise, are displayed. CPU temperature Displays current temperature of CPU. If the temperature exceeds the threshold, is displayed; otherwise, is displayed. Mainboard Temperature Displays the current temperature of mainboard. If the temperature exceeds the threshold, is displayed; otherwise, is displayed. 9

20 Note: Put your mouse cursor on an indicator, and then you can view the relevant real-time data Device settings Device information settings Device information settings provide system name and system modification for user. User can set system threshold and select whether to enable remote diagnosis function according to requirement. Select AC > System management > Device management >Configuration > Information settings from navigation tree to enter the device information page, as shown infigure2-4. Figure2-4 Device information settings System name function allows user to customize user name to be easily managed. Select AC > System management > Device management > Configuration > Information settings from navigation tree to enter the system name settings page, as shown in Figure2-5. Figure2-5 System name settings To modify system name, you should: Select [Device information settings] Tab and enter the new system name Click Ok button on the upper right corner, new settings will take effect. 10

21 System time feature allows user to define system time and synchronize with current time. Select AC > System management > Device management > Configuration > Device information settings from navigation tree from navigation tree to enter the system time configuration page, as shown in Figure2-3. Figure2-6 System time configuration To modify system time, you should: Select [Device information settings] tab and then select system time and set time and date Click Ok button in the upper right corner on the webpage, new settings will take effect immediately. You can select the Chinese log option or the English log option for the log sending method. Select AC > System management > Device management > Configuration > Information settings from navigation tree to enter the log sending method page, as shown in Figure2-7. Figure2-7 Log sending method The VCPU configuration can configure VCPU number. Select AC > System management > Device management > Configuration >Information settings from navigation tree to enter the VCPU configuration page, as shown in Figure2-8. Figure2-8 VCPU configuration To set the VCPU configuration, you should: Select [Device information settings] tab and configure the VCPU number. Click Ok button in the upper right corner on the webpage, new settings will take effect immediately. System threshold features allows user to configure system hardware utilization and temperature threshold. 11

22 Select AC > System management > Device management > Configuration >Information settings from navigation tree to enter the system threshold page, as shown in Figure2-9. Figure2-9 System threshold Table2-3 describes the details of System threshold. Table2-3 System threshold CPU usage threshold Internal memory usage threshold Hardware usage threshold CPU usage threshold Mainboard usage threshold Configure the CPU usage threshold. Configure the internal memory usage threshold. Configure the hardware usage threshold. Configure the lower limit and upper limit of the CPU temperature threshold. Configure the lower limit and upper limit of the mainboard temperature threshold. To configure the system threshold, you should: Select [Device information settings] tab Type in new threshold in each place Click Ok button in the upper right corner on the webpage, new settings will take effect immediately. Remote diagnosis function allows user to do nonlocal operation for the device, so that it can ensure the network failure effectively solved. Select AC > System management > Device management > Configuration >Information settings from navigation tree to enable remote diagnostic function, as shown in Figure2-10. Figure2-10 Enabling remote diagnostic Setting frame gap function allows user to set the data frame time intervals. 12

23 Select AC > System management > Device management > Configuration > Information settings from navigation tree to enter the setting frame gap page, as shown in Figure2-11. Figure2-11 Setting frame gap! Caution: Please configure the system threshold according to hardware specification and processing capacity, if there is no special requirement, system default should be used. When hardware utilization and CPU, mainboard temperature exceed threshold, the indicator on the device status page will become red, meanwhile, please contact administrator to solve the problem System parameter settings System parameter settings is mainly to configure the fast forwarding, blacklist take effect immediately and packet filtering take effect immediately, ac internal memory specification configuration. Select AC > System management > Device management > Configuration >System Parameter from navigation tree, as shown in Figure2-12. Figure2-12 System parameter settings To configure the system parameter settings, you should: Configure the fast forwarding maximum specification, default is 50. Unit: ten thousand. Configure the IPv6 fast forwarding maximum specification, default is1. Unit: ten thousand. 13

24 Select whether to enable the blacklist take effect immediately function Select packet filtering policy take effect immediately function AC internal memory specification configuration, default is 2. Unit: MB Click Ok button in the upper right corner on the webpage Database clearing Database clearing function provides database configuration clearing function. After the database is cleared, the system will reboot the device. Select AC > System management > Device management > Configuration > Clear Database from navigation tree to enter the database clearing page, as shown in Figure2-13. Figure2-13 Database clearing 2.3 SNMP Configuration Introduction to SNMP Simple Network Management Protocol (SNMP) is a communication rule between NMS and Agent device, which defines a series of information, method and grammar, realizing NMS device s access and management for the Agent device. SNMP features the following advantages: Automatic network management: Network administrator can utilize SNMP platform on the network node retrieving information, modifying information and discovering failure and completing failure diagnose, planning capacity and generating report. Minimizing physical difference between vendors: It can realize automatic management for different products of different vendors. SNMP only provides the basic function set, making management task and managed device physical feature and the lower networking technology relatively independent, so that it realizes the device management from different factory, especially in the small, rapid and low cost environment. An SNMP enabled network comprises Network Management Station (NMS), Agent and MIB. NMS manages an SNMP-enabled network. It uses SNMP to manage and monitor the network devices in the network. NMS can be a server that manages the network or an application performing management function on a device. NMS can send a request to an agent to query or modify one or more variables. At the same time, NMS can receive traps sent by the agent to obtain the status of the managed device. 14

25 As an application module that resides in a network device, an agent maintains the information of the managed devices, responds to NMS requests, and sends the data to the NMS. Upon receiving an NMS request, an agent completes the querying or modification operations, and sends the result to the NMS. Meanwhile, if the device fails or other events occur, the agent will send unsolicited traps to the NMS to notify it of the status changes of the device SNMP version configuration Currently, SNMP includes three versions: SNMPv1, SNMPv2c and SNMPv3. SNMPv1 is the first version of the SNMP protocol, providing a minimum network management function. The Structure of Management Information (SMI) and MIB of SNMPv1 are rather simple and have many security defects. SNMPv1 uses community name for authentication. A community name plays a similar role as a password and can be used to control access from NMS to Agent. SNMP packets with community names that do not pass the authentication on the device are simply discarded. SNMPv2c also uses community name for authentication. Compatible with SNMPv1, it extends the functions of SNMPv1. SNMPv2c provides more operation modes such as GetBulk; it supports more data types such as Counter32; and it provides various error codes, thus being able to distinguish errors in more detail. By adopting User-based Security Model (USM) and View-based Access Control (VACM) technologies, SNMPv3 enhances security. USM offers authentication and privacy functions; while VACM controls users access to specific MIBs. Select AC > System management > SNMP from navigation tree to enter the SNMP version configuration page, as shown in Figure2-14. Figure2-14 SNMP version configuration Table2-4 describes the details of the SNMP version configuration. Table2-4 SNMP version configuration SNMP v1/v2 It is the SNMP version number, adopting community authentication. 15

26 SNMP v3 None: means version 3 is not authenticated and not encrypted group. MD5:None (version 3 is not authenticated and not encrypted group or it authenticated but it isn`t encrypted group) DES(All of the version 3 group) SHA:None(version 3 is not authenticated and not encrypted group or it authenticated but it isn`t encrypted group) DES(All of the version 3 group) Note: For the SNMP v1, SNMP v2c, it related to add a new community name. For the SNMPv3, it only adds a new group user for the SNMP version. Only if you select the SNMP v3 mode, authentication protocol can be selected. For the authentication password, if you don t select None option, you can enter the authentication password. For the encryption algorithm, if you don t select None option, you can enter the authentication password. To configure SNMP version configuration, you should: Select [SNMP configuration] tab Select SNMP version number In parameter setting column, you should enter community string Click Ok button in the upper right corner, new configuration will take effect immediately Device information Device information provides configuring device information function for users. Select AC > System management > SNMP from navigation tree to enter the device information page, as shown in Figure2-15. Figure2-15 Device information To configure the device information, you should: Select [SNMP configuration] tab 16

27 Configure the device information, contact information, Trap destination host relevant parameter. Click Ok button in the upper right corner on the webpage, new configuration will take effect immediately IP address list IP address list can allow user to define the specific administrator to have the MIB access permission. Select AC > System management > SNMP from navigation tree to enter the IP address list page, as shown in Figure2-16. Figure2-16 IP address list To configure the IP address list, you should: Select [SNMP configuration] tab In the right input box, you should configure the management administrator IP address and select subnet mask. Click Add button to add the IP address into the left box. Click Ok button in the upper right corner on the webpage, IP address list will take effect immediately. 2.4 RMON Configuration Introduction to RMON Remote Monitoring (RMON) realization is completely based on SNMP system structure, it is compatible with the existing SNMP frame and it doesn t modify the protocol. RMON made SNMP more effective, proactive to monitor the remote network device, providing effective method for monitoring subnet operation. RMON can reduce network management station and agent communication traffic, achieving simple and effective managed large scale interconnection network Alarm entry Alarm entry Alarm entry is the agent device can monitor the designated variable value. When it reaches the alarm threshold, it automatically records log and send the management device Trap information. Select AC > System management > RMON configuration > Alarm entry from navigation tree to enter Alarm entry page, as shown in Figure

28 Figure2-17 Alarm entry Statistic entry Statistic entry provides user with the RMON data monitoring statistical table, so that user can understand the current network performance. Select AC > System management > RMON configuration > Alarm > Statistic entry from navigation tree to enter the statistic entry page, as shown in Figure2-18. Figure2-18 Statistic entry Table2-5 describes the details of the statistic entry. Table2-5 Statistic entry Statistic table Packet loss event Number of bytes Packet number Broadcast packet Multicast packet CRC alignment errors Undersize packets Oversize packets Fragments Jabbers Displays the interface name of the statistic table. Displays the event number of network packet loss. Displays the number of bytes of the current network traffic. Displays the packet number of the current network transmission. Displays the broadcast packet number of the current network traffic. Displays the multicast packet number of the current traffic. Displays the CRC alignment error packet number of the current network traffic. Displays the undersize packets number of the current network traffic. Displays the oversize packets number of the current network traffic. Displays the fragment number of the current network traffic. Displays the Jabber number of the current network traffic. 18

29 Collisions Receiving packet partition statistic (length) Displays the collision number of the current network traffic. Displays the receiving packet partition statistic, according to the packet length to statistic. 2.5 Administrator Introduction to administrator The Administrator feature provides user for adding, modifying, deleting administrator. User can log into web management interface according to different permission, different authentication method, and different Web access protocol and port. Table2-6 describes the details of the administrator feature. Table2-6 Administrator management feature Current administrator Administrator settings Displays a list of the administrators who have logged into web management interface. Current administrator can kick out other administrator. You can add or delete an administrator, and modify the password of an administrator, and the permission of an administrator who isn t login to the device, and modify the status of an administrator except the administrator itself. Administrator settings authentication You can configure the login authentication parameter, including local authentication, Radius authentication and Tac Plus authentication. Logon parameter settings You can configure the Logon parameter, including timeout time, login lock times and unlock time Administrator Current administrator Current administrator lists the administrators who have logged into device. Select AC > System management > Administrator > Administrator from navigation tree to enter the current administrator page, as shown in Figure

