H3C SecBlade User manual

H3C SecBlade IPS Cards

User Manual

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Document version: 5PW104-20101210

No part of this manual may be reproduced or transmitted in any form or by any means without prior

written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C,

, Aolynk, , H

3

Care,

, TOP G, , IRF, NetPilot, Neocean, NeoVTL,

SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V

2

G, V

n

G, PSPT,

XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,

Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners

Notice

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C SecBlade IPS Cards User Manual describes the SecBlade IPS cards’ overview, features, and

login methods, and the configurations on the switches and routers that hold the cards.

This preface includes:

•

Audience

•

Conventions

•

About the H3C SecBlade IPS Cards Document Set

•

Obtaining documentation

•

Technical support

•

Documentation feedback

Audience

This documentation is intended for:

• Network planners

• Field technical support and servicing engineers

• Network administrators working with the H3C SecBlade IPS cards

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention Description

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars, from which

you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical bars, from

which you select one or none.

{ x | y | ... } *

Asterisk marked braces enclose a set of required syntax choices separated by vertical

bars, from which you select at least one.

[ x | y | ... ] *

Asterisk marked square brackets enclose optional syntax choices separated by vertical

bars, from which you may select multiple choices or none.

&<1-n>

The argument or keyword and argument combination before the ampersand (&) sign can

be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description

Boldface

Window names, button names, field names, and menu items are in Boldface. For

example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

WARNING

An alert that calls attention to important information that if not understood or followed can

result in personal injury.

CAUTION

An alert that calls attention to important information that if not understood or followed can

result in data loss, data corruption, or damage to hardware or software.

IMPORTANT

An alert that calls attention to essential information.

NOTE

An alert that contains additional or supplementary information.

TIP

An alert that provides helpful information.

About the H3C SecBlade IPS Cards Document Set

The H3C SecBlade IPS cards documentation set includes:

Category Documents Purposes

Marketing brochures Describe product specifications and benefits.

Product description and

specifications

Technology white papers

Provide an in-depth description of software features

and technologies.

Card Manual

Provides the card types, hardware specifications,

and interface attributes.

Software Upgrade Guide

Guides you through the software upgrade.

Installation and

commissioning

License Registration and

Activation Guide

Provides the configuration procedure and guidelines

to activate and register the license.

User Manual

Describes the data forwarding procedure of the card

sand basic network configuration with switches

Web-Based

Configuration Guide

Describe how to configure and deploy the cards

Typical Configuration

Example

Provide configuration examples and instructions of

the cards.

Configuration Guide

Service configuration

Command Reference

Configure and maintain the card at the CLI

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at

http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents] – Provides hardware installation, software

upgrading, and software feature configuration and maintenance documentation.

[Products & Solutions] – Provides information about products and technologies, as well as solutions.

[Technical Support & Documents > Software Download] – Provides the documentation released with the

software version.

Technical support

customer_service@h3c.com

http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.

i

Contents

Overview ······································································································································································ 1

Introduction to the Manual ···············································································································································1

Related Manuals································································································································································1

SecBlade IPS Cards Overview····································································································································2

Introduction ········································································································································································2

Main Characteristics·························································································································································2

Main Functions ··································································································································································3

Features········································································································································································· 5

Feature List ·········································································································································································5

Login·············································································································································································· 6

Switch/Router and SecBlade IPS Card Network Configuration··············································································· 9

LSWM1IPS10 Card Configuration ·································································································································9

Configuration Overview ··········································································································································9

Configuration Procedure······································································································································· 10

Configuration Example ········································································································································· 14

LSQ1IPSSC0 Card Configuration (Only for the S7500E Switch and Supporting OAA Configuration)·············· 17

Configuration Overview ······································································································································· 17

Configuration Procedure······································································································································· 18

Configuration Example ········································································································································· 22

LSB1IPS1A0 Card Configuration ································································································································· 27

Configuration Overview ······································································································································· 27

Configuration Procedure······································································································································· 28

Configuration Example ········································································································································· 31

LSR1IPS1A1 Card Configuration ································································································································· 35

Configuration Overview ······································································································································· 35

Configuration Procedure······································································································································· 36

Configuration Example ········································································································································· 40

LST1IPS1A1 Card Configuration·································································································································· 44

Configuration Overview ······································································································································· 44

