H3C SecPath Series Security Products


Web-Based Configuration Manual
Hangzhou H3C Technologies Co., Ltd.
Manual Version: T U C-2.01

Copyright 2007, Hangzhou H3C Technologies Co., Ltd. and its licensors. All Rights Reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Technical Support
To obtain the latest information, please access: h3c.com, customer_service@h3c.com

About This Manual

Related Documentation
In addition to this manual, each documentation set includes the following:
H3C SecPath Series Security Products Operation Manual: Provides an overall introduction to the functions and features, operating principles, and configuration and operation guide of the H3C SecPath series security gateways/firewalls.
H3C SecPath Series Security Products Command Manual: Introduces all commands available for configuration and operation of the H3C SecPath series security gateways/firewalls. The details include command name, complete command form, parameters, operation view, usage guide, and configuration example.

Organization
The Web-Based Configuration Manual is organized as follows:
Part 1 Web-Based Management Overview: Introduces the firewall and its features, how to connect to and log in to the firewall, and the Web-based management interface.
Part 2 System Management: Introduces configuration steps for system summary information, configuration file management, user management, DNS, software upgrade, and interface management.
Part 3 Network Configuration: Introduces configuration steps for static routes, PPPoE client, SNMP, and AAA.
Part 4 Firewall Configuration: Introduces configuration steps for security zones, NAT, ACL, attack defense, mail filtering, Web filtering, blacklist, IP-MAC address binding, firewall sessions, ASPF, and TCP proxy functions.
Part 5 Object-Oriented Management: Introduces configuration steps for firewall objects and policies.
Part 6 VPN Configuration: Introduces configuration steps for L2TP, IPsec, IKE, GRE, and PKI.

Part 7 System Report: Introduces configuration steps for firewall log management and flow statistics.
Part 8 Commonly Used Utilities: Introduces two commonly used utilities for diagnosing network faults, namely ping and tracert.

Conventions
The manual uses the following conventions:

I. Command conventions
Boldface: The keywords of a command line are in boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.

II. GUI conventions
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.

/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

III. Symbols
Warning: Means the reader must be extremely careful. Improper operation may cause bodily injury.
Caution: Means the reader must be careful. Improper operation may cause data loss or damage to equipment.
Note: Means a complementary description.

Web-Based Management Overview

Web-Based Configuration Manual: Web-Based Management Overview

Table of Contents
Chapter 1 Firewall Overview
Chapter 2 Firewall Login
  2.1 Preparing for Login
    2.1.1 Connecting the Firewall
    2.1.2 Configuring the Firewall Network Parameters
    2.1.3 Adding a User
  2.2 Logging into the Firewall
Chapter 3 Introduction to the Web-Based Management Interface
  3.1 Navigation Tree
  3.2 Title Bar
  3.3 Information and Configuration Area

Chapter 1 Firewall Overview

H3C SecPath Series Firewalls (hereinafter referred to as the SecPath firewalls) are new-generation firewalls for enterprise users. They can be used as outbound firewalls for small- and medium-sized enterprises and as internal firewalls for medium-sized enterprises. The supported features include the following:
- Defending against external attacks, monitoring and controlling traffic, and filtering Web pages and e-mails, to safeguard the internal network efficiently.
- Employing application specific packet filter (ASPF) stateful inspection for connection process monitoring and malicious command detection, working together with ACLs for dynamic packet filtering.
- Providing intelligent analysis and management functions that support alerts, various types of logs, and network management monitoring and control, to help network administrators perform network security management.
- Supporting technologies such as Authentication, Authorization and Accounting (AAA) and Network Address Translation (NAT), to allow a reliable, secure network to be built on the open Internet.
- Supporting VPN services such as L2TP VPN, IPsec VPN, GRE VPN, and dynamic VPN, to construct various forms of VPN (Internet, intranet, and remote access) that allow remote users to connect through dial-in, leased line, VLAN, or tunnels as required.
- Providing basic routing functions, and supporting RIP/OSPF/BGP routing policies and policy routing.
- Supporting abundant QoS features, including traffic policing, traffic shaping, and various queue scheduling policies.

Chapter 2 Firewall Login

2.1 Preparing for Login
Before you can log in to your SecPath firewall and manage it through the Web-based management interface, you need to perform a few simple configurations.

2.1.1 Connecting the Firewall
I. Introduction to the console port
The SecPath firewall provides an RS-232 asynchronous serial port (console port), through which you can configure the firewall.

II. Console cable
The console cable is an 8-pin shielded cable, with an RJ-45 connector (B) at one end for the console port of the firewall and a DB-9 (female) connector (A) at the other end for the serial port on the configuration terminal, as shown in Figure 2-1.
Figure 2-1 Console cable

III. Connecting the console cable
Complete the following preparation before configuring the firewall via a terminal device:
1) Select a terminal device: The configuration terminal can be either a standard character terminal with an RS-232 port or a PC. The latter is used more often.
2) Connect the console cable: Turn off the firewall and the configuration terminal, then plug the DB-9 connector of the console cable into the RS-232 port of the terminal and the RJ-45 connector into the console port of the firewall.

2.1.2 Configuring the Firewall Network Parameters
I. Configuring the firewall's default packet-filter action to permit
<H3C> system-view
[H3C] firewall packet-filter default permit
Caution: With the default action set to permit, any packet that matches no ACL rule passes through the firewall. This is convenient for initial setup; review the default action and the ACLs before the device carries production traffic.

II. Configuring an IP address for an Ethernet interface of the firewall (GigabitEthernet 0/0 for example) and adding the interface to the trusted zone
[H3C] interface GigabitEthernet0/0
[H3C-GigabitEthernet0/0] ip address
[H3C-GigabitEthernet0/0] quit
[H3C] firewall zone trust
[H3C-zone-trust] add interface GigabitEthernet0/0

III. Configuring an IP address for the PC
Configure an IP address on the PC in the same subnet as GigabitEthernet 0/0.

IV. Verifying the network connectivity with the ping command
<H3C> ping
PING : 56 data bytes, press CTRL_C to break
Reply from : bytes=56 Sequence=1 ttl=128 time=30 ms
Reply from : bytes=56 Sequence=2 ttl=128 time=10 ms
Reply from : bytes=56 Sequence=3 ttl=128 time=10 ms
Reply from : bytes=56 Sequence=4 ttl=128 time=10 ms
Reply from : bytes=56 Sequence=5 ttl=128 time=10 ms
--- ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/14/30 ms
The above output of the ping command proves the connectivity between the firewall and the PC.

2.1.3 Adding a User
To enable a user to log in to the firewall through the Web and manage the firewall, create an account and configure an access level for it. For example, you can create an account whose user name and password are both admin, with service type telnet and access level 3:
[H3C] local-user admin
[H3C-luser-admin] password simple admin
[H3C-luser-admin] service-type telnet
[H3C-luser-admin] level 3
Caution: admin/admin is an example only. Level 3 is the highest access level, so give such an account a strong, unique password, and prefer password cipher over password simple so that the password is not stored in plaintext in the configuration file.

2.2 Logging into the Firewall
Launch the Internet browser (IE 5.0 or later recommended) on the PC and enter the IP address configured on the firewall's GigabitEthernet 0/0 interface in the address bar. When the firewall login page appears, type the user name and password (both admin in this example) and click Login. You can also select a language for the management interface from the Language drop-down list, as shown in Figure 2-2.
Figure 2-2 Web login page

Chapter 3 Introduction to the Web-Based Management Interface

Compared with the command line interface (CLI), the Web-based management interface provides a more user-friendly way to configure and manage the firewall.
Figure 3-1 Web-based management interface

3.1 Navigation Tree
The navigation tree is in the left part of the Web-based management interface, as shown in Figure 3-2.
Figure 3-2 Navigation tree

When the mouse pointer is moved onto a menu, the corresponding submenus appear, as shown in Figure 3-3.
Figure 3-3 Configuration menus and submenus

3.2 Title Bar
The title bar at the top of the Web-based management interface displays the ongoing configuration task. Under the title bar is a set of tabs that provide entries to specific configurations.
Figure 3-4 Title bar and configuration task tabs

3.3 Information and Configuration Area
In the information and configuration area, you can view system information and perform a specific configuration task by clicking the corresponding check box, drop-down box, or button, as shown in Figure 3-5.

Figure 3-5 Information and configuration area

System Management

Web-Based Configuration Manual: System Management

Table of Contents
Chapter 1 Device Summary
  1.1 Device Summary Configuration Tasks
Chapter 2 Configuration Management
  2.1 Configuration Management Tasks
  2.2 Configuration Management Details
    2.2.1 Downloading the Configuration File
    2.2.2 Uploading the Configuration File
Chapter 3 User Management
  3.1 User Management Tasks
  3.2 User Management Details
    3.2.1 Adding a User
    3.2.2 Modifying a User
Chapter 4 DNS Configuration
  4.1 DNS Overview
  4.2 Configuring DNS
Chapter 5 Software Update
  5.1 Updating the Software
Chapter 6 Reboot
  6.1 Rebooting the Device
Chapter 7 Interface Management
  7.1 Interface Management Configuration Tasks
    7.1.1 Creating an Interface
    7.1.2 Configuring an Interface

Chapter 1 Device Summary

1.1 Device Summary Configuration Tasks
Select System > Device Summary from the navigation tree to enter the device summary page, as shown in Figure 1-1.
Figure 1-1 Device summary page
Complete these tasks to configure the device summary information:
- Device Summary: Select the Device Summary tab to display the current summary information of the firewall, such as device type and system name. Click Poll Interval to set the information update interval. Move the mouse pointer onto a port to view the port type, connection rate, duplex mode, and port status.
- Flash: Select the Flash tab to view information such as the current path, the files stored on the device, the size of each file, and the flash size and free space.
- System Resource: Select the System Resource tab to view the current CPU usage and memory usage. Click Details to view detailed information about the usage of system resources.

Chapter 2 Configuration Management

2.1 Configuration Management Tasks
Select System > Current Configuration from the navigation tree to enter the configuration management page, as shown in Figure 2-1.
Figure 2-1 Configuration management page
Complete these tasks to perform configuration management:
- Displaying the Configuration File: Select Display Config to display the current firewall configuration.
- Saving the Configuration File: Select Save Config to save the current firewall configuration.
- Downloading the Configuration File: Select Restore Config to download the configuration file from the TFTP server.
- Uploading the Configuration File: Select Backup Config to upload the configuration file to the remote TFTP server.
Caution: TFTP provides neither authentication nor encryption, and the configuration file contains the account settings, including any password stored in simple mode in plaintext. Run the TFTP server on an isolated management network and remove the file from the server once the transfer is complete.

2.2 Configuration Management Details
2.2.1 Downloading the Configuration File
If the configuration file is lost or cannot be loaded, you can download a new configuration file from a remote server to restore the configuration. Select Restore Config to enter the configuration download page.

Table 2-1 File download configuration items
1 IP Address: Specify the IP address of the remote TFTP server from which the firewall will download the configuration file.
2 Remote File Name: Specify the name of the remote configuration file to be downloaded from the TFTP server.

2.2.2 Uploading the Configuration File
After saving the current configuration to the configuration file, you can upload the file to a remote server for future configuration restoration. Select Backup Config to enter the configuration file upload page.

Table 2-2 File upload configuration items
1 IP Address: Specify the IP address of the remote TFTP server to which the firewall will upload the configuration file.
2 Remote File Name: Specify the name under which the configuration file is to be saved on the TFTP server.

Chapter 3 User Management

3.1 User Management Tasks
Select System > User Management from the navigation tree to enter the user management page, as shown in Figure 3-1.
Figure 3-1 User management configuration page
Complete these tasks to perform user management configuration:
- Adding a User: Click Create to add a user.
- Modifying a User: Select a user and then click Modify to modify the settings of the user.
- Setting the User Timeout Timer: Click Timeouts to set the user timeout timer. If no operation is performed within the specified timeout time, the user is disconnected and needs to log in again.

3.2 User Management Details
3.2.1 Adding a User
Click Create in the user information summary page.

Table 3-1 Account creation configuration items
1 User Name: Type a user name.
2 Password: Type a password.
3 Confirm Password: Confirm the password.
4 Access Level: Select an access level for the user.

5 Password Display Mode: Select a password display mode for the user, which can be simple or cipher. In simple mode the password is stored in plaintext and is readable by anyone who can display or back up the configuration; cipher stores it in an encoded form so that it does not appear in the clear. Choose cipher unless you have a specific reason not to.

3.2.2 Modifying a User
Select a user in the Users Information Summary page and click Modify.

Table 3-2 Account modification configuration items
1 User Name: Type a new user name.
2 Access Level: Select an access level for the user.
3 Modify Password: Select the Modify Password check box before you can modify the user password.
4 New Password: Type a new password. This option is available only when the Modify Password check box is selected.
5 Confirm New Password: Confirm the new password. This option is available only when the Modify Password check box is selected.
6 Password Display Mode: Select a password display mode for the user, which can be simple or cipher.
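The following script is an added example and is not part of the H3C manual. It audits a configuration file retrieved with Backup Config for the weak settings discussed in this part and in the Firewall Login chapter: a packet-filter default action of permit, local users whose password is stored in simple mode or equals the user name, and SNMP communities left at the well-known defaults. It parses the Comware command lines that appear in this manual (local-user, password simple/cipher, firewall packet-filter default, snmp-agent community); the embedded configuration is constructed for the example and the cipher value in it is a placeholder, not real cipher text.

```python
"""Audit a SecPath configuration backup for weak management settings.

Added example, not part of the H3C manual. It reads the command lines that
appear in a Comware configuration file (as saved with Save Config and
retrieved with Backup Config) and reports settings a security reviewer
would flag. The configuration text below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration; the cipher value is a placeholder.
SAMPLE_CONFIG = """\
#
 sysname H3C
#
 firewall packet-filter default permit
#
local-user admin
 password simple admin
 service-type telnet
 level 3
local-user ops
 password cipher PLACEHOLDER-CIPHER-TEXT
 service-type telnet
 level 2
#
 snmp-agent community read public
 snmp-agent community write private
#
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
#
return
"""

# Community strings shipped as defaults by many SNMP implementations.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    severity: str
    line: int
    message: str


def audit_config(text: str) -> list[Finding]:
    """Walk the configuration line by line and collect findings.

    Comware configuration files indent the lines of a view by one space,
    open a view (such as local-user or interface) with an unindented line,
    and separate sections with a bare '#'.
    """
    findings: list[Finding] = []
    user = None  # name of the local-user whose block is being parsed

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "#" or line == "return":
            user = None
            continue
        if not raw.startswith(" "):
            # An unindented line opens a new view; remember local-user names.
            user = line.split(" ", 1)[1] if line.startswith("local-user ") else None
            continue

        if line == "firewall packet-filter default permit":
            findings.append(Finding("HIGH", lineno,
                "default packet-filter action is permit: traffic matching no rule passes"))
        elif user and line.startswith("password "):
            parts = line.split(" ", 2)  # password <simple|cipher> <value>
            if len(parts) == 3 and parts[1] == "simple":
                findings.append(Finding("HIGH", lineno,
                    f"local-user {user}: password stored in plaintext (simple mode)"))
                if parts[2] == user:
                    findings.append(Finding("HIGH", lineno,
                        f"local-user {user}: password equals the user name"))
        elif line.startswith("snmp-agent community "):
            m = re.match(r"snmp-agent community (read|write) (\S+)", line)
            if m and m.group(2) in DEFAULT_COMMUNITIES:
                findings.append(Finding("HIGH", lineno,
                    f"SNMP {m.group(1)} community is the well-known default '{m.group(2)}'"))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings one per line, ordered by configuration line number."""
    return "\n".join(f"{f.severity} line {f.line}: {f.message}"
                     for f in sorted(findings, key=lambda f: f.line))


if __name__ == "__main__":
    print(report(audit_config(SAMPLE_CONFIG)))
```

Run it against a file saved from Backup Config by reading the file into audit_config instead of SAMPLE_CONFIG. The parser deliberately keys on view structure (unindented line opens a view, bare # closes it) rather than on regular expressions over the whole file, so a password line is only attributed to a user when it really sits inside that user's block.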

Chapter 4 DNS Configuration

4.1 DNS Overview
Static domain name resolution is performed by means of the static domain name resolution table, which is similar to the hosts file in a Windows operating system. The firewall obtains the IP addresses of common domain names by looking up this table, and users can use host names that are easy to remember, rather than abstract IP addresses, to access the related devices.

4.2 Configuring DNS
Select System > DNS from the navigation tree to enter the DNS configuration page, as shown in Figure 4-1. Click Create to create a static domain name mapping entry.
Figure 4-1 DNS configuration page

Table 4-1 DNS configuration items
1 Host Name: Specify a host name.
2 Host IP Address: Specify the IP address of the host.

Chapter 5 Software Update

5.1 Updating the Software
Select System > Software Update from the navigation tree to enter the software update page, as shown in Figure 5-1.
Figure 5-1 Software update page

Table 5-1 Software update configuration items
1 IP Address: Specify the IP address of the TFTP server.
2 Remote File Name: Specify the name of the software image on the TFTP server.
3 Local File Name: Specify the name under which the file is saved to the Flash.
Caution: The image is fetched over TFTP, which neither authenticates the server nor protects the transfer. Verify the image's integrity (for example, against the checksum supplied with the release) before placing it on the TFTP server, and keep the server on an isolated management network.

Chapter 6 Reboot

6.1 Rebooting the Device
Select System > Reboot from the navigation tree to enter the device reboot page. An alert box appears before the system restarts, prompting you to save the configuration changes you have made, as shown in Figure 6-1.
Figure 6-1 System reboot hints

Chapter 7 Interface Management

7.1 Interface Management Configuration Tasks
Select System > Interface Management from the navigation tree to enter the interface management page, as shown in Figure 7-1.
Figure 7-1 Interface management page
Complete these tasks to perform interface management configuration:
- Creating an Interface: Click Create to create a logical interface.
- Configuring an Interface: Select an interface, and then click Configure to configure parameters for the interface.
- Removing the Interface(s): Select one or more interfaces, and then click Remove. Only created logical interfaces can be deleted.

7.1.1 Creating an Interface
Click Create in the interface management page to create a logical interface.

Table 7-1 Interface creation configuration items
1 Interface Type: Select the type of the logical interface to be created, which can be Ethernet subinterface, bridge template interface, dialer interface, loopback interface, tunnel interface, or virtual template interface.

2 Interface: If the selected interface type is Ethernet subinterface, select the primary interface on which the Ethernet subinterface is to be created. This option is available only when a subinterface is created.
3 Interface Number: Specify a number for the logical interface.

7.1.2 Configuring an Interface
Select an interface and click Configure in the interface management page to configure parameters for the interface.

Table 7-2 Interface configuration items
1 Interface Name: Specify the name of the interface to be configured.
2 Address Assign Mode: The supported address assignment modes vary with the interface type. Select one of the following modes from the Address Assign Mode drop-down list.
  Borrowed: The interface uses the IP address of another interface (IP unnumbered). Select the address owner interface in the Share Interface box. This mode is available for a dialer interface, a tunnel interface, or a virtual template interface only.
  Manual: The IP address must be configured manually.
  Dhcp: An IP address is obtained automatically through DHCP. This mode is available for an Ethernet interface only.
  Bootp: An IP address is obtained automatically through BOOTP. This mode is available for an Ethernet interface only.
  Negotiation: An IP address is obtained through IP address negotiation over PPP. This mode is available for a dialer interface only.
  None: No IP address is configured for the interface.
3 Share Interface: Select the IP address owner interface. This option is available only when the address assignment mode is Borrowed.
4 IP Address: Manually specify an IP address for the interface.
5 sub: Specify that the IP address assigned to the interface is a secondary IP address.

6 Net Mask: Specify a subnet mask for the interface IP address.
7 VLAN ID: Specify a VLAN ID for the interface. This option is available only for an Ethernet subinterface.
8 Duplex Mode: This option is available only for an Ethernet interface. Select one of the following duplex modes for the interface.
  Full: The interface operates in full-duplex mode. When the interface is connected to a switch, it must be configured to operate in full-duplex mode.
  Half: The interface operates in half-duplex mode. When the interface is connected to a hub, it must be configured to operate in half-duplex mode.
  Negotiation: The Ethernet interface operates in auto-negotiation mode.
  No Change: The Ethernet interface operates in the default mode, that is, auto-negotiation.
9 Flow-Control Mode: This option is available only for an Ethernet interface. Select one of the following flow control modes for the interface.
  Enable: Enables flow control on the interface. Flow control must be enabled on both ends to take effect. When flow control is enabled and the negotiation fails, the interface cannot come up.
  Disable: Disables flow control on the interface.
  No Change: Uses the default mode, that is, flow control disabled.
10 Ethernet Speed: This option is available only for an Ethernet interface. Select one of the following speeds for the interface.
  10: Sets the Ethernet interface speed to 10 Mbps.
  100: Sets the Ethernet interface speed to 100 Mbps.
  1000: Sets the Ethernet interface speed to 1000 Mbps.
  Negotiation: The interface operates at an automatically negotiated speed.
  No Change: The Ethernet interface operates at the default speed, that is, the automatically negotiated speed.

11 MTU: Specify the maximum transmission unit (MTU) for the interface. The MTU determines whether a packet needs to be fragmented on the interface.

Network Configuration

Web-Based Configuration Manual: Network Configuration

Table of Contents
Chapter 1 Route Management
  1.1 Static Route Overview
  1.2 Configuring a Static Route
Chapter 2 PPPoE Client Configuration
  2.1 PPPoE Overview
  2.2 PPPoE Client Configuration Tasks
  2.3 PPPoE Client Configuration Details
    2.3.1 Configuring a PPPoE Client Using Wizard
    2.3.2 Configuring a Dialer Interface
Chapter 3 SNMP Configuration
  3.1 SNMP Overview
  3.2 SNMP Configuration Tasks
  3.3 SNMP Configuration Details
    3.3.1 Configuring Basic Information
    Managing Users
    Managing Groups
    Managing Views
    Managing Community Names
    Configuring Traps
Chapter 4 AAA Configuration
  AAA Overview
    Introduction to AAA
    Introduction to RADIUS
    Introduction to HWTACACS
  AAA Configuration Tasks
  AAA Configuration Details
    Configuring RADIUS
    Configuring HWTACACS

Chapter 1 Route Management

1.1 Static Route Overview
In a relatively simple network, routers can work normally with only static routes configured. Using static routes can improve network performance and guarantee bandwidth for important applications. A static route can have one of the following attributes:
- Reachable route: A normal route is of this type. With a reachable route, IP packets are forwarded to the next hop. This is the common use of a static route.
- Unreachable route: When a static route to a destination has the "reject" attribute, all IP packets to this destination are discarded, and the originating host is notified that the destination is unreachable.
- Blackhole route: When a static route to a destination has the "blackhole" attribute, all IP packets to this destination are discarded without any notification to the originating host.

1.2 Configuring a Static Route
Select Network > Route Management from the navigation tree to enter the static route configuration page, as shown in Figure 1-1.
Figure 1-1 Static route configuration page
Click Create to create a static route.

Table 1-1 Static route configuration items
1 Destination IP: Specify the destination network segment.
2 Mask: Specify the subnet mask of the destination network segment.

3 Interface: Select a local interface as the outgoing interface to the destination network.
4 Next Hop: Specify the IP address of the next router on the way to the destination network. If no outgoing interface has been specified, you must specify the next hop address. If a point-to-point interface (such as a virtual PPP tunnel interface or a PPP-encapsulated dialer interface) is specified as the outgoing interface, you can skip the next-hop address; if the outgoing interface is a broadcast-type or NBMA-type interface (such as an Ethernet interface), which supports point-to-multipoint transmission, a next hop must be specified.
5 Preference: Specify a preference value for the route. The smaller the preference value, the more likely the route is to be preferred.
6 Attribute: Select an attribute for the route.
  Reject: The route's destination is unreachable. Any IP packet destined for it is discarded, and a destination-unreachable message is sent to the source host.
  Blackhole: The route's destination is a blackhole. Any IP packet destined for it is discarded, and no message is sent to the source host.

Chapter 2 PPPoE Client Configuration

2.1 PPPoE Overview
Point-to-Point Protocol over Ethernet (PPPoE) connects Ethernet hosts to a remote access concentrator through a simple bridging device. Through PPPoE, a remote access device can control and account for each access user. Compared with traditional access methods, PPPoE has a better performance-to-cost ratio and is therefore widely used in applications such as residential networking; ADSL is an example that uses PPPoE. PPPoE employs a client/server architecture and encapsulates PPP packets in Ethernet frames to provide point-to-point connections over Ethernet.

2.2 PPPoE Client Configuration Tasks
Select Network > PPPoE Client from the navigation tree to enter the PPPoE client configuration page, as shown in Figure 2-1.
Figure 2-1 PPPoE client configuration page
Complete these tasks to configure a PPPoE client:
- Configuring a PPPoE Client Using Wizard: Select PPPoE Client to quickly configure a PPPoE client using the wizard.
- Configuring a Dialer Interface: Select Dialer to create and configure a dialer interface.
- Configuring the Session Information: Select Session Information to display the current PPPoE session information.

2.3 PPPoE Client Configuration Details
2.3.1 Configuring a PPPoE Client Using Wizard
Select the PPPoE Client tab to enter the PPPoE client configuration page, as shown in Figure 2-2.
Figure 2-2 PPPoE client configuration page
Click Start Wizard to enter the configuration wizard page.

Table 2-1 Configuration items in the wizard page
Wizard page:
  User Name: Specify a user name for the client.
  Password: Specify a password.
  Authentication: Select a PPP authentication mode.
  Bind interface: Select a physical interface to bind to the dialer interface.
Configuration summary page: View summary information on the dialer interface, dialer binding number, user name, and bound interface.

After completing the above configuration, you can click Bind in Figure 2-2 to modify the interface binding information of the related entry and perform advanced settings. Click Unbind to remove the corresponding binding entry.

Table 2-2 Interface binding configuration items
1 Dialer Bundle Number: Binding number of the dialer interface.
2 PPPoE Bind Interface: Select a new physical interface to bind to the dialer interface.
3 Always Online: Select a PPPoE connection mode. The firewall supports two PPPoE connection modes: packet trigger mode and always online mode.

4 Idle Timeout: Configure the idle timeout for PPPoE sessions. If no idle timeout is configured, the PPPoE session operates in always online mode; if an idle timeout is configured, the session operates in packet trigger mode.
5 Queue Length: Specify the number of packets that can be cached before a PPPoE session is established.

2.3.2 Configuring a Dialer Interface
Select the Dialer tab to enter the dialer interface configuration page, as shown in Figure 2-3. Click Create to create a dialer interface, or click Configure to configure an existing dialer interface.
Figure 2-3 Dialer interface configuration page

Table 2-3 Dialer interface configuration items
1 Dialer Interface: Number of the dialer interface.
2 Dialer Bundle Number: Binding number of the dialer interface.
3 Authentication Mode: Select an authentication mode for the client, PAP or CHAP. PAP sends the user name and password to the access concentrator in the clear; CHAP sends only an MD5 response to a challenge, so the password itself never crosses the link. Use CHAP whenever the access concentrator supports it.
4 User Name: Specify a user name for the client.
5 Password: Type a password.
6 Address Assign Mode: Select an address assignment mode, which can be Manual or PPP negotiate.

7 IP Address & Mask: Specify an IP address and subnet mask for the dialer interface. This option is available only when the address assignment mode is Manual.
8 Security Zone: Add the dialer interface to a security zone. The firewall uses security zones to represent the networks connected to it. Before the firewall can be interconnected with another device, you must add the corresponding interface to a security zone.
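The following program is an added example, not code from the H3C manual, illustrating the PAP versus CHAP choice in Table 2-3 above. It builds the PPP authentication packets defined in RFC 1334 (PAP Authenticate-Request) and RFC 1994 (CHAP with MD5) for a constructed user name and password, then checks what each reveals to anyone who can see the Ethernet frames on the PPPoE segment: the PAP packet carries the password verbatim, while the CHAP response carries only MD5(identifier || secret || challenge), which the access concentrator recomputes from its own copy of the secret. The credentials and challenge values are constructed for the example.

```python
"""PAP versus CHAP on a PPPoE dialer interface: what crosses the link.

Added example, not from the H3C manual. It builds the PPP authentication
packets of RFC 1334 (PAP Authenticate-Request) and RFC 1994 (CHAP with MD5)
for a constructed user name and password and checks what each reveals to
anyone who can see the Ethernet frames: PAP carries the password verbatim,
CHAP carries only MD5(id || secret || challenge), which the access
concentrator recomputes from its own copy of the secret.
"""
import hashlib
import hmac
import os
import struct

PPP_HDR = "!BBH"  # Code, Identifier, Length (RFC 1334 / RFC 1994 layout)


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (Code 1): Peer-ID and Password, each length-prefixed."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(PPP_HDR, 1, ident, 4 + len(body)) + body


def chap_challenge(ident: int, challenge: bytes, name: bytes) -> bytes:
    """CHAP Challenge (Code 1): Value-Size, random Value, authenticator Name."""
    body = bytes([len(challenge)]) + challenge + name
    return struct.pack(PPP_HDR, 1, ident, 4 + len(body)) + body


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: MD5 over Identifier, shared secret, Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response (Code 2): Value-Size, 16-byte digest, peer Name (in the clear)."""
    value = chap_response_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack(PPP_HDR, 2, ident, 4 + len(body)) + body


def chap_verify(packet: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    if len(packet) < 5:
        return False
    code, ident, length = struct.unpack(PPP_HDR, packet[:4])
    size = packet[4]
    value = packet[5:5 + size]
    if code != 2 or length != len(packet) or len(value) != 16:
        return False
    return hmac.compare_digest(value, chap_response_value(ident, secret, challenge))


def secret_on_the_wire(packet: bytes, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in the packet bytes."""
    return secret in packet


if __name__ == "__main__":
    user, secret = b"pppoe-user", b"pppoe-s3cret"  # constructed credentials
    pap = pap_authenticate_request(1, user, secret)
    print("PAP packet reveals the password:", secret_on_the_wire(pap, secret))

    challenge = os.urandom(16)  # the access concentrator picks a fresh value each time
    resp = chap_response(1, secret, challenge, user)
    print("CHAP response reveals the password:", secret_on_the_wire(resp, secret))
    print("CHAP verify with correct secret:", chap_verify(resp, secret, challenge))
    print("CHAP verify with wrong secret:", chap_verify(resp, b"guess", challenge))
    # A captured response does not verify against a new challenge, which is why
    # CHAP can re-authenticate periodically without exposing the secret.
    print("Replay against a new challenge:", chap_verify(resp, secret, os.urandom(16)))
```

Note that CHAP still requires both sides to hold the secret in a recoverable form (which is why the dialer's password must be available to the firewall), and MD5-CHAP offers no protection against an attacker who captures a challenge/response pair and brute-forces the secret offline; the point of the comparison is only that PAP hands the password to any observer outright.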

Chapter 3 SNMP Configuration

3.1 SNMP Overview

Currently, the most widely used network management protocol in computer networks is the Simple Network Management Protocol (SNMP), a widely adopted industry standard. Its purpose is to guarantee the transmission of management information between any two points. This enables the network administrator to query and modify information, troubleshoot the network, plan network capacity, and create reports on any node on the network.

SNMP adopts a polling mechanism and offers a basic function set, which makes it suitable for small-sized, high-speed, and low-cost networks. As SNMP only requires the connectionless transport layer protocol UDP, it has become a widely supported network management protocol.

SNMP consists of two parts: the network management station (NMS) and the agent. The NMS is a workstation on which the client program runs. Commonly used network management platforms include Sun NetManager and IBM NetView. The agent is server-side software running on a network device. The NMS sends GetRequest, GetNextRequest, GetBulkRequest, and SetRequest packets to the agent. Once the agent receives a request packet from the NMS, it performs the read or write operation on the managed variables according to the type of the packet and returns a Response packet to the NMS. When an abnormal event happens, such as a cold or warm start, the agent sends a trap to the NMS to report the event.

3.2 SNMP Configuration Tasks

Select Network > SNMP from the navigation tree to enter the SNMP configuration page, as shown in Figure 3-1. You need to enable SNMP on the firewall before performing any configuration.

Figure 3-1 SNMP configuration page

Complete these tasks to configure SNMP:

Configuring Basic Information: Select Setup to configure SNMP basic attributes.
Managing Users: Select Users to create or configure SNMP users.
Managing Groups: Select Groups to create or configure SNMP groups.
Managing Views: Select Views to create SNMP views.
Managing Community Names: Select Community String to create or configure SNMP communities.
Configuring Traps: Select Trap to configure SNMP traps.

3.3 SNMP Configuration Details

Configuring Basic Information

Select the Setup tab to enter the SNMP basic configuration page, as shown in Figure 3-2. Enable SNMP on the firewall first, and then click Configure to configure SNMP basic attributes.

Figure 3-2 SNMP basic configuration page

Table 3-1 SNMP basic configuration items

1 SNMP: Select Enable or Disable to enable or disable the SNMP agent.
2 Local Engine ID: Type the engine ID of the local device, which must be a hexadecimal string of at least five characters. It can be derived from an IP address, a MAC address, or a user-defined text string. The default engine ID is the manufacturer number plus device information.
3 Maximum Packet Size: Specify the maximum size of packets the SNMP agent can receive and send.
4 Contact: Specify the identification and means of contact of the administrator. This field is a managed variable (sysContact) in the system group of MIB-II, in which you can save important contact information for use in an emergency.
5 Location: Specify the physical location of the firewall. This field is a managed variable (sysLocation) in the system group of MIB-II, in which you can save the location information of the managed device.
6 SNMP Version: Select one or more SNMP versions. The default version is SNMPv3. You can select multiple versions at a time. SNMPv1 and SNMPv2c authenticate requests with a plain-text community string only; enable them only when a legacy NMS requires them, and restrict them with an ACL.

Managing Users

Select the Users tab to enter the user management configuration page, as shown in Figure 3-3. Click Create to create a user, or click Modify to configure existing users.

Figure 3-3 User management configuration page

Table 3-2 SNMP user configuration items

1 User Name: Type a user name, in the case of user creation.
2 Group Name: Select or type the SNMP group to which the user belongs. If you specify a non-existing group name, you will be prompted to create the group later.
3 Security Model: Select an SNMP version, which can be v1, v2c or v3.
4 Authentication Mode: Select an authentication mode, which can be MD5, SHA, or None.
5 Password: Type an authentication password.
6 Confirm Password: Confirm the password.
7 ACL: Specify an ACL number for user access control.
8 Privacy Mode: Specify whether to use DES56 encryption. This option is available only when the security model is SNMPv3.
9 Privacy Mode Password: Specify a privacy mode password.
10 Confirm Privacy Mode Password: Confirm the password.

Managing Groups

Select the Groups tab to enter the group management configuration page, as shown in Figure 3-4. Click Create to create a group, or click Modify to configure existing groups.

Figure 3-4 Group management configuration page

Table 3-3 SNMP group configuration items

1 Group Name: Type an SNMP group name, in the case of group creation.
2 Security Model: Select an SNMP version. SNMPv1 and SNMPv2c provide no security levels.
3 Security Level: Select a security level. This option is available only when the security model is SNMPv3. Security levels include:
   Auth/NoPriv: Packets are authenticated but not encrypted.
   Auth/Priv: Packets are authenticated and encrypted.
   NoAuth/NoPriv: Packets are neither authenticated nor encrypted.
4 Read View: SNMP read-only view.
5 Write View: SNMP read-write view.
6 Notify View: SNMP notification view.
7 ACL: Specify an ACL number for user access control.

Managing Views

Select the Views tab to enter the view management configuration page, as shown in Figure 3-5. Click Create to create an SNMP view.

Figure 3-5 SNMP view management configuration page

Table 3-4 SNMP view configuration items

1 View Name: Specify a view name.
2 MIB Subtree ObjectID: Specify a MIB subtree object ID, which can be an OID string or an object name string.
3 Rule: Select a rule, which can be Included or Excluded.
   Included: The subtree is included in the view.
   Excluded: The subtree is excluded from the view.

Managing Community Names

Select the Community String tab to enter the community name management configuration page, as shown in Figure 3-6. Click Create to create an SNMP community, or click Modify to configure existing communities.

Figure 3-6 SNMP community name management

Table 3-5 SNMP community name configuration items

1 Community String: Type a community name, in the case of community name creation.
2 Access: Select an access level for the community, which can be Read-Write or Read-Only.

3 MIB View: Select a MIB view.
4 ACL: Specify an ACL number for user access control.

Configuring Traps

Select the Trap tab to enter the trap configuration page, as shown in Figure 3-7. Click Create to create a trap destination host, or click Configure to select whether to enable sending traps of all modules.

Figure 3-7 SNMP trap configuration page

Table 3-6 Trap configuration items

1 Destination Address: Type the IP address of a new destination host, in the case of trap destination host creation.
2 Destination UDP Port: Specify a UDP port number, if you do not wish to use the default UDP port (162).
3 Security Name: Specify the security name used for sending traps: an SNMPv3 user name, or a community name for SNMPv1/v2c.
4 Security Model: Select an SNMP version, which can be v1, v2c, or v3.
5 Security Level: Select a security level. This option is available only when the security model is SNMPv3. Security levels include:
   Authentication: Packets are authenticated but not encrypted.
   Privacy: Packets are authenticated and encrypted.
   None: Packets are neither authenticated nor encrypted.
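How a view (Table 3-4) and a group (Table 3-3) combine to decide whether a request is allowed, as an added example that is not part of the H3C manual or product code. It follows the view-based access control rules of RFC 3415: the longest subtree entry covering an OID decides whether the OID is visible, and a request is served only if its security level is at least the group's and the OID lies in the view for that operation. The view and group names, the security levels and the OIDs are constructed for the example.

```python
"""Added example (not code from the H3C manual or product): evaluating SNMP
MIB views and group access the way a VACM agent does (RFC 3415).

A view is a list of MIB subtrees, each Included or Excluded.  An OID is
visible if the longest subtree entry that covers it is Included; an OID
covered by no entry is invisible.  A group pins a minimum security level
and a read, write and notify view; a request is allowed only if it arrives
at or above that level and the OID is in the view for the operation.
"""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]

# RFC 3415 numeric values: higher is stronger.
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0)."""
    return tuple(int(part) for part in text.strip(".").split("."))


class MibView:
    """Included/Excluded subtree entries; the longest covering entry wins."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[Oid, bool]] = []

    def add(self, subtree: str, included: bool = True) -> "MibView":
        self.entries.append((parse_oid(subtree), included))
        return self

    def contains(self, oid: str) -> bool:
        target = parse_oid(oid)
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


class Group:
    """An SNMPv3 group: minimum security level plus per-operation views."""

    def __init__(self, name: str, min_level: str,
                 read: Optional[MibView] = None,
                 write: Optional[MibView] = None,
                 notify: Optional[MibView] = None) -> None:
        self.name = name
        self.min_level = LEVELS[min_level]
        self.views: Dict[str, Optional[MibView]] = {
            "get": read, "getnext": read, "getbulk": read,
            "set": write, "trap": notify,
        }

    def allows(self, operation: str, oid: str, msg_level: str) -> bool:
        if LEVELS[msg_level] < self.min_level:
            return False                      # message weaker than the group requires
        view = self.views.get(operation)
        return view is not None and view.contains(oid)


def build_example() -> Group:
    """Constructed sample: read everything under internet except the USM and
    VACM tables, which expose user and access configuration; no write view."""
    ro_view = (MibView("internet-ro")
               .add("1.3.6.1", included=True)            # internet
               .add("1.3.6.1.6.3.15", included=False)    # SNMP-USER-BASED-SM-MIB
               .add("1.3.6.1.6.3.16", included=False))   # SNMP-VIEW-BASED-ACM-MIB
    return Group("ops-readonly", "authPriv", read=ro_view)


if __name__ == "__main__":
    grp = build_example()
    for op, oid, lvl in [("get", "1.3.6.1.2.1.1.1.0", "authPriv"),
                         ("get", "1.3.6.1.6.3.15.1.2.2.1.3", "authPriv"),
                         ("get", "1.3.6.1.2.1.1.1.0", "authNoPriv"),
                         ("set", "1.3.6.1.2.1.1.4.0", "authPriv")]:
        print(op, oid, lvl, "->", "allow" if grp.allows(op, oid, lvl) else "deny")
```

The Excluded entries for the USM and VACM subtrees are the practical point: a read-only view that simply includes the whole internet subtree still lets a monitoring account enumerate the agent's SNMP users and access policy, which is exactly what an attacker who has captured one community string wants next.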

Chapter 4 AAA Configuration

4.1 AAA Overview

Introduction to AAA

Authentication, authorization and accounting (AAA) provides a uniform framework for network security management. The term network security here refers to access control, which addresses the following questions:

Which users can access the network server?
What services can authorized users get?
How is accounting done for online users?

Specific to these questions, AAA provides the following functionalities:

I. Authentication

AAA supports the following authentication methods:

None authentication: All users are trusted and are not authenticated. Generally, this method is not recommended.
Local authentication: User information (including username, password, and attributes) is configured on the broadband access server (BAS). Local authentication features high speed and low cost; however, the amount of user information that can be stored is limited by the hardware capacity.
Remote authentication: AAA supports remote authentication through Remote Authentication Dial-In User Service (RADIUS) or Huawei Terminal Access Controller Access Control System (HWTACACS). In remote authentication, the BAS acts as the client to communicate with the RADIUS or TACACS server. In the case of RADIUS, you can use the standard RADIUS protocol or the extended RADIUS protocol to complete authentication in collaboration with a device such as itellin or CAMS.

II. Authorization

AAA supports the following authorization methods:

Direct authorization: Users are trusted and directly authorized.
Local authorization: Users are authorized according to the account-related attributes configured on the BAS.
HWTACACS authorization: Users are authorized by a TACACS server.
If-authenticated authorization: Users that pass authentication are authorized, provided that the authentication method is not none.
RADIUS authentication and then authorization: With RADIUS, user authentication and authorization are implemented together. In other words, authorization cannot be implemented alone in RADIUS.

III. Accounting

AAA supports the following accounting methods:

None: No accounting is performed for access users.
Remote accounting: Conducted through a RADIUS server or a TACACS server.

AAA uses the client/server structure, where the client controls user access and the server stores user information. Thus, the framework of AAA allows for good scalability and centralized user information management. As a management framework, AAA can be implemented using multiple protocols. On the firewall, AAA is implemented based on RADIUS or HWTACACS.

Introduction to RADIUS

RADIUS is a distributed client/server protocol that protects the network against unauthorized access. It is typically deployed in network environments where remote user access must be maintained while access security must be guaranteed. For example, it is typically used for managing a large number of distributed dial-in users that use serial ports and modems. The RADIUS system is an important auxiliary part of a network access server (NAS). The RADIUS service involves three components:

Protocol: RFC 2865 and RFC 2866 define the UDP/IP-based RADIUS frame format and message transfer mechanism, with port 1812 as the authentication port and port 1813 as the accounting port.
Server: The RADIUS server runs on a central computer or workstation, and it contains the information about user authentication and network service access.
Client: The RADIUS client runs on NAS devices located all over the network.

As a RADIUS client device, a NAS (a firewall or a router) is responsible for passing user information to the designated RADIUS server and taking actions according to the response from the server (such as connecting or disconnecting users). The RADIUS server receives user connection requests, authenticates users, and responds with the required information to the NAS.

Introduction to HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (documented in RFC 1492). Similar to RADIUS, it is a client/server system that implements AAA for different types of users (such as PPP/VPDN access users and login users) through communications with the TACACS server.

Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and is therefore more suitable for security control. The following table lists the primary differences between HWTACACS and RADIUS.

Table 4-1 HWTACACS vs. RADIUS

Transport: HWTACACS uses TCP, providing more reliable network transmission. RADIUS uses UDP.
Packet protection: HWTACACS encrypts the entire packet except the standard HWTACACS header. RADIUS encrypts only the password field in authentication packets.
Authentication and authorization: HWTACACS separates authentication from authorization; for example, you can provide authentication and authorization on different TACACS servers. RADIUS implements authentication and authorization on the same server.
Typical use: HWTACACS is suitable for security control. RADIUS is suitable for accounting.
Command authorization: HWTACACS supports authorization for configuration commands on the firewall. RADIUS does not.

4.2 AAA Configuration Tasks

Select Network > AAA from the navigation tree to enter the AAA configuration page, as shown in Figure 4-1.

Figure 4-1 AAA configuration page

Complete these tasks to configure AAA:

Configuring RADIUS: Select the RADIUS tab to perform RADIUS configuration.
Configuring HWTACACS: Select the HWTACACS tab to perform HWTACACS configuration.
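What the "packet protection" row of Table 4-1 and the shared-key items of Tables 4-2 and 4-3 actually mean on the wire, as an added example that is not part of the H3C manual or product code. The RADIUS side follows RFC 2865: only the User-Password attribute is hidden, by XORing it with an MD5 keystream derived from the shared key and the Request Authenticator, and the server's reply is bound to the key through the Response Authenticator. The TACACS+ side follows RFC 8907, whose body obfuscation is the "entire packet except the header" scheme; HWTACACS is an H3C variant whose exact wire format this page does not give, so the standard TACACS+ construction is used and labelled as an assumption. The shared keys, authenticator and packet contents are constructed.

```python
"""Added example (not code from the H3C manual or product): the shared-key
protection that Table 4-1 contrasts, reproduced for both protocols.

RADIUS (RFC 2865): c1 = p1 XOR MD5(secret | RequestAuth), then
c_i = p_i XOR MD5(secret | c_{i-1}); everything except User-Password is sent
in the clear.  Reply integrity comes from the Response Authenticator,
MD5(Code | ID | Length | RequestAuth | Attributes | secret).

TACACS+ (RFC 8907, assumed here as the HWTACACS construction): the body
after the 12-byte header is XORed with a pseudo-pad
MD5_1 = MD5(session_id | key | version | seq_no),
MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}).
"""
import hashlib
import hmac
import os
import struct


def _md5(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for part in parts:
        h.update(part)
    return h.digest()


def radius_hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Client side of RFC 2865 section 5.2 User-Password hiding."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)    # pad to 16-byte blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def radius_reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: same keystream, XORed against the received cipher blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def radius_build_response(secret: bytes, code: int, ident: int,
                          request_auth: bytes, attributes: bytes) -> bytes:
    """Server side: header, Response Authenticator, then the attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + _md5(header, request_auth, attributes, secret) + attributes


def radius_response_is_authentic(secret: bytes, request_auth: bytes, packet: bytes) -> bool:
    """Client side: recompute the Response Authenticator; constant-time compare."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        return False
    header, got, attributes = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(_md5(header, request_auth, attributes, secret), got)


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 section 4.5 body obfuscation; XOR makes it its own inverse."""
    sid, ver, seq = struct.pack("!I", session_id), bytes([version]), bytes([seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = _md5(sid, key, ver, seq, prev)
        pad += prev
    return bytes(b ^ k for b, k in zip(body, pad))


if __name__ == "__main__":
    secret, ra = b"example-shared-key", os.urandom(16)      # constructed
    hidden = radius_hide_password(secret, ra, b"hunter2")
    print("hidden User-Password:", hidden.hex())
    print("recovered:", radius_reveal_password(secret, ra, hidden))
    body = b"\x01\x00\x02\x01\x05\x00alice"                 # constructed TACACS+ body
    print("TACACS+ body on the wire:", tacacs_obfuscate(b"k", 0x1234, 0xC0, 1, body).hex())
```

Two practical consequences follow from the code. Both protocols derive their keystream from a single MD5 of the shared key and a short, visible nonce, so the key is the only thing standing between a packet capture and the password; that is why the "no default shared key" rule in the tables matters and why the key should be long and random. And in RADIUS only the User-Password attribute goes through this at all: user names, NAS addresses and every reply attribute are plain text, which is the row in Table 4-1 that makes HWTACACS the better fit for administrator logins.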

4.3 AAA Configuration Details

Configuring RADIUS

Select the RADIUS tab to enter the RADIUS configuration page, as shown in Figure 4-2. Click Create to create a RADIUS policy, or click Configure to configure an existing RADIUS policy.

Figure 4-2 RADIUS configuration page

Table 4-2 RADIUS configuration items

1 RADIUS Policy Name: Specify a RADIUS policy name, in the case of RADIUS policy creation.
2 Primary Authentication IP/Port: Specify the IP address and port number of the primary authentication server.
3 Primary Accounting IP/Port: Specify the IP address and port number of the primary accounting server.
4 Authentication Key: Specify the shared key for authentication/authorization packets. The RADIUS client (the firewall) and the RADIUS server use the shared key with the MD5 algorithm to hide the user password and to verify the packets exchanged between them; the rest of the packet is not encrypted. Both ends must be configured with the same key. There is no default shared key. Use a long, random key: anyone holding it can recover hidden passwords and forge server responses.
5 Accounting Key: Specify the shared key for accounting packets. The RADIUS client (the firewall) and the RADIUS server use the shared key with the MD5 algorithm to verify the accounting packets exchanged between them. Both ends must be configured with the same key. There is no default shared key.

Advanced settings (click Display Advanced to perform advanced settings)

6 Secondary Authentication IP/Port: Specify the IP address and port number of the secondary authentication server.
7 Secondary Accounting IP/Port: Specify the IP address and port number of the secondary accounting server.
8 NAS IP: Specify the source IP address of RADIUS packets sent by the NAS (the firewall).
9 RADIUS Server Type: Select a RADIUS server type, which can be extended or standard.
   extended: The extended type of RADIUS server (generally a CAMS server); the RADIUS client (the firewall) and the RADIUS server exchange packets based on extended RADIUS rules and packet format.
   standard: The standard type of RADIUS server; the RADIUS client (the firewall) and the RADIUS server exchange packets based on standard RADIUS rules and packet format (as defined in RFC 2138/2139 or later).
10 Data Format: Select byte, kilo-byte, mega-byte, or giga-byte as the unit of data traffic reported to the RADIUS server.
11 Packet Format: Select one-packet, kilo-packet, mega-packet, or giga-packet as the unit of packet counts reported to the RADIUS server.
12 Accounting Optional: Select to enable optional accounting. With this option enabled, if no accounting server is available or if communication with the accounting server fails, the user keeps network access; otherwise, the user is disconnected. This option is typically used for authentication without accounting.
13 Stop Accounting Buffer: Select to enable the stop-accounting packet buffer on the firewall. A stop-accounting packet affects bill settlement and therefore user accounting, which matters to both users and the ISP, so the NAS should make its best effort to deliver every stop-accounting packet to the RADIUS accounting server. If the NAS receives no response from the RADIUS accounting server to a stop-accounting packet, it buffers and resends the stop-accounting request until the RADIUS accounting server responds or the maximum number of transmission attempts is reached.

14 Active: Select to set the corresponding server to the active state. For a given RADIUS policy, when the primary server (authentication, authorization or accounting server) fails and is disconnected from the NAS, the NAS automatically turns to the secondary server. However, when the primary server resumes operation, the NAS does not come back to it immediately; instead, the NAS continues to communicate with the secondary server until the secondary server fails. To make the NAS communicate with the primary server right after the primary server resumes operation, you can manually set the primary server state to active. When both the primary and secondary servers are active or blocked, the NAS sends packets to the primary server only.
15 Retry Times: Set the maximum number of RADIUS request attempts. Since RADIUS sends data in UDP packets, the communication is unreliable. If the RADIUS server fails to respond before the response timer expires, the NAS retransmits the RADIUS request.
16 Server Response Timeout(s): Set the RADIUS server response timeout timer. If the NAS receives no response from the RADIUS server within the specified period after sending a RADIUS request (authentication/authorization or accounting request), the NAS sends the request again.
17 Timer Quiet(m): Set the time the primary RADIUS server waits in the blocked state before it comes back to the active state.
18 Realtime Accounting(m): Set the realtime accounting interval. The NAS sends the accounting information of online users to the RADIUS accounting server at the specified interval.

Configuring HWTACACS

Select the HWTACACS tab to enter the HWTACACS configuration page, as shown in Figure 4-3. Click Create to create an HWTACACS policy, or click Configure to configure an existing HWTACACS policy.

Figure 4-3 HWTACACS configuration page

Table 4-3 HWTACACS configuration items

1 Policy Name: Specify an HWTACACS policy name, in the case of HWTACACS policy creation.
2 Primary Authentication IP/Port Number: Specify the IP address and port number of the primary authentication server.
3 Primary Authorization IP/Port Number: Specify the IP address and port number of the primary authorization server.
4 Primary Accounting IP/Port Number: Specify the IP address and port number of the primary accounting server.

Advanced settings (click Display Advanced to perform advanced settings)

5 Secondary Authentication IP/Port Number: Specify the IP address and port number of the secondary authentication server.
6 Secondary Authorization IP/Port Number: Specify the IP address and port number of the secondary authorization server.
7 Secondary Accounting IP/Port Number: Specify the IP address and port number of the secondary accounting server.
8 Authentication Key: Specify the shared key of the authentication server. The TACACS client (the firewall) and the TACACS server use the shared key with the MD5 algorithm to encrypt the packet bodies exchanged between them. They can properly receive packets and respond only if the same shared key is configured at both ends.

9 Authorization Key: Specify the shared key of the authorization server. The TACACS client (the firewall) and the TACACS server use the shared key with the MD5 algorithm to encrypt the packet bodies exchanged between them. They can properly receive packets and respond only if the same shared key is configured at both ends.
10 Accounting Key: Specify the shared key of the accounting server. The TACACS client (the firewall) and the TACACS server use the shared key with the MD5 algorithm to encrypt the packet bodies exchanged between them. They can properly receive packets and respond only if the same shared key is configured at both ends.
11 User Name Format: Select the format of the user name to be sent to the TACACS server. An access user name typically appears in the format userid@isp-name, where the isp-name part is the ISP domain name. The system identifies users of different ISP domains according to the ISP domain names. However, some earlier TACACS servers reject a user name that includes an ISP domain name. In this case, the ISP domain name needs to be removed before the user name is sent to the TACACS server.
12 NAS Packet Source IP: Specify the source IP address in packets sent by the NAS (the firewall).
13 Data Format: Select the unit of data traffic reported to the TACACS server.
14 Packet Format: Select the unit of packet counts reported to the TACACS server.
15 Response Timeout(s): Set the TACACS server response timeout timer.
16 Restore Timeout(m): Set the time the primary server waits before it comes back to the active state.
17 Accounting Interval(m): Set the realtime accounting interval. The NAS sends the accounting information of online users to the TACACS server at the specified interval.

Firewall Configuration

Table of Contents

Chapter 1 Security Zone Configuration
  1.1 Security Zone Overview
  1.2 Configuring Security Zone
Chapter 2 NAT Configuration
  2.1 NAT Overview
  2.2 Configuration Tasks
  2.3 NAT Configuration Details
    Configuring a NAT Address Pool
    Configuring Network Address Translation
    Configuring Inside Server
    Configuring Aging Time
    Configuring Static Table
Chapter 3 ACL Configuration
  3.1 ACL Overview
  3.2 Configuration Tasks
  3.3 ACL Configuration Details
    Configuring Time Ranges
    Configuring ACL
    Applying ACL
Chapter 4 Attack Defense Configuration
  Attack Defense Overview
  Configuration Tasks
  Attack Defense Configuration Details
    Configuring Advanced Attack Defense
    Configuring Flood Attack Defense
Chapter 5 Mail Filtering Configuration
  Configuration Tasks
  Mail Filtering Configuration Details
    Configuring Recipient Address Filtering
    Configuring Subject Filtering
    Configuring Content Filtering
    Configuring Attachment Filtering
Chapter 6 Web Filtering Configuration
  Web Filtering Overview
  Configuration Tasks
  Web Filtering Configuration Details
    Configuring URL Filtering
    Configuring Content Filtering
    Configuring SQL Filtering
Chapter 7 Blacklist Configuration
  Blacklist Overview
  Configuring Blacklist
Chapter 8 IP-MAC Address Binding Configuration
  IP-MAC Address Binding Overview
  Configuring IP-MAC Address Binding
Chapter 9 Firewall Session Configuration
  Configuring Firewall Session
Chapter 10 ASPF Configuration
  ASPF Overview
  Configuration Tasks
  ASPF Configuration Details
    Configuring Policy List
    Configuring the Policy on Interface
Chapter 11 TCP Proxy Configuration
  TCP Proxy Overview
  Configuring TCP Proxy

Chapter 1 Security Zone Configuration

1.1 Security Zone Overview

The firewall uses security zones to identify the networks connected to it. The firewall predefines four security zones: local, trust, untrust, and demilitarized zone (DMZ). These security zones are also called system security zones and represent different security levels. From the highest to the lowest level, they are local, trust, DMZ, and untrust.

The local security zone represents the firewall itself. All packets destined for the firewall are regarded as packets sent to the local security zone.

The trust security zone represents a user's private network.

The untrust security zone represents the public network or an unsafe network, for instance the Internet.

The DMZ is a relatively independent zone used between an internal network and an external network. For example, in a network providing e-commerce, some hosts, such as Web servers, FTP servers and similar servers, need to provide services to the outside. To provide those services with high quality while effectively protecting the internal network, you isolate these hosts from the internal network in a DMZ security zone. In this way, you can apply different firewall policies to the internal network devices and to the hosts providing services, so that the hosts can serve external users and the internal network is well protected at the same time.

1.2 Configuring Security Zone

Select Firewall > Security Zone from the navigation tree to enter the security zone configuration page, as shown in Figure 1-1. Click Create to create a security zone, or click Configure to configure an existing security zone.

Figure 1-1 Security zone configuration page

Table 1-1 Security zone configuration items

1 Zone Name: Name a security zone.
2 Zone Priority: Specify the priority of a security zone. A greater priority value represents a more secure zone. By default, the system predefines four security zones: the local security zone has a priority of 100, the trust security zone 85, the DMZ security zone 50, and the untrust security zone 5.
3 Interface: Add an interface to a security zone. To implement communication between the firewall and other devices, you need to add the corresponding interface to a security zone.

Chapter 2 NAT Configuration

2.1 NAT Overview

Network Address Translation (NAT) translates the IP address in the IP datagram header into another IP address. In practice, NAT is mainly used to let a private network access the public network. In this implementation, NAT translates many private IP addresses into a few public IP addresses, thus slowing the exhaustion of public IP address space.

Network Address Port Translation (NAPT) allows multiple internal IP addresses to be mapped onto the same public IP address, and is therefore also called many-to-one address translation or address multiplexing. NAPT maps both the IP address and the port number of a datagram. Datagrams with different internal addresses can be translated into datagrams with the same public IP address and different port numbers. That is, NAPT translates between private address + port and public address + port.

2.2 Configuration Tasks

Select Firewall > Zone Policy > NAT from the navigation tree to enter the NAT configuration page, as shown in Figure 2-1.

Figure 2-1 NAT configuration page

Complete these tasks to configure NAT:

Configuring a NAT Address Pool: Click the Address Group tab to create and configure a NAT address pool.
Configuring Network Address Translation: Click the NAT Outbound tab to configure the various address translations.
Configuring Inside Server: Click the Inside Server tab to make internal servers available to external users.
Configuring Aging Time: Click the Aging Time tab to configure the NAT aging time for various protocols.

Configuring Static Table: Click the Static Table tab to create NAT static table entries.

2.3 NAT Configuration Details

Configuring a NAT Address Pool

The address pool is a group of consecutive IP addresses. When an internal data packet reaches the external network through NAT, an IP address from the address pool is selected as the source IP address of the packet after translation.

Click the Address Group tab to enter the NAT address pool configuration page, as shown in Figure 2-2. Click Create to create a NAT address pool.

Figure 2-2 Address pool configuration page

Table 2-1 NAT address pool configuration items

1 Address Group ID: Specify the address pool ID.
2 Start IP Address: Specify the start IP address of the address pool.
3 End IP Address: Specify the end IP address of the address pool.

Configuring Network Address Translation

Click the NAT Outbound tab to enter the address translation configuration page, as shown in Figure 2-3. Click Create to configure the address translation type of an interface.

Figure 2-3 Address translation configuration page

Table 2-2 Address translation configuration items

1 Interface Name: Select the external interface on which internal addresses are translated.
2 Converse Type: Select the translation type. This option is available only when an ACL is selected.
   EASY-IP: Use the IP address of the selected interface, rather than an address from the address pool, as the translated IP address.
   NO-PAT: Many-to-many (net-to-net) NAT. When you associate an ACL with a NAT address pool and choose NO-PAT, NAT translates only the IP address, not the port number, of data packets.
   NAPT: Many-to-one translation. NAT translates both the IP address and the port number of data packets.
3 Address Group: Specify the ID of the address pool used for NAT. Internal addresses are translated into addresses from this pool. This option is available only when an ACL is selected.
4 Static: Use static address translation on the interface. For the configuration of static address translation entries, refer to Configuring Static Table.
5 ACL: Specify the basic or advanced ACL number used in NAT. Address translation takes effect once you associate an ACL with an address pool (or the interface address). When data packets from the internal network are destined for the external network, the system checks whether the packets are permitted by the ACL, and then finds the corresponding address pool or interface address based on the association to perform NAT.

Configuring Inside Server

NAT can make inside servers available for external users to access: external addresses and ports are mapped to the inside servers.

Through the mappings, the external network can reach the inside server resources, and the security of the inside servers is improved as well, because only the mapped external address and ports are exposed.

Click the Inside Server tab to enter the inside server configuration page, as shown in Figure 2-4. Click Create to configure and publish an inside server to the outside.

Figure 2-4 Inside server configuration page

Table 2-3 Inside server configuration items

1 Interface Name: Select the interface that listens for external requests.
2 Protocol Type: Select the protocol type to listen for. You can define the protocol number by selecting the Other option.
3 Outer Address: Specify the IP address on the interface that listens for external requests.
4 Outer Start Port: Specify the external port(s). You can specify all external port numbers by selecting Any. To specify a port range, type the start port number in the Outer Start Port field. This option is available only when the protocol type is TCP or UDP.
5 Outer End Port: Specify the end port number of the port range. This option is available only when the protocol type is TCP or UDP.
6 Inner Start Address: Specify the start address of the internal IP address range to which NAT maps the external requests. You can also specify a single internal address instead of a range.
7 Inner End Address: Specify the end address of the internal IP address range.
8 Inner Port: Specify the port number the inside servers listen on. You can specify all ports by selecting Any. This option is available only when the protocol type is TCP or UDP.

Caution: The number of ports in the external port range must equal the number of addresses in the internal IP address range. Otherwise, the system prompts an error.

Configuring Aging Time

The entries in the address translation table are not valid permanently. If a translation entry is not used within the specified period, the entry becomes invalid. You can specify the aging time for each protocol.

Click the Aging Time tab to enter the aging time configuration page, as shown in Figure 2-5.

Figure 2-5 Aging time setting page

Configuring Static Table

NAT can perform one-to-one internal-to-external static address translation. The static translation entries are set manually in advance.

Click the Static Table tab to enter the static translation table configuration page, as shown in Figure 2-6.

Figure 2-6 Static table configuration page

Table 2-4 Static table configuration items
1 Type: Select the type of the NAT static entry: one-to-one or net-to-net.
one-to-one
  1 Inside IP: Specify the internal address to be translated.
  2 Global IP: Specify the external address used to translate the internal address.
net-to-net
  1 Inside IP Range: Specify the start and end addresses of the internal IP address range.
  2 Global IP&Mask: Specify the external addresses and mask used to translate the internal addresses.
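The following is an added example and not H3C code: it models two of the NAT mappings described in this chapter, the inside-server entry (Table 2-3, external port range mapped onto an internal address range, with the caution that both ranges must hold the same number of elements) and the net-to-net static entry (Table 2-4). The device performs the translations itself; this Python only mirrors the documented rules so that an entry can be checked before it is issued. The host-bit semantics of Global IP&Mask and the sample addresses are assumptions.

```python
"""Added example (not H3C code): models of two NAT mappings from Chapter 2,
an inside-server entry (external port range -> internal address range) and a
net-to-net static entry. The device itself performs these translations; this
only mirrors the documented rules so the constraints can be checked up front."""
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def inside_server_map(outer_addr, outer_start, outer_end, inner_start, inner_end):
    """Build {(outer_addr, outer_port): inner_ip} for an inside-server entry.

    Per the caution in the manual, the external port range and the internal
    address range must hold the same number of elements; otherwise the entry
    is rejected (the device prompts an error).
    """
    if outer_start > outer_end or _ip(inner_start) > _ip(inner_end):
        raise ValueError("ranges must be ascending")
    ports = range(outer_start, outer_end + 1)
    n_addrs = _ip(inner_end) - _ip(inner_start) + 1
    if len(ports) != n_addrs:
        raise ValueError(f"{len(ports)} external ports but {n_addrs} internal addresses")
    return {(outer_addr, port): str(ipaddress.IPv4Address(_ip(inner_start) + i))
            for i, port in enumerate(ports)}


def static_net_to_net(inside_ip, inside_start, inside_end, global_net):
    """Translate inside_ip using a net-to-net static entry, or return None.

    The entry is an inside address range plus a global network with mask
    (Global IP&Mask). Assumed semantics: the host bits of the inside address
    are kept and its network bits are replaced by those of the global network.
    """
    ip = _ip(inside_ip)
    if not _ip(inside_start) <= ip <= _ip(inside_end):
        return None                       # no static entry covers this address
    net = ipaddress.IPv4Network(global_net, strict=False)
    host_bits = ip & int(net.hostmask)
    return str(ipaddress.IPv4Address(int(net.network_address) | host_bits))


if __name__ == "__main__":
    # Constructed sample entry: three DMZ hosts published on ports 8080-8082
    mapping = inside_server_map("203.0.113.1", 8080, 8082, "10.1.1.10", "10.1.1.12")
    for key, inner in mapping.items():
        print(key, "->", inner)
    print(static_net_to_net("10.1.1.7", "10.1.1.1", "10.1.1.254", "203.0.113.0/24"))
```

Validating the range sizes before issuing the entry reproduces the check the Web interface performs; the net-to-net function shows why the inside range and the global mask must agree in size for every inside address to have a distinct external address.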

Chapter 3 ACL Configuration

3.1 ACL Overview

An Access Control List (ACL) allows the firewall to filter data packets. An ACL filters IP datagrams according to defined rules. When forwarding a datagram, the firewall first obtains the header information of the datagram, including the upper layer protocol number carried over IP, the source address, destination address, source port and destination port, and so on; then compares that information with the configured ACL rules; and finally forwards or drops the datagram according to the result.

3.2 Configuration Tasks

Select Firewall > Zone Policy > ACL from the navigation tree to enter the ACL configuration page, as shown in Figure 3-1.

Figure 3-1 ACL configuration page

Complete these tasks to configure ACL:
Configuring Time Ranges: Click the ACL Time Range button in the ACL configuration page to create an ACL time range that can be referenced by ACL rules.
Configuring ACL: Click the ACL Setting button in the ACL configuration page to create and configure an ACL.
Applying ACL: After selecting an interface in the ACL configuration page, click Set to enable the packet filtering function of the firewall on that interface.

3.3 ACL Configuration Details

Configuring Time Ranges

A time range defines a specific period of time for ACL rules. You may want some ACL rules to take effect only in one or more specific time ranges, the so-called time-based ACL. In this case, you configure one or more time ranges first, and then reference them by name in the corresponding ACL rules, so that those rules filter packets only within the specified time range(s).

Click the ACL Time Range button in the ACL configuration page to enter the time range configuration page, as shown in Figure 3-2.

Figure 3-2 Time range configuration page

Table 3-1 Time range configuration items
Configure a periodic time range:
1 Time Range Name: Specify the time range name.
2 Start Time: Specify the start time of the time range.
3 End Time: Specify the end time of the time range.
4 Effective Date: Specify the days of the week on which the time range takes effect.
Configure an absolute time range:
1 Time Range Name: Specify the time range name.
2 Start Date Time: Specify the start date and time of the time range.
3 End Date Time: Specify the end date and time of the time range.
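An added example (not code from the manual) of how the two time range kinds in Table 3-1 are evaluated, and how a rule that references a time range name is decided to be in force. The treatment of several entries under one name as a union, and the refusal of a periodic range whose start is later than its end, are assumptions; the sample ranges are constructed.

```python
"""Added example (not H3C code): evaluating the two ACL time range kinds in
Table 3-1, periodic (start/end time of day on selected weekdays) and absolute
(start/end date-time), and deciding whether a rule that references a time
range name is currently in force."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable, Optional, Union


@dataclass(frozen=True)
class PeriodicRange:
    name: str
    start: time                 # Start Time
    end: time                   # End Time
    days: FrozenSet[int]        # Effective Date as datetime.weekday() values, Monday = 0


@dataclass(frozen=True)
class AbsoluteRange:
    name: str
    start: datetime             # Start Date Time
    end: datetime               # End Date Time


TimeRange = Union[PeriodicRange, AbsoluteRange]


def is_active(tr: TimeRange, now: datetime) -> bool:
    """True if `now` falls inside the time range (boundaries inclusive)."""
    if isinstance(tr, AbsoluteRange):
        return tr.start <= now <= tr.end
    if tr.start > tr.end:
        raise ValueError("periodic range must not cross midnight")  # assumed constraint
    return now.weekday() in tr.days and tr.start <= now.time() <= tr.end


def rule_in_force(time_range_name: Optional[str], ranges: Iterable[TimeRange],
                  now: datetime) -> bool:
    """A rule without a time range is always in force. A rule referencing a name
    is in force when any range carrying that name is active (assumption: several
    entries under one name are combined as a union)."""
    if time_range_name is None:
        return True
    return any(tr.name == time_range_name and is_active(tr, now) for tr in ranges)


# Constructed sample ranges: office hours on weekdays, and a one-day maintenance window
RANGES = [
    PeriodicRange("worktime", time(9, 0), time(18, 0), frozenset({0, 1, 2, 3, 4})),
    AbsoluteRange("maintenance", datetime(2024, 1, 1, 0, 0), datetime(2024, 1, 2, 0, 0)),
]

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 10, 0)   # a Wednesday morning
    print("worktime rule in force:", rule_in_force("worktime", RANGES, now))
```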

Configuring ACL

Click the ACL Setting button in the ACL configuration page to enter the configuration page, as shown in Figure 3-3.

Enter the number of the ACL to be created in the ACL Number text box. The interface-based ACL number ranges from 1000 to 1999; the basic ACL number ranges from 2000 to 2999; the advanced ACL number ranges from 3000 to 3999; the Ethernet frame ACL number ranges from 4000 to

Select the match order of the ACL rules in the Match Order drop-down list box:
- Auto: Packets are matched against the ACL rules in depth-first order. Depth-first order gives priority to the rule that specifies the smallest range of packets, which is determined by comparing the address wildcards: a smaller wildcard specifies a smaller range of hosts. For example, one wildcard may specify a single host while another specifies a whole network segment; the former then takes precedence over the latter. The specific criteria: for basic ACL rules, compare their source IP address wildcards first; if the wildcards are the same, match the rules in configuration order. For interface-based ACL rules, the rule configured with any is matched last, and the others are matched in configuration order. For advanced ACL rules, first compare the source IP address wildcards; if they are the same, compare the destination IP address wildcards, the smaller having the higher priority; if those are the same, compare the port number ranges, the smaller having the higher priority; and if those are also the same, match the rules in configuration order.
- Config: Packets are matched against the ACL rules in the order in which they are configured.

Figure 3-3 ACL configuration page

I. Configuring an interface-based ACL

An interface-based ACL defines rules based on the interface receiving the packets.
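An added example, not code from the manual, of the wildcard matching and the two match orders described above. It implements the depth-first criteria for advanced ACL rules exactly as the manual lists them (source wildcard, then destination wildcard, then destination port range width, then configuration order); a basic ACL is the special case with destination and ports left at any. The rule IDs and addresses are constructed, and the firewall's behaviour when no rule matches is left out because the text above does not state it.

```python
"""Added example (not H3C code): ACL wildcard matching and the 'config' and
'auto' (depth-first) match orders described in the manual."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_ADDR = ("0.0.0.0", "255.255.255.255")   # address + wildcard meaning "any"
ANY_PORT = (0, 65535)


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    src: Tuple[str, str] = ANY_ADDR    # (address, wildcard)
    dst: Tuple[str, str] = ANY_ADDR
    dport: Tuple[int, int] = ANY_PORT  # inclusive destination port range


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(rule_addr)) & care) == 0


def depth_first_key(indexed: Tuple[int, Rule]):
    """Smaller source wildcard, then smaller destination wildcard, then
    narrower port range, then configuration order (the manual's criteria)."""
    idx, r = indexed
    return (_ip(r.src[1]), _ip(r.dst[1]), r.dport[1] - r.dport[0], idx)


def ordered_rules(rules: List[Rule], match_order: str) -> List[Rule]:
    indexed = list(enumerate(rules))          # index = configuration order
    if match_order == "config":
        return rules
    if match_order == "auto":
        return [r for _, r in sorted(indexed, key=depth_first_key)]
    raise ValueError(match_order)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             match_order: str = "auto") -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for r in ordered_rules(rules, match_order):
        if (wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst)
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return None


if __name__ == "__main__":
    # Constructed ACL: a blanket permit configured before a narrower deny
    acl = [Rule(0, "permit"), Rule(5, "deny", src=("10.1.1.0", "0.0.0.255"))]
    for order in ("config", "auto"):
        print(order, evaluate(acl, "10.1.1.5", "203.0.113.9", 80, order))
```

The sample shows the practical consequence of the match order: with config order the blanket permit shadows the later deny, while auto order lets the more specific rule win regardless of where it was entered.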

Table 3-2 Interface-based ACL configuration items
1 Rule ID: Specify the rule number. If a rule with the specified number already exists, the newly defined rule overwrites it, which is equivalent to modifying an existing ACL rule. If no rule with that number exists, a new rule is created with this number. If you do not specify a rule number, a new rule is created, and the system automatically assigns it a number and adds it to the ACL.
2 Operation: Specify the action: Permit or Deny.
3 Interface Name: Specify the interface for the rule.
4 Time Range: To make the rule effective only within a specific time range, specify the time range.
5 Log: Enable logging for the rule.

II. Configuring a basic ACL

A basic ACL defines rules based on the source IP address only.

Table 3-3 Basic ACL configuration items
1 Rule ID: Specify the rule number. See Rule ID in Table 3-2 for the overwrite and automatic numbering behavior.
2 Operation: Specify the action: Permit or Deny.
3 Source IP: Specify the source address information for the rule.
4 Wildcard: Specify the wildcard of the source IP address.
5 Fragment: If this option is selected, only non-first fragments are checked.
6 Log: Enable logging for the rule.

7 Time Range: To make the rule effective only within a specific time range, specify the time range.

III. Configuring an advanced ACL

Advanced ACLs define rules based on the source and destination IP addresses of packets, the type of protocol carried over IP, and protocol-specific fields such as TCP source and destination ports and ICMP message type and code. With advanced ACLs you can define rules that are more precise, diversified, and flexible than those of basic ACLs. Upper layer Internet applications are carried in TCP or UDP packets, so you can use an advanced ACL to filter such applications by matching their port numbers.

Table 3-4 Advanced ACL configuration items
1 Rule ID: Specify the rule number. See Rule ID in Table 3-2 for the overwrite and automatic numbering behavior.
2 Operation: Specify the action: Permit or Deny.
3 Protocol Type: Specify the type of protocol carried over IP. You can enter the protocol number or select the protocol type from the drop-down list box.
4 Source IP: Specify the source address and its wildcard for the ACL rule. If you do not specify them, all source addresses are matched.
5 Destination IP: Specify the destination address and its wildcard for the ACL rule. If you do not specify them, all destination addresses are matched.
6 Source Port: Specify the source port information for the rule. Available only when the protocol type is TCP or UDP. If you do not specify the source port, all source ports of TCP/UDP packets are matched. You can also select a port name from the drop-down list box.

7 Destination Port: Specify the destination port information for the rule. Available only when the protocol type is TCP or UDP. If you do not specify the destination port information, all destination ports of TCP/UDP packets are matched. You can also select a port name from the drop-down list box.
8 ICMP Type: Specify the ICMP message type and code. Available only when the protocol type is ICMP. If you do not specify them, all ICMP messages are matched. You can also select the ICMP type from the drop-down list box.
9 Priority: Select the IP priority of packets. ACL rules can match packets by IP priority.
10 TOS: Enter a ToS value or select one from the drop-down list box. ACL rules can match packets by ToS value.
11 Time Range: To make the rule effective only within a specific time range, specify the time range.
12 Fragment: Check non-first fragments only.
13 Log: Enable logging for the rule.

IV. Configuring an Ethernet frame ACL

An Ethernet frame ACL defines filtering rules based on MAC addresses.

Table 3-5 Ethernet frame ACL configuration items
1 Rule ID: Specify the rule number. See Rule ID in Table 3-2 for the overwrite and automatic numbering behavior.
2 Operation: Specify the action: Permit or Deny.

3 Source MAC Address: Specify the source MAC address and its wildcard. If you do not specify them, all source MAC addresses are matched.
4 Destination MAC Address: Specify the destination MAC address and its wildcard. If you do not specify them, all destination MAC addresses are matched.
5 Protocol Type: Specify the protocol number and wildcard. Available only when LSAP is not selected.
6 LSAP: Specify the LSAP code and wildcard. Available only when Protocol Type is not selected.
7 Timerange Setting: To make the rule effective only within a specific time range, specify the time range.

Applying ACL

After configuring an ACL, you can apply it to a specified interface. When applying an ACL to an interface, you can specify rules separately for packets received on and sent from the interface. In addition, you can apply an ASPF policy to the interface to inspect the traffic passing through it.

Select the interface to be configured in the ACL Configuration of Interfaces Survey page, and then click Set to enter the configuration page, as shown in Figure 3-4.

Figure 3-4 Interface ACL configuration page

Table 3-6 Interface ACL configuration items
1 Interface Name: Specify the interface to which the ACL applies.
2 Filter Type: Select the filter type applied on the interface: packet-filter (ACL packet filtering), ethernet-frame-filter, or aspf.

3 ACL Number: When the filter type is packet-filter, enter an interface-based, basic, or advanced ACL number; when the filter type is ethernet-frame-filter, enter an Ethernet frame ACL number; when the filter type is aspf, enter an ASPF policy number.
4 Filter Direction: Specify whether the policy applies to outbound or inbound data flows.

Chapter 4 Attack Defense Configuration

4.1 Attack Defense Overview

Network attacks usually refer to actions that intrude into or damage network servers (hosts) to steal sensitive data or interfere with the servers' operation, and actions that damage network devices, resulting in abnormal behavior or even breakdown of network services. The attack defense function of the firewall can detect many kinds of network attacks and take corresponding measures to protect the internal network against malicious attacks, ensuring normal operation of the internal network and systems.

The most common attacks are the following:

I. IP spoofing attack

IP spoofing alters the datagram header so that a forged source IP address is used to communicate with the target. For applications that use IP address-based authentication, IP spoofing allows unauthorized users to access the target system, possibly even with root rights. IP spoofing uses a forged IP address to hide the attacker's real IP address, and attackers combine it with other attacks. For example, a SYN flood attack can use a forged IP address to create half-open connections: the clients never respond to the SYN-ACK message from the server, because the message is sent to a nonexistent destination IP address.

II. WinNuke attack

WinNuke attacks a target host running Windows by sending out-of-band (OOB) data to the NetBIOS port (139) of the host, causing a NetBIOS fragment overlap that brings down the target host. IGMP fragments can also be used to attack systems. IGMP packets are normally not fragmented, so many systems cannot process IGMP fragments properly. If a system receives IGMP fragments, you can almost certainly conclude that the system is under attack.

III. Ping of Death attack

The Ping of Death attack uses oversized ICMP packets. The total length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. Therefore, if the data length of an ICMP request is larger than 65507, the total length of the ICMP packet (ICMP data + IP header 20 + ICMP header 8) exceeds 65535, which may make some routers or systems crash, hang, or reboot.

IV. Tear Drop attack

The Tear Drop attack differs from the Ping of Death attack but has the same result. The Tear Drop program fragments an original IP datagram into a large number of IP fragments. These fragments traverse the network to the target host, which reassembles them into the original datagram. However, the offset fields of the fragments are maliciously crafted so that the byte ranges of the fragments overlap, causing the target to consume large amounts of system resources on reassembly, or even to crash.

V. Land attack

As a variation of the SYN attack, the Land attack sets both the source and destination addresses of a TCP SYN packet to the IP address of the target. The target therefore sends the SYN-ACK message to itself, replies with the ACK message, and creates a null connection. Each null connection is kept until it times out. Targets respond differently to the Land attack: for instance, many UNIX hosts crash and Windows NT hosts slow down. To defend against the Land attack, you can filter on the source IP addresses of the hosts in the internal networks.

VI. SYN Flood attack

Because resources are limited, TCP/IP stacks permit only a limited number of TCP connections. The SYN Flood attack forges SYN packets whose source address is spoofed or nonexistent and initiates connections to the server. The server responds with SYN-ACK packets but never receives the ACK packets from the clients, leaving half-open connections. A large number of half-open connections exhausts the network resources, so that normal clients cannot access the service until the half-open connections time out. The SYN Flood attack also works against applications whose connection number is not limited, by consuming system resources such as memory.

VII. UDP Flood attack

A UDP Flood attack uses UDP and a service that responds to packets to generate numerous UDP packets between two target systems, making the systems unable to handle valid connections.

VIII. ICMP Flood and Ping attacks

These two types of attacks defeat the target systems by exhausting their resources. An attack of this kind sends a great number of ICMP packets, preventing the target system from responding to normal ping requests and, furthermore, making connections to the server time out.

IX. Smurf attack

A simple Smurf attack targets a network. It sends ICMP echo requests whose destination is the broadcast address of the target network. All hosts on the network respond to the packets and eventually saturate the network. An advanced Smurf attack targets hosts. It sends ICMP echo requests that use the address of the target host as the source address, so that the target host is overwhelmed with ICMP echo replies. In theory, the more hosts on the network, the more serious the effect of the attack. To prevent a network from being targeted by a Smurf attack, you can disable forwarding of broadcast packets on the routers.

X. Fraggle attack

The Fraggle attack is a variation of the Smurf attack. A Fraggle attack uses the IP address of the target host as the source address of forged ping packets and broadcasts them on the network, causing all hosts on the network to send responses to the target host.

XI. Address sweep and port scan attack

An address sweep or port scan attack employs scanning tools to detect which addresses or ports respond, thus uncovering addresses or ports to target in future attacks.

4.2 Configuration Tasks

Select Firewall > Attack & Defense from the navigation tree to enter the attack defense configuration page, as shown in Figure 4-1.

Figure 4-1 Attack defense configuration page

Complete these tasks to configure attack defense:

Configuring Basic Attack Defense: In the Attack & Defense Type area, select the check box of an attack type to enable defense against attacks of that type.
Configuring Advanced Attack Defense: Click the Advance button on the page to configure advanced attack defense.
Configuring Flood Attack Defense: Click the buttons in the Select Flood Attack Type area to configure defense against the various Flood attacks.

4.3 Attack Defense Configuration Details

Configuring Advanced Attack Defense

Click the Advance button in the Attack & Defense Type area to enter the advanced attack defense configuration page, as shown in Figure 4-2.

Figure 4-2 Attack defense advanced configuration page

Table 4-1 Attack defense advanced configuration items
1 Large ICMP Attack packet size threshold: Specify the ICMP packet length threshold.
2 arp-flood attack rate threshold: Specify the ARP packet rate that triggers ARP Flood attack detection.

3 IP-sweep attack rate threshold: Specify the packet rate that triggers IP sweep attack detection.
4 IP-sweep attacker blacklist restrict time: Specify the time after which the system adds the attacker to the blacklist when it detects an IP sweep attack.
5 port-scan attack rate threshold: Specify the packet rate that triggers port scan attack detection.
6 port-scan attacker blacklist restrict time: Specify the time after which the system adds the attacker to the blacklist when it detects a port scan attack.
7 identical frag packet rate threshold: Specify the maximum number of identical fragments allowed per second.
8 frag packet rate: Specify the maximum number of fragments allowed per second.
9 ARP-spoofing attack defence level: Specify the ARP spoofing attack defense level. ARP spoofing attack prevention has two modes: loose and non-loose. In non-loose mode (default selected), the firewall regards ARP requests destined for a unicast MAC address as attack packets and drops them. In loose mode (loose selected), such ARP request packets are not regarded as attack packets and are not discarded by the firewall.

Configuring Flood Attack Defense

Select Firewall > Attack & Defense, click the SYN Flood, UDP Flood, or ICMP Flood button to enter the corresponding Flood attack defense configuration page, and then click Create to perform the configuration.

Table 4-2 Flood attack defense configuration items
SYN Flood attack
1 IP Address/Zone Name: Select Created by IP Address from the Creation Mode drop-down list to specify the IP address of a host to be protected. Select Created by Security Zone to specify a security zone to be protected.

2 Max. Connection Rate: Specify the threshold rate of SYN packets to the specified IP address, that is, the maximum number of SYN packets destined for the address per second. A greater rate indicates a SYN Flood attack.
3 TCP Proxy: Specify whether to enable the TCP proxy. If you select AUTO, the TCP proxy is enabled automatically when a SYN Flood attack is detected and disabled automatically once no SYN Flood attack is present.
UDP Flood attack
1 IP Address/Zone Name: Select Created by IP Address in Creation Mode to specify the IP address of a host to be protected. Select Created by Security Zone to specify a security zone to be protected.
2 Max. Rate: Specify the threshold rate of UDP packets destined for the specified IP address, that is, the maximum number of UDP packets allowed per second. A greater rate indicates a UDP Flood attack.
ICMP Flood attack
1 IP Address/Zone Name: Select Created by IP Address in the Creation Mode drop-down list box to specify the IP address of a host to be protected. Select Created by Security Zone to specify a security zone to be protected.
2 Max. Rate: Specify the threshold rate of ICMP packets destined for the specified IP address, that is, the maximum number of ICMP packets allowed per second. A greater rate indicates an ICMP Flood attack.
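The following is an added example, not the device's own code, of how the thresholds in Table 4-2 are evaluated: packets toward a protected IP address or security zone are counted per second and per protocol, a second in which the count exceeds the configured maximum rate is reported as an attack, and the AUTO setting of the TCP proxy follows the presence or absence of a detected SYN Flood. The zone membership table, the policies and the traffic sample are constructed.

```python
"""Added example (not the device's own code): evaluating Flood thresholds as
described in Table 4-2. Zone membership is a constructed assumption; the
manual only says a security zone can be selected as the protected target."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Packet = Tuple[float, str, str]     # (timestamp, destination ip, kind: "syn"/"udp"/"icmp")
Alert = Tuple[int, str, str, int]   # (second, destination ip, kind, count)


@dataclass
class FloodPolicy:
    kind: str                 # "syn", "udp" or "icmp"
    target: str               # IP address, or zone name when by_zone is set
    max_rate: int             # Max. Connection Rate / Max. Rate, packets per second
    by_zone: bool = False
    tcp_proxy: str = "off"    # "on", "off" or "auto" (SYN Flood only)


# Constructed zone membership
ZONES: Dict[str, Set[str]] = {"DMZ": {"10.1.1.10", "10.1.1.11"}}


def covers(policy: FloodPolicy, dst: str) -> bool:
    if policy.by_zone:
        return dst in ZONES.get(policy.target, set())
    return dst == policy.target


def per_second_counts(packets: List[Packet]) -> Counter:
    counts: Counter = Counter()
    for ts, dst, kind in packets:
        counts[(int(ts), dst, kind)] += 1
    return counts


def detect(policies: List[FloodPolicy], packets: List[Packet]) -> List[Alert]:
    """Seconds in which a protected destination received more packets of a kind
    than its policy allows; the manual treats a greater rate as an attack."""
    alerts = []
    for (sec, dst, kind), n in per_second_counts(packets).items():
        if any(p.kind == kind and covers(p, dst) and n > p.max_rate for p in policies):
            alerts.append((sec, dst, kind, n))
    return sorted(alerts)


def tcp_proxy_enabled(policy: FloodPolicy, alerts: List[Alert], sec: int) -> bool:
    """AUTO: proxy on while a SYN Flood is detected in `sec`, off once it stops."""
    if policy.tcp_proxy != "auto":
        return policy.tcp_proxy == "on"
    return any(a_sec == sec and kind == "syn" and covers(policy, dst)
               for a_sec, dst, kind, _ in alerts)


POLICIES = [FloodPolicy("syn", "DMZ", 100, by_zone=True, tcp_proxy="auto"),
            FloodPolicy("icmp", "10.1.1.10", 50)]

# Constructed traffic: a SYN burst at one DMZ host, an ICMP burst a second later,
# then SYN traffic back under the threshold
SAMPLE: List[Packet] = (
    [(100.0 + i / 200, "10.1.1.10", "syn") for i in range(120)]
    + [(100.0 + i / 10, "10.1.1.11", "syn") for i in range(5)]
    + [(101.0 + i / 100, "10.1.1.10", "icmp") for i in range(60)]
    + [(102.0 + i / 100, "10.1.1.10", "syn") for i in range(20)]
)

if __name__ == "__main__":
    found = detect(POLICIES, SAMPLE)
    for alert in found:
        print("flood:", alert)
    for sec in (100, 102):
        print("tcp proxy at", sec, tcp_proxy_enabled(POLICIES[0], found, sec))
```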

Chapter 5 Mail Filtering Configuration

5.1 Configuration Tasks

Select Firewall > Mail Filter from the navigation tree to enter the mail filtering configuration page, as shown in Figure 5-1.

Figure 5-1 Mail filtering configuration page

Complete these tasks to configure mail filtering:
Configuring Recipient Address Filtering: Click the Recipients Filter tab to configure recipient address filtering.
Configuring Subject Filtering: Click the Subject Filter tab to configure mail subject filtering.
Configuring Content Filtering: Click the Content Filter tab to configure mail content filtering.
Configuring Attachment Filtering: Click the Attach Filter tab to configure mail attachment filtering.

5.2 Mail Filtering Configuration Details

Configuring Recipient Address Filtering

You can configure the firewall to filter e-mails sent from the internal networks to the external networks by recipient address, preventing internal users from sending e-mails to illegal addresses on the external networks.

Click the Recipients Filter tab to enter the recipient address filtering configuration page, as shown in Figure 5-2. Click Enable to enable recipient address filtering, and click Disable to disable it.

Figure 5-2 Recipient address filtering configuration page

Table 5-1 Recipient address filtering configuration items
1 Default Filter Mode: Select the default operation, that is, the operation the firewall takes when no keyword matches.
2 Filter-file Name: Specify a name for the recipient address filter file. After you configure a filter keyword, you can save it to the filter file; to configure or modify the keywords, load the filter file. Click Save on the right to save all entries in the current Mail Address List to the filter file. To make the entries in the filter file take effect for recipient address filtering, load the file by clicking the Load button on the right.
3 Mail Address: Specify the keyword for recipient address filtering, and select the operation to take.

Caution: A recipient address can be up to 128 English characters or 64 Chinese characters (including the user name, the @ symbol and the host name after it). The user name part can be a complete user name or *, but not a combination of a user name and *. A recipient address can take one of the following formats:
- test@363.com: Performs an exact address match.
- *@363.com: Ignores the user name and matches the host name only.
- *@*.sina.com: Matches addresses such as mail.sina.com and smtp.sina.com, but not sina.com or smtp.sina.com.cn.
The following formats are not supported: *@*.*.com.cn, *@news.*.com, *@music.*. That is, the * symbol can appear only in the position right before or right after the @, and the @ cannot appear at the beginning of an address.

Configuring Subject Filtering

You can configure the firewall to filter e-mails sent from the internal networks to the external networks by subject.

Click the Subject Filter tab to enter the mail subject filtering configuration page, as shown in Figure 5-3. Click Enable to enable mail subject filtering, and click Disable to disable it.

Figure 5-3 Mail subject filtering configuration page
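An added example, not H3C code, that validates recipient address entries against the caution above and matches addresses against them, together with the Default Filter Mode decision from Table 5-1. Three points the manual leaves open are assumptions here: *. in the host part matches exactly one extra label, comparison is case-insensitive, and the 128 English / 64 Chinese limit is applied by counting an East Asian wide character as two units. The sample addresses are constructed.

```python
"""Added example (not H3C code): validation and matching of recipient address
filter entries following the caution in the manual. Assumptions: '*.' in the
host matches exactly one extra label, matching is case-insensitive, and the
128 English / 64 Chinese character limit counts a wide character as two units."""
import re
import unicodedata
from typing import List, Tuple

LABEL = r"[A-Za-z0-9-]+"
# user part: a literal user name or a lone '*'; host part: literal labels,
# optionally preceded by a single '*.' label.
PATTERN_RE = re.compile(rf"^(?P<user>\*|[^@*\s]+)@(?P<host>(?:\*\.)?{LABEL}(?:\.{LABEL})+)$")


def weighted_len(s: str) -> int:
    return sum(2 if unicodedata.east_asian_width(ch) in ("W", "F") else 1 for ch in s)


def valid_pattern(pattern: str) -> bool:
    """Accepts test@363.com, *@363.com, *@*.sina.com; rejects *@*.*.com.cn,
    *@news.*.com, *@music.*, a leading '@', and a user name mixed with '*'."""
    return weighted_len(pattern) <= 128 and PATTERN_RE.match(pattern) is not None


def pattern_matches(pattern: str, address: str) -> bool:
    m = PATTERN_RE.match(pattern)
    if m is None or "@" not in address:
        return False
    user, host = address.rsplit("@", 1)
    p_user, p_host = m.group("user").lower(), m.group("host").lower()
    user, host = user.lower(), host.lower()
    if p_user != "*" and p_user != user:
        return False
    if p_host.startswith("*."):
        suffix = p_host[1:]                      # "*.sina.com" -> ".sina.com"
        if not host.endswith(suffix):
            return False                         # excludes sina.com and smtp.sina.com.cn
        extra = host[: -len(suffix)]
        return bool(extra) and "." not in extra  # mail.sina.com, smtp.sina.com
    return host == p_host


def decide(address: str, entries: List[Tuple[str, str]], default_mode: str) -> str:
    """Action of the first matching entry (pattern, action); otherwise the
    Default Filter Mode, which applies when no keyword matches."""
    for pattern, action in entries:
        if pattern_matches(pattern, address):
            return action
    return default_mode


if __name__ == "__main__":
    entries = [("*@*.sina.com", "deny"), ("test@363.com", "permit")]   # constructed list
    for addr in ("user@mail.sina.com", "user@sina.com", "x@example.com"):
        print(addr, decide(addr, entries, "permit"))
```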

Table 5-2 Mail subject filtering configuration items
1 Filter-file Name: Specify a name for the subject filter file. After you configure a filter keyword, you can save it to the filter file; to configure or modify the keywords, load the filter file. Click Save on the right to save all entries in the Mail Subject List to the filter file. To make the entries in the filter file take effect for subject filtering, load the file by clicking the Load button on the right.
2 Mail Subject: Specify the keyword for mail subject filtering.

Caution: A keyword for subject filtering can be up to 128 English characters or 64 Chinese characters. Subject filtering supports wildcard search, that is, you can specify a subject containing *. The * symbol represents 0 to 2 Chinese characters or 0 to 4 English characters. It cannot appear at the beginning or end of a subject, and at most one * can be used in a subject. For example, test1 and te*st2 are valid, while te**st and t*es*t are not. To avoid confusion caused by *, use it in subjects with caution.

Configuring Content Filtering

You can configure the firewall to filter e-mails sent from the internal networks to the external networks by body content, preventing sensitive internal information from being sent out to the external networks.

Click the Content Filter tab to enter the mail content filtering configuration page, as shown in Figure 5-4. Click Enable to enable mail content filtering, and click Disable to disable it.

Figure 5-4 Mail content filtering configuration page

Table 5-3 Mail content filtering configuration items
1 Filter-file Name: Specify a name for the mail content filter file. After you configure a filter keyword, you can save it to the filter file; to configure or modify the keywords, load the filter file. Click Save on the right to save all entries in the Keywords List to the filter file. To make the entries in the filter file take effect for content filtering, load the file by clicking the Load button on the right.
2 Keywords: Specify the keyword for mail content filtering.

Caution: A keyword for filtering can be up to 128 English characters or 64 Chinese characters. Keyword filtering supports wildcard search, that is, you can specify a keyword containing *. The * symbol represents 0 to 2 Chinese characters or 0 to 4 English characters. It cannot appear at the beginning or end of a keyword, and at most one * can be used in a keyword. For example, test1 and te*st2 are valid, while te**st and t*es*t are not. To avoid confusion caused by *, use it in keywords with caution.

Configuring Attachment Filtering

You can configure the firewall to filter e-mails sent from the internal networks to the external networks by attachment.

Click the Attach Filter tab to enter the mail attachment filtering configuration page, as shown in Figure 5-5. Click Enable to enable mail attachment filtering, and click Disable to disable it.

Figure 5-5 Mail attachment filtering configuration page

Table 5-4 Mail attachment filtering configuration items
1 Filter-file Name: Specify a name for the mail attachment filter file. After you configure a filter keyword, you can save it to the filter file; to configure or modify the keywords, load the filter file. Click Save on the right to save all entries in the Attach Keywords List to the filter file. To make the entries in the filter file take effect for attachment filtering, load the file by clicking the Load button on the right.
2 Mail Attach File: Specify the keyword for mail attachment filtering.

Caution: An attachment file name can contain up to 128 English characters or 64 Chinese characters. The name of an attachment file can be a complete file name, or a name in the format *.ext. The second format makes the firewall filter an attachment by the extension of the file name only. Entries such as *.exe and abc.exe can coexist in a filter file; when the *.exe entry is deleted, the abc.exe entry still functions.
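An added example, not H3C code, covering the two keyword rules stated in the cautions of this chapter: the wildcard rule shared by subject filtering (Table 5-2) and content filtering (Table 5-3), where a single * not at either end stands for 0 to 4 English or 0 to 2 Chinese characters, and the attachment name rule (Table 5-4), where an entry is either an exact file name or *.ext. Assumptions: the length limit counts an East Asian wide character as two units, attachment names compare case-insensitively, and keyword matching is a substring search over the subject or body text. Sample keywords and file names are constructed.

```python
"""Added example (not H3C code): the subject/content keyword wildcard rule and
the attachment name rule from the mail filtering cautions. Assumptions: wide
characters count as two length units, attachment names compare
case-insensitively, keyword matching is a substring search."""
import unicodedata
from typing import Iterable

MAX_GAP_UNITS = 4   # '*' covers 4 English characters or 2 Chinese characters


def weighted_len(s: str) -> int:
    return sum(2 if unicodedata.east_asian_width(ch) in ("W", "F") else 1 for ch in s)


def valid_keyword(keyword: str) -> bool:
    """test1 and te*st2 are valid; te**st, t*es*t, *test and test* are not."""
    if not keyword or weighted_len(keyword) > 128:
        return False
    if keyword.count("*") > 1:
        return False
    return not (keyword.startswith("*") or keyword.endswith("*"))


def keyword_matches(keyword: str, text: str) -> bool:
    """True if text contains the keyword, with '*' covering a gap of at most
    MAX_GAP_UNITS weighted units."""
    if not valid_keyword(keyword):
        raise ValueError(f"invalid keyword: {keyword!r}")
    if "*" not in keyword:
        return keyword in text
    head, tail = keyword.split("*")
    pos = text.find(head)
    while pos != -1:
        after = pos + len(head)
        for gap in range(0, MAX_GAP_UNITS + 1):          # gap measured in characters
            if weighted_len(text[after:after + gap]) > MAX_GAP_UNITS:
                break                                     # two wide characters already fill it
            if text.startswith(tail, after + gap):
                return True
        pos = text.find(head, pos + 1)
    return False


def attachment_blocked(filename: str, entries: Iterable[str]) -> bool:
    """Entries are exact names (abc.exe) or '*.ext' extension-only entries;
    both kinds may coexist and are checked independently."""
    name = filename.lower()
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            if name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False


if __name__ == "__main__":
    print(keyword_matches("te*st2", "my test2 file"), keyword_matches("te*st2", "teXXXXXst2"))
    print(attachment_blocked("abc.exe", ["*.exe"]), attachment_blocked("notes.txt", ["*.exe"]))
```

Measuring the gap in weighted units rather than characters is what lets one matcher honour both limits in the caution (4 English or 2 Chinese characters) without separate code paths.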

Chapter 6 Web Filtering Configuration

6.1 Web Filtering Overview
In traditional network security schemes, attack defense focuses on attacks from external networks. However, as networks spread into every walk of life, attacks originating from LANs are increasing, which requires network devices to provide internal network security features so that secure internal networks can be established.
The H3C SecPath firewalls support Web filtering. This function enables the firewall to check Web requests from clients and filter out requests to screened sites, preventing access to illegal or malicious sites. In addition, the H3C SecPath firewalls can also filter by the contents of the requested Web pages, blocking access to Web pages with illegal contents.
The H3C SecPath series firewalls also prevent Structured Query Language (SQL) injection attacks. The firewall checks the HTTP command in a received HTTP packet to determine whether it is an attack on the database, thus ensuring network security effectively.

6.2 Configuration Tasks
Select Firewall > Web Filter from the navigation tree to enter the Web filtering configuration page, as shown in Figure 6-1.

Figure 6-1 Web filtering configuration page

Complete these tasks to configure Web filtering:
Configuring URL Filtering: Click the URL Filter tab to configure Web URL filtering.
Configuring Content Filtering: Click the Content Filter tab to configure Web content filtering.
Configuring SQL Filtering: Click the SQL Inject Attach Filter tab to configure SQL injection attack filtering.

6.3 Web Filtering Configuration Details

Configuring URL Filtering
Click the URL Filter tab to enter the Web URL filtering configuration page, as shown in Figure 6-2. Click Enable to enable Web URL filtering, and click Disable to disable it.

Figure 6-2 Web URL filtering configuration page

Table 6-1 URL filtering configuration items
1 The IP-formated website access: Click Permit/Deny to enable/disable access to websites by IP address (IP-formatted website access).
2 Config ACL-Number: To filter the request packets selectively, specify the basic ACL number in the Config ACL-Number text box. Note that you need to disable the IP-formatted website access before using an ACL. Otherwise, the firewall permits all IP-formatted access requests and the ACL configuration has no effect. If you disable the IP-formatted website access and do not configure an ACL, the firewall denies all IP-formatted access requests.
3 Default filter Mode: Select the default filtering operation, that is, the operation the firewall takes when no keyword is matched, which can be Permit or Deny.
4 Filter-file Name: Specify a name for the Web URL filter file. After you configure a filtering keyword, you can save it to the filter file. To configure or modify the keyword, load the filter file. Click Save on the right side to save all the entries in the URL List to the filter file. To make the entries in the Web URL filter file take effect, load the file by clicking Load on the right side.
5 URL: Specify the keyword for Web URL filtering, and select the operation to take.

Caution: A URL added can be up to 128 characters; otherwise the URL is considered illegal and rejected. If you input a wildcard URL of *.sina.com, the system matches URLs such as and news.sina.com, but not The following URL formats are not supported: *.*.com.cn, news.*.com, and sina.com.*. can not be added before the URL, that is, the URL address is illegal input. The right format is

Configuring Content Filtering
Click the Content Filter tab to enter the Web content filtering configuration page, as shown in Figure 6-3. Click Enable to enable Web content filtering, and click Disable to disable it.

Figure 6-3 Web content filtering configuration page

Table 6-2 Web content filtering configuration items
1 Filter-file Name: Specify a name for the Web content filter file. After you configure a filtering keyword, you can save it to the filter file. To configure or modify the keyword, load the filter file. Click Save on the right side to save all the entries in the Keywords List to the filter file. To make the entries in the Web content filter file take effect, load the file by clicking Load on the right side.
2 Keywords: Specify the keyword for Web content filtering.

Caution: A keyword for Web content filtering can be up to 128 English characters or 64 Chinese characters. Keyword filtering supports wildcard search, that is, you can use a string with *, ^, ?, or spaces to specify a keyword.
A * represents 0 to 2 Chinese characters or 0 to 4 English characters. Up to one * can be used in a keyword; the * symbol cannot appear at the beginning or end of a keyword, and cannot be next to ^ or ?. For example, test1 and te*st2 are valid, while te**st, t*es*t, and *test are not. To avoid confusion brought about by *, it is recommended that you use * in a keyword with caution.
^ can only appear at the beginning or end of a keyword, and up to two ^ symbols can be used in a keyword. For example, ^hello matches any string starting with hello (such as helloworld and hello), but does not match ahelloworld. you^ matches any string ending with you (such as thankyou and you), but does not match thankyour or your.
? represents an English character and ?? represents a Chinese character. ? can appear at any position in the keyword any number of times, consecutively or not, but cannot be next to *. If ? is used at the beginning or end of a keyword, it must be next to ^. A ? cannot be entered at the command line; it can only be loaded from a file.
A space matches one space or multiple consecutive spaces. There is no restriction on the number or position of spaces in a keyword.

Configuring SQL Filtering
Click the SQL Inject Attach Filter tab to enter the SQL injection attack filtering configuration page, as shown in Figure 6-4. Click Enable to enable SQL injection attack filtering, and click Disable to disable it.

Figure 6-4 SQL injection attack filtering configuration page

Table 6-3 SQL injection attack filtering configuration items
1 Filter-file Name: Specify a name for the SQL injection attack filter file. After you configure a filtering keyword, you can save it to the filter file. To configure or modify the keyword, load the filter file. Click Save on the right side to save all the entries in the Keywords List to the filter file. To make the entries in the SQL injection attack filter file take effect on the HTTP commands in HTTP packets, load the file by clicking Load on the right side.
2 Keywords: Specify a keyword for SQL injection attack filtering. By default, the system presets the following keywords: ^select^, ^insert^, ^update^, ^delete^, ^drop^, --,, ^exec^ and %27. Click Add Default and the system adds the default keywords automatically. If you delete some keywords unintentionally, this restores the default configuration quickly.

Note: A keyword for filtering can be up to 128 English characters or 64 Chinese characters. Keyword filtering supports wildcard search, that is, you can use a string with *, ^, ?, or spaces to specify a keyword.
A * represents 0 to 2 Chinese characters or 0 to 4 English characters. The * symbol cannot appear at the beginning or end of a keyword, and cannot be next to ^ or ?. Up to one * can be used in a keyword. For example, test1 and te*st2 are valid, while te**st, t*es*t, and *test are not. To avoid confusion brought about by *, it is recommended that you use * in a keyword with caution.
^ can only appear at the beginning or end of a keyword, and up to two ^ symbols can be used in a keyword. For example, ^hello matches any string starting with hello (such as helloworld and hello), but does not match ahelloworld. you^ matches any string ending with you (such as thankyou and you), but does not match thankyour or your.
? represents an English character and ?? represents a Chinese character. ? can appear at any position in the keyword any number of times, consecutively or not, but cannot be next to *. If ? is used at the beginning or end of a keyword, it must be next to ^. A ? cannot be entered at the command line; it can only be loaded from a file.
A space matches one space or multiple consecutive spaces. There is no restriction on the number or position of spaces in a keyword.
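The wildcard rules stated above for mail content, Web content and SQL injection attack filter keywords, implemented as an added example; this is not H3C code. It assumes GBK as the double-byte encoding that the 128/64-character and 4/2-character limits imply, and that doubly anchored keywords such as ^select^ are also tried against each whitespace-separated token of the HTTP command, since the manual does not say how the firewall splits it.

```python
"""Keyword wildcard matcher for the filter files described in this chapter; an added
example, not H3C code. Rules implemented as the manual states them: * is 0 to 4
English or 0 to 2 Chinese characters (one per keyword, not at either end, not next to
^ or ?); ^ only at the beginning or end (up to two); ? is one English character and
?? one Chinese character; a space matches one or more spaces.
Assumption: the 128/64 and 4/2 limits imply matching on a double-byte byte stream,
so text and keywords are compared as GBK bytes. Case handling is not stated in the
manual; this example is case-sensitive."""
import re

MAX_BYTES = 128       # 128 English or 64 Chinese characters
ENCODING = "gbk"      # assumed double-byte encoding (see module docstring)


class KeywordError(ValueError):
    """The keyword violates one of the wildcard rules."""


def _split_anchors(keyword: str):
    """Return (anchored_start, anchored_end, body without the ^ anchors)."""
    start = keyword.startswith("^")
    end = len(keyword) > 1 and keyword.endswith("^")
    return start, end, keyword[1 if start else 0:len(keyword) - (1 if end else 0)]


def validate_keyword(keyword: str) -> None:
    """Raise KeywordError if the keyword breaks a rule from the manual."""
    if not keyword:
        raise KeywordError("empty keyword")
    try:
        if len(keyword.encode(ENCODING)) > MAX_BYTES:
            raise KeywordError("longer than 128 English / 64 Chinese characters")
    except UnicodeEncodeError as exc:
        raise KeywordError("character not representable in %s" % ENCODING) from exc
    if keyword.count("*") > 1:
        raise KeywordError("at most one * per keyword")
    if keyword[0] == "*" or keyword[-1] == "*":
        raise KeywordError("* cannot be the first or last character")
    star = keyword.find("*")
    if star != -1 and (keyword[star - 1] in "^?" or keyword[star + 1] in "^?"):
        raise KeywordError("* cannot be next to ^ or ?")
    if keyword.count("^") > 2 or "^" in keyword[1:-1]:
        raise KeywordError("^ only at the beginning or end, at most two")
    start, end, body = _split_anchors(keyword)
    if not body:
        raise KeywordError("keyword has no text besides anchors")
    if (body[0] == "?" and not start) or (body[-1] == "?" and not end):
        raise KeywordError("? at the beginning or end must be next to ^")


def is_valid_keyword(keyword: str) -> bool:
    try:
        validate_keyword(keyword)
    except KeywordError:
        return False
    return True


def keyword_to_regex(keyword: str) -> "re.Pattern[bytes]":
    """Translate a validated keyword into a byte-oriented regular expression."""
    validate_keyword(keyword)
    start, end, body = _split_anchors(keyword)
    parts = [b"\\A"] if start else []
    for ch in body:
        if ch == "*":
            parts.append(b".{0,4}")   # 0-4 bytes: 0-4 English or 0-2 Chinese characters
        elif ch == "?":
            parts.append(b".")        # one byte; ?? therefore covers one Chinese character
        elif ch == " ":
            parts.append(b" +")       # one or more consecutive spaces
        else:
            parts.append(re.escape(ch.encode(ENCODING)))
    if end:
        parts.append(b"\\Z")
    return re.compile(b"".join(parts), re.DOTALL)


def keyword_matches(keyword: str, text: str) -> bool:
    """True if the keyword hits the text under the manual's wildcard rules."""
    return keyword_to_regex(keyword).search(text.encode(ENCODING)) is not None


# Default SQL injection attack filter keywords listed in Table 6-3 (one entry of that
# list did not survive extraction of the page and is omitted here).
DEFAULT_SQL_KEYWORDS = ("^select^", "^insert^", "^update^", "^delete^", "^drop^",
                        "--", "^exec^", "%27")


def matching_keywords(keywords, text: str) -> list:
    """Keywords from a loaded filter file that hit `text`. Because ^...^ keywords
    anchor both ends, they are also tried against each whitespace-separated token
    (the manual does not say how the firewall splits an HTTP command: assumption)."""
    candidates = [text] + text.split()
    hits = []
    for kw in keywords:
        rx = keyword_to_regex(kw)
        if any(rx.search(c.encode(ENCODING)) for c in candidates):
            hits.append(kw)
    return hits
```

Under these rules a doubly anchored default keyword such as ^select^ hits only a token that is exactly select, while --, and %27 hit anywhere in the text.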

Chapter 7 Blacklist Configuration

7.1 Blacklist Overview
Blacklist is a mechanism for filtering traffic by the source IP address of a packet. Compared with ACL-based packet filtering, the blacklist matches on a very simple field and can therefore filter packets at a very high rate, effectively screening packets from specific IP addresses.
Blacklist entries can be added or deleted manually, or dynamically by related modules of the firewall. When the firewall detects an attack attempt from a specific IP address based on the behavior of its packets, it can automatically modify the blacklist to filter out packets from that IP address. Therefore, the blacklist is an important security feature of the firewall. At present, the attack defense module of the firewall can automatically add blacklist entries. For details, refer to Attack Defense Configuration Details.

7.2 Configuring Blacklist
Select Firewall > Black List from the navigation tree to enter the blacklist configuration page, as shown in Figure 7-1. Click Enable to enable the blacklist function of the firewall, and click Create to add a blacklist entry manually.

Figure 7-1 Blacklist configuration page

Table 7-1 Blacklist entry manual configuration items
1 IP Address: Specify the source address to be screened.
2 Aging Time: Specify the aging time of the blacklist entry. The entry is deleted automatically when the aging time expires.

Chapter 8 IP-MAC Address Binding Configuration

8.1 IP-MAC Address Binding Overview
The firewall supports binding an IP address to a MAC address. Any packet whose source IP address is the bound IP address but whose MAC address differs from the bound MAC address is dropped by the firewall. IP-MAC address binding is a method of preventing IP spoofing attacks.

8.2 Configuring IP-MAC Address Binding
Select Firewall > IP-MAC Bind from the navigation tree to enter the IP-MAC address binding configuration page, as shown in Figure 8-1. Click Enable to enable the IP-MAC address binding function of the firewall, and click Create to add an IP-MAC binding entry manually.

Figure 8-1 IP-MAC address binding configuration page

Table 8-1 IP-MAC address binding configuration items
1 IP Address: Specify the IP address to be bound.
2 MAC Address: Specify the MAC address to be bound.

The IP-MAC address binding function only takes effect on the network segment where the interface of the firewall resides, that is, the IP address to be bound and the firewall interface should be in the same network segment. If you bind an IP address that is in a different network segment from the firewall interface, the system displays a prompt but still creates the binding entry.

Caution:
IP-MAC address binding is another expression of static ARP, so the address binding configuration and the static ARP configuration have the same effect on packets. With the IP-MAC address binding function enabled, if you bind an IP address that is already in a static ARP entry, the static ARP entry is removed; if you configure a static ARP entry whose IP address is already in an IP-MAC address binding entry, creating the static ARP entry fails. However, the same IP address can be configured in both an IP-MAC address binding entry and a static ARP entry if the IP-MAC address binding function is disabled.
IP-MAC address binding does not take effect on PPPoE addresses, because the system cannot identify and process the PPP packets carried in Ethernet frames.
Do not bind the broadcast addresses of class A, B, and C networks.

Chapter 9 Firewall Session Configuration

9.1 Configuring Firewall Session
The firewall session table can monitor the traffic of protocols such as TCP, UDP, FTP, HTTP, SMTP, NetBIOS, RTSP, and H.323.
Select Firewall > Firewall Session from the navig... 

93 Web-Based Configuration Manual Firewall Configuration Chapter 10 ASPF Configuration Chapter 10 ASPF Configuration 10.1 ASPF Overview An ACL/packet filter is a static firewall. Presently, the following problems exist: In the case of multi-channel application layer protocols, such as FTP and H.323, some security policy configurations are unpredictable. An ACL/packet filtering firewall cannot detect some attacks from the application layer, such as TCP SYN, Java Applet, and ActiveX. ASPF is thus proposed to address these problems. Application Specific Packet Filter (ASPF) implements application- and transport-layer specific, namely status-based, packet filtering. An ASPF provides the following functions: An ASPF can check application layer information, including protocol type and port number of packets, and monitor the connection-oriented application layer protocol status. For each connection, an ASPF maintains the status information, which is used for dynamically determining whether a packet should be permitted to pass through the firewall to the internal network, so as to defense against malicious attacks. An ASPF supports transport layer protocol information detection (namely, general TCP and UDP detection), and is able to determine whether to permit a TCP/UDP packet to pass through the firewall and get into the internal network based on the packet s source and destination addresses and port number. An ASPF can detect and prevent the Denial of Service (DoS) attacks. An ASPF can both filter packets based on connection status and detect packet contents at the application layer. An ASPF supports enhanced session logging. An ASPF can record the information of each connection, including the duration, source and destination addresses of the connection, the port used by the connection and number of bytes transmitted. 
At the border of a network, the ASPF can work in coordination with a common static filter to provide a security policy that is more comprehensive and better satisfies the actual needs for the intranet. Fundamentals of application layer protocol detection: 10-1

94 Web-Based Configuration Manual Firewall Configuration Chapter 10 ASPF Configuration Client A Packets of other sessions are blocked Client A initializes a session WAN Returned packets of Client A Server are permitted to pass SecPath Protected network Figure 10-1 Fundamentals of application protocol layer detection As shown above, to protect the internal network, it is usually necessary to configure a static ACL on the firewall for the purpose of permitting internal hosts to access external networks while prohibiting hosts on external networks from accessing the internal network. However, a static ACL would filter out the returned packets after a user initiates a connection as a result, the connection setup would fail. After application protocol detection is enabled on the firewall, the ASPF can detect each application layer session and create a status table and a temporary access control list (TACL). The status table is created when ASPF detects the first packet. The ASPF uses this table to maintain the status of an ongoing session at a certain point of time and detect whether the conversion of session status is correct. The TACL is created at the same time the status table is created, and is deleted when at the end of the session. It is equivalent to a permit statement in an advanced ACL. The TACL is mainly used to match all the returned packets in a session, and can set up a temporary return channel on the external interface of the firewall for packets returned by an application Configuration Tasks Select Firewall > ASPF from the navigation tree to enter the ASPF configuration page, as shown in Figure Figure 10-2 ASPF configuration page Complete these tasks to configure ASPF: 10-2

95 Web-Based Configuration Manual Firewall Configuration Task Configuring Policy List Configuring the Policy on Interface Chapter 10 ASPF Configuration Description Click the Policy List tab to create or configure ASPF policies. Click the Policy on Interface tab to apply an ASPF policy to an interface ASPF Configuration Details Configuring Policy List Click the Policy List tab to enter the ASPF policy configuration page, as shown in Figure Click Create to create a new ASPF policy, and click Configure to configure the existing ASPF policies. Figure 10-3 ASPF policy configuration page Table 10-1 ASPF policy configuration items 1 Policy Number The ASPF policy number 2 ftp h323 http rtsp smtp tcp udp Select the protocol to be detected. Note: The Web management interface does not support the configuration of the aging-time for ASPF detection. If you use the Web management interface to configure ASPF policy, the aging time will be restored to the default value Configuring the Policy on Interface Click the Policy on Interface tab to enter the ASPF policy application configuration page, as shown in Figure Select the interface to be configured, and then click Configure. 10-3

96 Web-Based Configuration Manual Firewall Configuration Chapter 10 ASPF Configuration Figure 10-4 ASPF policy on interface configuration page Table 10-2 ASPF policy application configuration items 1 Interface 2 Inbound Policy 3 Outbound policy Interface on which the ASPF policies are to be applied. Select the ASPF policies to be applied to the inbound direction of the interface. Select the ASPF policies to be applied to the outbound direction of the interface. 10-4

97 Web-Based Configuration Manual Firewall Configuration Chapter 11 TCP Proxy Configuration Chapter 11 TCP Proxy Configuration 11.1 TCP Proxy Overview The TCP proxy protects the destination hosts and all hosts in the destination security zones from SYN Flood attacks. When an external host tries to set up a TCP connection with a host on which the TCP proxy is enabled or a host in a security zone where the TCP proxy is enabled, it must complete the three-phase TCP handshake with the firewall before it can set up connection with the host. This protects internal hosts from SYN Flood attacks efficiently Configuring TCP Proxy Select Firewall > TCP-Proxy from the navigation tree to enter the TCP proxy configuration page, as shown in Figure Figure 11-1 TCP proxy configuration page Table 11-1 TCP proxy configuration items 1 Destination IP Specify the IP address of the host to be protected. 2 Destination Zone Select the security zone to be protected. 11-1

98 Web-Based Configuration Manual Firewall Configuration Chapter 11 TCP Proxy Configuration Note: If you enable the TCP proxy when configuring SYN Flood attack defense type (refer to section Configuring Flood Attack Defense) and also enable the TCP proxy on this Web page, the latter takes precedence over the former, that is, the TCP proxy is enabled to protect the destination hosts and/or destination security zones no matter whether a SYN Flood attack is present or not. 11-2

99 Object-Oriented Management

100 Web-Based Configuration Manual Object-Oriented Management Table of Contents Table of Contents Chapter 1 Object Configuration Object-Oriented Management Overview Object Configuration Tasks Object Configuration Details Configuring an Address Object Configuring a Service Object Configuring a Time Range Object Configuring a Flow Object Chapter 2 Policy Configuration Policy Configuration Tasks Policy Configuration Details Configuring a Flow Filtering Policy Configuring a NAT Policy Configuring a Policy Through Wizard i

101 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration Chapter 1 Object Configuration 1.1 Object-Oriented Management Overview Object-oriented management employs the concept of object to help simplifying configuration and management tasks. It uses an address object or address group object to represent one or more IP addresses or domain names, uses a service object or service group object to represent one or more combinations of source ports, destination ports and protocol numbers, and uses a flow object to represent a quintuplet. In a flow object you can reference address objects (or address group objects) and service objects (or service group objects). This significantly simplifies the configuration tasks, and enhances the usability and user-friendliness of configuration management. 1.2 Object Configuration Tasks Complete these tasks to perform object configuration: Task Configuring an Address Object Configuring a Service Object Configuring a Time Range Object Configuring a Flow Object Description Select Objects > Addresses from the navigation tree to configure address and address group objects. Select Objects > Services from the navigation tree to configure service and service group objects. Select Objects > Time Range from the navigation tree to configure time range objects. Select Objects > Flow from the navigation tree to configure flow objects. 1.3 Object Configuration Details Configuring an Address Object Select Objects > Addresses from the navigation tree to enter the address object configuration page, as shown in Figure

102 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration Figure 1-1 Address object configuration page I. Configuring an address object Before creating an address group object or flow object, you need to create an address object. Address object is a basic unit in object-oriented management. An address object can be referenced in one or more flow objects. You can create an address object that represents either an IP address or a domain name. Select the Address tab to enter the address object configuration page, as shown in Figure 1-2. Click Create to create an address object. Figure 1-2 Address object configuration page Table 1-1 Address object configuration items 1 Name Specify an address object name. 2 Domain 3 IP/Mask Specify a domain name for the address object. You can specify either a domain name or an IP address and a subnet mask. Specify an IP address and a subnet mask for the address object. You can specify either a domain name or an IP address and a subnet mask. II. Configuring an address group You can group multiple address objects into an address group object to simplify your configuration and save time. 1-2

103 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration Select the Address Group tab to enter the address group object configuration page, as shown in Figure 1-3. Click Create to create an address group object. Figure 1-3 Address group object configuration page Specify an address group object name in the Name text box, select one or more address objects in the Options List box, and then add them into the Group Member box. Then, click OK to finish Configuring a Service Object Select Objects > Services from the navigation tree to enter the service object configuration page, as shown in Figure 1-4. Figure 1-4 Service object configuration page I. Configuring a predefined service object The system supports service objects for ICMP, TCP, UDP and other types of protocols. You can group a combination of protocol number, source port, destination port, or ICMP message type into a service object. The system has predefined a number of service objects, which can be directly referenced in service group objects and flow objects. Select the Predefined tab to view the predefined service objects, as shown in Figure

104 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration Figure 1-5 Predefined service objects II. Configuring a user-defined service object Before creating a service group object or flow object, you need to create a service object. Service object is a basic unit in object-oriented management. You can reference service objects in flow object management to simplify your configuration tasks. Select the Custom tab to enter the user-defined service object configuration page, as shown in Figure 1-5. Click Create to create a service object. Figure 1-6 User-defined service object configuration page Table 1-2 User-defined service object configuration items 1 Object Specify a service object name. 2 TCP 3 UDP Select to specify the TCP service object type. Specify the source port and destination port information in the text box. Select to specify the UDP service object type. Specify the source port and destination port information in the text box. 1-4

105 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration 4 ICMP Select to specify the ICMP service object type. Specify the ICMP type and code in the text box. 5 other Specify the number of another protocol. III. Configuring a service group object You can add multiple service objects into a service group object to simplify your configuration tasks and save time. Select the Service Group tab to enter the service group configuration page, as shown in Figure 1-7. Click Create to create a service group object. Figure 1-7 Service group object configuration page Specify a service group object name in the Object Name text box, select one or more predefined or created service objects in the Available List box, and then add them into the Group Members box. Then, click OK to finish Configuring a Time Range Object You may want some ACLs to take effect in a specific time range or some time ranges and do not work in other time ranges. This is commonly called filtering by time range. To implement this kind of filtering, you can configure one or more time ranges, and then apply the time ranges in ACLs. Select Objects > Time Range from the navigation tree to enter the time range object configuration page, as shown in Figure 1-8. Figure 1-8 Time range object configuration page 1-5

106 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration To create a time range object, click Create, specify an object name, and then click Next to enter the page shown in Figure 1-9. Figure 1-9 Configure a time range object Table 1-3 Time range object configuration items 1 During 2 Recurring Select to configure an absolute time range, and set the start time and end time in the format of YYYY/MM/DD hh:mm. You can also select the time points by clicking the calendar icon on the right of each text box. Select to configure a periodic time range, specify one or more weekdays and set the start time, end time in the format of hh:mm. A time range object can include multiple time ranges of different types Configuring a Flow Object A flow object represents a quintuplet. It can include address (group) object, service (group) object, and time range object information. This helps memorize the usage of configured rules and simplifies the configuration by referencing flow objects in various applications. Select Objects > Flow from the navigation tree to enter the flow object configuration page, as shown in Figure

107 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration Figure 1-10 Flow object configuration page To create a flow object, click Create, specify a flow object name, and then click Next to enter the page shown in Figure Figure 1-11 Configure a flow object Table 1-4 Flow object configuration items 1 Rule ID 2 Source Address Specify a rule ID for the flow object. If you specify an existing rule ID, you are actually editing the rule by adding new conditions in it. If the rule ID you specify does not exist, you are creating a new rule with that ID. A flow object can contain multiple rules, which work together to filter data flows. Select a created source address object or source address group object for the rule from the drop-down box. 3 Destination Address Select a created destination address object or destination address group object for the rule from the drop-down box. 1-7

108 Web-Based Configuration Manual Object-Oriented Management Chapter 1 Object Configuration 4 Service 5 Time 6 Action Select a created service object or service group object for the rule from the drop-down box. Select a created time range object for the rule from the drop-down box. Select the action (permit or deny) to be taken on data flows that match the rule. 1-8

109 Web-Based Configuration Manual Object-Oriented Management Chapter 2 Policy Configuration Chapter 2 Policy Configuration 2.1 Policy Configuration Tasks Complete these tasks to configure a policy: Task Configuring a Flow Filtering Policy Configuring a NAT Policy Configuring a Policy Through Wizard Description Select Policies > Flow Filter from the navigation tree to configure the flow filtering policy. Select Policies > Nat from the navigation tree to configure the NAT policy. Select Policies > Wizard from the navigation tree to configure the flow filtering policy and NAT policy. 2.2 Policy Configuration Details Configuring a Flow Filtering Policy By configuring a flow filtering policy, that is, applying flow objects to an interface, you can enable the firewall to filter traffic passing through the interface. Select Policies > Flow Filter from the navigation tree to enter the flow filtering policy configuration page, as shown in Figure 2-1. Figure 2-1 Flow filtering policy configuration page Before applying a flow object to an interface, make sure that the flow filtering function (packet filter) is enabled (default) on the firewall. You can select an action on this page 2-1

110 Web-Based Configuration Manual Object-Oriented Management Chapter 2 Policy Configuration as the default action so that the firewall will determine whether to permit or deny packets that match no defined rules. By applying a flow object to an interface, you can enable the firewall to filter traffic passing the interface based on the rules defined in the flow object. Click Create in Figure 2-1 to create a flow filtering policy. Table 2-1 Flow filtering policy configuration items 1 Interface Select an interface. 2 Flow Object 3 Direction Select a created flow object. A flow object not only identifies a specific type of data flow, but also includes the action to be taken on the data flow. Specify to apply the flow filtering policy on the inbound or outbound flow Configuring a NAT Policy With a flow object referenced in a Network Address Translation (NAT) policy, NAT processing will be implemented on the specified data flows. Select Policies > Nat from the navigation tree to enter the NAT policy configuration page, as shown in Figure 2-2. Click Create to create a NAT policy. Figure 2-2 NAT policy configuration page 2-2

Table 2-2 NAT policy configuration items

1 Interface: Select an interface for address translation.
2 Flow Object: Select a created flow object. A packet from the internal network is matched against the flow object before being sent to the external network. Only if the packet is permitted is address translation performed, based on the mapping entries of the corresponding address pool (or the interface address).
3 Policy:
Easy IP: Select to use the Easy IP mode. During address translation, the IP address of the interface, rather than an IP address from a configured address pool, is used as the address after translation.
New Address Pool: Select to use the IP addresses of an address pool for address translation. You can create an address pool by specifying its start IP address and end IP address, or simply select a created address pool.
no-pat: Select to use many-to-many address translation. With a flow object associated with a NAT pool, the no-pat mode translates only the IP address, not the port information, that is, the NAPT function is not used. Without no-pat selected, the NAPT function is used, that is, both the IP address and the port number are translated (many-to-one address translation).

Configuring a Policy Through Wizard

Besides the above ways of configuring a flow object, a flow filtering policy, and a NAT policy, you can also complete these tasks through the configuration wizard page provided by the Web-based management system. The wizard page helps you perform the basic configuration: creating flow objects, adding flow rules, selecting the policy mode (flow filtering policy or NAT policy), and the detailed configuration of that policy. Select Policies > Wizard from the navigation tree to enter the policy configuration wizard page, as shown in Figure 2-3. Click Next to start the configuration.

Figure 2-3 Policy wizard configuration page

Table 2-3 Policy wizard configuration items

Wizard page: Flow Object
Object Name: Specify a flow object name.

Wizard page: Flow Object -> Flow Rule1
Source Address: Select a created address object or address group object from the Address drop-down box, or select New Address to create a new address object on this page, which can be reused later. The type of the new address can be either an IP address or a domain name, and the address object name is the input itself, that is, the IP address or domain name.
Destination Address: Select a created address object or address group object from the Address drop-down box, or select New Address to create a new address object on this page, in the same way as for Source Address.

Wizard page: Flow Object -> Flow Rule2
Service: Select a created service or service group object.
Timerange: Select a created time range object.
Action: Select an action for the flow rule, permit or deny.
Log: Select to enable logging of matched packets.

Wizard page: Policy
Type: Select an application type for the flow object, Flow Filter Policy or Address Translation Policy.

Wizard page: Flow Filter Policy
After selecting Flow Filter Policy from Type, click Next to enter the Flow Filter Policy page. Refer to Configuring a Flow Filtering Policy for configuration details.

Wizard page: Address Translation Policy
After selecting Address Translation Policy from Type, click Next to enter the Address Translation Policy page. Refer to Configuring a NAT Policy for configuration details.

Wizard page: Configuration Summary
Displays the summary information of the flow filtering policy or NAT policy created through the wizard.
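The flow object, flow filtering policy and NAT policy described in this chapter, modelled as a small Python simulation. This is an added example for illustration, not H3C code and not the firewall's implementation; the class and field names (FlowRule, FlowObject, FlowFilterPolicy, NatPolicy), the "proto/port" service notation, the sample addresses and the interface names are assumptions. It shows first-match rule evaluation, the page-level default action for packets that match no rule, that only permitted flows are translated, and the difference between no-pat (one internal address to one pool address, source port kept) and NAPT (many internal addresses to one address, ports rewritten), including what happens when a no-pat pool runs out.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class FlowRule:
    """One flow rule of a flow object. Addresses are address objects given as
    CIDR strings; service is "proto/port" or "any" (notation assumed here)."""
    source: str
    destination: str
    service: str
    action: str          # "permit" or "deny"
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.source)
                and ip_address(pkt["dst"]) in ip_network(self.destination)
                and (self.service == "any"
                     or self.service == f"{pkt['proto']}/{pkt['dport']}"))


@dataclass
class FlowObject:
    name: str
    rules: list

    def first_match(self, pkt: dict):
        """Rules are evaluated in order; the first hit decides the action."""
        return next((r for r in self.rules if r.matches(pkt)), None)


@dataclass
class FlowFilterPolicy:
    """A flow object applied to an interface in one direction. default_action
    is the action for packets that match no rule of the flow object."""
    interface: str
    flow_object: FlowObject
    direction: str       # "inbound" or "outbound"
    default_action: str = "deny"

    def decide(self, pkt: dict, log: list) -> str:
        rule = self.flow_object.first_match(pkt)
        if rule is None:
            return self.default_action
        if rule.log:
            log.append(f"{self.interface} {self.direction} "
                       f"{pkt['src']}->{pkt['dst']} {rule.action}")
        return rule.action


@dataclass
class NatPolicy:
    """NAT on an interface for the flows permitted by the flow object.
    easy_ip: translate to the interface address, ports rewritten (NAPT).
    pool + no_pat: one internal address <-> one pool address, port kept.
    pool without no_pat: many internal addresses -> one pool address, NAPT."""
    interface: str
    flow_object: FlowObject
    interface_address: str
    easy_ip: bool = False
    pool: list = field(default_factory=list)
    no_pat: bool = False
    bindings: dict = field(default_factory=dict)
    next_port: int = 10000

    def translate(self, pkt: dict):
        rule = self.flow_object.first_match(pkt)
        if rule is None or rule.action != "permit":
            return None                      # denied or unmatched: not translated
        if self.easy_ip:
            return self._napt(pkt, self.interface_address)
        if self.no_pat:
            return self._no_pat(pkt)
        return self._napt(pkt, self.pool[0])

    def _no_pat(self, pkt: dict):
        if pkt["src"] not in self.bindings:
            free = [a for a in self.pool if a not in self.bindings.values()]
            if not free:
                return None                  # pool exhausted: flow cannot be translated
            self.bindings[pkt["src"]] = free[0]
        return {**pkt, "src": self.bindings[pkt["src"]]}   # sport unchanged

    def _napt(self, pkt: dict, addr: str):
        key = (pkt["src"], pkt["sport"])
        if key not in self.bindings:
            self.bindings[key] = (addr, self.next_port)
            self.next_port += 1
        new_src, new_sport = self.bindings[key]
        return {**pkt, "src": new_src, "sport": new_sport}


# Constructed sample flow object, reused by a filter policy and by NAT policies.
LAN_TO_INTERNET = FlowObject("lan_to_internet", [
    FlowRule("10.1.1.0/24", "172.16.0.0/16", "any", "deny"),      # partner net stays internal
    FlowRule("10.1.1.0/24", "0.0.0.0/0", "tcp/80", "permit", log=True),
])


def build_filter(default_action: str = "deny") -> FlowFilterPolicy:
    return FlowFilterPolicy("GigabitEthernet0/0", LAN_TO_INTERNET, "outbound", default_action)


def build_nat(easy_ip: bool, no_pat: bool) -> NatPolicy:
    return NatPolicy("GigabitEthernet0/1", LAN_TO_INTERNET, "203.0.113.1",
                     easy_ip=easy_ip, pool=["203.0.113.10", "203.0.113.11"], no_pat=no_pat)


def packet(src: str, dst: str, proto: str = "tcp", sport: int = 40000, dport: int = 80) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
```

The default action is the part of this page that decides how much traffic an incomplete rule set lets through: with the default set to permit, anything no flow rule describes passes the interface, so a deny default with explicit permit rules is the conservative configuration. The no-pat branch also shows why pool sizing matters: once every pool address is bound to an internal host, further hosts get no translation at all.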

VPN Configuration

Web-Based Configuration Manual VPN Configuration

Table of Contents

Chapter 1 L2TP Configuration
  L2TP Overview
    Background of L2TP
    Typical L2TP Network Application
    L2TP Specifications
  L2TP Configuration Tasks
  Configuration Details
    Configuring an L2TP Group
    Configuring a Virtual Template
    Configuring a Domain
    Configuring a User
Chapter 2 IPSec Configuration
  IPSec Overview
  IKE Overview
  IPSec Configuration Tasks
  IPSec Configuration Details
    Configuring IPSec Through the Wizard
    Configuring an IPSec Policy
    Configuring an IPSec Proposal
    Configuring an IKE Peer
    IKE Global Configuration
    Configuring an IPSec Policy Template
Chapter 3 GRE Configuration
  GRE Overview
  GRE Configuration Tasks
  GRE Configuration Details
    Configuring a GRE Tunnel
Chapter 4 PKI Configuration
  PKI Overview
    Introduction to PKI
    Related Terms
    Main Applications
  PKI Configuration Tasks
  PKI Configuration Details
    Configuring a PKI Entity
    Configuring a PKI Domain
    Configuring a Certificate

Chapter 1 L2TP Configuration

1.1 L2TP Overview

Background of L2TP

The Point-to-Point Protocol (PPP) defines an encapsulation technology that allows data packets of multiple protocols to be transmitted over Layer 2 point-to-point links. In a PPP application, PPP runs between the users and the network access server (NAS), and the endpoint of the Layer 2 link and the PPP session endpoint reside on the same hardware.

The Layer 2 Tunneling Protocol (L2TP) extends PPP. It tunnels PPP link layer packets, permits the Layer 2 link endpoint and the PPP session endpoint to reside on different devices, and employs packet switching network technologies for information exchange. By combining the best features of the Layer 2 Forwarding (L2F) protocol and the Point-to-Point Tunneling Protocol (PPTP), L2TP has become the Layer 2 tunneling industry standard defined by the Internet Engineering Task Force (IETF).

Typical L2TP Network Application

Figure 1-1 shows a typical virtual private dial-up network (VPDN) constructed by using L2TP.

Figure 1-1 Network diagram for VPDN built by using L2TP (elements shown: remote user PC, remote branch, PSTN/ISDN, LAC/NAS, L2TP tunnel across the Internet backbone, LNS, internal server)

As shown in Figure 1-1, a VPDN built by using L2TP includes two key components: the L2TP access concentrator (LAC) and the L2TP network server (LNS). An LAC, attached to a packet-switched network, has a PPP end system and the L2TP handling capability. An LAC is usually an NAS that provides access services to users over PSTN or ISDN networks. An LNS is a device providing the L2TP server side services on the PPP end system.

An LAC lies between LNSs and remote systems (remote users or branches). It encapsulates the packets received from a remote system by using L2TP and sends them to the LNS, and decapsulates the packets received from the LNS and sends them to the remote system. Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used in a VPDN application.

An LNS, an end system of an L2TP tunnel, is the peer of an LAC. It is the logical termination point of a PPP session that is tunneled by the LAC.

L2TP Specifications

I. L2TP architecture

Figure 1-2 L2TP architecture (PPP frames are carried in L2TP data messages over the unreliable L2TP data channel; L2TP control messages travel over the reliable L2TP control tunnel; both run over a packet transmission network such as UDP)

Figure 1-2 depicts the relationship among PPP frames, the control tunnel and the data tunnel. PPP frames are transmitted in the unreliable L2TP data channel, while control messages are transmitted in the reliable L2TP control channel.

Usually, L2TP data is transferred in the form of User Datagram Protocol (UDP) packets. The well-known UDP port for L2TP is 1701, which is only used in the initial tunnel creation stage. The L2TP tunnel initiator selects an idle port (which need not be 1701) to send a packet to port 1701 of the receiver. After receiving the packet, the receiver also selects an idle port (which likewise need not be 1701) to return a packet to the port the initiator used. From then on, the two parties use the negotiated ports to communicate until the tunnel is disconnected.

II. Tunnel and session

Two types of connections are present between an LNS and an LAC: tunnel and session. A tunnel is between an LNS and an LAC. A session is multiplexed on a tunnel and represents a PPP session carried within the tunnel. Multiple L2TP tunnels can exist between an LNS-LAC pair.
A tunnel consists of a control connection and one or more sessions.
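To make the architecture in sections I and II concrete, here is a small receiver-side decoder in Python for the L2TP (version 2) header and message dispatch. It is an added example, not H3C code or the firewall's implementation; the header layout, flag bits and message type codes are taken from RFC 2661, while the constructed datagrams, the local tunnel and session IDs and the function names are assumptions. It shows that control and data messages share one header, that control messages carry Ns/Nr for the reliable control channel while data messages do not, that the IDs in a header are the receiver's, and what a Hello and its zero-length-body (ZLB) acknowledgement look like on the wire.

```python
import struct

L2TP_PORT = 1701   # well-known port; only the first packet of a tunnel has to reach it

# Control message types carried in the mandatory Message Type AVP (RFC 2661 section 6)
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def parse_l2tp(data: bytes) -> dict:
    """Decode the header shared by control and data messages (RFC 2661 3.1).
    Flags word: T=bit15 (1 = control), L=bit14 (Length present), S=bit11
    (Ns/Nr present), O=bit9 (Offset present); version in the low 4 bits."""
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack_from("!H", data, 0)[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    control = bool(flags & 0x8000)
    has_len, has_seq, has_off = bool(flags & 0x4000), bool(flags & 0x0800), bool(flags & 0x0200)
    if control and (not has_len or not has_seq or has_off):
        raise ValueError("control messages must set L and S and clear O")
    if len(data) < 2 + 2 * has_len + 4 + 4 * has_seq + 2 * has_off:
        raise ValueError("truncated L2TP header")
    hdr, pos = {"control": control}, 2
    if has_len:
        hdr["length"] = struct.unpack_from("!H", data, pos)[0]
        pos += 2
        if hdr["length"] > len(data):
            raise ValueError("Length field exceeds datagram")
    # The IDs are the receiver's tunnel and session IDs, not the sender's.
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack_from("!HH", data, pos)
    pos += 4
    if has_seq:
        hdr["ns"], hdr["nr"] = struct.unpack_from("!HH", data, pos)
        pos += 4
    if has_off:
        pos += 2 + struct.unpack_from("!H", data, pos)[0]
    hdr["payload"] = data[pos:hdr.get("length", len(data))]
    return hdr


def control_message_type(payload: bytes) -> str:
    """Name a control message from its first AVP, which must be Message Type.
    An empty payload is a ZLB acknowledgement of the reliable control channel."""
    if not payload:
        return "ZLB"
    if len(payload) < 8:
        raise ValueError("truncated AVP")
    avp_hdr, vendor, attr, value = struct.unpack_from("!HHHH", payload, 0)
    if avp_hdr & 0x4000:
        # H bit: other AVPs may be hidden (the AVP Hidden option, which relies on
        # the tunnel authentication secret), but Message Type never is.
        raise ValueError("Message Type AVP must not be hidden")
    if vendor != 0 or attr != 0:
        raise ValueError("first AVP is not Message Type")
    return MESSAGE_TYPES.get(value, f"type{value}")


def demux(datagram: bytes, tunnels: dict):
    """Receiver-side dispatch: control messages go to the tunnel's reliable
    control connection, data messages to one PPP session multiplexed on it.
    `tunnels` maps local tunnel ID -> set of local session IDs."""
    hdr = parse_l2tp(datagram)
    tid, sid = hdr["tunnel_id"], hdr["session_id"]
    if hdr["control"]:
        kind = control_message_type(hdr["payload"])
        if tid == 0 and kind != "SCCRQ":
            return ("drop", "tunnel ID 0 is only valid while a tunnel is being set up")
        if tid and tid not in tunnels:
            return ("drop", f"unknown tunnel {tid}")
        return ("control", tid, kind, hdr["ns"], hdr["nr"])
    if sid not in tunnels.get(tid, set()):
        return ("drop", f"no session {sid} in tunnel {tid}")
    return ("data", tid, sid, hdr["payload"])


# Constructed datagrams, as the receiver owning tunnel ID 5 / session ID 9 sees them.
HELLO = bytes.fromhex("c802 0014 0005 0000 0003 0007 8008 0000 0000 0006")
ZLB_ACK = bytes.fromhex("c802 000c 0005 0000 0004 0008")
DATA = bytes.fromhex("0002 0005 0009 ff03 0021") + b"<IPv4 datagram, constructed>"
TUNNELS = {5: {9}}
```

Everything an L2TP endpoint needs to route a datagram sits in the first twelve bytes, which is why a stray or forged datagram is cheap to discard: a data message for a session the tunnel does not own, or a control message for an unknown tunnel, never reaches PPP processing. The header itself carries no authentication; tunnel authentication and AVP hiding, covered later in this chapter, protect the control channel, not the data channel.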

A session can be set up only after a tunnel has been created successfully (which includes exchanging such information as ID protection, L2TP version, frame type, hardware transmission type, and so on). A session corresponds to one PPP data stream between the LAC and the LNS. Both control messages and PPP frames are transferred on the tunnel.

L2TP uses Hello packets to check the connectivity of a tunnel. The LAC and the LNS regularly send Hello packets to each other. If no response packet is received within a certain period of time, the tunnel is torn down.

III. Control message and data message

L2TP supports two types of messages: control messages and data messages.

Control messages are intended for the establishment and maintenance of tunnels and sessions and for transmission control. Control messages are transmitted over a reliable channel, which supports flow control and congestion control.

Data messages encapsulate the PPP frames to be tunneled. Data messages are transmitted over an unreliable channel without flow control, congestion control, or retransmission mechanisms.

Control messages and data messages share the same header structure. An L2TP header contains a tunnel ID and a session ID, identifying the tunnel and the session respectively. Packets with the same tunnel ID but different session IDs are multiplexed onto the same tunnel. The tunnel ID and session ID in a header are those of the intended receiver, not those of the sender.

1.2 L2TP Configuration Tasks

Select VPN > L2TP from the navigation tree to enter the L2TP configuration page, as shown in Figure 1-3.

Figure 1-3 L2TP configuration page

Complete these tasks to configure L2TP:

Configuring an L2TP Group: Select the L2TP tab to enter the L2TP group configuration page, where you can create an L2TP group or configure an existing L2TP group. You can also configure an LNS through the wizard.
Configuring a Virtual Template: Select the Virtual Template tab to enter the virtual template configuration page, where you can create or configure a virtual template for an LAC to receive PPP requests from clients.
Configuring a Domain: Select the Domain tab to enter the domain configuration page, where you can create or configure a domain.
Configuring a User: Select the PPP User tab to enter the PPP user configuration page, where you can create or configure a PPP user for authentication of the user.
Display L2TP information: Select the L2TP Status tab to enter the L2TP status page. You can display information about the active L2TP tunnels, L2TP sessions, and L2TP users.

1.3 Configuration Details

Configuring an L2TP Group

Select the L2TP tab to enter the L2TP group configuration page, and then click Create to create an L2TP group or click Config to configure an existing L2TP group, as shown in Figure 1-4.

Figure 1-4 L2TP group configuration page

I. Configuring an L2TP group manually

Since the firewall can act as either an LAC or an LNS, you need to specify the node type for the firewall when configuring an L2TP group. After clicking Create on the L2TP group configuration page, select LAC to enter the LAC configuration page or select LNS to enter the LNS configuration page.

Table 1-1 L2TP group configuration items

LAC

1 L2TP Group: Type the number of the L2TP group.
2 Tunnel Authentication: Select this box to enable the L2TP tunnel authentication function, and then type a password and select a password display mode (simple or cipher) in the Password/Type text boxes.
3 Triggering: Select an L2TP tunneling triggering mode. Fullusername: Triggers an L2TP tunneling request by full user name. Domain: Triggers an L2TP tunneling request by domain name.
4 FullUserName/Domain: Type the full user name or domain name, depending on the selected triggering mode.
5 New LNS IP: Type the IP address of the LNS. You can specify multiple LNS IP addresses to enable LNS redundancy. After typing an IP address, click add to add it to the LNS address list.
6 LNS IP List: List of LNS IP addresses. You can click remove to remove an IP address.

Advanced configuration (click Show Advance to configure advanced items)

7 Local Name: Type the local name of the L2TP tunnel, which must be consistent with the remote name of the L2TP tunnel set on the LNS.
8 Hello Interval: Type the interval for sending Hello packets. To check the connectivity of a tunnel, the LAC and the LNS regularly send Hello packets to each other. Upon receipt of a Hello packet, the LAC or LNS returns a response. When the LAC or LNS fails to receive a Hello response within the specified period of time, it retransmits the Hello packet. If it receives no response after transmitting the Hello packet three times, it considers the L2TP tunnel down and tries to re-establish a tunnel with the peer.
9 Session Idle Time: Type the session idle timeout time. Once an L2TP session times out, it is cleared.

10 AVP Hidden: Select this box to enable the attribute value pair (AVP) hidden function. L2TP employs AVPs to transfer and negotiate some L2TP attributes. By default, AVPs are transmitted in plain text. For the sake of security, you can hide these AVPs for transmission. The AVP hidden function takes effect only when tunnel authentication is enabled on both ends of the L2TP tunnel.
11 Flow Control: Select this box to enable the L2TP tunnel flow control function.
12 Keep Standing: Select this box to enable the keep standing function. In general, an LAC establishes an L2TP tunnel with an LNS upon receiving L2TP tunneling requests, and the tunnel is torn down automatically once all PPP sessions in the tunnel are disconnected. In some applications, however, a tunnel is required to be present all the time so that a PPP session can be established immediately whenever there is a request for a PPP session. The keep standing function takes effect only when it is enabled on both ends of an L2TP tunnel.

LNS

1 L2TP Group: Type the number of the L2TP group.
2 Virtual Template: Select the virtual template to be bound with the L2TP group.
3 Tunnel Authentication: Select this box to enable the L2TP tunnel authentication function, and then type a password and select a password display mode (simple or cipher) in the Password/Type text boxes.
4 Validate LAC Name: Select the check box to enable LAC side name validation and type the remote name of the L2TP tunnel in the text box. The name typed here must be consistent with the local name set on the LAC.
5 Validate Domain: Select the check box to enable domain validation and type the name of the domain in the text box.
6 More Domain Function: Enable the L2TP more domain function. This function must be enabled to provide L2TP more domain services.
Advanced configuration (click Show Advance to configure advanced items)

7 Local Name: Type the local name of the L2TP tunnel, which must be consistent with the remote name set on the LAC.

8 Hello Interval: Type the interval for sending Hello packets. To check the connectivity of a tunnel, the LAC and the LNS regularly send Hello packets to each other. Upon receipt of a Hello packet, the LAC or LNS returns a response packet. When the LAC or LNS fails to receive a Hello response within the specified period of time, it retransmits the Hello packet. If it receives no response from the peer after transmitting the Hello packet three times, it considers the L2TP tunnel down and tries to re-establish a tunnel with the peer.
9 Session Idle Time: Type the session idle timeout time. Once a session times out, it is cleared.
10 AVP Hidden: Select this box to enable the attribute value pair (AVP) hidden function. L2TP employs AVPs to transfer and negotiate some L2TP attributes. By default, AVPs are transmitted in plain text. For the sake of security, you can hide these AVPs for transmission. The AVP hidden function takes effect only when tunnel authentication is enabled on both ends of the L2TP tunnel.
11 Flow Control: Select this box to enable the L2TP tunnel flow control function.
12 Keep Standing: Select this box to enable the keep standing function. In general, an LAC establishes an L2TP tunnel with an LNS upon receiving L2TP tunneling requests, and the tunnel is torn down automatically once all PPP sessions in the tunnel are disconnected. In some applications, however, a tunnel is required to be present all the time so that a PPP session can be established immediately whenever there is a request for a PPP session. The keep standing function takes effect only when it is enabled on both ends of an L2TP tunnel.
13 Mandatory CHAP: Select this box to force the LNS to perform a CHAP authentication of a user that has already passed authentication on the LAC. Only after both authentications succeed can an L2TP tunnel be set up.

14 Mandatory LCP: Select this box to force the LNS to perform LCP negotiation with users. In an NAS-initiated VPN, a user first negotiates with the NAS at the beginning of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received. In some circumstances (for example, when authentication and accounting are also necessary on the LNS), another round of LCP negotiation is required between the LNS and the user. In this case, the proxy authentication information from the NAS is ignored. If you enable LCP negotiation but do not configure authentication for the corresponding virtual template, the LNS does not perform additional authentication of users (users are then authenticated only once, on the LAC) and directly allocates addresses from the global address pool to the users.

II. Configuring the LNS through the wizard

On the L2TP group configuration page, click Start Wizard to enter the wizard page. In this mode, if L2TP group 1 does not exist, the wizard creates L2TP group 1 first. The configuration of L2TP group 1 is slightly different from that of the other L2TP groups.

Table 1-2 L2TP group 1 configuration items in the wizard pages

Wizard page: LNS Configuration
VT IP&Mask: Type the IP address and mask for the virtual template to be created.

Wizard page: LNS Configuration (continued)
New User: Type the user name for the user to be created.
Password: Type the password for the user.
Type: Select the password display mode (simple or cipher).
User List: List of all users created. You can select a user and click Remove to remove the user.
Authentication: Select the authentication method (PAP or CHAP).
Tunnel Authentication: Select this box to enable the L2TP tunnel authentication function, and then type a password and select a password display mode (simple or cipher) in the Password/Type text boxes.

Wizard page: LNS Configuration Summary
Displays the configuration information of the created L2TP group and virtual template.

Table 1-3 Non-L2TP group 1 configuration items in the wizard pages

Wizard page: LNS Configuration
LAC Name: Type the name of the L2TP tunnel on the LAC, which must be consistent with the local name set on the LAC.
VT IP&Mask: Type the IP address and mask for the virtual template to be created.
Domain: Select a domain to be used for authentication.
New Domain: Type a domain name, which can be that of a not yet existing domain.
IP Pool: Select the IP address pool to be used to assign IP addresses to users. This box lists the IP address pool(s) of the domain selected in the Domain drop-down box. This option is not available when the New Domain option is selected.
New Pool: Type an IP address range for the pool. After selecting the New Domain option, you need to create an IP address pool for the newly created domain.

Wizard page: LNS Configuration (continued)
New User: Type the name for the user to be created.
Password: Type the password for the user.
Type: Select the password display mode (simple or cipher).
User List: List of all users created. You can select a user and click Remove to remove the user.
Authentication: Select the authentication method (PAP or CHAP).
Tunnel Authentication: Select this box to enable the L2TP tunnel authentication function, and then type a password and select a password display mode (simple or cipher) in the Password/Type text boxes.

Wizard page: LNS Configuration Summary
Displays the configuration information of the created L2TP group, virtual template, domain, and address pool.

Configuring a Virtual Template

A virtual template listens for PPP requests from clients. It can be used on both the LNS and the LAC. On the LNS, a virtual template is required; on the LAC, it is required only when the LAC listens for PPP requests from remote users through PPPoE, in which case the firewall acts as the PPPoE server to connect PPPoE clients.

Select the Virtual Template tab from the L2TP configuration page to enter the virtual template configuration page, as shown in Figure 1-5. You can click Create to create a virtual template or click Config to configure an existing virtual template. After clicking Create, select LAC on the page to enter the LAC configuration page or select LNS to enter the LNS configuration page.

Figure 1-5 Virtual template configuration page

Table 1-4 Virtual template configuration items

LAC

1 Virtual Template: Type the number of the virtual template.
2 Authen Mode: Select the authentication method, which can be PAP or CHAP and is PAP in this example.
3 Authen Domain: Select the domain for authentication. With no domain specified, the system domain is used by default.
4 Security Zone: Select the security zone to add the virtual template to. The firewall uses security zones to identify the connected networks. An interface of the firewall must be added to the corresponding security zone to communicate with other devices.
5 Bind Interface: Select the physical interface to bind the virtual template to.

LNS

1 Virtual Template: Type the number of the virtual template.
2 Authen Mode: Select the authentication method, which can be PAP or CHAP and is PAP in this example.
3 Authen Domain: Select the domain for authentication. With no domain specified, the system domain is used by default.
4 Security Zone: Select the security zone to add the virtual template to. The firewall uses security zones to identify the connected networks. An interface of the firewall must be added to the corresponding security zone to communicate with other devices.
5 IP Address & Mask: Type the IP address and mask for the virtual template manually; PPP negotiation is not used for this address.
6 Remote Address: IP: Select the IP option and type an IP address for the user in the IP text box.
7 Remote Address: IP Pool: Select the IP Pool option and select from the drop-down box the IP address pool of the domain to be used to assign IP addresses to users.
8 Force Allocate Remote Address: Specify whether to assign IP addresses to users forcibly, that is, whether users are allowed to configure IP addresses by themselves.

Configuring a Domain

Select the Domain tab from the L2TP configuration page to enter the domain configuration page, as shown in Figure 1-6. You can click Create to create a domain or click Configure to configure an existing domain.

Figure 1-6 Domain configuration page

Table 1-5 Domain configuration items

1 Domain Name: Type the name of the domain.
2 Domain Scheme: Select the scheme for the domain.
3 Access Limit: Type the maximum number of users that the domain can accommodate.
4 Account Scheme: Select the accounting scheme for the domain.
5 Account Optional: Select this box to enable the account optional function. With the account optional function enabled, a user that would otherwise be disconnected because no accounting server is available or communication with the current accounting server fails can continue to use the network resources. This function is normally enabled when authentication is required but accounting is not.
6 Authentication Scheme: Select the authentication scheme for the domain.
7 Authorization Scheme: Select the authorization scheme for the domain.
8 Low IP: Type the start address of the domain IP pool.
9 High IP: Type the end address of the domain IP pool. When configuring an existing domain, you can add multiple address pools for the domain, but only the one with the smallest number appears on the domain configuration page.

Configuring a User

When you configure the LNS to authenticate PPP clients, you can create users locally for authentication. Select the PPP User tab from the L2TP configuration page to enter the user configuration page, as shown in Figure 1-7. You can click Create to create a user or click Configure to configure an existing user.

Figure 1-7 User configuration page

Table 1-6 User configuration items

1 User Name: Type the name of the user.
2 Password: Type the password of the user.
3 Confirm Password: Type the password of the user again to confirm it.

Chapter 2 IPSec Configuration

2.1 IPSec Overview

IP Security (IPSec) refers to a series of protocols defined by the IETF to provide high-quality, interoperable, cryptography-based security for IP packets. By means of facilities including encryption and data origin authentication, it delivers confidentiality, data integrity, authenticity and anti-replay security services at the IP layer.

To achieve these goals, IPSec employs two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). IPSec can also use Internet Key Exchange (IKE) to automatically negotiate and exchange keys and to establish and maintain security associations (SAs), simplifying the use and management of IPSec.

AH provides data origin authentication, data integrity, and anti-replay services. However, AH does not encrypt the packets it protects.

ESP provides all the functions that AH supports, except that it does not perform the data integrity check of the IP header. In addition, ESP can encrypt IP packets.

IKE negotiates the algorithms used by AH and ESP, establishes SAs, and exchanges keys automatically.

2.2 IKE Overview

Built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPSec, greatly simplifying the application and maintenance of IPSec.

Network security involves two aspects: internal LAN security and the security of data exchanged over public networks. The former can be implemented by means of firewalls, Network Address Translation (NAT), and the like; the latter can be implemented by approaches like IPSec.

With IPSec, you can establish IPSec SAs manually. When the number of nodes in the network increases, however, manual configuration becomes laborious and time consuming and cannot meet the security requirements.
In this case, you need IKE to establish SAs and exchange shared keys automatically. IKE has a series of self-protection mechanisms. It supports identity authentication, key distribution, and IPSec SA establishment over unsecured networks.

2.3 IPSec Configuration Tasks

Select VPN > IPSEC from the navigation tree to enter the IPSec configuration page, as shown in Figure 2-1.

Figure 2-1 IPSec configuration page

Complete these tasks to configure IPSec:

Configuring IPSec Through the Wizard: Select the IPSec tab to enter the IPSec configuration page, where you can configure IPSec rapidly through the wizard.
Configuring an IPSec Policy: Select the IPSec Policy tab to enter the IPSec policy configuration page, where you can create an IPSec policy or configure an existing IPSec policy.
Configuring an IPSec Proposal: Select the IPSec Proposal tab to enter the IPSec proposal configuration page, where you can create an IPSec proposal or configure an existing IPSec proposal.
Configuring an IKE Peer: Select the IKE Peer tab to enter the IKE peer configuration page, where you can create an IKE peer or configure an existing IKE peer.
IKE Global Configuration: Select the IKE Global tab to enter the IKE global configuration page, where you can configure an IKE local name, an IKE proposal, and IKE DPD.
Configuring an IPSec Policy Template: Select the IPSec Template tab to enter the IPSec policy template configuration page, where you can create an IPSec policy template or configure an existing IPSec policy template.
Display IPSec configuration information: Select the IPSec Info tab to enter the IPSec configuration information page, where you can view information about active IKE SAs, IPSec SAs, IPSec tunnels, and IPSec packet statistics.
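The difference between AH and ESP stated in section 2.1 (AH integrity-checks the IP header, ESP does not) and the anti-replay service both protocols provide, as an added Python illustration that is not H3C code or the firewall's implementation. The integrity scope follows RFC 4302 (AH, with its mutable header fields zeroed) and RFC 4303 (ESP), and the replay window follows section 3.4.3 of those RFCs; the demo key, the choice of HMAC-SHA-256-128, the constructed packets and the function names are assumptions. The ESP "ciphertext" is an opaque byte string standing in for the encrypted payload, since the integrity computation does not depend on the cipher.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed demo key. On the firewall, SA keys come from IKE negotiation
# (or manual configuration), never from a literal like this.
AUTH_KEY = b"constructed-demo-authentication-key"


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def rewrite_dst(ip_hdr: bytes, new_dst: str) -> bytes:
    """What a NAT device (or anything else on the path) does to the outer header."""
    return ip_hdr[:16] + IPv4Address(new_dst).packed


def decrement_ttl(ip_hdr: bytes) -> bytes:
    """What every router on the path does to the outer header."""
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:]


def _icv(data: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128, RFC 4868)."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:16]


def ah_icv(ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """AH authenticates the IP header and the payload. Fields that change
    legitimately in transit are zeroed first (RFC 4302 3.3.3.1): TOS,
    flags/fragment offset, TTL and header checksum. Addresses are covered."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    ah_fixed = struct.pack("!BBHII", 0, 0, 0, spi, seq)   # the ICV field itself is zero
    return _icv(bytes(hdr) + ah_fixed + payload)


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP authenticates only its own header and the (encrypted) payload; the
    outer IP header is outside the ICV scope."""
    return _icv(struct.pack("!II", spi, seq) + ciphertext)


def verify(protocol: str, ip_hdr: bytes, spi: int, seq: int, payload: bytes, icv: bytes) -> bool:
    """Receiver-side integrity check for an AH- or ESP-protected packet."""
    if protocol == "ah":
        expected = ah_icv(ip_hdr, spi, seq, payload)
    elif protocol == "esp":
        expected = esp_icv(spi, seq, payload)
    else:
        raise ValueError(protocol)
    return hmac.compare_digest(expected, icv)


class ReplayWindow:
    """Sliding anti-replay window (RFC 4302/4303 section 3.4.3). Bit 0 of the
    bitmap stands for the highest sequence number accepted so far."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence number 0 is never sent
        if seq > self.top:                     # new high: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                       # older than the window: reject
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                       # already seen: replay
        self.bitmap |= bit
        return True
```

The AH check still passes after a TTL decrement, because TTL is a mutable field, but fails as soon as an address is rewritten, which is why AH does not survive NAT while ESP does; with ESP, a changed outer address is simply not something the integrity check can see. The replay window rejects duplicates and anything that has fallen behind the window, but it only works if the sequence number is covered by the ICV, as it is in both AH and ESP.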

2.4 IPSec Configuration Details

Configuring IPSec Through the Wizard

Select the IPSec tab from the IPSec configuration page to enter the IPSec configuration (through the wizard) page, as shown in Figure 2-2. The configuration wizard provides two configuration modes: center-branch and peer-peer.

Figure 2-2 IPSec configuration (through the wizard) page

I. Center-branch mode

Click Start Wizard on the IPSec configuration (through the wizard) page to enter the IPSec VPN wizard page, and then select Center-Branch and click Next.

Table 2-1 IPSec configuration items on the wizard pages (center-branch mode)

Center

Wizard pages: IPSec VPN Configuration, IPSec VPN Configuration (continued)
IPSec VPN Name: Type the name of the IPSec VPN.
Bind Interface: Select the interface that is to reference the IPSec policy.
Node Type: Select a node type. For the configuration of the center node, select Center and type the branch IKE name in the Branch IKE Name text box.
Encryption Suite: Select an encryption suite for encrypting the data flows from the drop-down list.
Pre-shared-key: Select Pre-shared-key and type a pre-shared key to use pre-shared key authentication.
PKI Domain: Select PKI Domain and select a PKI domain to use RSA signature authentication. For PKI configuration, refer to PKI Configuration.

Wizard page: IPSec VPN Configuration Summary
Displays information about the created IPSec policy, IPSec policy template, IPSec proposal, IKE peer, IKE proposal, DPD, and the interfaces referencing the IPSec policy.

Branch

Wizard pages: IPSec VPN Configuration, IPSec VPN Configuration (continued)
IPSec VPN Name: Type the name of the IPSec VPN.
Bind Interface: Select the interface that is to reference the IPSec policy.
Node Type: Select a node type. For the configuration of branch nodes, select Branch and type the IKE name and address of the center node in the following text boxes.
Source: Type the source IP address of the data flow to be protected by IPSec.
Destination: Type the destination IP address of the data flow to be protected by IPSec.
Protocol: Select from the drop-down list the protocol whose data flows are to be protected by IPSec.
Encryption Suite: Select an encryption suite for encrypting the data flows from the drop-down list.
Pre-shared-key: Select Pre-shared-key and type a pre-shared key to use pre-shared key authentication.
PKI Domain: Select PKI Domain and select a PKI domain to use RSA signature authentication. For PKI configuration, refer to PKI Configuration.

Wizard page: IPSec VPN Configuration Summary
Displays information about the created IPSec policy, ACL, IPSec proposal, IKE peer, IKE proposal, DPD, and the interfaces referencing the IPSec policy.

II. Peer-peer mode

Click Start Wizard on the IPSec configuration (through the wizard) page to enter the IPSec VPN wizard page, and then select Peer-Peer and click Next.

Table 2-2 IPSec configuration items on the wizard pages (peer-peer mode)

Wizard page: IPSec VPN Configuration (and its continuation page)
IPSec VPN Name: Type the name of the IPSec VPN.
Bind Interface: Select the interface to reference the IPSec policy.
Remote Address: Type the IP address of the remote peer.
Source: Type the source IP address of the data flow to be IPSec protected.
Destination: Type the destination IP address of the data flow to be IPSec protected.
Protocol: Select a protocol from the drop-down list; data flows of that protocol are IPSec protected.
Encryption Suite: Select an encryption suite for encrypting data flows from the drop-down list.
Pre-shared-key: Select Pre-shared-key and type a pre-shared key to use pre-shared key authentication mode.
PKI Domain: Select PKI Domain and then select a PKI domain to use RSA signature authentication mode. For PKI configuration, refer to PKI Configuration.

Wizard page: IPSec VPN Configuration Summary
Displays information about the created IPSec policy, ACL, IPSec proposal, IKE peer, IKE proposal, DPD, and interfaces referencing the IPSec policy.

After the above configuration, the created IPSec policy is referenced by the corresponding interfaces. As shown in Figure 2-2, you can select an interface bound with an IPSec policy and then click Unbind to remove the IPSec policy that the interface references. You can also select an interface bound with no IPSec policy and then click Bind to select the IPSec policy for the interface to reference.

Configuring an IPSec Policy

IPSec policies define which IPSec proposals should be used to protect which data flows. IPSec policies fall into two categories: manual IPSec policies and IKE-dependent IPSec policies. The former requires that the parameters, such as the keys and SPIs as well as the IP addresses of the two ends in tunnel mode, be configured manually. As for the latter, these parameters are negotiated automatically through IKE. The Web-based

management interface of the firewall supports only the configuration of IKE-dependent IPSec policies.

Select the IPSec Policy tab from the IPSec configuration page to enter the IPSec policy configuration page, as shown in Figure 2-3. You can click Create to create an IPSec policy or click Configure to configure an existing IPSec policy that does not reference an IPSec policy template. To configure an IPSec policy template, refer to Configuring an IPSec Policy Template.

Figure 2-3 IPSec policy configuration page

Table 2-3 IPSec policy configuration items
1 Policy Name: Type the name of the IPSec policy.
2 Sequence: Type the sequence number of the IPSec policy. An IPSec policy group consists of IPSec policies with the same name but different sequence numbers. For IPSec policies in an IPSec policy group, a smaller sequence number means a higher priority.
3 Policy Template: Type the IPSec policy template to be referenced to create the IPSec policy. If a policy template is selected, the remaining options on this page are not available.
4 ACL: Select the ACL for the IPSec policy to reference from the drop-down list, or select New and then click Edit to create an ACL. You can also select an existing ACL and click Edit to edit the ACL. IPSec protects packets permitted by ACL rules.
5 IPSec Proposal: Add the IPSec proposal(s) for the IPSec policy.
6 IKE Peer: Select the IKE peer for the IPSec policy.

7 PFS (Optional): Select an option to enable or disable the PFS function. Perfect Forward Secrecy (PFS) is a security feature based on the Diffie-Hellman (DH) algorithm. It guarantees that the compromise of one key has no impact on the security of other keys (because the keys have no derivative relations). In IPSec, PFS is implemented by adding an additional key exchange in IKE negotiation phase 2. When IKE uses an IPSec policy with PFS enabled to initiate a negotiation, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group; otherwise, the negotiation fails.
8 Time (seconds): Type a time period (in seconds) for the SA lifetime. The time-based SA lifetime is the period from the establishment of an SA to its expiration. When negotiating to set up SAs, IKE prefers the lifetime of the IPSec policy in use. If the IPSec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
9 Traffic (kilobytes): Type a number (in kilobytes) for the SA lifetime. The traffic-based SA lifetime is the maximum traffic that an SA can process. When negotiating to set up an SA, IKE prefers the lifetime of the IPSec policy in use. If the IPSec policy is not configured with its own lifetime, IKE uses the global SA lifetime.

Configuring an IPSec Proposal

An IPSec proposal defines the security parameters for IPSec SA negotiation, including the security protocol and the encryption/authentication algorithms. For both ends of an IPSec tunnel to negotiate SAs successfully, they must use the same IPSec proposal.

Select the IPSec Proposal tab from the IPSec configuration page to enter the IPSec proposal configuration page, as shown in Figure 2-4. You can click Create to create an IPSec proposal or click Configure to configure an existing IPSec proposal.

Figure 2-4 IPSec proposal configuration page

Table 2-4 IPSec proposal configuration items
1 Proposal Name: Type the name of the IPSec proposal.
2 Encrypt Card: Specify that an encryption card be used for IPSec services and select the encryption card to be used.
3 Encryption Suite: Select the encryption suite for the IPSec proposal to use. The system has several pre-defined encryption suites for your choice. If you select None, you can customize the encryption and authentication algorithms to be used.
4 Security Protocol: Select the security protocol(s) to be used, which can be AH, ESP, or both. This option is available only when you select None from the Encryption Suite drop-down list. If you select AH, you need to select the AH authentication algorithm; if you select ESP, you need to select the ESP authentication and encryption algorithms; if you select AH-ESP, you need to select the AH authentication algorithm and the ESP authentication and encryption algorithms.

You cannot create or configure IPSec proposals that use transport mode through the Web-based management interface.

Configuring an IKE Peer

Select the IKE Peer tab from the IPSec configuration page to enter the IKE peer configuration page, as shown in Figure 2-5. You can click Create to create an IKE peer or click Configure to configure an existing IKE peer.

Figure 2-5 IKE peer configuration page

Table 2-5 IKE peer configuration items
1 IKE Peer Name: Type the name of the IKE peer.
2 Key Exchange Mode: Select the negotiation mode for IKE phase 1 (Main or Aggressive). In main mode, only IP addresses can be used for IKE SA negotiation; this applies when both ends of an IPSec tunnel have fixed IP addresses. In aggressive mode, not only IP addresses but also names can be used for IKE SA negotiation. When one end of an IPSec tunnel obtains an IP address automatically (for example, it dials in to the peer), the negotiation mode must be aggressive.
3 ID Type: Select the local ID type. In main mode, it can only be IP address. In aggressive mode, it can be either IP address or name.
4 Remote Address (Range): Type the IP address or IP address range of the remote IKE peer. For the initiator of IKE negotiation, it cannot be an IP address range.
5 Remote Name: Type the name of the remote IKE peer.
6 Local IP Address: Type the local IP address.
7 Pre-shared-key: Select Pre-shared-key and type a pre-shared key to use pre-shared key authentication mode.
8 PKI Domain: Select PKI Domain and then select a PKI domain to use RSA signature authentication mode. For PKI configuration, refer to PKI Configuration.
9 DPD: Select this box to enable IPSec DPD and then select a DPD name from the drop-down list. For DPD configuration, refer to Configuring IKE DPD.

10 NAT Traversal: Select this box to enable NAT traversal. If one or more NAT devices exist on the path of an IPSec/IKE VPN tunnel, you must enable IPSec/IKE NAT traversal. To save IP addresses, ISPs often deploy NAT gateways on public networks so as to allocate private IP addresses to users. In this case, one end of an IPSec/IKE tunnel may have a public address while the other end has a private address, and therefore NAT traversal must be configured at both ends to set up the tunnel.

IKE Global Configuration

Select the IKE Global tab from the IPSec configuration page to enter the IKE global configuration page, as shown in Figure 2-6. IKE global configuration includes the configuration of the IKE local name, IKE proposals, and IKE DPD.

Figure 2-6 IKE global configuration page

I. Configuring an IKE local name

In Figure 2-6, select IKE Local Name from the IKE Global drop-down list to enter the IKE local name configuration page, where you can configure the IKE local name.

II. Configuring an IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation should take place. IKE proposal configuration includes the IKE proposal number, encryption algorithm, authentication mode, authentication algorithm, Diffie-Hellman group, and SA lifetime. In main mode, multiple IKE proposals with different priorities can be created; however, for IKE negotiation to succeed, both ends must have at least one matching IKE proposal. In aggressive mode, the initiator of IKE negotiation uses only the proposal with the highest priority to negotiate with the peer. If the peer has a matching proposal, the negotiation succeeds. Otherwise, the negotiation fails, and the initiator does not fall back to another proposal with a lower priority.
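The proposal selection described above, as an added Python model that is not the firewall's own code: it shows the responder searching its proposals from the lowest sequence number upward, and why an aggressive-mode initiator can fail even when one of its lower-priority proposals would have matched. The attribute values, the contents of the default proposal and the DEFAULT_SEQ placeholder are constructed for the example.

```python
"""IKE phase 1 proposal selection as described for the IKE proposal page.

Added illustration, not the firewall's implementation. The responder walks
its own proposals from the lowest sequence number (highest priority) upward
and accepts the first one that matches a proposal the initiator offered. In
main mode the initiator offers all of its proposals; in aggressive mode it
offers only its highest-priority one and does not fall back. All attribute
values and the default proposal's contents below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

DEFAULT_SEQ = 1 << 16  # placeholder: sorts after every user-created proposal


@dataclass(frozen=True)
class IkeProposal:
    seq: int          # Proposal Number; lower number = higher priority
    auth_mode: str    # Authentication Mode: "pre-share" or "rsa-sig"
    auth_alg: str     # Authentication Algorithm: "md5" or "sha1"
    enc_alg: str      # Encryption Algorithm, e.g. "des-cbc", "3des-cbc"
    dh_group: int     # DH Group
    lifetime: int = 86400  # Duration (seconds); not part of the match

    def matches(self, other: "IkeProposal") -> bool:
        """Match on the four attributes the page names; the sequence number
        and the lifetime are deliberately excluded."""
        return (self.enc_alg == other.enc_alg
                and self.auth_mode == other.auth_mode
                and self.auth_alg == other.auth_alg
                and self.dh_group == other.dh_group)


def by_priority(proposals: Iterable[IkeProposal]) -> List[IkeProposal]:
    """Ascending sequence number, i.e. descending priority."""
    return sorted(proposals, key=lambda p: p.seq)


def responder_select(local: Iterable[IkeProposal],
                     offered: Iterable[IkeProposal]) -> Optional[IkeProposal]:
    """Responder search: from the lowest sequence number upward until one of
    the local proposals matches an offered one, or all are found mismatching."""
    offered = list(offered)
    for mine in by_priority(local):
        if any(mine.matches(theirs) for theirs in offered):
            return mine
    return None


def negotiate(initiator: Iterable[IkeProposal], responder: Iterable[IkeProposal],
              mode: str) -> Optional[IkeProposal]:
    """Return the responder proposal the negotiation settles on, or None."""
    ranked = by_priority(initiator)
    if mode == "aggressive":
        offered = ranked[:1]        # highest priority only, no fallback
    elif mode == "main":
        offered = ranked
    else:
        raise ValueError("mode must be 'main' or 'aggressive'")
    return responder_select(responder, offered)


# Constructed sample configurations for a center device and a branch device.
DEFAULT_PROPOSAL = IkeProposal(DEFAULT_SEQ, "pre-share", "sha1", "des-cbc", 1)
CENTER = [IkeProposal(5, "pre-share", "md5", "3des-cbc", 1),
          IkeProposal(15, "rsa-sig", "sha1", "aes-cbc", 2),
          DEFAULT_PROPOSAL]
BRANCH = [IkeProposal(10, "rsa-sig", "sha1", "aes-cbc", 5),  # DH group differs from CENTER's
          IkeProposal(20, "pre-share", "md5", "3des-cbc", 1),
          DEFAULT_PROPOSAL]

if __name__ == "__main__":
    for mode in ("main", "aggressive"):
        chosen = negotiate(BRANCH, CENTER, mode)
        print(mode, "->", "fails" if chosen is None else f"center proposal {chosen.seq}")
```

In main mode the branch's second proposal rescues the negotiation; in aggressive mode only its top proposal is offered, the DH group does not match anything on the center, and the negotiation fails.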

Select IKE Proposal from the IKE Global drop-down list to enter the IKE proposal page, as shown in Figure 2-6. The system has a default IKE proposal, which has the lowest priority.

Table 2-6 IKE proposal configuration items
1 Proposal Number: Type the sequence number of the IKE proposal. You may create multiple IKE proposals with different priorities for each end of IKE negotiation. The priority of an IKE proposal is represented by its sequence number; the lower the sequence number, the higher the priority. The system has a default IKE proposal, which has the lowest priority. After a device initiates IKE negotiation, the peer searches for an IKE proposal matching that of the initiator. The search starts from the one with the lowest sequence number and proceeds in ascending order of sequence number until a match is found or all IKE proposals have been found to mismatch. Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group.
2 Authentication Mode: Select an IKE authentication mode (Preshared Key or RSA Signature).
3 Authentication Algorithm: Select an authentication algorithm (MD5 or SHA1).
4 Encryption Algorithm: Select an encryption algorithm.
5 DH Group: Select a DH group.
6 Duration (seconds): Type a time period (in seconds) to be used as the ISAKMP SA lifetime. An SA becomes invalid when its lifetime expires. Before an SA becomes invalid, IKE negotiates to set up a new SA and, once created, the new SA takes over immediately.

III. Configuring IKE DPD

Dead peer detection (DPD) is used for detecting the status of IPSec/IKE peers. With the DPD function enabled, if an end receives no IPSec-protected packets from its peer within the DPD query triggering interval, it sends a request to the peer to detect whether the peer still exists.

Compared with the inherent keepalive function of IPSec, DPD uses less traffic and features real-time detection and rapid tunnel recovery.

On the page shown in Figure 2-6, select IKE DPD from the IKE Global drop-down list to enter the IKE DPD configuration page.

Table 2-7 IKE DPD configuration items
1 IKE DPD Name: Type the name of the IKE DPD.
2 Interval Time (seconds): Type the interval for triggering DPD queries.
3 Timeout (seconds): Type the interval for retransmitting DPD packets.

Configuring an IPSec Policy Template

The parameters configurable for an IPSec policy template are the same as those you can configure when directly configuring an IKE-dependent IPSec policy. The difference is that more parameters are optional: only the IPSec proposals and the IKE peer are required (you do not need to configure the IP address of the IKE peer), and you do not need to configure the data flows to be IPSec protected or the PFS feature. However, if you configure one or more of these optional parameters, the configurations of these parameters must match on both ends of an IPSec tunnel for the negotiation to succeed.

Select the IPSec Template tab from the IPSec configuration page to enter the IPSec policy template configuration page, as shown in Figure 2-7. You can click Create to create an IPSec policy template or click Configure to configure an existing IPSec policy template.

Figure 2-7 IPSec policy template configuration page

Table 2-8 IPSec policy template configuration items
1 Template Name: Type the name of the IPSec policy template.
2 Sequence: Type the sequence number of the IPSec policy template.

3 IKE Peer: Select an IKE peer for the IPSec policy template.
4 IPSec Proposal: Add one or more IPSec proposals for the IPSec policy template.
5 PFS: Select a value other than None to enable the PFS function. Perfect Forward Secrecy (PFS) is a security feature based on the DH algorithm. It guarantees that the compromise of one key has no impact on the security of other keys (because the keys have no derivative relations). In IPSec, PFS is implemented by adding an additional key exchange in IKE negotiation phase 2. When IKE uses the IPSec policy with PFS enabled to initiate a negotiation, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group; otherwise, the negotiation fails.
6 Time (seconds): Type a time period (in seconds) for the SA lifetime. The time-based SA lifetime is the period from the establishment of an SA to its expiration. When negotiating to set up SAs, IKE prefers the lifetime of the IPSec policy in use. If the IPSec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
7 Traffic (kilobytes): Type a number (in kilobytes) for the SA lifetime. The traffic-based SA lifetime is the maximum traffic that an SA can process. When negotiating to set up an SA, IKE prefers the lifetime of the IPSec policy in use. If the IPSec policy is not configured with its own lifetime, IKE uses the global SA lifetime.

Chapter 3 GRE Configuration

3.1 GRE Overview

Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE uses tunneling technology and serves as a Layer 3 tunneling protocol for virtual private networks (VPNs).

A tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are encapsulated at one end of the tunnel and decapsulated at the other end. A packet transferred through a tunnel undergoes an encapsulation process and a decapsulation process. Figure 3-1 illustrates these two processes.

Figure 3-1 IPX networks interconnected through the GRE tunnel (Novell IPX Group 1, SecPath A, tunnel across the Internet, SecPath B, Novell IPX Group 2)

I. Encapsulation process

1) After receiving an IPX packet through the interface connected to IPX network Group 1, SecPath A submits it to the IPX module for processing.
2) The IPX module checks the destination address field in the IPX header to determine how to route the packet.
3) If the packet must be tunneled through the network numbered 1f (the virtual network number of the tunnel) to reach its destination, SecPath A sends it to the tunnel interface of network 1f.
4) Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet and submits it to the IP module.
5) The IP module encapsulates the packet in an IP packet, and then forwards the IP packet out through the network interface determined by its destination address and the routing table.

II. Decapsulation process

Decapsulation is the reverse process of encapsulation:
1) Upon receiving an IP packet from the tunnel interface, SecPath B checks the destination address.
2) If the destination is itself, SecPath B strips off the IP header of the packet and submits the resulting packet to the GRE module.

3) The GRE module checks the key, checksum and sequence number, and then strips off the GRE header and submits the payload to the IPX module.
4) The IPX module performs the subsequent forwarding processing for the packet.

A packet that needs to be encapsulated and routed is called the payload. Upon receipt of the payload, the system encapsulates it in a GRE packet, and then encapsulates the GRE packet in an IP packet. In this way, the IP layer takes over the responsibility of forwarding the resulting packet. The protocol responsible for forwarding IP packets is usually known as the delivery or transport protocol. Figure 3-2 shows the format of an encapsulated packet.

Figure 3-2 Format of an encapsulated packet: delivery header (transport protocol), GRE header (encapsulation protocol), payload packet (passenger protocol)

As an example, Figure 3-3 shows the format of an IPX packet encapsulated for transmission over an IP tunnel.

Figure 3-3 Format of an IPX packet encapsulated for transmission over an IP tunnel: IP (transport protocol), GRE (carrier/encapsulation protocol), IPX (passenger protocol)

3.2 GRE Configuration Tasks

Select VPN > GRE from the navigation tree to enter the GRE configuration page, as shown in Figure 3-4.

Figure 3-4 GRE configuration page

Complete the following tasks to configure GRE:
Configuring a GRE Tunnel: Select the GRE Tunnel tab to enter the GRE tunnel configuration page, where you can click Create to create a GRE tunnel or click Configure to configure an existing GRE tunnel.
Displaying GRE tunnel information: Select the GRE Tunnel Status tab to enter the GRE tunnel status page, where you can display information about tunnel interface configuration, status and statistics.

3.3 GRE Configuration Details

Configuring a GRE Tunnel

Select the GRE Tunnel tab from the GRE configuration page to enter the GRE tunnel configuration page, as shown in Figure 3-5. You can click Create to create a GRE tunnel or click Configure to configure an existing GRE tunnel.

Figure 3-5 GRE tunnel configuration page

Table 3-1 GRE tunnel configuration items
1 Tunnel No.: Type the number of the tunnel interface.
2 IP Address: Type the IP address of the tunnel interface.

3 Mask: Type the mask of the tunnel interface.
4 Source: Type the source address or interface of the tunnel interface. After creating a tunnel interface, you need to specify the source address or interface of the tunnel interface, that is, the address of the real interface for sending GRE packets. The source address and destination address of a tunnel uniquely identify a path. They must be configured at both ends of the tunnel, and the source address at one end must be the destination address at the other end and vice versa.
5 Destination IP: Type the destination address of the tunnel interface. The destination address of a tunnel is the IP address of the physical interface receiving GRE packets, which must be consistent with the source address specified for the remote tunnel interface. Furthermore, be sure that there is a route to the remote physical interface.
6 Zone: Select the zone to add the tunnel interface to. The firewall uses security zones to identify the connected networks. An interface of the firewall must be added to the corresponding security zone to communicate with other devices.

Advanced configuration (click Display Advanced to configure advanced items)

7 Checksum: Select this box to enable the GRE end-to-end checksum function. With checksum enabled, the system can verify the validity of GRE packets and drop the unqualified ones. You can enable or disable the checksum function at either end of a tunnel as needed. If the checksum function is enabled at the local end but not at the remote end, the local end calculates the checksum of each packet it sends but does not check the checksum of received packets. Conversely, if the checksum function is enabled at the remote end but not at the local end, the local end checks the checksum of each received packet but does not calculate a checksum for the packets it sends.
8 Key: Select this option and type a key in the text box. By implementing this weak security mechanism, you can prevent a tunnel interface from mistakenly identifying and receiving GRE packets from places other than its peer. The key must be the same at both ends of a tunnel; otherwise, packets delivered over the tunnel are dropped.

9 Keepalive: Select this box to enable the GRE keepalive function. With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets from the tunnel interface periodically. If no response is received from the peer within the specified interval, the device retransmits the keepalive packet. If the device still receives no response from the peer after the keepalive packet has been transmitted the maximum number of times, the local tunnel interface goes down.
Keepalive Period(s): Type the interval for transmitting keepalive packets.
Keepalive Retries: Type the maximum number of keepalive packet transmission attempts.
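As an added example (not the firewall's implementation) of the GRE module behaviour described in this chapter and in items 7 and 8 of Table 3-1, the following Python code builds and checks a GRE header carrying the optional checksum, key and sequence number. The IPX payload bytes and the key value are constructed; treating a key present on only one side as a mismatch, and dropping a sequence number that goes backwards, are this example's assumptions.

```python
"""GRE header handling as the GRE module in this chapter describes it.

Added illustration, not the firewall's implementation. It builds and parses
the GRE header (RFC 2784 with the RFC 2890 key and sequence extensions)
around a passenger packet; the delivery IP header is left to the IP module.
Receiving follows Table 3-1: a configured key must match or the packet is
dropped; a checksum is verified whenever the sender included one, while the
local Checksum setting only decides whether outgoing packets carry one.
Assumptions of this example: a key carried by only one side is a mismatch,
and a sequence number lower than the expected one is dropped.
"""
import struct
from typing import Optional, Tuple

GRE_FLAG_C = 0x8000       # Checksum Present
GRE_FLAG_K = 0x2000       # Key Present
GRE_FLAG_S = 0x1000       # Sequence Number Present
GRE_VERSION_MASK = 0x0007  # must be 0 for GRE
ETHERTYPE_IPX = 0x8137    # passenger protocol type for IPX


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, *, checksum: bool = False,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Prepend a GRE header. `checksum` and `key` mirror the local tunnel
    interface's Checksum and Key settings (key=None means Key disabled)."""
    flags, options = 0, b""
    if checksum:
        flags |= GRE_FLAG_C
        options += b"\x00\x00\x00\x00"   # Checksum + Reserved1, filled in below
    if key is not None:
        flags |= GRE_FLAG_K
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        options += struct.pack("!I", seq)
    packet = struct.pack("!HH", flags, proto) + options + payload
    if checksum:
        # The checksum covers the GRE header and payload with the field zeroed.
        packet = packet[:4] + struct.pack("!H", inet_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, *, expected_key: Optional[int] = None,
                    expect_seq: Optional[int] = None) -> Tuple[int, bytes, Optional[int]]:
    """Check key, checksum and sequence number, then strip the GRE header.
    Returns (protocol type, payload, next expected sequence number) and
    raises ValueError wherever the GRE module would drop the packet."""
    if len(packet) < 4:
        raise ValueError("drop: truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("drop: GRE version is not 0")
    hdr_len = 4 + sum(4 for f in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & f)
    if len(packet) < hdr_len:
        raise ValueError("drop: truncated GRE options")
    offset, csum, key, seq = 4, None, None, None
    if flags & GRE_FLAG_C:
        csum = struct.unpack("!H", packet[4:6])[0]
        offset += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:                               # Table 3-1, item 8
        raise ValueError("drop: GRE key mismatch")
    if csum is not None:                                  # Table 3-1, item 7
        if inet_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != csum:
            raise ValueError("drop: GRE checksum error")
    if seq is not None and expect_seq is not None and seq < expect_seq:
        raise ValueError("drop: GRE sequence number went backwards")
    return proto, packet[offset:], None if seq is None else seq + 1


def gre_receive(packet: bytes, **settings) -> Optional[bytes]:
    """The payload if the packet is accepted, None if it would be dropped."""
    try:
        return gre_decapsulate(packet, **settings)[1]
    except ValueError:
        return None


# Constructed sample passenger packet (fake IPX bytes) and an ad hoc key value.
SAMPLE_PAYLOAD = b"\xff\xff\x00\x1e\x00\x00" + b"IPX sample"
SAMPLE_KEY = 0x2A

if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_PAYLOAD, ETHERTYPE_IPX, checksum=True, key=SAMPLE_KEY, seq=7)
    print("accepted with matching key:", gre_receive(pkt, expected_key=SAMPLE_KEY) == SAMPLE_PAYLOAD)
    print("dropped with wrong key:", gre_receive(pkt, expected_key=SAMPLE_KEY + 1) is None)
```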

Chapter 4 PKI Configuration

4.1 PKI Overview

Introduction to PKI

Public Key Infrastructure (PKI) is a system designed for providing information security through public key technologies and digital certificates and for verifying the identities of the digital certificate owners. It combines hardware, software and security policies and provides a full set of security mechanisms.

PKI employs digital certificates, which are bindings of certificate owner identity information and public keys. PKI allows users to flexibly adopt encryption and digital signature technologies in a variety of network environments, guaranteeing the confidentiality, integrity and validity of data. Data confidentiality means that the data is not visible to unauthorized users during transmission; data integrity means that the data cannot be tampered with while it is transmitted; data validity means that the data cannot be repudiated.

A PKI system consists of digital certificates, a certificate authority (CA), a registration authority (RA), a PKI repository, and the public key technology, as shown in Figure 4-1.

Figure 4-1 PKI architecture (PKI application, digital certificate, CA, RA, PKI repository)

A CA is a trusted entity responsible for issuing and managing digital certificates. An RA provides functions including identity authentication and CRL management. A PKI repository stores and manages information such as certificates and logs while providing a simple query function.

A digital certificate, also known as a public key certificate (PKC), is an authentication-specific technology built on public key technology. It is the basis of PKI applications and the security guarantee of PKI systems. A digital certificate is a file signed by a CA that contains a public key and the related user identity information. Entities can use certificates as their identities for communications and transactions over the Internet. A certificate has a lifetime. A CA can revoke a certificate before it expires.

Related Terms

Public key algorithm: An algorithm that uses two different keys for encryption and decryption respectively: one is open to the public and is therefore called the public key, and the other is kept secret and is therefore called the private key. Data encrypted by one key of the pair can only be decrypted by the other. During communications, the sender signs data with its private key and the intended receiver uses the public key of the sender to verify the signature; or the sender encrypts data with the public key of the intended receiver and the intended receiver uses its private key to decrypt the data.

CA: A trusted entity responsible for issuing and managing digital certificates. A CA receives certificate requests, verifies the applicant's identity information based on CA policies, signs certificates with its private key, and issues the certificates.

RA: An extended part of a CA. On the one hand, an RA forwards certificate requests from entities to a CA. On the other hand, it forwards certificates and CRLs issued by the CA to an LDAP server to provide directory navigation and querying services.

Lightweight Directory Access Protocol (LDAP): A protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides a directory navigation service. From an LDAP server, an entity can retrieve its own local and CA certificates as well as the certificates of other entities.

Certificate revocation list (CRL): An existing certificate may need to be revoked when, for example, the certificate expires, the private key leaks, or the user stops the business. Whenever a certificate is revoked, the CA publishes one or more CRLs to announce that the certificate is invalid. The CRLs contain the serial numbers of all revoked certificates and provide an effective way of checking the validity of certificates. Stored in databases on the LDAP server, CRLs provide a centralized way of notifying users and other applications of invalid certificates.

Main Applications

As a set of security services offered by using public key technology and X.509 certificates in distributed systems, PKI can issue certificates for various purposes such as Web user authentication, Web server authentication, secure e-mail using the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, Virtual Private Network (VPN), IPSec, Internet Key Exchange (IKE), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital signature. Certificates can also be issued by one CA to another CA to form a certificate hierarchy.

4.2 PKI Configuration Tasks

Select VPN > PKI from the navigation tree to enter the PKI configuration page, as shown in Figure 4-2.

Figure 4-2 PKI configuration page

Complete the following tasks to configure PKI:
Configuring a PKI Entity: Select the PKI Entity tab to enter the PKI entity configuration page, where you can create a PKI entity or configure an existing PKI entity.
Configuring a PKI Domain: Select the PKI Domain tab to enter the PKI domain configuration page, where you can create a PKI domain or configure an existing PKI domain.
Configuring a Certificate: Select the Certificate tab to enter the certificate configuration page, where you can request or query certificates, or perform other certificate-related operations.

4.3 PKI Configuration Details

Configuring a PKI Entity

Select the PKI Entity tab from the PKI configuration page to enter the PKI entity configuration page, as shown in Figure 4-3. You can create a PKI entity or configure an existing PKI entity.

Figure 4-3 PKI entity configuration page

Table 4-1 PKI entity configuration items
1 Entity Name: Type the name of the entity. A PKI entity includes a variety of local attributes.
2 Common Name: Type the common name of the entity. You must configure a common name for a PKI entity.
3 FQDN: Type the fully qualified domain name (FQDN) of the entity. An FQDN is the unique identifier of an entity on a network.
4 Country: Type the code of the country that the entity belongs to. It is a standard 2-character code, for example, CN for China and US for the United States of America.
5 State: Type the name of the state or province that the entity belongs to.
6 Locality: Type the name of the geographical locality that the entity belongs to, for example, a city name.
7 Organization: Type the name of the organization that the entity belongs to.
8 Unit: Type the name of the organization unit that the entity belongs to.
9 IP Address: Type the IP address of the entity.

Currently, up to two PKI entities can be created on a device.

Configuring a PKI Domain

Select the PKI Domain tab from the PKI configuration page to enter the PKI domain configuration page, as shown in Figure 4-4. You can click the Create button to create a PKI domain or click the Configure button to configure an existing PKI domain.

Figure 4-4 PKI domain configuration page

Table 4-2 PKI domain configuration items
1 Domain Name: Type the name of the PKI domain.
2 CA Identifier: Type the name of the trusted CA.
3 PKI Entity Name: Select the entity for requesting certificates.
4 Registration Organization: Select the authority for registration (CA or RA). An RA is an extended part of a CA. It records and inspects information about certificate applicants and issues certificates; it does not sign certificates. In some smaller PKI systems, a CA takes over the responsibilities of an RA. In this case, no independent RA is required.
5 Request URL: Type the URL of the server through which the device requests certificates using the SCEP protocol. SCEP is specifically designed for communications with CAs.
6 LDAP Server IP: Type the IP address of the LDAP server when certificates are stored on an LDAP server. In a PKI system, the storage of certificates and CRLs is crucial, and an LDAP server is usually deployed to store them.
7 Port Number: Type the port number of the LDAP server.
8 Version Number: Select the LDAP version number.
9 Request Mode: Select the certificate request mode (Manual or Auto). In Auto mode, if the device has no certificates locally, it automatically requests a certificate from an RA and automatically requests a new certificate when the original certificate is about to expire. In Manual mode, certificate requests must be completed manually.
10 Password Encryption: Select this box to use a password for certificate revocation. This option is available only when the certificate request mode is set to Auto.
11 Password: Type the password for certificate revocation. This option is available only when the certificate request mode is set to Auto.
12 RSA Key Length: Type the length of the RSA key. This option is available only when the certificate request mode is set to Auto.

152 Web-Based Configuration Manual VPN Configuration Chapter 4 13 Finger Print Algorithm Select the hash algorithm for validating the CA root certificate. Upon receiving the root certificate of the CA, the firewall needs to validate the fingerprint of the root certificate, namely the hash value of the root certificate content. This hash value is unique to every certificate. The firewall will reject the root certificate if the fingerprint of the root certificate does not match the one configured here. A fingerprint can be an MD5 one or an SHA1 one. This option is available only when the certificate request mode is set to Auto. 14 Finger Print Type the fingerprint of the CA root certificate. An MD5 fingerprint must be a hexadecimal string of 32 characters, and an SHA1 fingerprint must be a hexadecimal string of 40 characters. This option is available only when the certificate request mode is set to Auto. Advanced configuration (Click Show Advance to configure advanced items) 15 Polling Count Type the maximum number of attempts to poll the status of the certificate request. After an applicant makes a certificate request, the CA may need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. 16 Polling Interval (minutes) Type the interval for querying the request status. After an applicant makes a certificate request, the CA may need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. 17 Enable CRL Check Select the box to enable CRL checking. 4-6

153 Web-Based Configuration Manual VPN Configuration Chapter 4 18 CRL Update Period(hour(s)) Type the CRL update period. The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server. The CRL update period configured manually is prior to that specified in the CRLs. This option is available only when CRL checking is enabled. 19 URL of CRL Type the URL of the CRL distribution point. This option is available only when CRL checking is enabled. Currently, up to two PKI domains can be created on a device Configuring a Certificate Select the Certificate tab from the PKI configuration page to enter the certificate configuration page, as shown in Figure 4-5. Figure 4-5 Certificate configuration page Table 4-3 Certificate configuration items 1 Create RSA Key 2 Request Certificate 3 Request CRL List Click this button to have the system generate an RSA key pair. Click this button to enter the certificate request page, where you can select a PKI domain from the Domain Name drop-down list and select a type from the Certificate Type drop-down list to request a CA or local certificate. Before requesting a certificate, you need to create an RSA key pair and configure the PKI entity and PKI domain properly. Click this button to obtain CRLs from the specified place. Before obtaining CRLs, you need to obtain the CA certificate and local certificate. 4-7

154 Web-Based Configuration Manual VPN Configuration Chapter 4 4 Check CRL List 5 Check Certificate 6 Delete Certificate Click this button to view the CRLs that have been downloaded and stored locally. Click this button to view the contents of a selected certificate. Click this button to delete a selected certificate. 4-8
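As an added illustration of items 13 and 14 of Table 4-2 (example code, not from this manual or from H3C), the following Python shows how a root certificate fingerprint check can be implemented: the configured fingerprint is normalized and length-checked for the chosen algorithm, the certificate content is hashed, and the two digests are compared in constant time. The certificate bytes are a constructed stand-in for the DER content received from the CA, and all function names are the example's own.

```python
"""Validate a CA root certificate against a configured fingerprint.

Added example, not H3C code. It mirrors items 13 and 14 of the PKI domain
configuration: the firewall hashes the received root certificate with the
configured algorithm (MD5 or SHA1) and rejects it if the digest differs.
"""
import hashlib
import hmac
import re

# Accepted fingerprint algorithms and the hex digest length each requires.
FINGERPRINT_HEX_LENGTH = {"md5": 32, "sha1": 40}


def normalize_fingerprint(algorithm: str, fingerprint: str) -> str:
    """Return the fingerprint as lowercase hex without separators.

    Raises ValueError when the algorithm is unsupported or the string is
    not a hexadecimal string of the length that algorithm requires.
    """
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_HEX_LENGTH:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    # Operators often paste fingerprints with colons or spaces between bytes.
    cleaned = re.sub(r"[\s:]", "", fingerprint).lower()
    expected_len = FINGERPRINT_HEX_LENGTH[algorithm]
    if len(cleaned) != expected_len or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(
            f"{algorithm} fingerprint must be a hexadecimal string of "
            f"{expected_len} characters"
        )
    return cleaned


def certificate_fingerprint(algorithm: str, cert_der: bytes) -> str:
    """Hash the DER-encoded certificate content with the chosen algorithm."""
    return hashlib.new(algorithm.lower(), cert_der).hexdigest()


def root_certificate_accepted(algorithm: str, configured: str, cert_der: bytes) -> bool:
    """Return True only if the received root certificate matches the configured fingerprint.

    The comparison is constant-time so the check does not reveal how many
    leading characters of the digest matched.
    """
    expected = normalize_fingerprint(algorithm, configured)
    actual = certificate_fingerprint(algorithm, cert_der)
    return hmac.compare_digest(expected, actual)


# Constructed sample: stands in for the DER bytes of a CA root certificate
# obtained through SCEP. A real certificate would be parsed from the response.
SAMPLE_ROOT_CERT = b"-- constructed root certificate bytes --"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_ROOT_CERT).hexdigest()

if __name__ == "__main__":
    print("matching fingerprint accepted:",
          root_certificate_accepted("SHA1", SAMPLE_SHA1, SAMPLE_ROOT_CERT))
    tampered = SAMPLE_ROOT_CERT + b"x"
    print("tampered certificate accepted:",
          root_certificate_accepted("SHA1", SAMPLE_SHA1, tampered))
```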

System Report

Web-Based Configuration Manual System Report Table of Contents

Chapter 1 Log Configuration
  1.1 Information Center Overview
  1.2 Configuring the Log Host
    Log Host Configuration Tasks
    Log Host Configuration Details
  1.3 Configuring the Log Buffer
  1.4 Viewing the Log Information
  1.5 Firewall Log Statistics
    Introduction to Firewall Log Statistics
    Log Statistics Configuration Tasks
Chapter 2 Flow Statistics
  2.1 Configuring Flow Statistics
    Flow Statistics Configuration Tasks
    Flow Statistics Configuration Details
  Viewing Flow Statistics

Web-Based Configuration Manual System Report Chapter 1 Log Configuration

Chapter 1 Log Configuration

1.1 Information Center Overview

As an indispensable part of the main software of the firewall, the information center acts as the information hub of the firewall. It manages most information outputs, sorts the information, and hence can filter the information efficiently. Coupled with the debug program, the information center provides powerful support for network administrators and developers to monitor network operation conditions and diagnose network faults.

The information center of the system features the following:

- Three types of information, namely log information, trap information, and debug information.
- Eight severity levels to allow hierarchical filtering.
- Ten channels, with the first six channels (Channels 0 through 5) having default channel names and being associated with six output directions by default. The channel names and the associations between channels and output directions can be changed through commands.
- Six information output directions, including console, telnet terminal and console terminal (monitor), logbuffer, loghost, trapbuffer, and SNMP.
- A variety of protocol modules, board drivers, and configuration modules. The information can be classified and filtered based on the source modules.
- Each information header consists of fixed parts, which are the time stamp, information source module, information level, slot number of the information source, and information summary.

To sum up, the major task of the information center is to output the three types of information from the modules to the ten channels based on the eight severity levels and the user's settings, and then redirect the ten information channels to the six output directions.

1.2 Configuring the Log Host

Log Host Configuration Tasks

Select System View > InfoCenter > Loghost from the navigation tree to enter the log host configuration page, as shown in Figure

Figure 1-1 Log host configuration page

Complete these tasks to configure a log host:

- Configuring a log host: Select the LogHost tab to create a log host through the Wizard, or configure an existing log host.
- Configuring the log information: Select the LogInfo tab to configure the information output to the log hosts.

Log Host Configuration Details

I. Configuring a log host

Select the LogHost tab to enter the log host configuration page, as shown in Figure 1-2. Click Create to create a log host through the Wizard, or click Configure to configure an existing log host.

Figure 1-2 Log host configuration page

Select the InfoCenter Enable check box to enable the information center function and make the information center configuration take effect.

Table 1-1 Log host configuration items in the Wizard page

Wizard page: Set Logging Host IP Address
- Logging Host IP Address: Specify the IP address of the log host to which the log information will be sent.
- Logging Host Facility: Select a log host tool.

Wizard page: Set Language Environment of Logging Host
- Language Environment: Select a language for the log information.

II. Configuring the log information

Select the LogInfo tab to enter the log information configuration page, as shown in Figure 1-3.

Figure 1-3 Log information configuration page

Table 1-2 Log information configuration items

1 Log information level: Select a log information level.
2 Source address of packets sent to Loghost: Select the source IP address of the packets to be sent to the log host. Configure a different source address for each device so that you can tell which device a log message came from, which makes searching the log information easier.
3 Time stamp type of log information: Select the time stamp format of the log information sent to the log host.
  - Date: the time stamp is a date with the year.
  - No-year-date: the time stamp is a date without the year.
  - None: no time stamp.

1.3 Configuring the Log Buffer

Select System View > InfoCenter > LogBuffer from the navigation tree to enter the log buffer configuration page, as shown in Figure 1-4. Click Clear All to clear the log buffer.

Figure 1-4 Log buffer configuration page

Table 1-3 Log buffer configuration items

1 Size of log buffer: Specify the size of the log buffer.
2 Time stamp of log information: Select the format of the time stamp of the log information output to the terminal and log buffer.
  - Boot: absolute time stamp in the format xxxxxx.yyyyyy, where xxxxxx is the high-order 32 bits and yyyyyy the low-order 32 bits of the number of milliseconds elapsed since the system booted.
  - Date: date-type time stamp in the format mm/dd/yyyy-hh:mm:ss.
  - None: no time stamp.

1.4 Viewing the Log Information

Select System View > Log View from the navigation tree to enter the log information page. Select the Interface tab to view the interface information (such as up or down), or select the Security tab to view the system security log information, as shown in Figure 1-5.

Figure 1-5 Log information page

1.5 Firewall Log Statistics

Introduction to Firewall Log Statistics

I. Log categories

The H3C SecPath series firewalls log all kinds of attacks and events and provide logs and statistics information with a standardized format and contents and a consistent style. The H3C SecPath series firewalls support the following log categories:

- NAT/ASPF log
- Defense log
- Statistics log
- Blacklist log
- Address binding log

II. About log output on the firewall

Figure 1-6 illustrates the log output modes.

Figure 1-6 Log output on the firewall (the figure shows NAT/ASPF log information output as binary logs to the log server, while defense, statistics, blacklist, and address binding log information is passed to the information center, which redirects it to the terminal, console, or buffers, or sends it as syslog logs to the log server)

On a SecPath firewall, the amount of information in the defense log, statistics log, blacklist log, and address binding log is small. Therefore, these four types of log information are output in syslog format as text and must be managed and redirected by the information center, for example, displayed on the terminal screen or sent to the log server for storage and analysis.

Log Statistics Configuration Tasks

Select System View > Log Statistics from the navigation tree to enter the firewall log statistics page, as shown in Figure 1-7. Click Configure to configure the firewall log statistics utility.

Figure 1-7 Firewall log statistics

Complete these tasks to configure firewall log statistics:

- Enable Log Function of Inter-Zones: This feature is not supported for Web-based management currently.
- Set Scan-Time of Log Function: Click Configure to enter the log buffer scan time configuration page. You can set the intervals for scanning the defense log buffer and the statistics log buffer.
- Set Output Styles: This feature is not supported for Web-based management currently.
- Reset Log-Buffers: Click Configure to enter the log buffer clearing page, in which you can clear the defense log buffer and the statistics log buffer.
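The following added Python example (not code from this manual or from H3C) formats log messages according to the log host and log buffer items in Tables 1-2 and 1-3: syslog facility and severity numbering as in RFC 3164, filtering by log information level, and the Date, No-year-date and None time stamp layouts for the log host alongside the Boot, Date and None layouts for the log buffer. The severity and facility names and the exact log host Date and No-year-date layouts are assumptions; the mm/dd/yyyy-hh:mm:ss and xxxxxx.yyyyyy layouts are the ones the manual gives, and the sample time and messages are constructed.

```python
"""Log host and log buffer formatting per Tables 1-2 and 1-3.

Added example, not H3C code. Facility/severity numbering follows RFC 3164
syslog. Level and facility names and the log host "Date" / "No-year-date"
layouts are assumptions; the log buffer layouts are the ones the manual gives.
"""
from datetime import datetime

# Eight severity levels, most to least severe (assumed names, standard syslog order).
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Log host facilities selectable in the Wizard (assumed): local0 = 16 ... local7 = 23.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}


def syslog_priority(facility: str, severity: str) -> int:
    """PRI value carried in the <N> prefix of a syslog message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def loghost_timestamp(kind: str, when: datetime) -> str:
    """Time stamp for messages sent to the log host (Table 1-2, item 3)."""
    if kind == "Date":            # date with year (layout assumed)
        return when.strftime("%b %d %Y %H:%M:%S")
    if kind == "No-year-date":    # date without year, the classic syslog layout
        return when.strftime("%b %d %H:%M:%S")
    if kind == "None":            # no time stamp
        return ""
    raise ValueError(f"unknown log host time stamp type: {kind}")


def logbuffer_timestamp(kind: str, when: datetime, ms_since_boot: int) -> str:
    """Time stamp for the terminal and log buffer (Table 1-3, item 2)."""
    if kind == "Boot":
        # xxxxxx.yyyyyy: high-order and low-order 32 bits of the number of
        # milliseconds since the system booted.
        return f"{ms_since_boot >> 32}.{ms_since_boot & 0xFFFFFFFF}"
    if kind == "Date":
        return when.strftime("%m/%d/%Y-%H:%M:%S")
    if kind == "None":
        return ""
    raise ValueError(f"unknown log buffer time stamp type: {kind}")


def filter_by_level(messages, configured_level: str):
    """Keep messages at or above the configured level (Table 1-2, item 1)."""
    threshold = SEVERITIES[configured_level]
    return [m for m in messages if SEVERITIES[m["severity"]] <= threshold]


def build_loghost_message(facility, severity, ts_kind, when, source, text):
    """Assemble the line the firewall would send to the log host.

    source names the sending device (the syslog HOSTNAME field), which is
    what lets a collector tell one firewall's messages from another's.
    """
    ts = loghost_timestamp(ts_kind, when)
    prefix = f"<{syslog_priority(facility, severity)}>"
    return prefix + (ts + " " if ts else "") + f"{source} {text}"


# Constructed samples used by the demonstration below.
SAMPLE_TIME = datetime(2007, 3, 5, 14, 2, 9)
SAMPLE_MESSAGES = [
    {"severity": "critical", "text": "blacklist entry added"},
    {"severity": "debugging", "text": "packet trace"},
    {"severity": "warnings", "text": "TCP connections above upper limit"},
]

if __name__ == "__main__":
    for m in filter_by_level(SAMPLE_MESSAGES, "warnings"):
        print(build_loghost_message("local7", m["severity"], "No-year-date",
                                    SAMPLE_TIME, "192.0.2.1", m["text"]))
    print(logbuffer_timestamp("Boot", SAMPLE_TIME, (1 << 32) + 5))
```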

Web-Based Configuration Manual System Report Chapter 2 Flow Statistics

Chapter 2 Flow Statistics

2.1 Configuring Flow Statistics

Flow Statistics Configuration Tasks

Select System View > Flow Statistics > Configuration from the navigation tree to enter the flow statistics configuration page, as shown in Figure 2-1.

Figure 2-1 Flow statistics configuration page

Complete these tasks to configure flow statistics:

- Configuring system flow statistics: Select the System tab to set the number of connections and the flow percentage.
- Configuring security zone flow statistics: Select the Security Zone tab to configure flow statistics for a specific security zone.

Flow Statistics Configuration Details

I. Configuring system flow statistics

The system flow statistics function of your SecPath firewall allows you to set limits on the number of connections and on the flow percentage for the output of alarm information.

Select the System tab to enter the system flow statistics configuration page, as shown in Figure 2-2.

Figure 2-2 System flow statistics configuration page

Click Enable to enable the system flow statistics function; the system flow statistics configuration cannot take effect until the function is enabled.

Table 2-1 System flow statistics configuration items

1 Upper limit/lower limit for TCP: Set the upper and lower limits of the number of TCP connections. If the number of connections exceeds the upper limit, the system outputs an alarm; once the number of connections falls below the lower limit, the system is considered to have returned to the normal state.
2 Upper limit/lower limit for UDP: Set the upper and lower limits of the number of UDP connections. If the number of connections exceeds the upper limit, the system outputs an alarm; once the number of connections falls below the lower limit, the system is considered to have returned to the normal state.
3 TCP Percentage: Specify the TCP traffic percentage.
4 UDP Percentage: Specify the UDP traffic percentage.
5 ICMP Percentage: Specify the ICMP traffic percentage.
6 Alternate Percentage: Specify the variation range for packets of all protocols. If the actual traffic percentage of a protocol (TCP, UDP, ICMP, or any other protocol) exceeds the upper limit (the set traffic percentage plus the variation range) or is less than the lower limit (the set traffic percentage minus the variation range), the system outputs an alarm.
7 Check Time Value: Specify the interval at which the traffic percentages are checked.

II. Configuring security zone flow statistics

Your SecPath firewall allows you to configure the upper and lower limits of the number of TCP and UDP connections, and of the per-second rates of TCP and UDP connections, initiated to and from a security zone.

Select the Security Zone tab to enter the security zone based flow statistics configuration page. Select a security zone and then click Configure, as shown in Figure 2-3.

Figure 2-3 Security zone based flow statistics configuration page

Before the security zone flow statistics configuration can take effect, you need to select a zone direction from the drop-down list, and then click Enable to enable the flow statistics function based on security zone and IP address in the inbound or outbound direction.

Table 2-2 Security zone based flow statistics configuration items

1 IP/Zone: Select whether to perform the configuration based on IP address or on security zone.
2 Direction: Select a direction, inzone or outzone.
3 Connect Type: Select a connection type, TCP or UDP.
4 Statistics Type: Select a statistics type, connect-number or connect-speed.
5 Upper Limit: Specify the upper limit.
  - For security zone based flow statistics, the upper limit of the number of connections defaults to and ranges from 1 to
  - For IP address based flow statistics, the upper limit of the number of connections defaults to and ranges from 1 to
  - For security zone based flow statistics, the upper limit of the traffic rate defaults to and ranges from 1 to
  - For IP address based flow statistics, the upper limit of the traffic rate defaults to and ranges from 1 to
6 Lower Limit: Specify the lower limit.
  - For security zone based flow statistics, the lower limit of the number of connections defaults to and ranges from 1 to
  - For IP address based flow statistics, the lower limit of the number of connections defaults to and ranges from 1 to
  - For security zone based flow statistics, the lower limit of the traffic rate defaults to 9000 and ranges from 1 to
  - For IP address based flow statistics, the lower limit of the traffic rate defaults to 9000 and ranges from 1 to

Viewing Flow Statistics

Select System View > Flow Statistics > Query&Reset from the navigation tree to enter the flow statistics summary page, as shown in Figure 2-4. Select the System tab to view the system flow statistics; select the Security Zone tab to view the flow statistics of a security zone; select the IP tab and specify an IP address to view the flow statistics for that IP address.

Figure 2-4 Flow statistics summary page
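As an added example (not code from this manual or from H3C), the following Python models the alarm behaviour that Table 2-1 describes: a connection-count alarm with separate upper and lower limits, so that it raises when the count exceeds the upper limit and clears only once the count has dropped below the lower limit, and a traffic-share check against each protocol's configured percentage plus or minus the Alternate Percentage. The limits, share configuration and packet counts are constructed sample values, and the class and function names are the example's own.

```python
"""Threshold alarms for system flow statistics (Table 2-1).

Added example, not H3C code. A connection-count alarm fires when the count
exceeds the upper limit and clears only after the count drops below the lower
limit; a percentage alarm fires when a protocol's share of traffic leaves the
band [configured percentage - variation, configured percentage + variation].
"""
from dataclasses import dataclass


@dataclass
class ConnectionLimit:
    """Upper/lower limits for one protocol's connection count (items 1 and 2)."""
    protocol: str
    upper: int
    lower: int
    alarmed: bool = False

    def __post_init__(self):
        if self.lower > self.upper:
            raise ValueError("lower limit must not exceed upper limit")

    def observe(self, connections: int) -> str:
        """Feed one sample; return 'alarm', 'recovered' or 'none'.

        Between the two limits the previous state is kept, which is what
        stops a count hovering around a single threshold from flapping.
        """
        if connections > self.upper and not self.alarmed:
            self.alarmed = True
            return "alarm"
        if connections < self.lower and self.alarmed:
            self.alarmed = False
            return "recovered"
        return "none"


@dataclass
class PercentageCheck:
    """Configured traffic shares plus the variation range (items 3 to 6)."""
    expected: dict      # protocol name -> configured percentage
    variation: float    # Alternate Percentage

    def check(self, packet_counts: dict) -> list:
        """Return the protocols whose actual share lies outside its band."""
        total = sum(packet_counts.values())
        if total == 0:
            return []   # nothing observed in this check interval: no alarm
        out_of_band = []
        for proto, target in self.expected.items():
            actual = 100.0 * packet_counts.get(proto, 0) / total
            if actual > target + self.variation or actual < target - self.variation:
                out_of_band.append(proto)
        return out_of_band


def run_tcp_samples(limit: ConnectionLimit, counts) -> list:
    """Apply the samples in order and collect the event raised for each."""
    return [limit.observe(c) for c in counts]


# Constructed samples: a TCP burst that crosses a 10000/8000 limit pair, and a
# share configuration of 70 % TCP, 20 % UDP, 10 % ICMP with a +/- 5 % band.
SAMPLE_TCP_COUNTS = [7000, 9500, 10500, 9000, 7900, 7500]
SHARES = PercentageCheck({"TCP": 70, "UDP": 20, "ICMP": 10}, variation=5)
SAMPLE_PACKETS = {"TCP": 660, "UDP": 280, "ICMP": 60}   # UDP at 28 %: too high

if __name__ == "__main__":
    print(run_tcp_samples(ConnectionLimit("TCP", 10000, 8000), SAMPLE_TCP_COUNTS))
    print("out of band:", SHARES.check(SAMPLE_PACKETS))
```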

Commonly Used Utilities

Web-Based Configuration Manual Commonly Used Utilities Table of Contents

Chapter 1 Commonly Used Utilities
  1.1 Ping
  1.2 Tracert

Web-Based Configuration Manual Commonly Used Utilities Chapter 1 Commonly Used Utilities

Chapter 1 Commonly Used Utilities

1.1 Ping

The Web-based management interface of your SecPath firewall provides two network utilities, ping and tracert, which facilitate network troubleshooting.

The ping utility is primarily used to check network connectivity or host reachability. The output of the command includes:

- The response to each ping packet. If the system receives no response packet within the specified period of time, it outputs a message indicating that the request has timed out; otherwise, it displays the number of bytes of data, the sequence number, the TTL value, and the response time of each response packet.
- Ping statistics, including the number of packets sent, the number of packets received, the percentage of packet loss, and the minimum, maximum, and average response times.

Select Tools from the navigation tree, and then select the Ping tab to enter the ping operation page, as shown in Figure 1-1. Type the IP address of the target host, and then click Start. The result is displayed in the Summary section. Figure 1-1 shows the result of a successful ping, and Figure 1-2 shows the result of an unsuccessful ping.

Figure 1-1 Output of a successful ping

Figure 1-2 Output of an unsuccessful ping

1.2 Tracert

The tracert utility is used to identify the gateways that tracert packets pass through on their way to the destination. From the output of the utility, you can check whether a network connection is normal and locate possible network problems.

The execution process of the tracert utility is as follows:

- The source host sends a packet with a TTL of 1. The first hop discards the packet and sends back an ICMP time exceeded message.
- The source host sends another packet with a TTL of 2. The second hop sends back an ICMP time exceeded message.
- The source host repeats this process until a packet reaches the destination.

The aim of the above process is to record the source addresses of the ICMP time exceeded messages and thereby figure out the path a packet takes to reach the destination. Generally, no application program listens on the port number in the UDP packets sent by the tracert program, so the destination returns a port unreachable message to the source upon receiving the tracert packet. When the tracert program receives the port unreachable message, the whole process is complete.

Select Tools from the navigation tree, and then select the Tracert tab to enter the tracert operation page, as shown in Figure 1-3. Type the IP address of the target host, and then click Start. The result is displayed in the Summary section. From the output of the utility, you can view the gateways on the path from the source to the destination, as shown in Figure 1-3.

Figure 1-3 Output of the tracert command
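The following added Python example (not code from this manual or from H3C) simulates the tracert process described above over a constructed three-hop path: each probe carries an increasing TTL, the router at which the TTL expires answers with ICMP time exceeded, and the destination answers the UDP probe with port unreachable. The router addresses, the "*" marker for a hop that never answers, and the base port 33434 are the example's own choices.

```python
"""Simulation of the tracert process: TTL walk, ICMP time exceeded, port unreachable.

Added example, not H3C code. A constructed path of routers forwards a UDP
probe, decrementing its TTL at each hop; the hop where the TTL reaches 0
answers ICMP time exceeded, and the destination answers ICMP port unreachable
because nothing listens on the probe's UDP port.
"""
from dataclasses import dataclass

TRACERT_BASE_PORT = 33434   # conventional UDP base port used by traceroute tools


@dataclass
class Probe:
    """UDP probe sent by the source host."""
    ttl: int
    dst: str
    dport: int


@dataclass
class IcmpReply:
    """ICMP message returned to the source host."""
    sender: str
    kind: str   # "time_exceeded" or "port_unreachable"


def forward(path, probe, silent=frozenset()):
    """Push one probe along the constructed path and return the ICMP reply.

    path lists the router addresses in order and ends with the destination.
    Each router decrements the TTL; the router at which it reaches 0 discards
    the probe and answers time exceeded, unless it is in `silent`, in which
    case None models a timeout. A probe that survives every router is
    delivered to the destination, which answers port unreachable.
    """
    ttl = probe.ttl
    for hop in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return None if hop in silent else IcmpReply(hop, "time_exceeded")
    return IcmpReply(path[-1], "port_unreachable")


def tracert(path, max_hops=30, silent=frozenset()):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one.

    Returns the list of replying addresses in hop order; "*" marks a hop that
    never answered. The walk stops at the port unreachable reply, or after
    max_hops probes if the destination is never reached.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(path, Probe(ttl, path[-1], TRACERT_BASE_PORT), silent)
        if reply is None:
            hops.append("*")
            continue
        hops.append(reply.sender)
        if reply.kind == "port_unreachable":
            break   # destination reached: the process is complete
    return hops


# Constructed path: two routers, then the destination host (documentation addresses).
SAMPLE_PATH = ["10.0.0.1", "10.0.1.1", "192.0.2.10"]

if __name__ == "__main__":
    for n, hop in enumerate(tracert(SAMPLE_PATH), start=1):
        print(f"{n:2d}  {hop}")
    print("with a silent second hop:", tracert(SAMPLE_PATH, silent={"10.0.1.1"}))
```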


More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module System Management Configuration Guide Part number: 5998-4216 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

H3C S5120-SI Switch Series

H3C S5120-SI Switch Series H3C S5120-SI Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1505 Document version: 6W101-20111108 Copyright 2011,

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series OpenFlow Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 213x Document version: 6W101-20151130 Copyright 2015, Hangzhou H3C

More information

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model Table of Contents RADIUS Configuration 1 Overview 1 Introduction to RADIUS 1 Client/Server Model 1 Security and Authentication Mechanisms 2 Basic Message Exchange Process of RADIUS 2 RADIUS Packet Format

More information

H3C SR6600 Routers. Layer 3 IP Services. Command Reference. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. Layer 3 IP Services. Command Reference. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100930-C-1.08 Product Version: SR6600-CMW520-R2420 Copyright 2007-2010,

More information

H3C SecPath Series Firewalls and UTM Devices

H3C SecPath Series Firewalls and UTM Devices H3C SecPath Series Firewalls and UTM Devices High Availability Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F100 series: ESS 5132 F1000-A-EI: Feature 3722

More information

Login management commands

Login management commands Contents Login management commands 1 CLI login configuration commands 1 display telnet client configuration 1 telnet 1 telnet ipv6 2 telnet server enable 3 User interface configuration commands 3 acl (user

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5103 Document version: 6W100-20110620 Copyright 2011,

More information

Overview 1. Service Features 1

Overview 1. Service Features 1 Table of Contents Overview 1 Service Features 1 Introduction 1 Feature List 1 Feature Introduction 3 Firewall Web Manual 3 Security Volume 12 Access Volume 14 IP Services Volume 15 IP Routing Volume 16

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5203P05 and Release 5203P12 Document version: 6W101-20150530

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-1813 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series MPLS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1201 and Later Document version: 6W101-20120903 Copyright 2012, Hangzhou

More information

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14 Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Logging in through Telnet 5 Telnetting to the switch 5 Telnetting from the switch to another device 7 Logging

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright

More information

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0 Configuration Guide TL-ER5120/TL-ER6020/TL-ER6120 1910012186 REV3.0.0 June 2017 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Viewing Status Information... 2 System

More information

Operation Manual SNMP. Table of Contents

Operation Manual SNMP. Table of Contents Table of Contents Table of Contents... 1-1 1.1 SNMP Overview... 1-1 1.1.1 Introduction to SNMP... 1-1 1.1.2 SNMP Versions and Supported MIB... 1-1 1.2 Configuring SNMP... 1-3 1.2.1 Setting Community Names...

More information

Layer 3 - IP Routing Command Reference

Layer 3 - IP Routing Command Reference H3C WA Series WLAN Access Points Layer 3 - IP Routing Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W100-20100910 Copyright 2010, Hangzhou H3C Technologies

More information

H3C S5820X&S5800 Series Ethernet Switches

H3C S5820X&S5800 Series Ethernet Switches H3C S5820X&S5800 Series Ethernet Switches Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W103-20100716 Product Version: Release 1110

More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5101 Document version: 6W100-20111031 Copyright 2011,

More information

H3C SecPath Series High-End Firewalls

H3C SecPath Series High-End Firewalls H3C SecPath Series High-End Firewalls Attack Protection Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATHF1000SAI&F1000AEI&F1000ESI-CMW520-R3721 SECPATH5000FA-CMW520-F3210

More information

H3C EPON. OLT Command Manual. Hangzhou H3C Technologies Co., Ltd. Manual Version: T M C-1.02

H3C EPON. OLT Command Manual. Hangzhou H3C Technologies Co., Ltd.   Manual Version: T M C-1.02 H3C EPON OLT Command Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08193M-20070415-C-1.02 Product Version: Release 5200 Series Copyright 2006-2007, Hangzhou H3C Technologies

More information

HP VSR1000 Virtual Services Router

HP VSR1000 Virtual Services Router HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

More information

Command Manual SNMP-RMON. Table of Contents

Command Manual SNMP-RMON. Table of Contents Table of Contents Table of Contents... 1-1 1.1 SNMP Configuration Commands... 1-1 1.1.1 display snmp-agent... 1-1 1.1.2 display snmp-agent community... 1-2 1.1.3 display snmp-agent group... 1-3 1.1.4 display

More information

IP806GA/GB Wireless ADSL Router

IP806GA/GB Wireless ADSL Router IP806GA/GB Wireless ADSL Router 802.11g/802.11b Wireless Access Point ADSL Modem NAT Router 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 Wireless ADSL Router Features...

More information

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract HP 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-3162 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright

More information

H3C S7500E Series Ethernet Switches. Network Management and Monitoring. Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C S7500E Series Ethernet Switches. Network Management and Monitoring. Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C S7500E Series Ethernet Switches Network Management and Monitoring Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100930-C-1.01 Product Version: Release

More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

H3C SR6600 Routers. MPLS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. MPLS Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers MPLS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100930-C-1.08 Product Version: SR6600-CMW520-R2420 Copyright 2007-2010, Hangzhou H3C

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice

More information

H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide

H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors

More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2220 Document version: 6W100-20130810 Copyright 2013,

More information

Effective with Cisco IOS Release 15.0(1)M, the ssg default-network command is not available in Cisco IOS software.

Effective with Cisco IOS Release 15.0(1)M, the ssg default-network command is not available in Cisco IOS software. ssg default-network ssg default-network Effective with Cisco IOS, the ssg default-network command is not available in Cisco IOS software. To specify the default network IP address or subnet and mask, use

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1126 and Later Document version: 20111130-C-1.01 Copyright 2011,

More information

H3C Intelligent Management Center

H3C Intelligent Management Center H3C Intelligent Management Center TACACS+ Authentication Manager Administrator Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: IMC TAM 7.3 (E0501) Document version: 5PW105-20170515

More information

Table of Contents 1 SNMP Configuration Commands RMON Configuration Commands 2-1

Table of Contents 1 SNMP Configuration Commands RMON Configuration Commands 2-1 Table of Contents 1 SNMP Configuration Commands 1-1 SNMP Configuration Commands 1-1 display snmp-agent 1-1 display snmp-agent community 1-1 display snmp-agent group 1-3 display snmp-agent mib-view 1-4

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

H3C SR8800-F Routers. Comware 7 BRAS Services Configuration Guide. New H3C Technologies Co., Ltd.

H3C SR8800-F Routers. Comware 7 BRAS Services Configuration Guide. New H3C Technologies Co., Ltd. H3C SR8800-F Routers Comware 7 BRAS Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: SR8800FS-CMW710-R7655P05 or later Document version: 6W100-20170825

More information

Configuring the Management Interface and Security

Configuring the Management Interface and Security CHAPTER 5 Configuring the Management Interface and Security Revised: February 15, 2011, Introduction This module describes how to configure the physical management interfaces (ports) as well as the various

More information

Operation Manual Login and User Interface. Table of Contents

Operation Manual Login and User Interface. Table of Contents Table of Contents Table of Contents Chapter 1 Switch Login... 1-1 1.1 Setting Up Configuration Environment Through the Console Port... 1-1 1.2 Setting Up Configuration Environment Through Telnet... 1-2

More information

HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine

HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Network Management and Monitoring Configuration Guide Part number: 5998-3936 Software version: 3308P26 Document version: 6W101-20130628 Legal

More information

H3C SecPoint User Manual

H3C SecPoint User Manual Hangzhou Huawei-3Com Technology Co., Ltd http://www.huawei-3com.com Manual Version: T2-08014Q-20060804-C-1.01 Copyright 2006, Hangzhou Huawei-3Com Technology Co., Ltd. and its licensors All Rights Reserved

More information

Logging in to the CLI

Logging in to the CLI Contents Logging in to the CLI 1 Login methods 1 Logging in through the console port 2 Introduction 2 Configuration procedure 2 Logging in through the AUX port 5 Configuration prerequisites 5 Configuration

More information

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:

More information

H Q&As. HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H Exam with 100% Guarantee

H Q&As. HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H Exam with 100% Guarantee H12-211 Q&As HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H12-211 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

Broadband Router. User s Manual

Broadband Router. User s Manual Broadband Router User s Manual 1 Introduction... 4 Features... 4 Minimum Requirements... 4 Package Content... 4 Note... 4 Get to know the Broadband Router... 5 Back Panel... 5 Front Panel... 6 Setup Diagram...7

More information

H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6600-CMW520-R2603 Document version: 20110627-C-1.11 Copyright 2007-2011, Hangzhou

More information

H3C S12500-X & S12500X-AF Switch Series

H3C S12500-X & S12500X-AF Switch Series H3C S12500-X & S12500X-AF Switch Series Layer 3 IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1135 and later Document version: 6W101-20151130

More information

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver LevelOne FBR-1416 1W, 4L 10/100 Mbps ADSL Router User s Manual Ver 1.00-0510 Table of Contents CHAPTER 1 INTRODUCTION... 1 FBR-1416 Features... 1 Package Contents... 3 Physical Details... 3 CHAPTER 2

More information

H3C SR6600 Routers DVPN Configuration Example

H3C SR6600 Routers DVPN Configuration Example H3C SR6600 Routers DVPN Configuration Example Keywords: DVPN, VPN, VAM, AAA, IPsec, GRE Abstract: This document describes the DVPN configuration example for the H3C SR6600 Routers Series. Acronyms: Acronym

More information

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003 ZyWALL 70 Internet Security Appliance Quick Start Guide Version 3.62 December 2003 Introducing the ZyWALL The ZyWALL 70 is the ideal secure gateway for all data passing between the Internet and the LAN.

More information

H3C S7500E-XS Switch Series

H3C S7500E-XS Switch Series H3C S7500E-XS Switch Series Layer 3 IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2418P05 Document version: 6W100-20150702 Copyright 2015

More information

H3C Firewall and UTM Devices L2TP VPN Virtual Firewall Configuration Examples (Comware V5)

H3C Firewall and UTM Devices L2TP VPN Virtual Firewall Configuration Examples (Comware V5) H3C Firewall and UTM Devices L2TP VPN Virtual Firewall Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced

More information

Configure SNMP. Understand SNMP. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series.

Configure SNMP. Understand SNMP. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series. Understand SNMP, page 1 Basic SNMP Components, page 2 SNMPv3 Support, page 3 SNMP Traps, page 4

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers Layer 2 - WAN Command Reference(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou

More information

H3C S6300 Switch Series

H3C S6300 Switch Series H3C S6300 Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2416 Document version: 6W100-20150126 Copyright 2015,

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information