30 Figure2-19 Current administrator Table2-7 describes the details of current administrator list. Table2-7 Current administrator list Administrator Logon time Last access time Logon address Displays the name of the administrator who has logged into the device. Displays the specific time of the administrator who has logged into the device. Displays the last time of the administrator did operation on the Web. Displays the host IP address of the administrator who has logged into the device. Operation Click kick out icon that a logged in administrator can be quitted forcedly Administrator settings Administrator settings allow user to create, modify and delete an administrator. Select AC > System management > Administrator > Administrator from navigation tree to enter the administrator settings page, as shown in Figure2-20. Figure2-20 Administrator settings Table2-8 describes the details of administrator settings list. Table2-8 Administrator settings Administrator Create a name for the administrator in the system. It consists of letters, digitals and special characters. _ -, must begin with letter or digital and the length should be 3 to 20 characters. Password Create a password 20

31 It consists of letters, digitals, which allow you to use the special characters such as ()-+= []:;/_, and the length should be 3 to 128 characters. Confirm password System will prompt you the password you entered is not consist with the confirm password when you submit it to the system. Configure the description for the administrator It consists of letters, digitals and space and special characters._ - and the length should be 0 to 40 characters. Virtual system Configure the administrator to which virtual system belongs. Default is Public System Configuration range Set the configuration range for the administrator You should use it combine with the settings in the configuration range. Configuration permission Set the configuration permission for the administrator Configuration permission has 5 levels, 1 to 5; the minimum number has the highest privilege. Advanced configuration Configure the IP address of the administrator which has logged in to the device. You can set an IP address or IP segment for the administrator. Status Configure the status of the administrator, including lock and normal Lock: Means the administrator has been locked, which cannot login to the Web management interface. Normal: means the administrator is unlocked, which can login to the Web management interface normally. Operation Click delete icon that you can delete the administrator in the administrator settings list. To add an administrator, you should. Click add icon In the new line of the administrator list, you should type in the name, password and confirmed password for the administrator. Select the configuration range and permission for the administrator. Click Ok button in the upper right corner. To modify an administrator, you should: Make sure that the administrator should be modified. 21

32 If you want to modify administrator s password, move your mouse to the password, and then the mouse pointer becomes the pencil icon and then click your mouse left button to modify the password. Make sure that the confirm password should consist with the modified password. Click Ok button in the upper right corner on the webpage. If you want to modify other properties of the administrator, such as description, permission and status you should repeat the above steps. To delete an administrator, you should: Make sure the administrator to be deleted. Click delete icon of the administrator Click Ok button in the upper right corner on the webpage.! Caution: Default password can t be used when you add an administrator. You should create the password corresponding to the rule. You cannot lock an administrator when you add an administrator. Normal is default status. If you want to lock an administrator, you should change its status after you have created it successfully. The system will prompt you when you delete an administrator, please use it carefully Administrator authentication settings Administrator authentication settings allow user to set the authentication method for user logging to the Web management interface, including local authentication, Radius authentication, Tac Plus authentication and LDAP authentication. Select AC > System management > Administrator > Administrator from navigation tree to enter the administrator authentication settings page, as shown in Figure

33 Figure2-21 Administrator authentication settings Table2-9 describes the details of the administrator authentication method and configuration parameter. Table2-9 Administrator authentication method and configuration parameter Local authentication Radius authentication Tac Plus authentication LDAP authentication To authenticate the username and password of the administrator through the device. To authenticate the username and password of the administrator through Radius server: Server address Authentication port number Shared key Authentication packet timeout time Authentication packet retransmission time Radius authentication user to which user group belongs To authenticate the username and password of the administrator through Tac Plus server, parameters as follows: Server address Server To authenticate the username and password of the administrator through LDAP server, parameters as follows: LDAP server version LDAP server IP address LDAP server port number Username property name Base DN Administrator DN 23

34 Administrator password Logon administrator settings You can set several login parameters about web security, including timeout time, login locked times and unlock time after locked and the password strength. Select AC > System management > Administrator > Administrator from navigation tree to enter the logon administrator settings page, as shown in Figure2-22. Figure2-22 Logon administrator settings Table2-10 describes the details of the logon parameter settings. Table2-10 Logon parameter settings Timeout time settings Configure the timeout time for the current administrator If the administrator didn t perform any operations in that time, the system will quit the administrator forcedly. Login locked times Unlocked time after locked The administrator will be locked if you type in error password for several times. Configure the locked time for the administrator. Lock: means the administrator locked time is the designated locked time and the administrator will be unlocked when the time is finished. Permanent lock: once an administrator has locked, the administrator can t unlock automatically. It only can be unlocked by the administrator with system configuration permission in the administrator settings list can modify user unlock time. Password strength Configure the password strength for the administrator, including high, medium and low. 24

35 ! Caution: If an administrator has locked and no matter you entered is correct when you login again, the system will prompt you user has been lock, please try again later! Password strengthen should be 7 to 128 characters without username; It must contains letters, digitals and special characters Configuration range User can select different access permission to login to the Web management interface and also can customize access permission. Select AC > System management > Administrator > Administrator from navigation tree to enter the configuration range page, as shown in Figure2-23. Figure2-23 Configuration range Table2-11 describes the details the configuration range. Table2-11 Configuration range Super System configuration Business configuration Log configuration Customize permission Administrator can access to the web management interface, which can configure all modules. Administrator can access to the web management interface, which can configure system management and network management module, without the management function expect system configuration. Administrator can access to the web management interface, which can configure IPS, anti-virus, access control, audit analysis, Web application firewall, DDOS protection, comprehensive defense module, without configuration permission except business configuration. Administrator can access to the web management interface, which can view service log, system log, operation log, comprehensive defense log, without configuration permission except log management Administrator can access to the web management interface and customize access permission as requirement WEB access protocol settings Web access protocol feature allows user to configure by using of what protocol and port number the administrator used to access web management interface. 25

36 Select AC > System management > Administrator > Web access protocol from navigation tree to enter the web access protocol settings page, as shown in Figure2-24. Figure2-24 WEB access protocol settings Table2-12 describes the details of web access protocol settings. Table2-12 WEB access protocol settings HTTP protocol Allows you to enable HTTP protocol and configure the port number. HTTPS configuration protocol Allows you to enable HTTPS protocol and configure the port number. To enhance security, you can enable the administrator certificate authentication if you configured digital certification. Concurrent connections IP address list Allows you to configure the concurrent connections. Allows you to configure the address range for accessing web management interface and select local log sending function Interface service limit Interface service limit is to limit access protocol of all interface, including https, http, telnet, ssh, ping. Select AC > System management > Administrator > Interface service from navigation tree, as shown in Figure

37 Figure2-25 Interface service limit Table2-13 describes the details of the interface service limitation. Table2-13 Interface service limitation Interface name Limit service Operation Allows you to select an interface to be limited. Allows you to select which kind of protocol to be limited. Allows you to add and delete the interface service limit rule Remote user management Remote user management feature allows user to set the login method of remote user and configure the maximum number of remote login user. Select AC > System management > Administrator > Remote user from navigation tree to enter the remote user management page, as shown in Figure2-26. Figure2-26 Remote user management Table2-14 describes the details of the remote login management. Table2-14 Remote login management Client IP Client port Login type Client login time Displays the remote login user IP address. Displays the remote login user port number. Displays the client login type, including telnet and ssh Displays the client login time 27

38 Last operation time Displays the user last operation time Operation Click icon that you can quit an administrator forcedly.! Caution: User can enable the telnet and ssh remote login method at the same time, but only one kind can be used. 2.6 Configuration file Configuration file module provides user with saving system configuration to the disk function. Through this, if many devices deploy in the network with the same configuration, user can configure one of them and export configuration to the local disk and then import it from local disk for other device, so that it can avoid user to repeat configuration. Select AC > System management > Configuration file from navigation tree to enter the configuration file page, as shown in Figure2-27. Figure2-27 Configuration file management Table2-15 describes the details of the configuration file. Table2-15 Configuration file Configuration file Displays the name of the configuration file. Factory default is displayed in the first line. Last saving time Software version of the last saving file Displays the time when the configuration file is saved. Displays the version number of the configuration file saved the last time. 28

39 Operation You can save, export and switch and delete configuration file. Factory default file only can be switched. To create configuration file, you should: Click Create Configuration File button in upper right corner In the new line of configuration file, you should type in configuration file name and click Save icon to save the configuration file. To import the configuration file and apply it, you should: Click Browse button behind the file path and then select a configuration file, click Download configuration file button The downloaded configuration file exists in the configuration file list, and then click switch button to s witch configuration file. And then system prompts you that Reboot after you switched configuration file, continue? Click Ok button. Note: Please refer to the above step to complete other configuration, such as save, export and delete. 2.7 Software version Software version feature provides user with the device software version management and update function Select AC > System management > Software version from navigation tree to enter the software version page, as shown in Figure

40 Figure2-28 Software version Table2-16 describes the details of the software version. Table2-16 Software version Software version name Software version number Current status Displays the name of the in used software version and other software versions. Displays the version number of the software version. Displays the current status of the software version, including in use and other status. Operation You can save or delete all software versions. In used software version is not allowed to delete. Software version for the next reboot File path Download address Select a software version for the next reboot. When the device initiating, the software version will run. Software version download file path. Click Browse button and then select a software version file, and then click Download software version button. Software version downloads address. Select download port and click the Reboot after update option, and then click Online update button. To download a software version, you should: Click Browse button behind file path and then select a software version to be download, and click Download software version button. The downloaded configuration file exists in the list, and then moves your mouse pointer to the software version for the next reboot, then mouse pointer become pencil icon. Click the mouse left button and then select a software version from the drop-down list. Select software version for the next time reboot. Click Ok button after you finished the above configurations. This configuration takes effect after the device rebooted. 30

41 2.8 NTP configuration Network Time Protocol (NTP) is used to synchronize device clock in the network, keeping all devices time synchronization, so that it can provide multiple application based on time synchronization. Select AC > System management > NTP Time configuration from navigation tree to enter the NTP configuration page, as shown in Figure2-29. Figure2-29 NTP Time configuration Table2-17 describes the details of NTP server mode. Table2-17 NTP server mode NTP server address Is it a primary server NTP client segment Subnet mask Operation Configure IP address and domain name for the NTP server. Select whether the server is a primary server. Select NTP client segment and select whether to enable authentication. Select client segment mask. Click copy icon or delete icon that you can copy or delete the NTP server and NTP client. To configure NTP server mode, you should: Select NTP server mode. Configure NTP server address or domain name, and select whether the NTP server is a primary server. Configure NTP client segment and mask. Click Ok button in the upper right corner. NTP client mode configuration 31

