DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0


Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support. If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. or its sales agent, according to where you purchased the product.

Hangzhou DPtech Technologies Co., Ltd.
Address: 6th floor, zhongcai mansion, 68 tonghelu, Binjiangqu, Hangzhoushi
Address code:

Declaration

Copyright 2013 Hangzhou DPtech Technologies Co., Ltd. All rights reserved.

No part of this manual may be extracted or copied by any company or individual without written permission, or transmitted by any means.

Owing to product upgrades or other reasons, the information in this manual is subject to change. Hangzhou DPtech Technologies Co., Ltd. has the right to modify the content of this manual. As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in preparing this document to ensure the accuracy of its contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Table of Contents

CHAPTER 1 PRODUCT OVERVIEW
PRODUCT INTRODUCTION WEB MANAGEMENT LOGGING IN TO THE WEB MANAGEMENT INTERFACE WEB INTERFACE LAYOUT

CHAPTER 2 SYSTEM MANAGEMENT
INTRODUCTION TO SYSTEM MANAGEMENT DEVICE MANAGEMENT DEVICE INFORMATION DEVICE STATUS DEVICE SETTINGS SNMP CONFIGURATION INTRODUCTION TO SNMP SNMPV ADMINISTRATOR INTRODUCTION TO ADMINISTRATOR CURRENT ADMINISTRATOR ADMINISTRATOR SETTINGS ADMINISTRATOR AUTHENTICATION SETTINGS LOGON PARAMETER SETTINGS PERMISSION MANAGEMENT WEB ACCESS PROTOCOL CONFIGURATION FILE SIGNATURE DATABASE INTRODUCTION TO SIGNATURE DATABASE IPS SIGNATURE AV SIGNATURE URL CLASSIFICATION FILTERING SIGNATURE LICENSE MANAGEMENT SOFTWARE VERSION NTP TIME SYNCHRONIZATION NTP SERVER MODE NTP CLIENT MODE VIRTUAL SYSTEM VIRTUAL SYSTEM VIRTUAL SYSTEM SETTING DIGITAL CERTIFICATION CERTIFICATION CONFIGURATION CERTIFICATION MANAGEMENT CERTIFICATE APPLICATION AND MANAGEMENT TIME OBJECT 2.13 HOT STANDBY

CHAPTER 3 NETWORK MANAGEMENT
INTRODUCTION TO NETWORK MANAGEMENT NETWORK MODE INTRODUCTION TO NETWORK MODE NETWORK MODE USER GROUP USER GROUP IP USER GROUP SERVICE INTERFACE CONFIGURATION SERVICE INTERFACE MANAGEMENT INTERFACE CONFIGURATION IPV4 UNICAST ROUTING STATIC ROUTE MONITORING BASIC ROUTING TABLE DETAILED ROUTING TABLE IPV6 UNICAST ROUTING CONFIGURE IPV6 STATIC ROUTE BASIC ROUTING TABLE DETAILED ROUTING TABLE DNS INTRODUCTION TO DNS DNS CONFIGURATION BYPASS INTRODUCTION TO BYPASS SOFTWARE BYPASS DIAGNOSTIC TOOLS DIAGNOSTIC TOOL TRAFFIC MIRRORING CAPTURE ACL CONFIGURATION BASIC ACL ADVANCED ACL

CHAPTER 4 IPS
INTRODUCTION TO IPS IPS RULE INTRODUCTION TO IPS RULE CUSTOMIZED IPS SIGNATURE IPS POLICY INTERFACE IPS POLICY GLOBAL IPS POLICY 4.3.3 IPS BLACKLIST COOPERATION IDS COOPERATION PROTOCOL PROTECTION POLICY SSL CERTIFICATION IMPORT FIXED PORT SETTING IPS LOG INTRODUCTION TO IPS LOG IPS LATEST LOG IPS LOG QUERY IPS SIGNATURE MANAGEMENT INTRODUCTION TO IPS SIGNATURE MANAGEMENT TYPICAL CONFIGURATION NETWORK REQUIREMENT

CHAPTER 5 ANTI-VIRUS
INTRODUCTION TO ANTI-VIRUS ANTI-VIRUS POLICY ANTI-VIRUS POLICY VIRUS WARNING PUSH CONFIGURATION VIRUS QUARANTINE CONFIGURATION ANTI-VIRUS SIGNATURE MANAGEMENT ANTI-VIRUS LOG INTRODUCTION LATEST LOG ANTI-VIRUS LOG QUERY TYPICAL CONFIGURATION

CHAPTER 6 LOG MANAGEMENT
INTRODUCTION TO LOG MANAGEMENT SYSTEM LOG LATEST LOG SYSTEM LOG QUERY SYSTEM LOG FILE OPERATION SYSTEM LOG CONFIGURATION OPERATION LOG LATEST LOG OPERATION LOG QUERY LOG FILE OPERATION OPERATION LOG CONFIGURATION SERVICE LOG SERVICE LOG CONFIGURATION

CHAPTER 7 ACCESS CONTROL
7.2 RATE LIMITATION RATE LIMITATION SINGLE USER LIMIT TYPICAL CONFIGURATION ACCESS CONTROL TYPICAL CONFIGURATION NET APPLICATION MANAGER BROWSING USER-DEFINED APPLICATION URL FILTERING INTRODUCTION TO URL FILTERING URL CLASSIFY FILTERING CUSTOMIZE URL CLASSIFICATION ADVANCED URL FILTERING URL FILTER PAGE PUSH WEBSITE PROTECTION TYPICAL CONFIGURATION

CHAPTER 8 TRAFFIC ANALYSIS
TRAFFIC ANALYSIS CONFIGURATION

CHAPTER 9 COMPREHENSIVE PROTECTION
BASIC ATTACK PROTECTION INTRODUCTION TO BASIC ATTACK PROTECTION BASIC ATTACK PROTECTION IPV6 ATTACK PROTECTION BASIC ATTACK PROTECTION QUERY BLACK/WHITE LIST BLACK LIST BLACKLIST QUERY BLACKLIST LOG QUERY WHITE LIST CONFIGURATION PASSWORD CRACKING PROTECTION HTTP FORM IP FORGERY

CHAPTER 10 DDOS PROTECTION
INTRODUCTION TO DDOS PROTECTION SYN FLOOD PROTECTION FINGERPRINT PROTECTION TCP PROTECTION UDP PROTECTION ICMP PROTECTION OTHER PROTECTION LOG QUERY UMC LOG CONFIGURATION


Chapter 1 Product Overview

1.1 Product introduction

As network intrusion events increase and attackers become more capable, enterprise networks are infected by viruses and attacked more and more quickly, while enterprises respond to those attacks more and more slowly. Intrusion prevention systems emerged to solve this problem, because traditional firewalls and intrusion detection systems can no longer meet users' demands. Unlike the passive working mode of most detection systems, an intrusion prevention system provides active protection: it blocks network intrusion and attack traffic in advance, so that it prevents user losses rather than simply raising an alarm after malicious traffic has been transmitted.

The DPtech IPS2000 Series is a new generation of intrusion prevention products for enterprise, industry, and telecommunication users, and is an important DPtech product line for intelligent security networks. The IPS2000 series is deployed on the key path of the network in online mode, where Layer 2-7 deep analysis lets it block and restrict various network attacks accurately and in time. The IPS2000 series also supports bypass mode, similar to an Intrusion Detection System (IDS), in which it receives and captures data packets from mirrored traffic so that it can provide intelligent security detection for the network. The IPS2000 intrusion prevention system not only meets application-layer detection and prevention needs in various environments, but also provides strong flow control, anti-virus, and web page filtering functions.

1.2 WEB management

Logging in to the Web management interface

This section introduces how to log in to the Web management interface:

- Make sure that the host can communicate with the management port of the IPS.
- Open an IE browser and access the IP address of the management port using HTTP.
- Type in the username and password in the interface shown in Figure1-1, and click login to access the Web management interface of the IPS device.

Figure1-1 WEB management interface

Caution:
- It is recommended that you use IE 6.0 or higher.
- The resolution should be 1024 x 768 or higher.
- <Backward>, <Forward> and <Refresh> are not supported on the Web management interface. If you use these buttons, the Web page may not be displayed properly.
- By default, the name of the management port is meth0_0, and the IP address is
- The username is admin and the password is admin_default. You can use the default username for the first login, but it is strongly recommended that you change your password. For how to change your password, see the Section xxxx.
- After you log in, if you do not perform any operation within 5 minutes, the connection times out and returns to the login page.
- Up to 5 administrators are allowed to log in to the Web management interface at the same time.

Web interface layout

Figure1-2 shows the main page of the Web management interface of the IPS device.

Figure1-2 Deployment of WEB Interface

(1) Navigation bar (2) Shortcut area (3) Configuration area

- Navigation bar: Lists all of the Web management function menus. You can choose the desired function menu, which is shown in the configuration area.
- Shortcut area: Shows the directory of the current page, as well as the status of the device. This area also provides function buttons, including Collapse, Homepage, Restart, Help and Logout.
- Configuration area: Provides an area for configuring and viewing the device.

Table1-1 lists the features described in the DPtech IPS web-based configuration guide.

Table1-1 Latest log configuration items

System management: Describes basic configurations for IPS management.
- Device management: Displaying system status, system information, and system time.
- SNMP: Configuring SNMP and selecting the SNMP version number.
- Administrator: Configuring administrator settings, administrator authentication settings, and login parameter settings.
- Configuration file: Configuring the configuration file, which can save the configuration or export it to other devices.
- Signature database: Configuring the signature database, which can be updated manually or automatically.
- NTP: Configuring NTP server and client time synchronization, including server mode and client mode.
- Virtual system: Configuring the virtual system, so that the IPS system can be virtualized as several systems.
- Digital configuration: Configuring the digital certification function.

Network management:
- Network mode: Allows you to select a network mode.
- User group: Allows you to configure IPv4 addresses and objects, and IPv6 addresses.
- Interface: Allows you to configure the interfaces.
- IPv4 routing unicast: Allows you to configure a static route or import static routes in batch.
- IPv6 routing unicast: Allows you to configure an IPv6 static route or import IPv6 static routes in batch.
- DNS: Allows you to configure DNS.
- Software bypass: Allows you to configure whether to enable the software bypass function.
- Diagnostic tools: Allows you to configure the parameters of diagnostic tools.
- ACL: Allows you to configure ACLs.

IPS: Describes the attack prevention configurations for the IPS.
- Creating an IPS policy
- Configuring rules for a policy
- Applying an IPS policy to a segment

Anti-virus: Describes anti-virus configurations for the IPS.
- Creating an anti-virus policy
- Configuring rules for a policy
- Applying a policy to a segment
- Querying viruses

Log management: Describes log management configurations for the IPS.
- Displaying, querying, deleting system logs, and configuring service log
- Querying service logs and URL logs
- Configuring device logs, data logs, and logs

Access control:
- Rate limit: Configuring the rate limit, including user group rate limitation, single user rate limitation, network group user management and network group user browsing.
- Access control: Configuring access control.
- URL filtering: Configuring URL filtering, including classified URL filtering, customized URL filtering, advanced URL filtering, page push, and website protection.

Audit analysis: Allows you to configure the traffic analysis function.

Web application firewall: Allows you to configure the web application firewall.

Comprehensive protection:
- Basic attack: Allows you to configure basic attack protection.
- Black/white list: Configuring the black/whitelist function.
- Password cracking: Configuring the password cracking function.
- Weak password scanning: Configuring the weak password scanning function.

Chapter 2 System Management

2.1 Introduction to system management

The system management module provides system-related configuration. System management includes the following features:

- Device Management
- SNMP
- Administrator
- Configuration File
- Signature Update
- Software Version
- NTP Time Synchronization
- Virtual System
- Digital Certification
- Hot Standby

In the navigation tree, you can view the system management menu, as shown in Figure2-1.

Figure2-1 System Menu

2.2 Device Management

Device Information

The Device Information page shows information about the system and device, including system name, system time and system time zone, memory, external memory, serial number, PCB hardware version, software version, default management interface information, CPLD hardware version, Conboot version and power supply.

To enter the device information page, choose Basic > System management > Device management > Device information, as shown in Figure2-2.

Figure2-2 Device Information

Table2-1 describes the details of the Device Information fields.

Table2-1 Latest log configuration items

System name: Displays the name of the system.
System time: Displays the current time of the system.
System time zone: Displays the time zone of the system.
Memory: Displays the memory capacity.
External memory size: Displays the type of the external memory and its capacity.
Serial number: Displays the hardware serial number.
PCB hardware version: Displays the PCB hardware version.
Software version: Displays the information about the system software version.
Default management interface information: Displays the default management interface and its IP address.
CPLD hardware version: Displays the CPLD hardware version.
Conboot version: Displays the Conboot basic segment version.
Power: Displays the power of the device power supplies.

Note: When you log in to the IPS Web interface, the homepage is the Device Information page.

Device status

The device status module displays the current health status of the system. It shows information about CPU, memory, hardware, and CF card thresholds, the status of the fans and power supplies, and the CPU and main board temperatures.

To enter the device status page, choose Basic > System management > Device management > Device status, as shown in Figure2-3.

Figure2-3 Device Status

Table2-2 describes the details of device status.

Table2-2 Device status

CPU usage: If the CPU usage exceeds the threshold, is displayed; otherwise, is displayed.
Memory usage: If the memory usage exceeds the threshold, is displayed; otherwise, is displayed.
Hard disk usage: If the hard disk usage exceeds the threshold, is displayed; otherwise, is displayed.
CF usage: If the CF usage exceeds the threshold, is displayed; otherwise, is displayed.
Fan status: If any fan fails, are displayed; otherwise, are displayed.
Power status: If any power supply unit (PSU) fails, are displayed; otherwise, are displayed.
CPU Temperature: If the temperature exceeds the threshold, is displayed; otherwise, is displayed.
Mainboard Temperature: If the temperature exceeds the threshold, is displayed; otherwise, is displayed.

Note: Hover your mouse cursor on or on a field to view the corresponding data of the item. For example, if you hover the cursor over or of the fan status field, the current status of each fan is displayed.

Device settings

Device information settings

The device information settings page provides device information parameters. You can set the system name, system time, and system thresholds according to your requirements, and select whether to enable the remote diagnostic tool.

To enter the device information settings page, choose Basic > System management > Device management > Device settings > Information settings, as shown in Figure2-4.

Figure2-4 Device Information Settings

The system name function lets you customize a system name for the device, which makes the device easier to manage.

To enter the device information settings page, choose Basic > System management > Device management > Information settings, as shown in Figure2-5.

Figure2-5 System name

To modify the system name, take the following steps:

- Select the Device Information Settings tab and type a system name.
- Click the OK button in the upper right corner of the webpage.
- New settings take effect immediately.

The system time feature lets you set the system date, time, and time zone.

To enter the device information settings page and configure the system time, choose Basic > System management > Device management > Information settings, as shown in Figure

Figure2-6 System Time

To modify the system time, take the following steps:

- Select the Device Information Settings tab, select a time zone, and customize the date and time.
- Click the OK button in the upper right corner of the webpage.
- New settings take effect immediately.

The system threshold feature allows you to set hardware utilization and temperature thresholds.

To enter the device information settings page, choose Basic > System management > Device management > Information settings, as shown in Figure2-7.

Figure2-7 System Threshold

Table2-3 describes the details of the system threshold settings.

Table2-3 System threshold settings

CPU utilization: Sets the proper threshold of CPU utilization.
Memory utilization: Sets the proper threshold of memory utilization.
Hardware utilization: Sets the proper threshold of disk utilization.
CPU temperature threshold: Sets the proper threshold of the lower limit of CPU temperature.
Mainboard temperature threshold: Sets the proper threshold of the lower limit of mainboard temperature.
Lower limit of Mainboard Problem: Sets the proper threshold of the upper limit of CPU temperature.
Upper Limit of Mainboard Problem: Sets the proper threshold of the upper limit of mainboard temperature.

To modify the system threshold, take the following steps:

- Select the Device information configuration tab, and then type the new thresholds in the corresponding fields.
- Click the OK button in the upper right corner of the webpage.
- New settings take effect immediately.

Caution:
- If there is no special requirement, you can adopt the default settings, or set proper thresholds according to the hardware specification and capacity.
- When hardware utilization, CPU temperature, or mainboard temperature exceeds the threshold, the indicator on the device status page turns red; contact the administrator to solve the problem.

System parameter settings

System parameter settings mainly cover fast forwarding parameter settings, high-end session parameter settings, TCP session parameter settings, UDP session parameter settings, drive queue parameter settings, checksum check, high-end mode settings, DPI depth, and DDOS parameter settings.

To enter the System Parameter Settings page, choose Basic > System management > Device management > System parameter settings, as shown in Figure2-8.

Figure2-8 System Parameter Settings

Clear Database

Clear database allows you to clear the database and restart the system. When you click the Clear Database and Restart button, the system is cleared and restarted.

To enter the clear database page, choose Basic > System management > Device management > System parameter settings, as shown in Figure2-9.

Figure2-9 Clear Database

2.3 SNMP Configuration

SNMP (Simple Network Management Protocol) ensures that management information can be transmitted between any two nodes in the network, which makes it convenient for network administrators to retrieve information, modify information, locate faults, complete fault diagnosis, plan capacity and generate reports.

2.3.1 Introduction to SNMP

SNMP version configuration

Currently, SNMP includes three versions: SNMPv1, SNMPv2c and SNMPv3.

- SNMPv1 adopts community name authentication. The community name defines the relationship between the SNMP NMS and the SNMP Agent. If the device does not permit the community name carried in an SNMP packet, the packet is discarded. The community name functions like a password and restricts which SNMP NMS can access the SNMP Agent.
- SNMPv2c also adopts community name authentication. It is compatible with SNMPv1 and extends its functions: it provides more operation types (GetBulk and InformRequest), supports more data types (such as Counter64), and supports more error codes so that errors can be distinguished.
- SNMPv3 provides the USM (User-Based Security Model) authentication mechanism. Users can configure authentication and encryption: authentication verifies the packet sender to keep out illegal users, and encryption encrypts the packets transmitted between the SNMP NMS and the Agent to prevent interception. By combining authentication (used or not used) with encryption (used or not used), communication between the SNMP NMS and the SNMP Agent becomes more secure.

The SNMP NMS and Agent must use the same SNMP version in order to connect successfully.

To enter the SNMP version configuration page, choose Basic > System management > SNMP configuration, as shown in Figure
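The version differences described above are visible in the first bytes of every SNMP message, which is useful when checking captured management traffic for legacy versions. The Python below is an added example, not code from the DPtech guide: it decodes only the outer message header and reports the security model in use. The sample packets, the function names, and the list of well-known community names are constructed assumptions.

```python
# Added example (not from the DPtech guide): report which SNMP security model
# a datagram uses by decoding its outer BER header. Sample packets are constructed.

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}  # assumption: common defaults


def read_tlv(buf, pos):
    """Decode one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want_tag, what):
    """Read one TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"{what}: expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    return value, nxt


def inspect_snmp(datagram):
    """Return version, community or USM security level, and findings."""
    body, _ = expect(datagram, 0, 0x30, "message")
    raw_version, pos = expect(body, 0, 0x02, "version")
    number = int.from_bytes(raw_version, "big", signed=True)
    if not raw_version or number not in VERSIONS:
        raise ValueError("unknown SNMP version field")
    result = {"version": VERSIONS[number], "community": None,
              "security_level": None, "findings": []}

    if number in (0, 1):
        # v1/v2c: the community name follows the version as a plain OCTET STRING.
        community, _ = expect(body, pos, 0x04, "community")
        name = community.decode("ascii", "replace")
        result["community"] = name
        result["findings"].append(
            "community name is sent in cleartext and is the only credential")
        if name in WELL_KNOWN_COMMUNITIES:
            result["findings"].append("well-known community name in use")
        return result

    # v3: msgGlobalData = SEQUENCE { msgID, msgMaxSize, msgFlags, msgSecurityModel }
    header, _ = expect(body, pos, 0x30, "msgGlobalData")
    _, p = expect(header, 0, 0x02, "msgID")
    _, p = expect(header, p, 0x02, "msgMaxSize")
    flags, _ = expect(header, p, 0x04, "msgFlags")
    if len(flags) != 1:
        raise ValueError("msgFlags must be one byte")
    auth, priv = flags[0] & 0x01, flags[0] & 0x02
    if priv and not auth:
        raise ValueError("msgFlags sets encryption without authentication")
    if priv:
        result["security_level"] = "authPriv"
    elif auth:
        result["security_level"] = "authNoPriv"
        result["findings"].append("payload is authenticated but not encrypted")
    else:
        result["security_level"] = "noAuthNoPriv"
        result["findings"].append("no authentication and no encryption")
    return result


# Constructed v2c GetRequest for sysDescr.0 with community "public".
V2C_GET = bytes.fromhex(
    "3026 020101 0406 7075626c6963"
    "a019 020101 020100 020100 300e 300c 0608 2b06010201010100 0500")
# Constructed v3 headers: flags 0x07 (auth + priv) and 0x04 (neither).
V3_AUTHPRIV = bytes.fromhex("3018 020103 300d 020101 020205dc 040107 020103 0400 04020000")
V3_NOAUTH = bytes.fromhex("3018 020103 300d 020101 020205dc 040104 020103 0400 04020000")

if __name__ == "__main__":
    for packet in (V2C_GET, V3_AUTHPRIV, V3_NOAUTH):
        print(inspect_snmp(packet))
```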

Figure2-10 SNMP configuration

To configure the SNMP version, take the following steps:

- Choose the SNMP tab.
- Select the SNMP version number.
- Configure the community string to be defined in the parameter configuration.
- Click the OK button in the upper right corner of the webpage.
- New settings take effect immediately.

Device information

Device information allows you to configure the device information of the SNMP configuration.

To enter the device information page, choose Basic > System management > SNMP, as shown in Figure

Figure2-11 Device information

NAT Traverse

The NAT traverse module can establish connections between nodes behind NAT gateways. On the NAT traverse page, you can configure the primary channel and the command channel for NAT traverse.

To enter the NAT traverse page and configure NAT traverse, choose Basic > System management > SNMP configuration, as shown in Figure2-12.

Figure2-12 NAT traverse

To configure NAT traverse, take the following steps:

- Select the NAT traverse channel and type in the source port, server IP, server port, and time interval for sending.
- Click the OK button.
- New configurations take effect.

IP address list

The IP address list lets you specify an administrator that has MIB access permission.

To enter the IP address list page, choose Basic > System management > SNMP configuration, as shown in Figure2-13.

Figure2-13 IP address list

2.3.2 SNMPv3

To enter the SNMPv3 page, choose Basic > System management > SNMP, as shown in Figure2-14.

Figure2-14 SNMPv3

2.4 Administrator

Introduction to administrator

The administrator feature allows you to add, modify and delete users. Users can log in to the web management interface with different authority, different authentication, and different Web access protocols and ports.

Table2-4 describes the details of administrator.

Table2-4 User management

Current administrator: Lists all of the logged-in administrators, and can kick out others.
Administrator settings: Provides the function of adding or deleting administrators, and of modifying their password and login permission if the administrator is not logged in to the interface. It also provides the function of modifying the status of administrators other than itself.
Administrator settings authentication: Provides the function of setting the login authentication configuration, including Local Authentication and Radius Authentication.
Logon configuration parameter: Provides the function of setting the login configuration, including the Timeout Time, the Times of Error Login, and the Unlock Time After It Locked.

Current administrator

Displays a list of all administrators that have logged in to the web management interface.

To enter the current administrator page, choose Basic > System management > Administrator > Administrator, as shown in Figure

32 Figure2-15 Current administrator Table2-5 describes the details of current administrator. Table2-5 Current administrator Administrator Logon time Last access time Logon IP address Displays the name of current login administrator. Displays the specific time that administrator login to Displays the last access time on the Web Displays the IP address of the logon administrator. Operation Click the icon, the logon administrator can be kicked out forcedly Administrator settings The administrator settings allow user to add, delete, and modify an administrator. To enter administrator settings page, you choose Basic > Administrator > Administrator, as shown in Figure2-16. Figure2-16 Administrator settings Table2-6 describes the configuration items of administrator settings. Table2-6 Administrator settings configuration items Administrator Lists all of the administrators created in the system. It consists of letters, figures, and lines. The initial word must be letter or figure, and the length is within 3 to 20 characters. 18

33 Password Confirm Password Virtual system Configure range Configure authority Status Operation It is the password when administrator log into the interface. It consists of letters, figures. It allows user to use special characters, such as ()-+= []:;/_, and the length is within 3 to 128 characters. The confirm password must be correspond with the password. Otherwise, the system will pop up a warning message when you submit it. Configuring the description of the administrator. It consists of letters, figures, space, and lines, and the length is within 0 to 40 characters. Allows you to select a virtual system. Provides you with the System configuration, Business configuration and Log configuration. System configuration: allows you to configure system management module and network management module. Business configuration: allows you to configure all service modules Log configuration: allow you to view IPS log, Anti-virus log and configure log management module. It also allows you to view basic attack protection log and black/white log. Allows you to select a level for the administrator It shows administrator status, includes Lock or Unlock: Lock: means that the administrator has been locked which cannot log in to the web interface. Unlock: means that the administrator is in normal status. Click the copy icon or the delete icon to do the operations. To add an administrator: Click Add to add an administrator. Set name, password, and the confirm password and description for the administrator. Select virtual machine and permission range. Click Ok button in the upper right corner. To modify the administrator properties: Make sure that this entry of administrator to be modified. If you want to modify an administrator s password, please hover your mouse pointer over password, as the cursor become a pencil icon, you can single click the mouse left button. Password and confirm password should be same. Click OK button in the upper right corner. 19

34 Repeat the above step to modify the administrator's other properties, such as permission and status.
To delete an administrator:
Identify the entry to be deleted in the administrator list.
Click the delete icon in the operation column to delete the administrator.
Click the OK button in the upper right corner of the webpage.
Caution:
The default password cannot be used when you add an administrator.
By default, the administrator is unlocked. It cannot be locked while you are creating it. If an administrator needs to be locked, you can set this after it is created.
When you delete an administrator, the system displays a pop-up window warning you to perform the operation carefully.
Administrator authentication settings
Administrator authentication settings allow the administrator to authenticate the identity of the logon user through the local authentication function and the RADIUS authentication function.
To enter the administrator authentication settings page, choose Basic > System management > Administrator, as shown in Figure2-17.
Figure2-17 Administrator authentication settings
Table2-7 describes the details of administrator authentication settings.

35 Table2-7 Administrator authentication settings
Local settings: Authenticates the administrator name and password through the device.
Radius settings: Authenticates the administrator name and password through the RADIUS server, as follows:
  Type in the server address
  Type in the authentication port number
  Type in the shared key
  Type in the timeout of the authentication packet
  Type in the number of packet retransmissions
  Select a group for the RADIUS-authenticated user
Logon parameter settings
You can set several parameters for WEB safety, including timeout settings, logon lock settings, and unlock time.
To enter the logon parameter settings page, choose Basic > System management > Administrator, as shown in Figure2-18.
Figure2-18 Logon Parameter Settings
Table2-8 describes the configuration items of Logon Parameter Settings.
Table2-8 Logon parameter settings configuration items
Timeout settings: Configures the timeout of the current administrator. The administrator is logged out if no operation is performed on the WEB during the set time.
Logon lock settings: The administrator is locked if a wrong password is typed in several times.
Unlock time: Sets the locking time of an administrator. Lock means a definite locking time for a user. When the set time is over, the user will be

36 unlocked. Permanent lock means that a locked user cannot unlock itself. It can be unlocked, in the administrator configuration list, by an administrator who has the system configuration permission.
Caution: Whether the typed password is correct or not, the system displays a pop-up window warning that the system has been locked and asking you to try again later.
Permission management
A user can log in to the web management interface with one of several predefined permissions or with a user-defined permission.
To enter the Permission Management page, click Basic > System management > Permission, as shown in Figure2-19.
Figure2-19 Permission Management
Table2-9 describes the details of the configure range.
Table2-9 The configure range
Super: The administrator has permission to log in to the web management interface and configure all components.
System configuration: The administrator has permission to log in to the web management interface and configure the system management and network management components, without other configuration authority.
Business configuration: The administrator has permission to log in to the web management interface and configure the IPS, anti-virus, access control, auditing analysis, WEB application firewall, DDOS protection and integrated defend components, without other configuration authority.
Log management configure range: The administrator has permission to log in to the web management interface and view the service log, system log, operation log and comprehensive defend, without other configuration authority.

37 User customize configure range: The administrator has permission to log in to the web management interface with the customized configure range.
WEB access protocol
You can set the web access protocol and port.
To enter the WEB access protocol page, choose Basic > System management > Administrator > WEB access protocol, as shown in Figure2-20.
Figure2-20 WEB access protocol
Table2-10 describes the details of the WEB access protocol.
Table2-10 WEB access protocol settings
HTTP protocol configuration: Allows you to select whether to enable the HTTP protocol, and its port.
HTTPS protocol configuration: Allows you to select whether to enable the HTTPS protocol, and its port number. Configuring the digital certification and enabling the administrator authentication enhances safety.
IP address table: Allows you to configure the IP address range allowed to log in to the web management interface.
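
The logon parameter settings described above (idle timeout, lock after repeated wrong passwords, timed versus permanent lock, unlock by an administrator with the system configuration permission) can be modelled for testing as follows. This is an added example, not DPtech code; the class and field names, the failure counts and the times in seconds are assumptions.

```python
"""Model of the logon parameter settings (constructed example, not device code)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

OK, DENIED, LOCKED = "ok", "denied", "locked"


@dataclass
class Admin:
    password: str                      # kept in clear only to keep the model short
    system_config: bool = False        # holds the "System configuration" range
    failures: int = 0
    locked_at: Optional[float] = None
    last_seen: Optional[float] = None  # None means no active web session


class LogonPolicy:
    def __init__(self, max_failures: int, unlock_after: Optional[float],
                 idle_timeout: float):
        self.max_failures = max_failures  # "Logon lock settings" (assumed to be a count)
        self.unlock_after = unlock_after  # "Unlock time" in seconds; None = permanent lock
        self.idle_timeout = idle_timeout  # "Timeout settings" in seconds
        self.admins: Dict[str, Admin] = {}

    def _is_locked(self, a: Admin, now: float) -> bool:
        if a.locked_at is None:
            return False
        if self.unlock_after is not None and now - a.locked_at >= self.unlock_after:
            a.locked_at, a.failures = None, 0      # the timed lock has expired
            return False
        return True

    def logon(self, name: str, password: str, now: float) -> str:
        a = self.admins.get(name)
        if a is None:
            return DENIED
        if self._is_locked(a, now):
            return LOCKED       # same answer whether or not the password is right
        if hmac.compare_digest(a.password.encode(), password.encode()):
            a.failures, a.last_seen = 0, now
            return OK
        a.failures += 1
        if a.failures >= self.max_failures:
            a.locked_at = now
        return DENIED

    def request(self, name: str, now: float) -> bool:
        """True while the session is alive; an idle session is dropped."""
        a = self.admins.get(name)
        if a is None or a.last_seen is None:
            return False
        if now - a.last_seen > self.idle_timeout:
            a.last_seen = None
            return False
        a.last_seen = now
        return True

    def unlock(self, actor: str, target: str) -> bool:
        """Only an administrator with the system configuration range may unlock."""
        act, tgt = self.admins.get(actor), self.admins.get(target)
        if act is None or tgt is None or not act.system_config:
            return False
        tgt.locked_at, tgt.failures = None, 0
        return True


def demo():
    # Constructed accounts and settings: lock after 3 failures, unlock after 300 s.
    policy = LogonPolicy(max_failures=3, unlock_after=300, idle_timeout=600)
    policy.admins = {"ops1": Admin("Corr3ct_pw"),
                     "root1": Admin("R00t_pw", system_config=True)}
    results = [policy.logon("ops1", "wrong", t) for t in (0, 1, 2)]
    results.append(policy.logon("ops1", "Corr3ct_pw", 10))   # still locked
    results.append(policy.logon("ops1", "Corr3ct_pw", 302))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

With `unlock_after=None` the model never releases the lock on its own, which matches the permanent lock described in the guide.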

38 2.5 Configuration file
The configuration file function saves the current system configuration to the disk. If many devices in the network share the same configuration, you can configure one of them, export its configuration file to your local device, and then import the file to the other devices, so that the same configuration does not have to be repeated on each device.
To enter the configuration file page, choose Basic > System management > Administrator > Configuration, as shown in Figure2-21.
Figure2-21 Configuration file
Table2-11 describes the details of the configuration file.
Table2-11 Configuration file
Configuration file: Displays the name of the configuration file. The first line of the list displays the factory default configuration file.
Last save time: Displays the time the configuration file was last saved.
The software version number for the latest saved file: Displays the version number of the configuration file saved last time.
Operation: You can click the switch icon to switch configuration file. The factory default configuration file can only be switched.
To create the configuration file, take the following steps:

39 Click the Create Configuration File button at the top left.
In the new configuration file entry, enter a name for the configuration file and click the Save icon in the operation column.
To import a configuration file to the local system, take the following steps:
Click the Browse button beside the file path, select the configuration to be downloaded, and then click the Download configuration file button.
The downloaded configuration file appears in the list. Click the Switch button.
A system pop-up window displays: Device will reboot after you switch the configuration file, continue? Click the OK button.
Note: Refer to the above operations if you want to save, export or delete other configuration files.
2.6 Signature database
Introduction to signature database
IPS signature
The IPS signature module displays the IPS signature database version information and allows you to update the IPS signature database automatically or manually.
To enter the IPS signature page, choose Basic > System management > Signature > IPS Signature, as shown in Figure2-22.
Figure2-22 IPS signature

40 Version information
Version information displays the IPS signature database version information.
To enter the version information page, choose Basic > System management > Signature > IPS Signature, as shown in Figure2-23.
Figure2-23 Signature version information
Table2-12 describes the details of the version information.
Table2-12 Version information
IPS signature: Allows you to view the IPS signature.
Current version: Displays the current IPS signature release date, signature database version and update time.
History version: Displays the signature release date and version of the history version.
Valid period: Displays the valid period of the signature database upgrade.
Downgrade: Click the downgrade button to downgrade the IPS database to a previous version.
To downgrade the signature database, take the following steps:
Click the downgrade button in the upper right corner. A pop-up window displays: signature will reverse to the history version, continue?
Click the Ok button to revert the signature database version.
After that, you can see that the current version has become the history version.
Auto-upgrade
The IPS signature database records the access control signatures the device can recognize. It must therefore be kept up to date in real time, fetching the newest signatures from the official website at each time interval.
To enter the auto-upgrade settings page, choose Basic > System management > Signature > IPS signature, as shown in Figure

41 Figure2-24 Auto-upgrade settings
Table2-13 describes the details of auto-upgrade settings.
Table2-13 Auto-upgrade settings
IPS signature database: Select the IPS signature database.
Current version: Displays the release date, signature database, and update time of the current IPS signature version.
History version: Displays the release time and signature database version before the last update.
Valid time: Displays the time during which the signature database can be updated.
Downgrade: Click this button to downgrade the current IPS signature database to the database version before the latest update.
To auto-upgrade the signature database, take the following steps:
Click the auto-upgrade selection box.
Open the time table and select a time range.
Set the auto-upgrade time interval.
Click the Apply icon after you have finished the above configuration.
Manual upgrade
When the signature database needs to be upgraded, you can specify a file path to update the signature database manually.
To enter the manual upgrade page, choose Basic > System management > Signature > IPS Signature, as shown in Figure2-25.
Figure2-25 Manual upgrade
Table2-14 describes the details of the manual upgrade.

42 Table2-14 Manual upgrade
File path: Select the file path and name of the update packet.
To manually upgrade the signature database, take the following steps:
Click the Browse button.
Select the update packet to be downloaded.
Click the Confirm button after you finish the above steps.
Note: When the signature upgrades, the upgrade interface switches to the upgrade progress interface, as shown in Figure2-26.
Figure2-26 Upgrade progress on the page
AV signature
Introduction to AV signature
The AV signature module displays the AV signature database version information and allows you to update the AV signature database automatically or manually.
To enter the AV signature database page, choose Basic > System management > Signature > AV Signature, as shown in Figure

43 Figure2-27 AV signature
Version information
Version information displays the AV signature database version information.
To enter the version information page, choose Basic > System management > Signature > AV Signature, as shown in Figure2-28.
Figure2-28 Signature version information
Table2-15 describes the details of software version.
Table2-15 Software version
AV signature database: Select the AV signature database.
Current version: Displays the release date, signature database, and update time of the current AV signature version.
History version: Displays the release time and signature database version before the last update.
Valid time: Displays the time during which the signature database can be updated.
To downgrade the signature database, take the following steps:
Click the downgrade button in the upper right corner. A pop-up window displays: signature will reverse to the history version, continue?
Click the Ok button to revert the signature database version.
After that, you can see that the current version has become the history version.

44 Auto-upgrade
The AV signature database records the signatures the system can recognize for access control. It must therefore be kept upgraded to the latest version in real time, and users can get the latest signatures from the official website at the desired time.
To enter the auto-upgrade settings page, click Basic > System management > Signature > AV signature, as shown in Figure2-29.
Figure2-29 Auto-upgrade settings
Table2-16 describes the details of auto-upgrade settings.
Table2-16 Auto-upgrade settings
Enable Auto-upgrade: Select the AV signature database.
Start time: Displays the release date, signature database, and update time of the current IPS signature version.
Time interval: Displays the release time and signature database version before the last update.
Upgrade address: Displays the time during which the signature database can be updated.
To auto-upgrade the signature database, take the following steps:
Click the auto-upgrade selection box.
Open the time table and select a time range.
Set the auto-upgrade time interval.
Click the Apply icon after you have finished the above configuration.
Manual Upgrade
If the signature database needs to be upgraded manually, users can upgrade it from a database file on the local system.
To enter the manual upgrade page, click Basic > System management > Signature > AV Signature, as shown in Figure

45 Figure2-30 Manual Upgrade
Table2-17 describes the details of the manual upgrade.
Table2-17 Manual upgrade
File path: Select the file path and name of the update packet.
To manually upgrade the signature database, take the following steps:
Click the Browse button.
Select the update packet to be downloaded.
Click the Confirm button after you finish the above steps.
Note: When the signature upgrade begins, the upgrade interface changes to the upgrade progress interface, as shown in Figure2-31.
Figure2-31 Upgrade progress interface
URL classification filtering signature
Introduction to URL classification filtering signature
The URL classification filtering signature module displays the URL signature database version information and allows you to update the URL signature database automatically or manually.
To enter the URL classification filtering page, choose Basic > System management > Signature > URL Signature, as shown in Figure

46 Figure2-32 URL classification filtering
Version information
Version information provides URL signature database information for users.
To enter the version information page, choose Basic > System management > Signature > URL Signature, as shown in Figure2-33.
Figure2-33 Version information
Table2-18 describes the details of the version information.
Table2-18 Version information
IPS signature: Allows you to view the URL signature.
Current version: Displays the current URL signature release date, signature database version and update time.
History version: Displays the signature release date and version of the history version.
Valid period: Displays the valid period of the signature database upgrade.
Downgrade: Click the downgrade button to downgrade the URL database to a previous version.
To downgrade the signature database, take the following steps:
Click the downgrade button in the upper right corner. A pop-up window displays: signature will reverse to the history version, continue?
Click the Ok button to revert the signature database version.

47 After that, you can see that the current version has become the history version.
Auto-upgrade
The URL signature database records the signatures the system can recognize for access control. It must therefore be kept upgraded to the latest version in real time, and users can get the latest signatures from the official website at the desired time.
To enter the auto-upgrade settings page, click Basic > System management > Signature > URL signature, as shown in Figure2-34.
Figure2-34 Auto-upgrade settings
Table2-19 describes the configuration items of auto-upgrade settings.
Table2-19 Auto-upgrade settings configuration items
Enable Auto-upgrade: Select the URL signature database.
Start time: Displays the release date, signature database, and update time of the current IPS signature version.
Time interval: Displays the release time and signature database version before the last update.
Upgrade address: Displays the time during which the signature database can be updated.
To auto-upgrade the signature database, take the following steps:
Click the auto-upgrade selection box.
Open the time table and select a time range.
Set the auto-upgrade time interval.
Click the Apply icon after you have finished the above configuration.
Manual upgrade
If the signature database needs to be upgraded manually, users can upgrade it from a database file on the local system.

48 To enter the manual upgrade page, click Basic > System management > Signature > IPS Signature, as shown in Figure2-35.
Figure2-35 Manual upgrade
Table2-20 describes the details of the manual upgrade.
Table2-20 The manual upgrade
File path: Select the file path and name of the update packet.
To manually upgrade the signature database, take the following steps:
Click the Browse button.
Select the update packet to be downloaded.
Click the Confirm button after you finish the above steps.
Note: Initially, the URL signature cannot be seen; you need to update it manually or automatically.
2.7 License management
The license management module is used to register the license information file and can also export the license file.
To enter the license management page, choose Basic > System management > Signature database > License management, as shown in Figure

49 Figure2-36 License Management
To export the license file to your local system, take the following steps:
Click the Export file button in the upper right corner.
Select a file path and click the Save button.
To export license file to the local system, take the following steps:
Click the Browse button.
Select the file path to download the license.
Click the Import file button after you have finished the above steps.
2.8 Software version
The web management interface provides functions for managing and updating the software version. Through the web management interface, you can conveniently upgrade the software version, specify the software version status and delete a software version.
To enter the software version page, choose Basic > System management > Software version, as shown in Figure

50 Figure2-37 Software Version
Table2-21 describes the configuration items of software version.
Table2-21 Software version
Image name: Displays the names of the in-use and backup software versions.
Image version: Displays the version number of the software version.
Current status: Displays the current status of the software version, including in-used software version and other
Operation: You can save or delete a software version by clicking the save and delete buttons. A software version in in-use status cannot be deleted.
The software version for the next boot: Sets the software version for the next reboot, which will run when the device reboots.
File path: To download software, click the Browse button, select a file path, and then click the Download image button.
Note:
You can store up to three software version files on the device.
If you download, through the web interface, a software version file that has the same name as a current version file, the prompt Overwrite? appears no matter how many version files are stored on the device.
Make sure that the disk has enough space. Otherwise, the download fails when the size of the software version to be downloaded exceeds the available space of the disk partition, whether or not a software version with the same name exists in the disk partition.
To download a software version and apply it, take the following steps:

51 Click the Browse button beside the file path, select a software version to be downloaded, and click the Download software version button.
The downloaded software version appears in the list. Hover the mouse pointer over the software version for the next boot; when the pointer becomes a pencil icon, click the left mouse button, and a drop-down list is displayed.
Select a software version, that is, the software version to be downloaded.
Click the OK button after you have finished the above steps.
The above configuration takes effect after you reboot the device.
2.9 NTP time synchronization
The NTP time synchronization module synchronizes the clocks of the devices in the network, keeping all devices in the network at the same time. This allows the devices to provide multiple time-based applications.
NTP server mode
To enter the NTP server mode page, choose Basic > System management > NTP configuration, as shown in Figure2-38.
Figure2-38 NTP server mode
Table2-22 describes the configuration items of NTP server mode.
Table2-22 NTP server mode
NTP server address: Configure the IP address and domain name for the NTP server.

52 Master server: Select whether the server is the master server.
NTP client subnet: Set the NTP client subnet; select whether to enable the authentication function.
Mask: Set the subnet mask of the client subnet.
Operation: Click the copy icon or the delete icon to perform the operation on the NTP server and NTP client.
To configure NTP server mode, take the following steps:
Select server mode as the NTP work mode.
Configure the IP address and domain name for the NTP server, and select whether this NTP server is the NTP master server.
Configure the NTP client segment and mask.
Click the Ok button in the upper right corner of the webpage.
NTP client mode
To enter the NTP client mode page, choose Basic > System management > NTP configuration, as shown in Figure2-39.
Figure2-39 NTP client mode
Table2-23 describes the configuration items of NTP client mode.
Table2-23 NTP client mode configuration items
Configures NTP server address: Configure the IP address and domain name of the NTP server; select whether to enable NTP authentication.
Enable authentication: Select whether to enable authentication.

53 2.10 Virtual system
Virtual system
A virtual system is a mirror system generated from the existing operating system. It has the same functions as the existing system and can be switched flexibly.
To enter the virtual system page, choose Basic > System management > Virtual system >, as shown in Figure2-40.
Figure2-40 Virtual system
Table2-24 describes the configuration items of virtual system.
Table2-24 Virtual system configuration items
Enable virtual system configuration: Click the enable virtual system configuration selection box.
Virtual system configuration: Set the virtual system configuration.
Name: Create or modify the virtual system name.
Interface: Select the virtual system packet inbound interface.
Operation: Click the copy icon to perform the operation.
Virtual system setting
You should configure the virtual system settings, including system name and session limit.
To enter the virtual system configuration page, click Basic > System management > Virtual system setting, as shown in Figure

54 Figure2-41 Virtual System
2.11 Digital Certification
A digital certificate is a file signed by a certificate authority (CA) for an entity. It mainly includes the identity information of the entity, the public key of the entity, the name and signature of the CA, and the validity period of the certificate, where the signature of the CA ensures the validity and authority of the certificate. This manual involves two types of certificates: local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity, while a CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, while each lower level CA has a CA certificate signed by the CA at the next higher level.
Certification configuration
To enter the certification configuration page, choose Basic > System management > Digital certification > Certification configuration, as shown in Figure

55 Figure2-42 Certification Configuration
Certification configuration is used to configure the basic information of the certification.
To enter the device information configuration page, click Basic > System management > Digital certification > Certification configuration, as shown in Figure2-43.
Figure2-43 Device Information Configuration
Table2-25 describes the details of device information configuration.
Table2-25 Device information configuration
Common name: Sets the common name, 1 to 31 characters, such as the device name.
IP address: Sets the IP address for applying for the certificate.

56 Country: Selects a country for applying for the certificate.
State/Municipality: Selects the state or municipality.
City: Sets the city name for applying for a certificate.
Company: Sets the company name for applying for a certificate.
Department: Sets the department name for applying for a certificate.
RSA key length: Sets the RSA key length for applying for a certificate.
To configure the device information:
Type in all the information.
Select the RSA key length.
After the above steps are finished, click the OK button.
CA server configuration is used for CA server certification.
To enter the CA server page, click Basic > System management > Digital certification > Certification configuration, as shown in Figure2-44.
Figure2-44 CA server configuration
Table2-26 describes the details of CA server configuration.
Table2-26 CA Server configuration
CA ID: Sets the CA server identification.
Certificate application URL: Sets the URL for applying for the certificate.

57 How to apply for a certificate: Select how to apply for a certificate.
Root certificate authentication algorithm: Select the root certificate authentication algorithm.
Root certificate fingerprint: Set the root certificate fingerprint.
To configure a CA server:
Type in the CA server identification and URL.
Select how to apply for a certificate.
Select a root authentication algorithm and fingerprint if you enable checking of the CA root certificate fingerprint.
Click the OK button when you finish the above steps.
An existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the business. Revoking a certificate removes the binding of the public key with the user identity information. In PKI, revocation is made through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way of checking the validity of certificates.
To enter the CRL server configuration page, click Basic > System management > Digital certification, as shown in Figure2-45.
Figure2-45 CRL Server Configuration
Table2-27 describes the details of CRL server configuration.
Table2-27 CRL server configuration
How to get URL: Select how to get the URL.
Obtain CRL URL: Set the URL for manually configuring the CRL.
To configure the CRL server:
Select an option for how to get the URL.

58 Configure the CRL for the obtain CRL URL.
After you have finished the above steps, click the OK button.
Certification management
Certification management is used to obtain the certificate key, apply for a certificate, and manage certificates and CRLs.
To enter the certification management page, click Basic > System management > Digital certification > certification management, as shown in Figure2-46.
Figure2-46 Certification Management
Key management is used to generate a key for users and to view or hide key information.
To enter the key management page, click Basic > System management > Digital certification > Certification management, as shown in Figure2-47.
Figure2-47 Key Management
To generate a new key:

59 Set the certificate application information.
Click the Ok button, and the new key is generated.
Note:
By factory default, there is no key in key management.
The Hide key information button displays or hides the key information.
Certification application generates the certificate application information and lets users obtain a certificate online or offline.
To enter the certification management page, click Basic > System management > Digital certification > Certification management, as shown in Figure2-48.
Figure2-48 Certificate Application
Certificate application lets users obtain a certificate offline or online and manage the certificate after they obtain it, for example view the certificate's detailed information or delete a certificate.
To enter the certification application page, click Basic > System management > Digital certification > Certification application, as shown in Figure2-49.
Figure2-49 Certificate Management
Table2-28 describes the details of certification management.

60 Table2-28 Certification management table
Certificate file name: Displays the name of the certificate file.
Certificate issuer: Shows the issuer of the certificate.
Certificate subject/identification name(dn): Shows the subject of the certificate and the certificate identification name.
Certificate expiration date: Shows the valid time of the certificate.
Certificate type: Shows the type of the certificate.
Certificate operation: The certificate can be managed as follows: one icon is used to view the certificate's detailed information, and another icon is used to delete the designated certificate.
CRL management lets users import a CRL offline, start or stop CRL query, and export CRL files to the local system. Users can also manage the CRL, for example view the CRL detailed information and delete a certificate.
To enter the certificate management page, click Basic > System management > Digital certification > Certificate application, as shown in Figure2-50.
Figure2-50 CRL management
Table2-29 describes the details of the CRL management.
Table2-29 CRL Management
CRL file name: Shows the CRL file name.
CRL issuer: Shows the issuer of the CRL.
Current CRL update date: Shows the date of the CRL update.
Next CRL update date: Shows the date of the next CRL update.

61 CRL operation: To search or delete a certificate: click the search icon to view the certificate's detailed information; click the delete icon to delete a certificate.
Certificate application and management
Certificate application and management is used to obtain the certificate key and the certificate application information, and to manage certificates and CRLs.
To enter the certificate application and management page, choose Basic > System management > Hot standby, as shown in Figure2-51.
Figure2-51 Time object
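
Section 2.11 describes checking the root certificate fingerprint and using CRLs, which list revoked serial numbers and carry a current and a next update date. The added example below (not DPtech code) shows both checks; the function names, the SHA-1/SHA-256 choice, the status strings and all sample values are assumptions.

```python
"""Root fingerprint check and CRL lookup (constructed example, stdlib only)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

UTC = timezone.utc


def fingerprint_matches(ca_cert_der: bytes, configured: str, algorithm: str) -> bool:
    """Compare the hash of the DER-encoded CA certificate with the configured value."""
    if algorithm not in ("sha1", "sha256"):        # assumed algorithm choices
        raise ValueError("unsupported fingerprint algorithm: " + algorithm)
    # Accept "AA:BB:..", "aa bb .." or plain hex as typed by an operator.
    wanted = "".join(ch for ch in configured if ch not in ": ").lower()
    actual = hashlib.new(algorithm, ca_cert_der).hexdigest()
    return hmac.compare_digest(actual.encode(), wanted.encode())


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime            # "Current CRL update date"
    next_update: datetime            # "Next CRL update date"
    revoked_serials: FrozenSet[int]


def certificate_status(issuer: str, serial: int, not_after: datetime,
                       crl: Optional[Crl], now: datetime) -> str:
    if now > not_after:
        return "expired"             # CAs may drop expired certificates from the CRL
    if crl is None or crl.issuer != issuer:
        return "unknown"             # no CRL from the CA that issued this certificate
    if serial in crl.revoked_serials:
        return "revoked"             # a listed serial stays revoked even if the CRL is old
    if now < crl.this_update or now > crl.next_update:
        return "crl-stale"           # absence from an out-of-date CRL proves nothing
    return "good"


# Constructed sample data, not taken from any real CA.
SAMPLE_ROOT_DER = b"constructed bytes standing in for a DER-encoded root CA certificate"
SAMPLE_CRL = Crl(
    issuer="CN=Example Root CA",
    this_update=datetime(2024, 1, 1, tzinfo=UTC),
    next_update=datetime(2024, 1, 8, tzinfo=UTC),
    revoked_serials=frozenset({0x1A2B, 0x3C4D}),
)


def demo():
    not_after = datetime(2025, 1, 1, tzinfo=UTC)
    in_window = datetime(2024, 1, 3, tzinfo=UTC)
    too_late = datetime(2024, 1, 9, tzinfo=UTC)
    issuer = "CN=Example Root CA"
    return [
        certificate_status(issuer, 0x1A2B, not_after, SAMPLE_CRL, in_window),
        certificate_status(issuer, 0x9999, not_after, SAMPLE_CRL, in_window),
        certificate_status(issuer, 0x9999, not_after, SAMPLE_CRL, too_late),
        certificate_status(issuer, 0x9999, not_after, None, in_window),
    ]


if __name__ == "__main__":
    print(demo())
```

Treating a stale CRL as its own status lets the caller decide whether to fail closed until a fresh CRL is obtained.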

62 2.12 Time object
To enter the time object page, choose Basic > System management > Time object, as shown in Figure2-53.
Figure2-52 Time object
2.13 Hot standby
The IPS device provides a hot standby function that transmits the configuration file to the backup device when the network fails, so that the network keeps working normally.
To enter the hot standby page, choose Basic > System management > Hot standby, as shown in Figure2-53.
Figure2-53 Hot standby

63 Chapter 3 Network Management
3.1 Introduction to network management
Network Management provides the related network management functions for users, including:
Network Mode
User Group
Interface Configuration
IPv4 Unicast Routing
IPv6 Unicast Routing
DNS
Software Bypass
Diagnostic Tool
ACL
Figure3-1 Network management menu
3.2 Network mode
Introduction to network mode
In the network, the IPS device performs various kinds of access control according to the user's behavior, and the access control methods differ with the network mode. At present, the system supports four kinds of network mode: transparent, transparent-bridge mode, online mode, bypass mode.

64 Note:
Online mode and bypass mode are included in the transparent mode.
The basic functions of transparent mode and online mode are similar; the transparent-bridge mode only provides the authentication function for the interface pairs. Their network diagrams are similar.
Online mode means that the IPS device is deployed on the data transmitting link of a network, capturing network data packets directly and performing the safety action. The online mode network diagram is shown in Figure3-2.
Figure3-2 Online mode diagram network
Bypass mode means that the IPS device is not deployed on the data transmitting link. Usually, it captures network data packets by receiving mirrored traffic and detecting the copied packets. It cannot perform the safety action directly and instead performs the action through the response packet. Bypass mode network, as shown in Figure

Figure3-3 Bypass mode network

Network Mode

To enter the network mode page, choose Basic > Network management > Network mode, as shown in Figure3-4.

Figure3-4 Network mode

To switch network mode, take the following steps:
Select a network mode to be changed.

Select a network mode for the interface pair in the interface switch table.
Click OK button.

3.3 User group

User group

A network user group can be set as an internal network segment and applied to extended functions such as bandwidth rate limitation, access control, URL filtering, flow analysis and the session limit.

IP user group

IP user group contains the IP address group, IP address class and IP address cluster.

IP address object

To enter the IP user group page, click Basic > Network management > Network user group > IP user group > IP user group, as shown in Figure3-5.

Figure3-5 IP user group

Table3-1 describes the details of IP user group.

Table3-1 IP user group
No.: Displays the serial number of the address object which is created in the address object table.
Name: Displays the name of the address object which is created in the address object table.
Content: Displays the IP address range of the address object.
Displays the description of the IP address object.

Policy reference: Displays the address object at which the policy is applied.
Operation: Click the copy icon or the delete icon to do the operations.

Caution: Click the modify icon to modify the address object group and click the delete icon to delete the address object group.

IP user group

To enter the IP user group page, choose Basic > Network management > User group > IP user group > IP user class, as shown in Figure3-6.

Figure3-6 IP user group

Table3-2 describes the details of IP user group.

Table3-2 IP user group
Address object: Displays the user group which is created in the IP user group.
Address object group: Create the IP user group and add the address object into the IP user group.

Caution: Click the modify icon to modify the address object group and click the delete icon to delete the address object group.

IPv6 address

To enter the IPv6 address page, choose Basic > Network management > IP user group > IPv6 address, as shown in Figure

Figure3-7 IPv6 address

Table3-1 describes the details of IPv6 address.

Table3-3 IPv6 address
No.: Displays the serial number of the IPv6 address.
Name: Displays the name of the IPv6 address.
Content: Configure the IP address range and IP address/mask.
Displays the IPv6 address object description.
Policy reference: Whether this address is referenced by a policy.
Operation: Click the copy icon or the delete icon to do the operations.

Service interface configuration

Service interface

The service interface configuration module is used to configure the properties of all service interfaces of the device.

To enter the service interface configuration page, choose Basic > Network management > Interface configuration > Service configuration, as shown in Figure

Figure3-8 Service interface

Table3-4 describes the details of service interface.

Table3-4 Service interface
Interface: Displays the type and number of the interface.
Physical status: Displays the current physical connection status.
Enable/disable: Displays the management status of the service interfaces. All interfaces are enabled by default.
Rate settings: Displays the transmitting rate of the interfaces, including 10M (10Mbit/s), 100M (100Mbit/s), 1000M (1000Mbit/s) and auto-negotiation.
Rate status: Displays the interface rate.
Duplex setting: Displays the duplex mode of the interfaces.
Duplex status: Displays the duplex status of the interfaces.
Duplex
Half-duplex

Auto-negotiation
Duplex status: Displays the duplex status of the interface.
Flow (byte) TX/RX: Displays the flow in bytes in the in and out directions.
Packet (number) TX/RX: Displays the flow in packets in the in and out directions.
bps(tx/rx): Displays how many bits an interface transmits per second.
Clear to zero: Click the clear icon to clear the transceiving packets of the service interface.

To modify the parameters of service interfaces, take the following steps:
Hover your mouse pointer over the parameter you want to modify; the pointer becomes a pencil icon.
Click the left mouse button and modify the parameter of the service interface from the drop-down list.
After you finish the above configurations, click OK button in the upper right corner.

Note: Only the interface status, rate setting and duplex setting can be modified.

Management interface configuration

The management interface configuration module is used to configure the IP address and subnet mask of the management interface. Users log in to the device through the management interface to configure, manage and maintain the device.

To enter the management page, choose Basic > Network management > Interface configuration > Management interface, as shown in Figure3-9.

Figure3-9 Management interface

Table3-5 describes the details of management interface.

Table3-5 Management interface
Management mode: Set the management interface mode, including in-band and out-band mode. Out-band management means that you can select an interface as the management interface, whose traffic is not detected by the device.
Management interface binding: In the out-band mode, select an interface as the management interface.
IP address: Set the IPv4 address for the management interface.
Subnet: Sets the management interface subnet.
IPv6 address: Set the IPv6 address for the management interface.
IPv6 subnet: Set the IPv6 subnet mask.
Rate: Sets the management transmitting rate: 10M (10Mbit/s), 100M (100Mbit/s), 1000M (1000Mbit/s) or Auto-negotiation.
Duplex: Sets the mode of the management interface: Duplex, Half-duplex or Auto-negotiation.

To configure the management interface, take the following steps:
Select the out-band mode.
Select the management interface from the drop-down list of the management binding interface.
Enter the management interface IP address.
Enter the subnet mask.
Set the management interface rate and duplex mode.
Click Confirm button in the upper right corner.

Caution: After you modify the management interface IP address, you can no longer access the WEB interface at the old address. Enter the modified IP address in your browser address bar.

3.4 IPv4 unicast routing

IPv4 unicast routing lets users configure IPv4 static routes manually. After you configure a static route, data packets are forwarded to the designated destination.

Static route

To enter the static route page, choose Basic > Network management > IPv4 unicast routing > Static route, as shown in Figure3-10.

Figure3-10 Static route

To configure static routes in batch, take the following steps:
Click Browse button to select the configuration file from your local disk.
Click Ok button to import the static routes in batch.
Click Export button to export all static routes.

To configure a static route manually, take the following steps:
Set the destination IP address and subnet mask.
Select the outbound interface of the network gateway (next hop) and set the next hop address.
In the advanced configuration, select route priority, route type and route weight.
Click Ok button; the manually configured static route takes effect immediately.

Monitoring

To enter the monitoring page, choose Basic > Network management > IPv4 unicast routing > Monitoring, as shown in Figure

Figure3-11 Monitoring

Basic routing table

The basic routing table displays basic information about the routing table and allows users to specify the query item according to their requirement.

To enter the basic routing page, choose Basic > Network management > IPv4 unicast routing > Basic routing table, as shown in Figure3-12.

Figure3-12 Basic routing table

Table3-6 describes the details of basic routing table.

Table3-6 Basic routing table
Destination segment: Displays the destination IP address.
Subnet mask: Displays the subnet mask of the destination IP address.
Gateway (next hop): Displays the next hop address of the gateway.
Outbound interface: Displays the static route outbound interface.

Detailed routing table

The detailed routing table displays detailed information about the routing table and allows users to specify the query item according to their requirement.

To enter the detailed routing table page, choose Basic > Network management > IPv4 unicast routing > Monitoring, as shown in Figure

Figure3-13 Detailed routing table

Table3-7 describes the details of detailed routing table.

Table3-7 Detailed routing table
Destination segment: Displays the destination IP address.
Subnet mask: Displays the destination subnet mask.
Gateway (next hop): Displays the gateway/next hop IP address.
Outbound interface: Displays the static route outbound interface.
Status: Displays the interface status.
Protocol: Displays the static routing protocol, including static, connect, rip, ospf, bgp and guard.
Priority: Displays the priority of the static route.
Cost: Displays the cost of the static route.
Type: Displays the type of the static route.

3.5 IPv6 unicast routing

IPv6 unicast routing lets users configure IPv6 static routes manually. After you configure a static route, data packets are forwarded to the designated destination.

3.5.1 Configure IPv6 static route

To enter the configure IPv6 static route page, choose Basic > Network management > IPv6 unicast routing > Static route, as shown in Figure3-14.

Figure3-14 Configure IPv6 static route

To configure a static route, take the following steps:
Type the IPv6 destination IP address and the subnet mask in their fields.
Select the packet outbound interface and set the IP address for the next hop.
Configure the IPv6 routing priority and type the route weight in the advanced configuration column.
Click OK button; the new configuration takes effect.

Basic routing table

The basic routing table provides information about the basic routing table and allows users to query either all routes or a desired route.

To enter the basic routing table page, choose Basic > Network management > IPv4 unicast routing > Basic routing table, as shown in Figure3-15.

Figure3-15 Basic routing table

Table3-8 describes the details of Basic Routing Table.

Table3-8 Basic Routing Table
Destination segment: Displays the destination IP address.
Subnet mask: Displays the subnet mask of the destination IP address.
Gateway (next hop): Displays the next hop address of the gateway.
Outbound interface: Displays the static route outbound interface.

Detailed routing table

The detailed routing table provides detailed routing information and allows users to query the routing table according to their requirement.

To enter the detailed routing table page, choose Basic > Network management > IPv4 unicast routing > Detailed routing table, as shown in Figure3-16.

Figure3-16 Detailed routing table

Table3-9 describes the details of the detailed routing table.

Table3-9 Detailed routing table
Destination segment: Displays the destination IP address.
Subnet mask: Displays the destination subnet mask.
Gateway (next hop): Displays the gateway/next hop IP address.
Outbound interface: Displays the static route outbound interface.
Status: Displays the interface status.
Protocol: Displays the static routing protocol, including static, connect, rip, ospf, bgp and guard.

Priority: Displays the priority of the static route.
Cost: Displays the cost of the static route.
Type: Displays the type of the static route.

3.6 DNS

Introduction to DNS

The DNS domain system is used to translate domain names into the corresponding IP addresses.

DNS configuration

To enter the DNS configuration page, choose Basic > Network management > IPv4 unicast routing > DNS configuration, as shown in Figure3-17.

Figure3-17 DNS configuration

3.7 Bypass

Introduction to Bypass

Software bypass means that the device is not on the link where data is forwarded. The device therefore captures data packets by receiving mirrored traffic and inspecting the duplicate packets. It cannot take security actions directly and can only take them through response packets, as shown in Figure

Figure3-18 Network diagram for software bypass

Software bypass

The internal monitoring module of the device checks the health status of the device periodically at a high frequency. When it detects a detection engine fault, a software system fault or heavy traffic, the device automatically falls back to a simple Layer 2 switching device. In this state the device does not detect any network traffic, which ensures the continuity of network services. This function is called software bypass. You can also enable or disable the software bypass manually.

To enter the software bypass page, choose Basic > Network management > Software bypass, as shown in Figure3-19.

Figure3-19 Software bypass

Table3-10 describes the configuration items of software bypass.

Table3-10 Software Bypass
Traffic type: Displays the type of network traffic. It includes VIP traffic and common traffic.
Level: Displays the level of the traffic. By default, the VIP traffic is higher than the common traffic.
Status: Displays the current status of software bypass. It includes the online status and the bypass status.
Force: Sets whether to enable the software bypass function manually. If you click the check box, the software bypass is enabled. If you do not click the check box, the software bypass is disabled.
VIP traffic segment: Sets whether to enable the software bypass function of the VIP traffic segment manually. When the software bypass function is enabled automatically, the device will ensure the VIP traffic segment in advance.

To set the software bypass function manually:
Select which kind of bypass function will be enabled.
Click Enable bypass in the Force line.
Click the OK button at the top right.

3.8 Diagnostic Tools

Diagnostic Tool

Diagnostic Tools contains Ping, traffic monitoring and capture functions. Ping is used to test whether a device is reachable. The parameters that can follow Ping are -c, -w, -i and -s. In the following image, you can type -C 100 in the parameter item.

To enter the Diagnostic Tool page, choose Basic > Network management > Diagnostic tool, as shown in Figure

Figure3-20 Diagnostic Tool

Table3-11 describes the configuration items of diagnostic tool.

Table3-11 Diagnostic Tool
Ping -c Ping -w Ping -i Ping -s Record route for count hops. Timeout in milliseconds to wait for each reply. TTL Time To Live. Count Timestamp for count hops.

To use the Ping command to test whether a host is alive, take the following steps:
In the parameter item, enter -C
Enter IP address, example:
Click Test button to execute the Ping command.
The Ping result is displayed under the test result, as shown in Figure

Figure3-21 Test result of PING

Traffic mirroring

Traffic mirroring copies the flow from one interface to another interface. Users can select the mirrored flow and the outbound interface according to IP address and protocol.

To enter the traffic mirroring page, choose Basic > Network management > Traffic mirroring, as shown in Figure3-22.

Figure3-22 Traffic mirroring

To enable the traffic mirroring function:
Click the Enable selection box, set the source IP address and destination address for traffic mirroring, and select a protocol and interface.
Click OK button; the traffic mirroring function is enabled.

Capture

Packet capture allows users to capture the packets transmitted on an interface and to replay the captured packets.

To enter the capture page, choose Basic > Network management > Diagnose tool > Capture, as shown in Figure

Figure3-23 Capture

Table3-12 describes the details of capture packet.

Table3-12 Capture packets
Application protocol: Select the application protocol to be captured and select a port number.
Source IP and destination IP address: Sets the source and destination IP address.
Capture protocol: Sets the capture protocol.
Capture length: Sets the packet length (byte per second) and selects whether the captured packet is larger than, the same as or smaller than it.
Capture time: Sets the capture time within 5 minutes.
Capture number: Sets the capture number between 1 to packets.
Capture interface: Select the capture interface.
Replay interface: Replay the captured packets through the replay interface.

To capture packets, take the following steps:
Set the capture function according to your requirement.
Click Start capture button to start capturing; to stop, click Stop button.
Click Replay button to replay the captured packets.
Click Download button to download the capture file to the local system.

3.9 ACL configuration

ACL is used for flow recognition. To filter data packets, a network device needs a series of match conditions, including the packet source address, destination address and port number. After a device port receives a data packet, the device filters the packet according to the ACL rule applied to that port. After specific packets are recognized, the device allows or prohibits them according to the pre-defined policy.

Basic ACL

To enter the basic ACL page, choose Basic > Network management > ACL, as shown in Figure3-24.

Figure3-24 Basic ACL

Table3-1 describes the configuration items of the basic ACL configuration.

Table3-1 Basic ACL configuration
Priority: Displays the priority of the ACL rule.
Name: Set the name of the Layer 3 ACL rule.
Source IP/mask: Configure the source IP address and mask.
Destination IP/mask: Configure the destination IP address and mask.
Physical port: Configure the physical port.
Action: Select an action for the ACL rule.
Operation: Click the upward icon to move the ACL rule to the top of the list. Click the downward icon to move the ACL rule to the bottom of the list. Click the insert icon, copy icon and delete icon to do the operations.
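Because basic ACL rules carry a priority and can be moved up and down the list, a broad rule placed above a narrower one can make the narrower rule unreachable. The following added example (not from the DPtech guide or the device itself) evaluates a rule list and reports shadowed rules. It assumes first-match semantics with the lowest priority number evaluated first, a default of permit when nothing matches, the action labels "permit" and "deny", the wildcard port "any", and hypothetical port names such as eth0_1; all sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    priority: int   # assumption: lower number is evaluated first
    name: str
    src: str        # Source IP/mask in CIDR form
    dst: str        # Destination IP/mask in CIDR form
    port: str       # physical port name; "any" is an assumed wildcard
    action: str     # "permit" or "deny" (assumed labels)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _within(inner, outer):
    """True if network `inner` lies entirely inside network `outer`."""
    a, b = _net(inner), _net(outer)
    return a.version == b.version and a.subnet_of(b)


def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    return (_within(later.src, earlier.src)
            and _within(later.dst, earlier.dst)
            and earlier.port in ("any", later.port))


def evaluate(rules, src_ip, dst_ip, port, default="permit"):
    """First-match evaluation in priority order: (action, matching rule name)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if s in _net(r.src) and d in _net(r.dst) and r.port in ("any", port):
            return r.action, r.name
    return default, None  # assumed default when no rule matches


def find_shadowed(rules):
    """List (shadowed rule, shadowing rule, actions_conflict) for dead rules."""
    ordered = sorted(rules, key=lambda r: r.priority)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break  # the first covering rule is enough to report
    return findings


# Constructed sample rule set (documentation address ranges).
RULES = [
    AclRule(1, "allow-mgmt", "192.0.2.0/28", "10.1.0.10/32", "any", "permit"),
    AclRule(2, "block-guest", "198.51.100.0/24", "10.1.0.0/16", "eth0_1", "deny"),
    # Never reached: block-guest above already matches all of this traffic.
    AclRule(3, "allow-guest-web", "198.51.100.32/27", "10.1.0.80/32", "eth0_1", "permit"),
    # Not shadowed: "any" port is wider than block-guest's single port.
    AclRule(4, "block-guest-all-ports", "198.51.100.0/24", "10.1.0.0/16", "any", "deny"),
]

if __name__ == "__main__":
    for shadowed, by, conflict in find_shadowed(RULES):
        kind = "conflicting action" if conflict else "redundant"
        print(f"{shadowed} is shadowed by {by} ({kind})")
    print(evaluate(RULES, "198.51.100.40", "10.1.0.80", "eth0_1"))
```

A shadowed rule with a conflicting action is the case worth reviewing first, since the list does not do what its author intended.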

3.9.2 Advanced ACL

To enter the advanced ACL page, choose Basic > Network management > ACL, as shown in Figure3-25.

Figure3-25 Advanced ACL

Chapter 4 IPS

4.1 Introduction to IPS

The IPS (intrusion prevention system) device is deployed in the trunk network in online mode. It analyzes the network in real time and recognizes abnormal flows automatically. Users configure the IPS policy and the predefined actions in advance, so that the protected object is defended against suspicious code. The predefined actions include blocking or isolating the suspicious IP address and disturbance.

The IPS component provides the following functions:
IPS rule
IPS policy
IPS signature management
IPS log

To access the IPS menu, choose IPS module > IPS, as shown in Figure4-1.

Figure4-1 IPS Menu

4.2 IPS rule

Introduction to IPS rule

Choose IPS > IPS rule from the navigation tree to enter the IPS rule page. The IPS rule page allows you to configure an IPS rule and to copy an existing IPS rule, as shown in Figure4-2.

Figure4-2 IPS rule

Table4-1 describes the details of IPS rule.

Table4-1 IPS rule
Rule name: Configure the name of the IPS rule. The rule name may contain letters and digits, is case sensitive, and may also contain Chinese characters.
IT resource: Select a kind of IT resource to be protected, including:
Operating System: Windows, Unix/Linux, Novell, Sun, Solaris, Mac OS, AIX, Other OS
Office Software: Microsoft Office, WPS, Adobe, Acrobat, Other Office Software
Application Software: Chat Software, Download Software, Game, Media Player, Security, Anti-virus Software, Backup Software, Mail Client, Other Application Software
Database: Mysql, MS-SQL, Oracle, Sybase, DB2, Access, PostgreSQL, Other Database
Web Application: Apache, Microsoft IIS, WebLogic, Tomcat, Resin, CGI,
WEB Browser: IE, Firefox, Netscape, Maxthon, Tencent Traveler, Other Browsers
Others: Others
Mail Server: MS Exchange, Postfix, SendMail, Qmail, Mdaemon, Others
Web Reptile: Hostility Reptile, Business Reptile, Open Source Reptile, Other Reptile
Critical action: Select an action for the critical signature set.
Major action: Select an action for the major signature set.
Minor action: Select an action for the minor signature set.
Warning action: Select an action for the warning signature set.

To create an IPS rule:
Click the button to create a new entry of the IPS rule, as shown in Figure4-3.

Figure4-3 Copy IPS rule

To add an IPS rule:
Enter a name for the IPS rule.
Select an IT resource.

Select an action for the critical signature action, the major signature action, the minor signature action and the warning signature action.
Click Ok button in the upper right corner of the webpage.

Customized IPS signature

A customized IPS signature is a user-defined IPS signature. After you create it, the IPS signature is added to the IPS signature database.

To enter the customized IPS signature page, choose IPS module > IPS > IPS rule > Customized IPS signature, as shown in Figure4-4.

Figure4-4 Customize IPS signature

Table4-2 describes the details of customized IPS signature.

Table4-2 Customized IPS signature
Name: Displays the name of the customized IPS signature.
Direction: Allows you to select the direction for the customized IPS signature, including Client => Server, Server => Client and Bidirectional.
Parent protocol: Select a protocol to be protected.
Payload: Sets the regular character string and regular expression for the customized IPS signature.
Head: Sets the packet header for the customized IPS signature, including IP, TCP, UDP and ICMP options.
Action: Select an action for the customized signature database: Warning, Minor, Major or Critical.
Operation: Click the copy icon or the delete icon to do the operations.

4.3 IPS policy

Interface IPS policy

You can create an IPS policy and apply it to an interface.

To enter the IPS policy page, choose IPS module > IPS > IPS policy > Interface IPS policy, as shown in Figure4-5.

Figure4-5 Interface IPS policy

Table4-3 describes the details of the interface IPS policy.

Table4-3 Interface IPS policy
Packet inbound interface: Select the packet inbound interface. Data packets on the selected interface are protected.
IPS rule: Displays the packet inbound interface on which the IPS rule is applied.
VLAN ID: Set the VLAN ID number.
Operation: Click the copy icon or the delete icon to do the operations.

To create an interface IPS policy:
Create an interface IPS policy, select the packet inbound interface, select the IPS rule, set the VLAN ID and set the valid time.
Click Ok button in the upper right corner of the webpage.

Global IPS policy

You can create the global IPS policy and apply it to an interface.

To enter the global IPS policy page, choose IPS module > IPS > IPS policy > Global IPS policy, as shown in Figure

Figure4-6 Global IPS policy

Table4-4 describes the details of global IPS policy.

Table4-4 Global IPS policy
IPS policy: Select an IPS rule and apply it to the global IPS policy.
Network user group: Select a network user group to be protected.
VLAN ID: Set the VLAN ID number.
Operation: Click the copy icon or the delete icon to do the operations.

To create the global IPS policy:
Create an entry of the global IPS policy, select an IPS rule and apply it to the global IPS policy, select the network user group, then set the VLAN ID and select the valid time of the global IPS policy.
Set the VLAN ID number.
Click Ok button in the upper right corner of the webpage.

IPS blacklist cooperation

The IPS blacklist cooperation feature combines the IPS function with the blacklist function. When you enable the IPS blacklist function and attacks exist in the network, the blacklist function is enabled automatically.

To enter the IPS blacklist cooperation page, choose IPS module > IPS > IPS policy > IPS blacklist cooperation, as shown in Figure4-7.

Figure4-7 IPS blacklist cooperation

To enable or disable the IPS blacklist cooperation:
Select the Turn on radio button; you can then set the attack frequency and aging time.
Click Refresh configuration button to refresh the configuration.
Select the Turn off radio button.
Click Refresh configuration button; the IPS blacklist cooperation function is disabled.

IDS cooperation

If the IPS device detects attacks and the IDS cooperation function is enabled, it sends an SNMP Trap message to the IDS device, including the source IP address, destination IP address, source port and destination port. The IDS blocks the attack flow after it receives the SNMP trap message and generates block information.

To enter the IDS cooperation page, choose IPS module > IPS > IPS policy > IDS cooperation, as shown in Figure4-8.

Figure4-8 IDS cooperation

Note:
The IPS signatures in the IPS signature database cannot be deleted.
Each signature name in the IPS signature database list is a hyperlink. Hover your mouse pointer over a signature name and a hand-shaped icon appears, indicating the IPS signature link. Click to enter the detailed description page of the signature.
Each CVE number in the IPS signature database list is a hyperlink. Hover your mouse pointer over a CVE number and a hand-shaped icon appears. Click to go to the Common Vulnerabilities & Exposures home page.
If you set nothing for the IPS rule name, all IPS rules are searched. If you set the IPS rule name, the specific IPS rule name is searched.

4.4 Protocol protection policy

To enter the protocol protection policy page, choose IPS module > IPS > IPS policy > Protocol protection policy, as shown in Figure

Figure4-9 Protocol protection policy

4.5 SSL certification import

The SSL certification import feature allows users to import an SSL certificate so that all content is encrypted before it travels. Data is secured in transit so that no one can decrypt and read it.

To enter the SSL certification import page, choose IPS module > IPS > IPS policy > SSL Certification Import, as shown in Figure4-10.

Figure4-10 SSL Certification Import

4.6 Fixed port setting

To enter the fixed port settings page, choose IPS module > IPS > IPS policy > Fixed port setting, as shown in Figure4-11.

Figure4-11 Fixed port setting

4.7 IPS log

Introduction to IPS log

IPS log allows users to search, delete and export IPS logs. On this page, users can search, delete or export the IPS warning log or block log.

IPS latest log

Latest log provides users with the recent IPS warning log and block log, which can be viewed or exported to the local system.

To enter the latest log page, choose IPS module > IPS > IPS log > Latest log, as shown in Figure

Figure4-12 Latest log

Table4-5 describes the details of latest log.

Table4-5 Latest log
Time: Shows the specific time of the attack.
Attack ID: Shows the IPS signature ID number.
Attack name: Shows the name of the attack.

Inbound: Shows the attack packet inbound interface.
Source IP: Shows the source IP address of the attack.
Destination IP: Shows the destination IP address of the attack.
Source port: Shows the source port of the attack.
Destination port: Shows the destination port of the attack.
Hit count: Displays the hit count number of the attack.
Attack level: Displays the attack level: Critical, Major, Minor or Warning.

To view the latest IPS log and export it to the local system:
Click the Auto-refresh select box; the system then refreshes the latest log interface at the specified interval.
Click Refresh button to refresh the latest logs manually.
Click the Block log option; the latest log interface displays the block log.
Click the Warning log option; the latest log interface displays the warning log.
Click export to CSV file button to export the IPS log to a CSV file.

Note:
You can configure the Auto-refresh time as 10, 30 or 60 seconds after you click the Auto-refresh select box.
Click a header entry of the IPS log list to display the IPS log in ascending or descending order.

IPS log query

IPS log query lets users search, delete and export IPS logs.

To enter the IPS log query page, choose IPS module > IPS > IPS log > IPS log query, as shown in Figure

Figure4-13 IPS log query

Table4-6 describes the details of IPS log query.

Table4-6 IPS log query
Attack ID: Displays the ID number of the attack in the signature database.
Attack level: Set the severity level of attacks, including critical, serious, warning and informational.
Action type: Displays the action type, including block and alarm.
Interface: Select an interface to be queried.
Source IP: Specify the source IP address to be queried.
Source port: Specify the source port to be queried.
Destination IP: Specify the destination IP address to be queried.
Destination port: Specify the destination port to be queried.
Time range: Specify the time range of the traffic statistics report to be viewed, which can be:
Last hour: displays the statistics of the last full hour.
Last day: displays the statistics of the last day.
Last week: displays the statistics of the last week.
Customize: displays the traffic statistics of the specified time range. You need to manually set the start time and the end time.

To query, export and delete IPS logs:
According to what you want to query, configure these items: attack ID, attack level, application protocol, action type, packet inbound interface, source IP, destination IP, source port, destination port and specific time.
Click Search button.
Click the button to view the first page or the previous page; click the button to view the next page or the last page. Select a page number to view the page you want.
Click Export to CSV file button to export the IPS log to a CSV format file.
Click the Delete button to delete all IPS logs.
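Both the latest log page and the log query page export to CSV, which makes offline triage possible before logs are deleted on the device. The following added example (not part of the DPtech guide) ranks attack sources by worst attack level and total hit count. The CSV header names are an assumption that mirrors the Table4-5 columns, the interface names are hypothetical, and every sample row is constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Attack levels as listed for the latest log, lowest to highest.
LEVEL_RANK = {"Warning": 1, "Minor": 2, "Major": 3, "Critical": 4}

# Constructed sample export; header names are assumed to follow Table4-5.
SAMPLE_CSV = """\
Time,Attack ID,Attack name,Inbound,Source IP,Destination IP,Source port,Destination port,Hit count,Attack level
2013-05-01 10:00:01,1001,Sample signature A,eth0_1,198.51.100.7,10.1.0.80,40112,80,3,Major
2013-05-01 10:00:09,1002,Sample signature B,eth0_1,198.51.100.7,10.1.0.81,40113,443,1,Critical
2013-05-01 10:01:30,1001,Sample signature A,eth0_1,203.0.113.9,10.1.0.80,51000,80,12,Minor
2013-05-01 10:02:00,1003,Sample signature C,eth0_1,203.0.113.9,10.1.0.80,51001,80,abc,Minor
2013-05-01 10:02:10,1001,Sample signature A,eth0_2,192.0.2.44,10.1.0.80,33000,80,2,Warning
"""


def parse_log(text):
    """Return (rows, rejected). Malformed lines are reported, not dropped silently."""
    rows, rejected = [], []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, rec in enumerate(reader, start=2):  # line 1 is the header
        try:
            level = rec["Attack level"].strip()
            if level not in LEVEL_RANK:
                raise ValueError(f"unknown attack level {level!r}")
            rows.append({
                "attack_id": rec["Attack ID"].strip(),
                "src": str(ipaddress.ip_address(rec["Source IP"].strip())),
                "dst": str(ipaddress.ip_address(rec["Destination IP"].strip())),
                "dst_port": int(rec["Destination port"]),
                "hits": int(rec["Hit count"]),
                "level": level,
            })
        except (KeyError, TypeError, ValueError, AttributeError) as exc:
            rejected.append((line_no, str(exc)))
    return rows, rejected


def summarize_by_source(rows):
    """Rank sources: worst attack level first, then total hit count.

    Each entry is (source IP, worst level, total hits,
    distinct signatures, distinct destination ip/port pairs).
    """
    agg = defaultdict(lambda: {"hits": 0, "level": "Warning",
                               "sigs": set(), "targets": set()})
    for r in rows:
        a = agg[r["src"]]
        a["hits"] += r["hits"]
        if LEVEL_RANK[r["level"]] > LEVEL_RANK[a["level"]]:
            a["level"] = r["level"]
        a["sigs"].add(r["attack_id"])
        a["targets"].add((r["dst"], r["dst_port"]))
    ranked = sorted(agg.items(),
                    key=lambda kv: (LEVEL_RANK[kv[1]["level"]], kv[1]["hits"]),
                    reverse=True)
    return [(src, a["level"], a["hits"], len(a["sigs"]), len(a["targets"]))
            for src, a in ranked]


if __name__ == "__main__":
    rows, rejected = parse_log(SAMPLE_CSV)
    for entry in summarize_by_source(rows):
        print(entry)
    for line_no, reason in rejected:
        print(f"line {line_no} rejected: {reason}")
```

Rejected lines are returned with their line numbers so that a truncated or altered export is noticed rather than undercounted.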

Note:
You can set the IPS log query page to display 10, 25, 50, 100, 200, 400 or 600 IPS log items.
You cannot recover IPS logs after you delete them.
To specify a time range, select the starting time and ending time. The starting time must be earlier than the ending time.
If you do not specify the time range, you can view all IPS logs.

4.8 IPS signature management

Introduction to IPS signature management

The IPS signature management feature allows users to search and modify IPS signatures.

To enter the IPS signature management page, choose IPS module > IPS > IPS signature management, as shown in Figure4-14.

Figure4-14 IPS signature database

Table4-7 describes the details of IPS signature management.

Table4-7 IPS signature management
ID: Queries IPS signatures by a specific ID number. Allows you to type an ID number to query the specific IPS signature. Type 0 for ID, which represents all IPS signature set. Type a number of for ID, which represents the IPS signature ID number you want to query.

Name: Specify an IPS signature name to be queried.
CVE number: Specify the CVE number to be queried.
Attack method: Displays the attack type.
Severity: Displays the severity level of the attack: Warning, Minor, Major or Critical.

To view and export the latest IPS log:
Click the Refresh selection to refresh the current IPS logs automatically. IPS logs are refreshed automatically according to the auto refresh time interval you select.
Click Manual refresh button to refresh the current IPS logs manually.
Click the Block log radio button; all IPS block logs are displayed on this page.
Click the Warning log radio button; all IPS warning logs are displayed on this page.

Note:
IPS signature can be deleted in the signature set table.
Each IPS signature name is a hyperlink that provides the detailed information of the IPS signature. If you move your mouse over the hyperlink, the cursor becomes a hand shape.
Each CVE is a hyperlink. When you click it, the signature set management goes to the home page of Common Vulnerabilities and Exposures. If you move your mouse over the hyperlink, the cursor becomes a hand shape.
If you do not type in any signature name, the interface shows all the information. If you type in a signature name, it shows the results of your search.

4.9 Typical configuration

Network requirement

The following diagram is the IPS configuration network mode, as shown in Figure

Figure4-15 IPS configuration network mode

1. Add an IPS rule: Choose IPS module > IPS > IPS signature management. Configure the IPS rule, then click the Ok button, as shown in Figure4-16.

Figure4-16 Add an IPS Rule

2. Apply the IPS rule to an IPS policy: Choose IPS > IPS Policy. Configure the IPS policy, then click the Ok button, as shown in Figure

Figure4-17 Add an Interface IPS policy

Chapter 5 Anti-virus

5.1 Introduction to anti-virus

The Anti-virus module of the IPS service board is deployed on the network in online mode and automatically blocks virus packets through real-time analysis. The anti-virus module provides the following features:
- Anti-virus policy
- Anti-virus signature
- Anti-virus log

To enter the IPS2000 anti-virus page, choose IPS module > Anti-virus, as shown in Figure5-1.

Figure5-1 Anti-virus menu

5.2 Anti-virus policy

Anti-virus policy

You can add, delete or copy an anti-virus policy. To enter the anti-virus policy page, choose IPS module > Anti-virus > Anti-virus policy, as shown in Figure5-2.

Figure5-2 Anti-virus policy

Table5-1 describes the details of anti-virus policy.

Table5-1 Anti-virus policy

Anti-virus policy name: Displays the existing anti-virus policy.
Packet inbound interface: Displays the packet inbound interface to which the anti-virus policy is applied to inspect viruses.
High risk: Displays/selects an action for high risk level viruses.
Medium risk: Displays/selects an action for medium risk level viruses.
Low risk: Displays/selects an action for low risk level viruses.
Operation: Click the copy icon or the delete icon to do the operations.

To create an entry of the anti-virus policy, you should:
- Click the copy icon of an existing anti-virus policy to create a new entry of the anti-virus policy.
- Enter a name for the new anti-virus policy.
- Select the packet inbound interface.
- Select an action for each risk level to prevent.
- After you finish the above steps, click the Ok button in the upper right corner.

Note:
- Click the delete icon to delete an entry of the anti-virus policy.
- The None action represents no action.

Virus warning push configuration

To enter the anti-virus policy page, choose IPS module > Anti-virus > Virus warning push configuration, as shown in Figure5-3.

Figure5-3 Virus warning push configuration

5.2.3 Virus quarantine configuration

The quarantine configuration can detect and isolate suspicious files before possible infection. Any files transferred in this fashion cannot be run or executed. To enter the anti-virus policy page, choose IPS module > Anti-virus > Anti-virus policy, as shown in Figure5-4.

Figure5-4 Virus isolation configuration

To set the virus quarantine configuration, take the following steps:
- Ensure that the anti-virus policy is configured.
- Enable the virus quarantine configuration. If the device detects a data flow that contains a virus file, the device isolates the virus file.
- If you want to delete virus files, click Delete All.

5.3 Anti-virus signature management

The anti-virus signature management feature allows users to query anti-virus signatures. To enter the anti-virus signature management page, choose IPS module > Anti-virus > Anti-virus signature management, shown in Figure

Figure5-5 Anti-virus signature

Table5-2 describes the details of anti-virus querying.

Table5-2 Anti-virus querying

Virus ID: Allows you to query the specified virus ID.
Virus name: Allows you to specify the virus name to be queried.
Virus classification: Allows you to select a kind of virus to be queried.
Risk: Allows you to select a risk level to be queried: High risk, Medium risk, Low risk.

To query the anti-virus signature database:
- Enter the anti-virus ID, name to be queried. You can select one item or several items for the anti-virus signature query.
- Click the Search button to search the anti-virus signatures.

Note:
- Anti-virus signatures cannot be deleted!
- If you do not type in anything for the anti-virus name and ID, all anti-virus signatures are returned.

5.4 Anti-virus log

Introduction

The anti-virus log provides users with anti-virus log search, delete and export functions. You can view the anti-virus warning log and block log.

Latest log

The latest log page lets you view the recent anti-virus log and export it to the local system. To enter the latest log page, choose IPS module > Anti-virus > Anti-virus log > Recent log, as shown in Figure5-6.

Figure5-6 Anti-virus latest log

Table5-3 describes the details of latest log.

Table5-3 Latest log

Time: Displays the anti-virus time.
Virus ID: Displays the virus ID number.

Virus name: Displays the virus name.
Inbound interface: Displays the inbound interface.
Source IP address: Displays the source IP address of the virus.
Destination IP address: Displays the destination IP address of the virus.
Source port: Displays the source port of the virus.
Destination port: Displays the destination port of the virus.
Application protocol: Displays the application protocol of the virus.
Hit count: Displays the hit count of the virus.
Popularity: Displays the popularity: High, Medium, Low.

To view and export the latest virus log:
- Click the auto refresh button, and the system refreshes the anti-virus log according to your configuration.
- Click the refresh button to refresh the interface manually.
- Click the Export to CSV button to export the anti-virus log to a CSV file.

Note:
- You can set auto-refresh to 10, 30 or 60 seconds if you enable the auto-refresh function and set the auto-refresh time.
- To sort the anti-virus log in ascending or descending order, click the anti-virus log headline.

Anti-virus log query

Anti-virus log query provides users with the anti-virus log query function. To enter the anti-virus log query page, choose IPS module > Anti-virus > Anti-virus > anti-virus log query, as shown in Figure

Figure5-7 Anti-virus log query

Table5-4 describes the details of the anti-virus log query function.

Table5-4 Anti-virus log query

Time: Displays the specific time when the virus is transmitted.
Virus ID: Displays the virus ID.
Virus name: Displays the name of the virus signature.
Packet inbound interface: Displays the packet inbound interface.
Source IP address: Displays the source IP address of the virus.
Destination IP address: Displays the destination IP address of the virus.
Source port: Displays the source port of the virus.
Destination port: Displays the destination port of the virus.
Application protocol: Displays the application protocol of the virus.
Popularity: Displays the popularity of the virus, including High, Medium, Low.

To query, export and delete the anti-virus log, you should:

- Select one item or several items to query, including virus ID, virus classification, protocol type, action type, interface, source IP address, destination IP address, source port, destination port.
- Click the Search button.
- Click the Export to CSV button to export logs to CSV files.
- Click the Delete button to delete all searched logs.

Note:
- You can set the anti-virus log list to 10, 25, 50, 100, 200, 400 or 600 pieces. To sort the table in ascending or descending order, click the headline.
- Anti-virus logs cannot be recovered after you delete them.
- The specified time of anti-virus log querying includes the last day, the last two days, the last week, and a specified time.

5.5 Typical configuration

Figure5-8 Network diagram for anti-virus configuration

Configuration steps:
- Choose Basic => Anti-virus => Anti-virus policy
- Click icon to create an entry of the anti-virus policy
- Enter a name: 123
- Select packet inbound interface eth0_1
- Select the Warning action for high risk viruses
- Select the Warning action for medium risk viruses
- Select the Warning action for low risk viruses
- After you finish the above steps, click the Ok button in the upper right corner.

Chapter 6 Log Management

6.1 Introduction to log management

The log management feature enables you to store system messages in a log file or send the system log to log hosts. Analyzing and archiving the logs enables you to check the security holes of the IPS, when and who tried to disobey security policies, and the types of network attacks. The log management component provides the following features for users:
- System log
- Operation log
- Service log

To access the log management menu, choose Basic > Log management, as shown in Figure6-1.

Figure6-1 Log management menu

6.2 System log

Latest log

The latest log interface displays the 25 latest logs of the system log. To enter the latest log page, choose Basic > Log management > System log > Recent log, as shown in Figure

Figure6-2 Latest log

To export the system log to your local system, click the Export button at the bottom of the latest log page. A pop-up window allows you to open or save the CSV format file of the queried system logs; then click the Ok button in the upper right corner of the webpage.

Table6-1 describes the details of latest log. Click the grey item of each column to sort and display the records based on the item you selected.

Table6-1 Latest log

Serial number: Displays the sequence of the latest system log.
Time stamp: Displays the time and date when a system log was generated.
Module: Displays the module to which the system log belongs.
Severity level: Displays the severity level of the latest system log, including:
  Fatal error: the system cannot be used.
  Emergency error: warns that users must take emergency measures.
  Critical: the system is in a dangerous status.
  Common error: gives you a hint.
  Warning: shows the warning information.
  Status information: shows the important information under normal conditions.
  Information: shows system information.
  Unknown: shows unknown information.
Log content: Displays the detailed information of the system log.

Note:
- Select the auto-refresh checkbox and the latest system log page is refreshed automatically at the specified time interval. (You can set 10, 30, and 60 seconds for the auto-refresh time interval.)
- Click the Refresh button to refresh the latest system log page.
- System logs with different severity levels are displayed with shadings in different colors to warn users:
  Emergency, alert and critical information are displayed with red shadings.
  Errors and warnings are displayed with orange shadings.
  Notice and informational messages are displayed with white shadings.

System log query

The system log query module allows users to query the system log according to different search conditions. To enter the system log query page, choose Basic > Log management > System log > System log query, as shown in Figure6-3.

Figure6-3 System log query

- Click the Export button; a pop-up window is displayed that allows you to open a CSV format file or save the queried logs to your local system.
- Click the Query button; all system logs that match the search conditions are displayed on the webpage.
- Click the drop-down on the right side of the page to display the page number you want or to set the number of entries displayed on each page.

Note: Select the Customized time range and click the Query button to view all system log contents.

Table6-2 describes the configuration items of the system log query.

Table6-2 System log query

Severity: Allows you to select different severity levels to query the system log.
Keyword: Allows you to select different time range to query the system log.
Starting time: Display or set the starting time for which you want to query the system log.
Ending time: Display or set the ending time for which you want to query the system log.

System log file operation

The system log file operation module allows users to back up and delete the system log of today or of a specific day. To enter the system log file operation page, choose Basic > Log management > System log > Log file operation, as shown in Figure6-4.

Figure6-4 System log file operation

Table6-3 describes the configuration items of the system log file operation.

Table6-3 System log file operation

Serial number: Displays the sequence of the system log file.
Log file name: Shows the time and date when a system log was generated.
Operation: Click the backup icon or delete icon to do the operations.

6.2.4 System log configuration

The system log configuration module allows users to configure the parameters for saving or outputting the system log. To enter the system log configuration page, choose Basic > Log management > System log configuration, as shown in Figure6-5.

Figure6-5 System log configuration

Table6-4 describes the configuration items of the system log configuration.

Table6-4 System log configuration

Output to a remote syslog server Set the parameters for the system log saving or outputting to a remote log host, including: Days for saving feature allows user to select an option for saving system logs, including: Days for saving Saving day Remote log host IP address Service port Time stamp format Select the maximum saving days for the system log file, and then the system will delete the expired system log file. The maximum saving days can be set to one week, two weeks, three weeks, 30 days or a customized value. You can set the maximum saving days if you select the customize radio button.

6.3 Operation log

Latest log

The latest log interface displays the 25 latest logs of the operation log. To enter the latest log page, choose Basic > Log management > Operation log > Latest log, as shown in Figure

Figure6-6 Latest log

To export the system log to your local system, click the Export button at the bottom of the latest log page. A pop-up window allows you to open or save the CSV format file of the queried system logs; then click the Ok button in the upper right corner of the webpage.

Table6-5 describes the details of the latest log. Click the header line of each column to display the latest log in ascending or descending order.

Table6-5 Latest log

Serial number: Displays the sequence number of the latest operation log.
Time stamp: Displays the time that the operation log is generated.
Client type: Displays the type of the client that logged in to the web management interface.
  Web: means you did operations on the webpage.
  Console: means you did operations on the Console port.
  Telnet: means you used Telnet to connect to the device.
  SSH: means the administrator manages the device through the SSH service.
Administrator: Displays the administrator who did the operation.
Address: Displays the IP address of the operation log.
Operation result: Displays the result of the operation log, including success and fail:
  Success: means the operation you did was successful.
  Fail: means the operation you did was unsuccessful.
Log content: Displays the detailed information of the operation log.

Note: The latest log interface can be refreshed automatically every 10, 30 or 60 seconds after you click the auto-refresh button. The log interface can also be refreshed manually if you click the Refresh button.

Operation Log Query

To enter the operation log query page, choose Basic > Log management > Operation log > Log query, as shown in Figure6-7.

Figure6-7 Operation log query

- Click the Export button; a pop-up window allows you to select whether to open the CSV format file of the queried system logs or save the log file to your local system. Then click the Ok button in the upper right corner of the webpage.
- Click the Query button to display the queried system logs on the page.

Note: For the time range, you can select the customized option to display all system logs on the log query interface.

Table6-6 describes the configuration items for querying the operation log.

Table6-6 Querying operation log

Administrator: Allows you to select an administrator for querying the operation log.
IP address: Allows you to configure an IP address for querying the operation log.

Time range: Allows you to select a time range for querying the operation log.
  Start time: select the start time for the time range.
  End time: select the end time for the time range.

Log File Operation

The operation log file operation feature allows users to back up and delete the operation log files. To enter the log file operation page, choose Basic > Log management > Operation log > Log file operation, as shown in Figure6-8.

Figure6-8 Log File Operation

Table6-7 describes the details of the log file operation.

Table6-7 Log file operation

Serial number: Displays the sequence of the operation log.
Log file name: Shows the time and date when an operation log was generated.
Operation: Click the backup icon or delete icon to do the operations.

Operation Log Configuration

The operation log configuration feature allows users to output the operation log file to a remote log server. To enter the operation log configuration page, choose Basic > Log management > Operation log >Log file operation, as shown in Figure

Figure6-9 Operation log configuration

Table6-8 describes the details of operation log configuration. You can save or export the operation log to the local system.

Table6-8 Operation log configuration

Output to a remote log host: The Output to a remote syslog server feature provides the following functions for users:
  Remote Syslog Server IP Address (IPv4): configure the remote syslog server IP address in the format of
  Remote Syslog Server IP Address (IPv6): configure the remote syslog server IP address in the format of 1:1::1:1
  Local ip Address(IPV4): configure the local IP address in the format of
  Local ip Address(IPV6): configure the local IP address in the format of 1:1::1:1
  Service Port: configure a number for the service port, which must be from 1 to
Days for saving: The Days for saving feature allows users to select an option for saving system logs, including: One week, Two weeks, Three weeks, 30 days, Customize days.

6.4 Service Log

Service log configuration

The service log configuration feature provides users with the related configuration for the service log. To enter the service log page, choose Basic > Log management > Service log, as shown in Figure

Figure6-10 Service log configuration

Table6-9 describes the configuration items of the service log.

Table6-9 Service log configuration items

Days for saving: The Days for saving feature allows users to select an option for saving system logs, including: One week, Two weeks, Three weeks, 30 days, Customize days.
Output to a remote syslog server: Configures the output to a remote syslog server function, including:
  Remote Syslog Server IP Address (IPv4): configure the remote syslog server IP address in the format of
  Service Port: configure a number for the service port, which must be from 1 to
Send an e-mail: Allows you to configure the related information about sending an e-mail:
  Mail server IP address
  Source mail address
  Destination mail address
  User name
  Password
  The number of e-mails sent out every minute
  Domain name

Chapter 7 Access control

By purpose, network traffic can be divided into multiple service types, such as the HTTP service, FTP service and e-mail service. Rate limitation performs different management and control behaviors for different service types. The access control module has the following features:
- Rate limit
- Access control
- Net application manager
- URL filtering

To enter the network rate limitation page, choose IPS module > Access control > Network access control, as shown in Figure7-1.

Figure7-1 Network access control menu

7.2 Rate limitation

Rate limitation

To enter the user group limit page, choose IPS module > Access control > Rate limitation > Rate limitation > Rate limitation per IP address, as shown in Figure3-2.

Figure7-2 Rate limitation per IP address

Table7-1 describes the details of rate limitation per interface.

Table7-1 Rate limitation IP address

Priority: Displays the priority of the user group limit rule.
Name: Configure a name for the user group limit rule.
Interface: Select the packet inbound interface.
Interface attribute: Select the packet interface attributes, including any, inbound interface and outbound interface.
User group: Allows you to select the network user group.
Rate-limit parameter: Configure the rate-limit parameter for the user group limit rule.
Valid time: Select the valid time for the user group limit rule.
Disable: Click the select box to disable the user group limit rule.
Operation: Click the copy icon or the delete icon to do the operations.

To configure the rate-limit parameter, you should:
- Select the network user group.
- Configure the upstream bandwidth and unit (bps).
- Configure the downstream bandwidth and unit (bps).
- Click the Confirm button.

Figure7-3 Rate-limit parameter

Table7-2 describes the details of the rate-limit parameter.

Table7-2 Rate-limit parameter

Network application group: Select a network application group for the rate limitation rule.
Upstream: Set the upstream bandwidth for the traffic to be limited.
Unit(bps): Select the upstream bandwidth rate-limit unit.

Downstream: Set the downstream bandwidth for the traffic to be limited.
Unit(bps): Set the downstream bandwidth rate-limit unit.
Operation: Click the copy icon or the delete icon to do the operations.

Single user limit

To enter the single user limit page, choose IPS module > Access control > Rate limitation > Rate limitation > Single user limit, as shown in Figure7-4.

Figure7-4 Single user limit

Table7-3 describes the details of single user limit.

Table7-3 Single user group

Priority: Displays the priority of the single user limit rule.
Name: Configure a name for the single user limit rule.
Interface: Select the packet inbound interface.
Interface attribute: Select the packet interface attributes, including any, inbound interface and outbound interface.
User group: Allows you to select the network user group.
Rate-limit parameter: Configure the rate-limit parameter for the single user limit rule.
Valid time: Select the valid time for the single user limit rule.
Disable: Click the select box to disable the single user limit rule.
Operation: Click the copy icon or the delete icon to do the operations.

To create a single user limit rule, you should:
- Enter a name for the rule.

- Select the packet inbound interface and network user group.
- Select whether to enable or disable the single user limit rule.
- Set the rate-limit parameter.
- Select the valid time for the single user limit rule.
- Click the Ok button in the upper right corner.

Typical configuration

Configuration requirement

To configure bandwidth rate limitation, select an IP segment for the marketing department, such as , exclude the IP address: , and select an IP segment for the research department, such as /24 exclude the IP address:
- Limit the marketing department Webpage safety access application to 10kbps; the packet inbound interface is gig1_0.
- Limit the research department Thunder download to 1Mbps; the packet inbound interface is gig1_

Network requirement

The following diagram shows the network mode of rate limit configuration, as shown in Figure

Figure7-5 Network diagram of IPS device

Configuration procedures

Choose IPS module > Network management > Network user group > IP user group

Add IP addresses into the IP user group:
- Type in the user name, example: marketing department
- Type in the user group description, example: marketing department
- Select an IP address range, such as , exceptional IP address is , then click the Ok button in the upper right corner.
- Type in the user name, example: research department
- Type in the user group, example: research department
- Select an IP address range, such as , exceptional IP address is , and click the Ok button in the upper right corner.

Choose IPS module > Access control > User group limit

Create an entry of the user group limit rule:
- Rule name is: bandwidth1
- Select the packet inbound interface, such as gige1_0.
- Select the Research department user group.
- Select the Enable status for the user group limit rule.
- Select P2P service and set 1Mbps for the rate-limit parameter.

Select the Single user limit tab:
- Configure a name for the single user limit rule: bandwidth2
- Select the packet interface: gig1_0
- Select the network user group: Marketing department
- Select the Enable status.
- Select the service type: Web application, and set the rate limitation to 10kbps.
- Select the default valid time.
- Click the Ok button in the upper right corner of the webpage.

7.3 Access control

To enter the access control page, choose IPS module > Access control > Access control, as shown in Figure7-6.

Figure7-6 Network access control

Table7-4 describes the details of access control.

Table7-4 Access control

Name: Set the name for the access control rule.
Packet inbound interface: Select an interface for the access control rule.
Source IP address group: The interface shows you the source IP address group, which you can select from the network user

group component.
Destination IP address group: The interface shows you the destination IP address group, which you can select from the network user group component.
Network application group: Select an access control service.
Action: Select the action for the access control rule.
Send log: Select whether to enable the send log function.
Valid time: Select the valid time for the access control rule.
Operation: Click the copy icon or the delete icon to do the operations.

To create an access control rule:
- Type in the name in the access control line.
- Select an interface for inbound packets, the user group and the rule enable status.
- Select a network application group, the valid time and whether to enable send log.
- Click the Ok button in the upper right corner.

Typical configuration

Requirement of configuring access control

Create an access control rule for the IPS device. You can select an IP segment for the marketing department, such as exclude
Select Tencent QQ and PPLive as the block rule for the marketing department.

Requirement of network mode

The following diagram shows the network mode of access control configuration, as shown in Figure

Figure7-7 Network structure of IPS device

Configuration procedures

Choose IPS module > Network management > Network user group > IP user group

Then you can add an IP user group:
- Type in the name of the user group, such as marketing department
- Type in the description of the user group, such as marketing department
- Select an IP address scope, such as , exclude , and then click the Ok button in the upper right corner.

Choose IPS module > Access control > Access control > Browsing
- Click to enter the Access control
- Select the block action for the access control rule.
- Create network application rule: bandwidth3
- Select the packet inbound interface gig1_0.
- Select the network user group marketing department

- Select the enable status
- Select the network application group yyz
- Select the access control rule default valid time
- Click the Ok button in the right corner.

7.4 Net application manager

Browsing

To enter the URL classify filtering page, choose IPS module > Access control > URL filtering > URL filtering, as shown in Figure7-8.

Figure7-8 Browsing

User-defined application

To enter the user-defined application page, choose IPS module > Access control > URL filtering > User-defined application, as shown in Figure7-9.

Figure7-9 User-defined application

7.5 URL filtering

Introduction to URL filtering

URL filtering (URL refers to the Uniform Resource Locator) is a kind of web page filtering that supports filtering HTTP GET requests by IP address, host name and regular expression.

URL classify filtering

To enter the URL classify filtering page, choose IPS module > Access control > URL filtering > URL filtering, as shown in Figure3-19.

Figure7-10 URL classify filtering

Table7-5 describes the details of URL classify filtering.

Table7-5 URL classify filtering

Name: Set a name for the URL filtering rule.
Packet inbound interface: Select the packet inbound interface for the rule; you can select all interfaces.
Network user group: The interface shows you the source IP address group, which you can select from the network user group component.
Filtering classification: Select a URL filtering classification for the rule or configure a customized classification.
Black/white list: Select an action for the URL filtering rule.
Send log: Select whether to send logs to the remote server: Black list, White list.
Page push: Select whether to enable URL page push for users, which takes effect on the black list.
Valid time: Select the valid time for the rule.
Operation: Click the copy icon or the delete icon to do the operations.

7.5.3 Customize URL classification

To enter the customize URL classification page, choose IPS module > Access control > URL filtering > Customize URL classification, as shown in Figure3-20.

Figure7-11 Customize URL classification

Table7-6 describes the details of customize URL classification.

Table7-6 Customize URL classification

Classification name: Set the name for the customized URL classification.
URL list: Configure the customized URL list.

Advanced URL filtering

To enter the advanced URL filtering page, click IPS module > Access control > URL filtering > Advanced URL filtering, as shown in Figure3-21.

Figure7-12 Advanced URL filtering

Table7-7 describes the details of advanced URL filtering.

Table7-7 The Advanced URL filter

Name: Set the name for the advanced URL rule.
Packet inbound interface: Select a packet inbound interface for the rule.
Network user group: Select a network user group for the rule.
Status: Select the status of the rule.
Filter parameter: Set the URL filter parameter.
  IP address: filters by IP address.
  Host name: filters by host name.
  Regular expression: filters by content.
White/black list: Select the action to perform for the rule.
Send log: Select whether to send logs to the remote host, including: Blacklist log, White list log.
Valid time: Select the valid time for the rule.
Operation: Click the copy icon or the delete icon to do the operations.

Caution:
- If you select black list for the rule, you cannot access the interface which matches the URL, but others can be accessed.
- If you select white list for the rule, you can access the interface which matches the URL, but others cannot be accessed.

To create an advanced URL filtering rule:
- Type in the name and password for the rule.
- Select the packet inbound interface, network user group and status.
- Set the filter parameter for the rule and select black list; select whether to enable send log, and the valid time.
- Click the confirm button in the upper right corner.

Figure7-13 Advanced URL filtering configuration

Table7-8 describes the details of the filter parameter.

Table7-8 The URL filter parameter

User/User group: Select a user or user group for the advanced URL rule.
Filter type: Select a filter for the advanced URL rule.
Filter parameter: Set the matching content for the advanced URL rule.
  Type in an IP address if you select IP address as the URL filter.
  Type in a host name and domain name if you select host name as the URL filter.
  Type in a character string if you select regular expression as the URL filter.
Operation: Click the copy icon or the delete icon to do the operations.

To create an advanced URL rule:
- Click the Create a new rule button.
- Select a filter type and parameter.
- Click the Confirm button in the upper right corner.

URL filter page push

To enter the URL filter page push page, choose IPS module > Access control > URL filter page push, as shown in Figure

Figure7-14 URL filter page push

Website protection

Website protection provides malicious network protection configuration for users, and it can replace web content with warning information. To enter the website protection page, choose IPS module > Access control > Website protection, as shown in Figure7-15.

Figure7-15 Website protection

7.5.7 Typical configuration

Requirement

Set an advanced URL filter rule and select an IP segment for the marketing department (such as , excludes ), and for the research department (such as /24, excludes ), and then you can view the URL log by 3Cdaemon.
- Only allow the marketing department to access the IP address: , host name: news.sina.com.cn
- Prohibit the research department from accessing URLs with the sports.* character string

Network requirement

The following diagram shows the network mode of URL configuration, as shown in Figure7-16.

Figure7-16 Network deployment of URL configuration

Configuration procedures

Choose IPS module > Network management > Network user group

Add an IP user group:
- Enter a name for the user group, such as marketing department
- Type in the description for the user group, such as marketing department.
- Select an IP address scope, such as , such as , and then click the Ok button in the upper right corner.
- The user group name is research department
- The user group description is research department.
- Select an IP address scope, such as , such as ; click the Ok button in the upper right corner.

To create an advanced URL filter rule, choose IPS module > URL filter > Advanced URL filter
- Type in the name of the advanced URL filter, such as URL1.
- Select the network user group: marketing department
- Select the Enable status.
- Select white list.
- Set the URL filtering parameter, such as: IP address is , the host name is news.sina.com.cn, and then click the Ok button.
- Click the Ok button.

Create another advanced URL filtering policy:
- Type URL2 for the advanced URL description.
- Select the network group research department.
- Select the Enable status.
- Select the black list.
- Select the filtering type regular expression and set the fixed character string sports, regular expression is and sport.*
- Click send log and select the default valid time.
- Click the Ok button.

The URL filtering configurations are finished.
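The decision that rules URL1 (white list) and URL2 (black list) are configured to make can be modelled as follows. This is an added example, not DPtech code: the addresses are constructed documentation ranges because the guide's own addresses are missing from this transcription, and it assumes that a white list blocks every URL it does not match, that a client outside every user group is allowed, and that the regular expression is searched unanchored (Python syntax) against host plus path.

```python
"""Model of the advanced URL filter decision for rules URL1 and URL2."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UserGroup:
    name: str
    network: ipaddress.IPv4Network
    excluded: frozenset = frozenset()   # exceptional addresses left out of the group

    def contains(self, client: str) -> bool:
        addr = ipaddress.ip_address(client)
        return addr in self.network and addr not in self.excluded


@dataclass(frozen=True)
class Rule:
    name: str
    group: UserGroup
    mode: str        # "white" or "black"
    params: tuple    # (filter type, value) pairs; types: "ip", "host", "regex"


def param_matches(kind: str, value: str, url: str) -> bool:
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if kind == "ip":
        try:
            return ipaddress.ip_address(host) == ipaddress.ip_address(value)
        except ValueError:          # URL host is a name, not an address literal
            return False
    if kind == "host":
        # Exact comparison: a suffix or substring test would also accept
        # news.sina.com.cn.evil.example.
        return host == value.lower().rstrip(".")
    if kind == "regex":
        # Assumption: unanchored search over host + path.
        return re.search(value, host + parts.path) is not None
    raise ValueError(f"unknown filter type: {kind}")


def decide(rules, client: str, url: str):
    """Return (verdict, rule name) for the first rule whose group holds client."""
    for rule in rules:
        if not rule.group.contains(client):
            continue
        hit = any(param_matches(k, v, url) for k, v in rule.params)
        if rule.mode == "white":
            return ("allow" if hit else "block", rule.name)
        return ("block" if hit else "allow", rule.name)
    return ("allow", None)          # assumption: no matching rule means allow


# Constructed placeholder addresses (RFC 5737 documentation ranges).
MARKETING = UserGroup("marketing department", ipaddress.ip_network("192.0.2.0/24"),
                      frozenset({ipaddress.ip_address("192.0.2.1")}))
RESEARCH = UserGroup("research department", ipaddress.ip_network("198.51.100.0/24"),
                     frozenset({ipaddress.ip_address("198.51.100.1")}))

URL1 = Rule("URL1", MARKETING, "white",
            (("ip", "203.0.113.10"), ("host", "news.sina.com.cn")))
RULES = (URL1, Rule("URL2", RESEARCH, "black", (("regex", "sports.*"),)))

# Same policy with the pattern bounded by '.' or '/' so that it no longer
# fires on words that merely contain "sports" (for example "transports").
TIGHT_RULES = (URL1, Rule("URL2", RESEARCH, "black",
                          (("regex", r"(^|[./])sports([./]|$)"),)))

if __name__ == "__main__":
    samples = [
        ("192.0.2.20", "http://news.sina.com.cn/world/"),
        ("192.0.2.20", "http://news.sina.com.cn.evil.example/"),
        ("198.51.100.7", "http://sports.example.com/"),
        ("198.51.100.7", "http://example.com/transports/timetable"),
    ]
    for client, url in samples:
        print(client, url, decide(RULES, client, url), decide(TIGHT_RULES, client, url))
```

The research department row for `/transports/timetable` is the one to check when reviewing URL logs after deployment: the unanchored pattern from the requirement blocks it, the bounded pattern does not.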

Chapter 8 Traffic analysis

8.1 Traffic analysis configuration

Traffic analysis is mainly used for statistics and analysis of file transfers, P2P downloads, and web applications.

To enter the traffic analysis page, choose IPS module > Auditing analysis > Traffic statistic > Traffic statistic, as shown in Figure8-1.

Figure8-1 Traffic statistic

Table8-1 describes the details of traffic statistic.

Table8-1 Traffic statistic
Interface traffic statistics: Select whether to enable the interface traffic statistics.
Traffic statistic per IP address: Select whether to enable the traffic statistics per IP address.
Network user group: Allows you to select the network user group.

To configure the traffic statistics:

- Click the select box of the interface traffic statistics.
- Click the select box of the interface traffic per IP address.
- Click the Ok button in the upper right corner of the webpage.

Chapter 9 Comprehensive protection

With the comprehensive prevention feature, the IPS device takes measures against all kinds of network attacks.

9.1 Basic attack protection

Introduction to basic attack protection

Attack packets may be transmitted in the network, and these packets may be harmful to the destination host. Basic attack protection can block these data packets and report logs.

Basic attack protection

To enter the basic attack protection page, click IPS module > Comprehensive > Basic attack protection, as shown in Figure6-1.

Figure9-1 Basic attack protection

Table9-1 describes the details of basic attack protection.

Table9-1 Basic attack protection
Attack type: Allows the user to select the attack type to be protected:
- Land attack: the attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination.
- Ping of death: involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 32 bytes in size (or 84 bytes when the Internet Protocol [IP] header is considered); historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes. Sending a ping of this size could crash the target computer.
- IP fragment attack: the IP fragment overlapped exploit occurs when two fragments contained within the same IP datagram have offsets that indicate that they overlap each other in positioning within the datagram.
- UDP Fraggle: an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. It is a simple rewrite of the smurf attack code.
- WinNuke: WinNuke is also called the out-of-band transmission attack. It attacks TCP ports on the victim machine (139, 138, 137, 113, and 53) with the TCP urgent flag set to 1, causing the machine to lock up and display a Blue Screen of Death.
- ICMP Smurf: large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
- Tear drop: the Teardrop attack involves sending IP fragments with overlapping oversized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code caused the fragments to be improperly handled, crashing the operating system as a result.
Action: Select the prevention action for this kind of attack.
Number of attacks: Displays the attack counts.
Clear counter: Clears the attack count.

To configure basic attack protection:

- Select the attack prevention action. Prevention actions include Block and Alert.
- Set the prevention threshold for IP address scanning and port scanning, and select whether to add this IP address into the address list. If you click the blacklist option select box, you should select the lifecycle.
- Click the Ok button in the upper right corner.

IPv6 attack protection

To enter the IPv6 attack protection page, choose IPS module > Comprehensive > Basic attack protection, as shown in Figure6-1.

Figure9-2 Basic attack protection
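The attack types in Table9-1 each correspond to a pattern in IPv4, TCP, UDP or ICMP header fields. The following added example, which is not the device's own logic, applies those header checks to constructed packet records; the Pkt record, its field names and the 192.0.2.0/24 protected network are assumptions, and one overlap test stands in for both the IP fragment attack and Tear drop entries.

```python
import ipaddress
from dataclasses import dataclass

WINNUKE_PORTS = {139, 138, 137, 113, 53}  # ports named in Table9-1
MAX_IPV4_LEN = 65535                       # maximum IPv4 packet size in bytes
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Pkt:
    """Header fields of one IPv4 packet (hypothetical record, not a device format)."""
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    ip_id: int = 0
    frag_offset: int = 0    # IPv4 fragment offset, in 8-byte units
    more_frags: bool = False
    payload_len: int = 0    # bytes carried after the IP header
    ip_hdr_len: int = 20
    dport: int = 0
    tcp_flags: str = ""     # letters: S=SYN, A=ACK, U=URG, P=PSH
    icmp_type: int = -1     # 8 = echo request


class BasicAttackDetector:
    def __init__(self, local_networks):
        self.networks = [ipaddress.ip_network(n) for n in local_networks]
        # (src, dst, proto, ip_id) -> byte ranges seen; a real engine would age these out
        self.fragments = {}

    def is_broadcast(self, dst):
        addr = ipaddress.ip_address(dst)
        return addr == LIMITED_BROADCAST or any(
            addr == net.broadcast_address for net in self.networks)

    def fragment_overlaps(self, p):
        """Record this fragment and report whether it overlaps an earlier one."""
        if p.frag_offset == 0 and not p.more_frags:
            return False  # not a fragment
        start = p.frag_offset * 8
        end = start + p.payload_len
        seen = self.fragments.setdefault((p.src, p.dst, p.proto, p.ip_id), [])
        # Exact duplicates are treated as retransmissions, not as overlap.
        overlap = any(start < e and s < end and (s, e) != (start, end)
                      for s, e in seen)
        seen.append((start, end))
        return overlap

    def inspect(self, p):
        """Return the Table9-1 attack types whose header pattern this packet shows."""
        hits = []
        if (p.proto == "tcp" and "S" in p.tcp_flags and "A" not in p.tcp_flags
                and p.src == p.dst):
            hits.append("land")
        if (p.proto == "icmp"
                and p.ip_hdr_len + p.frag_offset * 8 + p.payload_len > MAX_IPV4_LEN):
            hits.append("ping_of_death")  # reassembled size would exceed 65,535 bytes
        if self.fragment_overlaps(p):
            hits.append("fragment_overlap")
        if p.proto == "udp" and p.dport == 7 and self.is_broadcast(p.dst):
            hits.append("udp_fraggle")    # UDP echo sent to a broadcast address
        if p.proto == "tcp" and "U" in p.tcp_flags and p.dport in WINNUKE_PORTS:
            hits.append("winnuke")
        if p.proto == "icmp" and p.icmp_type == 8 and self.is_broadcast(p.dst):
            hits.append("icmp_smurf")     # echo request sent to a broadcast address
        return hits


def run_samples():
    """Classify constructed sample packets; 192.0.2.0/24 is the protected network."""
    det = BasicAttackDetector(["192.0.2.0/24"])
    samples = [
        Pkt("192.0.2.10", "192.0.2.10", "tcp", dport=80, tcp_flags="S"),
        Pkt("198.51.100.7", "192.0.2.10", "tcp", dport=80, tcp_flags="S"),
        Pkt("198.51.100.7", "192.0.2.10", "icmp", ip_id=1, frag_offset=8189,
            payload_len=1480, icmp_type=8),
        Pkt("198.51.100.7", "192.0.2.10", "udp", ip_id=2, more_frags=True,
            payload_len=36),
        Pkt("198.51.100.7", "192.0.2.10", "udp", ip_id=2, frag_offset=3,
            payload_len=4),
        Pkt("198.51.100.7", "192.0.2.255", "udp", dport=7, payload_len=32),
        Pkt("198.51.100.7", "192.0.2.10", "tcp", dport=139, tcp_flags="PU"),
        Pkt("198.51.100.9", "192.0.2.255", "icmp", icmp_type=8, payload_len=64),
    ]
    return [det.inspect(p) for p in samples]


if __name__ == "__main__":
    for labels in run_samples():
        print(labels)
```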

9.1.4 Basic attack protection query

To enter the basic attack protection query page, choose IPS module > Comprehensive > Basic attack protection query, as shown in Figure9-3.

Figure9-3 Basic attack protection query

9.2 Black/white list

Black list

A blacklist allows you to filter packets based on the segment, direction, and source IP address. The blacklist matches on a very simple field and can therefore filter packets at a high rate. It can effectively filter packets sourced from a particular IP address.

To enter the black list configuration page, choose IPS module > Comprehensive > Black/white list, as shown in Figure9-4.

Figure9-4 Black/white list

Table9-2 describes the details of black list configuration.

Table9-2 Black list configuration
IP address/mask: Type in an IP address or IP segment.
Remaining life time: Select the remaining life time, including 5 minutes, 1 hour, 8 hours, permanent, and customize.
Status: Select whether to enable the black list function.
Last configuration record: Displays the last configuration record.
Operation: Click the copy icon or the delete icon to do the operations.

Blacklist query

A blacklist entry can be added to the blacklist manually or dynamically. Upon detecting an attack attempt from a specific IP address based on the packet behavior, the device automatically adds the IP address to the blacklist if the corresponding blocking action is configured.

To enter the blacklist query page, click IPS module > Comprehensive > Blacklist query, as shown in Figure6-3.

Figure9-5 Blacklist query

Table9-3 describes the details of blacklist query.

Table9-3 Black list query
IP address/mask: Displays the IP address/mask that is added to the blacklist.
Valid time: Displays when the blacklist entry was generated.
Remaining time: Displays the lifetime of the blacklist entry.
Cause: Displays the reason why this blacklist entry was added.

9.2.3 Blacklist log query

To enter the blacklist log query page, choose IPS module > Comprehensive > Black/white list > Blacklist log query, as shown in Figure6-4.

Figure9-6 Blacklist log query

Table9-4 describes the details of blacklist log query.

Table9-4 Blacklist log query
No.: Displays the sequence number of the blacklist entry.
Time: Displays when the blacklist is generated.
IP address/mask: Displays the IP address/mask that is added to the blacklist.
Lifecycle: Lifetime of the blacklist entry.
Adding reason: Displays when the blacklist entry is added. It is the creation time of the blacklist entry.

To query the blacklist log:

- Type in the search condition.
- Click the Export to CSV button to export the result to a CSV file.
- Click the Search button to see the result.
- Click the Delete button to delete the log that you have queried.

White list configuration

To enter the white list configuration page, choose IPS module > Comprehensive > Black/white list > White list configuration, as shown in Figure

Figure9-7 White list configuration

Table9-5 describes the details of white list configuration.

Table9-5 White list configuration
Inbound interface: Select a packet inbound interface for the white list.
IP address: Set the IP address for the white list.
Permission: Select send or receive permission.
Operation: Click the copy icon or the delete icon to do the operations.

9.3 Password cracking protection

To enter the password cracking protection page, choose IPS module > Comprehensive > Password cracking protection, as shown in Figure9-8.

Figure9-8 Password cracking protection

9.4 HTTP form

To enter the HTTP form page, choose IPS module > Comprehensive > HTTP form, as shown in Figure9-9.

Figure9-9 HTTP form

9.5 IP forgery

IP forgery, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity and gain access to a network. The hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source.

To enter the IP forgery page, choose IPS module > Comprehensive > IP forgery, as shown in Figure9-10.

Figure9-10 IP forgery list

Chapter 10 DDoS Protection

10.1 Introduction to DDoS protection

A Distributed Denial of Service (DDoS) attack is mounted by multiple hosts against a target. Because the attacking host does not attack the target directly, it cannot be detected or tracked, and thus its identity is hard to find.

The DDoS attack module includes the following:

- Fingerprint protection
- SYN flood protection
- UMC log configuration

To access the DDoS protection menu, choose IPS module > DDoS protection, as shown in Figure10-1.

Figure10-1 DDoS protection menu

10.2 SYN flood protection

To enter the SYN flood protection page, choose IPS module > DDoS protection > SYN flood protection page, as shown in Figure

Figure10-2 SYN flood protection

10.3 Fingerprint protection

TCP protection

To enter the TCP protection page, choose IPS module > DDoS protection > Fingerprint > TCP protection, as shown in Figure10-3.

Figure10-3 TCP protection

UDP protection

To enter the UDP protection page, choose IPS module > DDoS > Fingerprint > UDP protection, as shown in Figure10-4.

Figure10-4 UDP protection

ICMP protection

To enter the protect object page, choose IPS module > DDoS protection > Fingerprint > ICMP protection, as shown in Figure10-5.

Figure10-5 Protect object

Other protection

To enter the other protection page, choose IPS module > DDoS protection > Fingerprint protection, as shown in Figure10-6.

Figure10-6 Other protection

Log query

To enter the log query page, choose IPS module > DDoS protection > Fingerprint protection, as shown in Figure10-7.

Figure10-7 Log query

10.4 UMC log configuration

To enter the UMC log configuration page, choose IPS module > DDoS protection > UMC log configuration, as shown in Figure10-8.

Figure10-8 UMC log configuration


More information

SonicOS Enhanced Release Notes

SonicOS Enhanced Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 4 Related Technical Documentation...7 Platform Compatibility The

More information

McAfee Firewall Enterprise epolicy Orchestrator Extension

McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide Revision A McAfee Firewall Enterprise epolicy Orchestrator Extension COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo,

More information

PageScope Net Care Device Manager Ver. 2.0 User s Guide

PageScope Net Care Device Manager Ver. 2.0 User s Guide PageScope Net Care Device Manager Ver..0 User s Guide Net Care Device Manager Contents 1 Summary 1.1 Introduction...1-1 1.1.1 About Device Manager...1-1 Basic and extended functions... 1-1 Configuration

More information

How to Configure a Remote Management Tunnel for an F-Series Firewall

How to Configure a Remote Management Tunnel for an F-Series Firewall How to Configure a Remote Management Tunnel for an F-Series Firewall If the managed NextGen Firewall F-Series cannot directly reach the NextGen Control Center, it must connect via a remote management tunnel.

More information

Wireless LAN Controller Web Authentication Configuration Example

Wireless LAN Controller Web Authentication Configuration Example Wireless LAN Controller Web Authentication Configuration Example Document ID: 69340 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Web Authentication Process

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

VI. Corente Services Client

VI. Corente Services Client VI. Corente Services Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 II. Corente Client Configuration...

More information

Operation Guide for Security NEs Management

Operation Guide for Security NEs Management imanager U2000 Unified Network Management System V100R002C01 Operation Guide for Security NEs Management Issue 03 Date 2010-11-19 HUAWEI TECHNOLOGIES CO., LTD. 2010. All rights reserved. No part of this

More information

SIMATIC NET. Industrial Ethernet Security SCALANCE S615 Getting Started. Preface. Connecting SCALANCE S615 to the WAN 1

SIMATIC NET. Industrial Ethernet Security SCALANCE S615 Getting Started. Preface. Connecting SCALANCE S615 to the WAN 1 Preface Connecting SCALANCE S615 to the WAN 1 SIMATIC NET VPN tunnel between SCALANCE S615 and 2 SINEMA RC Server Industrial Ethernet Security Getting Started 07/2017 C79000-G8976-C390-02 Legal information

More information

RG-WLAN Series Access Point. Web-Based Configuration Guide, Release 11.1(5)B3

RG-WLAN Series Access Point. Web-Based Configuration Guide, Release 11.1(5)B3 RG-WLAN Series Access Point Guide, Release 11.1(5)B3 Copyright Statement Ruijie Networks 2015 Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification,

More information

Infinite Device Management

Infinite Device Management Infinite Device Management Version: Date: 18 04-Dec-2018 15:18 Table of Contents Infinite Device Management Features...................................... 3 Minimal software to install......................................................

More information

Facilities Manager Technical Overview

Facilities Manager Technical Overview Facilities Manager Technical Overview Overview Print Audit Facilities Manager is a powerful, easy to use tool designed to remotely collect meter reads, automate supplies fulfillment and report service

More information

User Manual. MPPTracker. Management Software for Solar Charge Controller. Version: 1.2

User Manual. MPPTracker. Management Software for Solar Charge Controller. Version: 1.2 User Manual MPPTracker Management Software for Solar Charge Controller Version: 1.2 Table of Contents 1. MPPTracker Overview... 1 1.1. Introduction... 1 1.2. Features... 1 2. MPPTracker Install and Uninstall...

More information

H3C SecBlade NetStream Card Configuration Examples

H3C SecBlade NetStream Card Configuration Examples H3C SecBlade NetStream Card Configuration Examples Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any

More information

User and System Administration

User and System Administration CHAPTER 5 This chapter provides information about performing user and system administration tasks in Cisco Prime Network Analysis Module 5.1and generating diagnostic information for obtaining technical

More information

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:

More information

H3C SecPath Series Firewalls and UTM Devices

H3C SecPath Series Firewalls and UTM Devices H3C SecPath Series Firewalls and UTM Devices Attack Protection Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F100 series: ESS 5132 F1000-A-EI: Feature 3722

More information

Table Of Contents. 1. Introduction... 1

Table Of Contents. 1. Introduction... 1 User Manual Table of Content Table Of Contents 1. Introduction... 1 1.1 Brief Introduction to Web Interfaces... 1 1.2 How to Log In... 1 1.3 General Setting... 2 1.3.1 Date and Time Setting... 2 1.3.2

More information

HikCentral Control Client. User Manual

HikCentral Control Client. User Manual HikCentral Control Client User Manual Legal Information User Manual 2018 Hangzhou Hikvision Digital Technology Co., Ltd. About this Manual This Manual is subject to domestic and international copyright

More information

What s New in Fireware v12.3 WatchGuard Training

What s New in Fireware v12.3 WatchGuard Training What s New in Fireware v12.3 2 What s New in Fireware v12.3 Updates to Networking functionality: SD-WAN actions SD-WAN reporting enhancements NetFlow support Link monitor enhancements Centralized FireCluster

More information

Firewall Enterprise epolicy Orchestrator

Firewall Enterprise epolicy Orchestrator Integration Guide McAfee Firewall Enterprise epolicy Orchestrator Extension version 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default.

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default. Week 1 Lab Lab 1: Connect to the Barracuda network. 1. Download the Barracuda NG Firewall Admin 5.4 2. Launch NG Admin 3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

SonicOS Enhanced Release Notes

SonicOS Enhanced Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 5 Related Technical Documentation...8 Platform Compatibility The

More information

IDM Technical Overview

IDM Technical Overview IDM Technical Overview Infinite Device Management Features Minimal software to install Infinite Device Management uses a small software program called the Information Collection Engine to perform periodic

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

FileCruiser. Administrator Portal Guide

FileCruiser. Administrator Portal Guide FileCruiser Administrator Portal Guide Contents Administrator Portal Guide Contents Login to the Administration Portal 1 Home 2 Capacity Overview 2 Menu Features 3 OU Space/Team Space/Personal Space Usage

More information