DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0


Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support. If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. and its sales agent, according to where you purchased the product.

Hangzhou DPtech Technologies Co., Ltd.
Address: 6th floor, zhongcai mansion, 68 tonghelu, Binjiangqu, Hangzhoushi
Address code: 310051

Declaration

Copyright 2013 Hangzhou DPtech Technologies Co., Ltd. All rights reserved.

No part of this manual may be extracted or copied by any company or individual without written permission, nor transmitted by any means.

Owing to product upgrades or other reasons, the information in this manual is subject to change. Hangzhou DPtech Technologies Co., Ltd. has the right to modify the content of this manual. As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. made every effort in the preparation of this document to ensure the accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Table of Contents

CHAPTER 1 LOAD BALANCING
1.1 LINK LOAD BALANCING
1.1.1 INTRODUCTION
1.1.1 LINK INTERFACE CONFIGURATION
1.1.2 LINK HEALTHY CHECK
1.1.3 ISP DOMAIN TABLE
1.1.4 LINK FLUX STATISTIC
CHAPTER 2 ACCESS CONTROL
2.1 RATE LIMITATION
2.1.1 INTRODUCTION TO RATE LIMITATION
2.1.2 RATE LIMIT
2.1.3 SINGLE USER LIMIT
2.1.4 GROUP MANAGEMENT
2.1.5 NETWORK APPLICATION BROWSING
2.2 ACCESS CONTROL
2.2.1 INTRODUCTION TO ACCESS CONTROL
2.2.2 ACCESS CONTROL
2.2.3 GROUP MANAGEMENT
2.2.4 BROWSING
2.3 URL FILTERING
2.3.1 URL CLASSIFICATION FILTERING
2.3.2 CUSTOMIZED URL CLASSIFICATION
2.3.3 ADVANCED URL FILTERING
2.3.4 URL FILTERING PAGE PUSH
2.3.5 TYPICAL CONFIGURATION FOR THE RATE LIMITATION
2.4 SQL INJECTION PROTECTION
CHAPTER 3 VPN
3.1.1 INTRODUCTION TO IPSEC
3.1.2 IPSEC SYSCONFIG
3.1.3 IPSEC POLICY MODE
3.1.4 IPSEC ROUTE MODE
3.1.5 NET PROTECT
3.1.6 SA
3.1.7 IPSEC INTERFACE
3.2 L2TP
3.2.1 INTRODUCTION TO L2TP
3.2.2 L2TP
3.2.3 L2TP USER AUTHENTICATION
3.2.4 L2TP IP POOL
3.2.5 L2TP ONLINE STATUS
3.3 PPTP
3.4 GRE
3.4.1 INTRODUCTION TO THE GRE
3.4.2 GRE CONFIGURATION
3.5 SSL VPN
3.5.1 INTRODUCTION TO SSL VPN
3.5.2 SSL VPN
3.5.3 RESOURCES MANAGEMENT
3.5.4 USER MANAGEMENT
3.5.5 AUTHENTICATION KEY
3.5.6 SECURITY POLICY
3.5.7 LOG MANAGEMENT
CHAPTER 4 ONLINE BEHAVIOR MANAGEMENT
4.1 INTRODUCTION TO ONLINE BEHAVIOR MANAGEMENT
4.2 TRAFFIC ANALYSIS
4.2.1 TRAFFIC ANALYSIS
4.3 BEHAVIOR ANALYSIS
4.3.1 POLICY CONFIGURATION
4.3.2 ADVANCED CONFIGURATION
4.3.3 LOG MANAGEMENT
4.3.4 MAIL DELAY LOG
4.3.5 KEYWORD FILTERING
CHAPTER 5 PORTAL AUTHENTICATION
5.1 INTRODUCTION TO THE PORTAL AUTHENTICATION
5.1.1 AUTHENTICATION CONFIGURATION
5.1.2 WEB AUTHENTICATION NOTICE
5.1.3 WEB LISTEN
5.1.4 PROSCENIUM MANAGEMENT
5.1.5 ONLINE USER
5.1.6 LOCAL ACCOUNT USER
CHAPTER 6 IDS COOPERATION
6.1 INTRODUCTION
6.2 IDS INTEGRATION
6.2.1 DISPLAY IDS COOPERATION LOG
CHAPTER 7 HIGH AVAILABILITY
7.1 VRRP
7.1.1 INTRODUCTION TO VRRP GROUP
7.1.2 MONITORING
7.1.3 BFD OPTION
7.2 HOT STANDBY
7.2.1 HOT STANDBY
7.2.2 HANDWORK SYNCHRONIZATION
7.2.3 BACKUP REBOOT
7.3 INTERFACE SYNCHRONIZATION GROUP

List of Figures

Figure1-1 Link interface configuration
Figure1-2 Link health check
Figure1-3 ISP domain table
Figure1-4 ISP auto update
Figure1-5 Link flux statistic
Figure2-1 Access control menu
Figure2-2 Rate limit
Figure2-3 User group parameter
Figure2-4 Single user limit
Figure2-5 Rate limitation
Figure2-6 Group management
Figure2-7 Network application browsing
Figure2-8 Access control
Figure2-9 Group management
Figure2-10 Network application browsing
Figure2-11 URL classification filtering
Figure2-12 Customize URL classification
Figure2-13 Advanced URL filtering
Figure2-14 Advanced URL filtering configuration
Figure2-15 URL filter page push
Figure2-16 URL page push
Figure2-17 SQL injection prevention
Figure3-1 IPsec sysconfig
Figure3-2 IPsec policy mode
Figure3-3 IPsec route mode
Figure3-4 Net protect
Figure3-5 SA
Figure3-6 IPsec interface
Figure3-7 L2TP configuration
Figure3-8 L2TP user authentication
Figure3-9 L2TP IP pool
Figure3-10 L2TP online status
Figure3-11 PPTP
Figure3-12 GRE configuration
Figure3-13 SSL VPN
Figure3-14 IP pool configuration
Figure3-15 Domain configuration
Figure3-16 License management
Figure3-17 Resource configuration
Figure3-18 Share space
Figure3-19 User configuration
Figure3-20 User status
Figure3-21 Authentication key
Figure3-22 Security set
Figure3-23 Security rule
Figure3-24 Security rule group
Figure3-25 Policy configuration
Figure3-26 Log query
Figure3-27 Log configuration
Figure3-28 Log manage
Figure4-1 Traffic analysis
Figure4-2 Traffic analysis
Figure4-3 Policy configuration
Figure4-4 Advanced configuration
Figure4-5 Advanced configuration
Figure4-6 Mail delay log
Figure4-7 Keyword filtering
Figure4-8 Keyword filtering
Figure4-9 Keyword filtering
Figure5-1 Security center
Figure5-2 Basic authentication
Figure5-3 Webauth configuration
Figure5-4 TAC configuration
Figure5-5 Customer configuration
Figure5-6 Web authentication notice
Figure5-7 Web listen
Figure5-8 Proscenium management
Figure5-9 Hotel user online management
Figure5-10 Online user
Figure5-11 Local Account Authentication
Figure6-1 Display IDS cooperation log
Figure7-1 High availability
Figure7-2 VRRP configuration
Figure7-3 Monitoring
Figure7-4 BFD option
Figure7-5 Hot standby
Figure7-6 Handwork synchronization
Figure7-7 Backup reboot
Figure7-8 Interface synchronization group

List of Tables

Table2-1 User group rate limitation
Table2-2 User group parameter
Table2-3 Single user limit
Table2-4 Single user rate limit
Table2-5 Access control configuration items
Table2-6 URL classification filtering configuration items
Table2-7 Customize URL classification
Table2-8 Advanced URL filtering configuration items
Table2-9 URL filter parameter configuration items
Table2-10 SQL injection protection configuration items
Table3-1 IPsec VPN configuration
Table3-2 IPsec VPN client access mode and gateway-gateway mode
Table3-3 LNS configuration items
Table3-4 LNS configuration items
Table3-5 PNS configuration
Table3-6 Customer information
Table3-7 GRE configuration items
Table3-8 SSL VPN configuration items
Table4-1 Traffic statistic configuration items
Table4-2 Policy configuration
Table4-3 Keyword filtering configuration items
Table4-4 Keyword filtering configuration items
Table4-5 Keyword filtering configuration items
Table5-1 Basic authentication configuration items
Table5-2 Webauth configuration items
Table5-3 TAC configuration items
Table5-4 Customer configuration
Table5-5 Web listen configuration items
Table5-6 Proscenium management
Table5-7 Hotel user online management
Table5-8 Online user
Table5-9 Local account authentication
Table6-1 Display IDS integration log configuration items
Table7-1 VRRP configuration items
Table7-2 Monitor IP address object configuration items
Table7-3 Hot standby details of the hot standby feature
Table7-4 Interface synchronization group

Chapter 1 Load balancing

Load balancing is a cluster technology that shares a specific business workload (such as network services or network traffic) across multiple network devices (including servers, firewalls, etc.) or multiple links, thereby improving business processing capability and ensuring highly reliable service. The link load balancing feature supports multiple operator interfaces and adopts dynamic link load balancing technology, which selects links dynamically and enhances service reliability.

1.1 Link load balancing

1.1.1 Introduction

The link load balancing function establishes multiple egress links according to different operators. This ensures that bandwidth resources are fully utilized and that several links back each other up at the same time, which guarantees stable network operation.

1.1.1 Link interface configuration

To enter the link interface configuration page, choose Probe module > Load balancing > Link load balancing > Link interface configuration, as shown in Figure1-1.

Figure1-1 Link interface configuration

1.1.2 Link healthy check

To enter the link health check configuration page, choose Probe module > Load balancing > Link load balancing > Link healthy check, as shown in Figure1-2.

Figure1-2 Link health check

1.1.3 ISP domain table

1.1.3.1 ISP domain table

To enter the ISP domain table page, choose Probe module > Load balancing > ISP domain table, as shown in Figure1-3.

Figure1-3 ISP domain table

1.1.3.2 ISP auto update

To enter the auto update page, choose Probe module > Load balancing > ISP domain auto update, as shown in Figure1-4.

Figure1-4 ISP auto update

1.1.4 Link flux statistic

To enter the link flux statistic page, choose Probe module > Load balancing > Link flux statistic, as shown in Figure1-5.

Figure1-5 Link flux statistic

Chapter 2 Access control

2.1 Rate limitation

2.1.1 Introduction to rate limitation

Network traffic can be divided into several service types according to network protocol, such as HTTP service, FTP service, and E-mail service. Applying a different rate limit to each service type is called bandwidth rate limitation.

To access the access control menu, choose Probe module > Rate limitation, as shown in Figure2-1.

Figure2-1 Access control menu

2.1.2 Rate Limit

2.1.2.1 Rate limit

To enter the rate limit page, choose Service > Access control > Rate limit > Rate limit, as shown in Figure2-2.

Figure2-2 Rate limit

Table2-1 describes the details of user group rate limitation.

Table2-1 User group rate limitation
Name: Configure a name for the user group rate limitation.
Limit parameter: Configure the limit parameter of the user group rate limitation.
Time: Select a time range. The time range is the valid time of the rate limitation.
Disable: Select whether to enable or disable the operations.
Operation: Click the copy, delete, or insert icon to perform the operation.

To create an entry of the user group limit:
- Configure a name for the user group limit, and then select a status for the rate limitation rule.
- Select a service, and then configure the upstream and downstream parameters for the service.
- Click the Ok button in the upper right corner of the webpage.

2.1.2.2 User group parameter

You can configure the user group parameters, including the net user group, the uplink and downlink rates, and the unit (bps).

Figure2-3 User group parameter

Table2-2 describes the configuration items of the user group parameter.

Table2-2 User group parameter
NetUserGroup: Configure a name for the user group parameter.
Up: Configure the rate for the uplink.
Unit(bps): Select a unit for the uplink rate limit.
Down: Configure the rate for the downlink.
Units(bps): Select a unit for the downlink rate limit.
Operation: Click copy or delete to perform the operation.

2.1.3 Single user limit

To enter the single user limit interface, choose Service > Access control > Rate limitation > Single user limit, as shown in Figure2-4.

Figure2-4 Single user limit

Table2-3 describes the configuration items of single user limit.

Table2-3 Single user limit
Name: Configure a name for the single user limit.
Limit parameter: Select a status for the rate limitation rule. Select a service, and then configure the upstream and downstream parameters for the service.
Time:
Disable: Click the option to disable the user group limitation.
Operation: Click the copy, delete, or insert icon to perform the operation.

To create the rule of the rate limitation:
- Configure a name for the rate limitation rule, and then select a status for the rule.
- Select a service, and then configure the upstream and downstream parameters for the service.
- Click the Ok button in the upper right corner of the webpage.

Figure2-5 Rate limitation

Table2-4 describes the configuration items of the single user rate limit parameter.

Table2-4 Single user rate limit
NetUserGroup: Configure a name for the user group parameter.
Up: Configure the rate for the uplink.
Unit(bps): Select a unit for the uplink rate limit.
Down: Configure the rate for the downlink.
Units(bps): Select a unit for the downlink rate limit.
Operation: Click copy or delete to perform the operation.

Caution:
- Rate limitation limits communication between inside-network and outside-network users; it cannot be used within the same network.
- Rate limitation controls the total bandwidth of all the corresponding network users.
- Rate limitation per IP address controls a single user's network bandwidth.

2.1.4 Group management

To enter the group management page, choose Service > Access control > Rate limitation > Group management, as shown in Figure2-6.

Figure2-6 Group management

2.1.5 Network Application Browsing

To enter the network application browsing interface, choose Service > Access control > Rate limitation > Browsing, as shown in Figure2-7.

Figure2-7 Network application browsing

2.2 Access control

2.2.1 Introduction to access control

The device determines the service to which a received packet belongs according to the packet's application protocol, and blocks all packets of that service.

2.2.2 Access control

To enter the access control page, choose Probe module > Access control > Access control, as shown in Figure2-8.

Figure2-8 Access control

Table2-5 describes the configuration items of access control.

Table2-5 Access control configuration items
Name: Configure a name for the access control rule.
Network application group: Select a name for the network application group.
Action set: Select black list or white list for the access control rule.
Send log: Select whether to enable the send log function.
Operation: Click the copy or delete icon to perform the operation.

To create the access control rule:
- Configure a name for the rule.
- Select a network application group, select an action for the rule, and select whether to enable the send log function.
- Click the Ok button in the upper right corner of the webpage.

Caution:
- Access control restricts network users' communication between the inside network and the outside network, but it cannot restrict network users' communication within the same network.
- Rate limitation limits communication between inside-network and outside-network users; it cannot be used within the same network.

2.2.3 Group management

To enter the group management page, choose Probe module > Access control > Rate limitation > Group management, as shown in Figure2-9.

Figure2-9 Group management

2.2.4 Browsing

To enter the network application browsing page, choose Probe module > Access control > Rate limitation > Browsing, as shown in Figure2-10.

Figure2-10 Network application browsing

2.3 URL Filtering

URL (Uniform Resource Locator) filtering is a webpage filtering function that filters HTTP request packets according to IP address, host name, or regular expression. URL filtering relies on the URL filtering database, which allows users to configure URL filtering rules flexibly.

2.3.1 URL Classification Filtering

To enter the URL classification filtering page, choose Probe module > Access control > URL filtering > Classification, as shown in Figure2-11.

Figure2-11 URL classification filtering

Table2-6 describes the configuration items of the URL classification filtering.

Table2-6 URL classification filtering configuration items
Name: Configure a name for the URL filtering rule.
Filtering classification: Upgrade the signature database to obtain the system classification, or customize your classification. Configure the URL filtering parameter; you can select the customized URL classification.
Black/white list: Select an action for the URL filtering rule.
Send log: Select whether to enable the send log function: Blacklist, White list.
Page push: Select whether to enable the page push function.
Operation: Click the copy or delete icon to perform the operation.

2.3.2 Customized URL Classification

To enter the customized URL classification page, choose Probe module > Access control > URL filtering > Customize, as shown in Figure2-12.

Figure2-12 Customize URL classification

Table2-7 describes the configuration items of the customized URL filtering.

Table2-7 Customize URL classification
Classification name: Configure a name for the URL classification.
URL list: Configure the URL list.
Operation: Click the copy or delete icon to perform the operation.

2.3.3 Advanced URL Filtering

To enter the advanced URL filtering page, choose Probe module > Access control > URL filtering > Advanced URL filtering, as shown in Figure2-13.

Figure2-13 Advanced URL filtering

Table2-8 describes the configuration items of the advanced URL filtering.

Table2-8 Advanced URL filtering configuration items
Name: Configure a name for the advanced URL filtering rule.
Filter parameter: Configure the advanced URL filtering parameter, including:
  IP address: filtering according to the IP address.
  Host name: filtering according to the host name.
  Regular expression: filtering according to the content restricted by the regular expression.
Black/white list: Select an action for the advanced URL filtering rule: Blacklist log, White list log.
Send log: Select whether to enable the send log function.
Operation: Click the copy or delete icon to perform the operation.

To create an advanced URL filtering rule, take the following steps:
- Configure the URL filtering policy and configure a name for the rule.
- Configure the filtering parameter for the rule.
- Select blacklist, and then enable the send log function and the page push function.
- Click the Ok button in the upper right corner of the webpage.

Figure2-14 Advanced URL filtering configuration

Table2-9 describes the configuration items of the filter parameter.

Table2-9 URL filter parameter configuration items
Filter type: Select a type for the filter parameter.
Filter parameter: In the filter parameter column, configure the filter parameter:
  IP address: filtering according to the IP address.
  Host name: filtering according to the host name.
  Regular expression: filtering according to the content restricted by the regular expression.
Operation: Click the copy or delete icon to perform the operation.

2.3.4 URL filtering page push

To enter the URL filtering page push page, choose Probe module > Access control > URL filter page push, as shown in Figure2-15.

Figure2-15 URL filter page push

The URL filter page push allows users to customize the template of the URL push page, as shown in Figure2-16.

Figure2-16 URL page push

2.3.5 Typical configuration for the Rate Limitation

2.3.5.1 Network requirement

On the firewall device, configure rate limitation with the network configuration working in layer 3 interface mode. The marketing department IP segment is 192.168.3.2-192.168.3.10, excluding the IP address 192.168.3.6; the research department IP segment is 192.168.4.0/24, excluding the IP address 192.168.4.8. Then carry out the following operations, and view the logs by using 3CDaemon:
- Allow the marketing department to access IP address 202.202.100.101 and hostname news.sina.com.cn.
- Prohibit the research and development department from accessing websites whose URL contains "sports"; regular expression: sports.*
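The requirement in 2.3.5.1, modelled in Python so the intended verdicts can be checked before the rules are entered on the device. This is an added example, not DPtech code: the rule model, the function names and the list semantics (a white list allows only its entries, a black list blocks only its entries, traffic from addresses outside both groups is not filtered) are assumptions, as is matching the regular expression unanchored against host, path and query.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def ip_range(first, last, exclude=()):
    """Membership test for an inclusive IPv4 range minus excluded hosts."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    skipped = {ipaddress.ip_address(e) for e in exclude}
    return lambda ip: lo <= ip <= hi and ip not in skipped


def subnet(cidr, exclude=()):
    """Membership test for a CIDR block minus excluded hosts."""
    net = ipaddress.ip_network(cidr)
    skipped = {ipaddress.ip_address(e) for e in exclude}
    return lambda ip: ip in net and ip not in skipped


# User groups exactly as stated in section 2.3.5.1.
GROUPS = {
    "marketing": ip_range("192.168.3.2", "192.168.3.10",
                          exclude=["192.168.3.6"]),
    "research": subnet("192.168.4.0/24", exclude=["192.168.4.8"]),
}

# Hypothetical rule model: one advanced URL filtering rule per group, using
# the three filter types the guide lists (IP address, host name, regex).
RULES = {
    "marketing": {"list": "white",
                  "filters": [("ip", "202.202.100.101"),
                              ("host", "news.sina.com.cn")]},
    "research": {"list": "black",
                 "filters": [("regex", r"sports.*")]},
}


def filter_matches(kind, value, url):
    """Return True if one filter parameter matches the requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if kind in ("ip", "host"):
        return host == value.lower()
    if kind == "regex":
        # Assumption: unanchored search over host + path + query.
        target = host + parts.path
        if parts.query:
            target += "?" + parts.query
        return re.search(value, target) is not None
    raise ValueError(f"unknown filter type: {kind}")


def decide(src_ip, url):
    """Return (group, verdict) for an HTTP request from src_ip to url."""
    ip = ipaddress.ip_address(src_ip)
    for group, is_member in GROUPS.items():
        if not is_member(ip):
            continue
        rule = RULES[group]
        hit = any(filter_matches(k, v, url) for k, v in rule["filters"])
        if rule["list"] == "white":
            return group, "allow" if hit else "block"
        return group, "block" if hit else "allow"
    return None, "allow"  # excluded or unknown address: no rule applies


if __name__ == "__main__":
    for src, url in [
        ("192.168.3.5", "http://news.sina.com.cn/world/"),
        ("192.168.3.6", "http://example.com/"),
        ("192.168.4.20", "http://example.com/sports/scores"),
        ("192.168.4.20", "http://example.com/transports/timetable"),
    ]:
        print(src, url, decide(src, url))
```

The last sample shows a side effect of the unanchored pattern sports.*: a URL containing "transports" is blocked as well, which is worth testing for before a black list rule goes live.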

2.4 SQL injection protection

SQL injection is a technique often used to attack databases through a website. A SQL injection attack reaches the website through the normal WWW port and looks like ordinary webpage access, so a firewall device does not raise an alarm for it; if an administrator does not review the IIS log, a SQL injection may go undetected for a long time. SQL injection protection is therefore especially important.

To enter the SQL injection protection page, choose Probe module > Access control > SQL injection protection, as shown in Figure2-17.

Figure2-17 SQL injection prevention

Table2-10 describes the configuration items of the SQL injection protection.

Table2-10 SQL injection protection configuration items
Name: Configure a name for the SQL injection protection rule.
Exceptional interface: Configure the exceptional interface.
Exceptional parameter: Configure the exceptional parameter.
Action: Select an action for the rule, including warning and block.
Operation: Click the copy or delete icon to perform the operation.
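Section 2.4 notes that injection attempts stay unnoticed when nobody reviews the IIS log. The following added example (not DPtech code) scans IIS W3C log lines for two common injection signatures and applies a rule shaped like Table2-10. The log lines are constructed, the two signatures are a minimal illustrative set, and treating "exceptional parameter" as a request parameter name that is exempt from inspection is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C extended log sample (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-05-02 09:14:01 192.168.3.5 GET /news/item.asp id=42 200
2013-05-02 09:14:07 10.0.0.77 GET /news/item.asp id=42'+OR+'1'='1 200
2013-05-02 09:15:22 10.0.0.77 GET /news/item.asp id=42+UNION+SELECT+1,2-- 500
2013-05-02 09:16:40 192.168.4.20 GET /search.asp q=union+select+syntax 200
2013-05-02 09:17:03 192.168.4.20 GET /search.asp q=union+select+syntax&page=1'+or+'1'='1 200
"""

# Minimal signature set, applied to the URL-decoded parameter value.
SIGNATURES = {
    # a quote followed by OR/AND and a comparison, e.g.  ' OR '1'='1
    "tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    # UNION [ALL] SELECT appended to the original query
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

# Hypothetical rule mirroring Table2-10: name, exceptional parameter, action.
RULE = {
    "name": "web-sqli",
    "exceptional_parameters": {"q"},  # free-text search box, exempted
    "action": "block",                # "warning" or "block"
}


def scan(log_text, rule):
    """Return (client_ip, uri_stem, parameter, signature, action) tuples."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for following records
            continue
        if not line.strip() or line.startswith("#"):
            continue
        record = dict(zip(fields, line.split()))
        query = record.get("cs-uri-query", "-")
        if query == "-":                # IIS logs "-" for an empty query
            continue
        # parse_qsl decodes "+" and %xx, so signatures see the real value.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if param in rule["exceptional_parameters"]:
                continue
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append((record["c-ip"], record["cs-uri-stem"],
                                     param, sig_name, rule["action"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, RULE):
        print(finding)
```

The exemption is per parameter: in the last sample line the exempted q is skipped, but page in the same request is still inspected and reported.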

Chapter 3 VPN

A virtual private network (VPN) is a private network that interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. VPNs provide security through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to securely connect the branch offices of an organization to a head office network through the public Internet.

- IPsec
- L2TP
- PPTP
- GRE

3.1.1 Introduction to IPsec

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.

3.1.2 IPsec sysconfig

To enter the IPsec sysconfig page, choose Probe module > VPN > IPsec > IPsec sysconfig, as shown in Figure3-1.

Figure3-1 IPsec sysconfig

Table3-1 describes the configuration items of the IPsec VPN configuration.

Table3-1 IPsec VPN configuration
Enable IPsec: Select whether to enable the IPsec function.
Advanced configuration:
  Select whether to enable the NAT traverse function.
  Select whether to enable the NAT session keepalive mechanism, and configure the interval for sending NAT session keepalive packets (default is 20 Sec).
  Select whether to use IPsec acceleration.
  Select whether to enable the layer 2 IPsec.
  Select whether to enable UDP checksum.
  Select a mode for the route add mode (this configuration takes effect after IPsec is restarted).

Table3-2 describes the configuration items of the IPsec VPN client access mode and gateway-gateway mode.

Table3-2 IPsec VPN client access mode and gateway-gateway mode
Connection Name: Displays the name of the IPsec rule.
Bind Interface
Advanced Configuration
Status: Displays the status of the IPsec rule.
Local IP Address: Displays the local IP address for the IPsec rule.
Remote IP address: Displays the remote IP address for the IPsec rule.
Local Device ID:
  Auto: (The system auto-selects the local IP address as the local device ID)
  Host Name: (Required when NAT traverse is configured)
  IP Address: (Manually input any IP address on the local device as the local ID)
  Local Certificate ID Alias: (Required when it is required to strictly check the validity of the remote certification ID alias)
Remote device ID:
  Auto: (The system auto-selects the local IP address as the local device ID)
  Host Name: (Required when NAT traverse is configured)
  IP Address: (Manually input any IP address on the local device as the local ID)
  Local Certificate ID Alias: (Required when it is required to strictly check the validity of the remote certification ID alias)
Client ID: Configure the client ID number.
Subnets Available to the clients: List the encryption protection subnets available to the clients.
Authentication Mode: Four kinds of authentication method are provided, including:
  Pre-shared key
  Digital Certificate: usercert.cer (select the local certificate for certificate authentication)
  Xauth Authentication
  Assign private IP address for clients
Advanced configuration: Click the pencil icon to enter the advanced configuration interface, including:
  Negotiation mode
  IPsec Encryption Failed Action
  IPsec Security Protocol
  IKE Security Proposal
  IPsec Security Proposal
Operation: Click the copy or delete icon to perform the operation.

To configure the IPsec VPN client access mode, take the following steps:
- Configure a correct name for the IPsec rule.
- Select the Enable status for the rule.
- Configure the local IP address. Example: 10.66.0.11
- Configure the local device ID by selecting one of the four obtaining methods according to your requirement. Example: auto
- Configure the client ID by selecting one of the four obtaining methods according to your requirement. Example: auto
- Add the encryption protection subnets available to the clients.
- Configure the authentication method by selecting one of the four options according to your requirement. Example: pre-shared key 1234.
- Configure the advanced configuration.
- After you have finished the above steps, click the Ok button in the upper right corner.

To configure the IPsec VPN gateway-gateway mode:
- Configure a correct name for the IPsec rule.
- Select the Enable status for the rule.
- Configure the local IP address. Example: 10.66.0.11
- Configure the remote IP address. Example: 10.66.0.12
- Configure the local device ID by selecting one of the four obtaining methods according to your requirement. Example: auto
- Configure the remote device ID by selecting one of the four obtaining methods according to your requirement. Example: auto
- Configure an IP segment for the source IP address of packets (example: 1.1.1.0/24) and an IP segment for the destination IP address of packets (example: 2.2.2.0/24).
- Configure the authentication method by selecting one of the two options according to your requirement. Example: pre-shared key 1234.
- After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

3.1.3 IPsec policy mode

To enter the IPsec policy mode page, choose Probe module > VPN > IPsec > IPsec policy mode, as shown in Figure3-2.

Figure3-2 IPsec policy mode

3.1.4 IPsec route mode

To enter the IPsec policy mode page, choose Probe module > VPN > IPsec > IPsec policy mode, as shown in Figure3-3.

Figure3-3 IPsec route mode

3.1.5 Net protect

To enter the Net protect page, choose Probe module > VPN > IPsec > Net protect, as shown in Figure3-4.

Figure3-4 Net protect

3.1.6 SA

To enter the SA page, choose Probe module > VPN > IPsec > SA, as shown in Figure3-5.

Figure3-5 SA

3.1.7 IPsec interface

To enter the IPsec page, choose Probe module > VPN > IPsec > IPsec interface, as shown in Figure3-6.

Figure3-6 IPsec interface

3.2 L2TP

3.2.1 Introduction to L2TP

L2TP is a standard Internet tunneling protocol similar to PPTP, and both can encrypt the network data stream. The differences are: PPTP requires an IP network, whereas L2TP only requires a packet-oriented point-to-point connection; PPTP uses a single tunnel, whereas L2TP uses multiple tunnels; and L2TP provides packet header compression and tunnel verification, which PPTP does not support.

3.2.2 L2TP

To enter the L2TP configuration page, click Probe module > VPN > L2TP, as shown in Figure3-7.

Figure3-7 L2TP configuration

Table3-3 describes the configuration items of LNS.

Table3-3 LNS configuration items
Tunnel name: Displays the tunnel name of the LNS rule.
Tunnel interface IP: Configure the IP address of the tunnel interface.
PPP authentication mode: Select an option from the PPP authentication mode drop-down list, such as CHAP, PAP, MSCHAP, and MSCHAPV2.
Client IP address range: Configure the client IP address range; local tunnel IP addresses are allocated from this address pool.
Advanced configuration: Click the modify icon to configure the advanced configuration.
Operation: Click the delete icon to delete the rule.

Table3-4 describes the configuration items of the LAC.

Table3-4 LNS configuration items
Enable L2TP: Displays whether to enable the L2TP function.
Tunnel Name: Displays the tunnel name.
Remote LNS IP: Displays the remote LNS.
Trigger Mode: Displays the IP trigger mode.
Advanced Configuration: Displays the advanced configuration.

To batch import the configuration, click the Browse button, select the path of the configuration file in the pop-up window, and click Import.

To export the configuration, click Export, then click the Save as button, select a file path for the configuration file, and click the Save button.

3.2.3 L2TP user authentication

To enter the L2TP configuration page, choose Probe module > VPN > L2TP, as shown in Figure3-8.

Figure3-8 L2TP user authentication

3.2.4 L2TP IP pool

To enter the L2TP IP pool page, choose Probe module > VPN > L2TP IP pool, as shown in Figure3-9.

Figure3-9 L2TP IP pool

3.2.5 L2TP online status

To enter the L2TP online status page, choose Probe module > VPN > L2TP online status, as shown in Figure3-10.

Figure3-10 L2TP online status

3.3 PPTP

Point-to-Point Tunneling Protocol (PPTP) is a technology that supports multi-protocol VPNs and works at layer 2.

To enter the PPTP configuration page, choose Probe module > VPN > PPTP, as shown in Figure3-11.

Figure3-11 PPTP

Table3-5 describes the configuration items of the PNS configuration.

Table3-5 PNS configuration
Tunnel name: Displays the name of the tunnel.
Local tunnel IP: Configure the local tunnel IP address.
PPP authentication mode: Select the PPP authentication method.
Client IP address range: Configure the start IP address of the IP address pool and the size of the IP address pool.
DNS server: Configure the DNS server address.

Operation: Click the delete icon to delete the PNS configuration.

Table3-6 describes the configuration items of the customer configuration.

Table3-6 Customer information
User name: Configure a user name for the customer information.
Password: Configure the corresponding password for the user name.
Confirm password: Configure the configuration password.
Operation: Click the copy or delete icon to perform the operation.

3.4 GRE

3.4.1 Introduction to the GRE

Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol. A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets.

3.4.2 GRE configuration

To enter the GRE configuration page, choose Probe module > VPN > GRE, as shown in Figure3-12.

Figure3-12 GRE configuration

Table3-7 describes the configuration items of GRE.

Table3-7 GRE configuration items
Tunnel interface NO: Configure the GRE tunnel interface number (the number is from 1 to 64).
Tunnel interface IP address: Configure the GRE tunnel interface IP address.
Tunnel source interface/ip address: Displays the GRE tunnel source interface IP address; select the tunnel interface or the corresponding IP address.
Tunnel destination IP address: IP address of the remote device in the GRE configuration.
Advanced configuration: Configure the advanced configuration, including MTU discovery, checksum checkout and tunnel key.
Operation: Click the copy or delete icon to perform the operation.

To configure the GRE VPN rule:
- Configure a name corresponding to the GRE rule.
- Configure the tunnel IP address (example: 6.6.6.1/24).
- Configure the tunnel source interface/ip address (example: 10.66.0.12 or eth0_7).
- Configure the tunnel destination IP address, such as 6.6.6.2/24.
- Configure the advanced configuration, including MTU discovery, checksum checkout and tunnel key.
- After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

3.5 SSL VPN

3.5.1 Introduction to SSL VPN

SSL VPN is the simplest and safest technology for giving remote users access to sensitive company data. Compared with the complicated IPsec VPN, SSL VPN uses a simple method to realize the remote connection. Any computer with a browser can use SSL VPN, because SSL VPN is embedded in the browser and doesn't require you to set up client software on every host as traditional IPsec VPN does.

3.5.2 SSL VPN

3.5.2.1 Basic configuration

To enter the basic configuration page, choose Probe module > VPN > SSL VPN, as shown in Figure3-13.

Figure3-13 SSL VPN

Table3-8 describes the configuration items of the SSL VPN.

Table3-8 SSL VPN configuration items
- Enable SSL VPN server
- Select a digital certificate for the server
- Select the CA digital certificate
- Select whether to enable the client certificate authentication.
- Advanced configuration
- User login port number configuration
- Allow user to access the interface configuration
- Maximum user number
- Free authentication configuration.
- Select whether to allow access VPN only.

3.5.2.2 IP pool configuration

To enter the IP pool configuration page, choose Probe module > VPN > SSL VPN > IP pool configuration, as shown in Figure3-14.

Figure3-14 IP pool configuration

3.5.2.3 Domain configuration

To enter the domain configuration page, choose Probe module > VPN > SSL VPN > IP pool configuration, as shown in Figure3-15.

Figure3-15 Domain configuration

3.5.2.4 License management

To enter the license management page, choose Probe module > VPN > SSL VPN > License management, as shown in Figure3-16.

Figure3-16 License management

3.5.3 Resources management

3.5.3.1 Resource configuration

To enter the resource configuration page, choose Probe module > VPN > SSL VPN > Resource, as shown in Figure3-17.

Figure3-17 Resource configuration

3.5.3.2 Share space

To enter the share space page, choose Probe module > VPN > SSL VPN > Share space, as shown in Figure3-18.

Figure3-18 Share space

3.5.4 User management

3.5.4.1 User management

To enter the share space page, choose Probe module > VPN > SSL VPN > Share space, as shown in Figure3-19.

Figure3-19 User configuration

3.5.4.2 User status

To enter the user status page, choose Probe module > VPN > SSL VPN > User status, as shown in Figure3-20.

Figure3-20 User status

3.5.5 Authentication key

To enter the authentication key page, choose Probe module > VPN > SSL VPN > Authentication key, as shown in Figure3-21.

Figure3-21 Authentication key

3.5.6 Security policy

3.5.6.1 Security set

To enter the security set page, choose Probe module > VPN > SSL VPN > Security set, as shown in Figure3-22.

Figure3-22 Security set

3.5.6.2 Security rule

To enter the security rule page, choose Probe module > VPN > SSL VPN > Security rule, as shown in Figure3-23.

Figure3-23 Security rule

3.5.6.3 Security rule group

To enter the security rule group page, choose Probe module > VPN > SSL VPN > Security rule group, as shown in Figure3-24.

Figure3-24 Security rule group

3.5.6.4 Policy configuration

To enter the policy configuration page, choose Probe module > VPN > SSL VPN > Policy configuration, as shown in Figure3-25.

Figure3-25 Policy configuration

3.5.7 Log management

3.5.7.1 Log query

To enter the log query page, choose Probe module > VPN > SSL VPN > Log query, as shown in Figure3-26.

Figure3-26 Log query

3.5.7.2 Log configuration

To enter the log configuration page, choose Probe module > VPN > SSL VPN > Log configuration, as shown in Figure3-27.

Figure3-27 Log configuration

3.5.7.3 Log manage

To enter the log manage page, choose Probe module > VPN > SSL VPN > Log manage, as shown in Figure3-28.

Figure3-28 Log manage

Chapter 4 Online behavior management

4.1 Introduction to online behavior management

The online behavior management module provides the following features:
- Traffic analysis
- Behavior analysis

- Keyword filtering

To view the online behavior management menu, choose Probe module > Behavior > Traffic analysis, as shown in Figure4-1.

Figure4-1 Traffic analysis

4.2 Traffic analysis

4.2.1 Traffic analysis

To enter the traffic analysis page, choose Probe module > Behavior > Traffic analysis, as shown in Figure4-2.

Figure4-2 Traffic analysis

Table4-1 describes the configuration items of traffic statistic.

Table4-1 Traffic statistic configuration items
Interface traffic statistics: Select whether to enable the interface traffic statistic.
Traffic statistics per IP address: Select whether to enable the traffic statistics per IP address function, and configure the sending interval and network user group.
Exception web config: Configure the exception website.

4.3 Behavior Analysis

4.3.1 Policy configuration

To enter the policy configuration page, choose Probe module > Behavior > Behavior analysis > Policy configuration, as shown in Figure4-3.

Figure4-3 Policy configuration

Table4-2 describes the details of policy configuration.

Table4-2 Policy configuration
Policy name: Displays the name of the behavior analysis policy.
User/User group: Select a user or a user group for the behavior analysis policy.
Configure audit object: Allows you to select behavior analysis objects.
Save details: Allows you to select the objects whose details are saved.
Operation: Click the copy or delete icon to perform the operation.

To create a behavior analysis policy:
- Enter a name for the behavior analysis policy.
- Select a user or a user group for the behavior analysis policy.
- In the save detail column, select one or several items of the behavior analysis policy.
- After you finish the above steps, click the Ok button in the upper right corner.

4.3.2 Advanced configuration

To enter the advanced configuration page, choose Probe module > Behavior > Behavior analysis > Advanced configuration, as shown in Figure4-4.

Figure4-4 Advanced configuration

4.3.3 Log management

To enter the log management page, choose Probe module > Behavior > Behavior analysis > Advanced configuration, as shown in Figure4-4.

Figure4-5 Advanced configuration

4.3.4 Mail delay log

To enter the mail delay log page, choose Probe module > Behavior > Behavior analysis > Mail delay log, as shown in Figure4-4.

Figure4-6 Mail delay log

4.3.5 Keyword Filtering

4.3.5.1 Keyword Filtering

To enter the keyword filtering page, choose Probe module > Behavior > Keyword filtering, as shown in Figure4-7.

Figure4-7 Keyword filtering

Table4-3 describes the configuration items of the keyword filtering function.

Table4-3 Keyword filtering configuration items
Name: Enter a name for the keyword filtering rule.
Action: Select an action for the keyword filtering rule, including warning or block.
Operation: Click the copy or delete icon to perform the operation.

To create a keyword filtering rule, you should:

- Enable the keyword filtering function.
- Enter a name for the keyword filtering rule.
- Select an action for the rule.
- Click the Ok button in the upper right corner of the webpage.

4.3.5.2 Latest Log

To enter the latest log page, choose Probe module > Behavior > Keyword filtering, as shown in Figure4-7.

Figure4-8 Keyword filtering

Table4-3 describes the configuration items of the keyword filtering function.

Table4-4 Keyword filtering configuration items
Name: Enter a name for the keyword filtering rule.
Action: Select an action for the keyword filtering rule, including warning or block.
Operation: Click the copy or delete icon to perform the operation.

To create a keyword filtering rule, take the following steps:
- Enable the keyword filtering function.
- Enter a name for the keyword filtering rule.
- Select an action for the rule.
- Click the Ok button in the upper right corner of the webpage.

4.3.5.3 Search and delete logs

To enter the latest log page, choose Probe module > Behavior > Keyword filtering, as shown in Figure4-7.

Figure4-9 Keyword filtering

Table4-3 describes the configuration items of the keyword filtering function.

Table4-5 Keyword filtering configuration items
Name: Enter a name for the keyword filtering rule.
Action: Select an action for the keyword filtering rule, including warning or block.
Operation: Click the copy or delete icon to perform the operation.

Chapter 5 Portal Authentication

5.1 Introduction to the Portal Authentication

Portal authentication provides several authentication mechanisms, which allow users to authenticate with their user name and password before accessing the Internet.
- Authentication Config
- Web Auth Notice
- Behavior Listen
- Proscenium Management
- Online User
- Local User

To enter the user authentication menu, choose Probe module > User authentication, as shown in Figure5-1.

Figure5-1 Security center

5.1.1 Authentication Configuration

5.1.1.1 Basic authentication

To enter the basic authentication page, choose Probe module > User authentication > Basic authentication, as shown in Figure5-2.

Figure5-2 Basic authentication

Table5-1 describes the details of basic authentication.

Table5-1 Basic authentication configuration items description
Web auth: Allows you to enable or disable the web auth function.
Terminal auth: Allows you to enable or disable the terminal auth function.
Avoid auth IP: Allows you to set the free authentication IP address.
User group: Allows you to select a user group.
Auth mode: Allows you to select and configure the authentication mode.
Unique authentication: Allows you to select whether to enable the unique authentication function.
User aging time: Allows you to set the user aging time.
Quick offline: Allows you to select whether to enable the quick offline function.

5.1.1.2 Webauth Configuration

To enter the webauth configuration page, choose Probe module > User authentication > Webauth configuration, as shown in Figure5-3.

Figure5-3 Webauth configuration

Table5-2 describes the configuration items of webauth configuration.

Table5-2 Webauth configuration items
NAT traverse configuration: Allows you to configure the NAT traverse configuration, including authenticated protocol configuration and authentication policy configuration.
Login state: Allows you to select whether to show the login state window.
Notice: Allows you to select the no notice, web auth notice or URL address option for web authentication.
Enable proxy authentication: Allows you to use a proxy server to authenticate web users and to configure the proxy server IP address.
HTTP/HTTPS: Allows you to enable the authenticate HTTP/HTTPS configuration.
Using USB key: Allows you to enable the usbkey authentication function (importing the certificate and the corresponding CA, and a reboot, are required for it to take effect).
Temporary user login: Allows you to enable the temporary user login function.
Tem background photo: Allows you to select the background image.
Login interface image: Allows you to select the login interface image.
Get MAC: Allows you to enable the get MAC function, which gets the MAC from SNMP.

5.1.1.3 TAC configuration

To enter the TAC configuration page, choose Probe module > User authentication > Webauth configuration > TAC configuration, as shown in Figure5-4.

Figure5-4 TAC configuration

Table5-3 describes the configuration items of TAC.

Table5-3 TAC configuration items
Management server IP address: Configure an IP address for the management server.
Client download URL: Type the client download URL for the TAC configuration.
MAC match: Select whether to enable the MAC match function.
Aged by traffic: Select whether to enable the aged by traffic function.
User group: Select a user group for the TAC configuration.

5.1.1.4 Customer Configuration

To enter the customer configuration page, choose Probe module > User authentication > Webauth configuration > Customer configuration, as shown in Figure5-5.

Figure5-5 Customer configuration

Table5-4 describes the configuration items of the customer configuration.

Table5-4 Customer configuration
Login page: Select the page that the login page will skip to. Options: Default / Upload the return page / URL address (http://www.baidu.com).
Customize web authentication interface: Allows you to customize the web authentication interface.

5.1.2 Web Authentication Notice

To enter the web authentication notice page, choose Probe module > User authentication > Web authentication notice, as shown in Figure5-6.

Figure5-6 Web authentication notice

Table5-5 describes the configuration items of web listen.

Table5-5 Web listen configuration items
Serial number: Displays the sequence number of the web auth notice.
Title: Configure the title of the notice.
Content: Configure the notice content.
Operation: Click the copy or delete icon to perform the operation.

5.1.3 Web Listen

If the web authentication function isn't enabled, you can enable the web listen function for user authentication.

To enter the web listen page, choose Probe module > User authentication > Web listen, as shown in Figure5-7.

Figure5-7 Web listen

5.1.4 Proscenium Management

To enter the proscenium management page, choose Probe module > User authentication > Portal authentication, as shown in Figure5-8.

Figure5-8 Proscenium management

Table5-6 describes the configuration items of the proscenium management.

Table5-6 Proscenium management
Proscenium administrator: Configure the user name for the proscenium administrator.
Password: Configure the password for the proscenium administrator.
Access address of proscenium: Configure the device bridge interface IP address or WAN interface address.
Email address (addressee): Configure the e-mail address of the mail receiver (addressee).
Operation: Copy or delete the proscenium administrator configuration by clicking the copy icon or delete icon. Click the e-mail icon to send an e-mail to the specific proscenium administrator.

To configure the proscenium management configuration:
- In the operation column, click the copy icon.
- Configure the proscenium administrator.
- Configure the proscenium administrator's password.
- Configure the access address of the proscenium, which is the WAN interface address or bridge address of the device.
- After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

After you have configured the proscenium configuration, click the email button so that the proscenium administrator receives an email containing the user name, password and URL.

When you log into the online management interface, you can create user information, as shown in Figure5-9.

Figure5-9 Hotel user online management

Table5-7 describes the configuration items of the hotel user online management.

Table5-7 Hotel user online management
User name: Displays the user name of the online user.
Password: Configure the password of the online user.
Room number of the user: Room number of the user.

Real name of the user: Real name of the user.
Identification card: Configure the identification card number of the user.
Operation: Allows you to modify, add or delete an administrator.

To configure the hotel user online management:
- In the operation column, click the copy icon.
- Configure the user name for the hotel user.
- Configure the password for the hotel user.
- Configure the room number for the hotel user.
- Configure the real name for the hotel user.
- Configure the identification number of the hotel user.
- After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

5.1.5 Online User

After a user is authenticated, the user's authentication information is displayed on the online user interface.

To enter the online user page, choose Service > User authentication > Portal authentication > Online user, as shown in Figure5-10.

Figure5-10 Online user

Table5-8 describes the details of the online user.

Table5-8 Online user
Username: Displays the user name of the authentication user.
IP: Displays the IP address of the authentication host.
Enter net time: Displays the time when the authentication user is online.
Operation: Click the icon to forcibly log out an administrator on the online user page.

5.1.6 Local account user

5.1.6.1 Local account authentication user

Local account authentication user is mainly used to authenticate and manage local users.

To enter the local authentication user page, choose Service > User authentication > Portal > Local authentication user, as shown in Figure5-11.

Figure5-11 Local Account Authentication

Table5-9 describes the configuration items of the local account authentication.

Table5-9 Local account authentication
Username: Configure a user for the local authentication user.
Password: Configure a password for the local authentication user.
Repeat password: Configure the confirm password for the local authentication user.
User account group: Select the user account group for the local authentication user.
Real name group: Select the real name group for the local authentication user.
Status: Select the Normal status or Locked status for the local authentication user.
Description: Configure the local authentication user description.
Operation: Click the copy icon or delete icon to perform the operation.

To configure a local authentication user:
- Configure a name for the local authentication user.
- Configure the password for the local authentication user.
- Configure the repeat password for the local authentication user.
- Select the user account group and select the real name user group.

- Configure the description for the local account user.
- Select Normal status or Locked status for the authentication user.
- Click the Ok button in the upper right corner of the webpage.

To import or export local authentication users in batch:
- Click the Browse button and select a file from your local system.
- Click the Import button.

To query local authentication users in batch:
- Enter the username or description you want to query.
- Click the Search button.

Chapter 6 IDS cooperation

6.1 Introduction

The firewall device provides an IDS cooperation function so that it can work together with an IDS device. The IDS device inspects network traffic and, if attacks exist, sends SNMP Trap information to the firewall device with blocking information, including the source IP address and destination IP address of the packets. When the IDS cooperation function is enabled, the firewall receives the SNMP Trap information and generates a blocked entry for the follow-up traffic.

6.2 IDS Integration

6.2.1 Display IDS cooperation log

To enter the display IDS cooperation log page, choose Service > IDS integration > Display IDS cooperation log, as shown in Figure6-1.

Figure6-1 Display IDS cooperation log

Table6-1 describes the configuration items of the display IDS integration log.

Table6-1 Display IDS integration log configuration items
Serial number: Displays the serial number of the IDS integration log.
Source IP: Displays the source IP address of the attack event.
Destination IP: Displays the destination IP address of the attack event.
Whether or not bidirectional: Displays the direction of the attack event.
Valid time (Second): Displays the valid time of the IDS integration.
Time stamp: Displays the time stamp of the attack event.
Operation: Click the copy icon or delete icon to perform the operation.
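The blocking behaviour described in 6.1, using the fields of Table6-1, modelled as an added Python example; it is not DPtech code and does not describe the device's implementation. The sender allow-list, the protected-address list, MAX_VALID_TIME and all class and function names are assumptions of this example, and notifications are passed in as already-decoded fields rather than parsed from SNMP.

```python
from dataclasses import dataclass
from ipaddress import ip_address

MAX_VALID_TIME = 3600  # assumed cap in seconds, not a documented device limit


@dataclass(frozen=True)
class BlockEntry:
    """One row of the cooperation log, using the Table6-1 fields."""
    serial: int
    src: str
    dst: str
    bidirectional: bool
    valid_time: int    # seconds the entry stays in force
    timestamp: float   # time the notification was accepted

    def active(self, now):
        return now < self.timestamp + self.valid_time

    def matches(self, src, dst):
        if (src, dst) == (self.src, self.dst):
            return True
        return self.bidirectional and (src, dst) == (self.dst, self.src)


class BlockTable:
    def __init__(self, trusted_ids, protected=()):
        # Assumption: block requests are honoured only from configured IDS
        # addresses, and traffic sent by protected hosts is never dropped.
        self.trusted_ids = {str(ip_address(a)) for a in trusted_ids}
        self.protected = {str(ip_address(a)) for a in protected}
        self.entries = []
        self._serial = 0

    def handle_notification(self, sender, fields, now):
        """Return the BlockEntry created, or None if the request is rejected.

        `fields` holds values already decoded from the trap.
        """
        try:
            if str(ip_address(sender)) not in self.trusted_ids:
                return None
            src = str(ip_address(fields["src"]))
            dst = str(ip_address(fields["dst"]))
            valid = int(fields["valid_time"])
        except (KeyError, TypeError, ValueError):
            return None
        bidir = fields.get("bidirectional", False) is True
        if valid <= 0 or src in self.protected:
            return None
        if bidir and dst in self.protected:
            return None
        self._serial += 1
        entry = BlockEntry(self._serial, src, dst, bidir,
                           min(valid, MAX_VALID_TIME), now)
        self.entries.append(entry)
        return entry

    def is_blocked(self, src, dst, now):
        """Decide whether a follow-up packet src -> dst must be dropped."""
        self.entries = [e for e in self.entries if e.active(now)]  # age out
        s, d = str(ip_address(src)), str(ip_address(dst))
        return any(e.matches(s, d) for e in self.entries)


def demo():
    # Constructed sample data: 192.0.2.10 plays the IDS, 10.66.0.1 a gateway.
    table = BlockTable(trusted_ids=["192.0.2.10"], protected=["10.66.0.1"])
    table.handle_notification(
        "192.0.2.10",
        {"src": "198.51.100.7", "dst": "10.66.0.11", "valid_time": 60},
        now=1000.0)
    return [
        table.is_blocked("198.51.100.7", "10.66.0.11", now=1030.0),  # in force
        table.is_blocked("10.66.0.11", "198.51.100.7", now=1030.0),  # reverse
        table.is_blocked("198.51.100.7", "10.66.0.11", now=1060.0),  # aged out
    ]


if __name__ == "__main__":
    print(demo())
```

A unidirectional entry drops only packets from the reported source to the reported destination, and every entry stops matching once its valid time has elapsed.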

Chapter 7 High Availability

7.1 VRRP

The high availability module provides the following features:
- VRRP
- Hot standby
- Interface synchronization group

To enter the VRRP page, choose Probe module > High availability > VRRP, as shown in Figure7-1.

Figure7-1 High availability

7.1.1 Introduction to VRRP Group

During data communication, software and hardware errors may cause network disconnection and data transmission failure. To avoid this, the DPtech Probe service board module provides Virtual Router Redundancy Protocol (VRRP) technology, a backup solution for communication line or device failure, which keeps data communication running smoothly and enhances network robustness and availability.

VRRP enhances the availability of the connection between the local network and outside networks, and is suited to local area networks that support multicast and broadcast (such as Ethernet). Several devices form a backup group that provides one exit gateway for the local network and is transparent inside the local network. If an FW device in the backup group fails, it is replaced by another device, so local hosts keep working without any modification, which greatly enhances network communication availability.

To enter the VRRP page, choose Probe module > High availability > VRRP, as shown in Figure7-2.