42 Figure2-30 NTP client configuration Table2-18 describes the details of NTP client mode. Table2-18 NTP client mode NTP server address Allows you to configure the NTP server IP address and domain name; Select whether to enable authentication. To configure the NTP client mode: Select NTP client mode as NTP configuration. Configure NTP server address or domain name. Select whether to enable the authentication function. Click Ok button in the upper right corner on the webpage. Chapter 3 Network Management 3.1 Introduction to network management Network management provides the device network related management functions, including: Interface management 3G dial-up Network object Forwarding configuration Unicast IPv4 routing Multicast IPv4 routing 32

43 Policy-based routing ICMP MPLS configuration ARP configuration DNS configuration DHCP configuration BFD configuration Diagnostic tools Lan Switch Figure3-1 Network management menu 3.2 Interface management Interface management is used to view and configure network management, VLAN configuration, service interface configuration and logical interface configuration. 33

44 3.2.1 Network mode According to requirement, user configure device interface working mode and select interface type. If you select the layer 2 interface, you should configure Vlan ID number. If you select the layer 3 interface, you should configure the IP address of layer 3. Select AC > Network management > Interface management > Network configuration from navigation tree, as shown in Figure3-2. Figure3-2 Network configuration VLAN configuration VLAN configuration function allows user to configure Vlan ID, which can be applied to network mode the layer 2 interface configuration VLAN interface configuration User can view the enabling status of the configured Vlan ID and configure an IP address for it. 34

45 Select AC > Network management > Interface management > Configure VLAN from navigation tree to enter the VLAN interface configuration page, as shown in Figure3-3. Figure3-3 VLAN interface configuration VLAN configuration VLAN configuration allows user to add or delete VLAN ID in batch and allows user to view the type and include which port. Select AC > Network management > Interface management > VLAN configuration from navigation tree, as shown in Figure3-4. Figure3-4 VLAN configuration Service interface configuration Service interface configuration Service interface configuration allows user to view the working status of the device interfaces and modify the functions of the interfaces. Select AC > Network management > Interface management > Interface configuration from navigation tree, as shown in Figure3-5 35

46 Figure3-5 Service interface configuration Interface rate limitation alarming Select AC > Network management > Interface management > Service interface > Interface Rate Beyond Warming from navigation tree to enter the interface rate limitation alarming, as shown in Figure3-6. Figure3-6 Interface rate limitation alarming 3.3 Network object Security zone Select AC > Network management > Network object > Security zone from navigation tree to enter the security zone page, as shown in Figure3-7. Figure3-7 Security zone IP address IP address function provides user with address object, address object group and address object cluster function, which is to divided inner network address into several groups, and apply them to the extended function, ensuring effective management for the inner network user Address object Select AC > Network management > Network object > IP address > IP address object from navigation tree to enter the address object page, as shown in Figure

47 Figure3-8 Address object Table3-1 describes the details of the address object. Table3-1 Address object Serial number Name Content Policy reference Operation Displays the serial number of the IP user group. Displays the name of IP user group. Displays the IP address segment and exception IP address of the created IP user group. Displays the description of the user group. Displays the policy to be applied on the user group. Click copy or delete icon to copy or delete the user group. To create an address object, you should: Click copy icon of the All users In the new line, you should configure user name and user description Configure IP address and subnet mask and configure the exception IP address of network user group Click Ok button in the upper right corner Address object group Select AC > Network management > Network object > IP address > IP address object group from navigation tree to enter the address object group page, as shown in Figure3-9. Figure3-9 Address object group 37

48 Table3-2 describes the details of the address object group. Table3-2 Address object group Address object Address object group Displays the user group in the address object. Create an IP address object group and add IP address into IP address object group. To create an IP address object group, you should: Click add icon of the IP address object group and enter a name for it. Select an IP address object and drag it to the right box to the IP address object group. Click Ok button in the upper right corner.! Caution: Click Click modify icon to modify IP address object group. delete icon to delete IP address object group MAC address MAC address is to divide inner network user MAC address into several groups MAC address Select AC > Network management > Network object > MAC address from navigation tree to enter the MAC address object, as shown in Figure3-10. Figure3-10 Mac address MAC group Select AC > Network management > Network object > MAC address from navigation tree to enter the MAC address object, as shown in Figure

49 Figure3-11 MAC group Table3-3 describes the details of the MAC group. Table3-3 MAC group MAC address MAC group Displays the created MAC address user group in MAC address object. Create a MAC group and drag MAC address object into MAC group. To create a MAC address group, you should: Click add icon of MAC address group and enter a name Select a MAC address object and drag it to the right box, to the new created MAC address object group Click Ok button in the upper right corner! Caution: Click Click modify icon to modify MAC group name. delete icon to delete MAC group name MAC address table management Select AC > Network management > Network object > MAC address manage from navigation tree to enter the MAC address table management page, as shown in Figure3-12. Figure3-12 MAC address table management Table3-4 describes the details of the MAC address table. 39

50 Table3-4 MAC address table Select a querying item Serial number MAC address VLAN ID Out port Type Configure the querying item to view the MAC address table Serial number of the MAC address table Displays the MAC address to be added. ID of the VLAN to which the MAC address belongs Displays the out port of MAC address. Displays the type of MAC address. 3.4 Forwarding configuration Forwarding configuration Select AC > Network management > Forwarding configuration from navigation tree to enter the forwarding configuration page, as shown in Figure3-13. Figure3-13 Forwarding configuration 3.5 Unicast IPv4 routing Unicast IPv4 route feature allows user to configure IPv4 static route manually and enable dynamic routing such RIP, OSPF and BGP. 40

51 3.5.1 Static route Configuring static route Static route is a kind of special routing configured by the administrator manually. After you configure a static routes, data message will be forwarded to the specify destination as administrator requirement. In a simple network structure, only a static route can realize network intercommunication. To improve network performance, you can properly set routes and use static route, which guarantee the network bandwidth for critical application. Before configuring a static route, you need to know the following concepts: 1) Destination address and mask In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the digits of consecutive 1s in the mask). 2) Output interface and next hop address While configuring a static route, you can specify either the output interface or the next hop address depending on the specific occasion. The next hop address cannot be a local interface IP address; otherwise, the route configuration will not take effect. In fact, all the route entries must have a next hop address. When forwarding a packet, a router first searches the routing table for the route to the destination address of the packet. The system can find the corresponding link layer address and forward the packet only after the next hop address is specified. When specifying the output interface, note that: If the output interface is a Null 0 or loopback interface, there is no need to configure the next hop address. If the output interface is a point-to-point interface, there is no need to configure the next hop address. You need not change the configuration even if the peer s address changes. For example, a PPP interface obtains the peer s IP address through PPP negotiation, so you need only specify the output interface. If the output interface is an NBMA or P2MP interface, which support point-to-multipoint network, the IP address to link layer address mapping must be established. Therefore, it is recommended to configure both the next hop IP address and the output interface. You are not recommended to specify a broadcast interface (such as an Ethernet interface, virtual template, or VLAN interface) as the output interface, because a broadcast interface may have multiple next hops. If you have to do so, you must specify the corresponding next hop for the output interface. 3) Other attributes: You can configure different preferences for different static routes so that route management policies can be applied more flexibly. For example, specifying the same preference for different routes to the same destination enables load sharing, while specifying different preferences for these routes enables route backup. Select AC > Network management > IPv4 unicast routing > Static route from navigation tree to enter the configuring static route page, as shown in Figure

52 Figure3-14 configuring static route To configure static routes in batch, you should: Click Browse button to import static route file from your local computer. Click Ok button Click Export button that you can export all entries of static route to your computer Health check Select AC > Network management >IPv4 unicast routing > Static route > Monitoring from navigation tree to enter the health check page, as shown in Figure3-15. Figure3-15 Health check Routing table Displaying basic routing table Displaying basic routing table function provides user with basic routing table information. According to the All route information or the designated a network segment option, user can query the basic routing table. Select AC > Network management >IPv4 unicast routing > Routing table from navigation tree to enter the routing table page, as shown in Figure3-16. Figure3-16 Basic routing table 42

53 Table3-5 describes the details of displaying basic routing table. Table3-5 Displaying basic routing table Destination network segment Subnet mask Gateway(next hop) Outbound interface View destination network segment IP address. View the subnet mask of destination network segment IP address. View network gateway next hop address. View static route outbound interface Displaying detailed routing table Displaying detailed routing table provides users with the querying detailed routing information. Users can search the routing table as all routes or specific destination segment, protocol, as shown in Figure3-17. Figure3-17 Displaying detailed routing table Table3-6 describes the configuration items of displaying detailed routing table. Table3-6 Displaying detailed routing table. Destination subnet Subnet mask Gateway (Next hop) Outbound interface Status Protocol Priority Allows you to view the destination of the IP address. Allows you to view the subnet mask of the destination. Allows you to view the gateway (next hop) IP address. Allows you to view the static route outbound interface. Allows you to view the static route active state. Allows you to view the protocol of static route, there are five protocols including static, connect, rip, ospf, bgp, guard. Allows you to view the static route priority. 43

54 cost Type Allows you to view the static route cost. Allows you to view the static route type Equivalent routing Equivalent routing (ECMP) is that there are multiple different route paths with the same Cost value exists in the network for the purpose of arriving to the same destination IP address or destination segment. To realize network load balancing, if device supporting equivalent routes, the layer 3 traffic sends to the same destination IP address or network segment can be shared through different paths. When some paths are obstructed, other routes will replace them to forward traffic, which realize route redundant backup function. Select AC > Network management > IPv4 unicast routing > Equal-cost route from navigation tree to enter the equivalent routing page, as shown in Figure3-18. Figure3-18 Equivalent routing RIP Introduction to RIP The Routing Information Protocol (RIP) is a distance-vector routing protocol, which employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process Configuring RIP Select Basic> Network > IPv4 unicast routing > RIP from navigation tree to enter the Configuring RIP page, as shown in Figure3-19. Figure3-19 Configure RIP 44

55 Table3-7 describes the configuration items of RIP advanced configuration. Table3-7 RIP advanced configuration Route priority Router update timer Router aging timer Garbage collection timer Allows you to configure the route priority. Allows you to configure the router update timer. Allows you to configure the router aging timer. Allows you to configure garbage collection timer. Table3-8 describes the configuration items of the RIP interface configuration. Table3-8 RIP interface configuration Interface name Enabling status Authentication information Advanced configuration Displays the name of the interface. Allows you to enable or disable an interface running RIP protocol. Allows you to select RIP authentication information. Allows you to configure the advanced configuration Displaying RIP state Select AC > Network > IPv4 unicast routing > RIP from navigation tree to enter the Displaying RIP state page, as shown in Figure

