H3C SecPath UTM Series. Configuration Examples. Hangzhou H3C Technologies Co., Ltd. Manual Version: 5W


Copyright 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors. All Rights Reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Technical Support
customer_service@h3c.com

About This Manual

Organization
H3C SecPath UTM Series Configuration Examples is organized as follows:
  Configuration Maintenance Example
  Signature Upgrade Configuration Example
  PPPoE Configuration Example
  NAT Configuration Example
  Layer 2 and Layer 3 Forwarding Configuration Examples
  DHCP Configuration Examples
  TR-069 Configuration Example
  Interzone Policy Configuration Example
  ARP Attack Protection Configuration Example
  Attack Protection Configuration Example (SmartBits)
  Bandwidth Management Configuration Example
  IPS Configuration Example
  Anti-Virus Configuration Example
  Flow Logging Configuration Example
  Protocol Auditing Configuration Example
  Protocol Auditing and SecCenter Configuration Example
  Anti-Spam Configuration Example
  URL Filtering Configuration Example
  IPsec Configuration Example
  L2TP Configuration Example

Conventions
The manual uses the following conventions.

Command conventions
  Boldface          The keywords of a command line are in Boldface.
  italic            Command arguments are in italic.
  [ ]               Items (keywords or arguments) in square brackets [ ] are optional.
  { x | y | ... }   Alternative items are grouped in braces and separated by vertical bars. One is selected.
  [ x | y | ... ]   Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
  { x | y | ... } * Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
  [ x | y | ... ] * Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
  &<1-n>            The argument(s) before the ampersand (&) sign can be entered 1 to n times.
  #                 A line starting with the # sign is a comment.

GUI conventions
  Boldface   Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
  >          Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
  Means reader be extremely careful. Improper operation may cause bodily injury.
  Means reader be careful. Improper operation may cause data loss or damage to equipment.
  Means an action or information that needs special attention to ensure successful configuration or good performance.
  Means a complementary description.
  Means techniques helpful for you to make configuration with ease.

Related Documentation
In addition to this manual, each H3C SecPath UTM series documentation set includes the following:
  H3C SecPath U200 Series Unified Threat Management Products Installation Manual: Briefly introduces the H3C SecPath U200 series Unified Threat Management products, and presents the methods for software maintenance, hardware maintenance, troubleshooting, preparations before installation, installation procedure, interface cards and interface modules.
  H3C SecPath U Series Unified Threat Management Products User Manual: Describes the features, operation fundamentals, and configuration commands of the H3C SecPath U series Unified Threat Management products, guides you through Web configuration, and provides command descriptions for supplementary configuration.

Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at this URL:
The following are the columns from which you can obtain different categories of product documentation:
  [Products & Solutions]: Provides information about products and technologies, as well as solutions.
  [Technical Support & Document > Technical Documents]: Provides several categories of product documentation, such as installation, configuration, and maintenance.
  [Technical Support & Document > Software Download]: Provides the documentation released with the software version.

Documentation Feedback
You can e-mail your comments about product documentation to [feedback address not reproduced in this transcription]. We appreciate your comments.

UTM Series Configuration Maintenance Example

Keywords: Configuration maintenance, backup
Abstract: The configuration maintenance module is used to save the configuration (with or without encryption), back up the configuration, restore the configuration, and restore the configuration to the factory defaults. You can easily implement configuration maintenance and management on the Web interface.
Acronyms: none

Table of Contents
  Feature Overview
  Application Scenarios
  Configuration Guidelines
  Configuration Maintenance Example
    Network Requirements
    Configuration Considerations
    Software Version Used
    Configuration Procedures
      Basic Configuration
      Configuration Maintenance
    Verification

Feature Overview
The configuration maintenance page has four tabs: Save, Backup, Restore, and Initialize. Saving the configuration can encrypt the saved file at the same time, in which case the saved file is displayed in cipher text. You can also back up and restore the configuration information on the configuration maintenance page. In addition, you can upgrade the system software and restart the system through the Web interface.

Application Scenarios
Configuration maintenance is used for routine device maintenance. When the configuration is changed, save it so that it is not lost on a power interruption. You can also back up the configuration for future restoration. To clear the configuration that you have made, restore the device to the factory defaults.

Configuration Guidelines
When upgrading the software, select a time range with little traffic to avoid affecting users.
When backing up or restoring the configuration, back up and restore the two files startup.cfg and system.xml together.

Configuration Maintenance Example

Network Requirements
Figure 1 Network diagram for configuration maintenance

Configuration Considerations
Interface GigabitEthernet 0/1 in the internal network is assigned the IP address /24, and resides in the Trust zone.

Software Version Used
F5118

Configuration Procedures

Basic Configuration

Assigning an IP address to an interface
1) Select Device Management > Interface from the navigation tree.
2) Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure GigabitEthernet 0/1 and click Apply, as shown in the following figure.

Adding GigabitEthernet 0/1 to the Trust zone
1) Select Device Management > Zone from the navigation tree.
2) Click the icon of Trust to enter the Modify Zone page. Add interface GigabitEthernet 0/1 to the Trust zone, and click Apply to return to the Zone page.

Configuration Maintenance

Saving the current configuration
1) Select Device Management > Maintenance from the navigation tree, click the Save tab, and click Apply to save the current configuration. The page displays a prompt that the system is saving the configuration.

2) To encrypt the saved configuration file, select Encrypt the configuration file before clicking Apply.

Backing up the current configuration
1) Select Device Management > Maintenance from the navigation tree, click the Backup tab, and click the Backup button.
2) In the popup dialog box, specify the path and file for storing the configuration, and click Save.

Restoring the configuration
1) Select Device Management > Maintenance from the navigation tree, click the Restore tab, and click the Browse button to specify the configuration file.
2) Click Apply to import the configuration file. The page displays a prompt after the import finishes. The restored configuration file takes effect at the next startup.

Restoring to the factory defaults
Select Device Management > Maintenance from the navigation tree, click the Initialize tab, and click the Restore Factory-Default Settings button.

Upgrading the software
Select Device Management > Software Upgrade from the navigation tree, and click the Browse button. Specify the upgrade file, and click Open.

Rebooting the device
Select Device Management > Reboot from the navigation tree, and click Apply.

Verification

Verifying configuration saving
After the current configuration is saved, the configuration information is not lost when you reboot the device. If the saved configuration file is encrypted, the configuration information in the file is displayed in cipher text.

Verifying configuration backup
You can back up the saved configuration file to a PC or other storage media.

Verifying configuration restoration
After the configuration file is imported, the Web page reports that the import succeeded. After the device is rebooted, the running configuration is consistent with the imported configuration file.

Verifying configuration restoration to the factory defaults
The system automatically reboots, deletes the current configuration information, and restores the factory defaults.

Verifying software upgrade
The system shows the upgrade in progress during the software upgrade. If you select Reboot after the upgrade is finished, the system reboots after the upgrade finishes. If you do not select it, you need to reboot the device manually.

Verifying device reboot
After you click Apply, the device automatically reboots. If you select Check whether the configuration is saved to the configuration file for next boot and click Apply, the system prompts you if the configuration is not saved, and does not reboot automatically.

Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

UTM Series Signature Upgrade Configuration Example

Keywords: Signature, signature database
Abstract: This document describes configuration examples of signature upgrade for UTM series devices.
Acronyms:
  UTM  Unified Threat Management
  AV   Anti-virus
  IPS  Intrusion Prevention System

Table of Contents
  Feature Overview
  Application Scenarios
  Configuration Guidelines
  Signature Upgrade Configuration Example
    Network Requirements
    Configuration Consideration
    Software Version Used
    Configuration Procedures
      Basic Configuration
      Configuring Signature Upgrade
    Verification
  References
    Related Documentation

Feature Overview
Signature databases maintain the attack signatures and virus signatures that the device can recognize. For security devices to work properly, their signature databases must therefore be kept current at the latest version. Signature databases can be upgraded either automatically or manually:
  Auto upgrade: Automatically obtains the latest signature files from a specified signature server at a specified interval, using a specific protocol.
  Manual upgrade: Lets you perform a signature upgrade when needed. You specify the protocol for obtaining the signature file, the server address, and the signature file name. Manual upgrade also lets you obtain any version of the signature file that is compatible with the device, and is generally performed within the LAN.

Application Scenarios
Signature upgrade is required where the signature database needs to be upgraded on UTM devices with IPS and anti-virus enabled.

Configuration Guidelines
When upgrading the signature databases, make sure that the current license file is valid and has not expired.
For automatic upgrade of the signature database, make sure the UTM device can reach the signature upgrade website.

Signature Upgrade Configuration Example

Network Requirements
As shown in Figure 1, the Device connects to the internal network /24 through GigabitEthernet 0/0 and to the external network through GigabitEthernet 0/2. You can log in to the IP address of GigabitEthernet 0/0 or GigabitEthernet 0/2 to configure auto upgrade of signatures, so that the Device automatically completes signature upgrade at a specified interval.
Figure 1 Network diagram for configuring signature upgrade

Configuration Consideration
  Manage the signature package version.
  Manually upgrade the signature package.
  Automatically upgrade the signature package.

Software Version Used
F5118

Configuration Procedures

Basic Configuration

Configuring interfaces
Assign the IP address /24 to GigabitEthernet 0/0, and add the interface to zone Trust. Assign the IP address /22 to GigabitEthernet 0/2, and add the interface to zone Untrust.
Figure 2 Configure interfaces

Configuring NAT
Configure dynamic NAT on GigabitEthernet 0/2, selecting ACL 3000 and Easy IP as the address translation mode.
Figure 3 Configure NAT
Configure a rule for ACL 3000 to permit packets sourced from /24.
Figure 4 Configure the ACL

Configuring a static route
Add a default static route with the next hop being the IP address of the gateway reached through the external interface.
Figure 5 Configure a default static route

Configuring DNS
Configure the IP address of the DNS server so that the signature upgrade website can be resolved.
Figure 6 Configure the IP address of the DNS server

Configuring Signature Upgrade
Perform signature upgrade configurations on the Application Security Policy page. To enter the page, select IPS AV Application Control > Advanced Configuration from the navigation tree and click the Application Security Policy link.
Figure 7 Application Security Policy page

Managing signature database versions
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. In the Current Version and History Version areas, you can view the current and previous version of each type of signature database. In the History Version area, click the icon to roll a signature database back to its previous version.

Figure 8 Current version and history version

Upgrading the signature database manually
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. You can upgrade signature databases manually in the Manual Upgrade area. Select IPS as the signature database type, select HTTP as the protocol, and click Browse to select the upgrade file.
Figure 9 Upgrade signature database manually
Click OK. The signature upgrade starts.
Figure 10 Upgrade progress indicator

Configuring auto upgrade of the signature database
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. You can configure auto upgrade parameters in the Auto Upgrade area. The leftmost list shows the types of signature databases; on the right side of the page you can enable or disable auto upgrade and set the time and interval of auto upgrade. For example, you can enable auto upgrade for the anti-virus signature database, set the first upgrade time to 17: and the upgrade interval to 3 days, and leave auto upgrade disabled for the IPS signature database.
Figure 11 Configure auto upgrade
Auto upgrade starts as scheduled, and the upgrade progress is indicated in the Manual Upgrade area.
Figure 12 Upgrade progress indicator

Verification
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. The IPS signature database is up to date after the manual upgrade, and the anti-virus signature database is up to date after the auto upgrade.

Figure 13 View signature database version

References
Related Documentation
Device Management in the Web configuration manual
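An added Python example, not from the manual or H3C, that models the operational checks this section implies: whether the license is still valid (the guidelines require it), when the next auto upgrade run falls given a first upgrade time and an interval, and which signature databases have gone stale or are left without auto upgrade (as the IPS database is in the example above, where it is upgraded manually). The dataclass and function names, the 17:00 first upgrade time, the 3-day interval, the version strings and all dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SignatureDb:
    kind: str                     # "IPS" or "AV", as listed on the Signature Upgrade page
    current_version: str          # value shown in the Current Version area (constructed here)
    updated_at: datetime          # when the current version was installed
    auto_upgrade: bool
    first_upgrade: Optional[datetime] = None
    interval_days: int = 1


@dataclass
class Finding:
    kind: str
    severity: str
    message: str


def next_auto_upgrade(db: SignatureDb, now: datetime) -> Optional[datetime]:
    """Next scheduled run: the first upgrade time, then every interval_days after it."""
    if not db.auto_upgrade or db.first_upgrade is None:
        return None
    if now <= db.first_upgrade:
        return db.first_upgrade
    period = timedelta(days=db.interval_days)
    periods_elapsed = (now - db.first_upgrade) // period   # whole intervals already passed
    return db.first_upgrade + (periods_elapsed + 1) * period


def audit_signatures(dbs: List[SignatureDb], license_expires: datetime, now: datetime,
                     max_age_days: int = 7) -> List[Finding]:
    """Flag an expired license, stale databases, and databases without auto upgrade."""
    findings: List[Finding] = []
    if license_expires <= now:
        findings.append(Finding("license", "high", "license expired: signature upgrades will fail"))
    for db in dbs:
        age = now - db.updated_at
        if age > timedelta(days=max_age_days):
            findings.append(Finding(db.kind, "high", f"{db.kind} signatures are {age.days} days old"))
        if not db.auto_upgrade:
            findings.append(Finding(db.kind, "medium",
                                    f"auto upgrade disabled for {db.kind}; manual upgrade required"))
    return findings


# Constructed device state mirroring the example: AV on auto upgrade (first run
# 17:00, every 3 days), IPS upgraded manually only. Dates are constructed.
NOW = datetime(2010, 6, 10, 9, 0)
LICENSE_EXPIRES = datetime(2011, 1, 1)
DATABASES = [
    SignatureDb("AV", "av-2010.06.07", datetime(2010, 6, 7, 17, 0), True,
                first_upgrade=datetime(2010, 6, 1, 17, 0), interval_days=3),
    SignatureDb("IPS", "ips-2010.05.20", datetime(2010, 5, 20, 10, 0), False),
]

if __name__ == "__main__":
    for db in DATABASES:
        print(db.kind, "next auto upgrade:", next_auto_upgrade(db, NOW))
    for f in audit_signatures(DATABASES, LICENSE_EXPIRES, NOW):
        print(f.severity, f.kind, f.message)
```

With this state the AV database is due again at 17:00 on the current day (three whole 3-day intervals after the first run), while the IPS database is reported both as stale and as lacking auto upgrade; lowering the license expiry below NOW adds the license finding, which is the condition the guidelines tell you to rule out first.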

UTM Series PPPoE Configuration Example

Keywords: PPPoE
Abstract: The PPPoE dial-up method is typically used for ADSL access, through which you can access resources on the public network.
Acronyms:
  PPPoE  Point-to-Point Protocol over Ethernet

Table of Contents
  Feature Overview
  Application Scenarios
  Configuration Guidelines
  PPPoE Configuration Example
    Network Requirements
    Configuration Considerations
    Software Version Used
    Configuration Procedures
      Basic Configurations
      Adding Interfaces to Zones and Configuring Inter-Zone Policies
      Configuring PPPoE
      Configuring NAT on the Outgoing Interface
    Verification
      Verifying the PPPoE Configuration
  References
    Related Documentation

Feature Overview
Point-to-Point Protocol (PPP) is a link layer protocol that carries network layer packets over point-to-point links. It gained popularity because it provides user authentication, supports synchronous and asynchronous communication, and is easy to extend. PPP contains a set of protocols, including the Link Control Protocol (LCP), the Network Control Protocol (NCP), and authentication protocols such as the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). LCP is responsible for establishing, tearing down, and monitoring data links; NCP negotiates the format and type of the packets carried over data links; PAP and CHAP provide network security.

Application Scenarios
PPPoE is often used by small and medium-sized enterprises for ADSL broadband access. You can use the PPPoE dialup function of the UTM device to access ADSL networks, and through them resources on the public network.

Configuration Guidelines
You can only create dialer interfaces through the interface management module. To set parameters such as the username, password, and bundled physical interfaces for a dialer interface, go to the PPPoE Web page.

PPPoE Configuration Example

Network Requirements
Figure 1 Network diagram for PPPoE dialup configuration

Configuration Considerations
Specify the private IP address of GigabitEthernet 0/2 as /24 and add the interface to the Trust zone. Configure GigabitEthernet 0/1 as a dialer interface and add the interface to the Untrust zone.
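The PAP and CHAP exchanges named above, as an added Python example that is not part of the manual and not H3C code. It models the difference that matters when a PPPoE username and password are configured on the dialer: PAP sends the password itself in the Authenticate-Request, whereas CHAP with the MD5 algorithm (RFC 1994) sends only MD5(Identifier || secret || Challenge), so a captured response is useless against a later challenge. The username, secret, and the server-side credential store are constructed; the function names are this example's own.

```python
import hashlib
import os
from typing import Optional

# Constructed credentials and server-side store for the example (not from the manual).
USERNAME = "pppoe-user"
SECRET = b"example-pppoe-secret"
SERVER_STORE = {USERNAME: SECRET}


def pap_authenticate_request(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: peer ID and password travel in clear text."""
    return {"code": "Authenticate-Request", "peer_id": username, "password": password}


def pap_server_check(request: dict, store: dict) -> bool:
    """PAP server side: compare the received password with the stored one."""
    return store.get(request["peer_id"]) == request["password"]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_exchange(client_secret: bytes, store: dict, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> dict:
    """One Challenge / Response / Success-or-Failure round.

    Returns what crossed the wire plus the server's verdict, so a caller can
    confirm that the secret itself never appears in either packet.
    """
    # Server -> client: Challenge packet carrying a fresh random value.
    challenge = challenge if challenge is not None else os.urandom(16)
    # Client -> server: Response packet carrying the MD5 value for that challenge.
    response = chap_response(identifier, client_secret, challenge)
    # Server recomputes the value from its own copy of the secret and compares.
    expected = chap_response(identifier, store[USERNAME], challenge)
    return {
        "challenge": challenge,
        "response": response,
        "success": response == expected,
        "secret_on_wire": client_secret in challenge + response,
    }


def replay_fails(store: dict) -> bool:
    """A response captured from one exchange does not satisfy a later challenge."""
    first = chap_exchange(SECRET, store, identifier=7)
    second_challenge = os.urandom(16)
    expected_second = chap_response(7, store[USERNAME], second_challenge)
    return first["response"] != expected_second


if __name__ == "__main__":
    print("PAP password visible on wire:", pap_authenticate_request(USERNAME, SECRET)["password"])
    result = chap_exchange(SECRET, SERVER_STORE)
    print("CHAP success:", result["success"], "secret on wire:", result["secret_on_wire"])
    print("captured CHAP response reusable:", not replay_fails(SERVER_STORE))
```

The server side of this model is the access concentrator; on the UTM side the only configuration is the username and password entered on the PPPoE client page, which is why the credential should be treated as a secret even when CHAP is negotiated: the peer still holds it in clear text.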

Software Version Used
F5118

Configuration Procedures

Basic Configurations

Configuring the IP address of GigabitEthernet 0/2
Select Device Management > Interface from the navigation tree. Click the icon of GigabitEthernet 0/2 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.

Configuring an ACL
Select Firewall > ACL from the navigation tree and then click Add on the page that appears. Create ACL 2000 as shown in the figure below. Click the icon of ACL 2000 and then click Add to add a basic ACL rule for ACL 2000. Click Apply.

Adding Interfaces to Zones and Configuring Inter-Zone Policies

Adding GigabitEthernet 0/2 to the Trust zone
Select Device Management > Zone from the navigation tree.

Click the icon of the zone named Trust to enter the Modify Zone page. Add GigabitEthernet 0/2 to zone Trust as shown in the figure below, and then click Apply to return to the Zone page.

Configuring inter-zone policies
Select Firewall > Security Policy > Interzone Policy from the navigation tree. Click Add and then configure a policy to control traffic from zone Untrust to zone Trust as shown in the figure below.

Configuring PPPoE
Select Network > PPPoE > Client from the navigation tree, and then click Add on the page that appears to enter the page for creating a PPPoE client, as shown in the following figure. Configure the PPPoE client as shown in the figure, and then click Apply.

Configuring NAT on the Outgoing Interface
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Click Add in the Dynamic NAT field. Configure NAT on outgoing interface Dialer 1 as shown in the figure below, and then click Apply.

Verification

Verifying the PPPoE Configuration
If the PPPoE username and password are set correctly, you should see the following information on the serial port. It shows that the link status and protocol status of interface Dialer 1 are both up, and that a PPPoE connection is established.

  <Device>
  %Apr 2 16:43:59: Device IFNET/4/LINK UPDOWN: Dialer1:0: link status is UP
  %Apr 2 16:44:02: Device IFNET/4/UPDOWN: Line protocol on the interface Dialer1:0 is UP
  %Apr 2 16:44:02: Device IFNET/4/UPDOWN: Protocol PPP IPCP on the interface Dialer1:0 is UP
  <Device>dis i i br
  *down: administratively down
  (s): spoofing
  Interface            Physical  Protocol  IP Address  Description
  Dialer1              up        up                    Dialer1 I...
  GigabitEthernet0/0   up        up                    GigabitEt...
  GigabitEthernet0/1   up        down      unassigned  GigabitEt...
  GigabitEthernet0/2   up        up                    GigabitEt...
  GigabitEthernet0/3   down      down      unassigned  GigabitEt...
  GigabitEthernet0/4   down      down      unassigned  GigabitEt...

PCs in the network can access the public network by using the PPPoE dialup method.

References
Related Documentation
PPPoE Configuration in the Web configuration documentation set
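The verification above can be automated when the console output is collected by a monitoring host. The following Python parser is an added example, not from the manual: it reads the three IFNET messages exactly as shown in the verification section, plus a display ip interface brief table constructed with RFC 5737 documentation addresses because the manual's copy elides them, and reports whether Dialer 1 has link, line protocol and PPP IPCP up and an address assigned. The function names and the "ok" rule are this example's assumptions.

```python
import re
from typing import Dict

# IFNET log lines as shown in the manual's verification output.
LOG = """\
%Apr 2 16:43:59: Device IFNET/4/LINK UPDOWN: Dialer1:0: link status is UP
%Apr 2 16:44:02: Device IFNET/4/UPDOWN: Line protocol on the interface Dialer1:0 is UP
%Apr 2 16:44:02: Device IFNET/4/UPDOWN: Protocol PPP IPCP on the interface Dialer1:0 is UP
"""

# 'display ip interface brief' output. The manual elides the addresses, so these
# are constructed RFC 5737 documentation addresses, not real ones.
BRIEF = """\
*down: administratively down
(s): spoofing
Interface            Physical Protocol IP Address    Description
Dialer1              up       up       203.0.113.10  Dialer1 I...
GigabitEthernet0/0   up       up       192.0.2.1     GigabitEt...
GigabitEthernet0/1   up       down     unassigned    GigabitEt...
GigabitEthernet0/2   up       up       192.0.2.254   GigabitEt...
GigabitEthernet0/3   down     down     unassigned    GigabitEt...
"""

LINK_RE = re.compile(r"IFNET/4/LINK UPDOWN: (\S+?): link status is (UP|DOWN)")
PROTO_RE = re.compile(r"IFNET/4/UPDOWN: Line protocol on the interface (\S+) is (UP|DOWN)")
NCP_RE = re.compile(r"IFNET/4/UPDOWN: Protocol (\S+ \S+) on the interface (\S+) is (UP|DOWN)")


def _base(ifname: str) -> str:
    # Log lines name the dial channel "Dialer1:0"; the brief table lists "Dialer1".
    return ifname.split(":")[0]


def parse_ifnet_log(text: str) -> Dict[str, dict]:
    """Collect the latest link / line-protocol / NCP state per interface from IFNET messages."""
    state: Dict[str, dict] = {}
    for line in text.splitlines():
        if m := LINK_RE.search(line):
            state.setdefault(_base(m[1]), {})["link"] = m[2]
        elif m := NCP_RE.search(line):
            state.setdefault(_base(m[2]), {})[m[1]] = m[3]      # e.g. "PPP IPCP": "UP"
        elif m := PROTO_RE.search(line):
            state.setdefault(_base(m[1]), {})["line_protocol"] = m[2]
    return state


def parse_brief(text: str) -> Dict[str, dict]:
    """Turn the brief table into {interface: {physical, protocol, ip}}, skipping legend and header."""
    table: Dict[str, dict] = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Interface" or line.startswith(("*", "(")):
            continue
        table[cols[0]] = {"physical": cols[1], "protocol": cols[2], "ip": cols[3]}
    return table


def pppoe_dialer_status(log_text: str, brief_text: str, dialer: str = "Dialer1") -> dict:
    """Combine both sources; 'ok' means the dialer is fully up with a negotiated address."""
    events = parse_ifnet_log(log_text).get(dialer, {})
    row = parse_brief(brief_text).get(dialer, {})
    ip = row.get("ip", "unassigned")
    result = {
        "link_up": events.get("link") == "UP",
        "line_protocol_up": events.get("line_protocol") == "UP",
        "ipcp_up": events.get("PPP IPCP") == "UP",
        "ip_address": ip,
    }
    # NAT on Dialer 1 depends on IPCP having delivered an address, so require all of it.
    result["ok"] = all((result["link_up"], result["line_protocol_up"], result["ipcp_up"],
                        row.get("physical") == "up", row.get("protocol") == "up",
                        ip != "unassigned"))
    return result


if __name__ == "__main__":
    print(pppoe_dialer_status(LOG, BRIEF))
```

Note that the bundled physical interface (GigabitEthernet0/1 in the table) legitimately shows protocol down and no address: the IP layer lives on the dialer interface, so a check that keys on the physical port would raise a false alarm.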

H3C SecPath UTM Series NAT Configuration Example

Keywords: NAT, NAPT
Abstract: Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks. With NAT, a smaller number of public IP addresses are used to meet the public network access requirements of a larger number of private hosts, and thus NAT effectively alleviates the depletion of IP addresses.
Acronyms:
  NAPT  Network Address Port Translation
  NAT   Network Address Translation

Table of Contents
  Feature Overview
    Many-to-Many NAT and NAT Control
    NAPT
    Easy IP
    Internal Server
  Application Scenarios
  Configuration Guidelines
  NAT Configuration Example
    Network Requirements
    Configuration Considerations
    Software Version Used
    Configuration Procedures
      Basic Configuration
      NAT Configuration
    Verification
  References
    Protocols and Standards
    Related Documentation

Feature Overview
Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. A private or internal IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique. According to RFC 1918, three blocks of IP addresses are reserved for private networks:
  In Class A: 10.0.0.0 to 10.255.255.255
  In Class B: 172.16.0.0 to 172.31.255.255
  In Class C: 192.168.0.0 to 192.168.255.255
No host with an IP address in the above three ranges can exist on the Internet. You can use those IP addresses in an enterprise network freely without requesting them from an ISP or a registration center.

Many-to-Many NAT and NAT Control
A NAT gateway can hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, NAT chooses an available public IP address (if any) to replace the source IP address, forwards the packet, and records the mapping between the two addresses. In this way, multiple internal hosts can access external networks simultaneously. This is called many-to-many NAT.
In practice, an enterprise may need to allow some internal hosts to access external networks while prohibiting others. This is achieved through the NAT control mechanism: if a source IP address is among the denied addresses, the NAT gateway does not translate it.
Many-to-many NAT can be implemented through an address pool. An address pool is a collection of consecutive public IP addresses used for address translation; the NAT gateway selects an address from the pool during operation. The number of addresses in the pool depends on the number of available public IP addresses, the number of internal hosts, and network requirements. NAT control is achieved through access control lists (ACLs): only packets matching the ACL rules are served by NAT.

NAPT
Network Address Port Translation (NAPT) is a variation of NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called many-to-one NAT or address multiplexing. NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts have their source IP addresses mapped to the same public IP address but their source port numbers mapped to different port numbers.

Easy IP
Easy IP uses the public IP address of an interface on the device as the translated source address, and uses ACLs to permit only certain private IP addresses to be NATed.

Internal Server
NAT hides the internal network structure, including the identities of internal hosts. However, internal hosts such as a web server or an FTP server may need to be accessed by external hosts. NAT satisfies this requirement by supporting internal servers. With NAT, you can deploy an internal server easily and flexibly: one public address can serve as the web server's external address and another as the FTP server's external address, and you can even use an address with a port, like :8080, as the web server's external address. The device supports this feature. When a packet destined for an internal server arrives, NAT translates the destination address in the packet to the private IP address of the internal server. When a response packet from the internal server arrives, NAT translates its source address (a private IP address) into a public IP address.

Application Scenarios
NAT enables users on a private campus network or enterprise network using private IP addresses to access public networks.

Configuration Guidelines
When configuring the NAT policy module, note that:
1) An address pool to be configured on the device cannot overlap any existing NAT address pool, the IP addresses of interfaces with Easy IP enabled, or the public IP addresses of internal servers.
2) A low-priority address pool cannot overlap any non-low-priority address pool, the public IP address in a one-to-one NAT entry, or the public IP addresses of internal servers.
3) If the protocol type is not 6 (TCP) or 17 (UDP), you can configure mappings between internal and external IP addresses, but cannot configure External Port and Internal Port.
4) You can modify address pools, dynamic NAT entries, static NAT entries, and internal servers through the Web interface. Note that the system actually removes the former entries and creates new entries according to the configuration.
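The following Python model is an added example, not H3C code and not part of the manual, of the mechanisms described in the feature overview and guidelines above: ACL-based NAT control, many-to-many NAPT from an address pool, Easy IP as the fallback translated source, internal server publication, and the overlap and port-mapping checks of guidelines 1 to 3. The class and method names are this example's own, and every address (RFC 5737 documentation ranges for the public side, 192.168.1.0/24 for the LAN) is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 1918 private blocks (the Class A, B and C ranges named in the overview).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr may only be used inside an internal network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


@dataclass
class AddressPool:
    """Consecutive public addresses for many-to-many NAT."""
    start: str
    end: str

    def addresses(self) -> List[str]:
        first, last = int(ipaddress.ip_address(self.start)), int(ipaddress.ip_address(self.end))
        return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


@dataclass
class InternalServer:
    """Public address/port published for a private host (a web or FTP server)."""
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int
    protocol: int = 6  # 6 = TCP, 17 = UDP; only these may carry port mappings (guideline 3)


@dataclass
class NatGateway:
    acl_permit: List[str]                     # NAT control: only these source networks are translated
    pool: Optional[AddressPool] = None        # many-to-many NAPT pool
    easy_ip_address: Optional[str] = None     # interface address used when no pool is configured
    servers: List[InternalServer] = field(default_factory=list)
    next_port: int = 1024
    table: Dict[Tuple, Tuple] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Guidelines 1 to 3: pool overlaps and port mappings on non-TCP/UDP servers."""
        problems = []
        pool_ips = set(self.pool.addresses()) if self.pool else set()
        if self.easy_ip_address in pool_ips:
            problems.append(f"pool overlaps Easy IP interface address {self.easy_ip_address}")
        for srv in self.servers:
            if srv.public_ip in pool_ips:
                problems.append(f"pool overlaps internal server public address {srv.public_ip}")
            if srv.protocol not in (6, 17) and (srv.public_port or srv.private_port):
                problems.append(f"port mapping not allowed for protocol {srv.protocol}")
        return problems

    def _permitted(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.acl_permit)

    def outbound(self, src_ip, src_port, dst_ip, dst_port) -> Optional[Tuple[str, int, str, int]]:
        """Source NAPT: choose a public address, allocate a port, record both directions."""
        if not self._permitted(src_ip):
            return None  # denied by the ACL: the gateway leaves the packet untranslated
        key = ("out", src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            if self.pool:
                pool_ips = self.pool.addresses()
                pub_ip = pool_ips[(len(self.table) // 2) % len(pool_ips)]  # round-robin over the pool
            else:
                pub_ip = self.easy_ip_address
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = (pub_ip, pub_port)
            self.table[("in", pub_ip, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        pub_ip, pub_port = self.table[key]
        return pub_ip, pub_port, dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port, protocol=6) -> Optional[Tuple[str, int, str, int]]:
        """Reverse NAPT for return traffic; otherwise internal-server DNAT; otherwise drop."""
        mapped = self.table.get(("in", dst_ip, dst_port, src_ip, src_port))
        if mapped:
            return (src_ip, src_port) + mapped
        for srv in self.servers:
            if (srv.public_ip, srv.public_port, srv.protocol) == (dst_ip, dst_port, protocol):
                return src_ip, src_port, srv.private_ip, srv.private_port
        return None  # unsolicited traffic to an unpublished address: the internal network stays hidden


def build_example_gateway() -> NatGateway:
    """Constructed topology: one private LAN, a three-address public pool, one published FTP server."""
    return NatGateway(
        acl_permit=["192.168.1.0/24"],
        pool=AddressPool("203.0.113.10", "203.0.113.12"),
        servers=[InternalServer("203.0.113.20", 21, "192.168.1.2", 21)],
    )


if __name__ == "__main__":
    gw = build_example_gateway()
    print("config problems:", gw.validate())
    print("outbound:", gw.outbound("192.168.1.10", 40000, "198.51.100.5", 80))
    print("return:", gw.inbound("198.51.100.5", 80, "203.0.113.10", 1024))
    print("to FTP server:", gw.inbound("198.51.100.7", 5000, "203.0.113.20", 21))
```

Two things the model makes visible that the GUI does not: a host outside the permitted ACL range gets no translation at all (it is not silently mapped through the pool), and unsolicited inbound packets only reach a private host through an explicit internal server entry, which is exactly why overlapping a pool address with a server's public address (guideline 1) would make translation ambiguous.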

NAT Configuration Example

Network Requirements
The UTM 200-S is used in this configuration example.
Figure 1 Network diagram for NAT configuration

Configuration Considerations
Specify the internal IP address of GigabitEthernet 0/2 as /24 and add the interface to the Trust zone. Specify the external IP address of GigabitEthernet 0/1 as /24 and add the interface to the Untrust zone.

Software Version Used
F5118

Configuration Procedures

Basic Configuration

Specifying interface IP addresses
Select Device Management > Interface from the navigation tree.

Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below. Then click Apply to return to the Interface page.
Click the icon of GigabitEthernet 0/2 to enter the Edit Interface page. Configure the interface as shown in the figure below. Then click Apply to return to the Interface page.

Configuring ACL 2000
Select Firewall > ACL from the navigation tree and click Add. Define ACL 2000 as shown in the figure below. Click the icon of ACL 2000 and then click Add. Define a basic ACL rule as shown in the figure below.

Click Apply.

Add interfaces to the Trust zone
Select Device Management > Zone from the navigation tree. Click the icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/2 to the Trust zone as shown in the figure below. Click Apply to return to the Zone page.
Add GigabitEthernet 0/1 to the Untrust zone in a similar way.

Configure policies
Select Firewall > Security Policy > Interzone Policy from the navigation tree. Click Add and then configure a policy to control traffic from the Untrust zone to the Trust zone as shown in the figure below.

NAT Configuration

Create an address pool
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Click Add in the Address Pool field.

Create an address pool containing IP addresses through , and then click Apply.

Configure dynamic NAT
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Click Add in the Dynamic NAT field. Configure dynamic NAT on GigabitEthernet 0/1 as shown in the figures below. Then click Apply.

Configure static NAT
Select Firewall > NAT Policy > Static NAT from the navigation tree. Click Add in the Static Address Mapping field. Configure a static mapping between and .

Select Firewall > NAT Policy > Static NAT from the navigation tree. Click Add in the Interface Static Translation field. Select GigabitEthernet0/1 for Interface and click Apply.

Configure an internal server
Select Firewall > NAT Policy > Internal Server from the navigation tree. Click Add in the Internal Server field. Configure an FTP server on internal PC1 as shown in the figure below.

Verification

PAT
PC1 accesses PC2 via FTP. Select Firewall > Session Table > Session Summary from the navigation tree to view session information. The source IP address ( ) and port number (2357) are translated into and 1027 respectively.

No-PAT
PC1 accesses PC2 via FTP. Select Firewall > Session Table > Session Summary from the navigation tree to view session information. The source IP address ( ) is translated into , but the source port number is unchanged.

Easy IP
PC1 accesses PC2 via FTP. Select Firewall > Session Table > Session Summary from the navigation tree to view session information. The source IP address is translated into the IP address of the external interface ( ), and the source port number 2575 is translated into .

One-to-one static NAT
FTP to from PC2. Actually, you FTP to the private IP address (PC1). Select Firewall > Session Table > Session Summary from the navigation tree to view session information.

Internal server
FTP to from PC2. Actually, you FTP to the private IP address (PC1). Select Firewall > Session Table > Session Summary from the navigation tree to view session information.

References

Protocols and Standards
RFC 1631: The IP Network Address Translator (NAT)

Related Documentation
NAT Configuration in the Web configuration documentation set

H3C SecPath UTM Series Layer 2 and Layer 3 Forwarding Configuration Examples

UTM Series Layer 2 and Layer 3 Forwarding Configuration Examples

Keywords: Transparent mode, routing mode, hybrid mode, VLAN

Abstract: This document presents configuration examples for the UTM operating in transparent mode, routing mode, and hybrid mode respectively.

Acronyms:
Acronym  Full spelling
UTM      Unified Threat Management
VLAN     Virtual Local Area Network

Hangzhou H3C Technologies Co., Ltd. 1/30

Table of Contents

Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
Configuration Examples 3
  Network Requirements 3
  Configuration Considerations 3
  Software Version Used 4
  Configuration Procedures 4
    Transparent Mode 4
    Routing Mode 12
    Hybrid Mode 23

Feature Overview

For enterprise networks with broadband access devices, the UTM series operate in transparent mode to deliver only security protection and auditing functions, minimizing their impact on the networks. The UTM series operating in routing mode or hybrid mode are applicable to enterprise networks that have no access gateways, serving as both protection and access devices.

Application Scenarios

The three operating modes are applicable to prevalent multilayer switched networks, providing rich security features such as firewall, VPN, intrusion prevention, anti-virus, URL filtering, and application control.

Configuration Guidelines

Refer to the configuration guidelines given in the configuration steps.

Configuration Examples

Network Requirements

Figure 1 Network diagram for Layer 2 and Layer 3 forwarding configuration example (I)
Figure 2 Network diagram for Layer 2 and Layer 3 forwarding configuration example (II)

Configuration Considerations

Configure the operating mode for interfaces.

Add interfaces to security zones.
Configure NAT entries, ACLs, routes, and other necessary information.

Software Version Used

F5118

Configuration Procedures

Transparent Mode

Configuring general Layer 2 forwarding

1) Configuration description
Configure hosts in the same VLAN with IP addresses on the same network segment, so that the hosts can communicate with each other.

2) Configuration procedure (see Figure 1)
Select Device Management > Interface from the navigation tree. Configure GigabitEthernet 0/1 and GigabitEthernet 0/2 as Layer 2 interfaces.

Figure 3 Configure GigabitEthernet 0/1 as a Layer 2 interface

Figure 4 Configure GigabitEthernet 0/2 as a Layer 2 interface

Select Network > VLAN > VLAN from the navigation tree, create VLAN 2, and add GigabitEthernet 0/1 and GigabitEthernet 0/2 to VLAN 2.

Figure 5 Add interfaces to VLAN 2

Configure IP addresses for the PCs: /24 for PC1 and /24 for PC2.
Select Device Management > Zone from the navigation tree and edit the Trust zone of the root virtual device. Add GigabitEthernet 0/1 to the Trust zone, and GigabitEthernet 0/2 to the Untrust zone. Ping PC2 from PC1. Result A is obtained.
Edit the Trust zone and modify the VLAN for GigabitEthernet 0/1 from the default to 2, as shown in the figure below. Modify the VLAN for GigabitEthernet 0/2 to 2 and add the interface to the Untrust zone. Ping PC2 from PC1. Result B is obtained.

Figure 6 Modify the Trust zone (1)

Edit the Trust zone again. Set the VLAN for GigabitEthernet 0/1 to a value different from the PVID 2. In this example, the VLAN is set to 1, as shown in the figure below. Ping PC2 from PC1. Result C is obtained.

Figure 7 Modify the Trust zone (2)

3) Verification
Result A: The ping operation succeeds.
Result B: The ping operation succeeds.
Result C: The ping operation fails. Layer 2 packets are forwarded between security zones according to the zones in which the interfaces' VLANs reside. In this example, GigabitEthernet 0/1 rejects VLAN 2 packets because VLAN 2, to which GigabitEthernet 0/1 belongs, is not added to the Trust zone, even though GigabitEthernet 0/1 itself is added to the Trust zone.

4) Configuration guidelines

When editing VLANs for a Layer 2 interface in a security zone, pay attention to the VLANs you specify, as the Layer 2 interface may be used by other security zones on the virtual device.

Configuring inline Layer 2 forwarding

1) Configuration description
Add interfaces to an inline forwarding group.

2) Configuration procedure (see Figure 1)
Select Network > Forwarding from the navigation tree, type 1 for Policy ID, and select GigabitEthernet 0/1 and GigabitEthernet 0/2 as Port 1 and Port 2 respectively. Note that you need to configure the two interfaces as Layer 2 interfaces in advance.

Figure 8 Create an inline forwarding policy

Configure IP addresses for the PCs: /24 for PC1 and /24 for PC2. Add GigabitEthernet 0/1 to the Trust zone, and GigabitEthernet 0/2 to the Untrust zone. Ping PC2 from PC1. Result A is obtained.
Add GigabitEthernet 0/1 to VLAN 2, and GigabitEthernet 0/2 to VLAN 3. Ping PC2 from PC1. Result B is obtained.
Configure GigabitEthernet 0/1 as an access port, and GigabitEthernet 0/2 as a trunk port. Ping PC2 from PC1. Result C is obtained.

3) Verification
Result A: The ping operation succeeds.
Result B: The ping operation succeeds.
Result C: The ping operation succeeds.
Inline Layer 2 forwarding is not affected by the VLAN configuration or the port type.

4) Configuration guidelines
Inline Layer 2 forwarding is implemented through inline forwarding groups, not MAC addresses.
Inline Layer 2 forwarding can be configured on Layer 2 interfaces only. You cannot configure it on a subinterface or a virtual interface.
In the process of inline Layer 2 forwarding, the tag of an incoming packet is checked at the ingress only to determine whether to forward the packet at Layer 3. Note that the VLANs specified for the interface in a security zone are used, instead of the PVID. That is, inline Layer 2 forwarding permits a packet if its VLAN tag is configured in the security zone of the virtual device, and rejects the packet if not.
If the input interface is an access port, the interface does not check the VLAN tag against the PVID upon receiving packets with different VLAN tags. With general Layer 2 forwarding, the interface accepts packets with no tag or with the same VLAN tag as the PVID.
Inline Layer 2 forwarding on a trunk port is not affected by the permitted VLANs configured on the ingress. With general Layer 2 forwarding on a trunk port, a packet is forwarded only if its VLAN is permitted.
In this example, a packet forwarded by GigabitEthernet 0/2 is transparently transmitted without having its tag removed. That is, the packet is received on one interface of the inline forwarding group and, after being processed by the security module, is forwarded through the other interface transparently.

Configuring inter-VLAN Layer 2 forwarding

1) Configuration description
Configure hosts in different VLANs but with IP addresses on the same network segment to communicate with each other.

2) Configuration procedure (see Figure 2)
Configure the devices through the CLI.
On the switch:
#
interface GigabitEthernet1/0/1
 port access vlan 102
#
interface GigabitEthernet1/0/10
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 102 to 103
#
On the Device:
#
vlan 102 to 103
#
vlan 1000
#
interface GigabitEthernet0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan to 103
#
Configure the Device through the web interface.

Select Device Management > Interface from the navigation tree and create Layer 2 subinterfaces GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103.

Figure 9 Create GigabitEthernet 0/1.102

Select Network > VLAN > VLAN from the navigation tree, and add GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103 to VLAN 1000.

Figure 10 Add subinterfaces to VLAN 1000

Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 and GigabitEthernet 0/1.102 to the Trust zone and make sure that VLAN 1000 is included in the VLANs permitted on the interfaces. Add GigabitEthernet 0/1.103 to the Untrust zone and make sure that VLAN 1000 is included in the VLANs permitted on the interface.

Figure 11 Edit the Trust zone

Configure IP addresses for the PCs: /24 for PC1 and /24 for PC2. Ping PC2 from PC1. Result A is obtained. Ping PC1 from PC2. Result B is obtained.
Add GigabitEthernet 0/1 to the Untrust zone and then ping PC2 from PC1. Result C is obtained.
Delete VLAN 1000 and configure VLAN 102 and VLAN 103 on the Device. Ping PC2 from PC1. Result D is obtained.
Delete VLAN 102 and VLAN 103 and configure VLAN 1000 on the Device. Ping PC2 from PC1. Result E is obtained.
Configure inter-VLAN Layer 2 forwarding on a non-default virtual device:
Select Device Management > Virtual Device > Configuration from the navigation tree and click Add to create a virtual device named H3C.

Figure 12 Create a virtual device

Select Device Management > Virtual Device > VLAN from the navigation tree, and configure VLAN 1000 as a VLAN member of the virtual device H3C.

Figure 13 Configure the VLAN member for the virtual device

Select Device Management > Zone from the navigation tree. Create security zones H3C_trust and H3C_untrust for the virtual device.

Figure 14 Create security zone H3C_trust
Figure 15 Create security zone H3C_untrust

Add GigabitEthernet 0/1.102 to H3C_trust, and GigabitEthernet 0/1.103 to H3C_untrust. Ping PC2 from PC1. Result F is obtained.

3) Verification
Result A: The ping operation succeeds.
Result B: The ping operation fails. This is because PC2 resides in the Untrust zone, whereas PC1 resides in the Trust zone, which has a higher priority than the Untrust zone.

Result C: The ping operation succeeds. On a physical port working in bridge mode, Layer 2 subinterfaces are configured to implement inter-VLAN Layer 2 forwarding. Packets are forwarded between security zones according to the VLANs permitted on the Layer 2 subinterfaces, instead of the security zone where the physical interface resides. Therefore, the forwarding is not affected after GigabitEthernet 0/1 is added to the Untrust zone.
Result D: The ping operation succeeds. Although VLAN 1000 is deleted, traffic can be forwarded because the PVID of GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103 is VLAN 1.
Result E: The ping operation fails. No Layer 2 forwarding entry is created because VLAN 102 and VLAN 103 do not exist.
Result F: The ping operation succeeds.

4) Configuration guidelines
To implement inter-VLAN Layer 2 forwarding, make sure that the VLAN with the same ID as the Layer 2 subinterface ID exists.
On a physical port working in bridge mode, Layer 2 subinterfaces are configured to implement inter-VLAN Layer 2 forwarding. Packets are forwarded between security zones according to the VLANs permitted on the Layer 2 subinterfaces, instead of the security zone where the physical interface resides.
To implement inter-VLAN Layer 2 forwarding, make sure that you add the PVID of the subinterface to the VLAN range of the security zone. If no VLAN is configured for a subinterface, the PVID is 1, and therefore you need to add VLAN 1 to the VLAN range of the security zone.
When configuring inter-VLAN Layer 2 forwarding, do not set the PVID of a subinterface to the subinterface ID; otherwise, the downstream switches may fail to learn the MAC address of the subinterface. This is a defect at present.

Routing Mode

Configuring Layer 3 interface forwarding

1) Configuration description
Configure the Device to route packets between hosts on different network segments.
2) Configuration procedure (see Figure 1)
Select Device Management > Interface from the navigation tree. Configure the router mode for GigabitEthernet 0/1 and specify the IP address as /24. Configure the router mode for GigabitEthernet 0/2 and specify the IP address as /24.

Figure 16 Configure GigabitEthernet 0/1

Figure 17 Configure GigabitEthernet 0/2

Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 to the Trust zone and GigabitEthernet 0/2 to the Untrust zone.

Figure 18 Add GigabitEthernet 0/1 to the Trust zone

Figure 19 Add GigabitEthernet 0/2 to the Untrust zone

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to GigabitEthernet 0/2 and enable Easy IP. ACL 3000 allows packets from /24 to pass.

Figure 20 Configure dynamic NAT
Figure 21 Configure ACL 3000

3) Verification
Configure IP address /24 and gateway for PC1, and IP address /24 and gateway for PC2. Ping PC2 from PC1. The ping operation succeeds and the session information displayed on the Device is as follows:

Figure 22 Session information

Configuring inter-VLAN Layer 3 forwarding

1) Configuration description
Configure the Device to forward packets through VLAN virtual interfaces.

2) Configuration procedure (see Figure 1)
Select Device Management > Interface from the navigation tree. Configure the access mode for GigabitEthernet 0/1, add the interface to VLAN 2, create VLAN-interface 2, and specify the IP address as /24. Configure the access mode for GigabitEthernet 0/2, add the interface to VLAN 3, create VLAN-interface 3, and specify the IP address as /24.

Figure 23 Create VLAN-interface 2

Figure 24 Create VLAN-interface 3

Select Device Management > Zone from the navigation tree. Add VLAN-interface 2 to the Trust zone, and add VLAN-interface 3 to the Untrust zone.

Figure 25 Add interfaces to the Trust zone
Figure 26 Add interface to the Untrust zone

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to VLAN-interface 3 and enable Easy IP. ACL 3000 allows packets from /24 to pass.

Figure 27 Configure dynamic NAT
Figure 28 Configure ACL 3000

3) Verification
Configure IP address /24 and gateway for PC1, and IP address /24 and gateway for PC2. Ping PC2 from PC1. The ping operation succeeds and the session information displayed on the Device is as follows:

Figure 29 Session information

Configuring Layer 3 subinterface forwarding

1) Configuration description
Configure the Device to forward packets through Layer 3 subinterfaces.

2) Configuration procedure (see Figure 2)
Configure the switch:
interface GigabitEthernet1/0/1
 port access vlan 102
#
interface GigabitEthernet1/0/10
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 102 to 103
#
Configure the Device:
Select Device Management > Interface from the navigation tree. Configure the router mode for GigabitEthernet 0/1. Create subinterface GigabitEthernet 0/1.1 and specify the VID as 102 and the IP address as /24. Create subinterface GigabitEthernet 0/1.2 and specify the VID as 103 and the IP address as /24.

Figure 30 Configure GigabitEthernet 0/1

Figure 31 Create GigabitEthernet 0/1.1
Figure 32 Create GigabitEthernet 0/1.2

Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 and GigabitEthernet 0/1.1 to the Trust zone, and GigabitEthernet 0/1.2 to the Untrust zone.

Figure 33 Add interfaces to the Trust zone

Configure IP address and default gateway for PC1, and IP address and default gateway for PC2. Ping PC2 from PC1. Result A is obtained. Ping PC1 from PC2. Result B is obtained.
Add GigabitEthernet 0/1 to the Untrust zone, and then ping PC2 from PC1. Result C is obtained.
Remove the VID specified for the Layer 3 subinterfaces of the Device and then ping PC2 from PC1. Result D is obtained.
Configure Layer 3 subinterface forwarding on a non-default virtual device. Create a virtual device named H3C, create the H3C_trust and H3C_untrust zones for the virtual device, and add subinterfaces GigabitEthernet 0/1.1 and GigabitEthernet 0/1.2 to the virtual device as interface members.

Figure 34 Add interfaces to the virtual device

Add GigabitEthernet 0/1.1 to H3C_trust, and GigabitEthernet 0/1.2 to H3C_untrust. Ping PC2 from PC1. Result E is obtained.

3) Verification
Result A: The ping operation succeeds.
Result B: The ping operation fails.
Result C: The ping operation succeeds. After Layer 3 subinterfaces are configured on a physical port working in router mode, packets are forwarded between security zones according to the security zones where the Layer 3 subinterfaces reside.
Result D: The ping operation fails. The VID is needed to specify the tag type and VLAN.
Result E: The ping operation succeeds.

4) Configuration guidelines
After Layer 3 subinterfaces are configured on a physical port working in router mode, packets are forwarded between security zones according to the security zones where the Layer 3 subinterfaces reside.
To implement Layer 3 subinterface forwarding in a non-default virtual device, you need to configure the subinterfaces used for forwarding packets as interface members of the virtual device.

Hybrid Mode

Configuring general hybrid mode

1) Configuration description
Configure VLAN virtual interfaces and Layer 3 interfaces on the Device to forward packets.

2) Configuration procedure (see Figure 1)
Select Device Management > Interface from the navigation tree. Configure GigabitEthernet 0/1 as an access port working in bridge mode, add the interface to VLAN 2, create VLAN-interface 2, and specify the IP address as /24. Configure the router mode for GigabitEthernet 0/2 and specify the IP address as /24.

Figure 35 Create VLAN-interface 2
Figure 36 Configure GigabitEthernet 0/2

Select Device Management > Zone from the navigation tree. Add VLAN-interface 2 to the Trust zone, and GigabitEthernet 0/2 to the Untrust zone.

Figure 37 Add interfaces to the Trust zone
Figure 38 Add GigabitEthernet 0/2 to the Untrust zone

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to GigabitEthernet 0/2 and enable Easy IP. ACL 3000 allows packets from /24 to pass.

Figure 39 Configure dynamic NAT
Figure 40 Configure ACL 3000

3) Verification
Configure IP address /24 and gateway for PC1, and IP address /24 and gateway for PC2. Ping PC2 from PC1. The ping operation succeeds and the session information displayed on the Device is as follows:

Figure 41 Session information

Configuring Layer 2 and Layer 3 hybrid forwarding

1) Configuration description
Configure Layer 2 and Layer 3 hybrid forwarding on the Device.

2) Configuration procedure (see Figure 2)
Configure the devices through the CLI.
On the switch:
#
interface GigabitEthernet1/0/1
 port access vlan 102
#
interface GigabitEthernet1/0/10
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 102 to 103
#
On the Device:
#
vlan 100 to 103
#
interface GigabitEthernet0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan to 103
#
Configure the Device through the web interface.
Select Device Management > Interface from the navigation tree. Create Layer 2 subinterface GigabitEthernet 0/1.102 and add it to VLAN 100. Create VLAN-interface 100 and specify the IP address as /24. Create VLAN-interface 103 and specify the IP address as /24.

Figure 42 Create GigabitEthernet 0/1.102

Figure 43 Create VLAN-interface 100
Figure 44 Create VLAN-interface 103

Select Device Management > Zone from the navigation tree. Add VLAN-interface 100 to the Trust zone. Add VLAN-interface 103 to the Untrust zone.

Figure 45 Add interfaces to the Trust zone
Figure 46 Add VLAN-interface 103 to the Untrust zone

Configure IP address and default gateway for PC1, and IP address and default gateway for PC2. Ping the IP address of PC2 from PC1. Result A is obtained.

Select Firewall > Security Policy > Interzone Policy from the navigation tree. Define a policy to permit all traffic from the Untrust zone to the Trust zone. Ping the gateway of PC1 from PC2. Result B is obtained.

Figure 47 Define an inter-zone policy

Configure Layer 2 and Layer 3 hybrid forwarding on a non-default virtual device. Create a virtual device named H3C and configure VLAN 100 and VLAN 103 as the VLAN members of the virtual device. Type 100 in the VLAN text box next to GigabitEthernet 0/1.102 and add VLAN-interface 100 to the H3C_trust zone. Type 103 in the VLAN text box next to GigabitEthernet 0/1 and add VLAN-interface 103 to the H3C_untrust zone. Ping PC2 from PC1. Result C is obtained.

3) Verification
Result A: The ping operation succeeds.
Result B: The ping operation succeeds.
Result C: The ping operation succeeds.

4) Configuration guidelines
The PVID of a Layer 2 subinterface cannot be the same as the subinterface ID, or the same as the ID of the VLAN to which a Layer 3 VLAN virtual interface belongs. In this example, the ID of the Layer 2 subinterface is 102, the PVID is 100, and the VLAN ID of the Layer 3 virtual interface is 103.
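The forwarding decisions behind Results A, B and C of the general and inline Layer 2 forwarding examples in the Transparent Mode section, modelled as an added Python example that is not H3C's code. It assumes that a zone member interface carries all VLANs until its VLAN list is edited, that Trust to Untrust traffic passes by default while the reverse direction needs an interzone policy, and that an untagged packet is checked against the zone VLAN list as its PVID; the Port, Packet and result strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed default: a zone member interface carries all VLANs until its VLAN list is edited.
ALL_VLANS = frozenset(range(1, 4095))


@dataclass
class Port:
    name: str
    link_type: str = "access"               # "access" or "trunk"
    pvid: int = 1
    permitted: FrozenSet[int] = ALL_VLANS   # trunk only: VLANs allowed to pass
    zone: str = "Trust"
    zone_vlans: FrozenSet[int] = ALL_VLANS  # VLANs configured for this port inside its zone


@dataclass
class Packet:
    vlan_tag: Optional[int] = None          # None means untagged (a PC's ping, for instance)


def interzone_allowed(src_zone, dst_zone, policies=frozenset()):
    """Trust -> Untrust passes by default; any other direction needs an interzone policy."""
    return (src_zone == dst_zone or (src_zone, dst_zone) == ("Trust", "Untrust")
            or (src_zone, dst_zone) in policies)


def ingress_vlan(port, pkt):
    """General Layer 2 forwarding: PVID and permitted VLANs decide what a port accepts."""
    if pkt.vlan_tag is None:
        return port.pvid
    if port.link_type == "access":
        return port.pvid if pkt.vlan_tag == port.pvid else None
    return pkt.vlan_tag if pkt.vlan_tag in port.permitted else None


def forward_general(ingress, egress, pkt, policies=frozenset()):
    """Verdict for one packet under general (MAC-based) Layer 2 forwarding."""
    vlan = ingress_vlan(ingress, pkt)
    if vlan is None:
        return "dropped: tag not accepted on ingress port"
    if vlan not in ingress.zone_vlans:
        return "dropped: VLAN not in ingress zone"      # Result C of the general example
    if not interzone_allowed(ingress.zone, egress.zone, policies):
        return "dropped: no interzone policy"
    if ingress_vlan(egress, Packet(vlan)) != vlan:       # egress port must carry the VLAN
        return "dropped: egress port not in VLAN"
    if vlan not in egress.zone_vlans:
        return "dropped: VLAN not in egress zone"
    return "forwarded"


def forward_inline(ingress, egress, pkt, policies=frozenset()):
    """Inline forwarding group: port type, PVID and permitted VLANs are ignored. Only the
    tag is checked against the ingress port's zone VLAN list (assumption: an untagged
    packet is checked as its PVID), then the packet leaves the paired port unchanged."""
    vlan = ingress.pvid if pkt.vlan_tag is None else pkt.vlan_tag
    if vlan not in ingress.zone_vlans:
        return "dropped: VLAN not in ingress zone"
    if not interzone_allowed(ingress.zone, egress.zone, policies):
        return "dropped: no interzone policy"
    return "forwarded (tag unchanged)"


def general_results():
    """Results A, B, C of 'Configuring general Layer 2 forwarding' (both ports in VLAN 2)."""
    ge1 = Port("GE0/1", pvid=2, zone="Trust")
    ge2 = Port("GE0/2", pvid=2, zone="Untrust")
    ping = Packet()                                   # untagged ICMP from PC1
    a = forward_general(ge1, ge2, ping)               # zone VLAN list still at the default
    ge1.zone_vlans = ge2.zone_vlans = frozenset({2})  # VLAN set to 2 in both zones
    b = forward_general(ge1, ge2, ping)
    ge1.zone_vlans = frozenset({1})                   # zone VLAN differs from PVID 2
    c = forward_general(ge1, ge2, ping)
    return {"A": a, "B": b, "C": c}


def inline_results():
    """Results A, B, C of 'Configuring inline Layer 2 forwarding', with the verdict general
    forwarding would give for case B shown alongside for contrast."""
    ge1 = Port("GE0/1", zone="Trust")
    ge2 = Port("GE0/2", zone="Untrust")
    ping = Packet()
    a = forward_inline(ge1, ge2, ping)
    ge1.pvid, ge2.pvid = 2, 3                         # ports put into VLAN 2 and VLAN 3
    b = forward_inline(ge1, ge2, ping)
    b_general = forward_general(ge1, ge2, ping)
    ge2.link_type, ge2.permitted = "trunk", frozenset({3})   # GE0/2 becomes a trunk port
    c = forward_inline(ge1, ge2, ping)
    return {"A": a, "B": b, "B-general": b_general, "C": c}
```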

H3C SecPath UTM Series DHCP Configuration Examples

UTM Series DHCP Configuration Examples

Keywords: DHCP

Abstract: This document describes DHCP configuration methods and configuration examples.

Acronyms:
Acronym  Full spelling
DHCP     Dynamic Host Configuration Protocol

Hangzhou H3C Technologies Co., Ltd. 1/14

Table of Contents

Feature Overview 3
  DHCP Overview 3
  Address Allocation Mechanisms 3
  IP Address Allocation Sequence 3
Application Scenarios 3
DHCP Configuration Example I 3
  Network Requirements 3
  Configuration Considerations 4
  Software Version Used 4
  Configuration Procedures 4
    Basic Configuration 4
    Configuration on the DHCP Server 6
    Configuration on DHCP Clients 7
  Verification 8
  Configuration Guidelines 9
  Troubleshooting 9
DHCP Configuration Example II 10
  Network Requirements 10
  Configuration Considerations 10
  Software Version Used 10
  Configuration Procedure 11
    Configuration on the DHCP Server 11
    Configuration on the DHCP Relay 11
    Configuration on DHCP Client 12
  Verification 13
  Configuration Guidelines 13
  Troubleshooting 13
References 14
  Protocols and Standards 14
  Related Documentation 14

Feature Overview

DHCP Overview
A DHCP client sends a configuration request, and a DHCP server returns a reply carrying configuration parameters such as an IP address for the client.

Address Allocation Mechanisms
DHCP supports three mechanisms for IP address allocation.
Manual allocation: The network administrator assigns an IP address to a client such as a web server, and DHCP conveys the assigned address to the client.
Automatic allocation: DHCP assigns a permanent IP address to a client.
Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.

IP Address Allocation Sequence
A DHCP server assigns an IP address to a client according to the following sequence:
1) The IP address manually bound to the client's MAC address or ID
2) The IP address that was ever assigned to the client
3) The IP address designated by the Option 50 field in the DHCP-DISCOVER message
4) The first assignable IP address found in a proper common address pool
5) The IP address that was a conflict or passed its lease duration
If no IP address is assignable, the server does not respond.

Application Scenarios
As many people need to take their laptops across networks, the IP addresses need to be changed accordingly, and the related configurations on hosts become more complex. Built on a client-server model, DHCP provides dynamic address allocation to simplify host configuration.

DHCP Configuration Example I

Network Requirements
The U200-S is used in this configuration example.

As shown in Figure 1, two DHCP clients, the router and the PC, reside on the same subnet as the DHCP server. The router is connected to the DHCP server through GigabitEthernet 0/1, and the PC is connected to the DHCP server through a network interface card. The IP address of GigabitEthernet 0/1 of the DHCP server is /24. Configure the devices to allow the PC to obtain an IP address and other parameters dynamically from the DHCP server, and to allow the router to obtain a fixed IP address and other parameters from the DHCP server.

Figure 1 Network diagram for DHCP configuration example I (Client 1, Client 2, GE 0/1 /24, DHCP Server)

Configuration Considerations
Configure the UTM as the DHCP server.
Configure the PC and the router as DHCP clients.

Software Version Used
F5118

Configuration Procedures

Basic Configuration
Specify the IP address of GigabitEthernet 0/1
Select Device Management > Interface from the navigation tree.

Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.

Add GigabitEthernet 0/1 to the Trust zone
Select Device Management > Zone from the navigation tree. Click the icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/1 to the Trust zone as shown in the figure below, and then click Apply to return to the Zone page.

Configuration on the DHCP Server
Enable DHCP
Select Network > DHCP > DHCP Server from the navigation tree, and then click the Enable radio button, as shown in the figure below.

Create a dynamic DHCP address pool
On the DHCP Server page, click the Dynamic radio button and then click Add to enter the page shown below.

Create a static DHCP address pool
On the DHCP Server page, click the Static radio button and then click Add to enter the page shown below.

Configuration on DHCP Clients
Configure GigabitEthernet 0/1 of the router to obtain an IP address through DHCP.

Configure the PC (running Windows XP in this example) as a DHCP client:
Right-click Network Neighborhood on the desktop and select Properties from the shortcut menu to open the Network Connections window.
Right-click Local Area Connection and select Properties from the shortcut menu to open the Local Area Connection Properties window.
Select the proper network interface card under Connect using, and select Internet Protocol (TCP/IP).
Click Internet Protocol (TCP/IP) and then click Properties to open the Internet Protocol (TCP/IP) Properties window.
Click the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons.

Verification
After the preceding configurations are complete, the router obtains the fixed IP address , and the PC obtains an IP address on subnet /24.
1) View the detailed information of GigabitEthernet 0/1 on the router. The output shows the IP address that the interface has obtained.
2) Run ipconfig /all in the Command Prompt window on the PC. The output shows the configuration information, including the IP address that the network interface card has obtained from the DHCP server.

Configuration Guidelines
1) When a DHCP client resides on the same subnet as the DHCP server, configure the interface through which the server is connected to the client with an IP address on the subnet of the address pool and with the same mask as the address pool. The server selects the pool that serves a directly connected client by the address of the receiving interface, and the matching mask ensures communication after the client obtains an IP address.
2) To configure a valid static binding, you must bind an IP address to a MAC address or to a client ID. In this example, you can also bind the MAC address of the PC to an IP address so that the PC obtains a fixed IP address.
3) If an IP address is bound to both a client ID and a MAC address, the IP-to-client ID binding takes precedence.
4) Use the display dhcp client verbose command on a DHCP client to view its client ID.
5) Currently, a static DHCP address pool supports only one static binding. That is, each static binding is a separate static address pool.
6) The DHCP server does not perform address conflict detection on the IP address in a static binding. To ensure communication after the client obtains the IP address, specify a static binding whose IP address is on the same network segment as the server's interface.
7) To exclude specific IP addresses from dynamic allocation, use the dhcp server forbidden-ip command in system view.

Troubleshooting
Symptom
The router in the preceding example obtains no IP address.
Analysis
The network connection fails, or the interface of the DHCP server does not reside on the network segment of the DHCP address pool.

Solution
1) Check that the interface through which the DHCP server is connected to the client has an IP address on the subnet of the address pool.
2) Check that the dhcp enable command is configured on the DHCP server.
3) Configure the interface of the router with an IP address from the address pool and ping the UTM from that address to verify network connectivity.
4) Use the debugging command on the DHCP server and on the client respectively to verify that the packet exchange is normal.

DHCP Configuration Example II
Whether or not a relay agent exists, the DHCP server and client interact with each other in the same way. The DHCP relay agent works as follows:
1) The DHCP client broadcasts a DHCP-DISCOVER message.
2) The DHCP relay agent fills the giaddr field of the message with the IP address of the interface on which it received the message, and forwards the message to the designated DHCP server in unicast mode. The server uses giaddr both to select the address pool and as the destination of its reply.
3) The DHCP server returns an IP address and other configuration parameters to the relay agent, which conveys them to the client.

Network Requirements
As shown in Figure 2, Device B is connected to the network where the DHCP client (PC) resides through GigabitEthernet 0/1, and to the DHCP server (Device A) through GigabitEthernet 0/2. The IP address of GigabitEthernet 0/1 on Device A is /24, and that of GigabitEthernet 0/2 on Device B is /24. Device B serves as a DHCP relay agent that forwards DHCP messages, so that the DHCP client can obtain an IP address and other parameters from the DHCP server.

Figure 2 Network diagram for DHCP configuration example II

Configuration Considerations
Configure Device A as the DHCP server.
Configure Device B as the DHCP relay agent.
Configure the PC as the DHCP client.

Software Version Used
F5118
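The relay exchange described above, as an added example that is not part of the H3C manual: a minimal RFC 2131 message encoder and decoder in Python, with the relay step that Device B performs on its client-facing interface and the pool-selection step the server performs on receipt. The addresses (192.0.2.0/24 as the client LAN, 203.0.113.2 as the server) and the server group are constructed for the example; the real addresses in the page's figure are not reproduced. The last function shows why the configuration guidelines of this example require the relay agent's client-facing interface to have an address on the pool's subnet while the server-facing interface may use any address: the server chooses the pool by giaddr, and if no pool matches it stays silent.

```python
"""DHCP relay step from example II, modelled with a minimal RFC 2131 encoder/decoder.

Added example, not H3C code.  The addresses and the server group are constructed;
the real ones in the page's figure are not reproduced.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP fields, 236 bytes
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DHCPDISCOVER = 1
MAX_HOPS = 16  # RFC 1542: relays discard requests whose hops field exceeds 16


def build_discover(xid, mac, client_id=None):
    """Encode a DHCPDISCOVER as the client broadcasts it on the LAN (giaddr = 0)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    hdr = struct.pack(HEADER, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      zero4, zero4, zero4, zero4, chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if client_id:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + MAGIC + opts + bytes([OPT_END])


def parse(msg):
    """Decode the fixed fields and the option list into a dict."""
    f = struct.unpack(HEADER, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:  # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": str(IPv4Address(f[10])),
            "chaddr": f[11][:f[2]].hex(), "options": opts}


def relay(msg, ingress_addr, server_group):
    """What Device B does on GE0/1: stamp giaddr, bump hops, unicast to each server.

    Returns a list of (server address, forwarded message); empty if discarded.
    """
    hops = msg[3]
    if hops > MAX_HOPS:
        return []
    giaddr = msg[24:28]
    if giaddr == b"\0\0\0\0":  # only the first relay on the path sets giaddr
        giaddr = IPv4Address(ingress_addr).packed
    out = msg[:3] + bytes([hops + 1]) + msg[4:24] + giaddr + msg[28:]
    return [(server, out) for server in server_group]


def choose_pool(parsed, server_ifaddr, pools):
    """Server side: pick the pool by giaddr when relayed, else by the receiving interface.

    The relay agent's client-facing address must therefore lie in the pool's subnet;
    the address facing the server is irrelevant to pool selection.
    """
    anchor = IPv4Address(parsed["giaddr"] if parsed["giaddr"] != "0.0.0.0" else server_ifaddr)
    for cidr in pools:
        if anchor in IPv4Network(cidr):
            return cidr
    return None
```

Relaying the same DISCOVER through a second relay leaves giaddr untouched and only increments hops, and a request whose hops field already exceeds the limit is dropped, which is the protection against relay loops that RFC 1542 specifies.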

Configuration Procedure

Configuration on the DHCP Server
Specify the IP address of GigabitEthernet 0/1 on Device A as /24 and add the interface to the Trust zone. For details, refer to Basic Configuration.
Select Network > DHCP > DHCP Server from the navigation tree, click the Enable radio button, and configure a dynamic DHCP address pool, as shown in the figure below.

Add a static route to the network segment of the DHCP client
Select Network Management > Routing Management > Static Routing from the navigation tree, click Add, and then perform the operations shown in the figure below.

Configuration on the DHCP Relay Agent
Specify the IP address of GigabitEthernet 0/2 on Device B as /24 and that of GigabitEthernet 0/1 as /24. Add GigabitEthernet 0/1 and GigabitEthernet 0/2 to security zones as needed. For detailed configurations, refer to Basic Configuration.
Select Network > DHCP > DHCP Relay from the navigation tree, click the Enable radio button, and then click Apply.
Create a server group with IP address , that is, the IP address of GigabitEthernet 0/1 on the DHCP server (Device A), as shown in the figure below.

In the Interface Config area, click the icon of GigabitEthernet 0/1. Click the Enable radio button next to DHCP Relay, select 0 as the Server Group ID, and click Apply.

Configuration on the DHCP Client
Configure the PC (running Windows XP in this example) as a DHCP client:
Right-click Network Neighborhood on the desktop and select Properties from the shortcut menu to open the Network Connections window.
Right-click Local Area Connection and select Properties from the shortcut menu to open the Local Area Connection Properties window.
Select the proper network interface card under Connect using, and select Internet Protocol (TCP/IP).
Click Internet Protocol (TCP/IP) and then click Properties to open the Internet Protocol (TCP/IP) Properties window.
Click the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons.

Verification
After the preceding configurations are complete, the PC obtains an IP address from the address pool configured on the DHCP server (Device A). Run ipconfig /all in the Command Prompt window to view the detailed configuration information.

Configuration Guidelines
1) When the DHCP server resides on a different network from the DHCP client, the interface through which the DHCP server is connected to the DHCP relay agent can have any IP address that does not belong to the address pool, but the interface through which the DHCP relay agent is connected to the DHCP client must have an IP address on the subnet of the address pool, because the server selects the pool by that interface's address (carried in giaddr). To ensure normal communication after the client obtains an IP address, configure that interface with the same mask as the address pool.
2) You can configure static bindings in the same way as in configuration example I. The DHCP server does not perform conflict detection on the IP address of a static binding. Therefore, to ensure connectivity after the client obtains the IP address, specify a static binding whose IP address is on the same network segment as the DHCP relay agent's client-facing interface.
3) Configure a reachable route between the DHCP server and the DHCP client. Otherwise, the client may fail to communicate with the server after obtaining an IP address, or cannot obtain an IP address at all because the server cannot deliver the DHCP-OFFER message. In this example, static routes are configured on the server and the client. You can use routing protocols as well.
4) When multiple DHCP relay agents exist, configure the interface address, the relay agent mode, and the corresponding next-hop server group on each DHCP relay agent, and ensure that the route is reachable. You can also use the DHCP server address as the server group on every relay agent, provided the route to the DHCP server is reachable.
5) To enhance security, you can enable the invalid IP address check feature on the interface through which the DHCP relay agent is connected to the client. With this feature enabled, the DHCP relay agent checks whether a security entry for the requesting client exists on the relay agent. If not, the client cannot access outside networks through the DHCP relay agent. The security entry of a client is recorded in the relay agent's user information.

Troubleshooting
Symptom
The DHCP client (PC) cannot obtain an IP address.
Analysis
The network connection fails, the routes are unreachable, or the interface enabled with the DHCP relay agent does not belong to the subnet of the DHCP address pool configured on the DHCP server.

Solution
1) Check that the IP address of GigabitEthernet 0/1 on the DHCP relay agent (Device B) belongs to the subnet of the DHCP address pool.
2) Check that the DHCP service (dhcp enable) is enabled on Device B.
3) Check that the routes between the devices are reachable. You can manually configure an IP address on the PC and ping the DHCP server and the relay agent to check connectivity.
4) Check that the invalid IP address check feature is disabled on GigabitEthernet 0/2. If the feature is enabled, remove the configuration or add a static security entry for the server on the DHCP relay agent, so that packets can be exchanged normally between the server and the client.
5) View the server group information on the DHCP relay agent and make sure that the relay agent's own interface address is not used as the IP address of the server group.
6) Run the debugging command on the server and on the relay agent respectively to verify that the packet exchange is normal.

References
Protocols and Standards
Routing TCP/IP, Volume II
RFC 2131, Dynamic Host Configuration Protocol
RFC 2132, DHCP Options and BOOTP Vendor Extensions
RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
Related Documentation
H3C MSR 20/30/50 Series Routers User Manual

UTM Series TR-069 Configuration Example

Keywords: TR-069, CWMP, CPE, ACS

Abstract: The CPE WAN Management Protocol (CWMP) was initiated and developed by the Digital Subscriber Line (DSL) Forum. The forum numbers CWMP as TR-069, so it is also called the TR-069 protocol. It is used for the management and configuration of remote devices.

Acronyms:
CWMP: CPE WAN Management Protocol
DSL: Digital Subscriber Line
ACS: Auto-Configuration Server
CPE: Customer Premises Equipment

Table of Contents
Feature Overview
Application Scenarios
Configuration Guidelines
Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Basic Configurations
    Configuring Zones and Interzone Policies
    Configuring TR-069 Parameters
    Configuring NAT for the Outbound Interface
  Verification
    TR-069 Verification
    Debugging Information
Related Documentation

Feature Overview
The CPE WAN Management Protocol (CWMP) was initiated and developed by the Digital Subscriber Line (DSL) Forum. The forum numbers CWMP as TR-069, so it is also called the TR-069 protocol. It defines the general framework, message format, management method, and data model for the management and configuration of home network devices in next-generation networks. The following figure illustrates the basic framework of a CWMP network.

Figure 1 Network diagram for CWMP

As shown in the figure, the basic network elements of CWMP are:
ACS: Auto-configuration server, the management device in the network.
CPE: Customer premises equipment, the managed device in the network.
DNS server: Domain name system server. CWMP specifies that an ACS and a CPE use URLs to identify and access each other; DNS resolves those URLs.
DHCP server: Dynamic Host Configuration Protocol server, which assigns IP addresses to ACSs and CPEs and uses the options field of DHCP packets to provide configuration parameters to the CPE.
The H3C SecPath U200-S acts as the CPE and uses CWMP to communicate with the ACS.

Application Scenarios
CWMP is mainly applied to DSL access networks, which are hard to manage because the user devices are located at customer premises, dispersed, and large in number. CWMP makes management easier by using an ACS to perform remote centralized management of CPEs.

Configuration Guidelines
When configuring TR-069, note the following:
1) Check that the ACS server operates normally and that the background database of the ACS server is open.
2) Obtain the username and password of the ACS server.

3) Configure the username and password of the CPE.
4) TR-069 configuration through the ACS has a higher priority than configuration through the Web interface. Parameters set through the higher-priority mode cannot be modified through the lower-priority mode.

Configuration Example

Network Requirements
In this example the UTM device is a U200-S, and the simplest networking is used: the CPE and the ACS are directly connected. When you connect the CPE to an ACS on the public network, a DNS server is also needed.

Figure 2 Network diagram for TR-069

Configuration Considerations
Configure the IP address of the LAN (internal network) interface GigabitEthernet 0/2 as /24, and add it to zone Trust.
Configure the IP address of the LAN egress interface GigabitEthernet 0/1 as /24, and add it to zone Untrust.

Software Version Used
F5118

Configuration Procedures

Basic Configurations
Assigning IP addresses to interfaces
Select Device Management > Interface from the navigation tree to enter the interface management page.

Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page, configure the interface as shown in the following figure, and then click Apply to return to the interface management page.
Click the icon of GigabitEthernet 0/2 to enter the Edit Interface page, configure the interface as shown in the following figure, and then click Apply to return to the interface management page.

Configuring an ACL
Select Firewall > ACL from the navigation tree to enter the ACL management page, and then click Add to create ACL 2000.
On the ACL management page, click the icon of ACL 2000 and then click Add to create a rule.

Click Apply.

Configuring Zones and Interzone Policies
Adding interfaces to zones
Select Device Management > Zone from the navigation tree to enter the zone management page. Click the icon of zone Trust to enter the zone modification page, add interface GigabitEthernet 0/2 to the zone as shown in the following figure, and then click Apply to return to the zone management page.

Add interface GigabitEthernet 0/1 to zone Untrust in the same way.

Configuring interzone policies
Select Firewall > Security Policy > Interzone Policy from the navigation tree. Click Add and then configure an interzone policy from Trust to Untrust as shown in the following figure.

Configuring TR-069 Parameters
TR-069 parameters
Assume the ACS server and CPE parameters are as follows:
ACS server address:
ACS username: 1234
ACS password: 5678
CPE username: bbms
CPE password: bbms
All ACS server and CPE parameters are provided by the ACS server. The ACS username and password are the credentials the CPE presents when it connects to the ACS; the CPE username and password are the credentials the ACS must present when it sends a connection request to the CPE.
Configure the ACS server address. The port number and the URL must be correct, and the URL is case sensitive.
Select Device Management > TR-069 from the navigation tree, configure the TR-069 parameters as shown in the following figure, and then click Apply.

Configuring NAT for the Outbound Interface
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, and then click Add. Configure NAT for interface GigabitEthernet 0/1 as shown in the following figure, and then click Apply.

Verification
TR-069 Verification
Log in to the ACS server website. You can see that the CPE (the UTM device) is online, and you can then send configurations to the UTM device.

Debugging Information
If the ACS cannot connect to the CPE, display the following debugging information on the UTM device to locate the problem. Also check whether the following parameters of the ACS server are correctly configured on the UTM device.
1) Check that the ACS username and password are correct.
2) Check that the database of the ACS server is open.
3) Check that the CPE username and password are correct.
4) Enable TR-069 debugging:
<U200-S> debugging cwmp ?
  all          All
  error        Error
  information  Information
  packet       Packet
<U200-S> debugging cwmp all
<U200-S> t d            (terminal debugging)
Info: Current terminal debugging is on.
<U200-S> t m            (terminal monitor)
5) To connect to the ACS server immediately after modifying the CWMP configuration, execute the following commands. To view the details of the connection, enable TR-069 debugging again first.
[U200-S] undo cwmp enable
[U200-S] cwmp enable

Related Documentation
TR-069 Configuration in the Web configuration documentation set.

UTM Series Interzone Policy Configuration Example

Keyword: interzone policy

Abstract: Interzone policies, based on ACLs, are used to identify and monitor traffic between zones.

Acronyms:
ACL: Access Control List

Table of Contents
Feature Overview
Application Scenarios
Configuration Guidelines
Interzone Policy Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Assigning IP Addresses to Interfaces
    Adding Interfaces to Zones
    Configuring a Time Range Resource
    Configuring an Address Resource
    Configuring an Interzone Policy
  Verification
    Accessing the External Network from Host Public in Working Hours
    Accessing the External Network from Other Hosts in Working Hours
References
  Protocols and Standards
  Related Documentation

Feature Overview
Interzone policies, based on access control lists (ACLs), identify traffic between zones. An interzone policy references one ACL for each pair of source zone and destination zone. The ACL contains a group of rules, each of which permits or denies the packets matching its criteria. Interzone policies can reference address resources and service resources to define the packet match criteria, and time range resources to specify when the rules are in effect.

Application Scenarios
Interzone policies are used to identify and monitor traffic between zones.

Configuration Guidelines
The number of the ACL referenced by an interzone policy is assigned automatically by the system. When you create the first rule for a pair of zones, the system automatically creates an ACL and assigns it the number one greater than the last assigned ACL number, starting from . If you remove all rules of the interzone policy, the system automatically removes the ACL.
Rules for a pair of source zone and destination zone are listed in match order on the web page. A rule listed earlier has a higher priority and is matched first, and the first matching rule decides the action. By default, the rules are in the order they were created, and you can manually adjust the order.

Interzone Policy Configuration Example
Network Requirements
The U200-S of the UTM series is used in this example. As shown in Figure 1, Device connects the corporate network to the Internet. The corporate network belongs to zone Trust, and the external network belongs to zone Untrust. Configure an interzone policy that allows internal host Public to access the external network at any time and denies all other internal hosts access to the external network during working hours (8:00 to 18:00) on working days (Monday through Friday).

Figure 1 Network diagram for configuring interzone policies

Configuration Considerations
Assign IP addresses to the interfaces.
Configure zones.
Configure a time range resource.
Configure an address resource.
Configure an interzone policy.

Software Version Used
F5118

Configuration Procedures
Assigning IP Addresses to Interfaces
Configuring GigabitEthernet 0/2
From the navigation tree, select Device Management > Interface to enter the interface management page.

Figure 2 Interface management page

Click the icon of interface GigabitEthernet 0/2 to enter the page for configuring the interface. Configure the interface as shown in the following figure, and then click Apply. The interface management page appears, displaying the configuration result.

Figure 3 Configure interface GigabitEthernet 0/2

Configuring GigabitEthernet 0/1
Follow the same procedure to configure GigabitEthernet 0/1. Figure 4 shows the configuration result.

Figure 4 Interface management page

Adding Interfaces to Zones
Adding GigabitEthernet 0/2 to the Trust zone
Select Device Management > Zone from the navigation tree to display the zone list.

Figure 5 Zone list

Click the icon of zone Trust to enter the page for modifying the zone. Add interface GigabitEthernet 0/2 to zone Trust as shown in the following figure, and then click Apply.

Figure 6 Add GigabitEthernet 0/2 to the Trust zone

Adding GigabitEthernet 0/1 to the Untrust zone
Follow the same procedure to add GigabitEthernet 0/1 to zone Untrust. Figure 7 shows the configuration result.

Figure 7 Interface management page

Configuring a Time Range Resource
Configure a time range from 8:00 to 18:00 on working days (Monday through Friday).
Select Resource > Time Range from the navigation tree, and click Add. Perform the configurations shown in Figure 8.

Figure 8 Configure a time range resource

Type worktime in the Name text box.
Select the Periodic Time Range check box.
Set the start time to 8:00.
Set the end time to 18:00.
Select the Mon., Tues., Wed., Thurs., and Fri. check boxes.
Click Apply.

Configuring an Address Resource
Configuring an IP address resource
Select Resource > Address > IP Address from the navigation tree, and then click Add. Perform the configurations shown in Figure 9.

Figure 9 Create an IP address resource

Select the IP Address option.
Type public as the name.
Type  as the IP address, and then click Add to add the address to the IP address list.
Click Apply.

Configuring an Interzone Policy
Configuring a rule that allows host Public to access the external network at any time
Select Firewall > Security Policy > Interzone Policy from the navigation tree, and then click Add. Perform the configurations shown in Figure 10.

Figure 10 Allow host Public to access the external network at any time

Select Trust as the source zone and Untrust as the destination zone.
Select public as the source address.
Select Permit as the filter action.
Select the Enable Syslog check box.
Select the Status check box.
Select the Continue to add next rule check box.
Click Apply.

Configuring a rule that denies all other hosts access to the external network during working time
After the previous step, the interzone policy rule configuration page appears again, with the source and destination zones of the last rule already selected. Perform the configurations shown in Figure 11.

Figure 11 Deny all other hosts' access to the external network during working time

Select Deny as the filter action.
Select worktime as the time range.
Select the Enable Syslog check box.
Select the Status check box.
Click Apply.
Because the permit rule for host Public is listed before the deny rule, it is matched first, and Public is not affected by the working-time restriction. If the order were reversed, the deny rule would match Public's traffic during working hours as well.

Verification
Accessing the External Network from Host Public in Working Hours
You can access the external network from host Public in working hours. Select Log Report > Report > Interzone Policy Log to enter the interzone policy log page. The log shows that the access to the external network is permitted.

Figure 12 Interzone policy log

Accessing the External Network from Other Hosts in Working Hours
In working hours, you cannot access the external network from any other host, for example a host on /24. Select Log Report > Report > Interzone Policy Log to enter the interzone policy log page. The log shows that the access to the external network is denied.

Figure 13 Interzone policy log

References
Protocols and Standards
TCP/IP Routing, Volume II
Related Documentation
Interzone Policy Configuration in the web configuration manual
Address Resource Configuration in the web configuration manual
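The policy configured in this example (permit host Public at any time, then deny every other Trust-to-Untrust flow during worktime), as an added example that is not part of the H3C manual: a Python model of first-match rule evaluation with the time range and syslog behaviour described in the guidelines. The host address 192.0.2.10 for Public, the other internal and external addresses and the timestamps are constructed; the page does not reproduce the real ones. Whether the end time of a periodic time range is inclusive is treated as an assumption (exclusive here), and when no rule matches the function returns None because the device's default interzone action, which the page does not state, then applies.

```python
"""First-match evaluation of the interzone policy configured in this example.

Added example, not H3C code.  The host addresses, the external address and the
timestamps are constructed; rule semantics follow the guidelines above (rules
matched in listed order, a time range limits when a rule applies).
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class TimeRange:
    name: str
    start: str        # "08:00"
    end: str          # "18:00"
    weekdays: set     # 0 = Monday ... 6 = Sunday

    def active(self, at: datetime) -> bool:
        # Assumption: the end time is exclusive.
        return (at.weekday() in self.weekdays
                and time.fromisoformat(self.start) <= at.time() < time.fromisoformat(self.end))


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: Optional[str] = None            # address resource as host or CIDR; None = any
    dst: Optional[str] = None
    time_range: Optional[TimeRange] = None
    enabled: bool = True                 # the Status check box
    syslog: bool = False                 # the Enable Syslog check box


@dataclass
class InterzonePolicy:
    src_zone: str
    dst_zone: str
    rules: List[Rule] = field(default_factory=list)  # in match order


def _matches(spec, ip):
    return spec is None or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(policy, src_ip, dst_ip, at, log=None):
    """Return the action of the first matching enabled rule, or None if no rule
    matches (the device's default interzone action then applies)."""
    when = datetime.fromisoformat(at)
    for index, rule in enumerate(policy.rules):
        if not rule.enabled:
            continue
        if not (_matches(rule.src, src_ip) and _matches(rule.dst, dst_ip)):
            continue
        if rule.time_range is not None and not rule.time_range.active(when):
            continue
        if rule.syslog and log is not None:
            log.append(f"{at} {policy.src_zone}->{policy.dst_zone} rule{index} "
                       f"{rule.action} {src_ip}->{dst_ip}")
        return rule.action
    return None


WORKTIME = TimeRange("worktime", "08:00", "18:00", {0, 1, 2, 3, 4})
# Rule order as configured above: permit host Public first, then deny the rest in worktime.
POLICY = InterzonePolicy("Trust", "Untrust", [
    Rule("permit", src="192.0.2.10", syslog=True),
    Rule("deny", time_range=WORKTIME, syslog=True),
])

if __name__ == "__main__":
    entries = []
    print(evaluate(POLICY, "192.0.2.10", "203.0.113.5", "2024-01-08T10:00", entries))  # Monday
    print(evaluate(POLICY, "192.0.2.20", "203.0.113.5", "2024-01-08T10:00", entries))
    print("\n".join(entries))
```

Swapping the two rules is the mis-ordering the guidelines warn about: with the deny rule first, Public is denied during working hours and only regains access outside them.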

H3C SecPath UTM Series ARP Attack Protection Configuration Example

Keywords: UTM, ARP

Abstract: ARP provides no security mechanism and is therefore prone to attack. The device provides multiple features to detect and prevent ARP attacks. This document describes a configuration example using these features.

Acronyms:
UTM: Unified Threat Management
ARP: Address Resolution Protocol

Table of Contents
Feature Overview
Application Scenarios
Configuration Guidelines
ARP Attack Protection Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Specify Interface Addresses
    Add Interfaces to Zones
    Configure Gratuitous ARP
    Configure ARP Automatic Scanning
    Configure Fixed ARP
  Verification
References
  Protocols and Standards
  Related Documentation

Feature Overview
Although ARP is easy to implement, it provides no security mechanism (ARP requests and replies are neither authenticated nor verified) and is therefore prone to attack. ARP attacks and ARP-based viruses currently threaten LAN security. The device provides multiple features to detect and prevent such attacks.

Application Scenarios
ARP attack protection applies to LANs such as cybercafes and campus networks.

Configuration Guidelines
Sending of gratuitous ARP packets takes effect on an interface only when the link of the interface is up and an IP address has been assigned to the interface.
If you change the interval for sending gratuitous ARP packets, the new interval takes effect at the next sending interval.
Do not enable gratuitous ARP on an interface configured with a VRRP group.
Do not perform other operations during an ARP automatic scan.
Fixed ARP changes dynamic ARP entries into static entries only when the entries were learned on a Layer 3 Ethernet interface, a Layer 3 Ethernet subinterface, or a VLAN interface.

ARP Attack Protection Configuration Example
Network Requirements
The U200-S is used in this configuration example.

Figure 1 Network diagram for ARP attack protection configuration example

Configuration Considerations
Specify interface addresses.

Add interfaces to security zones.
Configure gratuitous ARP.
Configure ARP automatic scanning.
Configure fixed ARP.

Software Version Used
F5118

Configuration Procedures
Specify Interface Addresses
Specify the IP address of GigabitEthernet 0/1
Select Device Management > Interface from the navigation tree.

Figure 2 Interfaces

Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.

Figure 3 Edit interface GigabitEthernet 0/1

Specify the IP address of GigabitEthernet 0/2

Specify the IP address of GigabitEthernet 0/2 in a similar way, as shown in the figure below.

Figure 4 Interfaces

Add Interfaces to Zones

Add GigabitEthernet 0/1 to the Trust zone

Select Device Management > Zone from the navigation tree.

Figure 5 Security zones

Click the icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/1 to the Trust zone as shown in the figure below, and then click Apply to return to the Zone page.

Figure 6 Add GigabitEthernet 0/1 to the Trust zone

Add GigabitEthernet 0/2 to the Untrust zone

Add GigabitEthernet 0/2 to the Untrust zone in a similar way. The result is shown in the figure below.

Figure 7 Interfaces

Configure Gratuitous ARP

Introduction to gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of that device, and the packet is sent to the broadcast MAC address ff:ff:ff:ff:ff:ff, so every host on the segment receives it. By sending gratuitous ARP packets, a device can:

- Determine whether its IP address is already in use by another device (a reply to the gratuitous request indicates an address conflict).
- Inform other devices that its MAC address has changed, so that they update their ARP entries.

A device receiving a gratuitous ARP packet adds the sender's IP-to-MAC mapping to its dynamic ARP table if no entry for that IP address exists. Gratuitous ARP carries no authentication: hosts accept the mapping from whichever device sends it, which is exactly what an ARP spoofing attacker exploits. Periodic gratuitous ARP from the gateway therefore helps hosts keep a correct entry for the gateway, but it does not by itself stop a spoofed entry from being installed.

Configuring sending of gratuitous ARP packets

Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree. Select GigabitEthernet 0/1, leave the default sending interval unchanged or type a specific value, click <<, and then click Apply. After that, all devices on the internal network hold an ARP entry for the internal interface GigabitEthernet 0/1.

Figure 8 Configure sending of gratuitous ARP packets

Configure ARP Automatic Scanning

Introduction to ARP automatic scanning

With ARP automatic scanning enabled on an interface, the device sends ARP requests to every address in the specified range (or in the subnet of the interface) on that interface, collects the MAC addresses from the replies, and creates dynamic ARP entries for the hosts that answer.

Configuring ARP automatic scanning

Select Firewall > ARP Anti-Attack > Scan from the navigation tree. Select GigabitEthernet 0/1 and type the start IP address and the end IP address, as shown in the figure below. If no start and end IP addresses are specified, the device scans the network segment derived from the mask of the interface address.

Figure 9 Configure ARP automatic scanning

Configure Fixed ARP

Introduction to fixed ARP

Fixed ARP converts dynamic ARP entries (including those created by ARP automatic scanning) into static ARP entries. A static entry is never overwritten by a received ARP packet, so an attacker on the LAN cannot change the device's mapping for a protected host by sending spoofed ARP replies. The protection covers only the device's own ARP table, not the tables of the hosts behind it, and a host whose MAC address legitimately changes (for example, after a NIC replacement) loses connectivity through the device until its static entry is deleted and relearned.

Configuring fixed ARP

Select Firewall > ARP Anti-Attack > Fix from the navigation tree. All dynamic and static ARP entries learned by the UTM are displayed, including those obtained by ARP automatic scanning.

Figure 10 ARP entries

- To change one or more dynamic ARP entries into static entries, select them and click Fix.
- To remove one or more static ARP entries, select them and click Del Fixed.
- To change all dynamic ARP entries into static entries, click Fix All.
- To delete all static ARP entries, click Del All Fixed.

Figure 11 Configure fixed ARP
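The gratuitous ARP format described above and the protection fixed ARP provides can be exercised in code. The following Python is an added example, not part of the H3C documentation or firmware: it builds and parses Ethernet/ARP frames, classifies gratuitous ARP the way the text defines it, and models an ARP table in which dynamic entries are overwritten by any later ARP frame while fixed (static) entries reject a conflicting frame. All MAC and IP addresses are constructed for the example.

```python
"""Ethernet/ARP frame builder and parser, gratuitous ARP classification, and a model
of dynamic versus fixed ARP entries. Added example, not H3C code; addresses are
constructed and carry no significance."""
import struct
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def is_gratuitous(self) -> bool:
        # Sender IP == target IP, the sender announces its own MAC, and the frame is
        # broadcast: the definition given in the text.
        return (self.sender_ip == self.target_ip
                and self.sender_mac == self.src_mac
                and self.dst_mac == BROADCAST_MAC)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode a 42-byte Ethernet II + ARP (IPv4 over Ethernet) frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return ArpFrame(_mac(dst), _mac(src), opcode, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(src_mac, sender_ip, target_ip, opcode=ARP_REQUEST,
              dst_mac=BROADCAST_MAC, target_mac="00:00:00:00:00:00") -> bytes:
    """Build an ARP frame; with sender_ip == target_ip and a broadcast dst it is gratuitous."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac(src_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


class ArpTable:
    """Minimal model of the UTM's ARP table. A dynamic entry is replaced by whatever the
    next ARP frame claims (this is the spoofing exposure); a fixed entry is never changed,
    and a conflicting frame is recorded instead of applied."""
    def __init__(self):
        self.entries = {}    # ip -> (mac, is_static)
        self.conflicts = []  # (ip, existing_mac, claimed_mac) rejected by a fixed entry

    def learn(self, f: ArpFrame):
        current = self.entries.get(f.sender_ip)
        if current is None:
            self.entries[f.sender_ip] = (f.sender_mac, False)
        elif current[0] != f.sender_mac:
            if current[1]:
                self.conflicts.append((f.sender_ip, current[0], f.sender_mac))
            else:
                self.entries[f.sender_ip] = (f.sender_mac, False)

    def fix_all(self):
        """Equivalent of 'Fix All': every dynamic entry becomes static."""
        self.entries = {ip: (mac, True) for ip, (mac, _) in self.entries.items()}
```

Running `build_arp` with the same sender and target IP gives a frame that `parse_arp(...).is_gratuitous()` accepts; feeding a second frame that claims the same IP with a different MAC overwrites the entry in a table of dynamic entries but is recorded in `conflicts` after `fix_all()`, which is the behaviour fixed ARP provides on the device.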

Verification

Verify gratuitous ARP

Capture packets on the internal /24 network. A gratuitous ARP packet sent from GigabitEthernet 0/1 is captured at the configured sending interval (every two seconds in this example).

Figure 12 Capture gratuitous ARP packets

Verify automatic ARP scanning

After an automatic ARP scan is complete, the ARP table contains entries for all hosts on the internal network that answered. Select Firewall > ARP Management > ARP Table from the navigation tree to view all ARP entries. For example, the ARP entries for the internal /24 segment are shown in the figure below.

Figure 13 ARP entries

Verify fixed ARP

On the Firewall > ARP Anti-Attack > Fix page, select the ARP entry of the host to be protected and click Fix. When a dynamic ARP entry is changed into a static entry, it is displayed at the beginning of the ARP table.

Figure 14 Verify fixed ARP

Verify deletion of fixed ARP entries

On the Firewall > ARP Anti-Attack > Fix page, select the static ARP entry of that host and click Del Fixed. A message box is displayed as shown in the figure below. Click OK. The static ARP entry is removed; the entry reappears as a dynamic entry when it is learned again or when an ARP scan is run on the corresponding interface.

Figure 15 Verify deletion of fixed ARP entries

References

Protocols and Standards

RFC 826: An Ethernet Address Resolution Protocol

Related Documentation

ARP Attack Protection Configuration in the Web configuration documentation set

UTM Series Attack Protection Configuration Example

Keywords: Attack protection, scanning, blacklist

Abstract: This document describes the attack protection functions of the H3C UTM firewalls, including SYN flood attack protection, UDP flood attack protection, ICMP flood attack protection, scanning attack protection, single-packet attack protection, static blacklist, and dynamic blacklist. It also presents the configuration and verification methods in detail through examples.

Acronyms:

Acronym  Full spelling
DDOS     Distributed Denial of Service
HTTP     Hypertext Transfer Protocol
ICMP     Internet Control Message Protocol
IP       Internet Protocol
TCP      Transmission Control Protocol
UDP      User Datagram Protocol

Table of Contents

Feature Overview
Application Scenarios
Configuration Guidelines
Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Basic Configurations
    Configuring Attack Protection
      Configuring the Static Blacklist Function
      Configuring the Dynamic Blacklist Function
      Configuring ICMP Flood Attack Protection
      Configuring UDP Flood Attack Protection
      Configuring SYN Flood Attack Protection
      Configuring Scanning Prevention
      Configuring Packet Inspection
  Verification
    Static Blacklist
    Dynamic Blacklist
    ICMP Flood Attack Protection
    UDP Flood Attack Protection
    SYN Flood Attack Protection
    Scanning Prevention
    Packet Inspection

Feature Overview

Attack protection is an important firewall feature. It allows the firewall to detect attacks by analyzing the contents and behavioral characteristics of received packets and, based on the result, to take countermeasures such as blacklisting the source IP address, outputting alarm logs, and discarding packets. The feature detects various Denial of Service (DoS) attacks, scanning attacks, and malformed-packet attacks by using blacklists, matching packets against attack signatures, and detecting traffic anomalies, and it also provides attack statistics.

Application Scenarios

The attack protection feature is usually deployed at the egress of a campus or corporate network to detect and handle attack packets passing between the internal and external networks, so as to protect the internal network.

Configuration Guidelines

1) Packet inspection and scanning prevention take effect only on the inbound direction of a security zone, that is, on traffic entering the device from that zone. Configure them on the zone where the attacks originate (the Untrust zone in this example); configured on the zone being protected, they do not take effect.
2) The flood attack protection functions take effect only on the outbound direction of a security zone, that is, on traffic leaving the device towards that zone. Configure them on the zone that contains the hosts to be protected (the Trust zone in this example); configured on the zone where the attacks originate, they do not take effect.

Configuration Example

Network Requirements

In this configuration example, the UTM device is a UTM200-S.

Figure 1 Network diagram for attack protection configuration

Configuration Considerations

- Add the interface connecting the internal network (GigabitEthernet 0/2) to zone Trust.
- Add the interface connecting the external network (GigabitEthernet 0/1) to zone Untrust.

Software Version Used

F5118

Configuration Procedures

Basic Configurations

Assigning IP addresses to interfaces

From the navigation tree, select Device Management > Interface to enter the interface management page. Click the icon of GigabitEthernet 0/1 to enter the interface configuration page. Then, configure the interface as follows and click Apply to return to the interface management page.

Click the icon of GigabitEthernet 0/2 to enter the interface configuration page. Then, configure the interface as follows and click Apply to return to the interface management page.

Configuring the ACL

From the navigation tree, select Firewall > ACL to enter the ACL management page, and click Add to create the ACL. On the ACL management page, click the icon of ACL 2000 and then click Add to create a rule that permits all packets. Click Apply.

Adding interfaces to zones

From the navigation tree, select Device Management > Zone to enter the security zone management page. Click the icon of zone Trust to enter the security zone modification page. Then, add interface GigabitEthernet 0/2 to the zone as follows and click Apply to return to the security zone management page.

Add interface GigabitEthernet 0/1 to zone Untrust in the same way.

Configuring interzone policies

From the navigation tree, select Firewall > Security Policy > Interzone Policy. Click Add and then configure an interzone policy from Untrust to Trust as follows:

Configuring NAT for the outbound interface

From the navigation tree, select Firewall > NAT Policy > Dynamic NAT, and click Add. Configure NAT for interface GigabitEthernet 0/1 as follows, and then click Apply.

Configuring Attack Protection

Configuring the Static Blacklist Function

From the navigation tree, select Intrusion Detection > Blacklist. Select the Enable Blacklist check box and click Apply to enable the blacklist function. Click Add, type the IP address to be blacklisted, specify the lifetime of the blacklist entry, and click Apply.

Configuring the Dynamic Blacklist Function

From the navigation tree, select Intrusion Detection > Blacklist. Select the Enable Blacklist check box and click Apply to enable the blacklist function. Dynamic entries are then added automatically by the functions that identify an attack source, such as scanning prevention configured with Add a source IP to the blacklist and login failure detection.

Configuring ICMP Flood Attack Protection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood. Select security zone Trust, select Discard packets when the specified attack is detected, and click Apply. In the ICMP Flood Configuration area, click Add and add the address of the host to be protected as a protected object.

Configuring UDP Flood Attack Protection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood. Select security zone Trust, select Discard packets when the specified attack is detected, and click Apply. In the UDP Flood Configuration area, click Add and add the address of the host to be protected as a protected object.

Configuring SYN Flood Attack Protection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood. Select security zone Trust, select Discard packets when the specified attack is detected, and click Apply. In the SYN Flood Configuration area, click Add and add the address of the host to be protected as a protected object.

Configuring Scanning Prevention

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection. Select security zone Untrust, select Enable Scanning Detection and Add a source IP to the blacklist, and click Apply.

Configuring Packet Inspection

Packet inspection detects single-packet attacks, which are identified from the contents of an individual packet rather than from traffic volume or session state: the device checks whether a packet carries the signature of one of the selected attack types. From the navigation tree, select Intrusion Detection > Packet Inspection. Select security zone Untrust and the types of attacks to be detected, and click Apply.

Verification

On PC 2, use a packet constructing tool to simulate various attacks targeting the host or server in the internal network.

Static Blacklist

Before the static blacklist entry expires or is cleared, PC 2 cannot ping the IP address of the UTM device's interface GigabitEthernet 0/1. When PC 2 is not in the blacklist, PC 2 can ping the IP address of GigabitEthernet 0/1.

Dynamic Blacklist

From a PC in the external network, log in to the server in the internal network, entering the correct username with a wrong password five times. Select Intrusion Detection > Blacklist from the navigation tree: the IP address of the PC has been added to the blacklist.

Because Add a source IP to the blacklist was selected when configuring scanning prevention, the device also adds scanning sources to the blacklist automatically. For details, see Scanning Prevention.

ICMP Flood Attack Protection

Use SmartBits to send ICMP packets destined for the protected host in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently.

SmartBits is a traffic generator and protocol analyzer from Spirent Communications.

For ICMP flood, UDP flood, and SYN flood attacks, the sampling interval of the device is one second. If the number of half-open connections or the session establishment rate exceeds the threshold in three consecutive sampling intervals, the device considers that an attack is in progress. The first and last sampling intervals of a test run are usually only partially filled, so when using SmartBits to simulate a flood attack, send attack packets for at least four seconds to guarantee three full intervals above the threshold.

Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of ICMP flood attacks and the number of dropped ICMP flood attack packets.

UDP Flood Attack Protection

Use SmartBits to send UDP packets from zone Untrust to the protected host in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently. Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of UDP flood attacks and the number of dropped UDP flood attack packets.

SYN Flood Attack Protection

Use SmartBits to send TCP SYN packets from zone Untrust to the protected host in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently. Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of SYN flood attacks and the number of dropped SYN flood attack packets.

Scanning Prevention

Use SmartBits to send packets from zone Untrust to zone Trust at a rate higher than 500 frames per second, keeping the source address the same and changing the destination address frequently. Select Intrusion Detection > Statistics from the navigation tree and then select zone Untrust. You can view the number of scanning attacks and the number of dropped scanning attack packets.

Because Add a source IP to the blacklist was selected when configuring scanning prevention, the device automatically adds scanning sources to the blacklist, and the source address used in the attack packets appears on the blacklist.
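The detection rules quoted in the flood and scanning verification steps above (one-second sampling, three consecutive intervals over threshold, a single source fanning out to many destinations, the source pushed onto the dynamic blacklist) can be reproduced offline. The following Python is an added example and not H3C code: it implements those rules over synthetic traffic, and shows why a three-second burst starting mid-interval is not declared an attack while a four-second one is. The 1000 pps and 500/s thresholds follow the test traffic described in the text; the 600-second blacklist lifetime and all addresses are assumptions.

```python
"""Rate-based flood and scan detection modelled on the thresholds quoted above.
Added example, not H3C code. Traffic is synthesised below; the blacklist lifetime
and the addresses are assumptions."""
from collections import defaultdict

FLOOD_THRESHOLD_PPS = 1000   # per protected destination, per 1-second sampling interval
CONSECUTIVE_INTERVALS = 3    # intervals over threshold before an attack is declared
SCAN_THRESHOLD = 500         # distinct destinations from one source within one second
BLACKLIST_LIFETIME_S = 600   # assumed; the device lets you set a lifetime per entry


def detect_floods(packets, threshold=FLOOD_THRESHOLD_PPS, consecutive=CONSECUTIVE_INTERVALS):
    """packets: iterable of (ts, proto, src, dst). Returns {(proto, dst): interval}, the
    1-second interval in which each flood was declared, i.e. the third consecutive interval
    whose packet count exceeded the threshold. A quiet or missing interval resets the streak."""
    counts = defaultdict(int)
    for ts, proto, _src, dst in packets:
        counts[(proto, dst, int(ts))] += 1
    per_target = defaultdict(dict)
    for (proto, dst, interval), n in counts.items():
        per_target[(proto, dst)][interval] = n
    declared = {}
    for key, intervals in per_target.items():
        streak, prev = 0, None
        for interval in sorted(intervals):
            if prev is not None and interval != prev + 1:
                streak = 0                      # an empty interval in between breaks the streak
            streak = streak + 1 if intervals[interval] > threshold else 0
            prev = interval
            if streak >= consecutive:
                declared[key] = interval
                break
    return declared


def detect_scans(packets, threshold=SCAN_THRESHOLD):
    """A source that contacts more than `threshold` distinct destinations within one
    sampling interval is a scanner. Returns {src: interval of first detection}."""
    dests = defaultdict(set)
    for ts, _proto, src, dst in packets:
        dests[(src, int(ts))].add(dst)
    found = {}
    for (src, interval), ds in sorted(dests.items(), key=lambda kv: kv[0][1]):
        if len(ds) > threshold and src not in found:
            found[src] = interval
    return found


class Blacklist:
    """Dynamic blacklist keyed on source address; entries age out after `lifetime` seconds."""
    def __init__(self, lifetime=BLACKLIST_LIFETIME_S):
        self.lifetime = lifetime
        self.expiry = {}

    def add(self, src, now):
        self.expiry[src] = now + self.lifetime

    def is_blocked(self, src, now):
        exp = self.expiry.get(src)
        if exp is None:
            return False
        if now >= exp:
            del self.expiry[src]                # expired: the source may talk again
            return False
        return True


def synth_flood(dst, proto, start, seconds, pps):
    """Constructed flood: `pps` packets per second toward `dst` with rotating source addresses."""
    return [(start + i / pps, proto, f"203.0.113.{i % 200 + 1}", dst)
            for i in range(int(seconds * pps))]


def synth_scan(src, start, n):
    """Constructed scan: one source, `n` distinct destination address:port pairs in one second."""
    return [(start + i / n, "tcp", src, f"10.1.1.{i % 254 + 1}:{1024 + i}") for i in range(n)]


def run(packets):
    """Flood statistics plus scan sources pushed onto the dynamic blacklist."""
    floods, scans = detect_floods(packets), detect_scans(packets)
    blacklist = Blacklist()
    for src, interval in scans.items():
        blacklist.add(src, interval)
    return floods, scans, blacklist
```

A 1200 pps SYN burst that starts at t = 0.5 s and lasts three seconds fills only two whole intervals (the first and last half-seconds hold 600 packets each), so `detect_floods` returns nothing; the same burst lasting four seconds yields three full intervals and is declared in the third, which is the reason the text asks for at least four seconds of test traffic. The rotating sources of the flood never touch more than one destination, so they are not mistaken for scanners.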

Packet Inspection

Construct test packets as described in the following table, which lists the single-packet attack types that the device can detect and protect against.

No.  Attack type        Packet characteristics
1    Tracert            ICMP packets with an increasing TTL (starting from 1), as sent by Windows, or UDP packets with a large destination port number and an increasing TTL (starting from 1)
2    Large_ICMP         ICMP packets larger than the allowed size
3    Smurf              ICMP packets whose destination address is a broadcast address or a subnet address
4    ICMP Redirect      ICMP redirect packets (type 5)
5    ICMP Unreachable   ICMP destination unreachable packets (type 3)
6    Fraggle            UDP packets with a destination port of 19 (chargen) or 7 (echo)
7    WinNuke            TCP packets with a destination port of 139, the URG bit set, and a non-zero urgent pointer
8    TCP Flag           TCP packets with an invalid flag combination
9    Land               TCP SYN packets whose source address is on the segment, or is the same as the destination address
10   Route Record       IP packets carrying the Record Route option (0x07)
11   Source Route       IP packets carrying a Source Route option whose option type is loose source routing (0x83) or strict source routing (0x89)

Select Intrusion Detection > Statistics from the navigation tree and then select zone Untrust. You can view the count of each kind of attack and the count of dropped attack packets.
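To see what the signatures in the table above actually test on the wire, the following Python is an added example and not H3C code: it builds IPv4/TCP/UDP/ICMP packets with the stdlib `struct` module and classifies each one against the table. Values the page does not give are assumptions, marked in the code: the maximum accepted ICMP size, the traceroute UDP port floor, the protected subnets used for the Smurf check, the set of flag combinations treated as invalid, and Land implemented only as source equal to destination.

```python
"""Single-packet inspection against the signature table above. Added example, not
H3C code. Constants marked 'assumed' are not taken from the page; packets are
constructed, never captured."""
import ipaddress
import struct

LARGE_ICMP_MAX = 1500           # assumed: largest ICMP packet accepted, in bytes
TRACERT_UDP_PORT_MIN = 33434    # assumed: the "large destination port" traceroute uses
LOCAL_NETWORKS = [ipaddress.ip_network("10.1.1.0/24")]   # assumed protected subnets (Smurf)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def build_ipv4(src, dst, proto, payload, ttl=64, options=b""):
    """IPv4 header (checksum left zero) with optional options, padded to 32 bits."""
    opts = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      ttl, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + opts + payload


def build_tcp(sport, dport, flags, urg_ptr=0):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp(itype, code=0, payload=b""):
    return struct.pack("!BBHHH", itype, code, 0, 0, 0) + payload


def _ip_option_types(opts):
    """Yield the option-type octets present (RFC 791: EOL=0 ends the list, NOP=1 has no length)."""
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:
            break
        if t == 1:
            i += 1
            continue
        yield t
        if i + 1 >= len(opts):
            break
        i += max(opts[i + 1], 2)


def inspect(pkt: bytes) -> list:
    """Return the attack names from the table that this IPv4 packet matches (empty if clean)."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    opts, l4 = pkt[20:ihl], pkt[ihl:]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    types = set(_ip_option_types(opts))
    if 7 in types:
        hits.append("Route Record")
    if 0x83 in types or 0x89 in types:
        hits.append("Source Route")
    if proto == 1:                                   # ICMP
        itype = l4[0]
        if itype == 8 and ttl == 1:                  # echo request with TTL 1: traceroute probe
            hits.append("Tracert")
        if len(pkt) > LARGE_ICMP_MAX:
            hits.append("Large_ICMP")
        if any(dst_ip in (n.broadcast_address, n.network_address) for n in LOCAL_NETWORKS):
            hits.append("Smurf")
        if itype == 5:
            hits.append("ICMP Redirect")
        if itype == 3:
            hits.append("ICMP Unreachable")
    elif proto == 17:                                # UDP
        _sport, dport = struct.unpack("!HH", l4[:4])
        if dport in (7, 19):
            hits.append("Fraggle")
        if ttl == 1 and dport >= TRACERT_UDP_PORT_MIN:
            hits.append("Tracert")
    elif proto == 6:                                 # TCP
        _sport, dport, _, _, _, flags, _, _, urg = struct.unpack("!HHIIBBHHH", l4[:20])
        if dport == 139 and flags & TCP_URG and urg != 0:
            hits.append("WinNuke")
        invalid = (flags == 0 or (flags & TCP_SYN and flags & TCP_FIN)
                   or (flags & TCP_SYN and flags & TCP_RST) or (flags & 0x3F) == 0x3F)
        if invalid:                                  # assumed definition of "improper flags"
            hits.append("TCP Flag")
        if flags & TCP_SYN and src_ip == dst_ip:     # Land: only the src == dst condition here
            hits.append("Land")
    return hits
```

Each builder returns raw bytes, so the same functions serve to craft the test packets the verification step asks for and to check what the inspection engine should report for them; a clean SYN to port 443 from an external address produces an empty list.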

UTM Series Bandwidth Management Configuration Example

Keyword: Bandwidth management

Abstract: The UTM bandwidth management function can block selected applications and perform application-based and policy-based bandwidth control as required.

Acronyms:

Acronym  Full spelling
HTTP     Hypertext Transfer Protocol

Table of Contents

Overview
  Introduction to Bandwidth Management
  Introduction to Services
Application Scenarios
Precautions
Configuration Example
  Network Requirements
  Configuration Considerations
  Applicable Versions
  Configuration Procedures
    Basic Configuration
    Configuring a Bandwidth Management Policy
  Verification

Overview

Introduction to Bandwidth Management

By purpose, network traffic can be divided into multiple service types (VoIP, for example). Bandwidth management applies different management and control behaviors to different service types, so it consists of two major components: the service and the service-specific control behavior.

A service can be system-defined or user-defined. All services are organized into a tree, called the service tree, in which each node represents a service. The device determines the service type of a received packet from its application protocol and IP addresses, and then performs the action configured in the user-defined rule for that service (block or rate-limit). Additionally, you can configure per-segment bandwidth management policies to control network traffic more flexibly.

Introduction to Services

A service is a set of match rules; all network behavior conforming to the match rules belongs to the service. A match rule consists of a protocol, a node, and a direction: the protocol is the network protocol, the node is a specific device or the devices in a network segment, and the direction is the probe direction. Together, the three determine that packets of a given protocol sent or received by the specified device (or the devices in the specified segment) match the rule.

A service by itself does not manage or control the network. A policy references the service, and the policy together with the service manages and controls the traffic. Services are organized into a tree with a single root node; except for the root, any service can be appended to another service as its child, the other service being the parent.

Application Scenarios

Bandwidth management is applicable to enterprises and campuses. It guarantees bandwidth for the mission-critical applications of the user network by applying flexible bandwidth controls to applications and limiting non-critical ones.

Precautions

When configuring bandwidth management, note that:

1) A bandwidth management policy that is applied to a segment cannot be deleted. Deleting such a policy on the bandwidth management display page removes only its application to the segment, not the policy itself.
2) A packet can match only one bandwidth management policy on a segment. When multiple bandwidth management policies are configured for a segment, the policy with the smaller IP address range has the higher priority. When multiple policies have the same IP address range, the policy configured first is matched preferentially.

Configuration Example

Network Requirements

The UTM device used in this example is a UTM200-S. The internal network segment of the company is a /24. Configure a bandwidth management policy on the Device to perform the following actions on the incoming and outgoing traffic of the company's users, excluding one host that is exempted by its IP address:

- Block the FTP service.
- Rate-limit the BitTorrent service.

Figure 1 Network diagram for bandwidth management configuration

Configuration Considerations

- Redirect the traffic to be inspected into the Device.
- Configure a bandwidth management policy.
- Activate the configuration.

Applicable Versions

F5118

Configuration Procedures

Basic Configuration

Configure interface GigabitEthernet 0/2

Select Device Management > Interface from the navigation tree. Click the icon corresponding to GigabitEthernet 0/2 to enter the Edit Interface page. Configure interface GigabitEthernet 0/2 as shown in the following figure, and then click Apply.

Select Device Management > Zone from the navigation tree. Click the icon corresponding to zone Trust to enter the Modify Zone page. Add GigabitEthernet 0/2 to zone Trust as shown in the following page, and click Apply to return to the Zone page.

Configure interface GigabitEthernet 0/1

In a similar way, configure the IP address of interface GigabitEthernet 0/1 (a /24 address) and add the interface to zone Untrust. After the configuration, select Device Management > Interface from the navigation tree to see the information about interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2.

Configure NAT

Because the internal network and the external network are on different network segments, for internal users to reach the external network through the Device you must configure a NAT policy on interface GigabitEthernet 0/1. In this example, ACL 2000 matches the traffic to be translated and the NAT method is Easy IP, which uses the address of the outbound interface as the translated source address.

Select Firewall > ACL from the navigation tree and then click Add on the displayed page. On the Add ACL page, create the ACL, and then configure its rules. In this example, configure ACL 2000 to permit packets whose source address is in the internal /24 segment.

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, click Add in the Dynamic NAT field, and perform the configuration shown in the following figure.

Configure a flow redirecting policy

Configure a flow redirecting policy to redirect the traffic matching ACL 3000 between zone Trust and zone Untrust to segment 0. First, select Firewall > ACL from the navigation tree and then click Add on the displayed page. On the Add ACL page, create the ACL, and then configure the rules of ACL 3000 as shown in the following figure.

Select IPS AV Application Control > Advanced Configuration from the navigation tree, click Add in the Flow Redirect Policy field, and configure the redirection of traffic matching ACL 3000 between zone Trust and zone Untrust to segment 0, as shown in the following figure.

Configuring a Bandwidth Management Policy

Enter the application security policy configuration page

Select IPS AV Application Control > Advanced Configuration from the navigation tree, and click Application Security Policy to enter the application security policy configuration page.

Configure a bandwidth management policy

Configure rules for the default bandwidth management policy Service Control Policy, and apply the policy to segment 0.

1) On the Bandwidth Management > Bandwidth Policies page, click the icon corresponding to policy Service Control Policy.
2) On the Rule Configuration page, click Add to create a rule and then click the icon of the rule. On the Select Service page that appears, select BitTorrent, and then click Apply.
3) On the Rule Configuration page, click Add to create a second rule and then click the icon of the rule. On the Select Service page that appears, select File Server, and then click Apply.
4) On the Rule Configuration page, select action set Block for the File Server service.
5) On the Rule Configuration page, select action set Rate Limit for the BitTorrent service, and set both the up bandwidth and the down bandwidth to 400 kbps.
6) On the Apply Policy to page, click Add to add a scope, and click the icon of the new entry. On the Apply Policy page that appears, perform the following configuration:

- Select segment 0.
- Select Internal Zone for the Management Zone.
- Add the internal /24 network to Internal Zone IP Addresses.
- Add the exempted host (as a /32) to Internal Zone Excluded IP Addresses.
- Click Apply.

After the configuration above, the Bandwidth Management Policy Application page appears. On that page, click Apply.

Activate the configuration

After the configuration above, the policy application display page appears, as shown in the following figure. Click Activate, and a confirmation dialog box appears. Click OK to activate the configuration.

Verification

1) The internal user at the excluded IP address tries to access the external FTP server and download external BT resources. Because this address is excluded, the user is not restricted by the bandwidth management policy: the user can access the FTP server, and the BT download rate reaches about 280 KB/s.
2) The other internal users try to access the external FTP server and download external BT resources. Because of the bandwidth management policy, they cannot access the FTP server, and their BT download rate is about 50 KB/s, which corresponds to the configured 400 kbps limit.

UTM Series IPS Configuration Example

Keywords: IPS

Abstract: This document describes an IPS configuration example for the UTM device.

Acronyms:

Acronym  Full spelling
UTM      Unified Threat Management
IPS      Intrusion Prevention System

Table of Contents

Feature Overview
Application Scenarios
Configuration Guidelines
IPS Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Basic Configuration
    IPS Detection Configuration
  Verification
References
  Related Documentation

Feature Overview

An Intrusion Prevention System (IPS) is deployed inline on network links. It analyzes the packets and traffic passing through it and automatically blocks those identified as malicious. Generally, an IPS can block, isolate, or disrupt such traffic to prevent suspicious code from being delivered to and executed on target hosts. You configure policies that define the real-time analysis, the traffic to be detected, and the predefined actions the IPS executes.

Application Scenarios

The IPS feature analyzes and detects abnormal traffic and packets in the network and takes the corresponding actions to protect hosts from attack.

Configuration Guidelines

All configurations are based on the default configuration of the device. When configuring IPS, note that:

- You cannot delete an IPS policy that has been applied to a segment.
- You cannot delete the system default IPS policy and its rules.
- For a packet on a segment, the system uses at most one IPS policy application scheme. If multiple application schemes are configured for a segment, then for each packet the system sorts the schemes matching the packet by IP address scope and uses the scheme with the smallest scope. If two schemes have the same IP address scope, the one configured earlier has the higher priority.

IPS Configuration Example

Network Requirements

The company's internal network segment is a /24, and the external network segment is a /22. A host in the internal network acts as the Web server and connects to interface GigabitEthernet 0/2 of the UTM device. Configure an IPS policy on the UTM device to protect the Web server from attacks from external networks.

Figure 1 Network diagram for IPS configuration
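The bandwidth management Precautions and the IPS Configuration Guidelines state the same precedence rule for policy applications on a segment: a packet is governed by at most one application, the smallest IP address scope wins, and equal scopes are resolved in configuration order. The following Python is an added example and not H3C code; it implements that rule, together with the excluded-address list from the bandwidth example, so the effect of overlapping applications can be checked before they are activated. The segment layout, policy names, and addresses are constructed.

```python
"""Policy-application selection on a segment following the precedence rules in the
text: smallest scope first, then configuration order; excluded addresses do not
match. Added example, not H3C code; addresses and policy names are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PolicyApplication:
    policy: str
    segment: int
    scope: ipaddress.IPv4Network                     # Internal Zone IP Addresses
    excluded: list = field(default_factory=list)     # Internal Zone Excluded IP Addresses
    actions: dict = field(default_factory=dict)      # service -> action, e.g. {"FTP": "block"}

    def covers(self, addr) -> bool:
        return addr in self.scope and not any(
            addr in ipaddress.ip_network(x) for x in self.excluded)


class Segment:
    def __init__(self, segment_id):
        self.id = segment_id
        self.applications = []                       # kept in configuration order

    def apply(self, app: PolicyApplication):
        if app.segment != self.id:
            raise ValueError(f"{app.policy} targets segment {app.segment}, not {self.id}")
        self.applications.append(app)

    def select(self, ip):
        """Return the single application that governs `ip`, or None if none matches."""
        addr = ipaddress.ip_address(ip)
        candidates = [a for a in self.applications if a.covers(addr)]
        # sorted() is stable: equal scopes keep configuration order, so the first configured wins
        candidates.sort(key=lambda a: a.scope.num_addresses)
        return candidates[0] if candidates else None

    def action(self, ip, service):
        """Action for a service from `ip`; traffic no application governs is permitted."""
        app = self.select(ip)
        return app.actions.get(service, "permit") if app else "permit"


def demo_segment():
    """Constructed configuration mirroring the bandwidth example (one policy for the
    internal /24 with one excluded host) plus a narrower and an equal-scope policy
    configured later, to exercise both precedence rules."""
    seg = Segment(0)
    seg.apply(PolicyApplication("Service Control Policy", 0, ipaddress.ip_network("10.1.1.0/24"),
                                excluded=["10.1.1.200/32"],
                                actions={"FTP": "block", "BitTorrent": "rate-limit 400kbps"}))
    seg.apply(PolicyApplication("Lab Policy", 0, ipaddress.ip_network("10.1.1.0/25"),
                                actions={"FTP": "permit"}))
    seg.apply(PolicyApplication("Later Duplicate", 0, ipaddress.ip_network("10.1.1.0/24"),
                                actions={"FTP": "permit", "BitTorrent": "permit"}))
    return seg
```

With the constructed segment, a host in the narrower /25 is governed by Lab Policy even though Service Control Policy was configured first; a host in the upper half of the /24 matches two equal-scope applications and gets Service Control Policy because it was configured earlier; the excluded host falls through to the next application that covers it, which is why an exclusion on one policy is not the same as exempting the host from the segment.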

Configuration Considerations
- Redirect the traffic requiring detection to depth detection.
- Create an IPS policy.
- Configure rules for the IPS policy.
- Apply the IPS policy to a segment.

Software Version Used
F5118

Configuration Procedures
Basic Configuration
Configuring interface GigabitEthernet 0/1
Select Device Management > Interface from the navigation tree, and click the icon of GigabitEthernet 0/1 to enter the page for editing the interface. Perform the configurations as in the following figure and click Apply to finish the configuration.

Select Device Management > Zone from the navigation tree, and click the icon of the Untrust zone to enter the page for modifying the zone. Add interface GigabitEthernet 0/1 to the Untrust zone, and click Apply to return to the Zone page.

Configuring interface GigabitEthernet 0/2
Assign IP address /24 to interface GigabitEthernet 0/2, and add the interface to the Trust zone. Select Device Management > Interface to view the configuration result, as shown in the following figure.

Configuring the NAT server
In this example, a NAT server entry is required to map an external IP address to the internal Web server. Select Firewall > NAT Policy > Internal Server from the navigation tree, and click Add in the Internal Server area. On the Add Internal Server page, configure the interface as GigabitEthernet 0/1, the protocol type as TCP, the external IP address and the internal IP address as planned, and both the global port and the internal port as 80, as shown in the following figure.

Configuring interzone policy
Configure the policy to allow PCs in the Untrust zone to access the internal Web server in the Trust zone. Select Firewall > Security Policy > Interzone Policy from the navigation tree, and click Add to enter the page for adding an interzone policy. Configure the source zone as Untrust, the destination zone as Trust, the source IP address as any_address, the destination IP address as /24, and the filter action as Permit, as shown in the following figure.

Configuring flow redirect policy
This configuration redirects the flow matching ACL 3000 between Trust and Untrust to segment 0. Select Firewall > ACL from the navigation tree, and create ACL 3000. Configure rules for ACL 3000 that permit traffic sourced from the Untrust zone, as shown in the following figure.

Select IPS AV Application Control > Advanced Configuration from the navigation tree, and create a flow redirect policy to redirect the flow matching ACL 3000 to segment 0.

IPS Detection Configuration
Select IPS AV Application Control > Advanced Configuration from the navigation tree, and click the Application Security Policy link to enter the depth detection page.

Creating an IPS policy
Select IPS > IPS Policies to enter the IPS policy list page, as shown in the following figure. Click Add to enter the IPS policy configuration page. Configure the policy name as IPS enable and the description as IPS enable all, specify to copy rules from Attack Policy, and click Apply.

Configuring rules for the IPS policy
After the above configuration, the Rule Management page appears, with policy IPS enable selected by default. Select the Modify all matched rules option, and click Enable Rule.

Applying the IPS policy to a segment
Select IPS > Segment Policies from the navigation tree, and click Add to enter the page for applying an IPS policy to a segment. Specify the segment to be associated as 0, the policy as IPS enable, and the direction as Both, and then click Apply.

Activating the configuration
After the above configuration, the page turns to the segment policy list page. Click Activate. A confirmation dialog box appears. Click OK to activate the configuration.

Verification
A PC in the external network acts as the attacker. It has X-Scan V3.3 installed, which can scan the ports of the target host. X-Scan is a commonly used scanner that uses multiple threads to detect vulnerabilities of a specified IP address range or a single host, and it supports plug-ins. It can scan such items as remote service type, operating system type and version, weak passwords, backdoors, application service vulnerabilities, network device vulnerabilities, and DoS vulnerabilities. An external user enables X-Scan and scans the target host. Select Log Management > Attack Logs > Recent Logs from the navigation tree to view the generated block logs and alarm logs.

References
Related Documentation
- UTM Series Signature Update Configuration Example
- IPS Configuration in the Web configuration documentation set

Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

UTM Series Anti-Virus Configuration Example

Keywords: Anti-virus
Abstract: This document presents the typical methods for anti-virus configuration on the UTM devices.
Acronyms:
Acronym   Full spelling
UTM       Unified Threat Management
AV        Anti-virus

Table of Contents
Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
Configuration Example 3
  Network Requirements 3
  Configuration Considerations 3
  Software Version Used 4
  Configuration Procedures 4
    Basic Configurations 4
    Anti-Virus Configurations 7
  Verification 9
References 10
  Related Documentation 10

Feature Overview
The UTM anti-virus feature can be deployed on the network backbone in inline mode to analyze packets in real time and to automatically take countermeasures against packets carrying viruses and against abnormal traffic, so as to prevent viruses from spreading.

Application Scenarios
The UTM anti-virus feature can be applied to scenarios where network traffic must be analyzed and traffic abnormalities detected so as to prevent viruses from spreading.

Configuration Guidelines
When performing anti-virus configurations, note that:
1) You cannot delete an anti-virus policy that has been applied to a segment.
2) You cannot delete the system default anti-virus policy and rules.
3) On a segment, at most one anti-virus policy application is used for a packet. If a packet matches multiple anti-virus policy applications, the policy application with the smallest IP address scope is used. If two policy applications have the same IP address scope, the one configured earlier has the higher priority.
4) To perform anti-virus configurations, you need to enter the application security policy page first by selecting IPS AV Application Control > Advanced Configuration from the navigation tree and then clicking the Application Security Policy link.

Configuration Example
Network Requirements
The address of the internal network of a company is /24. Perform anti-virus policy configurations on the Device so that internal users cannot upload viruses through FTP or send viruses through mail to the Internet.
Figure 1 Network diagram for anti-virus configuration

Configuration Considerations
- Redirect the traffic for in-depth detection.
- Create an anti-virus policy.
- Configure an anti-virus rule.
- Apply the policy to a specific segment.

Software Version Used
F5118

Configuration Procedures
Basic Configurations
Configuring interface GE 0/2
Select Device Management > Interface from the navigation tree and then click the icon of interface GE 0/2, configure the interface as follows, and click Apply.
Select Device Management > Zone from the navigation tree and then click the icon of zone Trust. Then, add interface GE 0/2 to zone Trust and click Apply, as shown in the following figure.

Configuring interface GE 0/1
Similarly, assign IP address /24 to interface GE 0/1 and add the interface to zone Untrust. Then, select Device Management > Interface from the navigation tree to verify your configuration:

Configuring NAT
Because the internal network and the external network are two different network segments, to allow internal users to access the external network through the Device, you need to configure a NAT policy on interface GE 0/1. In this example, ACL 2000 is configured and the Easy IP mode is used. Select Firewall > ACL from the navigation tree. Create ACL 2000 and add a rule to permit the traffic to be processed by NAT. In this example, the rule permits packets from /24.

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Then, under Dynamic NAT, click Add and perform the following configurations:

Configuring flow redirect policies
This task configures flow redirect policies to redirect traffic between zones Trust and Untrust to segment 0. First, select Firewall > ACL from the navigation tree. Create ACL 3000 and add the rules shown in the following figure:
Then, select IPS AV Application Control > Advanced Configuration from the navigation tree, create flow redirect policies, and apply them to segment 0, as shown in the following figure:

Anti-Virus Configurations
Creating anti-virus policy RD
Enter the application security policy page by selecting IPS AV Application Control > Advanced Configuration from the navigation tree and then clicking the Application Security Policy link. Then, select Anti-Virus > Anti-Virus Policies from the navigation tree to enter the anti-virus policy management page. Click Add and configure the policy as follows:
- Type RD as the policy name.
- Type AV policy for RD as the description.
- Select Anti-Virus Policy from the Copy Rules from drop-down list.
- Click Apply.

Configuring anti-virus rule Virus
After the policy configuration is complete, the rule management page appears. Leave the default policy RD unchanged and perform the following configurations:

- Select RD as the policy name.
- Type virus in the Name field in the query area.
- Click Query to find the rule named Virus.
- Select the check box before rule Virus.
- Select Block+Notify as the action set and click Modify Action Set.
- Click Enable Rule.

Applying the anti-virus policy to segment 0
Select Anti-Virus > Segment Policies from the navigation tree, click Add, and perform the following configurations:
- Select segment 0.
- Select the policy RD.
- Select External zone to Internal zone.
- Click Apply.

Activating configurations
After the configuration is complete, the policy application management page appears. Click Activate and confirm your operation to activate the configurations.

Verification
To verify the configurations, first simulate an Eicar test virus. You may follow these steps:
- On a host in the internal network, launch Notepad and copy the following text into it:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Save the file, selecting All Files for the Save as type field and naming the file EICAR.COM.
- Compress the file into a WinRAR file named eicar.rar.
Eicar is a harmless test virus developed by the European Institute for Computer Antivirus Research (EICAR) and global antivirus companies for testing the anti-virus function of anti-virus products.
- Using the host, upload file eicar.rar to the FTP server that resides on the Internet. The upload operation will fail. Selecting Log Management > Virus Log > Recent Logs from the navigation tree, you can see a block log.
- Using the host, access the mail server that resides on the Internet. Then, try to send a mail with file eicar.rar attached. The sending operation will fail. Selecting Log Management > Virus Log > Recent Logs from the navigation tree, you can see the block logs.

References
Related Documentation
- Anti-Virus Configuration in the Web configuration manual.

UTM Series Flow Logging Configuration Example

Keywords: Flow logging
Abstract: This document describes the flow logging configuration method of the H3C UTM devices.
Acronyms:
Acronym   Full spelling
UTM       Unified Threat Management

Table of Contents
Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
Configuration Example 3
  Network Requirements 3
  Configuration Considerations 3
  Software Version Used 4
  Configuration Procedures 4
    Basic Configurations 4
    Configuring Flow Logging 7
  Verification 9
  Troubleshooting 10
References 11
  Related Documentation 11

Feature Overview
UTM devices can provide in-depth inspection and recognition of Layer 4 to Layer 7 applications. Based on the system configuration, a UTM device generates various kinds of flow logs and sends them to the management host on which the UTM Manager is installed; the UTM Manager then collects and analyzes the current traffic.

Application Scenarios
Flow logging collects real-time traffic on the network, analyzes various applications, and records users' access to the network.

Configuration Guidelines
At present, only the U200-A, U200-M, and U200-CA devices support flow logging.

Configuration Example
Network Requirements
The internal user Client connects to interface GigabitEthernet 0/4 on the Device and accesses the external network through the Device. Flow logging is configured on the Device, which sends logs to the remote UTM Manager for data collection and analysis.
Figure 1 Network diagram for flow logging

Configuration Considerations
- Configure flow logging on the Device.
- Add the Device on the SecCenter (UTM Manager), which receives the flow logs reported by the Device.

Software Version Used
F5118

Configuration Procedures
Basic Configurations
Configuring interface GigabitEthernet 0/1
Select Device Management > Interface from the navigation tree to enter the interface management page. Click the icon of GigabitEthernet 0/1 to enter the interface configuration page. Configure the interface as shown in the following figure, and click Apply to return to the interface management page.
Select Device Management > Zone from the navigation tree to enter the Zone page. Click the icon of zone Untrust to enter the zone modification page, add interface GigabitEthernet 0/1 to the zone as shown in the following figure, and then click Apply to return to the Zone page.

Configuring interface GigabitEthernet 0/4
Configure the IP address of GigabitEthernet 0/4 as /24 and add it to zone Trust in the same way. To view the interface after the configuration, select Device Management > Interface from the navigation tree.

Configuring NAT
To enable the internal host to connect to the external network through the Device, configure NAT policies on interface GigabitEthernet 0/1. In this example, the ACL number is 3004, and the address translation method is Easy IP. Select Firewall > ACL from the navigation tree to enter the ACL management page, and then click Add to create ACL 3004. On the ACL management page, click the icon of ACL 3004 and then click Add to create a rule that defines the traffic to be translated. In this example, the rule permits packets with the source IP address /24, as shown in the following figure:
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Then click Add and perform the configuration shown in the following figure.

Routing information
Select Network > Routing Management > Static Routing from the navigation tree. Add a static route whose next hop is the IP address of the external router's interface on the same network segment as GigabitEthernet 0/1.

Configuring a flow redirect policy
Redirect the traffic to be managed to the i-ware platform for in-depth inspection. In this example, redirect the traffic between zone Trust and zone Untrust that matches ACL 3000 to segment 0. Select Firewall > ACL from the navigation tree. Create ACL 3000 and add rules for the ACL to define the traffic to be redirected, as shown in the following figure:
Select IPS AV Application Control > Advanced Configuration from the navigation tree to add a flow redirect policy, redirecting the traffic that matches ACL 3000 to segment 0.

Enabling the SNMP agent
# Enable all SNMP versions and set the read and write community strings that the SecCenter (UTM Manager) uses to communicate with the Device.
[U200S] snmp-agent sys-info version all
[U200S] snmp-agent community read public
[U200S] snmp-agent community write private

Configuring Flow Logging
Configuring flow logging on the Device
Configure flow log communication parameters
Select Log Management > Flow Log > Configure Communication Parameters from the navigation tree to enter the page shown in the following figure. You can set the IP address of the remote log server, the port number, and the log sending rate.
Configure flow logging
Select Log Management > Flow Log > Configure Flow Logging from the navigation tree to enter the page shown in the following figure. Select the check boxes, click Apply, and then click Activate to activate the configuration.
In the above figure, to record the traffic of various services on the entire link, select Link Logs; to record user-specific traffic of various services, select User Logs; to record session-specific traffic of various services, select Session Logs. Generally, Link Logs is selected.

Before selecting Session Logs, select Bandwidth Management > Service Management from the navigation tree and then select the Record Logs check box to enable the recording of logs.

Adding the Device to the SecCenter
On the SecCenter interface, select the System Management tab to enter the system management configuration page. Then, from the navigation tree, select Device List under Device Management to enter the device management page. Click Add to enter the page for adding a device. Type the IP address of the external interface of the Device as the host IP address. Specify the device label. If the Device system time zone is UTC, select Greenwich Mean Time for the time calibration. Leave the default settings for the other parameters.

Verification
The host can browse web pages through HTTP and download files through FTP. By selecting Bandwidth Management > Traffic Snapshot, you can display the statistics of the traffic passing through the device.
Network traffic snapshot:
Service traffic distribution graph:

Top users statistics graph:

Troubleshooting
If you have configured flow logging but the SecCenter does not output statistics, check the following:
- The traffic is redirected to the i-ware platform.
- The configuration was activated after flow logging was configured.
- The remote network management host and the device can reach each other, and the port number is correctly configured.
- The device has been added to the SecCenter.
- Capture packets on the host and check whether there is traffic to the configured destination port.

References
Related Documentation
- UTM Series Signature Upgrade Configuration Example
- UTM Series Protocol Auditing and SecCenter Configuration Example

UTM Series Protocol Auditing Configuration Example

Keywords: protocol auditing, syslog
Abstract: This document describes configuration examples of protocol auditing for UTM series devices.
Acronyms:
Acronym   Full spelling
UTM       Unified Threat Management

Table of Contents
Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
Protocol Auditing Configuration Example 3
  Network Requirements 3
  Configuration Consideration 4
  Software Version Used 4
  Configuration Procedures 4
    Basic Configuration 4
    Configuring Protocol Auditing 8
  Verification 11
References 11
  Related Documentation 11

Feature Overview
You can configure protocol auditing to audit the following protocols:
- HTTP: Audits the URLs that users have accessed and the Host field.
- SMTP/POP3: Audits receivers, senders, carbon-copied and blind-carbon-copied recipients, and mail subjects.
- FTP: Audits information about the files that users upload or download, such as the file name.
The logs of protocol auditing are output to a syslog host.

Application Scenarios
Protocol auditing can be used to audit and analyze user behavior, helping you find out which websites are popular, who the most active users in the network are, and what the network trends are.

Configuration Guidelines
When configuring protocol auditing, note that:
- You cannot delete a protocol auditing policy that has been applied to a segment.
- The logs generated during protocol auditing can be output only to syslog hosts. To output protocol auditing logs to a syslog host, be sure to specify the syslog host.
- A packet of a segment uses at most one protocol auditing application scheme. If you configure multiple application schemes for a segment, the system sorts, for each packet to be processed, the application schemes matching the packet by IP address scope and uses the scheme with the smallest IP address scope. If two schemes have the same IP address scope, the one configured earlier has the higher priority.

Protocol Auditing Configuration Example
Network Requirements
The Device connects to the internal network /24 through GigabitEthernet 0/2 and to the external network through GigabitEthernet 0/1. Configure a protocol auditing policy on the Device to audit the SMTP and POP3 traffic of all internal users except for one specified host. Configure the Device to send logs to the syslog server, which is in the external network.
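The IPS, anti-virus and protocol auditing Configuration Guidelines all state the same selection rule for a packet that matches several policy application schemes on one segment: the smallest IP address scope wins, and between equal scopes the scheme configured earlier wins. The following Python models that rule, including the excluded IP address list that the protocol auditing segment policy carries; it is an added example, not H3C code, and the scheme names, the documentation-prefix addresses and the choice of prefix size as the measure of scope are assumptions.

```python
"""Policy application scheme selection on a segment (added example, not H3C code).
Smallest IP address scope wins; the earlier-configured scheme breaks ties."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scheme:
    """One policy application scheme (a segment policy) configured on the device."""
    order: int                              # configuration order: lower = configured earlier
    segment: int                            # segment the policy is applied to
    policy: str                             # policy name (placeholder names below)
    scope: IPv4Network                      # IP address scope the scheme applies to
    excluded: Tuple[IPv4Network, ...] = ()  # excluded IP address list (protocol auditing)

    def matches(self, addr: IPv4Address) -> bool:
        """A packet matches when its address is in scope and in no excluded prefix."""
        return addr in self.scope and not any(addr in ex for ex in self.excluded)

    def scope_size(self) -> int:
        # Assumption for this example: "IP address scope" is compared by the
        # number of addresses the prefix covers, so a /25 is smaller than a /24.
        return self.scope.num_addresses


def select_scheme(schemes: List[Scheme], segment: int, addr: str) -> Optional[Scheme]:
    """Return the scheme the device uses for a packet from addr on the given segment."""
    ip = ip_address(addr)
    candidates = [s for s in schemes if s.segment == segment and s.matches(ip)]
    if not candidates:
        return None  # no scheme applies: this feature does not inspect the packet
    # Sort by (scope size, configuration order): the smallest scope wins, and
    # between equal scopes the one configured earlier has the higher priority.
    candidates.sort(key=lambda s: (s.scope_size(), s.order))
    return candidates[0]


def explain(schemes: List[Scheme], segment: int, addr: str) -> str:
    """Human-readable trace of the decision for one packet."""
    chosen = select_scheme(schemes, segment, addr)
    if chosen is None:
        return f"{addr} on segment {segment}: no matching scheme"
    return (f"{addr} on segment {segment}: {chosen.policy} "
            f"(scope {chosen.scope}, configured #{chosen.order})")


# Constructed sample configuration for segment 0 (documentation prefixes and
# placeholder policy names, not the manual's addresses).
SAMPLE_SCHEMES = [
    Scheme(order=1, segment=0, policy="P_all", scope=ip_network("0.0.0.0/0")),
    Scheme(order=2, segment=0, policy="P_lan_a", scope=ip_network("192.0.2.0/24")),
    Scheme(order=3, segment=0, policy="P_lan_b", scope=ip_network("192.0.2.0/24")),
    Scheme(order=4, segment=0, policy="P_lan_lower", scope=ip_network("192.0.2.0/25"),
           excluded=(ip_network("192.0.2.10/32"),)),
]


if __name__ == "__main__":
    # .20 -> P_lan_lower (smallest scope); .10 -> P_lan_a (excluded from the /25,
    # then the tie between the two /24 schemes goes to the earlier one);
    # .200 -> P_lan_a; 198.51.100.5 -> P_all; segment 1 -> no scheme.
    for packet in ("192.0.2.20", "192.0.2.10", "192.0.2.200", "198.51.100.5"):
        print(explain(SAMPLE_SCHEMES, 0, packet))
    print(explain(SAMPLE_SCHEMES, 1, "192.0.2.20"))
```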

Figure 1 Network diagram for configuring protocol auditing

Configuration Consideration
- Configure a redirect policy for in-depth inspection.
- Create a protocol auditing policy.
- Configure rules in the protocol auditing policy.
- Configure the notify action so that the auditing logs are sent to the destination syslog host.
- Apply the policy to a segment.

Software Version Used
F5118

Configuration Procedures
Basic Configuration
Configuring GigabitEthernet 0/2
Select Device Management > Interface from the navigation tree. Click the icon of interface GigabitEthernet 0/2 to enter the page for configuring the interface. Perform the configurations shown in Figure 2, and click Apply.

Figure 2 Configure GigabitEthernet 0/2
Select Device Management > Zone from the navigation tree to enter the zone list page. Click the icon of zone Trust to enter the page for editing the zone. Add GigabitEthernet 0/2 to zone Trust as shown in Figure 3. Click Apply. The zone list page appears again.
Figure 3 Add GigabitEthernet 0/2 to zone Trust

Configuring GigabitEthernet 0/1
Follow the same procedure to assign IP address /24 to GigabitEthernet 0/1 and add the interface to zone Untrust. Then, select Device Management > Interface from the navigation tree to view the configuration result, as shown in Figure 4.
Figure 4 Interface list

Configuring NAT
As the internal network and the external network are on different network segments, you need to configure a NAT policy to allow internal users to access the external network. In this example, configure dynamic NAT on GigabitEthernet 0/1, referencing ACL 2000 and using Easy IP as the address translation mode. To do so, follow these steps:
1) Select Firewall > ACL from the navigation tree. Add ACL 2000 and configure a rule for the ACL to permit packets sourced from /24, as shown in Figure 5.
Figure 5 Configure ACL 2000
2) Select Firewall > NAT Policy > Dynamic NAT, and click Add in the Dynamic NAT area. Perform the configurations shown in Figure 6.

Figure 6 Configure dynamic NAT

Configuring a redirect policy
For in-depth inspection, you need to configure a redirect policy to redirect all traffic flows between zones Trust and Untrust that match ACL 3000 to segment 0. Follow these steps:
1) Select Firewall > ACL from the navigation tree. Create ACL 3000 and configure rules for the ACL as shown in Figure 7.
Figure 7 Configure ACL 3000
2) Select IPS AV Application Control > Advanced Configuration to enter the advanced configuration page. Create a redirect policy to redirect all traffic flows that match ACL 3000 to segment 0.
Figure 8 Configure a redirect policy

Configuring Protocol Auditing
Entering the application security policy configuration page
Select IPS AV Application Control > Advanced Configuration to enter the advanced configuration page. Click the Application Security Policy link to enter the application security policy configuration page.
Figure 9 Application security policy link

Creating a protocol auditing policy
Select Protocol Audit > Policy Management from the navigation tree to enter the policy configuration page. Click Add to enter the page for creating a protocol auditing policy. Perform the configurations shown in Figure 10.
Figure 10 Create a protocol auditing policy
- Type SMTP+POP3 as the policy name.
- Type Audit policy for SMTP+POP3 as the policy description.
- Specify to copy rules from Audit Policy.
- Click Apply.

Configuring rules for the protocol auditing policy
After the policy is created, the page for configuring rules appears. The policy you have just created is selected by default. Perform the configurations shown in Figure 11.

Figure 11 Configure rules
- Select the HTTP and FTP check boxes.
- Click Disable Rule.

Configuring the notify action
Select System Management > Action Management > Notify Actions to enter the page that displays the notify actions. Click the icon of the Notify action to enter the page for configuring the action. Perform the configurations shown in Figure 12.
Figure 12 Configure the notify action
- Select the Output to syslog host check box.
- Type host1 as the name.
- Type the IP address of the syslog server as the IP address.
- Type 514 as the port number.
- Click Add to add the host to the syslog host list.

- Select host1 in the list box.
- Click Apply.

Applying the protocol auditing policy to segment 0
Select Protocol Audit > Segment Policy Management from the navigation tree and then click Add to enter the page for applying a policy to a segment. Perform the configurations shown in Figure 13.
Figure 13 Apply the protocol auditing policy
- Select segment 0.
- Select SMTP+POP3 as the policy.
- Select Both for Direction.
- Add /24 to the IP address list of the internal zone.
- Add /32 to the excluded IP address list for the internal zone.
- Click Apply.

Activating the configuration
After the configuration above, the policy application list page appears, as shown in Figure 14. Click Activate and confirm your operation to activate the configuration.

Figure 14 Activate the configuration

Verification
The mail server is in the external network. When internal users receive and send mails, the syslog host receives SMTP and POP3 protocol auditing logs like the following:
Jan 31 10:55: H3C %%11DATALOG/ 3/AUDIT(l):-DEV_TYPE=UTM-PN=210235A312A08B data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=( )smtp;src_ip(22)= ;src_port(23)=1645;dst_ip(
Jan 31 10:55: H3C %%11DATALOG/ 3/AUDIT(l):-DEV_TYPE=UTM-PN=210235A312A08B data_type(1)=audit;log_type(2)=pop3 audit;app_protocol_name(6)=( )pop3(tcp);src_ip(22)= ;src_port(23)=1647;dst_ip(24)= ;dst_port(25)=110;ifname_in(16)=eth0/1;ifname_out(17)=eth0/1;from(94)=a

References
Related Documentation
- Protocol Auditing Configuration in the web configuration manual
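The SMTP and POP3 records shown in the Verification section are what the syslog host receives: a syslog header, the DATALOG/AUDIT module tag, and then name(id)=value fields separated by semicolons. As an added example that is not H3C code, the following Python parses that layout (tolerating a record cut off mid-field, as the manual's first sample line is) and summarises mail activity per internal host so that an auditor can spot senders outside the audited prefix; the sample records, addresses, serial number and the handling of a syslog priority prefix are constructed assumptions.

```python
"""Parser and summariser for UTM protocol auditing syslog records (added example,
not H3C code). Field names and ids follow the manual's sample output."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Each audit field has the form name(id)=value; fields are separated by
# semicolons, and a value may contain parentheses ("pop3(tcp)") but no ';'.
FIELD_RE = re.compile(r"(\w+)\((\d+)\)=([^;]*)")


@dataclass
class AuditRecord:
    header: str             # timestamp and host name before the %% module tag
    module: str             # e.g. %%11DATALOG/3/AUDIT(l):-DEV_TYPE=UTM-PN=...
    fields: Dict[str, str]  # field name -> value
    ids: Dict[str, int]     # field name -> numeric id carried in the record
    truncated: bool         # True when the record ends in an incomplete field


def parse_audit_record(line: str) -> Optional[AuditRecord]:
    """Parse one syslog line; return None if it is not a protocol auditing record."""
    line = line.strip()
    # Assumption: a syslog priority such as "<134>" may precede the header when
    # the record arrives over UDP; drop it if present.
    line = re.sub(r"^<\d{1,3}>", "", line)
    pos = line.find(" %%")
    if pos < 0:
        return None
    header = line[:pos]
    module, _, payload = line[pos + 1:].partition(" ")
    if "AUDIT" not in module:
        return None
    fields: Dict[str, str] = {}
    ids: Dict[str, int] = {}
    last_end = 0
    for m in FIELD_RE.finditer(payload):
        fields[m.group(1)] = m.group(3).strip()
        ids[m.group(1)] = int(m.group(2))
        last_end = m.end()
    # Anything left after the last complete field (such as "dst_ip(" in a
    # record cut off in transit) marks the record as truncated.
    tail = payload[last_end:].strip().strip(";")
    return AuditRecord(header, module, fields, ids, bool(tail))


def summarize(lines: List[str], internal_prefix: str) -> Dict[str, Counter]:
    """Count SMTP and POP3 audit records per source host, and flag records whose
    source address lies outside the audited internal prefix."""
    internal = ip_network(internal_prefix)
    result = {"smtp": Counter(), "pop3": Counter(), "outside": Counter()}
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None or "src_ip" not in rec.fields:
            continue
        src = rec.fields["src_ip"]
        kind = rec.fields.get("log_type", "").split(" ", 1)[0]  # "smtp audit" -> "smtp"
        if kind in ("smtp", "pop3"):
            result[kind][src] += 1
        try:
            if ip_address(src) not in internal:
                result["outside"][src] += 1
        except ValueError:
            pass  # malformed or cut-off address: leave it uncounted
    return result


# Constructed sample records (documentation addresses, placeholder serial
# number) laid out like the manual's sample output; the fifth is cut off
# mid-field, as the manual's first sample line is, and the sixth is no audit record.
_PREFIX = "Jan 31 10:55:31 2010 H3C %%11DATALOG/3/AUDIT(l):-DEV_TYPE=UTM-PN=PLACEHOLDER-PN "
SAMPLE_LOGS = [
    _PREFIX + "data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=smtp;"
    "src_ip(22)=192.0.2.20;src_port(23)=1645;dst_ip(24)=198.51.100.25;dst_port(25)=25;"
    "ifname_in(16)=eth0/2;ifname_out(17)=eth0/1;from(94)=alice@example.com",
    _PREFIX + "data_type(1)=audit;log_type(2)=pop3 audit;app_protocol_name(6)=pop3(tcp);"
    "src_ip(22)=192.0.2.20;src_port(23)=1647;dst_ip(24)=198.51.100.25;dst_port(25)=110;"
    "ifname_in(16)=eth0/2;ifname_out(17)=eth0/1;from(94)=bob@example.com",
    _PREFIX + "data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=smtp;"
    "src_ip(22)=192.0.2.20;src_port(23)=1650;dst_ip(24)=198.51.100.25;dst_port(25)=25;"
    "ifname_in(16)=eth0/2;ifname_out(17)=eth0/1;from(94)=alice@example.com",
    _PREFIX + "data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=smtp;"
    "src_ip(22)=203.0.113.7;src_port(23)=4021;dst_ip(24)=198.51.100.25;dst_port(25)=25;"
    "ifname_in(16)=eth0/1;ifname_out(17)=eth0/1;from(94)=sender@example.net",
    _PREFIX + "data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=smtp;"
    "src_ip(22)=192.0.2.21;src_port(23)=1645;dst_ip(",
    "Jan 31 10:56:02 2010 H3C plain text line without an audit record",
]


if __name__ == "__main__":
    for kind, counts in summarize(SAMPLE_LOGS, "192.0.2.0/24").items():
        print(kind, dict(counts))
```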

UTM Series Protocol Auditing and SecCenter Configuration Example

Keywords: protocol auditing, syslog, SecCenter
Abstract: This document describes an example of configuring UTM device protocol auditing and the SecCenter.
Acronyms:
Acronym   Full spelling
UTM       Unified Threat Management
SNMP      Simple Network Management Protocol

Table of Contents
Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
Configuration Example 3
  Network Requirements 3
  Configuration Consideration 4
  Software Version Used 4
  Configuration Procedures 4
    Basic Configuration on the Device 4
    Configuring Protocol Auditing on the Device 8
    Configuring the SecCenter 10
  Verification 11
References 12
  Related Documentation 12

Feature Overview

You can configure protocol auditing to audit the following protocols:

- HTTP: Audits the URLs that users have accessed and the Host field.
- SMTP/POP3: Audits senders, receivers, carbon-copy (CC) and blind-carbon-copy (BCC) recipients, and mail subjects.
- FTP: Audits information about the files that users upload or download, such as the file name.

When the protocol auditing logs are sent to a SecCenter acting as the syslog host, the SecCenter analyzes and audits the log data:

- Analyzes the popular websites, active users, website visit trends, and possible spam senders.
- Audits details about user website visits, FTP downloads, and other operations.

Application Scenarios

The protocol auditing function and the SecCenter cooperate to audit and analyze user behavior, helping you find out which websites are popular, who the most active users in the network are, and what the network usage trends are.

Configuration Guidelines

When configuring the UTM device and the SecCenter, note that:

- SNMP must be enabled for communication between the UTM device and the SecCenter.
- A reachable route must exist from the UTM device to the SecCenter.
- The audit records carry URLs, file names, mail addresses and subjects in plain syslog messages, so the path to the syslog host should be a trusted management path and access to the SecCenter should be restricted.

Configuration Example

Network Requirements

The Device connects to the internal network /24 through GigabitEthernet 0/2 and to the external network through GigabitEthernet 0/1. Configure a protocol auditing policy on the Device to audit HTTP, FTP, SMTP, and POP3 traffic when internal users (excluding user ) access the external network through the Device. Configure the Device to send logs to the syslog server with IP address in the external network.

Figure 1 Network diagram for configuring protocol auditing on the Device and the SecCenter

Configuration Consideration

- Create a protocol auditing policy on the Device.
- Add the Device to the SecCenter system so that the SecCenter can receive the syslog messages from the Device.

Software Version Used

The Device: F5118
The SecCenter: see Figure 2.

Figure 2 SecCenter version information

Configuration Procedures

Basic Configuration on the Device

Configuring GigabitEthernet 0/2

Select Device Management > Interface from the navigation tree. Click the icon of interface GigabitEthernet 0/2 to enter the page for editing the interface. Perform the configurations shown in Figure 3, and click Apply.

Figure 3 Configure GigabitEthernet 0/2

Select Device Management > Zone from the navigation tree. Click the icon of zone Trust to enter the page for editing the zone. Add GigabitEthernet 0/2 to zone Trust as shown in Figure 4, and click Apply. The zone list page appears.

Figure 4 Add GigabitEthernet 0/2 to zone Trust

Configuring GigabitEthernet 0/1

Follow the same procedure to assign IP address /24 to GigabitEthernet 0/1 and add the interface to zone Untrust. Then select Device Management > Interface from the navigation tree to view the configuration result, as shown in Figure 5.

Figure 5 Interface list

Configuring NAT

Because the internal and external networks are on different network segments, you need to configure a NAT policy to allow internal users to access the external network. In this example, configure dynamic NAT on GigabitEthernet 0/1, referencing ACL 2000 and using Easy IP as the address translation mode.

Select Firewall > ACL to enter the ACL configuration page. Create ACL 2000 and configure a rule that permits packets sourced from /24.

Figure 6 Configure ACL 2000

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Dynamic NAT area, click Add and perform the configurations shown in Figure 7.

Figure 7 Configure dynamic NAT

Configuring a redirect policy

For in-depth inspection, configure a redirect policy that redirects all traffic between zones Trust and Untrust matching ACL 3000 to segment 0.

Create ACL 3000 first. Select Firewall > ACL from the navigation tree. Create ACL 3000 and configure rules for the ACL as shown in Figure 8.

Figure 8 Configure a redirect policy

Select IPS AV Application Control > Advanced Configuration to enter the advanced configuration page. Create a redirect policy that redirects all traffic matching ACL 3000 to segment 0.

Figure 9 Configure a redirect policy

Configuring SNMP on the Device

Enable SNMP of all versions. Create a community named public with read-only access, and a community named private with write access.

[U200S] snmp-agent sys-info version all
[U200S] snmp-agent community read public
[U200S] snmp-agent community write private

Note that public and private are the well-known default community strings, and SNMPv1 and SNMPv2c carry the community string in cleartext; anyone who learns the write community can reconfigure the device. In a production deployment, use unique community strings (or SNMPv3 with authentication and privacy) and restrict SNMP access to the address of the SecCenter.

Configuring Protocol Auditing on the Device

Entering the protocol auditing policy configuration page

Select IPS AV Application Control > Advanced Configuration to enter the advanced configuration page. Click the Application Security Policy link to enter the application security policy configuration page.

Figure 10 Application security policy link

Configuring the notify action

Select System Management > Action Management > Notify Actions to enter the page displaying the notify actions. Click the icon of the Notify action to enter the page for configuring the action. Perform the configurations shown in Figure 11.

Figure 11 Configure the notify action

- Select the Output to syslog host check box.
- Type host1 as the name.
- Type as the IP address.
- Type 30514 as the port number.
- Click Add to add the host to the syslog host list.
- Select host1 in the list box.
- Click Apply.

Applying the protocol auditing policy to segment 0

Select Protocol Audit > Segment Policy Management from the navigation tree and click Add to enter the page for applying a policy to a segment. Perform the configurations shown in Figure 12.

Figure 12 Apply the protocol auditing policy

- Select segment 0.
- Select Audit Policy as the policy.
- Select Both as the direction.
- Add /24 to the IP address list of the internal zone.
- Add /32 to the excluded IP address list for the internal zone.
- Click Apply.

Activating the configuration

After the configuration above, the policy application list page appears, as shown in Figure 13. Click Activate and confirm your operation to activate the configuration.

Figure 13 Activate the configuration

Configuring the SecCenter

Adding the Device to the SecCenter

Select the System Management tab to enter the system management page. From the navigation tree, select Device List under Device Management to enter the device management page, and click Add to enter the page for adding a device. Type the IP address of GigabitEthernet 0/1 of the Device as the host IP address and specify the device label. If the system time zone of the Device is UTC, select Greenwich Mean Time for the time calibration. Leave the default settings for the other parameters.

Figure 14 Add the Device to the SecCenter

Specifying the syslog port for receiving syslogs

The default syslog port is 30514, which is consistent with the port configured on the Device, so no modification is needed. The syslog port on the SecCenter must be identical to the one on the Device; otherwise the SecCenter cannot receive syslogs from the Device.

Figure 15 Specify the syslog port

Verification

After finishing the configuration, follow these steps to check whether the SecCenter receives the protocol auditing logs sent from the Device and analyzes and audits them. This example uses a web application for illustration.

From host , access web server , which is in the external network. In the SecCenter system, select the Behavior Auditing tab to enter the behavior auditing page. From the navigation tree, select Web Applications under User Behavior Auditing to view the web access details.

Figure 16 View web access details

From host , access the FTP server , which is in the external network. In the SecCenter system, select the Behavior Auditing tab, and from the navigation tree select FTP Applications under User Behavior Auditing to view the FTP access details.

Figure 17 View FTP access details

From host , send and receive e-mails to and from the mail server , which is in the external network. In the SecCenter system, select the Behavior Auditing tab, and from the navigation tree select Email Applications under User Behavior Auditing to view the e-mail application details.

Figure 18 View e-mail application details

References

Related Documentation

Protocol Auditing Configuration in the web configuration manual

UTM Series Anti-Spam Configuration Example

Keywords: anti-spam, SMTP, POP3

Abstract: This document presents an anti-spam configuration example for UTM devices.

Acronyms:

Acronym   Full spelling
UTM       Unified Threat Management
SMTP      Simple Mail Transfer Protocol
POP3      Post Office Protocol, Version 3

Table of Contents

Feature Overview
Application Scenarios
Configuration Guidelines
Anti-Spam Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Basic Configuration
    Anti-Spam Configuration
  Verification
Related Documentation

Feature Overview

By cooperating with a Commtouch mail server (a third-party server), the anti-spam feature of an H3C UTM device can inspect all e-mails sent from external networks to the internal network and process them as configured, preventing spam from wasting the resources of the internal network.

With the anti-spam feature configured, the device submits all e-mails received from external networks to the Commtouch mail server for inspection and, after receiving the inspection results, processes the e-mails according to the actions specified in the anti-spam policy. Because mail data leaves the network for classification by a third-party service, confirm that this is acceptable under your data-handling requirements before enabling the feature.

The anti-spam feature supports inspecting Simple Mail Transfer Protocol (SMTP) e-mails and Post Office Protocol, Version 3 (POP3) e-mails:

- SMTP: The SMTP clients are on the external network and the SMTP server is on the internal network.
- POP3: The POP3 clients are on the internal network and the POP3 server is on the external network.

Application Scenarios

The anti-spam feature can be deployed to check e-mails entering an internal network, preventing spam from occupying resources of the internal network.

Configuration Guidelines

Before configuring the anti-spam feature, ensure that:

- The device can communicate with the Commtouch mail server normally. The address of the Commtouch mail server is , where %d indicates a number in the range from 1 to 10.
- The device has a legal, valid license for the anti-spam feature, and can connect to to verify the validity of the license. When the license for the anti-spam feature expires, all anti-spam configurations stop taking effect.

Anti-Spam Configuration Example

Network Requirements

As shown in Figure 1, the internal network of a company is /24, and the external network is /22. Configure the UTM device to inspect e-mails received from the POP3 server and process them as follows:

- Modify the subjects of e-mails from known spam sources and log them.
- Modify the subjects of e-mails from unknown spam sources and log them.
- Log suspicious e-mails.
- Forward normal e-mails normally.

Figure 1 Network diagram for anti-spam configuration

Configuration Considerations

- Redirect the traffic of interest for in-depth inspection.
- Configure the anti-spam policy and rules.
- Apply the policy to the segment.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring interface GE 0/1

Select Device Management > Interface from the navigation tree and click the icon of GE 0/1 to enter the interface configuration page. Perform the following configurations and click Apply.

Select Device Management > Zone from the navigation tree and click the icon of the Untrust zone to enter the page for modifying the security zone configuration. Add interface GE 0/1 to the Untrust zone as shown in the following figure, and click Apply to complete the operation and return to the security zone page.

Configuring interface GE 0/4

Similarly, assign IP address /24 to interface GE 0/4 and add the interface to security zone Trust. Select Device Management > Interface from the navigation tree, and you should see the following list:

Configuring NAT

To enable internal hosts to connect to the external network through the UTM device, configure a NAT policy on interface GE 0/1. In this example, the policy references ACL 3004 and uses the Easy IP NAT mode.

Select Firewall > ACL from the navigation tree, create ACL 3004, and add a rule to the ACL to identify the flow of interest. In this example, the ACL permits packets sourced from /24. The configuration is shown in the following figure:

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Under Dynamic NAT, click Add and specify ACL 3004 and Easy IP for interface GigabitEthernet 0/1. The following figure shows the configuration result:

Configuring DNS

Configure the DNS server so that the names of the Commtouch mail server and the license verification server can be resolved. Select Network > DNS > Dynamic from the navigation tree, click Add IP, and configure the IP address of the DNS server.

Configuring a route

Select Network > Routing Management > Static Routing from the navigation tree and configure a default route whose next hop is the IP address of the intranet-side interface of the router that connects GE 0/1 of the UTM device to the external network ( in this example).

Configuring a redirect policy

Configure a redirect policy to redirect the flow of interest to the i-ware platform for in-depth analysis. In this example, traffic between zone Trust and zone Untrust that matches ACL 3000 is redirected to segment 0.

First, select Firewall > ACL from the navigation tree, create ACL 3000, and add rules to the ACL to identify the traffic of interest. The configuration is shown in the following figure:

Then select IPS AV Application Control > Advanced Configuration from the navigation tree and create a redirect policy that redirects traffic matching ACL 3000 to segment 0.

Anti-Spam Configuration

Select IPS AV Application Control > Advanced Configuration from the navigation tree and click the Application Security Policy link to enter the in-depth inspection configuration page.

Enabling anti-spam inspection

Select Anti-Spam > Anti-Spam from the navigation tree and perform the following configurations in the Server Configuration area:

- Select the Antispam inspection check box.
- Click Apply.

After a while, the operation status becomes normal.

If the UTM device connects to the Commtouch mail server through a proxy server, configure the proxy server according to your network scheme.

The anti-spam signature database stores all spam signatures that the device can identify. The license for the anti-spam feature has a validity period. After the license expires, you need to renew it (obtain a new license) before you can upgrade the anti-spam signature database.

Creating and applying the anti-spam policy

Under Policy Application List, click Add and perform the following configurations:

- Type test as the name.
- Select Modify subject and log as the action for POP3 e-mails from known spam sources.
- Select Modify subject and log as the action for POP3 e-mails from unknown spam sources.
- Select Log as the action for suspicious POP3 e-mails.
- Select Log as the action for normal POP3 e-mails.

Under Apply Policy, click Add and perform the following configurations on the page that appears:

- Select segment 0.
- Click Apply.

Segment 0 now appears in the list under Apply Policy. Click Apply to complete the operation.

Activating configurations

After the application operation is complete, the anti-spam configuration page appears again, as shown in the following figure. Click Activate and confirm your operation.

Verification

On internal host , configure Outlook Express to receive e-mails. Then, in the web interface of the device, select Log Management > Anti-Spam Logs from the navigation tree. Logs about the inspection and processing of e-mails destined for the user should appear in the list.

Related Documentation

Anti-Spam Configuration in the web configuration manual.

UTM Series URL Filtering Configuration Example

Keywords: URL, category

Abstract: This document presents a URL filtering configuration example for UTM devices.

Acronyms:

Acronym   Full spelling
UTM       Unified Threat Management
URL       Uniform Resource Locator

Table of Contents

Feature Overview
Application Scenarios
Configuration Guidelines
URL Filtering Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Basic Configuration
    URL Filtering Configuration
  Verification
URL Filtering Rule Configuration Guidelines
Usage Guide for URL Category Query Server
References
  Related Documentation

Feature Overview

The URL filtering function filters HTTP requests. URL filtering includes user-defined URL filtering and category-based URL filtering.

- User-defined URL filtering: Allows you to specify the matching criteria for a domain name and a Uniform Resource Identifier (URI) path, and the actions to be performed on matching HTTP requests.
- Category-based URL filtering: Upon receiving an HTTP request, the device sends a URL category request to the specified URL category server, obtains the category result, and processes the HTTP request according to the predefined category-based URL filtering rules.

Matching is performed on the Host field and request line of plaintext HTTP requests, so URL filtering does not apply to traffic the device cannot inspect, such as HTTPS.

Application Scenarios

URL filtering can control access to the Internet. You can use URL filtering rules to define when employees may use the Internet for personal purposes. For example, you can configure different filtering rules for different time ranges so that employees can access sports websites after work or at lunch time but not during work time.

Configuration Guidelines

When performing URL filtering configurations, note that:

- You cannot delete a URL filtering policy that has been applied to a segment.
- You cannot delete the system default URL filtering policy and rule.
- On a segment, at most one URL filtering policy application is used for a packet. If a packet matches multiple URL filtering policy applications, the policy application with the smallest IP address scope is used; if two policy applications have the same IP address scope, the one configured earlier has higher priority.
- If a step fails during the creation of a URL filtering policy, all executed steps are rolled back. The failure of a step during the modification of a URL filtering policy, however, does not roll back the steps already executed.
- To implement category-based URL filtering, make sure the device and the specified URL category server can communicate normally. After specifying a URL category server and activating the configuration, you can view the connection status between the device and the URL category server in the system logs.
- A valid, unexpired license must have been imported to the device. Make sure the device can connect to for license validity checking. Expiration of the license for category-based URL filtering disables category-based URL filtering but does not affect user-defined URL filtering.
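The selection rule in the third guideline above is easy to misjudge when several policy applications overlap. The following Python model (an added example, not H3C code) implements that rule so the winning policy application for a source address can be checked before the configuration is activated; the class layout, the interpretation of "IP address scope" as the number of addresses covered after exclusions, and the addresses used in the sample configuration are assumptions made for this example.

```python
"""Model of how a segment chooses one URL filtering policy application for a packet.

Added example (not H3C code). It implements the rule from the Configuration
Guidelines: among the policy applications on the segment whose IP address
list covers the packet's source address (and whose excluded IP address list
does not), the one with the smallest IP address scope wins; on equal scope,
the one configured earlier wins. The PolicyApplication class, the meaning of
"scope" as the number of covered addresses, and all addresses below are
assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PolicyApplication:
    policy: str
    segment: int
    addresses: tuple       # IP address list, e.g. ("192.168.1.0/24",)
    excluded: tuple = ()   # excluded IP address list, e.g. ("192.168.1.5/32",)
    order: int = 0         # configuration order; lower means configured earlier

    def scope(self):
        """Number of addresses covered after exclusions (smaller = more specific)."""
        covered = sum(ip_network(a).num_addresses for a in self.addresses)
        return covered - sum(ip_network(x).num_addresses for x in self.excluded)

    def covers(self, src_ip):
        """True if src_ip is in the address list and not in the excluded list."""
        addr = ip_address(src_ip)
        if any(addr in ip_network(x) for x in self.excluded):
            return False
        return any(addr in ip_network(a) for a in self.addresses)


def select_application(segment, src_ip, applications):
    """Return the PolicyApplication that handles src_ip on the segment, or None."""
    candidates = [a for a in applications
                  if a.segment == segment and a.covers(src_ip)]
    if not candidates:
        return None
    # Smallest scope first; configuration order breaks ties.
    return min(candidates, key=lambda a: (a.scope(), a.order))


# Constructed configuration: a company-wide application that exempts one host,
# plus two narrower applications with identical scope.
APPLICATIONS = (
    PolicyApplication("URL policy for company", 0, ("192.168.1.0/24",),
                      excluded=("192.168.1.5/32",), order=1),
    PolicyApplication("strict", 0, ("192.168.1.0/25",), order=2),
    PolicyApplication("strict-dup", 0, ("192.168.1.0/25",), order=3),
)


def which_policy(src_ip, segment=0, applications=APPLICATIONS):
    """Name of the winning policy for src_ip on the segment, or "none"."""
    chosen = select_application(segment, src_ip, applications)
    return chosen.policy if chosen else "none"


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.200", "192.168.1.5", "10.0.0.1"):
        print(ip, "->", which_policy(ip))
```

The third sample address shows the point that matters operationally: the host excluded from the company-wide application is still covered by the narrower "strict" application, because an excluded IP address list only exempts a host from that one policy application, not from the segment. A host that must be exempt from URL filtering has to be excluded from every application whose address list covers it.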

URL Filtering Configuration Example

Network Requirements

As shown in Figure 1, the internal network segment and external network segment of a company are /24 and /22 respectively. On the UTM, configure a URL filtering policy with rules that prohibit users, except user , from accessing website during the work time 8:30 to 12:00, and record user access logs.

Figure 1 Network diagram for URL filtering configuration

Configuration Considerations

- Import the traffic of interest for in-depth inspection.
- Configure the URL filtering policy and rules.
- Apply the URL filtering policy to the specified segment.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring interface GE 0/1

Select Device Management > Interface from the navigation tree and click the icon of interface GigabitEthernet 0/1 to enter the page for editing the interface. Perform the configurations shown in the following figure, and click Apply.

Select Device Management > Zone from the navigation tree and click the icon of zone Untrust to enter the page for modifying the zone configuration. As shown in the following figure, add interface GigabitEthernet 0/1 to zone Untrust and click Apply to complete the configuration and return to the security zone page.

Configuring interface GE 0/4

Similarly, assign IP address /24 to interface GigabitEthernet 0/4 and add this interface to zone Trust. After the configuration, select Device Management > Interface from the navigation tree, and you should see the interface information you just configured.

Configuring NAT

To let internal hosts access the Internet through the UTM, configure a NAT policy on interface GigabitEthernet 0/1. In this example, the policy references ACL 3004 and uses Easy IP as the address translation mode.

Select Firewall > ACL from the navigation tree. Create ACL 3004 and add a rule to define the target traffic. In this example, the rule permits packets sourced from /24.

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Dynamic NAT area, click Add, and then specify ACL 3004 and Easy IP for interface GigabitEthernet 0/1. The following figure shows the configuration result.

Configuring a static route

Select Network > Routing Management > Static Routing from the navigation tree. Add a static route whose next hop is , the IP address of the interface on the router that connects to the external network; that router interface is on the same network segment as GigabitEthernet 0/1 of the UTM device.

Configuring DNS

Specify the DNS server used to resolve the address of the license validity checking server ( ). Select Network > DNS > Dynamic from the navigation tree. Click Add IP to add the IP address of the DNS server.

Configuring a redirect policy

Configure a redirect policy to redirect the traffic of interest to the i-ware platform for in-depth analysis. In this example, traffic between zone Trust and zone Untrust that matches ACL 3000 is redirected to segment 0.

First, select Firewall > ACL from the navigation tree. Create ACL 3000 and add rules to identify the traffic of interest. The configuration is shown in the following figure:

Then select IPS AV Application Control > Advanced Configuration from the navigation tree and add a flow redirect policy that redirects traffic matching ACL 3000 to segment 0.

URL Filtering Configuration

Select IPS AV Application Control > Advanced Configuration from the navigation tree. Then click the Application Security Policy link to enter the in-depth inspection configuration page.

Creating a time table named morning

Select System Management > Time Table List from the navigation tree and click Add to enter the time table configuration page. Type the name of the time table and select the time range 8:30 to 12:00 from Monday to Friday, as shown in the following figure:

Configuring global parameters for URL filtering

Select URL Filtering > Global Configuration from the navigation tree and perform the following configurations:

- Select Enable category-based URL filtering.
- Select Enable user-defined URL filtering.
- Type as the IP address of the URL category server.
- Type 5000 as the port number of the URL category server.
- Click Apply.

Creating and applying a URL filtering policy

Click Add in the Policy Application List area to enter the policy application configuration page and perform the following configurations:

- Type the policy name URL policy for company.
- Click the expansion button before Category-Based URL Rule.
- Click category group Information Technology in the Category-Based URL Rule area.
- For category Software/Hardware, select Never from the Block at drop-down list and Any time from the Log at drop-down list.
- Click the expansion button before User-Defined URL Rule.
- Click Add in the User-Defined URL Rule area, and perform the following configurations on the pop-up page:
  - Type h3c as the rule name.
  - Select By fixed string for the Domain Name Filtering field, and type the domain name string .
  - Select By fixed string for the URI Filtering field, and type the URI string /Training?.
  - Select morning from the Block at drop-down list as the blocking time.
  - Select Any time from the Log at drop-down list as the logging time.
  - Click Apply.
  - Click Cancel to close the Add User-Defined URL Filtering Rule page.
- Click Add in the Apply Policy to area, and on the pop-up page perform the following configurations:
  - Select segment 0.
  - Add /24 to the IP addresses list.
  - Add /32 to the Excluded IP addresses list.
  - Click Apply.
  - Click Cancel to close this configuration page.

After the preceding configurations are complete, the following page appears, displaying the policy application configuration. Click Apply.

Note:

1) For a user-defined URL filtering rule, domain name filtering is required, while URI path filtering is optional. The following table describes the effect of the domain name filtering and URI path filtering settings of a rule. A dash means the field is not configured; "(fixed domain name)" stands for the fixed domain name string typed in the rule.

Domain name string | Domain name regular expression | URI path string | URI regular expression | Configuration effect
(fixed domain name) | - | - | - | Filters out all web pages on that domain
(fixed domain name) | - | /index.html | - | Filters out the web page /index.html on that domain
(fixed domain name) | - | - | /index.html? | Filters out the /index.html and /index.htm web pages on that domain
- | (news|tech)\.abc\.com | - | - | Filters out all web pages on news.abc.com and tech.abc.com
- | (news|tech)\.abc\.com | /index.html | - | Filters out the /index.html web pages on news.abc.com and tech.abc.com
- | (news|tech)\.abc\.com | - | /index.html? | Filters out the /index.html and /index.htm web pages on news.abc.com and tech.abc.com

2) You can specify a rule to trigger different action sets in different time ranges. If the time ranges defined in two time tables overlap, the action set that corresponds to the time table listed higher in the Time Table-Action Set list is carried out. The available time tables are those configured on the System Management > Time Table List page, and the available action sets are those configured on the System Management > Action Management page. Up to six Time Table-Action Set combinations can be configured.

3) If both user-defined URL filtering and category-based URL filtering are enabled, a URL that matches no user-defined URL filtering rule is matched against the category-based URL filtering rules. If only user-defined URL filtering is enabled, URLs that match no user-defined URL rule are processed according to the other rules. If neither user-defined URL filtering nor category-based URL filtering is enabled, the device forwards the HTTP packets.

Activating configurations

After the configurations, the URL filtering policy application list appears, as shown in the following figure. Click Activate and confirm your action. Click OK.

Verification

Using the IE browser, the internal user ( ) can access normally but cannot access . Select Log Management > URL Logs from the navigation tree; you should see URL filtering logs.

URL Filtering Rule Configuration Guidelines

The following contents supplement the precautions on user-defined rule configuration mentioned earlier.

As shown in the figure, the domain name filtering configuration is required, while the URI path filtering configuration is optional. Domain name filtering and URI path filtering each have two configuration methods, so there are six configuration methods in total:

- Domain name filtering by fixed string
- Domain name filtering by regular expression
- Domain name filtering by fixed string + URI path filtering by fixed string
- Domain name filtering by fixed string + URI path filtering by regular expression
- Domain name filtering by regular expression + URI path filtering by fixed string
- Domain name filtering by regular expression + URI path filtering by regular expression

A configured domain name string must exactly match the whole value of the Host field in the HTTP request, and a configured URI string must exactly match the whole URI in the GET request line. If you configure domain name filtering or URI path filtering by fixed string but enter only part of the URL, the URL will not be matched. The URI in an HTTP request starts from the first slash (/); do not drop any part of it. To match URIs that contain a specific string, use a regular expression.

The following are examples for the six URL filtering configuration methods:

1) Domain name: (fixed domain name string). Filters all HTTP requests whose domain name is exactly that string.

2) Domain name regular expression: (news|sports)\.sina\.com\.cn. Filters all HTTP requests whose domain name is news.sina.com.cn or sports.sina.com.cn. Note that you must escape dots (.) with backslashes (\); otherwise a dot is interpreted as a wildcard in the regular expression.

3) Domain name: (fixed domain name string); URI: /index=1.html. Filters HTTP requests for /index=1.html on that domain.

4) Domain name: (fixed domain name string); URI regular expression: .*badthing.*. Filters all web pages whose URI contains badthing on that domain.

5) Domain name: .*sina.*; URI: /index.php
Filters all HTTP requests whose host name contains sina and whose URI is /index.php.
6) Domain name: .*sina.*; URI: .*badthing.*
Filters all HTTP requests whose host name contains sina and whose URI contains badthing.

URL filtering configuration is case sensitive unless a regular expression is used and the regular expression starts with (?i).

Usage Guide for URL Category Query Server
1) Copy the server installation package URLCatServer-setup-v1.0.exe to a PC that can access the Internet. Double-click the package to install the server.
2) Select a language.
3) Select an installation folder.

4) After the installation, select Start > All Programs > URLCatServer > URLCatServer Parameter Setting, or double-click the server icon in the notification area, to bring up the parameter setup page.
5) After you install the server, the server loads the category database automatically. You can check whether the category database has been loaded successfully in the DB Status field.

6) If the category database upgrade fails, the most likely reason is that the category database server is unreachable. Locate the configuration file URLCatServer.conf in the installation folder.
7) Open the configuration file and check whether the URL category database server configured in this file is accessible, for example by using the IE browser. The configuration is the default access path to the URL category database server and normally you do not need to modify the path.
8) You can modify the listening port on the server parameter configuration page. The listening port is the port from which the listening device sends URL category requests. It must be consistent with that configured on the device and defaults to
Normally, you do not need to modify this value. Note that you need to restart the service to make the change take effect.
9) As the category database is upgraded periodically, you need to specify an upgrade interval and upgrade time for the URL category server to download the up-to-date category database periodically. In this example, the server is configured to upgrade the category database at 0 o'clock every day.

10) Click OK to save the configuration parameters. Click Upgrade Now to upgrade the category database immediately. Click Start, Stop, or Restart to start, stop, or restart the URL category filtering service.

References
Related Documentation
URL Filtering Configuration in the web configuration manual.

Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
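The six domain name / URI matching methods and the case-sensitivity rule from URL Filtering Rule Configuration Guidelines above, worked through in Python as an added example. This is not H3C code and does not model the device's own matching engine; the rule set, request lines and host names are constructed (www.example.com stands in for the host names elided in the manual), and whole-field matching is assumed for both fixed strings and regular expressions, as the guidelines describe.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UrlRule:
    """One user-defined URL filtering rule: the domain part is required,
    the URI part is optional; each part is a fixed string or a regex."""
    domain: str
    domain_is_regex: bool = False
    uri: Optional[str] = None
    uri_is_regex: bool = False


def parse_http_request(raw: str) -> Tuple[str, str]:
    """Return (host, uri) from a raw HTTP/1.x request.

    The URI is the whole request target from its first slash (nothing is
    dropped); the host is the value of the Host header, or "" if absent.
    """
    lines = raw.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        if not line:            # empty line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host, target


def field_matches(pattern: str, is_regex: bool, value: str) -> bool:
    """Fixed strings must equal the whole field, case-sensitively.

    A regex must also cover the whole field (so a substring match needs a
    leading and trailing .*), and is case-insensitive only when it starts
    with (?i), which Python's re honours as an inline flag."""
    if not is_regex:
        return pattern == value
    return re.fullmatch(pattern, value) is not None


def rule_matches(rule: UrlRule, host: str, uri: str) -> bool:
    if not field_matches(rule.domain, rule.domain_is_regex, host):
        return False
    if rule.uri is None:        # domain-only rule
        return True
    return field_matches(rule.uri, rule.uri_is_regex, uri)


def first_matching_rule(rules: List[UrlRule], raw_request: str) -> Optional[int]:
    """Index of the first rule that filters the request, or None."""
    host, uri = parse_http_request(raw_request)
    for index, rule in enumerate(rules):
        if rule_matches(rule, host, uri):
            return index
    return None


# Constructed rule set covering the six configuration methods, plus the
# (?i) case and a partial fixed string that never matches a full host.
RULES = [
    UrlRule("news.sina.com.cn"),                                  # 0 fixed domain
    UrlRule(r"(news|sports)\.sina\.com\.cn", True),                # 1 regex domain
    UrlRule("www.example.com", False, "/index=1.html", False),    # 2 fixed + fixed
    UrlRule("www.example.com", False, r".*badthing.*", True),     # 3 fixed + regex
    UrlRule(r".*sina.*", True, "/index.php", False),              # 4 regex + fixed
    UrlRule(r".*sina.*", True, r".*badthing.*", True),            # 5 regex + regex
    UrlRule(r"(?i)blog\.example\.com", True),                     # 6 case-insensitive
    UrlRule("sina.com.cn"),                                       # 7 partial fixed string
]


def request(host: str, uri: str) -> str:
    """Build a constructed GET request (hypothetical helper for the demo)."""
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: x\r\n\r\n"


if __name__ == "__main__":
    for h, u in [("news.sina.com.cn", "/"), ("www.sina.com.cn", "/index.php"),
                 ("NEWS.SINA.COM.CN", "/"), ("www.sina.com.cn", "/x")]:
        print(h, u, "->", first_matching_rule(RULES, request(h, u)))
```

Note that the upper-case NEWS.SINA.COM.CN request matches nothing, and that the partial fixed string sina.com.cn does not catch www.sina.com.cn, which is exactly why the guidelines point you to a regular expression for substring matches.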

UTM Series IPSec Configuration Examples
Keyword: IKE, IPSec
Abstract: This document describes basic concepts of IKE and IPsec, and provides configuration examples for UTM series devices.
Acronyms:
Acronym  Full spelling
IKE      Internet Key Exchange
IPsec    IP Security

Table of Contents
IPsec Configuration 3
  IPsec Overview 3
    Implementation of IPsec 3
    Basic Concepts of IPsec 4
    Application Scenarios 5
  Configuration Guidelines 5
    Configuring IPsec 5
    Configuring ACLs 6
    Configuring IKE 7
      Configuring Global IKE Parameters 7
      Configuring an IKE Proposal 8
      Configuring an IKE Peer 9
    Configuring an IPsec Proposal 11
    Configuring an IPsec Policy Template 13
    Configuring an IPsec Policy 15
    Applying an IPsec Policy Group 17
  IPsec Configuration Example I: Basic Application 18
    Network Requirements 18
    Software Version Used 18
    Configuration Procedures 19
    Verification 26
      Viewing IPsec SAs 27
      Viewing Packet Statistics 27
  IPsec Configuration Example: Working with NAT 27
    Network Requirements 27
    Configuration Procedures 28
    Verification 34
      Viewing IPSec SAs 34
      Viewing Packet Statistics 34
  Configuration Guidelines 35
  References 35
    Protocols and Standards 35
    Related Documentation 35

IPsec Configuration
IPsec Overview
IP Security (IPsec) refers to a series of protocols defined by the Internet Engineering Task Force (IETF) to provide high quality, interoperable, cryptography-based security for IP packets. By means of facilities including encryption and data origin authentication, it delivers these security services at the IP layer:
- Confidentiality: The sender encrypts packets before transmitting them over the Internet.
- Data integrity: The receiver verifies the packets received from the sender to ensure they have not been tampered with during transmission.
- Data origin authentication: The receiver authenticates the legality of the sender.
- Anti-replay: The receiver examines packets and rejects outdated or repeated packets.

IPsec delivers these benefits:
- Reduced key negotiation overheads and streamlined IPsec maintenance by supporting the Internet Key Exchange (IKE) protocol, which provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
- Good compatibility. IPsec can be applied to all IP-based application systems and services without any modification to them.
- Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly enhances IP security.

Implementation of IPsec
IPsec consists of a series of protocols for IP data security, including Authentication Header (AH), Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and ESP provide security services and IKE performs key exchange. For how IKE works, refer to IKE Configuration.
IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism allows the receiver of an IP packet to authenticate the sender and check whether the packet has been tampered with. The encryption mechanism ensures data confidentiality and protects data from being eavesdropped en route.
IPsec is available with two security protocols:
- AH (protocol 51): Provides data origin authentication, data integrity, and anti-replay services. For these purposes, an AH header is added to each IP packet. AH is suitable for transmitting non-critical data, because it cannot prevent eavesdropping even though it works fine in preventing data tampering. AH supports authentication algorithms such as Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).
- ESP (protocol 50): Provides data encryption in addition to origin authentication, data integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer into IP packets. Unlike AH, ESP encrypts data before it is encapsulated in the IP header to ensure data confidentiality. ESP supports encryption algorithms including Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1.

Both AH and ESP provide authentication services. However, the authentication service provided by AH is stronger than that provided by ESP. In practice, you can choose either or both security protocols as required. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.

Basic Concepts of IPsec
Security association
IPsec enables secure communication between two ends, which are called IPsec peers. Security associations (SAs) are fundamental to IPsec. An SA is a set of elements including the protocols (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), encryption algorithm (DES, 3DES, or AES), shared key used for flow protection, and key lifetime. An SA can be created with IKE.

Encapsulation modes
IPsec can work in the following two modes:
- Tunnel mode: The whole IP packet is used to calculate the AH/ESP header, which is encapsulated into a new IP packet together with the ESP-encrypted data. Generally, tunnel mode is used for communication between two security gateways.
- Transport mode: Only the transport layer data is used to calculate the AH/ESP header, which is put after the original IP header and before the ESP-encrypted data. Generally, transport mode is used for communication between two hosts or between a host and a security gateway.
Figure 1 illustrates how data is encapsulated by different security protocols in tunnel and transport modes. Here, the term data refers to the transport layer data.
Figure 1 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms
1) Authentication algorithms
Authentication algorithms are implemented through hash functions. A hash function takes a message of arbitrary length and generates a message digest of fixed length. The IPsec peers each calculate the message digest. If the resulting digests are identical, the packet is considered intact and not tampered with.
There are two types of IPsec authentication algorithms:
- MD5: Takes a message of arbitrary length and generates a 128-bit message digest.
- SHA-1: Takes a message of fewer than 2^64 bits and generates a 160-bit message digest.

Slower than MD5, SHA-1 provides higher security.
2) Encryption algorithms
Most encryption algorithms depend on symmetric key systems, which decrypt data by using the same keys that were used for encryption. Currently, three encryption algorithms are available for IPsec on the device:
- DES: Data Encryption Standard, encrypts a 64-bit block of plain text with a 56-bit key.
- 3DES: Triple DES, encrypts plain text with three 56-bit DES keys, which total 168 bits.
- AES: Advanced Encryption Standard, encrypts plain text with a 128-bit, 192-bit, or 256-bit key.
AES, 3DES, and DES are in descending order in terms of security. Higher security means more complex implementation and lower speed. DES is enough to meet general requirements.

Application Scenarios
IPsec is a VPN technology that delivers the security services of confidentiality, data integrity, and origin authentication at the IP layer. IPsec can use IKE to update keys periodically, enhancing system security. IPsec is widely used for transmitting sensitive data in VPN networks.

Configuration Guidelines
Configuring IPsec
At present, the device supports IPsec tunnel setup with IPsec policies. In this approach, ACLs are used in IPsec policies to identify data flows to be protected. The use of ACLs adds flexibility to IPsec policies. IPsec policies can take effect only after they are applied to physical interfaces.
The following is the generic IPsec policy configuration procedure:
1) Configure ACLs for identifying data flows to be protected.
2) Configure IPsec proposals to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
3) Configure IPsec policies to associate data flows with IPsec proposals and specify the SA negotiation mode, peer IP addresses (namely the start and end points of the IPsec tunnel), required keys, and SA lifetime.
4) Apply the IPsec policies to interfaces to finish IPsec tunnel configuration.
Perform the tasks in Table 1 to configure IPsec.
Table 1 IPsec configuration task list
Task: Configuring ACLs
Remarks: Required. One important function of ACLs is identifying traffic based on matching criteria. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec. This document covers only referencing ACLs in IPsec. To create ACLs, select Firewall > ACL from the navigation tree.

Task: Configuring IKE
Remarks: Required. IKE provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the application, management, configuration, and maintenance of IPsec.

Task: Configuring an IPsec Proposal
Remarks: Required. An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption/authentication algorithms, and encapsulation mode. Changes to an IPsec proposal affect only SAs negotiated after the changes.

Task: Configuring an IPsec Policy Template
Remarks: Required when an IPsec policy needs to reference an IPsec policy template group. An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Task: Configuring an IPsec Policy
Remarks: Required. Configure an IPsec policy by specifying the parameters directly or by referencing a created IPsec policy template. The Web interface supports only IKE-dependent IPsec policies. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. An IKE-dependent IPsec policy created by referencing a template cannot be used to initiate SA negotiation, but it can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end, while the parameters not defined in the template are determined by the initiator.

Task: Applying an IPsec Policy Group
Remarks: Required. Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows.

Task: Viewing IPsec SAs
Remarks: Optional. View brief information about established IPsec SAs to verify your configuration.

Task: Viewing Packet Statistics
Remarks: Optional. View packet statistics to verify your configuration.
Configuring ACLs
IPsec uses ACLs to identify data flows. Each ACL rule contains a deny or permit keyword and is regarded as a deny or permit statement. A rule with the permit keyword identifies a data flow to be protected by IPsec, while a rule with the deny keyword identifies a data flow that does not need to be protected by IPsec.

To configure ACLs, select Firewall > ACL to enter the ACL configuration page, and perform the following configurations:
1) Create an ACL.
2) Configure rules for the ACL.
Ensure that all permit statements applied in the inbound direction are for IPsec-protected traffic flows only. This is to avoid normal incoming packets being dropped because of permit statement hits.

Configuring IKE
An SA can be created with IKE. This section describes how to configure IKE.

Configuring Global IKE Parameters
Select VPN > IKE > Global from the navigation tree to enter the IKE global configuration page, as shown in Figure 2.
Figure 2 IKE global configuration
Table 2 describes the configuration items for configuring global IKE parameters.
Table 2 Global IKE configuration items
Item: IKE Local Name
Description: Type a name for the local security gateway. If the local device needs to act as the IKE negotiation initiator and use the local gateway name for IKE negotiation, you need to configure this argument on the local device. Then, the local device sends its gateway name as identification to its peer, and the peer uses the locally configured remote gateway name to authenticate the local device. Therefore, make sure that the local gateway name configured here is identical to the remote gateway name configured on its peer. By default, the device name is used as the local gateway name.

Item: NAT Keepalive Interval
Description: Set the interval at which the ISAKMP SA sends NAT keepalive packets to its peer. NAT mappings on a NAT gateway may get aged out. If no packet traverses an IPsec tunnel in a certain period of time, the NAT mapping will be deleted, preventing the tunnel beyond the NAT gateway from transferring data. To prevent NAT mappings from being aged out, an ISAKMP SA sends NAT keepalive packets to its peer at a certain interval to keep the NAT session alive.

Configuring an IKE Proposal
Select VPN > IKE > Proposal from the navigation tree to display existing IKE proposals, as shown in Figure 3. Then, click Add to enter the IKE proposal configuration page, as shown in Figure 4.
Figure 3 IKE proposal list
Typically, IKE proposal configuration is omitted and the default IKE proposal named default is used.
Figure 4 Add an IKE proposal
Table 3 describes the configuration items for creating an IKE proposal.
Table 3 IKE proposal configuration items
Item: IKE Proposal Number
Description: Type the IKE proposal number. The number also stands for the priority of the IKE proposal, with a smaller value meaning a higher priority. During an IKE negotiation, the system matches IKE proposals in order of proposal number, starting from the smallest one.

Item: Authentication Method
Description: Select the authentication method to be used by the IKE proposal.
- Preshared Key: Uses the pre-shared key method.
- RSA Signature: Uses the RSA digital signature method.

Item: Authentication Algorithm
Description: Select the authentication algorithm to be used by the IKE proposal.
- SHA1: Uses HMAC-SHA1.
- MD5: Uses HMAC-MD5.

Item: Encryption Algorithm
Description: Select the encryption algorithm to be used by the IKE proposal.
- DES-CBC: Uses the DES algorithm in CBC mode and 56-bit keys for encryption.
- 3DES-CBC: Uses the 3DES algorithm in CBC mode and 168-bit keys for encryption.
- AES-128: Uses the AES algorithm in CBC mode and 128-bit keys for encryption.
- AES-192: Uses the AES algorithm in CBC mode and 192-bit keys for encryption.
- AES-256: Uses the AES algorithm in CBC mode and 256-bit keys for encryption.

Item: DH Group
Description: Select the DH group to be used in key negotiation phase 1.
- Group1: Uses the 768-bit Diffie-Hellman group.
- Group2: Uses the 1024-bit Diffie-Hellman group.
- Group5: Uses the 1536-bit Diffie-Hellman group.
- Group14: Uses the 2048-bit Diffie-Hellman group.

Item: SA Lifetime
Description: Type the ISAKMP SA lifetime of the IKE proposal. Before an SA expires, IKE negotiates a new SA. As soon as it is set up, the new SA takes effect immediately, and the old one is cleared automatically when it expires. If the SA lifetime expires, the system automatically updates the ISAKMP SA. As DH calculation in IKE negotiation takes time, especially on low-end devices, it is recommended to set the lifetime to greater than 10 minutes to prevent the SA update from affecting normal communication.

Configuring an IKE Peer
Select VPN > IKE > Peer from the navigation tree to display existing IKE peers, as shown in Figure 5. Then, click Add to enter the IKE peer configuration page, as shown in Figure 6.
Figure 5 IKE peer list

Figure 6 Add an IKE peer
Table 4 describes the configuration items for creating an IKE peer.
Table 4 IKE peer configuration items
Item: Peer Name
Description: Type a name for the IKE peer.

Item: IKE Negotiation Mode
Description: Select the IKE negotiation mode for phase 1, which can be Main or Aggressive. If one end of an IPsec tunnel is configured to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct. The specified negotiation mode is used when the local peer is the negotiation initiator. When acting as the responder, the local peer uses the negotiation mode of the initiator.

Item: Local ID Type
Description: Select the local ID type for IKE negotiation phase 1.
- IP Address: Uses an IP address as the ID in IKE negotiation.
- Gateway Name: Uses a gateway name as the ID in IKE negotiation.
In main mode, only the ID type of IP address can be used in IKE negotiation and SA establishment.

Item: Local IP Address
Description: Type the IP address of the local security gateway. By default, it is the primary IP address of the interface referencing the security policy. Configure this item when you want to specify a special address for the local security gateway. Normally, you do not need to specify the local IP address. You only need to do so when you want to specify a special address, such as the loopback interface address.

Item: Remote Gateway
Description: For the local peer to act as the initiator, you need to configure the remote security gateway name or IP address, so that the local peer can find the remote peer during the negotiation. Type the IP address or host name of the remote security gateway.
- IP Address: You can specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address, and its remote IP address must match the local IP address configured on its peer. If the local end is the responder of IKE negotiation, it can have more than one remote IP address, and one of its remote IP addresses must match the local IP address configured on its peer.
- Hostname: The host name of the remote gateway is the only identifier of the IPsec peer in the network. The host name can be resolved into an IP address by the DNS server. If a host name is used, the local end can serve as the initiator of IKE negotiation.

Item: Remote ID
Description: Type the name of the remote security gateway. If the local ID type configured for the IKE negotiation initiator is Gateway Name, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name (Remote ID) to authenticate the initiator. Therefore, make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer.
Item: Pre-Shared Key / PKI Domain
Description: Configure one of these two items according to the authentication method:
- If the authentication method is pre-shared key, select Pre-Shared Key and then type the pre-shared key in the following text box.
- If the authentication method is RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following drop-down box.

Item: Enable DPD
Description: Select the IKE DPD to be applied to the IKE peer.

Item: Enable the NAT traversal function
Description: Enable the NAT traversal function for IPsec/IKE. The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel. In main mode, IKE does not support NAT traversal, and therefore this item is unavailable. To save IP addresses, ISPs often deploy NAT gateways on public networks to allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel may have a public address while the other end may have a private address, and therefore NAT traversal must be configured at the private network side to set up the tunnel.

Configuring an IPsec Proposal
Select VPN > IPSec > Proposal from the navigation tree to display existing IPsec proposals.

The Web interface provides two modes for configuring an IPsec proposal: suite mode and custom mode.
Suite mode: This mode allows you to select a pre-defined encryption suite. Figure 7 shows the IPsec proposal configuration in suite mode.
Figure 7 IPsec proposal configuration in suite mode
Table 5 describes the configuration items in this mode.
Table 5 IPsec proposal configuration items in suite mode
Item: Proposal Name
Description: Type the name for the IPsec proposal.

Item: Encryption Suite
Description: Select the encryption suite for the proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used. The following are the available encryption suites, where Tunnel means that the security protocol encapsulates IP packets in tunnel mode:
- Tunnel-ESP-DES-MD5: Uses the ESP security protocol, the DES encryption algorithm, and the MD5 authentication algorithm.
- Tunnel-ESP-3DES-MD5: Uses the ESP security protocol, the 3DES encryption algorithm, and the MD5 authentication algorithm.
- Tunnel-AH-MD5-ESP-DES: Uses the ESP and AH security protocols successively, with ESP using the DES encryption algorithm and performing no authentication, and AH using the MD5 authentication algorithm.
- Tunnel-AH-MD5-ESP-3DES: Uses the ESP and AH security protocols successively, with ESP using the 3DES encryption algorithm and performing no authentication, and AH using the MD5 authentication algorithm.

Custom mode: This mode allows you to configure the IPsec proposal parameters individually. Figure 8 shows the IPsec proposal configuration in custom mode.
Figure 8 IPsec proposal configuration in custom mode

Table 6 describes the configuration items in this mode.
Table 6 IPsec proposal configuration items in custom mode
Item: Proposal Name
Description: Type the name for the IPsec proposal.

Item: Encapsulation Mode
Description: Select the IP packet encapsulation mode for the IPsec proposal.
- Tunnel: Uses the tunnel mode.
- Transport: Uses the transport mode.

Item: Security Protocol
Description: Select the security protocol for the proposal.
- AH: Uses the AH protocol.
- ESP: Uses the ESP protocol.
- AH-ESP: Uses ESP first and then AH.

Item: AH Authentication Algorithm
Description: Select an authentication algorithm for AH when the security protocol is AH or AH-ESP. Available authentication algorithms include MD5 and SHA1.

Item: ESP Authentication Algorithm
Description: Select an authentication algorithm for ESP when the security protocol is ESP or AH-ESP. You can select MD5 or SHA1, or leave it null so that ESP performs no authentication. The ESP authentication algorithm and ESP encryption algorithm cannot both be null.

Item: ESP Encryption Algorithm
Description: Select an encryption algorithm for ESP when the security protocol is ESP or AH-ESP.
- DES: Uses the DES algorithm and 56-bit keys for encryption.
- 3DES: Uses the 3DES algorithm and 168-bit keys for encryption.
- AES128: Uses the AES algorithm and 128-bit keys for encryption.
- AES192: Uses the AES algorithm and 192-bit keys for encryption.
- AES256: Uses the AES algorithm and 256-bit keys for encryption.
- Leave it null so that ESP performs no encryption.
Higher security means more complex implementation and lower speed. DES is enough to meet general requirements. Use 3DES when there are very high confidentiality and security requirements. The ESP authentication algorithm and ESP encryption algorithm cannot both be null.

Configuring an IPsec Policy Template
Select VPN > IPSec > Policy-Template from the navigation tree to display existing IPsec policy templates, as shown in Figure 9. Then, click Add to enter the IPsec policy template configuration page, as shown in Figure 10.

Figure 9 IPsec policy template list
Figure 10 IPsec policy template configuration page
Table 7 describes the configuration items for creating an IPsec policy template.
Table 7 Configuration items for an IPsec policy template
Item: Template Name
Description: Type the name for the IPsec policy template.

Item: Sequence Number
Description: Type the sequence number for the IPsec policy template. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Item: IKE Peer
Description: Select the IKE peer for the IPsec policy template to reference. Available IKE peers are those configured by selecting VPN > IKE > Peer from the navigation tree.

Item: IPSec Proposal
Description: Select up to six IPsec proposals for the IPsec policy template to reference. The IKE negotiation process will search for and use the exactly matching IPsec proposal. If no matching IPsec proposal is found, the expected SAs cannot be established and the packets that need to be protected will be discarded.

Item: PFS
Description: Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature.
- dh-group1: Uses the 768-bit Diffie-Hellman group.
- dh-group2: Uses the 1024-bit Diffie-Hellman group.
- dh-group5: Uses the 1536-bit Diffie-Hellman group.
- dh-group14: Uses the 2048-bit Diffie-Hellman group.
dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time. When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security. The two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

Item: ACL
Description: Select the ACL for the IPsec policy template to reference. The specified ACL must already be created and contain at least one rule. ACL configuration supports VPN multi-instance.

Item: SA Lifetime (Time Based, Traffic Based)
Description: Type the SA lifetime, which can be time-based or traffic-based. When negotiating to set up IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.

Configuring an IPsec Policy
Select VPN > IPSec > Policy from the navigation tree to display existing IPsec policies, as shown in Figure 11. Then, click Add to enter the IPsec policy configuration page, as shown in Figure 12.
Figure 11 IPsec policy list

Figure 12 IPsec policy configuration page
Table 8 describes the configuration items for creating an IPsec policy.
Table 8 IPsec policy configuration items
Item: Policy Name
Description: Type the name for the IPsec policy.

Item: Sequence Number
Description: Type the sequence number for the IPsec policy. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

Item: Template
Description: Select the IPsec policy template to be referenced. If you select an IPsec policy template, all subsequent configuration items except the aggregation setting are unavailable.

Item: IKE Peer
Description: Select the IKE peer for the IPsec policy to reference. Available IKE peers are those configured by selecting VPN > IKE > Peer from the navigation tree.

Item: IPSec Proposal
Description: Select up to six IPsec proposals for the IPsec policy to reference. The IKE negotiation process will search for and use the exactly matching IPsec proposal. If no exactly matching IPsec proposal is found, the expected SAs cannot be established and the packets that need to be protected will be discarded.

Item: PFS
Description: Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature.
- dh-group1: Uses the 768-bit Diffie-Hellman group.
- dh-group2: Uses the 1024-bit Diffie-Hellman group.
- dh-group5: Uses the 1536-bit Diffie-Hellman group.
- dh-group14: Uses the 2048-bit Diffie-Hellman group.
dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time. When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security. The two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

Item: ACL
Description: Select the ACL for the IPsec policy to reference. The specified ACL must already be created and contain at least one rule. ACL configuration supports VPN multi-instance.

Item: Aggregation
Description: Select this check box to protect traffic in aggregation mode. If you do not select the check box, the standard mode is used. This setting takes effect only when you specify an ACL for the IPsec policy to reference. When configuring devices that support both the standard mode and the aggregation mode, be sure to configure the two ends of a tunnel to work in the same mode.

Item: SA Lifetime (Time Based, Traffic Based)
Description: Type the SA lifetime, which can be time-based or traffic-based. When negotiating to set up IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.

Applying an IPsec Policy Group
Select VPN > IPSec > IPSec Application from the navigation tree to display the IPsec policy application status, as shown in Figure 13. Find the interface to which you want to apply an IPsec policy group and then click the corresponding icon to enter the IPsec policy application page, as shown in Figure 14.
Figure 13 IPsec policy application

Figure 14 IPsec policy application page

Table 9 describes the configuration items for applying an IPsec policy group.

Table 9 Configuration items for IPsec policy group application

Interface: Displays the interface to which you want to apply an IPsec policy group.

Policy: Select the IPsec policy group to be applied. Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application and then apply the new one to the interface. An IPsec policy group can be applied to more than one interface.

IPsec Configuration Example I: Basic Application

Network Requirements

As shown in Figure 15, an IPsec tunnel is established between Device A and Device B to protect traffic between subnet /24 (where Host A resides) and subnet /24 (where Host B resides). The security protocol to be used is ESP, the encryption algorithm is DES, and the authentication algorithm is MD5.

Figure 15 Network diagram for IPsec configuration

Software Version Used

F5118
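To make the policy lookup rules of Table 8 concrete before the configuration steps, here is an added Python model (not H3C code and not the device's implementation) of how an IPsec policy group is searched for a flow, why the peer's proposal must match exactly, why the PFS group must agree, and how the SA lifetime is chosen. The subnets, the second policy entry and the AES/SHA1 proposal are constructed sample data; the ESP/DES/MD5 proposal mirrors Example I.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One IPsec proposal: the four fields the proposal page sets."""
    protocol: str   # "ESP" or "AH"
    mode: str       # "Tunnel" or "Transport"
    auth: str       # authentication algorithm, e.g. "MD5" or "SHA1"
    encrypt: str    # encryption algorithm, e.g. "DES", "3DES", "AES128"


@dataclass
class Policy:
    """One entry of an IPsec policy group (all entries share the group name)."""
    seq: int                        # smaller sequence number = higher priority
    acl: list                       # permit rules as (src_network, dst_network)
    proposals: list                 # up to six Proposal objects
    pfs: Optional[str] = None       # e.g. "dh-group2"; None means PFS disabled
    lifetime_sec: int = 3600        # locally configured time-based SA lifetime


@dataclass
class PeerOffer:
    """What the remote IKE peer proposes in phase 2."""
    proposal: Proposal
    pfs: Optional[str]
    lifetime_sec: int


def acl_permits(acl, src, dst):
    """True if some rule's source and destination networks cover the flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def select_policy(group, src, dst):
    """Search the group in ascending sequence order; the first ACL hit wins."""
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_permits(policy.acl, src, dst):
            return policy
    return None


def negotiate(group, offer, src, dst):
    """Return the agreed SA parameters as a dict, or a string naming the
    reason phase 2 fails (the flow's packets are then discarded)."""
    policy = select_policy(group, src, dst)
    if policy is None:
        return "no policy in the group matches the flow"
    if policy.pfs != offer.pfs:
        return "PFS Diffie-Hellman group mismatch"
    # The proposal match is exact: same protocol, mode, auth and encryption.
    if offer.proposal not in policy.proposals:
        return "no exactly matching IPsec proposal"
    return {
        "seq": policy.seq,
        "proposal": offer.proposal,
        # IKE keeps the smaller of the local and the proposed lifetime.
        "lifetime_sec": min(policy.lifetime_sec, offer.lifetime_sec),
    }


# Constructed sample data (the page elides its subnets; documentation
# ranges stand in for them).
LAN_A, LAN_B = "192.0.2.0/24", "198.51.100.0/24"
# The Example I proposal: ESP, tunnel mode, MD5, DES.  Kept only to mirror
# the page; DES and MD5 are obsolete choices for a new deployment.
EXAMPLE_I = Proposal("ESP", "Tunnel", "MD5", "DES")
STRONGER = Proposal("ESP", "Tunnel", "SHA1", "AES128")   # constructed

GROUP = [
    Policy(seq=1, acl=[(LAN_A, LAN_B)], proposals=[EXAMPLE_I], pfs=None,
           lifetime_sec=3600),
    Policy(seq=10, acl=[(LAN_A, "0.0.0.0/0")], proposals=[STRONGER],
           pfs="dh-group2", lifetime_sec=7200),
]

if __name__ == "__main__":
    print(negotiate(GROUP, PeerOffer(EXAMPLE_I, None, 1800),
                    "192.0.2.10", "198.51.100.20"))
    print(negotiate(GROUP, PeerOffer(Proposal("ESP", "Tunnel", "MD5", "3DES"),
                                     None, 1800), "192.0.2.10", "198.51.100.20"))
```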

Configuration Procedures

Configuring Device A

# Assign IP addresses to the interfaces and add them to their target zones. (Omitted)

# Define ACL 3101 to permit packets from subnet /24 to subnet /24.

Select Firewall > ACL from the navigation tree, and then click Add. Configure the ACL as shown in Figure 16.

Figure 16 Create ACL 3101

Type 3101 as the ACL number.
Select the match order of Config.
Click Apply.

From the ACL list, select ACL 3101 and click the corresponding icon. Then, click Add to enter the ACL rule configuration page. Create an ACL rule as shown in Figure 17.

Figure 17 Configure a rule to permit packets from /24 to /24

Select Permit from the Operation drop-down box.
Select the Source IP Address check box and type and respectively in the following text boxes.
Select the Destination IP Address check box and type and respectively in the following text boxes.
Click Apply.

Note that on an outbound interface where both NAT and IPsec are configured, if an ACL is configured to identify the traffic for NAT, the matching traffic is translated first. If the NATed traffic does not match any ACL for IPsec, the traffic cannot be IPsec protected. To solve this problem, you need to configure an additional rule in the ACL for NAT. For example, if ACL 3901 shown in Figure 18 is configured on GigabitEthernet 0/0 for NAT to process traffic sourced from /24, you need to add rule 1 to ACL 3901 as shown in Figure 19 so that traffic from /24 to /24 is not translated, but protected by IPsec.

Figure 18 ACL 3101

Figure 19 Add rule 1 for ACL 3901

# Configure a static route to Host B.

Select Network > Routing Management > Static Routing from the navigation tree, and then click Add. Create a static route as shown in Figure 20.

Figure 20 Configure a static route to Host B

Type as the destination IP address.
Type as the mask.
Type as the next hop.
Select GigabitEthernet0/1 as the outbound interface.
Click Apply.

# Configure the IKE peer.

Select VPN > IKE > Peer from the navigation tree and then click Add. Perform the configurations shown in Figure 21.

Figure 21 Configure an IKE peer

Type peer as the peer name.
Select Main as the negotiation mode.
Type as the IP address of the remote gateway.
Select Pre-Shared Key and type as the pre-shared key.
Click Apply.

# The default IKE proposal is used.

# Configure an IPsec proposal named proposal as follows:

Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Make the configuration as shown in Figure 22.

Figure 22 Configure an IPsec proposal

Type proposal as the name of the IPsec proposal.
Select Tunnel as the packet encapsulation mode.
Select ESP as the security protocol.
Select MD5 as the ESP authentication algorithm.
Select DES as the ESP encryption algorithm.
Click Apply.

# Configure an IPsec policy.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 23.

Figure 23 Configure an IPsec policy

Type policy as the policy name.
Type 1 as the sequence number.
Select the IKE peer of peer.
Select the IPsec proposal of proposal and click <<.

Type 3101 as the ACL.
Click Apply.

# Apply the IPsec policy to interface GigabitEthernet 0/0.

Select VPN > IPSec > IPSec Application from the navigation tree, and then click the icon of interface GigabitEthernet 0/0. Perform the configurations shown in Figure 24.

Figure 24 Apply the IPsec policy to interface GigabitEthernet 0/0

Select the policy of policy.
Click Apply.

Configuring Device B

# Assign IP addresses to the interfaces and then add them to their target zones. (Omitted)

# Define an ACL to permit traffic from subnet /24 to subnet /24.

Select Firewall > ACL from the navigation tree, and then click Add.

Type 3101 as the ACL number.
Select the match order of Config.
Click Apply.

From the ACL list, select ACL 3101 and click the corresponding icon. Then, click Add to enter the ACL rule configuration page. Configure a rule for ACL 3101 as shown in Figure 25.

Figure 25 Configure a rule for ACL 3101

# Configure a static route to Host A.

Select Network > Routing Management > Static Routing from the navigation tree, and then click Add. Perform the configurations shown in Figure 26.

Figure 26 Configure a static route to Host A

# Configure IKE peer peer.

Select VPN > IKE > Peer from the navigation tree and then click Add. Perform the configurations shown in Figure 27.

Figure 27 Configure an IKE peer

Type peer as the peer name.
Select Main as the negotiation mode.
Type as the IP address of the remote gateway.
Select Pre-Shared Key and type as the pre-shared key.
Click Apply.

# The default IKE proposal is used.

# Configure an IPsec proposal.

Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Perform the configurations shown in Figure 28.

Figure 28 Configure an IPsec proposal

Type proposal as the name of the IPsec proposal.
Select Tunnel as the packet encapsulation mode.
Select ESP as the security protocol.
Select MD5 as the ESP authentication algorithm.
Select DES as the ESP encryption algorithm.
Click Apply.

# Configure IPsec policy policy.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 29.

Figure 29 Configure an IPsec policy

Type policy as the policy name.
Type 1 as the sequence number.
Select the IKE peer of peer.
Select the IPsec proposal of proposal and click <<.
Type 3101 as the ACL.
Click Apply.

# Apply IPsec policy policy to GigabitEthernet 0/0.

Select VPN > IPSec > IPSec Application from the navigation tree, and then click the icon of interface GigabitEthernet 0/0. Select the policy of policy. Click Apply.

Figure 30 Apply the IPsec policy to GigabitEthernet 0/0

Verification

After configuration, packets to be exchanged between subnet /24 and subnet /24 will trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet /24 and subnet /24 will be protected by IPsec.

Viewing IPsec SAs

Select VPN > IPSec > IPSec SA from the navigation tree to display brief information about established IPsec SAs, as shown in Figure 31.

Figure 31 IPsec SAs

Viewing Packet Statistics

Select VPN > IPSec > Statistics from the navigation tree to view packet statistics, as shown in Figure 32.

Figure 32 Packet statistics

IPsec Configuration Example: Working with NAT

Network Requirements

This example describes the combination of IPsec and ADSL, which is a popular application of IPsec. As shown in Figure 33, Device B uses an ADSL card to connect directly to the DSLAM access side of the public network, and functions as the PPPoE client. Because Device B obtains only a private address dynamically from its ISP, you must configure NAT traversal on both Device A and Device B. The headquarters LAN connects to the intranet network through Device A. To ensure data security, IPsec/IKE is adopted to create an IPsec tunnel.

Because the branch obtains an IP address dynamically, the IKE negotiation mode must be aggressive. Configure the local peer to use the gateway name as the ID type, and enable NAT traversal.

Figure 33 Network diagram for configuring IPsec to work with NAT

Configuration Procedures

Configuring Device A

# Assign IP addresses to the interfaces and add the interfaces to their target zones. (Omitted)

# Configure the IKE local name as head.

Figure 34 IKE global configuration

# Configure the IKE peer.

Select VPN > IKE > Peer from the navigation tree and then click Add.

Type gate as the peer name.
Select Aggressive as the negotiation mode.
Type branch as the host name of the remote gateway.
Select Pre-Shared Key and type as the pre-shared key.
Select the Enable NAT traversal function check box.
Click Apply.

Figure 35 Configure an IKE peer

# Configure an IPsec proposal named proposal.

Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Type proposal as the IPsec proposal name, and use the default settings for the proposal, as shown in Figure 36.

Figure 36 Configure an IPsec proposal

# Configure an IPsec policy template.

Type 1 as the sequence number.
Select gate as the IKE peer.
Select IPsec proposal proposal, and click <<.
Click Apply.

Figure 37 Add an IPsec policy template

# Configure an IPsec policy named policy_nat.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 38.

Figure 38 Configure an IPsec policy

# Apply the IPsec policy to interface GigabitEthernet 0/0.

Figure 39 Apply the IPsec policy

Configuring Device B

# Assign IP addresses to the interfaces and add the interfaces to their target zones. (Omitted)

# Configure ACL 3101 to permit packets from subnet /24 to subnet /24.

Figure 40 Configure a rule for ACL 3101

Note that on an outbound interface where both NAT and IPsec are configured, if an ACL is configured to identify the traffic for NAT, the matching traffic is translated first. If the NATed traffic does not match any ACL for IPsec, the traffic cannot be IPsec protected. To solve this problem, you need to configure an additional rule in the ACL for NAT. For example, if ACL 3901 shown in Figure 41 is configured on GigabitEthernet 0/0 for NAT to process traffic sourced from /24, you need to add rule 1 to ACL 3901 as shown in Figure 42 so that traffic from /24 to /24 is not translated, but protected by IPsec.

Figure 41 ACL 3101

Figure 42 Add rule 1 to ACL 3901
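The NAT-before-IPsec ordering described in the note above (and in the same note under Device A of Example I), as an added Python model that is not H3C code: an outbound interface consults the NAT ACL first and only then the IPsec policy ACL, against the possibly translated packet. The subnets, the public NAT address and the rule layout of ACL 3901 are constructed, and the model assumes first-match evaluation in configured order, so the deny for the VPN flow has to precede the broad permit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # source network in CIDR form
    dst: str = ANY     # destination network in CIDR form


def first_match(rules, src, dst):
    """Config-order lookup: the first rule whose networks cover the packet
    decides, as with the page's "match order of Config"."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule
    return None


def outbound_disposition(nat_acl, ipsec_acl, src, dst, nat_public_ip):
    """Model of the interface's outbound order: NAT ACL first, then the
    IPsec policy ACL is checked against the (possibly translated) packet.
    Returns (translation, protection)."""
    nat_rule = first_match(nat_acl, src, dst)
    translated = nat_rule is not None and nat_rule.action == "permit"
    if translated:
        src = nat_public_ip            # IPsec now sees the public source
    ipsec_rule = first_match(ipsec_acl, src, dst)
    protected = ipsec_rule is not None and ipsec_rule.action == "permit"
    return ("translated" if translated else "untranslated",
            "protected" if protected else "cleartext")


# Constructed sample data: the page elides its subnets, so documentation
# ranges stand in for the local LAN and the LAN behind the remote gateway.
LOCAL_LAN, REMOTE_LAN = "198.51.100.0/24", "192.0.2.0/24"
PUBLIC_IP = "203.0.113.1"             # constructed outbound NAT address

# ACL 3101 (IPsec): protect LOCAL_LAN -> REMOTE_LAN.
IPSEC_ACL_3101 = [Rule("permit", LOCAL_LAN, REMOTE_LAN)]
# ACL 3901 (NAT) as first configured: translate everything from LOCAL_LAN.
NAT_ACL_3901_BEFORE = [Rule("permit", LOCAL_LAN)]
# ACL 3901 after the fix: the deny for the VPN flow precedes the broad permit.
NAT_ACL_3901_AFTER = [Rule("deny", LOCAL_LAN, REMOTE_LAN),
                      Rule("permit", LOCAL_LAN)]
# Same two rules in the wrong order; under first-match the deny never fires.
NAT_ACL_3901_MISORDERED = [Rule("permit", LOCAL_LAN),
                           Rule("deny", LOCAL_LAN, REMOTE_LAN)]


def vpn_flow(nat_acl):
    """Disposition of a LOCAL_LAN -> REMOTE_LAN packet under the NAT ACL."""
    return outbound_disposition(nat_acl, IPSEC_ACL_3101,
                                "198.51.100.20", "192.0.2.10", PUBLIC_IP)


def internet_flow(nat_acl):
    """Disposition of a LOCAL_LAN -> Internet packet (should still be NATed)."""
    return outbound_disposition(nat_acl, IPSEC_ACL_3101,
                                "198.51.100.20", "203.0.113.99", PUBLIC_IP)


if __name__ == "__main__":
    for name, acl in [("before", NAT_ACL_3901_BEFORE),
                      ("after", NAT_ACL_3901_AFTER),
                      ("misordered", NAT_ACL_3901_MISORDERED)]:
        print(name, vpn_flow(acl), internet_flow(acl))
```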

# Configure the IKE local name as branch.

Figure 43 Configure the IKE local name

# Configure an IKE peer named gate.

Select VPN > IKE > Peer from the navigation tree and then click Add.

Type gate as the peer name.
Select Aggressive as the negotiation mode.
Select IP Address as the gateway name.
Type as the IP address of the remote gateway.
Type head as the remote ID.
Select Pre-Shared Key and type as the pre-shared key.
Select the Enable NAT traversal function check box.
Click Apply.

Figure 44 Configure an IKE peer

# Configure an IPsec proposal named proposal.

Select VPN > IPSec > Proposal from the navigation tree and then click Add.

Select Custom mode from the IPSec Proposal Configuration Wizard page. Type proposal as the proposal name, and use the default settings for the proposal, as shown in Figure 45.

Figure 45 Configure an IPsec proposal

# Configure an IPsec policy named policy_nat.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 46.

Figure 46 Configure an IPSec policy

Type policy_nat as the policy name.
Type 1 as the sequence number.
Select gate as the IKE peer.
Select proposal for the IPsec policy, and click <<.
Type 3101 in the ACL text box.
Click Apply.

# Apply IPsec policy policy_nat to interface Dialer 1.

Figure 47 Apply the IPsec policy to an interface

Verification

After configuration, packets to be exchanged between subnet and subnet will trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet and subnet will be protected by IPsec.

Viewing IPSec SAs

Select VPN > IPSec > IPSec SA from the navigation tree to display brief information about established IPsec SAs, as shown in Figure 48.

Figure 48 IPsec SAs

Viewing Packet Statistics

Select VPN > IPSec > Statistics from the navigation tree to view packet statistics, as shown in Figure 49.

Figure 49 Packet statistics

Configuration Guidelines

When configuring IPsec, follow these guidelines:

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively. Therefore, you need to make sure that flows of these protocols are not denied on the interfaces with IKE and/or IPsec configured.

If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay operation, packets outside the anti-replay window in the inbound direction may be discarded, resulting in packet loss. Therefore, when using IPsec together with QoS, ensure that they use the same classification rules. IPsec classification rules depend on the referenced ACL rules.

References

Protocols and Standards

RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP Authentication Header
RFC 2406: IP Encapsulating Security Payload

Related Documentation

IPsec Configuration in the web configuration manual

Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

UTM Series L2TP Configuration Example

Keywords: VPDN, L2TP

Abstract: This document introduces basic concepts of L2TP, describes how to configure L2TP on a UTM device, and presents an L2TP configuration example for UTM devices.

Acronyms:

VPDN: Virtual Private Dial-up Network
L2TP: Layer 2 Tunneling Protocol
LNS: L2TP Network Server

Table of Contents

Feature Overview 3
  Typical Networking Application of L2TP 3
  L2TP Tunnel Modes 4
Application Scenarios 5
Configuration Guidelines 5
  L2TP Configuration Task List 5
  Enabling L2TP 5
  Adding an L2TP Group 6
  Displaying L2TP Tunnel Information 13
Client-Initiated L2VPN Configuration Example 14
  Software Version Used 14
  Network Requirements 14
  Configuration Procedure 14
    Configuring the VPN User 14
    Configuring the LNS 15
  Verification 17
References 18
  Protocols and Standards 18
  Related Documentation 18

Feature Overview

A virtual private dial-up network (VPDN) is a virtual private network (VPN) that utilizes the dial-up function of public networks such as ISDN or PSTN networks to provide access services for enterprises, small Internet service providers (ISPs), and telecommuters. VPDN provides an economical and effective point-to-point method for remote users to connect to their home LANs.

A VPDN tunnel can be NAS-initiated or client-initiated:

NAS-initiated VPDN tunnel. The network access server (NAS) connects a user's PPP connection to the corporate VPDN gateway through a VPDN tunneling protocol, establishing a tunnel with the VPDN gateway. The tunneling is transparent to users. A user only needs to log in once to access the enterprise network, which authenticates the user and assigns the user a private IP address, eliminating the need for the user to have a public address. This mode requires that the NAS support VPDN and that the authentication system support VPDN attributes.

Client-initiated VPDN tunnel. A user accesses the Internet first, and then establishes a tunnel with the VPDN gateway through dedicated client software, such as the L2TP client software offered by Windows. In this mode, a user can access the enterprise network anytime from any place, without the involvement of any ISP. However, users must install dedicated software, which means that users must use platforms supporting the L2TP client. Usually, the Windows 2000 platform is used.

In general, a VPDN gateway can be a router or a dedicated VPN server. There are primarily three VPDN tunneling protocols:

PPTP: Point-to-Point Tunneling Protocol
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol

L2TP is currently the most widely used VPDN tunneling protocol.

Typical Networking Application of L2TP

Figure 1 shows a typical VPDN built by using L2TP.
Figure 1 VPDN built by using L2TP

A VPDN built by using L2TP consists of three components:

Remote system

A remote system is usually a remote user's host or a remote branch's routing device that needs to access the VPDN network.

LAC

An L2TP access concentrator (LAC) is a device that has PPP and L2TP capabilities. An LAC is usually a Network Access Server (NAS) located at a local ISP, which provides access services mainly for PPP users. An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system using L2TP and then sends the resulting packets to the LNS. It de-encapsulates packets received from the LNS and then sends the resulting packets to the intended remote system. The connection between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used in a VPDN application.

LNS

An L2TP network server (LNS) functions as both the L2TP server and the PPP end system. It is usually an edge device on an enterprise network. An LNS is the other endpoint of an L2TP tunnel and is a peer to the LAC. It is the logical termination point of a PPP session tunneled by the LAC. L2TP logically extends the termination point of a PPP session from a NAS to an LNS.

L2TP Tunnel Modes

There are two typical L2TP tunnel modes: NAS-initiated and client-initiated.

NAS-initiated

In this mode, a remote system dials in to the LAC through a PPPoE/ISDN network, and the LAC initiates a tunneling request to the LNS over the Internet, as shown in Figure 2. The LNS will assign the remote system a private IP address. Authentication and accounting of the remote system can be implemented on the LAC by an agent or on the LNS.

Figure 2 NAS-initiated tunnel mode

Client-initiated

In this mode, after obtaining the access right to the Internet, a remote system running the L2TP client software (LAC client) initiates a tunneling request to the LNS directly without requiring a separate LAC. The LNS will assign the LAC client a private IP address.
An LAC client needs a public IP address to communicate with the LNS directly through the Internet.

Figure 3 Client-initiated tunnel mode

Application Scenarios

L2TP can be used to build secure VPNs for enterprises across public networks. Branch offices and traveling staff can remotely access the headquarters intranet resources through a virtual tunnel over public networks. Other users on the public networks are not permitted access.

Configuration Guidelines

L2TP Configuration Task List

At present, you can perform only the LNS configuration through the Web. Perform the tasks in Table 1 to configure L2TP on the LNS.

Table 1 L2TP configuration task list

Enabling L2TP: Required. By default, L2TP is disabled.

Adding an L2TP Group: Required. Create an L2TP group and configure L2TP group related parameters. By default, no L2TP group is created.

Displaying L2TP Tunnel Information: Optional. View the L2TP tunnel information.

Enabling L2TP

Select VPN > L2TP > L2TP Configuration from the navigation tree to enter the L2TP configuration page, as shown in Figure 4. On the upper part of the page, you can enable or disable L2TP.

Figure 4 L2TP configuration page

Table 2 describes the configuration item for enabling L2TP.

Table 2 Configuration item for enabling L2TP

Enable L2TP: Specify whether to enable L2TP globally.

Adding an L2TP Group

Select VPN > L2TP > L2TP Configuration from the navigation tree to enter the L2TP configuration page, as shown in Figure 4. On the lower part of the page, you can view and configure L2TP groups. Click Add to add an L2TP group, as shown in Figure 5.

Figure 5 Add an L2TP group

Table 3 describes the L2TP group configuration items.

Table 3 Configuration items for adding an L2TP group

L2TP Group Name: Specify the name of the L2TP group.

Peer Tunnel Name: Specify the peer name of the tunnel.

Local Tunnel Name: Specify the local name of the tunnel.

Tunnel Authentication, Authentication Password: Enable or disable L2TP tunnel authentication in the group. If you enable tunnel authentication, you need to set the authentication password. The tunnel authentication request can be initiated by the LAC or LNS. Once tunnel authentication is enabled on one end, a tunnel can be established only if tunnel authentication is also enabled on the other end and the passwords configured on the two ends are the same and not null; if these requirements are not satisfied, the tunnel initiator tears down the tunnel connection automatically. If tunnel authentication is disabled on both ends, the configured tunnel authentication passwords do not take effect. It is recommended that you enable tunnel authentication on both ends of the tunnel for security. You can disable tunnel authentication if you want to test the network connectivity or let the local end receive connections initiated by unknown peers. If you modify the tunnel authentication password while the tunnel is working, you need to tear down the tunnel so that the modified authentication password takes effect when the tunnel is re-established.

Authentication Method: Select the authentication method for PPP users on the local end. You can select PAP or CHAP. If you do not select an authentication method, no authentication is performed.

PPP Authentication Configuration, ISP Domain: Specify the ISP domain for PPP user authentication. You can:
  Click Add to enter the page for adding an ISP domain, as shown in Figure 6. Refer to Table 4 for further details.
  Select an ISP domain and click Modify to enter the ISP domain modification page. Refer to Table 4 for configuration details.
  Select an ISP domain and click Delete to delete the ISP domain.
Note that:
  If you specify an ISP domain, the specified domain will be used for authentication, and IP addresses must be assigned from the address pool configured in the specified domain. Refer to the description of the User Address parameter for details.
  If you do not specify any ISP domain, the system will check whether domain information is carried in the username. If yes, that domain will be used for authentication (if the domain does not exist, the authentication will fail); otherwise, the default domain (system by default) will be used for authentication.

PPP Address, PPP Server IP/Mask: Specify the IP address and mask of the local end.

PPP Server Zone: Specify the security zone to which the local end belongs. If you do not select a zone, the global address pool will be used.

User Address: Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly. If you have specified an ISP domain in the PPP authentication configuration, the address pools in the ISP domain will be listed in the User Address drop-down list. You can:
  Click Add to add an address pool, as shown in Figure 7. Refer to Table 5 for further details.
  Select an address pool and click Modify to enter the address pool modification page. Refer to Table 5 for configuration details.
  Select an address pool and click Delete to delete the address pool.

Assign Address Forcibly: Specify whether to force the peer end to use the IP address assigned by the local end. If you enable this function, the peer end is not allowed to use its locally configured IP address.

Hello Interval: Specify the interval between sending hello packets. To check the connectivity of a tunnel, the LAC and LNS regularly send Hello packets to each other. Upon receipt of a Hello packet, the LAC/LNS returns a response packet. If the LAC or LNS receives no Hello response packet from the peer within a specified period of time, it retransmits the Hello packet. If it receives no response packet from the peer after transmitting the Hello packet three times, it considers the L2TP tunnel down and tries to re-establish a tunnel with the peer. The Hello intervals on the LAC and LNS ends of the tunnel can be different.

Advanced Configuration (AVP Hidden, Flow Control, Mandatory CHAP, Mandatory LCP):

AVP Hidden: Specify whether to transfer attribute value pair (AVP) data in hidden mode. With L2TP, some parameters are transferred as AVP data.
You can configure an LAC to transfer AVP data in hidden mode, so that AVP data is encrypted before transmission for higher security. This configuration takes effect only on an LAC.

Flow Control: Specify whether to enable flow control for the L2TP tunnel. The L2TP tunnel flow control function controls data packets in transmission. It helps in buffering and reordering received out-of-order data packets.

Mandatory CHAP, Mandatory LCP: Specify user authentication on the LNS end. After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, an L2TP tunnel can be set up only when both authentications succeed. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP re-negotiation, and proxy authentication.

Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.

LCP re-negotiation: For a PPP user that depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user's authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored.

Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself.

Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group. Some PPP clients may not support re-authentication, in which case LNS-side CHAP authentication will fail. With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS does not re-authenticate users; it assigns public addresses to the PPP users immediately. In other words, the users are authenticated only once, at the LAC end.
When the LNS uses proxy authentication and the user authentication information passed from the LAC to the LNS is valid: if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user; if the authentication method configured in the L2TP group is CHAP but the method configured on the LAC is PAP, the proxy authentication fails and no session can be set up. This is because the level of CHAP authentication, which the LNS requires, is higher than that of PAP authentication, which the LAC provides.

Figure 6 Add an ISP domain

Table 4 Configuration items for adding an ISP domain

ISP Domain: Specify the name of the ISP domain.

Authentication Methods, Primary Server Type: Select the authentication server type for PPP users.
  HWTACACS: Uses HWTACACS authentication.
  Local: Uses local authentication.
  None: All users are trusted and no authentication is performed. Generally, this method is not recommended.
  RADIUS: Uses RADIUS authentication.
  If you do not select any authentication method, the default authentication method of the ISP domain will be used, which is Local by default.

Authentication Methods, Scheme: Scheme for the primary authentication method, which is displayed when you select HWTACACS or RADIUS as the server type. At present, the scheme is always system.

Authentication Methods, Backup: Specify whether to enable the backup authentication method.

Authorization Methods, Primary Server Type: Select the authorization server type for PPP users.
  HWTACACS: Uses HWTACACS authorization.
  Local: Uses local authorization.
  None: No authorization exchange is performed. Every user is trusted and has the corresponding default rights of the system.
  RADIUS: Uses RADIUS authorization.
  If you do not select any authorization method, the default authorization method of the ISP domain will be used, which is Local by default.

Authorization Methods, Scheme: Scheme for the primary authorization method, which is displayed when you select HWTACACS or RADIUS as the server type. At present, the scheme is always system.

Authorization Methods, Backup: Specify whether to enable the backup authorization method.

Accounting Methods, Accounting Optional: Specify whether to enable the accounting optional function. For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user will be disconnected. With the accounting optional function enabled, the user can still use the network resources in such a case, but the system will no longer send the accounting information of the user to the accounting server.

Accounting Methods, Primary Server Type: Select the accounting server type for PPP users.
  HWTACACS: Uses HWTACACS accounting.
  Local: Uses local accounting.
  None: The system does not perform accounting for the users.
  RADIUS: Uses RADIUS accounting.
  If you do not select any accounting method, the default accounting method of the ISP domain will be used, which is Local by default.

Accounting Methods, Scheme: Scheme for the primary accounting method, which is displayed when you select HWTACACS or RADIUS as the server type. At present, the scheme is always system.

Accounting Methods, Backup: Specify whether to enable the backup accounting method.

Max. Number of Users: Specify the maximum number of users the ISP domain can accommodate.
If you do not specify the maximum number, the system will not limit the number of users of the ISP domain. As users may compete for resources, setting a proper limit on the number of users of an ISP domain helps guarantee performance for the users of the ISP domain. Hangzhou H3C Technologies Co., Ltd. 12/18
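The following is an added example, not H3C code, that models how the ISP-domain settings in Table 4 decide whether a PPP user is admitted and what happens to an online user when no accounting server can be reached. The names IspDomain, Method, resolve_method, authenticate and accounting_outcome are invented for this illustration; the local user ppp/ppp is the one created later in this configuration example.

```python
# Added example (not H3C code): a model of how the ISP-domain AAA settings
# in Table 4 decide whether a PPP user is admitted and what happens when no
# accounting server can be reached. Names such as IspDomain and
# resolve_method are invented for this illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class ServerType(Enum):
    HWTACACS = "HWTACACS"
    LOCAL = "Local"
    NONE = "None"
    RADIUS = "RADIUS"


# Only these two server types depend on a reachable external server.
REMOTE = {ServerType.HWTACACS, ServerType.RADIUS}


@dataclass
class Method:
    """Primary server type plus an optional backup. If nothing is selected
    the ISP domain default applies, which the manual states is Local."""
    primary: ServerType = ServerType.LOCAL
    backup: Optional[ServerType] = None


@dataclass
class IspDomain:
    name: str
    authentication: Method = field(default_factory=Method)
    authorization: Method = field(default_factory=Method)
    accounting: Method = field(default_factory=Method)
    accounting_optional: bool = False
    max_users: Optional[int] = None   # None: the system does not limit the domain
    online: int = 0                    # users currently online in the domain


# The local PPP user created in Step 3 of the configuration procedure.
LOCAL_USERS = {"ppp": "ppp"}


def resolve_method(method: Method, reachable: Set[ServerType]) -> Optional[ServerType]:
    """Return the server type that will actually serve a request.

    Local and None need no server. HWTACACS and RADIUS are usable only when
    their server is in `reachable`; the backup is consulted when the primary
    is a remote type whose server is down. None means no usable method."""
    for candidate in (method.primary, method.backup):
        if candidate is None:
            continue
        if candidate not in REMOTE or candidate in reachable:
            return candidate
    return None


def authenticate(domain: IspDomain, username: str, password: str,
                 reachable: Set[ServerType], remote_accepts: bool = True) -> bool:
    """Decide whether a PPP user is admitted into the domain."""
    if domain.max_users is not None and domain.online >= domain.max_users:
        return False                       # Max. Number of Users reached
    method = resolve_method(domain.authentication, reachable)
    if method is None:
        return False                       # primary and backup both unusable
    if method is ServerType.NONE:
        return True                        # every user trusted, no check at all
    if method is ServerType.LOCAL:
        return LOCAL_USERS.get(username) == password
    return remote_accepts                  # verdict of the HWTACACS/RADIUS server (simulated)


def accounting_outcome(domain: IspDomain, reachable: Set[ServerType]) -> str:
    """State of an online user after the accounting method is applied.

    Call it at login, and again whenever the set of reachable servers changes,
    to model loss of contact with the current accounting server mid-session.
    Returns 'accounted', 'online-no-accounting' or 'disconnected'."""
    method = resolve_method(domain.accounting, reachable)
    if method is ServerType.NONE:
        return "online-no-accounting"      # the system does no accounting for this domain
    if method is not None:
        return "accounted"
    # No accounting server is available: Accounting Optional decides.
    if domain.accounting_optional:
        return "online-no-accounting"      # stays online, no accounting data sent any more
    return "disconnected"
```

The backup method only matters for the remote server types, because Local and None never fail for lack of a server; and with Accounting Optional disabled, a RADIUS-only accounting method turns an accounting-server outage into a forced disconnect of every online user in the domain, which is the trade-off Table 4 describes.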

Figure 7 Add an address pool

Table 5 Configuration items for adding an IP address pool

Item: ISP Domain
  Select the ISP domain for the IP address pool to be created.

Item: IP Address Pool Number
  Specify the number of the IP address pool. If you set the IP address pool number to 1, the name of the IP address pool is pool1.

Item: Start IP, End IP
  Specify the start IP address and end IP address of the IP address pool. The number of addresses between the start IP address and end IP address must not exceed
  If you specify only the start IP address, the IP address pool will contain only one IP address, namely, the start IP address.

Displaying L2TP Tunnel Information

Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page, as shown in Figure 8.

Figure 8 L2TP tunnel information

Table 6 describes the L2TP tunnel information in detail.

Table 6 L2TP tunnel information

Item: Local Tunnel ID
  Local ID of the tunnel
Item: Peer Tunnel ID
  Peer ID of the tunnel
Item: Peer Tunnel Port
  Peer port of the tunnel
Item: Peer Tunnel IP
  Peer IP address of the tunnel
Item: Session Count
  Number of sessions on the tunnel
Item: Peer Tunnel Name
  Peer name of the tunnel

Client-Initiated L2VPN Configuration Example

Software Version Used
F5118

Network Requirements
As shown in Figure 9, a VPN user accesses the corporate headquarters as follows:
1) The user first connects to the Internet, and then initiates a tunneling request to the LNS directly.
2) After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the VPN user.
3) The VPN user communicates with the headquarters over the tunnel.

Figure 9 Network diagram for client-initiated VPN configuration

Configuration Procedure

Configuring the VPN User
On the user host, create a virtual private network connection using the Windows operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode. Assign an IP address ( in this example) to the user host and then configure a route to ensure the connectivity between the user host and the LNS ( ). Perform the following configurations on the user host (the configuration procedure depends on the client software):
- Specify the VPN username as ppp and the password as ppp.
- Set the Internet interface address of the security gateway as the IP address of the LNS. In this example, the Ethernet interface on the LNS, the interface for the tunnel, has an IP address of
- Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to customized and the authentication mode to CHAP.

Configuring the LNS

Step1 Configure IP addresses for interfaces (omitted).

Step2 Configure a route to ensure the reachability of the LNS to the user host (omitted).

Step3 Create a local user named ppp, and set the password to ppp and the service type to PPP.
Select User > Local User from the navigation tree and then click Add. Perform the configurations shown in Figure 10.

Figure 10 Add a local user

- Type ppp as the username.
- Select PPP as the user type.
- Type password ppp.
- Type ppp to confirm the password.
- Click Apply.

Step4 Enable L2TP.
Select VPN > L2TP > L2TP Configuration from the navigation tree. Then, perform the configurations shown in Figure 11.

Figure 11 Enable L2TP

- Select the check box before Enable L2TP.
- Click Apply.

Step5 Add an L2TP group.
On the L2TP configuration page, click Add and then perform the following configurations.
- Type the L2TP group name test.
- Type the peer tunnel name user.
- Type the local tunnel name lns.
- Select Disable for Tunnel Authentication.
- Select CHAP as the PPP authentication method.
- Select ISP domain system (the default ISP domain).
- Click the Modify button of the ISP domain to perform the configurations shown in Figure 12.

Figure 12 Configure local authentication method for VPN users

- Select the server type Local as the PPP authentication method.
- Click Apply to return to the L2TP group configuration page.
- Type / as the PPP server IP address/mask.
- Select Trust from the PPP Server Zone drop-down list. (Select a security zone according to your network configuration.)
- Click the Add button of the User Address parameter and then perform the configurations shown in Figure 13.

Figure 13 Add an IP address pool

- Select domain system.
- Type 0 as the IP address pool number.
- Type the start IP address
- Type the end IP address
- Click Apply to finish the IP address pool configuration and return to the L2TP group configuration page.
- Select pool0 from the User Address drop-down list.
- Select Enable from the Assign Address Forcibly drop-down list.

Figure 14 shows the L2TP group configuration page after the above configurations. Click Apply.

Figure 14 L2TP group configurations

Verification

# On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address ( ) and will be able to ping the private address of the LNS ( ).

# On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information of the established L2TP tunnel should appear, as shown in Figure 15.
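As an added example that is not H3C code, the following simulates in Python the two things the LNS configured above has to do for a client-initiated session: verify the PPP CHAP response (RFC 1994, MD5 algorithm) against the local user ppp/ppp from Step3, and then assign an address from the pool added in Step5, following the Table 5 rules (pool number N is named poolN, and a pool with no end address holds only its start address). MAX_POOL_SIZE is a placeholder, since the pool size limit stated in Table 5 did not survive transcription; the 192.168.0.x and 10.0.0.x addresses are constructed for the demonstration, not the manual's.

```python
# Added example (not H3C code): the LNS side of the client-initiated session
# in this configuration example, simulated. CHAP verification follows RFC 1994
# (MD5 algorithm); the address pool follows the Table 5 rules. MAX_POOL_SIZE
# is a PLACEHOLDER because the manual's limit did not survive transcription.
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional

LOCAL_USERS = {"ppp": "ppp"}   # local PPP user from Step3
MAX_POOL_SIZE = 1024           # PLACEHOLDER for the limit stated in Table 5


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The VPN user computes this over the challenge the LNS sent."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, username: str, challenge: bytes, response: bytes) -> bool:
    """LNS side of CHAP: recompute the expected response from the stored
    password and compare in constant time. CHAP requires the verifier to hold
    the password in recoverable form, which is why the PPP local user carries
    a password rather than only a hash of it."""
    secret = LOCAL_USERS.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class AddressPool:
    """IP address pool as in Table 5: numbered, named poolN, one contiguous
    IPv4 range. Omitting the end address gives a one-address pool."""

    def __init__(self, number: int, start: str, end: Optional[str] = None):
        self.name = f"pool{number}"
        self.first = ipaddress.IPv4Address(start)
        self.last = ipaddress.IPv4Address(end) if end else self.first
        if self.last < self.first:
            raise ValueError("end IP address precedes start IP address")
        if self.size() > MAX_POOL_SIZE:
            raise ValueError(f"{self.name} exceeds the maximum pool size")
        self.leases: Dict[str, ipaddress.IPv4Address] = {}   # username -> address

    def size(self) -> int:
        return int(self.last) - int(self.first) + 1

    def allocate(self, username: str) -> Optional[ipaddress.IPv4Address]:
        """Lowest free address in the range, or None when the pool is exhausted."""
        in_use = set(self.leases.values())
        for n in range(int(self.first), int(self.last) + 1):
            addr = ipaddress.IPv4Address(n)
            if addr not in in_use:
                self.leases[username] = addr
                return addr
        return None

    def release(self, username: str) -> None:
        self.leases.pop(username, None)


def lns_accept(pool: AddressPool, identifier: int, username: str,
               challenge: bytes, response: bytes) -> Optional[str]:
    """Admit a client-initiated session: CHAP must succeed before any address
    is assigned. Returns the assigned address, or None on failure."""
    if not chap_verify(identifier, username, challenge, response):
        return None
    addr = pool.allocate(username)
    return None if addr is None else str(addr)
```

With Tunnel Authentication disabled, as in Step5, this PPP-level CHAP exchange is the only credential check the LNS performs on a client-initiated tunnel, so the strength of the local user's password and the size of the address pool together bound how many sessions the LNS will accept.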


More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5103 Document version: 6W100-20110620 Copyright 2011, Hangzhou

More information

H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide

H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors

More information

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0 Configuration Guide TL-ER5120/TL-ER6020/TL-ER6120 1910012186 REV3.0.0 June 2017 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Viewing Status Information... 2 System

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 2150 and later Document version: 6W101-20170608 Copyright

More information

H3C S7500E-XS Switch Series

H3C S7500E-XS Switch Series H3C S7500E-XS Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S7500EXS-CMW710-R7523P01 Document version: 6W100-20160830

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright

More information

User Guide TL-R470T+/TL-R480T REV9.0.2

User Guide TL-R470T+/TL-R480T REV9.0.2 User Guide TL-R470T+/TL-R480T+ 1910012468 REV9.0.2 September 2018 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Accessing the Router Overview... 3 Web Interface

More information

PPPoE Technology White Paper

PPPoE Technology White Paper PPPoE Technology White Paper Keywords: PPP, Ethernet, PPPoE Abstract: Point-to-Point Protocol over Ethernet (PPPoE) provides access to the Internet for hosts on an Ethernet through a remote access device

More information

Stateful Failover Technology White Paper

Stateful Failover Technology White Paper Stateful Failover Technology White Paper Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization, link switching Abstract: A firewall device is usually the access point

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017,

More information