H3C SecPath UTM Series Configuration Examples

Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com

Manual Version: 5W101-20100520




Copyright © 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors

All Rights Reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Technical Support

[email protected]

http://www.h3c.com


About This Manual

Organization

H3C SecPath UTM Series Configuration Examples is organized as follows:

Configuration Maintenance Example
Signature Upgrade Configuration Example
PPPoE Configuration Example
NAT Configuration Example
Layer 2 and Layer 3 Forwarding Configuration Examples
DHCP Configuration Examples
TR-069 Configuration Example
Interzone Policy Configuration Example
ARP Attack Protection Configuration Example
Attack Protection Configuration Example (SmartBits)
Bandwidth Management Configuration Example
IPS Configuration Example
Anti-Virus Configuration Example
Flow Logging Configuration Example
Protocol Auditing Configuration Example
Protocol Auditing and SecCenter Configuration Example
Anti-Spam Configuration Example
URL Filtering Configuration Example
IPsec Configuration Example
L2TP Configuration Example

Conventions

The manual uses the following conventions:

Command conventions

Convention Description

Boldface The keywords of a command line are in Boldface.

italic Command arguments are in italic.

[ ] Items (keywords or arguments) in square brackets [ ] are optional.

{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. One is selected.

[ x | y | ... ] Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.

{ x | y | ... } * Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.

[ x | y | ... ] * Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.

&<1-n> The argument(s) before the ampersand (&) sign can be entered 1 to n times.

# A line starting with the # sign is a comment.


GUI conventions

Convention Description

Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

Means the reader must be extremely careful. Improper operation may cause bodily injury.

Means the reader must be careful. Improper operation may cause data loss or damage to equipment.

Means an action or information that needs special attention to ensure successful configuration or good performance.

Means a complementary description.

Means techniques that help you configure the device with ease.

Related Documentation

In addition to this manual, each H3C SecPath UTM series documentation set includes the following:

Manual Description

H3C SecPath U200 Series Unified Threat Management Products Installation Manual

Briefly introduces the H3C SecPath U200 series Unified Threat Management products, and presents the methods for software maintenance, hardware maintenance, troubleshooting, preparations before installation, installation procedure, interface cards and interface modules.

H3C SecPath U Series Unified Threat Management Products User Manual

Describes the features, operation fundamentals, and configuration commands of the H3C SecPath U series Unified Threat Management products, guides you through Web configuration, and provides command descriptions for supplementary configuration.

Obtaining Documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com.

The following are the columns from which you can obtain different categories of product documentation:

[Products & Solutions]: Provides information about products and technologies, as well as solutions.

[Technical Support & Document > Technical Documents]: Provides several categories of product documentation, such as installation, configuration, and maintenance.

[Technical Support & Document > Software Download]: Provides the documentation released with the software version.


Documentation Feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.


UTM Series Configuration Maintenance Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/10

UTM Series Configuration Maintenance Example

Keywords: Configuration maintenance, backup

Abstract: The configuration maintenance module is used to save the configuration (with or without encryption), back up the configuration, restore the configuration, and restore the configuration to the factory defaults. You can easily implement configuration maintenance and management on the Web interface.

Acronyms:

Acronym Full spelling

— —


Table of Contents

Feature Overview (p. 3)
Application Scenarios (p. 3)
Configuration Guidelines (p. 3)
Configuration Maintenance Example (p. 3)
  Network Requirements (p. 3)
  Configuration Considerations (p. 3)
  Software Version Used (p. 3)
  Configuration Procedures (p. 4)
    Basic Configuration (p. 4)
    Configuration Maintenance (p. 6)
  Verification (p. 9)


Feature Overview

The configuration maintenance page has four tabs: Save, Backup, Restore, and Initialize.

When saving the configuration, you can optionally encrypt the saved file at the same time. An encrypted file is displayed in cipher text.

You can also back up and restore the configuration information on the configuration maintenance page. Besides, you can upgrade the system software and restart the system through the web interface.

Application Scenarios

Configuration maintenance is used for routine device maintenance. When the configuration is changed, you can save the configuration in case of configuration loss due to power interruption. You can also back up the configuration for future configuration restoration. To clear the configuration that you have made, you can restore the device to the factory defaults.

Configuration Guidelines

When upgrading the software, select a time range with small traffic to avoid affecting users. When performing configuration file backup or restoration, back up and restore the two files, startup.cfg and system.xml, together.

Configuration Maintenance Example

Network Requirements

Figure 1 Network diagram for configuration maintenance

Configuration Considerations

Interface GigabitEthernet 0/1 in the internal network is assigned the IP address 1.1.1.1/24, and resides in the Trust zone.

Software Version Used

F5118


Configuration Procedures

Basic Configuration

Assigning an IP address to an interface

1) Select Device Management > Interface from the navigation tree.

2) Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure GigabitEthernet 0/1 and click Apply, as shown in the following figure.


Adding GigabitEthernet 0/1 to Trust zone

1) Select Device Management > Zone from the navigation tree.

2) Click the icon of Trust to enter the Modify Zone page. Add interface GigabitEthernet 0/1 to the Trust zone, and click Apply to return to the Zone page.


Configuration Maintenance

Saving the current configuration

1) Select Device Management > Maintenance from the navigation tree, click the Save tab, and click Apply to save the current configuration. The page displays a prompt that the system is saving the configuration.


2) To encrypt the saved configuration file, select Encrypt the configuration file before clicking Apply.

Backing up the current configuration

1) Select Device Management > Maintenance from the navigation tree, click the Backup tab, and click the Backup button.

2) Specify the path and file for storing the configuration on the popup dialog box, and click Save.

Restoring the configuration

1) Select Device Management > Maintenance from the navigation tree, click the Restore tab, and click the Browse button to specify the configuration file.

2) Click Apply to import the configuration file.

The page will display the following prompt after finishing the import. The restored configuration file takes effect at next startup.


Restoring to the factory defaults

Select Device Management > Maintenance from the navigation tree, click the Initialize tab, and click the Restore Factory-Default Settings button.

Upgrading the software

Select Device Management > Software Upgrade from the navigation tree, and click the Browse button. Specify the upgrade file, and click Open.


Rebooting the device

Select Device Management > Reboot from the navigation tree, and click Apply.

Verification

Verifying configuration saving

When the current configuration is saved, the configuration information is not lost when you reboot the device.

If the saved configuration file is encrypted, the configuration information in the file is displayed in cipher text.

Verifying configuration backup

You can back up the saved configuration file to a PC or other storage media.
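The configuration guidelines above say that startup.cfg and system.xml must be backed up and restored together, and the verification steps say that an encrypted saved file shows as cipher text. The following Python script is an added example, not part of the H3C manual and not H3C code: it checks that an exported backup set on the PC contains both files, records a SHA-256 manifest so a later restore can be checked for corruption or tampering, and flags whether startup.cfg was saved unencrypted (which matters because an unencrypted configuration file can expose credentials to anyone who reads the backup). The file contents, the directory name and the manifest.json file are constructed for this example; the plaintext heuristic is an assumption, not a documented property of the device's file format.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# The two files the guideline says must be backed up and restored together.
REQUIRED_FILES = ("startup.cfg", "system.xml")

# Constructed sample contents standing in for an exported backup set
# (hypothetical, not real device output).
SAMPLE_STARTUP_CFG = (b"#\n sysname UTM\n#\ninterface GigabitEthernet0/1\n"
                      b" ip address 1.1.1.1 255.255.255.0\n#\nreturn\n")
SAMPLE_SYSTEM_XML = b'<?xml version="1.0"?><system><web/></system>'


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic (assumption): an unencrypted configuration file is almost entirely
    printable ASCII, whereas a file saved with encryption is not."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) > 0.95


def check_backup_set(directory: Path) -> dict:
    """Confirm both files are present, record a SHA-256 per file, and note whether
    startup.cfg was saved unencrypted."""
    result = {"complete": True, "missing": [], "sha256": {}, "startup_plaintext": None}
    for name in REQUIRED_FILES:
        path = directory / name
        if not path.is_file():
            result["complete"] = False
            result["missing"].append(name)
            continue
        data = path.read_bytes()
        result["sha256"][name] = hashlib.sha256(data).hexdigest()
        if name == "startup.cfg":
            result["startup_plaintext"] = looks_like_plaintext(data)
    return result


def write_manifest(directory: Path, result: dict) -> Path:
    """Store the hashes next to the backup so a later restore can be checked against them."""
    manifest = directory / "manifest.json"
    manifest.write_text(json.dumps(result["sha256"], indent=2, sort_keys=True))
    return manifest


def verify_manifest(directory: Path) -> bool:
    """Re-hash the files and compare with the recorded manifest before restoring."""
    manifest_path = directory / "manifest.json"
    if not manifest_path.is_file():
        return False
    recorded = json.loads(manifest_path.read_text())
    return check_backup_set(directory)["sha256"] == recorded


def run_demo() -> dict:
    """Exercise the checks on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "utm-backup"
        backup.mkdir()
        (backup / "startup.cfg").write_bytes(SAMPLE_STARTUP_CFG)
        (backup / "system.xml").write_bytes(SAMPLE_SYSTEM_XML)
        first = check_backup_set(backup)
        write_manifest(backup, first)
        manifest_ok = verify_manifest(backup)
        # A startup.cfg modified after the backup no longer matches the manifest.
        (backup / "startup.cfg").write_bytes(SAMPLE_STARTUP_CFG + b"# edited later\n")
        tamper_ok = verify_manifest(backup)
        # A backup set missing its companion file is reported as incomplete.
        (backup / "system.xml").unlink()
        after_removal = check_backup_set(backup)
    return {"first": first, "manifest_ok": manifest_ok,
            "tamper_ok": tamper_ok, "after_removal": after_removal}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the script against the directory you chose in the Backup dialog before you rely on the backup, and again before you click Apply on the Restore tab; an incomplete set or a manifest mismatch is a reason to take a fresh backup rather than restore.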

Verifying configuration restoration

After the configuration file is imported, the Web page displays success of import. After the device is rebooted, the configuration information and the imported configuration file are consistent.


Verifying configuration restoration to the factory defaults

The system can automatically reboot, delete the current configuration information, and restore to the factory defaults.

Verifying software upgrade

The system displays upgrading during the software upgrade. If you select Reboot after the upgrade is finished, the system will reboot after the upgrade finishes. If you do not select Reboot after the upgrade is finished, you need to manually reboot the device.

Verifying device reboot

After clicking Apply, the device automatically reboots. If you select Check whether the configuration is saved to the configuration file for next boot, and click Apply, the system gives a prompt in the case that the configuration is not saved, and the system does not reboot automatically.

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.


UTM Series Signature Upgrade Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/8

UTM Series Signature Upgrade Configuration Example

Keyword: Signature, signature database

Abstract: This document describes configuration examples of signature upgrade for UTM series devices.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management

AV Anti-virus

IPS Intrusion Prevention System


Table of Contents

Feature Overview (p. 3)
Application Scenarios (p. 3)
Configuration Guidelines (p. 3)
Signature Upgrade Configuration Example (p. 3)
  Network Requirements (p. 3)
  Configuration Consideration (p. 4)
  Software Version Used (p. 4)
  Configuration Procedures (p. 4)
    Basic Configuration (p. 4)
    Configuring Signature Upgrade (p. 5)
  Verification (p. 7)
References (p. 8)
  Related Documentation (p. 8)


Feature Overview

Signature databases maintain the attack signatures and virus signatures that can be recognized by the device. Therefore, for security devices to work properly, their signature databases must be upgraded in real time and must be of the latest version.

Signature databases can be upgraded either automatically or manually:

Auto upgrade: Automatically obtains the latest signature files from a certain signature server to the device at a specified interval by using a specific protocol.

Manual upgrade: Allows you to perform signature upgrade when needed. You can specify the protocol for obtaining the signature file, the server address, and the signature file name. In addition, manual upgrade allows you to obtain any version of the signature file that is compatible with the device. Manual upgrade is generally performed within the LAN.

Application Scenarios

Signature upgrade is required in scenarios where the signature database needs to be upgraded for UTM devices with IPS and anti-virus enabled.

Configuration Guidelines

When upgrading the signature databases, make sure that the current license file is valid and has not expired.

To automatically upgrade the signature database, make sure the UTM device can reach the website www.h3c.com.

Signature Upgrade Configuration Example

Network Requirements

As shown in Figure 1, the Device connects to the internal network 192.168.1.0/24 through GigabitEthernet 0/0 and to the external network through GigabitEthernet 0/2. You can log in to the IP address of GigabitEthernet 0/0 or GigabitEthernet 0/2 to configure auto upgrade of signatures, so that the Device can automatically complete signature upgrade at a specified interval.

Figure 1 Network diagram for configuring signature upgrade


Configuration Consideration

1) Manage the signature package version.

2) Manually upgrade the signature package.

3) Automatically upgrade the signature package.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring interfaces

Assign the IP address 192.168.1.1/24 to GigabitEthernet 0/0, and add the interface to zone Trust. Assign the IP address 192.168.103.171/22 to GigabitEthernet 0/2, and add the interface to zone Untrust.

Figure 2 Configure interfaces

Configuring NAT

Configure dynamic NAT on GigabitEthernet 0/2, selecting ACL 3000 and configuring Easy IP as the address translation mode.

Figure 3 Configure NAT

Configure a rule for ACL 3000 to permit packets sourced from 192.168.1.0/24.

Figure 4 Configure the ACL


Configuring a static route

Add a default static route with the next hop being 192.168.100.254, which is the IP address of the gateway reached through the external interface.

Figure 5 Configure a default static route

Configuring DNS

Configure the IP address of the DNS server so that the website for signature upgrade, namely www.h3c.com, can be resolved.

Figure 6 Configure the IP address of the DNS server

Configuring Signature Upgrade

Perform signature upgrade configurations on the Application Security Policy page. To enter the page, select IPS | AV | Application Control > Advanced Configuration from the navigation tree and click the Application Security Policy link.

Figure 7 Application Security Policy page

Managing signature database versions

Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page.

In the Current Version area and History Version area, you can view the current version and previous version of each type of signature database.

In the History Version area, you can click the icon to roll back a certain type of signature database to the previous version.


Figure 8 Current version and history version

Upgrading signature database manually

Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. You can upgrade signature databases manually in the Manual Upgrade area. Select IPS as the signature database type, select HTTP as the protocol, and click Browse to select the upgrade file.

Figure 9 Upgrade signature database manually

Click OK. The signature upgrade starts.

Figure 10 Upgrade progress indicator


Configuring auto upgrade of signature database

Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. You can configure auto upgrade parameters in the Auto Upgrade area.

On the page, you can view the types of signature databases from the leftmost list, enable/disable the auto upgrade function, and set the time and interval of auto upgrade on the right side of the page. For example, you can enable auto upgrade for anti-virus signature database and set the first upgrade time to 17:00 2009-04-17 and upgrade interval to 3 days, while disabling the auto upgrade for IPS signature database.

Figure 11 Configure auto upgrade

Auto upgrade will start as scheduled and the upgrade progress will be indicated in the manual upgrade area.

Figure 12 Upgrade progress indicator

Verification

Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature upgrade page. The IPS signature database is up-to-date after the manual upgrade and the anti-virus signature database is up-to-date after the auto upgrade.
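The auto upgrade settings above (first upgrade time 17:00 2009-04-17, interval 3 days, auto upgrade enabled for anti-virus and disabled for IPS) and the verification step that the databases are up-to-date can be checked without clicking through the page for every device. The following Python script is an added example, not part of the H3C manual and not H3C code: it computes the last and next scheduled auto upgrade from the first time and interval, and reports a database as stale when its installed version predates the last scheduled run by more than a grace period. The installed-version timestamps, the grace period, the policy data structure and the "HH:MM YYYY-MM-DD" time format are assumptions of the example; the device's own version display (Figure 13) is where the real timestamps would come from.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class AutoUpgradePolicy:
    """Auto upgrade settings of one signature database, as set in the Auto Upgrade area
    (hypothetical structure for this example)."""
    enabled: bool
    first_time: Optional[datetime] = None   # first scheduled upgrade
    interval: Optional[timedelta] = None    # upgrade interval


def parse_first_time(text: str) -> datetime:
    """Parse the 'HH:MM YYYY-MM-DD' form the page's example uses, e.g. '17:00 2009-04-17'."""
    return datetime.strptime(text, "%H:%M %Y-%m-%d")


def scheduled_runs(first: datetime, interval: timedelta,
                   now: datetime) -> Tuple[Optional[datetime], datetime]:
    """Return (last scheduled run at or before now, next scheduled run after now).
    The first element is None while the first run is still in the future."""
    if interval <= timedelta(0):
        raise ValueError("upgrade interval must be positive")
    if now < first:
        return None, first
    full_intervals = (now - first) // interval
    last = first + full_intervals * interval
    return last, last + interval


def stale_databases(policies: Dict[str, AutoUpgradePolicy],
                    installed: Dict[str, datetime],
                    now: datetime,
                    grace: timedelta = timedelta(hours=2)) -> List[str]:
    """Names of databases whose installed version predates the last scheduled run.
    Databases with auto upgrade disabled are skipped: they are upgraded manually."""
    stale = []
    for name, policy in policies.items():
        if not policy.enabled:
            continue
        last, _ = scheduled_runs(policy.first_time, policy.interval, now)
        if last is None or now - last < grace:
            continue  # first run not due yet, or the run may still be in progress
        version_time = installed.get(name)
        if version_time is None or version_time < last:
            stale.append(name)
    return stale


# Constructed sample mirroring the page's example: AV auto-upgraded every 3 days
# starting 17:00 2009-04-17, IPS upgraded manually.
SAMPLE_POLICIES = {
    "AV": AutoUpgradePolicy(True, parse_first_time("17:00 2009-04-17"), timedelta(days=3)),
    "IPS": AutoUpgradePolicy(False),
}


def demo(now: datetime = datetime(2009, 4, 25, 10, 0)) -> dict:
    """Evaluate the sample policies at a fixed 'now' with hypothetical installed versions."""
    installed = {"AV": datetime(2009, 4, 20, 17, 30), "IPS": datetime(2009, 4, 1, 9, 0)}
    av = SAMPLE_POLICIES["AV"]
    last, nxt = scheduled_runs(av.first_time, av.interval, now)
    return {"last": last, "next": nxt,
            "stale": stale_databases(SAMPLE_POLICIES, installed, now)}


if __name__ == "__main__":
    print(demo())
```

At 10:00 on 2009-04-25 the schedule has run twice since the first time (2009-04-20 17:00 and 2009-04-23 17:00), so an anti-virus database still dated 2009-04-20 has missed a run and is reported; the IPS database is not reported because its auto upgrade is disabled, which is the point of keeping the manual and auto cases separate.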


Figure 13 View signature database version

References

Related Documentation Device Management in the web configuration manual



UTM Series PPPoE Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/9

UTM Series PPPoE Configuration Example

Keywords: PPPoE

Abstract: The PPPoE dial-up method is typically used for ADSL access, through which you can access resources on the public network.

Acronyms:

Acronym Full spelling

PPPoE Point-to-Point Protocol over Ethernet


Table of Contents

Feature Overview (p. 3)
Application Scenarios (p. 3)
Configuration Guidelines (p. 3)
PPPoE Configuration Example (p. 3)
  Network Requirements (p. 3)
  Configuration Considerations (p. 3)
  Software Version Used (p. 4)
  Configuration Procedures (p. 4)
    Basic Configurations (p. 4)
    Adding Interfaces to Zones and Configuring Inter-Zone Policies (p. 5)
    Configuring PPPoE (p. 7)
    Configuring NAT on the Outgoing Interface (p. 8)
  Verification (p. 8)
    Verifying the PPPoE Configuration (p. 8)
References (p. 9)
  Related Documentation (p. 9)


Feature Overview

Point-to-Point Protocol (PPP) is a link layer protocol that carries network layer packets over point-to-point links. It gained popularity because it provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.

PPP contains a set of protocols, including the Link Control Protocol (LCP), the Network Control Protocol (NCP), and authentication protocols such as the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Among these protocols, LCP is responsible for establishing, tearing down, and monitoring data links; NCP is used to negotiate the format and type of the packets over data links; PAP and CHAP are used for network security.
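The paragraph above names PAP and CHAP as the PPP authentication protocols that a PPPoE dialer interface uses with its username and password. The following Python script is an added example, not part of the H3C manual and not H3C code, showing what the two protocols put on the link: PAP sends the password itself in its Authenticate-Request (RFC 1334), while CHAP (RFC 1994, MD5 variant) sends only MD5(Identifier || secret || Challenge) in answer to a random challenge, so the shared secret never crosses the link and a captured response is useless once that challenge has been consumed. The peer name "utm-dialer", the shared secret and the one-challenge-per-attempt authenticator class are constructed for this example and are not taken from the device's implementation.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The peer proves it knows the secret without ever sending it."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): length-prefixed Peer-ID and
    Password. The password travels in clear text."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


class ChapAuthenticator:
    """Authenticator side: issues a fresh random challenge per attempt and checks
    the response against the stored shared secret for that peer name."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets                 # peer name -> shared secret
        self._identifier = 0
        self._pending: Dict[int, bytes] = {}    # outstanding challenges by identifier

    def challenge(self) -> Tuple[int, bytes]:
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(16)                  # unpredictable and never reused
        self._pending[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge is consumed once, so a recorded response cannot be reused.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_exchange(secret_on_peer: bytes) -> Tuple[bool, bool]:
    """One CHAP exchange followed by a repeat of the same response.
    Returns (first_attempt_accepted, repeat_accepted)."""
    authenticator = ChapAuthenticator({"utm-dialer": b"constructed-shared-secret"})
    identifier, challenge = authenticator.challenge()                 # Challenge packet
    response = chap_response(identifier, secret_on_peer, challenge)   # Response packet
    first = authenticator.verify(identifier, "utm-dialer", response)
    repeat = authenticator.verify(identifier, "utm-dialer", response)
    return first, repeat


if __name__ == "__main__":
    print("CHAP (correct secret):", run_exchange(b"constructed-shared-secret"))
    print("CHAP (wrong secret):  ", run_exchange(b"wrong-secret"))
    print("PAP request bytes:    ", pap_authenticate_request("utm-dialer", "s3cret"))
```

When the ISP offers a choice, prefer CHAP for the dialer interface for exactly the reason the code makes visible: the PAP request contains the password as bytes, the CHAP response does not. Note that CHAP still requires the authenticator to hold the secret in a recoverable form, so the account credentials configured on the device remain worth protecting through the encrypted save option described in the Configuration Maintenance example.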

Application Scenarios

PPPoE is often used by medium and small-sized enterprises in ADSL broadband access applications. You can use the PPPoE dialup function of the UTM device to access ADSL networks, and then you can further access resources on the public network.

Configuration Guidelines

You can only create dialer interfaces through the interface management module. To set parameters such as username, password, and bundled physical interfaces for a dialer interface, you need to go to the Web page of PPPoE.

PPPoE Configuration Example

Network Requirements Figure 1 Network diagram for PPPoE dialup configuration

Configuration Considerations

Specify the private IP address of GigabitEthernet 0/2 as 2.1.1.1/24 and add the interface to the Trust zone.

Configure GigabitEthernet 0/1 as a dialer interface and add the interface to the Untrust zone.


Software Version Used

F5118

Configuration Procedures

Basic Configurations

Configuring the IP address of GigabitEthernet 0/2

Select Device Management > Interface from the navigation tree.

Click the icon of GigabitEthernet 0/2 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.


Configuring ACL

Select Firewall > ACL from the navigation tree and then click Add on the page that appears. Create ACL 2000 as shown in the figure below.

Click the icon of ACL 2000 and then click Add to add a basic ACL rule for ACL 2000.

Click Apply.

Adding Interfaces to Zones and Configuring Inter-Zone Policies

Adding GigabitEthernet 0/2 to the Trust zone

Select Device Management > Zone from the navigation tree.


Click the icon of the zone named Trust to enter the Modify Zone page. Add GigabitEthernet 0/2 to zone Trust as shown in the figure below, and then click Apply to return to the Zone page.

Configuring inter-zone policies

Select Firewall > Security Policy > Interzone Policy from the navigation tree.

Click Add and then configure a policy to control traffic from zone Untrust to zone Trust as shown in the figure below.


Configuring PPPoE

Select Network > PPPoE > Client from the navigation tree, and then click Add on the page that appears to enter the page for creating a PPPoE client, as shown in the following figure. Configure the PPPoE client as shown in the figure, and then click Apply.


Configuring NAT on the Outgoing Interface

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Click Add in the Dynamic NAT field.

Configure NAT on outgoing interface Dialer 1 as shown in the figure below, and then click Apply.

Verification

Verifying the PPPoE Configuration

If the PPPoE username and password are set correctly, you should be able to see the following information on the serial port. The information shows that the link status and protocol status of interface Dialer 1 are both up, and that a PPPoE connection is established.

<Device>
%Apr 2 16:43:59:349 2009 Device IFNET/4/LINK UPDOWN:
Dialer1:0: link status is UP
%Apr 2 16:44:02:340 2009 Device IFNET/4/UPDOWN:
Line protocol on the interface Dialer1:0 is UP
%Apr 2 16:44:02:497 2009 Device IFNET/4/UPDOWN:
Protocol PPP IPCP on the interface Dialer1:0 is UP
<Device>dis i i br
*down: administratively down
(s): spoofing
Interface           Physical Protocol IP Address       Description
Dialer1             up       up       8.1.1.227        Dialer1 I...
GigabitEthernet0/0  up       up       192.168.103.152  GigabitEt...
GigabitEthernet0/1  up       down     unassigned       GigabitEt...
GigabitEthernet0/2  up       up       2.1.1.1          GigabitEt...
GigabitEthernet0/3  down     down     unassigned       GigabitEt...
GigabitEthernet0/4  down     down     unassigned       GigabitEt...

PCs in the network can access public network 8.1.1.20 by using the PPPoE dialup method.
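The verification above is done by eye on the serial console. As an added example (not H3C code and not part of this manual), the following Python script automates the same check: it parses the IFNET log messages and the "display ip interface brief" output exactly as printed above and reports whether the dialer came up at the link, line-protocol and IPCP layers and received an address. The sample text is copied from this document; the function names and the layer labels "link", "line-protocol" and "ipcp" are this example's own.

```python
"""Automated check for the PPPoE verification step: parse the IFNET log lines
and the 'display ip interface brief' output and decide whether the dialer
interface came up with an address. Added example, not H3C code."""
import re

# Sample serial-port output, copied from the verification section of the manual.
# A Comware log message continues on the line after its '%...UPDOWN:' header.
SAMPLE_LOG = """\
%Apr 2 16:43:59:349 2009 Device IFNET/4/LINK UPDOWN:
Dialer1:0: link status is UP
%Apr 2 16:44:02:340 2009 Device IFNET/4/UPDOWN:
Line protocol on the interface Dialer1:0 is UP
%Apr 2 16:44:02:497 2009 Device IFNET/4/UPDOWN:
Protocol PPP IPCP on the interface Dialer1:0 is UP
"""

SAMPLE_BRIEF = """\
*down: administratively down
(s): spoofing
Interface Physical Protocol IP Address Description
Dialer1 up up 8.1.1.227 Dialer1 I...
GigabitEthernet0/0 up up 192.168.103.152 GigabitEt...
GigabitEthernet0/1 up down unassigned GigabitEt...
GigabitEthernet0/2 up up 2.1.1.1 GigabitEt...
GigabitEthernet0/3 down down unassigned GigabitEt...
GigabitEthernet0/4 down down unassigned GigabitEt...
"""

# One pattern per IFNET message type; group 1 is the interface, group 2 the state.
# The layer labels are this example's own naming.
MESSAGE_PATTERNS = (
    ("link", re.compile(r"(\S+): link status is (UP|DOWN)")),
    ("line-protocol", re.compile(r"Line protocol on the interface (\S+) is (UP|DOWN)")),
    ("ipcp", re.compile(r"Protocol PPP IPCP on the interface (\S+) is (UP|DOWN)")),
)


def parse_ifnet_log(text):
    """Return {(interface, layer): latest state}. Lines that do not start with
    '%' are continuations of the previous message and are joined to it first."""
    records = []
    for line in text.splitlines():
        if line.startswith("%"):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    states = {}
    for rec in records:
        if "IFNET/4/" not in rec:
            continue
        for layer, pattern in MESSAGE_PATTERNS:
            m = pattern.search(rec)
            if m:
                states[(m.group(1), layer)] = m.group(2)
                break
    return states


def parse_interface_brief(text):
    """Return {interface: {'physical', 'protocol', 'ip'}} from the brief table,
    skipping the legend lines and the column header."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Interface", "*down:"):
            continue
        name, physical, protocol, ip = parts[:4]
        table[name] = {"physical": physical.lstrip("*"), "protocol": protocol, "ip": ip}
    return table


def pppoe_is_up(log_text, brief_text, dialer="Dialer1"):
    """True only when the log shows link, line protocol and IPCP UP for the
    dialer's channel and the brief table shows the dialer up with an address."""
    states = parse_ifnet_log(log_text)
    channel = dialer + ":0"
    log_ok = all(states.get((channel, layer)) == "UP" for layer, _ in MESSAGE_PATTERNS)
    row = parse_interface_brief(brief_text).get(dialer)
    table_ok = (row is not None and row["physical"] == "up"
                and row["protocol"] == "up" and row["ip"] != "unassigned")
    return log_ok and table_ok


if __name__ == "__main__":
    print("PPPoE up:", pppoe_is_up(SAMPLE_LOG, SAMPLE_BRIEF))
```

Requiring all three log layers plus the table row guards against the common partial failure where the link comes up but IPCP never completes (wrong credentials), in which case the dialer shows up physically but has no address.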

References

Related Documentation

PPPoE Configuration in the Web configuration documentation set


H3C SecPath UTM Series NAT Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/15

UTM Series NAT Configuration Example

Keywords: NAT, NAPT

Abstract: Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks. With NAT, a smaller number of public IP addresses are used to meet public network access requirements from a larger number of private hosts, and thus NAT effectively alleviates the depletion of IP addresses.

Acronyms:

Acronym   Full spelling
NAPT      Network Address Port Translation
NAT       Network Address Translation


Table of Contents

Feature Overview 3
Many-to-Many NAT and NAT Control 3
NAPT 3
Easy IP 4
Internal Server 4

Application Scenarios·····································································································································4

Configuration Guidelines································································································································4

NAT Configuration Example 5
Network Requirements 5
Configuration Considerations 5
Software Version Used 5
Configuration Procedures 5
Basic Configuration 5
NAT Configuration 9
Verification 13

References 15
Protocols and Standards 15
Related Documentation 15


Feature Overview

Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address.

A private or internal IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique. According to RFC 1918, three blocks of IP addresses are reserved for private networks:

Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255

No host on the Internet can have an IP address in these three ranges, so you can use them freely in an enterprise network without requesting them from an ISP or a registration center.

Many-to-Many NAT and NAT Control

A NAT gateway can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, NAT chooses an available public IP address (if any) to replace the source IP address, forwards the packet, and records the mapping between the two addresses. In this way, multiple internal hosts can access external networks simultaneously. This is called many-to-many NAT.

In practice, an enterprise may need to allow some internal hosts to access external networks while prohibiting others. This can be achieved through the NAT control mechanism. If a source IP address is among addresses denied, the NAT gateway will not translate the address.

Many-to-many NAT can be implemented through an address pool. An address pool is a collection of consecutive public IP addresses for address translation. The NAT gateway will select an address from the address pool during operation. The number of addresses in the pool depends on the number of available public IP addresses, the number of internal hosts, and network requirements.

NAT control can be achieved through access control lists (ACLs). Only packets matching the ACL rules are served by NAT.

NAPT

Network Address Port Translation (NAPT) is a variation of NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT or address multiplexing.


NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts have their source IP addresses mapped to the same public IP address but have their source port numbers mapped to different port numbers.

Easy IP

Easy IP uses the public IP address of an interface on the device as the translated source address, and uses ACLs to permit only certain private IP addresses to be NATed.

Internal Server

NAT hides the internal network structure, including the identities of internal hosts. However, internal hosts such as a web server or an FTP server may need to be accessed by external hosts in practice. NAT satisfies this requirement by supporting internal servers.

With NAT, you can deploy an internal server easily and flexibly. For instance, you can use 20.1.1.10 as the web server’s external address and 20.1.1.11 as the FTP server’s external address. You can even use an address like 20.1.1.12:8080 as the web server’s external address.

Currently, the device supports this feature. When a packet destined for an internal server arrives, NAT translates the destination address in the packet to the private IP address of the internal server. When a response packet from the internal server arrives, NAT translates the source address (a private IP address) of the packet into a public IP address.

Application Scenarios

NAT enables users on a private campus network or enterprise network using private IP addresses to access public networks.

Configuration Guidelines

When configuring the NAT policy module, note that:

1) An address pool to be configured on the device cannot overlap any existing NAT address pool, IP addresses of the interfaces with Easy IP enabled, and public IP addresses of internal servers.

2) A low priority address pool cannot overlap any non-low priority address pool, public IP address in a one-to-one NAT entry, or public IP addresses of internal servers.

3) If the protocol type is not 6 (TCP) or 17 (UDP), you can configure a mapping between an internal IP address and an external IP address, but you cannot configure External Port and Internal Port.

4) You can modify address pools, dynamic NAT entries, static NAT entries, and internal servers through the web interface. Note that the system actually removes the former entries and creates new entries according to the configuration.


NAT Configuration Example

Network Requirements

The UTM 200-S is used in this configuration example.

Figure 1 Network diagram for NAT configuration

Configuration Considerations

Specify the internal IP address of GigabitEthernet 0/2 as 2.1.1.1/24 and add the interface to the Trust zone.

Specify the external IP address of GigabitEthernet 0/1 as 1.1.1.1/24 and add the interface to the Untrust zone.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Specify interface IP addresses

Select Device Management > Interface from the navigation tree.


Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below. Then click Apply to return to the Interface page.

Click the icon of GigabitEthernet 0/2 to enter the Edit Interface page. Configure the interface as shown in the figure below. Then click Apply to return to the Interface page.


Configure ACL 2000

Select Firewall > ACL from the navigation tree and click Add. Define ACL 2000 as shown in the figure below.

Click the icon of ACL 2000 and then click Add. Define a basic ACL rule as shown in the figure below.


Click Apply.

Add interfaces to the Trust zone

Select Device Management > Zone from the navigation tree.

Click the icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/2 to the Trust zone as shown in the figure below. Click Apply to return to the Zone page.

Add GigabitEthernet 0/1 to the Untrust zone in a similar way.


Configure policies

Select Firewall > Security Policy > Interzone Policy from the navigation tree.

Click Add and then configure a policy to control traffic from the Untrust zone to the Trust zone as shown in the figure below.

NAT Configuration

Create an address pool

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Click Add in the Address Pool field.


Create an address pool containing IP addresses 1.1.1.10 through 1.1.1.20, and then click Apply.

Configure dynamic NAT

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Click Add in the Dynamic NAT field.

Configure dynamic NAT on GigabitEthernet 0/1 as shown in the figures below. Then click Apply.


Configure static NAT

Select Firewall > NAT Policy > Static NAT from the navigation tree. Click Add in the Static Address Mapping field.

Configure a static mapping between 2.1.1.10 and 1.1.1.120.


Select Firewall > NAT Policy > Static NAT from the navigation tree. Click Add in the Interface Static Translation field.

Select GigabitEthernet0/1 for Interface and click Apply.

Configure an internal server

Select Firewall > NAT Policy > Internal Server from the navigation tree. Click Add in the Internal Server field.

Configure an FTP server on internal PC1 as shown in the figure below.


Verification

PAT

PC1 accesses PC2 via FTP. Select Firewall > Session Table > Session Summary from the navigation tree to view session information. The source IP address (2.1.1.10) and port number (2357) are translated into 1.1.1.20 and 1027 respectively.

No-PAT

PC1 accesses PC2 via FTP. Select Firewall > Session Table > Session Summary from the navigation tree to view session information. The source IP address (2.1.1.10) is translated into 1.1.1.10, but the source port number is unchanged.


Easy IP

PC1 accesses PC2 via FTP. Select Firewall > Session Table > Session Summary from the navigation tree to view session information. The source IP address is translated into the IP address of the external interface (1.1.1.1), and the source port number 2575 is translated into 1024.

One-to-one static NAT

FTP to 1.1.1.120 from PC2. The connection actually reaches the private IP address 2.1.1.10 (PC1). Select Firewall > Session Table > Session Summary from the navigation tree to view session information.

Internal server

FTP to 1.1.1.1 from PC2. The connection actually reaches the private IP address 2.1.1.10 (PC1). Select Firewall > Session Table > Session Summary from the navigation tree to view session information.
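The Feature Overview describes the translation modes and the Verification section shows one session for each; the following Python model, added here as an illustration and not H3C code, ties the two together by implementing a toy gateway for this example network. It covers dynamic NAT from the 1.1.1.10 to 1.1.1.20 pool in PAT (NAPT) and No-PAT mode, Easy IP on the 1.1.1.1 interface address, ACL-based NAT control, the one-to-one static mapping 2.1.1.10 to 1.1.1.120, the FTP internal server, and the address-pool overlap rule from guideline 1. The class and method names, the choice of the first pool address and the translated port range starting at 1024 are this model's assumptions, not device behaviour (the device's own session shown above picked 1.1.1.20 and port 1027).

```python
"""Toy model of the NAT behaviours this document describes and verifies:
dynamic NAT from an address pool with PAT (NAPT) or No-PAT, Easy IP, ACL-based
NAT control, one-to-one static NAT and an internal server. Added illustration,
not H3C code: address selection order, the port range and the names are this
model's assumptions; the addresses are those of the example network."""
from ipaddress import IPv4Address, ip_network
from itertools import count


class NatGateway:
    def __init__(self, ext_if_ip, acl_permit, pool=None, pat=True):
        self.ext_if_ip = IPv4Address(ext_if_ip)
        self.acl_permit = [ip_network(n) for n in acl_permit]  # NAT control
        self.pool = [IPv4Address(a) for a in pool] if pool else None  # None: Easy IP
        self.pat = pat
        self.static = {}        # private IP -> public IP, one-to-one, any port
        self.servers = {}       # (public IP, proto, public port) -> (private IP, port)
        self.sessions = {}      # (src IP, src port) -> (public IP, public port)
        self.no_pat_used = {}   # private IP -> pool address reserved for it
        self.next_port = count(1024)  # assumption: translated ports start at 1024
        # guideline 1 above: a pool must not overlap the Easy IP interface address
        if self.pool and self.ext_if_ip in self.pool:
            raise ValueError("address pool overlaps the interface address")

    def add_static(self, private_ip, public_ip):
        self.static[IPv4Address(private_ip)] = IPv4Address(public_ip)

    def add_server(self, public_ip, proto, public_port, private_ip, private_port):
        pub = IPv4Address(public_ip)
        # guideline 1 above: a server's public address must not sit in the pool
        if self.pool and pub in self.pool:
            raise ValueError("internal server address overlaps the address pool")
        self.servers[(pub, proto, public_port)] = (IPv4Address(private_ip), private_port)

    def translate_outbound(self, src_ip, src_port):
        """(public IP, public port) for an outbound flow, or None when the ACL
        does not permit the source (NAT control) or the No-PAT pool is exhausted."""
        src = IPv4Address(src_ip)
        if src in self.static:                      # one-to-one static NAT: port kept
            return str(self.static[src]), src_port
        if not any(src in net for net in self.acl_permit):
            return None
        key = (src, src_port)
        if key not in self.sessions:
            if self.pool is None:                   # Easy IP: interface address, new port
                mapped = (self.ext_if_ip, next(self.next_port))
            elif self.pat:                          # NAPT: one pool address, many ports
                mapped = (self.pool[0], next(self.next_port))
            else:                                   # No-PAT: one pool address per host
                pub = self.no_pat_used.get(src)
                if pub is None:
                    free = [a for a in self.pool if a not in self.no_pat_used.values()]
                    if not free:
                        return None
                    pub = self.no_pat_used[src] = free[0]
                mapped = (pub, src_port)            # port unchanged
            self.sessions[key] = mapped
        pub, port = self.sessions[key]
        return str(pub), port

    def translate_inbound(self, dst_ip, dst_port, proto="tcp"):
        """Private (IP, port) for a packet arriving from the public side, or None
        when no server, static entry or existing session claims it."""
        dst = IPv4Address(dst_ip)
        server = self.servers.get((dst, proto, dst_port))
        if server:
            return str(server[0]), server[1]
        for private, public in self.static.items():
            if public == dst:
                return str(private), dst_port
        for (src, sport), mapped in self.sessions.items():
            if mapped == (dst, dst_port):
                return str(src), sport
        return None


def example_pool():
    """Addresses 1.1.1.10 through 1.1.1.20, as created in the example above."""
    return [f"1.1.1.{i}" for i in range(10, 21)]
```

The inbound path is the part worth noticing from a security standpoint: with only dynamic NAT configured, a packet from the public side reaches a private host solely when an existing outbound session claims its destination address and port; the static entry and the internal server are the two deliberate exposures, which is why the guidelines forbid their public addresses from overlapping the dynamic pool.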


References

Protocols and Standards

RFC 1631: The IP Network Address Translator (NAT)

Related Documentation

NAT Configuration in the Web configuration documentation set


H3C SecPath UTM Series Layer 2 and Layer 3 Forwarding Configuration Examples

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/30

UTM Series Layer 2 and Layer 3 Forwarding Configuration Examples

Keywords: Transparent mode, routing mode, hybrid mode, VLAN

Abstract: This document presents configuration examples for the UTM operating in transparent mode, routing mode, and hybrid mode respectively.

Acronyms:

Acronym   Full spelling
UTM       Unified Threat Management
VLAN      Virtual Local Area Network


Table of Contents

Feature Overview 3

Application Scenarios 3

Configuration Guidelines 3

Configuration Examples 3
Network Requirements 3
Configuration Considerations 3
Software Version Used 4
Configuration Procedures 4
Transparent Mode 4
Routing Mode 12
Hybrid Mode 23


Feature Overview

For enterprise networks that already have broadband access devices, the UTM series operate in transparent mode to deliver only security protection and auditing functions, minimizing their impact on the networks.

The UTM series operating in routing mode or hybrid mode are applicable to enterprise networks that have no access gateways, serving as protection and access devices.

Application Scenarios

The three operating modes are applicable to prevalent multilayer switched networks, providing rich security features such as firewall, VPN, intrusion prevention, anti-virus, URL filtering, and application control.

Configuration Guidelines

Refer to the configuration guidelines given in the configuration steps.

Configuration Examples

Network Requirements

Figure 1 Network diagram for Layer 2 and Layer 3 forwarding configuration example (I)

Figure 2 Network diagram for Layer 2 and Layer 3 forwarding configuration example (II)

Configuration Considerations

Configure the operating mode for interfaces.


Add interfaces to security zones. Configure NAT entries, ACLs, routes, and other necessary information.

Software Version Used

F5118

Configuration Procedures

Transparent Mode

Configuring general Layer 2 forwarding

1) Configuration description

Configure hosts in the same VLAN with IP addresses on the same network segment, so that the hosts can communicate with each other.

2) Configuration procedure (see Figure 1)

Select Device Management > Interface from the navigation tree. Configure GigabitEthernet 0/1 and GigabitEthernet 0/2 as Layer 2 interfaces.

Figure 3 Configure GigabitEthernet 0/1 as a Layer 2 interface


Figure 4 Configure GigabitEthernet 0/2 as a Layer 2 interface

Select Network > VLAN > VLAN from the navigation tree, create VLAN 2, and add GigabitEthernet 0/1 and GigabitEthernet 0/2 to VLAN 2.

Figure 5 Add interfaces to VLAN 2

Configure IP addresses for PCs: 192.168.2.10/24 for PC1 and 192.168.2.11/24 for PC2.

Select Device Management > Zone from the navigation tree and edit the Trust zone of the root virtual device. Add GigabitEthernet 0/1 to the Trust zone, and GigabitEthernet 0/2 to the Untrust zone. Ping PC2 from PC1. Result A is obtained.

Edit the Trust zone and modify the VLAN for GigabitEthernet 0/1 from the default 1-4094 to 2, as shown in the figure below. Modify the VLAN for GigabitEthernet 0/2 to 2 and add the interface to the Untrust zone. Ping PC2 from PC1. Result B is obtained.


Figure 6 Modify the Trust zone (1)

Edit the Trust zone again. Set the VLAN for GigabitEthernet 0/1 to a value different from the PVID 2. In this example, the VLAN is set to 1, as shown in the figure below. Ping PC2 from PC1. Result C is obtained.

Figure 7 Modify the Trust zone (2)

3) Verification

Result A: The ping operation succeeds.

Result B: The ping operation succeeds.

Result C: The ping operation fails. Layer 2 packets are forwarded between security zones according to the zones to which the interfaces' VLANs belong. In this example, GigabitEthernet 0/1 rejects VLAN 2 packets because VLAN 2, the VLAN to which GigabitEthernet 0/1 belongs, is not configured for the interface in the Trust zone, even though GigabitEthernet 0/1 itself is in the Trust zone.

4) Configuration guidelines


When editing VLANs for a Layer 2 interface in a security zone, pay attention to the VLANs you specify, as the Layer 2 interface may be used by other security zones on the virtual device.

Configuring inline Layer 2 forwarding

1) Configuration description

Add interfaces to an inline forwarding group.

2) Configuration procedure (see Figure 1)

Select Network > Forwarding from the navigation tree, type 1 for Policy ID, and select GigabitEthernet 0/1 and GigabitEthernet 0/2 as Port 1 and Port 2 respectively. Note that you need to configure the two interfaces as Layer 2 interfaces in advance.

Figure 8 Create an inline forwarding policy

Configure IP addresses for PCs: 192.168.2.10/24 for PC1 and 192.168.2.11/24 for PC2.

Add GigabitEthernet 0/1 to the Trust zone, and GigabitEthernet 0/2 to the Untrust zone. Ping PC2 from PC1. Result A is obtained.

Add GigabitEthernet 0/1 to VLAN 2, and GigabitEthernet 0/2 to VLAN 3. Ping PC2 from PC1. Result B is obtained.

Configure GigabitEthernet 0/1 as an access port, and GigabitEthernet 0/2 as a trunk port. Ping PC2 from PC1. Result C is obtained.

3) Verification

Result A: The ping operation succeeds.

Result B: The ping operation succeeds.

Result C: The ping operation succeeds. Inline Layer 2 forwarding is not affected by the VLAN configurations or the port type.

4) Configuration guidelines

Inline Layer 2 forwarding is implemented through inline forwarding groups, not MAC addresses.

Inline Layer 2 forwarding can be configured on Layer 2 interfaces only. You cannot configure it on a subinterface or a virtual interface.

In the process of inline Layer 2 forwarding, the tag of an incoming packet is checked at the ingress only to determine whether to forward the packet at Layer 3. Note that the VLANs specified for the interface in a security zone are used, instead of the PVID. That is, inline Layer 2 forwarding permits a packet if its VLAN tag is configured in the security zone of the virtual device, and rejects the packet if not.

If the input interface is an access port, the interface does not check the VLAN tag against the PVID upon receiving packets with different VLAN tags. When general Layer 2 forwarding is implemented, the interface accepts packets with no tag or with the same VLAN tag as the PVID.

Inline Layer 2 forwarding on a trunk port is not affected by the permitted VLANs configured on the ingress. In the process of general Layer 2 forwarding on a trunk port, a packet is forwarded only if its VLAN is permitted.

In this example, a packet forwarded by GigabitEthernet 0/2 is transparently transmitted without having the tag removed. That is, the packet is received on one interface of the inline forwarding group and, after being processed by the security module, is forwarded transparently through the other interface.
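The guidelines above contrast two different ingress checks: general Layer 2 forwarding looks at the PVID of an access port or the permitted list of a trunk, while inline Layer 2 forwarding looks only at the VLANs configured for the interface in its security zone. The following Python model is an added example, not code from the document or from H3C; it parses the 802.1Q tag of a constructed frame, applies both checks, and replays Results A, B and C to show why the VLAN and port-type changes never affect the inline path. Zone VLAN ranges, the VLAN-1 treatment of untagged frames and the trunk's default permitted list are assumptions of the model.

```python
"""Model of the inline and general Layer 2 forwarding checks (added example)."""
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100


def vlan_of_frame(frame: bytes) -> Optional[int]:
    """Return the 802.1Q VID carried by an Ethernet frame, or None if it is untagged.
    The tag follows the 12 bytes of destination and source MAC: a 2-byte TPID
    (0x8100) and a 2-byte TCI whose low 12 bits are the VID."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a tag")
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF


def make_frame(vid: Optional[int]) -> bytes:
    """Constructed sample frame (MACs and payload are arbitrary), tagged when vid is given."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = b"" if vid is None else TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return dst + src + tag + (0x0800).to_bytes(2, "big") + bytes(20)


@dataclass
class Port:
    name: str
    link_type: str                 # "access" or "trunk"
    pvid: int = 1
    permitted: set = field(default_factory=lambda: {1})   # trunk: permitted VLANs (assumed default: 1)
    zone: Optional[str] = None     # security zone the port belongs to


@dataclass
class Zone:
    name: str
    vlans: set                     # VLANs configured for interfaces in this zone


def general_l2_forward(ingress: Port, egress: Port, vid: Optional[int]) -> bool:
    """General Layer 2 forwarding: an access port accepts untagged frames or frames tagged
    with its PVID; a trunk accepts only permitted VLANs. The egress port must carry the
    same VLAN (access PVID or trunk permitted list)."""
    vlan = ingress.pvid if vid is None else vid
    if ingress.link_type == "access":
        if vid is not None and vid != ingress.pvid:
            return False
    elif vlan not in ingress.permitted:
        return False
    if egress.link_type == "access":
        return egress.pvid == vlan
    return vlan in egress.permitted


def inline_l2_forward(ingress: Port, zones: dict, vid: Optional[int]) -> bool:
    """Inline Layer 2 forwarding: only the ingress tag is examined, and only against the
    VLANs configured for the ingress interface's security zone. PVID, port type and the
    trunk's permitted list play no part, and the frame leaves the other port of the inline
    forwarding group with its tag untouched. Untagged frames count as VLAN 1 here (assumption)."""
    zone = zones.get(ingress.zone)
    if zone is None:
        return False
    vlan = 1 if vid is None else vid
    return vlan in zone.vlans


def run_scenarios() -> dict:
    """Replay the three pings of the procedure (untagged frames from PC1) plus one tagged
    frame, returning (inline, general) outcomes per scenario."""
    # Constructed zone VLAN ranges: both zones permit VLANs 1 to 3 but not 200.
    zones = {"Trust": Zone("Trust", {1, 2, 3}), "Untrust": Zone("Untrust", {1, 2, 3})}
    ge1 = Port("GigabitEthernet0/1", "access", pvid=1, zone="Trust")
    ge2 = Port("GigabitEthernet0/2", "access", pvid=1, zone="Untrust")
    vid = vlan_of_frame(make_frame(None))
    results = {}
    # A: both ports in VLAN 1
    results["A"] = (inline_l2_forward(ge1, zones, vid), general_l2_forward(ge1, ge2, vid))
    # B: GigabitEthernet 0/1 in VLAN 2, GigabitEthernet 0/2 in VLAN 3
    ge1.pvid, ge2.pvid = 2, 3
    results["B"] = (inline_l2_forward(ge1, zones, vid), general_l2_forward(ge1, ge2, vid))
    # C: GigabitEthernet 0/1 access (VLAN 2), GigabitEthernet 0/2 trunk permitting only VLAN 1
    ge2 = Port("GigabitEthernet0/2", "trunk", pvid=1, permitted={1}, zone="Untrust")
    results["C"] = (inline_l2_forward(ge1, zones, vid), general_l2_forward(ge1, ge2, vid))
    # A frame tagged with VLAN 200 is rejected by inline forwarding: 200 is not in the zone
    tagged = vlan_of_frame(make_frame(200))
    results["tagged_200"] = (inline_l2_forward(ge1, zones, tagged), general_l2_forward(ge1, ge2, tagged))
    return results
```

In every scenario the inline check returns True while the general check fails as soon as the VLANs or port types diverge, which is the behaviour recorded as Results A to C; the tagged frame shows the one thing that does stop inline forwarding, a VLAN outside the zone's configured range.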

Configuring inter-VLAN Layer 2 forwarding

1) Configuration description

Configure hosts in different VLANs but with IP addresses on the same network segment to communicate with each other.

2) Configuration procedure (see Figure 2)

Configure devices through CLI

On the switch:

#
interface GigabitEthernet1/0/1
 port access vlan 102
#
interface GigabitEthernet1/0/10
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 102 to 103
#

On the Device:

#
vlan 102 to 103
#
vlan 1000
#
interface GigabitEthernet0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 102 to 103
#

Configure the Device through the web interface


Select Device Management > Interface from the navigation tree and create Layer 2 subinterfaces GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103.

Figure 9 Create GigabitEthernet 0/1.102

Select Network > VLAN > VLAN from the navigation tree, and add GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103 to VLAN 1000.

Figure 10 Add subinterfaces to VLAN 1000

Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 and GigabitEthernet 0/1.102 to the Trust zone and make sure that VLAN 1000 is included in the VLANs permitted on the interfaces. Add GigabitEthernet 0/1.103 to the Untrust zone and make sure that VLAN 1000 is included in the VLANs permitted on the interface.


Figure 11 Edit the Trust zone

Configure IP addresses for PCs: 192.168.2.10/24 for PC1 and 192.168.2.11/24 for PC2.

Ping PC2 from PC1. Result A is obtained.

Ping PC1 from PC2. Result B is obtained.

Add GigabitEthernet 0/1 to the Untrust zone and then ping PC2 from PC1. Result C is obtained.

Delete VLAN 1000 and configure VLAN 102 and VLAN 103 on the Device. Ping PC2 from PC1. Result D is obtained.

Delete VLAN 102 and VLAN 103 and configure VLAN 1000 on the Device. Ping PC2 from PC1. Result E is obtained.

Configuring inter-VLAN Layer 2 forwarding on a non-default virtual device:

Select Device Management > Virtual Device > Configuration from the navigation tree and click Add to create a virtual device named H3C.

Figure 12 Create a virtual device

Select Device Management > Virtual Device > VLAN from the navigation tree, and configure VLAN 1000 as the VLAN member of the virtual device H3C.


Figure 13 Configure the VLAN member for the virtual device

Select Device Management > Zone from the navigation tree. Create security zones H3C_trust and H3C_untrust for the virtual device.

Figure 14 Create security zone H3C_trust

Figure 15 Create security zone H3C_untrust

Add GigabitEthernet 0/1.102 to H3C_trust, and GigabitEthernet 0/1.103 to H3C_untrust. Ping PC2 from PC1. Result F is obtained.

3) Verification

Result A: The ping operation succeeds.

Result B: The ping operation fails. This is because PC2 resides in the Untrust zone, whereas PC1 resides in the Trust zone, which has a higher priority than the Untrust zone.


Result C: The ping operation succeeds. On a physical port working in bridge mode, Layer 2 subinterfaces are configured to implement inter-VLAN Layer 2 forwarding. Packets are forwarded between security zones according to those permitted on the Layer 2 subinterfaces, instead of the security zone where the physical interface resides. Therefore, the forwarding is not affected after GigabitEthernet 0/1 is added to the Untrust zone.

Result D: The ping operation succeeds. Although VLAN 1000 is deleted, traffic can be forwarded because the PVID of GigabitEthernet 0/1.102 and GigabitEthernet 0/1.103 is VLAN 1.

Result E: The ping operation fails. No Layer 2 forwarding entry is created because VLAN 102 and VLAN 103 do not exist.

Result F: The ping operation succeeds.

4) Configuration guidelines

To implement inter-VLAN Layer 2 forwarding, make sure that the VLAN with the same ID as the Layer 2 subinterface ID exists.

On a physical port working in bridge mode, Layer 2 subinterfaces are configured to implement inter-VLAN Layer 2 forwarding. Packets are forwarded between security zones according to those permitted on the Layer 2 subinterfaces, instead of the security zone where the physical interface resides.

To implement inter-VLAN Layer 2 forwarding, make sure that you add the PVID of the subinterface to the VLAN range of the security zone.

If no VLAN is configured for a subinterface, the PVID is 1, and therefore, you need to add VLAN 1 in the VLAN range of the security zone.

When configuring inter-VLAN Layer 2 forwarding, do not set the PVID of a subinterface to the subinterface ID; otherwise, the downstream switches may fail to learn the MAC address of the subinterface. This is a defect at present.
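Results A to E and the guidelines above reduce to three checks on each Layer 2 subinterface plus one interzone decision. The Python model below is an added example, not code from the document or from H3C: it requires the VLAN matching the subinterface ID to exist, requires the subinterface PVID to lie in its zone's VLAN range, warns when PVID equals the subinterface ID, and permits traffic only from the higher-priority zone to the lower-priority one unless an explicit interzone policy (like the one applied later in the hybrid-forwarding example) says otherwise. The zone priority values, the zone VLAN ranges and the PVID fallback to 1 after VLAN 1000 is deleted are assumptions taken from the example's own description; the physical port's zone is deliberately not an input, which is why Result C holds.

```python
"""Model of inter-VLAN Layer 2 forwarding through Layer 2 subinterfaces (added example)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Zone:
    name: str
    priority: int        # higher value = more trusted; only the ordering matters here
    vlans: set           # VLAN range permitted on interfaces that belong to this zone


@dataclass
class L2Subinterface:
    name: str
    vid: int             # subinterface ID, e.g. 102 for GigabitEthernet 0/1.102
    zone: str
    pvid: int = 1        # PVID is 1 when no VLAN is configured for the subinterface


@dataclass
class Device:
    vlans: set                       # VLANs that exist on the Device
    zones: dict
    subifs: dict
    policies: dict = field(default_factory=dict)   # (src_zone, dst_zone) -> True permits, False denies

    def interzone_permitted(self, src: str, dst: str) -> bool:
        """An explicit interzone policy wins; otherwise traffic flows only from the
        higher-priority zone to the lower-priority one (the default in the example)."""
        if (src, dst) in self.policies:
            return self.policies[(src, dst)]
        return self.zones[src].priority > self.zones[dst].priority


def check_subinterface(dev: Device, sub: L2Subinterface) -> Optional[str]:
    """Return None when the subinterface can take part in inter-VLAN Layer 2 forwarding,
    otherwise the reason it cannot."""
    if sub.vid not in dev.vlans:
        return f"{sub.name}: VLAN {sub.vid} does not exist, so no Layer 2 forwarding entry is created"
    if sub.pvid not in dev.zones[sub.zone].vlans:
        return f"{sub.name}: PVID {sub.pvid} is not in the VLAN range of zone {sub.zone}"
    return None


def lint(dev: Device) -> list:
    """Warn about the PVID == subinterface ID case the guidelines ask you to avoid."""
    return [f"{s.name}: PVID equals the subinterface ID; downstream switches may not learn its MAC"
            for s in dev.subifs.values() if s.pvid == s.vid]


def forward(dev: Device, src_name: str, dst_name: str) -> Tuple[bool, str]:
    """Decide whether a frame entering on src_name may leave on dst_name. Only the
    subinterfaces' zones are consulted, never the zone of the physical port."""
    src, dst = dev.subifs[src_name], dev.subifs[dst_name]
    for sub in (src, dst):
        reason = check_subinterface(dev, sub)
        if reason:
            return False, reason
    if not dev.interzone_permitted(src.zone, dst.zone):
        return False, f"no interzone policy permits {src.zone} -> {dst.zone}"
    return True, f"forwarded {src.zone} -> {dst.zone}"


def run_scenarios() -> dict:
    """Replay Results A, B, D and E of the verification, then add an explicit policy."""
    # Constructed priorities: the example only states that Trust ranks above Untrust.
    zones = {"Trust": Zone("Trust", 85, {1, 1000}), "Untrust": Zone("Untrust", 5, {1, 1000})}
    subifs = {"GE0/1.102": L2Subinterface("GE0/1.102", 102, "Trust", pvid=1000),
              "GE0/1.103": L2Subinterface("GE0/1.103", 103, "Untrust", pvid=1000)}
    dev = Device({1, 102, 103, 1000}, zones, subifs)
    out = {}
    out["A"] = forward(dev, "GE0/1.102", "GE0/1.103")[0]   # Trust -> Untrust
    out["B"] = forward(dev, "GE0/1.103", "GE0/1.102")[0]   # Untrust -> Trust, denied by default
    # D: VLAN 1000 deleted; the subinterfaces fall back to PVID 1, which both zones permit
    dev.vlans.discard(1000)
    for s in subifs.values():
        s.pvid = 1
    out["D"] = forward(dev, "GE0/1.102", "GE0/1.103")[0]
    # E: VLANs 102 and 103 deleted and VLAN 1000 recreated: no forwarding entry exists
    dev.vlans = {1, 1000}
    out["E"] = forward(dev, "GE0/1.102", "GE0/1.103")[0]
    # An explicit Untrust -> Trust permit policy reverses Result B
    dev.vlans = {1, 102, 103}
    dev.policies[("Untrust", "Trust")] = True
    out["B_with_policy"] = forward(dev, "GE0/1.103", "GE0/1.102")[0]
    return out
```

The second element returned by forward() names the failing check, which is the information a troubleshooter wants when a ping between two VLANs fails; lint() is meant to run after any change to subinterface PVIDs.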

Routing Mode

Configuring Layer 3 interface forwarding

1) Configuration description

Configure the Device to route packets between hosts on different network segments.

2) Configuration procedure (see Figure 1)

Select Device Management > Interface from the navigation tree. Configure the router mode for GigabitEthernet 0/1 and specify the IP address as 192.168.2.1/24. Configure the router mode for GigabitEthernet 0/2 and specify the IP address as 192.168.3.1/24.


Figure 16 Configure GigabitEthernet 0/1


Figure 17 Configure GigabitEthernet 0/2

Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 to the Trust zone and GigabitEthernet 0/2 to the Untrust zone.

Figure 18 Add GigabitEthernet 0/1 to the Trust zone


Figure 19 Add GigabitEthernet 0/2 to the Untrust zone

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to GigabitEthernet 0/2 and enable Easy IP. ACL 3000 allows packets from 192.168.2.0/24 to pass.

Figure 20 Configure dynamic NAT

Figure 21 Configure ACL 3000

3) Verification

Configure IP address 192.168.2.10/24 and gateway 192.168.2.1 for PC1, and IP address 192.168.3.11/24 and gateway 192.168.3.1 for PC2. Ping PC2 from PC1. The ping operation succeeds and the session information displayed on the Device is as follows:


Figure 22 Session information
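The dynamic NAT step applies ACL 3000 to the Untrust-side interface with Easy IP, so flows sourced from 192.168.2.0/24 leave with the interface's own address 192.168.3.1, and the Device keeps a session to map replies back. The following Python model is an added example, not code from the document or from H3C, and it applies equally to the VLAN-interface and hybrid variants later in this chapter, which use the same ACL and NAT settings. It evaluates the ACL, translates the verification ping, reverse-maps the reply, and shows two caveats a reviewer looks for: a source outside the ACL is forwarded without translation, and unsolicited inbound traffic has no session to match. The ICMP identifier is used in place of a port, port allocation starting at 1024 and the 10.9.9.9 host are assumptions.

```python
"""Model of the dynamic NAT (Easy IP) step of the verification (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int      # for ICMP echo the identifier plays the role of the source port
    dport: int      # 0 for ICMP echo requests in this model


# ACL 3000 from the example: permit traffic sourced from 192.168.2.0/24; nothing else matches.
ACL_3000 = [("permit", ipaddress.ip_network("192.168.2.0/24"))]


def acl_match(acl, src_ip: str) -> bool:
    """First matching rule decides; an unmatched source is not selected for translation."""
    ip = ipaddress.ip_address(src_ip)
    for action, network in acl:
        if ip in network:
            return action == "permit"
    return False


class EasyIpNat:
    """Easy IP translates flows selected by the ACL to the address of the interface the
    policy is applied to (GigabitEthernet 0/2, 192.168.3.1 here). Flows the ACL does not
    select are forwarded untouched, so the ACL decides which inside addresses ever appear
    on the outside interface."""

    def __init__(self, interface_ip: str, acl, first_port: int = 1024):
        self.interface_ip = interface_ip
        self.acl = acl
        self.next_port = first_port            # assumed allocation start
        self.forward: Dict[Tuple, int] = {}    # inside 5-tuple -> allocated port
        self.reverse: Dict[Tuple, Tuple[str, int]] = {}   # reply 5-tuple -> (inside ip, inside port)
        self.sessions: List[Tuple] = []

    def egress(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Packet leaving through the NAT interface: returns (packet as sent, translated?)."""
        if not acl_match(self.acl, pkt.src):
            return pkt, False
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.next_port += 1
            nat_port = self.forward[key]
            # A reply arrives from pkt.dst addressed to the interface and the allocated port.
            self.reverse[(pkt.proto, pkt.dst, pkt.dport, self.interface_ip, nat_port)] = (pkt.src, pkt.sport)
            self.sessions.append((pkt.proto, f"{pkt.src}:{pkt.sport}",
                                  f"{self.interface_ip}:{nat_port}", f"{pkt.dst}:{pkt.dport}"))
        nat_port = self.forward[key]
        return Packet(self.interface_ip, pkt.dst, pkt.proto, nat_port, pkt.dport), True

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the NAT interface: map it back to the inside host, or None
        when no session exists (unsolicited inbound traffic has nowhere to go)."""
        inside = self.reverse.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, inside[0], pkt.proto, pkt.sport, inside[1])

    def session_table(self) -> List[Tuple]:
        """Rows in the spirit of the Device's session display: proto, inside, translated, outside."""
        return list(self.sessions)


def ping_pc2_from_pc1() -> dict:
    """Replay the verification ping PC1 192.168.2.10 -> PC2 192.168.3.11 through GigabitEthernet 0/2."""
    nat = EasyIpNat("192.168.3.1", ACL_3000)
    request = Packet("192.168.2.10", "192.168.3.11", "icmp", 1, 0)
    sent, translated = nat.egress(request)
    reply = Packet("192.168.3.11", sent.src, "icmp", sent.dport, sent.sport)
    delivered = nat.ingress(reply)
    # A constructed host outside ACL 3000 leaves the interface with its real address.
    other, other_translated = nat.egress(Packet("10.9.9.9", "192.168.3.11", "icmp", 7, 0))
    return {"sent": sent, "translated": translated, "delivered": delivered,
            "other_src": other.src, "other_translated": other_translated,
            "unsolicited": nat.ingress(Packet("192.168.3.11", "192.168.3.1", "tcp", 4444, 22)),
            "sessions": nat.session_table()}
```

The session row produced for the ping is what Figure 22 displays on the real Device: the inside address and identifier, the translated address and port, and the destination.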

Configuring inter-VLAN Layer 3 forwarding

1) Configuration description

Configure the Device to forward packets through VLAN virtual interfaces.

2) Configuration procedure (see Figure 1)

Select Device Management > Interface from the navigation tree. Configure the access mode for GigabitEthernet 0/1, add the interface to VLAN 2, create VLAN-interface 2 and specify the IP address as 192.168.2.1/24. Configure the access mode for GigabitEthernet 0/2, add the interface to VLAN 3, create VLAN-interface 3 and specify the IP address as 192.168.3.1/24.

Figure 23 Create VLAN-interface 2


Figure 24 Create VLAN-interface 3

Select Device Management > Zone from the navigation tree. Add VLAN-interface 2 to the Trust zone, and add VLAN-interface 3 to the Untrust zone.


Figure 25 Add interfaces to the Trust zone

Figure 26 Add interface to the Untrust zone


Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to VLAN-interface 3 and enable Easy IP. ACL 3000 allows packets from 192.168.2.0/24 to pass.

Figure 27 Configure dynamic NAT

Figure 28 Configure ACL 3000

3) Verification

Configure IP address 192.168.2.10/24 and gateway 192.168.2.1 for PC1, and IP address 192.168.3.11/24 and gateway 192.168.3.1 for PC2. Ping PC2 from PC1. The ping operation succeeds and the session information displayed on the Device is as follows:

Figure 29 Session information

Configuring Layer 3 subinterface forwarding

1) Configuration description

Configure the Device to forward packets through Layer 3 subinterfaces.

2) Configuration procedure (see Figure 2)

Configure the switch

#
interface GigabitEthernet1/0/1
 port access vlan 102
#
interface GigabitEthernet1/0/10
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 102 to 103
#

Configure the Device

Select Device Management > Interface from the navigation tree. Configure the router mode for GigabitEthernet 0/1. Create subinterface GigabitEthernet 0/1.1 and specify the VID as 102, and the IP address as 192.168.2.1/24. Create subinterface GigabitEthernet 0/1.2 and specify the VID as 103, and the IP address as 192.168.3.1/24.

Figure 30 Configure GigabitEthernet 0/1


Figure 31 Create GigabitEthernet 0/1.1

Figure 32 Create GigabitEthernet 0/1.2

Select Device Management > Zone from the navigation tree. Add GigabitEthernet 0/1 and GigabitEthernet 0/1.1 to the Trust zone, and GigabitEthernet 0/1.2 to the Untrust zone.


Figure 33 Add interfaces to the Trust zone

Configure IP address 192.168.2.10 and default gateway 192.168.2.1 for PC1, and IP address 192.168.3.11 and default gateway 192.168.3.1 for PC2.

Ping PC2 from PC1. Result A is obtained.

Ping PC1 from PC2. Result B is obtained.

Add GigabitEthernet 0/1 to the Untrust zone, and then ping PC2 from PC1. Result C is obtained.

Remove the VID specified for the Layer 3 subinterfaces of the Device and then ping PC2 from PC1. Result D is obtained.

Configure Layer 3 subinterface forwarding on a non-default virtual device. Create a virtual device named H3C, create H3C_trust and H3C_untrust zones for the virtual device, and add subinterface GigabitEthernet 0/1.1 and GigabitEthernet 0/1.2 to the virtual device as interface members.

Figure 34 Add interfaces to the virtual device


Add GigabitEthernet 0/1.1 to H3C_trust, and GigabitEthernet 0/1.2 to H3C_untrust. Ping PC2 from PC1. Result E is obtained.

3) Verification

Result A: The ping operation succeeds.

Result B: The ping operation fails.

Result C: The ping operation succeeds. After Layer 3 subinterfaces are configured on a physical port working in router mode, packets are forwarded between security zones according to the security zones where Layer 3 subinterfaces reside.

Result D: The ping operation fails. The VID is needed to specify the tag type and VLAN.

Result E: The ping operation succeeds.

4) Configuration guidelines

After Layer 3 subinterfaces are configured on a physical port working in router mode, packets are forwarded between security zones according to the security zones where the Layer 3 subinterfaces reside.

To implement Layer 3 subinterface forwarding in a non-default virtual device, you need to configure the subinterfaces used for forwarding packets as the interface members of the virtual device.

Hybrid Mode

Configuring general hybrid mode

1) Configuration description

Configure VLAN virtual interfaces and Layer 3 interfaces on the Device to forward packets.

2) Configuration procedure (see Figure 1)

Select Device Management > Interface from the navigation tree. Configure GigabitEthernet 0/1 as an access port working in bridge mode, add the interface to VLAN 2, create VLAN-interface 2 and specify the IP address as 192.168.2.1/24. Configure the router mode for GigabitEthernet 0/2 and specify the IP address as 192.168.3.1/24.


Figure 35 Create VLAN-interface 2

Figure 36 Configure GigabitEthernet 0/2


Select Device Management > Zone from the navigation tree. Add VLAN-interface 2 to the Trust zone, and GigabitEthernet 0/2 to the Untrust zone.

Figure 37 Add interfaces to the Trust zone

Figure 38 Add GigabitEthernet 0/2 to the Untrust zone


Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Apply ACL 3000 to GigabitEthernet 0/2 and enable Easy IP. ACL 3000 allows packets from 192.168.2.0/24 to pass.

Figure 39 Configure dynamic NAT

Figure 40 Configure ACL 3000

3) Verification

Configure IP address 192.168.2.10/24 and gateway 192.168.2.1 for PC1, and IP address 192.168.3.11/24 and gateway 192.168.3.1 for PC2. Ping PC2 from PC1. The ping operation succeeds and the session information displayed on the Device is as follows:

Figure 41 Session information

Configuring Layer 2 and Layer 3 hybrid forwarding

1) Configuration description

Configure Layer 2 and Layer 3 hybrid forwarding on the Device.

2) Configuration procedure (see Figure 2)

Configure devices through CLI

On the switch:

#
interface GigabitEthernet1/0/1
 port access vlan 102
#
interface GigabitEthernet1/0/10
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 102 to 103
#

On the Device:

#
vlan 100 to 103
#
interface GigabitEthernet0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 102 to 103
#

Configure the Device through the web interface

Select Device Management > Interface from the navigation tree. Create Layer 2 subinterface GigabitEthernet 0/1.102, add it to VLAN 100. Create VLAN-interface 100 and specify the IP address as 192.168.2.1/24. Create VLAN-interface 103 and specify the IP address as 192.168.3.1/24.

Figure 42 Create GigabitEthernet 0/1.102


Figure 43 Create VLAN-interface 100

Figure 44 Create VLAN-interface 103

Select Device Management > Zone from the navigation tree. Add VLAN-interface 100 to the Trust zone. Add VLAN-interface 103 to the Untrust zone.


Figure 45 Add interfaces to the Trust zone

Figure 46 Add VLAN-interface 103 to the Untrust zone

Configure IP address 192.168.2.10 and default gateway 192.168.2.1 for PC1, and IP address 192.168.3.11 and default gateway 192.168.3.1 for PC2.

Ping the IP address of PC2 from PC1. Result A is obtained.


Select Firewall > Security Policy > Interzone Policy from the navigation tree. Define a policy to permit all traffic from the Untrust zone to the Trust zone. Ping the gateway of PC1 from PC2. Result B is obtained.

Figure 47 Define an inter-zone policy

Configure Layer 2 and Layer 3 hybrid forwarding on a non-default virtual device. Create a virtual device named H3C and configure VLAN 100 and VLAN 103 as the device members of the virtual device. Type 100 in the VLAN text box next to GigabitEthernet 0/1.102 and add VLAN-interface 100 to the H3C_trust zone. Type 103 in the VLAN text box next to GigabitEthernet 0/1 and add VLAN-interface 103 to the H3C_untrust zone. Ping PC2 from PC1. Result C is obtained.

3) Verification

Result A: The ping operation succeeds.

Result B: The ping operation succeeds.

Result C: The ping operation succeeds.

4) Configuration guidelines

The PVID of a Layer 2 subinterface cannot be the same as the subinterface ID, or the same as the ID of the VLAN to which a Layer 3 VLAN virtual interface belongs. In this example, the ID of the Layer 2 subinterface is 102, the PVID is 100, and the VLAN ID of the Layer 3 virtual interface is 103.

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.


H3C SecPath UTM Series DHCP Configuration Examples

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/14

UTM Series DHCP Configuration Examples

Keywords: DHCP

Abstract: This document describes DHCP configuration methods and configuration examples.

Acronyms:

Acronym Full spelling

DHCP Dynamic Host Configuration Protocol


Table of Contents

Feature Overview 3
  DHCP Overview 3
  Address Allocation Mechanisms 3
  IP Address Allocation Sequence 3
Application Scenarios 3
DHCP Configuration Example I 3
  Network Requirements 3
  Configuration Considerations 4
  Software Version Used 4
  Configuration Procedures 4
    Basic Configuration 4
    Configuration on the DHCP Server 6
    Configuration on DHCP Clients 7
    Verification 8
  Configuration Guidelines 9
Troubleshooting 9
DHCP Configuration Example II 10
  Network Requirements 10
  Configuration Considerations 10
  Software Version Used 10
  Configuration Procedure 11
    Configuration on the DHCP Server 11
    Configuration on the DHCP Relay 11
    Configuration on DHCP Client 12
    Verification 13
  Configuration Guidelines 13
Troubleshooting 13
References 14
  Protocols and Standards 14
  Related Documentation 14


Feature Overview

DHCP Overview

A DHCP client sends a configuration request and then a DHCP server returns a reply to send configuration parameters such as an IP address to the client.

Address Allocation Mechanisms

DHCP supports three mechanisms for IP address allocation.

Manual allocation: The network administrator assigns an IP address to a client like a web server, and DHCP conveys the assigned address to the client.

Automatic allocation: DHCP assigns a permanent IP address to a client.

Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.

IP Address Allocation Sequence

A DHCP server assigns an IP address to a client according to the following sequence:

1) The IP address manually bound to the client's MAC address or ID

2) The IP address that was ever assigned to the client

3) The IP address designated by the Option 50 field in the DHCP-DISCOVER message

4) The first assignable IP address found in a proper common address pool

5) The IP address that was a conflict or passed its lease duration

If no IP address is assignable, the server does not respond.
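The five-step sequence above is an ordered search over a pool's static bindings, lease records and free addresses. The Python model below is an added example, not code from the document or from H3C: select_address() walks the steps in order and returns None when nothing is assignable, and run_example() replays the search on the 10.1.1.0 subnet of Example I (shrunk to a /29 so the pool can be exhausted) with constructed client identifiers, a reserved address for the router, an Option 50 request, an expired lease and a conflicting one. Lease timestamps, the /29 size and the 10.1.1.2 reservation are assumptions.

```python
"""Model of the DHCP server's address selection sequence (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterator, Optional, Set


@dataclass
class Lease:
    ip: str
    client_id: str          # MAC address or client identifier
    expires_at: float       # lease end, seconds since the epoch
    conflict: bool = False  # address found in use by another host


@dataclass
class Pool:
    network: IPv4Network
    static_bindings: Dict[str, str] = field(default_factory=dict)  # client_id -> reserved ip
    leases: Dict[str, Lease] = field(default_factory=dict)         # ip -> lease record
    excluded: Set[str] = field(default_factory=set)                # never handed out (server's own address)

    def is_free(self, ip: str) -> bool:
        return (IPv4Address(ip) in self.network and ip not in self.excluded
                and ip not in self.leases and ip not in self.static_bindings.values())

    def free_addresses(self) -> Iterator[str]:
        for host in self.network.hosts():
            ip = str(host)
            if self.is_free(ip):
                yield ip


def select_address(pool: Pool, client_id: str, requested_ip: Optional[str] = None,
                   now: float = 0.0) -> Optional[str]:
    """Walk the five steps in order; None means nothing is assignable and the server stays silent."""
    # 1) Address manually bound to this client's MAC address or ID
    if client_id in pool.static_bindings:
        return pool.static_bindings[client_id]
    # 2) Address this client was given before (its lease record, even if expired)
    for lease in pool.leases.values():
        if lease.client_id == client_id and not lease.conflict:
            return lease.ip
    # 3) Address the client asked for in Option 50 of DHCP-DISCOVER, if free in this pool
    if requested_ip is not None and pool.is_free(requested_ip):
        return requested_ip
    # 4) First assignable address in the pool
    for ip in pool.free_addresses():
        return ip
    # 5) Reclaim an address whose lease expired or that was marked as a conflict
    for lease in pool.leases.values():
        if lease.conflict or lease.expires_at <= now:
            return lease.ip
    return None


def run_example() -> dict:
    """Constructed walk-through: 10.1.1.0/29, server on 10.1.1.1, router reserved 10.1.1.2."""
    now = 1_000_000.0
    pool = Pool(IPv4Network("10.1.1.0/29"),
                static_bindings={"router-mac": "10.1.1.2"},   # the router's fixed address (assumed)
                excluded={"10.1.1.1"})                        # the server's GigabitEthernet 0/1
    out = {}
    out["router"] = select_address(pool, "router-mac", now=now)                 # step 1
    out["pc_option50"] = select_address(pool, "pc-mac", "10.1.1.5", now=now)    # step 3
    pool.leases["10.1.1.5"] = Lease("10.1.1.5", "pc-mac", now + 3600)
    out["pc_again"] = select_address(pool, "pc-mac", now=now)                   # step 2
    out["laptop"] = select_address(pool, "laptop-mac", "10.1.1.5", now=now)     # request taken, step 4
    pool.leases["10.1.1.3"] = Lease("10.1.1.3", "laptop-mac", now + 3600)
    pool.leases["10.1.1.4"] = Lease("10.1.1.4", "guest-mac", now - 1)           # expired lease
    pool.leases["10.1.1.6"] = Lease("10.1.1.6", "old-mac", now + 3600, conflict=True)
    out["newcomer"] = select_address(pool, "new-mac", now=now)                  # pool full, step 5
    pool.leases["10.1.1.4"] = Lease("10.1.1.4", "new-mac", now + 3600)
    pool.leases["10.1.1.6"].conflict = False
    out["exhausted"] = select_address(pool, "late-mac", now=now)                # nothing left
    return out
```

Step 2 is what lets a returning PC keep its address across reboots, and step 5 is the only path that reuses an address once the pool is full; a None result is the silent-server case the text describes, which is worth alerting on because clients then stay without an address.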

Application Scenarios

As many people need to take their laptops across networks, the IP addresses need to be changed accordingly. Therefore, related configurations on hosts become more complex. Built on a client-server model, DHCP provides dynamic address allocation to simplify host configuration.

DHCP Configuration Example I

Network Requirements

The U200-S is used in this configuration example.


As shown in Figure 1, two DHCP clients, the router and PC, reside on the same subnet as the DHCP server. The router is connected to the DHCP server through GigabitEthernet 0/1, and the PC is connected to the DHCP server through a network interface card. The IP address of GigabitEthernet 0/1 of the DHCP server is 10.1.1.1/24.

Configure the devices to allow the PC to obtain an IP address and other parameters dynamically from the DHCP server, and to allow the router to obtain a fixed IP address and other parameters from the DHCP server.

Figure 1 Network diagram for DHCP configuration example I (DHCP Server, GE 0/1 10.1.1.1/24; Client 1 and Client 2, the router attached through its GE 0/1)

Configuration Considerations

Configure the UTM as the DHCP server. Configure the PC and the router as DHCP clients.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Specify the IP address of GigabitEthernet 0/1

Select Device Management > Interface from the navigation tree.


Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.

Add GigabitEthernet 0/1 to the Trust zone

Select Device Management > Zone from the navigation tree.

Click the icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/1 to the Trust zone as shown in the figure below, and then click Apply to return to the Zone page.


Configuration on the DHCP Server

Enable DHCP

Select Network > DHCP > DHCP Server from the navigation tree, and then click on the Enable radio button, as shown in the figure below.

Create a dynamic DHCP address pool

On the DHCP Server page, click on the Dynamic radio button and click Add to enter the page shown below:


Create a static DHCP address pool

On the DHCP Server page, click on the Static radio button and click Add to enter the page shown below:

Configuration on DHCP Clients

Configure GigabitEthernet 0/1 of the router to obtain an IP address through DHCP.


Configure the PC (running Windows XP in the example) as a DHCP client.

Right-click Network Neighborhood on the desktop and select Properties from the shortcut menu to enter the Network Connections window. Right-click Local Area Connection and select Properties from the shortcut menu to enter the Local Area Connection Properties window. Select a proper network interface card for Connect using and select Internet Protocol (TCP/IP). Click Internet Protocol (TCP/IP) and then click Properties to enter the Internet Protocol (TCP/IP) Properties window. Click on radio buttons next to Obtain an IP address automatically and Obtain DNS server address automatically.

Verification

After the preceding configurations are complete, you can see that the router obtains a fixed IP address 10.1.1.5, and the PC obtains an IP address on subnet 10.1.1.0/24.

1) View the detailed information of GigabitEthernet 0/1 on the router. You can view the IP address that the interface has obtained.

2) Run the ipconfig /all command in the Command Prompt window. You can see configuration information, including that the corresponding network interface card has obtained IP address 10.1.1.6 from the DHCP server.


Configuration Guidelines

1) When a DHCP client resides on the same subnet as the DHCP server, to ensure communication between them after the client obtains an IP address, it is recommended that you configure the interface through which the server is connected to the client with an IP address from the address pool and with the same mask as the address pool.

2) To configure a valid static binding, you need to bind an IP address to a MAC address or a client ID. In this example, you can also bind the MAC address of the PC to the IP address, so that the PC can obtain a fixed IP address.

3) If you bind an IP address to both a client ID and a MAC address, the IP-to-client ID binding takes precedence.

4) You can use the display dhcp client verbose command on a DHCP client to view the client ID.

5) Currently, a static DHCP address pool supports one static binding only. That is, each static binding is a static address pool.

6) The DHCP server does not perform address conflict detection on the IP address in a static binding. To ensure communication after the client obtains the IP address, it is recommended that you specify the static binding with an IP address on the same network segment as the server's interface.

7) To exclude specific IP addresses from dynamic allocation, use the dhcp server forbidden-ip command in system view.

Troubleshooting

Symptom

The router in the preceding example obtains no IP address.

Analysis

The network connection fails or the interface of the DHCP server does not reside on the network segment of the DHCP address pool.


Solution

1) Check that the interface through which the DHCP server is connected to the client resides in the address pool.

2) Check that the dhcp enable command is configured on the DHCP server.

3) Configure the interface of the router with an IP address from the address pool and ping from that IP address to the UTM to ensure network connectivity.

4) Use the debug command on the DHCP server and the client respectively to verify that the packet exchange process is normal.

DHCP Configuration Example II

Whether or not a relay agent exists, the DHCP server and client interact with each other in a similar way.

The DHCP relay agent works as follows:

1) A DHCP client broadcasts a DHCP-DISCOVER message.

2) The DHCP relay agent forwards the message to the designated DHCP server in unicast mode.

3) The DHCP server returns an IP address and other configuration parameters to the relay agent, which conveys them to the client.

Network Requirements

As shown in Figure 2, Device B is connected to the network where the DHCP client (PC) resides through GigabitEthernet 0/1, and is connected to the DHCP server (Device A) through GigabitEthernet 0/2. The IP address of GigabitEthernet 0/1 on Device A is 2.1.1.1/24, and that of GigabitEthernet 0/2 on Device B is 2.1.1.2/24. Device B serves as a DHCP relay agent to forward DHCP messages, so that the DHCP client can obtain an IP address and other parameters from the DHCP server.

Figure 2 Network diagram for DHCP configuration example II

Configuration Considerations

Configure Device A as the DHCP server. Configure Device B as the DHCP relay agent. Configure the PC as the DHCP client.

Software Version Used

F5118


Configuration Procedure

Configuration on the DHCP Server

Specify the IP address of GigabitEthernet 0/1 on Device A as 2.1.1.1/24 and add the interface to the Trust zone. For details, refer to Basic Configuration.

Select Network > DHCP > DHCP Server from the navigation tree, click on the Enable radio button, and configure a dynamic DHCP address pool, as shown in the figure below.

Add a static route to the network segment 10.1.1.0. Select Network Management > Routing Management > Static Routing from the navigation tree, click Add, and then perform the operations as shown in the figure below.

Configuration on the DHCP Relay

Specify the IP address of GigabitEthernet 0/2 on Device B as 2.1.1.2/24 and that of GigabitEthernet 0/1 as 10.1.1.1/24. Add GigabitEthernet 0/1 and GigabitEthernet 0/2 to the security zones as needed. For detailed configurations, refer to Basic Configuration.

Select Network > DHCP > DHCP Relay from the navigation tree, click on the Enable radio button and then click Apply. Create a server group with IP address 2.1.1.1, that is, the IP address of GigabitEthernet 0/1 on the DHCP server, as shown in the figure below.


In the Interface Config field, click the icon of GigabitEthernet 0/1. Click on the Enable radio button next to DHCP Relay, select 0 for Server Group ID, and click Apply.

Configuration on DHCP Client

Configure the PC (running Windows XP in the example) as a DHCP client.

Right-click Network Neighborhood on the desktop and select Properties from the shortcut menu to enter the Network Connections window. Right-click Local Area Connection and select Properties from the shortcut menu to enter the Local Area Connection Properties window. Select a proper network interface card for Connect using and select Internet Protocol (TCP/IP). Click Internet Protocol (TCP/IP) and then click Properties to enter the Internet Protocol (TCP/IP) Properties window. Click on radio buttons next to Obtain an IP address automatically and Obtain DNS server address automatically.


Verification

After the preceding configurations are complete, you can see that the PC obtains an IP address from the address pool configured on the DHCP server (Device A). Run the ipconfig /all command in the Command Prompt window to see the detailed configuration information.

Configuration Guidelines

1) When the DHCP server resides on a different network from the DHCP client, the interface through which the DHCP server is connected to the DHCP relay agent can be configured with any IP address not belonging to the address pool, whereas the interface through which the DHCP relay agent is connected to the DHCP client needs to be configured with an IP address from the address pool. To ensure normal communication after the client obtains an IP address, you need to configure the interface with the same mask as the address pool.

2) You can configure static bindings in a similar way as in configuration example I. The DHCP server does not perform conflict detection on the IP address of a static binding. Therefore, to ensure interconnection after the client obtains the IP address, it is recommended that you specify the static binding with an IP address on the same network segment as the DHCP relay agent's interface.

3) Configure a reachable route between the DHCP server and the DHCP client; otherwise, the client may fail to communicate with the server after obtaining an IP address, or the client cannot obtain an IP address because the server cannot forward the DHCP-OFFER message to the client. In this example, static routes are configured on the server and the client. You can use other routing protocols as well.

4) When multiple DHCP relay agents exist, you need to configure the interface address, relay agent mode and the corresponding next server group for each DHCP relay agent, and ensure that the route is reachable. You can also select the DHCP server address as the server group and ensure the route to the DHCP server is reachable.

5) To enhance security, you can enable the invalid IP address check feature on the interface through which the DHCP relay agent is connected to the client. With this feature enabled, the DHCP relay agent checks whether a requesting client's security entry exists on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. Note that the security entry of a client is added in the user information.
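As an added illustration of the address selection rules in the guidelines of both examples (example I: static bindings by MAC or client ID with client-ID precedence, forbidden addresses; example II: the relay agent interface must lie inside the pool), the following Python simulates a client DISCOVER, the relay agent filling in giaddr and unicasting to the server group, and the server choosing a pool from giaddr or from its own interface. This is constructed example code, not H3C's implementation; the MAC addresses, the client ID and the misconfigured relay address 192.168.9.1 are constructed values.

```python
import ipaddress
import struct

# RFC 2131 fixed-length header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes in total).
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR_FMT)
MAGIC = b"\x63\x82\x53\x63"          # the option field starts with this cookie
ZERO_ADDR = b"\0" * 4


def build_discover(mac, client_id=None, xid=0x3903F326):
    """Constructed DHCPDISCOVER as a client broadcasts it (giaddr = 0, hops = 0)."""
    hdr = struct.pack(HDR_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x01"            # option 53, message type 1 = DHCPDISCOVER
    if client_id is not None:
        opts += bytes([61, len(client_id)]) + client_id   # option 61, client identifier
    return hdr + MAGIC + opts + b"\xff"


def parse(packet):
    """Return the fields the server needs: hop count, giaddr, MAC and client ID."""
    f = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    opts, i = {}, HDR_LEN + len(MAGIC)
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0:            # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"hops": f[3], "giaddr": ipaddress.IPv4Address(f[10]),
            "mac": f[11][:f[2]], "client_id": opts.get(61)}


def relay(packet, relay_if_addr, server_group_ip):
    """Device B: turn the client's broadcast into a unicast to the server group.
    giaddr becomes the address of the interface that received the broadcast,
    which is what the server later uses to pick the address pool."""
    f = list(struct.unpack(HDR_FMT, packet[:HDR_LEN]))
    if f[10] == ZERO_ADDR:            # only the first relay agent fills in giaddr
        f[10] = ipaddress.IPv4Address(relay_if_addr).packed
    f[3] += 1                         # hop count
    return server_group_ip, struct.pack(HDR_FMT, *f) + packet[HDR_LEN:]


class DhcpServer:
    """Address selection as the two examples' guidelines describe it."""

    def __init__(self, if_addr, dynamic_pools, static_bindings=(), forbidden=()):
        self.if_addr = ipaddress.IPv4Address(if_addr)
        self.pools = [ipaddress.IPv4Network(p) for p in dynamic_pools]
        # One static binding per static pool: (ip, {"mac": ...} or {"client_id": ...}).
        self.static = [(ipaddress.IPv4Address(ip), key) for ip, key in static_bindings]
        self.forbidden = {ipaddress.IPv4Address(a) for a in forbidden}  # forbidden-ip
        self.leases = {}

    def offer(self, packet):
        """Address the server would put in yiaddr of its DHCPOFFER, or None."""
        req = parse(packet)
        # Static bindings first; an IP-to-client-ID binding beats an IP-to-MAC binding.
        # No conflict detection is performed for a statically bound address.
        for ip, key in self.static:
            if req["client_id"] is not None and key.get("client_id") == req["client_id"]:
                return ip
        for ip, key in self.static:
            if key.get("mac") == req["mac"]:
                return ip
        if req["mac"] in self.leases:
            return self.leases[req["mac"]]
        # Pool selection: giaddr when relayed, otherwise the receiving interface.
        anchor = req["giaddr"] if int(req["giaddr"]) else self.if_addr
        pool = next((p for p in self.pools if anchor in p), None)
        if pool is None:
            return None   # relay or server interface not inside any pool: no offer
        reserved = (self.forbidden | {self.if_addr, anchor}
                    | set(self.leases.values()) | {ip for ip, _ in self.static})
        for candidate in pool.hosts():
            if candidate not in reserved:
                self.leases[req["mac"]] = candidate
                return candidate
        return None


if __name__ == "__main__":
    # Example II topology: server 2.1.1.1, relay interface 10.1.1.1, pool 10.1.1.0/24.
    server = DhcpServer("2.1.1.1", ["10.1.1.0/24"])
    dst, fwd = relay(build_discover(bytes.fromhex("0011223344aa")), "10.1.1.1", "2.1.1.1")
    print(dst, parse(fwd)["giaddr"], server.offer(fwd))
```

The last case in the test, a relay interface outside every pool, reproduces the symptom in the troubleshooting section: the server has no pool to draw from and the client gets no address.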

Troubleshooting

Symptom

The DHCP client (PC) cannot obtain an IP address.

Analysis

The network connection fails, the routes are unreachable, or the interface enabled with DHCP relay agent does not belong to the DHCP address pool configured on the DHCP server.


Solution

1) Check that the IP address of GigabitEthernet 0/1 of the DHCP relay agent (Device B) belongs to the DHCP address pool.

2) Check that the DHCP service is enabled on Device B.

3) Check that routes between devices are reachable. You can manually configure an IP address for the PC and ping the DHCP server and relay agent to check connectivity.

4) Check that the invalid IP address check feature is disabled on GigabitEthernet 0/2. If the feature is enabled, remove the configuration or add a static security entry for the server on the DHCP relay agent, so as to ensure normal packet exchange between the server and the client.

5) View the server group information on the DHCP relay agent and make sure that the relay agent interface address is not used as the IP address of the server group.

6) Run the debug command on the server and the relay agent respectively to verify that the packet exchange process is normal.

References

Protocols and Standards

Routing TCP/IP, Volume II
RFC 2131, Dynamic Host Configuration Protocol
RFC 2132, DHCP Options and BOOTP Vendor Extensions
RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

Related Documentation

H3C MSR 20/30/50 Series Routers User Manual

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.


UTM Series TR-069 Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/11

UTM Series TR-069 Configuration Example

Keywords: TR-069, CWMP, CPE, ACS

Abstract: The CPE WAN Management Protocol (CWMP) was initiated and developed by the Digital Subscriber's Line (DSL) Forum. CWMP is numbered TR-069 by the forum, and is thus also called the TR-069 protocol. It can be used for the management and configuration of remote devices.

Acronyms:

Acronym Full spelling

CWMP CPE WAN Management Protocol

DSL Digital Subscriber's Line

ACS Auto-Configuration Server


Table of Contents

Feature Overview ..... 3
Application Scenarios ..... 3
Configuration Guidelines ..... 3
Configuration Example ..... 4
    Network Requirements ..... 4
    Configuration Considerations ..... 4
    Software Version Used ..... 4
    Configuration Procedures ..... 4
        Basic Configurations ..... 4
        Configuring Zones and Interzone Policies ..... 7
        Configuring TR-069 Parameters ..... 9
        Configuring NAT for the Outbound Interface ..... 10
    Verification ..... 10
        TR-069 Verification ..... 10
        Debugging Information ..... 11
    Related Documentation ..... 11


Feature Overview

The CPE WAN Management Protocol (CWMP) was initiated and developed by the Digital Subscriber's Line (DSL) Forum. CWMP is numbered TR-069 by the forum, and is thus also called the TR-069 protocol. It defines the general framework, message format, management method, and data model for the management and configuration of home network devices in next-generation networks.

The following figure illustrates the basic framework of a CWMP network.

Figure 1 Network diagram for CWMP

As shown in the figure, the basic network elements of CWMP include:

ACS: Auto-configuration server, the management device in the network.

CPE: Customer premise equipment, the managed device in the network.

DNS server: Domain name system server. CWMP defines that an ACS and a CPE use URLs to identify and access each other. DNS is used to resolve the URLs.

DHCP server: Dynamic Host Configuration Protocol server, which assigns IP addresses to ACSs and CPEs, and uses the options field in the DHCP packet to provide configuration parameters to the CPE.

H3C SecPath U200-S is the CPE and uses CWMP to communicate with the ACS.

Application Scenarios

CWMP is mainly applied to DSL access networks, which are hard to manage because user devices are located at the customer premises, dispersed, and large in number. CWMP makes management easier by using an ACS to perform remote centralized management of CPE.

Configuration Guidelines

When configuring TR-069, note the following:

1) Check that the ACS server operates normally and make sure that the background database of the ACS server is open.

2) The username and password of the ACS server are obtained.


3) The username and password of the CPE are configured.

4) TR-069 configuration through the ACS has a higher priority than configuration through the Web interface. You cannot use a configuration mode to modify parameters configured through a configuration mode with a higher priority.

Configuration Example

Network Requirements

In this example, the UTM device used is a UTM200-S, and the simplest networking is applied: the CPE and ACS are directly connected. When you connect the CPE to an ACS on the public network, a DNS server is needed.

Figure 2 Network diagram for TR-069

Configuration Considerations

Configure the IP address of the LAN (internal network) interface GigabitEthernet 0/2 as 2.1.1.1/24, and add it to zone Trust.

Configure the IP address of the LAN egress interface GigabitEthernet 0/1 as 1.1.1.1/24, and add it to zone Untrust.

Software Version Used

F5118

Configuration Procedures

Basic Configurations

Assigning IP addresses to interfaces

Select Device Management > Interface from the navigation tree to enter the interface management page.


Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page, and then configure the interface as shown in the following figure. Click Apply to return to the interface management page.

Click the icon of GigabitEthernet 0/2 to enter the Edit Interface page, and then configure the interface as shown in the following figure. Click Apply to return to the interface management page.


Configuring an ACL

Click Firewall > ACL from the navigation tree to enter the ACL management page, and then click Add to create ACL 2000.

On the ACL management page, click the icon of ACL 2000 and then click Add to create a rule.


Click Apply.

Configuring Zones and Interzone Policies

Adding interfaces to zones

Select Device Management > Zone from the navigation tree to enter the zone management page.

Click the icon of zone Trust to enter the zone modification page, add interface GigabitEthernet 0/2 to the zone as shown in the following figure, and then click Apply to return to the zone management page.


Add interface GigabitEthernet 0/1 to zone Untrust in the same way.

Configuring interzone policies

Select Firewall > Security Policy > Interzone Policy from the navigation tree.

Click Add and then configure an interzone policy from Trust to Untrust as shown in the following figure.


Configuring TR-069 Parameters

TR-069 parameters

Assume the ACS server and CPE parameters are as follows:

ACS server address: http://1.1.1.1:7547/ACS-server/ACS
ACS username: 1234
ACS password: 5678
CPE username: bbms
CPE password: bbms

All ACS server and CPE parameters are provided by the ACS server. Configure the ACS server address. The port number and the URL must be correct, and the letters are case sensitive.

Select Device Management > TR-069 from the navigation tree, and configure TR-069 parameters as shown in the following figure. Then, click Apply.


Configuring NAT for the Outbound Interface

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Then click Add.

Configure NAT for interface GigabitEthernet 0/1 as shown in the following figure, and then click Apply.

Verification

TR-069 Verification

Log in to the ACS server website, and you can see that the CPE (UTM device) is online. You can then send configurations to the UTM device.


Debugging Information

If the ACS fails to connect with the CPE, you can display the following debugging information on the UTM device to locate the problem. In addition, you need to check whether the following parameters of the ACS server are correctly configured on the UTM device.

1) Check that the ACS username and password are correct.

2) Check that the database of the ACS server is open.

3) Check that the CPE username and password are correct.

4) Enable TR-069 debugging:

<U200-S>debugging cwmp ?
  all          All
  error        Error
  information  Information
  packet       Packet
<U200-S>debugging cwmp all
<U200-S>t d
Info: Current terminal debugging is on.
<U200-S>t m

5) To connect to the ACS server immediately after modifying the CWMP configurations, execute the following commands. To view the detailed information of the connection, enable TR-069 debugging again.

[U200-S]undo cwmp enable

[U200-S]cwmp enable

Related Documentation

TR-069 Configuration in the Web configuration documentation set.



UTM Series Interzone Policy Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/11

UTM Series Interzone Policy Configuration Example

Keyword: interzone policy

Abstract: Interzone policies, based on ACLs, are used for identification and monitoring of traffic between zones.

Acronyms:

Acronym Full name

ACL Access Control List


Table of Contents

Feature Overview ..... 3
Application Scenarios ..... 3
Configuration Guidelines ..... 3
Interzone Policy Configuration Example ..... 3
    Network Requirements ..... 3
    Configuration Considerations ..... 4
    Software Version Used ..... 4
    Configuration Procedures ..... 4
        Assigning IP Addresses to Interfaces ..... 4
        Adding Interfaces to Zones ..... 5
        Configuring a Time Range Resource ..... 7
        Configuring an Address Resource ..... 7
        Configuring an Interzone Policy ..... 8
    Verification ..... 10
        Accessing the External Network from Host Public in Working Hours ..... 10
        Accessing the External Network from Other Hosts in Working Hours ..... 11
References ..... 11
    Protocols and Standards ..... 11
    Related Documentation ..... 11


Feature Overview

Interzone policies, based on access control lists (ACLs), are used for identification of traffic between zones. An interzone policy references one ACL for a pair of source zone and destination zone. This ACL contains a group of ACL rules, each of which permits or denies packets matching the match criteria.

Interzone policies can reference address resources and service resources to define the packet match criteria and reference time range resources to specify the effective time ranges of the rules.

Application Scenarios

Interzone policies can be used for identifying and monitoring traffic between zones.

Configuration Guidelines

The number of an ACL referenced by an interzone policy is assigned automatically by the system. When you create the first rule for two zones, the system automatically creates an ACL, and assigns it an ACL number that is one more than the last assigned ACL number, starting from 6000. If you remove all rules of the interzone policy, the system automatically removes the ACL.

Rules for a pair of source zone and destination zone are listed in match order on the web page. A rule listed earlier has a higher priority, and is matched earlier. By default, the rules are in the order they are created, and you can manually adjust the order.

Interzone Policy Configuration Example

Network Requirements

U200-S of the UTM series is used in this example.

As shown in Figure 1, Device connects the corporate network to the Internet. The corporate network belongs to zone Trust, while the external network belongs to zone Untrust.

Configure an interzone policy, allowing internal host Public to access the external network at any time and denying all the other internal hosts’ access to the external network during working hours (from 8:00 to 18:00) on working days (Monday through Friday).
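The following Python is an added model of the rule matching described under Configuration Guidelines (rules tried in listed order, earlier rule wins, a rule with a time range is only in effect inside it), applied to this example's requirement for host Public and the other internal hosts. It is constructed example code, not the device's implementation; the address 192.168.1.2 for host Public and the other host addresses are constructed values, and a result of None stands for "no rule matched", leaving the device's default interzone action to decide.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network


@dataclass
class TimeRange:
    """Periodic time range resource: active on the listed weekdays (Monday = 0)
    from start up to, but not including, end."""
    weekdays: frozenset
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class Rule:
    """One rule of the interzone policy for a (source zone, destination zone) pair."""
    action: str                                   # "permit" or "deny"
    sources: list = field(default_factory=list)   # address resources; empty = any source
    time_range: TimeRange = None                  # None = effective at all times

    def matches(self, src: IPv4Address, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False                          # rule is not in effect right now
        return not self.sources or any(src in net for net in self.sources)


def evaluate(rules, src, at):
    """Rules are tried in the order listed; an earlier rule has higher priority and
    the first match decides. Returns (action, rule index), or (None, None) when no
    rule matched."""
    src = IPv4Address(src)
    for index, rule in enumerate(rules):
        if rule.matches(src, at):
            return rule.action, index
    return None, None


def decide(rules, src, when):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return evaluate(rules, src, datetime.fromisoformat(when))


# Constructed values: the page does not give host Public's address.
WORKING_HOURS = TimeRange(frozenset({0, 1, 2, 3, 4}), time(8, 0), time(18, 0))
HOST_PUBLIC = IPv4Network("192.168.1.2/32")

# Trust -> Untrust policy for this example: Public at any time, nobody else in working hours.
TRUST_TO_UNTRUST = [
    Rule("permit", [HOST_PUBLIC]),
    Rule("deny", [], WORKING_HOURS),
]

# The same two rules in the wrong order: the working-hours deny now shadows Public.
MISORDERED = list(reversed(TRUST_TO_UNTRUST))


if __name__ == "__main__":
    for host in ("192.168.1.2", "192.168.1.50"):
        print(host, decide(TRUST_TO_UNTRUST, host, "2010-05-18T10:00"))
```

The MISORDERED list shows why rule order matters on the web page: with the deny rule listed first, host Public is blocked during working hours even though its permit rule exists.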


Figure 1 Network diagram for configuring interzone policies

Configuration Considerations

1) Assign IP addresses to the interfaces.

2) Configure zones.

3) Configure a time range resource.

4) Configure an address resource.

5) Configure an interzone policy.

Software Version Used

F5118

Configuration Procedures

Assigning IP Addresses to Interfaces

Configuring GigabitEthernet 0/2

From the navigation tree, select Device Management > Interface to enter the interface management page.

Figure 2 Interface management page

Click the icon of interface GigabitEthernet 0/2 to enter the page for configuring the interface.

Configure the interface information as shown in the following figure, and then click Apply. The interface management page appears, displaying the configuration result.


Figure 3 Configure interface GigabitEthernet 0/2

Configuring GigabitEthernet 0/1

Follow the same procedure to configure GigabitEthernet 0/1. Figure 4 shows the configuration result.

Figure 4 Interface management page

Adding Interfaces to Zones

Adding GigabitEthernet 0/2 to the Trust zone

Select Device Management > Zone from the navigation tree to display the zone list.


Figure 5 Zone list

Click the icon of zone Trust to enter the page for modifying the zone. Add interface GigabitEthernet 0/2 to zone Trust as shown in the following figure, and then click Apply.

Figure 6 Add GigabitEthernet 0/2 to the Trust zone

Adding GigabitEthernet 0/1 to the Untrust zone

Follow the same procedure to add GigabitEthernet 0/1 to zone Untrust. Then select Device Management > Zone from the navigation tree to display the zone list, which shows the configuration result.


Figure 7 Interface management page

Configuring a Time Range Resource

Configure a time range from 8:00 to 18:00 on working days (Monday through Friday).

Select Resource > Time Range from the navigation tree, and click Add. Perform the configurations shown in Figure 8.

Figure 8 Configure a time range resource

Type worktime in the Name text box. Select the Periodic Time Range check box. Set the start time to 8:00 and the end time to 18:00. Select the Mon., Tues., Wed., Thurs., and Fri. check boxes. Click Apply.

Configuring an Address Resource

Configuring an IP address resource

Select Resource > Address > IP Address from the navigation tree, and then click Add. Perform the configurations shown in Figure 9.


Figure 9 Create an IP address resource

Select the IP Address option. Type public as the name. Type 10.1.1.12 as the IP address. Then click Add to add the address to the IP address list. Click Apply.

Configuring an Interzone Policy

Configuring an access rule that allows host public to access the external network at any time

Select Firewall > Security Policy > Interzone Policy from the navigation tree, and then click Add. Perform the configurations shown in Figure 10.


Figure 10 Allow host public to access the external network at any time

Select Trust as the source zone and Untrust as the destination zone. Select public as the source address. Select Permit as the filter action. Select the Enable Syslog check box. Select the Status check box. Select the Continue to add next rule check box. Click Apply.

Configuring a rule to deny access of all the other hosts to the external network during working time

After the last configuration step, the interzone policy rule configuration page appears, with the source and destination zones selected for the last rule. Perform the configurations shown in Figure 11.


Figure 11 Deny all the other hosts' access to the external network during working time

Select Deny as the filter action. Select worktime as the time range. Select the Enable Syslog check box. Select the Status check box. Click Apply.

Verification

Accessing the External Network from Host Public in Working Hours

Host Public can access the external network during working hours. Select Log Report > Report > Interzone Policy Log to enter the interzone policy log page. The log shows that the access to the external network was permitted.

Figure 12 Interzone policy log


Accessing the External Network from Other Hosts in Working Hours

During working hours, no other host, for example a host at 10.1.1.13/24, can access the external network. Select Log Report > Report > Interzone Policy Log to enter the interzone policy log page. The log shows that the access to the external network was denied.

Figure 13 Interzone policy log
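The policy configured and verified above, as an added Python model that is not H3C code: one ACL per zone pair numbered from 6000, rules matched in list order, and address and time range resources referenced by name. The default action when no rule matches is a parameter, because the page does not state it; the dates used for checking are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class TimeRange:
    """Periodic time range like the 'worktime' resource on this page: active
    from start to end on the listed weekdays (0 = Monday ... 6 = Sunday)."""
    name: str
    start: time
    end: time
    weekdays: frozenset

    def is_active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # address resource name; None = any source
    time_range: Optional[str] = None   # time range resource name; None = always
    enabled: bool = True               # the 'Status' check box


class InterzonePolicy:
    FIRST_ACL = 6000   # ACL numbers are assigned by the system, starting here

    def __init__(self, default_action: str = "permit") -> None:
        # Assumption: action when no rule of a zone pair matches (not stated on the page).
        self.default_action = default_action
        self.addresses: Dict[str, list] = {}                 # resource -> networks
        self.time_ranges: Dict[str, TimeRange] = {}
        self.acls: Dict[Tuple[str, str], int] = {}           # zone pair -> ACL number
        self.rules: Dict[Tuple[str, str], List[Rule]] = {}   # zone pair -> ordered rules
        self._next_acl = self.FIRST_ACL
        self.syslog: List[tuple] = []                        # what 'Enable Syslog' records

    def add_address(self, name: str, *cidrs: str) -> None:
        self.addresses[name] = [ip_network(c, strict=False) for c in cidrs]

    def add_time_range(self, tr: TimeRange) -> None:
        self.time_ranges[tr.name] = tr

    def add_rule(self, src_zone: str, dst_zone: str, rule: Rule) -> int:
        """Append a rule; the first rule of a zone pair creates the pair's ACL."""
        pair = (src_zone, dst_zone)
        if pair not in self.acls:
            self.acls[pair] = self._next_acl
            self._next_acl += 1            # the next pair gets the next number
            self.rules[pair] = []
        self.rules[pair].append(rule)
        return self.acls[pair]

    def remove_rule(self, src_zone: str, dst_zone: str, index: int) -> None:
        """Remove a rule; removing the last rule of a pair removes its ACL too."""
        pair = (src_zone, dst_zone)
        del self.rules[pair][index]
        if not self.rules[pair]:
            del self.rules[pair]
            del self.acls[pair]

    def move_rule(self, src_zone: str, dst_zone: str, old: int, new: int) -> None:
        """Manual reordering: a rule listed earlier has the higher priority."""
        rules = self.rules[(src_zone, dst_zone)]
        rules.insert(new, rules.pop(old))

    def _matches(self, rule: Rule, src_ip: str, at: datetime) -> bool:
        if not rule.enabled:
            return False
        if rule.src is not None:
            ip = ip_address(src_ip)
            if not any(ip in net for net in self.addresses[rule.src]):
                return False
        if rule.time_range is not None:
            return self.time_ranges[rule.time_range].is_active(at)
        return True

    def evaluate(self, src_zone: str, dst_zone: str, src_ip: str, at: datetime) -> str:
        """The first matching rule in list order decides; else the default action."""
        pair = (src_zone, dst_zone)
        for index, rule in enumerate(self.rules.get(pair, [])):
            if self._matches(rule, src_ip, at):
                self.syslog.append((at.isoformat(), src_zone, dst_zone, src_ip, index, rule.action))
                return rule.action
        return self.default_action


def build_page_policy() -> InterzonePolicy:
    """The configuration of this example: 'public' (10.1.1.12) may reach Untrust
    at any time; every other Trust host is denied during 'worktime'."""
    policy = InterzonePolicy()
    policy.add_address("public", "10.1.1.12/32")
    policy.add_time_range(TimeRange("worktime", time(8, 0), time(18, 0), frozenset(range(5))))
    policy.add_rule("Trust", "Untrust", Rule("permit", src="public"))
    policy.add_rule("Trust", "Untrust", Rule("deny", time_range="worktime"))
    return policy
```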

References

Protocols and Standards

TCP/IP Routing, Volume II

Related Documentation

Interzone Policy Configuration in the web configuration manual

Address Resource Configuration in the web configuration manual



H3C SecPath UTM Series ARP Attack Protection Configuration Example


UTM Series ARP Attack Protection Configuration Example

Keywords: UTM, ARP

Abstract: ARP provides no security mechanism and thus is prone to network attacks. The device provides multiple features to detect and prevent ARP attacks. This document describes a configuration example using these features.

Acronyms:

Acronym   Full spelling
UTM       Unified Threat Management
ARP       Address Resolution Protocol


Table of Contents

Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
ARP Attack Protection Configuration Example 3
    Network Requirements 3
    Configuration Considerations 3
    Software Version Used 4
    Configuration Procedures 4
        Specify Interface Addresses 4
        Add Interfaces to Zones 5
        Configure Gratuitous ARP 7
        Configure ARP Automatic Scanning 8
        Configure Fixed ARP 9
    Verification 10
References 11
    Protocols and Standards 11
    Related Documentation 12


Feature Overview

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device provides multiple features to detect and prevent such attacks.

Application Scenarios

ARP attack protection is applicable to LANs such as cybercafes and campus networks.

Configuration Guidelines

1) Sending of gratuitous ARP packets takes effect on an interface only when the link of the interface goes up and an IP address has been assigned to the interface.

2) If you change the interval for sending gratuitous ARP packets, the new interval takes effect at the next sending interval.

3) Do not enable gratuitous ARP on an interface configured with a VRRP group.

4) It is recommended that you do not perform other operations during an ARP automatic scan.

5) Fixed ARP changes dynamic ARP entries into static entries only when these entries are learnt on a Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, or VLAN interface.

ARP Attack Protection Configuration Example

Network Requirements

The U200-S is used in this configuration example.

Figure 1 Network diagram for ARP attack protection configuration example

Configuration Considerations

1) Specify interface addresses.

2) Add interfaces to security zones.

3) Configure gratuitous ARP.

4) Configure ARP automatic scanning.

5) Configure fixed ARP.

Software Version Used

F5118

Configuration Procedures

Specify Interface Addresses

Specify the IP address of GigabitEthernet 0/1

Select Device Management > Interface from the navigation tree.

Figure 2 Interfaces

Click the icon of GigabitEthernet 0/1 to enter the Edit Interface page. Configure the interface as shown in the figure below, and then click Apply to return to the Interface page.


Figure 3 Edit interface GigabitEthernet 0/1

Specify the IP address of GigabitEthernet 0/2

Specify the IP address of GigabitEthernet 0/2 in a similar way, as shown in the figure below.

Figure 4 Interfaces

Add Interfaces to Zones

Add GigabitEthernet 0/1 to the Trust zone

Select Device Management > Zone from the navigation tree.


Figure 5 Security zones

Click the icon of the Trust zone to enter the Modify Zone page. Add GigabitEthernet 0/1 to the Trust zone as shown in the figure below, and then click Apply to return to the Zone page.

Figure 6 Add GigabitEthernet 0/1 to the Trust zone

Add GigabitEthernet 0/2 to the Untrust zone

Add GigabitEthernet 0/2 to the Untrust zone in a similar way, and the output is shown in the figure below.


Figure 7 Interfaces

Configure Gratuitous ARP

Introduction to gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.

A device implements the following functions by sending gratuitous ARP packets:

1) Determining whether its IP address is already used by another device.

2) Informing other devices about the change of its MAC address so that they can update their ARP entries.

A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if no corresponding ARP entry exists in its cache.

Configuring sending of gratuitous ARP packets

Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree.

Select GigabitEthernet 0/1, leave the default sending interval unchanged or type a specific value, click <<, and then click Apply. After that, all devices on the internal network will record an ARP entry for the internal interface GigabitEthernet 0/1.


Figure 8 Configure sending of gratuitous ARP packets
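An added example, not from the manual: it builds a gratuitous ARP frame as the page defines it (sender IP equals target IP, target MAC ff:ff:ff:ff:ff:ff), parses it back, checks the two-second cadence that the verification section expects, and flags a frame whose sender binding contradicts a known IP-to-MAC mapping, which is the duplicate-address case gratuitous ARP exists to reveal. The interface address 192.168.1.1, all MAC addresses and the capture itself are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: bytes
    sender_ip: IPv4Address
    target_mac: bytes
    target_ip: IPv4Address
    dst_mac: bytes            # Ethernet destination address of the frame

    @property
    def is_gratuitous(self) -> bool:
        """The page's definition: sender IP equals target IP, frame is broadcast."""
        return self.sender_ip == self.target_ip and self.dst_mac == BROADCAST


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_gratuitous_arp(sender_mac: bytes, sender_ip: str, opcode: int = ARP_REQUEST) -> bytes:
    """Ethernet II frame carrying a gratuitous ARP (RFC 826 layout) for sender_ip."""
    ip = IPv4Address(sender_ip).packed
    eth = BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type IPv4, hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + ip + BROADCAST + ip      # target MAC is ff:ff:ff:ff:ff:ff
    return eth + arp


def parse_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP packet carried by an Ethernet frame, or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(opcode, body[0:6], IPv4Address(body[6:10]),
                     body[10:16], IPv4Address(body[16:20]), frame[0:6])


def gratuitous_intervals(capture: List[Tuple[float, bytes]]) -> Dict[bytes, List[float]]:
    """Seconds between consecutive gratuitous ARPs per sender MAC. The page's
    verification ('one every two seconds from GigabitEthernet 0/1') becomes a
    check that the interface's list is all 2.0."""
    last: Dict[bytes, float] = {}
    intervals: Dict[bytes, List[float]] = {}
    for ts, frame in capture:
        pkt = parse_frame(frame)
        if pkt is None or not pkt.is_gratuitous:
            continue
        if pkt.sender_mac in last:
            intervals.setdefault(pkt.sender_mac, []).append(round(ts - last[pkt.sender_mac], 3))
        last[pkt.sender_mac] = ts
    return intervals


def find_address_conflicts(capture, known: Dict[IPv4Address, bytes]) -> List[Tuple[IPv4Address, bytes, bytes]]:
    """Any ARP whose sender binding contradicts a known IP->MAC mapping: a duplicate
    address (what gratuitous ARP is meant to reveal) or a forged entry to investigate."""
    conflicts = []
    for _, frame in capture:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        expected = known.get(pkt.sender_ip)
        if expected is not None and expected != pkt.sender_mac:
            conflicts.append((pkt.sender_ip, expected, pkt.sender_mac))
    return conflicts


# Constructed sample capture (not a real trace): the UTM's internal interface
# (assumed 192.168.1.1, MAC below) announces itself every 2 s, a host announces
# its own address once, and a second MAC claims the interface's address.
GATEWAY_MAC = "00:11:22:33:44:55"
OTHER_MAC = "66:77:88:99:aa:bb"
HOST_MAC = "00:aa:bb:cc:dd:13"


def sample_capture() -> List[Tuple[float, bytes]]:
    frames = [(float(t), build_gratuitous_arp(mac(GATEWAY_MAC), "192.168.1.1")) for t in (0, 2, 4, 6)]
    frames.append((1.0, build_gratuitous_arp(mac(HOST_MAC), "192.168.1.13", ARP_REPLY)))
    frames.append((3.0, b"\x00" * 60))    # a non-ARP frame is ignored
    frames.append((5.0, build_gratuitous_arp(mac(OTHER_MAC), "192.168.1.1")))
    return sorted(frames, key=lambda f: f[0])
```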

Configure ARP Automatic Scanning

Introduction to ARP automatic scanning

With ARP automatic scanning enabled on an interface, the device scans neighbors on the interface, requests their MAC addresses, and creates dynamic ARP entries.

Configuring ARP automatic scanning

Select Firewall > ARP Anti-Attack > Scan from the navigation tree.

Select GigabitEthernet 0/1 and type the start IP address and the end IP address, as shown in the figure below. If no start IP address and end IP address are specified, the system scans the network segment according to the mask of the interface address.

Figure 9 Configure ARP automatic scanning


Configure Fixed ARP

Introduction to Fixed ARP

Fixed ARP allows the device to change dynamic ARP entries (including those generated automatically) into static ARP entries, thus effectively preventing attackers from modifying ARP entries.

Configuring Fixed ARP

Select Firewall > ARP Anti-Attack > Fix from the navigation tree. All dynamic and static ARP entries learnt by the UTM are displayed, including those obtained by ARP automatic scanning.

Figure 10 ARP entries

Select one or multiple dynamic ARP entries you want to change into static, and click Fix. Select one or multiple static ARP entries you want to remove, and click Del Fixed. To change all dynamic ARP entries into static, click Fix All. To delete all static ARP entries, click Del All Fixed.

Figure 11 Configure fixed ARP


Verification

Verify gratuitous ARP

Capture packets on the internal network 192.168.1.0/24. A gratuitous ARP packet sent from GigabitEthernet 0/1 is captured every two seconds.

Figure 12 Capture gratuitous ARP packets

Verify automatic ARP scanning

After an automatic ARP scan is complete, all ARP entries of the internal network are displayed in the ARP table. Select Firewall > ARP Management > ARP Table from the navigation tree to view all ARP entries. For example, you can view the ARP entries for network segment 192.168.1.0/24 as shown in the figure below:

Figure 13 ARP entries

Verify fixed ARP

On the Firewall > ARP Anti-Attack > Fix page, select the ARP entry containing 192.168.1.13, and click Fix. When a dynamic ARP entry is changed into a static one, it is displayed at the top of the ARP table.


Figure 14 Verify fixed ARP

Verify deletion of fixed ARP entries

On the Firewall > ARP Anti-Attack > Fix page, select the static ARP entry containing 192.168.1.13, and click Del Fixed. A message box is displayed as shown in the figure below. Click OK. The static ARP entry is then removed. The entry is displayed again only when it is learnt again or when an ARP scan is carried out on the corresponding interface.

Figure 15 Verify deletion of fixed ARP entries
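An added model, not H3C code, of the Fix, Fix All, Del Fixed and Del All Fixed operations described above: a fixed entry is never overwritten by later ARP traffic (the rejected update is recorded for the operator), the guideline that only entries learnt on Layer 3 Ethernet, Layer 3 subinterface or VLAN interfaces can be fixed is enforced, and static entries are listed first. Interface types, MAC addresses and the hypothetical `Layer2Port0` interface are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Per the configuration guideline, only entries learnt on these interface types
# can be fixed. The type names are assumptions made for this model.
FIXABLE_TYPES = {"l3-ethernet", "l3-subinterface", "vlan-interface"}


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool = False


class ArpTable:
    """ARP table with the Fix / Del Fixed semantics of the page."""

    def __init__(self, interface_types: Dict[str, str]) -> None:
        self.interface_types = interface_types          # interface name -> type
        self._entries: Dict[str, ArpEntry] = {}
        self.rejected: List[Tuple[str, str, str]] = []  # (ip, mac offered, interface)

    def learn(self, ip: str, mac: str, interface: str) -> bool:
        """Dynamic learning (an ARP reply, or an entry created by ARP scanning).
        A fixed entry is never overwritten, which is what makes fixing protect
        it; a conflicting update is recorded. Returns True if the table changed."""
        current = self._entries.get(ip)
        if current is not None and current.static:
            if current.mac != mac:
                self.rejected.append((ip, mac, interface))
            return False
        self._entries[ip] = ArpEntry(ip, mac, interface)
        return True

    def fix(self, ips: Iterable[str]) -> List[str]:
        """'Fix': change the selected dynamic entries into static ones."""
        fixed = []
        for ip in ips:
            entry = self._entries.get(ip)
            if entry is None or entry.static:
                continue
            if self.interface_types.get(entry.interface) not in FIXABLE_TYPES:
                continue      # guideline: not learnt on a fixable interface type
            entry.static = True
            fixed.append(ip)
        return fixed

    def fix_all(self) -> List[str]:
        return self.fix(list(self._entries))

    def del_fixed(self, ips: Iterable[str]) -> List[str]:
        """'Del Fixed': remove the selected static entries. They come back only
        when learnt again or found by an ARP scan."""
        removed = []
        for ip in ips:
            entry = self._entries.get(ip)
            if entry is not None and entry.static:
                del self._entries[ip]
                removed.append(ip)
        return removed

    def del_all_fixed(self) -> List[str]:
        return self.del_fixed(list(self._entries))

    def lookup(self, ip: str) -> Optional[ArpEntry]:
        return self._entries.get(ip)

    def entries(self) -> List[ArpEntry]:
        """Display order: static entries first, as on the Fix page."""
        return sorted(self._entries.values(), key=lambda e: not e.static)


def page_scenario() -> ArpTable:
    """Two entries on the internal network of the example (192.168.1.0/24).
    MACs and the Layer 2 port 'Layer2Port0' are constructed sample data."""
    table = ArpTable({"GigabitEthernet0/1": "l3-ethernet",
                      "Vlan-interface1": "vlan-interface",
                      "Layer2Port0": "l2-ethernet"})
    table.learn("192.168.1.13", "00:aa:bb:cc:dd:13", "GigabitEthernet0/1")
    table.learn("192.168.1.20", "00:aa:bb:cc:dd:20", "Layer2Port0")
    return table
```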

References

Protocols and Standards

RFC 826: An Ethernet Address Resolution Protocol


Related Documentation

ARP Attack Protection Configuration in the Web configuration documentation set



UTM Series Attack Protection Configuration Example

Keywords: Attack protection, scanning, blacklist

Abstract: This document describes the attack protection functions of the H3C UTM firewalls, including SYN flood attack protection, UDP flood attack protection, ICMP flood attack protection, scanning attack protection, single-packet attack protection, static blacklist, and dynamic blacklist. This document also presents the configuration and verification methods in detail through examples.

Acronyms:

Acronym   Full spelling
DDOS      Distributed Denial of Service
HTTP      Hypertext Transfer Protocol
ICMP      Internet Control Message Protocol
IP        Internet Protocol
TCP       Transfer Control Protocol
UDP       User Datagram Protocol


Table of Contents

Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
Configuration Example 3
    Network Requirements 3
    Configuration Considerations 4
    Software Version Used 4
    Configuration Procedures 4
        Basic Configurations 4
    Configuring Attack Protection 9
        Configuring the Static Blacklist Function 9
        Configuring the Dynamic Blacklist Function 9
        Configuring ICMP Flood Attack Protection 10
        Configuring UDP Flood Attack Protection 10
        Configuring SYN Flood Attack Protection 11
        Configuring Scanning Prevention 11
        Configuring Packet Inspection 11
    Verification 12
        Static Blacklist 12
        Dynamic Blacklist 13
        ICMP Flood Attack Protection 13
        UDP Flood Attack Protection 14
        SYN Flood Attack Protection 15
        Scanning Prevention 16
        Packet Inspection 17


Feature Overview

Attack protection is an important firewall feature. It allows a firewall to detect attacks by analyzing the contents and behavior characteristics of received packets and, based on the analysis result, to take countermeasures such as blacklisting the source IP addresses, outputting alarm logs, and discarding packets.

The attack protection feature can detect various kinds of Denial of Service (DoS) attacks, scanning attacks, and malformed packet attacks, and take actions in response. It does so by using blacklists, matching packets against attack signatures, and detecting traffic anomalies. The attack protection feature also provides attack statistics.

Application Scenarios

The attack protection feature is usually deployed at the egress of a campus network or corporate network to detect and handle possible attack packets between the internal network and the external network, so as to protect the security of the internal network.

Configuration Guidelines

1) Packet inspection and scanning prevention apply only to the inbound direction, that is, the internal zone. When deployed in the outbound direction, that is, the external zone, they do not take effect.

2) The flood attack protection functions apply only to the outbound direction. When deployed in the inbound direction, they do not take effect.

Configuration Example

Network Requirements

In this configuration example, the model of the UTM device is UTM200-S.


Figure 1 Network diagram for attack protection configuration

Configuration Considerations

1) Add the interface connecting the internal network (that is, GigabitEthernet 0/2) to zone Trust.

2) Add the interface connecting the external network (that is, GigabitEthernet 0/1) to zone Untrust.

Software Version Used

F5118

Configuration Procedures

Basic Configurations

Assigning IP addresses to interfaces

From the navigation tree, select Device Management > Interface to enter the interface management page.

Click the icon of GigabitEthernet 0/1 to enter the interface configuration page. Then, configure the interface as follows and click Apply to return to the interface management page.


Click the icon of GigabitEthernet 0/2 to enter the interface configuration page. Then, configure the interface as follows and click Apply to return to the interface management page.


Configuring the ACL

From the navigation tree, click Firewall > ACL to enter the ACL management page. Then, click Add to create ACL 2000.

On the ACL management page, click the icon of ACL 2000 and then click Add to create a rule that allows all packets to pass.

Click Apply.

Adding interfaces to zones

From the navigation tree, select Device Management > Zone to enter the security zone management page.

Click the icon of zone Trust to enter the security zone modification page. Then, add interface GigabitEthernet 0/2 to the zone as follows and click Apply to return to the security zone management page.


Add interface GigabitEthernet 0/1 to zone Untrust in the same way.

Configuring interzone policies

From the navigation tree, select Firewall > Security Policy > Interzone Policy.

Click Add and then configure an interzone policy from Untrust to Trust as follows:


Configuring NAT for the outbound interface

From the navigation tree, select Firewall > NAT Policy > Dynamic NAT. Then click Add.

Configure NAT for interface GigabitEthernet 0/1 as follows, and then click Apply.


Configuring Attack Protection

Configuring the Static Blacklist Function

From the navigation tree, select Intrusion Detection > Blacklist. Then, select the Enable Blacklist check box and click Apply to enable the blacklist function.

Click Add. Type the address to be blacklisted and specify the lifetime of the blacklist entry. Then, click Apply.

Configuring the Dynamic Blacklist Function

From the navigation tree, select Intrusion Detection > Blacklist. Then, select the Enable Blacklist check box and click Apply to enable the blacklist function.

Configuring ICMP Flood Attack Protection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood. Then, select security zone Trust and select Discard packets when the specified attack is detected and click Apply.

In the ICMP Flood Configuration area, click Add and add host address 2.0.0.2 as an object to be protected.

Configuring UDP Flood Attack Protection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood. Then, select security zone Trust and select Discard packets when the specified attack is detected and click Apply.

In the UDP Flood Configuration area, click Add and add host address 2.0.0.2 as an object to be protected.

Configuring SYN Flood Attack Protection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood. Then, select security zone Trust and select Discard packets when the specified attack is detected and click Apply.

In the SYN Flood Configuration area, click Add and add host address 2.0.0.2 as an object to be protected.

Configuring Scanning Prevention

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection. Then, select security zone Untrust and select Enable Scanning Detection and Add a source IP to the blacklist and click Apply.

Configuring Packet Inspection

Packet inspection detects single-packet attacks, which are independent of traffic volume and session state. It works by checking whether a packet carries the specified signatures.

From the navigation tree, select Intrusion Detection > Packet Inspection. Then, select security zone Untrust and the types of attacks to be detected, and click Apply.

Verification

On PC 2, use a packet constructing tool to simulate various attacks targeting the host or server of the internal network.

Static Blacklist

Before the static blacklist entry expires or is cleared, PC 2 cannot ping the IP address (1.0.0.1) of the UTM device’s interface GigabitEthernet 0/1.

When PC 2 is not in the blacklist, PC 2 can ping the IP address (1.0.0.1) of the UTM device’s interface GigabitEthernet 0/1.

Dynamic Blacklist

Use a PC (1.0.0.100, for example) in the external network to log in to the server in the internal network, entering the correct username but a wrong password five times. Selecting Intrusion Detection > Blacklist from the navigation tree, you can see that the IP address of the PC (1.0.0.100) has been added to the blacklist. Because you selected Add a source IP to the blacklist when configuring scanning prevention, the device also automatically adds scanning sources to the blacklist. For details, refer to Scanning Prevention.

ICMP Flood Attack Protection

Use SmartBits to send ICMP packets with the destination address 2.0.0.2 to zone Trust at a rate higher than 1000 frames per second, changing the source address frequently.

SmartBits is a data protocol analyzer from Spirent Communications. For ICMP flood, UDP flood, and SYN flood attacks, the sampling interval of the device is one second. If the number of half-open connections or the session establishment rate exceeds the threshold in three consecutive sampling intervals, the device considers that an attack has occurred. Therefore, when using SmartBits to simulate a flood attack, be sure to send attack packets for at least four seconds.
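The sampling rule above, worked through as an added example that is not H3C code: a per-host detector that samples once per second, declares a flood after three consecutive over-threshold intervals, and then discards further packets to the protected host. The threshold unit (packets per interval per host), the assumption that packets arrive in time order, and the clearing of the attack state once an interval drops back under the threshold are assumptions, not statements from the document.

```python
"""Model of the flood-detection rule described above (ICMP, UDP and SYN flood).

Added example, not H3C code. It samples once per second and declares an attack
when a protected host's packet rate is over the threshold in three consecutive
intervals, then discards further packets to that host, as the "Discard packets"
action does. Assumptions: packets arrive in time order as (timestamp, dst)
pairs, the threshold is packets per interval per host, and the attack state
clears once an interval falls back under the threshold.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SAMPLING_INTERVAL_S = 1.0     # the device samples once per second
CONSECUTIVE_INTERVALS = 3     # over threshold this many intervals in a row = attack


@dataclass
class _HostState:
    bucket: Optional[int] = None   # index of the sampling interval being filled
    count: int = 0                 # packets seen in that interval
    consecutive: int = 0           # consecutive intervals over threshold
    attacking: bool = False        # discard action currently active


@dataclass
class FloodDetector:
    threshold: int                 # packets per interval per protected host
    protected: Set[str]            # hosts configured as objects to be protected
    attacks: int = 0               # "number of flood attacks" on the Statistics page
    dropped: int = 0               # "number of dropped flood attack packets"
    _state: Dict[str, _HostState] = field(
        default_factory=lambda: defaultdict(_HostState))

    def _close_intervals(self, st: _HostState, new_bucket: int) -> None:
        """Finalize every interval before new_bucket (empty ones count as zero)."""
        while st.bucket is not None and st.bucket < new_bucket:
            over = st.count > self.threshold
            st.consecutive = st.consecutive + 1 if over else 0
            if st.consecutive >= CONSECUTIVE_INTERVALS and not st.attacking:
                st.attacking = True
                self.attacks += 1
            elif not over:
                st.attacking = False   # assumption: attack ends when the rate drops
            st.bucket += 1
            st.count = 0

    def packet(self, ts: float, dst: str) -> str:
        """Process one packet and return the action taken: 'forward' or 'drop'."""
        if dst not in self.protected:
            return "forward"
        st = self._state[dst]
        bucket = int(ts // SAMPLING_INTERVAL_S)
        if st.bucket is None:
            st.bucket = bucket
        self._close_intervals(st, bucket)
        st.count += 1
        if st.attacking:
            self.dropped += 1
            return "drop"
        return "forward"

    def finish(self) -> None:
        """Close the last, partially filled interval of every host."""
        for st in self._state.values():
            if st.bucket is not None:
                self._close_intervals(st, st.bucket + 1)


def simulate_flood(rate_pps: int, seconds: int, dst: str = "2.0.0.2",
                   threshold: int = 1000) -> Tuple[int, int]:
    """Constructed traffic: rate_pps packets per second to dst for `seconds` seconds.
    Returns (attacks detected, packets dropped)."""
    det = FloodDetector(threshold=threshold, protected={dst})
    for s in range(seconds):
        for i in range(rate_pps):
            det.packet(s + i / rate_pps, dst)
    det.finish()
    return det.attacks, det.dropped
```

A three-second burst at 1500 pps is detected but drops nothing, because the discard action only takes effect on packets arriving after the third interval closes; this is why the text asks for at least four seconds of test traffic.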

Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of ICMP flood attacks and the number of dropped ICMP flood attack packets.

UDP Flood Attack Protection

Use SmartBits to send UDP packets from zone Untrust to 2.0.0.2 in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently.

Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of UDP flood attacks and the number of dropped UDP flood attack packets.

SYN Flood Attack Protection

Use SmartBits to send TCP SYN packets from zone Untrust to 2.0.0.2 in zone Trust at a rate higher than 1000 frames per second, changing the source address frequently.

Select Intrusion Detection > Statistics from the navigation tree and then select zone Trust. You can view the number of SYN flood attacks and the number of dropped SYN flood attack packets.

Scanning Prevention

Use SmartBits to send packets from zone Untrust to zone Trust at a rate higher than 500 frames per second, keeping the source address the same and changing the destination address frequently.

Select Intrusion Detection > Statistics from the navigation tree and then select zone Untrust. You can view the number of scanning attacks and the number of dropped scanning attack packets.

Because you selected Add a source IP to the blacklist when configuring scanning prevention, the device automatically adds scanning sources to the blacklist. You can see the source address used in the attack packets is on the blacklist.

Packet Inspection

Construct test packets as described in the following table. The table lists the types of attacks that the device can detect and protect against.

No.  Attack type        Packet characteristics
1    Tracert            ICMP packets with an increasing TTL (starting from 1) on Windows systems, or UDP packets with a large destination port number and an increasing TTL (starting from 1)
2    Large_ICMP         ICMP packets larger than the allowed size
3    Smurf              ICMP packets whose destination address is a broadcast address or a subnet address
4    ICMP Redirect      ICMP redirect packets (type 5)
5    ICMP Unreachable   ICMP unreachable packets (type 3)
6    Fraggle            UDP packets with destination port number 19 or 7
7    WinNuke            TCP packets with destination port number 139, the URG bit set, and a non-null urgent pointer
8    TCP Flag           TCP packets with improper flags
9    Land               TCP SYN packets whose source address is on the 127.0.0.0 segment, or is the same as the destination address
10   Route Record       IP packets with the Route Record option (0x07) selected
11   Source Route       IP packets with the Source Route option selected and the code field set to loose source routing (0x83) or strict source routing (0x89)

Select Intrusion Detection > Statistics from the navigation tree and then select zone Untrust. You can view the count of each kind of attack and the number of dropped attack packets.
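The signature checks from the table above, as an added example that is not H3C code: a classifier over pre-parsed packet headers that drops on any hit and keeps per-type counters like the Statistics page. Tracert is omitted because it needs TTL state across several packets; the definition of "improper" TCP flags, the Large_ICMP size limit, and the `Packet` field names are assumptions.

```python
"""Single-packet attack classifier modelled on the signature table above.

Added example, not H3C code. A Packet carries already-parsed header fields.
Assumptions beyond the table: "improper" TCP flags means no flags at all,
SYN+FIN or SYN+RST; the Large_ICMP size limit is a parameter; Smurf is judged
against the protected subnets handed to the inspector. Tracert is left out
because it needs TTL state across several packets, not a single-packet check.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Sequence, Tuple

ROUTE_RECORD_OPT = 0x07         # IP option type: Record Route
LOOSE_SOURCE_ROUTE_OPT = 0x83   # IP option type: Loose Source Route
STRICT_SOURCE_ROUTE_OPT = 0x89  # IP option type: Strict Source Route
LOOPBACK_NET = ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    proto: str                          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    length: int = 64                    # total IP length in bytes
    icmp_type: int = 8                  # echo request unless stated otherwise
    dst_port: int = 0
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. frozenset({"SYN"})
    urgent_pointer: int = 0
    ip_options: Tuple[int, ...] = ()    # option-type bytes present in the header


class PacketInspector:
    def __init__(self, protected_nets: Sequence[str], max_icmp_len: int = 1024):
        self.nets = [ip_network(n) for n in protected_nets]
        self.max_icmp_len = max_icmp_len          # assumed "allowed size"
        self.stats: Dict[str, int] = {}           # attack type -> dropped packets

    def _is_smurf_target(self, dst: str) -> bool:
        a = ip_address(dst)
        return any(a in (n.broadcast_address, n.network_address) for n in self.nets)

    def classify(self, p: Packet) -> List[str]:
        """Return every attack type from the table that the packet matches."""
        hits: List[str] = []
        if p.proto == "icmp":
            if p.length > self.max_icmp_len:
                hits.append("Large_ICMP")
            if self._is_smurf_target(p.dst):
                hits.append("Smurf")
            if p.icmp_type == 5:
                hits.append("ICMP Redirect")
            if p.icmp_type == 3:
                hits.append("ICMP Unreachable")
        elif p.proto == "udp":
            if p.dst_port in (7, 19):
                hits.append("Fraggle")
        elif p.proto == "tcp":
            f = p.tcp_flags
            if p.dst_port == 139 and "URG" in f and p.urgent_pointer != 0:
                hits.append("WinNuke")
            if not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
                hits.append("TCP Flag")
            if "SYN" in f and (p.src == p.dst or ip_address(p.src) in LOOPBACK_NET):
                hits.append("Land")
        if ROUTE_RECORD_OPT in p.ip_options:
            hits.append("Route Record")
        if LOOSE_SOURCE_ROUTE_OPT in p.ip_options or STRICT_SOURCE_ROUTE_OPT in p.ip_options:
            hits.append("Source Route")
        return hits

    def inspect(self, p: Packet) -> str:
        """Apply the configured action: drop on any hit and count it per type."""
        hits = self.classify(p)
        for h in hits:
            self.stats[h] = self.stats.get(h, 0) + 1
        return "drop" if hits else "forward"


def run_sample() -> Tuple[Dict[str, int], int, int]:
    """Constructed test traffic towards the 2.0.0.0/24 zone used in this example.
    Returns (per-type counts, packets dropped, packets forwarded)."""
    insp = PacketInspector(["2.0.0.0/24"])
    a = "1.0.0.100"
    syn = frozenset({"SYN"})
    traffic = [
        Packet("icmp", a, "2.0.0.2"),                                       # benign echo
        Packet("icmp", a, "2.0.0.255"),                                     # Smurf
        Packet("icmp", a, "2.0.0.2", length=65000),                         # Large_ICMP
        Packet("icmp", a, "2.0.0.2", icmp_type=5),                          # ICMP Redirect
        Packet("udp", a, "2.0.0.2", dst_port=19),                           # Fraggle
        Packet("tcp", a, "2.0.0.2", dst_port=80, tcp_flags=syn),            # benign SYN
        Packet("tcp", a, "2.0.0.2", dst_port=139,
               tcp_flags=frozenset({"URG", "ACK"}), urgent_pointer=3),      # WinNuke
        Packet("tcp", "2.0.0.2", "2.0.0.2", dst_port=80, tcp_flags=syn),    # Land
        Packet("tcp", a, "2.0.0.2", dst_port=80,
               tcp_flags=frozenset({"SYN", "FIN"})),                        # TCP Flag
        Packet("tcp", a, "2.0.0.2", dst_port=80, tcp_flags=syn,
               ip_options=(ROUTE_RECORD_OPT,)),                             # Route Record
        Packet("udp", a, "2.0.0.2", dst_port=53,
               ip_options=(LOOSE_SOURCE_ROUTE_OPT,)),                       # Source Route
    ]
    verdicts = [insp.inspect(p) for p in traffic]
    return insp.stats, verdicts.count("drop"), verdicts.count("forward")
```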

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/11

UTM Series Bandwidth Management Configuration Example

Keyword: Bandwidth management

Abstract: The UTM bandwidth management function can block some applications and perform application bandwidth control and policy bandwidth control as required.

Acronyms:

Acronym Full spelling

HTTP Hypertext Transfer Protocol

Table of Contents

Overview 3
  Introduction to Bandwidth Management 3
  Introduction to Services 3
Application Scenarios 3
Precautions 3
Configuration Example 4
  Network Requirements 4
  Configuration Considerations 4
  Applicable Versions 4
  Configuration Procedures 5
    Basic Configuration 5
    Configuring a Bandwidth Management Policy 8
  Verification 11

Overview

Introduction to Bandwidth Management

By purpose, network traffic can be divided into multiple service types, such as the e-mail service and the VoIP service. Bandwidth management refers to applying different management and control behaviors to different service types. Therefore, bandwidth management has two major components: the service and the service-specific control behavior.

A service can be system-defined or user-defined. All services are organized into a tree, which is called a service tree. A node of the service tree represents a service.

The device determines the service type of a received packet by its application protocol and IP address, and then performs the corresponding action (block or rate-limit) for the packet according to the user-defined rule for the service.

Additionally, you can configure per-segment bandwidth management policies so that you can more flexibly control the network traffic.

Introduction to Services

A service is a set of match rules. All network behaviors conforming to the match rules belong to the service.

A match rule consists of protocol, node, and direction, where protocol indicates the network protocol, node indicates a certain device or devices in a certain network segment, and direction indicates the probe direction. The three factors together determine that packets of a certain protocol sent or received by a specific device (or devices in the specific network segment) match the rule.

The service itself does not manage or control the network. A service can be referenced by a policy in the system. Then, the policy cooperates with the service to manage and control the network.

In the system, services are organized into a tree with only one root node. Except the root node, any other service can be appended to another service, with the former as the child service and the latter as the parent service.

Application Scenarios

Bandwidth management is applicable to enterprises and campuses. It guarantees bandwidth for mission-critical applications of the user network by performing flexible bandwidth controls for applications and limiting non-critical applications.

Precautions

When configuring bandwidth management, note that:

1) A bandwidth management policy that is applied to a segment cannot be deleted. When you delete such a policy on the bandwidth management display page, you only delete its application to the segment.

2) A packet can match only one bandwidth management policy on a segment. When multiple bandwidth management policies are configured for a segment, a policy configured with a smaller IP address range has a higher priority. When multiple policies are configured with the same IP address range, the policy configured first is preferentially matched.

Configuration Example

Network Requirements

The UTM device used in this example is a UTM200-S.

The internal network segment of the company is 10.1.1.0/24. Configure a bandwidth management policy on the Device to perform the following actions on the services in the incoming and outgoing traffic of the company's users (excluding the host with IP address 10.1.1.12):

- Block the FTP service.
- Rate-limit the BitTorrent service.

Figure 1 Network diagram for bandwidth management configuration

Configuration Considerations

- Redirect the traffic to be detected into the Device.
- Configure a bandwidth management policy.
- Activate the configuration.

Applicable Versions

F5118

Configuration Procedures

Basic Configuration

Configure interface GigabitEthernet 0/2

Select Device Management > Interface from the navigation tree. Click the icon corresponding to GigabitEthernet 0/2 to enter the Edit Interface page. Configure interface GigabitEthernet 0/2 as shown in the following figure, and then click Apply.

Select Device Management > Zone from the navigation tree. Click the icon corresponding to zone Trust to enter the Modify Zone page. In the following page, add GigabitEthernet 0/2 to zone Trust and click Apply to return to the Zone page.

Configure interface GigabitEthernet 0/1

In a similar way, configure the IP address of interface GigabitEthernet 0/1 as 20.1.1.1/24, and add the interface to zone Untrust. After the configuration, select Device Management > Interface from the navigation tree, and you can see information about interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2.

Configure NAT

Because the internal network and external network are on different network segments, for the internal users to access the external network through the Device, you must configure a NAT policy on interface GigabitEthernet 0/1. In this example, configure ACL 2000 to match the traffic, and configure the NAT method as Easy IP.

Select Firewall > ACL from the navigation tree and then click Add on the displayed page. On the Add ACL page, create ACL 2000. Then configure rules for the ACL. In this example, configure the ACL to permit packets with source address 10.1.1.0/24.

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, click Add in the Dynamic NAT field, and perform configuration as shown in the following figure.

Configure a flow redirecting policy

Configure a flow redirecting policy to redirect the traffic matching ACL 3000 between zone Trust and zone Untrust to segment 0.

First, select Firewall > ACL from the navigation tree and then click Add on the displayed page. On the Add ACL page, create ACL 3000. Then configure rules for ACL 3000 as shown in the following figure.

Select IPS|AV|Application Control > Advanced Configuration from the navigation tree, click Add in the Flow Redirect Policy field, and configure redirecting traffic matching ACL 3000 between zone Trust and zone Untrust to segment 0, as shown in the following figure.

Configuring a Bandwidth Management Policy

Enter the application security policy configuration page

Select IPS|AV|Application Control > Advanced Configuration from the navigation tree, and click Application Security Policy to enter the application security policy configuration page.

Configure a bandwidth management policy

Configure rules for the default bandwidth management policy Service Control Policy, and apply the policy to segment 0.

On the Bandwidth Management > Bandwidth Policies page, select the icon corresponding to policy Service Control Policy.

On the Rule Configuration page, click Add to create a rule and then click the icon of the rule. On the Select Service page that appears, select BitTorrent, and then click Apply.

On the Rule Configuration page, click Add to create a rule and then click the icon of the rule. On the Select Service page that appears, select File Server, and then click Apply.

On the Rule Configuration page, select action set Block for the File Server service and action set Rate Limit for the BitTorrent service, and set both the up bandwidth and down bandwidth of the BitTorrent service to 400 kbps. On the Apply Policy to page, click Add to add a scope, and click the icon of the new entry.

On the Apply Policy page that appears, perform the configuration as follows:

- Select segment 0.
- Select Internal Zone for the Management Zone.
- Add 10.1.1.0/24 to Internal Zone IP Addresses.
- Add 10.1.1.12/32 to Internal Zone Excluded IP Addresses.
- Click Apply.

After the configuration above, the Bandwidth Management Policy Application page appears.

On the page, click Apply.

Activate the configuration

After the configuration above, the policy application displaying page appears, as shown in the following figure. Click Activate, and a confirmation dialog box appears.

Click OK on the dialog box to activate the configuration.

Verification

1) The internal user with IP address 10.1.1.12 tries to access the external FTP server and download external BT resources. Because the IP address of the user is an excluded IP address, the user is not restricted by the bandwidth management policy. As a result, the user can successfully access the FTP server, and the BT downloading rate of the user can reach 280 kbps.

2) The other internal network users try to access the external FTP server and download external BT resources. Because of the bandwidth management policy, the users fail to access the FTP server, and the BT downloading rate is about 50 kbps.


Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/11

UTM Series IPS Configuration Example

Keywords: IPS

Abstract: This document describes an IPS configuration example for the UTM device.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management

IPS Intrusion prevention system

Table of Contents

Feature Overview 3
Application Scenarios 3
Configuration Guidelines 3
IPS Configuration Example 3
  Network Requirements 3
  Configuration Considerations 4
  Software Version Used 4
  Configuration Procedures 4
    Basic Configuration 4
    IPS Detection Configuration 8
    Verification 10
References 11
  Related Documentation 11

Feature Overview

An intrusion prevention system (IPS) is deployed on network trunks. It analyzes the packets and traffic passing through it and automatically blocks abnormal traffic. In general, an IPS can block, isolate, or disrupt abnormal traffic to prevent suspicious code from being injected into target hosts and executed. You can configure policies so that the IPS performs real-time analysis and traffic detection and executes predefined actions.

Application Scenarios

The IPS feature is used to analyze and detect abnormal traffic and packets in the network, and perform corresponding actions to protect the host from being attacked.

Configuration Guidelines

All configurations are based on the default configurations of the device.

When configuring IPS, note that:

- You cannot delete an IPS policy that has been applied to a segment.
- You cannot delete the system default IPS policy and rules.
- For a packet of a segment, the system can use at most one IPS policy application scheme. If you configure multiple application schemes for a segment, the system sorts, for each packet to be processed, the application schemes matching the packet by IP address scope and uses the scheme with the smallest IP address scope. If two schemes have the same IP address scope, the one configured earlier has a higher priority.
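The scheme-selection rule stated here, and in the Precautions of the bandwidth management example above, as an added example that is not H3C code: at most one scheme applies to a packet on a segment, the smallest IP address scope wins, and equal scopes are broken by configuration order. The `excluded` and `rules` fields on the scheme (modelled on the 10.1.1.12 exclusion and the Block/Rate Limit rules of the bandwidth example) and the extra schemes that show the priority rules are assumptions; direction is not modelled.

```python
"""Policy application scheme selection for a segment.

Added example, not H3C code. It models the rule stated for IPS policies and in
the bandwidth management precautions: a packet matches at most one scheme on a
segment, the scheme with the smallest IP address scope wins, and on equal scope
the scheme configured first wins. The excluded-address list (used for 10.1.1.12
in the bandwidth example) and the rule table are modelled as fields on the
scheme; their names are assumptions. Direction is not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence


@dataclass
class Scheme:
    name: str
    segment: int
    scope: str                              # IP address scope, e.g. "10.1.1.0/24"
    order: int                              # configuration order; lower = configured earlier
    excluded: List[str] = field(default_factory=list)    # e.g. ["10.1.1.12/32"]
    rules: Dict[str, str] = field(default_factory=dict)  # service -> action

    def covers(self, addr: str) -> bool:
        """True if addr is inside the scope and not in an excluded range."""
        a = ip_address(addr)
        if a not in ip_network(self.scope):
            return False
        return not any(a in ip_network(x) for x in self.excluded)

    @property
    def scope_size(self) -> int:
        return ip_network(self.scope).num_addresses


def select_scheme(schemes: Sequence[Scheme], segment: int, addr: str) -> Optional[Scheme]:
    """Pick the single scheme that applies to addr on segment, or None."""
    candidates = [s for s in schemes if s.segment == segment and s.covers(addr)]
    if not candidates:
        return None
    # smallest IP address scope first; ties go to the earlier-configured scheme
    return min(candidates, key=lambda s: (s.scope_size, s.order))


def decide(schemes: Sequence[Scheme], segment: int, addr: str, service: str) -> str:
    """Action for one flow: the matched scheme's rule for the service, else Permit."""
    scheme = select_scheme(schemes, segment, addr)
    if scheme is None:
        return "Permit"
    return scheme.rules.get(service, "Permit")


# The bandwidth management example from this document: default policy
# "Service Control Policy" on segment 0 for 10.1.1.0/24, host 10.1.1.12 excluded.
SERVICE_CONTROL = Scheme(
    name="Service Control Policy", segment=0, scope="10.1.1.0/24", order=0,
    excluded=["10.1.1.12/32"],
    rules={"File Server": "Block", "BitTorrent": "Rate Limit 400 kbps"},
)

# Constructed extra schemes to show the priority rules (not from the document).
NARROW = Scheme(name="narrow", segment=0, scope="10.1.1.0/28", order=1,
                rules={"File Server": "Permit"})
LATER_SAME_SCOPE = Scheme(name="later", segment=0, scope="10.1.1.0/24", order=2,
                          rules={"File Server": "Rate Limit 100 kbps"})
ALL_SCHEMES = [SERVICE_CONTROL, NARROW, LATER_SAME_SCOPE]
```

Note that an excluded address is simply not covered by that scheme, so a second scheme with the same scope but no exclusion would still match it.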

IPS Configuration Example

Network Requirements

A company’s internal network segment is 192.168.1.0/24, and the external network segment is 192.168.100.0/22. The host at 192.168.1.3 acts as the Web server in the internal network and connects to interface GigabitEthernet 0/2 of the UTM device. Configure an IPS policy on the UTM device to protect the host from attacks from external networks.

Figure 1 Network diagram for IPS configuration

Configuration Considerations

- Redirect the traffic requiring detection to depth detection.
- Create an IPS policy.
- Configure rules for the IPS policy.
- Apply the IPS policy to a segment.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring interface GigabitEthernet 0/1

Select Device Management > Interface from the navigation tree, and click the icon of GigabitEthernet 0/1 to enter the page for editing the interface. Perform the configurations as in the following figure and click Apply to finish the configuration.

Select Device Management > Zone from the navigation tree, and click the icon of the Untrust zone to enter the page for modifying the zone. Add interface GigabitEthernet 0/1 to the Untrust zone, and click Apply to return to the Zone page.

Configuring interface GigabitEthernet 0/2

Assign IP address 192.168.1.1/24 to interface GigabitEthernet 0/2, and add the interface to the Trust zone. Select Device Management > Interface to view the configuration result, as shown in the following figure.

Configuring the NAT server

In this example, a NAT server is required to assign an external IP address 192.168.102.132 to the internal Web server at 192.168.1.3. Select Firewall > NAT Policy > Internal Server from the navigation tree, and click Add in the Internal Server area.

On the Add Internal Server page, configure interface as GigabitEthernet 0/1, protocol type as TCP, external IP address as 192.168.102.132, internal IP address as 192.168.1.3, and both the global port and internal port as 80, as shown in the following figure.

Configuring interzone policy

Configure the interzone policy to allow PCs in the Untrust zone to access the internal Web server in the Trust zone. Select Firewall > Security Policy > Interzone Policy from the navigation tree, and click Add to enter the page for adding an interzone policy. Configure the source zone as Untrust, destination zone as Trust, source IP address as any_address, destination IP address as 192.168.1.0/24, and filter action as Permit, as shown in the following figure.

Configuring a flow redirect policy

This configuration redirects the flow matching ACL 3000 between Trust and Untrust to segment 0.

Select Firewall > ACL from the navigation tree, and create an ACL with ID 3000. Configure rules for ACL 3000 to permit traffic sourced from the Untrust zone, as shown in the following figure.


Select IPS | AV | Application Control > Advanced Configuration from the navigation tree, and create a flow redirect policy to redirect the flow matching ACL 3000 to segment 0.

IPS Detection Configuration

Select IPS | AV | Application Control > Advanced Configuration from the navigation tree, and click the Application Security Policy link to enter the depth detection page.

Creating an IPS policy

Select IPS > IPS Policies to enter the IPS policy list page, as shown in the following figure.

Click Add to enter the IPS policy configuration page. Set the policy name to IPS enable and the description to IPS enable all, select Attack Policy in the Copy Rules from drop-down list, and click Apply.


Configuring rules for the IPS policy

After the above configuration, the Rule Management page appears. Policy IPS enable has been selected by default. Select the Modify all matched rules option, and click Enable Rule.

Applying the IPS policy to a segment

Select IPS > Segment Policies from the navigation tree, and click Add to enter the page for applying an IPS policy to a segment.

Specify the segment to be associated as 0, the policy as IPS enable, and the direction as Both, and then click Apply.


Activating the configuration

After the above configuration, the page turns to the segment policy list page. Click Activate. A confirmation dialog box appears. Click OK to activate the configuration.

Verification

A PC in the external network acts as the attacker. X-Scan V3.3, which can scan the ports of a target host, is installed on it.

X-Scan is a commonly used scanner that uses multiple threads to detect vulnerabilities on a specified IP address range or a single host, and it supports plug-ins. It can scan for remote service types, operating system type and version, weak passwords, backdoors, application service vulnerabilities, network device vulnerabilities, and DoS vulnerabilities.

An external user at 192.168.100.5 enables X-Scan and scans the target host 192.168.102.132.

Select Log Management > Attack Logs > Recent Logs from the navigation tree to view the generated block logs and alarm logs.


References

Related Documentation

UTM Series Signature Update Configuration Example

IPS Configuration in the Web configuration documentation set


UTM Series Anti-Virus Configuration Example

Keywords: Anti-virus

Abstract: This document presents the typical methods for anti-virus configuration on the UTM devices.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management

AV Anti-virus


Table of Contents

Feature Overview ... 3
Application Scenarios ... 3
Configuration Guidelines ... 3
Configuration Example ... 3
    Network Requirements ... 3
    Configuration Considerations ... 3
    Software Version Used ... 4
    Configuration Procedures ... 4
        Basic Configurations ... 4
        Anti-Virus Configurations ... 7
    Verification ... 9
References ... 10
    Related Documentation ... 10


Feature Overview

The UTM anti-virus feature can be deployed inline on the network backbone to analyze packets in real time and automatically take countermeasures against packets carrying viruses and against abnormal traffic, so as to prevent viruses from spreading.

Application Scenarios

The UTM anti-virus feature applies to scenarios where network traffic must be analyzed and traffic abnormalities detected so as to prevent viruses from spreading.

Configuration Guidelines

When performing anti-virus configurations, note that:

1) You cannot delete an anti-virus policy that has been applied to a segment.
2) You cannot delete the system default anti-virus policy and rules.
3) On a segment, at most one anti-virus policy application is used for a packet. If a packet matches multiple anti-virus policy applications, the policy application with the smallest IP address scope is used. If two policy applications have the same IP address scope, the one configured earlier has a higher priority.
4) To perform anti-virus configurations, you need to enter the application security policy page first by selecting IPS|AV|Application Control > Advanced Configuration from the navigation tree and then clicking the Application Security Policy link.

Configuration Example

Network Requirements

The internal network of a company uses the address range 192.168.1.0/24. Configure anti-virus policies on the Device so that internal users cannot upload viruses through FTP or send viruses through mail to the Internet.

Figure 1 Network diagram for anti-virus configuration (Device: GE0/2 192.168.1.1/24 in zone Trust, facing the internal host 192.168.1.2/24; GE0/1 192.168.100.1/24 in zone Untrust, facing the Internet)

Configuration Considerations

- Redirect the traffic for in-depth detection
- Create an anti-virus policy
- Configure an anti-virus rule
- Apply the policy to a specific segment

Software Version Used

F5118

Configuration Procedures

Basic Configurations

Configuring interface GE 0/2

Select Device Management > Interface from the navigation tree and then click the icon of interface GE 0/2, configure the interface as follows, and click Apply.

Select Device Management > Zone from the navigation tree and then click the icon of zone Trust. Then, add interface GE 0/2 to zone Trust and click Apply, as shown in the following figure.


Configuring interface GE 0/1

Similarly, assign IP address 192.168.100.1/24 to interface GE 0/1 and add the interface to zone Untrust. Then, select Device Management > Interface from the navigation tree to verify your configuration:

Configuring NAT

Because the internal and external networks are different network segments, to allow internal users to access the external network through the Device you need to configure a NAT policy on interface GE 0/1. In this example, ACL 2000 is configured and the Easy IP mode is used.

Select Firewall > ACL from the navigation tree. Create ACL 2000 and add a rule to permit the traffic to be processed by NAT. In this example, the rule permits packets from 192.168.1.0/24.


Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Then under Dynamic NAT, click Add and perform the following configurations:

Configuring flow redirect policies

This task is to configure flow redirect policies to redirect traffic between zones Trust and Untrust to segment 0.

First, select Firewall > ACL from the navigation tree. Create ACL 3000 and add the rules shown in the following figure:

Then, select IPS | AV | Application Control > Advanced Configuration from the navigation tree, create flow redirect policies and apply them to segment 0, as shown in the following figure:


Anti-Virus Configurations

Creating anti-virus policy RD

Enter the application security policy page by selecting IPS|AV|Application Control > Advanced Configuration from the navigation tree and then clicking the Application Security Policy link. Then, select Anti-Virus > Anti-Virus Policies from the navigation tree to enter the anti-virus policy management page. Click Add and configure the policy as follows:

Type RD as the policy name. Type AV policy for RD as the description. Select Anti-Virus Policy for the Copy Rules from drop-down list. Click Apply.

Configuring anti-virus rule Virus

After the policy configuration is complete, the rule management page appears. Leave the default policy RD unchanged and perform the following configurations:


Select RD as the policy name. Type virus in the Name field in the query area. Click Query to find the rule named Virus. Select the check box before rule Virus. Select Block+Notify as the action set and click Modify Action Set. Click Enable Rule.

Applying the anti-virus policy to segment 0

Select Anti-Virus > Segment Policies from the navigation tree and then click Add and perform the following configurations:

Select segment 0. Select the policy of RD. Select External zone to Internal zone. Click Apply.

Activating configurations

After the configuration is complete, the policy application management page appears. Click Activate and confirm your operation to activate the configurations.

Page 174: H3C SecPath UTM Series Configuration Examples · UTM Unified Threat Management AV Anti-virus IPS Intrusion Prevention System . UTM Series Signature Upgrade Configuration Example Hangzhou

UTM Series Anti-Virus Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 9/10

Verification

To verify the configurations, first simulate a virus with the EICAR test file. You may follow these steps:

On a host in the internal network, launch Notepad and copy the following text into it.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save the file, selecting All Files for the Save as type field and naming the file EICAR.COM. Compress the file into a WinRAR file named eicar.rar.

The EICAR test file is a harmless test virus developed by the European Institute for Computer Antivirus Research (EICAR) and global anti-virus companies for testing the anti-virus function of anti-virus products.

Using the host, access and upload file eicar.rar to FTP server 192.168.100.10, which resides on the Internet. The upload operation will fail. Selecting Log Management > Virus Log > Recent Logs from the navigation tree, you can see a block log.

Using the host, access mail server 192.168.100.240, which resides on the Internet. Then, try to send a mail appended with file eicar.rar. The sending operation will fail. Selecting Log Management > Virus Log > Recent Logs from the navigation tree, you can see the block logs.
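The verification step above, as an added Python example that is not part of the H3C document: it builds the EICAR test file, packs it into an archive, and runs a toy signature check that looks inside the archive the way the Block+Notify rule has to. ZIP stands in for the WinRAR archive because the standard library can write it offline, and the signature check is a literal match, not the device's scanning engine.

```python
import hashlib
import io
import zipfile

# The 68-byte EICAR test string from the verification step (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_eicar_com() -> bytes:
    """Contents of EICAR.COM as saved from Notepad with no trailing newline."""
    return EICAR


def eicar_md5() -> str:
    """MD5 of the test file; the published value is 44d88612fea8a8f36de82e1278abb02f."""
    return hashlib.md5(build_eicar_com()).hexdigest()


def build_archive(member_name: str, data: bytes) -> bytes:
    """Pack one file into an in-memory ZIP archive. The page compresses with
    WinRAR (eicar.rar); ZIP is used here because the standard library writes it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def contains_signature(data: bytes) -> bool:
    """Toy signature check: a literal match on the EICAR string."""
    return EICAR in data


def scan_upload(filename: str, data: bytes, inspect_archives: bool = True) -> dict:
    """Decide what the Block+Notify rule would do with one uploaded file.
    With inspect_archives=False the compressed copy slips through, which is why
    the gateway has to unpack archives before matching signatures."""
    if contains_signature(data):
        return {"action": "Block+Notify", "file": filename, "matched": filename}
    if inspect_archives and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if contains_signature(zf.read(member)):
                    return {"action": "Block+Notify", "file": filename,
                            "matched": f"{filename}:{member}"}
    return {"action": "Permit", "file": filename, "matched": None}


if __name__ == "__main__":
    plain = build_eicar_com()
    packed = build_archive("EICAR.COM", plain)
    print(eicar_md5())
    print(scan_upload("EICAR.COM", plain))
    print(scan_upload("eicar.zip", packed))
    print(scan_upload("eicar.zip", packed, inspect_archives=False))
```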


References

Related Documentation

Anti-Virus Configuration in the Web configuration manual.


UTM Series Flow Logging Configuration Example

Keywords: Flow logging

Abstract: This document describes the flow logging configuration method of the H3C UTM devices.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management


Table of Contents

Feature Overview ... 3
Application Scenarios ... 3
Configuration Guidelines ... 3
Configuration Example ... 3
    Network Requirements ... 3
    Configuration Considerations ... 3
    Software Version Used ... 4
    Configuration Procedures ... 4
        Basic Configurations ... 4
        Configuring Flow Logging ... 7
    Verification ... 9
    Troubleshooting ... 10
References ... 11
    Related Documentation ... 11


Feature Overview

UTM devices provide in-depth inspection and recognition of Layer 4 to Layer 7 applications. Based on the system configuration, a UTM device generates various kinds of flow logs and sends them to the management host on which the UTM Manager is installed; the UTM Manager then collects and analyzes the current traffic.

Application Scenarios

Flow logging collects real-time traffic on the network, analyzes various applications, and records users' access to the network.

Configuration Guidelines

At present, only the U200-A, U200-M, and U200-CA devices support flow logging.

Configuration Example

Network Requirements

Internal user Client with the IP address of 4.1.1.2 connects to interface GigabitEthernet 0/4 on the Device and accesses the external network through the Device. Flow logging is configured on the Device, which sends logs to the remote UTM Manager with the IP address of 192.168.96.15 for data collection and analysis.

Figure 1 Network diagram for flow logging (Client 4.1.1.2 in zone Trust, connected to Device GE0/4 4.1.1.1; Device GE0/1 192.168.102.139 in zone Untrust, facing the Internet; UTM Manager 192.168.96.15)

Configuration Considerations

- Configure flow logging on the Device
- Add the Device on the SecCenter (UTM Manager), which receives the flow logs reported by the Device


Software Version Used

F5118

Configuration Procedures

Basic Configurations

Configuring interface GigabitEthernet 0/1

Select Device Management > Interface from the navigation tree to enter the interface management page. Click the icon of GigabitEthernet 0/1 to enter the interface configuration page. Configure the interface as shown in the following figure, and click Apply to return to the interface management page.

Select Device Management > Zone from the navigation tree to enter the Modify Zone page. Click the icon of zone Untrust to enter the zone modification page, add interface GigabitEthernet 0/1 to the zone as shown in the following figure, and then click Apply to return to the Zone page.


Configuring interface GigabitEthernet 0/4

Configure the IP address of GigabitEthernet 0/4 as 4.1.1.1/24 and add it to zone Trust in the same way. To view the interface after the configuration, select Device Management > Interface from the navigation tree.

Configuring NAT

To enable the internal host to connect to the external network through the Device, configure NAT policies on interface GigabitEthernet 0/1. In this example, the ACL number is 3004, and the address translation method is Easy IP.

Select Firewall > ACL from the navigation tree to enter the ACL management page, and then click Add to create ACL 3004. On the ACL management page, click the icon of ACL 3004 and then click Add to create a rule to define the traffic to be configured. In this example, the rule is to permit the packets with the source IP address of 4.1.1.0/24, as shown in the following figure:

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. Then click Add and perform the configuration shown in the following figure.

Routing information

Select Network > Routing Management > Static Routing from the navigation tree. Add a static route with the next hop 192.168.100.254, which is the IP address of the external router’s interface that is within the same network segment as GigabitEthernet 0/1.

Configuring a flow redirect policy

Redirect the traffic to be managed to the i-Ware platform for in-depth inspection. In this example, redirect the traffic between zone Trust and zone Untrust that matches ACL 3000 to segment 0.

Select Firewall > ACL from the navigation tree. Create ACL 3000 and add rules for the ACL to define the traffic to be configured, as shown in the following figure:

Select IPS | AV | Application Control > Advanced Configuration from the navigation tree to add a flow redirect policy, redirecting the traffic that matches ACL 3000 to segment 0.


Enabling the SNMP agent

[U200S] snmp-agent sys-info version all

[U200S] snmp-agent community read public

[U200S] snmp-agent community write private

Configuring Flow Logging

Configuring flow logging on the Device

Configure flow control communication parameters

Select Log Management > Flow Log > Configure Communication Parameters from the navigation tree to enter the page as shown in the following figure. You can set the IP address for the remote log server, port number and log sending rate.

Configure flow logging

Select Log Management > Flow Log > Configure Flow Logging from the navigation tree to enter the page as shown in the following figure. Select the checkboxes, click Apply, and then click Activate to activate the configuration.

In the above figure, to record the traffic of various services on the entire link, select Link Logs; to record user-specific traffic of various services, select User Logs; to record session-specific traffic of various services, select Session Logs. Generally, Link Logs is selected.


Before selecting Session Logs, select Bandwidth Management > Service Management from the navigation tree and then select the Record Logs check box to enable the recording of logs.

Adding the Device to the SecCenter

On the SecCenter interface, select the System Management tab to enter the system management configuration page. Then from the navigation tree, select Device List under Device Management to enter the device management page. Then, click Add to enter the page for adding a device. Type the IP address of the external interface of Device as the host IP address. Specify the device label. If the Device system time zone is UTC, select Greenwich Mean Time for the time calibration. Leave the default settings for other parameters.


Verification

The host can browse web pages through HTTP and download files through FTP. By selecting Bandwidth Management > Traffic Snapshot, you can display the statistics of the traffic passing through this device.

Network traffic snapshot:

Service traffic distribution graph:


Top users’ statistics graph:

Troubleshooting

If you have configured flow logging but the SecCenter does not output statistics, check the following:

- The traffic is redirected to the i-Ware platform.
- The configuration is activated after flow logging is configured.
- The remote network management host and the device can reach each other, and the port number is correctly configured.
- The device is added to the SecCenter.
- Capture packets on the host and check whether there is traffic to the destination port.


References

Related Documentation

UTM Series Signature Upgrade Configuration Example

UTM Series Protocol Auditing and SecCenter Configuration Example


UTM Series Protocol Auditing Configuration Example

Keywords: protocol auditing, syslog

Abstract: This document describes configuration examples of protocol auditing for UTM series devices.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management


Table of Contents

Feature Overview ... 3
Application Scenarios ... 3
Configuration Guidelines ... 3
Protocol Auditing Configuration Example ... 3
    Network Requirements ... 3
    Configuration Consideration ... 4
    Software Version Used ... 4
    Configuration Procedures ... 4
        Basic Configuration ... 4
        Configuring Protocol Auditing ... 8
    Verification ... 11
References ... 11
    Related Documentation ... 11


Feature Overview

You can configure protocol auditing to audit the following protocols:

- HTTP: Audits the URLs that users have accessed and the Host field.
- SMTP/POP3: Audits senders, receivers, CC and BCC recipients, and mail subjects.
- FTP: Audits information about the files that users upload or download, such as the file name.

The logs of the protocol auditing are output to a syslog host.

Application Scenarios

Protocol auditing can be used to audit and analyze user behavior, helping you find out which websites are popular, who the most active users in the network are, and what the network trends are.

Configuration Guidelines

When configuring protocol auditing, note that:

You cannot delete a protocol auditing policy that has been applied to a segment.
The logs generated during protocol auditing can be output only to syslog hosts. To output protocol auditing logs to a syslog host, be sure to specify the syslog host.
A packet on a segment can use at most one protocol auditing application scheme. If you configure multiple application schemes for a segment, the system sorts, for each packet to be processed, the application schemes matching the packet by IP address scope and uses the scheme with the smallest IP address scope for the packet. If two schemes have the same IP address scope, the one configured earlier has higher priority.
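The scheme selection rule above, worked through in code. This is an added illustration, not H3C code: AppScheme, select_scheme and the 10.1.1.64/26 group schemes are a constructed model of the behaviour the guideline describes, including an excluded IP list like the 10.1.1.12/32 entry used later in this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network


@dataclass
class AppScheme:
    """Constructed model of one application scheme applied to a segment.

    scope:    the internal-zone IP address range the scheme covers
    excluded: addresses carved out of that range (the excluded IP list)
    order:    configuration order, 1 = configured first
    """
    name: str
    policy: str
    scope: IPv4Network
    order: int
    excluded: List[IPv4Network] = field(default_factory=list)

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        # An address on the excluded list never matches, even though it is
        # inside the scope (like 10.1.1.12/32 in the example).
        if ip not in self.scope:
            return False
        return not any(ip in net for net in self.excluded)


def select_scheme(schemes: List[AppScheme], src_ip: str) -> Optional[AppScheme]:
    """Pick the scheme the device would apply to a packet from src_ip.

    Rule from the guidelines: among the matching schemes, the one with the
    smallest IP address scope wins; on an equal scope, the scheme configured
    earlier has priority. None means no scheme matches, so no auditing.
    """
    ip = ipaddress.IPv4Address(src_ip)
    candidates = [s for s in schemes if s.matches(ip)]
    if not candidates:
        return None
    # Fewer addresses == smaller scope; lower order == configured earlier.
    return min(candidates, key=lambda s: (s.scope.num_addresses, s.order))


# Constructed sample: the whole-subnet scheme from this example plus two
# overlapping schemes for a hypothetical 10.1.1.64/26 group (names and the
# "HTTP-only" policy are made up) to exercise the tie-breaking rule.
SCHEMES = [
    AppScheme("internal", "SMTP+POP3", IPv4Network("10.1.1.0/24"), order=1,
              excluded=[IPv4Network("10.1.1.12/32")]),
    AppScheme("group-a", "Audit Policy", IPv4Network("10.1.1.64/26"), order=2),
    AppScheme("group-b", "HTTP-only", IPv4Network("10.1.1.64/26"), order=3),
]


def policy_for(src_ip: str) -> Optional[str]:
    """Name of the auditing policy applied to traffic from src_ip, or None."""
    scheme = select_scheme(SCHEMES, src_ip)
    return scheme.policy if scheme else None


if __name__ == "__main__":
    for host in ("10.1.1.13", "10.1.1.12", "10.1.1.70", "192.0.2.5"):
        print(host, "->", policy_for(host))
```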

Protocol Auditing Configuration Example

Network Requirements

The Device connects the internal network 10.1.1.0/24 through GigabitEthernet 0/2 and connects the external network through GigabitEthernet 0/1. Configure a protocol auditing policy on the Device to audit the SMTP and POP3 traffic of all internal users except for the host at 10.1.1.12. Configure the Device to send logs to syslog server 20.1.1.3, which is in the external network.


Figure 1 Network diagram for configuring protocol auditing

Configuration Consideration

Configure a redirect policy for in-depth inspection.
Create a protocol auditing policy.
Configure rules in the protocol auditing policy.
Configure the notify action so that the auditing log files are sent to the destination syslog host.
Apply the policy to a segment.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring GigabitEthernet 0/2

Select Device Management > Interface from the navigation tree. Click the icon of interface GigabitEthernet 0/2 to enter the page for configuring the interface. Perform the configurations shown in Figure 2, and click Apply.


Figure 2 Configure GigabitEthernet 0/2

Select Device Management > Zone from the navigation tree to enter the zone list page. Click the icon of zone Trust to enter the page for editing the zone. Add GigabitEthernet 0/2 to zone Trust as shown in Figure 3. Click Apply. The zone list page appears again.

Figure 3 Add GigabitEthernet 0/2 to zone Trust


Configuring GigabitEthernet 0/1

Follow the same procedure to assign IP address 20.1.1.1/24 to GigabitEthernet 0/1 and add the interface to zone Untrust. Then, select Device Management > Interface from the navigation tree to view the configuration result, as shown in Figure 4.

Figure 4 Interface list

Configuring NAT

As the internal network and external network are on different network segments, you need to configure a NAT policy to allow internal users to access the external network. In this example, configure dynamic NAT on GigabitEthernet 0/1, referencing ACL 2000 and configuring Easy IP as the address translation mode. To do so, follow these steps:

1) Select Firewall > ACL from the navigation tree. Add ACL 2000 and configure a rule for the ACL to permit packets sourced from 10.1.1.0/24, as shown in Figure 5.

Figure 5 Configure ACL 2000

2) Select Firewall > NAT Policy > Dynamic NAT, and click Add in the Dynamic NAT area. Perform the configurations shown in Figure 6.


Figure 6 Configure dynamic NAT

Configuring a redirect policy

For in-depth inspection, you need to configure a redirect policy to redirect all traffic flows between zones Trust and Untrust that match ACL 3000 to segment 0. Follow these steps:

1) Select Firewall > ACL from the navigation tree. Create ACL 3000 and configure rules for the ACL as shown in Figure 7.

Figure 7 Configure ACL 3000

2) Select IPS | AV | Application Control > Advanced Configuration to enter the advanced configuration page. Create a redirect policy to redirect all traffic flows that match ACL 3000 to segment 0.

Figure 8 Configure a redirect policy


Configuring Protocol Auditing

Entering the application security policy configuration page

Select IPS | AV | Application Control > Advanced Configuration to enter the advanced configuration page. Click the Application Security Policy link to enter the application security policy configuration page.

Figure 9 Application security policy link

Creating a protocol auditing policy

Select Protocol Audit > Policy Management from the navigation tree to enter the policy configuration page. Click Add to enter the page for creating a protocol auditing policy. Perform the configurations shown in Figure 10.

Figure 10 Create a protocol auditing policy

Type SMTP+POP3 as the policy name. Type Audit policy for SMTP+POP3 as the policy description. Specify to copy rules from Audit Policy. Click Apply.

Configuring rules for the protocol auditing policy

After the policy is created, the page for configuring rules appears. The policy you have just created is selected by default. Perform the configurations shown in Figure 11.


Figure 11 Configure rules

Select check boxes HTTP and FTP. Click Disable Rule.

Configuring the notify action

Select System Management > Action Management > Notify Actions to enter the page that displays the notify actions. Click the icon of the Notify action to enter the page for configuring the actions. Perform the configurations shown in Figure 12.

Figure 12 Configure the notify action

Select the Output to syslog host check box. Type host1 as the name. Type 20.1.1.3 as the IP address. Type 514 as the port number. Click Add to add the host to the syslog host list.


Select host1 in the list box. Click Apply.

Applying the protocol auditing policy to segment 0

Select Protocol Audit > Segment Policy Management from the navigation tree and then click Add to enter the page for applying a policy to a segment. Perform the configurations shown in Figure 13.

Figure 13 Apply the protocol auditing policy

Select segment 0. Select SMTP+POP3 as the policy. Select Both for Direction. Add 10.1.1.0/24 to the IP address list of the internal zone. Add 10.1.1.12/32 to the excluded IP address list for the internal zone. Click Apply.

Activating the configuration

After the configuration above, the policy application list page appears, as shown in Figure 14. Click Activate and confirm your operation to activate the configuration.


Figure 14 Activate the configuration

Verification

The mail server is at 20.1.1.3 in the external network. When internal users receive and send mails, the syslog host receives SMTP and POP3 protocol auditing logs like the following:

Jan 31 10:55:34 2010 H3C %%11DATALOG/3/AUDIT(l):-DEV_TYPE=UTM-PN=210235A312A08B000004 data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=(84021328)SMTP;src_ip(22)=10.1.1.13;src_port(23)=1645;dst_ip(24)=20.1.1.3;dst_port(25)=25;ifname_in(16)=eth0/1;ifname_out(17)=eth0/1;from(94)=apple@ha;to(95)=banana@ha;cc(96)=apple@ha;subject(98)=hi;net_user(122)=10.1.1.13

Jan 31 10:55:37 2010 H3C %%11DATALOG/3/AUDIT(l):-DEV_TYPE=UTM-PN=210235A312A08B000004 data_type(1)=audit;log_type(2)=pop3 audit;app_protocol_name(6)=(84020174)pop3(TCP);src_ip(22)=10.1.1.13;src_port(23)=1647;dst_ip(24)=20.1.1.3;dst_port(25)=110;ifname_in(16)=eth0/1;ifname_out(17)=eth0/1;from(94)=apple@ha;to(95)=banana@ha;cc(96)=apple@ha;subject(98)=hi;net_user(122)=20.1.1.3;;
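A parser for the audit records above, as an added example that is not from H3C or this manual. It splits the header and the name(id)=value body of each line, then checks that the excluded host 10.1.1.12 never shows up as a source and tallies mail operations per user; the two sample lines are the records shown above rejoined onto single lines, and all function names are my own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the two audit records shown above, each rejoined
# onto a single line the way the syslog host stores them.
SAMPLE_LOGS = [
    "Jan 31 10:55:34 2010 H3C %%11DATALOG/3/AUDIT(l):-DEV_TYPE=UTM-PN=210235A312A08B000004 "
    "data_type(1)=audit;log_type(2)=smtp audit;app_protocol_name(6)=(84021328)SMTP;"
    "src_ip(22)=10.1.1.13;src_port(23)=1645;dst_ip(24)=20.1.1.3;dst_port(25)=25;"
    "ifname_in(16)=eth0/1;ifname_out(17)=eth0/1;from(94)=apple@ha;to(95)=banana@ha;"
    "cc(96)=apple@ha;subject(98)=hi;net_user(122)=10.1.1.13",
    "Jan 31 10:55:37 2010 H3C %%11DATALOG/3/AUDIT(l):-DEV_TYPE=UTM-PN=210235A312A08B000004 "
    "data_type(1)=audit;log_type(2)=pop3 audit;app_protocol_name(6)=(84020174)pop3(TCP);"
    "src_ip(22)=10.1.1.13;src_port(23)=1647;dst_ip(24)=20.1.1.3;dst_port(25)=110;"
    "ifname_in(16)=eth0/1;ifname_out(17)=eth0/1;from(94)=apple@ha;to(95)=banana@ha;"
    "cc(96)=apple@ha;subject(98)=hi;net_user(122)=20.1.1.3;;",
]

# Fixed header: timestamp, sysname, %%11DATALOG/<severity>/AUDIT(l):-DEV_TYPE=..-PN=..
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<sysname>\S+) "
    r"%%11DATALOG/(?P<severity>\d)/AUDIT\(\w\):"
    r"-DEV_TYPE=(?P<dev_type>[^-]+)-PN=(?P<pn>\S+) "
    r"(?P<body>.*)$"
)
# Body: ';'-separated name(id)=value fields; values may contain spaces and
# parentheses ("smtp audit", "(84020174)pop3(TCP)") but never ';'.
FIELD_RE = re.compile(r"(?P<key>[a-z_]+)\((?P<id>\d+)\)=(?P<value>[^;]*)")


def parse_audit_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one DATALOG/AUDIT line into a flat dict, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    record: Dict[str, object] = {
        "timestamp": m.group("timestamp"),
        "sysname": m.group("sysname"),
        "severity": int(m.group("severity")),
        "dev_type": m.group("dev_type"),
        "pn": m.group("pn"),
    }
    for f in FIELD_RE.finditer(m.group("body")):
        record[f.group("key")] = f.group("value")
    return record


def parse_audit_logs(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse every audit line, silently skipping anything else in the feed."""
    return [r for r in (parse_audit_log(ln) for ln in lines) if r is not None]


def unexpected_sources(records, excluded: Iterable[str]) -> List[str]:
    """Source addresses that appear in the feed although they are on the
    excluded IP list of the segment policy (10.1.1.12 in this example).
    An empty result means the exclusion is working as configured."""
    excluded_set = set(excluded)
    return sorted({r["src_ip"] for r in records if r.get("src_ip") in excluded_set})


def mail_activity(records) -> Counter:
    """Count audited mail operations per (net_user, log_type): the per-user
    view the auditing logs are meant to support."""
    return Counter((r.get("net_user"), r.get("log_type")) for r in records)


if __name__ == "__main__":
    recs = parse_audit_logs(SAMPLE_LOGS)
    for r in recs:
        print(r["timestamp"], r["log_type"], r["src_ip"], "->", r["dst_ip"],
              r["dst_port"], r["from"], "->", r["to"])
    print("excluded hosts seen:", unexpected_sources(recs, ["10.1.1.12"]))
    print(mail_activity(recs))
```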

References

Related Documentation

Protocol Auditing Configuration in the web configuration manual

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.


UTM Series Protocol Auditing and SecCenter Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/12

UTM Series Protocol Auditing and SecCenter Configuration Example

Keywords: protocol auditing, syslog, SecCenter

Abstract: This document describes an example of configuring protocol auditing on a UTM device together with the SecCenter.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management

SNMP Simple Network Management Protocol


Table of Contents

Feature Overview·············································································································································3

Application Scenarios·····································································································································3

Configuration Guidelines································································································································3

Configuration Example ···3
Network Requirements ···3
Configuration Consideration ···4
Software Version Used ···4
Configuration Procedures ···4
Basic Configuration on the Device ···4
Configuring Protocol Auditing on the Device ···8
Configuring the SecCenter ···10
Verification ···11
References ···12
Related Documentation ···12


Feature Overview

You can configure protocol auditing to audit the following protocols:

HTTP protocol: Audits the URL that users have accessed and the host field.
SMTP/POP3 protocols: Audits senders, receivers, carbon copy (Cc) and blind carbon copy (Bcc) recipients, and mail subjects.
FTP protocol: Audits information about the file that users upload or download, such as the file name.

When the protocol auditing logs are sent to the SecCenter, which acts as the syslog host, the SecCenter analyzes and audits the log data:

Analyzes the popular websites, active users, website visit trends, and possible spam senders.
Audits details about users' website visits, FTP downloads, and email operations.

Application Scenarios

The protocol auditing function and the SecCenter cooperate to audit and analyze user behavior, helping you analyze which are the popular websites, who are the most active users in the network, and what are the network trends.

Configuration Guidelines

When configuring the UTM device and the SecCenter, note that:

SNMP must be enabled for communications between the UTM device and the SecCenter.
A reachable route must exist from the UTM device to the SecCenter.

Configuration Example

Network Requirements

The Device connects the internal network 10.1.1.0/24 through GigabitEthernet 0/2 and connects the external network through GigabitEthernet 0/1. Configure a protocol auditing policy on the Device to audit HTTP, FTP, SMTP, and POP3 traffic when internal users (excluding the host at 10.1.1.12) access the external network through the Device. Configure the Device to send logs to the syslog server with IP address 20.1.1.3 in the external network.


Figure 1 Network diagram for configuring protocol auditing on the Device and the SecCenter

Configuration Consideration

Create a protocol auditing policy on the Device.
Add the Device to the SecCenter system so that the SecCenter system can receive the syslog files from the Device.

Software Version Used

The Device: F5118

The SecCenter: see Figure 2.

Figure 2 SecCenter version information

Configuration Procedures

Basic Configuration on the Device

Configuring GigabitEthernet 0/2

Select Device Management > Interface from the navigation tree. Click the icon of interface GigabitEthernet 0/2 to enter the page for editing the interface. Perform the configurations shown in Figure 3, and click Apply.


Figure 3 Configure GigabitEthernet 0/2

Select Device Management > Zone from the navigation tree. Click the icon of zone Trust to enter the page for editing the zone. Add GigabitEthernet 0/2 to zone Trust as shown in Figure 4. Click Apply. The zone list page appears.

Figure 4 Add GigabitEthernet 0/2 to zone Trust


Configuring GigabitEthernet 0/1

Follow the same procedure to assign IP address 20.1.1.1/24 to GigabitEthernet 0/1 and add the interface to zone Untrust. Then, select Device Management > Interface from the navigation tree to view the configuration result, as shown in Figure 5.

Figure 5 Interface list

Configuring NAT

As the internal network and external network are on different network segments, you need to configure a NAT policy to allow internal users to access the external network. In this example, configure dynamic NAT on GigabitEthernet 0/1, referencing ACL 2000, and configuring Easy IP as the address translation mode.

Select Firewall > ACL to enter the ACL configuration page. Create ACL 2000, and configure a rule for the ACL to permit packets sourced from 10.1.1.0/24.

Figure 6 Configure ACL 2000

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Dynamic NAT area, click Add and perform the configurations shown in Figure 7.


Figure 7 Configure dynamic NAT

Configuring a redirect policy

For in-depth inspection, configure a redirect policy to redirect all traffic flows between zones Trust and Untrust that match ACL 3000 to segment 0.

Create ACL 3000 first. Select Firewall > ACL from the navigation tree. Create ACL 3000 and configure rules for the ACL as shown in Figure 8.

Figure 8 Configure a redirect policy

Select IPS | AV | Application Control > Advanced Configuration to enter the advanced configuration page. Create a redirect policy to redirect all traffic flows that match ACL 3000 to segment 0.

Figure 9 Configure a redirect policy


Configuring SNMP on the Device

Enable SNMP of all versions. Create a community named public that allows read-only access, and create a community named private that allows write operations.

[U200S] snmp-agent sys-info version all

[U200S] snmp-agent community read public

[U200S] snmp-agent community write private

Configuring Protocol Auditing on the Device

Entering the protocol auditing policy configuration page

Select IPS | AV | Application Control > Advanced Configuration to enter the advanced configuration page. Click the Application Security Policy link to enter the application security policy configuration page.

Figure 10 Application security policy link

Configuring the notify action

Select System Management > Action Management > Notify Actions to enter the page displaying the notify actions. Click the icon of the Notify action to enter the page for configuring the actions. Perform the configurations shown in Figure 11.

Figure 11 Configure the notify action

Select the Output to syslog host check box.


Type host1 as the name. Type 20.1.1.3 as the IP address. Type 30514 as the port number. Click Add to add the host to the syslog host list. Select host1 in the list box. Click Apply.

Applying the protocol auditing policy to segment 0

Select Protocol Audit > Segment Policy Management from the navigation tree and then click Add to enter the page for applying a policy to a segment. Perform the configurations shown in Figure 12.

Figure 12 Apply the protocol auditing policy

Select segment 0. Select Audit Policy as the policy. Select Both as the direction. Add 10.1.1.0/24 to the IP address list of the internal zone. Add 10.1.1.12/32 to the excluded IP address list for the internal zone. Click Apply.

Activating the configuration

After the configuration above, the policy application list page appears, as shown in Figure 13. Click Activate and confirm your operation to activate the configuration.


Figure 13 Activate the configuration

Configuring the SecCenter

Adding the Device to the SecCenter

Select the System Management tab to enter the system management configuration page. From the navigation tree, select Device List under Device Management to enter the device management page, and then click Add to enter the page for adding a device. Type the IP address of GigabitEthernet 0/1 of the Device as the host IP address. Specify the device label. If the Device's system time zone is UTC, select Greenwich Mean Time for the time calibration. Leave the default settings for the other parameters.

Figure 14 Add the Device to the SecCenter

Specifying the syslog port for receiving syslogs

The default syslog port is 30514, which is consistent with the port configured on the Device, so no modification is needed. The syslog port on the SecCenter must be identical to the one configured on the Device; otherwise the SecCenter cannot receive syslogs from the Device.


Figure 15 Specify the syslog port

Verification

After finishing the configuration, follow these steps to check whether the SecCenter receives the protocol auditing logs sent from the Device and analyzes and audits them. The web, FTP, and email applications are used for illustration.

From host 10.1.1.13, access web server 20.1.1.33, which is in the external network. In the SecCenter system, select the Behavior Auditing tab to enter the behavior auditing configuration page. Then from the navigation tree, select Web Applications under User Behavior Auditing to view the web access details.

Figure 16 View web access details

From host 10.1.1.13, access the FTP server 20.1.1.33, which is in the external network. In the SecCenter system, select the Behavior Auditing tab to enter the behavior auditing configuration page. Then from the navigation tree, select FTP Applications under User Behavior Auditing to view FTP access details.


Figure 17 View FTP access details

From host 10.1.1.13, send and receive Emails to and from the mail server 20.1.1.33, which is in the external network. In the SecCenter system, select the Behavior Auditing tab to enter the behavior auditing configuration page. Then from the navigation tree, select Email Applications under User Behavior Auditing to view the Email application details.

Figure 18 View Email application details

References

Related Documentation

Protocol Auditing Configuration in the web configuration manual


UTM Series Anti-Spam Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/11

UTM Series Anti-Spam Configuration Example

Keywords: Anti-spam, SMTP, POP3

Abstract: This document presents an anti-spam configuration example for UTM devices.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management

SMTP Simple Mail Transfer Protocol

POP3 Post Office Protocol, Version 3


Table of Contents

Feature Overview·············································································································································3

Application Scenarios·····································································································································3

Configuration Guidelines································································································································3

Anti-Spam Configuration Example ···3
Network Requirements ···3
Configuration Considerations ···4
Software Version Used ···4
Configuration Procedures ···4
Basic Configuration ···4
Anti-Spam Configuration ···7
Verification ···10
Related Documentation ···11


Feature Overview

By cooperating with a Commtouch mail server (a third-party mail server), the anti-spam feature of an H3C UTM device can inspect all emails sent from external networks to the internal network and process the emails as configured, so as to prevent spam from wasting the resources of the internal network.

With the anti-spam feature configured, the device forwards all emails received from external networks to the Commtouch mail server for inspection and, after receiving the inspection results, processes the emails based on the actions specified in the anti-spam policy.

The anti-spam feature supports inspecting Simple Mail Transfer Protocol (SMTP) emails and Post Office Protocol, Version 3 (POP3) emails:

SMTP: In a scenario where the SMTP clients are on the external network and the SMTP server is on the internal network.

POP3: In a scenario where the POP3 clients are on the internal network and the POP3 server is on the external network.

Application Scenarios

The anti-spam feature can be deployed to check emails entering an internal network to prevent email spam from occupying resources of the internal network.

Configuration Guidelines

Before configuring the anti-spam feature, ensure that:

The device can communicate with the Commtouch mail server normally. The address of the Commtouch mail server is http://resolver%d.h3c.ctmail.com, where %d indicates a number in the range from 1 to 10.
The device has a legal, effective license for the anti-spam feature. The device can connect to http://www.h3c.com to verify the validity of the anti-spam license. When the anti-spam license expires, no anti-spam configuration takes effect any more.

Anti-Spam Configuration Example

Network Requirements

As shown in Figure 1, the internal network of a company is 4.1.1.0/24, and the external network is 192.168.100.0/22. Configure the UTM device to inspect emails received from the POP3 server and process those emails as follows:

Modify the subjects of emails from known spam sources and log them.
Modify the subjects of emails from unknown spam sources and log them.
Log suspicious emails.
Forward normal emails normally.


Figure 1 Network diagram for anti-spam configuration

Configuration Considerations

Redirect the traffic of interest for in-depth inspection.
Configure the anti-spam policy and rules.
Apply the policy to the segment.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring interface GE 0/1

Select Device Management > Interface from the navigation tree and then click the icon of GE 0/1 to enter the interface configuration page. Perform the following configurations and click Apply.


Select Device Management > Zone from the navigation tree and then click the icon of the Untrust zone to enter the page for modifying the security zone configurations. Add interface GE 0/1 to the Untrust zone as shown in the following figure, and click Apply to complete the operation and return to the security zone page.

Configuring interface GE 0/4

Similarly, assign IP address 4.1.1.1/24 to interface GE 0/4 and add the interface to security zone Trust. After that, select Device Management > Interface from the navigation tree; the interface list should show both interfaces with the addresses and zones configured above.

Configuring NAT

To enable internal hosts to connect to the external network through the UTM device, you need to configure a NAT policy on interface GE 0/1. In this example, the policy references ACL 3004 and uses the NAT mode of Easy IP.

Select Firewall > ACL from the navigation tree and then create ACL 3004 and add a rule to the ACL to identify the flow of interest. In this example, the ACL permits packets sourced from 4.1.1.0/24. The configurations are shown in the following figure:


Select Firewall > NAT Policy > Dynamic NAT from the navigation tree and then under Dynamic NAT, click Add and then specify ACL 3004 and Easy IP for interface GigabitEthernet 0/1. The following figure shows the configuration result:

Configuring DNS

Configure a DNS server so that the device can resolve the names of the Commtouch mail server and of the license validity checking server.

Select Network > DNS > Dynamic from the navigation tree and then click Add IP and configure the IP address of the DNS server.

Configuring a route

Select Network > Routing Management > Static Routing from the navigation tree and configure a default route. Set the next hop to the address of the router interface that faces the UTM device, that is, the interface on the same segment as GE 0/1 that connects the UTM device to the external network (192.168.100.254 in this example).

Configuring a redirect policy

Configure a redirect policy to redirect the flow of interest to the i-Ware platform for in-depth analysis. In this example, traffic between zone Trust and zone Untrust that matches ACL 3000 will be redirected to segment 0.

First, select Firewall > ACL from the navigation tree and then create ACL 3000 and add rules to the ACL to identify the traffic of interest. The configurations are shown in the following figure:


Then, select IPS | AV | Application Control > Advanced Configuration from the navigation tree and create a redirect policy to redirect traffic matching ACL 3000 to segment 0.

Anti-Spam Configuration

Select IPS | AV | Application Control > Advanced Configuration from the navigation tree and click the Application Security Policy link to enter the in-depth inspection configuration page.

Enabling anti-spam inspection

Select Anti-Spam > Anti-Spam from the navigation tree and perform the following configurations in the Server Configuration area:

Select the Antispam inspection check box.
Click Apply.

After a while, the operation status becomes normal.


If the UTM device connects to the Commtouch mail server through a proxy server, you need to configure the proxy server according to the networking scheme.

The anti-spam signature database stores all email spam signatures that the device can identify. The anti-spam license has a fixed validity period. After the license expires, you must purchase a new license before you can upgrade the anti-spam signature database again.

Creating and applying the anti-spam policy

Under Policy Application List, click Add and perform the following configurations:

Type test as the name.
Select Modify subject and log as the action for POP3 emails from known spam sources.
Select Modify subject and log as the action for POP3 emails from unknown spam sources.
Select Log as the action for suspicious POP3 emails.
Select Log as the action for normal POP3 emails.


Under Apply Policy, click Add. On the page that appears, select segment 0 and click Apply.

Segment 0 now appears in the list under Apply Policy. Click Apply to complete the operation.


Activating configurations

After the application operation is complete, the anti-spam configuration page appears again, as shown in the following figure. Click Activate and confirm your operation.

Verification

On internal host 4.1.1.2, configure Outlook Express to receive emails. Then, on the web interface of the device, select Log Management > Anti-Spam Logs from the navigation tree. Logs about the inspection and processing of the emails destined for the user should appear on the list.
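The same verification can be driven from a script instead of Outlook Express. The following Python example is added here and is not part of the H3C manual or of the UTM software: it logs in to the POP3 server over plain POP3 on port 110 (the cleartext traffic that this example inspects), retrieves only the headers of each message with the TOP command, and prints the decoded Subject of each, so that subjects rewritten by the anti-spam policy are visible without a mail client. The server name and credentials in the usage line are placeholders; the FakePop3 class and the two sample header blocks are constructed so that the parsing can be exercised offline.

```python
import poplib
from email.parser import BytesParser
from email.policy import default
from typing import List, Tuple


def subject_of(raw_headers: bytes) -> str:
    """Decoded Subject of a message given its raw header block. The default
    policy decodes RFC 2047 encoded words, which spam subjects commonly use."""
    msg = BytesParser(policy=default).parsebytes(raw_headers)
    return str(msg.get("Subject", ""))


def list_subjects(conn) -> List[Tuple[int, str]]:
    """(index, subject) for every message in the mailbox. Uses POP3 TOP with
    zero body lines so only headers cross the wire; conn is an authenticated
    poplib.POP3 or any object with the same stat()/top() shape."""
    count, _octets = conn.stat()
    subjects = []
    for i in range(1, count + 1):
        _status, lines, _size = conn.top(i, 0)
        subjects.append((i, subject_of(b"\r\n".join(lines) + b"\r\n")))
    return subjects


def check_mailbox(host: str, user: str, password: str, port: int = 110):
    """Log in over plain POP3 (port 110), the traffic the UTM inspects in this
    example, and list the subjects as they arrive through the device.
    host, user and password are whatever the POP3 server on the test network uses."""
    conn = poplib.POP3(host, port, timeout=10)
    try:
        conn.user(user)
        conn.pass_(password)
        return list_subjects(conn)
    finally:
        conn.quit()


class FakePop3:
    """Constructed stand-in for poplib.POP3 so the parsing runs offline."""

    def __init__(self, messages: List[bytes]):
        self.messages = messages

    def stat(self):
        return len(self.messages), sum(len(m) for m in self.messages)

    def top(self, which: int, howmuch: int):
        raw = self.messages[which - 1]
        return b"+OK", raw.split(b"\r\n"), len(raw)


# Constructed sample headers: one plain subject, one RFC 2047 encoded subject.
SAMPLE_MAILBOX = [
    b"From: alice@example.com\r\nSubject: Weekly report\r\n\r\n",
    b"From: promo@example.net\r\nSubject: =?utf-8?q?Caf=C3=A9_offer?=\r\n\r\n",
]

if __name__ == "__main__":
    for index, subject in list_subjects(FakePop3(SAMPLE_MAILBOX)):
        print(index, subject)
    # Against the real POP3 server on the test network (placeholder values):
    # check_mailbox("pop3.example.com", "user", "secret")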


Related Documentation

Anti-Spam Configuration in the web configuration manual.

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.


UTM Series URL Filtering Configuration Example

Keywords: URL, category

Abstract: This document presents a URL filtering configuration example for UTM devices.

Acronyms:

Acronym Full spelling

UTM Unified Threat Management

URL Uniform Resource Locator


Table of Contents

Feature Overview (page 3)
Application Scenarios (page 3)
Configuration Guidelines (page 3)
URL Filtering Configuration Example (page 4)
  Network Requirements (page 4)
  Configuration Considerations (page 4)
  Software Version Used (page 4)
  Configuration Procedures (page 4)
    Basic Configuration (page 4)
    URL Filtering Configuration (page 7)
  Verification (page 13)
  URL Filtering Rule Configuration Guidelines (page 13)
  Usage Guide for URL Category Query Server (page 15)
References (page 18)
  Related Documentation (page 18)


Feature Overview

The URL filtering function filters HTTP requests. URL filtering includes user-defined URL filtering and category-based URL filtering.

User-defined URL filtering: Allows you to specify the matching criteria for a domain name and Uniform Resource Identifier (URI) path, and configure the corresponding actions to be performed on matched HTTP request packets.

Category-based URL filtering: Refers to the process in which the device, upon receiving an HTTP request, sends a URL category request to the specified URL category server, obtains the category result, and processes the HTTP request based on predefined category-based URL filtering rules.

Application Scenarios

URL filtering controls access to the Internet. You can use URL filtering rules to define when employees may use the Internet for personal purposes. For example, you can configure different filtering rules for different time ranges so that employees can access sports websites after work or at lunch time but not during work time.

Configuration Guidelines

When performing URL filtering configurations, note that:

A URL filtering policy that has been applied to a segment cannot be deleted. The system default URL filtering policy and rule cannot be deleted.
On a segment, at most one URL filtering policy application is used for a packet. If a packet matches multiple URL filtering policy applications, the policy application with the smallest IP address scope is used. If two policy applications have the same IP address scope, the one configured earlier takes precedence.
If a step fails during the creation of a URL filtering policy, all steps already executed are rolled back. A step failing during the modification of a URL filtering policy does not roll back the steps already executed.
Category-based URL filtering requires normal communication between the device and the specified URL category server. After specifying the URL category server and activating the configuration, check the connection status between the device and the server in the system logs.
A valid, unexpired license must have been imported to the device, and the device must be able to connect to http://www.h3c.com.cn for license validity checking. Expiration of the license for category-based URL filtering disables category-based URL filtering but does not affect user-defined URL filtering.


URL Filtering Configuration Example

Network Requirements

As shown in Figure 1, the internal network segment and external network segment of a company are 4.1.1.0/24 and 192.168.100.0/22 respectively. On the UTM, configure a URL filtering policy with rules that prohibit all users except 4.1.1.10 from accessing www.h3c.com.cn/Training during work time (8:30 to 12:00), and record user access logs.

Figure 1 Network diagram for URL filtering configuration

Configuration Considerations

Import the traffic of interest for in-depth inspection.
Configure the URL filtering policy and rules.
Apply the URL filtering policy to the specified segment.

Software Version Used

F5118

Configuration Procedures

Basic Configuration

Configuring interface GE 0/1

Select Device Management > Interface from the navigation tree and then click the icon of interface GigabitEthernet 0/1 to enter the page for editing the interface. Perform the configurations shown in the following figure for the interface, and then click Apply.


Select Device Management > Zone from the navigation tree and then click the icon of zone Untrust to enter the page for modifying the zone configuration. As shown in the following figure, add interface GigabitEthernet 0/1 to zone Untrust and then click Apply to complete the configuration and return to the security zone page.


Configuring interface GE 0/4

Similarly, assign IP address 4.1.1.1/24 to interface GigabitEthernet 0/4 and add this interface to zone Trust. After the configuration, select Device Management > Interface from the navigation tree, and you should see the interface information you configured just now.

Configuring NAT

To let internal hosts access the Internet through the UTM device, configure a NAT policy on interface GigabitEthernet 0/1. In this example, the policy references ACL 3004 and uses the Easy IP address translation mode.

Select Firewall > ACL from the navigation tree. Create ACL 3004 and add a rule for the ACL to define the target traffic. In this example, create a rule to permit packets sourced from 4.1.1.0/24.

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Dynamic NAT area, click Add, and then specify ACL 3004 and Easy IP for interface GigabitEthernet 0/1. The following figure shows the configuration result.

Configuring a static route

Select Network > Routing Management > Static Routing from the navigation tree. Add a static route with next hop 192.168.100.254, the address of the router interface that connects to the external network; that interface is on the same network segment as GigabitEthernet 0/1 of the UTM device.

Configuring DNS

Specify the DNS server to be used to resolve the address of the license validity checking server (www.h3c.com.cn).

Select Network > DNS > Dynamic from the navigation tree. Click Add IP to add the IP address of the DNS server.

Configuring a redirect policy

Configure a redirect policy to redirect the traffic of interest to the i-Ware platform for in-depth analysis. In this example, traffic between zone Trust and zone Untrust that matches ACL 3000 will be redirected to segment 0.

First, select Firewall > ACL from the navigation tree. Create ACL 3000 and add rules to identify the traffic of interest. The configurations are shown in the following figure:

Then, select IPS | AV | Application Control > Advanced Configuration from the navigation tree to add a flow redirect policy to redirect traffic matching ACL 3000 to segment 0.

URL Filtering Configuration

Select IPS | AV | Application Control > Advanced Configuration from the navigation tree. Then, click the Application Security Policy link to enter the in-depth inspection configuration page.


Creating a time table named morning

Select System Management > Time Table List from the navigation tree and then click Add to enter the time table configuration page. Type the name of the time table and select the time range 8:30 to 12:00 from Monday to Friday, as shown in the following figure:

Configuring global parameters for URL filtering

Select URL Filtering > Global Configuration from the navigation tree and then perform the following configurations:

Select Enable category-based URL filtering.
Select Enable user-defined URL filtering.
Type 192.168.96.11 as the IP address of the URL category server.
Type 5000 as the port number of the URL category server.
Click Apply.


Creating and applying a URL filtering policy

Click Add in the Policy Application List area to enter the policy application configuration page and perform the following configurations:

Type the policy name URL policy for company.
Click the expansion button before Category-Based URL Rule.
Click category group Information Technology in the Category-Based URL Rule area.
Select Never from the Block at drop-down list and Any time from the Log at drop-down list for category Software/Hardware.
Click the expansion button before User-Defined URL Rule.
Click Add in the User-Defined URL Rule area, and perform the following configurations on the pop-up page:
Type h3c as the rule name.
Select By fixed string for the Domain Name Filtering field, and type the domain name string www.h3c.com.cn.


Select By fixed string for the URI Filtering field, and type the URI string /Training?.
Select morning from the Block at drop-down list as the blocking time.
Select Any time from the Log at drop-down list as the logging time.
Click Apply.
Click Cancel to close the Add User-Defined URL Filtering Rule page.

Click Add in the Apply Policy to area and on the pop-up page perform the following configurations:

Select segment 0.
Add 4.1.1.0/24 to the IP addresses list.
Add 4.1.1.10/32 to the Excluded IP addresses list.
Click Apply.
Click Cancel to close this configuration page.

After the preceding configurations are complete, the following page appears, displaying the policy application configuration. Click Apply.


Note:

1) For a user-defined URL filtering rule, domain name filtering is required and URI path filtering is optional. The following table describes the effect of the domain name filtering and URI path filtering settings of a rule (a dash means the field is not configured):

Domain name string   Domain name regular expression   URI path string   URI regular expression   Configuration effect
www.abc.com          —                                —                 —                        Filters out all web pages on www.abc.com
www.abc.com          —                                /index.html       —                        Filters out web page /index.html on www.abc.com
www.abc.com          —                                —                 /index.html?             Filters out the /index.html and /index.htm web pages on www.abc.com
—                    (news|tech)\.abc\.com            —                 —                        Filters out all web pages on news.abc.com and tech.abc.com
—                    (news|tech)\.abc\.com            /index.html       —                        Filters out the /index.html web pages on news.abc.com and tech.abc.com
—                    (news|tech)\.abc\.com            —                 /index.html?             Filters out the /index.html and /index.htm web pages on news.abc.com and tech.abc.com

2) You can specify the rule to trigger different action sets in different time ranges. However, if the time ranges defined in two time tables overlap, the action set that corresponds to the upper time table in the Time Table-Action Set list will be carried out. The available time tables are those configured on the page you enter by selecting System Management > Time Table List. The available action sets are those configured on the page you enter by selecting System Management > Action Management. Up to six Time Table-Action Set combinations can be configured.

3) If both user-defined URL filtering and category-based URL filtering are enabled, a URL that matches no user-defined URL filtering rule is matched against the category-based URL filtering rules. If only user-defined URL filtering is enabled, URLs that match no user-defined rule are processed according to the other policies on the device. If neither user-defined nor category-based URL filtering is enabled, the device forwards the HTTP packets.

Activating configurations

After the configurations, the URL filtering policy application list appears, as shown in the following figure. Click Activate and confirm your action. Click OK.


Verification

During the blocking time range (8:30 to 12:00, Monday through Friday), the internal user at 4.1.1.2 can open http://www.h3c.com.cn in the IE browser but cannot open http://www.h3c.com.cn/Training. Host 4.1.1.10, which is on the excluded IP address list, can open both.

Selecting Log Management > URL Logs from the navigation tree, you should see URL filtering logs.

URL Filtering Rule Configuration Guidelines

The following supplements the precautions on user-defined rule configuration given above.


In a user-defined rule, the domain name filtering configuration is required while the URI path filtering configuration is optional. Each of the two can be configured by fixed string or by regular expression, which gives six combinations:

Domain name filtering by fixed string

Domain name filtering by regular expression

Domain name filtering by fixed string + URI path filtering by fixed string

Domain name filtering by fixed string + URI path filtering by regular expression

Domain name filtering by regular expression + URI path filtering by fixed string

Domain name filtering by regular expression + URI path filtering by regular expression

A configured domain name string is matched exactly against the whole value of the Host field in the HTTP request, and a configured URI string is matched exactly against the whole request URI in the request line (the part after GET). If you configure domain name filtering or URI path filtering by fixed string but enter only part of the URL, the URL will not match. The URI in an HTTP request starts at the first slash (/); do not drop any part of it. To match URIs that contain a specific string, use a regular expression. The following are examples of the six URL filtering configuration methods:

1) www.sina.com

Filters all HTTP requests with the domain name being www.sina.com.

2) (news|sports)\.sina\.com\.cn

Filters all HTTP requests with the domain name being news.sina.com.cn or sports.sina.com.cn.

Note that you need to escape dots (.) with backslashes (\); otherwise a dot is interpreted as a wildcard in the regular expression.

3) Domain name: www.sina.com; URI: /index=1.html

Filters HTTP requests to http://www.sina.com/index=1.html.

4) Domain name: www.sina.com; URI: .*badthing.*

Filters all web pages containing badthing on www.sina.com.


5) Domain name: .*sina.*; URI: /index.php

Filters all HTTP requests whose host name contains sina and URI is /index.php.

6) Domain name: .*sina.*; URI: .*badthing.*

Filters all HTTP requests whose host name contains sina and URI contains badthing.

URL filtering configuration is case sensitive unless a regular expression is used and the regular expression starts with (?i).
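The matching behaviour described in the note table and in the guidelines above, as an added worked example in Python; it is not code from the H3C manual or from the UTM software, which is configured through the web interface. It models a user-defined rule (domain name and optional URI, each by fixed string or regular expression), the time tables used for Block at and Log at, and a policy application with its IP address and excluded IP address lists, and evaluates a raw HTTP request against the policy from this document (segment 4.1.1.0/24 except 4.1.1.10, rule h3c, time table morning). Fixed strings must equal the whole Host value or request URI; regular expressions are matched against the whole value, so /index.html? covers both /index.htm and /index.html, a substring needs .* on both sides, and a leading (?i) makes a regex case insensitive. The request bytes and dates are constructed for the example. One assumption: the manual enters /Training? under By fixed string, which would match only the literal URI /Training?; the example treats it as a regular expression so that a request for /Training is caught, as the Verification section expects. Rule ordering inside a policy and the Time Table-Action Set combinations are not modelled; rules are checked in list order.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TimeTable:
    """A time table as under System Management > Time Table List.
    weekdays uses 0 = Monday ... 6 = Sunday; an empty set never matches."""
    name: str
    weekdays: frozenset
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end


NEVER = TimeTable("Never", frozenset(), time.min, time.min)
ANY_TIME = TimeTable("Any time", frozenset(range(7)), time.min, time.max)
MORNING = TimeTable("morning", frozenset(range(5)), time(8, 30), time(12, 0))  # Mon-Fri 8:30-12:00


def field_matches(pattern: str, is_regex: bool, value: str) -> bool:
    """A fixed string must equal the whole Host value or request URI; a regular
    expression must match the whole value too (substrings need '.*' around
    them). Matching is case sensitive unless the regex starts with (?i)."""
    if is_regex:
        return re.fullmatch(pattern, value) is not None
    return pattern == value


@dataclass(frozen=True)
class UrlRule:
    name: str
    domain: str                    # domain name filtering is required
    domain_is_regex: bool = False
    uri: Optional[str] = None      # URI path filtering is optional
    uri_is_regex: bool = False
    block_at: TimeTable = NEVER
    log_at: TimeTable = NEVER

    def matches(self, host: str, uri: str) -> bool:
        if not field_matches(self.domain, self.domain_is_regex, host):
            return False
        return self.uri is None or field_matches(self.uri, self.uri_is_regex, uri)


@dataclass
class UrlPolicy:
    """A policy application: its rules, the IP addresses it applies to and the
    excluded IP addresses, as entered under 'Apply Policy to'."""
    name: str
    rules: List[UrlRule]
    ip_addresses: List[str]
    excluded: List[str]

    def applies_to(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.excluded):
            return False
        return any(ip in ipaddress.ip_network(n) for n in self.ip_addresses)

    def evaluate(self, client_ip: str, host: str, uri: str, when: datetime) -> Tuple[str, bool]:
        """(verdict, logged). 'no-match' means no user-defined rule hit, so the
        request falls through to category-based filtering if that is enabled."""
        if not self.applies_to(client_ip):
            return "permit", False
        for rule in self.rules:
            if rule.matches(host, uri):
                verdict = "block" if rule.block_at.covers(when) else "permit"
                return verdict, rule.log_at.covers(when)
        return "no-match", False


def parse_request(raw: bytes) -> Tuple[str, str]:
    """Host header value and request URI (from its first '/') of a raw HTTP
    request; these are what the rule fields are compared against."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    if "://" in target:  # absolute-form target (proxy style): keep only the path
        target = target[target.index("/", target.index("://") + 3):] if target.count("/") > 2 else "/"
    host = ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return host, target


def decide(policy: UrlPolicy, client_ip: str, raw_request: bytes, when_iso: str) -> Tuple[str, bool]:
    """Evaluate a raw request from client_ip at an ISO 8601 time such as '2010-05-20T09:00'."""
    host, uri = parse_request(raw_request)
    return policy.evaluate(client_ip, host, uri, datetime.fromisoformat(when_iso))


# The policy from this document. '/Training?' is treated as a regular expression
# (assumption, see the lead-in) so that a request for /Training is matched.
COMPANY_POLICY = UrlPolicy(
    "URL policy for company",
    [UrlRule("h3c", "www.h3c.com.cn", False, r"/Training?", True, block_at=MORNING, log_at=ANY_TIME)],
    ["4.1.1.0/24"],
    ["4.1.1.10/32"],
)

# Constructed request, as the internal host at 4.1.1.2 would send it.
SAMPLE_REQUEST = b"GET /Training HTTP/1.1\r\nHost: www.h3c.com.cn\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    # 2010-05-20 is a Thursday, inside 'morning': the request is blocked and logged.
    print(decide(COMPANY_POLICY, "4.1.1.2", SAMPLE_REQUEST, "2010-05-20T09:00"))  # ('block', True)
```

Run as is, the script prints ('block', True) for the request above; the same request from 4.1.1.10, or from 4.1.1.2 at 13:00 or on a Saturday, is permitted (and, with Log at set to Any time, still logged), and a request for / on the same host matches no user-defined rule at all. field_matches on its own reproduces the table: the fixed string www.abc.com does not match abc.com or WWW.ABC.COM, (news|tech)\.abc\.com matches news.abc.com but not newsXabc.com, and /index.html? matches /index.htm and /index.html but not /index.php.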

Usage Guide for URL Category Query Server

1) Copy the server installation package, URLCatServer-setup-v1.0.exe, to a PC that can access the Internet. Double-click the package to install the server.

2) Select a language.

3) Select an installation folder.


4) After the installation, select Start > All Programs > URLCatServer > URLCatServer Parameter Setting, or, double click the server icon in the notification area to bring up the parameter setup page.

5) After you install the server, the server loads the category database automatically. You can view whether the category database is loaded successfully in the DB Status field.


6) If the category database upgrade fails, the most likely reason is that the category database server is unreachable. Locate the configuration file URLCatServer.conf in the installation folder.

7) Open the configuration file and check whether the URL category database server configured in it is reachable, for example by opening its address in the IE browser. The configured address is the default access path to the URL category database server and normally does not need to be modified.

8) You can modify the listening port on the server parameter configuration page. The listening port is the port on which the server receives URL category requests from the device. It must match the port configured on the device and defaults to 5000, so normally you do not need to modify it. Note that you must restart the service for the change to take effect.

9) Because the category database is updated periodically, specify an upgrade interval and upgrade time so that the URL category server downloads the up-to-date category database on schedule. In this example, the server is configured to upgrade the category database at 00:00 every day.


10) Click OK to save the configuration parameter. Click Upgrade Now to upgrade the category database immediately. Click Start, Stop, or Restart to start, stop or restart the URL category filtering service.

References

Related Documentation

URL Filtering Configuration in the web configuration manual.



UTM Series IPSec Configuration Examples

Keyword: IKE, IPSec

Abstract: This document describes basic concepts of IKE and IPsec, and provides configuration examples for

UTM series devices.

Acronyms:

Acronym Full spelling

IKE Internet Key Exchange

IPsec IP Security


Table of Contents

IPsec Configuration  3
  IPsec Overview  3
    Implementation of IPsec  3
    Basic Concepts of IPsec  4
  Application Scenarios  5
  Configuration Guidelines  5
    Configuring IPsec  5
      Configuring ACLs  6
    Configuring IKE  7
      Configuring Global IKE Parameters  7
      Configuring an IKE Proposal  8
      Configuring an IKE Peer  9
    Configuring an IPsec Proposal  11
    Configuring an IPsec Policy Template  13
    Configuring an IPsec Policy  15
    Applying an IPsec Policy Group  17
IPsec Configuration Example I: Basic Application  18
  Network Requirements  18
  Software Version Used  18
  Configuration Procedures  19
  Verification  26
    Viewing IPsec SAs  27
    Viewing Packet Statistics  27
IPsec Configuration Example: Working with NAT  27
  Network Requirements  27
  Configuration Procedures  28
  Verification  34
    Viewing IPsec SAs  34
    Viewing Packet Statistics  34
  Configuration Guidelines  35
References  35
  Protocols and Standards  35
  Related Documentation  35


IPsec Configuration

IPsec Overview

IP Security (IPsec) refers to a series of protocols defined by the Internet Engineering Task Force (IETF) to provide high-quality, interoperable, cryptography-based security for IP packets. By means of facilities including encryption and data origin authentication, it delivers these security services at the IP layer:

- Confidentiality: The sender encrypts packets before transmitting them over the Internet.
- Data integrity: The receiver verifies the packets received from the sender to ensure they have not been tampered with during transmission.
- Data origin authentication: The receiver authenticates the legitimacy of the sender.
- Anti-replay: The receiver examines packets and rejects outdated or repeated packets.
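The anti-replay service just listed, shown as an added example that is not part of the H3C document: a Python implementation of the receiver-side sliding window that AH and ESP use, following the algorithm in RFC 4303 Appendix A. The receiver remembers the highest sequence number it has accepted and a bitmap of the last 64 numbers; a packet that is older than the window, or already marked in the bitmap, is dropped, while a late but fresh packet inside the window is still accepted. The sequence-number trace fed through it is constructed.

```python
"""Receiver-side anti-replay window for AH/ESP (added example, not H3C code).

Implements the sliding-window check of RFC 4303 Appendix A: `last_seq` is the
highest sequence number accepted so far and bit i of `bitmap` records whether
sequence number (last_seq - i) has already been received.
"""

WINDOW_SIZE = 64  # window size used by most implementations


class AntiReplayWindow:
    def __init__(self, window_size: int = WINDOW_SIZE) -> None:
        self.window_size = window_size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => last_seq - i was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it must be dropped."""
        if seq == 0:
            return False  # sequence number 0 is never valid (RFC 4303)
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last_seq
            if shift >= self.window_size:
                self.bitmap = 1  # everything older falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.window_size:
            return False  # outdated: fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False  # repeated: already received inside the window
        self.bitmap |= 1 << offset  # late but fresh: accept and record it
        return True


def simulate(sequence_numbers):
    """Feed a trace of sequence numbers through one window; return (seq, accepted) pairs."""
    window = AntiReplayWindow()
    return [(s, window.check_and_update(s)) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed trace: in-order packets, a late-but-fresh packet (3), a replay
    # of 5, a jump far ahead (200), a packet now outside the window (130) and
    # a late one still inside it (199).
    for seq, ok in simulate([1, 2, 4, 5, 3, 5, 200, 130, 199]):
        print(f"seq={seq:4d} -> {'accept' if ok else 'DROP'}")
```

The window never accepts a sequence number twice, which is why the sender must never reuse a sequence number on one SA; when the counter would wrap, a new SA has to be negotiated, which is one reason SA lifetimes exist.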

IPsec delivers these benefits:

Reduced key negotiation overheads and streamlined IPsec maintenance by supporting the Internet Key Exchange (IKE) protocol, which provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.

Good compatibility. IPsec can be applied to all IP-based application systems and services without any modification to them.

Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly enhances IP security.

Implementation of IPsec

IPsec consists of a series of protocols for IP data security, including Authentication Header (AH), Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and ESP provide the security services, and IKE performs key exchange. For how IKE works, refer to IKE Configuration.

IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism allows the receiver of an IP packet to authenticate the sender and check whether the packet has been tampered with. The encryption mechanism ensures data confidentiality and protects data from being eavesdropped en route.

IPsec is available with two security protocols:

- AH (protocol 51): Provides data origin authentication, data integrity, and anti-replay services. For these purposes, an AH header is added to each IP packet. AH is suitable for transmitting non-critical data, because it cannot prevent eavesdropping even though it works well in preventing data tampering. AH supports authentication algorithms such as Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).

- ESP (protocol 50): Provides data encryption in addition to origin authentication, data integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer into IP packets. Unlike AH, ESP encrypts the data before it is encapsulated behind the IP header, to ensure data confidentiality. ESP supports the encryption algorithms Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), and the authentication algorithms MD5 and SHA-1.


Both AH and ESP provide authentication services. However, the authentication service provided by AH is stronger than that provided by ESP. In practice, you can choose either or both security protocols as required. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.

Basic Concepts of IPsec

Security association

IPsec enables secure communication between two ends, which are called IPsec peers.

Security associations (SAs) are fundamental to IPsec. An SA is a set of elements including the protocols (AH, ESP or both), encapsulation mode (transport mode or tunnel mode), encryption algorithm (DES, 3DES, or AES), shared key used for flow protection, and key lifetime. An SA can be created with IKE.

Encapsulation modes

IPsec can work in the following two modes:

Tunnel mode: The whole IP packet is used to calculate the AH/ESP header, which will be encapsulated into a new IP packet together with the ESP-encrypted data. Generally, tunnel mode is used for communication between two security gateways.

Transport mode: Only the transport layer data is used to calculate the AH/ESP header, which will be put after the original IP header and before the ESP-encrypted data. Generally, transport mode is used for communication between two hosts or a host and a security gateway.

Figure 1 illustrates how data are encapsulated by different security protocols in tunnel and transport modes. Here, the term data refers to the transport layer data.

Figure 1 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms

1) Authentication algorithms

Authentication algorithms are implemented through hash functions. A hash function takes a message of arbitrary length and generates a message digest of fixed length. IPsec peers calculate the message digests respectively. If the resulting digests are identical, the packet is considered intact and not tampered.

There are two types of IPsec authentication algorithms:

- MD5: Takes a message of arbitrary length and generates a 128-bit message digest.
- SHA-1: Takes a message shorter than 2^64 bits and generates a 160-bit message digest.


Slower than MD5, SHA-1 provides higher security.
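The following Python block is an added example, not part of the H3C document and not H3C code. It ties together the two points above: the layering when AH and ESP are used together (ESP applied first, so AH is the outermost header and its integrity check covers the ESP part as well) and the HMAC-based authentication algorithms. The packet is constructed inline: an outer IPv4 header with protocol 51 (AH), an AH header whose Next Header field is 50 (ESP), then the ESP header and an opaque body standing in for ciphertext. The AH ICV is HMAC-MD5 or HMAC-SHA1 truncated to 96 bits (HMAC-MD5-96 and HMAC-SHA1-96, RFC 2403 and RFC 2404), computed with the mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) zeroed. The key, SPIs and addresses are constructed sample values.

```python
"""Walk an IPv4 packet protected by AH and ESP and verify the AH ICV.

Added example; not part of the H3C document. build_ah_esp_packet() plays the
sender (ESP first, then AH around it) and parse_chain() the receiver.
"""
import hmac
import struct

AH, ESP, IPV4_IN_IP, TCP = 51, 50, 4, 6
ICV_LEN = 12  # 96-bit ICV for both HMAC-MD5-96 and HMAC-SHA1-96
PROTO_NAMES = {AH: "AH", ESP: "ESP", IPV4_IN_IP: "IPv4 (tunnel mode)",
               TCP: "TCP (transport mode)"}


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def _ah_icv_input(packet: bytes) -> bytes:
    """Copy of the packet with the mutable IPv4 fields and the AH ICV zeroed."""
    buf = bytearray(packet)
    buf[1] = 0                # TOS (DSCP/ECN)
    buf[6:8] = b"\x00\x00"    # flags + fragment offset
    buf[8] = 0                # TTL
    buf[10:12] = b"\x00\x00"  # header checksum
    ah_off = (buf[0] & 0x0F) * 4
    buf[ah_off + 12:ah_off + 12 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)


def build_ah_esp_packet(key: bytes, hash_name: str = "sha1") -> bytes:
    """Sender side: ESP first, then AH around it (constructed sample packet)."""
    esp = struct.pack("!II", 0x00002000, 7) + b"\x5a" * 32  # SPI, seq, "ciphertext"
    ah_words = (12 + ICV_LEN) // 4                           # AH length in 32-bit words
    ah = struct.pack("!BBHII", ESP, ah_words - 2, 0, 0x00001000, 7) + bytes(ICV_LEN)
    total_len = 20 + len(ah) + len(esp)
    packet = ipv4_header("203.0.113.1", "198.51.100.2", AH, total_len) + ah + esp
    icv = hmac.new(key, _ah_icv_input(packet), hash_name).digest()[:ICV_LEN]
    return packet[:32] + icv + packet[32 + ICV_LEN:]


def parse_chain(packet: bytes, key: bytes, hash_name: str = "sha1") -> dict:
    """Receiver side: walk IP -> AH -> ESP, verify the AH ICV, report what was found."""
    off = (packet[0] & 0x0F) * 4
    proto = packet[9]
    result = {"chain": [PROTO_NAMES.get(proto, str(proto))], "ah_valid": None}
    if proto == AH:
        nxt, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, off)
        ah_total = (plen + 2) * 4
        received = packet[off + 12:off + ah_total]
        expected = hmac.new(key, _ah_icv_input(packet), hash_name).digest()[:ICV_LEN]
        result["ah_valid"] = hmac.compare_digest(received, expected)  # constant-time
        result["ah_spi"], result["ah_seq"] = spi, seq
        # For AH the Next Header is in the clear: 4 means tunnel mode, 6/17 transport mode.
        result["chain"].append(PROTO_NAMES.get(nxt, str(nxt)))
        off, proto = off + ah_total, nxt
    if proto == ESP:
        result["esp_spi"], result["esp_seq"] = struct.unpack_from("!II", packet, off)
        # ESP's own Next Header sits in the encrypted trailer, so the walk stops here.
        result["chain"].append("encrypted payload")
    return result


if __name__ == "__main__":
    key = b"constructed-sample-key"
    pkt = build_ah_esp_packet(key)
    print(parse_chain(pkt, key))
    tampered = bytearray(pkt)
    tampered[-1] ^= 1  # flip one bit inside the ESP body
    print("after tampering, ah_valid =", parse_chain(bytes(tampered), key)["ah_valid"])
```

Changing a mutable field such as the TTL leaves the ICV valid, while changing any byte of the ESP part behind AH invalidates it, which is the practical meaning of the statement that AH's authentication is stronger: it covers the outer IP header too. The receiver compares digests with a constant-time comparison so that a forged ICV cannot be guessed byte by byte from timing.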

2) Encryption algorithms

Most encryption algorithms depend on symmetric key systems, which use the same key for encryption and decryption. Currently, three encryption algorithms are available for IPsec on the device:

- DES: Data Encryption Standard, encrypts a 64-bit block of plain text with a 56-bit key.
- 3DES: Triple DES, encrypts plain text with three 56-bit DES keys, which total 168 bits.
- AES: Advanced Encryption Standard, encrypts plain text with a 128-bit, 192-bit, or 256-bit key.

AES, 3DES, and DES are in descending order in terms of security. Higher security means more complex implementation and lower speed. DES is enough to meet general requirements.

Application Scenarios

IPsec is a VPN technology that delivers the security services of confidentiality, data integrity, and origin authentication at the IP layer. IPsec can use IKE to update keys periodically, enhancing system security. IPsec is widely used for transmitting sensitive data in VPN networks.

Configuration Guidelines

Configuring IPsec

At present, the device supports IPsec tunnel setup with IPsec policies. In this approach, ACLs are used in IPsec policies to identify the data flows to be protected. The use of ACLs adds flexibility to IPsec policies. IPsec policies take effect only after they are applied to physical interfaces.

The following is the generic IPsec policy configuration procedure:

1) Configure ACLs for identifying the data flows to be protected.

2) Configure IPsec proposals to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.

3) Configure IPsec policies to associate data flows with IPsec proposals and specify the SA negotiation mode, peer IP addresses (namely the start and end points of the IPsec tunnel), required keys, and SA lifetime.

4) Apply the IPsec policies to interfaces to finish IPsec tunnel configuration.

Perform the tasks in Table 1 to configure IPsec.

Table 1 IPsec configuration task list

Task: Configuring ACLs
Remarks: Required. One important function of ACLs is identifying traffic based on matching criteria. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec. This document covers only referencing ACLs in IPsec. To create ACLs, select Firewall > ACL from the navigation tree.

Task: Configuring IKE
Remarks: Required. IKE provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.

Task: Configuring an IPsec Proposal
Remarks: Required. An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption/authentication algorithms, and encapsulation mode. Changes to an IPsec proposal affect only SAs negotiated after the changes.

Task: Configuring an IPsec Policy Template
Remarks: Required when an IPsec policy needs to reference an IPsec policy template group. An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Task: Configuring an IPsec Policy
Remarks: Required. Configure an IPsec policy by specifying the parameters directly or by referencing a created IPsec policy template. The Web interface supports only IKE-dependent IPsec policies. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. An IKE-dependent IPsec policy created by referencing a template cannot be used to initiate SA negotiation, but it can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end, while the parameters not defined in the template are determined by the initiator.

Task: Applying an IPsec Policy Group
Remarks: Required. Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows.

Task: Viewing IPsec SAs
Remarks: Optional. View brief information about established IPsec SAs to verify your configuration.

Task: Viewing Packet Statistics
Remarks: Optional. View packet statistics to verify your configuration.

Configuring ACLs

IPsec uses ACLs to identify data flows. Each ACL rule contains a deny or permit keyword and is regarded as a deny or permit statement. A rule with the permit keyword identifies a data flow to be protected by IPsec, while a rule with the deny keyword identifies a data flow that does not need to be protected by IPsec.


To configure ACLs, select Firewall > ACL to enter the ACL configuration page, and perform the following configurations:

1) Create an ACL.

2) Configure rules for the ACL.

Ensure that all permit statements applied in the inbound direction match IPsec-protected traffic flows only. This prevents normal incoming clear-text packets from being dropped because they hit a permit statement.
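The rule semantics above (permit = protect, deny = do not protect, first matching rule wins) and the inbound caution, as an added Python example that is not part of the H3C document: a first-match ACL evaluator over CIDR rules, plus a check that reports which clear-text inbound flows would hit a permit rule and therefore be dropped. The ACLs, addresses and the convention that the inbound ACL is written with the remote side as source are constructed assumptions for this example.

```python
"""First-match ACL evaluation for selecting IPsec-protected flows.

Added example, not from the H3C document. Rules are checked in order; the first
rule whose networks contain the flow decides: permit means the flow is
protected by IPsec, deny means it is sent as it is. A flow matching no rule is
also left unprotected. check_inbound_permits() implements the caution from the
ACL section: a clear-text inbound flow that hits a permit rule would be dropped,
because the device expects such traffic to arrive inside IPsec.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str  # "permit" (protect with IPsec) or "deny" (do not protect)
    src: str     # source network in CIDR notation
    dst: str     # destination network in CIDR notation


@dataclass(frozen=True)
class Flow:
    src: str     # source address of one packet or session
    dst: str     # destination address


def first_match(rules: List[AclRule], flow: Flow) -> Optional[AclRule]:
    """Return the first rule whose source and destination networks contain the flow."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule
    return None


def classify(rules: List[AclRule], flow: Flow) -> str:
    """'protect' for a permit hit; 'bypass' for a deny hit or no match at all."""
    rule = first_match(rules, flow)
    return "protect" if rule is not None and rule.action == "permit" else "bypass"


def check_inbound_permits(inbound_rules: List[AclRule], cleartext_flows: List[Flow]) -> List[Flow]:
    """Clear-text inbound flows that would hit a permit rule and so be dropped."""
    return [f for f in cleartext_flows if classify(inbound_rules, f) == "protect"]


# Constructed outbound ACL of a branch gateway: traffic between two local subnets
# is excluded with a deny rule placed first; branch-to-HQ traffic is protected.
OUTBOUND_RULES = [
    AclRule("deny", "10.1.1.0/24", "10.1.2.0/24"),
    AclRule("permit", "10.1.1.0/24", "10.2.0.0/16"),
]

# Constructed inbound ACL, written for the inbound direction (source = remote side).
# The permit is too broad: it also catches clear-text management traffic.
INBOUND_RULES = [
    AclRule("permit", "0.0.0.0/0", "10.1.1.0/24"),
]

# Constructed clear-text flows that legitimately arrive outside the tunnel.
CLEARTEXT_INBOUND = [
    Flow("192.0.2.10", "10.1.1.5"),    # management host reaching a branch server
    Flow("198.51.100.7", "10.1.3.9"),  # subnet outside the permit rule: unaffected
]

if __name__ == "__main__":
    for flow in [Flow("10.1.1.5", "10.2.3.4"), Flow("10.1.1.5", "10.1.2.9")]:
        print(flow, "->", classify(OUTBOUND_RULES, flow))
    print("inbound flows that would be dropped:", check_inbound_permits(INBOUND_RULES, CLEARTEXT_INBOUND))
```

The deny rule has to precede the broader permit rule, because evaluation stops at the first hit; swapping the two rules would silently pull the local-to-local traffic into the tunnel.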

Configuring IKE

An SA can be created with IKE. This section describes how to configure IKE.

Configuring Global IKE Parameters

Select VPN > IKE > Global from the navigation tree to enter the IKE global configuration page, as shown in Figure 2.

Figure 2 IKE global configuration

Table 2 describes the configuration items for configuring global IKE parameters.

Table 2 Global IKE configuration items

Item Description

IKE Local Name

Type a name for the local security gateway. If the local device needs to act as the IKE negotiation initiator and use the local gateway name for IKE negotiation, you need to configure this argument on the local device. Then, the local device sends its gateway name as identification to its peer and the peer uses the locally configured remote gateway name to authenticate the local device. Therefore, make sure that the local gateway name configured here is identical to the remote gateway name configured on its peer. By default, the device name is used as the local gateway name.

NAT Keepalive Interval

Set the interval at which the ISAKMP SA sends NAT keepalive packets to its peer. NAT mappings on a NAT gateway may get aged. If no packet traverses an IPsec tunnel in a certain period of time, the NAT mapping will be deleted, disabling the tunnel beyond the NAT gateway from transferring data. To prevent NAT mappings from being aged, an ISAKMP SA sends to its peer NAT keepalive packets at a certain interval to keep the NAT session alive.


Configuring an IKE Proposal

Select VPN > IKE > Proposal from the navigation tree to display existing IKE proposals, as shown in Figure 3. Then, click Add to enter the IKE proposal configuration page, as shown in Figure 4.

Figure 3 IKE proposal list

Typically, IKE proposal configuration is omitted and the default IKE proposal named default is used.

Figure 4 Add an IKE proposal

Table 3 describes the configuration items for creating an IKE proposal.

Table 3 IKE proposal configuration items

Item Description

IKE Proposal Number

Type the IKE proposal number. The number also stands for the priority of the IKE proposal, with a smaller value meaning a higher priority. During an IKE negotiation, the system matches IKE proposals in order of proposal number, starting from the smallest one.

Authentication Method

Select the authentication method to be used by the IKE proposal.
- Preshared Key: Uses the pre-shared key method.
- RSA Signature: Uses the RSA digital signature method.


Authentication Algorithm

Select the authentication algorithm to be used by the IKE proposal.
- SHA1: Uses HMAC-SHA1.
- MD5: Uses HMAC-MD5.

Encryption Algorithm

Select the encryption algorithm to be used by the IKE proposal.
- DES-CBC: Uses the DES algorithm in CBC mode and 56-bit keys for encryption.
- 3DES-CBC: Uses the 3DES algorithm in CBC mode and 168-bit keys for encryption.
- AES-128: Uses the AES algorithm in CBC mode and 128-bit keys for encryption.
- AES-192: Uses the AES algorithm in CBC mode and 192-bit keys for encryption.
- AES-256: Uses the AES algorithm in CBC mode and 256-bit keys for encryption.

DH Group

Select the DH group to be used in key negotiation phase 1.
- Group1: Uses the 768-bit Diffie-Hellman group.
- Group2: Uses the 1024-bit Diffie-Hellman group.
- Group5: Uses the 1536-bit Diffie-Hellman group.
- Group14: Uses the 2048-bit Diffie-Hellman group.

SA Lifetime

Type the ISAKMP SA lifetime of the IKE proposal. Before an SA expires, IKE negotiates a new SA. As soon as set up, the new SA takes effect immediately and the old one is cleared automatically when it expires.

If the SA lifetime expires, the system automatically updates the ISAKMP SA. As DH calculation in IKE negotiation takes time, especially on low-end devices, it is recommended to set the lifetime greater than 10 minutes to prevent the SA update from influencing normal communication.

Configuring an IKE Peer

Select VPN > IKE > Peer from the navigation tree to display existing IKE peers, as shown in Figure 5. Then, click Add to enter the IKE peer configuration page, as shown in Figure 6.

Figure 5 IKE peer list


Figure 6 Add an IKE peer

Table 4 describes the configuration items for creating an IKE peer.

Table 4 IKE peer configuration items

Item Description

Peer Name

Type a name for the IKE peer.

IKE Negotiation Mode

Select the IKE negotiation mode for phase 1, which can be Main or Aggressive.

If one end of an IPsec tunnel is configured to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct.

The specified negotiation mode is used when the local peer is the negotiation initiator. When acting as the responder, the negotiation mode of the initiator is used.

Local ID Type

Select the local ID type for IKE negotiation phase 1.

- IP Address: Uses an IP address as the ID in IKE negotiation.
- Gateway Name: Uses a gateway name as the ID in IKE negotiation.

In main mode, only the ID type of IP address can be used in IKE negotiation and SA establishment.


Local IP Address

Type the IP address of the local security gateway. By default, it is the primary IP address of the interface referencing the security policy. Configure this item when you want to specify a special address for the local security gateway.

Normally, you do not need to specify the local IP address. You only need to do so when you want to specify a special address, such as the loopback interface address. For the local peer to act as the initiator, you need to configure the remote security gateway name or IP address, so that the local peer can find the remote peer during the negotiation.

Remote Gateway (IP Address or Hostname)

Type the IP address or host name of the remote security gateway.

You can specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address and its remote IP address must match the local IP address configured on its peer. If the local end is the responder of IKE negotiation, it can have more than one remote IP address and one of its remote IP addresses must match the local IP address configured on its peer.

The host name of the remote gateway is the only identifier of the IPsec peer in the network. The host name can be resolved into an IP address by the DNS server. If host name is used, the local end can serve as the initiator of IKE negotiation.

Remote ID

Type the name of the remote security gateway. If the local ID type configured for the IKE negotiation initiator is Gateway Name, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name (Remote ID) to authenticate the initiator. Therefore, make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer.

Pre-Shared Key / PKI Domain

Configure one of these two items according to the authentication method:
- If the authentication method is pre-shared key, select Pre-Shared Key and then type the pre-shared key in the following text box.
- If the authentication method is RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following drop-down box.

Enable DPD

Select the IKE DPD to be applied to the IKE peer.

Enable the NAT traversal function

Enable the NAT traversal function for IPsec/IKE. The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel. In main mode, IKE does not support NAT traversal and therefore this item is unavailable.

To save IP addresses, ISPs often deploy NAT gateways on public networks to allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel may have a public address while the other end may have a private address, and therefore NAT traversal must be configured at the private network side to set up the tunnel.

Configuring an IPsec Proposal

Select VPN > IPSec > Proposal from the navigation tree to display existing IPsec proposals.


The Web interface provides two modes for configuring an IPsec proposal, suite mode and custom mode.

Suite mode: This mode allows you to select a pre-defined encryption suite. Figure 7 shows the IPsec proposal configuration in suite mode.

Figure 7 IPsec proposal configuration in suite mode

Table 5 describes the configuration items in this mode.

Table 5 IPsec proposal configuration items in suite mode

Item Description

Proposal Name

Type the name for the IPsec proposal.

Encryption Suite

Select the encryption suite for the proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used. Following are the available encryption suites, of which Tunnel means that a security protocol encapsulates IP packets in tunnel mode:

Tunnel-ESP-DES-MD5: Uses the ESP security protocol, the DES encryption algorithm, and the MD5 authentication algorithm.

Tunnel-ESP-3DES-MD5: Uses the ESP security protocol, the 3DES encryption algorithm, and the MD5 authentication algorithm.

Tunnel-AH-MD5-ESP-DES: Uses the ESP and AH security protocols successively, making ESP use the DES encryption algorithm and perform no authentication, and making AH use the MD5 authentication algorithm.

Tunnel-AH-MD5-ESP-3DES: Uses the ESP and AH security protocols successively, making ESP use the 3DES encryption algorithm and perform no authentication, and making AH use the MD5 authentication algorithm.

Custom mode: This mode allows you to configure IPsec proposal parameters discretionarily. Figure 8 shows the IPsec proposal configuration in custom mode.

Figure 8 IPsec proposal configuration in custom mode


Table 6 describes the configuration items in this mode.

Table 6 IPsec proposal configuration items in custom mode

Item Description

Proposal Name

Type the name for the IPsec proposal.

Encapsulation Mode

Select the IP packet encapsulation mode for the IPsec proposal.
- Tunnel: Uses the tunnel mode.
- Transport: Uses the transport mode.

Security Protocol

Select the security protocol for the proposal.
- AH: Uses the AH protocol.
- ESP: Uses the ESP protocol.
- AH-ESP: Uses ESP first and then AH.

AH Authentication Algorithm

Select an authentication algorithm for AH when the security protocol is AH or AH-ESP. Available authentication algorithms include MD5 and SHA1.

ESP Authentication Algorithm

Select an authentication algorithm for ESP when the security protocol is ESP or AH-ESP. You can select MD5 or SHA1, or leave it null so the ESP performs no authentication.

The ESP authentication algorithm and ESP encryption algorithm cannot be both null.

ESP Encryption Algorithm

Select an encryption algorithm for ESP when the security protocol is ESP or AH-ESP.

- DES: Uses the DES algorithm and 56-bit keys for encryption.
- 3DES: Uses the 3DES algorithm and 168-bit keys for encryption.
- AES128: Uses the AES algorithm and 128-bit keys for encryption.
- AES192: Uses the AES algorithm and 192-bit keys for encryption.
- AES256: Uses the AES algorithm and 256-bit keys for encryption.
- Leave it null so that ESP performs no encryption.

Higher security means more complex implementation and lower speed. DES is enough to meet general requirements. Use 3DES when there are very high confidentiality and security requirements.

The ESP authentication algorithm and ESP encryption algorithm cannot both be null.

Configuring an IPsec Policy Template

Select VPN > IPSec > Policy-Template from the navigation tree to display existing IPsec policy templates, as shown in Figure 9. Then, click Add to enter the IPsec policy template configuration page, as shown in Figure 10.


Figure 9 IPsec policy template list

Figure 10 IPsec policy template configuration page

Table 7 describes the configuration items for creating an IPsec policy template.

Table 7 Configuration items for an IPsec policy template

Item Description

Template Name Type the name for the IPsec policy template.

Sequence Number

Type the sequence number for the IPsec policy template. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

IKE Peer

Select the IKE peer for the IPsec policy template to reference. Available IKE peers are those configured by selecting VPN > IKE > Peer from the navigation tree.

IPSec Proposal

Select up to six IPsec proposals for the IPsec policy template to reference. The IKE negotiation process will search for and use the exactly matching IPsec proposal. If no matching IPsec proposal is found, the expected SAs cannot be established and the packets that need to be protected will be discarded.


PFS

Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature.

- dh-group1: Uses the 768-bit Diffie-Hellman group.
- dh-group2: Uses the 1024-bit Diffie-Hellman group.
- dh-group5: Uses the 1536-bit Diffie-Hellman group.
- dh-group14: Uses the 2048-bit Diffie-Hellman group.

dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.

When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security. The two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

ACL

Select the ACL for the IPsec policy template to reference. The specified ACL must already exist and contain at least one rule. ACL configuration supports VPN multi-instance.

SA Lifetime (Time Based / Traffic Based)

Type the SA lifetime, which can be time-based or traffic-based.

When negotiating to set up IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.
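The selection rules stated in Table 3 and Table 7, as an added Python example that is not part of the H3C document and not H3C code: proposals are compared in ascending proposal-number order (a smaller number means higher priority) and only an exact match of every negotiated attribute counts, so one differing attribute, such as the DH group, means no SA is established; and for the IPsec SA lifetime the smaller of the locally configured value and the value proposed by the peer is used. explain_mismatch() is a troubleshooting helper that names the differing attributes. The attribute names and all proposal values are constructed samples; the model walks the local proposals by number and accepts the first one the remote side also offers.

```python
"""Proposal selection during IKE negotiation and the negotiated SA lifetime.

Added example; not part of the H3C document. Models two rules from the text:
exact match in ascending proposal-number order, and lifetime = min(local, proposed).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NEGOTIATED = ("auth_method", "auth_alg", "enc_alg", "dh_group")


@dataclass(frozen=True)
class IkeProposal:
    number: int       # priority: the smaller number is tried first
    auth_method: str  # "preshared-key" or "rsa-signature"
    auth_alg: str     # "sha1" or "md5"
    enc_alg: str      # "des-cbc", "3des-cbc", "aes-128", "aes-192", "aes-256"
    dh_group: str     # "group1", "group2", "group5", "group14"

    def attributes(self) -> tuple:
        """The attributes that must match exactly for two proposals to agree."""
        return tuple(getattr(self, f) for f in NEGOTIATED)


def select_proposal(local: List[IkeProposal], remote: List[IkeProposal]) -> Optional[IkeProposal]:
    """Walk local proposals by number; return the first one the remote side also offers."""
    offered = {p.attributes() for p in remote}
    for candidate in sorted(local, key=lambda p: p.number):
        if candidate.attributes() in offered:
            return candidate
    return None  # no exact match: the SA cannot be established


def explain_mismatch(local: List[IkeProposal], remote: List[IkeProposal]) -> List[Tuple[int, List[str]]]:
    """For each local proposal, list the attributes differing from the closest remote one."""
    report = []
    for candidate in sorted(local, key=lambda p: p.number):
        closest = min(remote, key=lambda r: sum(
            a != b for a, b in zip(candidate.attributes(), r.attributes())))
        diffs = [f"{name}: local {a} vs remote {b}"
                 for name, a, b in zip(NEGOTIATED, candidate.attributes(), closest.attributes())
                 if a != b]
        report.append((candidate.number, diffs))
    return report


def negotiated_lifetime(local_seconds: int, proposed_seconds: int) -> int:
    """IPsec SA lifetime actually used: the smaller of the two sides' values."""
    return min(local_seconds, proposed_seconds)


# Constructed sample proposals for the two gateways.
LOCAL = [IkeProposal(10, "preshared-key", "sha1", "aes-128", "group2"),
         IkeProposal(20, "preshared-key", "md5", "3des-cbc", "group2")]
REMOTE_OK = [IkeProposal(1, "preshared-key", "md5", "3des-cbc", "group2"),
             IkeProposal(2, "preshared-key", "sha1", "aes-128", "group2")]
REMOTE_BAD = [IkeProposal(1, "preshared-key", "sha1", "aes-128", "group5")]

if __name__ == "__main__":
    print("match:", select_proposal(LOCAL, REMOTE_OK))
    print("no match:", select_proposal(LOCAL, REMOTE_BAD))
    for number, diffs in explain_mismatch(LOCAL, REMOTE_BAD):
        print(f"  local proposal {number}: {diffs}")
    print("lifetime used:", negotiated_lifetime(3600, 1800))
```

Note that local proposal 10 is chosen even though the remote side lists its equivalent second: the local priority order decides, and the remote proposal numbers have no meaning on this side.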

Configuring an IPsec Policy

Select VPN > IPSec > Policy from the navigation tree to display existing IPsec policies, as shown in Figure 11. Then, click Add to enter the IPsec policy configuration page, as shown in Figure 12.

Figure 11 IPsec policy list


Figure 12 IPsec policy configuration page

Table 8 describes the configuration items for creating an IPsec policy.

Table 8 IPsec policy configuration items

Item Description

Policy Name
    Type the name for the IPsec policy.

Sequence Number
    Type the sequence number for the IPsec policy. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

Template
    Select the IPsec policy template to be referenced.
    If you select an IPsec policy template, all subsequent configuration items except the aggregation setting become unavailable.

IKE Peer
    Select the IKE peer for the IPsec policy to reference. Available IKE peers are those configured by selecting VPN > IKE > Peer from the navigation tree.

IPSec Proposal
    Select up to six IPsec proposals for the IPsec policy to reference. The IKE negotiation process searches for and uses the exactly matching IPsec proposal. If no exactly matching IPsec proposal is found, the expected SAs cannot be established and the packets that need to be protected are discarded.


PFS
    Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature.
    dh-group1: Uses the 768-bit Diffie-Hellman group.
    dh-group2: Uses the 1024-bit Diffie-Hellman group.
    dh-group5: Uses the 1536-bit Diffie-Hellman group.
    dh-group14: Uses the 2048-bit Diffie-Hellman group.
    dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
    When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security. Both peers must use the same Diffie-Hellman group; otherwise, negotiation fails.

ACL
    Select the ACL for the IPsec policy to reference. The specified ACL must already exist and contain at least one rule. ACL configuration supports VPN multi-instance.

Aggregation
    Select this check box to protect traffic in aggregation mode. If you do not select the check box, the standard mode is used. This setting takes effect only when you specify an ACL for the IPsec policy to reference.
    When configuring devices that support both the standard mode and the aggregation mode, be sure to configure the two ends of a tunnel to work in the same mode.

SA Lifetime (Time Based, Traffic Based)
    Type the SA lifetime, which can be time-based or traffic-based.
    When negotiating to set up IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.

Applying an IPsec Policy Group

Select VPN > IPSec > IPSec Application from the navigation tree to display the IPsec policy application situation, as shown in Figure 13. Find the interface to which you want to apply an IPsec policy group and then click the corresponding icon to enter the IPsec policy application page, as shown in Figure 14.

Figure 13 IPsec policy application


Figure 14 IPsec policy application page

Table 9 describes the configuration items for applying an IPsec policy group.

Table 9 Configuration items for IPsec policy group application

Item Description

Interface
    Displays the interface to which you want to apply an IPsec policy group.

Policy
    Select the IPsec policy group to be applied.
    Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application and then apply the new one to the interface. An IPsec policy group can be applied to more than one interface.

IPsec Configuration Example I: Basic Application

Network Requirements

As shown in Figure 15, an IPsec tunnel is established between Device A and Device B to protect traffic between subnet 192.168.1.0/24 (where Host A resides) and subnet 172.16.0.0/24 (where Host B resides).

The security protocol to be used is ESP, the encryption algorithm is DES, and the authentication algorithm is MD5.

Figure 15 Network diagram for IPsec configuration

Software Version Used

F5118


Configuration Procedures

Configuring Device A

# Assign IP addresses to the interfaces and add them to their target zones. (Omitted)

# Define ACL 3101 to permit packets from subnet 192.168.1.0/24 to subnet 172.16.0.0/24.

Select Firewall > ACL from the navigation tree, and then click Add. Configure the ACL as shown in Figure 16.

Figure 16 Create ACL 3101

Type 3101 as the ACL number. Select Config as the match order. Click Apply. From the ACL list, select ACL 3101 and click the corresponding icon. Then, click Add to enter the ACL rule configuration page. Create an ACL rule as shown in Figure 17.

Figure 17 Configure a rule to permit packets from 192.168.1.0/24 to 172.16.0.0/24


Select Permit from the Operation drop-down box. Select the Source IP Address check box and type 192.168.1.0 and 0.0.0.255 respectively in the following text boxes. Select the Destination IP Address check box and type 172.16.0.0 and 0.0.0.255 respectively in the following text boxes. Click Apply.

Note that on an outbound interface where both NAT and IPsec are configured, if an ACL is configured to identify the traffic for NAT, the target traffic is translated first. If the NATed traffic does not match any ACL for IPsec, the traffic cannot be IPsec protected. To solve this problem, you need to configure an additional rule in the ACL for NAT. For example, if ACL 3901 shown in Figure 18 is configured on GigabitEthernet 0/0 for NAT to process traffic sourced from 192.168.1.0/24, you need to add rule 1 to ACL 3901 as shown in Figure 19 so that traffic from 192.168.1.0/24 to 172.16.0.0/24 is not translated, but protected by IPsec.

Figure 18 ACL 3101

Figure 19 Add rule 1 for ACL 3901

# Configure a static route to Host B.

Select Network > Routing Management > Static Routing from the navigation tree, and then click Add. Create a static route as shown in Figure 20.

Figure 20 Configure a static route to Host B


Type 172.16.0.0 as the destination IP address. Type 255.255.255.0 as the mask. Type 192.168.250.230 as the next hop. Select GigabitEthernet0/1 as the outbound interface. Click Apply.

# Configure the IKE peer.

Select VPN > IKE > Peer from the navigation tree and then click Add. Perform the configurations shown in Figure 21.

Figure 21 Configure an IKE peer

Type peer as the peer name. Select Main as the negotiation mode. Type 192.168.250.230 as the IP address of the remote gateway. Select Pre-Shared Key and type 123456 as the pre-shared key. Click Apply.

# The default IKE proposal is used.

# Configure an IPsec proposal named proposal as follows:

Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Make the configuration as shown in Figure 22.


Figure 22 Configure an IPsec proposal

Type proposal as the name of the IPsec proposal. Select Tunnel as the packet encapsulation mode. Select ESP as the security protocol. Select MD5 as the ESP authentication algorithm. Select DES as the ESP encryption algorithm. Click Apply.

# Configure an IPsec policy.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 23.

Figure 23 Configure an IPsec policy

Type policy as the policy name. Type 1 as the sequence number. Select peer as the IKE peer. Select proposal as the IPsec proposal and click <<.


Type 3101 as the ACL. Click Apply.

# Apply the IPsec policy to interface GigabitEthernet 0/0.

Select VPN > IPSec > IPSec Application from the navigation tree, and then click the icon of interface GigabitEthernet 0/0. Perform the configurations shown in Figure 24.

Figure 24 Apply the IPsec policy to interface GigabitEthernet 0/0

Select policy as the policy. Click Apply.

Configuring Device B

# Assign IP addresses to the interfaces and then add them to their target zones. (Omitted)

# Define an ACL to permit traffic from subnet 172.16.0.0/24 to subnet 192.168.1.0/24.

Select Firewall > ACL from the navigation tree, and then click Add. Type 3101 as the ACL number. Select Config as the match order. Click Apply. From the ACL list, select ACL 3101 and click the corresponding icon. Then, click Add to enter the ACL rule configuration page. Configure a rule for ACL 3101 as shown in the following figure.

Figure 25 Configure a rule for ACL 3101

# Configure a static route to Host A.

Select Network > Routing Management > Static Routing from the navigation tree, and then click Add. Perform the configurations shown in Figure 26.


Figure 26 Configure a static route to Host A

# Configure IKE peer peer.

Select VPN > IKE > Peer from the navigation tree and then click Add. Perform the configurations shown in Figure 27.

Figure 27 Configure an IKE peer

Type peer as the peer name. Select Main as the negotiation mode. Type 192.168.250.12 as the IP address of the remote gateway. Select Pre-Shared Key and type 123456 as the pre-shared key. Click Apply.

# The default IKE proposal is used.


# Configure an IPsec proposal.

Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Perform the configurations shown in Figure 28.

Figure 28 Configure an IPsec proposal

Type proposal as the name of the IPsec proposal. Select Tunnel as the packet encapsulation mode. Select ESP as the security protocol. Select MD5 as the ESP authentication algorithm. Select DES as the ESP encryption algorithm. Click Apply.

# Configure IPsec policy policy.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 29.


Figure 29 Configure an IPsec policy

Type policy as the policy name. Type 1 as the sequence number. Select peer as the IKE peer. Select proposal as the IPsec proposal and click <<. Type 3101 as the ACL. Click Apply.

# Apply IPsec policy policy to GigabitEthernet 0/0.

Select VPN > IPSec > IPSec Application from the navigation tree, and then click the icon of interface GigabitEthernet 0/0.

Select policy as the policy. Click Apply.

Figure 30 Apply the IPsec policy to GigabitEthernet 0/0

Verification

After configuration, packets to be exchanged between subnet 192.168.1.0/24 and subnet 172.16.0.0/24 will trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet 192.168.1.0/24 and subnet 172.16.0.0/24 will be protected by IPsec.

Viewing IPsec SAs

Select VPN > IPSec > IPSec SA from the navigation tree to display brief information about established IPsec SAs, as shown in Figure 31.

Figure 31 IPsec SAs

Viewing Packet Statistics

Select VPN > IPSec > Statistics from the navigation tree to view packet statistics, as shown in Figure 32.

Figure 32 Packet statistics

IPsec Configuration Example: Working with NAT

Network Requirements

This example describes the combination of IPsec and ADSL, which is a popular application of IPsec.

As shown in Figure 33, Device B uses an ADSL card to connect to the DSLAM access side of the public network directly, and functions as the PPPoE client. Because Device B obtains only a private address dynamically from its ISP, you must configure NAT traversal on both Device A and Device B.

The headquarters LAN connects to the intranet network through Device A. To ensure data security, IPsec/IKE is adopted to create an IPsec tunnel.


Because the branch obtains an IP address dynamically, the IKE negotiation mode must be aggressive. Configure the local peer to use the gateway name as the ID type, and enable NAT traversal.

Figure 33 Network diagram for configuring IPsec to work with NAT

Configuration Procedures

Configuring Device A

# Assign IP addresses to the interfaces and add the interfaces to their target zones. (Omitted)

# Configure the IKE local name as head.

Figure 34 IKE global configuration

# Configure the IKE peer.

Select VPN > IKE > Peer from the navigation tree and then click Add. Type gate as the peer name. Select Aggressive as the negotiation mode. Type branch as the host name of the remote gateway. Select Pre-Shared Key and type 123456 as the pre-shared key. Select the Enable NAT traversal function check box. Click Apply.


Figure 35 Configure an IKE peer

# Configure an IPsec proposal named proposal.

Select VPN > IPSec > Proposal from the navigation tree and then click Add. Select Custom mode from the IPSec Proposal Configuration Wizard page. Type proposal as the IPsec proposal name, and use the default settings for the proposal, as shown in Figure 36.

Figure 36 Configure an IPsec proposal

# Configure an IPsec policy template.

Type 1 as the sequence number. Select gate as the IKE peer. Select IPsec proposal proposal, and click <<. Click Apply.


Figure 37 Add an IPsec policy template

# Configure an IPsec policy named policy_nat.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 38.

Figure 38 Configure an IPsec policy

# Apply the IPsec policy to interface GigabitEthernet 0/0.


Figure 39 Apply the IPsec policy

Configuring Device B

# Assign IP addresses to the interfaces and add the interfaces to their target zones. (Omitted)

# Configure ACL 3101 to permit packets from subnet 192.168.1.0/24 to subnet 172.16.0.0/24.

Figure 40 Configure a rule for ACL 3101

Note that on an outbound interface where both NAT and IPsec are configured, if an ACL is configured to identify the traffic for NAT, the target traffic is translated first. If the NATed traffic does not match any ACL for IPsec, the traffic cannot be IPsec protected. To solve this problem, you need to configure an additional rule in the ACL for NAT. For example, if ACL 3901 shown in Figure 41 is configured on GigabitEthernet 0/0 for NAT to process traffic sourced from 192.168.1.0/24, you need to add rule 1 to ACL 3901 as shown in Figure 42 so that traffic from 192.168.1.0/24 to 172.16.0.0/24 is not translated, but protected by IPsec.

Figure 41 ACL 3101

Figure 42 Add rule 1 to ACL 3901
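The NAT-before-IPsec ordering described in the notes above (for Device A in the basic example and for Device B here) can be checked offline with the following added Python model; it is not H3C code. ACL numbers 3101 and 3901 and the two subnets come from the document; the host addresses, the public address used for translation, and the rule order inside ACL 3901 are constructed assumptions.

```python
"""Outbound NAT-then-IPsec ordering on an H3C-style interface (added example,
not H3C code).  The NAT ACL is evaluated first, and the IPsec ACL then sees
the translated packet, so traffic bound for the peer subnet must be excluded
from NAT by a deny rule that is matched before the broad permit rule.

ACL numbers and subnets follow the document; host addresses, the public
address 192.168.250.12 used for translation, and the rule order are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # address/wildcard pair matching anything


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """H3C wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return ((a ^ r) & care) == 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: Tuple[str, str]           # (address, wildcard)
    dst: Tuple[str, str] = ANY     # (address, wildcard), any by default

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, *self.src)
                and wildcard_match(dst, *self.dst))


@dataclass
class Acl:
    """Advanced ACL with match order Config: rules are tried in listed order."""
    number: int
    rules: List[Rule]

    def evaluate(self, src: str, dst: str) -> Optional[str]:
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.action
        return None  # no rule matched: neither NAT nor IPsec applies


def outbound(src: str, dst: str, nat_acl: Acl, ipsec_acl: Acl,
             public_ip: str) -> Tuple[str, bool]:
    """Return (source address on the wire, whether IPsec protects the packet)."""
    if nat_acl.evaluate(src, dst) == "permit":
        src = public_ip                  # NAT runs first and rewrites the source
    protected = ipsec_acl.evaluate(src, dst) == "permit"  # IPsec sees the result
    return src, protected


LAN = ("192.168.1.0", "0.0.0.255")      # subnet behind Device A
PEER_LAN = ("172.16.0.0", "0.0.0.255")  # subnet behind Device B
PUBLIC_IP = "192.168.250.12"            # constructed outbound address

# IPsec ACL 3101: the traffic the tunnel is meant to protect.
IPSEC_ACL_3101 = Acl(3101, [Rule("permit", LAN, PEER_LAN)])

# NAT ACL 3901 as first configured: translates everything from the LAN.
NAT_ACL_3901_BEFORE = Acl(3901, [Rule("permit", LAN)])

# NAT ACL 3901 with the extra deny rule for LAN-to-peer traffic.  Under match
# order Config the deny must be tried before the broad permit, so it is listed
# first here (constructed order; the figures are not reproduced in this text).
NAT_ACL_3901_AFTER = Acl(3901, [Rule("deny", LAN, PEER_LAN), Rule("permit", LAN)])


def check(nat_acl: Acl) -> dict:
    """Evaluate two constructed flows: one to the peer LAN, one to the Internet."""
    return {
        "to_peer": outbound("192.168.1.10", "172.16.0.10", nat_acl,
                            IPSEC_ACL_3101, PUBLIC_IP),
        "to_internet": outbound("192.168.1.10", "203.0.113.5", nat_acl,
                                IPSEC_ACL_3101, PUBLIC_IP),
    }


if __name__ == "__main__":
    for name, acl in (("before", NAT_ACL_3901_BEFORE), ("after", NAT_ACL_3901_AFTER)):
        for flow, (wire_src, protected) in check(acl).items():
            print(f"{name:6} {flow:12} src on wire {wire_src:16} IPsec={protected}")
```

Without the deny rule the LAN-to-peer flow leaves with the translated source, misses ACL 3101 and is forwarded in clear text; with it the flow keeps its private source and is protected, while Internet-bound traffic is still translated.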


# Configure the IKE local name as branch.

Figure 43 Configure the IKE local name

# Configure an IKE peer named gate.

Select VPN > IKE > Peer from the navigation tree and then click Add. Type gate as the peer name. Select Aggressive as the negotiation mode. Select IP Address as the gateway name. Type 100.1.1.1 as the IP address of the remote gateway. Type head as the remote ID. Select Pre-Shared Key and type 123456 as the pre-shared key. Select the Enable NAT traversal function check box. Click Apply.

Figure 44 Configure an IKE peer

# Configure an IPsec proposal named proposal.

Select VPN > IPSec > Proposal from the navigation tree and then click Add.


Select Custom mode from the IPSec Proposal Configuration Wizard page. Type proposal as the proposal name, and use the default settings for the proposal, as shown in Figure 45.

Figure 45 Configure an IPsec proposal

# Configure an IPsec policy named policy_nat.

Select VPN > IPSec > Policy from the navigation tree and then click Add. Perform the configurations shown in Figure 46.

Figure 46 Configure an IPSec policy

Type policy_nat as the policy name. Type 1 as the sequence number. Select gate as the IKE peer. Select proposal for the IPsec policy, and click <<. Type 3101 in the ACL text box. Click Apply.


# Apply IPsec policy policy_nat to interface Dialer 1.

Figure 47 Apply the IPsec policy to an interface

Verification

After configuration, packets to be exchanged between subnet 192.168.1.2 and subnet 172.16.1.2 will trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet 172.16.1.2 and subnet 172.16.1.2 will be protected by IPsec.

Viewing IPsec SAs

Select VPN > IPSec > IPSec SA from the navigation tree to display brief information about established IPsec SAs, as shown in Figure 48.

Figure 48 IPsec SAs

Viewing Packet Statistics

Select VPN > IPSec > Statistics from the navigation tree to view packet statistics, as shown in Figure 49.

Figure 49 Packet statistics


Configuration Guidelines

When configuring IPsec, follow these guidelines:

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively. Therefore, you need to make sure that flows of these protocols are not denied on the interfaces with IKE and/or IPsec configured.

If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay operation, packets outside the anti-replay window in the inbound direction may be discarded, resulting in packet loss. Therefore, when using IPsec together with QoS, ensure that they use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
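The anti-replay interaction with QoS described in the guideline above, as an added Python model (not H3C code): an RFC 2401-style sliding window on the receiving side is fed a constructed packet stream that QoS has split into a high-priority and a low-priority queue. The window size of 32 and the classification rule (every eighth packet is low-priority bulk traffic) are constructed assumptions.

```python
"""Anti-replay window versus QoS reordering (added example, not H3C code).

Models the guideline: if QoS puts packets of one IPsec SA into different
queues, low-priority packets can arrive so late that they fall outside the
receiver's anti-replay window and are discarded.  Window size (32) and the
classification rule used to split the queues are constructed assumptions.
"""
from typing import Callable, List, Tuple


class AntiReplayWindow:
    """Sliding window in the style of RFC 2401 Appendix C.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been received.
    """

    def __init__(self, size: int = 32) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq <= 0:                       # ESP sequence numbers start at 1
            return False
        if seq > self.top:                 # newer than anything seen: slide window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:            # older than the window: drop as stale
            return False
        if (self.bitmap >> offset) & 1:    # already received: drop as replay
            return False
        self.bitmap |= 1 << offset         # late but inside the window: accept
        return True


def receive(order: List[int], size: int = 32) -> Tuple[List[int], List[int]]:
    """Feed packets to a fresh window in arrival order; return (accepted, dropped)."""
    window = AntiReplayWindow(size)
    accepted, dropped = [], []
    for seq in order:
        (accepted if window.accept(seq) else dropped).append(seq)
    return accepted, dropped


def qos_reorder(seqs: List[int], low_priority: Callable[[int], bool]) -> List[int]:
    """Strict-priority scheduling: the low-priority queue drains only after the
    high-priority queue is empty, which is what reorders one SA's packets."""
    high = [s for s in seqs if not low_priority(s)]
    low = [s for s in seqs if low_priority(s)]
    return high + low


def bulk_transfer(seq: int) -> bool:
    """Constructed classification rule: every eighth packet is bulk traffic."""
    return seq % 8 == 0


def compare(count: int = 64, size: int = 32) -> dict:
    """Drops with a single queue versus with QoS splitting the SA's traffic."""
    seqs = list(range(1, count + 1))
    _, dropped_single = receive(seqs, size)
    _, dropped_split = receive(qos_reorder(seqs, bulk_transfer), size)
    return {"single_queue": dropped_single, "split_queues": dropped_split}


if __name__ == "__main__":
    for name, dropped in compare().items():
        print(f"{name:13} dropped {len(dropped):2} packets {dropped}")
```

With one queue nothing is dropped; with the split, the bulk packets that were held back by more than the window size (8, 16 and 24 here) are discarded as stale even though they are authentic, which is the packet loss the guideline warns about.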

References

Protocols and Standards

RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP Authentication Header
RFC 2406: IP Encapsulating Security Payload

Related Documentation

IPsec Configuration in the web configuration manual


UTM Series L2TP Configuration Example

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/18

UTM Series L2TP Configuration Example

Keywords: VPDN, L2TP

Abstract: This document introduces basic concepts of L2TP, describes how to configure L2TP on a UTM

device, and presents an L2TP configuration example for UTM devices.

Acronyms:

Acronym Full spelling

VPDN Virtual Private Dial-up Network

L2TP Layer 2 Tunneling Protocol

LNS L2TP Network Server


Table of Contents

Feature Overview 3
    Typical Networking Application of L2TP 3
    L2TP Tunnel Modes 4
Application Scenarios 5
Configuration Guidelines 5
    L2TP Configuration Task List 5
    Enabling L2TP 5
    Adding an L2TP Group 6
    Displaying L2TP Tunnel Information 13
Client-Initiated L2VPN Configuration Example 14
    Software Version Used 14
    Network Requirements 14
    Configuration Procedure 14
        Configuring the VPN User 14
        Configuring the LNS 15
    Verification 17
References 18
    Protocols and Standards 18
    Related Documentation 18


Feature Overview

A virtual private dial-up network (VPDN) is a virtual private network (VPN) that utilizes the dial-up function of public networks such as ISDN or PSTN networks to provide access services for enterprises, small Internet service providers (ISPs), and telecommuters. VPDN provides an economical and effective point-to-point method for remote users to connect to their home LANs.

A VPDN tunnel can be NAS-initiated or client-initiated:

NAS-initiated VPDN tunnel. The network access server (NAS) connects a user’s PPP connection to the corporate VPDN gateway through a VPDN tunneling protocol, establishing a tunnel with the VPDN gateway. The tunneling is transparent to users. A user only needs to log in once to access the enterprise network, which authenticates the user and assigns the user a private IP address, so the user does not need a public address. This mode requires that the NAS support VPDN and the authentication system support VPDN attributes.

Client-initiated VPDN tunnel. A user accesses the Internet first, and then establishes a tunnel with the VPDN gateway through dedicated client software, such as the L2TP client software offered by Windows 2000. In this mode, a user can access the enterprise network anytime from any place, without the involvement of any ISP. However, users must install dedicated software, which means that users must use platforms supporting the L2TP client. Usually, the Windows 2000 platform is used.

In general, a VPDN gateway can be a router or a dedicated VPN server.

There are primarily three VPDN tunneling protocols:

PPTP: Point-to-Point Tunneling Protocol
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol

L2TP is currently the most widely-used VPDN tunneling protocol.

Typical Networking Application of L2TP

Figure 1 shows a typical VPDN built by using L2TP.

Figure 1 VPDN built by using L2TP

A VPDN built by using L2TP consists of three components:

Remote system


A remote system is usually a remote user’s host or a remote branch’s routing device that needs to access the VPDN network.

LAC

An L2TP access concentrator (LAC) is a device that has PPP and L2TP capabilities. An LAC is usually a Network Access Server (NAS) located at a local ISP, which provides access services mainly for PPP users.

An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system using L2TP and then sends the resulting packets to the LNS. It de-encapsulates packets received from the LNS and then sends the resulting packets to the intended remote system.

The connection between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used in a VPDN application.

LNS

An L2TP network server (LNS) functions as both the L2TP server and the PPP end system. It is usually an edge device on an enterprise network.

An LNS is the other endpoint of an L2TP tunnel and is a peer to the LAC. It is the logical termination point of a PPP session tunneled by the LAC. L2TP logically extends the termination point of a PPP session from a NAS to an LNS.

L2TP Tunnel Modes

There are two typical L2TP tunnel modes: NAS-initiated and client-initiated.

NAS-initiated

In this mode, a remote system dials in to the LAC through a PPPoE/ISDN network, and the LAC initiates a tunneling request to the LNS over the Internet, as shown in Figure 2. The LNS will assign the remote system a private IP address. Authentication and accounting of the remote system can be implemented on the LAC by an agent or on the LNS.

Figure 2 NAS-initiated tunnel mode

Client-initiated

In this mode, after obtaining the access right to the Internet, a remote system running the L2TP client software (LAC client) initiates a tunneling request to the LNS directly without requiring a separate LAC. The LNS will assign the LAC client a private IP address. An LAC client needs a public IP address to communicate with the LNS directly through the Internet.


Figure 3 Client-initiated tunnel mode

Application Scenarios

L2TP can be used to build secure VPNs for enterprises across public networks. Branch offices and traveling staff can remotely access the headquarters’ Intranet resources through a virtual tunnel over public networks. Other users on the public networks are not permitted access.

Configuration Guidelines

L2TP Configuration Task List

At present, you can perform only the LNS configuration through Web.

Perform the tasks in Table 1 to configure L2TP on the LNS.

Table 1 L2TP configuration task list

Task: Enabling L2TP
Remarks: Required. By default, L2TP is disabled.

Task: Adding an L2TP Group
Remarks: Required. Create an L2TP group and configure the L2TP group related parameters. By default, no L2TP group is created.

Task: Displaying L2TP Tunnel Information
Remarks: Optional. View the L2TP tunnel information.

Enabling L2TP

Select VPN > L2TP > L2TP Configuration from the navigation tree to enter the L2TP configuration page, as shown in Figure 4. On the upper part of the page, you can enable or disable L2TP.


Figure 4 L2TP configuration page

Table 2 describes the configuration item for enabling L2TP.

Table 2 Configuration item for enabling L2TP

Item: Enable L2TP
Description: Specify whether to enable L2TP globally.

Adding an L2TP Group

Select VPN > L2TP > L2TP Configuration from the navigation tree to enter the L2TP configuration page, as shown in Figure 4. On the lower part of the page, you can view and configure L2TP groups. Click Add to add an L2TP group, as shown in Figure 5.


Figure 5 Add an L2TP group

Table 3 describes the L2TP group configuration items.

Table 3 Configuration items for adding an L2TP group

Item: L2TP Group Name
Description: Specify the name of the L2TP group.

Item: Peer Tunnel Name
Description: Specify the peer name of the tunnel.

Item: Local Tunnel Name
Description: Specify the local name of the tunnel.


Item: Tunnel Authentication / Authentication Password
Description: Enable or disable L2TP tunnel authentication in the group. If you enable tunnel authentication, you need to set the authentication password. The tunnel authentication request can be initiated by the LAC or the LNS. Once tunnel authentication is enabled on one end, a tunnel can be established only if tunnel authentication is also enabled on the other end and the passwords configured on the two ends are the same and not null; if these requirements are not satisfied, the tunnel initiator tears down the tunnel connection automatically. If tunnel authentication is disabled on both ends, the configured tunnel authentication passwords do not take effect.

You are recommended to enable tunnel authentication on both ends of the tunnel for security. You can disable tunnel authentication if you want to test the network connectivity or let the local end accept connections initiated by unknown peers.

If you modify the tunnel authentication password while the tunnel is working, you need to tear down the tunnel so that the modified authentication password takes effect when the tunnel is reestablished.

Item: Authentication Method (under PPP Authentication Configuration)
Description: Select the authentication method for PPP users on the local end. You can select PAP or CHAP. If you do not select an authentication method, no authentication is performed.

Item: ISP Domain (under PPP Authentication Configuration)
Description: Specify the ISP domain for PPP user authentication. You can:
- Click Add to enter the page for adding an ISP domain, as shown in Figure 6. Refer to Table 4 for further details.
- Select an ISP domain and click Modify to enter the ISP domain modification page. Refer to Table 4 for configuration details.
- Select an ISP domain and click Delete to delete the ISP domain.

Note that:
- If you specify an ISP domain, the specified domain is used for authentication, and IP addresses must be assigned from the address pool configured in the specified domain. Refer to the description of the User Address parameter for details.
- If you do not specify an ISP domain, the system checks whether the username carries domain information. If it does, that domain is used for authentication (if the domain does not exist, the authentication fails); otherwise, the default domain (system by default) is used for authentication.


Item: PPP Server IP/Mask (under PPP Address)
Description: Specify the IP address and mask of the local end.

Item: PPP Server Zone (under PPP Address)
Description: Specify the security zone to which the local end belongs. If you do not select a zone, the global address pool is used.

Item: User Address (under PPP Address)
Description: Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly. If you have specified an ISP domain in the PPP authentication configuration, the address pools in that ISP domain are listed in the User Address drop-down list. You can:
- Click Add to add an address pool, as shown in Figure 7. Refer to Table 5 for further details.
- Select an address pool and click Modify to enter the address pool modification page. Refer to Table 5 for configuration details.
- Select an address pool and click Delete to delete the address pool.

Item: Assign Address Forcibly (under PPP Address)
Description: Specify whether to force the peer end to use the IP address assigned by the local end. If you enable this function, the peer end is not allowed to use its locally configured IP address.

Item: Hello Interval (under Advanced Configuration)
Description: Specify the interval between sending Hello packets. To check the connectivity of a tunnel, the LAC and LNS regularly send Hello packets to each other. Upon receipt of a Hello packet, the LAC/LNS returns a response packet. If the LAC or LNS receives no Hello response packet from the peer within a specified period of time, it retransmits the Hello packet. If it receives no response packet from the peer after transmitting the Hello packet three times, it considers the L2TP tunnel down and tries to re-establish a tunnel with the peer. The Hello intervals on the LAC and LNS ends of the tunnel can be different.

Item: AVP Hidden (under Advanced Configuration)
Description: Specify whether to transfer attribute value pair (AVP) data in hidden mode. With L2TP, some parameters are transferred as AVP data. You can configure an LAC to transfer AVP data in hidden mode, so that AVP data is encrypted before transmission for higher security. This configuration takes effect only on an LAC.

Item: Flow Control (under Advanced Configuration)
Description: Specify whether to enable flow control for the L2TP tunnel. The L2TP tunnel flow control function controls data packets in transmission. It helps in buffering and reordering received out-of-order data packets.

Item: Mandatory CHAP / Mandatory LCP (under Advanced Configuration)
Description: Specify user authentication on the LNS end. After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, an L2TP tunnel can be set up only when both authentications succeed. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP re-negotiation, and proxy authentication.

Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.

LCP re-negotiation: For a PPP user that depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user's authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored.

Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself.

Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group.

Some PPP clients may not support re-authentication, in which case LNS side CHAP authentication will fail.

With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS will not re-authenticate users; it will assign public addresses to the PPP users immediately. In other words, the users are authenticated only once at the LAC end.

When the LNS uses proxy authentication and the user authentication information passed from the LAC to the LNS is valid: if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user; if the authentication method configured in the L2TP group is CHAP but that configured on the LAC is PAP, the proxy authentication will fail and no session can be set up. This is because the level of CHAP authentication, which is required by the LNS, is higher than that of PAP authentication, which the LAC provides.
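The Tunnel Authentication item above states the rules for when a tunnel comes up: authentication enabled on both ends, identical passwords, and a password that is not null. The following Python simulation is an added example, not H3C code and not part of the original page; it models both ends of the control connection in-process (no packets are sent) and uses the Challenge Response computation from RFC 2661 section 4.4.3, MD5 over the message type byte, the shared secret and the peer's challenge. The endpoint names, the password strings and the SCCRQ/SCCRP/SCCCN walk-through are constructed for illustration. Note that the worked configuration later on this page selects Disable for Tunnel Authentication, which is the setting the table recommends against outside connectivity tests.

```python
"""L2TP tunnel authentication, as described for the Tunnel Authentication item.

Constructed example (not H3C code): both tunnel endpoints are modelled
in-process and no packets are sent. The Challenge Response computation is
the one defined in RFC 2661 section 4.4.3.
"""
import hashlib
import hmac
import os
from typing import Tuple

# Control message types that carry a Challenge Response AVP (RFC 2661 section 6).
SCCRP = 2  # Start-Control-Connection-Reply, sent by the responder
SCCCN = 3  # Start-Control-Connection-Connected, sent by the initiator


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 4.4.3: MD5(message type as one octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One end of an L2TP tunnel (LAC or LNS) and its local tunnel-auth settings."""

    def __init__(self, name: str, auth_enabled: bool, password: str):
        self.name = name
        self.auth_enabled = auth_enabled
        self.secret = password.encode()
        # A fresh random challenge per tunnel attempt; reusing one would allow replay.
        self.challenge = os.urandom(16)

    def verify(self, msg_type: int, response: bytes) -> bool:
        """Check the peer's response to our own challenge in constant time."""
        expected = challenge_response(msg_type, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(initiator: TunnelEndpoint, responder: TunnelEndpoint) -> Tuple[bool, str]:
    """Run the SCCRQ/SCCRP/SCCCN exchange and return (tunnel_up, reason).

    Applies the rules from the configuration table: once authentication is
    enabled on either end, both ends must enable it and share the same
    non-empty password, otherwise the initiator tears the tunnel down.
    """
    if not initiator.auth_enabled and not responder.auth_enabled:
        return True, "tunnel authentication disabled on both ends; passwords ignored"
    if not (initiator.auth_enabled and responder.auth_enabled):
        return False, "tunnel authentication enabled on one end only"
    if not initiator.secret or not responder.secret:
        return False, "tunnel authentication password is null"

    # SCCRQ: the initiator sends its Challenge AVP.
    # SCCRP: the responder answers that challenge and sends its own Challenge AVP.
    sccrp_response = challenge_response(SCCRP, responder.secret, initiator.challenge)
    if not initiator.verify(SCCRP, sccrp_response):
        return False, f"{initiator.name} rejected SCCRP: password mismatch, tearing down"

    # SCCCN: the initiator answers the responder's challenge.
    scccn_response = challenge_response(SCCCN, initiator.secret, responder.challenge)
    if not responder.verify(SCCCN, scccn_response):
        return False, f"{responder.name} rejected SCCCN: password mismatch"
    return True, "tunnel authenticated on both ends"


if __name__ == "__main__":
    lac = TunnelEndpoint("LAC", True, "shared-secret")  # constructed password
    for lns in (TunnelEndpoint("LNS", True, "shared-secret"),
                TunnelEndpoint("LNS", True, "other-secret"),
                TunnelEndpoint("LNS", False, "")):
        print(establish_tunnel(lac, lns))
```

The check is mutual: the responder proves knowledge of the password in SCCRP and the initiator proves it in SCCCN, so a one-sided configuration or a password mismatch is detected before any session is accepted, which matches the "tunnel initiator tears down the tunnel" behaviour described in the table.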


Figure 6 Add an ISP domain

Table 4 Configuration items for adding an ISP domain

Item: ISP Domain
Description: Specify the name of the ISP domain.

Authentication Methods

Item: Server Type
Description: Select the authentication server type for PPP users.
- HWTACACS: Uses HWTACACS authentication.
- Local: Uses local authentication.
- None: All users are trusted and no authentication is performed. Generally, this method is not recommended.
- RADIUS: Uses RADIUS authentication.
If you do not select any authentication method, the default authentication method of the ISP domain is used, which is Local by default.

Item: Primary Scheme
Description: Scheme for the primary authentication method, which is displayed when you select HWTACACS or RADIUS as the server type. At present, the scheme is always system.

Item: Backup
Description: Specify whether to enable the backup authentication method.


Authorization Methods

Item: Server Type
Description: Select the authorization server type for PPP users.
- HWTACACS: Uses HWTACACS authorization.
- Local: Uses local authorization.
- None: No authorization exchange is performed. Every user is trusted and has the corresponding default rights of the system.
- RADIUS: Uses RADIUS authorization.
If you do not select any authorization method, the default authorization method of the ISP domain is used, which is Local by default.

Item: Primary Scheme
Description: Scheme for the primary authorization method, which is displayed when you select HWTACACS or RADIUS as the server type. At present, the scheme is always system.

Item: Backup
Description: Specify whether to enable the backup authorization method.

Item: Accounting Optional
Description: Specify whether to enable the accounting optional function.

For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user is disconnected. With the accounting optional function enabled, the user can still use the network resources in such a case, but the system no longer sends the accounting information of the user to the accounting server.

Accounting Methods

Item: Server Type
Description: Select the accounting server type for PPP users.
- HWTACACS: Uses HWTACACS accounting.
- Local: Uses local accounting.
- None: The system does not perform accounting for the users.
- RADIUS: Uses RADIUS accounting.
If you do not select any accounting method, the default accounting method of the ISP domain is used, which is Local by default.

Item: Primary Scheme
Description: Scheme for the primary accounting method, which is displayed when you select HWTACACS or RADIUS as the server type. At present, the scheme is always system.

Item: Backup
Description: Specify whether to enable the backup accounting method.

Item: Max. Number of Users
Description: Specify the maximum number of users the ISP domain can accommodate. If you do not specify the maximum number, the system does not limit the number of users of the ISP domain. As users may compete for resources, setting a proper limit on the number of users of an ISP domain helps guarantee performance for the users of the ISP domain.


Figure 7 Add an address pool

Table 5 Configuration items for adding an IP address pool

Item: ISP Domain
Description: Select the ISP domain for the IP address pool to be created.

Item: IP Address Pool Number
Description: Specify the number of the IP address pool. If you set the IP address pool number to 1, the name of the IP address pool is pool1.

Item: Start IP / End IP
Description: Specify the start IP address and end IP address of the IP address pool. The number of addresses between the start IP address and the end IP address must not exceed 1024. If you specify only the start IP address, the IP address pool contains only one IP address, namely the start IP address.
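Two rules on this page decide where a PPP user's address comes from: the ISP Domain item in Table 3 (a domain configured in the group wins, otherwise a domain carried in the username is used and must exist, otherwise the default domain system applies) and the address pool limits in Table 5 (pool number N is named poolN, at most 1024 addresses, start IP only means a single address). The following Python code is an added example, not H3C code and not part of the original page, that implements both rules together and adds a sanity check a practitioner would want: the user pool must lie in the PPP server's subnet and must not contain the PPP server's own address. The domain table, the user@domain username form, the usernames and the second domain are assumptions constructed for illustration; the system domain with pool0 172.16.0.2 to 172.16.0.30 and server 172.16.0.1/255.255.255.0 is the configuration worked later on this page.

```python
"""ISP domain selection and address-pool assignment for PPP users on the LNS.

Constructed example (not H3C code) following the rules given for the ISP
Domain item and for address pools. The domain table, pool numbers, usernames
and the user@domain username form are assumptions made for illustration.
"""
import ipaddress
from typing import Dict, Optional, Tuple

MAX_POOL_SIZE = 1024       # stated limit on addresses in one pool
DEFAULT_DOMAIN = "system"  # default ISP domain when none is configured or carried


class AddressPool:
    """Pool poolN of an ISP domain; end_ip=None gives a single-address pool."""

    def __init__(self, number: int, start_ip: str, end_ip: Optional[str] = None):
        self.name = f"pool{number}"
        start = ipaddress.IPv4Address(start_ip)
        end = ipaddress.IPv4Address(end_ip) if end_ip else start
        if end < start:
            raise ValueError(f"{self.name}: end IP precedes start IP")
        size = int(end) - int(start) + 1
        if size > MAX_POOL_SIZE:
            raise ValueError(f"{self.name}: {size} addresses exceeds the limit of {MAX_POOL_SIZE}")
        self.bounds = (start, end)
        self.free = [ipaddress.IPv4Address(int(start) + i) for i in range(size)]

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.bounds[0] <= addr <= self.bounds[1]

    def allocate(self) -> Optional[ipaddress.IPv4Address]:
        """Hand out the lowest free address, or None when the pool is exhausted."""
        return self.free.pop(0) if self.free else None


def resolve_domain(username: str, group_domain: Optional[str],
                   domains: Dict[str, AddressPool]) -> str:
    """Choose the ISP domain used to authenticate a PPP user.

    A domain configured in the L2TP group wins. Otherwise a domain carried in
    the username (assumed user@domain form) is used and must exist; otherwise
    the default domain applies.
    """
    if group_domain is not None:
        if group_domain not in domains:
            raise LookupError(f"configured ISP domain {group_domain!r} does not exist")
        return group_domain
    if "@" in username:
        domain = username.rpartition("@")[2]
        if domain not in domains:
            raise LookupError(f"domain {domain!r} carried in username does not exist: authentication fails")
        return domain
    return DEFAULT_DOMAIN


def assign_user_address(username: str, group_domain: Optional[str],
                        domains: Dict[str, AddressPool]) -> Tuple[str, str]:
    """Resolve the domain, then assign an address from that domain's pool."""
    domain = resolve_domain(username, group_domain, domains)
    pool = domains[domain]
    addr = pool.allocate()
    if addr is None:
        raise RuntimeError(f"{pool.name} in ISP domain {domain!r} is exhausted")
    return domain, str(addr)


def check_server_against_pool(server_ip_mask: str, pool: AddressPool) -> bool:
    """Sanity check: the pool lies in the PPP server's subnet and does not
    hand out the server's own address (dotted-decimal mask accepted)."""
    server = ipaddress.IPv4Interface(server_ip_mask)
    start, end = pool.bounds
    in_subnet = start in server.network and end in server.network
    return in_subnet and not pool.contains(server.ip)


def example_domains() -> Dict[str, AddressPool]:
    """The page's worked configuration (domain system, pool0 172.16.0.2-172.16.0.30)
    plus a constructed single-address domain named branch."""
    return {
        "system": AddressPool(0, "172.16.0.2", "172.16.0.30"),
        "branch": AddressPool(1, "10.9.8.7"),  # constructed, start IP only
    }


if __name__ == "__main__":
    domains = example_domains()
    print(assign_user_address("ppp", "system", domains))
    print(check_server_against_pool("172.16.0.1/255.255.255.0", domains["system"]))
```

With the page's configuration, the first user authenticated in domain system receives 172.16.0.2, which is the address the Verification section expects the host to obtain; a username carrying a domain that does not exist raises a lookup error rather than silently falling back to the default domain, which is the failure mode the ISP Domain description calls out.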

Displaying L2TP Tunnel Information

Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page, as shown in Figure 8.

Figure 8 L2TP tunnel information

Table 6 describes the L2TP tunnel information in detail.

Table 6 L2TP tunnel information

Item: Local Tunnel ID
Description: Local ID of the tunnel

Item: Peer Tunnel ID
Description: Peer ID of the tunnel

Item: Peer Tunnel Port
Description: Peer port of the tunnel

Item: Peer Tunnel IP
Description: Peer IP address of the tunnel

Item: Session Count
Description: Number of sessions on the tunnel

Item: Peer Tunnel Name
Description: Peer name of the tunnel

Client-Initiated L2VPN Configuration Example

Software Version Used

F5118

Network Requirements

As shown in Figure 9, a VPN user accesses the corporate headquarters as follows:

1) The user first connects to the Internet, and then initiates a tunneling request to the LNS directly.
2) After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the VPN user.
3) The VPN user communicates with the headquarters over the tunnel.

Figure 9 Network diagram for client-initiated VPN configuration

Configuration Procedure

Configuring the VPN User

On the user host, create a virtual private network connection using the Windows operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode. Assign an IP address (222.10.20.5 in this example) to the user host and then configure a route to ensure the connectivity between the user host and the LNS (202.1.1.2).

Perform the following configurations on the user host (the configuration procedure depends on the client software):

- Specify the VPN username as ppp and the password as ppp.
- Set the Internet interface address of the security gateway as the IP address of the LNS. In this example, the Ethernet interface on the LNS, the interface for the tunnel, has an IP address of 202.1.1.2.
- Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to customized, and the authentication mode to CHAP.


Configuring the LNS

Step 1 Configure IP addresses for interfaces (omitted).

Step 2 Configure a route to ensure the reachability of the LNS to the user host (omitted).

Step 3 Create a local user named ppp, and set the password to ppp and the service type to PPP.

Select User > Local User from the navigation tree and then click Add. Perform the configurations shown in Figure 10.

Figure 10 Add a local user

- Type ppp as the username.
- Select PPP as the user type.
- Type password ppp.
- Type ppp to confirm the password.
- Click Apply.

Step 4 Enable L2TP.

Select VPN > L2TP > L2TP Configuration from the navigation tree. Then, perform the configurations shown in Figure 11.

Figure 11 Enable L2TP

- Select the check box before Enable L2TP.
- Click Apply.

Step 5 Add an L2TP group.

On the L2TP configuration page, click Add and then perform the following configurations.


- Type the L2TP group name test.
- Type the peer tunnel name user.
- Type the local tunnel name lns.
- Select Disable for Tunnel Authentication.
- Select CHAP as the PPP authentication method.
- Select ISP domain system (the default ISP domain).
- Click the Modify button of the ISP domain to perform the configurations shown in Figure 12.

Figure 12 Configure local authentication method for VPN users

- Select the server type Local as the PPP authentication method.
- Click Apply to return to the L2TP group configuration page.
- Type 172.16.0.1/255.255.255.0 as the PPP server IP address/mask.
- Select Trust from the PPP Server Zone drop-down list. (Select a security zone according to your network configuration.)
- Click the Add button of the User Address parameter and then perform the configurations shown in Figure 13.

Figure 13 Add an IP address pool

- Select domain system.
- Type 0 as the IP address pool number.
- Type the start IP address 172.16.0.2.
- Type the end IP address 172.16.0.30.
- Click Apply to finish the IP address pool configuration and return to the L2TP group configuration page.
- Select pool0 from the User Address drop-down list.
- Select Enable from the Assign Address Forcibly drop-down list.

Figure 14 shows the L2TP group configuration page after the above configurations. Click Apply.

Figure 14 L2TP group configurations

Verification

# On the user host, initiate an L2TP connection to the LNS. The host obtains an IP address (172.16.0.2) and is able to ping the private address of the LNS (172.16.0.1).

# On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the established L2TP tunnel should appear, as shown in Figure 15.


Figure 15 L2TP tunnel information

References

Protocols and Standards

RFC 1661: The Point-to-Point Protocol (PPP)
RFC 1918: Address Allocation for Private Internets
RFC 2661: Layer Two Tunneling Protocol "L2TP"

Related Documentation

L2TP Configuration in the web configuration manual

Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