56 Figure3-20 Display RIP state OSPF protocol Open Shortest Path First (OSPF) is a link state interior gateway protocol developed by the OSPF working group of the Internet Engineering Task Force (IETF). At present, OSPF version 2 (RFC2328) is used. OSPF has the following features: Wide scope: Supports networks of various sizes and up to several hundred routers in an OSPF routing domain. Fast convergence: Transmits updates instantly after network topology changes for routing information synchronization in the AS. Loop-free: Computes routes with the shortest path first (SPF) algorithm according to collected link states, so no route loops are generated. Area partition: Allows an AS to be split into different areas for ease of management and routing information transmitted between areas is summarized to reduce network bandwidth consumption. Equal-cost multi-route: Supports multipleequal-cost routes to a destination. Routing hierarchy: Supports a four-level routing hierarchy that prioritizes routes into intra-area, inter-area, external Type-1, and external Type-2 routes. Authentication: Supports interface-based packet authentication to ensure the security of packet exchange. Multicast: Supports multicasting protocol packets on some types of links Configuring OSPF Select AC> Network management > IPv4 unicast Routing > OSPF > Configure OSPF from navigation tree to enter the configuring OSPF page, as shown in Figure

57 Figure3-21 Configuring OSPF protocol Table3-9 describes the details of the OSPF advanced configuration Table3-9 OSPF advanced configuration Route priority Route device ID NBMA neighbor Introduced route GR capacity settings GR timeout time Configure the route priority of the device. Configure the ID number of the route device. Add or delete NBMA neighbor of the device. Configure the introduce route of the OSPF protocol. Configure the GR capability. Configure the GR timeout time (Default is 60 seconds) To configure OSPF advanced configuration, you should: Click the advanced configuration icon And then configure the route priority Set route device ID number (The auto is the maximum IP address of device interfaces ) Add NBMA neighbor Click the introduced route option Select GR capability settings Enter the GR timeout time (Default is 60 seconds). 47

58 Click Ok button in the upper right corner on the webpage. Table3-10 describes the details of OSPF area configuration Table3-10 OSPF area configuration Area ID Enable interface Advanced configuration Configure the ID number of the area. Configure the interface in the area configuration. Configure the advanced priorities in the area configuration. Operation Click Click copy icon, you can insert one line of the area configuration. delete icon, you can delete the area configuration. To configure OSPF area configuration, you should: Configure area ID number Select an interface for the area configuration Configure the advanced configuration for the area Click Ok button in the upper right corner on the webpage Table3-11 describes the details of the OSPF interface configuration. Table3-11 OSPF interface configuration Interface name Hello interval Dead interval Authentication information Advanced configuration Displays all interface names of the device. Allow you to configure the Hello packet time interval (Default is 10 second). Allows you to configure the Dead time interval that the interface doesn t receive Hello packet (Default is 40 second). Allows you to select authentication mode. Allows you to configure the OSPF advanced configurations. To configure OSPF interface configuration, you should: Configure time interval for the interface sending Hello packet. Configure time interval for the interface sending Dead packet. 48

59 Configure OSPF authentication information for the interface (including None, Test authentication and Md5 authentication) In the advanced configuration, you should select cost value, dr election priority, working mode and interface type for the interface. Click Ok button in the upper right corner on the webpage. Note: After you enable the OSPF option, OSPF function and OSPF advance configuration can be used Displaying OSPF interface information Select AC> Network management > IPv4 unicast routing > OSPF > OSPF interface information from navigation tree to enter the Displaying OSPF interface information page, as shown in Figure3-22. Figure3-22 Displaying OSPF interface information Table3-12 describes the details of the displaying OSPF interface information. Table3-12 Displaying OSPF interface information Querying item Keyword Interface name To which area belongs to Interface status COST DR BDR Neighbor number Allows you to select an item to be queried Interface information that contains keyword. Displays the OSPF interface. Displays the interface to which area belongs. Displays the interface status. Displays the interface COST value. Displays the DR of the interface in the area. Displays the BDR of interface in the area. Displays the neighbor numbers of the interface. To configure the OSPF interface information, you should: 49

60 Select an item to be queried Type in the keyword that you want to query on the OSPF interface information page Click Query button Displaying OSPF neighbor information Select AC> Network management > IPv4 Unicast Routing > OSPF > Displaying OSPF neighbor information from navigation tree to enter the Displaying OSPF neighbor information page, as shown in Figure3-23. Figure3-23 Displaying OSPF neighbor information Table3-13 describes the details of the displaying OSPF neighbor information. Table3-13 Displaying OSPF neighbor information Querying item Keyword Neighbor ID Neighbor IP Priority Neighbor state To which area belongs Interface name DR BDR Dead Time Established time Allows you to select an item to be queried. Interface information that contains keyword. Displays the ID number of the neighbor. Displays the IP address of the neighbor. Displays the priority of the routing protocol. Displays the connection state of the neighbor. Displays the interface to which area belongs. Displays the name of the interface. Displays the DR of the interface in the area. Displays the BDR of interface in the area. Displays the Dead time that the device establish relationship with its neighbor. Displays the time that the device establish relationship with its neighbor. 50

61 To configure the OSPF interface information, you should: Select an item to be queried Enter the keyword to be queried on the OSPF neighbor information page Click Query button 3.6 ARP configuration Address Resolution Protocol (ARP) is to resolve IP address to the Ethernet MAC Address protocol. In local area network, if the host or other network devices sent data to other host or device, it must know the network layer address (IP address) of the receiver. But it is not enough to have an IP address, because IP data packets must be encapsulated into a frame that can be sent through the physical network, so it needs a mapping from IP address to physical address. So that ARP is the protocol which can meet the requirement Display ARP Select AC> Network management >MPLS >ARP > Display ARP from navigation tree to enter the display ARP configuration page, as shown in Figure3-24. Figure3-24 Display ARP Static ARP A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry. Select AC> Network management >MPLS >ARP > Static ARP from navigation tree to enter the display ARP configuration page, as shown in Figure

62 Figure3-25 Static ARP Table3-14 describes the details of policy-based routing. Table3-14 Policy-based routing Serial number IP address MAC address Interface Displays the serial number of static ARP entry. Displays the IP address of the ARP entry. Displays the MAC address of the ARP entry. Displays the interface which receives the ARP packet. Operation Click the copy icon to copy a static ARP entry. Click the delete icon to delete a static ARP entry Gratuitous ARP sending In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. Select AC> Network management>mpls >ARP > Gratuitous ARP from navigation tree to enter the ARP sending page, as shown in Figure3-26. Figure3-26 Gratuitous ARP sending 52

63 3.7 DNS Configuration Introduction to DNS Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses DNS Select AC > Network management>mpls > DNS from navigation tree to enter the DNS configuration, as shown in Figure3-27. Figure3-27 DNS To configure DNS configuration, you should: Enter an IP address for the preferred DNS server IP Enter an IP address for the alternated DNS server IP Click Ok button in the upper right corner on the webpage. Table3-15 describes the details of policy-based routing. Table3-15 Policy-based routing Preferred DNS server IP Alternate DNS server IP Enable DNS proxy Allows you to configure the primary DNS server IP address. Allows you to configure the secondary DNS server IP address. DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. 53

64 3.8 DHCP Configuration Introduction to DHCP Dynamic Host Configuration Protocol (DHCP) is a network protocol for the local network using of UDP protocol. For administrators to use DHCP there are two purposes: the DHCP can automatically allocate IP addresses to the local network and it also can help administrator to central managed computers DHCP server Select AC > Network management>mpls > DHCP server from navigation tree to enter the DHCP server page, as shown in Figure3-28. Figure3-28 DHCP Server Table3-16 describes the configuration items of DHCP server. Table3-16 DHCP server configuration items Interface Address pool Gateway address Agent address DNS server WINS server Region name Select an interface for dynamic allocation. Type an IP address segment for dynamic allocation. Type the gateway addresses for the client. Type the agent address for the client. Type the DNS server addresses for the client. Type the WINS server addresses for the client. Type a region name 54

65 Lease period (minute) Configure the address lease duration for the address pool. Operation Click Click copy icon to copy an entry of DHCP configuration. delete icon to delete an entry of DHCP configuration. Table3-17 describes the configuration items of DHCP host address. Table3-17 DHCP host address Host name MAC address IP address Allows you to configure the name of the host. Allows you to configure the host s MAC address. Allows you to configure the host s IP address. Operation Click Click copy icon to copy an entry of the DHCP host address. delete icon to delete an entry of the DHCP host address. To configure DHCP address pool, you should: Select an interface. In the address pool column, you should configure the starting IP address, the ending IP address and the mask item. Enter DNS server address and WIN server address Enter region name and configure a number for the lease period Click Ok button in the upper right corner on the webpage. To configure DHCP host address, you should: Configure a hostname for the host. Configure MAC address for the host. Configure IP address for the host. Click Ok button in the upper right corner on the webpage DHCP Relay Select AC > Network management >MPLS > DHCP relay from navigation tree to enter the DHCP relay page, as shown in Figure

66 Figure3-29 DHCP relay Table3-18 describes the details of DHCP relay configuration. Table3-18 DHCP relay configuration Interfaces list DHCP servers list Specify an interface which automatically obtain IP address Configure the DHCP server list which allows you to Operations Click the delete icon, and then you can delete the address pool. To configure the DHCP relay configuration, you should Enable DHCP relay agent function In the DHCP relay list column, configure an IP address Click Ok button in the upper right corner on the webpage DHCP IP address table Select AC > Network management>mpls > DHCP>DHCP IP address table from navigation tree to enter the DHCP IP address table page, as shown in Figure3-30. Figure3-30 DHCP IP address table Table3-19 describes the details of DHCP IP address table 56

67 Table3-19 DHCP IP address table Serial number Host name MAC address IP address Lease period Displays the serial number of the host. Displays the hostname Displays the MAC address of the host Displays the IP address of the host Displays the lease period of an IP address. 3.9 Diagnostic tools The diagnostic tool Ping command is used to detect whether a host is alive or detect whether the network is connected. By using of Ping command, users can inspect whether a specific IP address is reachable and test whether network is failure. Select AC > Network management>mpls > Diagnostic tools from navigation tree to enter the Diagnostic tools page, as shown in Figure3-31. Figure3-31 Diagnostic tools To use diagnose tool Ping command, you should: Enter an IP address for the IP address box Click Test button Then you can view the testing result of PING command, as shown in Figure

68 Figure3-32 Testing result of Ping command Chapter 4 AP Management The AP (Access Point) is the wireless the access point. Wireless access point also known as wireless bridge, wireless gateway, which is known as "thin" AP. Transport mechanism of this wireless device is equal to the hub in the wired network, which constantly receive and transmit data in wireless local area network. Any PC equipped with wireless network card can share the resource of wired local area network by AP even in the wide-area network resources. Theoretically, if a wireless AP increased in the network, it can expand its network covering diameter manifold; also it can accommodate many devices in the network. Each wireless AP has an Ethernet interface, which realize wireless and wired network connection. 4.1 AP configuration AP configuration module provide user with AP online initialization plate, single AP settings and online viewing basic AP information, and the unified remote upgrade AP version function AP Template Select AC >AP management > AP configuration from navigation tree to enter the AP configuration page, as shown in Figure

