H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)


Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

Contents

Introduction
Prerequisites
Example: Configuring the firewall to generate and send logs to IMC Firewall Manager
  Network requirements
  Software version used
  Configuration restrictions and guidelines
  Configuration procedures
    Configuring the firewall
    Adding the firewall to IMC Firewall Manager
  Verifying the configuration
    Displaying system logs
    Displaying interzone policy logs
    Displaying flow logs
  Complete CLI configuration
Related documentation

Introduction

This document provides examples for configuring the firewall to generate flow logs and system logs and to send them to a log host running IMC Firewall Manager.

Prerequisites

This document is not restricted to specific software or hardware versions. The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of the following features:
- NAT
- Security zones
- Interzone policies
- Information center
- Flow logging
- SNMP

Example: Configuring the firewall to generate and send logs to IMC Firewall Manager

Network requirements

As shown in Figure 10:
- The host accesses the Internet through the firewall.
- The firewall performs network address translation for the host.
- IMC Firewall Manager is deployed on the log server at 192.168.250.13/24.

Configure the firewall to perform the following operations:
- Generate flow logs and interzone policy logs.
- Send system logs and flow logs to IMC Firewall Manager for analysis.

Figure 10 Network diagram

Software version used

This configuration example was created and verified on SecPath F5000-A5 Feature 3213.

Configuration restrictions and guidelines

When you configure the firewall to send logs to IMC Firewall Manager, follow these restrictions and guidelines:
- Make sure the information center is enabled by using the info-center enable command. By default, the information center is enabled.
- You can export flow logs to log hosts or to the information center, but not both. If you configure both methods, the system exports flow logs to the information center and none reach the log host.
- In the Web interface, to export flow logs to IMC Firewall Manager, make sure the Output flow logs to information center option is not selected on the flow log configuration page, as shown in Figure 11. If you select the option, the firewall outputs flow logs to the information center instead of to the specified log host.

Figure 11 Flow log configuration page

Configuration procedures

Configuring the firewall

Configuring the firewall in the Web interface

1. Configure IP addresses for the interfaces:
   a. From the navigation tree, select Device Management > Interface.
   b. Click the edit icon for GigabitEthernet 1/0. The Edit Interface page appears.
   c. Configure the IP address of the interface as 192.168.250.12, as shown in Figure 12.
   d. Click Apply.
   e. Repeat steps b through d to configure IP addresses for GigabitEthernet 1/1 (192.168.1.1) and GigabitEthernet 1/2 (220.1.1.1).

Figure 12 Configuring the IP address for an interface (GigabitEthernet1/0, 192.168.250.12)

2. Configure an ACL:
   a. From the navigation tree, select Firewall > ACL.
   b. Click Add. The Add ACL page appears.
   c. Create ACL 2000 as shown in Figure 13.

Figure 13 Adding an ACL

   d. Click Apply. ACL 2000 appears on the ACL list, as shown in Figure 14.

Figure 14 Viewing the ACL on the ACL list

   e. Click the edit icon for ACL 2000. The ACL rule configuration page appears.

Figure 15 ACL rule configuration page

   f. Click Add. The Add Basic ACL Rule page appears.
   g. Add a permit rule that matches packets sourced from the host at 192.168.1.2, as shown in Figure 16.
   h. Click Apply.

Figure 16 Adding a basic ACL rule for ACL 2000

3. Configure dynamic NAT on GigabitEthernet 1/2:
   a. Select Firewall > NAT Policy > Dynamic NAT. The dynamic NAT configuration page appears.

Figure 17 Dynamic NAT configuration page

   b. In the Dynamic NAT area, click Add. The Add Dynamic NAT page appears.
   c. Add a dynamic NAT rule that applies ACL 2000 to GigabitEthernet 1/2, as shown in Figure 18.
   d. Click Apply.

Figure 18 Adding a dynamic NAT rule

4. Add interfaces GigabitEthernet 1/0 and GigabitEthernet 1/1 to zone Trust, and interface GigabitEthernet 1/2 to zone Untrust:
   a. From the navigation tree, select Device Management > Zone. The security zone management page appears.
   b. Click the edit icon for security zone Trust.
   c. Select the interface GigabitEthernet1/0.
   d. Click Apply.
   e. Repeat steps b through d to add GigabitEthernet 1/1 to zone Trust and GigabitEthernet 1/2 to zone Untrust.

Figure 19 Adding GigabitEthernet 1/0 to zone Trust

5. Configure an interzone policy that permits all traffic from zone Untrust to zone Trust, with logging enabled so that interzone policy logs are generated:
   a. From the navigation tree, select Firewall > Security Policy > Interzone Policy.
   b. Click Add. The interzone policy configuration page appears.
   c. Configure the interzone policy as shown in Figure 20.
   d. Click Apply.

   This permit-all rule exists only to produce interzone policy logs in the lab. On a production firewall, permit only the inbound services you actually need from zone Untrust, and keep logging enabled on the rules that do permit traffic.

Figure 20 Configuring the interzone policy

6. Configure syslog export to IMC Firewall Manager:
   a. From the navigation tree, select Log Report > Syslog. The syslog configuration page appears.
   b. Specify the IP address of IMC Firewall Manager (192.168.250.13) as the destination for syslog export, and set the port number to 30514, as shown in Figure 21.
   c. Click Apply.

Figure 21 Configuring syslog

7. Configure flow log export to IMC Firewall Manager:

   a. From the navigation tree, select Log Report > Userlog. The flow logging configuration page appears.
   b. Specify the IP address of IMC Firewall Manager (192.168.250.13) as the destination for flow log export, and set the port number to 30017, as shown in Figure 22.
   c. Make sure the Output userlog to information center option is not selected. If it is selected, flow logs go to the information center instead of to IMC Firewall Manager.
   d. Click Apply.

Figure 22 Configuring flow logging

8. Configure a session log policy to record session logs for traffic between zones Trust and Untrust:
   a. From the navigation tree, select Log Report > Session Log > Log Policy.
   b. Add a policy for logging sessions between zones Untrust and Trust, as shown in Figure 23.

Figure 23 Session log policy between zones Untrust and Trust

9. Configure the time-based and traffic-based thresholds for generating session logs:
   a. From the navigation tree, select Log Report > Session Log > Global Setup.
   b. Configure the time-based and traffic-based thresholds as shown in Figure 24.
   c. Click Apply.

   If neither threshold is configured, session logs are generated only when NAT sessions are established or removed.

Figure 24 Configuring session logging thresholds

10. Enable the SNMP agent. The firewall supports enabling the SNMP agent only at the CLI. For information about how to enable the SNMP agent at the CLI, see "Configuring the firewall at the CLI."

Configuring the firewall at the CLI

# Configure IP addresses for interfaces GigabitEthernet 1/0, GigabitEthernet 1/1, and GigabitEthernet 1/2.
<Firewall> system-view
[Firewall] interface gigabitethernet 1/0
[Firewall-GigabitEthernet1/0] ip address 192.168.250.12 24
[Firewall-GigabitEthernet1/0] quit
[Firewall] interface gigabitethernet 1/1
[Firewall-GigabitEthernet1/1] ip address 192.168.1.1 24
[Firewall-GigabitEthernet1/1] quit
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] ip address 220.1.1.1 24
[Firewall-GigabitEthernet1/2] quit
# Create an ACL that matches traffic sourced from the host.
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule 0 permit source 192.168.1.2 0
[Firewall-acl-basic-2000] quit
# Configure outbound NAT on GigabitEthernet 1/2 for traffic matching ACL 2000.
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] nat outbound 2000
[Firewall-GigabitEthernet1/2] quit
# Add interfaces GigabitEthernet 1/0 and GigabitEthernet 1/1 to zone Trust, and interface GigabitEthernet 1/2 to zone Untrust.
[Firewall] zone name trust
[Firewall-zone-trust] import interface gigabitethernet 1/0
[Firewall-zone-trust] import interface gigabitethernet 1/1
[Firewall-zone-trust] quit
[Firewall] zone name untrust
[Firewall-zone-untrust] import interface gigabitethernet 1/2
[Firewall-zone-untrust] quit
# Configure an interzone policy that permits all traffic from zone Untrust to zone Trust and logs the matches. The permit-all rule is for generating logs in the lab; do not use it on a production firewall.
[Firewall] interzone source untrust destination trust
[Firewall-interzone-untrust-trust] rule permit logging
[Firewall-interzone-untrust-trust-rule-0] source-ip any_address
[Firewall-interzone-untrust-trust-rule-0] destination-ip any_address
[Firewall-interzone-untrust-trust-rule-0] service any_service
[Firewall-interzone-untrust-trust-rule-0] rule enable
[Firewall-interzone-untrust-trust-rule-0] quit
[Firewall-interzone-untrust-trust] quit
# Specify the log host running IMC Firewall Manager as the destination for syslog export. Set the UDP port number to 30514.
[Firewall] info-center loghost 192.168.250.13 port 30514
# Set the flow log version to 3.0.
[Firewall] userlog flow export version 3
# Specify the log host running IMC Firewall Manager as the destination for flow log export. Set the UDP port number to 30017.
[Firewall] userlog flow export host 192.168.250.13 30017
# Enable session logging for traffic between zones Trust and Untrust.
[Firewall] interzone source trust destination untrust
[Firewall-interzone-trust-untrust] session log enable
[Firewall-interzone-trust-untrust] quit
# Enable the SNMP agent.
[Firewall] snmp-agent
[Firewall] snmp-agent community read public
[Firewall] snmp-agent community write private
[Firewall] snmp-agent sys-info version all

The community strings public and private are the well-known vendor defaults and appear here only because the example runs in an isolated lab. On a live network, use unique community strings, bind them to an ACL that permits only the IMC server (snmp-agent community write <name> acl <acl-number>), and prefer SNMPv3 with authentication and privacy; snmp-agent sys-info version all also enables SNMPv1 and SNMPv2c, which send the community string in cleartext. Note also that both syslog (UDP 30514) and flow log export (UDP 30017) are unauthenticated UDP streams, so the log host should accept them only from the firewall's address and the path between firewall and log host should be a trusted network.

Adding the firewall to IMC Firewall Manager

1. Log in to the Web interface of IMC Firewall Manager at http://192.168.250.13/imcfirewallmanager/.
2. Click the System tab.
3. From the navigation tree, select Device Management > Device List. The device list page appears.
4. Click Add. The Add Device page appears.
5. Configure the firewall parameters, as shown in Figure 25, including the SNMP parameters that match the firewall's snmp-agent configuration.
6. Click Add.
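The script below is an added worked example, not part of the H3C guide or of IMC Firewall Manager. It audits a Comware V5 configuration text for the conditions this procedure depends on: information center enabled and a log host on UDP 30514, flow log export version 3 to a host on UDP 30017 and not diverted to the information center, SNMP community strings that are not the vendor defaults with the write community bound to an ACL, and interzone permit rules that either lack logging or admit all traffic from Untrust. The command spellings follow the CLI shown above; the userlog flow syslog form (output flow logs to the information center) and the acl keyword on snmp-agent community are taken from Comware V5 usage and should be checked against your device's command reference. The embedded input is an excerpt of this document's Complete CLI configuration.

```python
import re
from dataclasses import dataclass

# Excerpt of this guide's "Complete CLI configuration", used as the input under test.
SAMPLE_CONFIG = """\
#
 userlog flow export version 3
 userlog flow export host 192.168.250.13 30017
#
interzone source Trust destination Untrust
 session log enable
interzone source Untrust destination Trust
 rule 0 permit logging
  source-ip any_address
  destination-ip any_address
  service any_service
  rule enable
#
 info-center loghost 192.168.250.13 port 30514
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#
"""

LOG_HOST, SYSLOG_PORT = "192.168.250.13", 30514   # IMC Firewall Manager in this example
WEAK_COMMUNITIES = {"public", "private"}            # vendor-default community strings


@dataclass
class Finding:
    level: str    # "error": log export will not work; "warning": hardening point
    message: str


def audit_config(config: str) -> list:
    """Return the findings for one Comware V5 configuration text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Syslog export: the information center must be on and point at the log host.
    if "undo info-center enable" in lines:
        findings.append(Finding("error", "information center disabled; system logs are not exported"))
    loghosts = [m for m in (re.fullmatch(r"info-center loghost (\S+)(?: port (\d+))?", ln) for ln in lines) if m]
    if not loghosts:
        findings.append(Finding("error", "no info-center loghost configured"))
    for m in loghosts:
        host, port = m.group(1), int(m.group(2) or 514)      # 514 is the default when no port is given
        if (host, port) != (LOG_HOST, SYSLOG_PORT):
            findings.append(Finding("warning", f"loghost {host}:{port} is not IMC Firewall Manager {LOG_HOST}:{SYSLOG_PORT}"))

    # Flow log export: version 3, an export host, and no diversion to the information center.
    if "userlog flow export version 3" not in lines:
        findings.append(Finding("warning", "flow log export version is not 3"))
    if not any(re.fullmatch(r"userlog flow export host \S+ \d+", ln) for ln in lines):
        findings.append(Finding("error", "no userlog flow export host configured"))
    if "userlog flow syslog" in lines:   # assumed spelling of "output flow logs to information center"
        findings.append(Finding("error", "userlog flow syslog set; flow logs go to the information center, not the log host"))

    # SNMP: IMC manages the firewall over SNMP, so community strings are credentials.
    for m in (re.fullmatch(r"snmp-agent community (read|write) (\S+)(?: acl (\d+))?", ln) for ln in lines):
        if not m:
            continue
        access, name, acl = m.groups()
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(Finding("error", f"SNMP {access} community '{name}' is a well-known default"))
        if access == "write" and acl is None:
            findings.append(Finding("warning", f"SNMP write community '{name}' is not restricted by an ACL"))
    for m in (re.fullmatch(r"snmp-agent sys-info version (.+)", ln) for ln in lines):
        if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
            findings.append(Finding("warning", "SNMPv1/v2c enabled; community strings cross the network in cleartext"))

    _check_interzone(lines, findings)
    return findings


def _check_interzone(lines, findings):
    """Flag enabled permit rules that are unlogged, or that admit everything from Untrust."""
    zone = None   # (source, destination) of the interzone block being read
    rule = None   # attributes of the rule being read

    def flush():
        if zone and rule and rule["enabled"] and rule["action"] == "permit":
            src, dst = zone
            if not rule["logging"]:
                findings.append(Finding("warning", f"interzone {src}->{dst} rule {rule['id']} permits traffic without logging"))
            if rule["any"] == 3 and src.lower() == "untrust":
                findings.append(Finding("warning", f"interzone {src}->{dst} rule {rule['id']} permits all inbound traffic"))

    for ln in lines:
        head = re.fullmatch(r"interzone source (\S+) destination (\S+)", ln)
        if head or ln == "#":
            flush()
            zone, rule = (head.groups() if head else None), None
            continue
        start = re.fullmatch(r"rule (?:(\d+) )?(permit|deny)( logging)?", ln)
        if start:
            flush()
            rule = {"id": start.group(1) or "?", "action": start.group(2),
                    "logging": start.group(3) is not None, "enabled": False, "any": 0}
            continue
        if rule is not None:
            if ln == "rule enable":
                rule["enabled"] = True
            elif ln in ("source-ip any_address", "destination-ip any_address", "service any_service"):
                rule["any"] += 1
    flush()


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.level:7} {f.message}")
```

Run against the configuration in this guide it reports two errors (the default read and write community strings) and three warnings (write community without an ACL, SNMPv1/v2c enabled, and the permit-all rule from Untrust to Trust); the log export settings themselves pass. Feed it the output of display current-configuration from your own device to check a live configuration.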

Figure 25 Adding the firewall to IMC Firewall Manager

Verifying the configuration

The host accesses the Internet through the firewall. The firewall generates NAT session logs and interzone policy logs. In the Web interface of the firewall, you can view the logs stored in the log buffer. Alternatively, you can view the logs on IMC Firewall Manager.

The timestamps that IMC Firewall Manager displays depend on the firewall's clock setting: if the firewall uses UTC, IMC Firewall Manager displays GMT time; if the firewall uses GMT+8, IMC Firewall Manager displays local time. Keep the firewall clock accurate so that its logs can be correlated with logs from other sources.
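Before relying on what IMC Firewall Manager displays, it is worth confirming that syslog datagrams actually reach the log host. The Python receiver below is an added example, not part of this guide or of IMC Firewall Manager: run it on the log host (with IMC's own syslog listener stopped, since both would bind UDP 30514) and it decodes the Comware V5 system log layout, <PRI>timestamp sysname %%vvModule/Level/Mnemonic(l): text, and drops any datagram not sourced from the firewall's address 192.168.250.12, because UDP syslog carries no authentication and a spoofed sender can inject events into the audit trail. The regex for the line layout is written from that documented layout and should be checked against real output from your device; the two sample datagrams are constructed, not captured, and their module names are illustrative.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

FIREWALL_ADDRESSES = {"192.168.250.12"}   # GigabitEthernet1/0 of the firewall in this example
LISTEN_PORT = 30514                       # port set with "info-center loghost ... port 30514"

SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debugging"]

# Comware V5 system log line: <PRI>Mon DD HH:MM:SS YYYY sysname %%vvMODULE/level/MNEMONIC(l): message
# (assumed layout; adjust against output from a real device)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) "
    r"%%(?P<ver>\d{2})(?P<module>[A-Z0-9_]+)/(?P<level>\d)/(?P<mnemonic>[^(]+)\([a-z]\):\s?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    hostname: str
    module: str
    mnemonic: str
    message: str


def parse_comware_syslog(datagram: bytes) -> Optional[SyslogEvent]:
    """Return the decoded event, or None when the datagram is not a well-formed Comware log line."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = LINE_RE.match(text)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:          # PRI is facility * 8 + severity, so 191 is the largest legal value
        return None
    return SyslogEvent(pri >> 3, SEVERITY[pri & 7], m["ts"], m["host"],
                       m["module"], m["mnemonic"].strip(), m["msg"])


def accept(datagram: bytes, src_ip: str, trusted=FIREWALL_ADDRESSES) -> Optional[SyslogEvent]:
    """Parse a datagram only if it came from a known firewall address; everything else is dropped."""
    if src_ip not in trusted:
        return None
    return parse_comware_syslog(datagram)


def serve(port: int = LISTEN_PORT) -> None:
    """Bind the IMC syslog port and print accepted events; stop IMC's listener before running this."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            ev = accept(data, src)
            if ev is None:
                print(f"dropped {len(data)} bytes from {src}")
                continue
            print(f"{ev.timestamp} {ev.hostname} {ev.module}/{ev.severity} {ev.mnemonic}: {ev.message}")


# Constructed sample datagrams in the Comware V5 layout (not captured from a device).
SAMPLES = [
    b"<189>Mar 10 15:12:01 2015 Firewall %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.250.13",
    b"<187>Mar 10 15:13:40 2015 Firewall %%10IFNET/3/LINK_UPDOWN(l): GigabitEthernet1/2 link status is DOWN",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(accept(d, "192.168.250.12"))
    serve()
```

Only the syslog stream on UDP 30514 is covered; the flow logs sent to UDP 30017 use the separate userlog export format and are not decoded here. If the receiver prints dropped datagrams from the firewall's address, the line layout differs from the regex and should be adjusted; if nothing arrives at all, check the info-center loghost command and the path between firewall and log host before looking at IMC.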

Displaying system logs

Displaying system logs on the firewall

From the navigation tree, select Log Report > Report > System Log. The system log list displays all system logs.

Figure 26 Displaying system logs on the firewall

Displaying system logs on IMC Firewall Manager

From the navigation tree, select Firewall > Event Auditing > Operation Logs. The Operation Log List displays all operation logs.

Figure 27 Displaying system logs on IMC Firewall Manager

Displaying interzone policy logs

Displaying interzone policy logs on the firewall

From the navigation tree, select Log Report > Report > Interzone Policy Log. The interzone policy log list displays all interzone policy logs.

Figure 28 Displaying interzone policy logs on the firewall

Displaying interzone policy logs on IMC Firewall Manager

From the navigation tree, select Firewall > Event Auditing > Inter-Zone Access Logs. The Inter-Zone Access Control Log List displays all interzone policy logs.

Figure 29 Displaying interzone policy logs on IMC Firewall Manager

Displaying flow logs

Displaying flow logs on the firewall

From the navigation tree, select Log Report > Report > Userlog. The flow log list displays the exported flow logs.

Figure 30 Displaying flow logs on the firewall

Displaying flow logs on IMC Firewall Manager

From the navigation tree, select Firewall > Event Auditing > NAT Logs. The NAT log list displays the flow logs received from the firewall.

Figure 31 Displaying flow logs on IMC Firewall Manager

Complete CLI configuration

#
 userlog flow export version 3
 userlog flow export host 192.168.250.13 30017
#
acl number 2000
 rule 0 permit source 192.168.1.2 0
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 192.168.250.12 255.255.255.0
#
interface GigabitEthernet1/1
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/2
 port link-mode route
 nat outbound 2000
 ip address 220.1.1.1 255.255.255.0
#
zone name Trust id 2
 priority 85
 import interface GigabitEthernet1/1
 import interface GigabitEthernet1/0
zone name Untrust id 4
 priority 5
 import interface GigabitEthernet1/2
interzone source Trust destination Untrust
 session log enable
interzone source Untrust destination Trust
 rule 0 permit logging
  source-ip any_address
  destination-ip any_address
  service any_service
  rule enable
#
 info-center loghost 192.168.250.13 port 30514
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#

Related documentation

- H3C SecPath Series Firewalls and UTM Devices System Management and Maintenance Configuration Guide
- H3C SecPath Series Firewalls and UTM Devices System Management and Maintenance Command Reference
- H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide
- H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference
- H3C SecPath Series Firewalls and UTM Devices NAT and ALG Configuration Guide
- H3C SecPath Series Firewalls and UTM Devices NAT and ALG Command Reference