Configuration Procedure······································································································································· 45

Configuration Example ········································································································································· 49

SPE-IPS-200 Card Configuration ·································································································································· 53

Configuration Overview ······································································································································· 53

Configuration Procedure······································································································································· 53

Configuration Example ········································································································································· 57

IM-IPS Card Configuration ············································································································································ 60

Configuration Overview ······································································································································· 60

Configuration Procedure······································································································································· 61

Configuration Example ········································································································································· 64

Appendix-OAA Configuration ··································································································································69

Overview········································································································································································· 69

ACFP Architecture ················································································································································· 69

OAA Collaboration··············································································································································· 70

ACFP Management ··············································································································································· 70

Configuring OAA Client················································································································································ 70

OAA Configuration Example········································································································································ 72

ii

Index ···········································································································································································78

1

Overview

Introduction to the Manual

This manual mainly consists of the following chapters:

•

SecBlade IPS Cards Overview: Describes the functions and service features of the SecBlade IPS

cards.

•

Features: Describes the features of the SecBlade IPS cards. For how to configure these features, see

the H3C Intrusion Prevention System Web-Based Configuration Guide.

•

Login: Describes how to log in to the web interface of the SecBlade IPS cards.

•

Switch/Router and SecBlade IPS Card Network Configuration: Describes the work flow and

principles of data forwarding between a switch/router and a SecBlade IPS card, presents the

configurations on the switch/router and the SecBlade IPS card, and provides configuration

examples.

•

Appendix-OAA Configuration: Describes OAA basic principles and configuration procedure, and

gives configuration examples.

Related Manuals

For the installation, startup and configuration, software upgrade and hardware maintenance of the

SecBlade IPS cards, see the H3C SecBlade Cards Software Upgrade Guide and the hardware

documents of the devices using the cards, such as the installation guides of

S5800/S5820X/S7500E/S9500/S9500E/S12500 series switches and SR6600/SR8800 routers.

Follow these steps to obtain the product documentation from www.h3c.com:

• Select Technical Support & Document > Technical Documents from the home page.

• Select a device type, and then you can view the related manuals.

2

SecBlade IPS Cards Overview

Introduction

H3C Intrusion Prevention System (IPS) products fall into two categories.

1. H3C SecPath T series

• T200 series: T200, T200-E (enhanced), T200-A (advanced), T200-M (middle), T200-S (standard)

• T1000 series: T1000-A (advanced), T1000-M (middle), T1000-S (standard), T1000-C (compact)

• T5000 series: T5000-S3

2. H3C SecBlade IPS card series

• LSWM1IPS10: Applicable to H3C S5800/S5820X series switches that support OAA

• LSQ1IPSSC0: Applicable to H3C S7500E series switches

• LSB1IPS1A0: Applicable to H3C S9500 series switches

• LSR1IPS1A1: Applicable to H3C S9500E series switches

• LST1IPS1A1: Applicable to H3C S12500 series switches

• SPE-IPS-200: Applicable to H3C SR6600 routers

• IM-IPS: Applicable to H3C SR8800 routers

In this manual, the switches and routers that support ISP cards are referred to as main network devices.

This manual mainly describes the features and typical configuration of the two types of H3C SecBlade

IPS cards.

H3C IPS products are mainly online deployed on the key paths of user networks and perform Layer 2

through Layer 7 data analysis in real time to precisely identify and stop/limit various attacks and network

abuses such as hackers, worms, viruses, Trojans, DoS/DDoS, scans, spyware, protocol anomalies,

phishing, P2P, IM, and network games, and to ensure the security, service continuity and performance of

network applications.

H3C IPS products can also be deployed in bypass mode to implement intrusion detection. In addition,

H3C IPS products provide powerful, practical bandwidth management and URL filtering functions.

H3C SecBlade IPS cards are based on the latest hardware platform and architecture of H3C. They

support distributed deployment, centralized management and flexible scalability, and can be managed

using a web browser. H3C SecBlade IPS cards can be inserted to the main network devices to satisfy the

traffic management needs of users.

Main Characteristics

• SecBlade IPS cards enable main network devices to provide network security services without

affecting data forwarding performance.

• SecBlade IPS cards are based on the H3C Open Application Architecture (OAA). A SecBlade IPS

card is connected to a main network device through an internal 10GE Ethernet interface. The

wire-speed forwarding capability of the back card of the main network device ensures smooth data

exchange with the SecBlade IPS card.