69 Figure4-1 AP configuration Table4-1 describes the details of the AP basic configuration Table4-1 AP basic configuration Radio State Mode Channel Transmit power 11n configuration Wireless configuration Wireless radio frequency: 2G/5G. Allows you to enable or disable the wireless radio function. Select the wireless radio mode, including: 2G: 11b/11bg/11bgn/11gn/11n 5G: 11a/11an/11n Configure the wireless radio channel. Configure the wireless radio transmit power. Configure several parameter of the 11n Includes spatial flow, channel bandwidth, A-MPDU, A-MSDU, packet sending intervals Configure the wireless configuration, including: Fragment threshold byte( , default is 2346) Specifies the maximum length of frames that can be transmitted without fragmentation. Fragmentation means to fragment a large frame into small pieces, with each piece transmitted and acknowledged separately. When the length of a frame exceeds the specified fragment threshold value, it is fragmented. A longer frame is less likely to be successfully 59

70 received. Therefore, in a WLAN where there is high error rate, you can decrease the fragment threshold to increase frame transmission reliability. Beacon interval (time unit , default is 100): interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used for a client to identify nearby APs or network control devices. Request to send (RTS) threshold length. If a frame is larger than this value, the RTS mechanism will be used. RTS is used to avoid data sending collisions in a WLAN. You need to set a rational value: A small value causes RTS packets to be sent more often, thus consuming more of the available bandwidth. However, the more often RTS packets are sent, the quicker the system can recover from interference or collisions. DTIM Period (1-255, default is 1) Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The AP sends buffered broadcast/multicast frames when the DTIM counter reaches 0. Long Retry Threshold (1-15, default is 4) Number of retransmission attempts for frames larger than the RTS threshold. Short Retry Threshold (1-15, default is7) Number of retransmission attempts for frames smaller than the RTS threshold if no acknowledgment is received for it.! Caution: Only if the wireless radio mode contains 11n, you can configure the 11n configuration parameter. Table4-2 SSID group configuration Group name By default is enabled Configure the SSID group name. Allows you to select whether it is AP default configuration, if you select Yes, then the SSID under its group will be added into Default group. Operation Click copy icon to add a new SSID group. Click delete icon to delete an SSID group. Table4-3 describes the configuration item of the SSID configuration. Table4-3 SSID configuration Serial number Displays the serial number of the SSID configuration plate. 60

71 SSID group SSID VLAN ID Security authentication Displays the SSID group configuration. Displays the service set identification code, default is serial number. Allows you to select the SSID to which VLAN belongs. Allows you to configure the security authentication function. Security function includes open authentication, WEP, WPA1 and WPA2. Open authentication: it is the default authentication mechanism, which is also the simplest authentication algorithm, which is no authentication. Authentication settings can be set as open authentication, then all wireless client request authentication will be passed. WEP authentication: set the type, ID number and key WPA1 authentication :set the type, pre-shared key WPA2 authentication : set the type and pre-shared key Radio binding Select the wireless radio mode for the SSID: 2G 5G 2G and 5G Hidden SSID Advanced configuration Allows you to select SSID display or hidden option. QOS option: allows you to enable or disable QOS STA isolation: allows you to enable or disable the STA isolation function Black/white list: if you configure the black list, then MAC address in Black/White list cannot connect. If black list is selected, mac address in Black/ white list cannot connect If white list is selected, mac address in Black/white list cannot connect If grey list is selected, then there is no limitation. User maximum number: user maximum connection number, default is 64. Operation Click Click copy icon to create a new item of SSID plate; delete icon to delete the SSID plate; To configure the SSID configuration, you should: Configure SSID group Configure SSID Select to which VLAN belongs To configure the security authentication, if you select WEP encryption method, user can select the encryption type according to requirement. Encryption method includes WEP64 and WEP 128, and then select key index number and configures the key; if you select WPA1 or WPA2 encryption method, user can select the encryption type according to requirement. The encryption type includes tkip, ccmp, and both. And then configure the pre-shared key. 61

72 Select radio binding method, including the hidden SSID, QOS switch and the STA isolation. Click Ok button in the upper right corner on the webpage AP configure AP settings allows user to view the various detailed information of the online AP, which also can management a single AP. Select AC > AP management > AP configuration > AP configure from navigation tree to enter the AP configure page, as shown in Figure4-2. Figure4-2 AP configure Table4-4 describes the details of AP configuration. Table4-4 Viewing AP Serial number Basic information Displays the serial number of the AP settings. Type: displays the type of the AP to be managed. Serial number: displays the serial number of the AP to be managed. Plate interface SSID VLAN ID Security authentication Radio binding Displays the plate interface. Displays the SSID service set identification code Displays the SSID to which VLAN belongs Displays the security authentication method, including the encrypted or the unencrypted. 2G 5G 2G and 5G Hidden SSID Advanced configuration Displays the hidden SSID function. QOS option: allows you to enable or disable QOS 62

73 STA isolation: allows you to enable or disable the STA isolation function Black/white list: if you configure the black list, then MAC address in Black/White list cannot connect. If black list is selected, mac address in Black/ white list cannot connect If white list is selected, mac address in Black/white list cannot connect If grey list is selected, then there is no limitation. User maximum number: user maximum connection number, default is 64. Radio Wireless configuration Displays and set the AP wireless radio method and parameters. Configure the wireless configuration, including: Fragment threshold byte( , default is 2346) Specifies the maximum length of frames that can be transmitted without fragmentation. Fragmentation means to fragment a large frame into small pieces, with each piece transmitted and acknowledged separately. When the length of a frame exceeds the specified fragment threshold value, it is fragmented. A longer frame is less likely to be successfully received. Therefore, in a WLAN where there is high error rate, you can decrease the fragment threshold to increase frame transmission reliability. Beacon interval (time unit , default is 100): interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used for a client to identify nearby APs or network control devices. Request to send (RTS) threshold length. If a frame is larger than this value, the RTS mechanism will be used. RTS is used to avoid data sending collisions in a WLAN. You need to set a rational value small value causes RTS packets to be sent more often, thus consuming more of the available bandwidth. However, the more often RTS packets are sent, the quicker the system can recover from interference or collisions. DTIM Period (1-255, default is 1) Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The AP sends buffered broadcast/multicast frames when the DTIM counter reaches 0. Long Retry Threshold (1-15, default is 4) Number of retransmission attempts for frames larger than the RTS threshold. Short Retry Threshold (1-15, default is7) Number of retransmission attempts for frames smaller than the RTS threshold if no acknowledgment is received for it. Status Operation Displays the IP address of AP state information, including IP address and AP state and STA number. Click kickout icon to quit the AP. Click restart Click restore icon to restart the AP. icon to restore the AP plate settings. 63

74 4.1.3 AP basic information AP basic information module is convenient for the user to view and mark AP basic information. Select AC > AP management > AP configuration > AP basic information from navigation tree to enter the AP basic information page, as shown in Figure4-3. Figure4-3 AP basic information Table4-5 describes the AP basic information. Table4-5 AP basic information Sequence number Type Serial number SSID group State Displays the sequence number of the AP basic information. Displays the type of AP device. Displays the serial number of the AP device. Displays and sets the SSID group. Convenient for the user to describe the AP. Displays the AP current state information, such as IP address, state and STA number AP version control In order to manage and maintain AP software version, the AP version control feature unified all AP devices software version through which you can update the AP software remotely Select AC > AP management > AP configuration > AP version control from navigation tree to enter the AP version control page, as shown in Figure4-4. Figure4-4 AP version control 64

75 Table4-6 describes the details of the AP basic information. Table4-6 AP version control Sequence number Type Software version Version path Displays the sequence number of the AP control policy. Displays the type of AP device to be unified. Displays the name of the software version to be unified. Allows you to configure the software version download path. Operation Click Click copy icon to add software version control policy. delete icon to delete software version control policy Basic configuration Select AC > AP management > AP configuration > Basic configuration from navigation tree to enter the basic configuration page, as shown in Figure4-5. Figure4-5 Basic configuration Configure area code; the default area code is China (CN). 4.2 STA management Select AC > AP management > STA management > STA display from navigation tree to enter the STA display management page, as shown in Figure4-6. Figure4-6 STA display management 65

76 Table4-7 describes the details of the STA display management. Table4-7 STA display management Serial number MAC address IP address of STA To which AP belongs SSID State information Displays the serial number of the STA management table. Displays the MAC address information of the STA. Displays the IP address of the STA. Displays the IP address of the AP associated with STA. Displays the SSID service identification code associate with STA. Displays the AP description information of the AP associate with STA. Uplink flow: total uplink flow. Downlink flow: total downlink flow Rate state: connection rate Operation Click kickout icon to quit the STA. 4.3 AC-AP log Rogue AP Log info Select AC > AP management > AC-AP log > Rogue AP Log info from navigation tree to enter the Rogue AP Log info page, as shown in Figure4-7. Figure4-7 Rogue AP Log info Displays Rogue AP access record AP Unusual Log information Select AC > AP management > AC-AP log > AP Unusual Log information from navigation tree to enter the AP Unusual Log information page, as shown in 错误! 未找到引用源. Figure4-8 AP Unusual Log information 66

77 Displays the AP reported abnormal information. 4.4 BLACK NAME Management Select AC > AP Management > BLACK MANAGEMENT from navigation tree to enter the BLACK NAME Management, as shown infigure4-9. Figure4-9 BLACK NAME Management Table4-8 describes the details of the black/white list management. Table4-8 Black/white list management Sequence number MAC address Displays the serial number of the MAC address. Configure the MAC address of the STA. the format is MAC address without separator, such as 00259cf85acb. Operation Click Click copy icon to add an item of black/white list. delete icon to delete black the black/white list. 67

78 Chapter 5 Advanced Service Advanced service module can control Packet filtering policy IPv6 packet filtering NAT NAT_PT Basic attack protection Session limit Service limit IPV4 Basic DDOS Blacklist MAC/IP Binding Session Management QoS Anti-ARP-spoofing Select AC > Network > Firewall > Packet filtering policy from navigation tree t, as shown in Figure

79 Figure5-1 Firewall 5.2 Packet Filtering Policy Packet Filtering Policy Packet filtering is to inspect the source domain, destination domain, originator source IP, originator destination IP, originator source MAC, originator destination MAC, service, IP fragment, flow re-mark, action for every data packet. Select AC > Advance > Packet filtering policy from navigation tree t, as shown in Figure5-2. Figure5-2 Packet filtering policy Table5-1 describes the configuration items of packet filtering policy. 69

80 Table5-1 Packet filtering policy configuration items Serial number Name Source domain Destination domain Originator source IP Originator destination IP Originator source MAC Originator destination MAC Service IP fragment Valid time Status Displays the serial number of the packet filtering policy. Configure a name for the packet filtering policy. Specify the source domain. Specify the destination domain. Specify the originator source IP. Specify the originator destination IP. Specify the range of packet source MAC. Specify the range of packet destination MAC. Select a service for the packet filtering policy. Select whether to permit fragment packet passing through the device Select a time range for the rule. By default, time range is the always. Always is the packet filtering policy effect always. Select a status for the packet filtering policy. Enable: packet filtering policy is enabled. Disable: packet filtering policy is disabled. Action Specify whether to permit packet pass the device and further limit packet filtering policy. Operation Click copy icon to copy an entry of existing packet filtering rule. Click delete icon to delete an entry packet filtering rule. Click insert icon to insert an entry of the packet filtering policy into the packet filtering policy table. 70

