User FAQ for H3C Security Products


Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

Contents

FAQ on Hardware
- What device models does the security product series include?
- What security cards do H3C devices support?
- What interface cards do security devices support?
- Are the interface cards and power modules hot swappable for the centralized devices?
- Must the 12GE or 2 10GE interface card for F5000-A5 be installed into a specific slot?
- Which firewalls support fan speed adjustment?
- What are the power consumptions of H3C firewall products?
- What are the dimensions of H3C firewall products?
- What are the H3C firewall devices that provide USB interface?
- What services do the interfaces on the panel of the firewall card support?
- What are the differences between FW card and FW enhanced card?

FAQ on Software
- How to view the software version and running time on security devices?
- Why do security devices need software upgrade?
- How to view the files in the recycle bin on security devices?
- How to delete the files in the recycle bin on security devices?
- How to restore removed files on security devices?
- Why does the HyperTerminal connected to the console port of the security device display abnormally?
- Do security devices support hot patching?
- What are the default password and user name used to log in to a security device through telnet or Web interface?

FAQ on Processing Procedure
- What are the differences between firewall card and firewall device in forwarding flow?

FAQ on Service Functions

Firewall device FAQ
- Does the number of security zones in the specifications list apply to the whole device or a virtual device?
- How do security zones on different virtual devices communicate?
- Does a port permit access by default?
- How to deny user access to the IP address of a local port?
- Is the ALG function of firewall devices enabled? How to disable ALG function?
- What virtual devices do the ports of a firewall device belong to by default?
- What are the possible reasons that a firewall device does not forward packets?
- How is adding a Layer-2 bridge port to a security zone different from adding a Layer-3 route port to a security zone?
- Do the Layer-2 sub-interfaces and physical ports on the firewall card need to be added to the security zone for inter-VLAN Layer-2 forwarding?
- Traffic is forwarded between two logical interfaces. Add the logical interfaces to the security zone. Do the physical ports that belong to the logical interfaces need to be added to the security zone? What inter-zone policies take effect?
- Why is a specific flow that should be denied by the firewall permitted?
- How are sessions identified on firewall devices?
- What are the differences between firewall session logs and NAT logs?
- What are the relations between ASPF sessions and NAT sessions?
- How do long sessions work? What are the restrictions to ACLs used?
- Does the session state transition mechanism change after unidirectional flow detection is enabled?
- Why cannot I view expected sessions on virtual devices through the Web interface?
- Why is a session state incorrect?
- Why doesn't a changed ACL take effect?
- Why cannot the log server receive logs?
- Why cannot I view logs through the Web interface?
- Why cannot I view VPN instance information in session logs?
- How does NAT process ARP packets?
- How can a GRE tunnel interface go up?
- Why cannot a GRE tunnel interface go up?
- How to set an ACL used in an IPsec policy?
- What are the features of IPsec policy template?
- Why cannot the two stateful failover devices enter synchronized state?
- What are the SSH versions supported by firewall devices?
- Does F5000-A5 support cross-card link aggregation?
- Must the ports in a link aggregation group be consecutive in number?
- Do firewall devices support 802.1X?
- Do firewall devices support jumbo frames?
- Is HTTPS supported? How to enable it?

Netstream card FAQ
- How is the Netstream card different from other security cards?
- Why doesn't the Seccenter show traffic statistics when the Netstream card is used to collect flow logs?
- How does the Netstream card differentiate flows in non-aggregation mode?
- How to check whether Netstream card settings take effect?

Other FAQ
- How to handle a faulty card that lights red?
- Do the forced duplex and rate settings need to be configured on the connected fiber and copper ports?

FAQ on Hardware

What device models does the security product series include?

The security product series comprises the following security devices and cards.

1. Security devices:
- H3C SecPath F5000-A5
- H3C SecPath F5000-S/F5000-C
- H3C SecPath F1000-E
- H3C SecPath F1000-S-EI
- H3C SecPath F1000-S-AI/F1000-A-EI/F1000-E-SI
- H3C SecPath F100-C-G/F100-S-G/F100-M-G/F100-A-G/F100-E-G
- H3C SecPath U200-A/U200-M/U200-S
- H3C SecPath U200-CA/U200-CM/U200-CS

2. Security cards:
- H3C SecBlade Series Firewall (FW) Card
- H3C SecBlade Series Firewall Enhanced (FW Enhanced) Card
- H3C SecBlade Series NetStream (NS) Card
- H3C SecBlade Series Load Balancing (LB) Card
- H3C SecBlade Series SSL VPN Card

What security cards do H3C devices support?

The following table shows the H3C devices and supported security cards.

Security card: H3C devices supporting the card
- FW card: H3C S5800/S7500E/S9500E/S10500/S12500/SR6600/SR8800/CR16000
- FW enhanced card: H3C S10500/S12500
- LB card: H3C S7500E/S9500E/S12500/SR8800/CR16000
- NS card: H3C S7500E/S9500E/S12500/CR16000
- SSL VPN card: H3C S7500E/SR6600/SR8800

What interface cards do security devices support?

The following table shows the security devices and supported interface cards.

Device:
- F5000-A5
- F5000-S/F5000-C
- F1000-E
- F1000-S-EI
- F1000-S-AI/F1000-A-EI/F1000-E-SI
- F100-C-G/F100-S-G
- F100-M-G/F100-A-G/F100-E-G
- U200-A/U200-M/U200-CA
- U200-S/U200-CM/U200-CS

Supported cards:
- NSQ1GT8C40: 12-port GE interface card (8 copper ports and 4 combo ports)
- NSQ1GT8P40: 12-port GE interface card (8 fiber ports and 4 combo ports)
- NSQ1XP20: 2-port 10-GE interface card
- NSQ1G24XS60: 24-port GE (12 copper ports and 12 fiber ports) and 6-port 10-GE fiber interface card
- 8GBE: 8-port GE copper interface card
- 4GBE: 4-port GE copper interface card
- 4GBP: 4-port GE fiber interface card
- 1EXP: 1-port 10-GE fiber interface card
- NSQ1GT2UA0: 2-port GE copper interface card
- NSQ1GP4U0: 4-port GE fiber interface card
- NSQ1XS2U0: 2-port 10-GE fiber interface card
- NSQ1GT2UA0: 2-port GE copper interface card
- NSQ1GP4U0: 4-port GE fiber interface card
- 2GE: 2-port GE copper interface card
- NSQ1GT2UA0: 2-port GE copper interface card
- NSQ1GP4U0: 4-port GE fiber interface card
- NSQ1GT2UA0: 2-port GE copper interface card
- NSQ1GP4U0: 4-port GE fiber interface card
- 2GE: 2-port GE copper interface card

Are the interface cards and power modules hot swappable for the centralized devices?

The following table shows the support for hot swapping of the centralized devices.

Device model: Hot swapping
- F5000-A5: Not supported by interface cards. Supported by power modules. Before hot swapping a power module, make sure the redundant power module can properly provide power supply.
- F5000-S/F5000-C: Not supported by interface cards. Supported by power modules. Before hot swapping a power module, make sure the redundant power module can properly provide power supply.
- F1000-E: Not supported by interface cards.
- F1000-S-EI: Not supported by interface cards.
- F1000-S-AI/F1000-A-EI/F1000-E-SI: Not supported by interface cards. Supported by power modules. Before hot swapping a power module, make sure the redundant power module can properly provide power supply.
- F100-C-G/F100-S-G: Not supported by interface cards.
- F100-M-G/F100-A-G/F100-E-G: Not supported by interface cards.
- U200-A/U200-M/U200-CA: Not supported by interface cards.
- U200-S/U200-CM/U200-CS: Not supported by interface cards.

Must the 12GE or 2 10GE interface card for F5000-A5 be installed into a specific slot?

No. The 12GE interface card or the 2 10GE interface card can be installed into any of the four service slots on the F5000-A5.

Which firewalls support fan speed adjustment?

F5000-A5, F5000-S, F5000-C, and F1000-A-EI/F1000-E-SI/F1000-S-AI can automatically adjust fan speed according to the temperature in the chassis. You can use the display fan command to view fan status.

What are the power consumptions of H3C firewall products?

The following table shows the power consumptions of H3C firewall products:

Product: Power consumption
- F5000-A5: 189 W to 460 W
- F1000-E: 64 W to 110 W
- F1000-E-SI/F1000-A-EI/F1000-S-AI: 57 W to 133 W
- F1000-S-EI/U200-A/U200-CA/F100-M-G/F100-A-G/F100-E-G: 30 W to 46 W
- U200-S/U200-CM/U200-CS/F100-C-G/F100-S-G: 20 W to 27 W

What are the dimensions of H3C firewall products?

The following table shows the dimensions of H3C firewall products:

Product: Dimensions (H × W × D)
- F5000-A5: mm ( in) (7RU)
- F1000-E: mm ( in)
- F1000-E-SI/F1000-A-EI/F1000-S-AI: mm ( in)
- F1000-S-EI/U200-A/U200-M/U200-CA/F100-M-G/F100-A-G/F100-E-G: mm ( in)
- U200-S/U200-CM/U200-CS/F100-C-G/F100-S-G: mm ( in)

What are the H3C firewall devices that provide USB interface?

H3C firewall devices provide a USB interface but the software does not support the USB interface.

What services do the interfaces on the panel of the firewall card support?

The interfaces on the panel of the firewall card are used as management interfaces, stateful failover interfaces, or log output interfaces, and they do not provide specific services.

What are the differences between FW card and FW enhanced card?

- Software: The FW card and FW enhanced card provide the same software functions. The FW enhanced card delivers higher performance in throughput, session establishment, and concurrent session processing.
- Internal port: The FW card provides only one 10GE port to connect to the switch. The FW enhanced card provides multiple ports (4 10GE ports for S10500 series switches and 2 10GE ports for S12500 series switches, for example) to connect to the switch.
- Ports on the panel: The FW card provides 4 combo ports on its panel as management ports. The FW enhanced card provides 2 combo ports on its panel as management ports.

FAQ on Software

How to view the software version and running time on security devices?

You can use the display version command to view the system software version, BootWare version, and system running time.

    <H3C>display version
    H3C Comware Platform Software
    Comware Software, Version 5.20, Release 3166P14 //System software version
    Copyright (c) Hewlett-Packard Development Company, L.P.
    H3C F1000-E uptime is 0 week, 0 day, 1 hour, 18 minutes //System running time
    CPU type: RMI XLR MHz CPU
    2048M bytes DDR2 SDRAM Memory
    4M bytes Flash Memory
    249M bytes CF0 Card
    249M bytes CF1 Card
    PCB Version:Ver.B
    Logic Version: 2.0
    Basic BootWare Version: 1.28 //Basic BootWare version
    Extend BootWare Version: 1.38 //Extended BootWare version

Why do security devices need software upgrade?

To improve performance, stability, and security for security devices, H3C will add new features and functions, fix software bugs, and modify existing programs in software releases. You can select an appropriate version for software upgrade.

How to view the files in the recycle bin on security devices?

The delete command moves the specified file to the recycle bin. The delete /unreserved command deletes the specified file permanently. The dir command does not display the files in the recycle bin. The dir /all command displays the files in the recycle bin, and the names of such files are included in brackets [].

How to delete the files in the recycle bin on security devices?

You can use the reset recycle-bin command to permanently delete the files in the recycle bin to release storage space for the flash or CF card.

How to restore removed files on security devices?

Files in the recycle bin can be restored while permanently deleted files cannot be restored. You can use the undelete filename command in user view to restore a file in the recycle bin. The filename argument specifies the name of the file to be restored.

Why does the HyperTerminal connected to the console port of the security device display abnormally?

If the terminal parameters are set incorrectly, the HyperTerminal may fail to display or display garbled characters. The following describes the solutions to these problems.

No information displayed on the terminal

- Check that the power system works normally.
- Check that the security device works normally.
- Check that the cable is connected to the console port of the security device.

If all the conditions above are met, the problem may be caused by the following factors.

- The console cable is connected to a wrong serial port, which is different from the terminal setting.
- The terminal parameters are incorrect. (Correct settings: bits per second 9600, data bits 8, parity none, stop bits 1, flow control none)
- The console cable itself loses connectivity.
- The console cable is connected to a USB interface on the terminal and connected to the serial port on the security device. The serial-to-USB driver may cause display failure.

Garbled characters displayed on the terminal

Check that the terminal settings are as follows:

- Bits per second: 9,600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
- Emulation: VT100

Figure 1 Port settings

Do security devices support hot patching?

Yes. All new security devices support hot patching. For whether the previous devices support hot patching, ask local technical engineers.

What are the default password and user name used to log in to a security device through telnet or Web interface?

- User name: admin
- Password: admin

The privilege level is 3 (administrator).

FAQ on Processing Procedure

What are the differences between firewall card and firewall device in forwarding flow?

- Service port: The firewall card has only one 10GE service port connected to the switch. Configure logical sub-interfaces or VLAN interfaces on the 10GE port to communicate with the switch.
- Layer-2 forwarding: The firewall card can only perform inter-VLAN forwarding between Layer-2 subinterfaces and it cannot perform forwarding within a VLAN. The firewall device has no such restriction.
- Layer-3 forwarding: The firewall card can perform Layer-3 forwarding only between 10GE subinterfaces or between VLAN interfaces. The firewall device has no such restriction.

FAQ on Service Functions

Firewall device FAQ

Does the number of security zones in the specifications list apply to the whole device or a virtual device?

It refers to the maximum number of security zones that can be created on the whole device.

How do security zones on different virtual devices communicate?

VFW A, VFW B, and VFW Root are virtual devices. The Untrust zone of VFW Root and the DMZ zone of VFW B are shared zones. Traffic from VFW A can pass the Untrust zone of VFW Root but cannot pass the private zone Trust. The virtual devices access each other through the shared zones. A private zone of a virtual device can communicate with a shared zone of another virtual device, but not vice versa.

Figure 2 Communication between virtual devices

Does a port permit access by default?

Yes. A port permits access by default. To configure a port to deny access, configure an inter-zone policy with the destination zone as the local zone.

How to deny user access to the IP address of a local port?

The following describes how to deny user access to the IP address /24 of the interface GE0/1.

- Add GE0/1 to the Untrust zone.
- Create a host address ge01_address.

Figure 3 Create a host address

- Create an inter-zone policy from Untrust zone to Local zone, with the destination address as ge01_address and action as deny.

Figure 4 Untrust-to-Local inter-zone policy

Is the ALG function of firewall devices enabled? How to disable ALG function?

The ALG function is enabled by default.

- To disable all ALG functions, issue the undo alg all command in system view.
- To disable one ALG function, SIP for example, issue the undo alg sip command in system view.
- To disable ALG function in the Web interface, select Firewall > ALG from the navigation tree to enter the following page, select an option in the left box, and click the >> button to disable the selected ALG function.

Figure 5 Disable ALG functions

What virtual devices do the ports of a firewall device belong to by default?

A firewall device has two types of ports, Layer-3 Route port and Layer-2 Bridge port.

- A Layer-3 Route port belongs to the virtual device root by default. To add it to another virtual device, select the security zone for the port in the page Device Management > Virtual Device > interface.
- The virtual device to which a Layer-2 Bridge port belongs is determined by the port and the bound VLAN. For example, VLAN 100 is bound to virtual device VD1, VLAN 200 is bound to virtual device VD2, and GE0/1 is added to both VLAN 100 and VLAN 200. GE0/1+VLAN 100 belongs to virtual device VD1, and GE0/1+VLAN 200 belongs to virtual device VD2.

What are the possible reasons that a firewall device does not forward packets?

The following are the possible reasons.

- The port is not added to the security zone.
- No inter-zone policy is configured or the policy gets lost. You can troubleshoot the problem by using the following debugging command in user view.

    <H3C>debugging firewall packet-filter ?
      all     Debug information about all the packets
      icmp    Debug information about ICMP packets
      others  Debug information about other packets ( except TCP,UDP and ICMP )
      tcp     Debug information about TCP packets
      udp     Debug information about UDP packets

- The session state is incorrect and packets are discarded. You can troubleshoot the problem with the following debugging command.

    <H3C>debugging session session-table all

- Packets are discarded by ASPF. You can troubleshoot the problem with the following debugging command.

    <H3C>debugging aspf packet

- A blacklist filters the packets. Check whether a blacklist exists through the Web interface.
- The routing configuration is incorrect.
- MAC address entries for Layer-2 forwarding are unavailable.

How is adding a Layer-2 bridge port to a security zone different from adding a Layer-3 route port to a security zone?

1. You can add a Layer-2 bridge port to different security zones by adding it to different VLANs. For example, add a trunk port GE0/1 to VLAN 100 and VLAN 200. GE0/1 in VLAN 100 can be added to the Trust zone, and GE0/1 in VLAN 200 can be added to the DMZ zone.

Add GE0/1 to the Trust zone.

Figure 6 Add GE0/1 to Trust zone

Add GE0/1 to the DMZ zone.

Figure 7 Add GE0/1 to DMZ zone

On GE0/1, packets tagged with VLAN 100 belong to the Trust zone, and packets tagged with VLAN 200 belong to the DMZ zone.

2. A Layer-3 route port can be added to only one security zone.

Do the Layer-2 sub-interfaces and physical ports on the firewall card need to be added to the security zone for inter-VLAN Layer-2 forwarding?

You need to add the Layer-2 sub-interfaces to the security zone. The physical ports need not be added to the security zone.

Traffic is forwarded between two logical interfaces. Add the logical interfaces to the security zone. Do the physical ports that belong to the logical interfaces need to be added to the security zone? What inter-zone policies take effect?

Only the logical interfaces need to be added to the security zone. The inter-zone policy for the security zone of the logical interfaces takes effect.

Why is a specific flow that should be denied by the firewall permitted?

The following are the possible reasons.

- If no inter-zone policy exists, the flow may travel from a higher-priority security zone to a lower-priority security zone.
- A permit-type inter-zone policy exists.
- Another matching session already exists.

How are sessions identified on firewall devices?

A session comprises two flows in opposite directions. Traffic attributes are used to identify each flow. The following describes different sets of attributes used to identify different flows.

- The following 6-tuple identifies a TCP flow: protocol + source IP + source port + destination IP + destination port + VPN instance ID (or VLAN ID)
- The following 6-tuple identifies a UDP flow: protocol + source IP + source port + destination IP + destination port + VPN instance ID (or VLAN ID)
- The following 6-tuple identifies an ICMP flow: protocol + source IP + destination IP + ICMP type + ICMP code + VPN instance ID (or VLAN ID)
- The following 4-tuple identifies a RAW IP flow: protocol + source IP + destination IP + VPN instance ID (or VLAN ID)

What are the differences between firewall session logs and NAT logs?

Session logs include NAT logs. You can view address translation information in session logs.

What are the relations between ASPF sessions and NAT sessions?

A firewall device has only one session table, which includes both ASPF and NAT sessions. A NATed ASPF session includes address translation information.

How do long sessions work? What are the restrictions to ACLs used?

You can set specific sessions to have long lifetimes. Such sessions are called long sessions. Long sessions will not have their lifetimes changed due to state changes and will not be deleted when no packets are sent. You can also set them as permanent sessions, which will not be aged out unless the initiator or responder closes the session or the administrator deletes the session.

- Long sessions must be TCP sessions in TCP-EST state.
- ACLs used must be in the range of 2000 to
- The matching ACLs must be permit type; otherwise, the long sessions do not take effect.

Does the session state transition mechanism change after unidirectional flow detection is enabled?

When unidirectional flow detection is enabled, the state transition mechanisms for TCP/UDP/RAWIP sessions are changed as follows to ensure successful session establishment.

TCP sessions

- When unidirectional flow detection is not enabled, the state machine considers a session illegal if the first packet is a SYN_ACK. When unidirectional flow detection is enabled, SYN packets may not pass the device, and the first packet may be a SYN_ACK. The SYN_ACK packet will create a session and change the session state to SYN_RECV.
- When unidirectional flow detection is not enabled, the state machine considers an ACK received in SYN_SENT state illegal. When unidirectional flow detection is enabled, SYN_ACK packets may not pass the device, an ACK packet received in SYN_SENT state is considered legal, and the session state is changed to TCP_ESTABLISHED.

UDP sessions

- When unidirectional flow detection is not enabled, the state machine does not change the state upon receiving a request in UDP_OPEN state. When unidirectional flow detection is enabled, the state machine changes the state to UDP_READY upon receiving a request in UDP_OPEN state, that is, two requests received can enable the session to enter UDP_READY state.

RAWIP sessions

- When unidirectional flow detection is not enabled, the state machine does not change the session state upon receiving a request in RAWIP_OPEN state. When unidirectional flow detection is enabled, the state machine changes the session state to RAWIP_READY upon receiving a request in RAWIP_OPEN state, that is, two requests received can enable the session to enter RAWIP_READY state.

Why cannot I view expected sessions on virtual devices through the Web interface?

The following are the possible reasons.

- The sessions have aged out.
- Sessions established across virtual devices can only be displayed on the source virtual device.
- The existing sessions have reached the maximum number. No new sessions can be established.

Why is a session state incorrect?

The following are the possible reasons.

- The unidirectional flow detection function is enabled, and the state machine works differently from normal cases.
- Some other packets have changed the session state. Issue the debugging session engine event command in user view to view session debug information to find the reason.

Why doesn't a changed ACL take effect?

The following are the possible reasons.

- The original ACL has been enabled with acceleration. After you modify the ACL, you must reconfigure ACL acceleration so the modification can take effect.

  To check whether ACL acceleration is enabled, enter the Firewall > ACL page from the navigation tree.

  Figure 8 ACL page

  The red rectangle part indicates some settings of the ACL are not effective. You must click the Start Accelerating link to validate the settings.

  For inter-zone policies, enter the Firewall > Security Policy > Interzone Policy Accelerate page from the navigation tree. The red rectangle part indicates some settings of the ACL are not effective. You must click the Start Accelerating link to validate the settings.

- ACL settings are incorrect.

Why cannot the log server receive logs?

The following are the possible reasons.

- Devices are not correctly added to the log server or their states are abnormal.
- The SNMP agent is not enabled on the firewall or the SNMP connection is abnormal.
- Check that the log server address is configured for syslog as follows.

  Figure 9 Syslog settings

- Check that the log server address is configured for flow log as follows.

  Figure 10 Flow log settings

- Check whether sessions destined for the log server address exist. If yes, logs have been sent. If not, logs have not been sent.

Why cannot I view logs through the Web interface?

The following are the possible reasons.

- Use the display info-center command to check that the information center has been enabled.

    [H3C]display info-center
    Information Center:enabled

  If the information center is not enabled, use the following command to enable it.

    [H3C]info-center enable
    Info: Information center is enabled.

- When the information center is enabled, the syslog information cannot be shown if the log buffer is full. Click the Clear Log button on the following page to clear the log buffer.

  Figure 11 Clear the log buffer

- When the information center is enabled, the flow log information cannot be shown if the following box is not selected. Select this box to enable outputting flow logs. Enabling the Web interface to display flow log information is not recommended. This function is used only for debugging.

  Figure 12 Select the box to output flow logs

Why cannot I view VPN instance information in session logs?

You must use flow log 3.0 rather than 1.0 to view VPN instance information.
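Added example, not part of the H3C FAQ or of H3C code: a Python model of the flow tuples listed under "How are sessions identified on firewall devices?" and of the state changes listed under "Does the session state transition mechanism change after unidirectional flow detection is enabled?". The packet dict format, the sample packets, and the transitions the FAQ does not state (a SYN creating SYN_SENT, the normal three-way handshake, a reply moving a datagram session to READY) are assumptions.

```python
"""Session keys and state changes as the FAQ describes them (added example)."""


def flow_key(pkt):
    """Return the tuple the FAQ lists for the packet's protocol.

    pkt is a dict in a format constructed for this example; "vpn" holds the
    VPN instance ID (or VLAN ID).
    """
    proto, vpn = pkt["proto"], pkt.get("vpn", 0)
    if proto in ("tcp", "udp"):
        return (proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], vpn)
    if proto == "icmp":
        return (proto, pkt["src"], pkt["dst"], pkt["icmp_type"], pkt["icmp_code"], vpn)
    return (proto, pkt["src"], pkt["dst"], vpn)  # RAW IP flow: 4-tuple


def reverse_key(key):
    """Key of the opposite-direction flow of the same TCP, UDP or RAW IP session."""
    if key[0] in ("tcp", "udp"):
        proto, src, sport, dst, dport, vpn = key
        return (proto, dst, dport, src, sport, vpn)
    proto, src, dst, vpn = key
    return (proto, dst, src, vpn)


class SessionTable:
    """A session is two flows in opposite directions, stored here under the
    key of the flow that created it."""

    def __init__(self, unidirectional=False):
        self.unidirectional = unidirectional  # unidirectional flow detection on/off
        self.sessions = {}

    def process(self, pkt):
        """Apply one packet; return the resulting session state, or "ILLEGAL"."""
        if pkt["proto"] == "icmp":
            raise ValueError("the FAQ does not describe ICMP session states")
        key = flow_key(pkt)
        if key in self.sessions:
            owner, from_creator = key, True
        elif reverse_key(key) in self.sessions:
            owner, from_creator = reverse_key(key), False
        else:
            owner, from_creator = key, True
        state = self.sessions.get(owner)
        if pkt["proto"] == "tcp":
            new = self._tcp(state, pkt["flags"])
        else:
            new = self._datagram(pkt["proto"], state, from_creator)
        if new != "ILLEGAL":
            self.sessions[owner] = new
        return new

    def _tcp(self, state, flags):
        if state is None:
            if flags == "SYN":
                return "SYN_SENT"      # assumption: normal opening packet
            if flags == "SYN_ACK" and self.unidirectional:
                return "SYN_RECV"      # FAQ: the SYN may not pass the device
            return "ILLEGAL"           # FAQ: SYN_ACK first is illegal otherwise
        if state == "SYN_SENT" and flags == "SYN_ACK":
            return "SYN_RECV"          # assumption: normal handshake
        if state == "SYN_SENT" and flags == "ACK":
            # FAQ: legal only when unidirectional flow detection is enabled
            return "TCP_ESTABLISHED" if self.unidirectional else "ILLEGAL"
        if state == "SYN_RECV" and flags == "ACK":
            return "TCP_ESTABLISHED"   # assumption: normal handshake
        return state

    def _datagram(self, proto, state, from_creator):
        prefix = "UDP" if proto == "udp" else "RAWIP"
        if state is None:
            return prefix + "_OPEN"    # the first request creates the session
        if state.endswith("_OPEN"):
            if not from_creator:
                return prefix + "_READY"   # assumption: a reply completes it
            if self.unidirectional:
                return prefix + "_READY"   # FAQ: a second request is enough
        return state


# Constructed sample packets (documentation address ranges).
SYN = {"proto": "tcp", "src": "192.0.2.10", "sport": 40000,
       "dst": "198.51.100.5", "dport": 443, "vpn": 1, "flags": "SYN"}
ACK = dict(SYN, flags="ACK")
SYN_ACK = {"proto": "tcp", "src": "198.51.100.5", "sport": 443,
           "dst": "192.0.2.10", "dport": 40000, "vpn": 1, "flags": "SYN_ACK"}
UDP_REQ = {"proto": "udp", "src": "192.0.2.10", "sport": 5353,
           "dst": "198.51.100.5", "dport": 53, "vpn": 1}
RAW_REQ = {"proto": "rawip", "src": "192.0.2.10", "dst": "198.51.100.5", "vpn": 1}


def replay(packets, unidirectional):
    """Feed packets to a fresh table and return the state after each one."""
    table = SessionTable(unidirectional)
    return [table.process(p) for p in packets]


if __name__ == "__main__":
    for mode in (False, True):
        print("unidirectional flow detection:", mode)
        print("  SYN then ACK :", replay([SYN, ACK], mode))
        print("  SYN_ACK first:", replay([SYN_ACK], mode))
        print("  two UDP reqs :", replay([UDP_REQ, UDP_REQ], mode))
```

With detection enabled, a lone SYN_ACK or two one-way datagrams are enough to create a session, so packet sequences the default state machine rejects are admitted.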

Figure 13 Select flow log 3.0

How does NAT process ARP packets?

A packet sourced from the private network is NATed and then sent to the public network. The destination host in the public network does not know the MAC address corresponding to the NATed IP address. Therefore, it sends an ARP request to the NAT device. The NAT device looks up the routing table to find the route entry containing the target IP address. If a match is found, it sends the MAC address of the interface in the entry in an ARP reply to the public network host. If no match is found, it checks whether the target IP address exists in the addresses configured for NAT. If yes, it sends the MAC address of the receiving interface in an ARP reply to the public network host. In addition, when the interface goes up or down, the NAT device sends gratuitous ARP packets for the NATed IP addresses.

How can a GRE tunnel interface go up?

The tunnel management module determines that a tunnel interface goes up if all the required parameters have been set. For a GRE tunnel to go up on the firewall, the tunnel source address must match an InLoopBack 32-bit host route, and the tunnel destination address must be reachable.

Why cannot a GRE tunnel interface go up?

The following are the possible reasons.

- The source physical port of the tunnel is not up, or it is up but it has no IP address.
- The source physical port of the tunnel is bound with a VPN instance and the tunnel interface thus cannot go up.
- If multiple tunnel interfaces have the same source port, only the first created tunnel interface can go up.

How to set an ACL used in an IPsec policy?

IPsec uses ACLs to identify traffic to be filtered. The permit keyword in an ACL rule means the matching traffic will be protected by IPsec, and the deny keyword in an ACL rule means the matching traffic will not be protected by IPsec. If an ACL rule on one end specifies the source, the counterpart ACL rule on the other end must specify the destination.
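Added example, not from the H3C FAQ: a Python check that the IPsec ACLs on two peers mirror each other, as the answer above requires, and that reports whether a given packet would be protected. The ACL text is constructed sample data in Comware-style syntax; the first-match evaluation order in ipsec_action and all function names are assumptions of this example.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample ACLs for the two tunnel ends (not taken from the FAQ).
HQ_ACL = """
acl number 3000
 rule 0 deny ip source 10.1.1.99 0.0.0.0 destination 10.1.2.0 0.0.0.255
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
"""
BRANCH_ACL = """
acl number 3000
 rule 0 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.99 0.0.0.0
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.127 destination 10.1.1.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)")


class Rule(NamedTuple):
    rule_id: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_net(addr, wildcard):
    """Convert an address plus wildcard (inverse) mask into a network object."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # only contiguous wildcards map to a single prefix
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)


def parse_acl(text):
    """Parse the rule lines of one ACL, keeping their listed order."""
    rules = []
    for m in RULE_RE.finditer(text):
        rid, action, s, sw, d, dw = m.groups()
        rules.append(Rule(int(rid), action, wildcard_net(s, sw), wildcard_net(d, dw)))
    return rules


def unmirrored(local, peer):
    """IDs of local rules whose source/destination-swapped twin is missing on the peer."""
    twins = {(r.action, r.dst, r.src) for r in peer}
    return [r.rule_id for r in local if (r.action, r.src, r.dst) not in twins]


def ipsec_action(rules, src, dst):
    """permit means the traffic is protected by IPsec, deny means it is not.

    Assumption: rules are checked in listed order and the first match decides.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return "protected" if r.action == "permit" else "not protected"
    return "no match"


if __name__ == "__main__":
    hq, branch = parse_acl(HQ_ACL), parse_acl(BRANCH_ACL)
    print("HQ rules without a mirror on the branch:", unmirrored(hq, branch))
    print("Branch rules without a mirror on HQ:", unmirrored(branch, hq))
    # The /25 typo on the branch leaves the return path of this flow unmatched.
    print("HQ -> branch:", ipsec_action(hq, "10.1.1.20", "10.1.3.200"))
    print("branch -> HQ:", ipsec_action(branch, "10.1.3.200", "10.1.1.20"))
```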

What are the features of IPsec policy template?
- The IPsec policy template can only act as the IPsec responder. Related command: ipsec policy-template.
- The template can be used for one-to-multiple mode.
- If the match mode is name, all the branches must have the same ike local-name settings, and all branches and the center must have remote-name configured.
- If the match mode is IP address, the end using the template does not need the local-address and remote-address settings.

Why cannot the two stateful failover devices enter synchronized state?
Check that:
- The HA interface is up.
- The HA interface is directly connected to the other device rather than connected through a switch.

What are the SSH versions supported by firewall devices?
The releases only support SSH2.0 compatible with SSH1.5, and the firewall device can act as the SSH server or client.

Does F5000-A5 support cross-card link aggregation?
No. F5000-A5 does not support cross-card link aggregation.

Must the ports in a link aggregation group be consecutive in number?
No. They do not need to be consecutive.

Do firewall devices support 802.1X?
No.

Do firewall devices support jumbo frames?
Firewall cards support jumbo frames, but firewall devices do not support jumbo frames.

Is HTTPS supported? How to enable it?
Yes. To enable HTTPS, use the following command in system view:
[H3C] ip https enable

Netstream card FAQ

How is the Netstream card different from other security cards?
- It does not support Web-based configuration.
- Its ports need not be added to the security zone.
- It does not support the functions of other security cards.
- Its 10GE port can only receive traffic.
- Its traffic statistics cover only inbound traffic, not outbound traffic.

Why doesn't the SecCenter show traffic statistics when the Netstream card is used to collect flow logs?
Check that:
- Devices are correctly added.
- The log server and the device are time synchronized.
- Traffic entering the 10GE port is forwarded to the black hole Inline group.
- The ip netstream or ipv6 netstream command is correctly configured.

How does the Netstream card differentiate flows in non-aggregation mode?
It uses the following 7-tuple to identify different flows: source IP address, destination IP address, source port number, destination port number, protocol ID, interface information, and TOS. The interface information only contains the 10GE interface and has no specific meaning.

How to check whether Netstream card settings take effect?
- Issue the display ip netstream cache command to check whether flow entries exist.
- Issue the debugging ip netstream packet command to check whether flow log packets have been sent.
- Issue the display ip netstream export command to check whether log statistics are available.
- Check whether statistics are available on the log server (if connected).

Other FAQ

How to handle a faulty card that lights red?
The card temperature exceeds the upper threshold. Check that the air filter is clean. If not, clean it in time. The temperature of the environment is high. You can use the display environment command to view current card temperature, and use the temperature-limit command to view the lower and upper temperature thresholds. Some fans are faulty.

Do the forced duplex and rate settings need to be configured on the connected fiber and copper ports?
A copper port does not need such settings because it can perform auto-negotiation successfully. Some fiber ports may fail to perform auto-negotiation. Therefore, a fiber port is generally configured with forced duplex and rate settings, but this mechanism may hide some problems. A copper port and a fiber port that are connected follow these rules to perform negotiation:
- Both sides adopt automatic negotiation unless there is a specific reason.
- The two sides must have the same duplex and rate settings.
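The 7-tuple flow keying described under "How does the Netstream card differentiate flows in non-aggregation mode?" can be modelled in a few lines. The following Python sketch is an added example, not H3C code: it builds a flow cache keyed by the 7-tuple and then, going one step beyond the FAQ, regroups the resulting flow entries into conversations the way an analyst reading the log server might. The packet records, the interface label and the helper names are constructed for illustration.

```python
"""Model of a flow cache keyed by the 7-tuple named in the FAQ (illustrative only)."""
from typing import Dict, Iterable, NamedTuple, Tuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # IP protocol number: 6 = TCP, 17 = UDP
    interface: str  # always the single 10GE port, so it never splits flows
    tos: int


# Constructed label for the card's 10GE port (assumption, not a real ifname).
IFACE = "10GE-port"

# Constructed sample packets: (src_ip, dst_ip, sport, dport, proto, tos, length)
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, 60),
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, 1500),
    # Same connection, but the TOS byte changed: this becomes a new flow.
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 40, 1500),
    # Reply direction: source and destination swap, so this is a new flow too.
    ("198.51.100.5", "192.0.2.10", 443, 51000, 6, 0, 1200),
    # Different source port: a separate connection and a separate flow.
    ("192.0.2.10", "198.51.100.5", 51001, 443, 6, 0, 60),
    ("192.0.2.11", "198.51.100.9", 5353, 53, 17, 0, 80),
]

Packet = Tuple[str, str, int, int, int, int, int]


def build_flow_cache(packets: Iterable[Packet],
                     interface: str = IFACE) -> Dict[FlowKey, Dict[str, int]]:
    """Aggregate packets into flow entries, one entry per distinct 7-tuple."""
    cache: Dict[FlowKey, Dict[str, int]] = {}
    for src_ip, dst_ip, sport, dport, proto, tos, length in packets:
        key = FlowKey(src_ip, dst_ip, sport, dport, proto, interface, tos)
        entry = cache.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += length
    return cache


def group_conversations(cache: Dict[FlowKey, Dict[str, int]]):
    """Merge flow entries that differ only by direction, TOS or interface.

    This regrouping is not something the FAQ describes the card doing; it is
    what a reader of the exported records can do to count real conversations.
    """
    conversations: Dict[tuple, Dict[str, int]] = {}
    for key, entry in cache.items():
        # Sort the two endpoints so both directions map to the same key.
        endpoints = tuple(sorted([(key.src_ip, key.src_port),
                                  (key.dst_ip, key.dst_port)]))
        conv = conversations.setdefault(
            (key.protocol, endpoints), {"flows": 0, "packets": 0, "bytes": 0})
        conv["flows"] += 1
        conv["packets"] += entry["packets"]
        conv["bytes"] += entry["bytes"]
    return conversations


if __name__ == "__main__":
    flow_cache = build_flow_cache(SAMPLE_PACKETS)
    for flow_key, stats in flow_cache.items():
        print(flow_key, stats)
    for conv_key, stats in group_conversations(flow_cache).items():
        print(conv_key, stats)
```

When flow counts on the log server look higher than the number of sessions expected, a TOS change or the reply direction of the same connection is a likely reason, as the sample data shows.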
