H3C SecPath F1800-A Operating instructions

H3C SecPath F1800-A Firewall
Operation Manual
Hangzhou Huawei-3Com Technology Co., Ltd.
http://www.huawei-3com.com
Manual Version: T2-081659-20061015-C-1.01
Product Version: VRP3.30
Copyright © 2006, Hangzhou Huawei-3Com Technology Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou Huawei-3Com Technology Co., Ltd.
Trademarks
H3C, Aolynk, IRF, H3Care, Neocean, TOP G, SecEngine,
SecPath, COMWARE, VVG, V2G, VnG, PSPT, NetPilot, and XGbus are trademarks of
Hangzhou Huawei-3Com Technology Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Notice
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
the warranty of any kind, express or implied.
To obtain the latest information, please access:
http://www.huawei-3com.com
Technical Support
customer_service@huawei-3com.com
http://www.huawei-3com.com
About This Manual
Related Documentation
In addition to this manual, each SecPath F1800-A documentation set includes the
following:
Manual | Description
H3C SecPath F1800-A Firewall Installation Manual | Introduces the installation process and startup, as well as the software/hardware maintenance and monitoring of the SecPath F1800-A firewall.
H3C SecPath F1800-A Firewall Operation Manual | Provides operation guidance on getting started, working mode, security zone, system management, interface, link layer protocol, network and routing protocol, security defence, VPN and reliability of the SecPath F1800-A firewall.
H3C SecPath F1800-A Firewall Command Reference | Introduces the commands, corresponding to the operation manual, used in working mode, security zone, system management, interface, link layer protocol, network and routing protocol, security defence, VPN and reliability of the SecPath F1800-A firewall.
Organization
H3C SecPath F1800-A Firewall Operation Manual is organized as follows:
Part | Contents
1 Getting Started | Begins with the firewall development and security concept, and introduces the security features, configuration environment setup, management and working mode of the SecPath F1800-A firewall.
2 System Management | Introduces the usage of the SecPath F1800-A firewall file system, software upgrading, displaying and debugging tools and information center, as well as the usage and operation guidance of log maintenance, NTP, SNMP, RMON and RMON2.
3 Interface | Presents various parameter configurations on the interfaces provided, such as Ethernet interface, AUX interface and logical interface.
4 Link Layer Protocol | Describes the fundamentals and configurations of various link layer protocols supported by the SecPath F1800-A firewall, including PPP, PPPoE, and VLAN.
5 Network and Routing Protocol | Explains the IP address, IP performance, address resolution, DHCP relay and routing principle, and describes static route, RIP route, OSPF route, BGP route, policy route and related configuration.
6 Security Defence | Details the virtual firewall, ACL basics, security policy, NAT, IDS Cooperation and AAA configuration.
7 VPN | Deals with the principle and configuration of the VPN solution provided by the SecPath firewalls (e.g., L2TP) and Dynamic VPN, including IPSec configuration.
8 Reliability | Covers the reliability measures adopted by the SecPath F1800-A firewall, including route redundancy and dual-system hot backup, and their configuration.
9 Abbreviations | Lists abbreviations used in this manual and their full names.
10 Index | Lists important keywords as index entries to help the reader find the required information quickly.
Conventions
The manual uses the following conventions:
I. Command conventions
Convention: Description
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
#: A line starting with the # sign is a comment.
II. GUI conventions
Convention: Description
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
III. Symbols
Convention: Description
Caution: Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
Note: Means a complementary description.
Operation Manual - Getting Started
H3C SecPath F1800-A Firewall Table of Contents
Table of Contents
Chapter 1 Firewall Overview
1.1 Overview of Network Security
1.1.1 Security Threats
1.1.2 Classification of Network Security Services
1.1.3 Implementation of Network Security Services
1.2 Overview of Firewall System
1.2.1 First Safeguard
1.2.2 Evolution of the Firewall
1.3 Overview of the SecPath F1800-A
1.3.1 SecPath F1800-A
1.3.2 Overview of the SecPath F1800-A
1.3.3 Function Features List of the SecPath F1800-A
Chapter 2 Basic SecPath F1800-A Configuration
2.1 Establishment of Configuration Environment Through the Console Interface
2.1.1 Establishing Configuration Environment
2.1.2 Configuring Successful Ping Between a Device and a SecPath F1800-A
2.1.3 Configuring Successful Ping between Two Devices across a SecPath F1800-A
2.2 Establishment of Configuration Environment by Other Means
2.2.1 Establishment through the AUX interface
2.2.2 Establishment through Telnet
2.2.3 Establishment Through SSH
2.3 Command-line Interface Management
2.3.1 Command-Line Level
2.3.2 Command-Line View
2.3.3 Online Help of Command Line
2.3.4 Error Information of Command Line
2.3.5 History Commands
2.3.6 Edition Feature
2.3.7 Display Feature
2.3.8 Hotkey
2.4 Basic Configuration of the SecPath F1800-A
2.4.1 Entering and Quitting System View
2.4.2 Changing Language Mode
2.4.3 Defining the SecPath F1800-A Name
2.4.4 Configuring System Clock
2.4.5 Configuring Command Privilege Level
2.4.6 Displaying System Status Information
2.5 User Management
2.5.1 Overview of User Management
2.5.2 User Management Configuration
2.5.3 User Login Information Configuration
2.5.4 Typical Examples of Configuration
2.6 User Interface
2.6.1 User Interface Overview
2.6.2 Entering User Interface View
2.6.3 Configuring Asynchronous Interface Attributes
2.6.4 Configuring Terminal Attributes
2.6.5 Configuring Modem Attributes
2.6.6 Configuring Redirection
2.6.7 Configuring Call-in or Call-out Restriction on VTY User Interface
2.6.8 Displaying and Debugging User Interface
2.7 Terminal Service
2.7.1 Configuring Terminal Service on the Console Interface
2.7.2 Configuring Terminal Service on the AUX Port
2.7.3 Configuring Telnet Terminal Service
2.7.4 Configuring SSH Terminal Service
Chapter 3 Working Mode
3.1 Working Mode Overview
3.1.1 Introduction to Working Mode
3.1.2 Working Process of Route Mode
3.1.3 Working Process of Transparent Mode
3.1.4 Working Process of Composite Mode
3.2 Route Mode Configuration
3.2.1 Configuring the SecPath F1800-A to Work in Route Mode
3.2.2 Setting Other Parameters in Route Mode
3.3 Transparent Mode Configuration
3.3.1 Configuring Transparent Mode for the SecPath F1800-A
3.3.2 Configuring Address Entries
3.3.3 Configuring Processing Mode of IP Packets with Unknown MAC Address
3.3.4 Setting Aging Time of MAC Address Forwarding Table
3.4 Composite Mode Configuration
3.4.1 Configuring the SecPath F1800-A to Work in Composite Mode
3.4.2 Setting Other Parameters in Composite Mode
3.5 Displaying and Debugging Firewall Working Mode
3.6 Typical Example for Configuring Firewall Working Mode
3.6.1 Processing IP Packet with Unknown MAC Address
3.6.2 Connecting Multiple LANs with the SecPath F1800-A in Transparent Mode
Chapter 1 Firewall Overview
1.1 Overview of Network Security
With the rapid development of the Internet, more and more enterprises turn to network
services to speed up their development. How to protect confidential data, resources
and reputation in an open network environment has become a focus of attention.
Therefore, network security is a very critical task in network construction.
1.1.1 Security Threats
At present, common security threats on the Internet are shown in Table 1-1.
Table 1-1 Common security threats on the Internet
Type | Description | Example
Unauthorized use | Resources are used by an unauthorized user (also called illegal user) or in unauthorized mode. | An intruder can guess a combination of user name and password to enter a computer system and use resources illegally.
Denial of Service (DoS) | The server denies legal access request from the legal user. | An intruder sends a large number of data packets or defective packets to the server within a short time, so that the server cannot process the legal task due to overload.
Information theft | - | An intruder does not intrude a destination system directly, but intercepts significant data or information on the network.
Data juggle | - | An intruder intentionally destroys the consistency of data through modifying, deleting, delaying, reordering the system data or message stream, or inserting fraud messages.
1.1.2 Classification of Network Security Services
Network security services are a set of security measures taken against the above
security threats. They are shown in Table 1-2.
Table 1-2 Network security services
Type | Description
Availability service | Ensures information or services can be accessed if required.
Confidentiality service | Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
Integrality service | Ensures that data cannot be modified or destroyed in an unauthorized mode.
Verification | Ensures the legality of an entity ID.
Authorization | Specifies the access authority for a user to control resources.
1.1.3 Implementation of Network Security Services
I. Encryption
It is a process to translate a readable message into an unreadable encrypted text.
It can:
- Provide users with communication security;
- Become the basis of many security mechanisms.
For example, password mechanism includes:
- Authentication password design
- Security communication protocol design
- Digital signature design
Encryption methods are of three types. They are shown in Table 1-3.
Table 1-3 Encryption methods
Type | Description | Remark
Symmetric password mechanism | The same security key is used for encryption and decryption. One pair of users share one password to exchange messages, and keys must be private. | It includes Data Encryption Standard (DES) and Triple DES (3DES).
Public key password mechanism | It has two different security keys that separate the process of encryption from that of decryption. One key is called private key that must be stored secretly; the other is called public key that can be distributed publicly. | It includes Diffie-Hellman (DH) and Rivest, Shamir, Adleman (RSA).
Hash | It is used to compress a variable message into an invariable code and enable it to become a hash or message digest. | It includes Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).
II. Authentication
It is used to verify the legality of the user ID before a user accesses the network or
obtains services.
It can be either provided locally by each device on the network, or carried out through
a dedicated authentication server. The latter has better flexibility, controllability and
expandability.
Now, in a hybrid network, Remote Authentication Dial-In User Service (RADIUS), as an
open standard, is widely used as an authentication service.
III. Access Control
It is an enhanced authorization method. Generally, it is divided into two types:
- Access control based on an operating system
It authorizes a user to access resources on a certain computer. Access control
policies can be set based on user ID, groups or rules.
- Access control based on the network
It authorizes a legal user to access the network. Its mechanism is much more complex
than the access control based on an operating system. Usually, the access control
component (such as a firewall) is configured at some intermediate point between a
requester and the destination to achieve access control.
IV. Security Protocol
It plays an extremely significant role in network security. The following describes
the widely used security protocols in terms of the TCP/IP layered model.
1) Application layer security
It provides end-to-end security from an application on one host to an application
on another host across the network. The application layer security mechanism depends
on the specific application, and its security protocol is a supplement to the application
protocol. Therefore, a general application layer security protocol does not exist.
For example, the Secure Shell (SSH) protocol can:
- Establish a secure remote login session;
- Connect other TCP applications through channels.
2) Transport layer security
It provides a process-to-process security service on a host or multiple hosts.
Transport layer security mechanism is based on the security of Inter-Process
Communication (IPC) interface and applications.
Providing security service at the transport layer means strengthening its IPC interface,
such as the BSD socket.
The specific process includes:
- Authentication of entities at both ends
- Exchange of data encryption security keys
Based on this idea, Secure Socket Layer (SSL) was developed on the basis of a reliable
transmission service.
SSL v3 includes two protocols:
- SSL record protocol
- SSL handshake protocol
3) Network layer security
Security provided at the network layer can automatically protect the data of the user
even if the upper layers fail to implement security.
Therefore, IP security is:
- The basis of the whole TCP/IP security
- The core of the Internet security
At present, the most significant security protocol at the network layer is IP Security
Protocol (IPSec). IPSec is a generic term for a series of network security protocols,
including:
- Security protocols
- Encryption protocols
IPSec can provide communication parties with the following services:
- Access control
- Connectionless integrality
- Data source authentication
- Anti-replay
- Encryption
- Classification encryption of data flow
4) Data link layer security
It provides a point-to-point security service, such as on a point-to-point link. Data link
layer security is implemented through encryption and decryption at each end on the
link using dedicated devices.
1.2 Overview of Firewall System
1.2.1 First Safeguard
In practical application, since a single security defense technology cannot construct a
secure network system, multiple technologies should be used together to keep the
security hazard to a minimum.
In general, the first step to implement security defense is to construct a barrier, known
as a firewall, between internal networks and external networks to defend against the
large majority of attacks from outside.
Similar to a partition wall used to prevent fire from spreading in a building, the firewall
is one or a group of system(s) that implement an access control policy. It can monitor the
access channels between the Trust zone (the internal network) and the Untrust zone
(the external network) to prevent hazards from external networks.
The firewall is mainly used for the following purposes:
- Restrict entry of users or information from a specific and strictly controlled
website;
- Prevent intruders from approaching other security defense facilities;
- Restrict exit of users or information from a specific and strictly controlled website.
The firewall is usually placed at the entry of a protected zone to perform security
defense based on access control policy.
When the firewall is located at the junction between the internal network and the external
network, it can protect the internal network and its data from unauthorized or
unverified access and malicious attack from external networks.
When the firewall is located at the junction between a relatively open network segment
and a comparatively sensitive network segment (on which sensitive or private data is
stored), it will filter access to sensitive data even if the access is an internal one.
1.2.2 Evolution of the Firewall
The evolution of the firewall technology goes through the following stages.
I. The First Generation Firewall: Packet Filtering Firewall
Packet filtering is to check each packet at network layer, and then to forward or deny
packets based on the security policy.
The basic principle of the packet filtering firewall is that it filters packets by
configuring an Access Control List (ACL), based on:
- The source and destination IP address
- The source and destination port number
- IP identifier
- Packet delivery direction
With moderate cost and simple design, the first generation firewall can be
implemented easily.
However, its disadvantages are obvious:
- As the complexity and length of the ACL increase, its filtering performance will
degrade greatly;
- Static ACL rules are difficult to adapt to dynamic security requirements;
- Packet filtering neither checks session state nor analyzes data. That is, it cannot
filter data at user levels, which helps the hacker to spoof. For example, an
intruder can set the IP address of his host to that of a legal host to pass
through the packet filter.
II. The Second Generation Firewall: Proxy Firewall
The proxy service acts on the application layer. In essence, a proxy takes over the
services between internal network users and external network users. The working
principle is that the proxy first checks the request from a user. If the authentication is
passed, it establishes a connection with the genuine server and forwards the request, and
finally it sends back the response to the request.
The proxy firewall has higher security. It can completely control network information
exchange and the session process.
However, it has obvious disadvantages:
- Low processing speed due to software restriction
- Vulnerable to DoS attack
- Difficult to upgrade, because an application proxy must be developed for each protocol
III. The Third Generation Firewall: Stateful Firewall
The stateful analysis technology is an extension of packet filtering technology (also
informally called “dynamic packet filtering”). When checking packets, packet filtering
based on connection state not only treats each packet as an independent unit, but
also takes its history association into account.
The basic principle is described as follows:
- The stateful firewall uses various state tables to keep track of activated TCP
sessions and UDP pseudo sessions. Then the ACL determines which sessions are
allowed to be established. Finally only the packets associated with allowed
sessions are forwarded.
- The stateful firewall can capture packets at the network layer. Then the firewall
extracts the state information needed by the security policy from the application layer,
and saves it in the dynamic state tables. Finally it analyzes the state tables and
the subsequent connection request related to the data packet to make a proper
decision.
For the external network, the stateful firewall seems to act as a proxy system because
any external service request comes from the same host.
For the internal network, the stateful firewall seems to act as a packet filtering system
because internal users feel that they directly interwork with the external network.
The stateful firewall has the following advantages:
- High speed
The stateful firewall records the connection state of packets while performing the ACL
check on the initial packets. The ACL check is not required for the subsequent packets:
the firewall only needs to check the connection record of the packet in the state
table. After the packet passes the check, the connection state record is refreshed. In this
case, packets with the same connection state are no longer repeatedly checked.
Unlike the fixed arrangement of an ACL, the records in the connection state table can
be arranged in any order. Thus, the firewall can search the records quickly using such
algorithms as binary tree or hash, so as to improve the transmission efficiency of the
system.
- Reliable security
The connection state list is managed dynamically. After a session is completed, the
temporary return packet entry created on the firewall is closed, so as to ensure
the security of internal networks. Meanwhile, by virtue of a real-time connection state
monitoring technology, the firewall can identify the connection state based on state
factors in the state table. Thus, the system security is enhanced.
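The stateful principle described above (ACL check on the first packet of a session, state table lookup for the rest, entry closed when the session ends) can be sketched as follows. This is an added example, not part of the manual and not the SecPath implementation. The class, rule and function names are hypothetical, the addresses are constructed sample values, and the 30-second UDP aging time is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # TCP flags, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src_net: str
    dst_net: str
    dport: Optional[int] = None          # None matches any destination port


def acl_permits(acl, pkt):
    """First-match walk of the ACL; a packet matching no rule is denied."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if (src in ipaddress.ip_network(rule.src_net)
                and dst in ipaddress.ip_network(rule.dst_net)
                and rule.dport in (None, pkt.dport)):
            return rule.action == "permit"
    return False


class StatefulFirewall:
    UDP_IDLE_TIMEOUT = 30.0              # assumed aging time for UDP pseudo sessions

    def __init__(self, acl):
        self.acl = acl
        self.sessions = {}               # hash table: initiator's 5-tuple -> state record
        self.acl_checks = 0              # number of times the ACL had to be walked

    def _lookup(self, pkt, now):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key, direction in ((fwd, "out"), (rev, "back")):
            state = self.sessions.get(key)
            if state is None:
                continue
            if pkt.proto == "udp" and now - state["last_seen"] > self.UDP_IDLE_TIMEOUT:
                del self.sessions[key]   # aged out: handle the packet as unknown
                continue
            return key, direction, state
        return fwd, None, None

    def process(self, pkt, now=0.0):
        key, direction, state = self._lookup(pkt, now)
        if state is not None:
            # Part of an allowed session: no ACL walk, only refresh the record.
            state["last_seen"] = now
            if "FIN" in pkt.flags:
                state["fin_from"].add(direction)
            if "RST" in pkt.flags or state["fin_from"] == {"out", "back"}:
                # Session finished: close the temporary return entry. (Simplified:
                # a real device also lets the last ACK through and ages idle TCP.)
                del self.sessions[key]
            return "forward"
        # Unknown packet: only a session opener (a bare TCP SYN or the first
        # UDP datagram) may create state, and only if the ACL permits it.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop"
        self.acl_checks += 1
        if not acl_permits(self.acl, pkt):
            return "drop"
        self.sessions[key] = {"last_seen": now, "fin_from": set()}
        return "forward"


def demo():
    """Constructed trace: a trust-zone host opens one HTTP session to an outside server."""
    fw = StatefulFirewall([Rule("permit", "10.0.0.0/24", "0.0.0.0/0", 80)])
    client, server = ("10.0.0.5", 40000), ("203.0.113.10", 80)

    def out(*flags):
        return Packet(*client, *server, flags=frozenset(flags))

    def back(*flags):
        return Packet(*server, *client, flags=frozenset(flags))

    trace = [back("SYN", "ACK"),                   # forged "reply" before any session
             out("SYN"), back("SYN", "ACK"), out("ACK"),
             back("PSH", "ACK"),                   # data on the established session
             out("FIN", "ACK"), back("FIN", "ACK"),
             back("ACK"),                          # late packet after the session closed
             back("SYN")]                          # outside host tries to open a session
    verdicts = [fw.process(p) for p in trace]
    return verdicts, fw.acl_checks, len(fw.sessions)


if __name__ == "__main__":
    print(demo())
```

Nine packets cost two ACL walks: every packet of the established session is decided by the hash lookup alone, and the forged reply is dropped because no session entry exists for it, which a static ACL permitting return traffic could not distinguish.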
1.3 Overview of the SecPath F1800-A
1.3.1 SecPath F1800-A
The SecPath F1800-A of Huawei-3Com is an enhanced stateful firewall.
Combined with the Huawei-3Com ASPF technology, it features:
- High security of the proxy firewall
- High speed of the stateful firewall
The SecPath F1800-A of Huawei-3Com adopts:
- Specially designed and highly reliable hardware system
- Dedicated operating system with independent intellectual property right
It is integrated with:
- Highly efficient packet filtering
- Transparent proxy service
- Improved stateful inspection security technology
- Many analysis and statistics functions
- Multiple security measures
In addition, it provides:
- Multiple types of interfaces
- Multiple working modes
It supports the processing capability from low end (tens of megabits) to high end
(thousands of megabits).
With a combination of the firewalls and Huawei-3Com’s existing routers and switches,
Huawei-3Com provides customers with an advanced and overall security solution for
small, medium and large-sized Intranets.
1.3.2 Overview of the SecPath F1800-A
The SecPath F1800-A is a new generation high-speed stateful firewall; it ensures
cost-effective network security for medium and large-sized customers.
I. Enhanced Security
Compared with those software firewalls based on a common operating system, the
SecPath F1800-A adopts a specially designed hardware platform and a secure
operating system with independent intellectual property right. Its packet processing is
totally separated from operating system, which greatly increases the security of the
system.
With its own ASPF state inspection technology, the SecPath F1800-A is capable of:
- Monitoring the connection process and malicious commands
- Cooperating with ACL to achieve packet filtering
- Providing a number of attack defense capabilities
All of the above features ensure the security of networks.
II. High-speed Processing Capability
Oriented to medium and large-sized enterprise and industry users, the SecPath
F1800-A provides wire-rate, high-performance security defense and packet
processing capabilities by using the Network Processor (NP) technology.
III. High Reliability
Various attack details have been taken into account in the software design. The
SecPath F1800-A achieves great robustness by means of priority scheduling and flow
control.
In addition, the SecPath F1800-A supports:
- Dual-system hot backup so that the service is not interrupted when state
switches
- Load balancing for multiple machines so that state switches automatically when
a fault occurs
IV. Powerful Networking and Service Support Capability
With integrated high-speed Ethernet interfaces, the SecPath F1800-A supports many
protocols:
- H.323
- File Transfer Protocol (FTP)
- Simple Mail Transfer Protocol (SMTP)
In addition, the SecPath F1800-A has the following features:
- Supports detection of bad commands.
- Supports Network Address Translation (NAT) application.
- Supports filtering by static and dynamic black list.
- Supports proxy-based SYN Flood defense flow control.
Besides the security and safety capabilities, the SecPath F1800-A integrates
some routing capabilities:
- Static routing
- Routing Information Protocol (RIP) dynamic routing
- Open Shortest Path First (OSPF) dynamic routing
Such capabilities lead to a more flexible networking of the SecPath F1800-A.
V. Powerful Log and Statistics
The powerful log and statistics functions provided by the SecPath F1800-A give you
useful help in security analysis and event tracing.
1.3.3 Function Features List of the SecPath F1800-A
Table 1-4 Function feature list of the SecPath F1800-A

Security defense
  Working mode
    • Supports route mode.
    • Supports transparent mode.
    • Supports composite mode.
  Packet filtering
    • Supports basic ACL, advanced ACL and firewall ACL.
    • Supports time range ACL.
    • Supports blacklist, and MAC and IP address binding.
    • Supports ASPF and state inspection.
    • Provides port mapping.
  NAT
    • Supports address translation (NAT and NAPT).
    • Provides the internal server.
    • Supports multiple NAT ALGs, including FTP, NBT, RAS, ICMP, and H.323.
  Attack defense
    • Defends against multiple DoS attacks, such as SYN Flood, ICMP Flood, UDP Flood, WinNuke, ICMP redirection and unreachable packet, Land, Smurf and Fraggle.
    • Defends against scanning and snooping, such as address scanning, port scanning, IP source routing option, IP routing record option and ICMP snooping packet.
    • Defends against other attacks, such as IP Spoofing.
  IDS cooperation
    • IDS cooperation.
  Traffic monitoring
    • Supports IP-based limits on connection rate and connection number.
    • Supports CAR.
    • Supports real-time traffic statistics and attack packet statistics.

Network interconnection
  Link layer protocol
    • Supports Ethernet.
    • Supports VLAN.
    • Supports PPP, PPPoE.
  IP service
    • Supports ARP.
    • Supports static domain name resolution.
    • Supports DHCP relay.
  Routing protocol
    • Supports static routing.
    • Supports dynamic routing (RIP, OSPF, BGP).
    • Supports policy-based routing.
    • Supports route policy and route iteration.

Service application
  AAA
    • Supports AAA, the RADIUS protocol and the HWTACACS protocol.
    • Supports AAA domain.
    • Supports local user management.
  QoS
    • Supports congestion management.

Configuration and management
  Command line interface
    • Prompt and help information in English and Chinese.
    • Hierarchical protection of command lines against intrusion by unauthorized users.
    • Detailed debugging information helps network fault diagnosis.
    • Network test tools, such as tracert and ping.
  System management
    • Supports upload or download of programs or configuration files through FTP.
    • Supports upload or download of programs or configuration files through TFTP.
    • Supports upload of program files in XModem mode.
  Terminal service
    • Supports terminal services of the console port and the AUX interface.
    • Supports terminal services of Telnet and SSH.
    • Supports the send function so that terminal users can communicate with each other.

Maintenance and reliability
  Reliability
    • Supports VRRP.
    • Supports VGMP.
    • Supports HRP hot backup.
  System management
    • Supports standard network management protocol SNMPv1/v2c/v3.

System log
    • Provides the log server for browsing and querying log information.
    • Provides input and output IP packet statistics, NAT log, ASPF log, attack defense log and blacklist log.
Note:
ASPF = Application Specific Packet Filter
NAPT = Network Address Port Translation
ALG = Application Level Gateway
NBT = NetBIOS over TCP/IP
RAS = Remote Access Server
ICMP = Internet Control Message Protocol
VRRP = Virtual Router Redundancy Protocol
VGMP = VRRP Group Management Protocol
HRP = Huawei Redundancy Protocol
SNMP = Simple Network Management Protocol
CAR = Committed Access Rate
AAA = Authorization, Authentication and Accounting
Chapter 2 Basic SecPath F1800-A Configuration
2.1 Establishment of Configuration Environment Through the Console Interface
2.1.1 Establishing Configuration Environment
You can configure the SecPath F1800-A locally through the console interface, which
is a reliable configuration and maintenance mode. Use this mode when the SecPath
F1800-A powers on for the first time, when it is disconnected from external networks,
or when other faults occur.
Perform the following steps.
Step 1: Establish the local configuration environment. Connect the serial interface on
your computer (PC or terminal) to the console interface of the SecPath F1800-A with a
standard RS-232 cable. It is shown in Figure 2-1.
Figure 2-1 Establishing local configuration environment through the console port
(figure labels: PC, RS-232 serial interface, console cable, console port, SecPath)
Step 2: Run the terminal emulation program (such as HyperTerminal in Windows 9X)
on your computer to establish a new connection. It is shown in Figure 2-2 and Figure
2-3.
Figure 2-2 Establishing a new connection
Figure 2-3 Selecting serial interface
Step 3: Select RS-232 serial interface on your computer.
Step 4: Set the terminal communication parameters as follows. They are shown in Figure 2-4
and Figure 2-5:
• Baud rate is 9600 bit/s.
• Data bits is 8.
• Stop bits is 1.
• Check (parity) is none.
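The Step 4 parameters applied from a POSIX host instead of HyperTerminal, as an added example that is not part of the manual: it sets 9600 bit/s, 8 data bits, 1 stop bit and no parity with Python's termios module, then reads the settings back to confirm the serial driver accepted them. The device path /dev/ttyUSB0 and the function names are assumptions; flow control is not stated in this excerpt, so those flags are left unchanged.

```python
import os
import termios

# Indexes into the list returned by termios.tcgetattr()
IFLAG, OFLAG, CFLAG, LFLAG, ISPEED, OSPEED, CC = range(7)


def console_settings(attrs):
    """Return a copy of a tcgetattr() list set to the Step 4 values (9600 8N1)."""
    new = list(attrs)
    new[CC] = list(attrs[CC])
    cflag = new[CFLAG]
    cflag &= ~termios.CSIZE                      # clear the data-bits field ...
    cflag |= termios.CS8                         # ... then select 8 data bits
    cflag &= ~termios.CSTOPB                     # CSTOPB set = 2 stop bits, clear = 1
    cflag &= ~(termios.PARENB | termios.PARODD)  # check (parity): none
    cflag |= termios.CLOCAL | termios.CREAD      # ignore modem lines, enable receiver
    new[CFLAG] = cflag
    new[ISPEED] = new[OSPEED] = termios.B9600
    return new


def mismatches(attrs):
    """List every Step 4 parameter that a tcgetattr() list does not satisfy."""
    problems = []
    if attrs[ISPEED] != termios.B9600 or attrs[OSPEED] != termios.B9600:
        problems.append("baud rate is not 9600")
    if (attrs[CFLAG] & termios.CSIZE) != termios.CS8:
        problems.append("data bits is not 8")
    if attrs[CFLAG] & termios.CSTOPB:
        problems.append("stop bits is not 1")
    if attrs[CFLAG] & termios.PARENB:
        problems.append("parity check is enabled")
    return problems


def open_console(path="/dev/ttyUSB0"):  # assumed device name of the serial adapter
    """Open the serial port, apply 9600 8N1 and verify it took effect."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    try:
        wanted = console_settings(termios.tcgetattr(fd))
        termios.tcsetattr(fd, termios.TCSANOW, wanted)
        # tcsetattr() can succeed when only part of the request was applied,
        # so read the settings back and compare.
        bad = mismatches(termios.tcgetattr(fd))
        if bad:
            raise OSError("serial port rejected settings: " + ", ".join(bad))
    except Exception:
        os.close(fd)
        raise
    return fd
```
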