81 Figure5-3 Configuring action Table5-2 describes the details of how to configure action. Table5-2 Configuring action Pass Discard Rate limitation Per IP rate limitation Access control URL filtering Advanced filtering Behavior audit Flow analysis Allow packet to pass through the device. Not allow packet pass through the device. Select rate limitation rule which will apply to the packet filtering policy. Select per IP limitation rule which will apply to the packet filtering policy. Select access control rule which will apply to the packet filtering policy. Select URL filtering rule which will apply to the packet filtering policy. Select advanced filtering rule which will apply to the packet filtering policy. Select behavior audit rule which will apply to the packet filtering policy. Select whether to enable the flow analysis. To create the packet filtering policy, you should: Click copy icon 71

82 And then select the source domain and destination domain And then select the initiate source IP and initiate destination IP Select a service for the policy filtering policy, and then select the valid time of the policy filtering policy. In the Action column, you can select the Pass, Discard or Rate limitation option. Click Ok button in the upper right corner on the webpage.! Caution: It performs default packet filtering policy if there is no packet match packet filtering policy. The default is that interface with higher security level can access the interface with lower security level, but interface with lower security level cannot access higher security level interface Packet Filtering Policy Log Packet filtering policy log query function is to query specific log in the database, but the premise is you should click the select box before packet filtering policy, as shown in Figure5-4. Figure5-4 Packet filtering policy log Select AC> Advance > Packet filtering policy > Packet filtering match number to enter the packet filtering match number, as shown in Figure5-5. Figure5-5 Packet filtering match number Table5-3 describes the details of packet filtering policy log. 72

83 Table5-3 Packet filtering policy log Serial number Time Protocol Source IP Destination IP Source port/type Destination port/code Inbound interface Outbound interface Action Displays the policy serial number. Displays when the log is created. Displays the protocol of the packet filtering policy. Displays the source IP of the packet filtering policy. Displays the destination IP of the packet filtering policy. Displays the source port/type of the packet filtering policy. Displays the destination port /code of the packet filtering policy. Displays the inbound interface of the packet filtering policy. Displays the outbound interface of the packet filtering policy. Display the action of the packet filtering policy Alg Configuration Alg configuration means you can configure all protocols application gateway, so that it can transmit all kind protocol packets to the destination. Select AC> Network > Firewall > Packet filtering policy > Alg configuration from navigation tree to enter the Alg configuration page, as shown in Figure5-6. Figure5-6 Alg configuration Table5-4 describes the details of Alg configuration. 73

84 Table5-4 Alg configuration Protocol State Displays the protocol name Displays the enabling status of alg configuration 5.3 IPv6 Packet Filtering Policy Select AC> Network > Firewall > IPv6 packet filtering policy from navigation tree to enter the IPv6 packet filtering policy, as shown in Figure5-7. Figure5-7 Packet filtering policy 5.4 NAT Introduction to NAT NAT (Network Address Translation) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks. With NAT, a smaller number of public IP addresses are used to meet public network access requirements from a larger number of private hosts, and thus NAT effectively alleviating the depletion of IP addresses Source NAT Select AC>Advance> NAT >Source NAT from navigation tree to enter the source NAT page, as shown in Figure

85 Figure5-8 Source NAT Table5-5 describes the details of source NAT configuration. Table5-5 Source NAT configuration ID Out interface Source IP Destination IP Service Public IP address pool Displays the serial number of source NAT policy. Select the out interface for source NAT policy. Configure the source IP segment for the source NAT policy. Configure the destination IP segment for the source NAT policy. Configure the service scope of the source NAT policy, including all, service group, user-defined service object and the pre-defined service object. Configure the public address pool of the source NAT policy. Operation Click Click copy icon to copy an item of the source NAT policy. delete icon to delete the source NAT policy. To configure the source NAT configuration, you can take the following steps: Click copy icon of source NAT, except the first line of source NAT. Select the outbound interface of the source NAT policy Configure the IP address and subnet mask of the source NAT policy Configure the public IP address of the source NAT policy After the above configuration is finished, click Ok button in the upper right corner on the webpage Destination NAT Select AC>Advance > NAT> Destination NAT from navigation tree to enter the destination NAT page, as shown in Figure

86 Figure5-9 Configuring destination NAT Table5-6 describes the details of destination NAT configuration. Table5-6 Destination NAT configuration ID In interface Common address Service Expert config Advanced configuration Displays the destination NAT ID. Displays the inbound interface of destination NAT policy. Displays the destination NAT policy. Displays the service type of destination NAT policy. Displays the expert config of the destination policy. Displays the advanced configuration of the destination policy Operation Click Click copy icon, and then you can copy a destination NAT policy. delete icon, and then you can delete a destination NAT policy. To configure destination NAT, you should: Click copy icon of the destination NAT policy Select the outbound interface of the destination NAT policy Configure the service type of the destination NAT policy Configure the public address of the destination NAT server Configure the inner IP address of the destination NAT server After the above configuration is finished, you can click Ok button in the upper right corner on the webpage. Note: If you configure the server inner port in the advanced configuration, it will connect to the destination port after it switched destination NAT. 76

87 5.4.4 One to one NAT Select AC> Advance > NAT> One to one NAT from navigation tree to enter the one to one NAT page, as shown in Figure5-10. Figure5-10 One to one NAT Table5-7 describes the details of one to one NAT configuration. Table5-7 One to one NAT configuration Destination Serial number Public interface One to one NAT Public address Operation Displays the serial number of one to one NAT policy. Displays the outbound interface of one to one NAT policy. Displays the inner address of one to one NAT policy. Displays the public address of one to one NAT policy. Click the copy icon, and then you copy a one to one NAT policy. Click the delete icon, and then you can delete a one to one NAT policy. To configure one to one NAT configuration, you should: Click icon of the one to one NAT policy Select the public interface Configure the inner address of one to one NAT policy Configure the public address of one to one NAT policy After the above configuration is finished, click Ok button in the upper right corner on the webpage Address Pool Select AC> Advance > NAT>Address pool from navigation tree to enter the address pool page, as shown in Figure

88 Figure5-11 Address pool Table5-8 describes the details of address pool. Table5-8 Address pool configuration ID Start IP address End IP address Display the start IP address of address pool. Configure the start IP address of address pool. Configure the end IP address of address pool. Operation Click copy icon, and then you can copy an address pool policy. Click delete icon, and then you can delete an address pool policy. To configure address pool configuration, you should: Click icon of the address pool Configure the ID number Configure the start IP of address pool Configure the end IP of address pool After the above steps is finished, click Ok button in the upper right corner on the webpage Alg Configuration Alg configuration means you can configure all protocols application gateway, so that it can transmit all kind protocol packets to the destination. Select AC> Advance > NAT> Alg configuration from navigation tree to enter the Alg configuration page, as shown in Figure

89 Figure5-12 Alg configuration Table5-9 describes the detail of Alg configuration. Table5-9 Alg configuration Protocol State Displays the protocol name. Select whether to enable or disable the protocol. 5.5 NAT_PT Network Address Translation-Protocol Translation (NAT-PT) technology is adhering to the NAT technology (RFC2663) thoughts, but they are different in principle. It can be simply understand that the NAT technology translate IPv4 private network address to the public network address in order to solve the problem of IPv4 public network address lack problem; The NAT - PT technology is to switch IPv6 to IPv4 protocol, which definite in RFC 2765 and RFC 2766 document in order to solve the communication problem between the two protocols. Before the IPv4 network fully transferred to IPv6 network, the two networks communication can be done through NAT PT technology. Select AC> Network > NAT_PT from navigation tree to enter the NAT_PT page to configure the IPv6 bound function, as shown in Figure

90 Figure5-13 IPv6 bound 5.6 Basic Attack Protection Basic Attack Protection Sometimes, normal packets transmitted in the network with attack packets which interference hosts receiving normal packets. Basic attack protection block attack packets and send logs to a remote host or displays logs on local device. Select AC> Advance >Basic attack protection from navigation tree to enter the basic attack protection page, as shown in Figure5-14. Figure5-14 Basic attack protection Table5-10 describes the details of basic attack protection. 80

91 Table5-10 Basic attack protection Attack type Threshold Block Send log Number of attacks Clear counter Time interval(per second) Select an attack type of basic attack protection. Set the threshold of the basic attack protection. Click the select box of the basic attack protection, which enable the relevant protocol attack protection. Click the select box and then you can view the log while attack packet transmitted through the device interface. Statistics of the attack count. Clear the attack count statistics. Select how much time it sending log per second. Terms interval Select how many log it report the new log. To configure basic attack protection, you should: Click the select box of attack type. Click the send log box and then click Ok button in the upper right corner on the webpage Basic Attack Log Query Basic attack log query allow you to query the specific log from the database. Select AC> Advance > Basic attack protection > Basic attack log query from navigation tree to enter the basic attack log query page, as shown in Figure5-15. Figure5-15 Basic attack log query Table5-11 describes the details of basic attack log query. 81

92 Table5-11 Basic attack log query Serial number Time Attack type Protocol Source IP Destination IP Source port Action Displays serial number of the attack. Displays when the attack log is created. Displays the type of the attack. Displays the protocol of the attack. Displays the source IP of the attack. Displays the attack packet destination IP address. Displays the interface of the attack. Displays the action for the attack. To query the basic attack log query: In each item, enter the parameter that you want to query Click Query button, then you can view the searching result that you have queried Click Export button, then you can export the basic attack log file to the remote system Click Delete button, then you can delete all logs that you have searched. 5.7 Session Limit Select AC> Advance > Sessions Limit from navigation tree to enter the session limit page, as shown in Figure5-16. Figure5-16 Sessions Limit 5.8 Service Limit Select AC > Advance >Service Limit from navigation tree to enter the service limit page, as shown in Figure

93 Figure5-17 Service Limit 5.9 IPv4 Basic DDoS Defend Object Management Defend Object Management is to configure the defend object group, including IP address protected by DDoS attack protection and comment information. Select AC> Firewall > Basic DDoS Protection > Defend Object Management from navigation tree to enter the defend object management page, as shown in Figure5-18. Figure5-18 Defend Object Management Table5-12 describes the details of Defend Object Management. Table5-12 Defend Object Management Defend object management IP address and mask Comment Enter a name for the defend object management. Enter an IP address or several IP address protected by defend object management. Comment the defend object group. Operation Click the Click the copy icon, and then you can copy a rule. delete icon, and then you can delete a rule. To create a defend object management rule, you should: 83

94 Enter a name for the defend object management rule On the defend object management rule page, you should configure IP address and subnet mast to be protected After the above steps is finished, click Ok button in the upper right corner on the webpage Configuration and Tendency Traffic Status and Monitoring You can access the current defend group traffic status and monitoring via configuration and tendency. Select AC> Firewall > Basic DDoS Protection > Configuration and tendency from navigation tree to enter the traffic status and monitoring page, as shown in Figure5-19. Figure5-19 Traffic status and monitoring Table5-13 describes the configuration items of traffic status and monitoring. Table5-13 Traffic and status monitoring configuration items Name IP address Belong to Time range Displays the name of traffic status monitoring. Displays the IP address of traffic monitoring. Displays which protect type belong to. Displays the status time range DDOS Defend Settings DDOS defend settings is the basic configuration to all kind of attack. Select AC> Firewall > Basic DDOS Protection > DDOS defend settings from navigation to enter the DDoS defend settings page, as shown in Figure

