H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)

Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.
Contents

Introduction
Prerequisites
Example: Configuring the firewall to generate and send logs to IMC Firewall Manager
  Network requirements
  Software version used
  Configuration restrictions and guidelines
  Configuration procedures
    Configuring the firewall
    Adding the firewall to IMC Firewall Manager
  Verifying the configuration
    Displaying system logs
    Displaying interzone policy logs
    Displaying flow logs
  Complete CLI configuration
Related documentation
Introduction

This document provides examples for configuring the firewall to generate flow logs and system logs and to send the logs to a log host installed with IMC Firewall Manager.

Prerequisites

This document is not restricted to specific software or hardware versions. The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of the following features:
- NAT
- Security zones
- Inter-zone policies
- Information center
- Flow logging
- SNMP

Example: Configuring the firewall to generate and send logs to IMC Firewall Manager

Network requirements

As shown in Figure 10:
- The host accesses the Internet through the firewall.
- The firewall performs network address translation for the host.
- IMC Firewall Manager is deployed on the log server at 192.168.250.13/24.

Configure the firewall to perform the following operations:
- Generate flow logs and inter-zone policy logs.
- Send system logs and flow logs to IMC Firewall Manager for analysis.
Figure 10 Network diagram

Software version used

This configuration example was created and verified on SecPath F5000-A5 Feature 3213.

Configuration restrictions and guidelines

When you configure the firewall to send logs to IMC Firewall Manager, follow these restrictions and guidelines:
- Make sure the information center is enabled by using the info-center enable command. By default, the information center is enabled.
- You can export flow logs to log hosts or to the information center, but not both. If you configure both methods, the system exports flow logs to the information center.
- In the Web interface, to configure the firewall to export flow logs to IMC Firewall Manager, make sure the Output flow logs to information center option is not selected on the flow log configuration page, as shown in Figure 11. If you select the option, the firewall outputs flow logs to the information center instead of to the specified log host.
Figure 11 Flow log configuration page

Configuration procedures

Configuring the firewall

Configuring the firewall in the Web interface

1. Configure IP addresses for the interfaces:
   a. From the navigation tree, select Device Management > Interface.
   b. Click the icon for GigabitEthernet 1/0. The Edit Interface page appears.
   c. Configure the IP address of the interface as 192.168.250.12, as shown in Figure 12.
   d. Click Apply.
   e. Repeat steps b through d to configure IP addresses for GigabitEthernet 1/1 and GigabitEthernet 1/2.
Figure 12 Configuring the IP address for an interface (GigabitEthernet1/0, 192.168.250.12)

2. Configure an ACL:
   a. From the navigation tree, select Firewall > ACL.
   b. Click Add. The Add ACL page appears.
   c. Create ACL 2000 as shown in Figure 13.

Figure 13 Adding an ACL

   d. Click Apply. ACL 2000 appears on the ACL list, as shown in Figure 14.

Figure 14 Viewing the ACL on the ACL list

   e. Click the icon for ACL 2000. The ACL rule configuration page appears.
Figure 15 ACL rule configuration page

   f. Click Add. The Add Basic ACL Rule page appears.
   g. Add an ACL permit rule to match packets sourced from the host at 192.168.1.2, as shown in Figure 16.
   h. Click Apply.

Figure 16 Adding a basic ACL rule for ACL 2000

3. Configure dynamic NAT on GigabitEthernet 1/2:
   a. Select Firewall > NAT Policy > Dynamic NAT. The dynamic NAT configuration page appears.

Figure 17 Dynamic NAT configuration page

   b. In the Dynamic NAT area, click Add. The Add Dynamic NAT page appears.
   c. Add a dynamic NAT rule as shown in Figure 18.
   d. Click Apply.
Figure 18 Adding a dynamic NAT rule

4. Add interfaces GigabitEthernet 1/0 and GigabitEthernet 1/1 to zone Trust, and interface GigabitEthernet 1/2 to zone Untrust:
   a. From the navigation tree, select Device Management > Zone. The security zone management page appears.
   b. Click the icon for security zone Trust.
   c. Select the interface GigabitEthernet1/0.
   d. Click Apply.
   e. Repeat steps b through d to add GigabitEthernet 1/1 to zone Trust and GigabitEthernet 1/2 to zone Untrust.
Figure 19 Adding GigabitEthernet 1/0 to zone Trust

5. Configure an interzone policy to permit all traffic from zone Untrust to zone Trust:
   a. From the navigation tree, select Firewall > Security Policy > Interzone Policy.
   b. Click Add. The interzone policy configuration page appears.
   c. Configure the interzone policy as shown in Figure 20.
   d. Click Apply.
Figure 20 Configuring the interzone policy

6. Configure syslog export to IMC Firewall Manager:
   a. From the navigation tree, select Log Report > Syslog. The syslog configuration page appears.
   b. Specify the IP address of IMC Firewall Manager as the destination for syslog export, and set the port number to 30514, as shown in Figure 21.
   c. Click Apply.

Figure 21 Configuring syslog

7. Configure flow log export to IMC Firewall Manager:
   a. From the navigation tree, select Log Report > Userlog. The flow logging configuration page appears.
   b. Specify the IP address of IMC Firewall Manager as the destination for flow log export, and set the port number to 30017, as shown in Figure 22.
   c. Make sure the Output userlog to information center option is not selected.
   d. Click Apply.

Figure 22 Configuring flow logging

8. Configure a session log policy to record the session logs for traffic between zones Trust and Untrust:
   a. From the navigation tree, select Log Report > Session Log > Log Policy.
   b. Add a policy for logging sessions between zones Untrust and Trust, as shown in Figure 23.

Figure 23 Session log policy between zones Untrust and Trust

9. Configure the time- and traffic-based thresholds for generating session logs:
   a. From the navigation tree, select Log Report > Session Log > Global Setup.
   b. Configure the time- and traffic-based thresholds as shown in Figure 24.
   c. Click Apply.
   If neither threshold is configured, session logs are generated only when NAT sessions are established or removed.
Figure 24 Configuring session logging thresholds

10. Enable the SNMP agent. The firewall supports enabling the SNMP agent only at the CLI. For information about how to enable the SNMP agent at the CLI, see "Configuring the firewall at the CLI."

Configuring the firewall at the CLI

# Configure IP addresses for interfaces GigabitEthernet 1/0, GigabitEthernet 1/1, and GigabitEthernet 1/2.
<Firewall> system-view
[Firewall] interface gigabitethernet 1/0
[Firewall-GigabitEthernet1/0] ip address 192.168.250.12 24
[Firewall-GigabitEthernet1/0] quit
[Firewall] interface gigabitethernet 1/1
[Firewall-GigabitEthernet1/1] ip address 192.168.1.1 24
[Firewall-GigabitEthernet1/1] quit
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] ip address 220.1.1.1 24
[Firewall-GigabitEthernet1/2] quit
# Create an ACL.
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule 0 permit source 192.168.1.2 0
[Firewall-acl-basic-2000] quit
# Configure NAT.
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] nat outbound 2000
[Firewall-GigabitEthernet1/2] quit
# Add interfaces GigabitEthernet 1/0 and GigabitEthernet 1/1 to zone Trust, and interface GigabitEthernet 1/2 to zone Untrust.
[Firewall] zone name trust
[Firewall-zone-trust] import interface gigabitethernet 1/0
[Firewall-zone-trust] import interface gigabitethernet 1/1
[Firewall-zone-trust] quit
[Firewall] zone name untrust
[Firewall-zone-untrust] import interface gigabitethernet 1/2
[Firewall-zone-untrust] quit
# Configure an interzone policy to permit all traffic from zone Untrust to zone Trust.
[Firewall] interzone source untrust destination trust
[Firewall-interzone-untrust-trust] rule permit logging
[Firewall-interzone-untrust-trust-rule-0] source-ip any_address
[Firewall-interzone-untrust-trust-rule-0] destination-ip any_address
[Firewall-interzone-untrust-trust-rule-0] service any_service
[Firewall-interzone-untrust-trust-rule-0] rule enable
[Firewall-interzone-untrust-trust-rule-0] quit
[Firewall-interzone-untrust-trust] quit
# Specify the log host running IMC Firewall Manager as the destination for syslog export. Set the UDP port number to 30514.
[Firewall] info-center loghost 192.168.250.13 port 30514
# Set the flow log version to 3.0.
[Firewall] userlog flow export version 3
# Specify the log host running IMC Firewall Manager as the destination for flow log export. Set the UDP port number to 30017.
[Firewall] userlog flow export host 192.168.250.13 30017
# Enable session logging for traffic between zones Trust and Untrust.
[Firewall] interzone source trust destination untrust
[Firewall-interzone-trust-untrust] session log enable
[Firewall-interzone-trust-untrust] quit
# Enable the SNMP agent.
[Firewall] snmp-agent
[Firewall] snmp-agent community read public
[Firewall] snmp-agent community write private
[Firewall] snmp-agent sys-info version all

Adding the firewall to IMC Firewall Manager

1. Log in to the Web interface of IMC Firewall Manager at http://192.168.250.13/imcfirewallmanager/.
2. Click the System tab.
3. From the navigation tree, select Device Management > Device List. The device list page appears.
4. Click Add. The Add Device page appears.
5. Configure the firewall parameters, as shown in Figure 25.
6. Click Add.
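A defender-side check, added here as an example and not part of H3C's documentation: a Python audit that reads a saved configuration and verifies the log-management commands and restrictions from this section (information center still enabled, syslog to the log host on UDP 30514, flow log version 3 exported to UDP 30017, session logging enabled, and no default SNMP community strings). The constant names are this example's own, the `userlog flow syslog` check is an assumption about the CLI form of the "output to information center" option, and the sample configuration is constructed from this page's complete CLI configuration.

```python
import re

# Constructed sample: the log-management lines of this page's "Complete CLI
# configuration", with the default SNMP communities left in place.
SAMPLE_CONFIG = """\
#
 userlog flow export version 3
 userlog flow export host 192.168.250.13 30017
#
interzone source Trust destination Untrust
 session log enable
#
 info-center loghost 192.168.250.13 port 30514
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
"""

LOG_HOST = "192.168.250.13"        # IMC Firewall Manager address used on this page
SYSLOG_PORT, FLOWLOG_PORT = 30514, 30017

def audit_log_config(config: str, log_host: str = LOG_HOST) -> list[str]:
    """Return findings for a saved config; an empty list means it matches this page's setup."""
    lines = {ln.strip() for ln in config.splitlines()}
    findings = []
    # Nothing leaves the information center if it has been disabled.
    if "undo info-center enable" in lines:
        findings.append("information center disabled (undo info-center enable)")
    # System logs must go to IMC Firewall Manager on its syslog port.
    if f"info-center loghost {log_host} port {SYSLOG_PORT}" not in lines:
        findings.append(f"missing info-center loghost {log_host} port {SYSLOG_PORT}")
    # Flow logs: version 3.0 and export to the same host on the flow-log port.
    if "userlog flow export version 3" not in lines:
        findings.append("flow log export version is not 3")
    if f"userlog flow export host {log_host} {FLOWLOG_PORT}" not in lines:
        findings.append(f"missing userlog flow export host {log_host} {FLOWLOG_PORT}")
    # Assumption: 'userlog flow syslog' sends flow logs to the information center instead.
    if "userlog flow syslog" in lines:
        findings.append("flow logs redirected to information center (userlog flow syslog)")
    # At least one interzone must have session logging on, or no NAT session logs appear.
    if "session log enable" not in lines:
        findings.append("no interzone has 'session log enable'")
    # 'public'/'private' are well-known defaults; the write community lets anyone change config.
    for m in re.finditer(r"snmp-agent community (read|write) (\S+)", config):
        if m.group(2) in ("public", "private"):
            findings.append(f"default SNMP {m.group(1)} community '{m.group(2)}'")
    return findings
```

Run it against the output of display current-configuration saved to a file; the example configuration on this page passes every log-export check and is flagged only for its default SNMP communities.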
Figure 25 Adding the firewall to IMC Firewall Manager

Verifying the configuration

The host accesses the Internet through the firewall. The firewall generates NAT session logs and interzone policy logs. In the Web interface of the firewall, you can view the logs stored in the log buffer. Alternatively, you can view the logs on IMC Firewall Manager.

If the firewall uses UTC time, IMC Firewall Manager uses GMT time. If the firewall uses GMT+8 time, IMC Firewall Manager uses the local time.
Displaying system logs

Displaying system logs on the firewall

From the navigation tree, select Log Report > Report > System Log. The system log list displays all system logs.

Figure 26 Displaying system logs on the firewall

Displaying system logs on IMC Firewall Manager

From the navigation tree, select Firewall > Event Auditing > Operation Logs. The Operation Log List displays all operation logs.
Figure 27 Displaying system logs on IMC Firewall Manager

Displaying interzone policy logs

Displaying interzone policy logs on the firewall

From the navigation tree, select Log Report > Report > Interzone Policy Log. The interzone policy log list displays all interzone policy logs.

Figure 28 Displaying interzone policy logs on the firewall

Displaying interzone policy logs on IMC Firewall Manager

From the navigation tree, select Firewall > Event Auditing > Inter-Zone Access Logs. The Inter-Zone Access Control Log List displays all interzone policy logs.
Figure 29 Displaying interzone policy logs on IMC Firewall Manager

Displaying flow logs

Displaying flow logs on the firewall

From the navigation tree, select Log Report > Report > Userlog.

Figure 30 Displaying flow logs on the firewall

Displaying flow logs on IMC Firewall Manager

From the navigation tree, select Firewall > Event Auditing > NAT Logs.
Figure 31 Displaying flow logs on IMC Firewall Manager

Complete CLI configuration

#
 userlog flow export version 3
 userlog flow export host 192.168.250.13 30017
#
acl number 2000
 rule 0 permit source 192.168.1.2 0
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 192.168.250.12
#
interface GigabitEthernet1/1
 port link-mode route
 ip address 192.168.1.1
#
interface GigabitEthernet1/2
 port link-mode route
 nat outbound 2000
 ip address 220.1.1.1
#
zone name Trust id 2
 priority 85
 import interface GigabitEthernet1/1
 import interface GigabitEthernet1/0
zone name Untrust id 4
 priority 5
 import interface GigabitEthernet1/2
interzone source Trust destination Untrust
 session log enable
interzone source Untrust destination Trust
 rule 0 permit logging
  source-ip any_address
  destination-ip any_address
  service any_service
  rule enable
#
 info-center loghost 192.168.250.13 port 30514
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#

Related documentation

- H3C SecPath Series Firewalls and UTM Devices System Management and Maintenance Configuration Guide
- H3C SecPath Series Firewalls and UTM Devices System Management and Maintenance Command Reference
- H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide
- H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference
- H3C SecPath Series Firewalls and UTM Devices NAT and ALG Configuration Guide
- H3C SecPath Series Firewalls and UTM Devices NAT and ALG Command Reference