3

• SecBlade IPS cards adopt the multi-core high-performance processor and high-speed memory, and

thus can ensure the processing of security services without affecting the normal operation of the

main network device.

• Multiple slots on the main network device can accommodate SecBlade IPS cards. You can plug

multiple SecBlade IPS cards in to a main network device for service expansion, meeting the update

requirements of enterprise and carrier networks.

Main Functions

SecBlade IPS cards provide the following main functions.

1. Application layer based attack detection and defense

SecBlade IPS cards adopt the proprietary engine of H3C, Full Inspection with Rigorous State Test (FIRST).

The FIRST engine provides multiple detection technologies, and improves the preciseness of attack

detection by implementing full inspection based on rigorous state. It adopts concurrent detection

technology and supports flexible hardware&sofware configurations, greatly improving the intrusion

detection performance. The FIRST engine integrates protocol identification and characteristic matching.

It uses protocol identification to identify application layer protocols and detect abnormal protocols, and

uses characteristic matching to determine attacks. Only the traffic matching the specific attacking

characteristics of a detected abnormal protocol is considered as an attack. This method greatly improves

inspection preciseness and reduces false positive and false negative rates.

2. DDoS defense

SecBlade IPS cards can provide Distributed Denial of Service (DDoS) defense in various network

environments by performing deep analysis of DDoS attacks (including SYN flood, RST flood, ACK flood,

UDP flood, ICMP flood, Connection flood, CPS flood, DNS query flood and HTTP get flood), and using

advanced defense algorithms.

3. AV function

SecBlade IPS cards are integrated with the KasperSky anti-virus engine and virus definitions. The engine

adopts advanced anti-virus technologies such as the second generation heuristic code analysis method,

iChecker real-time monitoring and unique script virus interception, and can scan and kill viruses of

various types, such as file type, network type and mixed type. In addition, it incorporates the next

generation virtual machine unpack engine and behavior estimation technologies to kill derived viruses

and unknown viruses accurately.

4. URL filtering

SecBlade IPS cards provide the URL filtering function, which allows you to define URL filtering rules that

support regular expression to filter specific web pages.

5. Application based bandwidth control

Based on protocol identification, which can identify more than 1000 protocols, SecBlade IPS cards can

perform flexible bandwidth control to ensure bandwidth for critical applications by limiting non-critical

applications from using bandwidth.

6. Various actions

SecBlade IPS cards provide various actions to be taken on detected abnormal traffic, including stop,

restrict, TCP reset, get original packets, redirect, isolate, report syslogs, and record local logs. You can

combine actions as needed, and SecBlade IPS cards also provide some commonly used action

combinations.

7. Unified management and policy assignment

4

SecBlade IPS cards support local and distributed management modes. For a network with one or a small

number of SecBlade IPS cards deployed, you can manage the cards through the web interface

embedded. For a network with a large number of SecBlade IPS cards deployed, you can implement

unified upgrade, monitoring, analysis and policy management for the cards through the H3C security

management center SecCenter.

5

Features

Feature List

Table 1 Feature list of SecBlade IPS cards

Module Features

Web overview Device management User management

Network management High reliability Time table management

Actions management Log management IPS

URL filtering Anti-virus DDoS protection

Web Configuration

Bandwidth management Blacklist Reports

Commonly used network

application commands

Interface management

commands

Static route configuration

commands

CLI Configuration

Device management

commands

System basic

configuration commands

Encrypted P2P traffic

identification configuration

commands

6

Login

With the web network management function, the administrator can manage and maintain a SecBlade

IPS card through the web interface.

Follow these steps to log in to the web interface of the SecBlade IPS card.

1. Connect the SecBlade IPS card to a PC

• For the LSWM1IPS10 card

Prepare a console cable with a RJ 45 connector at one end and a DB9 female connector at the other.

Connect the RJ 45 connector to the console port of the switch, and connect the DB9 female connector to

the serial port of the PC. Then connect the management port of the SecBlade IPS card to the network

interface of the PC by using a crossover Ethernet cable.

