H3C SecPath F1800-A Operating instructions

H3C SecPath F1800-A Firewall
Operation Manual
Hangzhou Huawei-3Com Technology Co., Ltd.
http://www.huawei-3com.com
Manual Version: T2-081659-20061015-C-1.01
Product Version: VRP3.30
Copyright © 2006, Hangzhou Huawei-3Com Technology Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou Huawei-3Com Technology Co., Ltd.
Trademarks
H3C, Aolynk, IRF, H3Care, Neocean, TOP G, SecEngine,
SecPath, COMWARE, VVG, V2G, VnG, PSPT, NetPilot, and XGbus are trademarks of
Hangzhou Huawei-3Com Technology Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Notice
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
the warranty of any kind, express or implied.
To obtain the latest information, please access:
http://www.huawei-3com.com
Technical Support
customer_service@huawei-3com.com
http://www.huawei-3com.com
About This Manual
Related Documentation
In addition to this manual, each SecPath F1800-A documentation set includes the following:

H3C SecPath F1800-A Firewall Installation Manual: Introduces the installation process, startup, and the software/hardware maintenance and monitoring of the SecPath F1800-A firewall.

H3C SecPath F1800-A Firewall Operation Manual: Introduces the operation guidance on getting started, working mode, security zone, system management, interface, link layer protocol, network and routing protocol, security defence, VPN and reliability of the SecPath F1800-A firewall.

H3C SecPath F1800-A Firewall Command Reference: Introduces the commands used in working mode, security zone, system management, interface, link layer protocol, network and routing protocol, security defence, VPN and reliability of the SecPath F1800-A firewall, corresponding to the operation manual.
Organization
H3C SecPath F1800-A Firewall Operation Manual is organized as follows:

Part 1, Getting Started, begins with the firewall development and security concept, introducing the security features, configuration environment setup, management and working mode of the SecPath F1800-A firewall.

Part 2, System Management, introduces the usage of the SecPath F1800-A firewall file system, software upgrading, displaying and debugging tools and information center, as well as the usage and operation guidance of log maintenance, NTP, SNMP, RMON and RMON2.

Part 3, Interface, presents the various parameter configurations on the interfaces provided, such as Ethernet interface, AUX interface and logical interface.

Part 4, Link Layer Protocol, describes the fundamentals and configurations of the various link layer protocols supported by the SecPath F1800-A firewall, including PPP, PPPoE and VLAN.

Part 5, Network and Routing Protocol, explains the IP address, IP performance, address resolution, DHCP relay and routing principle, and describes static route, RIP route, OSPF route, BGP route, policy route and related configuration.

Part 6, Security Defence, details the virtual firewall, ACL basics, security policy, NAT, IDS cooperation and AAA configuration.

Part 7, VPN, deals with the principle and configuration of the VPN solutions provided by the SecPath firewalls (e.g., L2TP) and Dynamic VPN, including IPSec configuration.

Part 8, Reliability, covers the reliability measures adopted by the SecPath F1800-A firewall, including route redundancy and dual-system hot backup, and their configuration.

Part 9, Abbreviations, lists the abbreviations used in this manual and their full names.

Part 10, Index, lists important keywords as index entries to help the reader find the required information quickly.
Conventions
The manual uses the following conventions:
I. Command conventions
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
#: A line starting with the # sign is a comment.
II. GUI conventions
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
III. Symbols
Caution: Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
Note: Means a complementary description.
Operation Manual - Getting Started
H3C SecPath F1800-A Firewall Table of Contents
i
Table of Contents
Chapter 1 Firewall Overview ........................................................................................................1-1
1.1 Overview of Network Security............................................................................................ 1-1
1.1.1 Security Threats ...................................................................................................... 1-1
1.1.2 Classification of Network Security Services............................................................ 1-2
1.1.3 Implementation of Network Security Services ........................................................ 1-2
1.2 Overview of Firewall System ............................................................................................. 1-5
1.2.1 First Safeguard........................................................................................................ 1-5
1.2.2 Evolution of the Firewall .......................................................................................... 1-5
1.3 Overview of the SecPath F1800-A .................................................................................... 1-7
1.3.1 SecPath F1800-A.................................................................................................... 1-7
1.3.2 Overview of the SecPath F1800-A.......................................................................... 1-8
1.3.3 Function Features List of the SecPath F1800-A ..................................................... 1-9
Chapter 2 Basic SecPath F1800-A Configuration....................................................................1-12
2.1 Establishment of Configuration Environment Through the Console Interface ................ 1-12
2.1.1 Establishing Configuration Environment ............................................................... 1-12
2.1.2 Configuring Successful Ping Between a Device and a SecPath F1800-A ........... 1-15
2.1.3 Configuring Successful Ping between Two Devices across a SecPath F1800-A 1-17
2.2 Establishment of Configuration Environment by Other Means........................................ 1-19
2.2.1 Establishment through the AUX interface ............................................................. 1-19
2.2.2 Establishment through Telnet ............................................................................... 1-21
2.2.3 Establishment Through SSH................................................................................. 1-24
2.3 Command-line Interface Management ............................................................................ 1-25
2.3.1 Command-Line Level ............................................................................................ 1-25
2.3.2 Command-Line View............................................................................................. 1-26
2.3.3 Online Help of Command Line.............................................................................. 1-37
2.3.4 Error Information of Command Line...................................................................... 1-38
2.3.5 History Commands................................................................................................ 1-39
2.3.6 Edition Feature...................................................................................................... 1-40
2.3.7 Display Feature ..................................................................................................... 1-40
2.3.8 Hotkey ................................................................................................................... 1-41
2.4 Basic Configuration of the SecPath F1800-A .................................................................. 1-44
2.4.1 Entering and Quitting System View....................................................................... 1-44
2.4.2 Changing Language Mode.................................................................................... 1-44
2.4.3 Defining the SecPath F1800-A Name................................................................... 1-44
2.4.4 Configuring System Clock..................................................................................... 1-45
2.4.5 Configuring Command Privilege Level.................................................................. 1-45
2.4.6 Displaying System Status Information .................................................................. 1-46
2.5 User Management ........................................................................................................... 1-47
2.5.1 Overview of User Management............................................................................. 1-47
2.5.2 User Management Configuration .......................................................................... 1-49
2.5.3 User Login Information Configuration ................................................................... 1-51
2.5.4 Typical Examples of Configuration........................................................................ 1-53
2.6 User Interface .................................................................................................................. 1-53
2.6.1 User Interface Overview........................................................................................ 1-53
2.6.2 Entering User Interface View ................................................................................ 1-54
2.6.3 Configuring Asynchronous Interface Attributes..................................................... 1-55
2.6.4 Configuring Terminal Attributes............................................................................. 1-57
2.6.5 Configuring Modem Attributes............................................................................... 1-58
2.6.6 Configuring Redirection......................................................................................... 1-58
2.6.7 Configuring Call-in or Call-out Restriction on VTY User Interface ........................ 1-60
2.6.8 Displaying and Debugging User Interface ............................................................ 1-60
2.7 Terminal Service.............................................................................................................. 1-61
2.7.1 Configuring Terminal Service on the Console Interface ....................................... 1-61
2.7.2 Configuring Terminal Service on the AUX Port..................................................... 1-61
2.7.3 Configuring Telnet Terminal Service..................................................................... 1-62
2.7.4 Configuring SSH Terminal Service ....................................................................... 1-65
Chapter 3 Working Mode............................................................................................................ 1-71
3.1 Working Mode Overview.................................................................................................. 1-71
3.1.1 Introduction to Working Mode ............................................................................... 1-71
3.1.2 Working Process of Route Mode .......................................................................... 1-73
3.1.3 Working Process of Transparent Mode ................................................................ 1-74
3.1.4 Working Process of Composite Mode................................................................... 1-78
3.2 Route Mode Configuration............................................................................................... 1-78
3.2.1 Configuring the SecPath F1800-A to Work in Route Mode .................................. 1-78
3.2.2 Setting Other Parameters in Route Mode............................................................. 1-79
3.3 Transparent Mode Configuration..................................................................................... 1-79
3.3.1 Configuring Transparent Mode for the SecPath F1800-A .................................... 1-79
3.3.2 Configuring Address Entries ................................................................................. 1-79
3.3.3 Configuring Processing Mode of IP Packets with Unknown MAC Address.......... 1-80
3.3.4 Setting Aging Time of MAC Address Forwarding Table ....................................... 1-80
3.4 Composite Mode Configuration ....................................................................................... 1-81
3.4.1 Configuring the SecPath F1800-A to Work in Composite Mode........................... 1-81
3.4.2 Setting Other Parameters in Composite Mode ..................................................... 1-81
3.5 Displaying and Debugging Firewall Working Mode ......................................................... 1-81
3.6 Typical Example for Configuring Firewall Working Mode................................................ 1-82
3.6.1 Processing IP Packet with Unknown MAC Address ............................................. 1-82
3.6.2 Connecting Multiple LANs with the SecPath F1800-A in Transparent Mode ....... 1-83
Chapter 1 Firewall Overview
1.1 Overview of Network Security
With the rapid development of the Internet, more and more enterprises turn to network services to speed up their development. How to protect confidential data, resources and reputation in an open network environment has become a focus of attention. Therefore, network security is a critical task in network construction.
1.1.1 Security Threats
At present, the common security threats on the Internet are shown in Table 1-1.
Table 1-1 Common security threats on the Internet
Unauthorized use. Description: Resources are used by an unauthorized user (also called an illegal user) or in an unauthorized mode. Example: An intruder can guess a combination of user name and password to enter a computer system and use its resources illegally.
Denial of Service (DoS). Description: The server denies a legal access request from a legal user. Example: An intruder sends a large number of data packets or defective packets to the server within a short time, so that the server cannot process legal tasks due to overload.
Information theft. Example: An intruder does not intrude into the destination system directly, but intercepts significant data or information on the network.
Data tampering. Example: An intruder intentionally destroys the consistency of data by modifying, deleting, delaying or reordering the system data or message stream, or by inserting fraudulent messages.
1.1.2 Classification of Network Security Services
Network security services are a set of security measures taken against the above security threats. They are shown in Table 1-2.
Table 1-2 Network security services
Availability service: Ensures that information or services can be accessed when required.
Confidentiality service: Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
Integrity service: Ensures that data cannot be modified or destroyed in an unauthorized mode.
Verification: Ensures the legality of an entity ID.
Authorization: Specifies the access authority of a user to controlled resources.
1.1.3 Implementation of Network Security Services
I. Encryption
It is the process of translating a readable message into unreadable encrypted text.
It can:
• Provide users with communication security;
• Serve as the basis of many security mechanisms.
For example, cryptographic mechanisms include:
• Authentication password design
• Secure communication protocol design
• Digital signature design
Encryption methods are of three types. They are shown in Table 1-3.
Table 1-3 Encryption methods
Symmetric key mechanism: The key used for encryption and decryption is identical. A pair of users share one secret key to exchange messages, and the key must be kept private. It includes:
• Data Encryption Standard (DES)
• Triple DES (3DES)
Public key mechanism: It has two different keys that separate the process of encryption from that of decryption. One key, called the private key, must be stored secretly; the other, called the public key, can be distributed publicly. It includes:
• Diffie-Hellman (DH)
• Rivest, Shamir, Adleman (RSA)
Hash: It is used to compress a variable-length message into a fixed-length code, called a hash or message digest. It includes:
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA)
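As an added illustration of the hash row of Table 1-3 (example code written for this edition, not part of the H3C manual or the SecPath product): a digest turns a message of any length into a code of fixed length, and the integrity service of Table 1-2 uses it to detect the modification, reordering and insertion attacks listed in Table 1-1. The messages and the shared key are constructed for the example; HMAC-SHA256 is assumed as the keyed variant, and only Python's standard hashlib and hmac modules are used.

```python
"""Added example: message digests and digest-based integrity checking.
Not H3C code. Messages and keys below are constructed for the example."""
import hashlib
import hmac


def digest(message: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length hex digest of an arbitrary-length message."""
    return hashlib.new(algorithm, message).hexdigest()


def digest_lengths(message: bytes) -> dict:
    """The digest length (in bits) is fixed by the algorithm, not by the
    message size: MD5 gives 128 bits, SHA-1 160 bits, SHA-256 256 bits."""
    return {alg: len(digest(message, alg)) * 4 for alg in ("md5", "sha1", "sha256")}


def integrity_tag(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC, assumed here as the keyed variant).

    A bare digest only detects changes made by someone who cannot recompute it.
    An intruder who can rewrite the message can also rewrite a bare digest, so
    a secret shared by sender and receiver is mixed into the computation."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag over the received message and compare it in constant
    time, so the comparison does not leak how many bytes already matched."""
    return hmac.compare_digest(integrity_tag(key, message), tag)


def tamper_detected(key: bytes, original: bytes, received: bytes) -> bool:
    """True when the received message no longer matches the tag computed by the
    sender over the original: modification, reordering and insertion all show."""
    tag = integrity_tag(key, original)
    return not verify(key, received, tag)


if __name__ == "__main__":
    # Constructed sample: a one-character change in the message changes the
    # whole digest, and the keyed tag no longer verifies.
    key = b"constructed-shared-secret"
    print(digest_lengths(b"any message, any length"))
    print(digest(b"pay 100 to alice"))
    print(digest(b"pay 100 to bob"))
    print(tamper_detected(key, b"pay 100 to alice", b"pay 100 to bob"))
```

The keyed tag is what the integrity service actually relies on: a digest alone tells the receiver that the message differs from the one the digest was computed over, but only a secret the intruder does not hold ties the tag to the legitimate sender.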
II. Authentication
It is used to verify the legality of a user ID before the user accesses the network or obtains services.
It can be either provided locally by each device on the network, or carried out through a dedicated authentication server. The latter has better flexibility, controllability and expandability.
Today, in hybrid networks, Remote Authentication Dial-In User Service (RADIUS), as an open standard, is widely used for authentication services.
III. Access Control
It is an enhanced authorization method. Generally, it is divided into two types:
• Access control based on an operating system
It authorizes a user to access resources on a certain computer. Access control policies can be set based on user ID, groups or rules.
• Access control based on the network
It authorizes a legal user to access the network. Its mechanism is much more complex than access control based on an operating system. Usually, the access control component (such as a firewall) is configured at some intermediate point between a requester and the destination to achieve access control.
IV. Security Protocol
It plays an extremely significant role in network security. The following describes widely used security protocols in terms of the TCP/IP layered model.
1) Application layer security
It provides end-to-end security from an application on one host to the application on another host across the network. The application layer security mechanism depends on the specific application, and its security protocol is a supplement to the application protocol. Therefore, no general application layer security protocol exists.
For example, the Secure Shell (SSH) protocol can:
• Establish a secure remote login session;
• Carry other TCP applications through its channels.
2) Transport layer security
It provides a process-to-process security service on one host or between multiple hosts. The transport layer security mechanism is based on the security of the Inter-Process Communication (IPC) interface and of applications.
Providing a security service at the transport layer means strengthening its IPC interface, such as the BSD socket.
The specific process includes:
• Authentication of the entities at both ends
• Exchange of data encryption keys
Based on this idea, Secure Socket Layer (SSL) was developed on top of a reliable transmission service.
SSL v3 includes two protocols:
• SSL record protocol
• SSL handshake protocol
3) Network layer security
Security provided at the network layer can automatically protect the user's data even if the upper layers fail to implement security.
Therefore, IP security is:
• The basis of the whole TCP/IP security
• The core of Internet security
At present, the most significant security protocol at the network layer is IP Security Protocol (IPSec). IPSec is a generic term for a series of network security protocols, including:
• Security protocols
• Encryption protocols
IPSec can provide the communicating parties with the following services:
• Access control
• Connectionless integrity
• Data source authentication
• Anti-replay
• Encryption
• Classified encryption of data flows
4) Data link layer security
It provides a point-to-point security service, such as on a point-to-point link. Data link layer security is implemented through encryption and decryption at each end of the link using dedicated devices.
1.2 Overview of Firewall System
1.2.1 First Safeguard
In practical application, since a single security defense technology cannot construct a secure network system, multiple technologies should be used together to keep the security hazard to a minimum.
In general, the first step in implementing security defense is to construct a barrier, known as a firewall, between internal networks and external networks to defend against the large majority of attacks from outside.
Similar to the partition wall used to prevent fire from spreading in a building, the firewall is one system, or a group of systems, that implements an access control policy. It can monitor the access channels between the Trust zone (the internal network) and the Untrust zone (the external network) to prevent hazards from external networks.
The firewall is mainly used for the following purposes:
• Restrict entry of users or information from a specific and strictly controlled site;
• Prevent intruders from approaching other security defense facilities;
• Restrict exit of users or information from a specific and strictly controlled site.
The firewall is usually placed at the entry of a protected zone to perform security defense based on the access control policy.
When the firewall is located at the junction between the internal network and the external network, it can protect the internal network and its data from unauthorized or unverified access and malicious attacks from external networks.
When the firewall is located at the junction between a relatively open network segment and a comparatively sensitive network segment (on which sensitive or private data is stored), it filters access to the sensitive data even if the access is an internal one.
1.2.2 Evolution of the Firewall
The evolution of firewall technology goes through the following stages.
I. The First Generation Firewall: Packet Filtering Firewall
Packet filtering checks each packet at the network layer, and then forwards or denies the packet based on the security policy.
The basic principle of the packet filtering firewall is that it filters packets according to a configured Access Control List (ACL), based on:
• The source and destination IP address
• The source and destination port number
• IP identifier
• Packet delivery direction
With moderate cost and simple design, the first generation firewall can be implemented easily.
However, its disadvantages are obvious:
• As the complexity and length of the ACL increase, its filtering performance degrades greatly;
• Static ACL rules are difficult to adapt to dynamic security requirements;
• Packet filtering neither checks session state nor analyzes data. That is, it cannot filter data at the user level, which makes spoofing easier. For example, an intruder can set his host IP address to a legal host IP address to pass through the packet filter.
II. The Second Generation Firewall: Proxy Firewall
The proxy service acts at the application layer. In essence, a proxy takes over the services between internal network users and external network users. The working principle is that the proxy first checks the request from a user; if the authentication passes, it establishes a connection with the genuine server and forwards the request, and finally it sends back the response.
The proxy firewall has higher security. It can completely control network information exchange and the session process.
However, it has obvious disadvantages:
• Low processing speed due to software restrictions
• Vulnerable to DoS attacks
• Difficult to upgrade, since an application proxy must be developed for each protocol
III. The Third Generation Firewall: Stateful Firewall
The stateful analysis technology is an extension of packet filtering technology (also informally called "dynamic packet filtering"). When checking packets, packet filtering based on connection state not only treats each packet as an independent unit, but also takes its history association into account.
The basic principle is described as follows:
• The stateful firewall uses various state tables to keep track of active TCP sessions and UDP pseudo sessions. The ACL then determines which sessions are allowed to be established. Finally only the packets associated with allowed sessions are forwarded.
• The stateful firewall captures packets at the network layer. The firewall then extracts the state information needed by the security policy from the application layer and saves it in dynamic state tables. Finally it analyzes the state tables and the subsequent connection requests related to the data packet to make a proper decision.
For the external network, the stateful firewall seems to act as a proxy system, because every external service request comes from the same host.
For the internal network, the stateful firewall seems to act as a packet filtering system, because internal users feel that they interwork directly with the external network.
The stateful firewall has the following advantages:
• High speed
It records the connection state of packets while performing the ACL check on the initial packet. The ACL check is not required for subsequent packets. Thus, the firewall only needs to check the connection record of the packet against the state table. After the check passes, the connection state record is refreshed. In this way, packets belonging to the same connection are not repeatedly checked.
Unlike the fixed ordering of an ACL, the records in the connection state table can be arranged in any order. Thus, the firewall can search the records quickly using algorithms such as binary trees or hashing, improving the transmission efficiency of the system.
• Reliable security
The connection state list is managed dynamically. After a session completes, the temporary return-packet entry created on the firewall is closed, ensuring the security of the internal network. Meanwhile, by virtue of real-time connection state monitoring, the firewall can identify the connection state based on the state factors in the state table. Thus, system security is enhanced.
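The first and third generations contrasted above, as an added example written for this edition (not code from the H3C manual or from the SecPath F1800-A itself): a first-generation packet filter is a single function that walks an ACL on header fields only, and the third-generation stateful firewall wraps it with a connection state table keyed by the 5-tuple, so the ACL is consulted only for the packet that opens a session, return packets are matched against the table, and the entry is removed when the session closes. The rules, addresses and packet trace are constructed for the example; the Packet and Rule classes and the "direction" field are assumptions of the example, not the product's data model.

```python
"""Added example: packet filtering (first generation) versus stateful inspection
(third generation). Not H3C code; rules, addresses and the packet trace are
constructed, and the Packet/Rule data model is an assumption of the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    direction: str      # "out" = Trust -> Untrust, "in" = Untrust -> Trust
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"FIN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # CIDR prefix
    dst: str            # CIDR prefix
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    direction: str


def acl_match(rules, pkt):
    """First-generation packet filter: walk the ACL in order, first match wins,
    implicit deny at the end. Only header fields are examined, never state."""
    for r in rules:
        if r.direction != pkt.direction or (r.proto != "any" and r.proto != pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


class StatefulFirewall:
    """Third generation: a session table keyed by the 5-tuple sits in front of
    the ACL. The ACL decides only whether a session may be established."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}      # 5-tuple -> state; a dict gives the hash lookup the text mentions
        self.acl_checks = 0     # how often the slow ACL path was taken

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        fwd, rev = self._key(pkt), self._reverse_key(pkt)
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None
        if key is not None:
            # Known session: no ACL check. Close the entry on FIN/RST, otherwise refresh it.
            if pkt.flags & {"FIN", "RST"}:
                del self.sessions[key]
            else:
                self.sessions[key] = "established"
            return "permit"
        # Unknown flow: a TCP packet that does not open a connection belongs to
        # no session, so it is dropped without consulting the ACL at all.
        if pkt.proto == "tcp" and "SYN" not in pkt.flags:
            return "deny"
        self.acl_checks += 1
        action = acl_match(self.rules, pkt)
        if action == "permit":
            self.sessions[fwd] = "new"   # UDP gets a pseudo session the same way
        return action


def demo():
    """Constructed trace: one outbound HTTP session plus packets that a stateless
    filter could not tell apart from legitimate traffic by header fields alone."""
    rules = [
        Rule("permit", "10.0.0.0/24", "0.0.0.0/0", "tcp", 80, "out"),
        Rule("permit", "10.0.0.0/24", "0.0.0.0/0", "udp", 53, "out"),
        # Nothing inbound is permitted by the ACL; only return traffic of an
        # existing session gets through.
    ]
    fw = StatefulFirewall(rules)
    S, SA, A, FA = (frozenset(f) for f in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}))
    trace = [
        Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, "out", S),   # opens the session
        Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, "in", SA),   # reply, matched by reverse key
        Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, "out", A),
        Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40001, "in", A),    # unsolicited ACK: no session
        Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 22, "in", S),      # inbound SYN: ACL denies
        Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, "out", FA),  # closes the session
        Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, "in", A),    # late packet after close
    ]
    return [fw.process(p) for p in trace], fw.acl_checks, len(fw.sessions)


if __name__ == "__main__":
    print(demo())
```

Running the trace shows both advantages the text claims: the ACL is walked only twice for seven packets (the two session-opening SYNs), and the unsolicited ACK and the late packet after the FIN are dropped without any rule being needed, because the state table has no entry for them. A pure packet filter with a rule permitting established-looking traffic on port 80 would have no way to reject those two packets.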
1.3 Overview of the SecPath F1800-A
1.3.1 SecPath F1800-A
The SecPath F1800-A of Huawei-3Com is an enhanced stateful firewall.
Combined with the Huawei-3Com ASPF technology, it features:
• The high security of the proxy firewall
• The high speed of the stateful firewall
The SecPath F1800-A of Huawei-3Com adopts:
• A specially designed and highly reliable hardware system
• A dedicated operating system with independent intellectual property rights
It integrates:
• Highly efficient packet filtering
• Transparent proxy service
• Improved stateful inspection security technology
• Multiple analysis and statistics functions
• Multiple security measures
In addition, it provides:
• Multiple types of interfaces
• Multiple working modes
It supports processing capability from the low end (tens of megabits) to the high end (thousands of megabits).
Combining the firewalls with Huawei-3Com's existing routers and switches, Huawei-3Com provides customers with an advanced and complete security solution for small, medium and large-sized intranets.
1.3.2 Overview of the SecPath F1800-A
The SecPath F1800-A is a new generation high-speed stateful firewall; it provides cost-effective network security for medium and large-sized customers.
I. Enhanced Security
Compared with software firewalls based on a common operating system, the SecPath F1800-A adopts a specially designed hardware platform and a secure operating system with independent intellectual property rights. Its packet processing is totally separated from the operating system, which greatly increases the security of the system.
With its own ASPF state inspection technology, the SecPath F1800-A is capable of:
• Monitoring the connection process and malicious commands
• Cooperating with the ACL to achieve packet filtering
• Providing a number of attack defense capabilities
All of the above features ensure the security of the network.
II. High-speed Processing Capability
Oriented to medium and large-sized enterprise and industry users, the SecPath F1800-A provides wire-rate, high-performance security defense and packet processing capabilities by using Network Processor (NP) technology.
III. High Reliability
Various attack details have been taken into account in the software design. The SecPath F1800-A achieves great robustness by means of priority scheduling and flow control.
In addition, the SecPath F1800-A supports:
• Dual-system hot backup, so that service is not interrupted when the state switches
• Load balancing across multiple machines, so that the state switches automatically when a fault occurs
IV. Powerful Networking and Service Support Capability
With integrated high-speed Ethernet interfaces, the SecPath F1800-A supports many protocols:
• H.323
• File Transfer Protocol (FTP)
• Simple Mail Transfer Protocol (SMTP)
In addition, the SecPath F1800-A has the following features:
• Supports detection of bad commands.
• Supports Network Address Translation (NAT) applications.
• Supports static and dynamic blacklist filtering.
• Supports proxy-based SYN Flood defense flow control.
Besides the security and safety capabilities, the SecPath F1800-A integrates some routing capabilities:
• Static routing
• Routing Information Protocol (RIP) dynamic routing
• Open Shortest Path First (OSPF) dynamic routing
Such capabilities lead to more flexible networking of the SecPath F1800-A.
V. Powerful Log and Statistics
Based on the powerful log and statistics provided by the SecPath F1800-A, you can obtain useful help in security analysis and event tracing.
1.3.3 Function Features List of the SecPath F1800-A
Table 1-4 Function feature list of the SecPath F1800-A
(Columns: Category, Attribute, Description)

Security defense
  Working mode
    • Supports route mode.
    • Supports transparent mode.
    • Supports composite mode.
  Packet filtering
    • Supports basic ACL, advanced ACL and firewall ACL.
    • Supports time-range ACL.
    • Supports blacklist and MAC/IP address binding.
    • Supports ASPF and stateful inspection.
    • Provides port mapping.
  NAT
    • Supports address translation (NAT and NAPT).
    • Provides the internal server function (publishing an inside server
      through NAT).
    • Supports multiple NAT ALGs, including FTP, NBT, RAS, ICMP and H.323.
  Attack defense
    • Defends against multiple DoS attacks, such as SYN Flood, ICMP Flood,
      UDP Flood, WinNuke, ICMP redirect and unreachable packets, Land, Smurf
      and Fraggle.
    • Defends against scanning and snooping, such as address scanning, port
      scanning, the IP source routing option, the IP record route option and
      ICMP snooping packets.
    • Defends against other attacks, such as IP spoofing.
  IDS cooperation
    • IDS cooperation.
  Traffic monitoring
    • Supports limits on connection rate and connection count per IP address.
    • Supports CAR.
    • Supports real-time traffic statistics and attack packet statistics.

Network interconnection
  Link layer protocol
    • Supports Ethernet.
    • Supports VLAN.
    • Supports PPP and PPPoE.
  IP service
    • Supports ARP.
    • Supports static domain name resolution.
    • Supports DHCP relay.
  Routing protocol
    • Supports static routing.
    • Supports dynamic routing (RIP, OSPF, BGP).
    • Supports policy-based routing.
    • Supports route policy and route iteration.

Service application
  AAA
    • Supports AAA with the RADIUS and HWTACACS protocols.
    • Supports AAA domains.
    • Supports local user management.
  QoS
    • Supports congestion management.

Configuration and management
  Command line interface
    • Prompt and help information in English and Chinese.
    • Hierarchical command-line protection (privilege levels) against use by
      unauthorized users.
    • Detailed debugging information to help with network fault diagnosis.
    • Network test tools, such as tracert and ping.
  System management
    • Uploads and downloads program and configuration files through FTP.
    • Uploads and downloads program and configuration files through TFTP.
    • Uploads program files in XModem mode.
  Terminal service
    • Supports terminal services on the console port and the AUX interface.
    • Supports terminal services over Telnet and SSH.
    • Supports the send function so that terminal users can communicate with
      each other.

Maintenance and reliability
  Reliability
    • Supports VRRP.
    • Supports VGMP.
    • Supports HRP hot backup.
  System management
    • Supports the standard network management protocol SNMPv1/v2c/v3.
  System log
    • Provides a log server for browsing and querying log information.
    • Provides input/output IP packet statistics, NAT log, ASPF log, attack
      defense log and blacklist log.

Note:
ASPF = Application Specific Packet Filter
NAPT = Network Address Port Translation
ALG = Application Level Gateway
NBT = NetBIOS over TCP/IP
RAS = Registration, Admission and Status (H.323 signaling)
ICMP = Internet Control Message Protocol
VRRP = Virtual Router Redundancy Protocol
VGMP = VRRP Group Management Protocol
HRP = Huawei Redundancy Protocol
SNMP = Simple Network Management Protocol
CAR = Committed Access Rate
AAA = Authentication, Authorization and Accounting
Telnet, FTP and TFTP carry credentials and files in cleartext; use SSH for remote
management wherever possible and confine the cleartext services to a trusted
management network.
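The attack defense row of Table 1-4 names the attacks only by type. The following added example (illustration code, not H3C's implementation) shows the packet-level conditions behind several of them: Land, Smurf, Fraggle, WinNuke, ICMP redirect and unreachable, the IP source-route and record-route options, plus threshold-based address and port scan detection. The sample packets, the 192.168.1.0/24 protected network and the scan thresholds are all constructed for the example.

```python
"""Packet checks for several of the attacks listed under "Attack defense" in Table 1-4.

Added illustration, not H3C code: packets are plain dicts built inline
(constructed sample input), not traffic parsed from the wire.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# IP option type codes from RFC 791: loose/strict source route and record route.
IPOPT_LSRR, IPOPT_SSRR, IPOPT_RR = 131, 137, 7
# ICMP message types from RFC 792.
ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
TCP_URG = 0x20                 # URG flag bit in the TCP flags byte
NETBIOS_SESSION_PORT = 139     # WinNuke sends URG (out-of-band) data to the NetBIOS session port
FRAGGLE_PORTS = {7, 19}        # UDP echo and chargen, the classic Fraggle reflectors


def is_broadcast(dst, protected_nets):
    """True if dst is 255.255.255.255 or the directed-broadcast address of a protected subnet."""
    addr = ip_address(dst)
    if addr == ip_address("255.255.255.255"):
        return True
    return any(addr == ip_network(net).broadcast_address for net in protected_nets)


def classify(pkt, protected_nets):
    """Return the list of attack labels a single packet matches (empty if clean)."""
    hits = []
    proto, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
    options = pkt.get("ip_options", ())
    # Land: source and destination address (and port) are identical.
    if proto == "tcp" and src == dst and pkt.get("sport") == pkt.get("dport"):
        hits.append("Land")
    if IPOPT_LSRR in options or IPOPT_SSRR in options:
        hits.append("IP source routing option")
    if IPOPT_RR in options:
        hits.append("IP record route option")
    if proto == "icmp":
        icmp_type = pkt["icmp_type"]
        if icmp_type == ICMP_ECHO_REQUEST and is_broadcast(dst, protected_nets):
            hits.append("Smurf")          # echo request to broadcast, source spoofed as the victim
        elif icmp_type == ICMP_REDIRECT:
            hits.append("ICMP redirect")  # an outside redirect can rewrite a host's routing
        elif icmp_type == ICMP_UNREACHABLE:
            hits.append("ICMP unreachable")
    elif proto == "udp":
        if pkt["dport"] in FRAGGLE_PORTS and is_broadcast(dst, protected_nets):
            hits.append("Fraggle")
    elif proto == "tcp":
        if pkt["flags"] & TCP_URG and pkt["dport"] == NETBIOS_SESSION_PORT:
            hits.append("WinNuke")
    return hits


def detect_scans(packets, addr_threshold=20, port_threshold=30):
    """Flag sources touching many distinct hosts (address scan) or many ports on one host (port scan).

    The thresholds are arbitrary illustration values, not the firewall's.
    """
    hosts_per_src = defaultdict(set)
    ports_per_pair = defaultdict(set)
    for p in packets:
        hosts_per_src[p["src"]].add(p["dst"])
        if p["proto"] in ("tcp", "udp"):
            ports_per_pair[(p["src"], p["dst"])].add(p["dport"])
    verdicts = defaultdict(list)
    for src, dsts in hosts_per_src.items():
        if len(dsts) >= addr_threshold:
            verdicts[src].append("address scanning")
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            verdicts[src].append("port scanning of " + dst)
    return dict(verdicts)


# Constructed sample traffic; 192.168.1.0/24 plays the protected inside network.
PROTECTED_NETS = ["192.168.1.0/24"]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.10", "sport": 139, "dport": 139, "flags": 0x02},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.255", "icmp_type": ICMP_ECHO_REQUEST},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.255", "dport": 7},
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.10", "sport": 4000, "dport": 139, "flags": 0x38},
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.10", "sport": 4001, "dport": 80, "flags": 0x02,
     "ip_options": [IPOPT_LSRR]},
    {"proto": "icmp", "src": "203.0.113.7", "dst": "192.168.1.10", "icmp_type": ICMP_REDIRECT},
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.10", "sport": 4002, "dport": 443, "flags": 0x02},
]
# One source sweeping 40 hosts on port 22, another probing 60 ports on one host.
SCAN_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.%d" % n, "sport": 5000, "dport": 22, "flags": 0x02}
    for n in range(1, 41)
] + [
    {"proto": "tcp", "src": "203.0.113.10", "dst": "192.168.1.10", "sport": 5000, "dport": port, "flags": 0x02}
    for port in range(1, 61)
]


def run_sample():
    """Classify the constructed packets and return (per-packet labels, scan verdicts)."""
    per_packet = [classify(p, PROTECTED_NETS) for p in SAMPLE_PACKETS]
    scans = detect_scans(SAMPLE_PACKETS + SCAN_PACKETS)
    return per_packet, scans


if __name__ == "__main__":
    labels, scan_verdicts = run_sample()
    for pkt, hit in zip(SAMPLE_PACKETS, labels):
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], hit or ["clean"])
    print(scan_verdicts)
```

The per-packet checks are stateless signature matches; the scan checks are the stateful part and are where a real device needs the per-IP connection-rate and connection-count limits listed under Traffic monitoring, since a counter with no bound is itself a resource-exhaustion target.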
Chapter 2 Basic SecPath F1800-A Configuration
2.1 Establishment of Configuration Environment Through
the Console Interface
2.1.1 Establishing Configuration Environment
You can configure the SecPath F1800-A locally through the console interface.
This is the most reliable configuration and maintenance method because it does
not depend on the network: use it when the SecPath F1800-A is powered on for
the first time, when it cannot be reached over the network, or when other faults
occur. Because the console port gives direct access to the command line,
restrict physical access to the device and configure login authentication for
the console user interface.
Perform the following steps.
Step 1: Establish the local configuration environment. Connect the serial interface on
your computer (PC or terminal) to the console interface of the SecPath F1800-A with a
standard RS-232 cable. It is shown in Figure 2-1.
[Figure 2-1: PC RS-232 serial interface <-- console cable --> SecPath console port]
Figure 2-1 Establishing local configuration environment through the console port
Step 2: Run the terminal emulation program (such as HyperTerminal in Windows 9X)
on your computer to establish a new connection. It is shown in Figure 2-2 and Figure
2-3.
Figure 2-2 Establishing a new connection
Figure 2-3 Selecting serial interface
Step 3: Select RS-232 serial interface on your computer.
Step 4: Set the terminal communication parameters as follows (see Figure 2-4
and Figure 2-5):
• Baud rate: 9600 bit/s
• Data bits: 8
• Stop bits: 1
• Parity: none
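Steps 1 to 4 describe the HyperTerminal dialog on Windows. The following added example (not part of the H3C manual) applies the same line settings, 9600 bit/s, 8 data bits, no parity, 1 stop bit, from a Linux or macOS host using only Python's standard termios module, and decodes them back so the result can be checked. The device path /dev/ttyUSB0 is an assumption for a USB-to-serial adapter; substitute your own.

```python
"""Apply the manual's console settings (9600 bit/s, 8 data bits, no parity, 1 stop bit) from Python.

Added example, not part of the H3C manual: it does on Linux/macOS what the
HyperTerminal dialog does on Windows, using only the standard termios module.
The device path /dev/ttyUSB0 is an assumption for a USB-to-serial adapter.
"""
import os
import termios

BAUD_CONST = {9600: termios.B9600, 19200: termios.B19200, 38400: termios.B38400,
              57600: termios.B57600, 115200: termios.B115200}
DATA_BITS_CONST = {7: termios.CS7, 8: termios.CS8}
CRTSCTS = getattr(termios, "CRTSCTS", 0)   # hardware flow control bit; 0 where the platform lacks it


def console_attrs(attrs, baud=9600, data_bits=8, parity="N", stop_bits=1):
    """Return a termios attribute list (as from tcgetattr) rewritten for a raw console line."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = attrs
    if parity not in ("N", "E", "O") or stop_bits not in (1, 2):
        raise ValueError("unsupported line setting")
    # Clear every framing bit, then set the requested character size, parity and stop bits.
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.PARODD | termios.CSTOPB | CRTSCTS)
    cflag |= DATA_BITS_CONST[data_bits]
    if parity == "E":
        cflag |= termios.PARENB
    elif parity == "O":
        cflag |= termios.PARENB | termios.PARODD
    if stop_bits == 2:
        cflag |= termios.CSTOPB
    cflag |= termios.CLOCAL | termios.CREAD      # ignore modem control lines, enable the receiver
    # Raw mode: the firewall's CLI does echo and line editing, so the local tty must not.
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ISIG | termios.IEXTEN)
    iflag &= ~(termios.IXON | termios.IXOFF | termios.ICRNL | termios.INLCR
               | termios.BRKINT | termios.ISTRIP)
    oflag &= ~termios.OPOST
    cc = list(cc)
    cc[termios.VMIN], cc[termios.VTIME] = 1, 0   # hand over each byte as soon as it arrives
    speed = BAUD_CONST[baud]
    return [iflag, oflag, cflag, lflag, speed, speed, cc]


def summarize(attrs):
    """Decode an attribute list back into the parameters the manual names, for checking."""
    cflag = attrs[2]
    baud = {v: k for k, v in BAUD_CONST.items()}[attrs[5]]
    data_bits = {v: k for k, v in DATA_BITS_CONST.items()}[cflag & termios.CSIZE]
    if not cflag & termios.PARENB:
        parity = "N"
    else:
        parity = "O" if cflag & termios.PARODD else "E"
    return {"baud": baud, "data_bits": data_bits, "parity": parity,
            "stop_bits": 2 if cflag & termios.CSTOPB else 1,
            "hw_flow_control": bool(CRTSCTS and cflag & CRTSCTS)}


def open_console(path="/dev/ttyUSB0"):
    """Open the serial device, apply the console settings and return the file descriptor."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    termios.tcsetattr(fd, termios.TCSANOW, console_attrs(termios.tcgetattr(fd)))
    return fd


if __name__ == "__main__":
    import sys
    fd = open_console(sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0")
    print(summarize(termios.tcgetattr(fd)))   # expected: 9600 / 8 / N / 1
```

An interactive terminal program such as `screen /dev/ttyUSB0 9600` applies the same 8-N-1 settings by default; the script above is useful when the console session is driven from automation, or to verify that an adapter really is at 9600 bit/s when the prompt comes back as garbage characters.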