3Com® Switch 8800 Family Firewall Configuration and Command Reference Guide
Switch 8807, Switch 8810, Switch 8814
www.3Com.com Part No. 10015596, Rev. AA Published: January 2007
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064
Copyright © 2006-2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations.
Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
CONTENTS

ABOUT THIS GUIDE
  Conventions
  Related Documentation

1 SWITCH 8800 FIREWALL MODULE

2 FIREWALL CONFIGURATION
  Firewall Configuration
  Displaying Information about the Firewall Module

3 NETWORK SECURITY CONFIGURATION
  Introduction to the Network Security Features
  Hierarchical Command Line Protection
  RADIUS-Based AAA
  Packet Filter and Firewall
  Security Authentication before Route Information Exchange

4 AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
  Overview
  Configuring AAA
  Configuring the RADIUS Protocol
  Configuring HWTACACS Protocol
  Displaying and Debugging AAA and RADIUS/HWTACACS Protocols
  AAA and RADIUS/HWTACACS Protocol Configuration Example
  Troubleshooting AAA and RADIUS/HWTACACS Protocols

5 ACL CONFIGURATION
  Introduction to ACL
  Configuring an ACL
  Configuring Time Range
  Displaying and Debugging ACL
  Typical Configuration Examples of ACL

6 NAT CONFIGURATION
  NAT Overview
  Functions Provided by NAT
  NAT Configuration
  Displaying and Debugging NAT
  NAT Configuration Example
  Troubleshooting NAT Configuration

7 FIREWALL CONFIGURATION
  Introduction to Firewall
  Configuring Packet Filter Firewall
  Configuring ASPF
  Black List
  MAC and IP Address Binding
  Security Zone Configuration

8 TRANSPARENT FIREWALL
  Transparent Firewall Overview
  Configuring Transparent Firewall
  Displaying and Debugging Transparent Firewall
  Transparent Firewall Configuration Example

9 WEB AND E-MAIL FILTERING
  Introduction to Web and E-mail Filtering
  Configuring Web Filtering
  Configuring E-mail Filtering

10 ATTACK PREVENTION AND PACKET STATISTICS
  Overview of Attack Prevention and Packet Statistics
  Configuring Attack Prevention
  Setting the Warning Level in Monitoring the Number and Rate of Connections
  Configuring System-Based Statistics
  Configuring Zone-Based Statistics
  Configuring IP-Based Statistics
  Displaying and Debugging Attack Prevention and Packet Statistics
  Configuring an SMTP Client
  Configuring DNS Client
  Attack Prevention and Packet Statistics Configuration Example
  Attack Prevention Troubleshooting

11 LOG MAINTENANCE
  Introduction to Log
  Configuring Syslog Log
  Binary-Flow Log Configuration
  Clearing Log
  Log Configuration Example

12 RELIABILITY OVERVIEW
  Introduction to Reliability

13 VRRP CONFIGURATIONS
  Introduction to VRRP
  Configuring VRRP
  Displaying and Debugging VRRP
  VRRP Configuration Examples
  VRRP Troubleshooting

14 FIREWALL CONFIGURATION COMMANDS
  Firewall Configuration Commands

15 AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS
  AAA Configuration Commands
  RADIUS Protocol Configuration Commands
  HWTACACS Configuration Commands

16 ACCESS CONTROL LIST CONFIGURATION COMMANDS
  ACL Configuration Commands
  Time-range Configuration Commands

17 NAT CONFIGURATION COMMANDS
  NAT Configuration Commands

18 FIREWALL CONFIGURATION COMMANDS
  Packet Filtering Firewall Configuration Commands
  ASPF Configuration Commands
  Blacklist Configuration Commands
  MAC/IP Address Binding Configuration Commands
  Security Zone Configuration Commands

19 TRANSPARENT FIREWALL CONFIGURATION COMMANDS
  Transparent Firewall Configuration Commands

20 VRRP CONFIGURATION COMMANDS
  VRRP Configuration Commands
ABOUT THIS GUIDE
This guide describes the 3Com® Switch 8800 and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your switch.
This guide is intended for Qualified Service personnel who are responsible for configuring, using, and managing the switches. It assumes a working knowledge of local area network (LAN) operations and familiarity with communication protocols that are used to interconnect LANs.
Always download the Release Notes for your product from the 3Com World Wide Web site and check for the latest updates to software and product documentation: http://www.3com.com
Conventions

Table 1 lists icon conventions that are used throughout this guide. Table 2 lists text conventions that are used throughout this guide.

Table 1 Notice Icons
  Information note: Information that describes important features or instructions.
  Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
  Warning: Information that alerts you to potential personal injury.

Table 2 Text Conventions
  Screen displays: This typeface represents information as it appears on the screen.
  Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del.
  The words “enter” and “type”: When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”
Related Documentation
The following manuals offer additional information necessary for managing your Switch 8800:
■ Switch 8800 Command Reference Guide — Provides detailed descriptions of the command line interface (CLI) commands that you require to manage your Switch 8800.
■ Switch 8800 Configuration Guide — Describes how to configure your Switch 8800 using the supported protocols and CLI commands.
■ Switch 8800 Release Notes — Contains the latest information about your product. If information in this guide differs from information in the release notes, use the information in the Release Notes.
These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the 3Com World Wide Web site:
http://www.3com.com/
Table 2 Text Conventions (continued)
  Words in italics: Italics are used to emphasize a point; to denote a new term at the place where it is defined in the text; and to identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.
  Words in bold: Boldface type is used to highlight command names. For example, “Use the display user-interface command to...”
1 SWITCH 8800 FIREWALL MODULE

This chapter describes the Firewall Module (3C17546), which is available for the Switch 8800.
The SW8800 Firewall Module provides an affordable stateful security firewall designed for the needs of medium-size enterprises. Enterprises are accelerating their deployments of stateful firewalls to protect their organizations from unwanted intrusions from attackers from both outside (e.g. from the Internet), and from internal attack.
The SW8800 Firewall Module represents a new era of integrated network security for 3Com’s Switch 8800 solution. Occupying a single I/O slot, the Firewall Module:
■ Provides an onboard operating system and custom hardware designed for high speed packet filtering, switching, protection, analysis, and reporting
■ Occupies any I/O slot in the chassis and is hot swappable
■ Interfaces to the SW8800 high capacity backplane and fully uses the internal switching capabilities of the system.
■ Has eight 1G SFP ports on the front panel for switching/routing. In addition, the eight 1G ports can be used as regular switching ports.
The SW8800 Firewall features include:
■ Both routed and transparent operation modes
■ High-efficiency packet filtering, transparent proxy, stateful detection, and security technology
■ In-depth statistical analysis functions
■ A broad range of security protection measures
■ Multiple intelligent analysis and management to fully protect the enterprise’s internal network, in addition to protection at the network layer.
■ Real-time network monitoring methods to help the administrator with network security management.
Application Specific Packet Filter (ASPF) is a stateful filter that operates on application layer traffic. It works together with ordinary static packet filters to implement the security policy for the internal network: with stateful detection the firewall tracks the state of each connection and detects harmful commands, and it performs packet filtering in combination with ACLs. In addition, the module supports NAT and dozens of attack-defense capabilities.
Table 1 Firewall Module Functions

Network security
  Authentication, authorization and accounting service: RADIUS; HWTACACS; CHAP authentication; PAP authentication; domain authentication
  Firewall:
    Packet filtering
    Access control list on the basis of interface
    Access control list on the basis of time period
    ASPF stateful firewall
    Anti-attack features: Land, Smurf, Fraggle, WinNuke, Ping of Death, Tear Drop, IP Spoofing, SYN Flood, ICMP Flood, UDP Flood, ARP spoofing attack-defending
    Initiative and reverse ARP query
    Defending against illegal flag bit attacks in TCP packets
    Defending against oversized ICMP packet attacks
    Defending against address/port scanning
    Defending against DoS/DDoS attacks
    ICMP redirection and controlling unreachable packets
    Controlling Tracert packets
    Controlling IP packets with the record route option
    Static and dynamic blacklist function
    Binding MAC and IP addresses
    Defending against worm viruses
    Transparent firewall
    Reverse path forwarding function
  Mail/network page filtering:
    Mail filtering: filtering SMTP mail addresses, mail titles, mail contents, and mail attachments
    Network page filtering: filtering HTTP URLs and HTTP contents
  Security management:
    Real time attack log, blacklist log, address binding log, traffic alarm log, and session log
    Binary format log function
    Traffic statistics and analysis function
    Monitoring the connection rate globally or on the basis of security domain
    Monitoring the protocol packet rate globally or on the basis of security domain
    Security event statistics function
    Real time e-mail alarm
    Distributing information by e-mail periodically
  NAT:
    Address translation in address pool mode
    Address translation by ACLs
    Easy IP
    NAT Server
    Valid time configured for address translation
    Multiple ALGs, including FTP, H323, DNS, and SIP
  VPN:
    L2TP VPN: initiating a connection to the specified LNS according to the full user name and domain name of the VPN user; distributing addresses for VPN users; LCP re-negotiation and CHAP re-authentication; L2TP multi-instance
    GRE VPN: using tunnel technology to encapsulate and decapsulate data packets at both ends of the tunnel

Network interconnection
  LAN protocol: Ethernet_II, Ethernet_SNAP, VLAN
  Data link layer protocol: PPP, PPPoE
  Network protocol:
    IP service: ARP, static domain name resolution, borrowing IP addresses, DHCP relay, DHCP server, DHCP client
    IP route: static route management, RIP-1/RIP-2, OSPF, BGP, route policy, policy route

Network reliability
  Supporting virtual router redundancy protocol to implement device backup

Configuration management
  Command line interface
  Local configuration through the Console interface
  Remote configuration through the AUX interface
  Local or remote configuration through Telnet or SSH
  Configuring the module through the Switch 8800 Family switch
  Configuring hierarchical protection commands to make sure non-authenticated users cannot configure the device
  Providing detailed debugging information to diagnose network failures
  Providing network test tools such as the Tracert and Ping commands to rapidly diagnose whether the network is normal
  Telnet command to log into and manage other network devices directly
  FTP server/client; FTP can be used to upload and download configuration files and applications
  Supporting TFTP to upload and download files
  Supporting log function
  File system management
  Configuring the user-interface to provide multiple authentication and authorization functions for login users
  Supporting standard network management SNMPv3 and being compatible with SNMPv2C and SNMPv1
  Supporting NTP time synchronization
2 FIREWALL CONFIGURATION

Firewall Configuration

To make the Switch 8800 Family routing switch and the firewall module work together, you need to configure the firewall on the switch by:
■ “Configuring the Interface Aggregation”
■ “Creating the Firewall Module”
■ “Specifying the Layer 3 Interface Connecting the Switch and the Firewall”
■ “Specifying the VLAN Protected by the Firewall”
■ “Mapping the Firewall to the Firewall Module”
■ “Logging into the Firewall module”
■ “Configuring Default Login User Function” (optional)
Configuring the Interface Aggregation

Two internal GigabitEthernet interfaces connect the Firewall module to the switch. You can aggregate these two interfaces into one logical interface to provide greater bandwidth.

Perform the following configuration in switch system view.

Table 2 Configure the Firewall module interface aggregation
  Configure aggregation of the two GE interfaces: secblade aggregation slot slot-number
  Cancel the configuration: undo secblade aggregation slot slot-number

By default, the interfaces are not aggregated and only one GigabitEthernet interface can be used.

CAUTION: When you use the secblade aggregation slot command to aggregate the Firewall module interfaces, the module will take over resources held by other aggregation groups if aggregation resources are insufficient.

Creating the Firewall Module

To make the Firewall module and the Switch 8800 Family switch work together, first create a Firewall (SecBlade) to enter SecBlade view.

Perform the following configuration in switch system view.

Table 3 Create the Firewall
  Create the SecBlade: secblade sec-mod-name
  Remove the SecBlade: undo secblade sec-mod-name

By default, the Firewall is not created.

Specifying the Layer 3 Interface Connecting the Switch and the Firewall

To enable the Firewall and the Switch 8800 Family switch to communicate at Layer 3, specify the Layer 3 interface connecting the switch and the firewall.

Perform the following configuration in SecBlade view of the switch.

Table 4 Specify the Layer 3 interface connecting the switch and the SecBlade
  Specify the Layer 3 interface connecting the switch and the Firewall: secblade-interface vlan-interface interface-number
  Cancel the configuration: undo secblade-interface vlan-interface interface-number

By default, the Layer 3 interface connecting the switch and the Firewall is not configured.

Specifying the VLAN Protected by the Firewall

To make the Firewall protect the traffic of specific VLANs, you need to specify the protected VLANs.

Perform the following configuration in SecBlade view of the switch.

Table 5 Specify the VLAN protected by the Firewall
  Specify the protected VLAN: security-vlan vlan-range
  Cancel the VLAN protection: undo security-vlan vlan-range

By default, no VLAN is protected.

Mapping the Firewall to the Firewall Module

After completing the above configuration on the Firewall, you need to map it to the Firewall module to apply the configuration. Perform the following configuration in SecBlade view of the switch.

Table 6 Map the firewall to the Firewall module
  Map the firewall to the Firewall module: map to slot slot-number
  Cancel the configuration: undo map to slot slot-number

By default, the Firewall is not mapped to the Firewall module.

Logging into the Firewall Module

You can log into the Firewall module directly through the Switch 8800 Family switch to configure and manage the card. Perform the following configuration in switch user view.

Table 7 Log into the Firewall
  Log into the Firewall: secblade slot slot-number

Configuring Default Login User Function

For login convenience, a user whose name and password are both SecBlade is created in the Firewall module. You can use this user name and password to log into the Firewall. Perform the following configuration in SecBlade system view.

Table 8 Configure default login user function
  Enable default login user function: default-login-user
  Disable default login user function: undo default-login-user

By default, the default login user function is enabled. That is, the user created internally in the module is allowed to log into the Firewall. Because this user name and password are published in this guide, anyone who can reach the module's login prompt can use them; once you have configured administrator accounts of your own, disable the built-in user with undo default-login-user.

Displaying Information about the Firewall Module

After the above configuration, execute the following command in any view to display information about the module and verify the effect of the configuration.

Table 9 Display information about the Firewall module
  Display information about the module: display secblade [ sec-mod-name ]
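The following command sequence is an added example, not taken from this guide, that carries out the whole chapter 2 procedure in order. The values are assumed: the module sits in slot 3, the SecBlade is named fw1, VLAN-interface 100 is the Layer 3 link, and VLANs 10 through 20 are protected. The prompts, the system-view and quit commands, and the "10 to 20" form of vlan-range are the usual Comware conventions and are likewise assumed; the guide itself names only the views and the commands in Tables 2 through 9.

```text
# Added example (not from the guide). Assumed values: slot 3, SecBlade fw1,
# VLAN-interface 100, protected VLANs 10 to 20. Prompts are assumed Comware style.

# Switch system view: optional aggregation of the two internal GE links
<SW8800> system-view
[SW8800] secblade aggregation slot 3

# Create the SecBlade, then in SecBlade view bind the Layer 3 interface,
# the protected VLANs, and the physical module
[SW8800] secblade fw1
[SW8800-secblade-fw1] secblade-interface vlan-interface 100
[SW8800-secblade-fw1] security-vlan 10 to 20
[SW8800-secblade-fw1] map to slot 3
[SW8800-secblade-fw1] quit

# Verify the mapping, then log into the module from user view
# (the built-in account is SecBlade / SecBlade)
[SW8800] display secblade fw1
[SW8800] quit
<SW8800> secblade slot 3

# On the module, in SecBlade system view, after administrator accounts of
# your own exist: retire the built-in SecBlade/SecBlade user
<fw1> system-view
[fw1] undo default-login-user
```

The display secblade step is the verification point before you log in. The last command removes the only credential that is public knowledge; run it only once accounts of your own exist on the module, otherwise you may lose access to it.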
3 NETWORK SECURITY CONFIGURATION

The content below applies to the Firewall module, so the command views in this document apply only to the module and not to the Switch 8800 Family switches.
Introduction to the Network Security Features
A security gateway must be able to withstand the various malicious attacks that come from the public network. At the same time, accidental but destructive access by legitimate users may also cause a significant performance decrease or even operational failure.
Comware provides the following network security features:
■ AAA services based on Remote Authentication Dial-In User Service (RADIUS) provide authentication, authorization, and accounting of accessing users to prevent illegal access.
■ The PPP authentication protocols CHAP and PAP are supported on PPP links.
■ Packet filtering, implemented through access control lists (ACLs), specifies the types of packets that the security gateway permits or denies.
■ Application specific packet filter (ASPF), or stateful firewall, is an advanced filtering approach that inspects application layer information, tracks the state of connection-oriented application layer protocols, maintains state information for each connection, and decides dynamically whether to permit or deny a packet.
■ IP security (IPSec) guarantees the privacy, integrity, and validity of data packets transmitted on the Internet through encryption and data-source authentication at the IP layer.
■ Internet key exchange (IKE) provides automatically negotiated key exchange and security association (SA) establishment to simplify the use and management of IPSec.
■ The event log records system security events and traces illegal access in real time.
■ Address translation provided by the NAT gateway (GW) separates the public network from the intranet, so the IP addresses of internal devices are not visible from the public network and connections cannot be initiated from the public network toward them unless a mapping has been configured.
■ Dynamic routing protocol authentication ensures that only reliable route information is exchanged.
■ Hierarchical view protection divides users into four levels, each with its own configuration rights; a user cannot access the views of a higher level.
The following chapters describe how to configure AAA and RADIUS, user password, firewall and packet filtering. Refer to the VPN part of this manual for IPSec/IKE configuration; refer to “NAT Configuration” for address translation configuration.
Hierarchical Command Line Protection
The system command lines are protected in a hierarchical way. In this approach, the command lines are divided into four levels: visit, monitor, system, and manage. You will be unable to use the corresponding levels of commands unless you have provided the correct login password.
RADIUS-Based AAA

AAA is used for user access management. It can be implemented with multiple protocols, but the AAA discussed here is RADIUS-based.
AAA provides the functions of:
■ Hierarchical user management. Operations such as managing and maintaining the system configuration data and monitoring and maintaining the equipment are crucial to the normal operation of the system, so users must be strictly managed by classifying them into levels and granting each level specific rights. A low-level user may perform only viewing operations; only a high-level user can modify data, maintain the equipment, and perform other sensitive operations.
■ PPP authentication. With it, user name authentication will be performed before the setup of a PPP connection is allowed.
■ PPP address management and allocation. When setting up a PPP connection, the system may assign the pre-specified IP address to the PPP user.
The next chapter will cover the details of RADIUS protocol and its configurations, user password configuration, and PPP user address configuration. For PPP authentication protocols, refer to the User Access module of this manual.
Packet Filter and Firewall
Firewall Concept

A firewall can prevent unauthorized or unauthenticated users on the Internet from accessing a protected network while allowing users on the internal network to access web sites on the Internet and send and receive e-mail. It can also work as an Internet access control gateway, permitting only particular users inside the organization to access the Internet.
Figure 1 A firewall separating the intranet from the Internet
The firewall is not only applied to the Internet connection; it is also used to protect hosts and crucial resources such as data on the organization's intranet. Access to protected data must be permitted by the firewall even when the access is initiated from inside the organization.
An external user must pass through the firewall before it can access protected network resources. Likewise, an intranet user must pass through the firewall before it can access external network resources. The firewall thus plays the role of a guard and discards the packets that are denied.
Firewall Classification

Firewalls are normally classified into two categories: network layer firewalls and application layer firewalls. Network layer firewalls mainly examine packet header information, such as protocol, source address, destination address, and destination port; alternatively, they can examine a fixed segment of header data directly. Application layer firewalls, however, analyze the whole traffic stream.
Firewalls that you often meet are divided into the following categories:
■ Application gateway: It verifies all the application layer data in packets that will traverse it. Take a File Transfer Protocol (FTP) application GW as an example. From the perspective of the client of a connection, the FTP application GW is an FTP server. However, from the perspective of the server, it is an FTP client. All the FTP packets transmitted on the connection must pass this FTP application GW.
■ Circuit-Level Gateway: The "circuit" in this particular context refers to Virtual Circuit (VC). Before TCP or UDP is allowed to open a connection or VC, the session reliability must be verified. The packet transmission is allowed only if the handshake has been proved valid and accomplished. After a session is set up, its information will be written into the valid connection table maintained by the firewall. A packet can be permitted only if the session information carried by it matches an entry in the valid connection table. After the session is terminated, the session entry will be deleted from the table. Circuit-level GW authenticates a connection only at the session layer. If the authentication is passed, any application can be run on the connection. Take FTP as an example. A circuit-level GW only authenticates an FTP session at the TCP layer at the beginning of the session. If the authentication is passed, all the data can be transmitted on this connection until the session is terminated.
■ Packet filter: Such a firewall filters each packet according to the items defined by the user; for example, it compares the source and destination addresses of the packet with the defined rules for a match. A packet filter neither considers the state of sessions nor analyzes the data. If the user specifies that packets carrying port number 21 or a port number of 1024 or above are permitted, all packets matching that condition will pass through the firewall, whether or not they belong to a legitimate session; the stateful tracking of ASPF closes that gap. If the rules are set properly for the actual applications, many packets that pose a potential threat to security can be filtered at this layer.
■ Network Address Translation (NAT): Also called address proxy, NAT makes it possible for a private network to access an external network. The NAT mechanism substitutes an external network address and port of the security gateway for the IP address and port of a host on the private network, and vice versa. In other words, it converts between <Private address + Port number> and <Public address + Port number>. The private address discussed here refers to an internal network or host address, and the public address refers to a globally unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) specifies that the following IP address ranges are reserved for private addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
In other words, the addresses in these three ranges are used inside an organization rather than assigned on the Internet. A company can select a suitable internal address range, taking into consideration the number of internal hosts and networks expected in the near future. The internal network addresses of different companies can be the same. However, a company that selects a range outside the three given above for its internal network will very likely create address conflicts with hosts on the Internet. NAT allows internal hosts to access Internet resources while keeping their "privacy".
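The following Python program is an added illustration, not the NAT implementation of the Firewall module or any code from this guide. It models the conversion between <Private address + Port number> and <Public address + Port number> described above: a table that allocates a public port for each outbound private source and uses the same table in reverse for replies, so that a packet to the public address with no mapping has no internal host to go to. The gateway address and the hosts are constructed for the example; refusing to translate a non-private source is stricter than a real NAT and is there only to make the point about the three reserved ranges.

```python
# Added example (not the NAT implementation of the Firewall module): a port-based
# NAT table that converts <private address + port> to <public address + port>
# on the way out and back again on the way in.  Addresses are constructed.
import ipaddress

# The three ranges IANA reserves for private use, as listed in the text.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the three reserved private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


class Napt:
    """Network address and port translation behind one public address."""

    def __init__(self, public_ip: str, first_port: int = 10240):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip: str, src_port: int):
        """Private source -> public source; a public port is allocated on first use.
        Refusing non-private sources is stricter than a real NAT; it makes the
        text's point that internal addressing must stay inside the three ranges."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port)
        if key not in self.out_map:
            public_port = self.next_port
            self.next_port += 1
            self.out_map[key] = public_port
            self.in_map[public_port] = key
        return self.public_ip, self.out_map[key]

    def translate_inbound(self, dst_ip: str, dst_port: int):
        """Public destination -> private destination, only for a known mapping.
        A packet to the public address with no mapping has no internal host: None."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        return self.in_map[dst_port]


def demo() -> dict:
    nat = Napt("203.0.113.1")   # assumed public address of the security gateway
    a = nat.translate_outbound("192.168.1.10", 40000)
    b = nat.translate_outbound("192.168.1.11", 40000)   # same port, other host
    return {
        "a": a,                                                    # ('203.0.113.1', 10240)
        "b": b,                                                    # ('203.0.113.1', 10241)
        "stable": nat.translate_outbound("192.168.1.10", 40000) == a,
        "reply_to_a": nat.translate_inbound("203.0.113.1", a[1]),  # ('192.168.1.10', 40000)
        "unsolicited": nat.translate_inbound("203.0.113.1", 22),   # None: nowhere to go
    }


if __name__ == "__main__":
    print(demo())
```

Two internal hosts using the same source port receive different public ports, which is what lets a single public address serve a whole private network; the reply to host a is routed back by the public port alone, and a probe to port 22 of the public address is dropped because nothing inside ever created that mapping.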
Packet Filter Function
Normally, a packet filter filters IP packets. For each packet the security gateway is to forward, the filter first obtains the header information, including the upper-layer protocol carried by IP, the source and destination addresses, and the source and destination ports. It then compares them with the preset rules to determine whether the packet should be forwarded or discarded.
Figure 2 illustrates the elements a packet filter uses for its decision on IP packets, given that the upper layer carried by IP is TCP or UDP.
Figure 2 Packet filtering elements
Most packet filter systems neither operate on the data itself nor perform content-based filtering.
ACL
Before the system can filter packets, you must configure rules in ACLs to specify the types of packets that are permitted or denied.
Configure an ACL according to the security policy and apply it to a particular interface or to the whole device. The security gateway then examines all packets on that interface, or on all interfaces, against the ACL and forwards or discards those that match its rules. In this way it plays the role of a firewall.
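The following Python program is an added illustration, not code from this guide or from the Firewall module. It models the header-only decision of a packet filter (the elements of Figure 2, applied first-match against an ACL, as in the packet filter and ACL sections above) beside the valid connection table of the circuit-level gateway described under Firewall Classification. The addresses, the packets and the rules are constructed; the rule set is the one the text mentions, permitting port 21 and any port of 1024 or above.

```python
# Added example (not the Firewall module's code): a header-only packet filter
# applied first-match against an ACL, beside the valid-connection table that a
# circuit-level gateway or ASPF keeps.  Addresses, rules and packets are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # source network in CIDR form
    dst: str = "0.0.0.0/0"      # destination network in CIDR form
    dport_min: int = 0
    dport_max: int = 65535

    def matches(self, p: Packet) -> bool:
        """Compare only the header fields of Figure 2: protocol, addresses, port."""
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport_min <= p.dport <= self.dport_max


def acl_decision(rules, p: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class ConnectionTable:
    """Valid connection table: inbound packets are permitted only when they
    belong to a session that an internal host opened and that is still open."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, p: Packet) -> str:
        # Record the session keyed as its reply will appear (reversed 5-tuple).
        self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        return "permit" if key in self.sessions else "deny"

    def close(self, p: Packet) -> None:
        # Session terminated: its entry is deleted and later packets are denied.
        self.sessions.discard((p.proto, p.dst, p.dport, p.src, p.sport))


# The rule set the text mentions: permit port 21 and any port of 1024 or above,
# inbound to the (assumed) protected network 192.168.1.0/24.
INBOUND_ACL = [
    Rule("permit", "tcp", dst="192.168.1.0/24", dport_min=21, dport_max=21),
    Rule("permit", "tcp", dst="192.168.1.0/24", dport_min=1024, dport_max=65535),
]


def demo() -> dict:
    table = ConnectionTable()
    # Internal client opens a connection to an external web server.
    out = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    table.outbound(out)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    # Unsolicited probe from outside to a high port on another internal host.
    probe = Packet("tcp", "198.51.100.7", 4444, "192.168.1.20", 3389)
    result = {
        "reply_acl": acl_decision(INBOUND_ACL, reply),      # permit: 40000 >= 1024
        "reply_table": table.inbound(reply),                 # permit: known session
        "probe_acl": acl_decision(INBOUND_ACL, probe),      # permit: 3389 >= 1024
        "probe_table": table.inbound(probe),                 # deny: no such session
    }
    table.close(out)
    result["reply_after_close"] = table.inbound(reply)      # deny: session removed
    return result


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The reply to the internal client's own connection is permitted by both mechanisms, but the unsolicited probe to port 3389 is also permitted by the stateless ACL, because 3389 is above 1024, while the connection table denies it because no internal host opened that session, and denies the reply as well once the session is closed. A real ASPF additionally tracks TCP state transitions and application commands; this model records only the 5-tuple.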
Security Authentication before Route Information Exchange
The maintenance of route forwarding table depends on the dynamic route information exchanging between neighboring security gateways.
Necessity of implementing security authentication before route information exchange
As the neighboring routers on a network need to exchange enormous route information, there is the likelihood for a security gateway to receive the network equipment attacking information sent from unreliable routers. If available with the route authentication function, a security gateway will be able to authenticate the switching route update packets received from the neighboring routers and hence make sure to receive only the reliable route information.
Authentication Implementation
The routers that exchange route information share the same password key. Each route information packet carries authentication data derived from that key, and the receiving router verifies it. If the authentication data matches what the receiver computes from the shared key, the packet is accepted; if not, it is discarded.
Authentication implementations fall into simple text authentication and MD5 authentication. The former sends the key in plain text in the packet, so anyone who can capture the traffic learns it, and provides lower security. The latter sends an MD5 digest computed over the packet contents and the shared key; the key itself never appears on the wire, so it provides higher security. Note that this is a keyed digest, not encryption: the route information itself is still sent in the clear.
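The two schemes described above, as an added example that is not part of the 3Com guide. The update encoding and the sequence-number prefix are this example's own; the MD5 variant follows the shape of the OSPF scheme in RFC 2328 Appendix D (digest over message plus key, with the digest sent in place of the key). MD5 is kept because that is what the guide offers; a new design would use an HMAC with a modern hash.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Added example, not code from the 3Com guide. It contrasts simple-text and MD5
# authentication of a routing update. The update encoding and the sequence-number
# prefix are this example's own assumptions; the MD5 variant follows the shape of
# RFC 2328 Appendix D (digest over message plus key, digest sent instead of the key).

KEY_LEN = 16      # fixed-size key field, zero-padded like the 16-byte OSPF key
DIGEST_LEN = 16   # MD5 output size

def _pad_key(key: bytes) -> bytes:
    return key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]

def send_simple(update: bytes, key: bytes) -> bytes:
    """Simple-text authentication: the key travels in clear in front of the update."""
    return _pad_key(key) + update

def receive_simple(wire: bytes, key: bytes) -> Optional[bytes]:
    """Accept the update only if the transmitted key equals the local one."""
    sent_key, update = wire[:KEY_LEN], wire[KEY_LEN:]
    return update if hmac.compare_digest(sent_key, _pad_key(key)) else None

def send_md5(update: bytes, key: bytes, seq: int) -> bytes:
    """MD5 authentication: send seq + update + MD5(seq + update + key).
    The key itself never leaves the router; only the digest does."""
    body = struct.pack("!I", seq) + update
    return body + hashlib.md5(body + _pad_key(key)).digest()

def receive_md5(wire: bytes, key: bytes, last_seq: int) -> Optional[Tuple[int, bytes]]:
    """Recompute the digest with the local key; reject mismatches and replayed sequence numbers."""
    if len(wire) < 4 + DIGEST_LEN:
        return None
    body, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    expected = hashlib.md5(body + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return None                       # wrong key or tampered update
    seq = struct.unpack("!I", body[:4])[0]
    if seq <= last_seq:
        return None                       # replay of an old update
    return seq, body[4:]

if __name__ == "__main__":
    key, update = b"r0ut3r-key", b"10.1.0.0/16 via 192.0.2.1"   # constructed values
    print("key visible on wire (simple):", _pad_key(key) in send_simple(update, key))
    print("key visible on wire (md5):   ", key in send_md5(update, key, 1))
```

Running it shows the practical difference: the simple-text frame contains the key verbatim, while the MD5 frame contains only a digest, and any change to the update or any reuse of an old sequence number makes `receive_md5` return `None`.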
4 AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
Overview
Introduction to AAA
Authentication, Authorization and Accounting (AAA) provide a uniform framework for configuring these three security functions to implement network security management.
The network security mentioned here refers to access control and it includes:
■ Which user can access the network server?
■ Which service can the authorized user enjoy?
■ How to keep accounts for the user who is using network resource?
Accordingly, AAA provides the following services:
Authentication
AAA supports the following authentication methods:
■ None authentication: All users are trusted and are not authenticated. Generally, this method is not recommended.
■ Local authentication: User information (including username, password, and attributes) is configured on the Broadband Access Server (BAS). Local authentication is fast and low cost, but the amount of user information that can be stored is limited by the hardware capacity.
■ Remote authentication: Supports both RADIUS and HWTACACS protocols. In this approach, the BAS acts as the client to communicate with the RADIUS or TACACS server. With respect to RADIUS, you can use the standard RADIUS protocol or 3Com extended RADIUS protocol to complete authentication in collaboration with devices like iTELLIN/CAMS.
Authorization
AAA supports the following authorization methods:
■ Direct authorization: All users are trusted and directly authorized to pass.
■ Local authorization: Users are authorized according to the attributes related to their accounts on the BAS.
■ HWTACACS authorization: Users are authorized using a TACACS server.
■ If-authenticated authorization: Users are authorized to pass if they are authenticated and using any allowed method other than none authentication.
■ RADIUS authorization following successful authentication: With RADIUS, users are authorized only after they pass authentication. In other words, you cannot perform RADIUS authorization without authentication.
Accounting
AAA supports the following accounting methods:
■ None accounting: no accounting required.
■ Remote accounting: conducted through a RADIUS server or TACACS server.
Note: Currently, the security gateway supports accounting of PPP users and Telnet users only, and does not support real-time accounting of Telnet users.
AAA usually utilizes a Client/Server model, where the client controls user access and the server stores user information. The framework of AAA thus allows for good scalability and centralized user information management. Being a management framework, AAA can be implemented using multiple protocols. In Comware, AAA is implemented based on RADIUS or HWTACACS.
Introduction to the RADIUS Protocol
What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol based on the Client/Server model. RADIUS protects the network from unauthorized access and is often used in environments that require both high security and remote user access, for example to manage a large number of scattered dial-in users connecting through serial ports and modems. The RADIUS system is an important auxiliary part of a Network Access Server (NAS).
The RADIUS service involves three components:
■ Protocol: Based on the UDP/IP layer, RFC2865 and 2866 define the RADIUS frame format and the message transfer mechanism, and use 1812 as the authentication port and 1813 as the accounting port.
■ Server: RADIUS server runs on the computer or workstation at the center, and contains information on user authentication and network service access.
■ Client: Located at the Network Access Server (NAS) side. It can be placed anywhere in the network.
As the RADIUS client, the NAS (a switch or a router) is responsible for passing user information to a designated RADIUS server and acts on the response returned from the server (such as connecting/disconnecting users). The RADIUS server receives user connection requests, authenticates users, and returns the required information to the NAS.
In general, the RADIUS server maintains three databases, namely, Users, Clients and Dictionary, as shown in the following figure. "Users" stores user information such as username, password, applied protocols, and IP address; "Clients" stores information about RADIUS clients such as shared key; and "Dictionary" stores the information for interpreting RADIUS protocol attributes and their values.
Figure 3 Components of RADIUS server
In addition, RADIUS servers can act as the client of some other AAA server to provide the proxy authentication or accounting service. They support multiple user authentication methods, such as PPP-based PAP, CHAP and UNIX-based login.
Basic message exchange procedures in RADIUS
In most cases, user authentication with a RADIUS server involves a device that acts as a proxy for the user, such as the NAS. Transactions between the RADIUS client and the RADIUS server are authenticated with a shared key, and user passwords are not sent in clear text: the User-Password attribute is hidden by XORing it with an MD5 keystream derived from the shared key and the Request Authenticator. The RADIUS protocol combines the authentication and authorization processes by carrying the authorization information in the authentication response message. See the following figure.
Figure 4 The basic message interaction procedures of RADIUS
Following is how RADIUS operates:
1 The user enters the username and password.
2 Having received the username and password, the RADIUS client sends the authentication request (Access-Request) to the RADIUS server.
3 The RADIUS server compares the received user information against that in the Users database. If the authentication succeeds, it sends back an authentication response (Access-Accept) containing the user's authorization information. If the authentication fails, it returns an Access-Reject message.
4 The RADIUS client acts on the returned authentication result to accept or deny the user. If the user is accepted, the RADIUS client sends an accounting start request (Accounting-Request) to the RADIUS server, with the value of Acct-Status-Type being "Start".
5 The RADIUS server returns a start-accounting response (Accounting-Response).
6 When the session ends, the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server, with the value of Acct-Status-Type being "Stop".
7 The RADIUS server returns a stop-accounting response (Accounting-Response).
RADIUS packet structure
RADIUS uses UDP to transmit messages; timer management, retransmission, and a backup (secondary) server mechanism make up for the lack of reliable transport and keep message exchange between the RADIUS server and the client going. The following figure shows the RADIUS packet structure.
Figure 5 RADIUS packet structure
The Identifier field matches response packets to request packets. The client changes it whenever it sends a new request (one with different Attribute content) and after a valid response has been received, but keeps it unchanged when retransmitting the same request. The 16-byte Authenticator field lets the client authenticate the reply sent by the RADIUS server, and it is also an input to the password hiding algorithm. There are two kinds of authenticators: Request and Response.
■ Request Authenticator: 16 random bytes, generated fresh for each request. It must be unpredictable, because it also keys the hiding of the User-Password attribute.
■ Response Authenticator: the MD5 hash of Code, Identifier, Length, Request Authenticator, the response Attributes and the shared key, concatenated in that order (RFC 2865). Because the shared key is part of the input, a client that recomputes it can detect forged or modified responses.
(Figure 5 layout: Code | Identifier | Length | Authenticator | Attribute)
1 The Code field determines the type of a RADIUS packet, as shown in the following table.
Table 10 Code values
Code  Packet type          Description
1     Access-Request       The packet carries user information and is transmitted by the client to the server so the server can determine whether the user may access the network. It carries the required User-Name attribute and optional attributes such as NAS-IP-Address, User-Password, and NAS-Port.
2     Access-Accept        The packet is transmitted by the server to the client. If all the attribute values carried in the Access-Request are acceptable, the server allows the user to pass authentication and sends back an Access-Accept response.
3     Access-Reject        The packet is transmitted by the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends back an Access-Reject response.
4     Accounting-Request   The packet carries user information and is transmitted by the client to the server to request accounting. The server determines whether to start or stop accounting from the Acct-Status-Type attribute. The attributes carried in this packet are largely the same as those carried by an Access-Request packet.
5     Accounting-Response  The packet is transmitted by the server to the client, confirming that the server has received the Accounting-Request and correctly recorded the accounting information, such as input/output bytes and packets and session duration.
2 The Attribute field contains the authentication, authorization, and accounting information that provides the configuration details of a request or response. Each attribute is a triplet of Type, Length and Value. The following table lists the major standard attribute values defined by RFC:
Table 11 Attribute values
Type Attribute type Type Attribute type
1 User-Name 23 Framed-IPX-Network
2 User-Password 24 State
3 CHAP-Password 25 Class
4 NAS-IP-Address 26 Vendor-Specific
5 NAS-Port 27 Session-Timeout
6 Service-Type 28 Idle-Timeout
7 Framed-Protocol 29 Termination-Action
8 Framed-IP-Address 30 Called-Station-Id
9 Framed-IP-Netmask 31 Calling-Station-Id
10 Framed-Routing 32 NAS-Identifier
11 Filter-ID 33 Proxy-State
12 Framed-MTU 34 Login-LAT-Service
13 Framed-Compression 35 Login-LAT-Node
14 Login-IP-Host 36 Login-LAT-Group
15 Login-Service 37 Framed-AppleTalk-Link
16 Login-TCP-Port 38 Framed-AppleTalk-Network
17 (unassigned) 39 Framed-AppleTalk-Zone
18 Reply-Message 40-59 (reserved for accounting)
19 Callback-Number 60 CHAP-Challenge
20 Callback-ID 61 NAS-Port-Type
21 (unassigned) 62 Port-Limit
22 Framed-Route 63 Login-LAT-Port
The RADIUS protocol is extensible. Attribute 26 (Vendor-Specific) lets a vendor define extended attributes: its value carries a 4-byte Vendor-ID followed by the vendor's own type, length and value. The following figure illustrates the structure of such a RADIUS packet segment:
Figure 6 A RADIUS packet segment containing the extended attribute
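The packet format, the Response Authenticator, the User-Password hiding and the Vendor-Specific attribute described above, as one added example that is not code from the 3Com guide. It builds an Access-Request as the NAS would, answers it as the server would, and verifies the reply as the NAS would, following RFC 2865. The shared key, user names, passwords and NAS address are constructed for the demo; Vendor-Id 43 is 3Com's IANA enterprise number, but the vendor type and value used with it are made up.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not code from the 3Com guide: building, hiding, parsing and
# verifying RADIUS packets as RFC 2865 specifies. The shared key, user names,
# passwords and NAS address are constructed for the demo. Vendor-Id 43 is 3Com's
# IANA enterprise number; the vendor type and value used with it are made up.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, VENDOR_SPECIFIC = 1, 2, 4, 18, 26

def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Attribute 26: a 4-byte Vendor-Id followed by the vendor's own type/length/value."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of 5.2: same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a packet into Code, Identifier, Authenticator and a TLV list, rejecting bad lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the fixed header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret), in that order."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()

def build_access_request(ident, username, password, nas_ip, secret, request_auth=None) -> bytes:
    """NAS side: fresh random Request Authenticator and a hidden User-Password."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)

def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password, check it against the Users database, answer Accept or Reject."""
    _, ident, req_auth, attrs = parse_packet(request)
    d = dict(attrs)
    ok = (USER_NAME in d and USER_PASSWORD in d
          and users.get(d[USER_NAME]) == reveal_password(d[USER_PASSWORD], secret, req_auth))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(REPLY_MESSAGE, b"Welcome") if ok else b""
    auth = response_authenticator(code, ident, 20 + len(reply_attrs), req_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the Identifier must match the outstanding request and the Response
    Authenticator must recompute with the Request Authenticator the NAS itself generated."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False
    expected = response_authenticator(code, ident, len(response), req_auth, response[20:], secret)
    return hmac.compare_digest(expected, resp_auth)
```

A typical run is `req = build_access_request(9, b"alice", b"p@ss", "10.0.0.1", secret)`, `resp = server_handle(req, secret, {b"alice": b"p@ss"})`, then `verify_response(resp, req, secret)`. Two points the prose above cannot show: the hidden password on the wire is a 16-byte block that decodes correctly only with the right shared key and the exact Request Authenticator, and a single flipped byte in the reply (or a reply computed with a different key) fails `verify_response`, which is why a NAS must keep the Request Authenticator of every outstanding request.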
Features of RADIUS
RADIUS uses UDP as its transport protocol and suits real-time applications well. Its retransmission and backup server mechanisms give it good reliability. RADIUS is easy to implement and fits a multithreaded server design when there are many users. For these reasons the RADIUS protocol is widely used.
Introduction to the HWTACACS Protocol
What is HWTACACS
HWTACACS is an enhanced security protocol based on TACACS (RFC1492). Similar to the RADIUS protocol, it implements AAA for different types of users (such as PPP/VPDN/login users) through communications with TACACS servers in the Server/Client model.
Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. The following table lists the primary differences between HWTACACS and RADIUS protocols.
In a typical HWTACACS application, a dial-up or terminal user needs to log onto the security gateway for operations. Working as the client of HWTACACS in this case, the security gateway sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log onto the security gateway to perform operations, as shown in the following figure.
(Figure 6 layout: Type = 26 | Length | Vendor-ID | vendor-specified type | vendor-specified length | vendor-specified attribute value)
Table 12 Comparison between HWTACACS and RADIUS
Transport: HWTACACS uses TCP, providing more reliable transmission; RADIUS uses UDP.
Encryption: HWTACACS encrypts the entire packet except for the standard HWTACACS header; RADIUS hides only the password field in authentication packets.
Authorization: HWTACACS separates authentication from authorization, so for example authentication and authorization can be provided by different TACACS servers; RADIUS combines authentication and authorization.
Typical use: HWTACACS is suited to security control; RADIUS is suited to accounting.
Command authorization: HWTACACS supports authorizing the use of configuration commands; RADIUS does not.
Figure 7 Network diagram for a typical HWTACACS application
Basic message exchange procedures in HWTACACS
The following example uses HWTACACS to implement authentication, authorization, and accounting for a Telnet user. The basic message exchange procedures are as follows:
1 A user requests access to the security gateway; the TACACS client sends a start-authentication packet to TACACS server upon receipt of the request.
2 The TACACS server sends back an authentication response requesting for the username; the TACACS client asks the user for the username upon receipt of the response.
3 The TACACS client sends an authentication continuance packet carrying the username after receiving the username from the user.
4 The TACACS server sends back an authentication response, requesting for the login password. Upon receipt of the response, the TACACS client requests the user for the login password.
5 After receiving the login password, the TACACS client sends an authentication continuance packet carrying the login password to the TACACS server.
6 The TACACS server sends back an authentication response indicating that the user has passed the authentication.
7 The TACACS client sends the user authorization packet to the TACACS server.
8 The TACACS server sends back the authorization response, indicating that the user has passed the authorization.
9 Upon receipt of the response indicating an authorization success, the TACACS client pushes the configuration interface of the security gateway to the user.
10 The TACACS client sends a start-accounting request to the TACACS server.
11 The TACACS server sends back an accounting response, indicating that it has received the start-accounting request.
12 The user logs off; the TACACS client sends a stop-accounting request to the TACACS server.
13 The TACACS server sends back a stop-accounting packet, indicating that the stop-accounting request has been received.
The following figure illustrates the basic message exchange procedures:
(Figure 7 layout: a dial-up user over ISDN/PSTN and a terminal user connect to the security gateway, which acts as the HWTACACS client; the TACACS servers are at 129.7.66.66 and 129.7.66.67.)
Figure 8 The AAA implementation procedures for a telnet user
Configuring AAA
AAA configuration tasks include:
1 Create an ISP domain and set the related attributes
■ Create an ISP domain
■ Configure an AAA scheme
■ Configure the ISP domain state
■ Set an access limit
■ Enable accounting optional
■ Define a local IP pool and allocate IP addresses to PPP users
2 Create a local user and set the related attributes (for local authentication only)
Creating an ISP Domain and Setting the Related Attributes
Creating an ISP domain
An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format, the isp-name following the @ sign (3com163.net, for example) is the ISP domain name. When receiving a connection request from a user named userid@isp-name, the security gateway treats the userid part as the username for authentication and the isp-name part as the domain name.
The purpose of introducing ISP domain settings is to support the multi-ISP application environment, where one access device might access users of different ISPs. Because the attributes of ISP users, such as username and password formats, can be different, you must differentiate them through setting ISP domains. In ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-ISP domain basis, including an AAA scheme.
For 3Com Series Security Gateways, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.
Perform the following configurations in system view.
By default, the default ISP domain in the system is system.
Configuring an AAA scheme
You can configure authentication, authorization and accounting schemes in either of the following two modes.
1 AAA binding mode
In this mode, you use the scheme command to specify one scheme for all three functions. If you choose the RADIUS or HWTACACS scheme, the corresponding RADIUS or HWTACACS server performs authentication, authorization and accounting; you cannot specify different schemes for authentication, authorization and accounting respectively. If you use the local scheme, only authentication and authorization are performed, not accounting.
When the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme serves as a backup used only when the RADIUS or TACACS server is unavailable. If the RADIUS or TACACS server is available, local authentication is not used.
If the local scheme is the first scheme, only local authentication is performed and the RADIUS, HWTACACS or none scheme cannot be adopted. If the none scheme is the first scheme, no RADIUS or HWTACACS scheme can be adopted.
Perform the following configuration in ISP domain view.
Table 13 Create/delete an ISP domain
Operation                                                        Command
Create an ISP domain or enter the view of a specified domain.    domain { isp-name | default { disable | enable isp-name } }
Remove a specified ISP domain.                                   undo domain isp-name
The default AAA scheme is local.
CAUTION:
■ An FTP user login cannot be authenticated in none mode because an FTP server implemented with Comware does not support anonymous login.
■ If the scheme none command is used, the priority level of a user logged into the system is level 0.
2 AAA separate mode
In this mode, you can use the authentication, authorization or accounting command to select schemes for the three tasks respectively. For example, you can specify the RADIUS scheme for authentication and authorization, and the HWTACACS scheme for optional accounting, so as to provide users with flexibility in scheme combination. Implementations of AAA services in this mode are listed below.
■ For terminal users
Use RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none for authentication;
Use HWTACACS or none for authorization;
Use RADIUS, HWTACACS or none for accounting.
You can customize an AAA scheme combination according to the above implementations.
■ For FTP users
Only authentication can be applied on FTP users.
Use RADIUS, HWTACACS, local, RADIUS-local or HWTACACS-local for authentication.
■ For PPP and L2TP users
Use RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none for authentication.
Use HWTACACS or none for authorization.
Use RADIUS, HWTACACS or none for accounting.
You can customize an AAA scheme combination according to the above implementations.
Table 14 Configure the related attributes of the ISP domain
Operation                               Command
Configure an AAA scheme for the domain. scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Restore the default AAA scheme.         undo scheme [ radius-scheme | hwtacacs-scheme | none ]
■ For DVPN services
At present, only RADIUS, local and RADIUS-local support authentication and authorization, and only RADIUS supports accounting.
Perform the following configuration in ISP domain view.
1 If separate AAA schemes are configured as well as the binding AAA scheme, the former ones are used.
2 The RADIUS and local schemes do not support separated authentication and authorization. Therefore, the following should be noted:
■ When the scheme radius-scheme or scheme local command is configured, and the authentication command is not configured: If authorization none is configured, the authorization data returned by the RADIUS or local scheme is still valid; If authorization hwtacacs is configured, the HWTACACS scheme is used for authorization.
■ If the scheme radius-scheme or scheme local command is configured as well as the authentication hwtacacs-scheme command, the HWTACACS scheme is used for authentication and no authorization is performed.
Configuring the ISP domain state
Every ISP domain is in one of two states, active or block. When an ISP domain is active, its users can request network service; when it is blocked, its users cannot request any network service, although users already online are not affected. An ISP domain is active when it is first created, so its users are allowed to request network service.
Perform the following configuration in ISP domain view.
Table 15 Configure the related ISP domain attributes
Operation                                                     Command
Configure an authentication scheme for the domain.            authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Restore the default authentication scheme for the domain.     undo authentication
Configure an authorization scheme for the domain.             authorization { hwtacacs-scheme hwtacacs-scheme-name | none }
Restore the default authorization scheme for the domain.      undo authorization
Configure an accounting scheme for the domain.                accounting { radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | none }
Restore the default accounting scheme for the domain.         undo accounting
Table 16 Configure the ISP domain state
Operation                        Command
Configure the ISP domain state.  state { active | block }
By default, an ISP domain is active when it is created.
Setting an access limit
You can specify the maximum number of users that an ISP domain can accommodate by setting an access limit.
Perform the following configuration in ISP domain view.
By default, an ISP domain has no limit on the user number upon its creation.
Enabling accounting optional
If accounting optional is configured for a user, the device does not disconnect the user when no accounting server is available or when communication with the accounting server fails.
Unlike the scheme none command, with accounting optional the system still sends accounting information to the accounting server but never terminates the connection, whether or not the server responds or performs accounting. With scheme none, the system neither sends accounting information to the accounting server nor terminates the connection. If you specify RADIUS or HWTACACS in the scheme command without configuring accounting optional, the system sends accounting information to the accounting server and terminates the connection if the server does not respond or does not perform accounting.
Perform the following configuration in ISP domain view.
By default, when an ISP domain is created, accounting optional is disabled.
Defining an address pool and allocating IP addresses to PPP users
PPP users can obtain IP addresses from the device through PPP address negotiation. Three approaches are available for address allocation on an interface:
■ Directly allocate IP addresses on the interface without configuring an address pool.
■ Define an address pool in system view and assign it (only one is allowed) to the interface in the view of this interface for assigning addresses to the connected ends.
■ Define address pools in domain view and directly allocate the addresses from the pools to the login domain PPP users.
Table 17 Configure an access limit
Operation                                                                      Command
Set an access limit to limit the number of users that the domain can accommodate.   access-limit { disable | enable max-user-number }
Restore the default value.                                                     undo access-limit
Table 18 Enable/disable accounting optional
Operation                     Command
Enable accounting optional.   accounting optional
Disable accounting optional.  undo accounting optional
Perform the following configuration in ISP domain view.
By default, no address pool is configured.
The following are the principles of IP address allocation to PPP users in AAA:
1 For a domain user with a name either in the form of userid or userid@isp-name, the address is allocated as follows:
■ If RADIUS or TACACS authentication/authorization applies, the address that the server has issued to the user is allocated, if there is any.
■ If the server issues an address pool instead of an address, the device searches the address pool in domain view for an address.
■ In case no address can be allocated with the above two methods or local authentication is used, the device assigns the address configured on the interface to the user.
■ If the remote address ip-address command is issued on the interface and the specified address is not in use, the device assigns the address to the user.
■ If the remote address pool command is issued on the interface, the device searches for the address in the specified address pool in domain view and assigns the address to the user.
■ If the remote address command is not issued on the interface, the device searches for the address in all the address pools in domain view and assigns the address to the user.
2 For a user that is not to be authenticated, the device allocates address using the specified address pool (defined in system view) on the interface.
Note: For a user that is to be authenticated and is not assigned an address with the remote address ip-address command, you can still change how the PPP user is assigned an address.
Creating a Local User and Setting the Related Attributes
Create a local user and configure the related attributes on the security gateway if you select the local authentication scheme in AAA.
Note: If you use a radius-scheme or hwtacacs-scheme to authenticate users, you must configure the RADIUS or TACACS server appropriately. The local user configuration does not take effect in this case.
Creating a local user
A local user is a user account configured on the NAS (the security gateway). The username is the unique identifier of a user. A user requesting network service passes local authentication as long as its information has been added to the local user database of the NAS.
Table 19 Define an IP address pool for PPP domain users
Operation                                                       Command
Define an IP address pool for allocating addresses to PPP users.   ip pool pool-number low-ip-address [ high-ip-address ]
Delete the specified address pool.                              undo ip pool pool-number
Perform the following configuration in system view
By default, there is no local user in the system.
Setting attributes of a local user
The attributes of a local user include user password display mode, user password, user state, and the type of service that is authorized to the user.
Perform the following configuration in system view.
Here, auto means that the password display mode is the one specified when the password is configured (see the password command in the following table), and cipher-force means that the passwords of all local users are displayed in cipher text regardless of how they were entered.
Perform the following configurations in local user view.
Table 20 Create/delete a local user and the relevant properties
Operation                                                              Command
Add a local user.                                                      local-user user-name
Delete a local user or the service type of the local user.             undo local-user user-name [ service-type | level ]
Delete all local users or all local users of a specific service type.  undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]
Table 21 Set the password display mode for local users
Operation                                            Command
Set the password display mode for all local users.   local-user password-display-mode { cipher-force | auto }
Cancel the password display mode for local users.    undo local-user password-display-mode
Table 22 Set/remove the attributes concerned with a specified user
Operation                                                               Command
Set a user password.                                                    password { simple | cipher } password
Remove the user password.                                               undo password
Set the user state.                                                     state { active | block }
Remove the user state setting.                                          undo state { active | block }
Set a service type available for the user.                              service-type { telnet | ssh | terminal | pad }
Cancel the service type available for the user.                         undo service-type { telnet | ssh | terminal | pad }
Set a priority level for the user.                                      level level
Restore the default priority level.                                     undo level
Authorize DVPN service to the user.                                     service-type dvpn
Remove the DVPN service authorization.                                  undo service-type dvpn
Set the directory that can be accessed if the user is an FTP user.      service-type ftp [ ftp-directory directory ]
Restore the default directory that can be accessed if the user is an FTP user.   undo service-type ftp [ ftp-directory ]
By default, no service is authorized to users. The default user priority level is 0.
Note: If the configured authentication method requires a username and password (including local, RADIUS, and HWTACACS authentication), your user priority determines which level of commands you can access after logging onto the system. If you adopt RSA authentication, your interface priority determines which level of commands you can access. If the authentication method is none or requires only a password, your interface priority determines which level of commands you can access.
Configuring the RADIUS Protocol
The RADIUS protocol is configured scheme by scheme. In a real networking environment, a RADIUS scheme can comprise an independent RADIUS server or a pair of primary and secondary RADIUS servers with the same configuration but different IP addresses. Accordingly, attributes of every RADIUS scheme include IP addresses of primary and secondary servers, shared key, and RADIUS server type.
The RADIUS protocol configuration only defines the parameters necessary for the information exchange between a NAS and a RADIUS server. For these settings to take effect, you must also reference the RADIUS scheme that contains them in ISP domain view. For more information about the configuration commands, refer to the section “Configuring AAA”.
RADIUS protocol configuration includes:
■ Create a RADIUS scheme
■ Configure RADIUS authentication/authorization servers
■ Configure RADIUS accounting servers and the related attributes
■ Configure the shared key for RADIUS packet encryption
■ Set the maximum number of RADIUS request attempts
■ Set the supported RADIUS server type
■ Set RADIUS server state
■ Set the username format acceptable to the RADIUS server
■ Set the unit of data flows destined for the RADIUS server
■ Configure the source address in the RADIUS packets sent by NAS
■ Set timers regarding RADIUS server
■ Configure the RADIUS server to send a trap packet
Table 22 (continued) Set/remove the attributes concerned with a specified user
Operation Command
Set the attributes of callback number and call number of PPP users.
service-type ppp [ callback-nocheck | callback-number callback-number | call-number call-number [ subcall-number ] ]
Restore the default callback number and call number of PPP users.
undo service-type ppp [ callback-nocheck | callback-number | call-number ]
38 CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
Among these tasks, creating a RADIUS scheme and configuring RADIUS authentication/authorization servers are required, while other tasks are optional at your discretion.
Creating a RADIUS Scheme
As mentioned earlier, the RADIUS protocol is configured scheme by scheme. Therefore, before performing other RADIUS protocol configurations, you must create a RADIUS scheme and enter its view.
You can use the following commands to create/delete a RADIUS scheme.
Perform the following configurations in system view.
A RADIUS scheme can be referenced by several ISP domains at the same time.
By default, the system has a RADIUS scheme named system whose attributes are all default values.
CAUTION: FTP, terminal, and SSH are not standard attribute values of the RADIUS protocol, so you need to define them in the attribute login-service (the standard attribute 15):
login-service(50) = SSH
login-service(51) = FTP
login-service(52) = Terminal
After that, reboot the RADIUS server to validate them.
Configuring RADIUS Authentication/Authorization Servers
You can use the following commands to configure IP address and port number of RADIUS authentication/authorization servers.
Perform the following configuration in RADIUS view.
Table 23 Create/delete a RADIUS scheme
Operation Command
Create a RADIUS scheme and enter its view. radius scheme radius-scheme-name
Delete a RADIUS scheme. undo radius scheme radius-scheme-name
Table 24 Configure IP address and port number of RADIUS authentication/authorization servers
Operation Command
Configure IP address and port number of the primary RADIUS authentication/authorization server.
primary authentication ip-address [ port-number ]
Restore IP address and port number of the primary RADIUS authentication/authorization server to the default values.
undo primary authentication
Configure IP address and port number of the secondary RADIUS authentication/authorization server.
secondary authentication ip-address [ port-number ]
Because the RADIUS server sends authorization information to RADIUS clients in authentication response packets, you do not need to specify a separate authorization server.
In real networking environments, you may specify two RADIUS servers as primary and secondary authentication/authorization servers respectively, or specify one server to function as both.
Configuring RADIUS Accounting Servers and the Related Attributes
Configuring RADIUS accounting servers
You can use the following commands to configure IP address and port number of RADIUS accounting servers.
Perform the following configuration in RADIUS view.
In practice, you can specify two RADIUS servers as the primary and the secondary accounting servers respectively; or specify one server to function as both.
For normal interaction between the NAS and a RADIUS server, you must ensure that the NAS and the RADIUS server can reach each other before configuring the IP address and UDP port of the RADIUS server. In addition, since RADIUS uses different UDP ports for authentication/authorization and accounting, you must assign different numbers to the authentication/authorization port and the accounting port; RFC2138/2139 recommend 1812 and 1813 respectively. You can assign port numbers different from the two recommended in the RFC, however (for example, early RADIUS server implementations often used 1645 and 1646 for the authentication/authorization port and accounting port). When doing this, make sure that the port settings on the security gateway and the RADIUS server are consistent.
You can use the display radius command to view the IP addresses and port number of the primary and secondary accounting servers in the RADIUS scheme.
Table 24 (continued) Configure IP address and port number of RADIUS authentication/authorization servers
Operation Command
Restore IP address and port number of the secondary RADIUS authentication/authorization server to the default values.
undo secondary authentication
Table 25 Configure IP address and port number of RADIUS accounting servers
Operation Command
Configure IP address and port number of the primary RADIUS accounting server.
primary accounting ip-address [ port-number ]
Restore the default IP address and port number of the primary RADIUS accounting server.
undo primary accounting
Configure IP address and port number of the secondary RADIUS accounting server.
secondary accounting ip-address [ port-number ]
Restore the default IP address and port number of the secondary RADIUS accounting server.
undo secondary accounting
Configuring optional accounting
If a user is configured with the accounting optional command, the device does not disconnect the user during the accounting even when it finds no available accounting server or fails to communicate with the accounting server.
Perform the following configuration in RADIUS domain view.
By default, when a RADIUS scheme is created, optional accounting is disabled.
Enabling the stop-accounting packet buffer and retransmission
Since the stop-accounting packet affects the bill and eventually the charge to a user, it has importance for both users and the ISP. Therefore, the NAS should make its best effort to send every stop-accounting packet to the RADIUS accounting server. If the NAS receives no response from the RADIUS accounting server to a stop-accounting packet that it has sent for a specified period, it buffers and resends the packet until the RADIUS accounting server responds, or discards the packet if the number of transmission attempts reaches the configured limit. You can use the following commands to enable the NAS to buffer stop-accounting packets and set the maximum number of transmission attempts.
Perform the following configuration in RADIUS view.
By default, the stop-accounting packet buffer is disabled and the maximum number of packet transmission attempts is 500.
Configuring the maximum number of real-time accounting request attempts
A RADIUS server usually determines the online state of a user using the connection timeout timer. If the RADIUS server receives no real-time accounting packets from the NAS for a long time, it considers that the line or device has failed and stops user accounting. To work with this feature of the RADIUS server, the NAS is required to terminate user connections at the same time as the RADIUS server when unpredictable faults occur. 3Com Series Security Gateways allow you to set the maximum number of consecutive real-time accounting request attempts. The NAS
Table 26 Enable/disable optional accounting
Operation Command
Enable optional accounting. accounting optional
Disable optional accounting. undo accounting optional
Table 27 Enable the stop-accounting packet buffer and set the maximum number of transmission attempts
Operation Command
Enable the stop-accounting packet buffer. stop-accounting-buffer enable
Disable the stop-accounting packet buffer. undo stop-accounting-buffer enable
Enable stop-accounting packet retransmission and specify the maximum number of transmission attempts.
retry stop-accounting retry-times
Restore the default maximum number of transmission attempts. undo retry stop-accounting
terminates a user connection if it receives no response after the number of transmitted real-time accounting requests exceeds the configured limit.
You can use the following command to set the maximum number of real-time accounting request attempts.
Perform the following configuration in RADIUS view.
By default, the maximum number of real-time accounting request attempts is 5.
Setting the Shared Key for RADIUS Packet Encryption
The RADIUS client (the security gateway) and the RADIUS server use the MD5 algorithm, together with a shared key, to protect the packets exchanged between them. Each end verifies received packets using the shared key, so only when both ends use the same key can they properly receive the packets and respond to them.
Perform the following configurations in RADIUS view.
By default, the shared key 3com is used for RADIUS authentication/authorization and accounting packet encryption.
Setting the Maximum Number of RADIUS Request Attempts
Since RADIUS uses UDP packets to carry data, the communication process is not reliable. If the RADIUS server does not respond to the NAS before the response timer expires, the NAS retransmits the RADIUS request. After the number of transmission attempts exceeds the specified retry-times, the NAS considers that the communication with the current RADIUS server is down and turns to another RADIUS server.
You can use the following command to set the maximum number of allowed RADIUS request attempts.
Perform the following configurations in RADIUS view.
Table 28 Set the maximum number of real-time accounting request attempts
Operation Command
Set the maximum number of real-time accounting request attempts. retry realtime-accounting retry-times
Restore the default maximum number of real-time accounting request attempts. undo retry realtime-accounting
Table 29 Set the shared key for RADIUS packet encryption
Operation Command
Set the shared key for RADIUS authentication/authorization packet encryption.
key authentication string
Restore the default shared key for RADIUS authentication/authorization packet encryption.
undo key authentication
Set the shared key for RADIUS accounting packet encryption. key accounting string
Restore the default shared key for RADIUS accounting packet encryption. undo key accounting
By default, a RADIUS request can be sent up to three times.
Setting the Supported RADIUS Server Type
You can use the following command to set the supported RADIUS server type.
Perform the following configurations in RADIUS view.
By default, in the system scheme, the RADIUS server type is 3com; in a newly created RADIUS scheme, the RADIUS server type is standard.
NOTE: If a 3Com CAMS server is used, some parameters, such as service type, EXEC priority level, and FTP directory, take effect only after server-type is configured as 3com.
Setting RADIUS Server State
For the primary and secondary servers in a RADIUS scheme (whether they are authentication/authorization servers or accounting servers), if the primary server is disconnected from the NAS due to some fault, the NAS automatically turns to the secondary server. However, after the primary server recovers, the NAS does not resume communication with it at once; instead, the NAS continues communicating with the secondary server and turns back to the primary server only after the secondary server fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the primary server state to active.
When both primary and secondary servers are active or blocked, the NAS sends packets to the primary one only.
Perform the following configurations in RADIUS view.
Table 30 Set the maximum number of RADIUS request attempts
Operation Command
Set the maximum number of RADIUS request attempts. retry retry-times
Restore the default maximum number of RADIUS request attempts. undo retry
Table 31 Set the supported RADIUS server type
Operation Command
Set the supported RADIUS server type. server-type { 3com | standard }
Restore the RADIUS server type to the default setting. undo server-type
Table 32 Set RADIUS server state
Operation Command
Set the state of the primary RADIUS authentication/authorization server. state primary authentication { block | active }
Set the state of the primary RADIUS accounting server. state primary accounting { block | active }
Set the state of the secondary RADIUS authentication/authorization server. state secondary authentication { block | active }
Set the state of the secondary RADIUS accounting server. state secondary accounting { block | active }
You can use the display radius command to view the server state in the RADIUS scheme.
Setting Username Format Acceptable to RADIUS Server
As mentioned above, supplicants are generally named in the userid@isp-name format, where the part following "@" is the ISP domain name. 3Com Series Security Gateways put users into different ISP domains according to the domain names. However, some earlier RADIUS servers reject usernames that include an ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server. The security gateway provides the following command to specify whether the username sent to the RADIUS server carries the ISP domain name or not.
NOTE: If a RADIUS scheme is configured not to allow usernames to include ISP domain names, the RADIUS scheme must not be used in more than one ISP domain at the same time. Otherwise, the RADIUS server will mistakenly regard two users in different ISP domains as the same user if they have the same username (excluding their respective domain names).
By default, in the system scheme, the NAS sends usernames without the ISP domain name to the RADIUS server; in a newly created RADIUS scheme, the NAS sends usernames with the ISP domain name to the RADIUS server.
Setting the Unit of Data Flows Destined for RADIUS Server
3Com Series Security Gateways provide you with the following command to define the unit of the data flow sent to RADIUS servers.
In a RADIUS scheme, the default data unit is byte and the default data packet unit is one packet.
Configuring Source Address for RADIUS Packets Sent by NAS
Perform the following configuration in the specified views.
Table 33 Set username format acceptable to RADIUS server
Operation Command
Set the username format transmitted to the RADIUS server.
user-name-format { with-domain | without-domain }
Table 34 Set the unit of data flows destined for RADIUS server
Operation Command
Set the unit of data flows transmitted to RADIUS server.
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
Restore the default unit. undo data-flow-format
Table 35 Configure source address for the RADIUS packets sent by the NAS
Operation Command
Configure the source address to be carried in the RADIUS packets sent by the NAS(RADIUS view).
nas-ip ip-address
Cancel the configured source address to be carried in the RADIUS packets sent by the NAS(RADIUS view).
undo nas-ip
Configure the source address to be carried in the RADIUS packets sent by the NAS(System view).
radius nas-ip ip-address
You can use either command to bind a source address with the NAS.
By default, no source address is specified and the source address of a packet is the address of the interface where it is sent.
Setting Timers Regarding RADIUS Server
Setting the response timeout timer
If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period, the NAS has to resend the request, thus ensuring the user can obtain the RADIUS service.
You can use the following commands to set the response timeout timer.
Perform the following configuration in RADIUS view.
By default, the response timeout timer for the RADIUS server is set to three seconds.
Setting the quiet timer for the primary RADIUS server
Perform the following configuration in RADIUS view.
By default, the primary RADIUS server must wait five minutes before it can resume the active state.
Setting a realtime accounting interval
The setting of real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.
Perform the following configuration in RADIUS view.
Table 35 (continued) Configure source address for the RADIUS packets sent by the NAS
Operation Command
Cancel the configured source address to be carried in the RADIUS packets sent by the NAS(System view).
undo radius nas-ip
Table 36 Set the response timeout timer
Operation Command
Set the response timeout timer. timer response-timeout seconds
Restore the default response timeout timer. undo timer response-timeout
Table 37 Configure the quiet timer for the primary RADIUS server
Operation Command
Configure the quiet timer for the primary RADIUS server.
timer quiet minutes
Restore the default setting. undo timer quiet
In the command, minutes is the real-time accounting interval, and it must be a multiple of three.
The choice of real-time accounting interval depends partly on the performance of the NAS and the RADIUS server: a shorter interval requires higher device performance. It is therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). Table 39 gives the recommended interval for each range of user numbers.
The realtime accounting interval defaults to 12 minutes.
Configure the RADIUS Server to Send a Trap Packet
Perform the following configuration in system view.
By default, the RADIUS server does not send a trap packet when it goes down.
Configuring Local RADIUS Authentication Server
The security gateway provides a simple local RADIUS server function, covering authentication and authorization, called the local RADIUS authentication server function.
By default, a local RADIUS authentication server with the NAS-IP as 127.0.0.1 and key as 3com is created.
Table 38 Set a real-time accounting interval
Operation Command
Set a real-time accounting interval. timer realtime-accounting minutes
Restore the default real-time accounting interval.
undo timer realtime-accounting
Table 39 Recommended ratio of interval to user number
User number Interval for realtime accounting (minute)
1 - 99 3
100 - 499 6
500 - 999 12
1000 and above 15
Table 40 Configure the RADIUS server to send a trap packet
Operation Command
Configure the RADIUS server to send a trap packet when it goes down.
radius trap { authentication-server-down | accounting-server-down }
Configure the RADIUS server not to send a trap packet when it goes down.
undo radius trap { authentication-server-down | accounting-server-down }
Table 41 Configure local RADIUS authentication server
Operation Command
Configure local RADIUS authentication server. local-server nas-ip ip-address key password
Cancel the local RADIUS authentication server configuration. undo local-server nas-ip ip-address
NOTE: When the local RADIUS authentication server function is enabled, the UDP port number for the authentication/authorization services must be 1645 and that for the accounting service must be 1646.
The packet key password configured here must be the same as the authentication/authorization packet key password configured with the key authentication command in RADIUS view.
The device supports 16 local RADIUS authentication servers at most, including default ones created by the system.
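The RADIUS scheme tasks listed at the start of this section, and the local RADIUS authentication server of Table 41, worked through as one configuration. This is an added example, not a configuration from the 3Com manual: the scheme names, IP addresses, key and password placeholders, the [Gateway-...] prompts, the quit command and the admin user's level are assumptions; every other command is taken from the tables above.

```text
# Added example, not from the manual. Prompts, "quit", addresses, names and
# the <...> placeholders are assumptions; replace them with your own values.

# --- Scheme 1: external primary/secondary servers, standard RADIUS ports ---
[Gateway] radius scheme rad-corp
# Authentication/authorization on UDP 1812, accounting on UDP 1813. The same
# two hosts serve both roles; the ports must differ (RFC2138/2139).
[Gateway-radius-rad-corp] primary authentication 192.0.2.10 1812
[Gateway-radius-rad-corp] secondary authentication 192.0.2.11 1812
[Gateway-radius-rad-corp] primary accounting 192.0.2.10 1813
[Gateway-radius-rad-corp] secondary accounting 192.0.2.11 1813
# Replace the default key "3com": it is identical on every unconfigured device,
# and the MD5 packet protection is only as strong as this shared key.
[Gateway-radius-rad-corp] key authentication <SHARED-KEY-PLACEHOLDER>
[Gateway-radius-rad-corp] key accounting <SHARED-KEY-PLACEHOLDER>
# "standard" unless the server is a 3Com CAMS; only "3com" makes the
# EXEC level, service type and FTP directory attributes take effect.
[Gateway-radius-rad-corp] server-type standard
# Keep the domain in the username so this scheme can serve several ISP
# domains without two "admin" users in different domains colliding.
[Gateway-radius-rad-corp] user-name-format with-domain
# Fixed source address so the server's NAS client entry matches one IP.
[Gateway-radius-rad-corp] nas-ip 192.0.2.1
# Failover budget per server = retry x response-timeout = 3 x 3 s = 9 s.
[Gateway-radius-rad-corp] retry 3
[Gateway-radius-rad-corp] timer response-timeout 3
# A blocked primary server returns to active after 5 minutes.
[Gateway-radius-rad-corp] timer quiet 5
# Buffer and resend Stop records so billing does not lose sessions; drop a
# user after 5 unanswered real-time accounting requests (the defaults).
[Gateway-radius-rad-corp] stop-accounting-buffer enable
[Gateway-radius-rad-corp] retry stop-accounting 500
[Gateway-radius-rad-corp] retry realtime-accounting 5
[Gateway-radius-rad-corp] timer realtime-accounting 12
[Gateway-radius-rad-corp] quit
# Traps when a server is judged down (system view), so failover is visible.
[Gateway] radius trap authentication-server-down
[Gateway] radius trap accounting-server-down

# --- Scheme 2: the gateway's own local RADIUS authentication server ---
# The local server listens on 1645/1646, not 1812/1813, and the key given
# here must equal "key authentication" in the scheme that points at it.
[Gateway] local-server nas-ip 127.0.0.1 key <LOCAL-KEY-PLACEHOLDER>
[Gateway] radius scheme rad-local
[Gateway-radius-rad-local] primary authentication 127.0.0.1 1645
[Gateway-radius-rad-local] primary accounting 127.0.0.1 1646
[Gateway-radius-rad-local] key authentication <LOCAL-KEY-PLACEHOLDER>
# Assumed: server type 3com, as in the default system scheme.
[Gateway-radius-rad-local] server-type 3com
[Gateway-radius-rad-local] quit
# The local server checks the local user database; store the password in
# cipher form and limit the account to SSH (assumed level value).
[Gateway] local-user password-display-mode cipher-force
[Gateway] local-user admin01
[Gateway-luser-admin01] password cipher <PASSWORD-PLACEHOLDER>
[Gateway-luser-admin01] service-type ssh
[Gateway-luser-admin01] level 3
[Gateway-luser-admin01] state active
[Gateway-luser-admin01] quit
# Check the result: display radius rad-corp, display radius rad-local
```

Either scheme still has to be referenced in ISP domain view (see "Configuring AAA") before users are authenticated against it.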
Configuring HWTACACS Protocol
The configuration tasks of HWTACACS include:
■ Create a HWTACACS scheme
■ Configure TACACS authentication servers
■ Configure TACACS authorization servers
■ Configure TACACS accounting servers
■ Configure a key for securing the communication with a TACACS server
■ Set the username format acceptable to a TACACS server
■ Set the unit of data flows destined for a TACACS server
■ Configure the source address to be carried by the HWTACACS packets sent by NAS
■ Set timers regarding TACACS server
NOTE: Compared with the RADIUS server settings, note the following points when configuring a TACACS server:
■ The system does not check whether users are using the current HWTACACS scheme when you change most of its attributes, except when you delete the scheme.
■ By default, the TACACS server has no key.
Among these configuration tasks, creating a HWTACACS scheme and configuring TACACS authentication/authorization servers are mandatory, while the others are optional at your discretion.
Creating a HWTACACS scheme
As mentioned earlier, the HWTACACS protocol is configured scheme by scheme. Therefore, you must create a HWTACACS scheme and enter HWTACACS view before you perform other configuration tasks.
Perform the following configuration in system view.
Table 42 Create a HWTACACS scheme
Operation Command
Create a HWTACACS scheme and enter HWTACACS view. hwtacacs scheme hwtacacs-scheme-name
Delete a HWTACACS scheme. undo hwtacacs scheme hwtacacs-scheme-name
If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view.
In HWTACACS view, you can configure the HWTACACS scheme.
The system supports up to 128 HWTACACS schemes. You can only delete the schemes that are not being used.
By default, no HWTACACS scheme exists.
Configuring TACACS Authentication Servers
Perform the following configuration in HWTACACS view.
The primary and secondary authentication servers cannot use the same IP address; otherwise, the system reports that the configuration failed. The default port number is 49.
If you execute this command repeatedly, the new settings replace the old settings.
You can remove a server only when it is not used by any active TCP connection for sending authentication packets. Removing the server does not affect the packets sent before the operation.
Configuring TACACS Authorization Servers
Perform the following configuration in HWTACACS view.
NOTE: If TACACS authentication is configured for a user without a TACACS authorization server, the user cannot log in regardless of its user type.
Table 43 Configure TACACS authentication servers
Operation Command
Configure the TACACS primary authentication server. primary authentication ip-address [ port ]
Delete the TACACS primary authentication server. undo primary authentication
Configure the TACACS secondary authentication server. secondary authentication ip-address [ port ]
Delete the TACACS secondary authentication server. undo secondary authentication
Table 44 Configure TACACS authorization servers
Operation Command
Configure the primary TACACS authorization server. primary authorization ip-address [ port ]
Delete the primary TACACS authorization server. undo primary authorization
Configure the secondary TACACS authorization server. secondary authorization ip-address [ port ]
Delete the secondary TACACS authorization server. undo secondary authorization
The primary and secondary authorization servers cannot use the same IP address; otherwise, the system reports that the configuration failed. The default port number is 49.
If you execute this command repeatedly, the new settings replace the old settings.
You can remove a server only when it is not used by any active TCP connection for sending authorization packets.
Configuring TACACS Accounting Servers and the Related Attributes
Configuring TACACS accounting servers
Perform the following configuration in HWTACACS view.
The primary and secondary accounting servers cannot use the same IP address; otherwise, the system reports that the configuration failed. The default port number is 49.
The default IP address of TACACS accounting server is 0.0.0.0.
If you execute this command repeatedly, the new settings replace the old settings.
You can remove a server only when it is not used by any active TCP connection for sending accounting packets.
Enabling stop-accounting packet retransmission
Perform the following configuration in HWTACACS view.
By default, stop-accounting packet retransmission is enabled, and the allowed maximum number of transmission attempts is 100.
Table 45 Configure TACACS accounting servers
Operation Command
Configure the primary TACACS accounting server. primary accounting ip-address [ port ]
Delete the primary TACACS accounting server. undo primary accounting
Configure the secondary TACACS accounting server. secondary accounting ip-address [ port ]
Delete the secondary TACACS accounting server. undo secondary accounting
Table 46 Configure stop-accounting packet retransmission
Operation Command
Enable stop-accounting packet retransmission and set the allowed maximum number of transmission attempts.
retry stop-accounting retry-times
Disable stop-accounting packet retransmission. undo retry stop-accounting
Configuring Source Address for HWTACACS Packets Sent by NAS
Perform the following configuration in HWTACACS view or system view, as indicated in the table.
By default, no source address is specified and the source address to be carried in a packet is the address of the interface where the packet is sent.
Setting a Key for Securing the Communication with TACACS Server
When using a TACACS server as an AAA server, you can set a key to improve the communication security between the security gateway and the TACACS server.
Perform the following configuration in HWTACACS view.
No key is configured by default.
Setting the Username Format Acceptable to the TACACS Server
Username is usually in the "userid@isp-name" format, with the domain name following "@".
If a TACACS server does not accept the username with domain name, you can remove the domain name and resend it to the TACACS server.
Perform the following configuration in HWTACACS view.
By default, each username sent to a TACACS server contains a domain name.
Setting the Unit of Data Flows Destined for the TACACS Server
Perform the following configuration in HWTACACS view.
Table 47 Configure the source address to be carried in HWTACACS packets sent by the NAS
Operation Command
Configure the source address to be carried in HWTACACS packets sent by the NAS (HWTACACS view). nas-ip ip-address
Delete the configured source address to be carried in the HWTACACS packets sent by the NAS (HWTACACS view). undo nas-ip
Configure the source address to be carried in the HWTACACS packets sent by the NAS (System view). hwtacacs nas-ip ip-address
Cancel the configured source address to be carried in the HWTACACS packets sent by the NAS (System view). undo hwtacacs nas-ip
Table 48 Set a key for securing the communication with the TACACS server
Operation Command
Configure a key for securing the communication with the TACACS accounting, authorization or authentication server.
key { accounting | authorization | authentication } string
Delete the configuration. undo key { accounting | authorization | authentication }
Table 49 Set the username format acceptable to the TACACS server
Operation Command
Send username with domain name. user-name-format with-domain
Send username without domain name. user-name-format without-domain
By default, data is sent in bytes. The packets are measured in the unit of one packet.
Setting Timers Regarding TACACS Server
Setting the response timeout timer
Because HWTACACS runs over TCP, a server response timeout or a TCP timeout may terminate the connection to the TACACS server.
Perform the following configuration in HWTACACS view.
The default response timeout timer is set to five seconds.
Setting the quiet timer for the primary TACACS server
Perform the following configuration in HWTACACS view.
By default, the primary TACACS server must wait five minutes before it can resume the active state.
Setting a realtime accounting interval
The real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the accounting server at intervals of this value.
Perform the following configuration in HWTACACS view.
Table 50 Set the unit of data flows destined for the TACACS server
Operation Command
Set the unit of data flows destined for the TACACS server.
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
Restore the default unit of data flows destined for the TACACS server.
undo data-flow-format { data | packet }
Table 51 Set the response timeout timer
Operation Command
Set the response timeout time. timer response-timeout seconds
Restore the default setting. undo timer response-timeout
Table 52 Set the quiet timer for the primary TACACS server
Operation Command
Set the quiet timer for the primary TACACS server. timer quiet minutes
Restore the default setting. undo timer quiet
Table 53 Set a real-time accounting interval
Operation Command
Set a real-time accounting interval. timer realtime-accounting minutes
The interval is in minutes and must be a multiple of 3.
The choice of real-time accounting interval depends partly on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. It is therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). Table 54 gives the recommended interval for each range of user numbers.
The real-time accounting interval defaults to 12 minutes.
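The HWTACACS tasks of this section worked through as one scheme. This is an added example, not a configuration from the 3Com manual: the scheme name, server addresses, key placeholders, the [Gateway-...] prompts and the quit command are assumptions; the commands themselves are those of Tables 42 to 53.

```text
# Added example, not from the manual. Prompts, "quit", addresses, the scheme
# name and the <...> placeholders are assumptions.
[Gateway] hwtacacs scheme tac-corp
# Primary/secondary servers for each service on TCP port 49 (the default).
# Each primary/secondary pair must use two different IP addresses, otherwise
# the command is rejected.
[Gateway-hwtacacs-tac-corp] primary authentication 198.51.100.10 49
[Gateway-hwtacacs-tac-corp] secondary authentication 198.51.100.11 49
# Unlike RADIUS, authorization is a separate server here: without one,
# TACACS-authenticated users cannot log in at all.
[Gateway-hwtacacs-tac-corp] primary authorization 198.51.100.10 49
[Gateway-hwtacacs-tac-corp] secondary authorization 198.51.100.11 49
[Gateway-hwtacacs-tac-corp] primary accounting 198.51.100.10 49
[Gateway-hwtacacs-tac-corp] secondary accounting 198.51.100.11 49
# No key exists by default, so the exchange with the server is unprotected
# until one is set for every service. The key must match the server side.
[Gateway-hwtacacs-tac-corp] key authentication <TACACS-KEY-PLACEHOLDER>
[Gateway-hwtacacs-tac-corp] key authorization <TACACS-KEY-PLACEHOLDER>
[Gateway-hwtacacs-tac-corp] key accounting <TACACS-KEY-PLACEHOLDER>
# Keep the ISP domain in the username (the default) so users in different
# domains stay distinct on the server.
[Gateway-hwtacacs-tac-corp] user-name-format with-domain
# Fixed source address so the server's client entry matches one IP.
[Gateway-hwtacacs-tac-corp] nas-ip 198.51.100.1
# HWTACACS is TCP-based: an unanswered request or a TCP timeout drops the
# connection; a blocked primary server is retried after the quiet timer.
[Gateway-hwtacacs-tac-corp] timer response-timeout 5
[Gateway-hwtacacs-tac-corp] timer quiet 5
# Retransmit unanswered Stop records up to 100 times (the default).
[Gateway-hwtacacs-tac-corp] retry stop-accounting 100
# Interval must be a multiple of 3; 6 minutes suits 100 to 499 users.
[Gateway-hwtacacs-tac-corp] timer realtime-accounting 6
# Report traffic in kilobytes and single packets.
[Gateway-hwtacacs-tac-corp] data-flow-format data kilo-byte
[Gateway-hwtacacs-tac-corp] data-flow-format packet one-packet
[Gateway-hwtacacs-tac-corp] quit
```

Deleting the scheme later is refused while it is in use, whereas changing its other attributes is not checked against active users, so change keys and server addresses in a maintenance window.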
Displaying and Debugging AAA and RADIUS/HWTACACS Protocols
After the above configuration, execute the display commands in any view to view the running of the AAA and RADIUS/HWTACACS configurations and to check the configuration effect. Execute the reset commands in user view to reset the configurations. Execute the debugging commands in user view for debugging.
Table 53 (continued) Set a real-time accounting interval
Operation Command
Restore the default real-time accounting interval. undo timer realtime-accounting
Table 54 Recommended ratio of the interval to the number of users
User number Real-time accounting interval (in minutes)
1 - 99 3
100 - 499 6
500 - 999 12
1000 and above 15
Table 55 Display and debug the AAA protocol
Operation Command
Display the configuration information of the specified or all the ISP domains.
display domain [ isp-name ]
Display related information of user’s connection.
display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | ucibindex ucib-index | user-name user-name ]
Display related information of the local user
display local-user [ domain isp-name | service-type { dvpn | telnet | ssh | terminal | ftp | ppp } | state { active | block } | user-name user-name ]
Table 56 Display and debug the RADIUS protocol
Operation Command
Display the specified or all the RADIUS schemes or display the statistics about RADIUS.
display radius [ radius-scheme-name | statistics ]
Display the statistics on RADIUS packets. display radius statistics
Display information on the stop-accounting packets in the buffer.
display stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name }
52 CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
AAA and RADIUS/HWTACACS Protocol Configuration Example
Telnet/SSH User Authentication/Accounting Using RADIUS Server
n Authentication configuration on the RADIUS server for SSH users and that for Telnet users is similar. The following uses the configuration for Telnet users as an example.
Network requirements
Configure the module to enable the RADIUS server to provide authentication and accounting services for Telnet users accessing the module (see Figure 9).
Display the statistics on the local RADIUS authentication server. display local-server statistics
Enable RADIUS packet debugging. debugging radius packet
Disable RADIUS packet debugging. undo debugging radius packet
Enable local RADIUS authentication server debugging.
debugging local-server { all | error | event | packet }
Disable local RADIUS authentication server debugging.
undo debugging local-server { all | error | event | packet }
Clear stop-accounting packets from the buffer.
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Reset the statistics of RADIUS server. reset radius statistics
Table 57 Display and debug the HWTACACS protocol
Operation Command
Display the specified or all the HWTACACS schemes.
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
Display information on the stop-accounting packets in the buffer.
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
Enable HWTACACS debugging. debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
Disable HWTACACS debugging. undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
Clear stop-accounting packets from the buffer.
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
Reset the statistics about TACACS servers. reset hwtacacs statistics {accounting | authentication | authorization | all }
Table 56 Display and debug the RADIUS protocol
Operation Command
AAA and RADIUS/HWTACACS Protocol Configuration Example 53
Connect the module to the RADIUS server (functions as both authentication and accounting servers) whose IP address is 10.0.0.1/24. On the module, set the shared keys both for packet exchange with the authentication server and with the accounting server as "expert".
You can use a 3Com CAMS server as the RADIUS server. Set server-type in the RADIUS scheme to standard or 3com if a third-party RADIUS server is used and to 3com if a 3Com CAMS server is used. On the RADIUS server, set the shared key for packet exchange with the module as "expert"; set the authentication and accounting port numbers; add the usernames and login passwords of the Telnet users. If the module is configured in the RADIUS scheme not to remove the domain name from the user name but send the full username to the RADIUS server, the Telnet usernames added onto the RADIUS server are in the userid@isp-name format.
Network diagram
Figure 9 Network diagram for remote RADIUS authentication on Telnet users
[Figure: Switch 8800 with SecBlade. VLAN 10: RADIUS server 10.0.0.1/24, switch VLAN interface 10.0.0.254/24. VLAN 30: switch 30.0.0.1/24, SecBlade 30.0.0.254/24. VLAN 50: Telnet user 50.0.0.1/24, SecBlade 50.0.0.254/24.]
Configuration procedure
1 Radius Server
IP address: 10.0.0.1/24.
Gateway: 10.0.0.254.
2 Telnet User
IP address: 50.0.0.1/24.
3 Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the module interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create the module test.
[SW8800] secblade module test
# Specify the module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Configure the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module of the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the Telnet user to use AAA authentication mode.
[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme
# Configure the domain.
[secblade] domain cams
[secblade-isp-cams] access-limit enable 10
[secblade-isp-cams] accounting optional
[secblade-isp-cams] quit
# Configure a RADIUS scheme.
[secblade] radius scheme cams
[secblade-radius-cams] primary authentication 10.0.0.1 1812
[secblade-radius-cams] primary accounting 10.0.0.1 1813
[secblade-radius-cams] key authentication expert
[secblade-radius-cams] key accounting expert
[secblade-radius-cams] server-type 3Com
[secblade-radius-cams] user-name-format without-domain
[secblade-radius-cams] quit
# Associate the domain with the RADIUS scheme.
[secblade] domain cams
[secblade-isp-cams] scheme radius-scheme cams
[secblade-isp-cams] quit
Telnet users use usernames in the userid@cams format to log onto the network and are authenticated as cams domain users.
# Quit SecBlade configuration view.
[secblade] quit
<secblade> quit
[SW8800]
Configuring FTP/Telnet User Local Authentication
Note: Configuring local authentication for FTP users is similar to that for Telnet users. The following example is based on Telnet users.
Network requirements
Configure the module to authenticate Telnet login users locally (see Figure 10).
Network diagram
Figure 10 Network diagram for Telnet user local authentication
Configuration procedure
1 Telnet User
IP address: 10.0.0.1/24.
Gateway: 10.0.0.254.
2 Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the aggregation of the module interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create the module test.
[SW8800] secblade module test
# Specify the module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module of the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static routes.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the Telnet user to use AAA authentication.
[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme
# Create the local user telnet.
[secblade] local-user telnet@system
[secblade-luser-telnet@system] service-type telnet
[secblade-luser-telnet@system] password simple 3com
[secblade-luser-telnet@system] quit
[secblade] domain system
[secblade-isp-system] scheme local
[secblade-isp-system] quit
Telnet users use usernames in the userid@system format to log onto the network and are authenticated as system domain users.
# Quit the Firewall module configuration view.
[secblade] quit
<secblade> quit
[SW8800]
Enabling the TACACS Server to Employ One-Time Authentication/Accounting on Telnet Users
Network requirements
In the network environment shown in the following figure, make the proper configuration to enable the TACACS server to employ one-time password authentication/accounting on Telnet users.
One TACACS server host, serving as both authentication server and accounting server, is connected to a module. The IP address of the server host is 10.0.0.1/24. Set the shared keys both for packet exchange with the authentication server and with the accounting server to "expert". The TACACS server provides one-time password authentication, and the module does not remove the domain name from the user name but sends them together to the TACACS server, so the user name you add on the TACACS server should be "test@tacacs".
Network diagram
Figure 11 Network diagram for remote RADIUS authentication on the Telnet user
Configuration procedure
1 TACACS Server
IP address: 10.0.0.1/24.
Gateway: 10.0.0.254.
2 Telnet User
IP address: 50.0.0.1/24.
3 Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the firewall module interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create the module test.
[SW8800] secblade module test
# Specify the module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module of the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the Telnet user to use AAA authentication.
[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme
# Configure the HWTACACS scheme.
[secblade] hwtacacs scheme system
[secblade-hwtacacs-system] primary authentication 10.0.0.1 49
[secblade-hwtacacs-system] primary accounting 10.0.0.1 49
[secblade-hwtacacs-system] key authentication expert
[secblade-hwtacacs-system] key accounting expert
[secblade-hwtacacs-system] server-type 3Com
[secblade-hwtacacs-system] user-name-format with-domain
[secblade-hwtacacs-system] quit
# Associate the domain with the TACACS scheme (the scheme must be bound before leaving domain view).
[secblade] domain tacacs
[secblade-isp-tacacs] access-limit enable 10
[secblade-isp-tacacs] accounting optional
[secblade-isp-tacacs] scheme tacacs-scheme system
[secblade-isp-tacacs] quit
4 Configure the TACACS server
■ Configure the IP address
■ Configure the shared key
■ Add username test@tacacs
■ Enable one-time authentication
Troubleshooting AAA and RADIUS/HWTACACS Protocols
Troubleshooting the RADIUS Protocol
The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It mainly specifies how user information is exchanged between a NAS and the RADIUS server of an ISP, so it is prone to faults.
■ Symptom 1: User authentication/authorization always fails
Troubleshooting:
Check that:
1 The username is in the userid@isp-name format or a default ISP domain is specified on the NAS.
2 The user exists in the database on the RADIUS server.
3 The password input by the user is correct.
4 The same shared key is configured on both the RADIUS server and the NAS.
5 The NAS can communicate with the RADIUS server (by pinging the RADIUS server).
■ Symptom 2: RADIUS packets cannot reach the RADIUS server.
Troubleshooting:
Check that:
1 The communication links (at both physical and link layers) between the NAS and the RADIUS server work well.
2 The IP address of the RADIUS server is correctly configured on the NAS.
3 Authentication/Authorization and accounting UDP ports are set in consistency with the port numbers set on the RADIUS server.
■ Symptom 3: A user passes the authentication and gets an authorization already, but its charging bill cannot be sent to the RADIUS server.
Troubleshooting:
Check that:
1 The accounting port number is correctly set.
2 The authentication/authorization and accounting servers are correctly configured on the NAS. For example, the fault can occur in the situation where one server is configured on the NAS to provide all the services of authentication/authorization and accounting, despite the fact that different server devices are used to provide the services.
Troubleshooting the HWTACACS Protocol
See the previous section if you encounter an HWTACACS fault.
5 ACL CONFIGURATION
Introduction to ACL
ACL Overview
In order to filter data packets, a series of rules needs to be configured on the security gateway to decide which data packets can pass. These rules are defined by ACLs (Access Control Lists), which are sequential sets of permit and deny statements. The rules are described by the source address, destination address and port number of data packets. An ACL classifies data packets according to these rules applied on security gateway interfaces, by which the security gateway decides which packets to receive and which to reject.
Classification of ACL
According to application purpose, ACLs fall into four groups:
■ Basic ACL
■ Advanced ACL
■ Interface-based ACL
■ MAC-based ACL
The application purpose of ACL is specified by the range of the number. Interface-based ACL ranges from 1,000 to 1,999; basic ACL ranges from 2,000 to 2,999; advanced ACL ranges from 3,000 to 3,999; and MAC-based ACL ranges from 4,000 to 4,999.
Match Order of ACL
An access control list may consist of several permit and deny statements, each specifying a different rule. When a packet is matched against the list, the order in which the statements are compared therefore matters.
There are two kinds of match orders:
■ Configuration sequence: match ACL rules according to their configuration order.
■ Automatic sequencing: follow the principle of "depth priority".
The "depth priority" rule puts the statement that specifies the smallest packet range first. This is determined by comparing address wildcards: the smaller the wildcard, the smaller the host range specified. For example, 129.102.1.1 0.0.0.0 specifies a single host, 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies a network segment, from 129.102.1.1 to 129.102.255.255. Obviously, the former is put first in the access control list. The detailed standard is: for statements of a basic access control list, directly compare their source address wildcards; if the wildcards are the same, arrange the statements in configuration sequence. For interface-based access control lists, put the rule configured with "any" last and arrange the others in configuration sequence. For advanced access control lists, compare the source address wildcards first; if they are the same, compare the destination address wildcards; if those are also the same, compare the port number ranges, putting the rules with smaller ranges first. If the port number ranges are still the same, arrange the rules in configuration sequence.
The display acl command can be used to verify which rule takes effect first: the rule listed first in the display takes effect first.
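The following added example (not 3Com code) models the wildcard match and the "depth priority" ordering described above, so you can see why a narrow permit configured after a broad deny is shadowed under match-order config but takes effect under match-order auto. Rule fields, names and the sample rules are assumptions for illustration; only TCP/UDP destination port ranges are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the ACL wildcard match and of the two match orders.
# Not the device's implementation; field names are assumptions.

ANY = ("0.0.0.0", "255.255.255.255")   # same meaning as the "any" keyword


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a netmask)."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(rule_addr) & care)


@dataclass(frozen=True)
class Rule:
    seq: int                                    # configuration order, 1 = configured first
    action: str                                 # "permit" or "deny"
    source: Tuple[str, str] = ANY               # (address, wildcard)
    destination: Tuple[str, str] = ANY
    dest_port: Optional[Tuple[int, int]] = None # inclusive (low, high); None = any port


def _port_span(rule: Rule) -> int:
    if rule.dest_port is None:
        return 65536                            # "any" port is the widest possible range
    low, high = rule.dest_port
    return high - low + 1


def depth_key(rule: Rule):
    # Smaller wildcard => fewer hosts => matched earlier. Ties are broken by the
    # destination wildcard, then the port range size, then configuration order.
    return (_u32(rule.source[1]), _u32(rule.destination[1]), _port_span(rule), rule.seq)


def order_rules(rules: List[Rule], match_order: str) -> List[Rule]:
    """Return the rules in the order they are compared, i.e. as display acl lists them."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.seq)
    if match_order == "auto":
        return sorted(rules, key=depth_key)
    raise ValueError("match-order must be 'config' or 'auto'")


def first_match(rules: List[Rule], match_order: str,
                src: str, dst: str, dport: int) -> Optional[Rule]:
    for r in order_rules(rules, match_order):
        if not wildcard_matches(src, *r.source):
            continue
        if not wildcard_matches(dst, *r.destination):
            continue
        if r.dest_port is not None and not (r.dest_port[0] <= dport <= r.dest_port[1]):
            continue
        return r
    return None                                 # no rule matched


# Constructed sample: a broad deny configured before a narrow permit.
SAMPLE_RULES = [
    Rule(1, "deny", source=("129.102.1.1", "0.0.255.255")),              # whole 129.102.x.x
    Rule(2, "permit", source=("129.102.1.1", "0.0.0.0"), dest_port=(22, 22)),  # one host, port 22
]


def decide(match_order: str, src: str = "129.102.1.1",
           dst: str = "10.0.0.1", dport: int = 22) -> str:
    hit = first_match(SAMPLE_RULES, match_order, src, dst, dport)
    return "no-match" if hit is None else f"{hit.action} by rule {hit.seq}"


if __name__ == "__main__":
    for mode in ("config", "auto"):
        print(mode, [r.seq for r in order_rules(SAMPLE_RULES, mode)], decide(mode))
```

Under match-order config the host permit never fires because rule 1 is compared first; under match-order auto the host rule is listed and matched first.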
ACL Creation
An ACL is virtually a series of rule lists that consist of permit and deny statements. Several rule lists constitute an ACL. Before configuring the rules of an ACL, you need to create the ACL first.
The following command can be used to create an ACL:
acl number acl-number [ match-order { config | auto } ]
The following command can be used to delete an ACL:
undo acl { number acl-number | all }
Parameter description:
■ number acl-number: Specify an ACL.
■ acl-number: Number of the ACL. An interface-based ACL takes a value in the range 1,000 to 1,999, a basic ACL in the range 2,000 to 2,999, an advanced ACL in the range 3,000 to 3,999, and a MAC-based ACL in the range 4,000 to 4,999.
■ match-order config: Specify to match rules according to configuration sequence of the user.
■ match-order auto: Specify to match rules by system automatic sequencing, namely in "depth priority" sequence.
■ all: Delete all configured ACL.
By default, the match order is the configuration sequence of the user, namely "config" is in use. Once the match order of an ACL has been specified, it cannot be changed unless all the contents of the ACL are deleted and the match order is specified again.
ACL view can be entered after an ACL is created. ACL view is classified according to the application purpose of ACL. For example, advanced ACL view can be entered by creating ACL 3000. The following is the security gateway prompt:
[secblade_FW-acl-adv-3000]
After entering the ACL view, you can configure ACL rules. The rules of different ACLs are different. The detailed configuration method of each ACL rule will be introduced respectively in the following sections.
Basic ACL
A basic ACL can only use source address information as the element for defining a rule. A basic ACL can be created and basic ACL view entered with the above-mentioned acl command. In basic ACL view, basic ACL rules can be created.
The following command can be used to define a basic ACL rule:
rule [ rule-id ] { permit | deny } [ source { source-addr source-wildcard | any } ] [ time-range time-name ] [ logging ] [ fragment ]
Parameter description:
■ rule-id: Optional, number of ACL rule, ranging from 0 to 65,534. After the number is specified, if the ACL rule related to the number has existed, the new rule will overwrite the old one, just as editing an existing ACL rule. If you want to edit an existing ACL rule, you are recommended to delete the existing rule and then create a new one. Otherwise, the edited rule may not be the expected ACL rule. If the ACL rule related to the number does not exist, use the specified number to create a new rule. When the number is not specified, it means to add a new rule. In this case, the system will assign a number automatically for the ACL rule and add the new rule.
■ permit: Permits qualified data packet.
■ deny: Discards qualified data packet.
■ source: Optional parameter, used to specify source address information of ACL rule. If it is not specified, it indicates any source address of the packet matches.
■ source-addr: Source address of data packet, in dotted decimal.
■ source-wildcard: Wildcard of source address, in dotted decimal.
■ any: Represents all source addresses. It is the same as setting the source address to 0.0.0.0 and the wildcard to 255.255.255.255.
■ time-range: Optional parameter, used to specify effective time range of ACL.
■ time-name: Name of ACL effective time range.
■ logging: Optional parameter, indicating whether to log qualified data packet. The log content includes sequence number of access control rule, data packet permitted or discarded and the number of data packets.
■ fragment: Optional parameter, used to specify whether the rule is only valid for non-first-fragment. When this parameter is included, it indicates the rule is only valid for non-first-fragment.
For existing ACL rule, if edit is performed with specified ACL rule number, the rest part will not be affected. For example:
First configure an ACL rule:
rule 1 deny source 1.1.1.1 0
Then edit the ACL rule:
rule 1 deny logging
Then, the ACL rule becomes:
rule 1 deny source 1.1.1.1 0 logging
The following command can be used to delete a basic ACL rule:
undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]
Parameter description:
■ rule-id: Number of ACL rule, which should be an existing ACL rule number. If there is no parameter followed, the entire ACL rule will be deleted. Otherwise, only part of information related to the ACL rule will be deleted.
■ source: Optional parameter. Only the source address information setting of ACL rule with corresponding number will be deleted.
■ time-range: Optional parameter. Only the specific effective time range setting of ACL rule with corresponding number will be deleted.
■ logging: Optional parameter. Only the logging qualified packet setting of ACL rule with corresponding number will be deleted.
■ fragment: Optional parameter. Only the validation setting solely for non-first-fragment of ACL rule with corresponding number will be deleted.
Advanced ACL
An advanced ACL can define rules using such contents of a data packet as source address information, destination address information, the protocol type carried by IP, and protocol-specific features (for example, the source port and destination port of TCP, or the type and code of ICMP). Advanced ACLs can be used to define more accurate, diversified and flexible rules than basic ACLs.
An advanced ACL can be created and advanced ACL view entered with the previously mentioned acl command. In advanced ACL view, advanced ACL rules can be created.
The following command can be used to define an advanced ACL rule:
rule [ rule-id ] { permit | deny } protocol [ source { source-addr source-wildcard | any } ] [ destination { dest-addr dest-wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]
Parameter description:
■ rule-id: Optional, number of ACL rule, ranging from 0 to 65,534. After the number is specified, if the ACL rule related to the number already exists, the new rule will overwrite the old one, just as editing an existing ACL rule. If you want to edit an existing ACL rule, you are recommended to delete the existing rule and then create a new one. Otherwise, the edited rule may not be the expected ACL rule. If the ACL rule related to the number does not exist, the specified number is used to create a new rule. When the number is not specified, a new rule is added and the system assigns a number to it automatically.
■ deny: Discard qualified data packet.
■ permit: Permit qualified data packet.
■ protocol: IP carried protocol type represented by name or number. The number range is from 1 to 255. The name can be gre, icmp, igmp, ip, ipinip, ospf, tcp, and udp.
■ source: Optional parameter, used to specify source address information of ACL rule. If it is not configured, it indicates any source address of the packet matches.
■ source-addr: Source address of data packet, in dotted decimal.
■ destination: Optional parameter, used to specify destination address information of ACL rule. If it is not configured, it indicates any destination address of the packet matches.
■ dest-addr: Destination address of data packet, in dotted decimal.
■ dest-wildcard: Destination address wildcard, in dotted decimal.
■ any: Represents all source or destination addresses. It is the same as setting the source or destination address to 0.0.0.0 and the wildcard to 255.255.255.255.
■ icmp-type: Optional parameter, used to specify type of ICMP packet and message code information, only valid when the packet protocol is ICMP. If it is not configured, it indicates any type of ICMP packet matches.
■ icmp-type: ICMP packet can be filtered according to the message type of ICMP. It is a number ranging from 0 to 255.
■ icmp-code: ICMP packet filtered according to ICMP message type can also be filtered according to message code. It is a number ranging from 0 to 255.
■ icmp-message: ICMP packets can be filtered according to the names of ICMP message types or the names of ICMP message types and ICMP message codes.
■ source-port: Optional parameter, used to specify source port information of UDP or TCP message, only valid when the specified protocol number is TCP or UDP. If it is not specified, it indicates any source port information of TCP/UDP packet matches.
■ destination-port: Optional parameter, used to specify destination port information of UDP or TCP packet, only valid when the protocol number specified by the rule is TCP or UDP. If it is not specified, it indicates any destination port information of TCP/UDP packet matches.
■ operator: Optional parameter. The port number operator for source/destination ports, with the following names and meanings: lt (lower than), gt (greater than), eq (equal to), neq (not equal to) and range (between). Only range takes two port numbers; the other operators take one.
■ port1, port2: Optional parameter, port number of TCP or UDP, represented by name or number, with the number ranging from 0 to 65535.
■ dscp dscp: Specifies a DSCP field (the DS byte in IP packets). This keyword is mutually exclusive with the precedence keyword and the tos keyword.
■ established: Compares all TCP packets with ACK and RST flags set, including SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets.
■ precedence: Optional parameter, according to which data packet can be filtered. A number ranging from 0 to 7 or a name. This keyword is mutually exclusive with the dscp keyword.
■ tos tos: Optional parameter. Data packet can be filtered according to service type field. A number ranging from 0 to 15 or a name. This keyword is mutually exclusive with the dscp keyword.
■ logging: Optional parameter, indicating whether to log qualified data packet. The log contents include sequence number of ACL, data packet permitted/discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and the number of data packets.
■ time-range time-name: The ACL rule is valid in the time range.
■ fragment: Used to specify whether the rule is only valid for non-first-fragment. When this parameter is included, it indicates the rule is only valid for non-first-fragment.
The ToS value is the fourth bit to the seventh bit from left to right (four bits in all), in the range of 0 to 15, as shown in Figure 12. However, its real value in the packet is in the range of 0 to 30.
Figure 12 The ToS field in ACL
When you use the ToS value in the ping command, the ToS value must be twice the value configured in ACL (such as 1). Only in this way can you use the ping command to test the ToS value configured in the ACL.
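The following added example (not 3Com code) shows how the ACL tos value sits in the IP DS byte, why the value given to ping is twice the ACL value, and why the dscp keyword cannot be combined with precedence or tos (the bit fields overlap). The function names are assumptions for illustration.

```python
# Constructed helper, not device code: views of the IP DS byte (bits numbered
# 0-7 from left to right) as the ACL keywords precedence, tos and dscp see it.

def split_ds_byte(ds: int) -> dict:
    """Split one DS byte into the three ACL views of it."""
    if not 0 <= ds <= 255:
        raise ValueError("DS byte must be 0-255")
    return {
        "precedence": ds >> 5,        # bits 0-2 (3 bits): ACL precedence, 0-7
        "tos": (ds >> 1) & 0x0F,      # bits 3-6 (4 bits): ACL tos, 0-15
        "dscp": ds >> 2,              # bits 0-5 (6 bits): ACL dscp, 0-63
    }


def ping_tos_for_acl(acl_tos: int) -> int:
    """Byte value to pass to ping so that an ACL 'tos acl_tos' rule matches."""
    if not 0 <= acl_tos <= 15:
        raise ValueError("ACL tos must be 0-15")
    return acl_tos << 1               # shifted into bits 3-6: always twice the ACL value, 0-30


def acl_tos_matches(ds: int, acl_tos: int) -> bool:
    return split_ds_byte(ds)["tos"] == acl_tos


def ds_byte_from_acl(precedence=None, tos=None, dscp=None) -> int:
    """Build the DS byte that a rule's keywords describe, enforcing their exclusivity."""
    if dscp is not None and (precedence is not None or tos is not None):
        # dscp occupies bits 0-5, which are exactly the precedence and tos bits.
        raise ValueError("dscp is mutually exclusive with precedence and tos")
    if dscp is not None:
        return dscp << 2
    return ((precedence or 0) << 5) | ((tos or 0) << 1)


if __name__ == "__main__":
    print("ping ToS for 'tos 1':", ping_tos_for_acl(1))       # 2
    print("DSCP 46 (EF) seen as:", split_ds_byte(ds_byte_from_acl(dscp=46)))
```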
For existing ACL rule, if edit is performed with specified ACL rule number, the rest part will not be affected. For example:
First configure an ACL rule:
rule 1 deny ip source 1.1.1.1 0
Then edit the ACL rule:
rule 1 deny ip destination 2.2.2.1 0
Then, the ACL rule becomes:
rule 1 deny ip source 1.1.1.1 0 destination 2.2.2.1 0
The following command can be used to delete an advanced ACL rule:
undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]
Parameter description:
■ rule-id: Number of the ACL rule, which must be an existing rule number. If no further parameter follows, the entire rule is deleted. Otherwise only the named parts of the rule are deleted.
■ source: Optional. Deletes only the source address setting of the rule.
■ destination: Optional. Deletes only the destination address setting of the rule.
■ source-port: Optional. Deletes only the source port setting of the rule. Valid only when the protocol of the rule is TCP or UDP.
■ destination-port: Optional. Deletes only the destination port setting of the rule. Valid only when the protocol of the rule is TCP or UDP.
■ icmp-type: Optional. Deletes only the ICMP type and code setting of the rule. Valid only when the protocol of the rule is ICMP.
■ dscp: Optional. Deletes only the DSCP setting of the rule.
■ precedence: Optional. Deletes only the precedence setting of the rule.
■ tos: Optional. Deletes only the tos setting of the rule.
■ time-range: Optional. Deletes only the time range setting of the rule.
■ logging: Optional. Deletes only the logging setting of the rule.
■ fragment: Optional. Deletes only the fragment setting (the restriction to non-first fragments) of the rule.
Port conditions can be specified only for TCP and UDP. The supported operators and their syntax are listed below.
Table 58 Operators of advanced ACL port conditions
Operator and syntax            Meaning
eq portnumber                  Equal to portnumber
gt portnumber                  Greater than portnumber
lt portnumber                  Less than portnumber
neq portnumber                 Not equal to portnumber
range portnumber1 portnumber2  Between portnumber1 and portnumber2 (inclusive)
70 CHAPTER 5: ACL CONFIGURATION
When specifying portnumber, some common port numbers can be given as mnemonics instead of numbers. The supported mnemonics are shown in the table below.
Table 59 Port number mnemonics
Protocol  Mnemonic      Meaning and actual value
TCP       bgp           Border Gateway Protocol (179)
TCP       chargen       Character generator (19)
TCP       cmd           Remote commands (rcmd, 514)
TCP       daytime       Daytime (13)
TCP       discard       Discard (9)
TCP       domain        Domain Name Service (53)
TCP       echo          Echo (7)
TCP       exec          Exec (rsh, 512)
TCP       finger        Finger (79)
TCP       ftp           File Transfer Protocol (21)
TCP       ftp-data      FTP data connections (20)
TCP       gopher        Gopher (70)
TCP       hostname      NIC hostname server (101)
TCP       irc           Internet Relay Chat (194)
TCP       klogin        Kerberos login (543)
TCP       kshell        Kerberos shell (544)
TCP       login         Login (rlogin, 513)
TCP       lpd           Printer service (515)
TCP       nntp          Network News Transport Protocol (119)
TCP       pop2          Post Office Protocol v2 (109)
TCP       pop3          Post Office Protocol v3 (110)
TCP       smtp          Simple Mail Transport Protocol (25)
TCP       sunrpc        Sun Remote Procedure Call (111)
TCP       syslog        Syslog (514)
TCP       tacacs        TAC Access Control System (49)
TCP       talk          Talk (517)
TCP       telnet        Telnet (23)
TCP       time          Time (37)
TCP       uucp          Unix-to-Unix Copy Program (540)
TCP       whois         Nicname (43)
TCP       www           World Wide Web (HTTP, 80)
UDP       biff          Mail notify (512)
UDP       bootpc        Bootstrap Protocol Client (68)
UDP       bootps        Bootstrap Protocol Server (67)
UDP       discard       Discard (9)
UDP       dns           Domain Name Service (53)
UDP       dnsix         DNSIX Security Attribute Token Map (90)
UDP       echo          Echo (7)
UDP       mobilip-ag    MobileIP-Agent (434)
UDP       mobilip-mn    MobileIP-MN (435)
UDP       nameserver    Host Name Server (42)
UDP       netbios-dgm   NETBIOS Datagram Service (138)
UDP       netbios-ns    NETBIOS Name Service (137)
UDP       netbios-ssn   NETBIOS Session Service (139)
UDP       ntp           Network Time Protocol (123)
UDP       rip           Routing Information Protocol (520)
UDP       snmp          SNMP (161)
UDP       snmptrap      SNMP trap (162)
UDP       sunrpc        Sun Remote Procedure Call (111)
UDP       syslog        Syslog (514)
UDP       tacacs-ds     TACACS Database Service (65)
UDP       talk          Talk (517)
UDP       tftp          Trivial File Transfer (69)
UDP       time          Time (37)
UDP       who           Who (513)
UDP       xdmcp         X Display Manager Control Protocol (177)
For ICMP, the ICMP packet type can be specified. By default all ICMP packets are matched. The ICMP packet type can be given as a number (0 to 255) or as one of the mnemonics below.
Table 60 Mnemonics of ICMP packet type
Mnemonic              Meaning
echo                  Type=8, Code=0
echo-reply            Type=0, Code=0
fragmentneed-DFset    Type=3, Code=4
host-redirect         Type=5, Code=1
host-tos-redirect     Type=5, Code=3
host-unreachable      Type=3, Code=1
information-reply     Type=16, Code=0
information-request   Type=15, Code=0
net-redirect          Type=5, Code=0
net-tos-redirect      Type=5, Code=2
net-unreachable       Type=3, Code=0
parameter-problem     Type=12, Code=0
port-unreachable      Type=3, Code=3
protocol-unreachable  Type=3, Code=2
reassembly-timeout    Type=11, Code=1
source-quench         Type=4, Code=0
source-route-failed   Type=3, Code=5
timestamp-reply       Type=14, Code=0
timestamp-request     Type=13, Code=0
ttl-exceeded          Type=11, Code=0
The user adds the appropriate access rules by configuring the firewall. IP packets passing through the security gateway are checked by packet filtering, and the packets the user does not want to pass the gateway are discarded. In this way network security is protected.
Interface-Based ACL Interface-based ACL is a special kind of ACL whose rules are specified according to the interface on which a packet is received.
An interface-based ACL is created, and interface-based ACL view entered, with the acl command described earlier. In interface-based ACL view, the rules of the interface-based ACL can be created.
The following command can be used to define an interface-based ACL rule:
rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]
Parameter description:
■ rule-id: Optional, number of the ACL rule, ranging from 0 to 65,534. If a rule with the specified number already exists, the new rule overwrites the old one, as when editing an existing ACL rule. To edit an existing rule, you are recommended to delete the existing rule and then create a new one; otherwise the edited rule may not be the rule you expect. If no rule with the specified number exists, a new rule is created with that number. When the number is not specified, a new rule is added and the system assigns it a number automatically.
■ deny: Discards matching packets.
■ permit: Permits matching packets.
■ interface interface-type interface-number: Specifies the interface on which the packets are received; any matches all interfaces.
■ logging: Optional parameter. Logs matching packets. The log records the ACL rule number, whether the packet was permitted or discarded, and the number of matching packets.
■ time-range time-name: Optional. The rule is valid only within the named time range.
The following command can be used to delete an interface-based ACL rule:
undo rule rule-id [ logging ] [ time-range ]
Parameter description:
■ rule-id: Number of the ACL rule, which must be an existing rule number.
■ logging: Optional. Deletes only the logging setting of the rule.
■ time-range: Optional. Deletes only the time range setting of the rule.
MAC-Based ACL MAC-based ACLs are numbered in the range 4,000 to 4,999.
You can use the following command to configure a MAC-based ACL rule:
rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ] [ logging ]
The parameters are described as follows:
rule-id represents a rule number.
type-code is a hexadecimal number in the format xxxx, used to match the protocol type of the transmitted frames. type-mask is the wildcard for the protocol type. For type-code values, refer to the chapter on bridge configuration in the link layer protocol part of this manual.
lsap-code is a hexadecimal number in the format xxxx, used to match the encapsulation format of bridged frames on an interface. lsap-mask is the wildcard for lsap-code.
sour-addr represents the source MAC address of a frame in the format xxxx-xxxx-xxxx. sour-mask is the wildcard for the source MAC address.
dest-addr represents the destination MAC address in the format xxxx-xxxx-xxxx. dest-mask is the wildcard for the destination MAC address.
The following command can be used to delete a MAC-based ACL rule:
undo rule rule-id [ time-range time-name ] [ logging ]
The parameters are described as follows:
rule-id: ACL rule number, which must already exist.
ACL Supporting Fragment
Traditional packet filtering does not process all IP fragments: it matches only the first fragment of a datagram and lets all following fragments through. This leaves a security hole, because an attacker can construct non-first fragments to carry traffic past the filter.
The packet filtering of the 3Com security gateway provides fragment filtering: it performs Layer 3 (IP layer) matching and filtering on all fragments, and for ACL rules that contain higher-layer information (such as TCP/UDP port numbers or ICMP type) it offers two matching modes, normal matching and exact matching. Normal matching uses only the Layer 3 information of a fragment and ignores the non-Layer 3 conditions of the rule. Exact matching matches all conditions of the rule, which requires the firewall to record the state of the first fragment so that the complete matching information is available for the following fragments. If you use exact matching, disable fast forwarding on the interface concerned with the undo ip fast-forwarding command. The default mode is normal matching.
The keyword fragment in an ACL rule marks the rule as valid only for non-first fragments; the rule is ignored for non-fragmented packets and first fragments. A rule without this keyword is valid for all packets.
For example:
[3Com-acl-basic-2000] rule deny source 202.101.1.0 0.0.0.255 fragment
[3Com-acl-basic-2000] rule permit source 202.101.2.0 0.0.0.255
[3Com-acl-adv-3001] rule permit ip destination 171.16.23.1 0 fragment
[3Com-acl-adv-3001] rule deny ip destination 171.16.23.2 0
All four rules above apply to non-first fragments. The first and third rules apply only to non-first fragments and are ignored for non-fragmented packets and first fragments; the second and fourth apply to all packets.
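The matching semantics of the advanced ACL rule described in this section (address wildcards, the port operators of Table 58, the mnemonics of Tables 59 and 60, the tos bits and ping doubling, and the normal/exact handling of fragments together with the fragment keyword) can be checked offline with the following Python model. It is an added example written for this page, not code from the 3Com switch: the Packet and Rule classes, the evaluate function, the rule set ACL_3001 (its rules 1 and 2 are the advanced-ACL pair from the fragment example above) and the sample packets are constructed here, the port and ICMP tables are a subset of the manual's, and exact matching assumes the caller supplies the Layer 4 ports recovered from the first fragment.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Subsets of Table 59 / Table 60 with the values the manual lists.
TCP_PORTS = {"ftp": 21, "smtp": 25, "telnet": 23, "www": 80}
UDP_PORTS = {"dns": 53, "ntp": 123, "snmp": 161, "tftp": 69}
ICMP_TYPES = {"echo": (8, 0), "echo-reply": (0, 0), "port-unreachable": (3, 3)}

def resolve_port(proto: str, token: str) -> int:
    """Accept a port mnemonic or a numeric string, as the rule command does."""
    table = TCP_PORTS if proto == "tcp" else UDP_PORTS
    return table[token] if token in table else int(token)

def port_matches(op: str, port: int, p1: int, p2: int = 0) -> bool:
    """The operators of Table 58: eq, gt, lt, neq and range (inclusive)."""
    return {"eq": port == p1, "gt": port > p1, "lt": port < p1,
            "neq": port != p1, "range": p1 <= port <= p2}[op]

def ip_to_int(addr: str) -> int:
    if "." not in addr:                  # the manual writes a host wildcard as a bare "0"
        return int(addr)
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def addr_matches(pkt_addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; wildcard 0 is an exact host."""
    w = ip_to_int(wildcard)
    return (ip_to_int(pkt_addr) | w) == (ip_to_int(rule_addr) | w)

def tos_byte(precedence: int = 0, tos: int = 0) -> int:
    """ToS octet: precedence in bits 0-2, the 4-bit ToS in bits 3-6, bit 7 zero.
    The ToS field starts one bit left of the LSB, hence ping needs 2 * the ACL tos."""
    return (precedence << 5) | (tos << 1)

@dataclass
class Packet:
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None        # None when no L4 header is available
    dport: Optional[int] = None
    icmp: Tuple[int, int] = (0, 0)     # (type, code)
    tos: int = 0                       # raw ToS octet
    frag_offset: int = 0               # > 0 marks a non-first fragment

@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip" matches every protocol
    src: Optional[Tuple[str, str]] = None         # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None
    sport: Optional[Tuple[str, int, int]] = None  # (operator, port1, port2)
    dport: Optional[Tuple[str, int, int]] = None
    icmp_type: Optional[Tuple[int, int]] = None
    tos: Optional[int] = None
    fragment: bool = False

    def matches(self, pkt: Packet, exact: bool = False) -> bool:
        if self.fragment and pkt.frag_offset == 0:   # keyword: non-first fragments only
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src and not addr_matches(pkt.src, *self.src):
            return False
        if self.dst and not addr_matches(pkt.dst, *self.dst):
            return False
        if self.tos is not None and ((pkt.tos >> 1) & 0xF) != self.tos:
            return False
        # Normal matching looks at Layer 3 only for a non-first fragment, so the port
        # and ICMP conditions are skipped; exact matching needs the ports recorded
        # from the first fragment, which the caller supplies in pkt.sport/pkt.dport.
        if pkt.frag_offset > 0 and not exact:
            return True
        for want, have in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want and (have is None or not port_matches(want[0], have, want[1], want[2])):
                return False
        if self.icmp_type and pkt.icmp != self.icmp_type:
            return False
        return True

def evaluate(rules, pkt: Packet, exact: bool = False) -> Optional[Tuple[str, int]]:
    """First match in configuration order (match-order config); None means no rule
    matched and the firewall's default action decides."""
    for rule in rules:
        if rule.matches(pkt, exact):
            return (rule.action, rule.rule_id)
    return None

# Constructed rule set; rules 1 and 2 are the advanced-ACL pair of the fragment example.
ACL_3001 = [
    Rule(0, "deny", "tcp", src=("10.0.0.0", "0.0.0.255"),
         dport=("eq", resolve_port("tcp", "www"), 0)),
    Rule(1, "permit", "ip", dst=("171.16.23.1", "0"), fragment=True),
    Rule(2, "deny", "ip", dst=("171.16.23.2", "0")),
    Rule(3, "permit", "icmp", icmp_type=ICMP_TYPES["echo-reply"]),
]
```

The point to notice in normal matching is that a non-first fragment of any TCP flow from 10.0.0.0/24 hits rule 0 even when the flow is not to port 80, because the port condition is dropped for fragments; exact matching restores the port check but only if the firewall has recorded the first fragment's ports, which is why the manual ties it to disabling fast forwarding.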
Configuring an ACL ACL configuration includes:
■ Configure a basic ACL
■ Configure an advanced ACL
■ Configure an interface-based ACL
■ Configure a MAC-based ACL
■ Add description to an ACL
■ Add comment to an ACL rule
■ Delete an ACL
Configuring a Basic ACL Perform the following configuration.
Table 61 Configure a basic ACL
Operation                                        Command
Create a basic ACL in system view.               acl number acl-number [ match-order { config | auto } ]
Configure/delete an ACL rule in basic ACL view.  rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]
                                                 undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]
For a detailed description of the parameters, refer to the basic ACL section.
Configuring an Advanced ACL
Perform the following configuration.
Table 62 Configure an advanced ACL
Operation                                           Command
Create an advanced ACL in system view.              acl number acl-number [ match-order { config | auto } ]
Configure/delete an ACL rule in advanced ACL view.  rule [ rule-id ] { permit | deny } protocol [ source { sour-addr sour-wildcard | any } ] [ destination { dest-addr dest-wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ dscp dscp ] [ established ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]
                                                    undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]
Configuring an Interface-Based ACL
Perform the following configuration.
Table 63 Configure an interface-based ACL
Operation                                                  Command
Create an interface-based ACL in system view.              acl number acl-number [ match-order { config | auto } ]
Configure/delete an ACL rule in interface-based ACL view.  rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]
                                                           undo rule rule-id [ time-range ] [ logging ]
You can specify an interface by its type and number, or all interfaces with the any keyword.
Configuring a MAC-Based ACL
Perform the following configuration.
Table 64 Configure a MAC-based ACL
Operation                                            Command
Create a MAC-based ACL in system view.               acl number acl-number
Configure/delete an ACL rule in MAC-based ACL view.  rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ]
                                                     undo rule rule-id
Adding Description to an ACL
You can add a description to an ACL as a reminder of its purpose.
Perform the following configuration in ACL view.
Table 65 Add description to an ACL
Operation                     Command
Add description to an ACL.    description text
Remove the description.       undo description
An ACL description contains up to 127 characters.
Adding Comment to an ACL Rule
You can add a comment to an ACL rule as a reminder of its purpose.
Perform the following configuration in ACL view.
Table 66 Add comment to an ACL rule
Operation                             Command
Add comment to an ACL rule.           rule rule-id comment text
Remove the comment of an ACL rule.    undo rule rule-id comment
The comment of an ACL rule contains up to 128 characters.
Deleting an ACL Perform the following configuration in system view.
Table 67 Delete an ACL
Operation     Command
Delete ACL    undo acl { number acl-number | all }
Configuring Time Range
Time range configuration includes:
■ Create/Delete a time range
Creating/Deleting a Time Range
This task creates a time range; several time ranges can be created with the same name.
Perform the following configuration in system view.
Table 68 Configure time range
Operation              Command
Create a time range    time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
Delete a time range.   undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
Displaying and Debugging ACL
After the above configuration, execute the display command in any view to display the running ACL configuration and to verify the effect of the configuration. Execute the reset command in user view to reset the ACL counters.
Table 69 Display and debug ACL
Operation                           Command
Display the configured ACL rules.   display acl { all | acl-number }
Display information on time ranges. display time-range { all | time-name }
Reset ACL counters.                 reset acl counter { all | acl-number }
Typical Configuration Examples of ACL
Refer to the typical configuration examples in the part about packet filtering firewall.
6 NAT CONFIGURATION
NAT Overview
Introduction to NAT As described in RFC 1631, Network Address Translation (NAT) translates the IP address in an IP packet header into another IP address. In practice it is mainly used to let a private network access an external network. NAT slows the depletion of the IP address space by using a few public IP addresses to represent many private IP addresses.
Note: A private address is the address of a network or host on an intranet; a public address is a globally unique IP address on the Internet.
The IP addresses that RFC 1918 reserves for private use are:
Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Addresses in these three ranges are never assigned on the Internet, so a company or enterprise can use them on its intranet without applying to an ISP or a registry.
A basic NAT application is shown in the following figure.
Figure 13 Network diagram for basic processes of address translation
[Figure: the internal PC 192.168.1.3 and server 192.168.1.2 sit behind the NAT server, whose inside interface is 192.168.1.1 and outside interface 202.169.10.1; the external servers 202.120.10.2 and 202.120.10.3 are on the Internet. Data packet 1 leaves the PC with source 192.168.1.3 and destination 202.120.10.2, and leaves the NAT server with source 202.169.10.1. Data packet 2 returns with source 202.120.10.2 and destination 202.169.10.1, and reaches the PC with destination 192.168.1.3.]
A NAT server such as the security gateway sits at the boundary between the private network and the public network. When the internal PC at 192.168.1.3 sends data packet 1 to the external server at 202.120.10.2, the packet traverses the NAT server. The NAT server inspects the packet header; if the destination address is an external address, it translates the source address 192.168.1.3 into a valid public Internet address, 202.169.10.1, forwards the packet to the external server and records the mapping in its network address translation table. The external server sends the response, data packet 2, to destination 202.169.10.1, that is, to the NAT server. After looking up the translation table, the NAT server replaces the destination address of packet 2 with the original private address 192.168.1.3 of the internal PC.
This NAT process is transparent to the terminals, such as the PC and the servers in the figure. NAT "hides" the private network of the enterprise: the external server sees 202.169.10.1 as the address of the internal PC and is unaware that 192.168.1.3 exists.
The main benefit of NAT is easy access to outside resources for intranet hosts while keeping the inner hosts private. NAT also has drawbacks:
■ Because the IP addresses in packets must be translated, the parts of a packet that carry IP address information cannot be encrypted. For example, an encrypted FTP control connection cannot be used, because the FTP port information in it could not be translated correctly.
■ Network debugging becomes more difficult. For instance, when an internal host attacks other networks, it is hard to point out which computer is malicious, because the host's IP address is hidden behind the translated address.
Functions Provided by NAT
Many-to-Many Address Translation and Address Translation Control
As shown in Figure 13, the source address of an intranet packet is translated by NAT into an appropriate extranet address (in the figure, the public address of the outbound interface of the NAT server). In this way all hosts in the intranet share one extranet address when they access the external network, which means that only one host can access the external network at a time when there are many concurrent requests. This is called "one-to-one address translation".
An extended form of NAT allows concurrent access: multiple public IP addresses are assigned to the NAT server. The NAT server assigns public address IP1 to one requesting host, records the mapping in the address translation table and forwards the packet, then assigns another public address IP2 to the next requesting host, and so on. This is called "many-to-many address translation".
Note: The number of public IP addresses on the NAT server can be far smaller than the number of hosts in the intranet, because not all hosts access the extranet at the same time. The number of public addresses is determined by the maximum number of intranet hosts accessing the extranet at the busiest time.
In practice it may be required that only some intranet hosts can access the Internet (external network). In other words, the NAT server does not translate the source IP addresses of unauthorized hosts. This is called address translation control.
The security gateway implements many-to-many address translation and address translation control with an address pool and an ACL respectively.
■ Address pool: A set of public IP addresses used for address translation. The customer configures an address pool suited to the number of valid public addresses, the number of internal hosts and the actual conditions. During translation an address is selected from the pool as the source address.
■ ACL-based address translation: Only packets matching the ACL are translated. This effectively limits the range of addresses translated and lets only specific hosts access the Internet.
NAPT There is another way to implement concurrent access: Network Address Port Translation (NAPT), which maps multiple internal addresses to the same public address. It is therefore informally called "many-to-one address translation" or address multiplexing.
NAPT maps the IP addresses and port numbers of packets from various internal addresses to the same public address with different port numbers. In this way different internal addresses share one public address.
The fundamentals of NAPT are shown in the following figure.
Figure 14 NAPT allowing multiple internal hosts to share a public address
[Figure: the same topology as Figure 13 (NAT server inside address 192.168.1.1, outside address 202.169.10.1). Data packet 1 from 192.168.1.3 source port 1537 leaves as 202.169.10.1 port 1537; data packet 2 from 192.168.1.3 source port 2468 leaves as 202.169.10.1 port 2468; data packet 3 from 192.168.1.1 source port 1111 leaves as 202.169.10.1 port 1111; data packet 4 from 192.168.1.2 source port 1111 leaves as 202.169.10.1 port 2222.]
As shown in the figure, four packets from internal addresses arrive at the NAT server. Packet 1 and packet 2 come from the same internal address with different source port numbers; packet 3 and packet 4 come from different internal addresses with the same source port number. After NAT mapping all four packets carry the same public source address but different source port numbers, so they remain distinguishable. For the response packets, the NAT server likewise distinguishes them by destination address and port number and forwards each to the corresponding internal host.
Static Network Address Translation
Static NAT converts internal host addresses in a specified range to specified public network addresses; only the network part of the address is converted and the host part is unchanged. When internal hosts whose addresses are in the specified range access the outside network, their internal addresses are converted to public network addresses. Conversely, outside hosts can use the public network addresses to access internal hosts directly, provided the internal addresses obtained by converting the public addresses back are in the specified range.
Static NAT creates a direct mapping between internal host addresses and public network addresses, and so implements a function similar to that of a NAT internal server.
However, static NAT requires a large public IP address space, because it holds a one-to-one mapping between internal host addresses and public network addresses. You can combine static and dynamic NAT, as long as the addresses do not conflict.
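The translations described under NAPT (Figure 14), many-to-many translation with no-pat, static inside ip NAT and the aging of translation entries can be reproduced with the following Python model. It is an added example written for this page, not code from the 3Com security gateway: the NatGateway class, the static_inside_ip function, the sample flows and the address pools are constructed here. It assumes that NAPT keeps a host's original source port whenever that port is still free on the public address and otherwise hands out a fresh port (2222 for packet 4, as in the figure), that many-to-many (no-pat) mode gives each inside host one pool address until all of its flows age out, and that entries age with the default lifetimes listed later in this chapter under Configuring Address Translation Lifetimes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]      # (protocol, address, port) on one side of the gateway

# Default lifetimes from this chapter, in seconds (tcp-syn/tcp-fin are 60 as well).
DEFAULT_AGING = {"tcp": 86400, "udp": 300, "icmp": 60}

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def static_inside_ip(addr: str, inside_start: str, inside_end: str,
                     global_addr: str, mask: str) -> Optional[str]:
    """nat static inside ip: replace the network part with global_addr's, keep the host part.
    Returns None when addr lies outside the configured inside range."""
    a = _ip(addr)
    if not _ip(inside_start) <= a <= _ip(inside_end):
        return None
    m = _ip(mask)
    return str(ipaddress.IPv4Address((_ip(global_addr) & m) | (a & (0xFFFFFFFF ^ m))))

@dataclass
class NatGateway:
    pool: List[str]                   # addresses of the nat address-group
    no_pat: bool = False              # True: many-to-many (address only); False: NAPT
    aging: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_AGING))
    table: Dict[Flow, Tuple[Flow, int]] = field(default_factory=dict)  # inside -> (outside, expiry)
    reverse: Dict[Flow, Flow] = field(default_factory=dict)            # outside -> inside
    host_map: Dict[str, str] = field(default_factory=dict)             # no-pat: inside host -> public
    next_port: int = 2222             # constructed: first port handed out on a collision

    def _expire(self, now: int) -> None:
        """Age out entries that have carried no traffic within their lifetime."""
        for inside, (outside, expiry) in list(self.table.items()):
            if expiry <= now:
                del self.table[inside]
                del self.reverse[outside]
                if not any(f[1] == inside[1] for f in self.table):
                    self.host_map.pop(inside[1], None)   # no live flow left: free the address

    def outbound(self, proto: str, src: str, sport: int, now: int = 0) -> Optional[Flow]:
        """Translate a flow leaving the intranet; returns (proto, public ip, port) or None."""
        self._expire(now)
        inside = (proto, src, sport)
        if inside in self.table:
            outside = self.table[inside][0]
        elif self.no_pat:
            free = [p for p in self.pool if p not in self.host_map.values()]
            pub = self.host_map.get(src) or (free[0] if free else None)
            if pub is None:
                return None                   # pool exhausted: the host cannot be translated
            self.host_map[src] = pub
            outside = (proto, pub, sport)     # only the address changes
        else:
            pub, port = self.pool[0], sport   # NAPT: every host shares one address;
            if (proto, pub, port) in self.reverse:    # keep the port unless already in use
                port, self.next_port = self.next_port, self.next_port + 1
            outside = (proto, pub, port)
        self.table[inside] = (outside, now + self.aging[proto])   # (re)start the lifetime
        self.reverse[outside] = inside
        return outside

    def inbound(self, proto: str, dst: str, dport: int, now: int = 0) -> Optional[Flow]:
        """Map a packet from the Internet back to the inside flow; None means no live entry."""
        self._expire(now)
        return self.reverse.get((proto, dst, dport))
```

A response that arrives after the entry has aged out (the UDP entry 300 seconds after its last packet, with the default lifetime) finds no translation and is dropped, which is the behaviour the lifetime configuration later in this chapter controls.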
NAT Configuration NAT configuration includes:
■ Configure address pool.
■ Configure Easy IP
■ Configure static NAT
■ Configure many-to-many NAT
■ Configure NAPT
■ Configure internal server support
■ Configure NAT effective time (Optional)
Configuring Address Pool
An address pool is a collection of consecutive IP addresses. When an internal packet needs to access the external network through NAT, an address in the pool is chosen as its translated source address. Perform the following configuration in system view.
CAUTION: An address pool cannot be deleted while it is associated with an access control list for NAT.
Note: If only Easy IP is used on the security gateway, the address of the interface itself is used as the translated IP address and no address pool is needed.
Table 70 Configure address pool
Operation Command
Define an address pool nat address-group group-number start-addr end-addr
Delete an address pool undo nat address-group group-number
Configuring NAT NAT is accomplished by associating an address pool with an ACL. The association links the IP packets characterized by the ACL to the addresses defined in the address pool. When a packet travels from the inner network to the outer network, it is first filtered by the ACL; if the ACL permits it, the association between the ACL and the address pool is used to select an address, which then serves as the translated address.
The configuration of ACLs is discussed in "ACL Configuration".
The configuration differs for each kind of NAT.
Easy IP
The nat outbound acl-number command without the address-group parameter implements the "Easy IP" feature. During address translation the IP address of the interface is used as the translated address, and the ACL controls which addresses are translated.
Perform the following configuration in interface view.
Table 71 Configure Easy IP
Operation                                                     Command
Add association for access control list and address pool      nat outbound acl-number
Delete association for access control list and address pool   undo nat outbound acl-number
Associating ACL with Loopback interface address
Perform the following configuration in interface view.
The source address of packets that match the ACL is replaced with the IP address of the specified Loopback interface.
Table 72 Associate ACL with Loopback interface address
Operation                                                                Command
Associate the ACL with the specified Loopback interface address          nat outbound acl-number interface interface-type interface-number
Remove the association between the ACL and Loopback interface address    undo nat outbound acl-number interface interface-type interface-number
Configuring static NAT table
1 Configuring static one-to-one NAT table
Perform the following configuration in system view.
Table 73 Configure a one-to-one private-to-public address binding
Operation                                                          Command
Configure a one-to-one private-to-public address binding.          nat static ip-addr1 ip-addr2
Delete an existing one-to-one private-to-public address binding.   undo nat static ip-addr1 ip-addr2
2 Configuring static inside ip NAT table
Static inside ip NAT converts only the network part of the address and leaves the host part unchanged.
Perform the following configuration in system view.
Table 74 Configure static inside ip NAT table
Operation                                        Command
Configure a static inside ip NAT table           nat static inside ip inside-start-address inside-end-address global global-address mask
Remove the existing static inside ip NAT table   undo nat static inside ip inside-start-address inside-end-address global global-address mask
The nat static inside ip and nat static commands create two different types of static NAT entries. The two types must not conflict.
CAUTION: When configuring static inside ip NAT, make sure that the addresses after translation are not used by other devices in the network.
3 Applying static NAT entries on the interface
Perform the following configuration in interface view.
Table 75 Apply static NAT entries on the interface
Operation                                                   Command
Apply the configured static NAT entries on the interface    nat outbound static
Disable the configured static entries on the interface      undo nat outbound static
Configuring many-to-many NAT
Many-to-many NAT is accomplished by associating the ACL with the NAT address pool.
Perform the following configuration in interface view.
Table 76 Configure many-to-many NAT
Operation                                                     Command
Add association for access control list and address pool      nat outbound acl-number [ address-group group-number [ no-pat ] ]
Delete association for access control list and address pool   undo nat outbound acl-number [ address-group group-number [ no-pat ] ]
Configuring NAPT
When associating the ACL with the NAT address pool, the no-pat parameter means that only the IP address is translated and the port information is left unchanged, that is, NAPT is not used. Omitting no-pat means that NAPT is used.
By default, the NAPT function is active.
Perform the following configuration in interface view.
Table 77 Configure NAPT
Operation                                                     Command
Add association for access control list and address pool      nat outbound acl-number [ address-group group-number ]
Delete association for access control list and address pool   undo nat outbound acl-number [ address-group group-number ]
Table 78 Configure Overlap Address
Operation                                                                          Command
Configure the mapping from the overlap address pool to the temporary address pool  nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }
Remove the mapping from the overlap address pool to the temporary address pool     undo nat overlapaddress number
Configuring Internal Server
By configuring an internal server, an external address and port are mapped to the internal server, so that hosts on the external network can access the internal server.
The mapping between the internal server and the external network is configured with the nat server command.
The information the user must provide includes the external address, external port, internal server address, internal server port and the protocol type of the service.
Perform the following configuration in interface view.
Table 79 Configure internal server
Operation                   Command
Add an internal server      nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
                            nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
Delete an internal server   undo nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
                            undo nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
Note:
■ If either global-port or inside-port is defined as "any", the other must also be defined as "any" or be left undefined.
■ TFTP is a special protocol; therefore, when you configure a NAT server entry for a TFTP server, make sure you also configure the corresponding nat outbound command for the internal TFTP server.
Enabling NAT ALG Perform the following configuration in system view.
Table 80 Enable NAT ALG
Operation                                     Command
Enable NAT ALG (application level gateway)    nat alg { dns | ftp | h323 | ils | msn | nbt | pptp | sip }
Disable NAT ALG                               undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp | sip }
By default, NAT ALG is enabled.
Configuring Domain Name Mapping
If the internal network has no DNS server but has several internal servers (such as FTP and WWW servers), internal hosts may want to use different domain names to distinguish the servers and access them. This command meets that requirement.
Perform the following configuration in system view.
Table 81 Configure domain name mapping
Operation                                                                                           Command
Configure a mapping entry from a domain name to the external IP address, port number and protocol type   nat dns-map domain-name global-addr global-port [ tcp | udp ]
Remove the domain name mapping entry                                                                undo nat dns-map domain-name
Up to 16 domain name mapping entries can be defined.
Configuring Address Translation Lifetimes
Because the hash table entries used by NAT do not exist forever, the user can configure the lifetime of the entries for protocols such as TCP, UDP and ICMP separately. If an entry is not used within the configured time, the connection and the entry it uses are aged out.
For example, the user at IP address 10.110.10.10 sets up an external TCP connection from port 2000, and NAT assigns a corresponding address and port for it. If that TCP connection carries no traffic for the configured time, the system deletes the connection.
Perform the following configuration in system view.
Table 82 Configure address translation lifetime values
Operation                                      Command
Configure address translation lifetime values. nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }
If the nat aging-time default command is configured, the default address translation lifetime values of the system apply.
The default address translation lifetime values for the different protocols are:
■ DNS: 60 seconds
■ FTP control link: 7,200 seconds
■ FTP data link: 240 seconds
■ PPTP: 86,400 seconds
■ TCP: 86,400 seconds
■ TCP FIN, RST or SYN connection: 60 seconds
■ UDP: 300 seconds
■ ICMP: 60 seconds
The default ALG aging time depends on the application. To limit the resources that half-open connections can consume under attack, you can set the aging time of the first packet of a connection (the tcp-syn lifetime) to five seconds.
Displaying and Debugging NAT
After the above configuration, execute the display command in any view to display the running state of the NAT configuration and to verify the effect of the configuration.
Execute the reset command in user view to clear the NAT mapping table.
Execute the debugging command in user view to debug NAT.

Table 83 Display and debug NAT
  Operation: Check NAT status
  Command:   display nat { address-group | aging-time | all | outbound | server | statistics | session [ source { global global-addr | source inside inside-addr } ] }
  Operation: Enable the debugging of NAT
  Command:   debugging nat { alg | event | packet [ interface interface-type interface-number ] }
  Operation: Disable the debugging of NAT
  Command:   undo debugging nat { alg | event | packet [ interface interface-type interface-number ] }
  Operation: Clear NAT mapping table
  Command:   reset nat { log-entry | session slot slot-number }

NAT Configuration Example
Network requirements
As shown in Figure 15, an enterprise is connected to the WAN through the address translation function of the module. The enterprise must be able to access the Internet through the module and provide www, ftp and smtp services to the outside. The address of the internal ftp server is 10.0.1.2/24, that of the internal www server is 10.0.1.1/24, and that of the internal smtp server is 10.0.1.3/24. A single server IP address is to be presented to the outside. The internal network segment 10.0.0.0/24 may access the Internet, but PCs on other segments cannot. External PCs may access the internal servers. The enterprise has six legal IP addresses, 202.38.160.100 to 202.38.160.105; 202.38.160.100 is chosen as the external IP address of the enterprise.
Network diagram
Figure 15 Network diagram for NAT configuration
[Figure 15 (labels recovered from the diagram): PC 10.0.0.1/24 in VLAN 10, gateway 10.0.0.254/24; WWW 10.0.1.1/24, FTP 10.0.1.2/24 and SMTP 10.0.1.3/24 in VLAN 20, gateway 10.0.1.254/24; Switch 8800 VLAN 30 interface 30.0.0.1/24 connected to the SecBlade at 30.0.0.254/24; SecBlade VLAN 50 interface 202.38.160.100 connected to the Internet gateway 202.38.160.200.]
Configuration procedure
1 For the PC, the IP address is 10.0.0.1/24 and the gateway address is 10.0.0.254.
For the WWW Server, the IP address is 10.0.1.1/24 and the gateway address is 10.0.1.254.
For the FTP Server, the IP address is 10.0.1.2/24 and the gateway address is 10.0.1.254.
For the SMTP Server, the IP address is 10.0.1.3/24 and the gateway address is 10.0.1.254.
2 Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 20
[3Com-vlan20] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 20
[3Com-Vlan-interface20] ip address 10.0.1.254 24
[3Com-Vlan-interface20] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create the SecBlade test.
[SW8800] secblade test
# Specify the module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module of the specified slot (both the default user name and password are SecBlade).
<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 202.38.160.100 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static routes.
[secblade] ip route-static 0.0.0.0 0 202.38.160.200
[secblade] ip route-static 10.0.0.0 16 30.0.0.1
# Configure the address pool and the ACL.
[secblade] nat address-group 1 202.38.160.101 202.38.160.105
[secblade] acl number 2001
[secblade-acl-basic-2001] rule permit source 10.0.0.0 0.0.0.255
[secblade-acl-basic-2001] quit
# Translate the addresses of the whole 10.0.0.0/24 network segment on the external sub-interface.
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] nat outbound 2001 address-group 1
# Set the internal ftp server.
[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.2 ftp
# Set the internal WWW server.
[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.1 www
# Set the internal smtp server.
[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.3 smtp
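The following Python model (an added illustration, not 3Com code) ties the configuration example above to the address translation lifetimes described earlier in this chapter: ACL 2001 gates outbound NAPT from address group 1, the three nat server entries map inbound connections to 202.38.160.100, and sessions age out per protocol and TCP state using the default lifetimes listed under "Configuring Address Translation Lifetimes". The pool allocation order, the port numbering and the packets fed in are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Default lifetimes in seconds, as listed in this chapter (nat aging-time default).
DEFAULT_AGING = {"tcp": 86400, "tcp-syn": 60, "tcp-fin": 60, "udp": 300, "icmp": 60,
                 "dns": 60, "ftp-ctrl": 7200, "ftp-data": 240, "pptp": 86400}

# acl number 2001 / rule permit source 10.0.0.0 0.0.0.255
ACL_2001 = [ipaddress.ip_network("10.0.0.0/24")]
# nat address-group 1 202.38.160.101 202.38.160.105
ADDRESS_GROUP_1 = [f"202.38.160.{h}" for h in range(101, 106)]
GLOBAL_ADDR = "202.38.160.100"
# nat server entries: (global port, protocol) -> (inside host, host port)
NAT_SERVERS = {(21, "tcp"): ("10.0.1.2", 21),   # ftp
               (80, "tcp"): ("10.0.1.1", 80),   # www
               (25, "tcp"): ("10.0.1.3", 25)}   # smtp


@dataclass
class Session:
    proto: str
    inside: tuple        # (addr, port) on the intranet side
    outside: tuple       # (pool addr, port) as seen from the Internet
    remote: tuple        # (addr, port) of the Internet peer
    state: str           # "syn", "established" or "fin" (TCP only)
    last_seen: float


@dataclass
class Nat:
    aging: dict = field(default_factory=lambda: dict(DEFAULT_AGING))
    sessions: dict = field(default_factory=dict)   # (proto, inside addr, inside port) -> Session
    next_port: int = 1024                          # constructed allocation scheme

    def set_aging(self, key, seconds):
        """Equivalent of 'nat aging-time <key> <seconds>' for one protocol key."""
        if key not in self.aging:
            raise ValueError(f"unknown aging key {key}")
        self.aging[key] = seconds

    def lifetime(self, s):
        """Lifetime that applies to a session; for TCP it depends on the state."""
        if s.proto == "tcp":
            return {"syn": self.aging["tcp-syn"], "fin": self.aging["tcp-fin"]}.get(
                s.state, self.aging["tcp"])
        return self.aging[s.proto]

    def outbound(self, src, sport, dst, dport, proto, now, flags=""):
        """Intranet -> Internet packet. Returns the translated (addr, port), or None
        when ACL 2001 does not permit the source (other segments are not translated)."""
        if not any(ipaddress.ip_address(src) in net for net in ACL_2001):
            return None
        key = (proto, src, sport)
        s = self.sessions.get(key)
        if s is None:
            pool_addr = ADDRESS_GROUP_1[len(self.sessions) % len(ADDRESS_GROUP_1)]
            s = Session(proto, (src, sport), (pool_addr, self.next_port), (dst, dport),
                        "syn" if proto == "tcp" else "established", now)
            self.next_port += 1
            self.sessions[key] = s
        s.last_seen = now
        if proto == "tcp" and "F" in flags:
            s.state = "fin"                      # the short tcp-fin lifetime now applies
        elif proto == "tcp" and "A" in flags and s.state == "syn":
            s.state = "established"              # handshake completed: full tcp lifetime
        return s.outside

    def inbound(self, src, sport, dst, dport, proto, now):
        """Internet -> intranet packet. Static nat server entries are consulted first,
        then existing dynamic sessions; anything else is dropped (None)."""
        if dst == GLOBAL_ADDR and (dport, proto) in NAT_SERVERS:
            return NAT_SERVERS[(dport, proto)]
        for s in self.sessions.values():
            if s.proto == proto and s.outside == (dst, dport) and s.remote == (src, sport):
                s.last_seen = now
                return s.inside
        return None

    def expire(self, now):
        """Delete sessions idle for longer than their lifetime; returns how many."""
        dead = [k for k, s in self.sessions.items() if now - s.last_seen > self.lifetime(s)]
        for k in dead:
            del self.sessions[k]
        return len(dead)
```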
Troubleshooting NAT Configuration
Fault 1: address translation abnormal
Troubleshooting: enable NAT debugging (refer to debugging nat in the command reference for the specific operation). Use the debugging information displayed on the security gateway to locate the fault initially, and then use other commands for further checks. Observe the translated source address carefully and make sure it is the expected address; otherwise, the address pool is probably configured incorrectly. Also make sure that the accessed network has a route back to the address segment defined in the address pool. Take into consideration the influence on NAT of the firewall ACL, of the address translation itself, and of the route configuration.
Fault 2: internal server abnormal
Troubleshooting: if an external host cannot access the internal server normally, check the configuration on the internal server host, or the internal server configuration on the security gateway. The internal server IP address may be wrong, or the firewall may be blocking the external host from accessing the internal network. Use the display acl command for further checks. Refer to "Firewall Configuration".
7 FIREWALL CONFIGURATION
Introduction to Firewall
A network firewall serves to prevent the dangers of the Internet from spreading to your internal network.
A firewall can prohibit unauthorized or unauthenticated access from the Internet to the protected network, while permitting internal network subscribers to access the Web or to send and receive e-mail. A firewall can also serve as an authorization gateway for Internet access, for example, permitting only specific subscribers on the internal network to access the Internet. Besides, firewalls can implement other features, such as subscriber identification and information security (encryption) processing.
In addition to protecting the Internet connection, a firewall can protect mainframes and important resources (such as data) on your network as well. All access to the protected data should pass through the firewall, even access from inside the organization.
When users of external networks access internal network resources, they pass through the firewall, and so do internal network users who access external network resources. In this sense the firewall plays the role of a "guard" that discards data packets that should be prohibited.
Firewall here mainly refers to ACL-based packet filtering (ACL/packet filtering for short), application specific packet filtering (status firewall for short) and address translation. For address translation, refer to "NAT Configuration". The following sections in this chapter mainly introduce the ACL/packet filtering firewall and the status firewall.
ACL/Packet Filtering Firewall
ACL/Packet filtering overview
Applying ACL/packet filtering on the security gateway gives the security gateway a packet filtering function. ACL/packet filtering filters IP packets. For each data packet that the security gateway is to forward, it first obtains the header information of the packet, including the upper layer protocol number carried over IP, the source address, destination address, source port and destination port, then compares this information with the configured ACL rules, and decides whether to forward or discard the packet according to the comparison result.
Packet filtering supporting fragment filtering
ACL/packet filtering on 3Com series security gateways supports testing and filtering of fragments. The packet filtering firewall tests the packet type (non-fragment packet, first fragment or non-first fragment), obtains the Layer 3 (IP layer) information of the packet (for basic ACL rules and advanced ACL rules containing no information beyond Layer 3) and the non-Layer 3 information (for advanced ACL rules containing non-Layer 3 information) for matching, and finds the configured ACL rule that matches.
For advanced ACL rules configured with exact matching, the packet filtering firewall needs to record the non-Layer 3 information of each first fragment. When the follow-up fragments arrive, the saved information is used to perform full matching against every matching condition of the ACL rule. If exact matching is used, make sure you disable the fast forwarding function by using the undo ip fast-forwarding command on the corresponding interface.
When exact matching is used for filtering, the efficiency of the packet filtering firewall is slightly reduced, and the more matching entries are configured, the more it is reduced. A threshold can be configured to limit the maximum number of entries the firewall processes.
For definitions of normal matching and exact matching, refer to “ACL Configuration”.
Application Specific Packet Filter
The ACL/packet filtering firewall is a static firewall with the following problems:
■ Some security policies cannot foresee multi-channel application protocols such as FTP and H.323.
■ It is unable to detect some attacks from the application layer, such as TCP SYN and Java applet attacks.
Therefore, the concept of the status firewall, ASPF, was brought forth. Application specific packet filter (ASPF) is packet filtering oriented to the application and transport layers, namely status based packet filtering. The application layer protocol detections include FTP, HTTP, SMTP, RTSP and H.323 (Q.931, H.245 and RTP/RTCP). The transport layer protocol detection contains general TCP/UDP detection.
ASPF performs the following primary functions:
■ Checks application layer protocol information, such as the protocol type and port number of a packet, and monitors the status of connection-based application layer protocols. ASPF maintains the information of each connection and dynamically decides whether to permit a data packet into the internal network, to prevent malicious intrusion.
■ Detects transport layer protocol information, that is, general TCP and UDP detection, and decides whether to permit a TCP/UDP packet into the internal network.
ASPF implements the following additional functions:
■ It can detect and defend against Denial of Service (DoS) attacks.
■ Not only can it filter packets based on the connection, but it can also inspect packet content at the application layer. Java blocking for distrusted sites protects the network from malicious Java applets.
■ It enhances the session logging function and can log all the connection information, including time, source address, destination address, the port in use, and the number of transmitted bytes.
■ It supports Port to Application Map (PAM) and allows user-defined application protocols to use non-standard ports.
On the network edge, ASPF cooperates with common static firewall to provide comprehensive and practical security policy for intranets.
Basic Concepts
■ Java blocking
Java Blocking blocks Java applets transferred by the HTTP protocol. When Java Blocking is configured, ASPF blocks and filters out the requests sent by users who attempt to obtain Java applet-included programs from web pages. If Active Blocking is configured, ASPF blocks Active controls transferred through HTTP to protect the user from installing unsafe or malicious controls.
■ Port to application mapping
Application layer protocols use some (well-known) port numbers pre-defined by the system for communication. PAM (Port to Application Mapping) permits subscribers to define a set of new port numbers, other than those pre-defined by the system, for different applications, and provides a mechanism to maintain and use the port configuration information defined by subscribers.
PAM supports two kinds of mapping mechanisms: general port mapping and ACL-based host port mapping. General port mapping establishes a mapping between user-defined port numbers and application layer protocols. For example, mapping port 8080 to the HTTP protocol causes all TCP packets with destination port 8080 to be treated as HTTP packets. Basic ACL-based host mapping establishes a mapping between user-defined port numbers and application protocols for packets to/from specific hosts. For example, TCP packets using port 8080 and destined to the network segment 10.110.0.0 can be mapped to HTTP. The range of hosts is specified by a basic ACL.
■ Single-channel protocol/multi-channel protocol
Single-channel protocol: only one channel is used for data interaction from the establishment of a session to its end. Such protocols include SMTP and HTTP.
Multi-channel protocol: the exchange of control information and the transfer of data take place in different channels. Such protocols include FTP and RTSP.
■ Internal interface and external interface
If a security gateway connects an internal network to the Internet and deploys ASPF to protect the servers of the internal network, the interface on the security gateway connecting to the internal network is the internal interface, while the one connecting to the Internet is the external interface.
When ASPF is applied to the outbound direction of an external interface on the security gateway, a temporary channel can be opened on the firewall for the returned packets of internal network users who access the Internet.
Fundamentals of application protocol layer detection
Figure 16 Fundamentals of application protocol layer detection
As shown in the figure above, a static ACL is generally needed on the security gateway to allow hosts of the internal network to access the external network and to prohibit hosts of the external network from accessing the internal network. However, a static ACL also filters out the packets returned after an internal user initiates a connection, so the connection cannot be established. When the security gateway is configured with application layer protocol detection, ASPF detects every session at the application layer and creates a status table and a temporary access control list (TACL). The status table is created when the first packet is detected and is used to maintain the status of the session and to check that each status transition of the session is correct. A TACL entry is created together with the status entry and is deleted after the session terminates. It acts like a permit entry in an advanced ACL that matches all the returned packets of the session, so that, in effect, a temporary channel is opened at the external interface of the firewall for those returned packets.
Take FTP detection for example to illustrate the process of a multi-channel application layer protocol detection.
Figure 17 FTP detection process
Following is how an FTP connection is set up:
Suppose that an FTP client initiates an FTP control channel connection from its port 1333 to port 21 of the FTP server. After negotiation, the server initiates a data channel connection from its port 20 to port 1600 of the client. The connection is deleted when the data transfer ends or times out.
[Figure 16 (labels recovered from the diagram): Client A on the protected network initiates a session through the Switch 8800 to a Server on the WAN; the returned packets of Client A are permitted to pass, while packets of other sessions are blocked.]
[Figure 17 (labels recovered from the diagram): control channel connection from FTP Client port 1333 to FTP Server port 21, carrying FTP commands and responses including the PORT command; data connection from FTP Server port 20 to FTP Client port 1600.]
Following is how FTP detection operates from the time an FTP connection is set up until it is disconnected:
1 Checks the IP packet sent from the egress interface to the outside and acknowledges that it is an FTP packet based on TCP.
2 Checks the port number, acknowledges it as a control connection, and creates a TACL and status table for the returned packets.
3 Checks the FTP control connection packets, resolves the FTP instructions, and updates the status table according to the instructions. If there are instructions that establish data channels, it creates TACL entries for those data links. It does not track the status of the data links.
4 Performs match detection on the returned packets according to protocol type, and then decides whether to pass the packets after referring to the status table and the TACL of the protocol.
5 The status table and TACL are cleared when the FTP connection is deleted.
The detection of single-channel application layer protocols, such as SMTP and HTTP, is rather simple: a TACL is created and cleared together with the connection.
Fundamentals of transport protocol layer detection
Here the transport layer protocol detection refers to TCP/UDP detection. Unlike application layer protocol detection, transport layer detection examines only the transport layer information of the packet, such as source address, destination address and port number. TCP/UDP detection requires that the packets returned to the external interface of ASPF match exactly the packets sent out from it, that is, the source address, destination address and port number must correspond; otherwise, the returned packets are blocked. Therefore, you cannot establish a connection for multi-channel application layer protocols such as FTP and H.323 if you configure only TCP detection and not application layer detection.
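To make the FTP detection steps and the TCP-only limitation above concrete, here is an added Python model (not 3Com code) of the status table and TACL on the external interface: with FTP detection, the PORT command seen on the control channel opens a TACL entry for the server's data connection, whereas with general TCP detection alone that data connection is blocked. The addresses 10.0.0.1 and 203.0.113.7 and all packets are constructed; the ports follow Figure 17.

```python
import re

# Data channel announcement on the FTP control connection: PORT h1,h2,h3,h4,p1,p2
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Aspf:
    """Status table plus temporary ACL (TACL) kept on the external interface."""

    def __init__(self, detect_ftp=True):
        self.detect_ftp = detect_ftp   # False: general TCP detection only
        self.status = {}               # (src, sport, dst, dport) -> "control" | "tcp"
        self.tacl = set()              # permitted returned packets: (src, sport, dst, dport)

    def outbound(self, src, sport, dst, dport, payload=b""):
        """Packet leaving through the external interface (steps 1 to 3 of FTP detection).
        Returns the status recorded for the session."""
        key = (src, sport, dst, dport)
        if key not in self.status:
            # step 2: new session -> status entry plus a TACL entry for its returned packets
            self.status[key] = "control" if (self.detect_ftp and dport == 21) else "tcp"
            self.tacl.add((dst, dport, src, sport))
        if self.status[key] == "control":
            # step 3: resolve FTP instructions; a PORT command announces where the
            # server must open the data connection, so a TACL entry is added for it
            m = PORT_CMD.match(payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                self.tacl.add((dst, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        return self.status[key]

    def inbound(self, src, sport, dst, dport):
        """Returned packet on the external interface (step 4): permitted only if a
        TACL entry matches exactly; everything else stays blocked by the static ACL."""
        return (src, sport, dst, dport) in self.tacl

    def close(self, src, sport, dst, dport):
        """Session torn down (step 5): clear its status entry and its TACL entries,
        including the data channel entries between the same server and client."""
        self.status.pop((src, sport, dst, dport), None)
        self.tacl = {e for e in self.tacl if not (e[0] == dst and e[2] == src)}
```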
Configuring Packet Filter Firewall
Packet filtering firewall configuration includes:
■ Enable or Disable Firewall
■ Set the Default Filtering Mode of Firewall
■ Enable Packet Filtering Firewall Fragment Detection Switch
■ Configure High/Low Threshold of Fragment Inspection
■ Apply ACL on the Interface
Enabling or Disabling Firewall
Perform the following configuration in system view.
By default, firewall is disabled.
Table 84 Enable or disable firewall
  Operation: Enable firewall
  Command:   firewall packet-filter enable
  Operation: Disable firewall
  Command:   undo firewall packet-filter enable
Setting the Default Filtering Mode of Firewall
Setting the default filtering mode of the firewall means choosing the policy the firewall adopts when there is no appropriate rule to judge whether a user packet can pass: permit the packet or deny it.
Perform the following configuration in system view.

Table 85 Set the default filtering mode of firewall
  Operation: Set the default filtering mode as permitting the packet to pass
  Command:   firewall packet-filter default permit
  Operation: Set the default filtering mode as denying the packet to pass
  Command:   firewall packet-filter default deny

When the firewall is enabled, packets are denied by default.

Enabling Packet Filtering Firewall Fragment Detection Switch
Perform the following configuration in system view.

Table 86 Enable fragment detection switch
  Operation: Enable fragment detection switch
  Command:   firewall packet-filter fragments-inspect
  Operation: Disable fragment detection switch
  Command:   undo firewall packet-filter fragments-inspect

Note: Only after the fragment detection switch is enabled can exact matching mode take effect in the real sense.

Configuring Upper/Lower Threshold of Fragment Inspection
Perform the following configuration in system view.

Table 87 Configure upper/lower threshold of fragment inspection
  Operation: Specify the number of upper/lower threshold fragment state records
  Command:   firewall packet-filter fragments-inspect { high | low } { default | number }
  Operation: Restore the default number of upper/lower threshold fragment state records
  Command:   undo firewall packet-filter fragments-inspect { high | low }

The default upper threshold is 2000 fragment state records and the default lower threshold is 1500 fragment state records.

Applying ACL on the Interface
When an access rule is applied on an interface, the time range filtering principle is followed at the same time. Moreover, access rules can be specified separately for packets transmitted and received on the interface.
Perform the following configuration in interface view.

Table 88 Apply ACL on the interface
  Operation: Specify the rule for filtering packets transmitted and received on the interface
  Command:   firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]
  Operation: Remove the rule for filtering packets transmitted and received on the interface
  Command:   undo firewall packet-filter acl-number { inbound | outbound }

You can only use the parameter outbound for interface-based ACLs (ACL 1000 to 1999).
An advanced ACL can perform standard matching and exact matching. Standard matching uses only Layer 3 information, whereas exact matching checks all the conditions of the advanced ACL rules. Therefore, the firewall must be able to obtain and keep the state information of the first fragment in order to have complete matching information for the fragments that follow.
If exact matching is used, make sure you disable the fast forwarding function by using the undo ip fast-forwarding command on the corresponding interface.
Standard matching is used by default.
The match-fragments keyword can be applied to advanced ACLs only.
Note: To apply MAC address-based ACLs to interfaces, you must set the firewall in transparent mode. Otherwise, the system prompts "Please firstly active the Transparent mode!". See "Transparent Firewall" for more information about the transparent firewall.

Displaying and Debugging Packet Filtering Firewall
After the above configuration, execute the display command in any view to display the running state of the packet filtering firewall configuration and to verify the effect of the configuration.
Execute the debugging command in user view to debug the packet filtering firewall.

Table 89 Display and debug firewall
  Operation: Display statistics about the firewall on the interface
  Command:   display firewall packet-filter statistics { all | interface type number | fragments-inspect }
  Operation: Display the fragments on the firewall
  Command:   display firewall fragment
  Operation: Enable firewall packet filtering debugging (in user view)
  Command:   debugging firewall packet-filter { all | denied | permitted | icmp | packet { permitted | denied } | tcp | udp | fragments-inspect | others } [ interface type number ]
  Operation: Disable firewall packet filtering debugging (in user view)
  Command:   undo debugging firewall packet-filter { all | denied | permitted | icmp | packet { permitted | denied } | tcp | udp | fragments-inspect | others } [ interface type number ]
  Operation: Clear firewall packet filtering statistics
  Command:   reset firewall packet-filter statistics { all | interface type number }
Packet Filtering Firewall Configuration Example
Network requirements
The company accesses the Internet through the Firewall module. It provides WWW and SMTP services externally. The internal WWW server address is 20.0.0.1 and the internal SMTP server address is 20.0.0.2. Only a specific external PC may access the internal servers, and it must not be able to access other resources of the internal network. Suppose the IP address of that external PC is 210.1.5.1.
Network diagram
Figure 18 Network diagram for packet filtering firewall configuration
[Figure 18 (labels recovered from the diagram): internal PC 15.0.0.1/24 in VLAN 15, gateway 15.0.0.254/24; WWW 20.0.0.1/24 and SMTP 20.0.0.2/24 in VLAN 20, gateway 20.0.0.254/24; Switch 8800 VLAN 30 interface 30.0.0.1/24 connected to the SecBlade at 30.0.0.254/24; SecBlade VLAN 50 interface 50.0.0.254/24 connected to the Internet side at 50.0.0.1/24; external PC 210.1.5.1.]
Configuration procedure
1 For the internal PC, the IP address is 15.0.0.1/24 and the gateway address is 15.0.0.254.
For the external PC, the IP address is 210.1.5.1.
For the WWW server, the IP address is 20.0.0.1/24 and the gateway address is 20.0.0.254.
For the SMTP server, the IP address is 20.0.0.2/24 and the gateway address is 20.0.0.254.
2 Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 15
[3Com-vlan15] quit
[SW8800] vlan 20
[3Com-vlan20] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 15
[3Com-Vlan-interface15] ip address 15.0.0.254 24
[3Com-Vlan-interface15] quit
[SW8800] interface vlan-interface 20
[3Com-Vlan-interface20] ip address 20.0.0.254 24
[3Com-Vlan-interface20] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create the SecBlade test.
[SW8800] secblade test
# Specify the SecBlade interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module of the specified slot (both the default user name and password are SecBlade).
<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static routes.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 15.0.0.0 24 30.0.0.1
[secblade] ip route-static 20.0.0.0 24 30.0.0.1
# Enable the firewall on the Firewall module.
[secblade] firewall packet-filter enable
# Create ACL 3002.
[secblade] acl number 3002
# Allow only the specific external host to access the internal servers and prohibit it from accessing other resources of the internal network.
[secblade-acl-adv-3002] rule permit tcp source 210.1.5.1 0 destination 20.0.0.1 0 destination-port eq 80
[secblade-acl-adv-3002] rule permit tcp source 210.1.5.1 0 destination 20.0.0.2 0 destination-port eq 25
[secblade-acl-adv-3002] rule deny ip
[secblade-acl-adv-3002] quit
# Apply ACL 3002 to the incoming data stream of the external sub-interface.
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall packet-filter 3002 inbound
Configuration Example of Fragment Packet
Filtering Through Packet Filtering Firewall
Network requirements
The company accesses the Internet through Ethernet1/0/0 on a 3Com security gateway that is connected the internal network through Ethernet0/0/0. It provides WWW and Telnet services externally. The corporate internal subnet address is 200.1.1.0/24; the internal WWW server address is 200.1.1.1; the internal Telnet server address is 200.1.1.2, and the address of the external interface Ethernet1/0/0 of the security gateway is 202.38.160.1.
To guard the internal WWW server and Telnet server against fragment packet attacks from outside, an ACL is applied on the inbound traffic through the external interface of the security gateway to prevent fragment packets from reaching the internal server.
Configuring Packet Filter Firewall 103
Network diagram
Figure 19 Network diagram of fragment packet filtering through packet filtering firewall
Configuration procedure
# Define an ACL that enables the security gateway to block the fragment packets sourced from an external network and destined for the WWW server and Telnet server.
[SW8800] acl number 3001 [3Com-acl-adv-3001] rule 1 deny ip source any destination 200.1.1.1 0 fragment [3Com-acl-adv-3001] rule 2 deny ip source any destination 200.1.1.2 0 fragment [3Com-acl-adv-3001] rule 3 permit tcp source any destination 200.1.1.1 0 destination-port eq 80 [3Com-acl-adv-3001] rule 4 permit tcp source any destination 200.1.1.2 0 destination-port eq 23 [3Com-acl-adv-3001] rule 5 deny ip [3Com-acl-adv-3001] quit
# Configure the packet filtering firewall, applying the ACL in the inbound traffic through the external interface.
[SW8800] interface Ethernet 1/0/0
[3Com-Ethernet1/0/0] firewall packet-filter 3001 inbound
The ACL above blocks only the fragment packets destined for the two internal servers and lets external hosts reach them on TCP port 80 and port 23. Return traffic for sessions initiated by internal hosts matches none of the permit rules and is dropped by rule 5; to let it through, either add ACL rules for it or enable the ASPF function on the firewall.
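The following Python model, added here as an editorial example (it is not 3Com code and not part of the original guide), evaluates packets against ACL 3001 with first-match semantics to show why the two fragment rules must come before the port-based permits. It assumes the following matching semantics for the fragment keyword, which you should confirm against your release's command reference: a rule with fragment matches only non-first fragments; a rule without it matches unfragmented packets and first fragments on all fields, and matches non-first fragments on Layer 3 fields only because those carry no transport header. The sample packets, the external address 202.38.161.9, and the permit default for an ACL with no matching rule are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet summary: only the fields the ACL can look at."""
    src: str
    dst: str
    proto: str                    # IP protocol: "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # transport destination port (None when absent)
    mf: bool = False              # IP header "more fragments" flag
    offset: int = 0               # fragment offset (non-zero = non-first fragment)

    @property
    def non_first_fragment(self) -> bool:
        # Only the first fragment (offset 0) carries the TCP/UDP header.
        return self.offset > 0


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every IP protocol
    dst: Optional[str] = None     # None = "destination any"
    dport: Optional[int] = None   # "destination-port eq N"
    fragment: bool = False        # the "fragment" keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.fragment:
            # Assumed semantics: "fragment" rules apply to non-first fragments only.
            return p.non_first_fragment
        if self.dport is not None and not p.non_first_fragment:
            return p.dport == self.dport
        # Assumed semantics: a non-first fragment has no port, so a port rule
        # without "fragment" is matched on its Layer 3 fields alone.
        return True


def evaluate(acl: List[Rule], p: Packet, default: str = "permit") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, 1-based rule number)."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(p):
            return rule.action, number
    return default, None   # no rule matched (never reached with a final "deny ip")


# ACL 3001 from the configuration above, in the order the guide gives it.
ACL_3001 = [
    Rule("deny", "ip", "200.1.1.1", fragment=True),   # rule 1
    Rule("deny", "ip", "200.1.1.2", fragment=True),   # rule 2
    Rule("permit", "tcp", "200.1.1.1", dport=80),     # rule 3
    Rule("permit", "tcp", "200.1.1.2", dport=23),     # rule 4
    Rule("deny", "ip"),                               # rule 5
]

# The same rules with the port permits moved ahead of the fragment denies.
ACL_3001_MISORDERED = ACL_3001[2:4] + ACL_3001[0:2] + ACL_3001[4:]

# Constructed traffic arriving inbound on Ethernet1/0/0.
WEB_REQUEST = Packet("202.38.161.9", "200.1.1.1", "tcp", dport=80)
TELNET_REQUEST = Packet("202.38.161.9", "200.1.1.2", "tcp", dport=23)
WRONG_PORT = Packet("202.38.161.9", "200.1.1.2", "tcp", dport=80)
FIRST_FRAGMENT = Packet("202.38.161.9", "200.1.1.1", "tcp", dport=80, mf=True)
LATER_FRAGMENT = Packet("202.38.161.9", "200.1.1.1", "tcp", mf=True, offset=185)
RETURN_TRAFFIC = Packet("202.38.161.9", "200.1.1.77", "tcp", dport=51000)

if __name__ == "__main__":
    for name, pkt in [("web", WEB_REQUEST), ("telnet", TELNET_REQUEST), ("wrong port", WRONG_PORT),
                      ("first fragment", FIRST_FRAGMENT), ("later fragment", LATER_FRAGMENT),
                      ("return traffic", RETURN_TRAFFIC)]:
        print(f"{name:15s} as configured: {evaluate(ACL_3001, pkt)}"
              f"   misordered: {evaluate(ACL_3001_MISORDERED, pkt)}")
```

With the guide's ordering the later fragment is caught by rule 1; with the permits first it slips through the port-80 rule on Layer 3 fields alone, which is the reason the deny fragment rules sit at the top. The return-traffic packet shows the point made above: nothing permits it, so rule 5 drops it until ASPF or an explicit rule handles it.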
Configuring ASPF
ASPF configuration includes:
■ Enable firewall
■ Configure ACL
■ Define an ASPF policy
■ Apply the ASPF policy on specified interfaces
Enabling Firewall
This configuration task is the same as for the packet filtering firewall.
Configuring ACL
To protect the internal network, configure an access control list on the security gateway and apply it to the external interface, permitting internal hosts to access the external network and prohibiting external hosts from accessing the internal network.
Defining an ASPF Policy
Define an ASPF policy according to the following steps:
■ Create an ASPF policy
■ Configure aging-time value
■ Configure application layer protocol detection
■ Configure general TCP or UDP detection
Creating an ASPF policy
Perform the following configuration in system view.
In Table 91, aspf-policy-number is the ASPF policy number, ranging from 1 to 99. When the command is used to create an ASPF policy, the ASPF policy view is entered at the same time.
Configuring aging-time value
Perform the following configuration in ASPF policy view.
Table 90 Configure ACL
Operation | Command
Configure ACL (in ACL view) | rule deny
Apply ACL to external interface (in interface view) | firewall packet-filter acl-num inbound

Table 91 Create an ASPF policy
Operation | Command
Create an ASPF policy | aspf-policy aspf-policy-number
Delete the created ASPF policy | undo aspf-policy aspf-policy-number

Table 92 Configure aging-time value
Operation | Command
Configure aging-time value | aging-time { syn | fin | tcp | udp } seconds
Restore the default aging-time value | undo aging-time { syn | fin | tcp | udp }
This task sets the wait timeout for TCP sessions in the SYN state and in the FIN state, and the idle timeout of TCP and UDP session entries. The default timeouts for syn, fin, tcp and udp are 30 s, 5 s, 3600 s and 30 s respectively.
Configuring application layer protocol detection
Perform the following configuration in ASPF policy view.
The application protocol can be ftp, http, h323, smtp or rtsp; the transport layer protocol can be tcp or udp.
The default TCP timeout time is 3600 seconds and the default UDP timeout time is 30 seconds.
When the protocol argument is set to http, Java blocking can be configured as follows.
Configuring generic TCP and UDP protocol detection
Perform the following configuration in ASPF policy view.
The TCP-based default timeout time is 3600 seconds and the UDP-based timeout time is 30 seconds.
It is recommended to use application layer detection together with TCP/UDP detection: configuring TCP/UDP detection without application layer protocol detection may cause return packets to be dropped, because the data channel of protocols such as FTP is negotiated inside the control session and can only be opened by inspecting that session.

For Telnet applications, generic TCP detection alone is enough to implement the ASPF function.
Table 93 Configure application layer protocol detection
Operation | Command
Configure ASPF detection for application layer protocol | detect protocol [ aging-time seconds ]
Delete the configured application protocol detection | undo detect protocol

Table 94 Configure Java blocking detection
Operation | Command
Configure Java blocking detection | detect http [ java-blocking acl-number ] [ aging-time seconds ]
Delete the configured ASPF detection rule | undo detect http

Table 95 Configure general TCP and UDP protocol detection
Operation | Command
Configure general TCP detection | detect tcp [ aging-time seconds ]
Configure general UDP detection | detect udp [ aging-time seconds ]
Delete general TCP detection | undo detect tcp
Delete general UDP detection | undo detect udp
Applying ASPF Policy on Specified Interface
Stream detection on an interface takes effect only after a predefined ASPF policy has been applied to the external interface.
Perform the following configuration in interface view.
The packets that initiate a session and the packets returned for it must pass through the same interface, because the application layer protocol state is stored and maintained per interface.
Setting the Session Timeout Values
Perform the following configuration in system view.
Refer to the Command Manual for default values of various protocols.
Configuring a Port Mapping Entry
Configuring a port mapping entry
Perform the following configuration in system view.
The range of hosts in the host-specific PAM is specified using a basic ACL.
Displaying and Debugging ASPF
After the above configuration, execute the display commands in any view to display the running ASPF configuration and verify the effect of the configuration. Execute the debugging commands in user view to debug ASPF.
Table 96 Apply ASPF policy on specified interface
Operation | Command
Configure ASPF detection policy on a specified interface | firewall aspf aspf-policy-number { inbound | outbound }
Delete the ASPF detection policy applied on the interface | undo firewall aspf aspf-policy-number { inbound | outbound }

Table 97 Set the session timeout values
Operation | Command
Restore the default session timeout values of all firewall protocols | firewall session aging-time default
Set the session timeout values for different protocols | firewall session aging-time { fin-rst | fragment | ftp | h323 | http | icmp | netbios | ras | rtsp | smtp | syn | tcp | telnet | udp } { default | seconds }

Table 98 Configure PAM
Operation | Command
Configure the generic PAM function | port-mapping application-name port port-number
Delete the user-configured generic PAM | undo port-mapping application-name port port-number
Configure PAM for a host | port-mapping application-name port port-number acl acl-number
Delete the user-configured PAM of a host | undo port-mapping application-name port port-number acl acl-number
Cautions about ASPF Configuration
If you use the detect, aging-time, or port-mapping command to modify an ASPF policy applied on an interface, or use the firewall aspf aspf-policy-number { inbound | outbound } command to change the policy applied on the interface, the modifications take effect on sessions established afterwards, but not on existing sessions. To remove the inconsistency between existing sessions and the ASPF policy, you can clear the session table manually (reset firewall session table), but be cautious: this interrupts the existing sessions.
ASPF Configuration Example
Network requirements
Configure an ASPF detection policy on the firewall to inspect the FTP and HTTP traffic passing the firewall. Requirement: if a packet is the return traffic of an FTP or HTTP connection initiated by an internal user, permit it to pass the firewall into the internal network; deny all other packets. In addition, the policy must block Java applets in HTTP responses from the server 202.0.0.1. This example applies when local users need to access remote network services.
Table 99 Display and debug ASPF
Operation | Command
Display all ASPF configurations and current traced and detected sessions | display aspf all
Display application detection policy and interface configuration of access list | display aspf interface
Display the configuration of a specific detection policy | display aspf policy aspf-policy-number
Display sessions currently traced and detected by ASPF | display aspf session [ verbose ]
Display the session table on the firewall | display firewall session table
Display the session timeout values of various protocols | display firewall session aging-time
Display port mapping information | display port-mapping [ application-name | port port-number ]
Enable ASPF debugging function | debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }
Disable ASPF debugging function | undo debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }
Enable HTTP debugging function | debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }
Disable HTTP debugging function | undo debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }
Reset firewall session table | reset firewall session table
Network diagram
Figure 20 Network diagram for ASPF configuration
Configuration procedure
1 The PC has the IP address 10.0.0.1/24 and the gateway address 10.0.0.254.
For the server host, the IP address is 202.0.0.1.
2 Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of module interfaces (the module card resides in slot 2).
[SW8800] secblade aggregation slot 2
[Figure 20 labels: Switch 8800 with SecBlade; PC 10.0.0.1/24 in VLAN 10 (switch VLAN-interface 10.0.0.254/24); VLAN 30 between the switch (30.0.0.1/24) and the SecBlade (30.0.0.254/24), trust zone; VLAN 50 between the SecBlade (50.0.0.254/24) and the router (50.0.0.1/24), untrust zone; server host 202.0.0.1 beyond the router]
# Create SecBlade test.
[SW8800] secblade test
# Specify the SecBlade interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module card of the specified slot.
<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view
(Both the default user name and password are SecBlade. Change them before the module is reachable from any untrusted network.)
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the firewall on the module.
[secblade] firewall packet-filter enable
# Configure ACL 3111 to deny all traffic entering the internal network. ASPF creates temporary ACL entries for the return traffic of the sessions it permits.
[secblade] acl number 3111
[secblade-acl-adv-3111] rule deny ip
# Create ASPF policy 1. The policy detects two application layer protocols, FTP and HTTP, and sets their idle session timeout to 3000 seconds.
[secblade] aspf-policy 1
[secblade-aspf-policy-1] detect ftp aging-time 3000
[secblade-aspf-policy-1] detect http java-blocking 2001 aging-time 3000
# Configure ACL 2001 to filter Java applets from the site 202.0.0.1.
[secblade] acl number 2001
[secblade-acl-basic-2001] rule deny source 202.0.0.1 0
[secblade-acl-basic-2001] rule permit
# Apply the ASPF policy on the interface.
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall aspf 1 outbound
# Apply ACL 3111 on the interface.
[secblade-GigabitEthernet0/0.2] firewall packet-filter 3111 inbound
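The following Python model is an added editorial example, not 3Com code, of what the combination above achieves: ACL 3111 denies everything inbound on GigabitEthernet0/0.2, and the ASPF policy applied outbound records each session that internal hosts open so that only its return traffic is let back in. The model uses generic TCP/UDP detection (detect tcp / detect udp) rather than the FTP and HTTP application inspection of the example, applies the aging-time defaults the guide states (syn 30 s, fin 5 s, tcp 3600 s, udp 30 s), and its packets, timestamps and simplified TCP state machine are constructed assumptions, not a description of the SecBlade implementation.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class AspfPolicy:
    """Generic-detection ASPF policy; the timeouts are the defaults the guide states."""
    syn: int = 30        # waiting in SYN state for the handshake to complete
    fin: int = 5         # waiting in FIN/RST state before the entry is removed
    tcp: int = 3600      # idle timeout of an established TCP session
    udp: int = 30        # idle timeout of a UDP session
    detect: FrozenSet[str] = frozenset({"tcp", "udp"})   # detect tcp / detect udp


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                            # "tcp" or "udp"
    flags: FrozenSet[str] = frozenset()   # TCP flags: "SYN", "ACK", "FIN", "RST"

    def key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> tuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Session:
    state: str        # "syn", "established", "fin" for TCP; "udp" for UDP
    timeout: int      # aging time that applies to the current state
    last_seen: float


class AspfInterface:
    """One external interface: ASPF policy applied outbound, deny-all ACL inbound."""
    def __init__(self, policy: AspfPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[tuple, Session] = {}

    def _live(self, key: tuple, now: float) -> Optional[Session]:
        s = self.sessions.get(key)
        if s is not None and now - s.last_seen > s.timeout:
            del self.sessions[key]        # aged out: the return path closes
            s = None
        return s

    def _tcp_transition(self, s: Session, p: Packet) -> None:
        if p.flags & {"FIN", "RST"}:
            s.state, s.timeout = "fin", self.policy.fin
        elif s.state == "syn" and "ACK" in p.flags and "SYN" not in p.flags:
            s.state, s.timeout = "established", self.policy.tcp

    def outbound(self, p: Packet, now: float) -> str:
        """Trust -> untrust: permitted; tracked protocols get a session entry."""
        if p.proto not in self.policy.detect:
            return "permit (not inspected)"
        s = self._live(p.key(), now)
        if s is None:
            if p.proto == "tcp" and "SYN" not in p.flags:
                return "permit (no session: not a connection start)"
            state, timeout = ("syn", self.policy.syn) if p.proto == "tcp" else ("udp", self.policy.udp)
            s = self.sessions[p.key()] = Session(state, timeout, now)
        s.last_seen = now
        if p.proto == "tcp":
            self._tcp_transition(s, p)
        return f"permit (session {s.state})"

    def inbound(self, p: Packet, now: float) -> str:
        """Untrust -> trust: only return traffic of a live session bypasses ACL 3111."""
        s = self._live(p.reverse_key(), now)
        if s is None:
            return "deny (acl 3111 rule deny ip)"
        s.last_seen = now
        if p.proto == "tcp":
            self._tcp_transition(s, p)
        return f"permit (session {s.state})"


# Constructed traffic: the PC 10.0.0.1 opens an HTTP connection to the server host 202.0.0.1.
SYN = Packet("10.0.0.1", 40000, "202.0.0.1", 80, "tcp", frozenset({"SYN"}))
SYN_ACK = Packet("202.0.0.1", 80, "10.0.0.1", 40000, "tcp", frozenset({"SYN", "ACK"}))
ACK = Packet("10.0.0.1", 40000, "202.0.0.1", 80, "tcp", frozenset({"ACK"}))
REPLY = Packet("202.0.0.1", 80, "10.0.0.1", 40000, "tcp", frozenset({"ACK"}))


def http_session_trace() -> list:
    """Handshake, a late reply, then idle expiry; returns the verdicts in order."""
    fw = AspfInterface(AspfPolicy())
    return [fw.inbound(SYN_ACK, 0),      # nothing outbound yet: ACL 3111 drops it
            fw.outbound(SYN, 0),         # SYN state, 30 s timer
            fw.inbound(SYN_ACK, 1),      # return traffic of the tracked session
            fw.outbound(ACK, 2),         # established, 3600 s idle timer
            fw.inbound(REPLY, 1000),     # idle 998 s: still open
            fw.inbound(REPLY, 5000)]     # idle 4000 s > 3600 s: aged out
```

Because a session copies the timeout in force when it changes state, changing the policy (for example AspfPolicy.tcp) afterwards affects only sessions established later, which is the behaviour the caution on modifying an applied ASPF policy describes.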
Black List
Introduction to Black List
The black list filters packets based on their source IP address. Compared with an ACL, the fields a black list entry has to match are much simpler, so it can filter packets at high speed, which effectively blocks the packets sent from a specific IP address. The most important feature of the black list is that entries can be added dynamically by firewall modules: when the firewall detects an attack attempt from a specific IP address based on packet behaviour, it automatically adds that address to the black list so that all packets from it are filtered. This is one of the security features of the firewall.
Creating black list
Black list creation has two approaches: manual creation through command lines and dynamic creation by some modules of the firewall.
1 Creation through command lines
The following command is used to create a black list entry.
firewall blacklist sour-addr [ timeout minutes ]
A black list entry is created per IP address. If an entry for the same IP address already exists, the newly configured entry replaces the old one. Without the timeout minutes parameter, a permanent entry that never ages is created. Otherwise, the black list entry is removed automatically after the aging time, after which packets from the corresponding IP address are no longer filtered.
2 Dynamic creation by some modules of the firewall
Some firewall modules can dynamically insert an entry into the black list. For instance, when the attack prevention module detects an attack from a specific IP address, it automatically inserts that address into the black list, so that any packet from it is denied for a specific period.

If the same IP address is inserted into the black list more than once, the entry with the longer aging period is kept.
So far, the attack prevention firewall module can insert entries into the black list.
For the related configuration, refer to “Attack Prevention and Packet Statistics”.
In addition, if a Telnet client enters a wrong password three times in a row when logging in to the firewall, the system automatically adds its IP address to the black list with a ten-minute aging time. In other words, once the black list on the firewall is enabled, the client cannot log in to the firewall from that IP address for ten minutes.
Removing black list entry
Using the following command, you can remove the black list entries.
undo firewall blacklist [ sour-addr ]
With parameter sour-addr, the specific IP address entry will be removed. Without the parameter, all entries in the current black list will be removed.
The creation and deletion of black list entries is independent of the black list’s running status, that is, black list entries can be created and removed no matter whether the black list is enabled or not.
Enabling black list
Only when the black list is enabled does the firewall filter IP packets based on it. Otherwise, a packet is not discarded even though its source address is in the black list.
Use the firewall blacklist enable command to enable the black list.
Use the undo firewall blacklist enable command to disable the black list.
By default, the black list is disabled.
Configuring Black List
Black list configuration includes:
■ Configure/remove black list entry
■ Configure the filtering type and range of the black list
■ Enable or disable black list
Configuring/removing black list entry
Perform the following configuration in system view.
The value of minutes ranges from 1 to 1000. Without the timeout minutes parameter, the configured entry is permanent. Without the sour-addr parameter, the undo command removes all entries in the current black list.
Enabling or disabling black list
Perform the following configuration in system view.
By default, black list is disabled.
Displaying and Debugging Black List
Execute the display command in any view to display the black list entries or the running status of the black list.

Execute the debugging command in user view to enable debugging of the black list.
Black List Configuration Example
Network requirements
The server and the client PC are located in the firewall's trust zone and untrust zone respectively. All packets sent from the client PC are to be filtered for 100 minutes. The client IP address is 202.0.0.1.
Table 100 Configuring black list entry
Operation | Command
Configure black list entry | firewall blacklist sour-addr [ timeout minutes ]
Remove black list entry | undo firewall blacklist [ sour-addr ]

Table 101 Enabling or disabling black list
Operation | Command
Enable black list | firewall blacklist enable
Disable black list | undo firewall blacklist enable

Table 102 Display and debug black list
Operation | Command
Display the current black list entry information or running status | display firewall blacklist { enable | item [ sour-addr ] }
Enable the debugging for the black list | debugging firewall blacklist { all | item | packet }
Network diagram
Figure 21 Network diagram for black list configuration
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of module interfaces (the module card resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create SecBlade test.
[SW8800] secblade test
[Figure 21 labels: Switch 8800 with SecBlade; server 10.0.0.1/24 in VLAN 10 (switch VLAN-interface 10.0.0.254/24); VLAN 30 between the switch (30.0.0.1/24) and the SecBlade (30.0.0.254/24), trust zone; VLAN 50 between the SecBlade (50.0.0.254/24) and the router (50.0.0.1/24), untrust zone; client 202.0.0.1 beyond the router]

# Specify the module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view
(Both the default user name and password are SecBlade.)
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Insert the IP address of the client PC into the black list.
[secblade] firewall blacklist 202.0.0.1 timeout 100
# Enable the black list.
[secblade] firewall blacklist enable
With the above configuration, all packets sent from the client PC are denied during the 100-minute aging period. After that period, packets sent from the client PC can pass the firewall again.
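The following Python model is an added editorial example (not 3Com code) of the black list behaviour described in this section: manual entries with an optional 1 to 1000 minute timeout that replace an existing entry for the same address, dynamic entries inserted by a module that replace an existing entry only when they live longer, the enable switch that entries exist independently of, and the automatic ten-minute entry after three failed Telnet logins. Timestamps are seconds on a constructed clock; that a successful login resets the failure counter, and that the Telnet entry follows the longer-lives-wins rule, are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Entry:
    expires: Optional[float]   # None: permanent entry (no "timeout minutes" given)
    source: str                # "manual" or the firewall module that inserted it


class Blacklist:
    TELNET_FAILURES = 3        # wrong passwords in a row that trigger an entry
    TELNET_BAN_MINUTES = 10    # aging time of that entry

    def __init__(self) -> None:
        self.enabled = False                     # "firewall blacklist enable" is off by default
        self.entries: Dict[str, Entry] = {}
        self._telnet_failures: Dict[str, int] = {}

    def add(self, addr: str, now: float, timeout_min: Optional[int] = None) -> None:
        """firewall blacklist sour-addr [ timeout minutes ]: a new entry replaces an old one."""
        if timeout_min is not None and not 1 <= timeout_min <= 1000:
            raise ValueError("timeout must be 1 to 1000 minutes")
        expires = None if timeout_min is None else now + timeout_min * 60
        self.entries[addr] = Entry(expires, "manual")

    def add_dynamic(self, addr: str, now: float, timeout_min: int, module: str) -> None:
        """Insertion by a firewall module: the entry with the longer aging period is kept."""
        expires = now + timeout_min * 60
        old = self.entries.get(addr)
        if old is not None and (old.expires is None or old.expires >= expires):
            return                               # the existing entry lives longer: keep it
        self.entries[addr] = Entry(expires, module)

    def remove(self, addr: Optional[str] = None) -> None:
        """undo firewall blacklist [ sour-addr ]: one address, or everything."""
        if addr is None:
            self.entries.clear()
        else:
            self.entries.pop(addr, None)

    def listed(self, addr: str, now: float) -> bool:
        e = self.entries.get(addr)
        if e is None:
            return False
        if e.expires is not None and now >= e.expires:
            del self.entries[addr]               # aged out: filtering on this address ends
            return False
        return True

    def filter(self, src: str, now: float) -> str:
        """Per-packet decision: entries exist whether or not the list is enabled, but only an enabled list drops."""
        return "drop" if self.enabled and self.listed(src, now) else "pass"

    def telnet_login(self, src: str, now: float, password_ok: bool) -> None:
        """Three consecutive wrong passwords from one address earn a ten-minute entry."""
        if password_ok:
            self._telnet_failures.pop(src, None)  # assumption: a success resets the count
            return
        failures = self._telnet_failures.get(src, 0) + 1
        if failures < self.TELNET_FAILURES:
            self._telnet_failures[src] = failures
            return
        self._telnet_failures.pop(src, None)
        self.add_dynamic(src, now, self.TELNET_BAN_MINUTES, "telnet-login")


def example_timeline() -> list:
    """The configuration example: 202.0.0.1 blocked for 100 minutes; returns the verdicts."""
    bl = Blacklist()
    bl.add("202.0.0.1", now=0, timeout_min=100)    # firewall blacklist 202.0.0.1 timeout 100
    before = bl.filter("202.0.0.1", 0)             # list not enabled yet
    bl.enabled = True                              # firewall blacklist enable
    return [before,
            bl.filter("202.0.0.1", 0),
            bl.filter("202.0.0.1", 100 * 60 - 1),  # last second of the aging period
            bl.filter("202.0.0.1", 100 * 60),      # aged out
            bl.filter("10.0.0.1", 0)]              # the server is not listed
```

Note that the aged-out check happens lazily at the first packet after expiry, so a disabled list keeps stale entries until it is enabled and hit; on the real device the display firewall blacklist item output is the authority on what is currently listed.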
MAC and IP Address Binding
Introduction to MAC and IP Address Binding
MAC and IP address binding means that the firewall associates a specific IP address with a specific MAC address according to the configuration. The firewall then discards packets whose source MAC address does not match the MAC address bound to their source IP address, and forwards packets destined for the bound IP address only to the bound MAC address. This effectively prevents IP address spoofing attacks and protects the network.
Creating MAC and IP address binding
Using the following commands, you can create an address binding map.
firewall mac-binding sour-addr mac-addr
An address binding entry is created per IP address. If an entry for the same IP address already exists, the newly configured entry replaces the old one. One MAC address can be bound to several IP addresses.
Removing MAC and IP address binding
Using the following commands, you can remove one or all address binding map(s).
undo firewall mac-binding [ sour-addr ]
With parameter sour-addr, the specific IP address binding will be removed. Without this parameter, all entries in the current address binding list will be removed.
The creation and deletion of address binding map is independent of address binding function, that is, address binding map can be created and removed no matter whether the address binding is enabled or not.
Enabling MAC and IP address binding
Only when address binding is enabled does the firewall compare the IP address and MAC address of a packet against the binding map and deny packets that do not match it. Otherwise, no packet is discarded, even one whose IP address and MAC address do not match the binding map.
Using the following commands, you can enable address binding.
firewall mac-binding enable
Using the following commands, you can disable address binding.
undo firewall mac-binding enable
By default, address binding is disabled.
Configuring MAC and IP Address Binding
MAC and IP address binding configuration includes:
■ Configuring MAC and IP address binding map
■ Enabling or disabling MAC and IP address binding
Configuring MAC and IP address binding map
Perform the following configuration in system view.
Without the parameter sour-addr, all the current address binding entries are removed.
CAUTION:

■ Address binding is another form of static ARP. While address binding is enabled, configuring a binding for an IP address that already has a static ARP entry deletes that static ARP entry, and configuring a static ARP entry for an IP address that already has a binding fails with a prompt. If address binding is disabled, the same IP address can be configured in both address binding and static ARP.

■ MAC and IP address binding does not apply to PPPoE addresses, because the system cannot identify and handle PPP packets carried in Ethernet frames.

■ Broadcast addresses of classes A, B and C cannot be bound. If the address to be bound is not in the same subnet as the IP address of a firewall interface, the message "The ip to be bound is not in the same subnet of the interfaces' ip" appears.
Enabling/disabling MAC and IP address binding
Perform the following configuration in system view.
By default, MAC and IP address binding is disabled.
Displaying and Debugging MAC and IP Address Binding
Execute the display command in all views to display the running of address binding configuration.
Execute the debugging command in user view to debug address binding.
Table 103 Configuring MAC and IP address binding map
Operation | Command
Configure MAC and IP address binding map | firewall mac-binding sour-addr mac-addr
Remove MAC and IP address binding map | undo firewall mac-binding [ sour-addr ]

Table 104 Enabling or disabling MAC and IP address binding
Operation | Command
Enable MAC and IP address binding | firewall mac-binding enable
Disable MAC and IP address binding | undo firewall mac-binding enable

Table 105 Display and debug MAC and IP address binding
Operation | Command
Display the current MAC and IP address binding map information | display firewall mac-binding item [ sour-addr ]
Display the current running information of the MAC and IP address binding function | display firewall mac-binding enable
MAC and IP Address Binding Configuration Example
Network requirements
The server and the client PC are located in the firewall's trust zone and untrust zone respectively. The client PC is at 202.0.0.1 and its MAC address is 00e0-fc00-0100. Configure an address binding on the firewall so that only packets matching this binding can pass the firewall, and packets sent to 202.0.0.1 are forwarded to the network card at 00e0-fc00-0100.
Network diagram
Figure 22 Network diagram for MAC and IP address binding
[Figure 22 labels: Switch 8800 with SecBlade; server 10.0.0.1/24 in VLAN 10 (switch VLAN-interface 10.0.0.254/24); VLAN 30 between the switch (30.0.0.1/24) and the SecBlade (30.0.0.254/24), trust zone; VLAN 50 on the SecBlade sub-interface 202.0.0.254/24, untrust zone; client 202.0.0.1/24]

Table 105 Display and debug MAC and IP address binding (continued)
Operation | Command
Enable the debugging of MAC and IP address binding | debugging firewall mac-binding [ all | item | packet ]

Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create SecBlade test.
[SW8800] secblade test
# Specify the SecBlade interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view
(Both the default user name and password are SecBlade.)
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 202.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Insert IP address and MAC address of the client PC into the address binding map.
[secblade] firewall mac-binding 202.0.0.1 00e0-fc00-0100
# Enable the address binding function.
[secblade] firewall mac-binding enable
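The following Python model is an added editorial example, not 3Com code, of the address binding rules this section states: bindings are keyed by IP address and rebinding replaces, one MAC may serve several IPs, only an enabled binding map drops packets, packets to a bound IP are forced to the bound MAC, class A/B/C broadcast addresses and addresses outside the interface subnets are rejected with the guide's prompt, and an enabled binding overrides a static ARP entry for the same IP while a static ARP entry for an already bound IP fails. The static ARP table, the decision to let packets from unbound IP addresses pass, and the interface subnets of the example are assumptions of the model.

```python
import ipaddress
import re
from typing import Dict, Iterable, Optional


def normalize_mac(mac: str) -> str:
    """Accepts 00e0-fc00-0100, 00:e0:fc:00:01:00 or 00e0.fc00.0100; returns 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


def classful_broadcast(ip: ipaddress.IPv4Address) -> bool:
    """True for the directed broadcast address of the class A, B or C network containing ip."""
    first = int(ip) >> 24
    if first < 128:
        host_bits = 24      # class A
    elif first < 192:
        host_bits = 16      # class B
    elif first < 224:
        host_bits = 8       # class C
    else:
        return False        # class D/E: outside the guide's caution
    host_mask = (1 << host_bits) - 1
    return (int(ip) & host_mask) == host_mask


class MacBinding:
    def __init__(self, interface_networks: Iterable[str]) -> None:
        self.networks = [ipaddress.ip_network(n) for n in interface_networks]
        self.enabled = False                      # firewall mac-binding enable is off by default
        self.bindings: Dict[str, str] = {}        # keyed by IP: rebinding an IP replaces the entry
        self.static_arp: Dict[str, str] = {}      # assumed: a plain static ARP table beside it

    def bind(self, ip: str, mac: str) -> None:
        """firewall mac-binding sour-addr mac-addr"""
        addr = ipaddress.ip_address(ip)
        if classful_broadcast(addr):
            raise ValueError("broadcast addresses of classes A, B and C cannot be bound")
        if not any(addr in n for n in self.networks):
            raise ValueError("The ip to be bound is not in the same subnet of the interfaces' ip")
        self.bindings[ip] = normalize_mac(mac)
        if self.enabled:
            self.static_arp.pop(ip, None)         # the binding replaces a static ARP entry for the IP

    def unbind(self, ip: Optional[str] = None) -> None:
        """undo firewall mac-binding [ sour-addr ]"""
        if ip is None:
            self.bindings.clear()
        else:
            self.bindings.pop(ip, None)

    def add_static_arp(self, ip: str, mac: str) -> None:
        if self.enabled and ip in self.bindings:
            raise ValueError(f"{ip} is already bound; static ARP configuration fails")
        self.static_arp[ip] = normalize_mac(mac)

    def check(self, src_ip: str, src_mac: str) -> str:
        """Per-packet source check: 'drop' only when enabled and the bound MAC differs."""
        bound = self.bindings.get(src_ip) if self.enabled else None
        if bound is None:
            return "pass"                         # disabled, or no binding for this IP (assumption)
        return "pass" if bound == normalize_mac(src_mac) else "drop"

    def next_hop_mac(self, dst_ip: str) -> Optional[str]:
        """Forced forwarding: packets to a bound IP go to its bound MAC."""
        return self.bindings.get(dst_ip) if self.enabled else None


def example() -> dict:
    """The configuration example: client 202.0.0.1 is bound to 00e0-fc00-0100."""
    fw = MacBinding(["30.0.0.0/24", "202.0.0.0/24"])     # the SecBlade sub-interface subnets
    fw.bind("202.0.0.1", "00e0-fc00-0100")
    before = fw.check("202.0.0.1", "0011-2233-4455")      # not enabled yet: nothing is dropped
    fw.enabled = True                                     # firewall mac-binding enable
    return {"before_enable": before,
            "genuine": fw.check("202.0.0.1", "00:E0:FC:00:01:00"),
            "spoofed": fw.check("202.0.0.1", "0011-2233-4455"),
            "unbound": fw.check("202.0.0.9", "0011-2233-4455"),
            "next_hop": fw.next_hop_mac("202.0.0.1")}
```

The "unbound" case is the practical limit of this control: a host that spoofs an address nobody has bound is not caught by the binding map, so bind every address you care about or pair the feature with an ACL that restricts the source range.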
Security Zone Configuration
Introduction to Security Zone
Security zones are the networks connected to the firewall. Four security zones are predefined in the system: Local, Trust, DMZ and Untrust, listed here in descending order of security level (see the priority values below).
■ Local zone stands for the local system on the firewall.
■ Trust zone stands for the user's private (internal) network.
■ Untrust zone stands for public or insecure network, such as Internet.
■ DMZ (demilitarized zone) is an independent zone between the intranet and outside networks. It belongs neither to the intranet nor to outside networks. For example, in a network providing E-commerce services, some hosts, such as Web server, FTP server and mail server, are required to provide these services. To provide better services and effectively protect the intranet, you can add these servers into the DMZ zone to isolate them from the intranet. Then you can apply different firewall policies to intranet devices and these servers.
Configuring Security Zone
Entering security zone view
Perform the following configuration in system view.
Enter interzone view
Perform the following configuration in system view.
Creating security zone
Perform the following configuration in system view.
Table 106 Enter security zone view
Operation | Command
Enter the security zone view | firewall zone zonename

Table 107 Enter interzone view
Operation | Command
Enter the interzone view | firewall interzone zone1 zone2
Four security zones are predefined in the system: Local, Trust, Untrust and DMZ. You cannot remove these security zones.
Adding interface into security zone
Perform the following configuration in zone view.
By default, all interfaces belong to the Trust zone.
An interface can belong to only one security zone. You must remove the interface from the original security zone before adding it to another security zone if an interface already belongs to a security zone.
CAUTION: For interworking between the firewall and other devices, the corresponding interfaces must be added to a security zone.
Setting priority value for the security zone
You can set a priority value for a security zone. A larger priority value means a higher security level.
Perform the following configuration in zone view.
By default, the priority value of the Local zone is 100, that of the Trust zone is 85, that of the DMZ zone is 50, and that of the Untrust zone is 5. You cannot change the priority values of these predefined zones.
Table 108 Create security zone
Operation | Command
Create a security zone | firewall zone name zonename
Delete the security zone | undo firewall zone name zonename

Table 109 Add interface into security zone
Operation | Command
Add an interface into the security zone | add interface interface-type interface-number
Remove the interface from the security zone | undo add interface interface-type interface-number

Table 110 Set priority value for security zone
Operation | Command
Set priority value for the security zone | set priority number
8 TRANSPARENT FIREWALL
Transparent Firewall Overview
By default, the firewall operates in route mode. In transparent mode (bridge mode), you cannot configure IP addresses on its interfaces; the interfaces belong to Layer 2 security zones, and all hosts connected through interfaces in Layer 2 security zones are in the same subnet.

When packets are forwarded between the interfaces of Layer 2 security zones, the system determines the outgoing interface from the destination MAC address carried in the packet, so the firewall behaves as a transparent bridge. Unlike a plain bridge, however, the firewall matches packets against the session table and ACL rules and then decides whether to hand received packets to the upper layer for filtering or other processing. Other attack prevention checks are also performed. The transparent firewall supports ACL rule checking, ASPF filtering, attack prevention checking, flow control, and other functions.

The transparent firewall connects to the LAN at the data link layer, so no special configuration is required on the client hosts: connect them as you would to an ordinary Ethernet switch.
Obtaining MAC Address Table
The transparent firewall forwards packets based on the MAC address table, which comprises two parts: MAC addresses and interfaces. Therefore, it must obtain the mapping between them.
Broadcasting packets
When connected with the physical network segment, the transparent firewall monitors all Ethernet frames on the segment. After detecting an Ethernet frame on an interface, the transparent firewall extracts its source MAC address and adds the mapping between the MAC address and the interface receiving the frame into the MAC address table. See Figure 23.
Figure 23 Broadcast packets
Stations A, B, C and D belong to two LANs. Ethernet segment 1 is connected to the interface 1 on the transparent firewall; Ethernet segment 2 is connected to the interface 2 on the firewall. When station A sends an Ethernet frame to station B, both the transparent firewall and station B can receive the frame.
Learning mapping between station A MAC address and the interface
After receiving the Ethernet frame, the transparent firewall knows that station A is connected to it through interface 1 (since it received the frame on interface 1). Therefore the transparent firewall adds the mapping between the MAC address of station A and interface 1. See Figure 24.
Figure 24 Learn mapping between station A MAC address and the interface
[Figure 23: Workstation A (00e0.fcaa.aaaa) and Workstation B (00e0.fcbb.bbbb) are on Ethernet segment 1, connected to interface 1 of the Switch 8800; Workstation C (00e0.fccc.cccc) and Workstation D (00e0.fcdd.dddd) are on Ethernet segment 2, connected to interface 2. The frame shown has source 00e0.fcaa.aaaa and destination 00e0.fcbb.bbbb.]
[Figure 24: same topology; after the frame from station A, the address table on the Switch 8800 holds the entry MAC address 00e0.fcaa.aaaa, port 1.]
Learning mapping between station B MAC address and the interface
When station B returns a response to the Ethernet frame, the transparent firewall also detects the response and learns that station B is connected to it through interface 1 (since it received the frame on interface 1). Therefore the transparent firewall adds the mapping between the MAC address of station B and interface 1. See Figure 25.
Figure 25 Learn mapping between station B MAC address and the interface
The reverse MAC address learning continues until the transparent firewall has obtained mapping entries between all MAC addresses (those of stations A, B, C and D in this example) and the interfaces (here we assume that all stations are in operation).
Forwarding and Filtering
On the data link layer, the transparent firewall determines forwarding (or filtering) actions based on the following three cases:
Forwarding after successful lookup on address table
When station A sends an Ethernet frame to station C, the transparent firewall looks up on the address table and knows that station C corresponds to interface 2. It therefore forwards the frame from interface 2. See Figure 26.
[Figure 25: same topology as Figure 23; after the reply from station B (source 00e0.fcbb.bbbb, destination 00e0.fcaa.aaaa) arrives on interface 1, the address table holds 00e0.fcaa.aaaa on port 1 and 00e0.fcbb.bbbb on port 1.]
Figure 26 Forwarding after successful lookup on address table
Note that broadcast and multicast frames received on an interface are either forwarded to the other interfaces or dropped by the transparent firewall.
No forwarding (filtering) after successful lookup on address table
When station A sends an Ethernet frame to station B, the transparent firewall filters out and does not forward the frame since stations A and B are in the same network segment.
Figure 27 No forwarding after successful lookup on address table
Forwarding after failed lookup on address table
[Figure 26: the address table holds 00e0.fcaa.aaaa and 00e0.fcbb.bbbb on port 1 and 00e0.fccc.cccc and 00e0.fcdd.dddd on port 2; the frame from station A (00e0.fcaa.aaaa) to station C (00e0.fccc.cccc) and the reply from C to A are forwarded between interface 1 and interface 2.]
[Figure 27: same address table; the frame from station A (00e0.fcaa.aaaa) to station B (00e0.fcbb.bbbb) arrives on interface 1 and is not forwarded.]
If no mapping entry for the MAC address of station C is found in the MAC address table when station A sends an Ethernet frame to station C, the transparent firewall forwards the frame to all interfaces except the one it was received on. In this case the firewall works as a hub, so that all packets are forwarded. See Figure 28.
Figure 28 Forwarding after failed lookup on address table
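The learning, forwarding, filtering and flooding behaviour described in this overview, including the choice between flooding and dropping broadcast and multicast frames, as an added Python example; it is not part of the 3Com guide. The stations, MAC addresses and interface numbers are those of Figures 23 to 28; the class names and the policy strings "flood" and "drop" are this example's own.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"

def is_group_address(mac):
    """True for broadcast and multicast: the I/G bit (LSB of the first octet) is set."""
    return bool(int(mac.replace(".", "")[:2], 16) & 0x01)

@dataclass
class Frame:
    src: str
    dst: str

@dataclass
class TransparentBridge:
    interfaces: tuple                 # e.g. (1, 2)
    group_policy: str = "flood"       # broadcast/multicast frames: "flood" or "drop"
    unknown_policy: str = "flood"     # unicast with unknown destination: "flood" (hub-like) or "drop"
    table: dict = field(default_factory=dict)   # MAC address -> interface (the address table)

    def receive(self, frame, in_port):
        """Learn the source, then return the list of outgoing interfaces ([] means filtered/dropped)."""
        # Learning: the sender is reachable through the interface the frame arrived on.
        self.table[frame.src] = in_port
        others = [p for p in self.interfaces if p != in_port]
        if is_group_address(frame.dst):
            return others if self.group_policy == "flood" else []
        out_port = self.table.get(frame.dst)
        if out_port is None:
            # Failed lookup: act like a hub (forward to all other interfaces) or drop.
            return others if self.unknown_policy == "flood" else []
        if out_port == in_port:
            # Successful lookup, same segment as the sender: filter, do not forward.
            return []
        return [out_port]   # Successful lookup: forward on the learned interface only.

# Stations from the figures: A and B sit behind interface 1, C behind interface 2.
A, B, C = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb", "00e0.fccc.cccc"

def walk_through_figures():
    """Replays the frames of Figures 23 to 28 and returns the decision taken for each."""
    br = TransparentBridge(interfaces=(1, 2))
    steps = {}
    steps["A->B, B unknown"] = br.receive(Frame(A, B), 1)   # flooded to interface 2 (Figures 23/24)
    steps["B->A reply"] = br.receive(Frame(B, A), 1)        # A is on interface 1: filtered (Figure 25)
    steps["A->C, C unknown"] = br.receive(Frame(A, C), 1)   # failed lookup: hub behaviour (Figure 28)
    steps["C->A reply"] = br.receive(Frame(C, A), 2)        # learns C on interface 2, forwards to 1
    steps["A->C, C known"] = br.receive(Frame(A, C), 1)     # forwarded on interface 2 only (Figure 26)
    steps["A->B, B known"] = br.receive(Frame(A, B), 1)     # same segment: not forwarded (Figure 27)
    steps["A->broadcast"] = br.receive(Frame(A, BROADCAST), 1)
    steps["table"] = dict(br.table)
    return steps

if __name__ == "__main__":
    for name, result in walk_through_figures().items():
        print(f"{name:18} -> {result}")
```

Setting both policies to "drop" gives the strictest behaviour: an unknown destination or a broadcast no longer reaches the other segment until its MAC address has been learned from a frame it sends itself.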
Configuring Transparent Firewall
The following sections describe transparent firewall configuration tasks:
■ “Configuring Firewall Mode”
■ “Configuring System IP Address”
■ “Enabling/Disabling Dynamic ARP Learning”
■ “Configuring Handling Approach for the Packets with Unknown MAC Address”
■ “Configuring MAC Address-Based ACLs”
■ “Applying MAC Address-Based ACL to the Interface”
■ “Configuring Aging Time of the MAC Forwarding Table”
■ “Defining Allowed Packet Types”
Configuring Firewall Mode
Perform the following configuration in system view.
Table 111 Configure firewall mode
Operation / Command
Set the firewall to transparent mode: firewall mode transparent
Set the firewall to route mode: firewall mode route
Restore the default firewall mode: undo firewall mode
By default, the firewall operates in route mode.
NOTE: When operating in transparent mode, the firewall automatically enables the bridging function.
Configuring System IP Address
On a firewall in route mode, all interfaces work at Layer 3 and you can configure Layer 3 attributes for them. When the firewall is in transparent mode, all interfaces operate at Layer 2 and you cannot configure Layer 3 attributes such as an IP address for them. The firewall still needs an IP address so that it can be managed and can offer network services such as Telnet and SNMP. To solve this problem, you configure a system IP address for the transparent firewall instead of interface IP addresses.
Perform the following configuration in system view.
Table 112 Configure system IP address
Operation / Command
Configure the system IP address for the firewall: firewall system-ip system-ip-address [ address-mask ]
Restore the default system IP address: undo firewall system-ip
The default system IP address of the transparent firewall is 169.0.0.1/8, and you can modify it with the firewall system-ip command. In route mode, you cannot configure a system IP address for the firewall.
Enabling/Disabling Dynamic ARP Learning
Communications between the intranet and outside networks must pass through the transparent firewall, so ARP requests and responses are generated whenever a device is accessed or originates a connection to an outside device. The transparent firewall can automatically learn ARP entries for later address translation.
The firewall maintains only a limited number of ARP table entries. During an ARP flood attack, the firewall may accumulate too many ARP table entries and normal ARP resolution will be affected. To avoid this problem, you can disable dynamic ARP learning and configure static ARP entries manually.
Perform the following configuration in system view.
Table 113 Enable/disable ARP learning
Operation / Command
Enable dynamic ARP learning: firewall arp-learning enable
Disable dynamic ARP learning: undo firewall arp-learning enable
By default, ARP learning is enabled on the transparent firewall.
Configuring Handling Approach for the Packets with Unknown MAC Address
Upon receiving a packet with an unknown destination MAC address, the transparent firewall cannot determine its outgoing interface. It therefore handles such packets in one of three ways:
■ Drops the IP packets with unknown destination MAC addresses.
■ Broadcasts an ARP request to the interfaces in a specific security zone other than the interface that received the packet, and drops the IP packets with unknown MAC addresses. The transparent firewall saves the mapping between the MAC address and the interface after receiving the ARP response.
■ Floods the ARP request packet to the interfaces in a specific security zone other than the interface that received the packet. The transparent firewall saves the mapping between the MAC address and the interface after receiving the ARP response.
Perform the following configuration in system view.
Table 114 Configure handling approach for the packets with unknown MAC address
Operation / Command
Configure the handling approach for unicast IP, multicast and broadcast packets with unknown MAC address: firewall unknown-mac { drop | flood }
Configure the handling approach for unicast IP packets with unknown MAC address: firewall unknown-mac [ unicast ] { drop | arp | flood }
Configure the handling approach for IP broadcast and multicast packets: firewall unknown-mac { broadcast | multicast } { drop | flood }
Restore the default handling approach for the packets with unknown MAC address: undo firewall unknown-mac [ unicast | broadcast | multicast ]
By default, the firewall handles IP unicast packets in arp mode, and IP broadcast and multicast packets in drop mode.
Configuring MAC Address-Based ACLs
You can configure MAC address-based ACLs, whose IDs are in the range 4000 to 4999.
Perform the following configuration in the specified views.
Table 115 Configure MAC address-based ACLs
Operation / Command
Configure a MAC address-based ACL and enter the corresponding view (system view): acl number acl-number
Delete an existing ACL: undo acl { number acl-number | all }
Define a MAC address-based ACL rule (ACL view): rule [ rule-id ] { permit | deny } [ type type-code type-wildcard | lsap lsap-code lsap-wildcard ] [ source-mac sour-addr source-wildcard ] [ dest-mac dest-addr dest-wildcard ] [ time-range time-name ] [ logging ]
Delete an existing ACL rule: undo rule rule-id [ time-range time-name ] [ logging ]
By default, no MAC address-based ACL is defined.
Applying MAC Address-Based ACL to the Interface
Perform the following configuration in interface view.
Table 116 Apply MAC address-based ACL to the interface
Operation / Command
Apply the MAC address-based ACL to the interface: firewall ethernet-frame-filter acl-number { inbound | outbound }
Remove the MAC address-based ACL from the interface: undo firewall ethernet-frame-filter { inbound | outbound }
By default, no MAC address-based ACL is applied to an interface.
NOTE: To apply MAC address-based ACLs to interfaces, you must first set the firewall to transparent mode. Otherwise, the system prompts "Please firstly active the Transparent mode!"
Configuring Aging Time of the MAC Forwarding Table
The aging time of the MAC forwarding table is the lifetime of a MAC forwarding table entry and is determined by the aging timer. When the timer expires, the corresponding entry is removed from the MAC forwarding table.
Perform the following configuration in system view.
Table 117 Configure aging time of the MAC forwarding table
Operation / Command
Configure the aging time of the MAC forwarding table: firewall transparent-mode aging-time seconds
Restore the default aging time of the MAC forwarding table: undo firewall transparent-mode aging-time
By default, the aging time of the MAC forwarding table is 300 seconds.
Defining Allowed Packet Types
You can configure the transparent firewall to allow BPDU (bridge protocol data unit), DLSw (data link switching) or IPX (internetwork packet exchange) packets to pass.
Perform the following configuration in system view.
Table 118 Define allowed packet types
Operation / Command
Define a type of packet that is allowed to pass through the transparent firewall: firewall transparent-mode transmit { bpdu | dlsw | ipx }
Define a type of packet that is not allowed to pass: undo firewall transparent-mode transmit { bpdu | dlsw | ipx }
By default, the firewall filters out all packets of these types.
Displaying and Debugging Transparent Firewall
Use the commands listed in Table 119 to view configuration information about the transparent firewall and to enable debugging for transparent firewall configuration.
Execute the display commands in any view, and execute the debugging and reset commands in user view.
Table 119 Display and debug transparent firewall
Operation / Command
Display the current firewall mode: display firewall mode
Display statistics on Ethernet frame filtering: display firewall ethernet-frame-filter { all | interface interface-type interface-number }
Display the transparent firewall configuration: display firewall transparent-mode config
Display the MAC address table on the transparent firewall: display firewall transparent-mode address-table [ interface interface-type interface-number | mac mac-address ]
Display traffic on the transparent firewall: display firewall transparent-mode traffic [ interface interface-type interface-number ]
Enable debugging for Ethernet frame filtering: debugging firewall eff [ interface interface-type interface-number ]
Enable debugging for Ethernet frame forwarding: debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]
Enable debugging for IP packet forwarding: debugging firewall transparent-mode ip-forwarding
Clear Ethernet frame filtering information: reset firewall ethernet-frame-filter { all | interface interface-type interface-number }
Clear the MAC address table: reset firewall transparent-mode address-table [ interface interface-type interface-number ]
Clear traffic statistics on the transparent firewall: reset firewall transparent-mode traffic [ interface interface-type interface-number ]
Transparent Firewall Configuration Example
Network requirements
The Firewall module operates in transparent mode. Using MAC address-based ACLs, the module allows the hosts in the trust zone to access resources in the DMZ zone and the untrust zone. Using the blacklist, the module also prevents host PC_B in the untrust zone from sending any packets. The MAC address of PC_A is 000f-1f7e-fec5, and the IP address of PC_B is 172.16.0.50/24.
Network diagram
Figure 29 Network diagram for transparent firewall configuration
[Figure 29: a SecBlade module in the Switch 8800. Trust zone: VLAN 10, PC_A 172.16.0.10/24. Untrust zone: VLAN 50, PC_B. DMZ zone: VLAN 60, PC_C 172.16.0.60/24.]
Configuration procedure
3Com (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure aggregation of the interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade named test.
[SW8800] secblade test
# Set the protected VLANs.
[3Com-secblade-test] security-vlan 10 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot (both the default user name and password are SecBlade).
<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view
# Configure the Firewall module to operate in transparent mode.
[secblade] firewall mode transparent
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add the DMZ sub-interface to the DMZ zone.
[secblade] firewall zone dmz
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the MAC address-based ACL rule.
[secblade] acl number 4000
[secblade-acl-ethernetframe-4000] rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
[secblade-acl-ethernetframe-4000] quit
# Configure packet filtering (apply the ACL outbound on the untrust and DMZ sub-interfaces).
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall ethernet-frame-filter 4000 outbound
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] firewall ethernet-frame-filter 4000 outbound
[secblade-GigabitEthernet0/0.3] quit
# Add the address of PC_B to the blacklist.
[secblade] firewall blacklist item 172.16.0.50 timeout 60
# Enable the blacklist function.
[secblade] firewall blacklist enable
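To see what ACL 4000 above actually admits, here is an added Python example, not 3Com code, that evaluates MAC address-based ACL rules with the wildcard-mask semantics of the rule command (a 1 bit in the wildcard means "do not care"). It goes one step beyond the configuration example by also showing a vendor-prefix rule. The guide does not state what happens to a frame that matches no rule; this example assumes an implicit deny, which is what the configuration example relies on to keep hosts other than PC_A from reaching the untrust and DMZ sub-interfaces. The class and function names are this example's own.

```python
MAC_BITS = 0xFFFFFFFFFFFF   # 48-bit mask

def mac_to_int(mac):
    """Accepts 000f-1f7e-fec5 or 00e0.fcaa.aaaa notation."""
    return int(mac.replace("-", "").replace(".", ""), 16)

def mac_matches(frame_mac, rule_mac, wildcard):
    """Wildcard semantics of the rule command: a 1 bit in the wildcard means 'do not care'."""
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(frame_mac) & care) == (mac_to_int(rule_mac) & care)

class MacAcl:
    """acl number 4000-4999 with ordered permit/deny rules on source and/or destination MAC."""

    def __init__(self, number):
        if not 4000 <= number <= 4999:
            raise ValueError("MAC address-based ACL IDs are 4000 to 4999")
        self.number = number
        self.rules = []

    def rule(self, action, source_mac=None, source_wildcard=None,
             dest_mac=None, dest_wildcard=None):
        """rule { permit | deny } [ source-mac ... ] [ dest-mac ... ]; returns self for chaining."""
        self.rules.append((action, (source_mac, source_wildcard), (dest_mac, dest_wildcard)))
        return self

    def evaluate(self, src_mac, dst_mac):
        """First matching rule wins. ASSUMPTION: a frame matching no rule is denied."""
        for action, (smac, swc), (dmac, dwc) in self.rules:
            if smac is not None and not mac_matches(src_mac, smac, swc):
                continue
            if dmac is not None and not mac_matches(dst_mac, dmac, dwc):
                continue
            return action
        return "deny"

def example_acl_4000():
    """ACL 4000 from the configuration example: permit only frames sourced by PC_A."""
    acl = MacAcl(4000).rule("permit", source_mac="000f-1f7e-fec5",
                            source_wildcard="0000-0000-0000")
    pc_c = "00e0-fccc-cccc"   # constructed destination address
    return {"pc_a": acl.evaluate("000f-1f7e-fec5", pc_c),
            "other": acl.evaluate("000f-1f7e-fec6", pc_c)}

def example_vendor_prefix():
    """Hypothetical rule matching any source MAC in the 000f-1f OUI (low 24 bits wildcarded)."""
    acl = MacAcl(4001).rule("permit", source_mac="000f-1f00-0000",
                            source_wildcard="0000-00ff-ffff")
    return {"same_oui": acl.evaluate("000f-1f12-3456", "00e0-fccc-cccc"),
            "other_oui": acl.evaluate("00e0-fcaa-aaaa", "00e0-fccc-cccc")}

if __name__ == "__main__":
    print("ACL 4000:", example_acl_4000())
    print("OUI rule:", example_vendor_prefix())
```

Because the ACL is applied outbound on the untrust and DMZ sub-interfaces, a source-MAC filter of this kind only controls which hosts may originate frames into those zones; it does not inspect where a frame is going, and a host that spoofs PC_A's address would pass it, which is why the guide pairs it with the session table and blacklist rather than relying on it alone.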
9 WEB AND E-MAIL FILTERING
Introduction to Web and E-mail Filtering
As network technology gains popularity in more and more fields, attacks sourced from within a LAN are escalating. Traditional network security schemes, which focus only on attacks from external networks, are no longer sufficient. Network devices are now required to help establish secure internal networks.
The Web and e-mail filtering function provided by the firewall can deny access to illegal Web sites or Web pages and prevent internal users from sending unnecessary mail to illegal external mailboxes. The mail alarming function can inform administrators of external attacks through alarm mails so that they can take proper measures in time.
The Firewall module can also prevent SQL (structured query language) attacks by checking the HTTP commands in HTTP packets and judging whether they are attacks on the system.
Configuring Web Filtering
Configuring Web Address Filtering
Enabling/Disabling Web address filtering
Before configuring Web address filtering on a firewall, you must enable this function for related configurations to take effect.
Perform the following configuration in system view.
Table 120 Enable Web address filtering
Operation / Command
Enable Web address filtering: firewall url-filter host enable
Disable Web address filtering: undo firewall url-filter host enable
Web address filtering is disabled by default.
CAUTION: You must configure ASPF policies and execute the detect http and detect tcp commands before enabling Web address filtering. Refer to “Configuring ASPF” for information about ASPF.
Configuring the default filtering operation
You can configure the default filtering operation so that the firewall permits or denies packets that do not match any of the Web addresses set by the administrator.
Perform the following configuration in system view.
Table 121 Configure the default filtering operation
Operation / Command
Configure the default filtering operation: firewall url-filter host default { permit | deny }
Packets that do not match are permitted by default.
Configuring a Web address to be filtered
Web addresses are filtered according to the address items previously configured in a Web address filtering file. The administrator can manipulate such files to add or delete Web addresses, or even clear all the Web addresses.
Perform the following configuration in system view.
Table 122 Configure a Web address to be filtered
Operation / Command
Add a Web address to be filtered: firewall url-filter host add { permit | deny } url-address
Delete a Web address: firewall url-filter host delete url-address
Clear all Web addresses: firewall url-filter clear
Saving/Loading a Web address filtering file
After configuring the Web addresses to be filtered, you can save them to a Web address filtering file for later use. You must load a Web address filtering file before you can configure or modify items in it.
Perform the following configuration in system view.
Table 123 Save/Load a Web address filtering file
Operation / Command
Save/Load a Web address filtering file: firewall url-filter host { save-file | load-file } file-name
Unload the current Web address filtering file: undo firewall url-filter host load-file
You must load the Web address filtering file for the items in it to take effect, that is, for Web addresses that match these items to be filtered.
Configuring IP address filtering
If users access the Web by IP address, you can configure whether the firewall allows such access requests.
Perform the following configuration in system view.
Table 124 Configure IP address filtering
Operation / Command
Configure IP address filtering: firewall url-filter host ip-address { permit | deny }
By default, the firewall denies Web access requests with IP addresses as destination URLs.
Filtering IP addresses through ACL
This filters Web access requests with IP addresses as destination URLs through an ACL.
Perform the following configuration in system view.
Table 125 Filter IP addresses through ACL
Operation / Command
Filter IP addresses through ACL: firewall url-filter host acl-number number
Cancel the configured ACL rule: undo firewall url-filter host acl-number
By default, no ACL rule is configured.
Upon receiving a Web request whose destination URL is an IP address, the firewall first matches the request against the ACL defined with the firewall url-filter host acl-number command. If the result is permit, the firewall permits the request; if the result is deny, the firewall denies it. If the firewall finds no matching entry in the ACL, or the firewall url-filter host acl-number command is not configured, it decides whether to permit the request according to the firewall url-filter host ip-address { permit | deny } setting.
This command supports only one ACL rule. Any newly configured rule overwrites the original one.
Displaying and debugging Web address filtering
Use the commands listed in Table 126 to view information about Web address filtering and to enable debugging for Web address filtering.
Execute the display command in any view, and execute the debugging and reset commands in user view.
Table 126 Display and debug Web address filtering
Operation / Command
Display information about Web address filtering: display firewall url-filter host { enable | all | item { url-address | all } }
Enable debugging for Web address filtering: debugging firewall url-filter host { all | error | event | filter | packet }
Disable debugging for Web address filtering: undo debugging firewall url-filter host { all | error | event | filter | packet }
Clear statistics on Web address filtering: reset firewall url-filter host counter
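The decision order just described for Web address filtering, as an added Python example that is not 3Com code. It models the loaded address items, the default operation, the ip-address setting and the ACL used for IP-literal destinations. Two points are assumptions, since the guide does not specify them: hostname items are matched exactly and case-insensitively, and the ACL is represented as an ordered list of (action, network) pairs with first match winning.

```python
import ipaddress

class UrlFilter:
    """Models firewall url-filter host: address items, default, ip-address and acl-number."""

    def __init__(self, default="permit", ip_address="deny", acl=None):
        self.default = default          # url-filter host default { permit | deny }
        self.ip_address = ip_address    # url-filter host ip-address { permit | deny }
        self.acl = acl or []            # ASSUMED model of the ACL: ordered (action, ip_network) pairs
        self.items = {}                 # loaded address items: hostname -> "permit" / "deny"

    def add(self, action, url_address):
        """url-filter host add { permit | deny } url-address"""
        self.items[url_address.lower()] = action

    def delete(self, url_address):
        """url-filter host delete url-address"""
        self.items.pop(url_address.lower(), None)

    def decide(self, host):
        """Return 'permit' or 'deny' for a request whose destination URL host is `host`."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            # IP-literal destination: the ACL first, then the ip-address setting
            # (also used when no ACL is configured or nothing in it matches).
            for action, network in self.acl:
                if addr in network:
                    return action
            return self.ip_address
        # Hostname destination: the loaded items, then the default operation.
        # ASSUMPTION: exact, case-insensitive hostname match.
        return self.items.get(host.lower(), self.default)

def demo():
    """Constructed configuration: permit by default, deny raw IP access except 10.0.0.0/8."""
    f = UrlFilter(default="permit", ip_address="deny",
                  acl=[("permit", ipaddress.ip_network("10.0.0.0/8"))])
    f.add("deny", "blocked.example")
    return {
        "listed host": f.decide("Blocked.Example"),
        "unlisted host": f.decide("www.example.com"),
        "ip in acl": f.decide("10.1.2.3"),
        "ip not in acl": f.decide("203.0.113.7"),
        "ip, no acl configured": UrlFilter().decide("203.0.113.7"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

The default deny for IP-literal destinations matters in practice: a user who cannot reach blocked.example by name can otherwise simply type its address, so the hostname list and the ip-address setting must be considered together.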
Configuring Web Content Filtering
Enabling/Disabling Web content filtering
Before configuring Web content filtering on a firewall, you must enable this function for related configurations to take effect.
Perform the following configuration in system view.
Table 127 Enable Web content filtering
Operation / Command
Enable Web content filtering: firewall webdata-filter enable
Disable Web content filtering: undo firewall webdata-filter enable
Web content filtering is disabled by default.
CAUTION: You must configure ASPF policies and execute the detect http and detect tcp commands before enabling Web content filtering. Refer to “Configuring ASPF” for information about ASPF.
Configuring a filtering keyword for Web content filtering
Web pages can be filtered according to the filtering keyword items previously configured in a Web content filtering file. The administrator can manipulate such files to add or delete Web content filtering keywords, or even clear all the keywords.
Perform the following configuration in system view.
Table 128 Configure a filtering keyword for Web content filtering
Operation / Command
Add a Web content filtering keyword: firewall webdata-filter add keywords
Delete a Web content filtering keyword: firewall webdata-filter delete keywords
Clear all Web content filtering keywords: firewall webdata-filter clear
CAUTION: A Web content filtering keyword cannot be an HTML tag such as <head>, <html>, <title> or <script>. Otherwise, valid Web pages may be filtered.
Saving/Loading a Web content filtering file
After configuring the Web content filtering keywords, you can save them to a Web content filtering file for later use. You must load a Web content filtering file before you can configure or modify items in it.
Perform the following configuration in system view.
Table 129 Save/Load a Web content filtering file
Operation / Command
Save/Load a Web content filtering file: firewall webdata-filter { save-file | load-file } file-name
Unload the current Web content filtering file: undo firewall webdata-filter load-file
You must load the Web content filtering file for the items in it to take effect, that is, for Web content that matches these items to be filtered.
Displaying and debugging Web content filtering
Use the commands listed in Table 130 to view information about Web content filtering and to enable debugging for Web content filtering.
Execute the display command in any view, and execute the debugging and reset commands in user view.
Table 130 Display and debug Web content filtering
Operation / Command
Display information about Web content filtering: display firewall webdata-filter { enable | all | item { keywords | all } }
Enable debugging for Web content filtering: debugging firewall webdata-filter { all | error | event | filter | packet }
Disable debugging for Web content filtering: undo debugging firewall webdata-filter { all | error | event | filter | packet }
Clear statistics on Web content filtering: reset firewall webdata-filter counter
Configuring SQL Attack Prevention
Enabling/Disabling SQL attack prevention
You must enable SQL attack prevention before any other SQL attack prevention configuration takes effect.
Perform the following configuration in system view.
Table 131 Enable SQL attack prevention
Operation / Command
Enable SQL attack prevention: firewall url-filter parameter enable
Disable SQL attack prevention: undo firewall url-filter parameter enable
By default, SQL attack prevention is not enabled.
CAUTION: To enable SQL attack prevention successfully, you must first configure ASPF policies and execute the detect http and detect tcp commands. Refer to “Configuring ASPF” for more information about ASPF.
Configuring filter keywords for SQL attack prevention
The SQL attack prevention function filters HTTP commands based on predefined filter keywords. If a keyword appears in an HTTP request, the firewall blocks the request. You can define table names, fields, and stored procedure names (default or custom) as keywords depending on your needs.
Perform the following configuration in system view.
Table 132 Configure filter keywords for SQL attack prevention
Operation / Command
Add a filter keyword for SQL attack prevention: firewall url-filter parameter add keywords
Add the system default filter keywords: firewall url-filter parameter add-default
Delete a filter keyword: firewall url-filter parameter delete keywords
Clear all filter keywords: firewall url-filter parameter clear
The system predefines these filter keywords for SQL attack prevention: ^select^, ^insert^, ^update^, ^delete^, ^drop^, -, ', ^exec^ and %27. If you delete some keywords by accident or use the firewall url-filter parameter clear command by mistake, you can restore the default keywords with the firewall url-filter parameter add-default command.
Saving/loading SQL attack prevention filter file
After configuring filter keywords, you can save them in a filter file. You can load the filter file later to modify the existing configuration or make other settings.
Perform the following configuration in system view.
Table 133 Save/load SQL attack prevention filter file
Operation / Command
Save/load SQL attack prevention filter file: firewall url-filter parameter { save-file | load-file } file-name
Unload the SQL attack prevention filter file: undo firewall url-filter parameter load-file
You must load the SQL attack prevention filter file for its entries to take effect and filter HTTP commands.
Displaying and debugging SQL attack prevention configuration
Use the commands listed in Table 134 to display information about SQL attack prevention filtering and to enable or disable debugging for it.
Execute the display command in any view, and execute the debugging and reset commands in user view.
Table 134 Display and debug SQL attack prevention configuration
Operation / Command
Display SQL attack prevention filter configuration: display firewall url-filter parameter { enable | all | item { keywords | all } }
Display the number of matches for each filter keyword: display firewall url-filter parameter counter detail
Enable debugging for SQL attack prevention: debugging firewall url-filter parameter { all | error | event | filter | packet }
Disable debugging for SQL attack prevention: undo debugging firewall url-filter parameter { all | error | event | filter | packet }
Clear statistics on SQL attack prevention: reset firewall url-filter parameter counter
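A keyword filter over HTTP request targets in the spirit of SQL attack prevention, added here as a Python example that is not 3Com code. The guide lists the default keywords but does not define the ^...^ notation; this example assumes ^word^ means a whole-word, case-insensitive match and a bare keyword means a substring match. It checks both the raw and the percent-decoded request target (so that %27 and ' are both caught) and keeps per-keyword match counters in the manner of display firewall url-filter parameter counter detail. The class and function names are this example's own.

```python
import re
from urllib.parse import unquote

# Default keyword list as given in the guide.
DEFAULT_KEYWORDS = ["^select^", "^insert^", "^update^", "^delete^",
                    "^drop^", "-", "'", "^exec^", "%27"]

class SqlKeywordFilter:
    """Blocks an HTTP request when its target contains any configured keyword."""

    def __init__(self, keywords=DEFAULT_KEYWORDS):
        self.patterns = {}   # keyword -> compiled regex
        self.counters = {}   # keyword -> number of requests it blocked
        for kw in keywords:
            self.add(kw)

    def add(self, keyword):
        """url-filter parameter add keywords. ASSUMPTION: ^word^ = whole word, else substring."""
        if len(keyword) > 2 and keyword.startswith("^") and keyword.endswith("^"):
            pattern = r"\b" + re.escape(keyword[1:-1]) + r"\b"
        else:
            pattern = re.escape(keyword)
        self.patterns[keyword] = re.compile(pattern, re.IGNORECASE)
        self.counters[keyword] = 0

    def delete(self, keyword):
        """url-filter parameter delete keywords"""
        self.patterns.pop(keyword, None)
        self.counters.pop(keyword, None)

    def check(self, request_target):
        """Return the first keyword found (request blocked), or None if the request passes."""
        decoded = unquote(request_target)   # catch encoded forms such as %20select%20
        for kw, pat in self.patterns.items():
            if pat.search(request_target) or pat.search(decoded):
                self.counters[kw] += 1
                return kw
        return None

def demo():
    """Constructed request targets run through the default keyword set."""
    f = SqlKeywordFilter()
    targets = {
        "plain": "/products.asp?id=42",
        "union select": "/products.asp?id=42%20union%20select%20name%20from%20users",
        "word inside word": "/selected.html",        # 'select' is not a whole word here
        "encoded quote": "/login.asp?user=admin%27",
        "hyphen in path": "/my-page.html",           # the bare '-' keyword is a substring match
    }
    verdicts = {name: f.check(t) for name, t in targets.items()}
    return verdicts, dict(f.counters)

if __name__ == "__main__":
    verdicts, counters = demo()
    for name, hit in verdicts.items():
        print(f"{name:18} -> {'blocked by ' + repr(hit) if hit else 'passed'}")
    print("counters:", {k: v for k, v in counters.items() if v})
```

The "hyphen in path" case shows why the bare - and ' defaults deserve a look before deployment: as substring matches they block any target containing those characters, so the counter output is the quickest way to see which keywords are generating the blocks on real traffic.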
Configuring E-mail Filtering
Configuring E-mail Address Filtering
E-mail filtering prevents internal users from sending unnecessary information to illegal targets outside the intranet. The module enables you to filter E-mails by their addresses.
Enabling/Disabling E-mail address filtering
Before configuring E-mail address filtering on a firewall, you must enable this function for related configurations to take effect.
Perform the following configuration in system view.
Table 135 Enable E-mail address filtering
Operation / Command
Enable E-mail address filtering: firewall smtp-filter rcptto enable
Disable E-mail address filtering: undo firewall smtp-filter rcptto enable
E-mail address filtering is disabled by default.
CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands before enabling E-mail address filtering. Refer to “Configuring ASPF” for information about ASPF.
Configuring the default filtering operation
You can configure the default filtering operation so that the firewall permits or denies packets that do not match any of the E-mail addresses set by the administrator.
Perform the following configuration in system view.
Table 136 Configure the default filtering operation
Operation / Command
Configure the default filtering operation: firewall smtp-filter rcptto default { permit | deny }
Revert to the default filtering operation: undo firewall smtp-filter rcptto default
Packets that do not match are permitted by default.
Configuring an E-mail address to be filtered
E-mails are filtered according to the address items previously configured in an E-mail address filtering file. The administrator can manipulate such files to add or delete E-mail addresses, or even clear all the E-mail addresses.
Perform the following configuration in system view.
140 CHAPTER 9: WEB AND E-MAIL FILTERING
Saving/Loading an E-mail address filtering file
After configuring the E-mail addresses to be filtered, you can save them to an E-mail address filtering file for later use. You must load an E-mail address filtering file first to configure or modify items in it.
Perform the following configuration in system view.
You must load the E-mail addresses filtering file for items in it to take effect, that is, for E-mail addresses that match these items to be filtered.
Table 137 Configure an E-mail address to be filtered
  Operation: Add an E-mail address to be filtered
  Command: firewall smtp-filter rcptto add { permit | deny } mail-address
  Operation: Delete an E-mail address
  Command: firewall smtp-filter rcptto delete mail-address
  Operation: Clear all E-mail addresses
  Command: firewall smtp-filter rcptto clear
Table 138 Save/Load an E-mail address filtering file
  Operation: Save/Load an E-mail address filtering file
  Command: firewall smtp-filter rcptto { save-file | load-file } file-name
  Operation: Unload the current E-mail address filtering file
  Command: undo firewall smtp-filter rcptto load-file
Configuring E-mail Subject Filtering
You can also filter outgoing E-mails by their subjects.
Enabling/Disabling E-mail subject filtering
Before configuring E-mail subject filtering for a firewall, you must enable this function first for the related configurations to take effect.
Perform the following configuration in system view.
Table 139 Enable E-mail subject filtering
  Operation: Enable E-mail subject filtering
  Command: firewall smtp-filter subject enable
  Operation: Disable E-mail subject filtering
  Command: undo firewall smtp-filter subject enable
E-mail subject filtering is disabled by default.
CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail subject filtering. Refer to section “Configuring ASPF” for information about ASPF.
Configuring a filtering keyword for E-mail subject filtering
E-mails can be filtered according to the filtering keyword items previously configured in an E-mail subject filtering file. The administrator can manipulate such a file to add or delete E-mail subject filtering keywords, or to clear all the E-mail subject filtering keywords in it.
Perform the following configuration in system view.
Saving/Loading an E-mail subject filtering file
After configuring the E-mail subject filtering keywords, you can save them to an E-mail subject filtering file for later use. You must load an E-mail subject filtering file before you can configure or modify the items in it.
Perform the following configuration in system view.
You must load the E-mail subject filtering file for the items in it to take effect, that is, for E-mails that match these items to be filtered.
Table 140 Configure a filtering keyword for E-mail subject filtering
  Operation: Add an E-mail subject filtering keyword
  Command: firewall smtp-filter subject add mail-subject
  Operation: Delete an E-mail subject filtering keyword
  Command: firewall smtp-filter subject delete mail-subject
  Operation: Clear all E-mail subject filtering keywords
  Command: firewall smtp-filter subject clear
Table 141 Save/Load an E-mail subject filtering file
  Operation: Save/Load an E-mail subject filtering file
  Command: firewall smtp-filter subject { save-file | load-file } file-name
  Operation: Unload the current E-mail subject filtering file
  Command: undo firewall smtp-filter subject load-file
Configuring E-mail Content Filtering
E-mails can also be filtered according to their content.
Enabling/Disabling E-mail content filtering
Before configuring E-mail content filtering for a firewall, you must enable this function first for the related configurations to take effect.
Perform the following configuration in system view.
Table 142 Enable E-mail content filtering
  Operation: Enable E-mail content filtering
  Command: firewall smtp-filter content enable
  Operation: Disable E-mail content filtering
  Command: undo firewall smtp-filter content enable
CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail content filtering. Refer to section “Configuring ASPF” for information about ASPF.
E-mail content filtering is disabled by default.
Configuring a filtering keyword for E-mail content filtering
E-mails can be filtered according to the filtering keyword items previously configured in an E-mail content filtering file. The administrator can manipulate such a file to add or delete E-mail content filtering keywords, or to clear all the E-mail content filtering keywords in it.
Perform the following configuration in system view.
Saving/Loading an E-mail content filtering file
After configuring the E-mail content filtering keywords, you can save them to an E-mail content filtering file for later use. You must load an E-mail content filtering file before you can configure or modify the items in it.
Perform the following configuration in system view.
You must load the E-mail content filtering file for the items in it to take effect, that is, for E-mails that match these items to be filtered.
Table 143 Configure a filtering keyword for E-mail content filtering
  Operation: Add an E-mail content filtering keyword
  Command: firewall smtp-filter content add content-keywords
  Operation: Delete an E-mail content filtering keyword
  Command: firewall smtp-filter content delete content-keywords
  Operation: Clear all E-mail content filtering keywords
  Command: firewall smtp-filter content clear
Table 144 Save/Load an E-mail content filtering file
  Operation: Save/Load an E-mail content filtering file
  Command: firewall smtp-filter content { save-file | load-file } file-name
  Operation: Unload the current E-mail content filtering file
  Command: undo firewall smtp-filter content load-file
Configuring E-mail Attachment Filtering
You can also filter outgoing E-mails by their attachments.
Enabling/Disabling E-mail attachment filtering
Before configuring E-mail attachment filtering for a firewall, you must enable this function first for the related configurations to take effect.
Perform the following configuration in system view.
Table 145 Enable E-mail attachment filtering
  Operation: Enable E-mail attachment filtering
  Command: firewall smtp-filter attach enable
  Operation: Disable E-mail attachment filtering
  Command: undo firewall smtp-filter attach enable
CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail attachment filtering. Refer to section “Configuring ASPF” for information about ASPF.
E-mail attachment filtering is disabled by default.
Configuring an attachment name for E-mail attachment filtering
E-mails can be filtered according to the attachment name items previously configured in an E-mail attachment filtering file. The administrator can manipulate such a file to add or delete E-mail attachment names, or to clear all the E-mail attachment names in it.
Perform the following configuration in system view.
Table 146 Configure an attachment name for E-mail attachment filtering
  Operation: Add an E-mail attachment name
  Command: firewall smtp-filter attach add filename
  Operation: Delete an E-mail attachment name
  Command: firewall smtp-filter attach delete filename
  Operation: Clear all E-mail attachment names
  Command: firewall smtp-filter attach clear
Saving/Loading an E-mail attachment filtering file
After configuring the E-mail attachment names, you can save them to an E-mail attachment filtering file for later use. You must load an E-mail attachment filtering file before you can configure or modify the items in it.
Perform the following configuration in system view.
Table 147 Save/Load an E-mail attachment filtering file
  Operation: Save/Load an E-mail attachment filtering file
  Command: firewall smtp-filter attach { save-file | load-file } file-name
  Operation: Unload the current E-mail attachment filtering file
  Command: undo firewall smtp-filter attach load-file
You must load the E-mail attachment filtering file for the items in it to take effect, that is, for E-mails that match these items to be filtered.
Displaying and Debugging E-mail Filtering
Use the commands listed in Table 148 to display information about E-mail filtering and to enable or disable debugging for E-mail filtering.
Execute the display command in any view, and execute the debugging and reset commands in user view.
Table 148 Display and Debug E-mail filtering
  Operation: Display information about E-mail filtering
  Command: display firewall smtp-filter { all | rcptto | subject | content | attach } item { string | all }
  Operation: Enable debugging for E-mail filtering
  Command: debugging firewall smtp-filter
  Operation: Disable debugging for E-mail filtering
  Command: undo debugging firewall smtp-filter
  Operation: Clear statistics on E-mail filtering
  Command: reset firewall smtp-filter counter [ rcptto | subject | content | attach ]
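The filtering decision this chapter configures (RCPT TO address items with a permit/deny default, plus subject, content and attachment keyword lists, each consulted only when its filter is enabled), modelled as an added Python example that is not 3Com code. It assumes address items match the whole address case-insensitively, keywords match as case-insensitive substrings, an attachment item matches the file name, and a keyword match filters (denies) the mail; the addresses and keywords in demo_filter are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIONS = ("permit", "deny")
COUNTER_KEYS = ("rcptto", "subject", "content", "attach")

# Address inside an SMTP "RCPT TO:<user@host>" command.
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]+)>", re.IGNORECASE)


def parse_rcpt_to(line: str) -> Optional[str]:
    """Return the lower-cased recipient of an SMTP RCPT TO command, or None."""
    m = RCPT_RE.match(line.strip())
    return m.group(1).lower() if m else None


def _first_keyword(keywords: List[str], text: str) -> Optional[str]:
    """First keyword found in text (case-insensitive substring), else None."""
    low = text.lower()
    return next((k for k in keywords if k.lower() in low), None)


@dataclass
class SmtpFilter:
    """Configuration state modelled on the firewall smtp-filter command groups."""
    rcptto_enabled: bool = False
    rcptto_default: str = "permit"       # action when no address item matches
    rcptto_items: Dict[str, str] = field(default_factory=dict)  # address -> permit|deny
    subject_enabled: bool = False
    subject_keywords: List[str] = field(default_factory=list)
    content_enabled: bool = False
    content_keywords: List[str] = field(default_factory=list)
    attach_enabled: bool = False
    attach_names: List[str] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=lambda: {k: 0 for k in COUNTER_KEYS})

    def add_rcptto(self, action: str, address: str) -> None:
        """Models: firewall smtp-filter rcptto add { permit | deny } mail-address"""
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        self.rcptto_items[address.lower()] = action

    def rcptto_action(self, address: str) -> str:
        """Action for one recipient: the matching item, else the default."""
        return self.rcptto_items.get(address.lower(), self.rcptto_default)

    def check(self, rcpt_lines: List[str], subject: str, body: str,
              attachments: List[str]) -> Tuple[str, str]:
        """Evaluate one outgoing mail. Returns (verdict, reason); the first
        enabled filter that matches decides and its counter is incremented."""
        if self.rcptto_enabled:
            for line in rcpt_lines:
                addr = parse_rcpt_to(line)
                if addr is not None and self.rcptto_action(addr) == "deny":
                    self.counters["rcptto"] += 1
                    return "deny", f"rcptto {addr}"
        if self.subject_enabled:
            hit = _first_keyword(self.subject_keywords, subject)
            if hit:
                self.counters["subject"] += 1
                return "deny", f"subject keyword {hit}"
        if self.content_enabled:
            hit = _first_keyword(self.content_keywords, body)
            if hit:
                self.counters["content"] += 1
                return "deny", f"content keyword {hit}"
        if self.attach_enabled:
            wanted = {n.lower() for n in self.attach_names}
            for name in attachments:
                if name.lower() in wanted:
                    self.counters["attach"] += 1
                    return "deny", f"attachment {name}"
        return "permit", "no filter matched"

    def reset_counter(self, which: Optional[str] = None) -> None:
        """Models: reset firewall smtp-filter counter [ rcptto | subject | content | attach ]"""
        for key in ([which] if which else COUNTER_KEYS):
            self.counters[key] = 0


def demo_filter() -> SmtpFilter:
    """Constructed configuration; the addresses and keywords are made up."""
    f = SmtpFilter(rcptto_enabled=True, subject_enabled=True, attach_enabled=True)
    f.add_rcptto("deny", "drop@example.net")
    f.subject_keywords.append("confidential")
    f.attach_names.append("payroll.xls")
    f.content_keywords.append("secret")   # never enforced: content filter left disabled
    return f
```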
10 ATTACK PREVENTION AND PACKET STATISTICS
Overview of Attack Prevention and Packet Statistics
Introduction to Attack Prevention
Generally, network attacks intrude into or disable network servers (hosts) in order to steal the sensitive data on them or to interrupt the services they provide. Other network attacks directly disable network devices, which can make network services abnormal or bring them down entirely. The attack prevention function of the firewall can detect various types of network attacks and take the corresponding measures to protect internal networks against malicious attacks, so as to assure the normal operation of internal networks and systems.
Classes of Network Attacks
Network attacks can be divided into three classes: denial of service attacks, scanning and snooping attacks, and defective packet attacks.
Denial of service attack
A denial of service (DoS) attack attacks a system by sending a large number of data packets, so that the system cannot receive requests from clients normally or the host hangs and cannot work normally. The main DoS attacks include SYN Flood and Fraggle. Unlike other types of attacks, the special feature of a DoS attack is that the attacker prevents valid clients from accessing network resources instead of searching for entry points into the internal network.
Scanning and snooping attack
A scanning and snooping attack identifies a potential target by finding the existing systems in the network with ping scanning (including ICMP and TCP). By scanning TCP and UDP ports, the attacker can detect the running system and the listening services, and thus get a general idea of the service types and the potential security defects of the system, so as to prepare for further intrusion.
Defective packet attack
A defective packet attack sends a defective IP packet to the destination system so that the system crashes when it processes the packet. The main defective packet attacks include Ping of Death and Teardrop.
Typical Examples of Network Attacks
IP spoofing attack
To gain access authority, an intruder generates a packet carrying a bogus source address, which can let an unauthorized client access a system that applies IP-based authentication, even with root authority. In this way, the system can be compromised even though the response packet does not reach the system. This is the IP Spoofing attack.
Land attack
A Land attack sets both the source address and the destination address of a TCP SYN packet to the IP address of the attack target. The target therefore sends the SYN-ACK message to itself and then sends back the ACK message, creating a null connection. Each null connection is kept until it times out. Different attack targets respond differently to the Land attack: for instance, many UNIX hosts will crash and Windows NT hosts will slow down.
Smurf attack
The simple Smurf attack attacks a network by sending an ICMP request to the broadcast address of the target network. All the hosts in the network respond to the request, and network congestion results.
The advanced Smurf attack is mainly used to attack a target host by setting the source address of the ICMP packet to the address of the target host, so as to make the host crash eventually. Sending the attack packets takes a certain amount of traffic and time. Theoretically, the larger the number of hosts, the more obvious the effect. The Fraggle attack is another, newer form of the Smurf attack.
WinNuke attack
The WinNuke attack causes a NetBIOS fragment overlap by sending Out-Of-Band (OOB) data packets to the NetBIOS port (139) of a specified target running Windows, so as to make the target host crash. There are also IGMP fragment packets. Because IGMP packets generally cannot be fragmented, few systems can fully handle the attack caused by IGMP fragment packets.
SYN flood attack
Because of limited resources, TCP/IP stacks only permit a restricted number of TCP connections. Exploiting this defect, the SYN Flood attack forges SYN packets whose source address is a bogus or non-existent address and initiates connections to the server. The server therefore never receives the ACK for its SYN-ACK, which leaves a semi-connection (a half-open connection). A large number of semi-connections exhausts the network resources, so that normal clients cannot access the network until the semi-connections time out. The SYN Flood attack also takes effect against applications whose number of connections is not limited, by consuming system resources such as memory.
ICMP and UDP flood attack
An ICMP or UDP Flood attack sends a large number of ICMP messages (such as ping) or UDP packets to a specific target in a short time, so that the target system cannot transmit valid packets normally.
Address/port scanning attack
An address/port scanning attack uses scanning tools to probe target addresses and ports: a response from a system confirms that it is active on the target network and reveals the ports through which the host provides services.
Ping of death attack
The Ping of Death attack attacks a system with oversized ICMP packets. Because the length field of an IP packet is 16 bits, the maximum length of an IP packet is 65535 bytes. Therefore, if the data length of an ICMP request packet is larger than 65507, the total length of the ICMP packet (ICMP data + IP header 20 + ICMP header 8) will be larger than 65535, which may make some routers or systems crash, hang or reboot. This is the Ping of Death attack.
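Packet-level checks for three of the signatures described above (Land, Smurf and Ping of Death), as an added Python example that is not 3Com code. It works on constructed packet descriptors rather than raw frames; the protected network 10.1.0.0/24 and all addresses in SAMPLES are made up. The Ping of Death check uses the fragment arithmetic from the paragraph above: a fragment's offset times 8 plus its own length is the size the reassembled datagram would reach, and it must not exceed 65535.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Optional

IP_MAX_LEN = 65535      # largest value of the 16-bit IP total length field
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    """Minimal view of one IP packet or fragment (constructed, not parsed from wire data)."""
    src: str
    dst: str
    proto: str                               # "tcp", "udp" or "icmp"
    total_len: int                           # IP total length of this packet/fragment
    frag_offset: int = 0                     # fragment offset in 8-byte units
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None          # only the first fragment carries the ICMP header


def is_land(pkt: Packet) -> bool:
    """Land: a TCP SYN whose source address equals its destination address."""
    return pkt.proto == "tcp" and "SYN" in pkt.tcp_flags and pkt.src == pkt.dst


def is_smurf(pkt: Packet, protected: List[IPv4Network]) -> bool:
    """Smurf: an ICMP echo request sent to the broadcast address of a network
    behind the firewall, so that every host on it would answer."""
    if pkt.proto != "icmp" or pkt.icmp_type != ICMP_ECHO_REQUEST:
        return False
    dst = IPv4Address(pkt.dst)
    return any(dst == net.broadcast_address for net in protected)


def reassembled_length(pkt: Packet) -> int:
    """IP total length the datagram would have once this fragment is in place:
    frag_offset * 8 bytes of earlier data plus this fragment, header included."""
    return pkt.frag_offset * 8 + pkt.total_len


def is_ping_of_death(pkt: Packet) -> bool:
    """Ping of Death: an ICMP datagram whose reassembled length would exceed 65535
    (ICMP data above 65507 bytes plus the 20-byte IP and 8-byte ICMP headers).
    The overflow only shows in a late fragment, so every fragment is checked."""
    return pkt.proto == "icmp" and reassembled_length(pkt) > IP_MAX_LEN


def classify(pkt: Packet, protected: List[IPv4Network]) -> List[str]:
    """Names of the signatures the packet matches (empty list if none)."""
    hits = []
    if is_land(pkt):
        hits.append("land")
    if is_smurf(pkt, protected):
        hits.append("smurf")
    if is_ping_of_death(pkt):
        hits.append("ping-of-death")
    return hits


# Constructed sample traffic toward a made-up protected 10.1.0.0/24 segment.
PROTECTED = [IPv4Network("10.1.0.0/24")]
SAMPLES = [
    Packet("10.1.0.5", "10.1.0.5", "tcp", 40, tcp_flags=frozenset({"SYN"})),
    Packet("192.0.2.9", "10.1.0.255", "icmp", 84, icmp_type=ICMP_ECHO_REQUEST),
    # final fragment placed 8185 * 8 = 65480 bytes in, carrying 1500 more bytes
    Packet("192.0.2.9", "10.1.0.7", "icmp", 1500, frag_offset=8185),
    Packet("192.0.2.9", "10.1.0.7", "icmp", 84, icmp_type=ICMP_ECHO_REQUEST),  # ordinary ping
]


def scan(packets: List[Packet], protected: List[IPv4Network]) -> List[List[str]]:
    """Classify every packet; the result for SAMPLES is
    [["land"], ["smurf"], ["ping-of-death"], []]."""
    return [classify(p, protected) for p in packets]
```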
Introduction to Statistics Analysis
A firewall needs to perform a large amount of statistics calculation and analysis to monitor data traffic as well as to detect connections between intranet and extranet. On one hand, the firewall can perform after-the-fact analysis on the log information with the specific analysis software. On the other hand, the firewall can implement some analysis functions in real-time. For example, the firewall can determine whether to limit the new connections from external networks or the new connections to some internal IP address by analyzing whether the total number of TCP/UDP connections is greater than the configured value. For another example, if the firewall finds that the number of connections in the system exceeds the threshold, it speeds up the connection aging so that DoS will not occur and new connections can be set up.
The following figure shows a typical application of the firewall. If the IP-based statistics analysis function from the external network to the DMZ is enabled, the firewall will limit the new connections from the external network when the number of the TCP connections to the Web server at 129.9.0.1 is greater than the configured value until the number drops to the normal range.
Figure 30 Firewall denies the redundant external connections for the server
[Figure: the Switch 8800, with the statistics function enabled, connects the Internet, the internal network (PC, Ethernet) and the DMZ server; TCP connections toward the server are shown.]
Configuring Attack Prevention
The attack prevention configuration includes:
■ Enabling ARP Flood attack prevention function
■ Enabling attack prevention for reverse ARP lookup
■ Enabling ARP spoofing attack prevention function
■ Enabling the IP Spoofing attack prevention function
■ Enabling the Land attack prevention function
■ Enabling the Smurf attack prevention function
■ Enabling the Fraggle attack prevention function
■ Enabling Frag Flood attack prevention function
■ Enabling the WinNuke attack prevention function
■ Enabling the SYN Flood attack prevention function
■ Enabling the ICMP Flood attack prevention function
■ Enabling the UDP Flood attack prevention function
■ Enabling the ICMP redirect packet control function
■ Enabling the ICMP unreachable packet attack prevention function
■ Enabling the IP Sweep attack prevention function
■ Enabling the port scan attack prevention function
■ Enabling the control on IP packets carrying the source routes
■ Enabling the attack prevention function for the IP packet carrying route record
■ Enabling the Tracert packet control function
■ Enabling the Ping of Death attack prevention function
■ Enabling the Teardrop attack prevention function
■ Enabling the TCP flag validity detection function
■ Enabling the IP fragment packet detection function
■ Enabling the large ICMP packet control function
Enabling/Disabling ARP Flood Attack Prevention
Perform the following configuration in system view.
Table 149 Enable/disable ARP Flood attack prevention
  Operation: Enable ARP Flood attack prevention
  Command: firewall defend arp-flood [ max-rate rate-number ]
  Operation: Disable ARP Flood attack prevention
  Command: undo firewall defend arp-flood
By default, ARP Flood attack prevention is not enabled. The rate threshold for receiving ARP packets is in the range of 1 to 10000 pps and defaults to 100 pps.
Enabling/Disabling Attack Prevention for Reverse ARP Lookup
Perform the following configuration in system view.
Table 150 Enable/disable attack prevention for reverse ARP lookup
  Operation: Enable attack prevention for reverse ARP lookup
  Command: firewall defend arp-reverse-query
  Operation: Disable attack prevention for reverse ARP lookup
  Command: undo firewall defend arp-reverse-query
By default, attack prevention for reverse ARP lookup is not enabled.
Enabling/Disabling ARP Spoofing Attack Prevention
Perform the following configuration in system view.
Table 151 Enable/disable ARP spoofing attack prevention
  Operation: Enable ARP spoofing attack prevention
  Command: firewall defend arp-spoofing
  Operation: Disable ARP spoofing attack prevention
  Command: undo firewall defend arp-spoofing
By default, ARP spoofing attack prevention is not enabled.
Enabling/Disabling the IP Spoofing Attack Prevention Function
Perform the following configuration in system view.
Table 152 Enable/disable the IP Spoofing attack prevention function
  Operation: Enable the IP Spoofing attack prevention function
  Command: firewall defend ip-spoofing
  Operation: Disable the IP Spoofing attack prevention function
  Command: undo firewall defend ip-spoofing
By default, the IP Spoofing attack prevention function is disabled.
Note: The IP Spoofing attack prevention function cannot be used in transparent mode.
Enabling/Disabling the Land Attack Prevention Function
Perform the following configuration in system view.
Table 153 Enable/disable the Land attack prevention function
  Operation: Enable the Land attack prevention function
  Command: firewall defend land
  Operation: Disable the Land attack prevention function
  Command: undo firewall defend land
By default, the Land attack prevention function is disabled.
Enabling/Disabling the Smurf Attack Prevention Function
Perform the following configuration in system view.
Table 154 Enable/disable the Smurf attack prevention function
  Operation: Enable the Smurf attack prevention function
  Command: firewall defend smurf
  Operation: Disable the Smurf attack prevention function
  Command: undo firewall defend smurf
By default, the Smurf attack prevention function is disabled.
Enabling/Disabling the WinNuke Attack Prevention Function
Perform the following configuration in system view.
Table 155 Enable/disable the WinNuke attack prevention function
  Operation: Enable the WinNuke attack prevention function
  Command: firewall defend winnuke
  Operation: Disable the WinNuke attack prevention function
  Command: undo firewall defend winnuke
By default, the WinNuke attack prevention function is disabled.
Enabling/Disabling the Fraggle Attack Prevention Function
Perform the following configuration in system view.
Table 156 Enable/disable the Fraggle attack prevention function
  Operation: Enable the Fraggle attack prevention function
  Command: firewall defend fraggle
  Operation: Disable the Fraggle attack prevention function
  Command: undo firewall defend fraggle
By default, the Fraggle attack prevention function is disabled.
Enabling/Disabling Frag Flood Attack Prevention
Perform the following configuration in system view.
Table 157 Enable/disable Frag Flood attack prevention
  Operation: Enable Frag Flood attack prevention
  Command: firewall defend frag-flood [ max-identical-rate max-identical-rate ] [ max-total-rate max-total-rate ]
  Operation: Disable Frag Flood attack prevention
  Command: undo firewall defend frag-flood
By default, Frag Flood attack prevention is not enabled.
Note: If a fragment packet attack is targeted at the firewall itself, the firewall gives an alarm but discards no packet; otherwise, the firewall gives an alarm and discards the packets.
Enabling/Disabling the SYN Flood Attack Prevention Function
The SYN Flood attack prevention function can be configured for a specific security zone or a specific IP address. The specific configuration can be enabled only when the SYN Flood attack prevention function is enabled and the inbound IP statistics function of the protected zone (or the zone to which the protected IP address belongs) is enabled.
Enabling/disabling the SYN Flood attack prevention function
Perform the following configuration in system view.
Table 158 Enable/disable the SYN Flood attack prevention function
  Operation: Enable the SYN Flood attack prevention function
  Command: firewall defend syn-flood enable
  Operation: Disable the SYN Flood attack prevention function
  Command: undo firewall defend syn-flood enable
By default, the SYN Flood attack prevention function is disabled.
Configuring the specified SYN Flood attack prevention function
Perform the following configuration in system view.
Table 159 Configuring the SYN Flood attack prevention function
  Operation: Enable the SYN Flood attack prevention function for IP addresses
  Command: firewall defend syn-flood ip ip-address [ max-rate rate-number ] [ tcp-proxy ]
  Operation: Enable the SYN Flood attack prevention function for all the IP addresses in a zone
  Command: firewall defend syn-flood zone zone-name [ max-rate rate-number ] [ tcp-proxy ]
  Operation: Disable the SYN Flood attack prevention function for some IP addresses
  Command: undo firewall defend syn-flood ip ip-address [ max-rate ] [ tcp-proxy ]
  Operation: Disable the SYN Flood attack prevention function for all IP addresses
  Command: undo firewall defend syn-flood ip
  Operation: Disable the SYN Flood attack prevention function for all the IP addresses in a zone
  Command: undo firewall defend syn-flood zone zone-name [ max-rate ] [ tcp-proxy ]
  Operation: Disable the SYN Flood attack prevention function for the IP addresses in all zones
  Command: undo firewall defend syn-flood zone
  Operation: Disable all the SYN Flood attack prevention functions
  Command: undo firewall defend syn-flood
By default, the SYN Flood attack prevention function is disabled. The max-rate keyword indicates the maximum connection rate of SYN packets, in the range of 1 to 1,000,000; the default value is 1000. The TCP proxy can start automatically when the protected host is attacked by SYN Flood and close automatically when the host is safe.
Note:
■ When configuring SYN Flood attack prevention, the IP-based configuration has a higher priority than the zone-based configuration. If SYN Flood attack prevention is enabled both for a particular IP address and for all the IP addresses in the zone to which that address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters apply.
■ The SYN Flood attack prevention function can protect up to 1,000 IP addresses at the same time.
■ To prevent SYN Flood attacks, TCP proxy must be enabled.
CAUTION: The following three steps are necessary to enable the SYN Flood attack prevention function.
■ Enable the inbound IP statistics function in the protected zone (or the zone where the protected IP address is located);
■ Enable the SYN Flood attack prevention function;
■ Configure the specific SYN Flood attack prevention function.
Enabling/disabling TCP proxy
TCP proxy is used to protect the target host or all hosts in the target security zone from SYN Flood attacks. Before establishing a TCP connection to the protected host, an outside host must first complete the three-way handshake with the firewall. If the three-way handshake fails, the outside host cannot establish the TCP connection. This effectively blocks malicious attacks on the internal hosts.
By default, TCP proxy is not enabled on any host or security zone.
Note: Although you can also enable TCP proxy when configuring SYN Flood attack prevention, the configuration made with this command takes precedence over that one. That is, TCP proxy is enabled for protecting the target host or security zone regardless of whether SYN Flood attacks occur.
Table 160 Enable/disable TCP proxy
  Operation: Enable TCP proxy on a specified host or security zone
  Command: firewall tcp-proxy { ip ip-address | zone zone-name }
  Operation: Disable TCP proxy on a specified host or security zone
  Command: undo firewall tcp-proxy { ip ip-address | zone zone-name }
Enabling/Disabling the ICMP Flood Attack Prevention Function
The ICMP Flood attack prevention function can be configured for a specific security zone or a specific IP address. The specific configuration can be enabled only when the ICMP Flood attack prevention function is enabled and the inbound IP statistics function of the protected zone (or the zone to which the protected IP address belongs) is enabled.
Enabling/disabling the ICMP Flood attack prevention function
Perform the following configuration in system view.
Table 161 Enable/disable the ICMP Flood attack prevention function
  Operation: Enable the ICMP Flood attack prevention function
  Command: firewall defend icmp-flood enable
  Operation: Disable the ICMP Flood attack prevention function
  Command: undo firewall defend icmp-flood enable
By default, the ICMP Flood attack prevention function is disabled.
Configuring the specified ICMP Flood attack prevention function
Perform the following configuration in system view.
Table 162 Configuring the ICMP Flood attack prevention function
  Operation: Enable the ICMP Flood attack prevention function for IP addresses
  Command: firewall defend icmp-flood ip ip-address [ max-rate rate-number ]
  Operation: Enable the ICMP Flood attack prevention function for all the IP addresses in a zone
  Command: firewall defend icmp-flood zone zone-name [ max-rate rate-number ]
  Operation: Disable the ICMP Flood attack prevention function for some IP addresses
  Command: undo firewall defend icmp-flood ip ip-address
  Operation: Disable the ICMP Flood attack prevention function for all IP addresses
  Command: undo firewall defend icmp-flood ip
  Operation: Disable the ICMP Flood attack prevention function for all the IP addresses in a zone
  Command: undo firewall defend icmp-flood zone zone-name
  Operation: Disable the ICMP Flood attack prevention function for the IP addresses in all zones
  Command: undo firewall defend icmp-flood zone
  Operation: Disable all the ICMP Flood attack prevention functions
  Command: undo firewall defend icmp-flood
By default, the ICMP Flood attack prevention function is disabled. The max-rate keyword indicates the maximum connection rate of ICMP packets, in the range of 1 to 1,000,000. The default value is 1,000.
Note: When configuring ICMP Flood attack prevention, the IP-based configuration has a higher priority than the zone-based configuration. If ICMP Flood attack prevention is enabled both for a particular IP address and for all the IP addresses in the zone to which that address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters apply.
The ICMP Flood attack prevention function can protect up to 1000 IP addresses at the same time.
CAUTION: The following three steps are necessary to enable the ICMP Flood attack prevention function.
■ Enable the inbound IP statistics function in the protected zone (or the zone where the protected IP address is located);
■ Enable the ICMP Flood attack prevention function;
■ Configure the specific ICMP Flood attack prevention function.
Enabling/Disabling the UDP Flood Attack Prevention Function
The UDP Flood attack prevention function can be configured for a specific security zone or a specific IP address. The specific configuration can be enabled only when the UDP Flood attack prevention function is enabled and the inbound IP statistics function of the protected zone (or the zone to which the protected IP address belongs) is enabled.
Enabling/disabling the UDP Flood attack prevention function
Perform the following configuration in system view.
Table 163 Enable/disable the UDP Flood attack prevention function
  Operation: Enable the UDP Flood attack prevention function
  Command: firewall defend udp-flood enable
  Operation: Disable the UDP Flood attack prevention function
  Command: undo firewall defend udp-flood enable
By default, the UDP Flood attack prevention function is disabled.
Configuring the specified UDP Flood attack prevention function
Perform the following configuration in system view.
Table 164 Configuring the UDP Flood attack prevention function
  Operation: Enable the UDP Flood attack prevention function for IP addresses
  Command: firewall defend udp-flood ip ip-address [ max-rate rate-number ]
  Operation: Enable the UDP Flood attack prevention function for all the IP addresses in a zone
  Command: firewall defend udp-flood zone zone-name [ max-rate rate-number ]
  Operation: Disable the UDP Flood attack prevention function for some IP addresses
  Command: undo firewall defend udp-flood ip ip-address
  Operation: Disable the UDP Flood attack prevention function for all IP addresses
  Command: undo firewall defend udp-flood ip
  Operation: Disable the UDP Flood attack prevention function for all the IP addresses in a zone
  Command: undo firewall defend udp-flood zone zone-name
  Operation: Disable the UDP Flood attack prevention function for the IP addresses in all zones
  Command: undo firewall defend udp-flood zone
  Operation: Disable all the UDP Flood attack prevention functions
  Command: undo firewall defend udp-flood
By default, the UDP Flood attack prevention function is disabled. The max-rate keyword indicates the maximum connection rate of UDP packets, in the range of 1 to 1,000,000. The default value is 1,000.
Note: When configuring UDP Flood attack prevention, the IP-based configuration has a higher priority than the zone-based configuration. If UDP Flood attack prevention is enabled both for a particular IP address and for all the IP addresses in the zone to which that address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters apply.
The UDP Flood attack prevention function can protect up to 1000 IP addresses at the same time.
CAUTION: The following three steps are necessary to enable the UDP Flood attack prevention function.
■ Enable the inbound IP statistics function in the protected zone (or the zone where the protected IP address is located);
■ Enable the UDP Flood attack prevention function;
■ Configure the specific UDP Flood attack prevention function.
Enabling/Disabling the ICMP Redirect Packet Control Function
Perform the following configuration in system view.
Table 165 Enable/disable the ICMP redirect packet control function
  Operation: Enable the ICMP redirect packet control function
  Command: firewall defend icmp-redirect
  Operation: Disable the ICMP redirect packet control function
  Command: undo firewall defend icmp-redirect
By default, the ICMP redirect packet control function is disabled.
Enabling/Disabling the ICMP Unreachable Packet Control Function
Perform the following configuration in system view.
Table 166 Enable/disable the ICMP unreachable packet control function
  Operation: Enable the ICMP unreachable packet control function
  Command: firewall defend icmp-unreachable
By default, the ICMP unreachable packet control function is disabled.
Enabling/Disabling the IP Sweep Attack
Prevention Function
Perform the following configuration in system view.
By default, the IP Sweep attack prevention function is disabled. The max-rate keyword indicates the maximum sweeping rate, in the range of 1 to 10,000. The default value is 4000. The blacklist-timeout keyword indicates the time when the address is in the blacklist, in the range of 1 to 1,000 in minutes. The default value is 0 indicating the address is not added in the blacklist.
c CAUTION:
■ To enable the IP Sweep attack prevention function, make sure you enable the outbound IP statistics function in the zone where the connection is initiated and configure the IP Sweep attack prevention function.
■ The timeout time for an address to remain blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass the Firewall module.
■ The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.
Enabling/Disabling the Port Scan Attack
Prevention Function
Perform the following configuration in system view.
By default, the port scan attack prevention function is disabled. The max-rate keyword indicates the maximum scanning rate, in the range of 1 to 10,000. The default value is 4000. The blacklist-timeout keyword indicates the time when the address is in the blacklist, in the range of 1 to 1,000 in minutes. The default value is 0 indicating the address is not added in the blacklist.
c CAUTION:
Disable the ICMP unreachable packet control function undo firewall defend icmp-unreachable
Table 166 Enable/disable the ICMP unreachable packet control function
Operation Command
Table 167 Enable/disable the IP Sweep attack prevention function
Operation Command
Enable the IP Sweep attack prevention function
firewall defend ip-sweep [ max-rate rate-number ] [ blacklist-timeout minutes ]
Disable the IP Sweep attack prevention function undo firewall defend ip-sweep
Table 168 Enable/disable the port scan attack prevention function
Operation Command
Enable the port scan attack prevention function
firewall defend port-scan [ max-rate rate-number ] [ blacklist-timeout minutes ]
Disable the port scan attack prevention function undo firewall defend port-scan
156 CHAPTER 10: ATTACK PREVENTION AND PACKET STATISTICS
■ To enable the port scan attack prevention function, make sure you enable the outbound IP statistics function in the zone where the connection is initiated and configure the port scan attack prevention function.
■ The timeout time for an address to remain blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass the Firewall module.
■ The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.
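The following added configuration (not from the 3Com guide) puts together the prerequisites of the UDP Flood, IP Sweep and port scan subsections above for the network of Figure 31: the zone names (DMZ, untrust) and the server address 60.0.0.1 are assumed from that figure, and the rate and timeout values are illustrative.

```text
# Added example, not from the guide: protect the DMZ server 60.0.0.1 against
# UDP floods and blacklist untrust-zone hosts that sweep addresses or scan ports.

# 1. Inbound IP statistics in the protected zone (prerequisite for udp-flood zone/ip)
[secblade] firewall zone DMZ
[secblade-zone-DMZ] statistics enable ip in
[secblade-zone-DMZ] quit

# 2. Outbound IP statistics in the zone where sweeps and scans originate
#    (prerequisite for ip-sweep and port-scan)
[secblade] firewall zone untrust
[secblade-zone-untrust] statistics enable ip out
[secblade-zone-untrust] quit

# 3. Global switch, then a zone-wide rate, then a tighter per-IP rate for the server.
#    The IP-based entry takes priority, so 60.0.0.1 is checked at 1000 while the
#    other DMZ addresses keep the zone rate of 5000; removing the IP entry
#    (undo firewall defend udp-flood ip 60.0.0.1) makes the zone rate apply again.
[secblade] firewall defend udp-flood enable
[secblade] firewall defend udp-flood zone DMZ max-rate 5000
[secblade] firewall defend udp-flood ip 60.0.0.1 max-rate 1000

# 4. Sweep and scan prevention with blacklisting. blacklist-timeout is in minutes and
#    must exceed the firewall session aging time; the blacklist function itself must
#    also be enabled on the firewall (that command is not covered in this section).
[secblade] firewall defend ip-sweep max-rate 2000 blacklist-timeout 30
[secblade] firewall defend port-scan max-rate 2000 blacklist-timeout 30

# Verify which prevention types are currently enabled
[secblade] display firewall defend flag
```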
Enabling/Disabling the Attack Prevention Function for the IP Packet Carrying Source Route
Perform the following configuration in system view.
Table 169 Enable/disable the attack prevention function for the IP packet carrying source route
Operation | Command
Enable the attack prevention function for the IP packet carrying source route | firewall defend source-route
Disable the attack prevention function for the IP packet carrying source route | undo firewall defend source-route
By default, the attack prevention function for the IP packet carrying source route is disabled.
Enabling/Disabling Attack Prevention for Route Record Options
Perform the following configuration in system view.
Table 170 Enable/disable attack prevention for route record options
Operation | Command
Enable attack prevention for route record options | firewall defend route-record
Disable attack prevention for route record options | undo firewall defend route-record
By default, attack prevention for route record options is disabled.
Enabling/Disabling the Tracert Packet Control Function
Perform the following configuration in system view.
Table 171 Enable/disable the Tracert packet control function
Operation | Command
Enable the Tracert packet control function | firewall defend tracert
Disable the Tracert packet control function | undo firewall defend tracert
By default, the Tracert packet control function is disabled.
Enabling/Disabling the Ping of Death Prevention Function
Perform the following configuration in system view.
Table 172 Enable/disable the ping of death prevention function
Operation | Command
Enable the ping of death prevention function | firewall defend ping-of-death
Disable the ping of death prevention function | undo firewall defend ping-of-death
By default, the ping of death prevention function is disabled.
Enabling/Disabling the Teardrop Attack Prevention Function
Perform the following configuration in system view.
Table 173 Enable/disable the Teardrop attack prevention function
Operation | Command
Enable the Teardrop attack prevention function | firewall defend teardrop
Disable the Teardrop attack prevention function | undo firewall defend teardrop
By default, the Teardrop attack prevention function is disabled.
Enabling/Disabling the TCP Flag Validity Detection Function
Perform the following configuration in system view.
Table 174 Enable/disable the TCP flag validity detection function
Operation | Command
Enable the TCP flag validity detection function | firewall defend tcp-flag
Disable the TCP flag validity detection function | undo firewall defend tcp-flag
By default, the TCP flag validity detection function is disabled.
Enabling/Disabling the IP Fragment Packet Detection Function
Perform the following configuration in system view.
Table 175 Enable/disable the IP fragment packet detection function
Operation | Command
Enable the IP fragment packet detection function | firewall defend ip-fragment
Disable the IP fragment packet detection function | undo firewall defend ip-fragment
By default, the IP fragment packet detection function is disabled.
Setting the Warning Level in Monitoring the Number and Rate of Connections
The firewall monitors the number and rate of connections by using its statistics function and outputs a warning when the configured limit is exceeded. There are two warning levels. At the warning level, only warning information is output when the number or rate of connections exceeds the upper threshold. At the drop level, the warning information is output and subsequent packets are dropped when the number or rate of connections exceeds the upper threshold; packets are no longer dropped once the number or rate of connections falls to the lower threshold.
Perform the following configuration in system view.
Table 176 Set the warning level in monitoring the number and rate of connections
Operation | Command
Set the warning level to warning and drop | firewall statistic warning-level drop
Set the warning level to warning only | undo firewall statistic warning-level drop
By default, only the warning information is output, that is, the warning level is warning.
Enabling/Disabling the Oversized ICMP Packet Control Function
Perform the following configuration in system view.
Table 177 Enable/disable the oversized ICMP packet control function
Operation | Command
Enable the oversized ICMP packet control function | firewall defend large-icmp [ length ]
Disable the oversized ICMP packet control function | undo firewall defend large-icmp
By default, the oversized ICMP packet control function is disabled. The maximum packet length (length) is 28 to 65535 bytes. The default value is 8000.
Configuring System-Based Statistics
The system-based statistics function of the Firewall module restricts the number of connections. Before configuring the traffic restriction function, you must enable the corresponding statistics function. Once the statistics function is disabled, the associated restriction and alarm functions become invalid accordingly.
The system-based statistics function configuration includes:
■ Enabling the system-based statistics function
■ Enabling system-based connection count monitoring
■ Enabling alarm detection for abnormal system packet rate
Enabling/Disabling the System-Based Statistics Function
Enable the system-based statistics function to collect statistics on all the packets passing through the firewall.
Perform the following configuration in system view.
Table 178 Enable/disable the system-based statistics function
Operation | Command
Enable the system-based statistics function | firewall statistics system enable
Disable the system-based statistics function | undo firewall statistics system enable
By default, the system-based statistics function is enabled.
CAUTION: Use the undo firewall statistics system enable command with caution. If the system-based statistics function is disabled, the associated detection functions become invalid accordingly. If there is traffic, disabling the statistics function may cause inaccurate statistics, and the functions that rely on statistics are affected.
Enabling/Disabling System-Based Connection Count Monitoring
Using this command, you can configure the threshold for the number of connections in the system. The firewall outputs an alarm log if the number of TCP/UDP connections exceeds the threshold.
Perform the following configuration in system view.
Table 179 Enable/disable the system-based connection count monitoring function
Operation | Command
Enable the system-based connection count monitoring function | firewall statistics system connect-number { tcp | udp } { high high-value low low-value }
Disable the system-based connection count monitoring function | undo statistics system connect-number { tcp | udp }
By default, restriction on the number of system-based connections is enabled and the default values apply. The default upper threshold of TCP and UDP connections allowed in the system is 500000 and the default lower threshold is 1. When this function is disabled, the firewall restricts the system-based connection count by using the default values.
Enabling/Disabling Alarm Detection for Abnormal System Packet Rate
Using this command, you can configure the normal percentage of each type of packet and the permitted alteration percentage. The system periodically measures the percentage of each type of packet and compares it with the configured values. If the percentage for one type of packet (TCP, UDP, ICMP or others) exceeds the configured upper threshold (the configured percentage with the alteration applied), the system outputs an alarm log; if the percentage for one type of packet falls below the lower threshold (the configured percentage with the alteration applied), the system outputs an alarm log.
Perform the following configuration in system view.
Table 180 Enable/disable alarm detection for abnormal system packet rate
Operation | Command
Enable alarm detection for abnormal system packet rate | firewall statistics system flow-percent { tcp tcp-percent udp udp-percent icmp icmp-percent alteration alteration-percent [ time time-value ] }
Disable alarm detection for abnormal system packet rate | undo firewall statistics system flow-percent
By default, the percentages for TCP, UDP, and ICMP packets are 75, 15, and 5; the alteration percentage is 25; the detection period is 60 minutes.
You must configure the percentages for the three types of packets (TCP, UDP, and ICMP) at the same time, and the sum of the three percentages cannot exceed 100; otherwise, the command does not take effect. You do not need to configure a percentage for other packets.
Configuring Zone-Based Statistics
The zone-based statistics function configuration includes:
■ Enabling the zone-based statistics function
■ Enabling zone-based connection count monitoring
■ Enabling zone-based connection rate monitoring
Enabling/Disabling the Zone-Based Statistics Function
Perform the following configuration in zone view.
Table 181 Enable/disable the zone-based statistics function
Operation | Command
Enable the zone-based statistics function | statistics enable zone { inzone | outzone }
Disable the zone-based statistics function | undo statistics enable zone { inzone | outzone }
By default, the zone-based statistics function is disabled.
CAUTION: If the zone-based statistics function is disabled, the associated traffic monitoring function becomes invalid accordingly.
Enabling/Disabling Zone-Based Connection Count Monitoring
Using this command, you can configure the threshold for the number of TCP/UDP connections in one direction of a security zone, and thereby restrict the number of connections to or from the current zone. The system denies subsequent connection requests without any alarm if the connection number exceeds the threshold. Once the zone-based statistics function is enabled, the default values of the connection count monitoring function take effect automatically.
Perform the following configuration in zone view.
Table 182 Enable/disable the zone-based connection count monitoring function
Operation | Command
Enable the zone-based connection count monitoring function | statistics connect-number { zone | ip } { inzone | outzone } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]
Disable the zone-based connection count monitoring function | undo statistics connect-number { zone | ip } { inzone | outzone } { tcp | udp } [ acl acl-number ]
By default, the zone-based connection count restriction function is disabled. The default upper threshold of zone-based TCP/UDP connections is 500,000, and the lower threshold is 1.
CAUTION: The connection count restriction function of a zone does not take effect unless the corresponding statistics function is enabled.
Enabling/Disabling Zone-Based Connection Rate Monitoring
Using this command, you can configure the threshold for the rate (per second) of TCP/UDP connections in one direction of a zone, and thereby restrict the rate of connections to or from the current zone. The system outputs an alarm log and denies subsequent connection requests if the connection rate exceeds the threshold. Once the zone-based statistics function is enabled, the default values of the connection rate monitoring function take effect automatically.
Perform the following configuration in zone view.
Table 183 Enable/disable the zone-based connection rate monitoring function
Operation | Command
Enable the zone-based connection rate monitoring function | statistics connect-speed { zone | ip } { inzone | outzone } { tcp | udp } { high high-limit low low-limit }
Disable the zone-based connection rate monitoring function | undo statistics connect-speed { zone | ip } { inzone | outzone } { tcp | udp }
By default, the zone-based connection rate restriction function is disabled. The default upper threshold of zone-based TCP/UDP connections is 10,000, and the lower threshold is 1.
CAUTION: The connection rate restriction function of a zone does not take effect unless the corresponding statistics function is enabled.
Configuring IP-Based Statistics
The IP-based statistics function configuration includes:
■ Enabling the IP-based statistics function
■ Enabling IP-based connection count monitoring
■ Enabling IP-based connection rate monitoring
Enabling/Disabling the IP-Based Statistics Function
Once the IP-based statistics function is enabled, the firewall collects statistics on the outbound/inbound packets of the current zone by IP address (source addresses in the outbound direction and destination addresses in the inbound direction).
The inbound direction refers to packets whose destination address is in the local zone and whose source address is in another zone. The outbound direction is the opposite.
Perform the following configuration in security zone view.
Table 184 Enable/disable the IP-based statistics function
Operation | Command
Enable the IP-based statistics function | statistics enable ip { in | out }
Disable the IP-based statistics function | undo statistics enable ip { in | out }
By default, the IP-based statistics function is disabled.
CAUTION: Once the IP-based statistics function is disabled, the IP-based traffic monitoring function becomes invalid accordingly.
Enabling/Disabling the IP-Based Connection Count Monitoring Function
Using this command, you can configure the maximum number of TCP and UDP connections in the outbound/inbound direction of a local IP address. With this configuration, you can restrict not only the number of connections initiated from the current zone but also the number of connections initiated from external networks to the current zone. The system denies subsequent connection requests without any alarm if the connection count exceeds the threshold.
Perform the following configuration in security zone view.
Table 185 Enable/disable the IP-based connection count monitoring function
Operation | Command
Enable the IP-based connection count monitoring function | statistics connect-number ip { inbound | outbound } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]
Disable the IP-based connection count monitoring function | undo statistics connect-number ip { inbound | outbound } { tcp | udp } [ acl acl-number ]
By default, the IP-based connection count monitoring function is disabled. The default upper threshold of IP-based TCP/UDP connections is 500,000, and the lower threshold is 450,000.
CAUTION:
■ The IP-based connection count monitoring function does not take effect unless the corresponding IP-based statistics function is enabled.
■ An ACL rule can be used in only one direction if you want to count the IP-based connections that match it.
Enabling/Disabling the IP-Based Connection Rate Monitoring Function
Using this command, you can configure the maximum rate of TCP and UDP connections in the outbound/inbound direction of a local IP address. With this configuration, you can restrict not only the rate of connections initiated from the current zone but also the rate of connections initiated from external networks to the current zone. The system denies subsequent connection requests without any alarm if the connection rate exceeds the threshold.
Perform the following configuration in security zone view.
Table 186 Enable/disable IP-based connection rate monitoring
Operation | Command
Enable IP-based connection rate monitoring | statistics connect-speed ip { inzone | outzone } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]
Disable IP-based connection rate monitoring | undo statistics connect-speed ip { inzone | outzone } { tcp | udp } [ acl acl-number ]
By default, the IP-based connection rate restriction function is disabled. The default upper threshold of IP-based TCP/UDP connections is 10,000, and the lower threshold is 1.
CAUTION: An ACL rule can be used in only one direction if you want to count the IP-based connections that match it.
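The following added configuration (not from the 3Com guide) ties together the system-, zone- and IP-based statistics subsections above for the DMZ of Figure 31. The zone name DMZ and the server address 60.0.0.1 are assumed from that figure; all thresholds and percentages are illustrative.

```text
# Added example, not from the guide: statistics, alarms and connection limits
# for the DMZ zone. Each limit only works once its statistics function is on.

# System-wide: statistics on (the default), alarm when UDP connections exceed
# 200000 (cleared once they fall to 100000), and alarm when the TCP/UDP/ICMP mix
# drifts more than 20 points from 70/20/5 (the three values sum to 95, which must
# not exceed 100), measured over a 30-minute detection period.
[secblade] firewall statistics system enable
[secblade] firewall statistics system connect-number udp high 200000 low 100000
[secblade] firewall statistics system flow-percent tcp 70 udp 20 icmp 5 alteration 20 time 30

# Drop, not just warn, once a monitored count or rate crosses its upper threshold;
# dropping stops again when the value falls to the lower threshold.
[secblade] firewall statistic warning-level drop

# Zone level: inbound zone statistics first, then at most 2000 new inbound TCP
# connections per second into the DMZ (restriction lifted once the rate falls to 500).
[secblade] firewall zone DMZ
[secblade-zone-DMZ] statistics enable zone inzone
[secblade-zone-DMZ] statistics connect-speed zone inzone tcp high 2000 low 500

# IP level: inbound IP statistics first, then at most 20000 inbound TCP
# connections to any single DMZ address (lower threshold 15000).
[secblade-zone-DMZ] statistics enable ip in
[secblade-zone-DMZ] statistics connect-number ip inbound tcp high 20000 low 15000
[secblade-zone-DMZ] quit

# Verify: packet-mix thresholds, inbound zone counters, and counters for the server
[secblade] display firewall statistic system flow-percent
[secblade] display firewall statistic zone DMZ inzone
[secblade] display firewall statistic ip 60.0.0.1 destination-ip
```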
Displaying and Debugging Attack Prevention and Packet Statistics
Displaying and Debugging Attack Prevention
After the above configuration, execute the display command in any view to display the running status of attack prevention and verify the effect of the configuration. Execute the debugging command to debug attack prevention.
Table 187 Display and debug attack prevention
Operation | Command
Display the currently enabled attack prevention types | display firewall defend flag
Enable all attack prevention debugging | debugging firewall defend all
Enable debugging for ARP Flood attack prevention | debugging firewall defend arp-flood
Enable debugging for attack prevention for reverse ARP lookup | debugging firewall defend arp-reverse-query
Enable debugging for ARP spoofing attack prevention | debugging firewall defend arp-spoofing
Enable debugging for IP spoofing attack prevention | debugging firewall defend ip-spoofing
Enable debugging for Land attack prevention | debugging firewall defend land
Enable debugging for Smurf attack prevention | debugging firewall defend smurf
Enable debugging for Fraggle attack prevention | debugging firewall defend fraggle
Enable debugging for Frag Flood attack prevention | debugging firewall defend frag-flood
Enable debugging for WinNuke attack prevention | debugging firewall defend winnuke
Enable debugging for SYN Flood attack prevention | debugging firewall defend syn-flood
Enable debugging for ICMP Flood attack prevention | debugging firewall defend icmp-flood
Enable debugging for UDP Flood attack prevention | debugging firewall defend udp-flood
Enable debugging for ICMP redirect packet attack prevention | debugging firewall defend icmp-redirect
Enable debugging for ICMP unreachable packet attack prevention | debugging firewall defend icmp-unreachable
Enable debugging for address sweep attack prevention | debugging firewall defend ip-sweep
Enable debugging for port scan attack prevention | debugging firewall defend port-scan
Enable debugging for attack prevention for route record options | debugging firewall defend route-record
Enable debugging for source route option packet attack prevention | debugging firewall defend source-route
Enable debugging for Tracert attack prevention | debugging firewall defend tracert
Enable debugging for Ping of Death attack prevention | debugging firewall defend ping-of-death
Enable debugging for Teardrop attack prevention | debugging firewall defend teardrop
Enable debugging for TCP flag validity detection | debugging firewall defend tcp-flag
Enable debugging for IP fragment packet detection | debugging firewall defend ip-fragment
Enable debugging for large ICMP packet attack prevention | debugging firewall defend large-icmp
Displaying and Debugging Packet Statistics
You can execute the display command in any view and the reset command in user view.
Table 188 Display packet statistics
Operation | Command
Display statistics of the firewall | display firewall statistic { system | zone zone-name { inzone | outzone } | ip ip-address { source-ip | destination-ip | both } }
Display the system statistics of the firewall | display firewall statistic system [ defend | flow-percent ]
Clear the system statistics of the firewall | reset firewall statistic system [ defend | current ]
Clear the zone statistics of the firewall | reset firewall statistic zone zone-name { inzone | outzone }
Clear the IP statistics of the firewall | reset firewall statistic ip ip-address { source-ip | destination-ip | both }
Configuring an SMTP Client
The Firewall module supports SMTP client functions, which can create and send mails to the specified address at a predefined time. Timed mails can provide the administrator with firewall information on attacks and defenses, traffic alarms, web page filtering and mail filtering. This keeps the administrator informed of firewall statistics, and improves firewall flexibility and maintainability significantly.
Note: Normal SMTP client operation relies on name resolution by the DNS client (DNSC). For DNSC configuration, see section “Configuring DNS Client”.
Configuring Mail Triggering Time
This is to specify the time at which the firewall triggers mails.
Perform the following configurations in system view.
Table 189 Configure mail triggering time
Operation | Command
Configure mail triggering time | smtpc trigger time hh:mm
Cancel the configured mail triggering time | undo smtpc trigger { all | time hh:mm }
By default, no mail triggering time is configured.
The value for hh:mm falls between 00:00 and 23:59. You can execute this command several times to add up to five triggering time points.
Configuring Timed Mail Check Interval
This is to specify the interval at which the firewall checks whether the triggering time for timed mails has arrived. If it has, the firewall sends the mail; otherwise, no operation is performed.
Perform the following configurations in system view.
Table 190 Configure timed mail check interval
Operation | Command
Configure timed mail check interval | smtpc timer interval minutes
Restore the default check interval for timed mails | undo smtpc timer interval
By default, the time interval for timed mail check is 1 minute.
The shorter the interval, the more timely the information. However, a shorter interval also occupies more system resources.
Configuring Mail Addresses
This is to configure the receiver’s address of timed mails.
Perform the following configurations in system view.
Table 191 Configure a timed mail address
Operation | Command
Configure a receiver’s address of timed mail | smtpc administrator mail mail-address
Cancel the configured timed mail addresses | undo smtpc administrator { all | mail mail-address }
By default, no receiver’s address is configured for timed mails.
The specified address must be a standard SMTP mail address. You can execute this command several times to add up to five addresses.
Displaying and Debugging SMTP Client
After the above configurations, you can execute the display command to display the configuration of the SMTP client and validate your configurations. You can also run the debugging command to debug the SMTP client.
Table 192 Display and debug SMTP client
Operation | Command
Display SMTP client configuration information | display smtpc [ administrator | timer | trigger ]
Enable SMTP client debugging | debugging smtpc
Disable SMTP client debugging | undo debugging smtpc
Configuring DNS Client
A DNS client (DNSC) is a component that is important for normal SMTP client operation. A DNSC resolves a domain name into an IP address so that the SMTP client can send the mail to the right destination address.
Configuring a DNS Server
For DNS domain name resolution, a domain name server address is required so that the query request can be sent to the correct server for resolution. You can use the following commands to configure or remove the IP address of a DNS server.
Perform the following configuration in system view.
Table 193 Configure a DNS server
Operation | Command
Configure a DNS server IP address | dnsc server ip ip-address
Remove the configured DNS server IP address | undo dns server { all | ip ip-address }
By default, no DNS server is configured.
Configuring DNS Cache
When resolving a name, a DNSC caches the result returned by the name server. In this way, upon receiving a request to resolve the same name, the DNSC can look the name up directly in the DNS cache instead of sending a query to the name server again. This reduces network traffic.
Perform the following configuration in system view.
Table 194 Configure the DNS cache
Operation | Command
Add a DNS cache entry | dnsc cache add domain domain-name type { a | mx } ip ip-address ttl ttl
Remove a DNS cache entry | dnsc cache delete domain domain-name type { a | mx }
Remove DNS cache entries | undo dnsc cache { all | domain domain-name type { a | mx } }
By default, no DNS cache entry is configured.
Displaying and Debugging DNS Client Configuration
After the above configuration, you can display the DNS client configuration by using the display command in any view to verify the configuration. You can debug the DNS client by using the debugging command in user view.
Table 195 Display and debug DNS client configuration
Operation | Command
Display DNS client configuration | display dnsc { server | cache }
Enable DNS client debugging | debugging dnsc
Disable DNS client debugging | undo debugging dnsc
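The following added configuration (not from the 3Com guide) shows the SMTP client and DNS client subsections above working together, in the order the dependency requires. The name server address, mail domain, recipient address, trigger times and TTL value are placeholders; the unit of ttl is not stated in this section.

```text
# Added example, not from the guide: timed alarm mail from the Firewall module.
# The SMTP client resolves the recipient's domain through the DNSC, so configure
# the DNS client first.
[secblade] dnsc server ip 10.0.0.53
# Optional: a pre-populated MX entry lets mail go out even if the name server is
# unreachable (placeholder domain and address; ttl unit not given in this section).
[secblade] dnsc cache add domain example.com type mx ip 10.0.0.25 ttl 86400

# SMTP client: one recipient (up to five allowed), two daily trigger points
# (up to five allowed), and a 5-minute check interval. The check interval
# bounds how late after a trigger time the mail can be sent.
[secblade] smtpc administrator mail secops@example.com
[secblade] smtpc trigger time 08:00
[secblade] smtpc trigger time 20:00
[secblade] smtpc timer interval 5

# Verify both clients
[secblade] display dnsc server
[secblade] display dnsc cache
[secblade] display smtpc
```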
Attack Prevention and Packet Statistics Configuration Example
Enabling the Land Attack Prevention Function
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone, DMZ respectively.
Network diagram
Figure 31 Network diagram for firewall attack prevention configuration
[Figure 31 shows the Switch 8800 with the SecBlade module and VLANs 10, 30, 50 and 60: trust zone 10.0.0.1/24 and 10.0.0.254/24, switch-to-SecBlade link 30.0.0.1/24 and 30.0.0.254/24, untrust zone PC_B 50.0.0.1/24 and 50.0.0.254/24, DMZ zone Server 60.0.0.1/24 and 60.0.0.254/24]
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the aggregation of the Firewall module interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
Attack Prevention and Packet Statistics Configuration Example 169
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add sub-interface GigabitEthernet0/0.3 to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the Land attack prevention function.
[secblade] firewall defend land
Enabling the SYN Flood Attack Prevention Function
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ zone respectively. You are required to enable the SYN Flood attack prevention function on the server in the DMZ zone.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the aggregation of the Firewall module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the inbound IP statistics function in the DMZ zone.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] statistics enable ip inzone
[secblade-zone-DMZ] quit
# Enable the SYN Flood attack prevention function in the global scope.
[secblade] firewall defend syn-flood enable
# Enable the SYN Flood attack prevention function for the server at 60.0.0.1, set the maximum rate of SYN packets to 500 packets per second and the maximum number of semi-connections (half-open connections) to 2,000, and turn the TCP proxy on manually.
[secblade] firewall defend syn-flood ip 60.0.0.1 max-rate 500 max-number 2000 tcp-proxy on
Enabling the Address Scanning Attack Prevention Function
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to enable the address scanning attack prevention function on the server in the untrust zone.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the Firewall module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the outbound IP statistics function in the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] statistics enable ip outzone
[secblade-zone-untrust] quit
# Enable the address scanning attack prevention, set the maximum scanning rate to 1,000 packets per second and the valid time of the blacklist to 5 minutes, and enable the blacklist function.
[secblade] firewall defend ip-sweep max-rate 1000 blacklist-timeout 5
[secblade] firewall blacklist enable
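The SYN Flood thresholds in the previous procedure (max-rate 500 and max-number 2000 for the server at 60.0.0.1) and the address-scanning threshold with blacklist aging in this one (max-rate 1000, blacklist-timeout 5) are counters the Firewall module keeps on the zone statistics it collects. The Python simulation below is an added example, not 3Com or Comware code: it replays constructed traffic against those same values so the effect of each parameter can be seen. The page does not describe the module's own counting algorithm, so the simulation assumes a fixed one-second window for both max-rate counters and tracks half-open connections per source address; both assumptions are marked in the code.

```python
"""Simulation of the SYN Flood and ip-sweep thresholds configured above.
Added example, not Comware code; the window and half-open bookkeeping are
assumptions, and all packet records are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float           # arrival time in seconds (constructed)
    src: str
    dst: str
    syn: bool = False   # TCP SYN that opens a half-open connection
    ack: bool = False   # handshake completion that closes it


@dataclass
class SynFloodGuard:
    """Mirrors 'firewall defend syn-flood ip <server> max-rate R max-number N'.
    Assumption: R is counted over a fixed one-second window."""
    server: str
    max_rate: int                   # SYN packets per second
    max_number: int                 # simultaneous half-open connections
    _window: int = -1
    _syns_in_window: int = 0
    half_open: set = field(default_factory=set)

    def observe(self, p: Packet) -> bool:
        """True when this packet pushes the protected server over a threshold."""
        if p.dst != self.server:
            return False
        second = int(p.ts)
        if second != self._window:                  # start a new one-second window
            self._window, self._syns_in_window = second, 0
        if p.syn:
            self._syns_in_window += 1
            self.half_open.add(p.src)               # assumption: keyed by source
        elif p.ack:
            self.half_open.discard(p.src)
        return (self._syns_in_window > self.max_rate
                or len(self.half_open) > self.max_number)


@dataclass
class IpSweepGuard:
    """Mirrors 'firewall defend ip-sweep max-rate R blacklist-timeout T' with
    'firewall blacklist enable': a source reaching more than R distinct
    destinations within one second is blacklisted for T minutes, after which
    the entry ages out by itself."""
    max_rate: int
    blacklist_timeout_min: int
    blacklist: dict = field(default_factory=dict)             # src -> expiry ts
    _window: dict = field(default_factory=dict)               # src -> second
    _dsts: dict = field(default_factory=lambda: defaultdict(set))

    def is_blacklisted(self, src: str, now: float) -> bool:
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                           # aging: remove expired entry
            del self.blacklist[src]
            return False
        return True

    def observe(self, p: Packet) -> bool:
        """True when the packet is dropped because its source is blacklisted."""
        if self.is_blacklisted(p.src, p.ts):
            return True
        second = int(p.ts)
        if self._window.get(p.src) != second:
            self._window[p.src] = second
            self._dsts[p.src] = set()
        self._dsts[p.src].add(p.dst)
        if len(self._dsts[p.src]) > self.max_rate:
            self.blacklist[p.src] = p.ts + 60 * self.blacklist_timeout_min
            return True
        return False


def run_demo() -> dict:
    """Replay constructed traffic against the values used in the procedures."""
    syn_guard = SynFloodGuard("60.0.0.1", max_rate=500, max_number=2000)
    sweep_guard = IpSweepGuard(max_rate=1000, blacklist_timeout_min=5)
    # 600 SYNs within one second from PC_B toward the DMZ server.
    syn_alarm_at = None
    for i in range(600):
        pkt = Packet(ts=i / 600, src="50.0.0.1", dst="60.0.0.1", syn=True)
        if syn_guard.observe(pkt) and syn_alarm_at is None:
            syn_alarm_at = i + 1
    # The same source then reaches 1001 distinct addresses within one second.
    sweep_drop_at = None
    for i in range(1001):
        pkt = Packet(ts=10 + i / 1001, src="50.0.0.1", dst=f"60.0.{i // 256}.{i % 256}")
        if sweep_guard.observe(pkt) and sweep_drop_at is None:
            sweep_drop_at = i + 1
    # Blacklist aging: still dropped four minutes later, accepted after six.
    probe = lambda ts: sweep_guard.observe(Packet(ts=ts, src="50.0.0.1", dst="60.0.0.1"))
    return {
        "syn_alarm_at_packet": syn_alarm_at,
        "sweep_drop_at_packet": sweep_drop_at,
        "dropped_after_4_min": probe(10 + 240),
        "dropped_after_6_min": probe(10 + 360),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the SYN alarm on the 501st SYN of the second, the first drop on the 1001st distinct destination, and the source accepted again once the 5-minute blacklist entry has aged out. The Land attack and SYN Flood troubleshooting steps later in this chapter apply here too: neither guard sees anything unless the matching inbound (for the server) or outbound (for the scanning source) statistics function is enabled on its zone.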
Enabling the Zone-Based Connection Count Monitoring Function
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to limit the number of inbound and the number of outbound connections for the trust zone.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the aggregation of the Firewall module interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the outbound packet statistics function in the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] statistics enable zone outzone
# Enable the inbound packet statistics function in the trust zone.
[secblade-zone-trust] statistics enable zone inzone
# Set the upper limit on the number of inbound TCP connections in the trust zone to 120,000.
[secblade-zone-trust] statistics enable zone inzone tcp high 120000 low 10000
# Set the upper limit on the number of outbound TCP connections in the trust zone to 200,000.
[secblade-zone-trust] statistics enable zone outzone tcp high 200000 low 10000
Monitoring the Number of the IP-Based Connections Matching with the ACL Rule
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to limit the number of connections from the host at 10.0.0.1 in the trust zone.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the Firewall module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the ACL rule.
[secblade] acl number 1
[secblade-acl-basic-1] rule permit source 10.0.0.1 0
# Enter zone view and set the upper limit on the number of TCP connections initiated by source IP addresses matching the ACL rule to 2,000.
[secblade] firewall zone trust
[secblade-zone-trust] statistic connect-number ip outzone tcp high 2000 low 512 acl 1
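The high/low pairs in this procedure and the previous one (120,000/10,000 inbound and 200,000/10,000 outbound for the whole trust zone, 2,000/512 per source address matching ACL 1) are watermarks. The Python model below is an added example, not Comware code, that shows how the two scopes interact. The page does not spell out the module's exact behaviour, so the model assumes the usual watermark semantics, namely that new connections are refused once the count reaches high and accepted again only after it has fallen below low, and it represents the basic ACL as permit rules with a wildcard mask; both assumptions are marked in the code.

```python
"""Connection-count watermarks for a zone and for ACL-matched source hosts.
Added example, not Comware code: the hysteresis rule and the ACL wildcard
matching are assumptions about what 'high H low L' and 'rule permit source
A W' mean; the traffic in run_demo() is constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Watermark:
    """Assumed semantics: refuse new connections once count reaches 'high',
    accept again only after the count has dropped below 'low'."""
    high: int
    low: int
    count: int = 0
    restricted: bool = False

    def open(self) -> bool:
        """Account for one new connection; False means it must be refused."""
        if self.restricted:
            return False
        if self.count >= self.high:
            self.restricted = True
            return False
        self.count += 1
        return True

    def close(self) -> None:
        """Account for one closed connection; lift the restriction below 'low'."""
        self.count = max(0, self.count - 1)
        if self.restricted and self.count < self.low:
            self.restricted = False


def acl_permits(rules, src: str) -> bool:
    """Basic ACL match for 'rule permit source <addr> <wildcard>': bits set in
    the wildcard are don't-care bits, so a wildcard of 0 means an exact host."""
    s = int(IPv4Address(src))
    for addr, wildcard in rules:
        a, w = int(IPv4Address(addr)), int(IPv4Address(wildcard))
        if (s | w) == (a | w):
            return True
    return False


@dataclass
class TrustZoneMonitor:
    """Zone-wide limits from the previous procedure plus the per-host limit
    for sources matching ACL 1 from this one."""
    inbound: Watermark = field(default_factory=lambda: Watermark(120000, 10000))
    outbound: Watermark = field(default_factory=lambda: Watermark(200000, 10000))
    acl: list = field(default_factory=lambda: [("10.0.0.1", "0.0.0.0")])
    per_ip: dict = field(default_factory=dict)      # src -> Watermark(2000, 512)

    def open_outbound(self, src: str) -> bool:
        """A new TCP connection from `src` leaving the trust zone."""
        host = None
        if acl_permits(self.acl, src):
            host = self.per_ip.setdefault(src, Watermark(2000, 512))
            if not host.open():
                return False                    # per-host limit reached
        if not self.outbound.open():
            if host is not None:
                host.close()                    # roll back the per-host count
            return False
        return True

    def open_inbound(self) -> bool:
        """A new TCP connection entering the trust zone from another zone."""
        return self.inbound.open()


def run_demo() -> dict:
    mon = TrustZoneMonitor()
    # Host 10.0.0.1, which matches ACL 1, tries to open 2001 outbound connections.
    accepted = sum(mon.open_outbound("10.0.0.1") for _ in range(2001))
    # A host not covered by the ACL is bound only by the zone-wide limit.
    other_accepted = mon.open_outbound("10.0.0.2")
    # Closing 100 connections leaves the count far above 'low': still refused.
    host = mon.per_ip["10.0.0.1"]
    for _ in range(100):
        host.close()
    still_refused = not mon.open_outbound("10.0.0.1")
    # Draining below 'low' (512) lifts the restriction.
    while host.count >= host.low:
        host.close()
    accepted_after_drain = mon.open_outbound("10.0.0.1")
    return {
        "accepted_from_10_0_0_1": accepted,
        "other_host_accepted": other_accepted,
        "refused_after_100_closes": still_refused,
        "accepted_after_drain": accepted_after_drain,
    }


if __name__ == "__main__":
    print(run_demo())
```

The gap between high and low is what keeps the limit from flapping: a host that has just been cut off at 2,000 cannot get back in by closing a handful of sessions, it has to fall below 512 first. The same reasoning explains why the zone-wide low values of 10,000 sit so far under their high values.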
Displaying Statistics Information of Specified IP Address
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the Firewall module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enter zone view.
[secblade] firewall zone trust
# Enable the outbound IP packet statistics function in the zone to perform statistics on source addresses.
[secblade-zone-trust] statistic enable ip outzone
# Enable the inbound IP packet statistics function in the zone to perform statistics on destination addresses.
[secblade-zone-trust] statistic enable ip inzone
# Display statistics of connections initiated from 10.0.0.1 in the trust zone to the external zone.
<secblade> display firewall statistics ip 10.0.0.1 source-ip
# Display statistics of connections initiated from the external zone to 10.0.0.1 in the trust zone.
<secblade> display firewall statistics ip 10.0.0.1 destination-ip
Attack Prevention Troubleshooting
Fault 1: The SYN Flood attack prevention function does not take effect.
Troubleshooting: Perform the following checks.
1 Check whether the SYN Flood attack prevention function is enabled for the destination zone or for the destination IP.
2 Check whether the SYN Flood attack prevention function is enabled in the global scope.
3 Check whether the inbound IP statistics function is enabled in the destination zone or in the zone to which the destination IP belongs.
Fault 2: The address scanning attack prevention function does not take effect.
Troubleshooting: Perform the following checks.
1 Check whether the address scanning attack prevention function is enabled.
2 Check whether the outbound IP statistics function is enabled in the zone to which the scanning source belongs.
Introduction to Log 181
11 LOG MAINTENANCE
Introduction to Log Types
The log function saves system messages and packet filtering actions to a buffer or sends them to a log host. By analyzing and managing log information, network administrators can detect security holes and identify attack types; real-time log records also help detect ongoing intrusions.
The Firewall module handles the various attacks and events uniformly and standardizes the log formats and statistics, ensuring a consistent log style and sound log functions.
The Firewall module includes the following log information:
■ NAT/ASPF log
■ Attack prevention log
■ Traffic monitoring log
■ Black list log
■ Address binding log
Output principle
On the Firewall module, log information can be output in binary-flow format or in Syslog format. Figure 32 shows the corresponding relationship between log type and log output format.
Figure 32 Log output principles on the Firewall module
(Figure not reproduced. It shows the attack defence, blacklist, address binding and traffic statistics components sending their log information to the information center, which outputs it as Syslog log to the console, a monitoring terminal, the log buffer (redirection) or a log server; the NAT/ASPF component sends its log information as binary-flow log directly to the log server.)
182 CHAPTER 11: LOG MAINTENANCE
In the Firewall module, log information about attack prevention, traffic monitoring, blacklist and address binding is generated in small volumes, so these logs are output in Syslog format. They are sent to the Comware-based information center for log management and redirection, where you can choose either to display the log information on the terminal screen or to output the Syslog log to a log server for storage and analysis.
NAT/ASPF log information, by contrast, is generated in large volumes, so the system outputs this log traffic directly in binary format to the log server for storage and analysis, bypassing the Comware-based information center. The transmission efficiency of binary-flow log is therefore higher than that of Syslog log.
Configuring Syslog Log
Syslog configuration includes:
■ Configuring Syslog log output format
■ Configuring the sweep time for the Syslog log buffer
■ Configuring the log redirection of the information center
Configuring Syslog Log Output Format
Use this command to configure the output mode of the log to text format.
Perform the following configuration in system view.
Table 196 Configure the output mode of the log to text format
Operation: Configure the output mode of the log to text format
Command: firewall session log-type syslog
By default, the output mode of the log is Syslog.
Configuring the Log Redirection for the Information Center
Generally, the log information exported to the information center is redirected in the following ways:
■ Export information to the local console through the Console port.
■ Export information to a remote Telnet terminal, which can be used for remote maintenance.
■ Allocate a log buffer of suitable size inside the Firewall module to record information.
■ Configure a log server to which the information center sends information directly; the information is saved as a file that you can view at any time.
■ Allocate a trap buffer of suitable size inside the Firewall module to record information.
■ Export information to the SNMP agent.
Perform the following configuration in system view.
Table 197 Configure the log redirection for the information center
Operation: Export information to the console
Command: info-center console channel { channel-number | channel-name }
Operation: Export information to the Telnet terminal or dumb terminal
Command: info-center monitor channel { channel-number | channel-name }
Operation: Export information to SNMP
Command: info-center snmp channel { channel-number | channel-name }
Operation: Set the log buffer size, and set the information channel to the log buffer
Command: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *
Operation: Set the information channel to the log host and other parameters
Command: info-center loghost X.X.X.X [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] *
Operation: Set the trap buffer size, and set the information channel to the trap buffer
Command: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
Binary-Flow Log Configuration 183
Binary-Flow Log Configuration
Binary-flow log configuration includes:
■ Enabling binary-flow log output in interzone
■ Configuring host address and port of receiving binary-flow log
Enabling/Disabling Binary-Flow Log Output in Interzone
Use the following commands to enable or disable interzone binary-flow log.
Perform the following configuration in interzone view.
Table 198 Enable interzone binary-flow log output
Operation: Enable output of the binary-flow log matching an ACL
Command: session log enable [ acl-number access-list ]
Operation: Disable interzone binary-flow log output
Command: undo session log enable
By default, binary-flow log is disabled.
Configuring Host Address and Port of Receiving Binary-Flow Log
Use this command to configure the host address and port of receiving binary-flow log.
Perform the following configuration in system view.
Table 199 Configuring host address and port of receiving binary-flow log
Operation: Configure host address and port of receiving binary-flow log
Command: firewall session log-type binary host ipaddr port
Operation: Delete the host address and port of receiving binary-flow log and restore the default log output format
Command: undo firewall session log-type
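The log server named in Table 197 (info-center loghost X.X.X.X with its facility local-number option) receives the Syslog log and stores it as a file. The Python listener below is an added example of such a log host, not 3Com or Comware code. It assumes the BSD syslog datagram framing: an ASCII <PRI> prefix, where PRI = facility * 8 + severity, followed by the message text. The Comware message body itself is not shown on this page, so the sample datagrams are constructed, and treating local7 as the configured facility is an assumption; both are marked in the code.

```python
"""Minimal Syslog log host for 'info-center loghost' output. Added example,
not Comware code; assumes <PRI> framing, constructed sample messages, and
local7 as the facility configured on the firewall."""
import re
import socket
import threading
import time
from typing import Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL0 = 16                     # facilities local0..local7 are numbered 16..23
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram: bytes) -> Optional[dict]:
    """Split one syslog datagram into facility, severity and message text.
    Datagrams without a valid <PRI> prefix are rejected (None) so that stray
    traffic on the port is not written to the log as if it were firewall output."""
    m = PRI_RE.match(datagram.decode("ascii", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                            # 23 * 8 + 7 is the largest valid PRI
        return None
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8], "text": m.group(2).strip()}


def format_record(rec: dict, expected_facility: int) -> str:
    """One line for the log file. Records whose facility differs from the one
    configured with 'facility local-number' are tagged, so that messages from
    some other sender on the same port stand out during analysis."""
    tag = "" if rec["facility"] == expected_facility else " [unexpected-facility]"
    return f'{rec["severity"]:>7}{tag} {rec["text"]}'


def serve(sock: socket.socket, sink: list, expected_facility: int,
          stop: threading.Event) -> None:
    """Receive datagrams on an already-bound UDP socket until `stop` is set."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            continue
        rec = parse_syslog(data)
        if rec is not None:
            sink.append(format_record(rec, expected_facility))


def run_demo() -> list:
    """Stand up a log host on loopback and send it constructed datagrams."""
    sink, stop = [], threading.Event()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))            # UDP 514 would need privileges
        port = rx.getsockname()[1]
        t = threading.Thread(target=serve, args=(rx, sink, LOCAL0 + 7, stop))
        t.start()
        # Constructed messages, not real Comware output: local7/info, then a
        # mail/warning message from an unrelated sender, then junk.
        tx.sendto(b"<190>constructed: blacklist entry added for 50.0.0.1", ("127.0.0.1", port))
        tx.sendto(b"<20>constructed: message from an unrelated host", ("127.0.0.1", port))
        tx.sendto(b"garbage without a PRI", ("127.0.0.1", port))
        time.sleep(0.5)
        stop.set()
        t.join()
    return sink


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Rejecting datagrams without a PRI and tagging unexpected facilities are the two checks worth keeping in any log host fed by the information center: the port is unauthenticated UDP, so the file it writes should make it obvious which lines did not come from the configured sender.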
Clearing Log
Execute the reset command in user view to clear the log buffer.
Table 200 Display and debug log
Operation: Clear the log buffer on the firewall
Command: reset firewall log-buff { defend | session | statistics | http | smtp }
Log Configuration Example
Outputting Attack Prevention Log to Host
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure aggregation of the Firewall module interfaces (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the information center and set the IP address of the log host in the trust zone to 10.0.0.1.
[secblade] info-center enable
[secblade] info-center loghost 10.0.0.1 language english
# Enable the port-scan attack prevention function, which adds the attacker's source address to the blacklist, set the blacklist aging time to 10 minutes, and enable the blacklist function.
[secblade] firewall defend port-scan max-rate 100 blacklist-timeout 10
[secblade] firewall blacklist enable
# Enable IP outbound packet statistics in the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] statistics enable ip outzone
You can use a tool such as nmap on the PC in the untrust zone to port-scan the server in the trust zone. The firewall then adds the address of the PC to the blacklist (with the aging time set to 10 minutes) and immediately outputs blacklist log information. When the attack prevention scan interval has elapsed, the system outputs log information about the UDP port-scan attack.
Outputting Binary-Flow Log to Host
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit
# Configure the IP address.
[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit
Log Configuration Example 187
# Configure the static route.
[SW8800] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the aggregation of the Firewall module interface (the module resides in slot 2).
[SW8800] secblade aggregation slot 2
# Create a SecBlade test.
[SW8800] secblade test
# Specify the Firewall module interface VLAN.
[3Com-secblade-test] secblade-interface vlan-interface 30
# Set the protected VLAN.
[3Com-secblade-test] security-vlan 50 60
# Map the module to the specified slot.
[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit
# Log into the module on the specified slot.
<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view
# Create the sub-interface.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the ACL rule.
[secblade] acl number 3000
[secblade-acl-adv-3000] rule permit ip source 10.0.0.0 0.0.0.255
# Enter interzone mode and enable binary-flow log switch matching ACL.
[secblade] firewall interzone trust untrust
[secblade-interzone-trust-untrust] session log enable acl-number 3000
# Configure the binary-flow log output format and set the IP address of log host and the interface receiving log.
[secblade] firewall session log-type binary host 10.0.0.5 9002
You can then connect from the PC in the untrust zone to the server in the trust zone through FTP and observe that the firewall outputs a binary-flow log record for the established connection.
12 RELIABILITY OVERVIEW
Note: The content below applies to the Firewall and IPsec modules, so the command views in this document apply to the modules and not to the Switch 8800 Family switches.
Introduction to Reliability
During communication, any software or hardware error, for example a network device or line fault, may disrupt the connection and cause transmission failure. To avoid these situations, Comware provides the virtual router redundancy protocol (VRRP) and hot backup technologies to ensure that a backup scheme is available when faults occur. This keeps communication running and makes the network more robust and reliable.
VRRP improves the reliability of connections to outside networks and, as such, is well suited to multicast or broadcast LANs such as Ethernet. Multiple routers can form a standby group, or virtual router, that acts as the only egress gateway for the local network; these routers are transparent to the local network. In the standby group, one router forwards packets, a backup router stands ready to replace the active router, and the other routers listen. If the active router fails, the backup router takes over and the other routers elect a new backup router from among themselves. This improves reliability and allows the local hosts to continue operating without any modification.
190 CHAPTER 12: RELIABILITY OVERVIEW
13 VRRP CONFIGURATIONS
Introduction to VRRP
Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. Normally, you configure a default route for the hosts on a network, for example 10.100.10.1 in the following figure. All packets destined for the external network are sent over this default route to Router, which provides access to the external networks. When Router fails, all the hosts using Router as their default next-hop router are isolated from the external network.
Figure 33 Network diagram for a LAN
VRRP was designed to address this problem on multicast and broadcast LANs such as Ethernet.
The following figure illustrates how VRRP is implemented.
VRRP combines a group of routers on a LAN (including a master and multiple backups) into a virtual router called standby group.
192 CHAPTER 13: VRRP CONFIGURATIONS
Figure 34 VRRP networking diagram
This virtual router has its own IP address: 10.100.10.1 (it can be the interface address on a router in the standby group). The routers in the standby group also have their own IP addresses: 10.100.10.2 for the master and 10.100.10.3 for a backup router for example.
The hosts on the LAN, however, only know the IP address of this virtual router, 10.100.10.1, and use it as the address of the default next-hop router when communicating with the external network.
When the master in the standby group fails, the backup routers in the standby group elect a new master to take over, allowing the hosts on the network to communicate with the external network without interruption.
For more information about VRRP, refer to RFC 2338.
Configuring VRRP The basic VRRP configuration tasks are described in the following sections:
■ “Adding or Deleting a Virtual IP Address”
■ “Configuring Priority in a Standby Group”
■ “Configuring Preemption Mode and Preemption Delay”
The advanced VRRP configuration tasks are described in the following sections:
■ “Configuring Authentication Mode and Authentication Key”
■ “Configuring the Adver_Timer of VRRP”
■ “Configuring Interface Tracking”
■ “Enabling/Disabling Virtual IP Address Pinging”
■ “Enabling/Disabling TTL Check for VRRP Packets”
Adding or Deleting a Virtual IP Address
You may assign an IP address on this network segment to a virtual router (standby group), or delete the specified virtual IP address or all virtual IP addresses from its virtual address list.
Perform the following configuration in interface view.
Table 201 Add/delete a virtual IP address
Operation | Command
Add a virtual IP address. | vrrp vrid virtual-router-ID virtual-ip virtual-address
Delete the specified or all virtual IP addresses. | undo vrrp vrid virtual-router-ID virtual-ip virtual-address
The standby group number virtual-router-ID is in the range 1 to 255. The virtual IP address can be an unassigned address on the network segment to which the standby group belongs, or the IP address of an interface in the standby group. In the latter case, the security gateway owning that IP address is called the IP address owner.
The system creates a standby group the first time you assign a virtual IP address to it. When you assign further virtual IP addresses to the group, the system only adds them to the virtual IP address list of the standby group. An interface can be assigned to up to 14 standby groups, and one standby group can hold up to 16 virtual IP addresses.
Note that before you can configure a standby group, you must create it by assigning a virtual IP address to it. Deleting the last virtual IP address from a standby group also deletes the standby group, and all of its configuration becomes invalid.
Configuring Priority in a Standby Group
In VRRP, the role that a security gateway plays in a standby group depends on its priority. The security gateway with the highest priority becomes the master.
The priority is in the range 0 to 255, with a larger number indicating a higher priority. The configurable range, however, is 1 to 254: priority 0 is reserved for special use and 255 for the IP address owner.
Perform the following configuration in interface view.
Table 202 Configure the priority of the interface in the standby group
Operation | Command
Configure the priority of the interface in the standby group. | vrrp vrid virtual-router-ID priority priority-value
Restore the default value. | undo vrrp vrid virtual-router-ID priority
The priority is 100 by default.
Note: The IP address owner has two priorities: configurable and operating. The configurable priority is the one assigned using the vrrp vrid command; the operating priority is always 255 and cannot be configured.
Configuring Preemption Mode and Preemption Delay
In non-preemption mode, once a security gateway in the standby group becomes the master and operates normally, other security gateways cannot preempt it, even if they are assigned a higher priority later. A security gateway working in preemption mode, however, can preempt a master with a lower priority; the existing master then becomes a backup.
When enabling preemption in a standby group, you can configure a delay using the vrrp vrid command, so that the backup waits for a while before preempting the existing master. This prevents frequent state transitions on an unstable network, where the security gateways in the standby group may fail to receive packets from the master regularly because of network congestion.
The delay is in the range 0 to 255 seconds.
Perform the following configuration in interface view.
Table 203 Configure the preemption mode and preemption delay for a standby group
Operation | Command
Enable preemption and configure preemption delay for a standby group. | vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
Disable preemption in the standby group. | undo vrrp vrid virtual-router-ID preempt-mode
The default mode is preemption without delay.
Note: After you disable preemption, the preemption delay automatically becomes 0 seconds.
Configuring Authentication Mode and Authentication Key
VRRP provides two authentication modes: simple (simple text authentication) and MD5.
On a secure network, you can use the default, where no authentication key is required. In this way, the security gateway authenticates neither the VRRP packets it sends nor those it receives.
On a network where potential threats are present, you can set the authentication mode to simple, where the authentication key must not be longer than eight bytes. When the security gateway sends a VRRP packet, it fills the authentication key into the packet. When it receives a VRRP packet, it compares the authentication key in the packet with the one it retains. If they are the same, the packet is considered genuine and legitimate; otherwise, the packet is considered illegitimate and is discarded.
On an unsafe network, you can set the authentication mode to MD5, where the authentication key must not be longer than eight bytes. This allows the security gateway to authenticate VRRP packets using the authentication method provided by the authentication header (AH) and the MD5 algorithm. The length of the authentication key can be either up to eight characters or exactly 24 characters: if you enter it in plain text, the length ranges from one to eight characters, such as 1234567; if you enter it in encrypted text, the length must be 24 characters, such as (TT8F]Y5SQ=^Q‘MAF4<1!!.
The security gateway discards the packets that fail authentication and sends traps.
Perform the following configuration in interface view.
Table 204 Configure the authentication mode and authentication key
Operation | Command
Configure the authentication mode and authentication key. | vrrp authentication-mode { md5 key | simple key }
Restore the default. | undo vrrp authentication-mode
By default, the security gateway does not authenticate VRRP packets.
Note: For the standby groups on the same interface, you must set the same authentication mode and authentication key.
Configuring the Adver_Timer of VRRP
In a VRRP standby group, the master security gateway tells the other security gateways that it is alive by sending VRRP packets regularly. If no VRRP packets are received within a specified period, a backup assumes that the master has failed and changes its state to master. The VRRP packet sending interval and the state transition of the backup are controlled by two timers: Adver_Timer and Master_Down_Timer.
The Master_Down_Timer is about three times the Adver_Timer. Either heavy traffic or differences in the timer settings on the security gateways can make the Master_Down_Timer expire abnormally, causing a state transition. One solution to this problem is to set the Adver_Timer (in seconds) to a greater value and/or configure a preemption delay.
Perform the following configuration in interface view.
Table 205 Configure the Adver_Timer of VRRP
Operation | Command
Configure the Adver_Timer of VRRP. | vrrp vrid virtual-router-ID timer advertise adver-interval
Restore the default. | undo vrrp vrid virtual-router-ID timer advertise
The adver-interval argument is in the range 1 to 255 seconds and defaults to 1 second.
Configuring Interface Tracking
The interface tracking function extends the backup functionality of VRRP. It provides backup not only when the interface to which a standby group is assigned fails, but also when other interfaces on the security gateway become unavailable. This is achieved by tracking those interfaces: when a tracked interface goes down, the priority of the security gateway owning that interface automatically decreases by the value specified by priority-reduced, allowing a higher-priority security gateway in the standby group to take over as the master.
Perform the following configuration in interface view.
The priority-reduced argument defaults to 10.
Note: You cannot configure interface tracking on the security gateway that is the IP address owner.
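The election, preemption and tracking rules described in the sections above, as an added Python model; this is not 3Com code and is not part of the original manual. The gateway names and addresses come from the single-standby-group example later in this chapter (SecBlade_A with priority 120 and preemption, SecBlade_B at the defaults); the 5-second preemption delay, the tracked uplink with a reduction of 30, and the floor of 1 on a reduced priority are assumptions of the example. The Master_Down interval follows RFC 2338 (three advertisement intervals plus a priority-dependent skew), which is the "about three times the Adver_Timer" stated on the page.

```python
"""Model of VRRP master election as described on this page: operating priority
(255 for the IP address owner, configured priority otherwise, lowered by interface
tracking), preemption mode with delay, and the Master_Down timer derived from the
Adver_Timer (RFC 2338). Names and addresses are constructed from the page's example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PRIORITY_OWNER = 255        # operating priority of the IP address owner (not configurable)
DEFAULT_PRIORITY = 100      # page default
DEFAULT_REDUCTION = 10      # page default for 'reduced priority-reduced'


@dataclass
class Gateway:
    name: str
    ip: str                                        # interface address in the group's subnet
    priority: int = DEFAULT_PRIORITY               # configured priority, 1..254
    preempt: bool = True                           # page default: preemption without delay
    preempt_delay: int = 0                         # seconds, 0..255
    tracked: Dict[str, Tuple[bool, int]] = field(default_factory=dict)  # iface -> (is_up, reduction)
    alive: bool = True


@dataclass
class StandbyGroup:
    vrid: int
    virtual_ips: List[str]
    adver_int: int = 1                             # Adver_Timer in seconds
    members: List[Gateway] = field(default_factory=list)
    master: Optional[Gateway] = None


def operating_priority(gw: Gateway, group: StandbyGroup) -> int:
    """Priority used in the election: 255 for the IP owner, else configured minus tracking."""
    if gw.ip in group.virtual_ips:
        return PRIORITY_OWNER
    prio = gw.priority
    for is_up, reduction in gw.tracked.values():
        if not is_up:
            prio -= reduction
    return max(prio, 1)   # assumption: never below 1, since 0 is reserved


def master_down_interval(gw: Gateway, group: StandbyGroup) -> float:
    """RFC 2338: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    Skew_Time = (256 - Priority) / 256 seconds (the page's 'about three times')."""
    return 3 * group.adver_int + (256 - operating_priority(gw, group)) / 256


def elect(group: StandbyGroup) -> Optional[Gateway]:
    """Highest operating priority wins; ties go to the higher primary IP (RFC 2338)."""
    alive = [g for g in group.members if g.alive]
    if not alive:
        return None
    return max(alive, key=lambda g: (operating_priority(g, group), int(IPv4Address(g.ip))))


def preempt_decision(group: StandbyGroup, candidate: Gateway) -> Tuple[bool, int]:
    """Whether the best candidate takes over from the current master, and after what delay."""
    current = group.master
    if current is None or not current.alive:
        return True, 0                              # no working master: take over at once
    if candidate is current:
        return False, 0
    if operating_priority(candidate, group) <= operating_priority(current, group):
        return False, 0
    if not candidate.preempt:
        return False, 0                             # non-preemption mode leaves a working master alone
    return True, candidate.preempt_delay


def settle(group: StandbyGroup) -> Tuple[Optional[str], int]:
    """Run one election round; returns (master name, seconds before the takeover happens)."""
    candidate = elect(group)
    if candidate is None:
        group.master = None
        return None, 0
    take_over, delay = preempt_decision(group, candidate)
    if take_over:
        group.master = candidate
    return group.master.name, delay if take_over else 0


def build_example_group() -> StandbyGroup:
    """Constructed from the page's example; delay 5 s and the tracked uplink are assumptions."""
    a = Gateway("SecBlade_A", "30.0.0.1", priority=120, preempt=True, preempt_delay=5,
                tracked={"GigabitEthernet0/0.2": (True, 30)})
    b = Gateway("SecBlade_B", "30.0.0.2")
    return StandbyGroup(1, ["30.0.0.100"], members=[a, b])


def run_scenario() -> List[Tuple[str, Optional[str], int]]:
    """Walk a failure/recovery sequence and record who is master after each event."""
    group = build_example_group()
    a = group.members[0]
    trace = []
    for event, action in [
        ("startup", lambda: None),
        ("A uplink down", lambda: a.tracked.update({"GigabitEthernet0/0.2": (False, 30)})),
        ("A uplink up", lambda: a.tracked.update({"GigabitEthernet0/0.2": (True, 30)})),
        ("A fails", lambda: setattr(a, "alive", False)),
        ("A recovers", lambda: setattr(a, "alive", True)),
    ]:
        action()
        master, delay = settle(group)
        trace.append((event, master, delay))
    return trace
```

Running run_scenario() shows the behaviour the page describes: the tracked uplink failure drops SecBlade_A to priority 90 so SecBlade_B preempts immediately (its delay is 0), while SecBlade_A only regains the master role after its 5-second preemption delay; with preempt=False on the higher-priority gateway, settle() leaves a working master in place.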
Table 206 Configure interface tracking
Operation | Command
Configure the interface to be tracked. | vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]
Stop tracking the specified interface. | undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]
Enabling/Disabling Virtual IP Address Pinging
This configuration enables users to ping the virtual IP addresses of standby groups. According to VRRP, the virtual IP addresses of standby groups cannot be pinged, so users cannot use the ping command to determine whether an IP address is assigned to a standby group. If a host on the network happens to use the same IP address as a standby group, all packets on the network are forwarded to that host, and the data on this network segment cannot be forwarded properly.
However, you can use the following configuration to enable users to ping the virtual IP addresses of standby groups.
Perform the following configuration in system view.
Table 207 Enable/disable virtual IP address pinging
Operation | Command
Enable virtual IP address pinging. | vrrp ping-enable
Disable virtual IP address pinging. | undo vrrp ping-enable
By default, virtual IP address pinging is disabled.
Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command or its undo form.
Enabling/Disabling TTL Check for VRRP Packets
This configuration disables TTL checking of VRRP packets on the backup switch. According to VRRP, the TTL value of VRRP packets must be 255. If the backup switch detects that the TTL value of a packet is not 255, it drops the packet.
You can use the following configuration to disable the TTL check for VRRP packets.
Perform the following configuration in VLAN interface view.
Table 208 Enable/disable TTL check for VRRP packets
Operation | Command
Disable TTL check for VRRP packets. | vrrp un-check ttl
Restore TTL check for VRRP packets. | undo vrrp un-check ttl
By default, the backup switch checks the TTL value of VRRP packets.
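An added Python example, not code from the original manual or from 3Com, showing what the authentication and TTL checks in this section mean on the wire for RFC 2338 advertisements: a backup gateway accepts an advertisement only if its TTL is 255, its checksum verifies, and the authentication type and simple-text key match its own configuration. It also flags a differing virtual IP list or advertisement interval, which are the configuration inconsistencies the troubleshooting section at the end of this chapter asks you to look for. The MD5 mode is not modelled, since it relies on IP AH processing outside the VRRP payload. The packets, key and addresses are constructed for the example; the TTL is passed in separately, as it lives in the IP header.

```python
"""Validate a received VRRPv2 (RFC 2338) advertisement the way a backup gateway would:
TTL must be 255, the checksum must verify, the authentication type and (simple-text)
key must match the local group, and the advertised virtual IP list and interval must
agree with the local configuration. All packets are constructed test input."""
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2   # RFC 2338 authentication types
REQUIRED_TTL = 255


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum; a zero result over a whole packet means it verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    auth_type: int
    adver_int: int
    virtual_ips: List[str]
    auth_data: bytes


@dataclass
class LocalGroup:
    """What this gateway has configured for the standby group (the page's vrrp vrid commands)."""
    vrid: int
    virtual_ips: List[str]
    adver_int: int = 1
    auth_type: int = AUTH_NONE
    key: bytes = b""          # simple-text key, at most eight bytes as the page states


def build_advertisement(vrid, priority, virtual_ips, adver_int=1,
                        auth_type=AUTH_NONE, key=b"") -> bytes:
    """Constructed VRRPv2 advertisement (the part after the IP header), checksum filled in."""
    addrs = b"".join(IPv4Address(ip).packed for ip in virtual_ips)
    auth = key[:8].ljust(8, b"\x00")
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT, vrid,
                       priority, len(virtual_ips), auth_type, adver_int, 0)
    body = head + addrs + auth
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advertisement(data: bytes) -> Advertisement:
    """Parse and checksum-verify; raises ValueError on anything malformed."""
    if len(data) < 16:
        raise ValueError("shorter than minimum VRRP header")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", data[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    length = 8 + 4 * count + 8
    if len(data) < length:
        raise ValueError("address list truncated")
    if inet_checksum(data[:length]) != 0:
        raise ValueError("checksum failure")
    ips = [str(IPv4Address(data[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return Advertisement(vrid, prio, auth_type, adver_int, ips, data[8 + 4 * count:length])


def check_advertisement(ttl: int, data: bytes, local: LocalGroup) -> List[str]:
    """Return the reasons to reject the packet; an empty list means accept."""
    problems = []
    if ttl != REQUIRED_TTL:                       # the page's TTL check
        problems.append("ttl %d is not 255" % ttl)
    try:
        adv = parse_advertisement(data)
    except ValueError as exc:
        return problems + ["malformed: %s" % exc]
    if adv.vrid != local.vrid:
        return problems + ["vrid %d is not ours" % adv.vrid]
    if adv.auth_type != local.auth_type:
        problems.append("authentication mode mismatch")
    elif adv.auth_type == AUTH_SIMPLE and not hmac.compare_digest(
            adv.auth_data, local.key[:8].ljust(8, b"\x00")):
        problems.append("authentication key mismatch")   # constant-time compare of the key field
    # Consistency checks from the troubleshooting section: same interval, same virtual IPs
    if adv.adver_int != local.adver_int:
        problems.append("adver_interval %d differs from local %d" % (adv.adver_int, local.adver_int))
    if sorted(adv.virtual_ips) != sorted(local.virtual_ips):
        problems.append("virtual IP list differs from local configuration")
    return problems
```

A packet with the wrong TTL, a tampered byte (checksum failure) or a different simple-text key is rejected with the reason recorded, which is the information you would want in the trap the page says is sent on authentication failure; a packet that passes authentication but advertises a different interval or virtual IP list is the "inconsistent configuration" case from the troubleshooting section.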
Displaying and Debugging VRRP
After completing the above configurations, you can execute the display command in any view to view the operating state of VRRP and verify the effect of the configuration.
Execute the debugging command in user view.
You can enable or disable VRRP packet debugging and VRRP state debugging.
Table 209 Display and debug VRRP
Operation | Command
Display state information about VRRP. | display vrrp [ interface type number [ virtual-router-ID ] ]
Enable VRRP packet debugging. | debugging vrrp packet
Disable VRRP packet debugging. | undo debugging vrrp packet
Enable VRRP state debugging. | debugging vrrp state
Disable VRRP state debugging. | undo debugging vrrp state
By default, VRRP debugging is disabled.
VRRP Configuration Examples
VRRP Single Standby Group Example 1
Network requirements
As shown in Figure 35, two modules are inserted into a Switch 8807. The two modules run VRRP and provide a virtual IP address for the switch to implement redundant backup. Normally, the data stream to the Internet passes through SecBlade_A. When SecBlade_A fails, all data streams to the Internet pass through SecBlade_B.
Network diagram
Figure 35 VRRP network diagram
(Figure 35 labels: S 8800 with Vlan 10 at 10.0.0.254/24, Vlan 20 at 20.0.0.254/24, Vlan 30 at 30.0.0.254/24 and Vlan 50; PC_A 10.0.0.1/24; PC_B 20.0.0.1/24; SecBlade_A 30.0.0.1/24 and 50.0.0.1/24; SecBlade_B 30.0.0.2/24 and 50.0.0.2/24; Virtual IP 30.0.0.100/24; Internet.)
Configuration procedure
1 PC A
IP address: 10.0.0.1/24.
Gateway address: 10.0.0.254.
2 PC B
IP address: 20.0.0.1/24.
Gateway address: 20.0.0.254.
3 Switch 8807
# Divide VLANs.
<Switch 8807> system-view
[Switch 8807] vlan 10
[Switch 8807-vlan10] quit
[Switch 8807] vlan 20
[Switch 8807-vlan20] quit
[Switch 8807] vlan 30
[Switch 8807-vlan30] quit
[Switch 8807] vlan 50
[Switch 8807-vlan50] quit
# Configure the IP address.
[Switch 8807] interface vlan-interface 10
[Switch 8807-Vlan-interface10] ip address 10.0.0.254 24
[Switch 8807-Vlan-interface10] quit
[Switch 8807] interface vlan-interface 20
[Switch 8807-Vlan-interface20] ip address 20.0.0.254 24
[Switch 8807-Vlan-interface20] quit
[Switch 8807] interface vlan-interface 30
[Switch 8807-Vlan-interface30] ip address 30.0.0.254 24
[Switch 8807-Vlan-interface30] quit
# Configure the static route. The next hop is the virtual IP address of the VRRP standby group.
[Switch 8807] ip route-static 0.0.0.0 0 30.0.0.100
# Configure aggregation of interfaces on the SecBlade_A card (the module resides in slot 1).
[Switch 8807] secblade aggregation slot 1
# Create module test1 for SecBlade_A.
[Switch 8807] secblade test1
# Specify the Firewall module interface VLAN.
[Switch 8807-secblade-test1] secblade-interface vlan-interface 30
# Set the protected VLAN.
[Switch 8807-secblade-test1] security-vlan 50
# Map module test1 for SecBlade_A to the module of slot 1.
[Switch 8807-secblade-test1] map to slot 1
[Switch 8807-secblade-test1] quit
# Configure aggregation of interfaces on the SecBlade_B card (the module resides in slot 2).
[Switch 8807] secblade aggregation slot 2
# Create module test2 for SecBlade_B.
[Switch 8807] secblade test2
# Specify the Firewall module interface VLAN.
[Switch 8807-secblade-test2] secblade-interface vlan-interface 30
# Set the protected VLAN.
[Switch 8807-secblade-test2] security-vlan 50
# Map the SecBlade_B module to the module of slot 2.
[Switch 8807-secblade-test2] map to slot 2
[Switch 8807-secblade-test2] quit
[Switch 8807] quit
4 SecBlade_A
# Log into the SecBlade_A card of slot 1.
<Switch 8807> secblade slot 1
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_A> system-view
# Create the sub-interface.
[SecBlade_A] interface GigabitEthernet0/0.1
[SecBlade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade_A-GigabitEthernet0/0.1] ip address 30.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[SecBlade_A-GigabitEthernet0/0.1] quit
[SecBlade_A] interface GigabitEthernet0/0.2
[SecBlade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.2] quit
# Quit Firewall module configuration view.
[SecBlade_A] quit
<SecBlade_A> quit
[Switch 8807]
5 SecBlade_B
# Log into the SecBlade_B card of slot 2.
<Switch 8807> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_B> system-view
# Create the sub-interface.
[SecBlade_B] interface GigabitEthernet0/0.1
[SecBlade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade_B-GigabitEthernet0/0.1] ip address 30.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[SecBlade_B-GigabitEthernet0/0.1] quit
[SecBlade_B] interface GigabitEthernet0/0.2
[SecBlade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.2] quit
# Quit Firewall module configuration view.
[SecBlade_B] quit
<SecBlade_B> quit
[Switch 8807]
VRRP Single Standby Group Example 2
Network requirements
The VRRP standby group consisting of SecBlade_A and SecBlade_B serves as the default gateway of the hosts in VLAN 10. Hosts in VLAN 10 access the Internet through this gateway.
About the VRRP standby group: the standby group number is 1; the virtual IP address is 10.0.0.254; SecBlade_A functions as the Master, while SecBlade_B as the Backup. Preemption is enabled.
Network diagram
Figure 36 Network diagram for VRRP configuration
(Figure 36 labels: SecBlade_A in S 8800_A, 50.0.0.1/24 and 10.0.0.1/24; SecBlade_B in S 8800_B, 50.0.0.2/24 and 10.0.0.2/24; Vlan 50, Vlan 10, Trunk; Virtual IP address 10.0.0.254/24; PC A, PC B; the Internet.)
Configuration procedure
1 PC A
IP address: 10.0.0.50/24.
Gateway address: 10.0.0.254 (the virtual IP address of the standby group)
2 PC B
IP address: 10.0.0.60/24.
Gateway address: 10.0.0.254 (the virtual IP address of the standby group)
3 Switch 8807_A (SecBlade_A)
# Divide VLANs.
<Switch 8807_A> system-view
[Switch 8807_A] vlan 10
[Switch 8807_A-vlan10] quit
[Switch 8807_A] vlan 50
[Switch 8807_A-vlan50] quit
# Configure aggregation of the Firewall module interfaces (the module resides in slot 2).
[Switch 8807_A] secblade aggregation slot 2
# Create a SecBlade test.
[Switch 8807_A] secblade test
# Set the protected VLAN.
[Switch 8807_A-secblade-test] security-vlan 10 50
# Map the module to the specified slot.
[Switch 8807_A-secblade-test] map to slot 2
[Switch 8807_A-secblade-test] quit
[Switch 8807_A] quit
# Log into the module on the specified slot.
<Switch 8807_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_A> system-view
# Create the sub-interface.
[SecBlade_A] interface g0/0.1
[SecBlade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[SecBlade_A-GigabitEthernet0/0.1] quit
[SecBlade_A] interface g0/0.2
[SecBlade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.2] quit
# Quit Firewall module configuration view.
[SecBlade_A] quit
<SecBlade_A> quit
[Switch 8807_A]
4 Switch 8807_B (SecBlade_B)
# Divide VLANs.
<Switch 8807_B> system-view
[Switch 8807_B] vlan 10
[Switch 8807_B-vlan10] quit
[Switch 8807_B] vlan 50
[Switch 8807_B-vlan50] quit
# Configure aggregation of the two GigabitEthernet interfaces of the SecBlade (the SecBlade resides in slot 2).
[Switch 8807_B] secblade aggregation slot 2
# Create a SecBlade test.
[Switch 8807_B] secblade test
# Set the protected VLAN.
[Switch 8807_B-secblade-test] security-vlan 10 50
# Map the module to the specified slot.
[Switch 8807_B-secblade-test] map to slot 2
[Switch 8807_B-secblade-test] quit
[Switch 8807_B] quit
# Log into the module on the specified slot.
<Switch 8807_B> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_B> system-view
# Create the sub-interface.
[SecBlade_B] interface g0/0.1
[SecBlade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[SecBlade_B-GigabitEthernet0/0.1] quit
[SecBlade_B] interface g0/0.2
[SecBlade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.2] quit
# Quit Firewall module configuration view.
[SecBlade_B] quit
<SecBlade_B> quit
[Switch 8807_B]
In normal cases, SecBlade_A is responsible for the gateway work unless it is switched off or malfunctioning, in which case SecBlade_B takes over. Preemption mode is configured on SecBlade_A so that it resumes its gateway function as the Master when it recovers.
Multi-Standby Group Configuration Example
Network requirements
Such a multi-standby-group configuration implements load sharing. SecBlade_A serves as the Master of standby group 1 and at the same time as a backup of standby group 2, while SecBlade_B does the reverse, serving as the Master of standby group 2 and as a backup of standby group 1. PC A uses standby group 1 as its gateway, and PC B uses standby group 2 as its gateway. In this way, both data stream balancing and mutual standby are achieved.
Network diagram
Figure 37 Network diagram for VRRP configuration
(Figure 37 labels as extracted: Switch 8800 with Vlan10 at 10.0.0.254/24, Vlan20 at 20.0.0.254/24, Vlan30 at 30.0.0.254/24 and Vlan 50; PC_A 10.0.0.1/24; PC_B 20.0.0.1/24; SecBlade_A 30.0.0.1/24 and 50.0.0.1/24; SecBlade_B 30.0.0.2/24 and 50.0.0.2/24; Virtual IP 30.0.0.100/24; Internet.)
Configuration procedure
1 PC A
IP address: 10.0.0.50/24.
Gateway address: 10.0.0.253 (the virtual IP address of standby group 1)
2 PC B
IP address: 10.0.0.60/24.
Gateway address: 10.0.0.254 (the virtual IP address of standby group 2)
3 Switch 8807_A (SecBlade_A)
# Divide VLANs.
<Switch 8807_A> system-view
[Switch 8807_A] vlan 10
[Switch 8807_A-vlan10] quit
[Switch 8807_A] vlan 50
[Switch 8807_A-vlan50] quit
# Configure aggregation of two GigabitEthernet interfaces of the Firewall module (the module slot number is 2).
[Switch 8807_A] secblade aggregation slot 2
# Create a SecBlade test.
[Switch 8807_A] secblade test
# Set the protected VLAN.
[Switch 8807_A-secblade-test] security-vlan 10 50
# Map the module to the specified slot.
[Switch 8807_A-secblade-test] map to slot 2
[Switch 8807_A-secblade-test] quit
[Switch 8807_A] quit
# Log into the module on the specified slot.
<Switch 8807_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_A> system-view
# Create the sub-interface.
[SecBlade_A] interface g0/0.1
[SecBlade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[SecBlade_A-GigabitEthernet0/0.1] quit
[SecBlade_A] interface g0/0.2
[SecBlade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.2] quit
# Quit Firewall module configuration view.
[SecBlade_A] quit
<SecBlade_A> quit
[Switch 8807_A]
4 Switch 8807_B (SecBlade_B)
# Divide VLANs.
<Switch 8807_B> system-view
[Switch 8807_B] vlan 10
[Switch 8807_B-vlan10] quit
[Switch 8807_B] vlan 50
[Switch 8807_B-vlan50] quit
# Configure aggregation of two GigabitEthernet interfaces of the Firewall module (the module slot number is 2).
[Switch 8807_B] secblade aggregation slot 2
# Create a SecBlade test.
[Switch 8807_B] secblade test
# Set the protected VLAN.
[Switch 8807_B-secblade-test] security-vlan 10 50
# Map the module to the specified slot.
[Switch 8807_B-secblade-test] map to slot 2
[Switch 8807_B-secblade-test] quit
[Switch 8807_B] quit
# Log into the module on the specified slot.
<Switch 8807_B> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_B> system-view
# Create the sub-interface.
[SecBlade_B] interface g0/0.1
[SecBlade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 2 priority 120
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 2 preempt-mode
[SecBlade_B-GigabitEthernet0/0.1] quit
[SecBlade_B] interface g0/0.2
[SecBlade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.2] quit
# Quit the Firewall module configuration view.
[SecBlade_B] quit
<SecBlade_B> quit
[Switch 8807_B]
VRRP Troubleshooting
The configuration of VRRP is simple. You can locate most problems by checking the output of the display and debugging commands. The following presents some troubleshooting cases.
Symptom 1:
The console screen displays error prompts frequently.
Solution:
Check that the received VRRP packets are correct.
The security gateway may receive an incorrect VRRP packet for two reasons: its configuration is inconsistent with that on another security gateway in the standby group; a device is attempting to send illegitimate VRRP packets. In the first case, modify the configuration. In the second case, you must resort to non-technical measures.
Symptom 2:
Multiple master security gateways are present in the same standby group.
Solution:
If multiple masters are present only for a short period, this is normal and requires no manual intervention. If it lasts longer, you must check that these masters can receive VRRP packets and that the received packets are legitimate.
Do the following:
Have these masters ping each other.
If they can be pinged, check that their configurations are consistent, making sure that the same number of virtual IP addresses, the configured virtual IP addresses, timer setting and authentication mode are configured for the same VRRP standby group.
If they cannot be pinged, check for other reasons.
Symptom 3:
Frequent VRRP state transition is present.
Solution:
Set the Adver_Timer of the standby group to a larger value or configure a preemption delay.
14 FIREWALL CONFIGURATION COMMANDS
Firewall Configuration Commands
default-login-user
Syntax
default-login-user
undo default-login-user
View
Firewall system view
Parameter
None
Description
Use the default-login-user command to enable default Firewall login user function.
Use the undo default-login-user command to disable default Firewall login user function.
For login convenience, a user whose name and password are both SecBlade is created in the Firewall module.
By default, the Firewall login user function is enabled. That is, the user created internally in the Firewall module is allowed to log into the module.
Note: This command is configured on the Firewall module.
Example
# Disable default Firewall module login user function.
[SecBlade_FW] undo default-login-user
display secblade module
Syntax
display secblade module [sec-mod-name ]
View
Any view of the switch
Parameter
sec-mod-name: The module name.
210 CHAPTER 14: FIREWALL CONFIGURATION COMMANDS
Description
Use the display secblade module command to view the Firewall module information.
Example
# Display the Firewall module information.
[SW8800] display secblade module newsec
module newsec:
security-vlan: 10,20,30
secblade-interface: Vlan-interface192
vlan passing: 10,20,30,192
map to slot: 5
map to slot
Syntax
map to slot slot-number
undo map to slot slot-number
View
Firewall module view of the switch
Parameter
slot-number: The number of the slot where the Firewall module is located.
Description
Use the map to slot command to map the current module to the Firewall module corresponding to the slot number.
Use the undo map to slot command to cancel the mapping relation.
By default, no module is mapped to any card.
Example
# Map the current module to the Firewall module in slot 2.
[3Com-secblade-newsec] map to slot 2
secblade aggregation slot
Syntax
secblade aggregation slot slot-number
undo secblade aggregation slot slot-number
View
System view of the switch
Parameter
slot-number: The number of slot where the Firewall module is located.
Description
Use the secblade aggregation slot command to configure the Firewall module interface aggregation.
Use the undo secblade aggregation slot command to cancel the configuration.
Two internal GigabitEthernet interfaces connect the Firewall module to the switch. You can aggregate these two interfaces into one logical interface to provide greater interface bandwidth.
By default, the interface is not aggregated. Only one GigabitEthernet interface can be used.
Note: When you use the secblade aggregation slot command to configure the Firewall module interface aggregation, the Firewall module will occupy the resources occupied by other aggregation groups if aggregation resources are not sufficient.
Example
# Set the interface aggregation for the Firewall module of slot 2.
[SW8800] secblade aggregation slot 2
secblade module
Syntax
secblade module sec-mod-name
undo secblade module sec-mod-name
View
System view of the switch
Parameter
sec-mod-name: Firewall module name, which must start with a letter or a digit.
Description
Use the secblade module command to create a Firewall module and enter the Firewall module view to configure the Firewall attribute.
Use the undo secblade module command to remove the Firewall module. You cannot remove the module if it has been mapped to a Firewall module.
Example
# Enter Firewall module View.
[SW8800] secblade module newsec
[3Com-secblade-newsec]
secblade slot
Syntax
secblade slot slot-number
View
User view of the switch
Parameter
slot-number: The number of slot where the Firewall module is located.
Description
Use the secblade slot command to log into the Firewall module.
Example
# Log into the Firewall module in slot 2.
<SW8800> secblade slot 2
secblade-interface
Syntax
secblade-interface vlan-interface interface-number
undo secblade-interface vlan-interface interface-number
View
Firewall module view of the switch
Parameter
interface-number: Number of the specified interface.
Description
Use the secblade-interface command to set an interface as a Layer 3 interface connecting the switch and SecBlade.
Use the undo secblade-interface command to cancel the configuration.
By default, the Layer 3 interface connecting the switch and SecBlade is not configured.
The VLAN which the specified VLAN interface corresponds to cannot belong to the security-vlan.
Example
# Set the VLAN interface 40 of the switch as the Layer 3 interface connecting the switch and SecBlade module.
[3Com-secblade-newsec] secblade-interface vlan-interface 40
security-vlan
Syntax
security-vlan vlan-range
undo security-vlan vlan-range
View
Firewall module view of the switch
Parameter
vlan-range: VLAN range.
Description
Use the security-vlan command to specify that all VLANs in the VLAN range are protected by SecBlade.
Use the undo security-vlan command to cancel the configuration.
By default, no VLAN is protected.
Example
# Set 10, 20 and 30 VLANs to be protected by SecBlade.
[3Com-secblade-newsec] security-vlan 10 20 30
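As an added example (not part of the 3Com reference), the following Python script parses the output shape shown for display secblade module and checks the constraints this chapter documents: the VLAN of the secblade-interface must not belong to the security-vlan, and a module with no security-vlan, no secblade-interface or no map to slot is still at its defaults and protects nothing. The sample output is constructed from the values of the display secblade module example above; accepting a-b ranges inside the VLAN lists is an assumption of this script, not something the reference states.

```python
import re

# Constructed sample shaped like the output of 'display secblade module newsec'
# shown in this reference; the values are the ones from that example.
SAMPLE_OUTPUT = """\
module newsec:
 security-vlan: 10,20,30
 secblade-interface: Vlan-interface192
 vlan passing: 10,20,30,192
 map to slot: 5
"""


def parse_vlan_list(text):
    """Expand a VLAN list such as '10,20,30' or '10-12,192' into a set of IDs.
    The a-b range form is an assumption; the reference only shows comma lists."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_secblade_module(output):
    """Return the fields of one module block as a dict; absent fields keep their defaults."""
    info = {"name": None, "security_vlans": set(), "interface_vlan": None,
            "passing_vlans": set(), "slot": None}
    for line in output.splitlines():
        line = line.strip()
        head = re.match(r"module\s+(\S+):", line)
        if head:
            info["name"] = head.group(1)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "security-vlan":
            info["security_vlans"] = parse_vlan_list(value)
        elif key == "secblade-interface":
            m = re.match(r"vlan-interface\s*(\d+)", value, re.IGNORECASE)
            info["interface_vlan"] = int(m.group(1)) if m else None
        elif key == "vlan passing":
            info["passing_vlans"] = parse_vlan_list(value)
        elif key == "map to slot":
            info["slot"] = int(value) if value.isdigit() else None
    return info


def check_secblade_module(info):
    """Return the list of problems found; an empty list means the module passes."""
    problems = []
    if not info["security_vlans"]:
        problems.append("no security-vlan: no VLAN is protected by the module (the default)")
    if info["interface_vlan"] is None:
        problems.append("no secblade-interface: the Layer 3 link to the module is not configured (the default)")
    elif info["interface_vlan"] in info["security_vlans"]:
        problems.append("secblade-interface VLAN %d is inside security-vlan, which the reference does not allow"
                        % info["interface_vlan"])
    if info["slot"] is None:
        problems.append("no map to slot: the module is not mapped to any Firewall card (the default)")
    return problems


if __name__ == "__main__":
    module = parse_secblade_module(SAMPLE_OUTPUT)
    for problem in check_secblade_module(module) or ["module %s: no problems found" % module["name"]]:
        print(problem)
```

Feed it the captured output of display secblade module for each module; the checks report only what the reference documents as defaults or as forbidden, so an empty result means the module is mapped, protects at least one VLAN and uses a Layer 3 interface outside the protected range.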
15
AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS
The commands described in this document apply to the Firewall module, and not to the Switch 8800 Family switches.
AAA Configuration Commands
access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: No limit to the supplicant number in the current ISP domain.
enable max-user-number: Specifies the maximum supplicant number in the current ISP domain, ranging from 1 to 1048.
Description
Use the access-limit command to configure a limit to the amount of supplicants in the current ISP domain.
Use the undo access-limit command to restore the limit to the default setting.
By default, there is no limit to the amount of supplicants in the current ISP domain.
This command limits the number of supplicants in the current ISP domain. Because supplicants compete for network resources, setting a suitable limit guarantees reliable performance for the existing supplicants.
Example
# Set a limit of 500 supplicants for the ISP domain 3com163.net.
[SecBlade_FW-isp-3com163.net] access-limit enable 500
accounting
Syntax
accounting { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name | none }
undo accounting
View
ISP domain view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme used for accounting.
radius-scheme radius-scheme-name: Specifies the RADIUS scheme used for accounting.
none: Indicates that no accounting scheme is adopted.
Description
Use the accounting command to configure the accounting scheme adopted by the current ISP domain.
Use the undo accounting command to delete the accounting scheme adopted by the current ISP domain.
By default, the system does not adopt any accounting scheme.
The adopted RADIUS/HWTACACS scheme which is specified by the accounting command for the current ISP domain must have been configured already.
If you configure the accounting command in domain view, the accounting scheme specified by this command will be adopted. Otherwise, the accounting scheme specified by the scheme command is adopted.
Related command: scheme, radius scheme, and hwtacacs scheme.
Example
# Specify the current ISP domain, h3c163.net, to adopt the RADIUS accounting scheme radius.
[SecBlade_FW-isp-h3c163.net] accounting radius-scheme radius
# Specify the current ISP domain, h3c, to adopt the HWTACACS accounting scheme hwtac.
[SecBlade_FW-isp-h3c] accounting hwtacacs-scheme hwtac
accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to enable optional accounting.
Use the undo accounting optional command to disable it.
By default, optional accounting is disabled.
With the accounting optional command, a user that would otherwise be disconnected can still use the network resources when no accounting server is available or the communication with the current accounting server fails. This command is normally used for authentication without accounting.
Example
# Enable optional accounting for users in the domain 3com163.net.
[SecBlade_FW] domain 3com163.net
[SecBlade_FW-isp-3com163.net] accounting optional
authentication
Syntax
authentication { hwtacacs-scheme hwtacacs-scheme-name [ local ] | radius-scheme radius-scheme-name [ local ] | local | none }
undo authentication
View
ISP domain view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme adopted for authentication.
radius-scheme radius-scheme-name: Specifies the RADIUS scheme adopted for authentication.
local: Local authentication scheme.
none: Indicates that no authentication scheme is adopted.
Description
Use the authentication command to configure the authentication scheme adopted by the current ISP domain.
Use the undo authentication command to restore the default authentication scheme.
By default, the local authentication scheme is adopted.
The adopted RADIUS/HWTACACS scheme which is specified by the authentication command for the current ISP domain must have been configured already.
If you configure the authentication command in domain view, the authentication scheme specified by this command will be adopted. Otherwise, the authentication scheme specified by the scheme command is adopted.
When the authentication radius-scheme radius-scheme-name local command or the authentication hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local authentication scheme applies as a backup scheme in case the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.
If the local or none scheme applies as the first scheme, no RADIUS or HWTACACS scheme can be adopted.
Related command: scheme, radius scheme, hwtacacs scheme.
Example
# Specify the current ISP domain, h3c163.net, to adopt the RADIUS authentication scheme radius.
[SecBlade_FW-h3c163.net] authentication radius-scheme radius
# Specify the ISP domain, h3c, to adopt the RADIUS authentication scheme rd and the local scheme to be the backup scheme.
[SecBlade_FW-isp-h3c] authentication radius-scheme rd local
# Specify the ISP domain, h3c, to adopt the HWTACACS authentication scheme hwtac and the local scheme to be the backup scheme.
[SecBlade_FW-isp-h3c] authentication hwtacacs-scheme hwtac local
authorization
Syntax
authorization { hwtacacs-scheme hwtacacs-scheme-name | none }
undo authorization
View
ISP domain view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme adopted for authorization.
none: Indicates that no authorization scheme is adopted.
Description
Use the authorization command to configure the authorization scheme adopted by the current ISP domain.
Use the undo authorization command to restore the default authorization scheme.
By default, the local authorization scheme is adopted.
The adopted RADIUS/HWTACACS scheme which is specified by the authorization command for the current ISP domain must have been configured already.
If you configure the authorization command in domain view, the authorization scheme specified by this command will be adopted. Otherwise, the authorization scheme specified by the scheme command is adopted.
Related command: scheme, radius scheme, hwtacacs scheme.
Example
# Specify the ISP domain h3c to adopt the HWTACACS authorization scheme hwtac.
[SecBlade_FW-isp-h3c] authorization hwtacacs-scheme hwtac
display connection
Syntax
display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
domain isp-name: Displays all the user connections belonging to the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.
ip ip-address: Displays all the user connections related to the specified IP address.
mac mac-address: Displays a user connection by specifying its hexadecimal MAC address in the format of x-x-x.
radius-scheme radius-scheme-name: Displays all the user connections of the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections of the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.
ucibindex ucib-index: Displays information on a user connection by specifying its connection index number, that is, ucib-index ranging from 0 to 7,071.
user-name user-name: Displays the connection information of a specific user. user-name is in the format pure-username@domain, where pure-username comprises up to 55 characters and domain is the domain name, consisting of up to 24 characters.
Description
Use the display connection command to view the relevant information on the specified user connection or all the connections. The output can help you troubleshoot user connections.
By default, information about all user connections is displayed.
Related command: cut connection.
Example
# Display information on the connections in the ISP domain system.
<SecBlade_FW> display connection domain system
 Index=0 ,Username=hfx@system
 IP=188.188.188.3
 Total 1 connections matched, 1 listed.
Table 210 Description on the fields of the display connection command
Field       Description
Index       Index number
Username    User name
IP          IP address of the user
display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Specifies the ISP domain name, a string of up to 24 characters. The specified ISP domain must be an existing one.
Description
Use the display domain command to view the configuration of a specified ISP domain or the summary information of all ISP domains.
If no domain name is specified, the summary information of all ISP domains is displayed.
If an ISP domain is specified, its configuration is displayed with the same content and format as the summary display. The output can help with ISP domain diagnosis and troubleshooting.
Related command: access-limit, domain, scheme, state, display domain.
Example
# Display the summaries of all ISP domains in the system.
<SecBlade_FW> display domain
 0 Domain = system
  State = Active
  Scheme = LOCAL
  Access-limit = Disable
  Domain User Template:
  Default Domain Name: system
 Total 1 domain(s).1 listed.
Table 211 Description on the fields of the display domain command
Field          Description
Domain         Domain name and sequence number
State          State of the domain user (active/block)
Scheme         Authentication scheme for the domain user (local/RADIUS/TACACS)
Access-limit   Whether to limit the number of accessed users (disable/enable)
display local-user
Syntax
display local-user [ domain isp-name | service-type { telnet | ssh | terminal | dvpn | ftp | ppp } | state { active | block } | user-name user-name ]
View
Any view
Parameter
domain isp-name: Displays all the local users in the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.
service-type: Displays local users by specifying the service type, which can be telnet for Telnet users, ssh for SSH users, terminal for terminal users logging in from the Console or AUX port, ftp for FTP users, ppp for PPP users, or dvpn for DVPN users.
state { active | block }: Displays local users by specifying user state, where active means users allowed to request network services and block means the opposite.
user-name user-name: Displays a user by specifying its user-name, a string of up to 80 characters. It must exclude forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be present once in a user name. The user name without domain name (the part before @, namely the user ID) cannot exceed 55 characters.
Description
Use the display local-user command to view the relevant information on the specified local user or all the local users. The output can help you troubleshoot faults related to local users.
By default, information on all local users is displayed.
Related command: local-user.
Example
# Display the relevant information of all the local users.
<SecBlade_FW> display local-user
 The contents of local user admin:
  State: Active
  ServiceType Mask: T
  Idle-cut: Disable
  Access-limit: Disable
  Current AccessNum: 0
  Bind location: Disable
  Vlan ID: Disable
  IP address: Disable
  MAC address: Disable
  User Privilege: 3
 The contents of local user ftpuser:
  State: Active
  ServiceType Mask: F
  Idle-cut: Disable
  Access-limit: Disable
  Current AccessNum: 0
  Bind location: Disable
  Vlan ID: Disable
  IP address: Disable
  MAC address: Disable
  FTP Directory: flash:
 Total 2 local user(s) Matched, 2 listed.
 ServiceType Mask Meaning: A--PAD C--Terminal D--DVPN F--FTP P--PPP S--SSH T-Telnet
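As an added example (not part of the 3Com reference), the following Python script parses the display local-user output shape shown above, expands the ServiceType Mask letters using the legend the command prints, and tags the accounts an administrator usually wants to look at first: users at privilege level 3, FTP users whose authorized directory is the flash: root, blocked users, and users with no service at all. The sample output is constructed in the shape of the example above; the second user has been given an SSH flag as well so that a multi-letter mask is exercised.

```python
# Letter-to-service mapping from the "ServiceType Mask Meaning" legend printed by the command.
SERVICE_MASK = {"A": "PAD", "C": "Terminal", "D": "DVPN", "F": "FTP",
                "P": "PPP", "S": "SSH", "T": "Telnet"}

# Constructed sample in the shape of the reference's example output; the second
# user carries an SSH flag in addition to FTP so that a multi-letter mask is tested.
SAMPLE_OUTPUT = """\
The contents of local user admin:
 State: Active
 ServiceType Mask: T
 Idle-cut: Disable
 Access-limit: Disable
 Current AccessNum: 0
 Bind location: Disable
 Vlan ID: Disable
 IP address: Disable
 MAC address: Disable
 User Privilege: 3
The contents of local user ftpuser:
 State: Active
 ServiceType Mask: FS
 Idle-cut: Disable
 Access-limit: Disable
 Current AccessNum: 0
 Bind location: Disable
 Vlan ID: Disable
 IP address: Disable
 MAC address: Disable
 FTP Directory: flash:
Total 2 local user(s) Matched, 2 listed.
ServiceType Mask Meaning: A--PAD C--Terminal D--DVPN F--FTP P--PPP S--SSH T-Telnet
"""

USER_HEADER = "The contents of local user "


def parse_local_users(output):
    """Group the 'key: value' lines of each user block under the user's name."""
    users, current = {}, None
    for line in output.splitlines():
        text = line.strip()
        if text.startswith(USER_HEADER) and text.endswith(":"):
            current = text[len(USER_HEADER):-1]
            users[current] = {}
            continue
        if text.startswith("Total ") or text.startswith("ServiceType Mask Meaning"):
            current = None          # trailer lines end the last user block
            continue
        if current is None or ":" not in text:
            continue
        key, _, value = text.partition(":")
        users[current][key.strip()] = value.strip()
    return users


def decode_mask(mask):
    """Expand a mask such as 'FS' into ['FTP', 'SSH']; unknown letters stay visible."""
    return [SERVICE_MASK.get(ch, "unknown(%s)" % ch) for ch in mask]


def review_local_users(output):
    """Return (users, notes): parsed users with decoded services, and (user, tag) pairs to review."""
    users = parse_local_users(output)
    notes = []
    for name, attrs in users.items():
        services = decode_mask(attrs.get("ServiceType Mask", ""))
        attrs["Services"] = services
        if attrs.get("State", "").lower() != "active":
            notes.append((name, "blocked"))             # account cannot request services
        if attrs.get("User Privilege") == "3":
            notes.append((name, "privilege-3"))         # top of the documented 0 to 3 range
        if "FTP" in services and attrs.get("FTP Directory", "").rstrip("/") == "flash:":
            notes.append((name, "ftp-root-directory"))  # FTP access to the whole flash: root
        if not services:
            notes.append((name, "no-service"))          # account exists but is authorized for nothing
    return users, notes


if __name__ == "__main__":
    users, notes = review_local_users(SAMPLE_OUTPUT)
    for name, attrs in users.items():
        print(name, attrs["Services"])
    for name, tag in notes:
        print("review:", name, tag)
```

The tags are deliberately neutral: a privilege 3 Telnet account or an FTP account rooted at flash: may be exactly what was intended, but they are the entries worth confirming against the intended local-user and service-type ftp configuration.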
Table 212 Description on the fields of the display local-user command
Field               Description
State               User state (active/block)
ServiceType Mask    Abbreviation for service type
Idle-cut            Idle-cut switch
Access-Limit        Limit of user connections
Current AccessNum   Number of the current login users
Bind location       Indicates if it is bound with the port
VLAN ID             VLAN for the user
IP address          User IP address
MAC address         User MAC address
FTP Directory       Directory authorized to FTP users
User Privilege      User level
domain
Syntax
domain [ isp-name | default { disable | enable isp-name } ]
undo domain isp-name
View
System view
Parameter
isp-name: Specifies an ISP domain name. It comprises up to 24 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).
default: Configures the default ISP domain. The system-default ISP domain is system.
disable: Disables the configured default ISP domain. Usernames that are received without a domain name are then refused. If you configure user names to be sent to RADIUS servers without domain names, these user names will not be rejected.
enable: Enables the configured default ISP domain. It is appended to the usernames that are received without a domain name before they are sent to the intended AAA servers. If you configure user names to be sent to RADIUS servers without domain names, these user names will not be appended with the default domain name.
Description
Use the domain command to configure an ISP domain or enter the view of an existing ISP domain.
Use the undo domain command to cancel a specified ISP domain.
By default, the system uses the domain named system. You cannot delete it, but you are allowed to modify its configuration. In addition, you can view its settings using the display domain command.
An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format (with "3com163.net" as the isp-name, for example), the isp-name following the "@" is the ISP domain name. When an AAA server controls user access, for an ISP user whose username is in userid@isp-name format, the system takes the part "userid" as the username for identification and takes the part "isp-name" as the domain name.
The purpose of introducing ISP domain settings is to support the application environment with several ISP domains. In this case, an access device may have supplicants from different ISP domains. Because the attributes of ISP users, such as username and password structures, service types, may be different, it is necessary to separate them by setting ISP domains. In ISP domain view, you can configure a complete set of ISP domain attributes for each ISP domain, including an AAA scheme (the RADIUS scheme applied).
For a security gateway, each supplicant belongs to an ISP domain. The system supports up to 16 ISP domains.
When this command is used, if the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.
Related command: access-limit, scheme, state, and display domain.
Example
# Create a new ISP domain, 3com163.net, and enter its view.
[SecBlade_FW] domain 3com163.net
New Domain added.
[SecBlade_FW-isp-3com163.net]
ip pool
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
View
System view, ISP domain view
Parameter
pool-number: Address pool number, ranging from 0 to 99.
low-ip-address and high-ip-address: The start and end IP addresses of the address pool. The number of in-between addresses cannot exceed 1024. If the end IP address is not specified, the pool contains only one IP address, namely the start IP address.
Description
Use the ip pool command to configure a local address pool for assigning addresses to PPP users.
Use the undo ip pool command to delete the specified local address pool.
By default, no local IP address pool is configured.
You can configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.
You can also configure an IP address pool in ISP domain view for assigning IP addresses to PPP users in the current ISP domain. This applies to the case where an interface serves a large number of PPP users but has inadequate address resources for allocation. For example, an Ethernet interface running PPPoE can accommodate 4095 users at most. However, only one address pool with up to 1024 addresses can be configured on its Virtual Template (VT). This is obviously far from what is required. To address the issue, you can configure address pools for ISP domains and assign addresses from them to their PPP users.
Related command: remote address.
Example
# Configure the local IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.
[SecBlade_FW] domain 3com163.net
[SecBlade_FW-isp-3com163.net] ip pool 0 129.102.0.1 129.102.0.10
level
Syntax
level level
undo level
View
Local user view
Parameter
level: Specifies user priority level, an integer ranging from 0 to 3.
Description
Use the level command to configure user priority level.
Use the undo level command to restore the default user priority level.
By default, user priority level is 0.
Related command: local user.
If the configured authentication mode is none authentication or password authentication, the command level that a user can access after login depends on the priority of the user interface. For the users employing RAS authentication, the accessible command level depends on the priority of the user interface. In the case of authentication requiring both username and password, however, the accessible command level depends on the user priority level.
Example
# Set the priority level of the 3com user to 3.
[SecBlade_FW-luser-3com] level 3
local-user
Syntax
local-user user-name
undo local-user user-name [ service-type | level ]
undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]
View
System view
Parameter
user-name: Specifies a local username with a string of up to 80 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 55 characters. user-name is case-insensitive, so UserA and usera are the same.
service-type: Service type.
all: All the users.
ftp: FTP service type.
ppp: PPP service type.
ssh: SSH service type.
telnet: Telnet service type.
terminal: Terminal service type.
Description
Use the local-user command to add a local user and enter the local user view.
Use the undo local-user user-name command to remove the specified local user or the related attributes of the specified local user.
Use the undo local-user all command to remove all local users or all local users of a specific service type.
By default, no local user is configured.
Related command: display local-user.
Example
# Add a local user named 3com1.
[SecBlade_FW] local-user 3com1
[SecBlade_FW-luser-3com1]
local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameter
cipher-force: Forced cipher mode specifies that the passwords of all the accessed users must be displayed in cipher text.
auto: The auto mode specifies that a user is allowed to use the password command to set a password display mode.
Description
Use the local-user password-display-mode command to configure the password display mode of all the local users.
Use the undo local-user password-display-mode command to restore the default password display mode of all the local users.
If cipher-force applies, specifying simple in the password command has no effect: passwords are still displayed in cipher text.
By default, auto applies when displaying passwords of local users.
Related command: display local-user and password.
Example
# Force all the local users to have passwords displayed in cipher text.
[SecBlade_FW] local-user password-display-mode cipher-force
password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameter
simple: Specifies to display passwords in simple text.
cipher: Specifies to display passwords in cipher text.
password: Defines a password. For the simple keyword, the password is a string of 1 to 16 characters in simple text; for the cipher keyword, the password can be a string of 1 to 16 characters in simple text, 1234567 for example, or a string of 24 characters in cipher text, (TT8F]Y5SQ=^Q‘MAF4<1!! for example.
Description
Use the password command to configure a password for a local user.
Use the undo password command to cancel the password of the local user.
If local-user password-display-mode cipher-force applies, specifying simple in this command has no effect: the password is still displayed in cipher text.
Related command: display local-user.
Example
# Display the password of the user 3com1 in simple text, with the password being 20030422.
[SecBlade_FW-luser-3com1] password simple 20030422
scheme
Syntax
scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo scheme [ radius-scheme | hwtacacs-scheme | none ]
View
ISP domain view
Parameter
radius-scheme-name: RADIUS scheme, a string of up to 32 characters
hwtacacs-scheme-name: HWTACACS scheme, a string of up to 32 characters
local: Local authentication
none: No authentication
Description
Use the scheme command to configure the AAA scheme to be referenced by the current ISP domain.
Use the undo scheme command to restore the default AAA scheme.
The default AAA scheme in the system is local.
With this command the current ISP domain can reference a RADIUS/HWTACACS scheme that has been configured.
When the radius-scheme radius-scheme-name local command or the hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme applies as a backup scheme if the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.
If the local scheme applies as the first scheme, only the local authentication is adopted, and no RADIUS or HWTACACS scheme can be adopted.
If the none scheme applies as the first scheme, no authentication is adopted, and no RADIUS or HWTACACS scheme can be adopted.
An FTP user login cannot be authenticated in none mode because an FTP server implemented with Comware does not support anonymous login.
If the scheme none command is used, the priority level of a user logged into the system is level 0.
Related command: radius scheme and hwtacacs scheme.
Example
# Specify the current ISP domain, 3com163.net, to use the RADIUS scheme 3Com.
[SecBlade_FW-isp-3com163.net] scheme radius 3Com
# Set the authentication scheme referenced by the ISP domain 3Com to radius-scheme "rd", using the local scheme as the backup.
[SecBlade_FW-isp-3com] scheme radius-scheme rd local
# Set the authentication scheme referenced by the ISP domain 3Com to hwtacacs-scheme "hwtac", using the local scheme as the backup.
[SecBlade_FW-isp-3com] scheme hwtacacs-scheme hwtac local
service-type
Syntax
service-type { telnet | ssh | terminal }* [ level level ]
undo service-type { telnet | ssh | terminal }*
View
Local user view
Parameter
telnet: Authorizes the user to use the Telnet service.
ssh: Authorizes the user to use the SSH service.
terminal: Authorizes the user to use the terminal service (login from the Console, or AUX port).
level level: Specifies the user priority. level is an integer in the range of 0 to 3.
Description
Use the service-type command to configure a service type for a particular user.
Use the undo service-type command to delete one or all service types configured for the user.
By default, no service is available for the user.
Related command: service-type ppp and service-type ftp.
Example
# Authorize the user to use the Telnet service.
[SecBlade_FW-luser-3com1] service-type telnet
service-type dvpn
Syntax
service-type dvpn
undo service-type dvpn
View
Local user view
Parameter
None
Description
Use the service-type dvpn command to authorize DVPN service to a particular user.
Use the undo service-type dvpn command to remove DVPN service authorization.
By default, DVPN service is not authorized to users.
Example
# Authorize the DVPN service to the user.
[SecBlade_FW-luser-3com1] service-type dvpn
service-type ftp
Syntax
service-type ftp [ ftp-directory directory ]
undo service-type ftp [ ftp-directory ]
View
Local user view
Parameter
ftp-directory directory: Specifies a directory accessible for the FTP user.
Description
Use the service-type ftp command to authorize the user to use FTP service and specify a directory accessible for the FTP user.
Use the undo service-type ftp command to forbid the user to use the FTP service and restore the default directory accessible to the FTP user.
By default, no services of any type are authorized to any user and access of anonymous FTP users is not allowed, but a user that is granted the FTP service is authorized to access the root directory "flash:/".
Example
# Authorize the user to use the FTP service.
[SecBlade_FW-luser-3com1] service-type ftp
service-type ppp
Syntax
service-type ppp
undo service-type ppp
View
Local user view
Parameter
None
Description
Use the service-type ppp command to authorize the user to use the PPP service.
Use the undo service-type ppp command to forbid the user to use the PPP service.
By default, no service of any type is authorized to any user.
Example
# Allow PPP users to use the PPP service.
[3Com-luser-3com1] service-type ppp
state
Syntax
state { active | block }
View
ISP domain view, local user view
Parameter
active: Configured to allow users in the current ISP domain or the current local user to request for network services.
block: Configured to block users in the current ISP domain or the current local user to request for network services.
Description
Use the state command to configure the state of the current ISP domain or local user.
By default, an ISP domain (in ISP domain view) and a local user (in local user view) are in the active state upon creation.
Every ISP domain can be active or blocked. If an ISP domain is active, the supplicants in it can request network services; in the block state, its users cannot request any network service, which does not affect the users currently online. This also applies to local users.
Related command: domain.
Example
# Set the state of the current ISP domain "3com163.net" to block. The supplicants in this domain cannot request for network services.
[SecBlade_FW-isp-3com163.net] state block
# Set the state of the user "3com1" to block.
[SecBlade_FW-luser-3com1] state block
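As an added example (not part of the 3Com reference), the following Python script audits an AAA configuration written in the command syntax documented in this chapter. It applies the precedence the reference states for authentication versus scheme (authentication wins, local is the default), treats a trailing local keyword as the backup used only when the RADIUS or HWTACACS server is unreachable, and reports the settings that weaken control: an effective authentication of none, a domain with no accounting scheme, accounting optional, a domain left at the default of no access-limit, a local user whose password is entered with simple while local-user password-display-mode is not cipher-force, and a local user at level 3. The configuration text is constructed for this example and the parsing of indented lines under domain and local-user is an assumption about the saved-configuration layout, not something the reference describes.

```python
# Constructed configuration in the command syntax documented in this chapter;
# it is not taken from a real device and the cipher text is a placeholder.
SAMPLE_CONFIG = """\
local-user password-display-mode auto
domain system
 scheme local
domain 3com163.net
 access-limit enable 500
 scheme radius-scheme rd local
 accounting radius-scheme rd
 accounting optional
domain guest
 scheme radius-scheme rd
 authentication none
local-user admin
 password cipher CONSTRUCTED-CIPHER-TEXT
 service-type telnet ssh
 level 3
local-user ftpuser
 password simple 20030422
 service-type ftp
"""

SERVICE_KEYWORDS = {"telnet", "ssh", "terminal", "ftp", "ppp", "dvpn"}


def parse_config(text):
    """Split the configuration into ISP domains, local users and the global settings this audit uses."""
    domains, users, settings = {}, {}, {}
    context = None                                   # ("domain", name) or ("user", name)
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "#":
            continue
        if parts[0] == "domain" and len(parts) == 2:
            context = ("domain", parts[1])
            domains.setdefault(parts[1], {})
            continue
        if parts[0] == "domain" and parts[1:2] == ["default"]:
            settings["default-domain"] = " ".join(parts[2:])   # 'domain default enable X'
            context = None
            continue
        if parts[0] == "local-user" and parts[1:2] == ["password-display-mode"]:
            settings["password-display-mode"] = parts[2]
            context = None
            continue
        if parts[0] == "local-user" and len(parts) == 2:
            context = ("user", parts[1])
            users.setdefault(parts[1], {})
            continue
        if context is None:
            continue
        target = domains[context[1]] if context[0] == "domain" else users[context[1]]
        key, rest = parts[0], " ".join(parts[1:])
        if key == "accounting" and rest == "optional":
            target["accounting-optional"] = True     # a separate command from 'accounting <scheme>'
        elif key == "service-type":
            target.setdefault("service-type", set()).update(p for p in parts[1:] if p in SERVICE_KEYWORDS)
        else:
            target[key] = rest
    return domains, users, settings


def resolve_authentication(domain):
    """Apply the documented precedence: 'authentication' wins over 'scheme'; the default is local.
    Returns (primary, backup); backup is 'local' only for the '<scheme> <name> local' form."""
    tokens = (domain.get("authentication") or domain.get("scheme") or "local").split()
    if tokens[0] in ("local", "none"):
        return tokens[0], None
    primary = "%s %s" % (tokens[0], tokens[1])
    backup = "local" if tokens[-1] == "local" else None
    return primary, backup


def audit(text):
    """Return (effective, findings): effective authentication per domain and (subject, tag) findings."""
    domains, users, settings = parse_config(text)
    effective, findings = {}, []
    for name, domain in domains.items():
        primary, backup = resolve_authentication(domain)
        effective[name] = primary if backup is None else "%s (backup %s)" % (primary, backup)
        if primary == "none":
            findings.append((name, "authentication-none"))    # no credential check at all
        if domain.get("accounting", "none") == "none":
            findings.append((name, "no-accounting"))          # default: no accounting scheme
        if domain.get("accounting-optional"):
            findings.append((name, "accounting-optional"))    # users stay online if accounting fails
        if domain.get("access-limit", "disable").startswith("disable"):
            findings.append((name, "no-access-limit"))        # default: unlimited supplicants
    cipher_forced = settings.get("password-display-mode") == "cipher-force"
    for name, user in users.items():
        if user.get("password", "").startswith("simple") and not cipher_forced:
            findings.append((name, "password-shown-in-simple-text"))
        if user.get("level") == "3":
            findings.append((name, "level-3"))                # top of the documented 0 to 3 range
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit(SAMPLE_CONFIG)
    for name, scheme in effective.items():
        print("domain %s: authentication %s" % (name, scheme))
    for subject, tag in findings:
        print("finding: %s: %s" % (subject, tag))
```

The effective-authentication column is the part worth checking by hand: a domain such as guest above still carries a RADIUS scheme line, yet because an authentication none line is also present the reference says none is what applies.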
RADIUS Protocol Configuration Commands
accounting optional
Syntax
accounting optional
undo accounting optional
View
RADIUS domain view
Parameter
None
Description
Use the accounting optional command to enable optional accounting.
Use the undo accounting optional command to disable it.
By default, the optional accounting is disabled.
With the accounting optional command, a user that would otherwise be disconnected can still use the network resources when no accounting server is available or the communication with the current accounting server fails. This command is normally used for authentication without accounting.
Example
# Enable the optional accounting of the RADIUS scheme 3com.
[SecBlade_FW-radius-3com] accounting optional
data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format
View
RADIUS view
Parameter
data: Sets data unit.
byte: Data flows are sent in bytes.
giga-byte: Data flows are sent in gigabytes.
kilo-byte: Data flows are sent in kilobytes.
mega-byte: Data flows are sent in megabytes.
packet: Sets data packet unit.
giga-packet: Data packets are sent in giga-packets.
kilo-packet: Data packets are sent in kilo-packets.
mega-packet: Data packets are sent in mega-packets.
one-packet: Data packets are sent in the units of one-packet.
Description
Use the data-flow-format command to configure the unit in which data flows are sent to a RADIUS Server.
Use the undo data-flow-format command to restore the unit to the default setting.
By default, data flows are sent in bytes and data packets in the units of one-packet.
Related command: display radius.
Example
# Send data flows and packets destined for the RADIUS servers of the scheme "3com" in kilobytes and kilo-packets.
[SecBlade_FW-radius-3com] data-flow-format data kilo-byte packet kilo-packet
debugging local-server Syntax
debugging local-server { all | error | event | packet }
undo debugging local-server { all | error | event | packet }
View
User view
Parameter
all: All debugging.
error: Error debugging.
event: Event debugging.
packet: Packet debugging.
Description
Use the debugging local-server command to enable the debugging for the local RADIUS authentication server.
Use the undo debugging local-server command to disable the debugging for the local RADIUS authentication server.
By default, the debugging for the local RADIUS authentication server is disabled.
Example
# Enable the debugging for the local RADIUS authentication server.
<SecBlade_FW> debugging local-server all
*0.9045238 3Com LS/8/EVENT-MSG:Message received. MessageType = 1
*0.9045238 3Com LS/8/PACKET:Packet Received,Code = 1
*0.9045239 3Com LS/8/PACKET:Packet Send auth pkt ,Code =
debugging radius Syntax
debugging radius packet
undo debugging radius packet
View
User view
Parameter
packet: Enables packet debugging.
Description
Use the debugging radius command to enable RADIUS debugging.
Use the undo debugging radius command to disable RADIUS debugging.
By default, RADIUS debugging is disabled.
Example
# Enable RADIUS debugging.
<SecBlade_FW> debugging radius packet
display local-server statistics
Syntax
display local-server statistics
View
All views
Parameter
None
Description
Use the display local-server statistics command to display the statistics of the local RADIUS authentication server.
Related command: local-server.
Example
# Display the statistics of the local RADIUS authentication server.
<SecBlade_FW> display local-server statistics
The localserver packet statistics:
Receive: 82                    Send: 61
Discard: 21                    Receive Packet Error: 0
Auth Receive: 82               Auth Send: 61
Acct Receive: 0                Acct Send: 0
display radius Syntax
display radius [ radius-scheme-name ]
View
Any view
Parameter
radius-scheme-name: Specifies a RADIUS scheme with a string of up to 32 characters. If no scheme is specified, all RADIUS schemes are displayed.
Description
Use the display radius command to view the configuration of the specified RADIUS scheme or of all RADIUS schemes (use display radius statistics for packet statistics). The output shows the shared keys of the authentication and accounting servers in clear text, so restrict the command to administrators who are allowed to see them.
By default, the configuration information about all RADIUS schemes is displayed.
Related command: radius scheme.
Example
# Display the configurations of all RADIUS schemes.
<SecBlade_FW> display radius
------------------------------------------------------------------
SchemeName = system                Index=0      Type=3com
Primary Auth IP =127.0.0.1         Port=1645    State=active
Primary Acct IP =127.0.0.1         Port=1646    State=active
Second Auth IP =0.0.0.0            Port=1812    State=block
Second Acct IP =0.0.0.0            Port=1813    State=block
Auth Server Encryption Key= 3com
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3          RetryTimes=3    RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =one packet
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed

Table 213 Information about RADIUS server configuration

Field                                              Description
SchemeName                                         RADIUS scheme name
Index                                              Index number of the RADIUS scheme
Type                                               Type of the RADIUS scheme (3com or standard, see server-type)
Primary Auth IP/ Port/ State                       IP address/UDP port number/current state of the primary authentication server
Primary Acct IP/ Port/ State                       IP address/UDP port number/current state of the primary accounting server
Second Auth IP/ Port/ State                        IP address/UDP port number/current state of the secondary authentication server
Second Acct IP/ Port/ State                        IP address/UDP port number/current state of the secondary accounting server
Auth Server Encryption Key                         Shared key of the authentication server, shown in clear text
Acct Server Encryption Key                         Shared key of the accounting server, shown in clear text
Accounting method                                  Whether accounting is required or optional (see accounting optional)
TimeOutValue(in second)                            Duration of the RADIUS server response timeout timer
RetryTimes                                         Maximum number of RADIUS request attempts (see retry)
RealtimeACCT(in minute)                            Real-time accounting interval (see timer realtime-accounting)
Permitted send realtime PKT failed counts          Maximum number of real-time accounting request attempts allowed to go unanswered (see retry realtime-accounting)
Retry sending times of noresponse acct-stop-PKT    Maximum number of retries allowed when sending a buffered stop-accounting packet (see retry stop-accounting)
Quiet-interval(min)                                Interval after which a blocked primary server resumes the active state
Username format                                    Format of the user name sent to the server (see user-name-format)
Data flow unit                                     Unit of data flows (see data-flow-format)
Packet unit                                        Unit of packets (see data-flow-format)

display radius statistics Syntax
display radius statistics
View
Any view
Parameter
None
Description
Use the display radius statistics command to view the statistics on RADIUS packets. The displayed packet information can help you troubleshoot RADIUS faults. In particular, a rising PKT auth timeout or Resend count while Received PKT total stays low means that requests are not being answered: either the server is unreachable, or the shared keys on the two ends differ, because the NAS silently discards a response whose authenticator it cannot verify with its own key, so a key mismatch also shows up as timeouts.
Related command: radius scheme.
Example
# Display the statistics information on RADIUS packets.
<SecBlade_FW> display radius statistics
state statistic(total=1048):
DEAD=1047        AuthProc=0       AuthSucc=0
AcctStart=0      RLTSend=0        RLTWait=1
AcctStop=0       OnLine=1         Stop=0
StateErr=0
Received and Sent packets statistic:
Sent PKT total :38      Received PKT total:2
Resend Times     Resend total
1                12
2                12
Total            24
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request     , Num=13 , Err=0  , Succ=13
EAP auth request        , Num=0  , Err=0  , Succ=0
Account request         , Num=1  , Err=0  , Succ=1
Account off request     , Num=0  , Err=0  , Succ=0
PKT auth timeout        , Num=36 , Err=12 , Succ=24
PKT acct_timeout        , Num=0  , Err=0  , Succ=0
Realtime Account timer  , Num=0  , Err=0  , Succ=0
PKT response            , Num=2  , Err=0  , Succ=2
EAP reauth_request      , Num=0  , Err=0  , Succ=0
PORTAL access           , Num=0  , Err=0  , Succ=0
Update ack              , Num=0  , Err=0  , Succ=0
PORTAL access ack       , Num=0  , Err=0  , Succ=0
Session ctrl pkt        , Num=0  , Err=0  , Succ=0
RADIUS sent messages statistic:
Auth accept             , Num=0
Auth reject             , Num=0
EAP auth replying       , Num=0
Account success         , Num=0
Account failure         , Num=0
Cut req                 , Num=0
RecError_MSG_sum:0      SndMSG_Fail_sum :0
Timer_Err       :0      Alloc_Mem_Err   :0
State Mismatch  :0      Other_Error     :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

Table 214 Description on the fields for the display radius statistics command

Field                                   Description
state statistic(total=1048)             User state statistics: the number of user entries in each state of the RADIUS state machine (DEAD, AuthProc, AuthSucc, AcctStart, RLTSend, RLTWait, AcctStop, OnLine, Stop, StateErr); total is the number of entries.
Received and Sent packets statistic     Packet statistics: total packets sent (38) and received (2), followed by the number of packets retransmitted once (12), retransmitted twice (12), and the total number of retransmissions (24).
RADIUS received packets statistic       Packets received from the RADIUS server, by RADIUS code, with the number received (Num) and the number in error (Err): Code 2 = Access-Accept (one received, no errors); Code 3 = Access-Reject (none received); Code 5 = Accounting-Response (one received, no errors); Code 11 = Access-Challenge, used for EAP authentication (none received).
RADIUS received messages statistic      Messages received by the RADIUS module, with the number received (Num), the number in error (Err) and the number handled successfully (Succ): normal authentication requests (13, 0, 13); EAP authentication requests; accounting requests (1, 0, 1); accounting stop (account off) requests; authentication packet timeouts (36, 12, 24); accounting packet timeouts; real-time accounting timer events; response packets (2, 0, 2); EAP re-authentication requests; PORTAL access requests; update acknowledgements; PORTAL access acknowledgements; session control packets.
RADIUS sent messages statistic          Messages sent by the RADIUS module: authentication accepts, authentication rejects, EAP authentication replies, accounting successes, accounting failures, and cut (disconnect) requests.
RecError_MSG_sum                        Number of error messages received
SndMSG_Fail_sum                         Number of failed send attempts
Timer_Err                               Number of timer errors
Alloc_Mem_Err                           Number of memory allocation errors
State Mismatch                          Number of state mismatch errors
Other_Error                             Number of other errors
No-response-acct-stop packet            Number of stop-accounting requests buffered because the server did not respond
Discarded No-response-acct-stop packet for buffer overflow   Number of unanswered stop-accounting requests discarded because the buffer was full

display stop-accounting-buffer
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameter
radius-scheme radius-scheme-name: Displays information on buffered stop-accounting requests related to the RADIUS scheme specified by radius-scheme-name. It is a string not exceeding 32 characters and excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).
session-id session-id: Displays information on the buffered stop-accounting requests related to the session ID specified by session-id, a string of up to 50 characters.
time-range start-time stop-time: Displays the buffered stop-accounting requests by the time range of requests. It is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.
user-name user-name : Displays information on the buffered stop-accounting requests by user name.
Description
Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the security gateway, selected by RADIUS scheme, session ID, time range, or user name. The displayed packet information can help you troubleshoot RADIUS faults.
If receiving no response after sending a stop-accounting request to a RADIUS server, the security gateway buffers the request packet and retransmits it. The number of allowed transmission attempts can be set using the retry stop-accounting command.
Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.
Example
# Display information on the buffered stop-accounting requests between 0:0:0 and 23:59:59 on August 31, 2002.
<SecBlade_FW> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
Total find 0 record
key Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS view
Parameter
accounting: Sets or deletes the shared key used for RADIUS accounting packets.
authentication: Sets or deletes the shared key used for RADIUS authentication/authorization packets.
string: Shared key, a string of up to 16 characters.
Description
Use the key command to configure the shared key for RADIUS authentication/authorization or accounting packets.
Use the undo key command to restore the default shared key.
The RADIUS client (that is, the security gateway) and the RADIUS server do not encrypt the packets they exchange; they use the shared key with the MD5 algorithm to authenticate them. Each response carries a 16-byte authenticator computed over the packet contents and the shared key, and the User-Password attribute of an authentication request is hidden with an MD5 stream derived from the key. Only when both ends use the same key can they accept each other's packets and respond. Therefore the same key must be set on the security gateway and on the RADIUS server. If authentication/authorization and accounting are performed on two server devices with different shared keys, set one key for each.
By default, the key for authentication/authorization packets and accounting packets is "3com". Because this default is published, replace it on every scheme with a key of your own: use the full 16 characters and avoid dictionary words, since anyone who knows the key can forge server responses and recover user passwords from captured authentication requests.
Related command: primary accounting, primary authentication, and radius scheme.
Example
# In the RADIUS scheme "3com", set the shared key used for encrypting authentication/authorization packets to "hello".
[SecBlade_FW-radius-3com] key authentication hello
# In the RADIUS scheme "3com", set the shared key for encrypting accounting packets to "ok".
[SecBlade_FW-radius-3com] key accounting ok
local-server Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address
View
System view
Parameter
nas-ip ip-address: NAS-IP address of the access server, in dotted decimal format.
key password: Shared key of the access server, with a character string of up to 16 characters.
Description
Use the local-server command to configure related parameters of the local RADIUS authentication server.
Use the undo local-server command to delete a configured NAS-IP address.
By default, the system creates a local RADIUS authentication server with the NAS-IP address being 127.0.0.1 and the shared key being 3com.
Note the following:
■ The device can serve as a RADIUS client, authenticating users through external authentication/authorization and accounting servers, and can also function as a simple RADIUS server (for authentication and authorization).
■ If the local RADIUS authentication server function is adopted, the UDP port used for authentication/authorization must be 1645, and the UDP port used for accounting must be 1646.
■ The key configured by this command must be consistent with the key used for authentication/authorization which is configured by the key authentication command in RADIUS scheme view.
■ The device supports up to 16 network access servers, including the local RADIUS authentication server created by the system.
Related command: radius scheme, state.
Example
# On the local RADIUS authentication server, add a network access server with IP address 10.110.1.2 and shared key aabbcc.
[SecBlade_FW] local-server nas-ip 10.110.1.2 key aabbcc
nas-ip Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS view
Parameter
ip-address: IP address in dotted decimal format.
Description
Use the nas-ip command to set the source IP address of the network access server (NAS, the security gateway in this manual), so that all packets destined for the RADIUS server carry the same source IP address.
Use the undo nas-ip command to cancel the configuration.
Specifying a source address for the RADIUS packets to be transmitted can avoid the situation where the packets sent back by the RADIUS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.
By default, the source IP address of packets is the IP address of the output port.
Related command: display radius.
Example
# Set the source IP address that is carried in the RADIUS packets sent by the NAS (the security gateway) to 10.1.1.1.
[SecBlade_FW] radius scheme test1
[SecBlade_FW-radius-test1] nas-ip 10.1.1.1
primary accounting Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS view
Parameter
ip-address: IP address in dotted decimal format. By default, in system scheme, the IP address of the primary accounting server is 127.0.0.1; in the newly added RADIUS scheme, the IP address of the primary accounting server is 0.0.0.0.
port-number: UDP port number of the primary accounting server, which is ranging from 1 to 65535. By default, in system scheme, the UDP port of the primary accounting server is 1646; in the newly added RADIUS scheme, the UDP port of the primary accounting server is 1813.
Description
Use the primary accounting command to configure IP address and port number of the primary RADIUS accounting server.
Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server.
After creating a RADIUS scheme, you are supposed to configure IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the security gateway are consistent with the port settings on the RADIUS servers.
Related command: key, radius scheme, and state.
Example
# Set the IP address of the primary accounting server in the RADIUS scheme "3com" to 10.110.1.2 and use the UDP port 1813 to provide the RADIUS accounting service.
[SecBlade_FW-radius-3com] primary accounting 10.110.1.2 1813
primary authentication Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
RADIUS view
Parameter
ip-address: IP address in dotted decimal format. By default, in system scheme, the IP address of the primary authentication/authorization server is 127.0.0.1; in the newly added RADIUS scheme, the IP address of the primary authentication/authorization server is 0.0.0.0.
port-number: UDP port number of the primary authentication/authorization server, which is ranging from 1 to 65535. By default, in system scheme, the UDP port of the primary authentication/authorization server is 1645; in the newly added RADIUS scheme, the UDP port of the primary authentication/authorization server is 1812.
Description
Use the primary authentication command to configure IP address and port number of the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.
After creating a RADIUS scheme, you are supposed to configure IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the security gateway are consistent with the port settings on the RADIUS servers.
Related command: key, radius scheme, and state.
Example
# Set IP address of the primary authentication/authorization server in the RADIUS scheme "3com" to 10.110.1.1 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.
[SecBlade_FW-radius-3com] primary authentication 10.110.1.1 1812
radius scheme Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
View
System view
Parameter
radius-scheme-name: RADIUS scheme name, a string of up to 32 characters.
Description
Use the radius scheme command to configure a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete the specified RADIUS scheme.
By default, the RADIUS scheme named system exists in the system, with all attributes being the defaults that are not configurable. You can use the display radius command to view the settings of the system scheme.
RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify IP address and UDP port number of RADIUS authentication/authorization/accounting server and the parameters necessary for the RADIUS client (a security gateway) to interact with the servers. You must first create a RADIUS scheme and enter its view before you can perform RADIUS protocol configurations.
A RADIUS scheme can be referenced by several ISP domains at the same time.
The undo radius scheme command can be used to delete any RADIUS scheme except for the default one. Note that a RADIUS scheme currently being used by any online users cannot be removed.
Related command: key, retry realtime-accounting, scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius and display radius statistics.
Example
# Create a RADIUS scheme named "3com" and enter its view.
[SecBlade_FW] radius scheme 3com
[SecBlade_FW-radius-3com]
radius nas-ip Syntax
radius nas-ip ip-address
undo radius nas-ip
View
System view
Parameter
ip-address: Specifies a source IP address, which must be the address of this device. It cannot be the address of all zeros, or class D address, or network address, or an address starting with 127.
Description
Use the radius nas-ip command to specify the source address of the RADIUS packet sent from NAS.
Use the undo radius nas-ip command to restore the default setting.
Specifying the source address of RADIUS packets avoids the case where responses from the server cannot be delivered because the interface whose address they were sent from has failed. A loopback interface address is recommended.
By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.
This command specifies only one source address; a newly configured source address overwrites the previous one.
Example
# Configure the security gateway to send RADIUS packets from 129.10.10.1.
[SecBlade_FW] radius nas-ip 129.10.10.1
radius trap Syntax
radius trap { authentication-server-down | accounting-server-down }
undo radius trap { authentication-server-down | accounting-server-down }
View
System view
Parameter
authentication-server-down: RADIUS authentication server goes down.
accounting-server-down: RADIUS accounting server goes down.
Description
Use the radius trap command to enable the security gateway to send a trap when a RADIUS authentication server or accounting server goes down.
Use the undo radius trap command to disable the trap.
By default, no trap is sent when a RADIUS server goes down.
Example
# Enable the security gateway to send a trap when a RADIUS authentication server goes down.
[SecBlade_FW] radius trap authentication-server-down
reset radius statistics Syntax
reset radius statistics
View
User view
Parameter
None
Description
Use the reset radius statistics command to clear the statistic information related to the RADIUS protocol.
Related command: display radius.
Example
# Clear the RADIUS protocol statistics.
<SecBlade_FW> reset radius statistics
reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameter
radius-scheme radius-scheme-name: Clears the buffered stop-accounting requests related to the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.
session-id session-id: Clears the buffered stop-accounting requests related to the session ID specified by session-id, a string of up to 50 characters.
time-range start-time stop-time: Clears the buffered stop-accounting requests by the time range of requests. The time range is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.
user-name user-name: Clears the buffered stop-accounting requests by user name.
Description
Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that have no responses.
If receiving no response after sending a stop-accounting request to a RADIUS server, the security gateway buffers the request packet and retransmits it. The number of allowed transmission attempts can be set using the retry stop-accounting command.
You can clear the buffered stop-accounting requests by RADIUS scheme, session ID, username, or time range.
Related command: stop-accounting-buffer enable, retry stop-accounting, and display stop-accounting-buffer.
Example
# Clear the buffered stop-accounting requests related to the user "[email protected]".
<SecBlade_FW> reset stop-accounting-buffer user-name [email protected]
# Clear the buffered stop-accounting requests in the time range 0:0:0 to 23:59:59 on August 31, 2002.
<SecBlade_FW> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
retry Syntax
retry retry-times
undo retry
View
RADIUS view
Parameter
retry-times: The maximum number of request attempts, which is ranging from 1 to 20.
Description
Use the retry command to configure the number of RADIUS request attempts.
Use the undo retry command to restore the default.
RADIUS runs over UDP, which provides no reliable delivery. If the NAS receives no response from the current RADIUS server before the response timeout timer expires, it retransmits the request. If the number of attempts exceeds retry-times, the NAS considers the current RADIUS server disconnected and turns to another RADIUS server.
Appropriately set the retry-times parameter to maintain an acceptable system response speed.
The default retry times is 3.
Related command: radius scheme.
Example
# With the RADIUS scheme "3com", a RADIUS request can be sent up to five times.
[SecBlade_FW-radius-3com] retry 5
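The retry count, the response timeout, the server state and the quiet interval combine into a simple state machine on the NAS. The following Python model is an added example, not code from the 3Com guide or the device firmware. The server names, the reachable flags and the request timeline are constructed inputs; the rule that a server is marked block once its attempts are exhausted and returns to active after the quiet interval is assumed from the description that the NAS "turns to another RADIUS server" and that a blocked primary server resumes the active state after the quiet interval. The timer values mirror the defaults shown by display radius (3 seconds, 3 attempts, 5 minutes).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the 3Com guide): a model of how RetryTimes,
# TimeOutValue, the server state (active/block) and the quiet interval
# of a RADIUS scheme interact when the NAS sends a request. Server names,
# reachability and the request timeline are constructed inputs; the
# block-on-exhaustion rule is an assumption drawn from the command
# descriptions, not a statement of the firmware's exact behaviour.

@dataclass
class Server:
    name: str
    reachable: bool                     # constructed input: does this server answer?
    state: str = "active"               # "active" or "block", as set by the state command
    blocked_at: Optional[float] = None  # time (s) of an automatic block; None if blocked by hand

@dataclass
class Scheme:
    servers: List[Server]               # primary server first, then secondary
    timeout: float = 3.0                # TimeOutValue, in seconds
    retry: int = 3                      # RetryTimes: maximum request attempts per server
    quiet_interval: float = 300.0       # Quiet-interval, 5 minutes expressed in seconds

    def _restore_quiet_servers(self, now: float) -> None:
        # A server blocked automatically returns to active once the quiet
        # interval has elapsed; a server blocked by hand (blocked_at is None)
        # stays blocked until the administrator sets it active again.
        for s in self.servers:
            if (s.state == "block" and s.blocked_at is not None
                    and now - s.blocked_at >= self.quiet_interval):
                s.state, s.blocked_at = "active", None

    def send_request(self, now: float) -> Tuple[Optional[str], float, int]:
        """Send one request at time `now` (seconds).

        Returns (name of the server that answered or None, seconds spent
        waiting, packets transmitted). Active servers are tried in order;
        each gets up to `retry` attempts of `timeout` seconds, and a server
        that exhausts its attempts is marked block."""
        self._restore_quiet_servers(now)
        waited, sent = 0.0, 0
        for s in self.servers:
            if s.state != "active":
                continue
            for _ in range(self.retry):
                sent += 1
                if s.reachable:
                    return s.name, waited, sent
                waited += self.timeout
            s.state, s.blocked_at = "block", now + waited
        return None, waited, sent

def worst_case_delay(scheme: Scheme) -> float:
    """Longest wait before the NAS gives up on every currently active server."""
    active = sum(1 for s in scheme.servers if s.state == "active")
    return active * scheme.retry * scheme.timeout

def demo() -> dict:
    scheme = Scheme([Server("primary", reachable=False), Server("secondary", reachable=True)])
    results = {}
    results["worst_case"] = worst_case_delay(scheme)            # 2 servers x 3 attempts x 3 s = 18 s
    results["first"] = scheme.send_request(now=0.0)             # primary times out 3 times, then secondary answers
    results["primary_after_first"] = scheme.servers[0].state    # primary is now blocked
    results["second"] = scheme.send_request(now=10.0)           # primary skipped, secondary answers at once
    results["third"] = scheme.send_request(now=400.0)           # quiet interval over, primary tried again
    return results
```

What the model makes visible is the cost of a dead primary: every request that reaches it while it is active waits retry multiplied by timeout seconds (9 s with the defaults) before the secondary is tried, and that cost recurs once per quiet interval. During planned maintenance of the primary, setting it to block by hand with the state command avoids that delay entirely, since a manually blocked server is not retried.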
retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS view
Parameter
retry-times: The maximum number of real-time accounting request attempts that have no responses. It is in the range 1 to 255.
Description
Use the retry realtime-accounting command to configure the maximum number of real-time accounting request attempts allowed to have no responses.
Use the undo retry realtime-accounting command to restore the default.
A RADIUS server usually checks whether a user is online using a timeout timer. If it does not receive the real-time accounting packet from the NAS in time, it assumes a line or device failure and stops accounting. The user must therefore be disconnected at the NAS end and on the RADIUS server synchronously when such a failure occurs. To that end, 3Com Series Security Gateways let you set the maximum number of real-time accounting requests that may go unanswered; the NAS disconnects the user when it has received no real-time accounting response from the RADIUS server for that many consecutive attempts.
Suppose the response timeout of the RADIUS server is T (in seconds) and the real-time accounting interval of the NAS is t (in minutes). With T set to 3 seconds, t to 12 minutes, and the maximum number of real-time request attempts to 5, the NAS generates an accounting request every 12 minutes and retransmits it if no response arrives within 3 seconds; if there is still no response after five attempts, the NAS assumes that this accounting has failed. Normally retry-times multiplied by T should be smaller than t, so that one round of attempts completes before the next real-time accounting request is due.
The default realtime accounting retry times is 5.
Related command: radius scheme and timer realtime-accounting.
Example
# Configure the RADIUS scheme "3com" to allow up to ten real-time accounting request attempts.
[SecBlade_FW-radius-3com] retry realtime-accounting 10
retry stop-accounting Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS view
Parameter
retry-times: Maximum number of retransmissions of a stop-accounting request, in the range 10 to 65535.
Description
Use the retry stop-accounting command to configure the maximum number of retransmissions of a stop-accounting request.
Use the undo retry stop-accounting command to restore the retransmission times to the default value.
Because a stop-accounting request closes the user's accounting record and therefore determines the charge, which matters to both the user and the ISP, the NAS must make its best effort to deliver it to the RADIUS accounting server. Accordingly, if a stop-accounting request from the security gateway to the RADIUS accounting server goes unanswered, the security gateway saves it in a local buffer and retransmits it until the server responds or the configured number of retransmissions is exhausted, after which the request is discarded.
By default, a stop-accounting request is retransmitted up to 500 times.
Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Example
# Configure the security gateway to retransmit an unanswered stop-accounting request to the servers in the RADIUS scheme "3com" up to 1000 times.
[SecBlade_FW-radius-3com] retry stop-accounting 1000
secondary accounting Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
RADIUS view
Parameter
ip-address: IP address, in dotted decimal format. By default, the IP address of secondary accounting server is at 0.0.0.0.
port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the accounting service is provided through UDP 1813.
Description
Use the secondary accounting command to configure the IP address and port number for the secondary RADIUS accounting server.
Use the undo secondary accounting command to restore the IP address and port number to the defaults.
For detailed information, refer to the description of the primary accounting command.
Related command: key, radius scheme, and state.
Example
# Set the IP address of the secondary accounting server of RADIUS scheme, 3com, to 10.110.1.1 and the UDP port 1813 to provide RADIUS accounting service.
[SecBlade_FW-radius-3com] secondary accounting 10.110.1.1 1813
secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
RADIUS view
Parameter
ip-address: IP address in dotted decimal format.
port-number: UDP port number, ranging from 1 to 65535. By default, the authentication/authorization service is provided through UDP 1812.
Description
Use the secondary authentication command to configure the IP address and port number of the secondary RADIUS authentication/authorization server.
Use the undo secondary authentication command to restore the IP address and port number to the defaults.
For detailed information, refer to the description of the primary authentication command.
By default, the IP address of the secondary authentication/authorization server is 0.0.0.0.
Related command: key, radius scheme, and state.
Example
# Set IP address of the secondary authentication/authorization server in the RADIUS scheme "3com" to 10.110.1.2 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.
[SecBlade_FW-radius-3com] secondary authentication 10.110.1.2 1812
server-type
Syntax
server-type { 3com | standard }
undo server-type
252 CHAPTER 15: AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS
View
RADIUS view
Parameter
3com: Specifies a RADIUS server of the 3Com type (generally CAMS), which requires the RADIUS client (the security gateway) and the RADIUS server to interact according to the procedures and packet format of 3Com's proprietary RADIUS extensions.
standard: Specifies a RADIUS server of the standard type, which requires the RADIUS client (the security gateway) and the RADIUS server to interact according to the standard RADIUS protocol (RFC 2138/2139, since superseded by RFC 2865/2866, or newer).
Description
Use the server-type command to configure the RADIUS server type supported by the security gateway.
Use the undo server-type command to restore the default type of the RADIUS server.
By default, in system scheme, the RADIUS server type is 3com; in the newly added RADIUS scheme, the RADIUS server type is standard.
Related command: radius scheme.
Example
# Set RADIUS server type of RADIUS scheme 3com to 3com.
[SecBlade_FW-radius-3com] server-type 3com
state
Syntax
state { primary | secondary } { accounting | authentication } { block | active }
View
RADIUS view
Parameter
primary: Sets the state of the primary RADIUS server.
secondary: Sets the state of the secondary RADIUS server.
accounting: Sets the state of RADIUS accounting server.
authentication: Sets the state of RADIUS authentication/authorization server.
block: Sets state of the RADIUS server to block.
active: Sets state of the RADIUS server to active, namely the normal operation state.
Description
Use the state command to configure the state of a RADIUS server.
By default, in system scheme, the primary authentication/authorization and accounting servers are in active state, and the secondary authentication/authorization and accounting servers are in block state; in the newly added RADIUS scheme, all RADIUS servers are in block state.
When the primary server (accounting or authentication) in a RADIUS scheme becomes unavailable, the NAS automatically turns to the secondary server. After the primary one recovers however, the NAS does not resume the communication with it at once; instead, the NAS continues the communication with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the state of the primary server to active.
When both the primary and secondary servers are active or blocked, the NAS only sends packets to the primary server.
Related command: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.
Example
# Set the state of the secondary authentication server in the RADIUS scheme "3com" to active.
[SecBlade_FW-radius-3com] state secondary authentication active
stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS view
Parameter
None
Description
Use the stop-accounting-buffer enable command to have the security gateway buffer stop-accounting requests that receive no response.
Use the undo stop-accounting-buffer enable command to disable this buffering.
By default, the security gateway buffers stop-accounting requests that receive no response.
Because the stop-accounting packet determines what a user is charged, it matters to both users and ISPs. The NAS therefore makes its best effort to deliver every stop-accounting request to the RADIUS accounting servers. If it receives no response within the response timeout, the NAS buffers the packet and resends it until it receives a response, or discards the packet when the number of transmissions reaches the limit configured with retry stop-accounting.
Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Example
# In the RADIUS scheme "3com", enable the security gateway to buffer the stop-accounting requests that receive no response.
[SecBlade_FW-radius-3com] stop-accounting-buffer enable
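The stop-accounting request that stop-accounting-buffer enable and retry stop-accounting manage is a RADIUS Accounting-Request carrying Acct-Status-Type Stop, sent to the accounting server's UDP port (1813 by default). The following Python example is added here and is not code from the 3Com manual or from 3Com: it builds that packet with its Request Authenticator as RFC 2866 defines, checks a server's Response Authenticator against the shared key, and runs the buffer-and-retransmit loop the description above outlines. The shared key, user name, session id and the stand-in server (a function that drops a configurable number of requests, used in place of a UDP socket) are constructed for the example.

```python
"""RADIUS Accounting-Request (Stop) and stop-accounting retransmission.

Added example; wire format per RFC 2866. Key, user, session id and the
stand-in server below are constructed sample data, not values from the manual.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5               # RADIUS packet codes
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 1, 40, 44
ACCT_STOP = 2                                    # Acct-Status-Type value for Stop
RADIUS_ACCT_PORT = 1813                          # default accounting UDP port


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_stop(secret: bytes, identifier: int, user_name: str, session_id: str) -> bytes:
    """Accounting-Request with Acct-Status-Type=Stop.

    RFC 2866 s.3: Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + request attributes + shared secret).
    """
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def response_is_valid(request: bytes, response: bytes, secret: bytes) -> bool:
    """Check an Accounting-Response against the request it answers.

    Response Authenticator = MD5(Code + Identifier + Length + Request
    Authenticator + response attributes + shared secret). A response built
    with another secret, for another Identifier, or with a tampered body fails.
    """
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_stop_with_retry(request: bytes, secret: bytes, send, max_transmissions: int):
    """Buffer-and-resend loop: keep sending the stop request until a valid
    response arrives or the transmission limit (retry stop-accounting) is
    reached, after which the packet is discarded. `send` stands in for the UDP
    exchange: it takes the request and returns response bytes, or None when
    nothing arrives within the response timeout. Returns (acknowledged, transmissions)."""
    for attempt in range(1, max_transmissions + 1):
        response = send(request)
        if response is not None and response_is_valid(request, response, secret):
            return True, attempt
    return False, max_transmissions


def make_acct_server(secret: bytes, drop_first: int):
    """Constructed stand-in for an accounting server: ignores the first
    `drop_first` requests, then answers each with a correct Accounting-Response."""
    seen = {"count": 0}

    def handle(request: bytes):
        seen["count"] += 1
        if seen["count"] <= drop_first:
            return None                      # lost packet / no answer
        code_id_len = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
        auth = hashlib.md5(code_id_len + request[4:20] + secret).digest()
        return code_id_len + auth

    return handle


if __name__ == "__main__":
    SECRET = b"3com-shared-key"              # constructed sample key
    stop = build_acct_stop(SECRET, 7, "alice@isp1", "0001")
    print("acknowledged, transmissions:",
          send_stop_with_retry(stop, SECRET, make_acct_server(SECRET, 2), 5))
```

The response check matters for the buffer logic: a reply whose Response Authenticator does not verify (wrong key on one side, or a reply for a different Identifier) must count as no response, otherwise a misconfigured key silently drops accounting records that the NAS believes were acknowledged.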
timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS view
Parameter
minutes: Ranges from 1 to 255.
Description
Use the timer quiet command to set how long a primary server stays in block state before it can resume the active state.
Use the undo timer quiet command to restore the default (five minutes).
By default, the primary server must wait five minutes before it can resume the active state.
Related command: display radius.
Example
# Set the quiet timer for the primary server to ten minutes.
[SecBlade_FW] radius scheme test1
[SecBlade_FW-radius-test1] timer quiet 10
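The failover behaviour described for the state command, together with the quiet timer set by timer quiet, can be written out as a small state machine. The following Python example is added here and is not code from the 3Com manual or from 3Com: it models a scheme's primary and secondary servers, puts a server in block state when its requests fail, falls back to the secondary, returns a failure-blocked server to active state when its quiet timer expires or when an administrator issues state ... active, and sends to the primary when both servers are in the same state. Server addresses, the scheme name and the five-minute default are taken from the manual's examples; time is passed in as a number of seconds so the logic can be exercised without waiting.

```python
"""Primary/secondary RADIUS server selection with block/active states and the
quiet timer, as the manual describes it. Added example; addresses and times
are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

ACTIVE, BLOCK = "active", "block"


@dataclass
class Server:
    address: str
    port: int
    state: str = BLOCK                   # a newly added scheme starts with servers blocked
    blocked_at: Optional[float] = None   # seconds; None when not blocked by a failure


@dataclass
class Scheme:
    name: str
    primary: Server
    secondary: Server
    quiet_minutes: int = 5               # timer quiet default

    def _expire_quiet(self, now: float) -> None:
        """A server blocked by a failure returns to active when its quiet timer
        runs out. A server blocked with 'state ... block' (blocked_at None)
        stays blocked until an administrator sets it active."""
        for s in (self.primary, self.secondary):
            if s.state == BLOCK and s.blocked_at is not None \
                    and now - s.blocked_at >= self.quiet_minutes * 60:
                s.state, s.blocked_at = ACTIVE, None

    def select(self, now: float) -> Server:
        """Server the NAS sends the next request to."""
        self._expire_quiet(now)
        if self.primary.state == ACTIVE:
            return self.primary
        if self.secondary.state == ACTIVE:
            return self.secondary
        return self.primary              # both blocked: only the primary is tried

    def mark_failed(self, server: Server, now: float) -> None:
        """Request to `server` got no response after all retries: block it and
        start its quiet timer."""
        server.state, server.blocked_at = BLOCK, now

    def set_state(self, which: str, state: str) -> None:
        """Equivalent of 'state { primary | secondary } ... { block | active }'."""
        s = self.primary if which == "primary" else self.secondary
        s.state, s.blocked_at = state, None


def new_scheme(name: str) -> Scheme:
    """Sample scheme with both servers set active, as the manual's
    'state secondary authentication active' example leaves them."""
    return Scheme(name,
                  Server("10.110.1.1", 1812, ACTIVE),
                  Server("10.110.1.2", 1812, ACTIVE))


if __name__ == "__main__":
    scheme = new_scheme("3com")
    scheme.mark_failed(scheme.primary, now=0)
    print("t=10s  ->", scheme.select(10).address)    # secondary
    print("t=300s ->", scheme.select(300).address)   # primary, quiet timer expired
```

The split between a failure-blocked server (timer-driven recovery) and an administratively blocked one (no recovery until state ... active) is the distinction the two commands encode; a shorter quiet timer returns traffic to the primary sooner but also probes a still-failing server more often.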
timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS view
Parameter
minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.
Description
Use the timer realtime-accounting command to configure a real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
The setting of real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.
The real-time accounting interval depends somewhat on the performance of the NAS and the RADIUS server: a shorter interval requires higher device performance. A longer interval is therefore recommended when there are many users (1000 or more). Table 215 recommends intervals by number of users.
By default, the interval of realtime accounting is 12 minutes.
Related command: retry realtime-accounting and radius scheme.
Example
# Set the real-time accounting interval in the RADIUS scheme "3com" to 51 minutes.
[SecBlade_FW-radius-3com] timer realtime-accounting 51
timer response-timeout
Syntax
timer seconds
undo timer
timer response-timeout seconds
undo timer response-timeout
View
RADIUS view
Parameter
seconds: RADIUS server response timeout timer, ranging from 1 to 10 seconds.
Table 215 Recommended real-time accounting interval by number of users (for timer realtime-accounting)
Number of users    Real-time accounting interval (minutes)
1 - 99             3
100 - 499          6
500 - 999          12
≥ 1000             ≥ 15
Description
Use the timer response-timeout command (or its shorter form, timer) to configure the RADIUS server response timeout timer.
Use the undo timer response-timeout command (or undo timer) to restore the default.
If the NAS receives no response from the RADIUS server within this period after sending a RADIUS request (authentication/authorization or accounting), it resends the request, so that the user can still obtain RADIUS service. Set the timer with the network conditions and the desired system performance in mind; the number of retransmissions is limited by the retry command.
By default, the response timeout timer of the RADIUS server is three seconds.
Related command: radius scheme and retry.
Example
# Set the response timeout timer in the RADIUS scheme 3com to 5 seconds.
[SecBlade_FW-radius-3com] timer response-timeout 5
user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS view
Parameter
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Description
Use the user-name-format command to configure the format of the username to be sent to a RADIUS server.
By default, in system scheme, the NAS server sends user names without the ISP domain name to the RADIUS server; in the newly added RADIUS scheme, the NAS server sends user names with the ISP domain name to the RADIUS server.
Supplicants are generally named in the userid@isp-name format; the security gateway uses isp-name to decide which ISP domain a supplicant belongs to. Some earlier RADIUS servers, however, cannot recognize user names that include an ISP domain name, so the security gateway must strip the domain name before sending a user name to such a server. This command lets you decide whether the user name sent to a RADIUS server includes the domain name.
Note: If a RADIUS scheme sends user names without the ISP domain name, do not apply that scheme to more than one ISP domain. Otherwise the RADIUS server cannot tell apart two users in different ISP domains who share the same userid, and treats them as one user.
Related command: radius scheme.
Example
# Send the username without the domain name to the RADIUS servers in the RADIUS scheme "3com".
[SecBlade_FW-radius-3com] user-name-format without-domain
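The note above is a configuration rule that can be checked mechanically. The following Python example is added here and is not code from the 3Com manual or from 3Com: it models the user-name handling the command describes (the isp-name after the last "@" selects the ISP domain, and a without-domain scheme strips it before the name goes into the RADIUS User-Name attribute), flags every without-domain scheme that is bound to more than one ISP domain, and lists the supplicants that would collide on the server. Scheme names, domain names and user names are constructed, and the binding of domains to schemes is represented as a plain dictionary rather than read from a device.

```python
"""user-name-format check: find without-domain RADIUS schemes shared by several
ISP domains and the user names that collide as a result.

Added example; domain, scheme and user names are constructed sample data.
"""
from typing import Dict, Iterable, List, Tuple

# scheme name -> True if 'user-name-format with-domain', False if without-domain
Schemes = Dict[str, bool]
# ISP domain name -> RADIUS scheme applied to it
Bindings = Dict[str, str]


def isp_domain(supplicant: str, default_domain: str) -> str:
    """ISP domain the security gateway derives from userid@isp-name;
    a bare userid falls into the default domain."""
    return supplicant.rsplit("@", 1)[1] if "@" in supplicant else default_domain


def radius_user_name(supplicant: str, with_domain: bool) -> str:
    """Value placed in the RADIUS User-Name attribute for this scheme."""
    if with_domain or "@" not in supplicant:
        return supplicant
    return supplicant.rsplit("@", 1)[0]


def shared_without_domain_schemes(bindings: Bindings, schemes: Schemes) -> Dict[str, List[str]]:
    """Schemes that strip the domain yet serve more than one ISP domain:
    exactly the configuration the note warns against. Returns scheme -> domains."""
    domains_by_scheme: Dict[str, set] = {}
    for domain, scheme in bindings.items():
        domains_by_scheme.setdefault(scheme, set()).add(domain)
    return {scheme: sorted(domains)
            for scheme, domains in domains_by_scheme.items()
            if not schemes[scheme] and len(domains) > 1}


def colliding_users(supplicants: Iterable[str], bindings: Bindings, schemes: Schemes,
                    default_domain: str = "system") -> Dict[Tuple[str, str], List[str]]:
    """Supplicants from different ISP domains that reach the same scheme's
    servers under the same User-Name. Returns (scheme, sent name) -> supplicants."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for name in supplicants:
        scheme = bindings[isp_domain(name, default_domain)]
        sent = radius_user_name(name, schemes[scheme])
        seen.setdefault((scheme, sent), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    schemes = {"3com": False, "corp": True}                  # constructed
    bindings = {"isp1": "3com", "isp2": "3com", "corp.example": "corp"}
    print(shared_without_domain_schemes(bindings, schemes))
    print(colliding_users(["alice@isp1", "alice@isp2", "bob@isp1"], bindings, schemes))
```

Run the check whenever a scheme is applied to an additional ISP domain; the fix is either a separate scheme per domain or user-name-format with-domain on a server that accepts domain-qualified names.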
HWTACACS Configuration Commands
data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format { data | packet }
View
HWTACACS view
Parameter
data: Sets data unit.
byte: Sets ’byte’ as the unit of data flow.
giga-byte: Sets ’giga-byte’ as the unit of data flow.
kilo-byte: Sets ’kilo-byte’ as the unit of data flow.
mega-byte: Sets ’mega-byte’ as the unit of data flow.
packet: Sets data packet unit.
giga-packet: Sets ’giga-packet’ as the unit of packet flow.
kilo-packet: Sets ’kilo-packet’ as the unit of packet flow.
mega-packet: Sets ’mega-packet’ as the unit of packet flow.
one-packet: Sets ’one-packet’ as the unit of packet flow.
Description
Use the data-flow-format command to configure the unit of data flows sent to the TACACS server.
Use the undo data-flow-format command to restore the default.
By default, the data unit is byte and the data packet unit is one-packet.
Related command: display hwtacacs.
Example
# In the HWTACACS scheme "3com", send data flows to the HWTACACS server in kilobytes and packet flows in kilo-packets.
[SecBlade_FW-hwtacacs-3com] data-flow-format data kilo-byte
[SecBlade_FW-hwtacacs-3com] data-flow-format packet kilo-packet
debugging hwtacacs
Syntax
debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
View
User view
Parameter
all: Specifies all HWTACACS debugging.
error: Specifies error debugging.
event: Specifies event debugging.
message: Specifies message debugging.
receive-packet: Specifies incoming packet debugging.
send-packet: Specifies outgoing packet debugging.
Description
Use the debugging hwtacacs command to enable HWTACACS debugging.
Use the undo debugging hwtacacs command to disable HWTACACS debugging.
By default, HWTACACS debugging is disabled.
Example
# Enable the event debugging of HWTACACS.
<SecBlade_FW> debugging hwtacacs event
display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
View
Any view
Parameter
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.
statistics: Displays complete statistics about HWTACACS packets.
Description
Use the display hwtacacs command to view configuration information of one or all HWTACACS schemes.
Without any parameter, the command displays the configuration information of all HWTACACS schemes.
Related command: hwtacacs scheme.
Example
# Display the configuration of the HWTACACS scheme "gy".
<SecBlade_FW> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name   : gy
Primary-authentication-server   : 172.31.1.11:49
Primary-authorization-server    : 172.31.1.11:49
Primary-accounting-server       : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server  : 0.0.0.0:0
Secondary-accounting-server     : 0.0.0.0:0
Current-authentication-server   : 172.31.1.11:49
Current-authorization-server    : 172.31.1.11:49
Current-accounting-server       : 172.31.1.11:49
Source-IP-address               : 0.0.0.0
key authentication              : 790131
key authorization               : 790131
key accounting                  : 790131
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : No
Traffic-unit                    : B
Packet traffic-unit             : one-packet
Table 216 Description on the fields of the display hwtacacs command
Field                            Description
HWTACACS-server template name    HWTACACS server template name (that is, the HWTACACS scheme name)
Primary-authentication-server    IP address and port number of the primary authentication server
Primary-authorization-server     IP address and port number of the primary authorization server
Primary-accounting-server        IP address and port number of the primary accounting server
Secondary-authentication-server  IP address and port number of the secondary authentication server
Secondary-authorization-server   IP address and port number of the secondary authorization server
Secondary-accounting-server      IP address and port number of the secondary accounting server
Current-authentication-server    IP address and port number of the authentication server currently in use
Current-authorization-server     IP address and port number of the authorization server currently in use
Current-accounting-server        IP address and port number of the accounting server currently in use
Source-IP-address                Source IP address the security gateway uses to send HWTACACS packets
key authentication               Shared key of the HWTACACS authentication server
key authorization                Shared key of the HWTACACS authorization server
key accounting                   Shared key of the HWTACACS accounting server
Quiet-interval(min)              Time a blocked primary server waits before it resumes the active state
Response-timeout-Interval(sec)   Response timeout of the TACACS server
Domain-included                  Whether the user name sent to the TACACS server includes the ISP domain name
Traffic-unit                     Unit of data flows sent to the server: B (bytes), KB (kilobytes), MB (megabytes) or GB (gigabytes)
Packet traffic-unit              Unit of packet flows sent to the server: one-packet, kilo-packet, mega-packet or giga-packet
display stop-accounting-buffer
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
Any view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Displays information on the buffered stop-accounting requests related to the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.
Description
Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the security gateway.
Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.
Example
# Display information on the buffered stop-accounting requests related to the HWTACACS scheme "3com".
<SecBlade_FW> display stop-accounting-buffer hwtacacs-scheme 3com
-------------------------------------------------------------
NO.   SendTime   IP Address      Template
1     10         172.31.1.27     3com
-------------------------------------------------------------
Whole accounting stop packet to resend:1
Table 217 Description on the fields of the display stop-accounting-buffer command
Field         Description
NO.           Sequence number of the buffered stop-accounting request packet
SendTime      Number of times the stop-accounting request packet has been sent
IP Address    IP address of the TACACS server
Template      Name of the HWTACACS scheme
hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameter
ip-address: Source IP address, which must be an address of this device. It cannot be the all-zeros address, a class D (multicast) address, a network address, or an address in 127.0.0.0/8.
Description
Use the hwtacacs nas-ip command to specify the source IP address of the HWTACACS packets sent by the NAS.
Use the undo hwtacacs nas-ip command to restore the default.
Specifying a source address for HWTACACS packets avoids the situation where replies from the server cannot be received because the interface whose address was used has failed. A loopback interface address is normally recommended.
By default, no source address is specified, and the address of the interface that sends the packet is used as the source address.
This command specifies only one source address; a newly configured source address overwrites the previous one.
Example
# Configure the security gateway to send hwtacacs packets from 129.10.10.1.
[SecBlade_FW] hwtacacs nas-ip 129.10.10.1
hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Parameter
hwtacacs-scheme-name: Specifies an HWTACACS server scheme, with a character string of 1 to 32 characters.
Description
Use the hwtacacs scheme command to enter HWTACACS scheme view. If the specified HWTACACS scheme does not exist, the command creates it first.
Use the undo hwtacacs scheme command to delete an HWTACACS scheme.
Example
# Create an HWTACACS scheme named "test1" and enter the relevant HWTACACS scheme view.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1]
key
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string
View
HWTACACS view
Parameter
accounting: Shared key of the accounting server.
authentication: Shared key of the authentication server.
authorization: Shared key of the authorization server.
string: The shared key, a string up to 16 characters.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.
Use the undo key command to delete the configuration.
By default, no key is set for any TACACS server.
The TACACS client (the security gateway) and the TACACS server use the shared key with the MD5 algorithm to encrypt the body of every exchanged packet, so a packet can only be decoded by a peer that holds the same key. Only when both ends use the same key can they accept each other's packets and respond. Make sure that the same key is set on the security gateway and on the TACACS server. If authentication/authorization and accounting are performed by two servers with different shared keys, set a key for each.
Related command: display hwtacacs.
Example
# Use hello as the shared key for HWTACACS accounting.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] key accounting hello
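To make the key command's warning concrete, the following Python example, added here and not code from the 3Com manual or from 3Com, implements the TACACS+ packet header and body obfuscation that the shared key feeds (RFC 8907 section 4.5; the manual's description of HWTACACS, MD5 with the shared key over TCP port 49, is this mechanism). It builds an authentication START packet, encrypts the body with one key, and shows that decoding with a different key produces a body whose length fields no longer add up, which is how a server experiences a key mismatch. The key, user, port, remote address and session id are constructed; nothing is sent on the network.

```python
"""TACACS+ header and MD5 pseudo-pad body obfuscation (RFC 8907 s.4.5).

Added example; key, user, port and session id are constructed sample data.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 1              # packet types: 1 authen, 2 author, 3 acct
TAC_PLUS_UNENCRYPTED_FLAG = 0x01 # header flag set when no key is configured
TAC_PLUS_PORT = 49               # TCP port 49, the manual's default
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id + key + version + seq_no);
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}).
    Concatenate and truncate to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; XOR is its own inverse, so the same
    call encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START: action LOGIN(1), priv_lvl, authen_type ASCII(1),
    authen_service LOGIN(1), four length octets, then user, port, rem_addr
    (data is empty for an ASCII login, the password comes in a CONTINUE)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0)
    return fixed + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes,
                 seq_no: int = 1, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length)
    followed by the obfuscated body. flags=0 means the body is encrypted."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_packet(packet: bytes, key: bytes) -> dict:
    """Parse the header and de-obfuscate the body with `key`. There is no
    integrity tag: a wrong key yields garbage rather than an error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def start_body_is_consistent(body: bytes) -> bool:
    """Sanity check a server applies: the declared field lengths must match
    the body size. Fails for (almost) every body decoded with the wrong key."""
    if len(body) < 8:
        return False
    user_len, port_len, rem_len, data_len = body[4:8]
    return len(body) == 8 + user_len + port_len + rem_len + data_len


if __name__ == "__main__":
    key = b"hello"                                       # constructed; matches the example above
    body = authen_start_body("admin", "vty0", "172.31.1.27")
    packet = build_packet(body, session_id=0x12345678, key=key)
    print("right key consistent:", start_body_is_consistent(decode_packet(packet, key)["body"]))
    print("wrong key consistent:", start_body_is_consistent(decode_packet(packet, b"other")["body"]))
```

Two practical consequences follow from the code: the key is the only secret protecting the body, so the 16-character limit of the key command should be used in full, and because a mismatch surfaces only as an undecodable body, a sudden run of authentication failures after a key change on one side is the symptom to look for.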
nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS view
Parameter
ip-address: IP address in dotted decimal format.
Description
Use the nas-ip command to have all the HWTACACS packets sent by the NAS (the security gateway) carry the same source address.
Use the undo nas-ip command to delete the setting.
Specifying a source address for the HWTACACS packets to be transmitted can avoid the situation where the packets sent back by the TACACS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.
By default, the source IP address of a HWTACACS packet sent by the NAS is the IP address of the output port.
Related command: display hwtacacs.
Example
# Set the source IP address carried in the HWTACACS packets that are sent by the NAS to 10.1.1.1.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] nas-ip 10.1.1.1
primary accounting
Syntax
primary accounting ip-address [ port ]
undo primary accounting
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.
Description
Use the primary accounting command to configure a primary TACACS accounting server.
Use the undo primary accounting command to delete the configured primary TACACS accounting server.
By default, IP address of TACACS accounting server is 0.0.0.0.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
You can configure only one primary accounting server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Example
# Configure a primary accounting server.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary accounting 10.163.155.12 49
primary authentication
Syntax
primary authentication ip-address [ port ]
undo primary authentication
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authentication command to configure a primary TACACS authentication server.
Use the undo primary authentication command to delete the configured authentication server.
By default, IP address of TACACS authentication server is 0.0.0.0.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
You can configure only one primary authentication server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related command: display hwtacacs.
Example
# Configure a primary authentication server.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary authentication 10.163.155.13 49
primary authorization
Syntax
primary authorization ip-address [ port ]
undo primary authorization
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authorization command to configure a primary TACACS authorization server.
Use the undo primary authorization command to delete the configured primary authorization server.
By default, IP address of TACACS authorization server is 0.0.0.0.
If TACACS authentication is configured for users but no TACACS authorization server is configured, no user of any type can log in.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
You can configure only one primary authorization server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related command: display hwtacacs.
Example
# Configure a primary authorization server.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary authorization 10.163.155.13 49
reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }
View
User view
Parameter
accounting: Clears all the HWTACACS accounting statistics.
authentication: Clears all the HWTACACS authentication statistics.
authorization: Clears all the HWTACACS authorization statistics.
all: Clears all statistics.
Description
Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.
Related command: display hwtacacs.
Example
# Clear all HWTACACS protocol statistics.
<SecBlade_FW> reset hwtacacs statistics
reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Configures to delete the stop-accounting requests from the buffer according to the specified HWTACACS scheme name. The hwtacacs-scheme-name specifies the HWTACACS scheme name with a string of up to 32 characters.
Description
Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the security gateway.
Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Example
# Delete the buffered stop-accounting requests that are related to the HWTACACS scheme "3com".
<SecBlade_FW> reset stop-accounting-buffer hwtacacs-scheme 3com
retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS view
Parameter
retry-times: Maximum number of times a stop-accounting request is transmitted, in the range 1 to 300.
Description
Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.
Use the undo retry stop-accounting command to restore the default setting.
By default, stop-accounting packet retransmission is enabled and up to 100 packets are allowed to be transmitted for each request.
Related command: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.
Example
# Enable stop-accounting packet retransmission and allow up to 50 packets to be transmitted for each request.
[SecBlade_FW-hwtacacs-test] retry stop-accounting 50
secondary accounting
Syntax
secondary accounting ip-address [ port ]
undo secondary accounting
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.
Description
Use the secondary accounting command to configure a secondary TACACS accounting server.
Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.
By default, IP address of TACACS accounting server is 0.0.0.0.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
You can configure only one secondary accounting server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Example
# Configure a secondary accounting server.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary accounting 10.163.155.12 49
secondary authentication
Syntax
secondary authentication ip-address [ port ]
undo secondary authentication
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.
Description
Use the secondary authentication command to configure a secondary TACACS authentication server.
Use the undo secondary authentication command to delete the configured secondary authentication server.
By default, IP address of TACACS authentication server is 0.0.0.0.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
You can configure only one secondary authentication server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related command: display hwtacacs.
Example
# Configure a secondary authentication server.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary authentication 10.163.155.13 49
secondary authorization
Syntax
secondary authorization ip-address [ port ]
undo secondary authorization
View
HWTACACS view
Parameter
ip-address: IP address of the server, a legal unicast address in dotted decimal format.
port: Port number of the server, ranging from 1 to 65535. By default, it is 49.
Description
Use the secondary authorization command to configure a secondary TACACS authorization server.
Use the undo secondary authorization command to delete the configured secondary authorization server.
By default, IP address of TACACS authorization server is 0.0.0.0.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
You can configure only one secondary authorization server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related command: display hwtacacs.
Example
# Configure the secondary authorization server.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary authorization 10.163.155.13 49
stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
HWTACACS view
Parameter
None
Description
Use the stop-accounting-buffer enable command to have the security gateway buffer stop-accounting request packets that receive no response.
Use the undo stop-accounting-buffer enable command to disable this buffering.
By default, the security gateway buffers stop-accounting request packets that receive no response.
For the detailed description, refer to the stop-accounting-buffer enable command in the RADIUS scheme.
Example
# In the HWTACACS scheme "3com", allow stop-accounting request packets that receive no response to be buffered on the security gateway.
[SecBlade_FW-hwtacacs-3com] stop-accounting-buffer enable
timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS view
Parameter
minutes: Ranges from 1 to 255 minutes.
Description
Use the timer quiet command to set the duration that a primary server must wait before it can resume the active state.
Use the undo timer quiet command to restore the default (five minutes).
By default, the primary server must wait five minutes before it resumes the active state.
Related command: display hwtacacs.
Example
# Set the quiet timer for the primary server to ten minutes.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] timer quiet 10
timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS view
Parameter
minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.
Description
Use the timer realtime-accounting command to configure a real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
Real-time accounting interval is necessary for real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the TACACS accounting server at intervals of this value.
The setting of the real-time accounting interval depends somewhat on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. It is therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). Table 218 recommends the ratio of minutes to the number of users.
By default, the real-time accounting interval is 12 minutes.
Related command: retry realtime-accounting and radius scheme.
Example
# Set the real-time accounting interval in the HWTACACS scheme "3com" to 51 minutes.
[SecBlade_FW-hwtacacs-3com] timer realtime-accounting 51
timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS view
Parameter
seconds: Ranges from 1 to 300 seconds.
Description
Use the timer response-timeout command to set the response timeout timer of the TACACS server.
Use the undo timer response-timeout command to restore the default (five seconds).
By default, the response timeout timer of the TACACS server is five seconds.
Note: As HWTACACS is based on TCP, either the server response timeout or the TCP timeout may cause disconnection from the TACACS server.
Related command: display hwtacacs.
Example
# Set the response timeout time of the TACACS server to 30 seconds.
[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] timer response-timeout 30
Table 218 Recommended ratio of minutes to the number of users
Number of users    Real-time accounting interval (minutes)
1 - 99             3
100 - 499          6
500 - 999          12
≥ 1000             ≥ 15
user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS view
Parameter
with-domain: Specifies to send the username with the domain name to the TACACS server.
without-domain: Specifies to send the username without domain name to the TACACS server.
Description
Use the user-name-format command to configure the username format sent to the TACACS server.
By default, the username sent to the TACACS server by an HWTACACS scheme includes the ISP domain name.
The supplicants are generally named in userid@isp-name format. The part following the @ sign is the ISP domain name, according to which the security gateway assigns a user to the corresponding ISP domain. However, some earlier TACACS servers reject the user name including ISP domain name. In this case, the user name is sent to the TACACS server after its domain name is removed. Accordingly, the security gateway provides this command to decide whether the username is sent to the TACACS server, carrying ISP domain name or not.
Note: If an HWTACACS scheme is configured to send usernames without ISP domain names, the scheme must not be used in more than one ISP domain at the same time. Otherwise, the TACACS server will mistakenly regard two users in different ISP domains as the same user if they have the same username (excluding their respective domain names).
Related command: hwtacacs scheme.
Example
# Specify to send the username without domain name to the HWTACACS scheme "3com".
[SecBlade_FW-hwtacacs-3com] user-name-format without-domain
16
ACCESS CONTROL LIST CONFIGURATION COMMANDS
ACL Configuration Commands
acl
Syntax
acl number acl-number [ match-order { config | auto } ]
undo acl { number acl-number | all }
View
System View
Parameter
number: Defines a numbered access control list (ACL).
acl-number: ACL number, with the range 1000 to 1999 for interface-based ACLs, 2000 to 2999 for basic ACLs, 3000 to 3999 for advanced ACLs, and 4000 to 4999 for MAC-based ACLs.
match-order: Indicates the order in which rules are configured.
config: Matches rules in the order in which the user configured them.
auto: Matches rules in automatic order, according to the "depth first" principle.
all: Deletes all ACLs.
Description
Use the acl command to create an access control list and enter ACL view.
Use the undo acl command to delete an access control list.
An access control list consists of a list of rules, each described by a permit or deny statement. Several such rule lists form an ACL. Before configuring the rules of an access control list, you must create the access control list first.
Example
# Create an ACL numbered 2000.
[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000]
description
Syntax
description text
undo description
View
ACL view
Parameter
text: ACL description, a string of up to 127 characters.
Description
Use the description command to add description to an ACL.
Use the undo description command to delete the description of the ACL.
Example
# Add description to ACL 2001.
[SecBlade_FW-acl-basic-2001] description Deny HTTP from host 10.0.0.1
display acl
Syntax
display acl { all | acl-number }
View
Any view
Parameter
all: All ACL rules.
acl-number: ACL expressed by number.
Description
Use the display acl command to view the rules of access control list.
The rule match order defaults to config (configuration order); in that case the display command does not show the match order. When the match order auto applies, the display command shows it.
Example
# Display the contents of ACL 2000 rule.
[SecBlade_FW-acl-basic-2000] display acl 2000
Basic ACL 2000, 2 rules,
rule 1 permit (0 times matched)
rule 2 permit source 1.1.1.1 0 (0 times matched)
reset acl counter
Syntax
reset acl counter { all | acl-number }
View
User View
Parameter
acl-number: ACL expressed by number.
all: All ACL rules.
Description
Use the reset acl counter command to clear the statistics of access control list.
Example
# Reset the statistics of access control list 1000.
<SecBlade_FW> reset acl counter 1000
rule
Syntax
1 Create or delete a rule of a basic access control list.
rule [ rule-id ] { permit | deny } [ source sour-addr sour-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]
undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]
2 Create or delete a rule of an advanced access control list.
rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]
undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]
3 Create or delete a rule of an interface-based ACL rule.
rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]
undo rule rule-id [ time-range | logging ] *
4 Add/delete a MAC-based ACL rule
rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ]
undo rule rule-id
View
ACL view
Parameter
In the rule command:
rule-id: ID of an ACL rule, optional, ranging from 0 to 65534. If you specify a rule-id and a rule with that ID already exists, the newly defined rule overwrites the existing rule, as if editing it. If the rule-id you specify does not exist, a new rule with that rule-id is created. If you do not specify a rule-id, a new rule is created and the system assigns a rule-id to it automatically.
deny: Discards matched packets.
permit: Permits matched packets.
protocol: Protocol type over IP expressed by name or number. The number range is from 0 to 255, and the name range covers GRE, ICMP, IGMP, IP, IPINIP, OSPF, TCP and UDP.
source: Optional, specify source address information of ACL rule. If it is not configured, it indicates that any source address of the packets matches.
sour-addr: Source IP address of packets in dotted decimal format.
sour-wildcard: Source address wildcard in dotted decimal format.
destination: Optional, specify destination address information of ACL rule. If it is not configured, it indicates that any destination address of the packets matches.
dest-addr: Destination IP address of packets in dotted decimal format.
dest-wildcard: Destination address wildcard in dotted decimal format.
any: Represents the source or destination address 0.0.0.0 with the wildcard 255.255.255.255.
icmp-type: Optional, specify ICMP packet type and ICMP message code, only valid when packet protocol is ICMP. If it is not configured, it indicates any ICMP packet matches.
icmp-type: ICMP packet can be filtered according to ICMP message type. It is a number ranging from 0 to 255.
icmp-code: ICMP packets that can be filtered according to ICMP message type can also be filtered according to message code. It is a number ranging from 0 to 255.
icmp-message: ICMP packets can be filtered according to ICMP message type or ICMP message code.
source-port: Optional, specify source port information of UDP or TCP packets, valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, it indicates that any source port information of TCP/UDP packets matches.
destination-port: Optional, specify destination port information of UDP or TCP packets, valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, it indicates that any destination port information of TCP/UDP packets matches.
operator: Optional, comparison between port numbers of source and destination addresses. Their names and meanings are as follows: lt (lower than), gt (greater than), eq (equal to), neq (not equal to) and range (between). If the operator is range, two port numbers should follow it. Others only need one port number.
port1, port2: Optional, port number of TCP or UDP, expressed by name or number. The number range is from 0 to 65535.
dscp dscp: Specifies a DSCP field, the DS byte in IP packets.
established: Matches only TCP packets with the ACK or RST flag set, including SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets. This option matches the traffic of established TCP sessions, that is, it filters out initial TCP session requests (SYN without ACK).
precedence: Optional, a number ranging from 0 to 7, or a name. Packets can be filtered according to precedence field.
tos tos: Optional, a number ranging from 0 to 15 or a name. Packets can be filtered according to type of service.
logging: Optional, indicating whether to log qualified packets. The log contents include sequence number of ACL rule, packets passed or discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and number of packets.
time-range time-name: Specifies that the ACL is valid in this time range.
fragment: Specifies that this rule is only valid for fragment packets that are not the first fragment.
interface interface-type interface-number: Specifies the interface information of the packets. If no interface is specified, all interfaces can be matched. any represents all interfaces.
In the undo rule command:
rule-id: ID of an ACL rule, it should be an existing ACL rule number. If the command is not followed by other parameters, this ACL rule will be deleted completely; otherwise, only part of information related to this ACL rule will be deleted.
source: Optional. Only the information settings related to the source address part of the ACL rule number will be deleted.
destination: Optional. Only the information setting related to the destination address part of the ACL rule number will be deleted.
source-port: Optional. Only the information setting related to the source port part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.
destination-port: Optional. Only the information setting related to the destination port part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.
icmp-type: Optional. Only the information setting related to ICMP type and message code part of the ACL rule number will be deleted, valid only when the protocol is ICMP.
precedence: Optional. Only the setting of precedence configuration of the ACL rule will be deleted.
tos tos: Optional. Only related tos setting corresponding to the ACL rule will be deleted.
time-range time-name: Optional, specifies that the ACL is valid in this time range.
logging: Optional. Only the setting corresponding to the logging part of the ACL rule will be deleted.
fragment: Optional. Only the setting corresponding to the validity of non-first packets fragmentation of the ACL rule will be deleted.
type-code: Type of the Data frame, a 16-bit hexadecimal number corresponds to the type-code field in Ethernet_II and Ethernet_SNAP frames.
type-mask: A 16-bit hexadecimal number used for specifying the mask bits.
lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.
lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.
sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx, used to match the source address of a packet.
sour-mask: Source MAC address mask.
dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx, Used to match the destination address of a packet.
dest-mask: Destination MAC address mask.
Description
Use the rule command to add a rule in current ACL view.
Use the undo rule command to delete a rule.
The rule ID is needed when you delete a rule. If you do not know the ID, use the display acl command to find it.
Example
# Create ACL 3001 and add a rule to deny RIP packets.
[SecBlade_FW] acl number 3001
[SecBlade_FW-acl-adv-3001] rule deny udp destination-port eq rip
# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packet to hosts in the network segment 202.38.160.0.
[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www
# Add a rule to deny WWW access (port 80) from hosts in network segment 129.9.0.0 to hosts in network segment 202.38.160.0, and log packets that match the rule.
[SecBlade_FW-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging
# Add a rule to permit the WWW access (80) from the host in network segment 129.9.8.0 to the host in network segment 202.38.160.0.
[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www
# Add a rule to prohibit all hosts from establishing Telnet (23) connection to the host with the IP address 202.38.160.1.
[SecBlade_FW-acl-adv-3001] rule deny tcp destination 202.38.160.1 0 destination-port eq telnet
# Add a rule to prohibit hosts in network segment 129.9.8.0 from creating UDP connections with destination port numbers greater than 128 to hosts in network segment 202.38.160.0.
[SecBlade_FW-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128
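The rule parameters above (wildcard masks, port operators, the established flag, first-match evaluation in config order) are easier to reason about when the matching logic is written out. The following is an added example in Python, not code from the 3Com manual or the switch firmware: it models the advanced-ACL semantics the rule command describes and loads the ACL 3001 rules from the examples above as data. The packet structure, the port-name table, and the default action when no rule matches are constructed assumptions for the example; the device's own default action is a separate setting not covered here.

```python
"""Evaluating advanced ACL rules: wildcard masks, port operators, established.

Added example, not Switch 8800 code. Wildcard bits set to 1 are "don't care",
bits set to 0 must match; "any" is 0.0.0.0 255.255.255.255. Rules are tried
in configuration order (match-order config); the first match decides.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Constructed subset of the well-known port names the manual's examples use.
PORT_NAMES = {"www": 80, "telnet": 23, "rip": 520, "ftp": 21}


def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def port_matches(port: int, operator: Optional[str], p1=None, p2=None) -> bool:
    """Apply lt/gt/eq/neq/range; no operator means any port matches."""
    if operator is None:
        return True
    p1 = PORT_NAMES.get(p1, p1)  # names resolve to numbers, numbers pass through
    p2 = PORT_NAMES.get(p2, p2)
    return {
        "lt": lambda: port < p1,
        "gt": lambda: port > p1,
        "eq": lambda: port == p1,
        "neq": lambda: port != p1,
        "range": lambda: p1 <= port <= p2,
    }[operator]()


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    protocol: str                            # "tcp", "udp", "icmp" or "ip"
    source: tuple = ("0.0.0.0", "255.255.255.255")       # address, wildcard
    destination: tuple = ("0.0.0.0", "255.255.255.255")
    dport: tuple = (None, None, None)        # (operator, port1, port2)
    established: bool = False                # only TCP with ACK or RST set


@dataclass
class Packet:                                # constructed packet abstraction
    src: str
    dst: str
    protocol: str
    dport: int = 0
    tcp_flags: frozenset = field(default_factory=frozenset)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not in_wildcard(pkt.src, *rule.source):
        return False
    if not in_wildcard(pkt.dst, *rule.destination):
        return False
    # Port operators are only meaningful for TCP and UDP.
    if rule.protocol in ("tcp", "udp") and not port_matches(pkt.dport, *rule.dport):
        return False
    if rule.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; the no-match default is an assumption here."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# The ACL 3001 rules from the manual's examples, in configuration order.
ACL_3001 = [
    Rule("deny", "udp", dport=("eq", "rip", None)),
    Rule("permit", "tcp", ("129.9.0.0", "0.0.255.255"),
         ("202.38.160.0", "0.0.0.255"), ("eq", "www", None)),
    Rule("deny", "tcp", ("129.9.0.0", "0.0.255.255"),
         ("202.38.160.0", "0.0.0.255"), ("eq", "www", None)),
    Rule("permit", "tcp", ("129.9.8.0", "0.0.0.255"),
         ("202.38.160.0", "0.0.0.255"), ("eq", "www", None)),
    Rule("deny", "tcp", destination=("202.38.160.1", "0.0.0.0"),
         dport=("eq", "telnet", None)),
    Rule("deny", "udp", ("129.9.8.0", "0.0.0.255"),
         ("202.38.160.0", "0.0.0.255"), ("gt", 128, None)),
]
```

Running the manual's own rule set through this evaluator shows a point worth checking on any ACL: in config order the deny-with-logging rule for 129.9.0.0 is never reached, because the permit rule entered just before it covers exactly the same traffic, so WWW from 129.9.x.x is permitted and nothing is logged. The manual's match-order auto (depth-first) applies a different ordering; this example models config order only.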
rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
ACL view
Parameter
rule-id: ID of an existing ACL rule.
comment text: Comment of an ACL rule, a string of up to 128 characters.
Description
Use the rule comment command to add comment to an ACL rule.
Use the undo rule comment command to remove the comment of the ACL rule.
Example
# Add comment to ACL rule 7.
[SecBlade_FW-acl-adv-3001] rule 7 comment Allow FTP from any source to host 172.16.0.1
Time-range Configuration Commands
display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameter
time-name: Name of the time range.
all: Displays all the configured time ranges.
Description
Use the display time-range command to view the configuration and the status of time range. For the active time range at present, it displays "active" and for the inactive time range, it displays "inactive".
The system updates ACL status with a delay of about one minute, whereas display time-range shows the state of the time range at the current time exactly. The following case may therefore occur: display time-range shows a time range as active while the ACL that should be active in that time range is still inactive. This is normal.
Example
# Display all time ranges.
[SecBlade_FW] display time-range all
# Display the time range named trname.
[SecBlade_FW] display time-range trname
Current time is 02:49:36 2/15/2003 Saturday
Time-range : trname ( Inactive )
14:00 to 16:00 off-day from 00:00 12/1/2002 to 00:00 12/1/2003
time-range
Syntax
time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
View
System view
Parameter
time-name: Name of time range, which consists of 32 characters at most and must start with a letter of a-z or A-Z.
start-time: Start time of a time range, in the format of HH:MM.
end-time: End time of a time range, in the format of HH:MM.
days: Indicates on which days of the week the time range is valid. A day is represented by a number 0 through 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday, or by one of the following keywords:
Working-day includes Monday through Friday;
Off-day includes Saturday and Sunday;
Daily includes the seven days of a week.
from time1 date1: Optional, indicates the start time and date. The time format is hh:mm in 24-hour notation, where hh ranges from 0 to 23 and mm from 0 to 59. The date format is MM/DD/YYYY, where DD ranges from 1 to 31, MM from 1 to 12, and YYYY is a 4-digit number in the range 1970 to 2100. If no start time is set, there is no restriction on the start time and only the end time is considered.
to time2 date2: Optional. It is used to indicate the end time and date. In addition, the input format of time and date is the same with that of the start time. The end time must be greater than the start time. If the end time is not set, it will be the maximum time that the system can set.
Description
Use the time-range command to specify a time range.
Use the undo time-range command to delete a time range.
A time range consists of 2 parts, the first is the periodic time range within one week described by the parameters start-time and end-time, depending on the parameter days to specify on which day it is valid; the second is the time range specified by from and to, which can be used to emphasize in what time range the periodical time range is valid.
You can configure multiple time ranges with the same time-name, which are in "OR" relationship.
Example
# Configure the time range valid at 0:0 on Jan. 1, 2003, always valid.
[SecBlade_FW] time-range test from 0:0 1/1/2003
# Configure the time range valid between 14:00 and 16:00 in every weekend from 20:00 on Apr.01, 2003 to 20:00 on Dec.10, 2003.
[SecBlade_FW] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00 12/10/2003
# Configure the time range valid between 8:00 and 18:00 in each working day.
[SecBlade_FW] time-range test 8:00 to 18:00 working-day
# Configure the time range valid between 14:00 and 18:00 in each weekend day.
[SecBlade_FW] time-range test 14:00 to 18:00 off-day
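The two-part semantics of a time range (a periodic window on given days, optionally bounded by an absolute from/to window) and the "OR" relationship between entries sharing a name are shown below in an added Python example; it is not code from the manual or the switch. The four entries are the "test" examples above expressed as data. Two details the manual does not state are assumptions here: the periodic end time is treated as exclusive, and an entry without a days parameter is treated as daily.

```python
"""Evaluating time-range entries as the ACL module would apply them.

Added example, not Switch 8800 firmware. Day numbering follows the manual
(0 = Sunday ... 6 = Saturday). Assumptions: end-time is exclusive; an
entry given without days is treated as daily.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

DAY_KEYWORDS = {
    "working-day": {1, 2, 3, 4, 5},   # Monday through Friday
    "off-day": {0, 6},                # Saturday and Sunday
    "daily": set(range(7)),
}


def manual_weekday(dt: datetime) -> int:
    """Python's weekday() is 0 = Monday; the manual counts 0 = Sunday."""
    return (dt.weekday() + 1) % 7


def parse_days(tokens) -> frozenset:
    """Accept numbers 0-6 and/or the keywords working-day, off-day, daily."""
    days = set()
    for tok in tokens:
        if tok in DAY_KEYWORDS:
            days |= DAY_KEYWORDS[tok]
        else:
            d = int(tok)
            if not 0 <= d <= 6:
                raise ValueError(f"day out of range: {tok}")
            days.add(d)
    return frozenset(days)


@dataclass
class TimeRange:
    name: str
    start: Optional[time] = None              # periodic part: start-time
    end: Optional[time] = None                #                end-time
    days: frozenset = frozenset(range(7))     # assumption: daily if omitted
    absolute_from: Optional[datetime] = None  # from time1 date1
    absolute_to: Optional[datetime] = None    # to time2 date2; None = no limit

    def is_active(self, now: datetime) -> bool:
        # Absolute window first: the periodic part only counts inside it.
        if self.absolute_from is not None and now < self.absolute_from:
            return False
        if self.absolute_to is not None and now > self.absolute_to:
            return False
        # Periodic window within the week, if one was configured.
        if self.start is not None:
            if manual_weekday(now) not in self.days:
                return False
            if not (self.start <= now.time() < self.end):
                return False
        return True


def time_range_active(entries, name: str, now: datetime) -> bool:
    """Entries with the same name are in an OR relationship."""
    return any(e.is_active(now) for e in entries if e.name == name)


# The manual's four "test" entries, in the order they were configured.
TEST_ENTRIES = [
    TimeRange("test", absolute_from=datetime(2003, 1, 1, 0, 0)),
    TimeRange("test", time(14, 0), time(16, 0), parse_days(["off-day"]),
              datetime(2003, 4, 1, 20, 0), datetime(2003, 12, 10, 20, 0)),
    TimeRange("test", time(8, 0), time(18, 0), parse_days(["working-day"])),
    TimeRange("test", time(14, 0), time(18, 0), parse_days(["off-day"])),
]
```

Because the entries are ORed, the first entry (valid from 2003-01-01 with no periodic part) makes "test" active at any moment after that date, regardless of the three periodic entries. A rule bound to such a time range is effectively unconditional, which is easy to miss when entries with the same name are added over time; evaluating the combined set, as time_range_active does, makes that visible.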
17
NAT CONFIGURATION COMMANDS
NAT Configuration Commands
debugging nat
Syntax
debugging nat { alg | event | packet } [ interface interface-type interface-number ]
undo debugging nat { alg | event | packet } [ interface interface-type interface-number ]
View
User view
Parameter
alg: Enables the application level gateway NAT debugging information.
event: Enables NAT event debugging information.
packet: Enables NAT data packet debugging information.
interface: Enables NAT packet debugging for a special interface.
Description
Use the debugging nat command to enable the NAT debugging function.
Use the undo debugging nat command to disable the NAT debugging function.
Example
# Enable the NAT event debugging.
<SecBlade_FW> debugging nat event
display nat
Syntax
display nat { address-group | aging-time | all | outbound | server | statistics | session [ source { global global-addr | inside inside-addr } ] }
View
Any view
Parameter
address-group: Displays the information of the address pool.
aging-time: Displays the effective time for NAT connection.
all: Displays all the information about NAT.
outbound: Displays the information of the outbound NAT.
server: Displays the information of the internal server.
statistics: Displays the statistics of current NAT records.
session: Displays the information of the currently activated connection.
source global global-addr: Only displays the NAT entry with address as global-addr after NAT.
source inside inside-addr: Only displays the NAT entry with internal address as inside-addr.
destination ip-addr: Displays the NAT table items of a special IP destination.
Description
Use the display nat command to display the configuration of address translation. Users can verify if the configuration of address translation is correct according to the output information after execution of this command. When address translation connection information is displayed, the parameters of global-addr and inside-addr can be specified for the display nat session command simultaneously.
Example
# Display all the information about address translation.
<SecBlade_FW> display nat all
NAT address-group Information:
1: from 11.1.1.1 to 11.1.1.20
2: from 22.1.1.1 to 22.1.1.20
NAT outbound information:
GigabitEthernet0/0.1: acl(2011)-NAT address-group(1) [no-pat]
GigabitEthernet0/0.1: acl(2022)-NAT address-group(2) [no-pat]
Server in private network information:
Interface GlobalAddr GlobalPort InsideAddr InsidePort Pro
GigabitEthernet0/0.1 201.119.11.3 8080 5.5.5.5 80(www) 6(tcp)
GigabitEthernet0/0.1 201.119.11.3 2121 5.5.5.5 21(ftp) 6(tcp)
NAT aging-time value information:
tcp ---- aging-time value is 86400 (seconds)
udp ---- aging-time value is 300 (seconds)
icmp ---- aging-time value is 60 (seconds)
pptp ---- aging-time value is 86400 (seconds)
dns ---- aging-time value is 60 (seconds)
tcp-fin ---- aging-time value is 60 (seconds)
tcp-syn ---- aging-time value is 60 (seconds)
ftp-ctrl ---- aging-time value is 7200 (seconds)
ftp-data ---- aging-time value is 300 (seconds)
The information above indicates:
Two address pools are configured: address pool 1 ranges from 11.1.1.1 to 11.1.1.20, and address pool 2 ranges from 22.1.1.1 to 22.1.1.20.
Two address translation associations are configured at GigabitEthernet0/0.1: ACL 2011 is associated with address pool 1 and one-to-one address translation is performed; and ACL 2022 is associated with address pool 2, and one-to-one address translation is performed.
GigabitEthernet0/0.1 is configured with two internal servers: the www server at http://202.119.11.3:8080, whose internal address is 5.5.5.5; and the ftp server at ftp://202.119.11.3:2121, whose internal address is 5.5.5.5.
# Display NAT information.
<SW8800> display nat session
There are currently 40001 NAT sessions:
Protocol GlobalAddr Port InsideAddr Port DestAddr Port
- 192.168.100.10 --- 192.168.1.5 --- --- ---
status: NOPAT, TTL: 00:04:00, Left: 00:04:00
6 192.168.100.10 1024 192.168.1.5 1024 192.168.100.1 1025
status: NOPAT, TTL: 00:01:00, Left: 00:00:59
6 192.168.100.10 2048 192.168.1.5 2048 192.168.100.1 2049
status: NOPAT, TTL: 00:01:00, Left: 00:01:00
6 192.168.100.10 1025 192.168.1.5 1025 192.168.100.1 1026
status: NOPAT, TTL: 00:01:00, Left: 00:00:59
Note: In No-PAT address translation, the display nat session output shows several No-PAT entries for one internal address, one per connection initiated by that internal host, as above. This ensures that only connections initiated from the internal network to the external network are translated and that no connection initiated from the external network is translated, thereby enhancing network security.
nat address-group
Syntax
nat address-group group-number start-addr end-addr
undo nat address-group group-number
View
System view
Parameter
group-number: Address pool number, an integer ranging from 0 to 31.
start-addr: Starting IP address in the address pool.
end-addr: Ending IP address in the address pool.
Description
Use the nat address-group command to configure an address pool.
Use the undo nat address-group command to delete an IP address pool.
Address pool indicates the cluster of some outside IP addresses. If start-addr and end-addr are the same, it means that there is only one address.
CAUTION:
■ The length of an address pool (numbers of all addresses contained in an address pool) cannot exceed 255.
■ The address pool cannot be deleted, if it has been correlated to some certain access control list to perform the address translation.
Example
# Configure an address pool from 202.110.10.10 to 202.110.10.15, with its NAT pool ID being 1.
[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.15
nat aging-time
Syntax
nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }
View
System view
Parameter
default: Sets the address translation lifetime values to the defaults.
dns: Sets the address translation lifetime for DNS, which defaults to 60 seconds.
ftp-ctrl: Sets the address translation lifetime for FTP control links, which defaults to 7200 seconds.
ftp-data: Sets the address translation lifetime for FTP data links, which defaults to 300 seconds.
icmp: Sets the address translation lifetime for ICMP, which defaults to 60 seconds.
pptp: Sets the address translation lifetime for PPTP, which defaults to 86400 seconds.
tcp: Sets the address translation lifetime for TCP, which defaults to 86400 seconds.
tcp-fin: Sets the address translation lifetime for TCP FIN or TCP RST connections, which defaults to 60 seconds.
tcp-syn: Sets the address translation lifetime for TCP SYN connections, which defaults to 60 seconds.
udp: Sets the address translation lifetime for UDP, which defaults to 300 seconds.
seconds: Time value, in the range 10 to 86400 (24 hours).
Description
Use the nat aging-time command to set the lifetime of NAT connections.
This command sets the lifetime of address translation connections in seconds; different values are set for different protocol types. The default ALG aging time depends on the specific application type. To help mitigate attacks that open many half-finished connections, you can set the aging time of the first packet (tcp-syn) to five seconds.
Example
# Set the valid connection time of TCP to 240 seconds.
[SecBlade_FW] nat aging-time tcp 240
nat alg
Syntax
nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }
undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }
View
System view
Parameter
dns: Supports the DNS protocol.
ftp: Supports the FTP protocol.
h323: Supports the H.323 protocol.
ils: Supports the ILS protocol.
msn: Supports the MSN protocol.
nbt: Supports the NBT protocol.
pptp: Supports the PPTP protocol.
Description
Use the nat alg command to enable the application level gateway (ALG) function of NAT.
Use the undo nat alg command to disable the ALG function of NAT.
By default, the ALG function of NAT is enabled.
Example
# Enable the ALG function of NAT, allowing it to support FTP.
[SecBlade_FW] nat alg ftp
nat dns-map
Syntax
nat dns-map domain-name global-addr global-port [ tcp | udp ]
undo nat dns-map domain-name
View
System view
Parameter
domain-name: Valid domain name that can be correctly translated by external DNS servers.
global-addr: IP address (a valid one) that outside hosts can access.
global-port: Port number of the services that outside hosts can access.
tcp: Indicates that TCP protocol is borne by the IP protocol.
udp: Indicates that UDP protocol is borne by the IP protocol.
Description
Use the nat dns-map command to configure a mapping entry from a domain name to the external IP address, port number and protocol type.
Use the undo nat dns-map command to remove the mapping entry from a domain name to the external IP address, port number and protocol type.
If an internal host does not have any DNS server configured, the host can differentiate various internal servers and access them with the domain names after you configure the mapping entries with this command.
By default, no mapping entry is configured. Then the domain name request of the internal host can be mapped only to one internal server after being resolved by the external DNS server to get the external IP address.
Up to 16 mapping entries can be added.
Example
# Configure a mapping entry from the domain name to the external IP address, port number and protocol type.
[SecBlade_FW] nat dns-map www.abc.com 202.112.0.1 80 tcp
nat outbound
Syntax
nat outbound acl-number [ address-group group-number [ no-pat ] ]
undo nat outbound acl-number [ address-group group-number [ no-pat ] ]
View
Interface view
Parameter
address-group: Configures address translation by means of address pool. If the address pool is not specified, use the IP address of the interface as the translated address, i.e., the "easy-ip" feature.
no-pat: Uses simple address translation, which means only to translate the address of the packet but not use port information.
acl-number: ACL index in the range of 2000 to 3999 (the advanced ACL can be used).
group-number: The number of a defined address pool.
Description
Use the nat outbound command to associate an ACL with an address pool, indicating that the address specified in the acl-number can be translated by using address pool group-number.
Use the undo nat outbound command to remove the corresponding address translation.
Translation of the source address of the packet that conforms to the ACL is accomplished by configuring the association between the ACL and the address pool. The system performs address translation by selecting one address in the address pool or by directly using the IP address of the interface. Users can configure different address translation associations at the same interface. The corresponding undo form of the command can be used to delete the related address translation association. Normally, this interface is connected to ISP, and serves as the exit interface of the inside network.
The command without the address-group parameter implements the "easy-ip" feature. When performing address translation, the IP address of the interface is used as the translated address and the ACL can be used to control which addresses can be translated.
Example
# Enable the hosts of the 10.110.10.0/24 network segment to perform address translation, selecting the addresses 202.110.10.10 to 202.110.10.12 as the translated address. Suppose that the interface GigabitEthernet0/0.1 connects to the ISP.
[SecBlade_FW] acl number 2001
[SecBlade_FW-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule deny
# Configure the address pool.
[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.12
# Allow address translation and use the addresses of address pool 1 for address translation. During translation, the information of TCP/UDP port is used.
[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1
# Delete the corresponding configuration.
[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1
# Configuration of simple address translation (Not using the TCP/UDP port information to perform the address translation)
[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1 no-pat
# Delete the corresponding configuration.
[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1 no-pat
292 CHAPTER 17: NAT CONFIGURATION COMMANDS
# The configuration that can be used when performing address translation by using the IP address of interface GigabitEthernet0/0.1 directly.
[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001
# Delete the corresponding configuration.
[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001
nat outbound interface
Syntax
nat outbound acl-number interface interface-type interface-number
undo nat outbound acl-number interface interface-type interface-number
View
Interface view
Parameter
acl-number: ACL index, in the range of 2000 to 3999.
interface interface-type interface-number: Specifies an interface by its type and number. Currently, only the loopback interface is supported.
Description
Use the nat outbound interface command to associate an ACL with a specific interface and to set the interface address as the converted address (that is, to replace the source address of the data packets with the IP address of the specified interface).
Use the undo nat outbound interface command to remove the configuration.
Currently, only the loopback interface address can be specified as the converted address.
Example
# Set the IP address of the loopback0 interface as the converted address.
[SecBlade_FW] interface loopback0
[SecBlade_FW-LoopBack0] ip address 202.38.160.106
[SecBlade_FW-LoopBack0] quit
[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000] rule permit source 10.110.12.0 0.0.0.255
[SecBlade_FW-acl-basic-2000] quit
[SecBlade_FW] interface GigabitEthernet0/0.3
[SecBlade_FW-GigabitEthernet0/0.3] nat outbound 2000 interface loopback 0
nat outbound static
Syntax
nat outbound static
undo nat outbound static
View
Interface view
Parameter
None
Description
Use the nat outbound static command to apply on the interface the static NAT entries configured using the nat static command.
Use the undo nat outbound static command to disable the static NAT entries on the interface.
Example
# Apply the static NAT entries on the interface GigabitEthernet0/0.1.
[SecBlade_FW-GigabitEthernet0/0.1] nat outbound static
nat overlapaddress
Syntax
nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }
undo nat overlapaddress number
View
System view
Parameter
number: Sequence number of the address pool pair, in the range of 0 to 7.
overlappool-startaddress: Start address of the overlap address pool. Note that no intersection is allowed between overlap address pools.
temppool-startaddress: Start address of the temporary address pool. Note that no intersection is allowed between temporary address pools. Temporary addresses cannot be the existing internal or external addresses, so you are recommended to choose private network addresses as temporary addresses.
pool-length: Length of the address pool, in decimal format. The associated overlap and temporary address pools must be configured with the same length, with one overlap address corresponding to one temporary address.
mask: Subnet mask of the address pool.
Description
Use the nat overlapaddress command to configure the mapping entry from an overlap address pool to a temporary address pool.
Use the undo nat overlapaddress command to remove the mapping configuration.
One overlap address pool corresponds to one temporary address pool. The conversion rules are as follows:
Temporary address = Start address of the temporary address pool + (overlap address - start address of the overlap address pool)
Overlap address = Start address of the overlap address pool + (temporary address - start address of the temporary address pool)
Example
# Configure a mapping entry from 171.69.100.0 to 192.168.0.0, with address pool pair number as 0.
[SecBlade_FW] nat overlapaddress 0 171.69.100.0 192.168.0.0 address-mask 24
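The two conversion rules above, worked through in code. This is an added example written for this reference, not part of the 3Com manual or the SecBlade software; OverlapPoolPair and OverlapTable are this example's own names, and the intersection checks implement the "no intersection is allowed" notes given for the two start-address parameters.

```python
"""Overlap address pool mapping as described for nat overlapaddress.

Added example, not part of the 3Com/Comware manual. It models the two
conversion rules given in the text and the constraints the text states:
an overlap pool and its temporary pool have the same length, and pools of
the same kind must not intersect.
"""
from ipaddress import IPv4Address


class OverlapPoolPair:
    """One nat overlapaddress entry: an overlap pool and its temporary pool."""

    def __init__(self, number, overlap_start, temp_start,
                 pool_length=None, mask_bits=None):
        if not 0 <= number <= 7:
            raise ValueError("address pool pair number must be 0..7")
        if (pool_length is None) == (mask_bits is None):
            raise ValueError("give exactly one of pool_length or mask_bits")
        if mask_bits is not None:
            # address-mask form: the pool spans the whole subnet
            pool_length = 1 << (32 - mask_bits)
        self.number = number
        self.overlap_start = int(IPv4Address(overlap_start))
        self.temp_start = int(IPv4Address(temp_start))
        self.length = pool_length

    def _offset(self, start, addr):
        off = int(IPv4Address(addr)) - start
        return off if 0 <= off < self.length else None

    def to_temporary(self, overlap_addr):
        """Temporary = temp pool start + (overlap - overlap pool start), or None."""
        off = self._offset(self.overlap_start, overlap_addr)
        return None if off is None else str(IPv4Address(self.temp_start + off))

    def to_overlap(self, temp_addr):
        """Overlap = overlap pool start + (temporary - temp pool start), or None."""
        off = self._offset(self.temp_start, temp_addr)
        return None if off is None else str(IPv4Address(self.overlap_start + off))


def _ranges_intersect(a_start, a_len, b_start, b_len):
    return a_start < b_start + b_len and b_start < a_start + a_len


class OverlapTable:
    """The configured pool pairs (at most 8), with the no-intersection checks."""

    def __init__(self):
        self.pairs = {}

    def add(self, pair):
        if pair.number in self.pairs:
            raise ValueError("pool pair %d already configured" % pair.number)
        for other in self.pairs.values():
            if _ranges_intersect(pair.overlap_start, pair.length,
                                 other.overlap_start, other.length):
                raise ValueError("overlap pools intersect")
            if _ranges_intersect(pair.temp_start, pair.length,
                                 other.temp_start, other.length):
                raise ValueError("temporary pools intersect")
        self.pairs[pair.number] = pair

    def to_temporary(self, addr):
        for pair in self.pairs.values():
            hit = pair.to_temporary(addr)
            if hit is not None:
                return hit
        return None

    def to_overlap(self, addr):
        for pair in self.pairs.values():
            hit = pair.to_overlap(addr)
            if hit is not None:
                return hit
        return None


if __name__ == "__main__":
    # The manual's example: nat overlapaddress 0 171.69.100.0 192.168.0.0 address-mask 24
    table = OverlapTable()
    table.add(OverlapPoolPair(0, "171.69.100.0", "192.168.0.0", mask_bits=24))
    print(table.to_temporary("171.69.100.37"))
    print(table.to_overlap("192.168.0.37"))
```

Because both directions are plain offsets from the pool starts, the mapping is invertible only while the pools do not intersect, which is why the table refuses a second pair whose overlap or temporary range touches an existing one.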
nat server
Syntax
nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
undo nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
undo nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
View
Interface view
Parameter
acl-number: Basic or advanced ACL number, in the range of 2000 to 3999.
global-addr: An IP address provided for the outside to access (a legal IP address).
global-port: A service port number provided for the outside to access. If omitted, it takes the same value as host-port.
host-addr: IP address of the server in internal LAN.
host-port: Service port number provided by the server, in the range of 0 to 65535. Commonly used port numbers can be replaced by keywords: for example, the www service port number 80 can also be written as www, and the ftp service port number 21 as ftp. A host-port of 0 indicates that all types of services are provided; the keyword any stands for it. If the parameter is not configured, any is assumed, which is the same as a static connection between global-addr and host-addr. When host-port is configured as any, global-port must also be any; otherwise the configuration is illegal.
global-port1, global-port2: Specifies a port range through two port numbers, forming a corresponding relation with the internal host address range. global-port2 must be larger than global-port1.
host-addr1, host-addr2: Defines a group of consecutive address ranges, which respectively one-to-one matches the port ranges defined above. host-addr2 must be bigger than host-addr1. The number of the address ranges should be the same as the number of ports defined by global-port1 and global-port2.
pro-type: The protocol type carried by IP, given as a protocol ID or as a keyword that stands for it. For example: icmp (protocol ID 1), tcp (protocol ID 6), udp (protocol ID 17).
Description
Use the nat server command to define the mapping table of an internal server. Users can access the internal server with the address and port as host-addr and host-port respectively through the address port defined by global-addr and global-port.
Use the undo nat server command to remove the mapping table.
Through this command, you can make some internal network servers available for outside use. The internal server can be located in an ordinary private network and provide, for example, www, ftp, telnet, pop3 or dns.
Up to 256 internal server conversion commands and at most 4096 internal servers can be configured on one interface. Up to 1024 internal server conversion commands can be configured in one system. If nat servers are configured in the port range form (that is, a port range specified by global-port1 and global-port2, corresponding one-to-one to an address range of internal hosts), the number of internal servers equals the number of ports configured, and the maximum is also 4096.
TFTP is a special protocol; therefore, make sure you configure the corresponding nat outbound command on the internal TFTP server when you configure NAT Server for the TFTP server.
The interface on which this command is configured is interconnected with ISP and serves as the gateway of the internal network.
Example
# Specify the IP address of the interior www server of the LAN as 10.110.10.10 and the IP address of the interior ftp server as 10.110.10.11. It is expected that the outside can access the web server through http://202.110.10.10:8080 and connect to the FTP site through ftp://202.110.10.10. Suppose that GigabitEthernet0/0.1 is connected to the ISP.
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp
# Specify one interior host 10.110.10.12, expecting that the host of the exterior network can ping it with ping 202.110.10.11 command.
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12
# Delete the www server.
[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
# Delete the ftp server.
[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp
# Specify an outside address 202.110.10.10 and map the ports 1001 to 1100 to the addresses 10.110.10.1 to 10.110.10.100 respectively, for access to the telnet service on those hosts: 202.110.10.10:1001 reaches 10.110.10.1, 202.110.10.10:1002 reaches 10.110.10.2, and so on.
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet
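The single and port-range forms of nat server, modelled as a lookup table so the one-to-one correspondence between global ports and inside hosts can be checked. This is an added example, not code from the 3Com manual or the SecBlade software; NatServerEntry and NatServerTable are this example's own names, the per-interface limits are the ones stated above, and telnet = 23 is assumed from its well-known port (the text itself gives only www = 80, ftp = 21 and any = 0).

```python
"""Internal server mapping as defined by nat server.

Added example, not part of the 3Com/Comware manual. It models the two
forms of the command: one global address/port mapped to one host, and a
global port range mapped one-to-one onto a range of host addresses.
"""
from ipaddress import IPv4Address

# Keywords the text names (www, ftp, any); telnet = 23 is assumed (well-known port).
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "any": 0}


def parse_port(value):
    """Accept a port number or one of the keywords the command accepts."""
    if isinstance(value, str) and value in PORT_KEYWORDS:
        return PORT_KEYWORDS[value]
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return port


class NatServerEntry:
    """One nat server entry in either its single or its port-range form."""

    def __init__(self, protocol, global_addr, inside_addr, host_port="any",
                 global_port=None, global_port2=None, inside_addr2=None):
        self.protocol = protocol
        self.global_addr = global_addr
        self.host_port = parse_port(host_port)
        self.first_host = int(IPv4Address(inside_addr))
        if global_port2 is None:
            # Single mapping: global-port defaults to host-port.
            self.global_port1 = (self.host_port if global_port is None
                                 else parse_port(global_port))
            # "any" on the inside requires "any" on the outside, and vice versa.
            if (self.host_port == 0) != (self.global_port1 == 0):
                raise ValueError("host-port any requires global-port any")
            self.count = 1
        else:
            # Port range: global-port1..global-port2 maps onto host-addr1..host-addr2.
            self.global_port1 = parse_port(global_port)
            global_port2 = parse_port(global_port2)
            if global_port2 <= self.global_port1:
                raise ValueError("global-port2 must be larger than global-port1")
            last_host = int(IPv4Address(inside_addr2))
            if last_host <= self.first_host:
                raise ValueError("host-addr2 must be larger than host-addr1")
            self.count = global_port2 - self.global_port1 + 1
            if last_host - self.first_host + 1 != self.count:
                raise ValueError("port range and address range differ in size")

    def lookup(self, protocol, global_addr, global_port=None):
        """Return (host-addr, host-port) if this entry covers the request."""
        if protocol != self.protocol or global_addr != self.global_addr:
            return None
        if self.global_port1 == 0:
            # any: the whole address is mapped and the port is left untouched
            return str(IPv4Address(self.first_host)), global_port
        if global_port is None:
            return None
        off = global_port - self.global_port1
        if not 0 <= off < self.count:
            return None
        return str(IPv4Address(self.first_host + off)), self.host_port


class NatServerTable:
    """The nat server entries of one interface, with the limits the text states."""

    MAX_COMMANDS_PER_INTERFACE = 256
    MAX_SERVERS_PER_INTERFACE = 4096

    def __init__(self):
        self.entries = []

    def add(self, entry):
        if len(self.entries) >= self.MAX_COMMANDS_PER_INTERFACE:
            raise ValueError("too many nat server commands on this interface")
        total = sum(e.count for e in self.entries) + entry.count
        if total > self.MAX_SERVERS_PER_INTERFACE:
            raise ValueError("too many internal servers on this interface")
        self.entries.append(entry)

    def lookup(self, protocol, global_addr, global_port=None):
        for entry in self.entries:
            hit = entry.lookup(protocol, global_addr, global_port)
            if hit is not None:
                return hit
        return None
```

A port-range entry counts as one command but as many servers as it has ports, which is why the table tracks both limits separately.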
nat static
Syntax
nat static ip-addr1 ip-addr2
undo nat static ip-addr1 ip-addr2
View
System view
Parameter
ip-addr1: Private IP address of an internal host.
ip-addr2: Public IP address.
Description
Use the nat static command to configure a one-to-one private-to-public address binding.
Use the undo nat static command to delete an existing one-to-one private-to-public address binding.
Example
# Bind an internal private IP address with a public IP address for one-to-one address translation.
[SecBlade_FW] nat static 192.168.1.1 2.2.2.2
nat static inside ip
Syntax
nat static inside ip inside-start-address inside-end-address global global-address mask
undo nat static inside ip inside-start-address inside-end-address global global-address mask
View
System view
Parameter
inside-start-address: Start internal address that the specified static NAT entry will convert.
inside-end-address: End internal address that the specified static NAT entry will convert.
global-address: Public network address converted by the specified static NAT entry.
mask: Subnet mask of the public network segment.
Description
Use the nat static inside ip command to configure the static NAT entry. Then in the conversion with the static NAT entry, only the network address is converted and the host address remains unchanged.
Use the undo nat static inside ip command to delete the existing static NAT entry.
The global-address can be any address in the public network segment; the network part actually used is calculated from global-address and mask.
The nat static inside ip and nat static commands create two different types of static NAT entries. Note that the two types of addresses cannot be in conflict.
By default, no static NAT entry is configured.
Example
# Configure a static NAT entry that converts the network part of the addresses 10.1.1.1 to 10.1.1.100 to 211.1.1.0 and keeps their host parts unchanged.
[SecBlade_FW] nat static inside ip 10.1.1.1 10.1.1.100 global 211.1.1.0 255.255.255.0
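The difference between the two kinds of static entry, nat static (one inside address bound to one public address) and nat static inside ip (network part replaced, host part kept), as an added example that is not part of the 3Com manual or the SecBlade software. StaticOneToOne, StaticInsideIp and StaticNatTable are this example's own names; treating two entries whose inside addresses overlap as the "conflict" the text mentions is this example's reading of that sentence, as is the check that the inside range lies within one subnet of the given mask.

```python
"""Static NAT entries as created by nat static and nat static inside ip.

Added example, not part of the 3Com/Comware manual. nat static binds one
private address to one public address; nat static inside ip replaces only
the network part of an address range and keeps the host part.
"""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def _to_int(addr):
    return int(IPv4Address(addr))


class StaticOneToOne:
    """nat static ip-addr1 ip-addr2"""

    def __init__(self, inside, public):
        self.inside = _to_int(inside)
        self.public = _to_int(public)

    def inside_range(self):
        return self.inside, self.inside

    def translate(self, addr):
        return str(IPv4Address(self.public)) if _to_int(addr) == self.inside else None


class StaticInsideIp:
    """nat static inside ip inside-start inside-end global global-address mask"""

    def __init__(self, inside_start, inside_end, global_address, mask):
        self.start = _to_int(inside_start)
        self.end = _to_int(inside_end)
        if self.end < self.start:
            raise ValueError("inside-end-address precedes inside-start-address")
        self.mask = _to_int(mask)
        self.host_bits = ALL_ONES ^ self.mask
        # Only the network part of global-address matters; the host bits of the
        # translated address come from the packet (the text: "can be any address").
        self.network = _to_int(global_address) & self.mask
        # Assumption of this example: the range must not straddle two subnets of
        # the mask, or two inside hosts would translate to the same public address.
        if (self.start & self.mask) != (self.end & self.mask):
            raise ValueError("inside range spans more than one subnet of the mask")

    def inside_range(self):
        return self.start, self.end

    def translate(self, addr):
        value = _to_int(addr)
        if not self.start <= value <= self.end:
            return None
        return str(IPv4Address(self.network | (value & self.host_bits)))


class StaticNatTable:
    """All static entries of both types; inside addresses must not conflict."""

    def __init__(self):
        self.entries = []

    def add(self, entry):
        lo, hi = entry.inside_range()
        for other in self.entries:
            olo, ohi = other.inside_range()
            if lo <= ohi and olo <= hi:
                raise ValueError("static NAT entries conflict on inside addresses")
        self.entries.append(entry)

    def translate(self, addr):
        for entry in self.entries:
            hit = entry.translate(addr)
            if hit is not None:
                return hit
        return None


if __name__ == "__main__":
    # The manual's examples: nat static 192.168.1.1 2.2.2.2 and
    # nat static inside ip 10.1.1.1 10.1.1.100 global 211.1.1.0 255.255.255.0
    table = StaticNatTable()
    table.add(StaticOneToOne("192.168.1.1", "2.2.2.2"))
    table.add(StaticInsideIp("10.1.1.1", "10.1.1.100", "211.1.1.0", "255.255.255.0"))
    print(table.translate("10.1.1.57"), table.translate("192.168.1.1"))
```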
reset nat
Syntax
reset nat { log-entry | session }
View
User view
Parameter
log-entry: Clears NAT log buffer.
session: Clears the information of the address translation table.
Description
This command is used to clear up the mapping tables of address translation in the memory and release all the memory dynamically allocated to store the mapping tables.
Example
# Clear NAT log buffer.
<SecBlade_FW> reset nat log-entry
# Clear information of the address translation table.
<SecBlade_FW> reset nat session
18 FIREWALL CONFIGURATION COMMANDS
Packet Filtering Firewall Configuration Commands
debugging firewall packet-filter
Syntax
debugging firewall packet-filter { { all | icmp | tcp | udp | fragments-inspect | others } [ interface type number ] | denied | permitted }
undo debugging firewall packet-filter { { all | icmp | tcp | udp | fragments-inspect | others } [ interface type number ] | denied | permitted }
View
User view
Parameter
all: Debugging for all packets.
icmp: ICMP packet filtering debugging.
packet: Packet filtering debugging. You can specify the permitted or denied keyword to display the debugging information about the permitted or denied packets.
tcp: TCP packet filtering debugging.
udp: UDP packet filtering debugging.
fragments-inspect: Fragment debugging.
others: Debugging of all the packets except ICMP, TCP and UDP.
interface type number: Debugging information of the corresponding packets passing the interface. The debugging information of all the interfaces will be displayed if this parameter is not configured.
denied: Debugging for the denied packets.
permitted: Debugging for the permitted packets.
Description
Use the debugging firewall packet-filter command to enable the debugging for the firewall packet filtering.
Use the undo debugging firewall packet-filter command to disable the debugging output.
By default, all the debugging for the firewall packet filtering is disabled.
Related command: display debugging.
Example
# Enable the debugging information about UDP packet filtering.
<SecBlade_FW> debugging firewall packet-filter udp
debugging firewall packet-filter fragments-inspect events
Syntax
debugging firewall packet-filter fragments-inspect events
undo debugging firewall packet-filter fragments-inspect events
View
User view
Parameter
None
Description
Use the debugging firewall packet-filter fragments-inspect events command to enable the debugging of fragments detection events.
Use the undo debugging firewall packet-filter fragments-inspect events command to disable it.
By default, the debugging of fragments detection events is disabled.
Example
# Enable the debugging of fragments detection events.
<SecBlade_FW> debugging firewall packet-filter fragments-inspect events
display firewall fragment
Syntax
display firewall fragment
View
Any view
Parameter
None
Description
Use the display firewall fragment command to display the fragment table of the firewall.
Example
# Display the fragment table of the firewall.
<SecBlade_FW> display firewall fragment
display firewall packet-filter statistics
Syntax
display firewall packet-filter statistics { all | interface type number | fragments-inspect }
View
Any view
Parameter
all: Displays the filtering packet statistics of all the interfaces.
interface type number: Displays the filtering packets statistics of the specified interface.
fragments-inspect: Displays the fragment inspection information.
Description
Use the display firewall packet-filter statistics command to view the firewall packet filtering statistics.
Example
# Display the information of fragment inspection.
<SecBlade_FW> display firewall packet-filter statistics fragments-inspect
Fragments inspection is enabled.
The high-watermark for clamping is 10000.
The low-watermark for clamping is 1000.
Current records for fragments inspection is 0.
firewall packet-filter default
Syntax
firewall packet-filter default { permit | deny }
View
System view
Parameter
permit: Default filter rule is permitting packets to pass.
deny: Default filter rule is denying packets to pass.
Description
Use the firewall packet-filter default command to configure the default filtering rule of the firewall packet filtering, whether to be "permit" or "deny".
By default, the system denies all packets.
Example
# Set the default filtering rule of the firewall packet filtering to "deny".
[SecBlade_FW] firewall packet-filter default deny
firewall packet-filter enable
Syntax
firewall packet-filter enable
undo firewall packet-filter enable
View
System view
Parameter
None
Description
Use the firewall packet-filter enable command to enable the firewall packet filtering.
Use the undo firewall packet-filter enable command to disable the firewall packet filtering.
By default, the firewall is disabled.
Example
# Enable the firewall.
[SecBlade_FW] firewall packet-filter enable
firewall packet-filter fragments-inspect
Syntax
firewall packet-filter fragments-inspect
undo firewall packet-filter fragments-inspect
View
System view
Parameter
None
Description
Use the firewall packet-filter fragments-inspect command to enable the fragment inspection switch.
Use the undo firewall packet-filter fragments-inspect command to disable the fragment inspection switch.
By default, the fragment inspection switch is disabled.
This command is the prerequisite for exact matching. Only after the fragment inspection switch is enabled can fragments be matched exactly: the packet filtering firewall records the status of a fragment and matches advanced ACL rules exactly, using information beyond layer 3 (the IP layer).
Recording fragment status consumes some system resources. If the exact match mode is not used, you are recommended to disable this function so as to improve the running efficiency of the system and reduce its overhead.
Exact matching takes effect only when fragment inspection is enabled.
Related command: firewall packet-filter (interface view).
Example
# Enable the fragment inspection switch.
[SecBlade_FW] firewall packet-filter fragments-inspect
firewall packet-filter fragments-inspect { high | low }
Syntax
firewall packet-filter fragments-inspect { high | low } { number | default }
undo firewall packet-filter fragments-inspect { high | low }
View
System view
Parameter
high number: Specifies the high threshold of the fragment status records. It is in the range from 100 to 10000.
low number: Specifies the low threshold of the fragment status records. It is in the range from 100 to 10000.
default: Default number of fragment status records. The default high threshold of the fragment status records is 2000 and the default low threshold of the fragment status records is 1500.
Description
Use the firewall packet-filter fragments-inspect { high | low } command to configure the high and low thresholds of records for fragment inspection.
Use the undo firewall packet-filter fragments-inspect { high | low } command to restore the default high and low thresholds.
If the fragment inspection switch is enabled and exact match filtering is applied, the efficiency of packet filtering is slightly reduced, and it decreases further as the number of matching entries grows. Therefore, the high and low thresholds should be set. When the number of fragment status records reaches the high threshold, the oldest status entries are deleted until the number of records is below the low threshold.
The low threshold must be no greater than the high threshold.
Related command: display firewall packet-filter statistics fragments-inspect and firewall packet-filter fragments-inspect.
Example
# Configure the high threshold for fragment packet inspection to 3000 and configure the low threshold to the default value.
[SecBlade_FW] firewall packet-filter fragments-inspect high 3000
[SecBlade_FW] firewall packet-filter fragments-inspect low default
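How the two thresholds bound the fragment status records, and why the records are needed for exact matching at all, as an added example that is not part of the 3Com manual or the SecBlade software. FragmentTable and exact_match are this example's own names, the fragment and rule fields are constructed for the example, and the eviction loop follows the description above: on reaching the high threshold, the oldest records are removed until the count is below the low threshold.

```python
"""Fragment status records with high/low watermarks, as described for
firewall packet-filter fragments-inspect { high | low }.

Added example, not part of the 3Com/Comware manual. Exact matching needs
the layer 4 information (ports) that only the first fragment of a datagram
carries, so the firewall records it and looks it up for the later fragments.
The record table is bounded by the two thresholds.
"""
from collections import OrderedDict

HIGH_DEFAULT = 2000   # default thresholds stated in the manual
LOW_DEFAULT = 1500


class FragmentTable:
    def __init__(self, high=HIGH_DEFAULT, low=LOW_DEFAULT):
        for name, value in (("high", high), ("low", low)):
            if not 100 <= value <= 10000:
                raise ValueError("%s threshold must be in 100..10000" % name)
        if low > high:
            raise ValueError("low threshold must not exceed the high threshold")
        self.high = high
        self.low = low
        self.records = OrderedDict()   # insertion order doubles as age
        self.clamped = 0               # records removed by the watermark logic

    @staticmethod
    def key(frag):
        # All fragments of one datagram share source, destination, protocol and IP ID.
        return (frag["src"], frag["dst"], frag["proto"], frag["id"])

    def first_fragment(self, frag):
        """Record the layer 4 header carried by a first fragment (offset 0)."""
        if frag.get("offset", 0) != 0:
            raise ValueError("only the first fragment carries the layer 4 header")
        k = self.key(frag)
        self.records[k] = {"sport": frag["sport"], "dport": frag["dport"]}
        self.records.move_to_end(k)
        if len(self.records) >= self.high:
            # High watermark reached: drop the oldest records until the count
            # is below the low watermark.
            while len(self.records) >= self.low:
                self.records.popitem(last=False)
                self.clamped += 1

    def layer4_for(self, frag):
        """Recorded ports for a non-first fragment, or None if no record exists."""
        return self.records.get(self.key(frag))


def exact_match(table, frag, rule):
    """Match one fragment against an advanced ACL style rule in exact mode.

    Layer 3 fields are taken from the fragment itself. Layer 4 fields of a
    non-first fragment come from the first fragment's record; without a
    record the fragment cannot be matched exactly, and None is returned so
    the caller can fall back to the normal (layer 3 only) mode.
    """
    if (frag["src"] != rule["src"] or frag["dst"] != rule["dst"]
            or frag["proto"] != rule["proto"]):
        return False
    if "dport" not in rule:
        return True                      # rule has no layer 4 condition
    if frag["offset"] == 0:
        l4 = {"sport": frag["sport"], "dport": frag["dport"]}
    else:
        l4 = table.layer4_for(frag)
        if l4 is None:
            return None
    return l4["dport"] == rule["dport"]


if __name__ == "__main__":
    # Constructed traffic: a first fragment followed by a later one of the same datagram.
    t = FragmentTable(high=3000, low=LOW_DEFAULT)
    first = {"src": "10.0.0.5", "dst": "192.0.2.2", "proto": 6, "id": 7,
             "sport": 1234, "dport": 80, "offset": 0}
    later = {"src": "10.0.0.5", "dst": "192.0.2.2", "proto": 6, "id": 7, "offset": 185}
    rule = {"src": "10.0.0.5", "dst": "192.0.2.2", "proto": 6, "dport": 80}
    t.first_fragment(first)
    print(exact_match(t, later, rule))
```

The `clamped` counter is the figure worth watching operationally: a steadily rising value means first fragments are arriving faster than their datagrams complete, which is the resource pressure the thresholds exist to cap.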
firewall packet-filter
Syntax
firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]
undo firewall packet-filter acl-number { inbound | outbound }
View
Interface view
Parameter
acl-number: Serial number of access control list rule.
inbound: Filters the packet received on the interface.
outbound: Filters the packet sent on the interface.
match-fragments: Specify the matching mode of fragments. This parameter can only be applied to advanced ACLs.
normally: Normal matching mode, the default mode. This parameter is only available for the advanced ACLs.
exactly: Exact matching mode. This parameter is only available for the advanced ACLs.
Description
Use the firewall packet-filter command to apply the access control list to the corresponding interface.
Use the undo firewall packet-filter command to delete the corresponding setting.
Interface-based ACL (namely ACL rule with sequence number from 1000 to 1999) can only use the parameter outbound.
Packet filtering on the Comware platform can filter fragments: it matches all fragments at layer 3 (the IP layer) by source IP address, destination IP address and so on. For advanced ACL rules that contain extended information such as TCP/UDP port numbers or ICMP type, it provides standard matching and exact matching. Standard matching uses only layer 3 information and ignores the rest. Exact matching applies the whole advanced ACL rule; to do this, the firewall must store the state of the first fragment so that the complete matching information is available for the following fragments. If exact matching is used, make sure you disable the fast forwarding function by using the undo ip fast-forwarding command on the corresponding interface.
The standard matching is the default.
Related command: acl, display acl and firewall packet-filter fragments-inspect.
Example
# Apply ACL 3001 to the GigabitEthernet0/0.2 interface to filter the packets sent on the interface.
[SecBlade_FW-GigabitEthernet0/0.2] firewall packet-filter 3001 outbound
reset firewall packet-filter statistics
Syntax
reset firewall packet-filter statistics { all | interface type number }
View
User view
Parameter
all: Clears the filtering packet statistics of all the interfaces.
interface: Clears the filtering packet statistics of a certain interface.
type number: Specifies an interface by its type and number.
Description
Use the reset firewall packet-filter statistics command to clear the firewall statistics.
Example
# Clear filtering packet statistics of the interface GigabitEthernet0/0.2.
<SecBlade_FW> reset firewall packet-filter statistics interface GigabitEthernet0/0.2
ASPF Configuration Commands
aging-time
Syntax
aging-time { syn | fin | tcp | udp } seconds
undo aging-time { syn | fin | tcp | udp }
View
ASPF policy view
Parameter
seconds: Idle timeout time of the session entry when the SYN and FIN packets or TCP and UDP protocols are detected.
Description
Use the aging-time command to configure the SYN status waiting timeout and the FIN status waiting timeout of TCP, and the session entry idle timeouts of TCP and UDP.
Use the undo aging-time command to restore the default value.
Before the aging-time expires, the system will retain the connections and the sessions that have been set up.
By default, the timeout time for SYN packets, FIN packets, TCP protocol and UDP protocol are 30 seconds, 30 seconds, 3,600 seconds and 30 seconds respectively.
Related command: display aspf all, display aspf policy, display aspf session and display aspf interface.
Example
# Configure SYN status waiting timeout value of TCP as 20 seconds.
[SecBlade_FW-aspf-policy-1] aging-time syn 20
# Configure FIN status waiting timeout value of TCP as 10 seconds.
[SecBlade_FW-aspf-policy-1] aging-time fin 10
# Configure TCP idle timeout value as 3000 seconds.
[SecBlade_FW-aspf-policy-1] aging-time tcp 3000
# Configure UDP idle timeout value as 110 seconds.
[SecBlade_FW-aspf-policy-1] aging-time udp 110
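The four timers above applied to a session table, as an added example that is not part of the 3Com manual or the SecBlade software. AspfPolicy and SessionTable are this example's own names, the session states ('syn', 'established', 'fin') are this example's labels for the TCP states the timers refer to, and the defaults are those stated in the text.

```python
"""Session aging as configured with aging-time in an ASPF policy.

Added example, not part of the 3Com/Comware manual. An ASPF policy keeps
four timers: how long a TCP session may wait in SYN state, how long it may
wait in FIN state, and the idle timeouts of established TCP and of UDP
sessions. A session whose timer runs out is dropped from the table.
"""

# Defaults stated in the manual: syn 30 s, fin 30 s, tcp 3600 s, udp 30 s.
DEFAULT_AGING = {"syn": 30, "fin": 30, "tcp": 3600, "udp": 30}


class AspfPolicy:
    """aspf-policy aspf-policy-number, with its aging-time settings."""

    def __init__(self, number):
        if not 1 <= number <= 99:
            raise ValueError("aspf-policy number must be in 1..99")
        self.number = number
        self.aging = dict(DEFAULT_AGING)

    def aging_time(self, kind, seconds):
        """aging-time { syn | fin | tcp | udp } seconds"""
        if kind not in self.aging:
            raise ValueError("unknown timer %r" % kind)
        if seconds <= 0:
            raise ValueError("timeout must be positive")
        self.aging[kind] = seconds

    def undo_aging_time(self, kind):
        """undo aging-time { syn | fin | tcp | udp }: restore the default."""
        self.aging[kind] = DEFAULT_AGING[kind]


class SessionTable:
    """Sessions tracked under one policy; each entry carries the time last seen."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}

    def note(self, key, proto, state, now):
        """Create or refresh a session. For TCP, state is 'syn', 'established'
        or 'fin'; for UDP the state is ignored."""
        self.sessions[key] = {"proto": proto, "state": state, "last": now}

    def timer_for(self, session):
        """Pick the aging-time value that governs this session right now."""
        if session["proto"] == "udp":
            return self.policy.aging["udp"]
        if session["state"] == "syn":
            return self.policy.aging["syn"]      # half-open: not yet established
        if session["state"] == "fin":
            return self.policy.aging["fin"]      # closing: waiting for the peer
        return self.policy.aging["tcp"]          # established: idle timeout

    def expire(self, now):
        """Drop every session whose timer has run out; return the dropped keys."""
        dropped = [k for k, s in self.sessions.items()
                   if now - s["last"] >= self.timer_for(s)]
        for k in dropped:
            del self.sessions[k]
        return dropped


if __name__ == "__main__":
    # The manual's example values: aging-time syn 20 / fin 10 / tcp 3000 / udp 110
    policy = AspfPolicy(1)
    for kind, seconds in (("syn", 20), ("fin", 10), ("tcp", 3000), ("udp", 110)):
        policy.aging_time(kind, seconds)
    table = SessionTable(policy)
    table.note("half-open", "tcp", "syn", 0)
    table.note("web", "tcp", "established", 0)
    print(table.expire(25))   # only the half-open session has aged out
```

Keeping the SYN timer short relative to the established-TCP timer is what limits how long a flood of unanswered handshakes can occupy session entries, which is the resource protection the text refers to.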
aspf-policy
Syntax
aspf-policy aspf-policy-number
undo aspf-policy aspf-policy-number
View
System view
Parameter
aspf-policy-number: ASPF policy number, ranging from 1 to 99.
Description
Use the aspf-policy command to define an ASPF policy. For a defined policy, the policy can be invoked through its policy number.
Example
# Define an ASPF policy and enter ASPF view.
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1]
debugging aspf
Syntax
debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }
undo debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }
View
User view
Parameter
all: All ASPF debugging switch.
verbose: Detailed debugging switch.
events: Event debugging switch.
ftp: Debugging switch for FTP detection information.
h323: Debugging switch for H.323 information detection.
rtsp: Debugging switch for RTSP information detection.
session: Debugging switch for session information.
smtp: Debugging switch for SMTP information detection.
tcp: Debugging switch for TCP information detection.
timers: Debugging switch for timer information.
udp: Debugging switch for UDP information detection.
Description
Use the debugging aspf command to enable ASPF debugging function.
Use the undo debugging aspf command to disable ASPF debugging function.
By default, ASPF debugging function is disabled.
Related command: display aspf all, display aspf policy, display aspf session and display aspf interface.
Example
# Enable all ASPF debugging switches.
<SecBlade_FW> debugging aspf all
debugging aspf http
Syntax
debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }
undo debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }
View
User view
Parameter
java-blocking: Java Applet blocking debugging.
activex-blocking: ActiveX blocking debugging.
all: All debugging.
error: Error debugging.
event: Event debugging.
filter: Filter debugging.
packet: Packet debugging.
Description
Use the debugging aspf http java-blocking command to enable Java Applet blocking debugging for HTTP detection.
Use the undo debugging aspf http java-blocking command to disable Java Applet blocking debugging for HTTP detection.
Use the debugging aspf http activex-blocking command to enable ActiveX blocking debugging for HTTP detection.
Use the undo debugging aspf http activex-blocking command to disable ActiveX blocking debugging for HTTP detection.
By default, neither Java Applet blocking debugging nor ActiveX blocking debugging for HTTP detection is enabled.
Example
# Enable all Java Applet blocking debugging.
<SecBlade_FW> debugging aspf http java-blocking all
detect
Syntax
detect protocol [ aging-time seconds ]
undo detect protocol
View
ASPF policy view
Parameter
protocol: Name of the protocol supported by ASPF. It can be an application layer protocol of ftp, http, h323, smtp, or rtsp, or a transport layer protocol of tcp or udp.
seconds: Configures the idle timeout time of the protocol, ranging from 5 to 43200 seconds. The default TCP-based timeout time is 3600 seconds, and the default UDP-based timeout time is 30 seconds.
Description
Use the detect command to specify ASPF policy for application layer protocols.
Use the undo detect command to cancel the configuration.
When the protocol is HTTP, Java Applet blocking and ActiveX control blocking are permitted.
If both application layer protocol specific detection and generic TCP/UDP-based detection are configured, the former has priority.
ASPF uses the timeout mechanism to manage session state information of protocols so that it can decide when to stop managing the state information of a session or delete a session that cannot be set up normally. The timeout time setting is a global setting applicable to all sessions; it can protect system resources against malicious occupation.
Related command: display aspf all, display aspf policy, display aspf session and display aspf interface.
Example
# Configure to specify an ASPF policy for FTP protocol with policy number 1.
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect ftp
detect http
Syntax
detect http [ java-blocking [ acl-number1 ] | activex-blocking [ acl-number2 ] ]* [ aging-time seconds ]
undo detect http [ java-blocking | activex-blocking ]*
View
ASPF policy view
Parameter
java-blocking: Indicates that Java Applet is blocked.
acl-number1: Number of a basic ACL, in the range of 2000 to 2999. If this argument is not specified, it indicates that all Java Applets are blocked.
activex-blocking: Indicates that ActiveX is blocked.
acl-number2: Number of a basic ACL, in the range of 2000 to 2999. If this argument is not specified, it indicates that all ActiveX controls are blocked.
seconds: Protocol idle timeout, in the range of 5 to 43200 seconds. By default, it is 3600 seconds for the application layer protocols and the TCP protocol, and is 30 seconds for the UDP protocol.
Description
Use the detect http command to configure the detection of the HTTP protocol and the blocking of Java Applet and ActiveX as well.
Use the undo detect http command to cancel the detection.
By default, HTTP is not detected.
Example
# Configure the ASPF policy to detect HTTP and block all ActiveX controls and the Java Applet from the server at 10.1.1.1.
[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000] rule permit source 10.1.1.1 0
[SecBlade_FW-acl-basic-2000] rule deny source any
[SecBlade_FW-acl-basic-2000] quit
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect http activex-blocking java-blocking 2000
display aspf all
Syntax
display aspf all
View
Any view
Parameter
None
Description
Use the display aspf all command to view the information of all ASPF policies and sessions.
Example
# View the information of ASPF policy and session.
[SecBlade_FW] display aspf all
[ASPF Policy Configuration]
Policy Number 1:
Log: disable
SYN timeout: 30 s
FIN timeout: 30 s
TCP timeout: 3600 s
UDP timeout: 30 s
Detect Protocols:
h323 timeout 3600
rtsp timeout 3600
http timeout 3600
smtp timeout 3600
ftp timeout 3600
tcp timeout 3600
udp timeout 30
[Interface Configuration]
Interface                InboundPolicy    OutboundPolicy
---------------------------------------------------------------
GigabitEthernet0/0.1     none             1
display aspf interface
Syntax
display aspf interface
View
Any view
Parameter
None
Description
Use the display aspf interface command to view the interface configuration of the inspection policy.
Example
# View the interface configuration of the inspection policy.
[SecBlade_FW] display aspf interface [Interface Configuration] Interface InboundPolicy OutboundPolicy --------------------------------------------------------------- GigabitEthernet0/0.1 none 1
Table 219 Description on the fields of the display aspf all command
Field Description
Log Whether the session logging function is enabled.
SYN timeout The timeout value of the SYN status in TCP connection is 30 seconds.
FIN timeout The timeout value of the FIN status in RCP connection is five seconds.
TCP timeout The idle timeout value of TCP sessions is 3,600 seconds.
UDP timeout The idle timeout value of UDP sessions is 30 seconds.
Detect Protocols Protocols detected by the ASPF policies
InboundPolicy Inbound ASPF policies
OutboundPolicy Outbound ASPF policies
Table 220 Description on the fields of the display aspf interface command
Field Description
Inbound Policy Inbound ASPF policies
outbound Policy Outbound ASPF policies
display aspf policy
Syntax
display aspf policy aspf-policy-number
View
Any view
Parameter
aspf-policy-number: ASPF policy number, ranging from 1 to 99.
Description
Use the display aspf policy command to view the configuration of a specific inspection policy.
Example
# Display the configuration information of the inspection policy with policy number of 1.
[SecBlade_FW] display aspf policy 1
[ASPF Policy Configuration]
Policy Number 1:
  Log: disable
  SYN timeout: 30 s
  FIN timeout: 30 s
  TCP timeout: 3600 s
  UDP timeout: 30 s
  Detect Protocols:
    h323 timeout 3600
    rtsp timeout 3600
    http timeout 3600
    smtp timeout 3600
    ftp timeout 3600
    tcp timeout 3600
    udp timeout 30
Refer to Table 219 for the description on the fields above.
display aspf session
Syntax
display aspf session [ verbose ]
View
Any view
Parameter
verbose: Displays detailed information about the sessions.
Description
Use the display aspf session command to display the information of the ASPF sessions.
The display aspf session command and the display firewall session table command display different session tables with different default aging times. A data flow may be present in the ASPF session table but aged out and removed from the session table of the firewall, or the data flow may be present in the session table of the firewall but aged out and removed from the ASPF session table.
Example
# Display information on current ASPF sessions.
[SecBlade_FW] display aspf session
[Established Sessions]
Session   Initiator            Responder          Application   Status
212BA84   169.254.1.121:1427   169.254.1.52:0     ftp-data      TCP_DOWN
2B738C4   169.254.1.121:1426   169.254.1.52:21    ftp           FTP_CONXN_UP
# Display detailed information of current ASPF sessions.
[SecBlade_FW] display aspf session verbose
[ Established Sessions ]
[ Session 0xC7E2B4 ] (192.168.0.1:2125)=>(13.1.0.5:2093) h245-media-control H245_OPEN
  SessNum: 229, TransProt: 6, AppProt: 21
  Prev: 0x0, Next: 0x0, Child: 0xCA9EA4, Parent: 0x0
  SynNode: 0x0, FinNode: 0x0
  Interface: GigabitEthernet0/0.2, Direction: outbound
  Bytes/Packets sent (initiator:responder) [1339/15 : 1309/12]
  Tcp SeqNum/AckNum [352115193/62885460 : 62885456/352115193]
  Timeout 00:02:00(120),
Table 221 Information of current ASPF sessions
Field                             Description
TransProt: 6                      Transport layer protocol is numbered 6, which means that TCP is used.
AppProt: 21                       Application layer protocol uses port 21, which means that the sessions are FTP sessions.
Interface: GigabitEthernet0/0.1   ASPF policy is applied in the outbound direction of the interface Ethernet1/0/0.
Direction: outbound
Bytes/Packets sent                Bytes/Packets transmitted between the originating and responding sides of the connection.
Timeout 00:02:00(120)             Timeout set for the protocol is 120 seconds.
display firewall session aging-time
Syntax
display firewall session aging-time
View
Any view
Parameter
None
Description
Use the display firewall session aging-time command to display the session timeout values of all firewall protocols.
Related command: firewall session aging-time and firewall session aging-time default.
Example
# Display the session timeout values of all firewall protocols.
[SecBlade_FW] display firewall session aging-time
NAT aging-time value information:
  tcp      ---- aging-time value is 240 (seconds)
  udp      ---- aging-time value is 40 (seconds)
  icmp     ---- aging-time value is 20 (seconds)
  finrst   ---- aging-time value is 10 (seconds)
  syn      ---- aging-time value is 5 (seconds)
  fragment ---- aging-time value is 5 (seconds)
  h.323    ---- aging-time value is 600 (seconds)
  ftp      ---- aging-time value is 600 (seconds)
  ras      ---- aging-time value is 600 (seconds)
  http     ---- aging-time value is 240 (seconds)
  smtp     ---- aging-time value is 40 (seconds)
  rtsp     ---- aging-time value is 240 (seconds)
  telnet   ---- aging-time value is 240 (seconds)
  netbios  ---- aging-time value is 240 (seconds)
display firewall session table
Syntax
display firewall session table
View
Any view
Parameter
None
Description
Use the display firewall session table command to display the session tables of the firewall.
The display firewall session table command and the display aspf session command display different session tables with different default aging time. A data flow may be present in the ASPF session table but aged out and removed from the session table of the firewall, or the data flow may be present in the session table of the firewall but aged out and removed from the ASPF session table.
A firewall session enters the timeout state once it is aged out. A further interval elapses before a session in the timeout state is removed; this interval varies with the actual network conditions.
Example
# Display the session tables of the firewall.
[Quiddway] display firewall session table
Total session number: 12
HTTP:192.168.4.1:80<--192.168.4.8:3391
HTTP:192.168.4.1:80<--192.168.4.8:3392
HTTP:192.168.4.1:80<--192.168.4.8:3387
NBT datagram:192.168.4.255:138<--192.168.4.8:138
HTTP:192.168.4.1:80<--192.168.4.8:3396
NBT name:192.168.4.255:137<--192.168.4.8:137
HTTP:192.168.4.1:80<--192.168.4.8:3389
HTTP:192.168.4.1:80<--192.168.4.8:3398
HTTP:192.168.4.1:80<--192.168.4.8:3397
HTTP:192.168.4.1:80<--192.168.4.8:3393
HTTP:192.168.4.1:80<--192.168.4.8:3390
HTTP:192.168.4.1:80<--192.168.4.8:3395
display port-mapping
Syntax
display port-mapping [ application-name | port port-number ]
View
Any view
Parameter
application-name: Specifies the name of the application for PAM. Supported applications are FTP, HTTP, H323, SMTP and RTSP.
port-number: Port number in the range of 0 to 65,535.
Description
Use the display port-mapping command to view PAM information.
Related command: port-mapping.
Example
# Display all PAM information.
[SecBlade_FW] display port-mapping
SERVICE   PORT    ACL     TYPE
-------------------------------------------------
ftp       21              system defined
smtp      25              system defined
http      80              system defined
rtsp      554             system defined
h323      1720            system defined
firewall aspf
Syntax
firewall aspf aspf-policy-number { inbound | outbound }
undo firewall aspf aspf-policy-number { inbound | outbound }
View
Interface view
Parameter
aspf-policy-number: ASPF policy number used on the interface.
inbound: Applies ASPF policy in inbound direction of the interface.
outbound: Applies ASPF policy in outbound direction of the interface.
Description
Use the firewall aspf command to apply ASPF policy in specified direction to an interface.
Use the undo firewall aspf command to delete the applied ASPF policy on the interface.
ASPF distinguishes two kinds of interface: inbound and outbound. If the security gateway connects both the intranet and the Internet and uses ASPF to protect the servers of the intranet, the gateway interface connected to the intranet is regarded as the inbound interface and the one connected to the Internet as the outbound interface.
When ASPF is applied on the outbound interface, it refuses access to the intranet initiated by Internet users, while the returning packets of intranet users accessing the Internet pass the ASPF inspection.
Example
# Configure ASPF firewall function in outbound direction of GigabitEthernet0/0.2.
[SecBlade_FW-GigabitEthernet0/0.2] firewall aspf 1 outbound
firewall session aging-time
Syntax
firewall session aging-time { fin-rst | fragment | ftp | h323 | http | icmp | netbios | ras | rtsp | smtp | syn | tcp | telnet | udp } { default | seconds }
View
System view
Parameter
default: Chooses the default timeout values for the protocols.
seconds: Timeout value to set for the protocol, in seconds.
The default timeout values for the different protocols are as follows:
fin-rst: 10 seconds
fragment: 5 seconds
ftp: 600 seconds
h323: 600 seconds
http: 240 seconds
icmp: 20 seconds
netbios: 240 seconds
ras: 600 seconds
rtsp: 240 seconds
smtp: 40 seconds
syn: 5 seconds
tcp: 240 seconds
telnet: 240 seconds
udp: 40 seconds
Description
Use the firewall session aging-time command to set the session timeout values for different protocols.
Related command: firewall session aging-time default and display firewall session aging-time.
Example
# Set the session timeout value for the HTTP protocol to 1200 seconds.
[SecBlade_FW] firewall session aging-time http 1200
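The following Python example, added here and not part of the 3Com manual, models the behaviour described above for ASPF outbound inspection and firewall session aging: sessions created by intranet-initiated traffic admit only their return packets, idle sessions enter a timeout state after the per-protocol aging time listed above, and they are removed after a further grace interval (a fixed value assumed for this example, since the manual says it varies with the network). The addresses come from the manual's display outputs; the class and method names are assumptions.

```python
"""Session table with per-protocol aging and return-traffic matching.
Constructed example modelled on the manual's description of ASPF outbound
inspection, firewall session aging-time and display firewall session table;
it is not 3Com code."""
from __future__ import annotations

from dataclasses import dataclass

# Default aging times in seconds, as listed for firewall session aging-time.
DEFAULT_AGING = {
    "fin-rst": 10, "fragment": 5, "ftp": 600, "h323": 600, "http": 240,
    "icmp": 20, "netbios": 240, "ras": 600, "rtsp": 240, "smtp": 40,
    "syn": 5, "tcp": 240, "telnet": 240, "udp": 40,
}

Endpoint = tuple[str, int]  # (address, port)


@dataclass
class Session:
    proto: str                 # aging class, e.g. "http" or "udp"
    initiator: Endpoint        # side that opened the session (intranet host)
    responder: Endpoint        # side it talked to
    last_seen: float
    state: str = "active"      # "active" -> "timeout" -> removed
    timed_out_at: float | None = None


class SessionTable:
    # The manual says the interval between the timeout state and removal varies
    # with the network; a fixed grace period is an assumption of this example.
    def __init__(self, removal_grace: float = 10.0) -> None:
        self.aging = dict(DEFAULT_AGING)
        self.removal_grace = removal_grace
        self.sessions: dict[tuple, Session] = {}

    def set_aging(self, proto: str, seconds: int | None = None) -> None:
        """firewall session aging-time <proto> { default | seconds }"""
        if proto not in DEFAULT_AGING:
            raise KeyError(f"unknown protocol class {proto!r}")
        self.aging[proto] = DEFAULT_AGING[proto] if seconds is None else seconds

    def reset_aging(self) -> None:
        """firewall session aging-time default"""
        self.aging = dict(DEFAULT_AGING)

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint, now: float) -> None:
        """Packet leaving the intranet: create or refresh its session."""
        key = (proto, src, dst)
        sess = self.sessions.get(key)
        if sess is None or sess.state == "timeout":  # timed-out sessions are not revived
            self.sessions[key] = Session(proto, src, dst, now)
        else:
            sess.last_seen = now

    def inbound_allowed(self, proto: str, src: Endpoint, dst: Endpoint, now: float) -> bool:
        """Packet arriving from the Internet: permitted only as the return half
        of an active session that the intranet side initiated."""
        sess = self.sessions.get((proto, dst, src))
        if sess is None or sess.state != "active":
            return False
        sess.last_seen = now
        return True

    def age(self, now: float) -> None:
        """Idle sessions enter the timeout state; past the grace interval they are removed."""
        for key, sess in list(self.sessions.items()):
            if sess.state == "active" and now - sess.last_seen >= self.aging[sess.proto]:
                sess.state, sess.timed_out_at = "timeout", now
            elif sess.state == "timeout" and now - sess.timed_out_at >= self.removal_grace:
                del self.sessions[key]

    def display(self) -> list[str]:
        """Lines in the display firewall session table layout: APP:responder<--initiator."""
        lines = [f"Total session number: {len(self.sessions)}"]
        for s in self.sessions.values():
            lines.append(f"{s.proto.upper()}:{s.responder[0]}:{s.responder[1]}"
                         f"<--{s.initiator[0]}:{s.initiator[1]}")
        return lines


def demo() -> dict:
    """Walk the behaviour through with addresses taken from the manual's outputs."""
    t = SessionTable()
    t.set_aging("http", 1200)                      # the manual's example value
    client, server = ("192.168.4.8", 3391), ("192.168.4.1", 80)
    outside = ("203.0.113.9", 4444)                # constructed Internet host
    t.outbound("http", client, server, now=0)
    t.outbound("udp", ("192.168.4.8", 137), ("192.168.4.255", 137), now=0)
    result = {
        "reply_allowed": t.inbound_allowed("http", server, client, now=1),
        "unsolicited_allowed": t.inbound_allowed("http", outside, client, now=1),
    }
    t.age(now=45)                                  # udp idle > 40 s: timeout; http active
    result["states_45"] = {s.proto: s.state for s in t.sessions.values()}
    t.age(now=60)                                  # udp past the grace interval: removed
    result["display_60"] = t.display()
    t.age(now=1201)                                # http idle for 1200 s: timeout
    result["reply_after_timeout"] = t.inbound_allowed("http", server, client, now=1201)
    return result
```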
firewall session aging-time default
Syntax
firewall session aging-time default
View
System view
Parameter
None
Description
Use the firewall session aging-time default command to restore the default session timeout values of all firewall protocols.
Related command: firewall session aging-time and display firewall session aging-time.
Example
# Restore the default session timeout values of all firewall protocols.
[SecBlade_FW] firewall session aging-time default
log enable
Syntax
log enable
undo log enable
View
ASPF policy view
Description
Use the log enable command to enable ASPF session logging function.
Use the undo log enable command to disable logging function.
By default, session logging function is disabled.
ASPF provides an enhanced session logging function that can log all connections, including the connection time, source address, destination address, port in use and number of bytes transmitted.
Related command: display aspf all, display aspf policy, display aspf session, display aspf interface.
Example
# Enable ASPF session logging function.
[SecBlade_FW-aspf-policy-1] log enable
port-mapping
Syntax
port-mapping application-name port port-number [ acl acl-number ]
undo port-mapping [ application-name port port-number [ acl acl-number ] ]
View
System view
Parameter
application-name: Name of the application protocol, including FTP, HTTP, H323, SMTP and RTSP.
port-number: Port number, ranging from 0 to 65,535.
acl-number: Number of basic ACL, which is in the range from 2,000 to 2,999.
Description
Use the port-mapping command to establish a mapping from the port to application layer protocol.
Use the undo port-mapping command to delete a user-defined PAM entry.
PAM supports two mapping mechanisms: general port mapping and host port mapping based on a basic ACL. General port mapping establishes a mapping between a user-defined port number and an application protocol; for example, mapping port 8080 to HTTP makes all TCP packets destined for port 8080 be treated as HTTP packets. Host port mapping maps a user-defined port number to an application protocol only for packets destined for specific hosts; for example, you can map TCP packets using port 8080 and destined for hosts on the segment 1.1.0.0 to HTTP. The range of hosts is specified by the basic ACL.
For the same port, general port mapping and host port mapping based on a basic ACL cannot be configured at the same time.
Related command: display port-mapping.
Example
# Map port 3456 to the FTP service. With this configuration, all data flows destined for port 3456 are regarded as FTP data flows.
[SecBlade_FW] port-mapping ftp port 3456
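As an added illustration (not code from the manual or the device), this Python example implements the two PAM mechanisms described above: general port mapping, host port mapping through a basic ACL that names the destination hosts, and the rule that both cannot share one port. Class names, the simplified ACL rule model, the "user defined" type label and the treatment of system-defined entries as general mappings are assumptions.

```python
"""Port-to-application mapping (PAM) lookup with the two mechanisms described
for the port-mapping command: general port mapping and host port mapping
restricted by a basic ACL. Constructed example, not 3Com code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

APPLICATIONS = {"ftp", "http", "h323", "smtp", "rtsp"}
# System-defined entries as shown by display port-mapping.
SYSTEM_DEFINED = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp", 1720: "h323"}


@dataclass
class BasicAcl:
    """Basic ACL (2000-2999): ordered permit/deny rules matched on one address.
    This rule model is a simplification assumed for the example."""
    number: int
    rules: list[tuple[str, ipaddress.IPv4Network]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 2000 <= self.number <= 2999:
            raise ValueError("basic ACL numbers are 2000-2999")

    def rule(self, action: str, network: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("rule action must be permit or deny")
        self.rules.append((action, ipaddress.ip_network(network, strict=False)))

    def permits(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        for action, net in self.rules:
            if ip in net:
                return action == "permit"
        return False  # no matching rule: the host is not in the mapped range


class PortMappingTable:
    def __init__(self) -> None:
        self.general: dict[int, str] = dict(SYSTEM_DEFINED)     # port -> application
        self.host: dict[int, list[tuple[BasicAcl, str]]] = {}    # port -> [(acl, application)]

    def port_mapping(self, application: str, port: int, acl: BasicAcl | None = None) -> None:
        """port-mapping application-name port port-number [ acl acl-number ]"""
        if application not in APPLICATIONS:
            raise ValueError(f"unsupported application {application!r}")
        if not 0 <= port <= 65535:
            raise ValueError("port must be in 0-65535")
        # The manual: general and host mapping cannot coexist on one port.
        # System-defined entries are treated as general mappings (assumption).
        if acl is None:
            if port in self.host:
                raise ValueError(f"port {port} already has a host (ACL) mapping")
            self.general[port] = application
        else:
            if port in self.general:
                raise ValueError(f"port {port} already has a general mapping")
            self.host.setdefault(port, []).append((acl, application))

    def classify(self, dst_address: str, dst_port: int) -> str | None:
        """Application a TCP packet to dst_address:dst_port is inspected as, or None."""
        if dst_port in self.general:
            return self.general[dst_port]
        # Host mapping: the basic ACL describes the destination hosts (the
        # manual's "hosts residing on the segment 1.1.0.0" example).
        for acl, application in self.host.get(dst_port, []):
            if acl.permits(dst_address):
                return application
        return None

    def display(self) -> list[str]:
        """Rows in the display port-mapping layout."""
        rows = [f"{'SERVICE':<10}{'PORT':<8}{'ACL':<8}TYPE", "-" * 49]
        for port, app in sorted(self.general.items()):
            kind = "system defined" if SYSTEM_DEFINED.get(port) == app else "user defined"
            rows.append(f"{app:<10}{port:<8}{'':<8}{kind}")
        for port, entries in sorted(self.host.items()):
            for acl, app in entries:
                rows.append(f"{app:<10}{port:<8}{acl.number:<8}user defined")
        return rows


def demo() -> dict:
    """Reproduce the manual's two examples and the port-conflict rule."""
    table = PortMappingTable()
    table.port_mapping("ftp", 3456)                 # general mapping, as in the example
    acl = BasicAcl(2001)                            # constructed ACL number
    acl.rule("permit", "1.1.0.0/16")                # the manual's segment 1.1.0.0
    table.port_mapping("http", 8080, acl)           # host mapping
    try:
        table.port_mapping("ftp", 8080)             # conflicts with the host mapping
        conflict = False
    except ValueError:
        conflict = True
    return {
        "general": table.classify("10.0.0.7", 3456),
        "host_in_range": table.classify("1.1.20.30", 8080),
        "host_out_of_range": table.classify("10.0.0.7", 8080),
        "system": table.classify("10.0.0.7", 80),
        "unmapped": table.classify("10.0.0.7", 9999),
        "conflict_rejected": conflict,
        "rows": len(table.display()),
    }
```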
reset aspf session
Syntax
reset aspf session
View
User view
Parameter
None
Description
Use the reset aspf session command to reset ASPF session information.
Example
# Reset ASPF session information.
<SW8800> reset aspf session
reset firewall session table
Syntax
reset firewall session table
View
User view
Parameter
None
Description
Use the reset firewall session table command to clear the session tables of the firewall.
Example
# Clear the session tables of the firewall.
<SecBlade_FW> reset firewall session table
Blacklist Configuration Commands
debugging firewall blacklist
Syntax
debugging firewall blacklist { all | item | packet }
undo debugging firewall blacklist { all | item | packet }
View
User view
Parameter
all: Specifies to enable all debugging for blacklist.
item: Specifies to enable debugging for the changes of blacklist items.
packet: Specifies to enable debugging for blacklist items in packets.
Description
Use the debugging firewall blacklist command to enable debugging for blacklist on the firewall.
Use the undo debugging firewall blacklist command to disable debugging for blacklist on the firewall.
Any debugging for blacklist is disabled by default.
Related command: display debugging.
Example
# Enable all debugging for blacklist function.
<SecBlade_FW> debugging firewall blacklist all
display firewall blacklist
Syntax
display firewall blacklist { enable | item [ sour-addr ] }
View
Any view
Parameter
enable: Displays the operation of blacklist.
item [ sour-addr ]: Displays the blacklist entry with the IP address sour-addr, or all blacklist entries if sour-addr is omitted.
Description
Use the display firewall blacklist command to view the running state and entries of the blacklist on the firewall. Specify the item keyword to view blacklist items: without an IP address, the command shows summary information about the current blacklist items; with an IP address, it shows verbose information about that specific item. Specify the enable keyword to view the running state of the blacklist.
Example
# Display the summary information of all blacklist entries.
<SecBlade_FW> display firewall blacklist item
Firewall blacklist items :
Current manual insert items:2
Current automatic insert items:0
Need aging items:1
192.168.1.1
20.202.16.5
# Display the verbose information of a specific blacklist entry.
<SecBlade_FW> display firewall blacklist item 192.168.1.1
Firewall blacklist items :
192.168.1.1
Insert reason : Manual
Insert time : 2003/06/11 08:04:56
Age action : Aging
Age time : 100 minutes
# Display the running state of the blacklist.
<SecBlade_FW> display firewall blacklist enable
Blacklist is Disabled
firewall blacklist
Syntax
firewall blacklist { enable | sour-addr [ timeout minutes ] }
undo firewall blacklist [ enable | sour-addr ]
View
System view
Parameter
enable: Enables blacklist.
sour-addr: Specifies the IP address to be added into the blacklist.
timeout minutes: Specifies the timeout time. The minutes argument ranges from 1 to 1000 (in minutes).
Description
Use the firewall blacklist command to enable the blacklist function, add blacklist items and configure the blacklist filtering types and filtering range.
Use the undo firewall blacklist command to disable the blacklist function, remove a blacklist item, or revert to the default filtering type and filtering range.
Example
# Add a blacklist item with IP address of 192.168.10.10 and timeout time of 100 minutes.
[SecBlade_FW] firewall blacklist item 192.168.10.10 timeout 100
# Enable the blacklist function.
[SecBlade_FW] firewall blacklist enable
MAC/IP Address Binding Configuration Commands
debugging firewall mac-binding
Syntax
debugging firewall mac-binding { all | item | packet }
undo debugging firewall mac-binding { all | item | packet }
View
User view
Parameter
all: Enables all debugging.
item: Enables debugging for changes of address binding items.
packet: Enables debugging for address binding items in packets.
Description
Use the debugging firewall mac-binding command to enable debugging for address binding on a firewall.
Use the undo debugging firewall mac-binding command to disable debugging for address binding on a firewall.
Any debugging for address binding function is disabled by default.
Related command: display debugging.
Example
# Enable all debugging for address binding items.
<SecBlade_FW> debugging firewall mac-binding all
display firewall mac-binding
Syntax
display firewall mac-binding { enable | item [ ip-addr ] [ statistic ] }
View
Any view
Parameter
enable: Displays the running state of address binding.
item: Displays address binding items.
ip-addr: Entries with the specified IP address.
statistic: Displays statistics on address binding.
Description
Use the display firewall mac-binding command to view the running state and items of address binding on the firewall. Specify item [ ip-addr ] to view address binding items: without an IP address, the command shows summary information about all current items; with an IP address, it shows verbose information about that specific item. Specify the enable keyword to view the running state of address binding.
Example
# Display the summary information of all address binding items.
<SecBlade_FW> display firewall mac-binding item
Firewall mac-binding items :
Current items:2
192.168.1.1 00e0-0f0c-1149
20.202.16.5 0adc-0e0f-23ed
# Display the verbose information of a specific address binding item.
<SecBlade_FW> display firewall mac-binding item 192.168.1.1
Firewall mac-binding items :
192.168.1.1 00e0-0f0c-1149
# Display the running state of address binding.
<SecBlade_FW> display firewall mac-binding enable
Mac-binding is Disabled
# Display the statistics on address binding.
<SecBlade_FW> display firewall mac-binding item statistic
Firewall Mac-binding item(s) :
IP Address      Mac              True Pkts   False Pkts
192.168.1.2     000f-1f73-fec5   0           57
firewall mac-binding
Syntax
firewall mac-binding { enable | ip-addr mac-addr }
undo firewall mac-binding { enable | ip-addr }
View
System view
Parameter
enable: Enables address binding.
ip-addr: Specifies an IP address of an address binding pair.
mac-addr: Specifies a MAC address of an address binding pair.
Description
Use the firewall mac-binding command to enable address binding and add an address binding entry.
Use the undo firewall mac-binding command to disable address binding or delete an address binding entry.
Example
# Add an address binding item with IP address of 192.168.10.10 and MAC address of 00e0-0000-0001.
[SecBlade_FW] firewall mac-binding 192.168.10.10 00e0-0000-0001
# Enable address binding.
[SecBlade_FW] firewall mac-binding enable
firewall mac-binding enable
Syntax
firewall mac-binding enable
undo firewall mac-binding enable
View
System view
Parameter
enable: Enables the address binding function.
Description
Use the firewall mac-binding enable command to enable the MAC address binding function.
Use the undo firewall mac-binding enable command to disable the MAC address binding function.
Example
# Enable the MAC address binding function.
[SecBlade_FW] firewall mac-binding enable
reset firewall mac-binding
Syntax
reset firewall mac-binding item [ ip-addr ] statistic
View
User view
Parameter
item: MAC-to-IP binding entries.
ip-addr: Clears the binding information about the specified IP address.
statistic: Statistics information about MAC-to-IP binding.
Description
Use the reset firewall mac-binding command to clear the statistics information about MAC-to-IP binding.
Example
# Clear the statistics information about all the MAC-to-IP binding.
<SecBlade_FW> reset firewall mac-binding item statistic
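An added Python model of MAC/IP address binding (not code from the manual): a table of bindings, the per-address True Pkts / False Pkts counters shown by display firewall mac-binding item statistic, and the reset of those counters. Class and method names are assumptions, as is the handling of addresses that have no binding and of frames seen while binding is disabled.

```python
"""MAC/IP address binding check with the True Pkts / False Pkts counters of
display firewall mac-binding item statistic. Constructed example modelled on
the firewall mac-binding commands; it is not 3Com code."""
from __future__ import annotations

import re

# The device writes MAC addresses as three hex quads, e.g. 00e0-0000-0001.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


class MacBindingTable:
    def __init__(self) -> None:
        self.enabled = False                      # firewall mac-binding enable
        self.bindings: dict[str, str] = {}        # ip -> mac
        self.stats: dict[str, list[int]] = {}     # ip -> [true_pkts, false_pkts]

    def bind(self, ip: str, mac: str) -> None:
        """firewall mac-binding ip-addr mac-addr"""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"MAC must look like 00e0-0000-0001, got {mac!r}")
        self.bindings[ip] = mac
        self.stats.setdefault(ip, [0, 0])

    def unbind(self, ip: str) -> None:
        """undo firewall mac-binding ip-addr"""
        self.bindings.pop(ip, None)
        self.stats.pop(ip, None)

    def check(self, src_ip: str, src_mac: str) -> bool:
        """Decide whether a frame from src_ip/src_mac passes the binding check.
        Assumptions: nothing is checked or counted while binding is disabled,
        and addresses without a binding are not checked (the manual shows
        counters only for bound addresses)."""
        if not self.enabled:
            return True
        expected = self.bindings.get(src_ip)
        if expected is None:
            return True
        ok = expected == src_mac.lower()
        self.stats[src_ip][0 if ok else 1] += 1   # True Pkts / False Pkts
        return ok

    def reset_statistic(self, ip: str | None = None) -> None:
        """reset firewall mac-binding item [ ip-addr ] statistic"""
        for key in ([ip] if ip else list(self.stats)):
            if key in self.stats:
                self.stats[key] = [0, 0]

    def display_statistic(self) -> list[str]:
        """Lines in the display firewall mac-binding item statistic layout."""
        lines = ["Firewall Mac-binding item(s) :",
                 f"{'IP Address':<16}{'Mac':<17}{'True Pkts':<12}False Pkts"]
        for ip, mac in self.bindings.items():
            true_pkts, false_pkts = self.stats[ip]
            lines.append(f"{ip:<16}{mac:<17}{true_pkts:<12}{false_pkts}")
        return lines


def demo() -> dict:
    """Run constructed frames through a table holding the manual's sample binding."""
    table = MacBindingTable()
    table.bind("192.168.1.2", "000f-1f73-fec5")   # binding from the manual's output
    table.enabled = True
    frames = [                                      # (src_ip, src_mac), constructed
        ("192.168.1.2", "000f-1f73-fec5"),         # genuine
        ("192.168.1.2", "00e0-fc36-a7a9"),         # bound IP seen with another MAC
        ("192.168.1.2", "00e0-fc36-a7a9"),
        ("192.168.1.9", "0adc-0e0f-23ed"),         # no binding for this IP: not checked
    ]
    verdicts = [table.check(ip, mac) for ip, mac in frames]
    display = table.display_statistic()
    table.reset_statistic("192.168.1.2")
    return {"verdicts": verdicts, "display": display,
            "stats_after_reset": list(table.stats["192.168.1.2"])}
```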
Security Zone Configuration Commands
add interface
Syntax
add interface interface-type interface-number
undo add interface interface-type interface-number
View
Zone view
Parameter
interface-type interface-number: Specifies interface type and interface number.
Description
Use the add interface command to add an interface to the security zone.
Use the undo add interface command to remove the interface from the security zone.
An interface can belong to only one security zone. If an interface already belongs to a security zone, you must remove it from that zone before adding it to another security zone.
By default, no interface is added in the security zone.
To interwork the firewall with other devices, you need to add the corresponding interface to a security zone.
Example
# Add the GigabitEthernet0/0.1 interface to the DMZ zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] undo add interface GigabitEthernet0/0.1
[SecBlade_FW-zone-trust] quit
[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ] add interface GigabitEthernet0/0.1
display zone
Syntax
display zone [ zone-name ] [ interface | priority ]
View
Any view
Parameter
zone-name: Name of the security zone. There are four pre-defined security zones in the system, which are Trust, Untrust, DMZ, and Local.
interface: Displays the interfaces in the security zone.
priority: Displays the priority of the security zone.
Description
Use the display zone command to display the interfaces in the security zone and the priority of the security zone.
Example
# Display the priorities of all the security zones.
<SW8800> display zone priority
local priority is 100
#
trust priority is 85
#
untrust priority is 5
#
DMZ priority is 50
#
set priority
Syntax
set priority number
View
Zone view
Parameter
number: Priority value of the security zone, in the range of 1 to 100.
Description
Use the set priority command to set the priority value for the security zone. A higher priority value means a higher security level.
Four security zones are predefined in the system: Local, Trust, Untrust and DMZ. You cannot change their priority values, but you can use this command to set and change the priority values of the security zones you define.
By default, the priority value for the Local zone is 100; that for the Trust zone is 85; that for the Untrust zone is 5; that for the DMZ zone is 50.
Example
# Set the priority value of the security zone newzone to 70.
[SecBlade_FW] firewall zone newzone
[SecBlade_FW-zone-newzone] set priority 70
firewall interzone
Syntax
firewall interzone zone1 zone2
View
System view
Parameter
zone1: Security zone name.
zone2: Security zone name.
Description
Use the firewall interzone command to enter the specific inter-zone view.
Example
# Enter the inter-zone view between the Trust and Untrust zone.
[SecBlade_FW] firewall interzone trust untrust
[SecBlade_FW-interzone-trust-untrust]
firewall zone
Syntax
firewall zone zonename
View
System view
Parameter
zonename: Security zone name.
Description
Use the firewall zone command to enter the security zone view.
Example
# Enter the DMZ zone view.
[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ]
firewall zone name
Syntax
firewall zone name zonename
undo firewall zone name zonename
View
System view
Parameter
zonename: Security zone name.
Description
Use the firewall zone name command to create a new security zone.
Use the undo firewall zone name command to remove the existing security zone.
Four security zones are predefined in the system: Local, Trust, Untrust and DMZ. You cannot change their priority values.
Example
# Create the new security zone newzone.
[SecBlade_FW] firewall zone name newzone
[SecBlade_FW-zone-newzone]
19 TRANSPARENT FIREWALL CONFIGURATION COMMANDS
Transparent Firewall Configuration Commands
acl number
Syntax
acl number acl-number
undo acl { number acl-number | all }
View
System view
Parameter
number acl-number: Sequence number of the MAC-address based ACL, in the range of 4000 to 4999.
all: Removes all ACLs, including the interface-based ACLs, basic ACLs and advanced ACLs.
Description
Use the acl number command to create ACLs.
Use the undo acl command to remove the existing ACLs.
By default, no MAC address-based ACL is defined.
Refer to “acl” and “rule” for other ACL commands.
Example
# Create the MAC address-based ACL 4009.
[SecBlade_FW] acl number 4009
debugging firewall eff
Syntax
debugging firewall eff [ interface interface-type interface-number ]
undo debugging firewall eff [ interface interface-type interface-number ]
View
User view
Parameter
interface interface-type interface-number: Debugging information about the specified interface.
Description
Use the debugging firewall eff command to enable debugging for Ethernet frame filtering.
Use the undo debugging firewall eff command to disable debugging for Ethernet frame filtering.
By default, debugging for Ethernet frame filtering is not enabled.
Example
# Enable debugging for Ethernet frame filtering.
<SecBlade_FW> debugging firewall eff
Ethernet-frame-filter’s debugging is on
<SecBlade_FW>
*0.1350738 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1350739 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1352740 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1352740 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1352925 3Com EFF/8/DEBUGGING: InBound List 4001, deny the frame with the following head : dest-mac is ffff-ffff-ffff,sour-mac is 000f-1f7e-fec5, type is 0806
*0.1352925 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on inport ; received from interface GigabitEthernet0/0, with following frame head : ff ff ff ff ff ff 00 0f 1f 7e fe c5 08 06
*0.1354741 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1354741 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1356742 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1356742 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
debugging firewall transparent-mode eth-forwarding
Syntax
debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]
undo debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]
View
User view
Parameter
None
Description
Use the debugging firewall transparent-mode eth-forwarding command to enable debugging for Ethernet forwarding on the transparent firewall.
Use the undo debugging firewall transparent-mode eth-forwarding command to disable debugging for Ethernet forwarding on the transparent firewall.
By default, debugging for Ethernet forwarding on the transparent firewall is not enabled.
Example
# Enable debugging for Ethernet forwarding on the transparent firewall.
<SecBlade_FW> debugging firewall transparent-mode eth-forwarding
The Transparent-mode eth-forwarding Debugging is on
*0.695514 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
*0.695514 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696515 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
*0.696515 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696582 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696582 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
*0.696584 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696584 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
debugging firewall transparent-mode ip-forwarding
Syntax
debugging firewall transparent-mode ip-forwarding
undo debugging firewall transparent-mode ip-forwarding
View
User view
Parameter
None
Description
Use the debugging firewall transparent-mode ip-forwarding command to enable debugging for IP packet forwarding on the transparent firewall.
Use the undo debugging firewall transparent-mode ip-forwarding command to disable debugging for IP packet forwarding on the transparent firewall.
By default, debugging for IP packet forwarding on the transparent firewall is not enabled.
Example
# Enable debugging for IP packet forwarding on the transparent firewall.
<SecBlade_FW> debugging firewall transparent-mode ip-forwarding
The Transparent-mode Ip-forwarding Debugging is on
<SecBlade_FW>
*0.11355193 3Com FWTP/8/rcv_ip:Receive an IP packet
interface: GigabitEthernet0/0
source_ip_addr : 192.168.3.6
source_port : 33073
destination_ip_addr : 192.168.3.8
destination_port : 52128
protocol : 1
*0.11355193 3Com FWTP/8/sndto_secur:Send an IP packet to security module
source_ip_addr : 192.168.3.6
source_port : 17664
destination_ip_addr : 192.168.3.8
destination_port : 60
protocol : 1
return value:0
*0.11355193 3Com FWTP/8/snd_ip:Send an IP packet
interface: GigabitEthernet0/1
source_ip_addr : 192.168.3.6
source_port : 0
destination_ip_addr : 192.168.3.8
destination_port : 1
protocol : 1
*0.11355193 3Com FWTP/8/rcv_ip:Receive an IP packet
interface: GigabitEthernet0/1
source_ip_addr : 192.168.3.8
source_port : 33073
destination_ip_addr : 192.168.3.6
destination_port : 52128
protocol : 1
*0.11355193 3Com FWTP/8/sndto_secur:Send an IP packet to security module
source_ip_addr : 192.168.3.8
source_port : 17664
destination_ip_addr : 192.168.3.6
destination_port : 60
protocol : 1
return value:0
*0.11355193 3Com FWTP/8/snd_ip:Send an IP packet
interface: GigabitEthernet0/0
source_ip_addr : 192.168.3.8
source_port : 0
destination_ip_addr : 192.168.3.6
destination_port : 1
protocol : 1
display firewall ethernet-frame-filter
Syntax
display firewall ethernet-frame-filter { all | interface interface-type interface-number }
View
Any view
Parameter
all: Ethernet frame filtering statistics on all interfaces.
interface interface-type interface-number: Ethernet frame filtering statistics on a specified interface.
Description
Use the display firewall ethernet-frame-filter command to display Ethernet frame filtering statistics.
Example
# Display Ethernet frame filtering statistics on all interfaces.
<SecBlade_FW> display firewall ethernet-frame-filter all
Interface: GigabitEthernet0/1
In-bound Policy: acl 4000
From 2099-08-02 5:55:05 to 2099-08-02 5:55:41
11 packets, 668 bytes, 100% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 11 packets, 668 bytes, 100% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Out-bound Policy: acl 4000
From 2099-08-02 5:55:07 to 2099-08-02 5:55:41
0 packets, 0 bytes, 0% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 100% denied default,
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 100% denied.
display firewall mode
Syntax
display firewall mode
View
Any view
Parameter
None
Description
Use the display firewall mode command to display the operating mode of the current firewall.
Example
# Display the operating mode of the current firewall.
<SecBlade_FW> display firewall mode
Firewall mode: transparent
display firewall transparent-mode address-table
Syntax
display firewall transparent-mode address-table [ interface interface-type interface-number | mac mac-address ]
View
Any view
Parameter
interface interface-type interface-number: Information about the MAC address entries associated with the specified interface.
mac mac-address: Information about the specified MAC address entry.
Description
Use the display firewall transparent-mode address-table command to display the MAC address table of the transparent firewall.
Example
# Display the MAC address table of the transparent firewall.
<SecBlade_FW> display firewall transparent-mode address-table
The total of the address-items is 2
Mac-address     Flag  Aging-time  Receive  Send  Interface-name
00e0-fc36-a7a9  PD    00:01:41    23       13    GigabitEthernet0/0.1
000f-1f7e-fec5  PD    00:03:28    121      12    GigabitEthernet0/0.2
Flag meaning: P--PERMIT N--DENY D--DYNAMIC S--STATIC
display firewall transparent-mode config
Syntax
display firewall transparent-mode config
View
Any view
Parameter
None
Description
Use the display firewall transparent-mode config command to display the configuration information of the transparent firewall.
Example
# Display the configuration information of the transparent firewall.
<SecBlade_FW> display firewall transparent-mode config
Firewall transparent-info:
ARP learning : enable
System IP address: 169.0.0.1
System IP mask : 255.0.0.0
Unknown-mac:
Unicast IP packet : arp
broadcast IP packet: drop
Multicast IP packet: drop
display firewall transparent-mode traffic
Syntax
display firewall transparent-mode traffic [ interface interface-type interface-number ]
View
Any view
Parameter
interface interface-type interface-number: Displays the traffic information about the specified interface.
Description
Use the display firewall transparent-mode traffic command to display the traffic information about the transparent firewall.
Example
# Display the traffic information about the transparent firewall.
<SecBlade_FW> display firewall transparent-mode traffic
system error is 0,inport error is 0, outport error is 0 ,other error is 0
the total statistic :
Input: 860 total, 0 bpdu, 750 single, 0 multi, 110 broadcast;
860 ip,0 ipx, 0 other protocol;
860 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Output: 747 total, 0 bpdu, 747 single, 0 multi, 0 broadcast;
747 ip, 0 ipx, 0 other protocol;
747 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Send way: 0 broadcast, 0 fast, 747 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 113 by ip filter , 0 other
the statistic of interface GigabitEthernet0/1
Input: 376 total, 0 bpdu, 375 single, 0 multi, 1 broadcast;
376 ip,0 ipx, 0 other protocol;
376 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Output: 374 total, 0 bpdu, 374 single, 0 multi, 0 broadcast;
374 ip, 0 ipx, 0 other protocol;
374 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Send way: 0 broadcast, 0 fast, 374 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 3 by ip filter , 0 other
the statistic of interface GigabitEthernet0/0
Input: 484 total, 0 bpdu, 375 single, 0 multi, 109 broadcast;
484 ip,0 ipx, 0 other protocol;
484 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Output: 373 total, 0 bpdu, 373 single, 0 multi, 0 broadcast;
373 ip, 0 ipx, 0 other protocol;
373 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Send way: 0 broadcast, 0 fast, 373 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 110 by ip filter , 0 other
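The traffic counters above are easier to audit mechanically than by eye. The parser below is an added example, not 3Com code; it reads the output format of this command (the sample is abridged from the manual's own example, with the per-protocol breakdown lines left out), extracts the Input/Output totals and the Discard reasons per section, and checks that received frames are accounted for either as forwarded or as discarded. The two-interface path check assumes a firewall with exactly the two interfaces shown.

```python
"""Parser for 'display firewall transparent-mode traffic' output, added here as an
example (not 3Com code): it pulls the Input/Output totals and the Discard reasons
out of each section so the counters can be checked instead of read by eye."""
import re
from typing import Dict

# Abridged from the manual's example output: the per-protocol breakdown lines
# (ip/ipx, eth2/snap/...) are left out because the parser does not use them.
SAMPLE = """\
system error is 0,inport error is 0, outport error is 0 ,other error is 0
the total statistic :
Input: 860 total, 0 bpdu, 750 single, 0 multi, 110 broadcast;
Output: 747 total, 0 bpdu, 747 single, 0 multi, 0 broadcast;
Send way: 0 broadcast, 0 fast, 747 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 113 by ip filter , 0 other
the statistic of interface GigabitEthernet0/1
Input: 376 total, 0 bpdu, 375 single, 0 multi, 1 broadcast;
Output: 374 total, 0 bpdu, 374 single, 0 multi, 0 broadcast;
Send way: 0 broadcast, 0 fast, 374 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 3 by ip filter , 0 other
the statistic of interface GigabitEthernet0/0
Input: 484 total, 0 bpdu, 375 single, 0 multi, 109 broadcast;
Output: 373 total, 0 bpdu, 373 single, 0 multi, 0 broadcast;
Send way: 0 broadcast, 0 fast, 373 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 110 by ip filter , 0 other
"""

SECTION_RE = re.compile(r"^the (?:total statistic|statistic of interface (\S+))")
TOTAL_RE = re.compile(r"^(Input|Output):\s*(\d+) total")
DISCARD_RE = re.compile(r"(\d+)\s+((?:by|for) [a-z ]+?|other)\s*(?:,|$)")


def parse_traffic(text: str) -> Dict[str, dict]:
    """Return {section: {"input": n, "output": n, "discard": {reason: n}}},
    where section is "total" or an interface name."""
    stats: Dict[str, dict] = {}
    section = None
    discard_lines = []   # the Discard: record spans two lines in this output

    def flush() -> None:
        if section and discard_lines:
            for count, reason in DISCARD_RE.findall(" ".join(discard_lines)):
                stats[section]["discard"][reason.strip()] = int(count)
            discard_lines.clear()

    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            flush()                      # close the previous section's Discard record
            section = m.group(1) or "total"
            stats[section] = {"input": 0, "output": 0, "discard": {}}
        elif section is None:
            continue                     # the leading "system error" line
        elif TOTAL_RE.match(line):
            m = TOTAL_RE.match(line)
            stats[section][m.group(1).lower()] = int(m.group(2))
        elif line.startswith("Discard:"):
            discard_lines.append(line[len("Discard:"):])
        elif discard_lines:
            discard_lines.append(line)   # continuation of the Discard: record
    flush()
    return stats


def balanced(stats: Dict[str, dict], section: str) -> bool:
    """Input == Output + all discards; holds for the total section."""
    s = stats[section]
    return s["input"] == s["output"] + sum(s["discard"].values())


def path_balanced(stats: Dict[str, dict], ingress: str, egress: str) -> bool:
    """Two-interface case: a frame received on ingress either leaves on egress or is
    discarded on ingress, so Input(ingress) == Output(egress) + Discard(ingress)."""
    s_in = stats[ingress]
    return s_in["input"] == stats[egress]["output"] + sum(s_in["discard"].values())
```

A jump in the "by ip filter" count between two readings is the first thing to look at when traffic through a transparent firewall stops unexpectedly.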
firewall arp-learning enable
Syntax
firewall arp-learning enable
undo firewall arp-learning enable
View
System view
Parameter
None
Description
Use the firewall arp-learning enable command to enable learning of dynamic ARP entries on the transparent firewall.
Use the undo firewall arp-learning enable command to disable learning of dynamic ARP entries on the transparent firewall.
By default, learning of dynamic ARP entries on the transparent firewall is enabled.
Example
# Enable learning of dynamic ARP entries on the transparent firewall.
[SecBlade_FW] firewall arp-learning enable
firewall ethernet-frame-filter
Syntax
firewall ethernet-frame-filter acl-number { inbound | outbound }
undo firewall ethernet-frame-filter { inbound | outbound }
View
Ethernet interface view
Parameter
acl-number: Sequence number of the MAC-address based ACL, in the range of 4000 to 4999.
inbound: Filters inbound frames.
outbound: Filters outbound frames.
Description
Use the firewall ethernet-frame-filter command to apply the MAC address-based ACL to the interface.
Use the undo firewall ethernet-frame-filter command to remove the MAC address-based ACL from the interface.
By default, no MAC address-based ACL is applied to the interface.
Example
# Apply the MAC address-based ACL 4009 to GigabitEthernet0/0.1.
[SecBlade_FW-GigabitEthernet0/0.1] firewall ethernet-frame-filter 4009 inbound
firewall mode
Syntax
firewall mode { route | transparent }
undo firewall mode
View
System view
Parameter
route: Specifies that the firewall operate in routing mode.
transparent: Specifies that the firewall operate in transparent mode.
Description
Use the firewall mode command to specify the operating mode of a firewall.
Use the undo firewall mode command to revert to the default operating mode.
A firewall operates in routing mode by default.
When a firewall operates in routing mode, all of its interfaces operate at Layer 3; that is, you can assign IP addresses to them. When a firewall operates in transparent mode, all of its interfaces operate at Layer 2; that is, they act as switching ports and you cannot configure Layer 3 properties (such as IP addresses) on them.
Example
# Specify the firewall to operate in transparent mode.
[SecBlade_FW] firewall mode transparent
Set system ip address successfully.
All the Interfaces’s ips have been deleted.
The mode is set successfully.
The output indicates that the firewall operates in transparent mode, and the IP addresses of all its interfaces are removed.
firewall system-ip
Syntax
firewall system-ip ip-address [ mask ]
undo firewall system-ip
View
System view
Parameter
ip-address: IP address of the firewall system.
mask: Subnet mask of the firewall system. If not provided, the default subnet mask of the class to which the IP address belongs is used.
Description
Use the firewall system-ip command to assign an IP address for a firewall system.
Use the undo firewall system-ip command to revert to the default system IP address.
The IP address of a firewall system is 169.0.0.1/8 by default.
When a firewall operates in transparent mode, all of its interfaces operate at Layer 2; that is, they act as switching ports and you cannot configure Layer 3 properties (such as IP addresses) on them. A firewall still needs an IP address so that administrators can manage it and so that it can provide network services. For this reason, a firewall operating in transparent mode is assigned a default system IP address (169.0.0.1/8), which you can change with this command.
You cannot configure the system IP address of a firewall when the firewall operates in routing mode.
Example
# Configure a system IP address for a firewall.
[SecBlade_FW] firewall mode transparent
Set system ip address successfully.
All the Interfaces’s ip addresses have been deleted.
The mode is set successfully.
[SecBlade_FW] firewall system-ip 10.1.1.5 255.255.255.0
Set system ip address successfully.
firewall transparent-mode aging-time
Syntax
firewall transparent-mode aging-time seconds
undo firewall transparent-mode aging-time
View
System view
Parameter
seconds: Aging time of the MAC forwarding table, in the range of 10 to 1000000 (seconds).
Description
Use the firewall transparent-mode aging-time command to configure the aging time of the MAC forwarding table.
Use the undo firewall transparent-mode aging-time command to restore the default configuration.
By default, the aging time of the MAC forwarding table is 300 seconds.
Example
# Configure the aging time of the MAC forwarding table to 1800 seconds.
[SecBlade_FW] firewall transparent-mode aging-time 1800
firewall transparent-mode transmit
Syntax
firewall transparent-mode transmit { bpdu | dlsw | ipx }
undo firewall transparent-mode transmit { bpdu | dlsw | ipx }
View
System view
Parameter
bpdu: Bridge protocol data unit.
dlsw: Data link switching.
ipx: Internetwork packet exchange.
Description
Use the firewall transparent-mode transmit command to define the type of packets that are allowed to pass.
Use the undo firewall transparent-mode transmit command to stop allowing the specified type of packets to pass.
By default, the firewall does not allow any of these packet types to pass.
Example
# Configure the transparent firewall to allow BPDU packets to pass.
[SecBlade_FW] firewall transparent-mode transmit bpdu
firewall unknown-mac
Syntax
firewall unknown-mac { drop | flood }
undo firewall unknown-mac
View
System view
Parameter
drop: Drops the IP unicast, multicast and broadcast packets with unknown MAC address.
flood: Floods the IP unicast, multicast and broadcast packets with unknown MAC address to the interfaces in a specific security zone other than the interface receiving the packet. The system saves the MAC address after receiving the ARP response packet, and forwards subsequent packets through this MAC address.
20
VRRP CONFIGURATION COMMANDS
Note: The commands described in this document apply to the Firewall module, and not to the Switch 8800 Family switches.
VRRP Configuration Commands
Note: You can also use the following commands at the SecBlade_VPN prompt.
debugging vrrp
Syntax
debugging vrrp { packet | state }
undo debugging vrrp { packet | state }
View
User view
Parameter
packet: Enables VRRP packet debugging.
state: Enables VRRP state debugging.
Description
Use the debugging vrrp command to enable VRRP debugging.
Use the undo debugging vrrp command to disable VRRP debugging.
By default, VRRP debugging is disabled.
Example
# Enable VRRP packet debugging.
[SecBlade_FW] debugging vrrp packet
display vrrp
Syntax
display vrrp [ interface type number [ virtual-router-ID ] ]
View
Any view
342 CHAPTER 20: VRRP CONFIGURATION COMMANDS
Parameter
interface type number: Specifies an interface type and interface number.
virtual-router-ID: Standby group number.
Description
Use the display vrrp command to view current configuration and state information about VRRP.
If the interface and standby group number are not specified, the state information about all the standby groups is displayed. If only the interface is specified, the state information about all the standby groups on the interface is displayed. If both arguments are specified, the state information about the specified standby group is displayed.
Example
# Display information about all standby groups.
<SecBlade_FW> display vrrp
Virtual Ip Ping : Disable
GigabitEthernet0/0.1 | Virtual Router 1
state : Initialize
Virtual IP : 22.2.2.2
Config Priority : 100
Run Priority : 100
Preempt : YES
Delay Time : 0
Timer : 1
Auth Type : NONE
GigabitEthernet0/0.2 | Virtual Router 1
state : Initialize
Virtual IP : 1.1.11.1
Config Priority : 100
Run Priority : 100
Preempt : YES
Delay Time : 0
Timer : 1
Auth Type : NONE
vrrp authentication-mode
Syntax
vrrp authentication-mode { md5 key | simple key }
undo vrrp authentication-mode
View
Interface view
Parameter
simple: Adopts plain text authentication.
md5: Adopts ciphertext authentication using the MD5 algorithm.
key: Authentication key. When simple authentication applies, the authentication key is in plain text with a length of 1 to 8 characters. When md5 authentication applies, the authentication key is in MD5 ciphertext and the length of the key depends on its input format. If the key is input in plain text, its length is 1 to 8 characters, such as 1234567; if the key is input in ciphertext, its length must be 24 characters, such as _(TT8F]Y5SQ=^Q‘MAF4<1!!.
Description
Use the vrrp authentication-mode command to configure authentication mode and authentication key for the VRRP standby groups on the interface.
Use the undo vrrp authentication-mode command to disable authentication in the VRRP standby groups on the interface.
By default, authentication is disabled.
With this command, all standby groups on the interface share the same authentication type and authentication key.
Note that the members of the same standby group must use the same authentication mode and authentication key.
The authentication key is case sensitive.
Example
# Set the authentication mode and authentication key of all VRRP standby groups on GigabitEthernet0/0.1 sub-interface.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp authentication-mode simple aabbcc
vrrp ping-enable
Syntax
vrrp ping-enable
undo vrrp ping-enable
View
System view
Parameter
None
Description
Use the vrrp ping-enable command to enable users to ping the virtual IP addresses of standby groups.
Use the undo vrrp ping-enable command to prevent users from pinging the virtual IP addresses of standby groups.
By default, users cannot ping the virtual IP addresses of standby groups.
Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.
Example
# Enable users to ping the virtual IP addresses of standby groups.
[SecBlade_FW] vrrp ping-enable
vrrp un-check ttl
Syntax
vrrp un-check ttl
undo vrrp un-check ttl
View
Interface view
Parameter
None
Description
Use the vrrp un-check ttl command to disable time to live (TTL) check for VRRP packets.
Use the undo vrrp un-check ttl command to enable TTL check for VRRP packets.
According to the VRRP protocol, the TTL value of VRRP packets must be 255. If the backup security gateway detects that the TTL value of a received packet is not 255, it drops the packet.
By default, the TTL value of VRRP packets will be checked.
Example
# Disable TTL check for VRRP packets.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp un-check ttl
vrrp vrid preempt-mode
Syntax
vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
undo vrrp vrid virtual-router-ID preempt-mode
View
Interface view
Parameter
virtual-router-ID: Virtual router ID or VRRP standby group number, in the range of 1 to 255.
delay-value: Delay in the range of 0 to 255 in seconds.
Description
Use the vrrp vrid preempt-mode command to enable preemption on the security gateway and configure its preemption delay in the specified standby group.
Use the undo vrrp vrid preempt-mode command to disable preemption on the security gateway in the specified standby group.
To allow a backup security gateway in a standby group to preempt the current master when it has a higher priority, you must enable preemption on it. If immediate preemption is not desired, you can set a preemption delay. The delay automatically changes to 0 seconds when preemption is disabled.
By default, the preemption mode is adopted with the delay of 0 seconds.
Example
# Enable preemption on the security gateway in standby group 1.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
# Set the preemption delay to five seconds.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode timer delay 5
# Disable preemption on the security gateway in standby group 1.
[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 preempt-mode
vrrp vrid priority
Syntax
vrrp vrid virtual-router-ID priority priority-value
undo vrrp vrid virtual-router-ID priority
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
priority-value: Priority value, in the range 1 to 254.
Description
Use the vrrp vrid priority command to configure the priority of the security gateway in the specified standby group.
Use the undo vrrp vrid priority command to restore the default.
In VRRP, the role that a Firewall module plays in a standby group depends on its priority. A higher priority means that the security gateway is more likely to become the master. Note that priority 0 is reserved for special use and 255 for the IP address owner.
By default, the priority is 100.
Example
# Set the priority of the security gateway in standby group 1 to 150.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 priority 150
vrrp vrid timer advertise
Syntax
vrrp vrid virtual-router-ID timer advertise adver-interval
undo vrrp vrid virtual-router-ID timer advertise
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
adver-interval: Interval at which the master in the specified standby group sends VRRP packets. It is in the range of 1 to 255 in seconds.
Description
Use the vrrp vrid timer advertise command to configure the Adver_Timer of the specified standby group.
Use the undo vrrp vrid timer advertise command to restore the default.
The Adver_Timer controls the interval at which the master sends VRRP packets.
By default, the value of the timer is 1 second.
Example
# Set the master in standby group 1 to send VRRP packets at intervals of five seconds.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 timer advertise 5
vrrp vrid track
Syntax
vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]
undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
interface-type interface-number: Interface to be tracked.
priority-reduced: Value by which the priority is reduced. It is in the range of 1 to 255.
Description
Use the vrrp vrid track command to configure the interface to be tracked.
Use the undo vrrp vrid track command to disable tracking the specified interface.
The interface tracking function expands the backup functionality of VRRP. It provides backup not only when a security gateway fails but also when a network interface goes down.
When the tracked interface specified in this command goes down, the priority of the security gateway that owns the interface is automatically decreased by the value specified by priority-reduced, allowing a higher-priority member of the standby group to take over as the master. When the security gateway is the IP address owner, however, you cannot configure interface tracking on it.
By default, the priority is reduced by 10.
Example
# Track GigabitEthernet0/0.1 sub-interface.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 track GigabitEthernet0/0.300 reduced 50
# Disable the tracking of GigabitEthernet0/0.1 sub-interface.
[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 track GigabitEthernet0/0.300
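The priority, preemption, interface tracking and TTL rules described for vrrp vrid priority, vrrp vrid preempt-mode, vrrp vrid track and vrrp un-check ttl combine into the role selection below. This is an added example, not 3Com code: gateway A uses the manual's values (priority 150, tracking GigabitEthernet0/0.300 with a reduction of 50), gateway B and both interface addresses are constructed, and the tie-break on equal priority (higher interface IP wins) and the floor of 1 on the running priority are assumptions taken from RFC 3768 rather than from the manual.

```python
"""VRRP role selection as the manual describes it (vrrp vrid priority, vrrp vrid
preempt-mode, vrrp vrid track, vrrp un-check ttl). Added example, not 3Com code.
Tie-break on equal priority (higher interface IP wins) follows RFC 3768; the
manual does not state it, so it is an assumption here.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set

VRRP_TTL = 255          # VRRP packets must arrive with TTL 255
DEFAULT_PRIORITY = 100  # vrrp vrid priority default
DEFAULT_REDUCE = 10     # vrrp vrid track default reduction


def valid_priority(value: int) -> bool:
    """Configurable priorities are 1..254; 0 and 255 are reserved."""
    return 1 <= value <= 254


@dataclass
class Gateway:
    name: str
    ip: str                                   # interface address, used for tie-break
    config_priority: int = DEFAULT_PRIORITY
    preempt: bool = True                      # preemption is on by default
    tracked: Dict[str, int] = field(default_factory=dict)   # interface -> reduction
    down: Set[str] = field(default_factory=set)             # interfaces that are down

    def run_priority(self) -> int:
        """Run Priority as shown by display vrrp: configured priority minus the
        reduction of every tracked interface that is down (the floor of 1 is an
        assumption; the manual does not say what happens below 1)."""
        if not valid_priority(self.config_priority):
            raise ValueError("priority must be in 1..254")
        loss = sum(r for ifname, r in self.tracked.items() if ifname in self.down)
        return max(1, self.config_priority - loss)


def accept_advertisement(ttl: int, ttl_check: bool = True) -> bool:
    """TTL test a backup applies to a received VRRP packet; ttl_check=False models
    'vrrp un-check ttl' on the interface."""
    return (not ttl_check) or ttl == VRRP_TTL


def elect_master(group: List[Gateway], current: Optional[str] = None) -> str:
    """Name of the gateway that should be master. A backup with a higher run
    priority replaces the present master only if its own preempt flag is set;
    if the present master is missing from `group` (failed), a fresh election runs."""
    best = max(group, key=lambda g: (g.run_priority(), int(IPv4Address(g.ip))))
    present = next((g for g in group if g.name == current), None)
    if present is None or best is present or best.preempt:
        return best.name
    return present.name


def tracking_scenario(backup_preempts: bool = True) -> dict:
    """Manual's numbers: A has priority 150 and tracks GigabitEthernet0/0.300 with
    'reduced 50'; B (constructed) has priority 120. Then the tracked link fails."""
    a = Gateway("A", "10.10.10.1", 150, tracked={"GigabitEthernet0/0.300": 50})
    b = Gateway("B", "10.10.10.2", 120, preempt=backup_preempts)
    first = elect_master([a, b])
    a.down.add("GigabitEthernet0/0.300")
    return {"first": first, "a_after": a.run_priority(),
            "after": elect_master([a, b], current=first)}


if __name__ == "__main__":
    print(tracking_scenario())        # A loses the tracked link, B takes over
    print(tracking_scenario(False))   # B without preempt-mode stays backup
```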
vrrp vrid virtual-ip
Syntax
vrrp vrid virtual-router-ID virtual-ip virtual-address
undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
virtual-address: Virtual IP address.
Description
Use the vrrp vrid virtual-ip command to create a standby group (the first time you add a virtual IP address) or to add another virtual IP address to an existing standby group.
Use the undo vrrp vrid virtual-router-ID virtual-ip command to remove a standby group.
Use the undo vrrp vrid virtual-router-ID virtual-ip virtual-address command to delete a virtual IP address from the specified standby group.
The system removes a standby group after you delete all the virtual IP addresses in it.
By default, no standby group exists.
Example
# Create a standby group.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.10
# Add a virtual IP address to the existing standby group.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.11
# Delete a virtual IP address.
[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 virtual-ip 10.10.10.10