Figure 1 Connect the SecBlade IPS card to a PC

PC

Switch & IPS card

Console cable

Ethernet cable

Serial interface

Ethernet interface

Management interface

(IPS card)

Console interface

(Switch)

• For a non-LSWM1IPS10 card

Prepare a console cable with a RJ 45 connector at one end and a DB9 female connector at the other.

Connect the RJ 45 connector to the console port of the SecBlade IPS card, and connect the DB9 female

connector to the serial port of the PC. Then connect the management port of the SecBlade IPS card to the

network interface of the PC by using a crossover Ethernet cable.

Figure 2 Connect the SecBlade IPS card to a PC

2. Set terminal parameters on the PC

Run the terminal emulator on the PC (for example, Terminal of Windows 3.X, hyper terminal of Windows

9X and Windows XP).

Set the bits per second to 9600, data bits to 8, parity to none, stop bits to 1, and flow control to none,.

NOTE:

Settings of terminal parameters depend on the device model.

7

3. Enter the CLI of the device

• For the LSWM1IPS10 card

Power on the switch. As the S5800 and S5820X are centralized stacking devices, you need to execute

the command for logging into the OAP system before you can enter the CLI of the LSWM1IPS10 card.

# Enter the CLI of the LSWM1IPS10 card.

<Sysname> oap connect slot 1 system SubSlot3

Press CTRL+K to quit.

Connected to SubSlot3!

The PC then displays the Power On Self Test (POST) information of the IPS card. After the POST, you are

prompted to enter the password (the default password is H3C, which is case-sensitive). Enter the correct

password to enter the CLI of the IPS card.

• For a non-LSWM1IPS10 card

Power on the switch or router. The PC shows the POST information of the IPS card. After the POST, you are

prompted to enter the system password, which defaults to H3C (case-sensitive). After you input the

correct password, you can enter the CLI of the IPS card.

4. Configure the management IP address of the IPS card (this step is optional; the default

management IP address is 192.168.1.1).

# Configure the management IP address of the IPS card (The default management interface of

LSWM1IPS10 card is meth 0/0, and that of other cards is meth 0/2. The following takes management

interface meth0/2 as an example.)

<Sysname> system-view

[Sysname] interface meth0/2 ←Enter the management interface

[Sysname-if] ip address 10.153.17.82 255.255.255.0 ←Configure the IP address and mask of

the management interface as 10.153.17.82/24

[Sysname-if] undo shutdown←Enable the management interface

The system automatically saves the above configuration.

5. Configure an IP address for the PC to ensure connectivity with the SecBlade IPS card.

Configure an IP address in the subnet 10.153.17.0/24 (except for 10.153.17.82), for example,

10 .15 3 .17. 8 3 .

6. Open the browser to login

Open the IE browser on the PC, and input the IP address 10.153.17.82 to enter the login interface shown

in

Figure 3.

On the login interface, input the default user name admin and the default password admin, and click

Login to log in to the device through the web interface.

8

Figure 3 web interface login interface

By default, the IPS card has HTTPS enabled, but does not have HTTP enabled. Therefore, for the first login,

only the HTTPS method is available. After the first login through HTTPS, you can enable HTTP as follows:

select System Management > Network Management > Management Interface from the navigation tree

to enter the page shown in

Figure 4.

Figure 4 HTTP/HTTPS configuration

Select the checkbox before HTTP and click Apply. A confirmation dialog box pops up, showing

“Changing the IP address of the management interface may break the network connection. Continue?”.

Click OK on the dialog box to complete configuration.

WARNING!

• The PC in

Figure 2 is a common configuration terminal and is not required to be a web network

management terminal.

• Do not log in to the web interface through both HTTP and HTTPS at the same time from a PC.

After the first login, H3C recommends changing the default password. For more information, see

User

Management

in the

H3C Intrusion Prevention System Web-Based Configuration Guide.

9

Switch/Router and SecBlade IPS Card Network

Configuration

NOTE:

For more information about the commands used in this chapter, see the Configuration Guides and

Command References shipped with switch and router that installated the SecBlade IPS Card.

LSWM1IPS10 Card Configuration

NOTE:

The LSWM1IPS10 card is only for S5800&S5820X series switches and supports the OAA feature.