95 Figure5-20 DDOS defend settings Table5-14 describes the details of DDOS defend settings. Table5-14 DDOS defend settings Manual configure the threshold Auto-learning the threshold You can sleek the manual configure or auto-learning the threshold. Set the number of the threshold. To modify DDOS defend settings, you should: click Open checkbox and select manual configure threshold and auto-learning threshold option Configure a number for the threshold After you finished the above steps, and then click the Ok button in the upper right corner on the webpage Protection History Protection History Select AC> Firewall > Basic DDOS Protection > Snapshot and history > Protection history from navigation tree to enter the protection history page, as shown in Figure

96 Figure5-21 Protection history 5.10 IPv6 Basic DDOS IPv6 basic DDOS ensure that the legal user and inner server through you configuration on IPv6 DDOS configuration Configuration and Tendency Protection History Select AC> Firewall > Advanced DDOS Protection > Protection history from navigation tree to enter the protection history page, as shown in Figure5-22. Figure5-22 Protection configuration Table5-15 describes the details of protection configuration. Table5-15 Protection configuration Enable/Disable Protection type Select whether to enable or disable advanced DDoS attack protection. Select the advanced DDOS protection type. 86

97 Check/protect Protection parameter You can configure it as check + protect. Configure the advanced DDOS detect threshold Traffic Trend Chart Select AC> Firewall > Advanced DDOS Protection > Protection history> Traffic Trend chart from navigation tree to enter the traffic trend chart page, as shown in Figure5-23. Figure5-23 Traffic Trend Art Protection History Protection History Select AC> Firewall > Advanced DDOS Protection > Protection history from navigation tree to enter the protection history page, as shown in Figure5-24. Figure5-24 Protection history 87

98 5.11 Blackname Blackname Blacklist is an attack prevention mechanism that filters packets based on source IP address. Blacklists are easier to configure and fast in filtering packets sourced from a particular IP address. Select AC>Advance> Blackname from navigation tree enter the blacklist page, as shown in Figure5-25. Figure5-25 Blackname configuration Table5-16 describes the details of blacklist configuration. Table5-16 Blackname configuration Option IP address/mask Source IP Remaining life time Last configuration record Click the Enable blacklist option Specifies the IP address to be blacklisted. Displays the entry of the remaining life time in which you can view the remaining time of blacklist. Displays the entry last configuration record in which you can the last configuration record and the remaining time for the blacklist. Displays the last configuration record. Operation Click copy icon to copy the blacklist rule. To configure the black list, you should: Enter a source IP address in the blacklist Select the remaining time of the blacklist. Click Ok button the selected configuration button in the upper right corner on the webpage. If you want to delete one configuration, you can click Delete button. 88

99 Blacklist Query Select AC > Advance> Blackname >Blackname query from navigation tree to enter the blacklist query page, as shown in Figure5-26. Figure5-26 Blackname query Table5-17 describes the details of blacklist query. Table5-17 Blackname query IP address/mask Valid time Remaining time Cause Displays the blacklisted IP address. Displays the valid time Displays the remaining time and the time when you create the black list. Displays the add reason of a blacklisted IP address Blackname Log Query Select AC> Advance> Blackname >Blackname Log Query from navigation tree to enter the blacklist log query page, as shown in Figure5-27. Figure5-27 Blacklist log query Table5-18 describes the details of blacklist log query. Table5-18 Blacklist log query Serial number Time IP address Displays the serial number of a blacklist log query. Displays the time when attack beginning. Displays the blacklisted IP address in blacklist log query. 89

100 Lifecycle Add reason Displays the blacklisted IP address lifecycle in blacklist log query. Displays the add reason of blacklisted IP address. To query the blacklist log, you should: Configure the query item which you want to query Click Query button and then you can view all searching results Click Export button to export blacklist log to CSV file Click Delete button to delete the logs that you have searched on the black list log query page 5.12 MAC/IP Binding MAC/IP Binding MAC/IP binding is to form the relationship between IP address and MAC address as user s configuration via unified threaten management. To this claimed IP address packet, if it not the MAC address cannot match the related IP address, the WCS will generate log. MAC/IP binding is mainly to avoid ARP spoofing. Select AC> Advance> MAC/IP binding from navigation tree to enter the MAC/IP binding page, as shown in Figure

101 Figure5-28 MAC/IP Binding Table5-19 describes the details of MAC/IP binding Table5-19 MAC/IP binding IP address MAC address MAC address getting method Displays the binding IP address. Displays the binding MAC address. Displays the MAC address getting method. Operation Click the Click the icon, and then you can copy a binding record from the table. icon, and then you can delete a binding record from the table. To create MAC/IP binding rule, you should: Enter the IP address and MAC address to be bound Click Ok button in the upper right corner on the webpage To import or export MAC/IP binding in batch, you can click the import or export button, then select a CSV file from local system, and click Ok button in the upper right corner on the webpage Table5-20 describes the details of switches table. 91

102 Table5-20 Switches table Switches IP address SNMP read community Specify the switches IP address. Specify community sting of the switches Operation Click the Click the copy icon, and then you can copy a binding record. delete icon, and then you can delete a binding record. To create switches table, you should: Enter the IP address of the switches table Enter the switch s community string. Click Ok button in the upper right corner on the webpage Auto-learning device can analyze network traffic and automatically learn MAC and IP address. You should add the binding information to the system ARP form. Select AC> Advance > MAC/IP binding >Auto-learning from navigation tree to enter the auto learning page, as shown in Figure5-29. Figure5-29 Auto learning Table5-21 describes the details of auto learning. Table5-21 Auto learning Option IP address MAC address MAC address binding method Binding status Select one or several IP/MAC record from the table. Displays the IP address auto-learned by WCS. Displays the MAC address auto-learned by WCS. WCS auto-learning method. There are three types of the IP and MAC address binding status in which one you 92

103 can select, unbinding, bind, not bind. To configure auto-learning function, you should: Click Auto learn from packet button to learn MAC/IP binding from data packet Click Auto learn from layer 3 switch button to learn MAC/IP binding from layer 3 switch Click Check current learning result button to view the learning result Click option checkbox to select which should be added in the binding list and click add to binding list button User MAC Binding Select AC> Advance > learning, User/MAC binding from navigation tree to enter the user MAC binding page, as shown in Figure5-30. Figure5-30 User MAC binding Table5-22 describes the details of User/MAC binding. Table5-22 User/Mac binding User name MAC address How to obtain MAC address It provides two method to create the username, includes manual create user name and add the username which you have created. Automatically learned MAC address by WCS. The learning method of WCS. Operation Click Click copy icon, and you can copy a record from User/Mac binding table. delete icon, and then you can delete a record from the table. To create a User/MAC account, you should: Enter a username name Enter the MAC address 93

104 Select an option for the How obtain MAC address method And then click Ok button in the upper right corner on the webpage And then if you want to import MAC/IP binding in batch, click Browse button and select a CSV file from your local system User/IP Binding Select AC > Advance > MAC/IP binding > User/IP binding from navigation tree to enter the User/IP binding page, as shown in Figure5-31. Figure5-31 User/IP binding Table5-23 describes the details User/IP binding. Table5-23 User /IP binding Username IP address The user/ip binding function provides user with two kind of methods of User/IP binding, including manual configure and auto-learn methods. Configure an add IP address manually. Operation Click Click copy icon to create an item of User/IP binding in the table. delete icon to delete the User/IP binding in the table. To create an account of User/IP binding, you should: Add username name Configure an IP address Click Ok button in the upper right corner on the webpage If you want to import User/IP binding in batch, click Browse button and then you can import a CSV file from your local system Binding Log Query MAC/IP log query provides you with the log query function, which allows you to query specific log from database. 94

105 Select AC > Advance > MAC/IP binding > MAC/IP binding log query from navigation tree to enter binding log query page, as shown in Figure5-23. Figure5-32 binding log query Table5-24 describes the details of MAC/IP binding log query. Table5-24 binding log query Serial number Time IP address MAC address Detailed information Displays the serial number your searching result. Displays the time when MAC and IP address mutually match. Displays the IP address which is showing in the binding log query table. Displays the MAC address which is showing in the binding log query table. Displays the detailed information about binding log query. To query the MAC/IP binding log, you should: Enter the parameters that you want to query Click Query button, then you can view all searching results that you have queried Click Export to CSV button, and then you can export all searching logs to a CSV format file. Click Delete button, and then you can delete the logs that you have queried Session Management The session management feature is designed to manage sessions of applications such as network address translation (NAT), application specific packet filter (ASPF), and intrusion protection. This feature regards packet exchanges at the transport layer as sessions and updates the status of sessions or ages out sessions according to the information in packets. 95

106 Session List Select AC> Advance > Session Management > Session List page from navigation tree to enter the session list page, as shown in Figure5-33. Figure5-33 Session list Session Parameter Select AC > Advance > Session Management > Session Parameter page from navigation tree to enter the session parameter page, as shown in Figure5-34. Figure5-34 Session Parameter Session Monitoring Select AC> Advance > Session Management > Session Monitoring from navigation tree to enter the session monitoring page, as shown in Figure

107 Figure5-35 Session Monitoring Session Log Configuration Select AC> Advance > Session Management > Session Log Configuration from navigation tree to enter the session log configuration page, as shown in Figure5-36. Figure5-36 Session log configuration 5.14 QoS QoS can ensure bandwidth with configuring VIP bandwidth guarantee and traffic classification VIP Bandwidth Guarantee Select AC > Advance > QOS> bandwidth guarantee basic set from navigation tree to enter the bandwidth guarantee basic set page, as shown in Figure5-37. Figure5-37 bandwidth guarantee basic set Table5-25 describes the details of bandwidth guarantee basic set. 97

108 Table5-25 bandwidth guarantee basic set Name Outbound interface Total bandwidth settings Assuring rate settings Displays the policy name of VIP bandwidth guarantee. Displays the outbound interface of data traffic. Displays the total bandwidth setting of outbound interface. Configure assuring rate settings which ensure the transmitting rate in all applications. Operation Click copy icon, and then you can copy a VIP bandwidth guarantee rule. Click delete icon, and then you can delete a VIP bandwidth guarantee rule Traffic Classification Select AC> Advance > QOS> Traffic classification from navigation tree to enter the traffic classification page, as shown in Figure5-38. Figure5-38 Traffic classification To configure traffic classification, you should: There are three type of priorities provided in traffic classification page, including COS EXP and DSCP. Select one priority to ensure bandwidth. Click Ok button in the upper right corner on the webpage Congestion Avoidance Select AC > Advance > QOS> Congestion avoidance from navigation tree to enter the congestion avoidance page, as shown in Figure