Configuration Overview

The switch and the SecBlade IPS card are connected through internal 10GE interfaces. The switch uses

VLAN interfaces to perform Layer 3 forwarding. Configure redirection on the internal and external

network interfaces of the switch to redirect incoming IP packets to be forwarded through the VLAN

interfaces to the internal 10GE interface connected to the SecBlade IPS card. The switch performs normal

Layer-3 forwarding to the packets and then sends them to the SecBlade IPS card through its internal

10GE interface. The detailed data forwarding process is as follows.

From internal network to external network

1. A packet from the internal network enters the switch.

2. The switch reprocesses the packet for Layer 3 forwarding, during which the switch inserts an

outgoing VLAN tag in to the packet.

3. After the Layer 3 preprocessing, the switch redirects the packet to the SecBlade IPS card according

to the receiving port, the incoming VLAN and the outgoing port.

4. After reprocessing the packet, the SecBlade IPS card forwards the packet back to the switch.

5. The switch forwards the packet out its external network interface.

From external network to internal network

1. A packet from the external network enters the switch.

2. The switch preprocesses the packet for Layer 3 forwarding, during which the switch removes the

incoming VLAN tag from the packet.

3. After the Layer 3 preprocessing, the switch redirects the packet to the SecBlade IPS card according

to the receiving port, the incoming VLAN and the outgoing port.

4. After reprocessing the packet, the SecBlade IPS card forwards the packet back to the switch.

5. The switch forwards the packet out its internal network interface.

10

Configuration Procedure

Configuring the switch

Configure the switch as follows.

• Configure the Management Information Base (MIB) style of the switch.

• Configure SNMP parameters. Configure SNMPv3 users and adopt non-authentication and

non-encryption.

• Enable the ACFP server and the ACSEI server.

• Configure a VLAN, VLAN 100, for example, which must not conflict with any existing VLANs on the

switch, and configure an IP address for the VLAN interface.

• Configure the internal 10GE interface as an Access interface, add it to a VLAN for example VLAN

100 (which must be consistent with the VLAN ID configured on the OAA configuration page of the

SecBlade IPS card), and configure the interface’s port-connect-mode as extended.

• Save the configuration.

Follow these steps to configure the switch:

To do… Use the command… Remarks

Enter system view system-view —

Configure the MIB style of the

switch

mib-style [ new |

compatible ]

Required

• new: Specifies the MIB style H3C new.

With this style, both the sysOID and

private MIB of the switch are located

under the H3C enterprise ID 25506.

• compatible: Specifies the MIB style H3C

compatible. With this style, the sysOID

of the switch is located under the H3C

enterprise ID 25506, and the private

MIB is located under the enterprise ID

2011.

By default, the MIB style of the switch is

new.

You need to reboot the switch to validate

this configuration (you can reboot the

switch after completing all configurations).

CAUTION:

Make sure that the switch’s the MIB style is

new. If you specify compatible for the switch,

the switch cannot work normally.

Enable SNMP agent snmp-agent

Required

Disabled by default.

Set the SNMP version

snmp-agent sys-info

{ contact sys-contact |

location sys-location |

version { all | { v1 | v2c |

v3 }* } }

Required

The SecBlade IPS card supports only

SNMPv3.

By default, SNMPv3 applies.

11

To do… Use the command… Remarks

Create an SNMP group and set its

access right

For SNMP v3:

snmp-agent group v3

group-name

[ authentication | privacy ]

[ read-view read-view ]

[ write-view write-view ]

[ notify-view notify-view ]

[ acl acl-number ]

Required

By default, the SNMP group configured

with the snmp-agent group v3 command

uses non-authentication and

non-encryption.

Create or update a MIB view to

specify the MIB objects that the

NMS can access

snmp-agent mib-view

{ excluded | included }

view-name oid-tree [ mask

mask-value ]

Required

The default view is ViewDefault.

Add a user to the SNMP group

snmp-agent usm-user v3

user-name group-name

[ [ cipher ]

authentication-mode

{ md5 | sha }

auth-password

[ privacy-mode { des56 |

aes128 } priv-password ] ]

[ acl acl-number ]

Required

If you execute this command for the same

user repeatedly, the last configuration takes

effect.

Enable the ACFP server acfp server enable

Required

Disabled by default.

Enable the ACSEI server acsei server enable

Required

Disabled by default.

Create a VLAN

and enter VLAN

view

vlan { vlan-id1 [ to

vlan-id2 ] | all }

Required

Return to system

view

quit Required

Enter the specified

VLAN interface

view

interface vlan-interface

vlan-interface-id

Required

Before creating the VLAN interface, you

need to create the corresponding VLAN.

Otherwise, the VLAN interface cannot be

created.

Configure an IP

address and mask

for the VLAN

interface

ip address ip-address

{ mask | mask-length }

[ sub ]

Required

Not configured by default.

In general, you need to configure only one

IP address for a VLAN interface. To enable

a VLAN to connect multiple subnets, you

can configure multiple IP addresses for the

VLAN interface. One of them is the primary

IP address and others are secondary IP

addresses. On the S5800&S5820X series

switches, a VLAN interface can have up to

10 IP addresses configured.

Configure

the internal

10GE

interface

Return to system

view

quit Required

12

To do… Use the command… Remarks

Enter the view of

the 10GE interface

connected to the

SecBlade IPS card

interface

Ten-GigabitEthernet

interface-number

Required

Configure the link

type of the

interface as access

port link-type access

Required

By default, the link type of an interface is

access.

Add the interface

to a VLAN

port access vlan vlan-id

Required

Add the internal interface to the

management VLAN.

Configure the

extended port

connection mode

for the port

port connection-mode

extend

Required

Return to system

view

quit Required

Save the configuration to a

configuration file

save [ file-name | [ safely ]

Required

Configuring the SecBlade IPS card

Configure the SecBlade IPS card as follows.

• Configure the IP address of the management interface at the CLI and use the IP address to login to

the web interface of the SecBlade IPS card.

• Configure the internal interface and the OAA client and test its connectivity to the switch.

• Create security zones and add the interfaces of the switch to corresponding security zones.

• Create a segment and add internal and external zones to the segment.

Follow these steps to configure the SecBlade IPS card:

To do… Use the command… Remarks

Configure redirection from

the device to the OAP system

(for centralized stacking

devices/distributed devices)

oap connect [ slot slot-number ] system

system-name

Required

Perform this operation in user

view to enter the CLI of the

SecBlade IPS card.

Enter system view system-view —

Enter management interface

view

interface meth interface-number Optional

Configure an IP address for

the management interface

ip address ip-address mask

Optional

By default, the IP address of the

management interface meth0/0 is

192.168.1.1.

Enable the management

interface

undo shutdown

Required

Disabled by default.

13

To do… Use the command… Remarks

Use the IP address of the

management interface to

login to the web interface of

the SecBlade IPS card

—

Required

The default username and

password are both admin.

Configure the

OAA client

and internal

interface

Select System Management > Device

Management > OAA Configuration. Input

parameters in OAA Client Configuration

and Internal Interface Configuration to

complete OAA configuration.

Required

Configure

OAA

Test the

connectivity

Click the Test Connectivity button to test

the connectivity between the OAA client

and the server.

Required

Create security zones

Select System Management > Network

Management > Security Zone. Use the

Add button to create security zones and

add the interfaces of the S5800/S5820X

switch to the security zone.

Required

The interface list of the switch is

sent to the OAA board (the

SecBlade IPS card in this case),

and you can add interfaces to

security zones.

Create a segment

Select System Management > Network

Management > Segment Configuration.

Click Add Segment. Select a segment

number, the internal zone, and the

external zone.

Required

You need to specify the internal

interface when creating the

segment. The internal interface

connects to the switch.

Displaying the configuration

After completing above configurations, you can use the display command in any view of the SecBlade

IPS card to view forwarding information on the internal 10GE interface and verify you configurations.

To do… Use the command…

Display the running status and forwarding

information of the 10GE interface

display interface [ interface-name ]

Use the following commands on the switch to display ACFP information.

To do… Use the command…

Display the ACFP server information display acfp server-info

Display the ACFP client information display acfp client-info [ client-id ]

Display the ACFP policy information

display acfp policy-info [ client client-id [ policy-index ] |

dest-interface interface-type interface-number | global |

in-interface interface-type interface-number | out-interface

interface-type interface-number ] [ active | inactive ]

Display the ACFP rule information

display acfp rule-info { global | in-interface [ interface-type

interface-number ] | out-interface [ interface-type

interface-number ] | policy [ client-id policy-index ] }

Page is loading ...

H3C SecBlade User manual

H3C SecBlade User manual

Related papers

Other documents