109 Figure5-39 Congestion avoidance Table5-26 describes the details of congestion avoidance. Table5-26 Congestion avoidance Name The policy of dropping package The request of turn on The minimum rate of dropping package The maximum rate of dropping Displays the policy name of congestion avoidance. The policy of dropping package includes RED and WRED. When network traffic is reached the threshold, the congestion avoidance policy will be enabled. Set the minimum rate of dropping package. Set the maximum rate of dropping package. package Operation Click Click copy icon, and then you can copy a rule of congestion avoidance. delete icon, and then you can delete a rule of congestion avoidance Congestion Management Select AC> Advance > QOS> Congestion management from navigation tree to enter the congestion management, as shown in Figure5-40. Figure5-40 Congestion management Table5-27 describes the details of congestion management. Table5-27 Congestion management Name Displays the congestion management policy name. 99

110 Outbound interface Congestion avoidance Total bandwidth settings Franchise s PRI Low PRI protected Priority setting Displays the congestion management outbound interface. Readjust congestion avoidance. Configure the total bandwidth settings. Configure the congestion management franchise priority. Select whether to enable low priority protected. Configure the congestion management priority settings. Operation Click Click copy icon, and then you can copy a rule of congestion management. delete icon, and then you can delete a rule of congestion management Traffic Shaping Select AC> Advance > QOS> Traffic shaping from navigation tree to enter the traffic shaping page, as shown in Figure5-41. Figure5-41 Traffic shaping 5.15 Anti-ARP-Spoofing Anti-ARP-Spoofing Select AC> Advance > QOS> Anti-ARP-Spoofing from navigation tree to enter the Anti-ARP-Spoofing page, as shown in Figure

111 Figure5-42 Anti-ARP-Spoofing Table5-28 describes the details of Anti-ARP-Spoofing. Table5-28 Anti-ARP-Spoofing Option IP address MAC address VLAN ID Interface Type Select an anti-arp-spoofing entry and then click the option. Displays the IP address scanned by anti-arp-spoofing. Displays the MAC address scanned by anti-arp-spoofing. Displays the VLAN ID scanned by anti-arp-spoofing. Displays the interface scanned by anti-arp-spoofing. Displays the obtaining method of anti-arp-spoofing ARP Configuration The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of that device to the corresponding MAC address. Select AC>Advance> ARP configuration from navigation tree to enter the ARP configuration page, as shown in Figure

112 Figure5-43 ARP configuration Table5-29 describes the details of ARP configuration. Table5-29 ARP configuration Interface name Enable state Displays the all interfaces name of the device. Enable/disable ARP configuration interface. 102

113 Chapter 6 Log Management 6.1 Introduction to Log Management Log management provides log management function, it include System log Operation log Business log Select Basic > Log management from navigation tree to enter the log management menu, as shown in Figure6-1. Figure6-1 Log management menu 6.2 System Log Latest log The system log page displays 25 terms of latest system logs Select AC > Log management > System log > Latest log from navigation tree to enter the latest log page, on which you can view 25 terms of latest system logs, as shown in Figure

114 Figure6-2 Latest log Note: To export system log to your local system, click Export button and select the Open or Save button the system prompt interface. If you select the Open button, you can open system log on your local system. If you select the Save button, you can save system logs to CSV file to your local system. Table6-1 describes the details of latest log. Click the header entry of each column that you can view system logs displayed as ascending or descending order. Table6-1 Latest log Serial number Time stamp Module Displays the serial number of latest system log. Displays when the system log is created. Displays the system log to which module belongs. Displays severity level of the latest system log, including: Fatal error: means the system is available Emergency error: warns user must take an emergency measures for the system Severity level Critical: means the system is dangerous status Common error: displays the common errors Warning: displays warning information Status information: important information under the normal status 104

115 Information: unknown information Unknown: means the unknown information. Log content Content of a log. Note: Auto-refresh function can be set as 10, 30, 60 seconds, after you enable this function, you can click the refresh button to manual refresh the latest log page. Different shading color represents different security level in order to warn user: Red shading color stands for fatal error, emergency error and critical error Orange shading color stands for common error and warning White shading color stands for status, information, unknown information System Log Query System log query function allows users to query the system log as their requirement. Select AC > Log management > System log > System log query from navigation tree to enter into system log query page, as shown in Figure6-3. Figure6-3 System log query Click Export button and then the system prompted you that you should select Open or Save to a CSV file. Click Query button to view the queried logs. Click drop-down list of the Jump to and Page, system log displayed as you selected. Note: If you select Customized time range and click Query button, all system logs displayed on the log query page. Table6-2 describes the system log query searching conditions. 105

116 Table6-2 System log searching conditions Severity Time scope Start time End time Allows you to search system log according to different severity level. Allows you to search system log as the selected time range. Displays or set the start time of system log to be queried. Displays or set the end time of system log to be queried System Log File Operation System log file operation function allows you to backup or delete one day s logs. Select AC > Log management > System log > Log file operation from navigation to enter into system log file operation page, as shown in Figure6-4. Figure6-4 System log file operation If you want to save one day s system logs, Click If you want to delete one day s system logs, Click Save button to save system logs to your local system. Delete button to delete the system log file. 0 describes the details of system log file operation. Table6-3 System log file operation Serial umber Log file name Displays the generated sequence of system log. Displays the time when system log was generated. 106

117 Operation Click Backup and delete icon to backup or delete system logs System Log Configuration System log configuration provides system log saving and exporting to remote host function. Select AC > Log management > System log configuration from navigation tree to enter into system log configuration page, as shown in Figure6-5. Figure6-5 System log configuration Table6-4 describes the details of system log configuration items. Table6-4 System log configuration items Output to remote syslog server Set remote syslog server parameters, including: Remote syslog server IP address Service port Time stamp Days for saving Select the max saving day for system log file and then system will delete the expired system log file. You can select one week, two weeks, or three weeks or 30 days or customized time option and you can set the days when you configure customize option. 6.3 Operation log Latest log Latest log of the operation log page displays 25 terms of latest operation logs. Select AC > Log management > Operation log > Latest log from navigation tree to enter the Latest log page, as shown in Figure

118 Figure6-6 Latest log Click Export button and then the system prompt you that you can open or save the CSV file to your local system. Table6-5 describes the details of the latest log configuration items. Table6-5 Latest log configuration items Serial number Time stamp Displays the sequence of operation log generating Displays when operation log generating. Displays the type of client who generate operation log, including Web: means administrator manages the device through web. Client type Administrator Address Console: means administrator manages the device through console port. Telnet: means administrator manages the device through telnet server. SSH: means administrator manages the device through SSH service. Displays which administrator did the operation Displays the IP address of operation log Displays the log of operation result, including: Operation result Log content Success: means your operation is successful Fail: means your operation is fail Displays the content of operation log. 108

119 Note: After you enable the auto-refresh function, you can select the auto-refresh time as 10, 30, 60 seconds. After you enable this function. Click Refresh button to refresh the interface manually Operation Log Query Operation log query provides operation log searching function. Select Basic > Log management > Operation log > Log query from navigation tree to enter into operation log query page, as shown in Figure6-7. Figure6-7 Log query Click Export button and then the system prompt you that you can open or save the CSV file to your local system. Click Query button to view the logs you have queried. Click Jump to and Page right drop-down list, you can view the system log displays as your selection. Note: All system logs display when you select Customized option and click Query button. Table6-6 describes the details of operation log query configuration items. Table6-6 Operation log query configuration items Administrator IP address Time scope Start time End time Shows the administer who did the operation log Shows the IP address of operation log Select operation log as time scope Display or to set the operation log beginning time Display or to set the operation log finish time 109

120 6.3.3 Log File Operation Operation log file operation module allows you to back up or delete system log file of today or another day. Select Basic > Log management > Operation log > Log file operation from navigation to enter into Operation log file operation interface, as shown in Figure6-8. Figure6-8 System log file operation If you want to save one day s system logs, Click If you want to delete one day s system logs, Click Save button to save system logs to your local system. Delete button to delete the system log file. Table6-7 describes the details of operation log configuration items Table6-7 Operation log file configuration items Serial umber Log file name Operation Displays the generated sequence of operation log. Displays the time when operation log was generated. Displays back up and delete icon Operation Log Configuration Operation log configuration provides system log saving and exporting configuration for users. Select Basic > Log management > System log configuration from navigation tree to enter into operation log configuration interface, as shown in Figure

121 Figure6-9 Operation log configuration Table6-8 describes the details of operation log configuration items. Table6-8 Operation log configuration items Output to remote syslog server Set remote syslog server parameters, including Remote syslog server IP address Service port Time stamp Days for saving Select the max saving day for system log file and then system will delete the expired system log file. You can select one week, two weeks, or three weeks or 30 days or customized time option and you can set the days when you configure customize option. 6.4 Service Log Service Log Configuration Service log configuration provides service log related configuration. Select Basic > Log management > Service log from navigation tree to enter the service log page, as shown in Figure

122 Figure6-10 Service log Table6-9 describes the configuration items of the service log. Table6-9 Service log configuration items Days for saving Brief log Audit log Local save audit log Log aggregation Output to a remote syslog server Select the max saving day for system log file and then system will delete the expired system log file. You can select one week, two weeks, or three weeks or 30 days or customized time option and you can set the days when you configure customize option. Allows you to select brief log option Allows you to select whether to enable audit log sending to server function Allows you to select audit log local save function Allows you to select whether to enable log aggregation function Configuring the output to a remote syslog server function parameter, including Remote syslog server IP address Service port DDoS remote syslog server Allows you to select whether to enable DDoS log sending to remote syslog server function Send an Mail server IP address Set the mail server IP address Source address mail Set the mail server source address Destination Set the mail server destination address 112

123 mail address User name Set the mail server username Password Set the mail server password Number of s sent out per minute Configure a number for sent out per minute Domain name Set domain name of user. 113

124 Chapter 7 User Authentication 7.1 Portal Authentication 7.2 Introduction to Portal Authentication Portal authentication provides several authentication mechanisms, which allows user to authenticate their user name and password before access to the Internet. Authentication Config Web Auth Notice Behavior Listen Proscenium Management Terminal Management Online User Local User Select AC > User authentication from navigation tree, as shown in Figure7-1. Figure7-1 Security center Authentication config Basic authentication Select AC> User authentication > Portal Authentication from navigation tree to enter the basic authentication page, as shown in Figure

125 Figure7-2 Basic authentication Table7-1 describes the details of basic authentication configuration items Table7-1 Basic authentication configuration items description Web auth Terminal auth Avoid auth IP User group Auth mode Unique authentication User aging time Quick offline Allows you to enable or disable web auth function. Allows you to enable or disable terminal auth function. Allows you to set the free authentication IP address. Allows you to select a user group. Allows you to select and configure authentication mode. Allows you to select whether to enable unique authentication function. Allows you to set the user aging time. Allows you to select whether to enable quick offline function Webauth Configuration Select Service > User authentication > Webauth configuration from navigation tree to enter the Webauth configuration page, as shown in Figure