With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1. Comprehensive E-Learning Courses
Content: All Huawei Career Certification E-Learning courses
Method to get the E-learning privilege: submit the Huawei Account and the email used for Huawei Account registration to Learning@huawei.com.
2. Training Material Download
Content: Huawei product training material and Huawei career certification training material
Method: Log on to http://learning.huawei.com/en and enter HuaWei Training/Classroom Training, then you can
Content: The Huawei career certification training covering all ICT technical domains like R&S, UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors
Method: For the plan and participation method, please refer to the LVC Open Courses Schedule
In addition, Huawei has built
Huawei experts, share exam experiences with others or be acquainted with Huawei Products (http://support.huawei.com/ecommunity/)
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1
CSBN-HCNA-Security
Lab Guide
ISSUE 2.00
1 Overview
1.1 Application Scope
1.2 Introduction of Firewall Products
1.2.1 USG2200 Description
1.2.2 USG5120 Description
1.2.3 USG5150 Description
1.2.4 Physical Port Naming Methods
1.3 Terminal Security Products
1.3.1 Introduction of the TSM Products
1.3.2 TSM System Deployment
1.3.3 TSM Performance Specifications
1.4 Diagram of Network Elements
2 How to Login Firewall
2.1 Login Through the Console Port
2.2 Login Through Web Management Interface (Default Web-manager)
2.3 Remote Login Through Telnet
2.4 Remote Login Through SSH
2.5 Login Through the Web
3 Firewall Basic Configuration
3.1 Firewall System Management
4 Firewall Security Forwarding Policy
4.1 Configuring IP Address-Based Forwarding Policy
5 Network Address Translate Lab
5.1 NAT Outbound Lab
5.2 NAT Inbound & NAT Server Lab
6 Firewall Networking Lab
6.1 VLAN Lab (Configuring the Communications Between VLANs Through the Vlanif Interface)
6.2 E1 Lab
6.3 SA Lab
6.4 3G Lab
7 VPN Lab
1 Overview
This document describes the configuration and deployment of Huawei security products. After completing the labs on the security products, you will be able to deploy the devices and operate them.
1.1 Application Scope
This document is applicable to the lab described in the security product training courses for Huawei system security engineers.
The lab is applicable to the following products:
USG2200&5100 V300R001
Note: The eight LAN ports of the USG2100 are Layer-2 switching ports. You must allocate VLANs for the USG2100 because only the VLAN ports can be configured with IP addresses. Only the Layer-3 VLAN ports (Vlanif) can be added to the Security Zone.
1.2 Introduction of Firewall Products
1.2.1 USG2200 Description
Chassis size
The USG2200 consists of an integrated chassis and extension interface cards. The size of the integrated chassis is 43.6 mm (H) x 442mm (W) x 414mm (D), which can be installed in the 19-inch standard cabinet.
Front panel
The power and fan of the USG2200 are embedded, so you cannot see the power and fan on the exterior.
The USG2200 series includes the USG2210, USG2220, USG2230, and USG2250. These products all support AC power. The USG2250 also supports DC power.
1. AC/DC power socket 2. AC/DC power switch 3. system reset button 4. Console port 5. Flash card slot 6. USB2.0 ports 7. GE Combo ports
Rear panel
The rear panel layout of the USG2210, USG2220, USG2230, and USG2250 is the same. The rear panel provides four MIC slots on the left and two FIC slots on the right.
Rear panel of the USG2200
1. MIC1/DMIC1 slot 2. MIC2/DMIC2 slot 3. MIC3 slot 4. MIC4 slot 5. FIC5/DFIC5 slot 6. FIC6 slot 7. slot identifier 8. grounding termination
Slot locations and numbering
The FIC5 slot supports a DFIC interface card.
1.2.2 USG5120 Description
Chassis size
86.1mm (H) x 442mm (W) x 414mm (D), which can be installed in the 19-inch standard cabinet.
Front panel
The USG5120 supports AC and DC power types. The following figure shows the front panel of the USG5120.
Front panel of the USG5120 (DC type)
Front panel of the USG5120 (AC type)
1. indicators 2. system reset button 3. Console port 4. Flash card slot 5. USB2.0 ports 6. 10/100/1000M Ethernet ports 10. Clip jack 11. AC/DC power socket 12. AC/DC power switch
Rear panel
1. MIC1/DMIC1 slot 2. MIC2/DMIC2 slot 3. MIC3 slot 4. MIC4 slot 5. FIC5/DFIC5 slot 6. FIC6/DFIC6 slot 7. FIC7 slot 8. FIC8 slot 9. slot location
1.2.3 USG5150 Description
Chassis size
The USG5150 consists of an integrated chassis and extension interface cards. The size of the integrated chassis is 130.5mm (H) x 442mm (W) x 414mm (D), which can be installed in the 19-inch standard cabinet.
Front panel
The power and fan modules of the USG5150 support hot swapping. The following figures show the front panels of the USG5150 of the AC and DC types.
Front panel of the USG5150 (DC type)
Front panel of the USG5150 (AC type)
1. air filter 2. indicators 3. system reset button 4. Console port 5. Flash card slot 6. USB2.0 ports 7. GE Combo port 0 8. GE Combo port 1 9. GE Combo port 2 10. GE Combo port 3 11. fan module 12. ESD jack 13. dust-proof panel 14. AC/DC power module 1 15. AC/DC power module 0
Rear panel
Rear panel of the USG5150
1. MIC1/DMIC1 slot 2. MIC2/DMIC2 slot 3. MIC3 slot 4. MIC4 slot 5. FIC5/DFIC5 slot 6. FIC6/DFIC6 slot 7. FIC7/DFIC7 slot 8. FIC8/DFIC8 slot 9. FIC9 slot 10. FIC10 slot 11. grounding termination
Slot locations and numbering
Besides a DFIC interface card, you must also insert an FIC interface card at the lower part of the FIC5, FIC6, FIC7, and FIC8 slots of the USG5150. To keep dust out, you must install a dust-proof panel at the upper part of the DFIC slot to enclose the rear panel.
Slot locations and numbering diagram of the USG5150
The FIC9 and FIC10 support only FIC interface cards. The FIC9 and FIC10 do not support the 1GE interface card, 4GE interface card, 1GPON interface card, 16POTS interface card, or 32POTS interface card.
1.2.4 Physical Port Naming Methods
The naming principles for the physical ports are as follows:
The ports are numbered from bottom to top and from left to right. The physical port naming format is interface-type X/0/Y, where interface-type indicates the interface type (such as the Ethernet interface), X indicates the slot number, and 0 indicates the sub-card. At present, the interface card does not support a sub-card, so the sub-card number is always 0. Y indicates the port number. The slot number of the main board is 0.
Assume that a 5FSW interface card is installed in slot 2 of the USG. The port numbers are Ethernet2/0/0, Ethernet2/0/1, Ethernet2/0/2, Ethernet2/0/3, and Ethernet2/0/4.
1.3 Terminal Security Products
1.3.1 Introduction of the TSM Products
terminal security management, patch management, terminal user behavior management, software distribution, and asset management. The core objective of the TSM product is to establish the network access control mechanism. The basic functions of the TSM product are security check, access control, and security repair.
The TSM product effectively controls the increasing access points, including the access of enterprise employees, visitors, partners, and temporary employees. The TSM product can detect and isolate the terminal hosts that threaten the enterprise networks, thus improving the network security capability.
1.3.2 TSM System Deployment
TSM Manager
The TSM Manager provides the following functions: system configuration, organization personnel management, security policy management, patch management, software distribution, asset management, advertisement management, and report management.
TSM Controller
The TSM Manager is the TSM control server. The TSM Controller authenticates the terminal users, performs security checks on terminal hosts, and implements minimum authorized access control.
The TSM Controller provides the following functions: providing services for the TSM Agent, Web Agent plug-in, and Web client, and controlling the access of terminal hosts by interconnecting with the security access control gateways or 802.1x switch.
Scanner
The scanner detects and manages the existing devices on the network, especially the quantity of terminals on which the TSM Agent is installed or is not installed. The administrator can refer to this information when stipulating or adjusting the TSM Agent deployment policies.
The TSM Agent is a phase of the TSM service. The TSM service is divided into trial and promotion phases. The final objective of the TSM service is to achieve overall coverage of networks. During the step-by-step deployment of the TSM service, you must focus on how to ensure that all the terminals install the TSM Agent so that terminal security does not become the weakest link in the network security system.
The scanner helps the administrator to detect terminals on which the TSM Agent is not installed. Based on the scanning tasks, the scanner can identify the terminals on which the TSM Agent is installed or not installed.
The administrator can identify the terminal hosts that are required or are not required to install the TSM Agent. The scanner supports real-time enabling or disabling of the scanning tasks. The scanner supports periodical scanning tasks and one-time scanning tasks. The scanner can detect devices based on the IP address segment and APP table. When new devices access the controlled network or the TSM Agent is uninstalled, the scanner can inform the administrator of the event by email. The scanner supports the management of devices in groups.
Security access control gateway
The security access control gateway controls the permissions of network access. It grants different permissions to terminal users and terminals based on roles and security status.
The security access control gateway provides the following functions: granting network access permissions to terminal users based on the information provided by the TSM Controller, preventing external unauthorized terminal users from accessing the controlled networks, preventing internal legitimate but insecure terminal users from accessing the controlled network, isolating the terminal users who connect to the controlled network but are not authenticated, and supporting the escape channel.
802.1x switch
The 802.1x switch controls the access of the terminal hosts. With the port control technology, only the authenticated terminal hosts can access the controlled network.
The TSM server corresponds to the IEEE802.1x authentication server system. The user access layer devices function as the IEEE802.1x access control units. The IEEE802.1x user access system is integrated in the TSM Agent.
The physical ports of the access control unit are classified into the controlled port and the non-controlled port. The non-controlled port is in bidirectional connection status. It is used to transmit the EAPOL protocol frames. It ensures that the access control unit can receive the authentication EAPOL packets from the user access system at any time. The controlled port is enabled only when the user is authenticated. The controlled port transmits network resources and services.
TSM Agent
Functioning as a TSM system component, the TSM Agent is installed on the terminal host. It interconnects with the TSM Manager. The TSM Agent implements the security management policies stipulated by the administrator on the TSM Manager.
The TSM Agent can provide the Web Agent plug-in on the terminal hosts in the TSM Agent or plug-in registration mode, according to the installation wizards.
The TSM Agent provides the following functions: identity authentication, security authentication, asset management, patch management, software distribution, and advertisement management.
TSM system networking diagram (figure): the authentication pre-domain contains the TSM Manager + TSM Controller + Scanner + FTP + authentication database, a TSM Controller + FTP + primary database, and a TSM Controller + FTP + mirroring database; the isolation domain contains the anti-virus server and the patch server; the LAN domain contains the router, the security access control gateway, and service systems A and B; the authentication post-domain contains the switches and the terminals.
1.3.3 TSM Performance Specifications
The following table describes the performance specifications of the TSM for authentication and policy implementation.
Performance Item: Performance Specifications
Maximum terminal users supported by one TSM Controller: 10000
Number of terminal hosts that can be authenticated by a TSM Controller per minute: 2500
Network connection success rate of the: In the case that a TSM Controller can
Microsoft Windows XP maximum memory usage when no policy is implemented: 29MB
Microsoft Windows XP maximum memory usage when all policies are implemented: 35MB
Microsoft Windows Vista authentication duration when no policy is implemented: 3s
Microsoft Windows Vista maximum memory usage when no policy is implemented: 30MB
Microsoft Windows Vista maximum memory usage when all policies are implemented: 36MB
Average CPU usage with the TSM Controller: 15%
Interval for detecting heartbeat: 30s
1.4 Diagram of Network Elements
(Figure: Internet, PC)
2 How to Login Firewall
2.1 Login Through the Console Port
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through the console port, thus implementing the configuration and management on the device.
Lab Devices
Lab Topology
(Figure: Management PC COM 1 connected through an RS-232 cable to the console interface of the USG)
Configuration Procedure
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Run the terminal emulation program (such as the HyperTerminal on Windows XP) on the PC. Choose Start > All programs > Accessories > Communications > HyperTerminal. The Connection Description dialog box is displayed.
Step 3 In Name, enter the name of the connection between the PC and the USG, such as COMM1. Then, select an icon in Icon, as shown in the figure below.
Step 4 Click OK. The Connect dialog box is displayed.
Step 5 Select a serial interface (such as COM1) from the Connect using drop-down list for the connection between the PC and the USG, as shown in the figure below.
Step 6 Click OK. The COM1 Properties dialog box is displayed.
Step 7 Set the communication parameters of the port, as shown in the figure below.
Please confirm whether you can log in to the USG through the Console port successfully: Yes / No
2.2 Login Through Web Management Interface (Default Web-manager)
Lab Topology
(Figure: Management PC connected to the USG; COM 1, console interface, RS-232 cable)
Configuration Procedure
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Connect USG GE0/0/0 and the PC by network cable.
Step 3 Set the IP address of the PC to 192.168.0.2/24.
Step 4 Enter http://192.168.0.1 in the browser on the PC, and log in to the USG firewall with the default account (admin/Admin@123).
Note
By default, the HTTP protocol is enabled. The default user name is admin and the password is Admin@123.
Result Verification
Check whether you have logged in to the web GUI.
2.3 Remote Login Through Telnet
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through Telnet, thus implementing the configuration and management on the device.
Lab Devices
Lab Topology
(Figure: Management PC 10.1.1.2/24 connected by Ethernet cable to USG G0/0/1 10.1.1.1/24, and from COM 1 through an RS-232 cable to the console interface)
Configuration Procedure (CLI)
Step 1 Enter the user view of the USG through the console port.
Step 2 Enable the Telnet service.
[USG] telnet server enable
Info: The Telnet server has been enabled.
Step 3 Set the IP address of the interface of the USG.
For example, a local user connects to GigabitEthernet0/0/1 of the USG through Telnet. The IP address of the interface is 10.1.1.1; the subnet mask is 255.255.255.0.
<USG> system-view
[USG] interface GigabitEthernet0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[USG-GigabitEthernet0/0/1] quit
Step 4 Set the user information of the USG.
For example, the authentication mode of the user interface on the virtual type terminal (VTY) is AAA; the Telnet user name is user1; the password is password@123; the password is stored in cipher text.
<USG> system-view
[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] protocol inbound telnet
[USG-ui-vty0-4] quit
[USG] aaa
[USG-aaa] local-user user1 password cipher password@123
[USG-aaa] local-user user1 service-type telnet
[USG-aaa] local-user user1 level 3
Step 7 Click OK, and the PC starts to connect to the USG.
Step 8 After passing the authentication configured on the USG, you can enter the user view and log in to the device.
Configuration Procedure (WEB)
Step 1 Log in to the USG web GUI through GE0/0/0. For details, please refer to 2.1.
Step 2 Configure the IP address of the USG to 10.1.1.1/24, and enable the Telnet management access. Choose Network > Interface > Interface, select GE0/0/1 and click the icon, as shown in the figure below:
Thinking:
Why should the Telnet management access function be configured? (Answer: to allow the administrator to manage the firewall through this interface by Telnet.)
Step 3 Configure the Telnet user. (telnetuser/Admin@123)
Step 4 The following takes a Windows OS as an example. On the PC, choose Start > Run. The Run window is displayed. Enter telnet 10.1.1.1 in Open (for example, the IP address of the connected interface is 10.1.1.1), as shown in the figure below.
Step 5 Click OK to connect to the USG.
Step 6 After the authentication with the telnet account (telnetuser/Admin@123), you can log in to the USG firewall.
Result Verification
Please confirm whether you can log in to the USG by Telnet successfully: Yes / No
2.4 Remote Login Through SSH
Lab Devices
Lab Topology
(Figure: Management PC 10.1.1.2/24 connected by Ethernet cable to USG G0/0/1 10.1.1.1/24, and from COM 1 through an RS-232 cable to the console interface)
Configuration Procedure (CLI)
Step 1 Telnet to the USG device.
Step 2 Enter the user view of the USG through the console port.
<USG> system-view
[USG] interface GigabitEthernet0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[USG-GigabitEthernet0/0/1] quit
Step 3 Configure SSH management access on GE0/0/1.
<USG>system-view
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]service-manage enable
[USG-GigabitEthernet0/0/1]service-manage ssh permit
[USG-GigabitEthernet0/0/1]quit
Step 4 Create the SSH user Client001. Configure the VTY user interface.
Step 5 Configure the service mode for SSH user Client001 as STelnet, and enable the STelnet service.
Configuration Procedure (WEB)
Step 3 Configure the SSH user account. (sshuser/Admin@123).
Step 4 Enable the STelnet service. Choose System > Admin > Settings; in the SSH configuration list, enable the STelnet service.
Step 5 Configure the IP address of the PC as 10.1.1.2/24. Then log in to the USG by using the PuTTY client through SSH.
Result Verification
Input the SSH user account and log in:
2.5 Login Through the Web
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through the Web, thus implementing the configuration and management on the device.
Lab Devices
Lab Topology
(Figure: Management PC 10.1.1.2/24 connected by Ethernet cable to USG G0/0/1 10.1.1.1/24)
Configuration Procedure (CLI)
Step 1 Telnet/SSH to the USG.
Step 2 Set the IP address of the PC to 10.1.1.2/24.
Step 3 Configure the IP address of GE0/0/1.
<USG>system-view
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 10.1.1.1 24
Step 4 Configure HTTP and HTTPS management on GE0/0/1.
<USG>system-view
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]service-manage enable
[USG-GigabitEthernet0/0/1]service-manage http permit
[USG-GigabitEthernet0/0/1]service-manage https permit
[USG-GigabitEthernet0/0/1]quit
Step 5 Enable the Web management function. By default, the HTTP protocol has been enabled. Here we enable the HTTPS protocol.
[USG] web-manager security enable port 8088
Note
The parameter security indicates HTTPS management; if the parameter security is absent, the USG enables HTTP management by default.
Note
The same port cannot be configured for both HTTP and HTTPS; that would be a conflict.
[USG] aaa
[USG-aaa] local-user webuser password cipher Admin@123
[USG-aaa] local-user webuser service-type web
[USG-aaa] local-user webuser level 3
Use the Web browser on the PC to access http://10.1.1.1, enter the user name (webuser) and password (Admin@123), and check whether you can log in to the USG. If the login succeeds, the configuration is successful. If the login fails, check the configuration.
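As an added example (not part of this lab guide), the following Python script audits a USG-style configuration for the management-plane settings covered in sections 2.3 to 2.5: the Telnet server left enabled, clear-text HTTP or Telnet permitted on an interface, service-manage permits without service-manage enable, HTTP and HTTPS bound to the same port (the conflict the note above warns about), and local users still on the lab's default password. The configuration text is constructed to mirror the lab commands and is not captured from a device; the form web-manager enable port N for HTTP is an assumption inferred from the note that omitting security enables plain HTTP.

```python
import re

# Constructed USG-style configuration fragment modelled on the lab commands in
# sections 2.3 to 2.5; it is not captured from a real device. The HTTP form
# "web-manager enable port N" is assumed from the note that omitting "security"
# enables plain HTTP management.
SAMPLE_CONFIG = """\
sysname USG_A
telnet server enable
web-manager enable port 8088
web-manager security enable port 8088
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage enable
 service-manage http permit
 service-manage telnet permit
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
 service-manage enable
 service-manage https permit
 service-manage ssh permit
aaa
 local-user admin password cipher Admin@123
 local-user telnetuser password cipher Admin@123
 local-user telnetuser service-type telnet
 local-user webuser password cipher Admin@123
 local-user webuser service-type web
"""

DEFAULT_PASSWORD = "Admin@123"  # factory default used throughout the lab (section 2.2)
CLEARTEXT_PROTOCOLS = ("telnet", "http")  # management protocols that expose credentials

WEB_PORT_RE = re.compile(r"^web-manager(?P<sec> security)? enable port (?P<port>\d+)$")
LOCAL_USER_RE = re.compile(r"^local-user (?P<user>\S+) password cipher (?P<pw>\S+)$")


def parse_config(text):
    """Split the config into global commands and a per-interface command list.

    Lines indented under an "interface" command belong to that interface;
    indented lines under any other block (for example "aaa") are treated as
    global commands, which is all this audit needs.
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_management_plane(text):
    """Return a sorted list of findings about weak management-plane settings."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    http_port = https_port = None

    if "telnet server enable" in global_cmds:
        findings.append("telnet server enabled: credentials travel in clear text, prefer STelnet (SSH)")

    for cmd in global_cmds:
        m = WEB_PORT_RE.match(cmd)
        if m:
            if m.group("sec"):
                https_port = int(m.group("port"))
            else:
                http_port = int(m.group("port"))
        m = LOCAL_USER_RE.match(cmd)
        if m and m.group("pw") == DEFAULT_PASSWORD:
            findings.append(f"local-user {m.group('user')} still uses the default password")

    if http_port is not None and http_port == https_port:
        findings.append(f"HTTP and HTTPS both bound to port {http_port}: conflicting configuration")

    for name, cmds in interfaces.items():
        # The lab enables service-manage before permitting a protocol; a permit
        # without "service-manage enable" is flagged as incomplete.
        permitted = {c.split()[1] for c in cmds
                     if c.startswith("service-manage ") and c.endswith(" permit")}
        if permitted and "service-manage enable" not in cmds:
            findings.append(f"{name}: service-manage permits {sorted(permitted)} "
                            "but service-manage enable is missing")
        for proto in CLEARTEXT_PROTOCOLS:
            if proto in permitted:
                findings.append(f"{name}: clear-text management protocol {proto} permitted")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print(finding)
```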
Configuration Procedure (WEB)
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Configure the IP address of the USG to 10.1.1.1/24, and enable the HTTP & HTTPS management access. Choose Network > Interface > Interface, select GE0/0/1 and click the icon, as shown in the figure below:
Step 3 Enable Web management. Enable the HTTP/HTTPS management, and configure the HTTPS port as 8088. Choose System > Admin > Settings, and click the check boxes of the HTTP and HTTPS services, as shown in the figure below.
Step 4 Configure the web user account. (webuser/Admin@123).
3 Firewall Basic Configuration
Configure the license.
Configure the file backup and recovery.
Lab Device
One USG firewall and one PC.
Lab Topology
(Figure: Management PC 192.168.0.2 connected by Ethernet cable to USG G0/0/1 192.168.0.1/24)
Configuration Procedure (CLI)
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Log in to the USG firewall through Console/Telnet/SSH. For details, please refer to 2.1-2.6. (Omitted.)
Step 3 Configure the hostname of the USG.
<USG>system-view
[USG]sysname USG_A
[USG_A]
[USG] info-center loghost source GigabitEthernet 0/0/1
Configure a log host whose name is local2. The IP address of the log host is 192.168.1.1, and the output language is English.
[USG] info-center loghost 192.168.1.1 facility local2 language english
Set the threshold of the information severity level to informational. The information about the PPP module and the IP module can be output.
[USG] info-center source acl channel loghost log level informational
[USG] info-center source ip channel loghost log level informational
226 Transfer complete.
ftp: got 5203 bytetime 0.01Seconds 346.87Kbytes/sec.
ftp> lcd
Local directory now C:\Documents and Settings\Administrator.
ftp>
Configure system recovery.
Run the put command to upload files to the USG device.
ftp> put vrpcfg.cfg
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.cfg.
226 Transfer complete.
ftp: send 5203 bytetime 0.00Seconds 5203000.00Kbytes/sec.
Use the startup saved-configuration vrpcfg.cfg command to configure the next-startup configuration file.
<sysname> startup saved-configuration vrpcfg.cfg
You can set the time zone, date and system time manually, or select the configuration mode to use an NTP server to synchronize the time.
Step 5 Configure the SNMP V2c server. The server address is 192.168.1.2.
Go to System > Configuration > SNMP, and set the parameters for connecting managed devices to the NMS. Click Apply.
Step 6 Configure the log server.
Go to Log > Log Configuration > Information Center Configuration, and click the enable check box of the information center switch.
Choose Log > Log Configuration > Syslog Configuration. Select the parameter Log Host Source Interface in Configure Syslog. Select GE0/0/0 as the log host source interface. Click Apply.
Adding a Log Host. Choose Log > Log Configuration > Syslog Configuration. Click Add in Log Host List. Enter or select the parameters, and click Apply.
Step 7 Configure the License
Check the ESN code. Log in to the device. Choose System > Dashboard > Status. The ESN is SN in System Information.
Go to System > Maintenance > License Management. Check the license state.
Go to System > Maintenance > License Management. Select Local Manual Activation from the License Activation Mode. Click Browse. Select the license file to be uploaded. Click Activate to activate the current license file.
Step 8 Configure the system backup and recovery.
In the configuration file list, one icon indicates that the configuration file is in use, and another icon indicates that the configuration file is not in use. Click the download icon to download the configuration file to the local PC to back it up.
Configure system recovery:
Click Upload. The Upload File window is displayed.
Click Browse. Select the configuration file to be uploaded. Click Import to upload the configuration file.
After the configuration file is successfully uploaded, return to the Configuration File Management window. The corresponding file is displayed in the list. Click the icon to configure the current configuration file as the next startup configuration file. The user should restart the device to complete updating the system configuration.
Choose System > Maintenance > Restart. Enter the password of the current login user in Password. Click Save and Restart to save the configuration and restart the system.
Result Verification
Choose System > Maintenance > Configuration Management to check the next startup configuration file.
4 Firewall Security Forwarding Policy
//
Internal User USG 1.1.1.2/24
192.168.5.2/24 G0/0/0 G0/0/1
:
192.168.5.1/24 1.1.1.1/24
192.168.5.3/24
p
192.168.5.4/24
htt
s :
Configuration Procedure (CLI)
Step 1 Set IP addresses for interfaces and add the interfaces to security zones.
<USG>system-view
[USG]interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0]ip address 192.168.5.1 24
[USG-GigabitEthernet0/0/0]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 1.1.1.1 24
[USG-GigabitEthernet0/0/1]quit
[USG]firewall zone trust
[USG-zone-trust]add interface GigabitEthernet 0/0/0
[USG-zone-trust]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet 0/0/1
[USG-zone-untrust]quit
Step 2 Configure address set ip_deny, and add the denied IP addresses to the address set.
Step 3 Create a forwarding policy preventing some special IP addresses from accessing the Internet.
[USG-policy-interzone-trust-untrust-outbound-1]policy source a
[USG-policy-interzone-trust-untrust-outbound-1]action permit
[USG-policy-interzone-trust-untrust-outbound-1]quit
[USG-policy-interzone-trust-untrust-outbound]quit
(If we don't deny the default packet filter between the trust and untrust zones, a packet whose source
address is not in segment 192.168.5.0/24 and does not hit policy 1 will match the default forwarding
policy, and the firewall will forward it as well.)
Configuration Procedure (WEB)
Step 1 Set IP addresses for interfaces and add the interfaces to security zones, as shown in the
figure below:
Repeat the previous steps to configure interface GigabitEthernet 0/0/1.
Step 2 Configure an address group named deny_ip and add the IP addresses not permitted to access the
Internet to the address group. Choose Firewall > Address > Address Group. In Address
Group List, click to access the Add Address Group interface. Configure a name and
description for the address group. Click to add the denied IP addresses.
Step 3 Configure a forwarding policy denying Internet access of users whose IP addresses are in the
deny_ip address group. Choose Firewall > Security Policy > Forward Policy. Click the
Forward Policy tab. In Forward Policy List, click .
Step 4 Configure another forwarding policy permitting users on network segment 192.168.5.0/24 to
access the Internet and reference the Web filtering policy in the forwarding policy. Choose
Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward
Policy List, click .
(If we don't deny the default packet filter between the trust and untrust zones, a packet whose source
address is not in segment 192.168.5.0/24 and does not hit policy 1 will match the default forwarding
policy, and the firewall will forward it as well.)
Result Verification
Check whether the Internet accesses of the three PCs whose IP addresses are respectively 192.168.5.2,
192.168.5.3, and 192.168.5.4 are denied.
Check whether users with other IP addresses on network segment 192.168.5.0/24 can access the Internet.
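As an added example (not from the lab guide), the following Python model walks a source address through the two forwarding policies of Steps 2 to 4 and then the interzone default packet-filter, so the note about the default policy can be checked; the address group contents, the off-segment host 10.9.9.9 and the default action are constructed.

```python
"""Added example (not from the Huawei lab guide): a first-match model of the USG
forwarding-policy evaluation for the trust -> untrust direction of this lab."""
import ipaddress
from typing import Dict, List, Tuple, Union

Selector = Union[set, ipaddress.IPv4Network]

# Constructed: the deny_ip address group and the two ordered forwarding policies.
DENY_IP_GROUP = {"192.168.5.2", "192.168.5.3", "192.168.5.4"}
POLICIES: List[Tuple[str, Selector, str]] = [
    ("policy 0 (source deny_ip)", DENY_IP_GROUP, "deny"),
    ("policy 1 (source 192.168.5.0/24)", ipaddress.ip_network("192.168.5.0/24"), "permit"),
]


def _matches(src_ip: str, selector: Selector) -> bool:
    """An address group matches by membership, a network by containment."""
    if isinstance(selector, set):
        return src_ip in selector
    return ipaddress.ip_address(src_ip) in selector


def evaluate(src_ip: str, default_action: str = "permit") -> Tuple[str, str]:
    """Walk the policies in order; the first hit wins. If nothing hits, the
    interzone default packet-filter decides (the caveat the lab note raises)."""
    for name, selector, action in POLICIES:
        if _matches(src_ip, selector):
            return name, action
    return "default packet-filter", default_action


def verify_lab(default_action: str = "permit") -> Dict[str, Tuple[str, str]]:
    """Result Verification as code: the three denied PCs, one ordinary LAN host
    and one constructed off-segment source (10.9.9.9) that hits no policy."""
    hosts = ["192.168.5.2", "192.168.5.3", "192.168.5.4", "192.168.5.20", "10.9.9.9"]
    return {h: evaluate(h, default_action) for h in hosts}


if __name__ == "__main__":
    for default in ("permit", "deny"):
        print(f"default packet-filter = {default}")
        for host, (policy, action) in verify_lab(default).items():
            print(f"  {host:14} -> {action:6} by {policy}")
```

With the default packet-filter left at permit, the off-segment host is forwarded even though no explicit policy allows it; setting the default to deny is what closes that path.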
5 Network Address Translation Lab
Configuration Procedure (CLI)
Step 1 Set the IP address of PC1 and PC2 as 192.168.1.10/24 and 2.2.2.10/24 respectively. (omitted)
Step 2 Set the IP addresses of interfaces, and then add the interfaces to security zones.
[USG]interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0]ip address 192.168.1.1 255.255.255.0
[USG-GigabitEthernet0/0/0]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 2.2.2.1 255.255.255.0
[USG-GigabitEthernet0/0/1]quit
Configuration Procedure (WEB)
Step 2 Set the IP addresses of interfaces, and then add the interfaces to security zones. Configure the
interfaces. Click Apply when you have finished the configuration, as shown in the figure below:
Step 3 Configure interzone packet filtering to ensure normal network communication. Choose
Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward
Policy List, click . Click Apply when you have finished the configuration, as shown in the
figure below:
Step 4 Configure IP address pool 1 with the address range 2.2.2.2 to 2.2.2.5. Choose Firewall >
NAT > Source NAT. Click the NAT Address Pool tab. In NAT Address Pool List, click .
Click Apply when you have finished the configuration, as shown in the figure below:
Step 5 Configure the NAT outbound policy. Choose Firewall > NAT > Source NAT. Click the
Source NAT tab. In Source NAT Policy List, click . Click Apply when you have finished the
configuration, as shown in the figure below:
Result Verification
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/72/94 ms
Check the address translation by using the display firewall session table command:
[USG]dis firewall session table
Current Total Sessions : 15
icmp VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45858[2.2.2.5:45858]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46114[2.2.2.5:46114]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46370[2.2.2.5:46370]-->2.2.2.10:2048
From the result we can see that the source address 192.168.1.10 has been translated to 2.2.2.5, which is in the
address pool.
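As an added example (not from the lab guide), the following Python parses session lines in the format shown above and checks that every session from 192.168.1.0/24 was source-translated into pool 1 (2.2.2.2 to 2.2.2.5); the sample output is constructed in that format and adds one untranslated session and one translated to an address outside the pool.

```python
"""Added example (not from the Huawei lab guide): parse 'display firewall session
table' lines and verify source NAT into address pool 1 (2.2.2.2 to 2.2.2.5)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the lab's output format: two translated ICMP sessions,
# one TCP session that was not translated, one translated outside the pool.
SAMPLE_OUTPUT = """\
Current Total Sessions : 4
icmp VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
tcp VPN:public --> public 192.168.1.11:52001-->2.2.2.10:80
tcp VPN:public --> public 192.168.1.12:52002[2.2.2.9:52002]-->2.2.2.10:80
"""

# The bracketed [global-ip:port] part is only present when the session was NATed.
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_sessions(output: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per session line; header lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def check_source_nat(sessions, private_net: str, pool_start: str, pool_end: str) -> List[str]:
    """Return one finding per session from private_net that is either not
    translated at all or translated to an address outside the pool range."""
    net = ipaddress.ip_network(private_net)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    findings = []
    for s in sessions:
        if ipaddress.ip_address(s["src_ip"]) not in net:
            continue  # not a private-side source, nothing to check
        if s["nat_ip"] is None:
            findings.append(f"{s['src_ip']} -> {s['dst_ip']}: not translated")
        elif not lo <= ipaddress.ip_address(s["nat_ip"]) <= hi:
            findings.append(
                f"{s['src_ip']} -> {s['dst_ip']}: translated to {s['nat_ip']}, outside pool"
            )
    return findings


if __name__ == "__main__":
    found = check_source_nat(
        parse_sessions(SAMPLE_OUTPUT), "192.168.1.0/24", "2.2.2.2", "2.2.2.5"
    )
    print("\n".join(found) or "all private-side sessions translated into the pool")
```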
5.2 NAT Inbound & NAT Server Lab
Lab Objectives
Through this experiment, you will be able to configure the NAT server and learn how to configure
bidirectional NAT.
Lab Device
Lab Topology: the FTP server (192.168.1.2/24) in the DMZ zone connects to USG G0/0/0 (192.168.1.1/24);
the PC (2.2.2.2/24) in the Untrust zone connects to USG G0/0/1 (2.2.2.1/24).
Configuration Procedure (CLI)
Step 1 Set the IP address of server and PC as 192.168.1.2/24 and 2.2.2.2/24 respectively. (omitted)
Step 2 Set the IP addresses of GE0/0/0 and GE0/0/1, and then add the interfaces to security zones.
[USG]interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0]ip address 192.168.1.1 255.255.255.0
[USG-GigabitEthernet0/0/0]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 2.2.2.1 255.255.255.0
[USG-GigabitEthernet0/0/1]quit
[USG]firewall zone dmz
[USG-zone-dmz]add interface GigabitEthernet 0/0/0
[USG-zone-dmz]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet 0/0/1
[USG-zone-untrust]quit
Step 3 Configure interzone packet filtering to ensure normal network communication.
[USG]policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound]policy 0
[USG]nat server protocol tcp global 2.2.2.4 ftp inside 192.168.1.2 ftp
Step 6 Apply the NAT ALG function to the DMZ-Untrust interzone to ensure that the server provides
FTP services for extranet users normally.
[USG] firewall interzone dmz untrust
[USG-interzone-dmz-untrust] detect ftp
[USG-interzone-dmz-untrust] quit
Step 7 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for
NAT, and bind the NAT policy to NAT address pool 1.
Configuration Procedure (WEB)
Step 1 Set the IP address of server and PC as 192.168.1.10/24 and 2.2.2.10/24 respectively. (omitted)
Step 2 Set the IP addresses of GE0/0/0 and GE0/0/1, and then add the interfaces to security zones.
Choose Network > Interface > Interface. In Interface List, click the interface to be configured and
configure it. Click Apply when you have finished the configuration, as shown in the figure below:
Step 3 Configure interzone packet filtering to ensure normal network communication. Choose
Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward
Policy List, click . Click Apply when you have finished the configuration, as shown in the
figure below:
Step 4 Configure the NAT server. Create the mapping relations between the public IP addresses and
private IP addresses of internal servers. Choose Firewall > NAT > Virtual Server. In Address
Mapping List, click . Click Apply when you have finished the configuration, as shown in the
figure below:
Step 5 Configure the NAT address pool. Choose Firewall > NAT > Source NAT. Click the NAT
Address Pool tab. In NAT Address Pool List, click .
Step 6 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for
NAT, and bind the NAT policy to NAT address pool 1. Choose Firewall > NAT > Source NAT.
Click the Source NAT tab. In Source NAT Policy List, click .
Result Verification
Log in to the PC (2.2.2.2/24) and access the FTP server (2.2.2.4), then check the information below.
Check the NAT server mapping relationship by using the display nat server command.
[USG]dis nat server
Server in private network information:
id : 0
zone : ---
interface : ---
global-start-addr : 2.2.2.4 global-end-addr : ---
inside-start-addr : 192.168.1.2 inside-end-addr : ---
insideport : ---
globalvpn : public insidevpn : public
protocol : --- vrrp : ---
no-reverse : no
Lab Device
Lab Topology: USG_A (Master) and USG_B (Backup) form a hot-standby pair. On the Trust side, USG_A
G0/0/0 is 10.100.10.2/24 and USG_B G0/0/0 is 10.100.10.3/24; they share VRRP backup group 1 with
virtual IP address 10.100.10.1/24, and PC1 is 10.100.10.100/24. On the Untrust side, USG_A G0/0/1 is
202.38.10.2/24 and USG_B G0/0/1 is 202.38.10.3/24; they share VRRP backup group 2 with virtual IP
address 202.38.10.1/24, and PC2 is 202.38.10.100/24. The HRP backup channel uses E2/0/0 on each
firewall (10.0.0.1/24 on USG_A and 10.0.0.2/24 on USG_B).
Configuration Procedure (CLI)
Step 1 Complete the configurations of the upstream and downstream interfaces of USG_A. Set IP
addresses for interfaces and add the interfaces to security zones.
<USG_A> system-view
[USG_A] interface GigabitEthernet 0/0/0
[USG_A-GigabitEthernet0/0/0] ip address 10.100.10.2 24
[USG_A-GigabitEthernet0/0/0] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] ip address 202.38.10.2 24
[USG_A-GigabitEthernet0/0/1] quit
[USG_A] firewall zone trust
[USG_A-zone-trust] add interface GigabitEthernet 0/0/0
[USG_A-zone-trust] quit
[USG_A] firewall zone untrust
[USG_A-zone-untrust] add interface GigabitEthernet 0/0/1
[USG_A-zone-untrust] quit
Create VRRP backup group 1 on interface GigabitEthernet 0/0/0, and add it to the VGMP
management group whose status is Master.
[USG_A] interface GigabitEthernet 0/0/0
[USG_A-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.100.10.1 master
[USG_A-GigabitEthernet0/0/0] quit
Create VRRP backup group 2 on interface GigabitEthernet 0/0/1, and add it to the VGMP
management group whose status is Master.
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] vrrp vrid 2 virtual-ip 202.38.10.1 master
[USG_A-GigabitEthernet0/0/1] quit
Step 5 Configure the forward policy for the Trust-Untrust interzone.
HRP_M[USG_A] policy interzone trust untrust outbound
HRP_M[USG_A-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[USG_A-policy-interzone-trust-untrust-outbound-1] policy source 10.100.10.0 0.0.0.255
HRP_M[USG_A-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[USG_A-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[USG_A-policy-interzone-trust-untrust-outbound] quit
On the switches, add the three interfaces of each switch to the same VLAN. For configuration
commands, refer to related documents of the switch.
Configure static routes on PCs on the internal network. Set the virtual IP address of the VRRP
backup group as the next-hop IP address for reaching other subnets.
Configuration Procedure (WEB)
Step 1 Set the IP addresses of interfaces on USG_A, and add the interfaces to security zones. Choose
Network > Interface > Interface. In Interface List, click the interface to be modified. On the Modify
GigabitEthernet Interface page, complete the configuration and then click Apply.
Step 2 Configure a forwarding policy for USG_A.
Forwarding policy for the Trust zone to access the Untrust zone: choose Firewall > Security
Policy > Forward Policy. In Forward Policy List, click the Implicit entry under trust->untrust and
Firewall DMZ local policy: choose Firewall > Security Policy > Local Policy. In the access control
over the device list, choose the default policy, modify the action to permit, and click Apply.
Step 3 Configure VRRP backup group 1 and backup group 2 of USG_A, and add the VRRP backup
groups to the active management group.
Choose System > High Availability > HRP. Click Add in VRID List. On the Add VRID page,
configure VRRP backup group 1.
Configure VRRP backup group 2 as above.
Step 4 Specify the HRP backup channel on USG_A and enable HRP. Choose System > High
Availability > HRP. Click Enable HRP. Select FE2/0/0 as the HRP backup channel on the
Configure HRP page. Click Apply.
The configurations on USG_B are similar to those on USG_A except that: (omitted)
The IP addresses of interfaces on USG_B are different from those of interfaces on USG_A.
The service interfaces of USG_B, namely, interfaces GE0/0/1 and GE0/0/0, are added to the
standby management group.
Result Verification
Run the display vrrp command on USG_A to check the status of the interfaces in the VRRP backup
group. If the following information is displayed, the VRRP backup group is successfully created.
HRP_M<USG_A>dis vrrp
16:12:02 2013/06/08
GigabitEthernet0/0/1 | Virtual Router 2
VRRP Group : Master
state : Master
Virtual IP : 202.38.10.1
Virtual MAC : 0000-5e00-0102
Primary IP : 202.38.10.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES
GigabitEthernet0/0/0 | Virtual Router 1
VRRP Group : Master
state : Master
Virtual IP : 10.100.10.1
Virtual MAC : 0000-5e00-0101
Primary IP : 10.100.10.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES
Run the display hrp state command on USG_A to check the current HRP status. If the following
output is displayed, an HRP relationship is successfully established.
HRP_M<USG_A>dis hrp state
The firewall's config
Current state of virtual routers configured as master:
GigabitEthernet0/0/1 vrid 2 : master
GigabitEthernet0/0/0 vrid 1 : master
Ping the virtual IP address 10.100.10.1 of VRRP group 1 on PC1 in the Trust zone. Then check the
sessions on USG_A.
HRP_M<USG_A>display firewall session table
16:17:36 2013/06/08
Current Total Sessions : 1
icmp VPN:public --> public 10.100.10.100:1-->10.100.10.1:2048
The virtual IP address of VRRP group 1 can be pinged on PC1 after the VRRP groups are
configured correctly.
PC2 is the server in the Untrust zone. PC1 in the trust zone can ping the server in the Untrust zone. Check
session information on USG_A and USG_B.
HRP_M<USG_A>display firewall session table
16:19:42 2013/06/08
Current Total Sessions : 1
icmp VPN:public --> public 10.100.10.100:1-->202.38.10.100:2048
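As an added example (not from the lab guide), the following Python parses the display vrrp output above and checks each backup group for the expected Master state and for the virtual MAC that VRRP derives from the VRID (0000-5e00-01 followed by the VRID in hex); the first two groups are the lab's own output, and the third group (vrid 3 on GigabitEthernet0/0/2) is constructed to show a failing check.

```python
"""Added example (not from the Huawei lab guide): parse 'display vrrp' output and
check each backup group against the hot-standby lab's expectations."""
import re
from typing import Dict, List

# Groups 1 and 2 are the lab output; vrid 3 is constructed with a wrong MAC and state.
SAMPLE_VRRP = """\
HRP_M<USG_A>dis vrrp
16:12:02 2013/06/08
GigabitEthernet0/0/1 | Virtual Router 2
VRRP Group : Master
state : Master
Virtual IP : 202.38.10.1
Virtual MAC : 0000-5e00-0102
Primary IP : 202.38.10.2
Preempt : YES Delay Time : 0
GigabitEthernet0/0/0 | Virtual Router 1
VRRP Group : Master
state : Master
Virtual IP : 10.100.10.1
Virtual MAC : 0000-5e00-0101
Primary IP : 10.100.10.2
Preempt : YES Delay Time : 0
GigabitEthernet0/0/2 | Virtual Router 3
state : Backup
Virtual IP : 172.16.0.1
Virtual MAC : 0000-5e00-0101
"""

HEADER_RE = re.compile(r"^(?P<iface>\S+)\s*\|\s*Virtual Router\s+(?P<vrid>\d+)$")
# One or more "Key : value" pairs per line, e.g. "Preempt : YES Delay Time : 0".
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_vrrp(output: str) -> Dict[int, Dict[str, str]]:
    """Map VRID -> lower-cased field names and values; text before the first
    'interface | Virtual Router N' header (prompt, timestamp) is ignored."""
    groups: Dict[int, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            current = groups.setdefault(int(h["vrid"]), {"interface": h["iface"]})
            continue
        if current is None:
            continue
        for key, value in PAIR_RE.findall(line):
            current[key.strip().lower()] = value
    return groups


def expected_virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC 00-00-5E-00-01-{VRID} in the device's notation."""
    return f"0000-5e00-01{vrid:02x}"


def check_groups(groups: Dict[int, Dict[str, str]], expected_state: str = "Master") -> List[str]:
    """Return one finding per group whose state or virtual MAC is not as expected."""
    findings = []
    for vrid, f in sorted(groups.items()):
        if f.get("state") != expected_state:
            findings.append(f"vrid {vrid} on {f['interface']}: state {f.get('state')} != {expected_state}")
        if f.get("virtual mac", "").lower() != expected_virtual_mac(vrid):
            findings.append(
                f"vrid {vrid} on {f['interface']}: virtual MAC {f.get('virtual mac')} "
                f"does not match VRID (expected {expected_virtual_mac(vrid)})"
            )
    return findings


if __name__ == "__main__":
    for finding in check_groups(parse_vrrp(SAMPLE_VRRP)):
        print(finding)
```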
Lab Device
Lab Topology: the authentication-exemption user (192.168.0.2/24) connects to USG G0/0/0
(192.168.0.1/24); USG Eth1/0/0 (1.1.1.1/24) connects to the Internet server side (1.1.1.2/24). The
figure distinguishes the authentication-exemption traffic flow from the local password authentication
traffic flow.
Configuration Procedure (WEB)
Step 1 Configure the basic parameters of the interfaces and add the interfaces to security zones. Add
GE0/0/0 to the guest zone, GE0/0/1 to the trust zone and Eth1/0/0 to the untrust zone. (omitted)
Step 2 Configure the default route. Assume that the next-hop IP address is 1.1.1.2.
Step 3 Create the authentication exemption user group. Choose User > Internet Access User > Group/User.
In Organizational Structure, select root. Click Add in Member Management and select
Create Group. Create a group named Guest.
Step 4 Create a user authentication policy Guest specifically for the subnet 192.168.0.0/24. Choose
User > Internet Access User > Authentication Policy, click Add, enter or select parameters, and
click Apply.
Step 5 Create the local password authentication user and user group. Choose User > Internet Access User >
Group/User. In Organizational Structure, select root. Click Add in Member Management
and select Create Group. Name the new group Normal.
In Organizational Structure, select Normal. In Member Management, click Add and choose
Create User. Create a new user user01/Admin@123.
Step 6 Create a user authentication policy Normal specifically for the subnet 192.168.1.0/24.
Step 7 Add a new forwarding policy for the authentication-exemption user. Select the source as Guest, the
destination as untrust and the user as guest, and set the action to permit.
Step 8 Add a new forwarding policy for the local password authentication user. The source is trust, the
destination is untrust, the user is normal and the action is permit.
Step 6 Configure global parameters. Choose User > Internet Access User > Authentication Item.
Click the Global Configuration tab. Configure the Redirection Authentication Mode as HTTP.
When users access the service, the device pushes the authentication URL to the users for authentication.
Thinking: What's the difference between HTTP and HTTPS?
Answer: HTTP indicates that the Web browser exchanges with the device through HTTP. HTTPS
indicates that the Web browser exchanges with the device through HTTPS.
Result Verification
After a guest connects to the intranet, there is no need to enter an account and password; the guest can
access the Internet.
When a normal employee accesses the Internet, the USG firewall redirects the user to the authentication
page and asks the user to enter an account and password. Only when the user has entered the right
account and password can they access the network resources.
8 Firewall Networking Lab
8.1 VLAN Lab (Configuring the Communications Between VLANs Through the Vlanif Interface)
Lab Objectives
Upon completion of this experiment, you will be able to configure communication between VLANs
through the Vlanif interface.
Lab Device
Lab Topology
As shown in the figure below, VLAN100 of the USG includes Ethernet 4/0/0 and Ethernet 4/0/1.
VLAN200 includes Ethernet 4/0/2 and Ethernet 4/0/3. It is required that the hosts in VLAN100 and
VLAN200 can communicate with each other.
Figure: VLAN 100 (Ethernet 2/0/0, Ethernet 2/0/1; network 120.1.1.0/24) and VLAN 200 (Ethernet 2/0/2,
Ethernet 2/0/3; network 130.1.1.0/24).
Configuration Procedure (CLI)
Step 1 Configure VLANs and add interfaces.
Create VLAN100.
<USG> system-view
[USG] vlan 100
[USG-vlan-100] quit
Add Ethernet 2/0/0 to VLAN100.
Set the IP address of Vlanif 100.
[USG] interface vlanif 100
[USG-Vlanif100] ip address 120.1.1.1 24
[USG-Vlanif100] quit
Set the IP address of Vlanif 200.
[USG] interface vlanif 200
[USG-Vlanif200] ip address 130.1.1.1 24
[USG-Vlanif200] quit
Step 3 Add interfaces to the corresponding security zones and configure interzone packet filtering to
ensure normal network communication.
[USG]firewall zone trust
[USG-zone-trust]add interface Vlanif 100
[USG-zone-trust]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface Vlanif 200
[USG-zone-untrust]quit
[USG]policy interzone trust untrust inbound
[USG-policy-interzone-trust-untrust-inbound]policy 0
[USG-policy-interzone-trust-untrust-inbound-0]action permit
[USG-policy-interzone-trust-untrust-inbound-0]quit
[USG-policy-interzone-trust-untrust-inbound]quit
[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 0
[USG-policy-interzone-trust-untrust-outbound-0]action permit
[USG-policy-interzone-trust-untrust-outbound-0]quit
[USG-policy-interzone-trust-untrust-outbound]quit
Step 4 Set the IP address of the host gateway that belongs to VLAN100 to 120.1.1.1 and set that
belongs to VLAN200 to 130.1.1.1.
Configuration Procedure (WEB)
Step 1 Configure VLANs and add interfaces.
Add Ethernet 2/0/0 and Ethernet 2/0/1 to VLAN100 and add the interface to the trust zone. Choose
Network > Interface > Interface. Click the line where the entry to be modified resides.
Add Ethernet 2/0/2 and Ethernet 2/0/3 to VLAN200 and add the interface to the trust zone. Choose
Network > Interface > Interface. Click the line where the entry to be modified resides.
Step 2 Create Vlanif interfaces and add them to the security zones. Choose Network > Interface >
Interface. Click Add and create vlanif 100 and vlanif 200, as shown in the figure below.
Step 3 Configure interzone packet filtering to ensure normal network communication. Choose
Firewall > Security Policy > Forward Policy. Click Add in Forward Policy List. Enter or
select the parameters shown in the figure below.
Step 4 Set the IP address of the host gateway that belongs to VLAN100 to 120.1.1.1 and set that
belongs to VLAN200 to 130.1.1.1.
Result Verification
After the configuration, the hosts in VLAN100 and VLAN200 can ping each other.
PC2>ping 120.1.1.2
Ping 130.1.1.2: 32 data bytes, Press Ctrl_C to break
From 130.1.1.2: bytes=32 seq=1 ttl=127 time=16 ms
From 130.1.1.2: bytes=32 seq=4 ttl=127 time=31 ms
From 130.1.1.2: bytes=32 seq=5 ttl=127 time=47 ms
--- 130.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/31/47 ms
8.2 E1 Lab
Lab Objectives
Configure the E1 interface so that the PCs can communicate with each other through the E1 cable.
Lab Device
Configuration Procedure (CLI)
Step 1 Configure the E1 interface and set the work mode of the interface to E1 mode.
<USG-A>system-view
[USG-A]controller E1 1/0/0
[USG-A-E1 1/0/0]using e1
[USG-A-E1 1/0/0]quit
<USG-B>system-view
[USG-B]controller E1 1/0/0
[USG-B-E1 1/0/0]using e1
[USG-B-E1 1/0/0]quit
Step 2 Configure the IP address of Serial1/0/0:0.
[USG-A]interface Serial1/0/0:0
[USG-A-Serial1/0/0:0]ip address 200.200.200.1 255.255.255.0
[USG-A-Serial1/0/0:0]quit
[USG-B]interface Serial1/0/0:0
[USG-B-Serial1/0/0:0]ip address 200.200.200.2 255.255.255.0
[USG-B-Serial1/0/0:0]quit
[USG-A-zone-untrust]quit
[USG-B]firewall zone untrust
[USG-B-zone-untrust]add interface Serial1/0/0:0
[USG-B-zone-untrust]quit
Step 6 Configure interzone packet filtering to ensure normal network communication.
[USG-B]ip route-static 0.0.0.0 0.0.0.0 200.200.200.1
Configuration Procedure (WEB)
Step 1 Configure the E1 interface. Choose Network > Interface > Interface. In Interface List, click
E1 4/0/0 and configure the E1 interface. Click Apply when you have finished the configuration, as
shown in the figure below:
Step 2 Click Configure Timeslot Binding, select the Binding Mode as Binding All into One
Serial Port, and click Add. Leave other configurations as default. Click Apply.
After E1 1/0/0 is configured, new interface Serial 1/0/0:0 (Layer-3 interface) is displayed in
Interface List.
Step 3 Add interface Serial 1/0/0:0 to the untrust zone and add GigabitEthernet0/0/1 to the trust zone.
Choose Network > Interface > Interface. Click in the row where Serial 1/0/0:0 resides in Interface
List. Then enter or select the parameters listed in the following:
Keep default values for other parameters.
Step 4 Configure USG_B. (The procedure is the same as USG_A except the IP addresses. Omitted
here.)
Step 5 Configure interzone packet filtering to ensure normal network communication on USG_A and
USG_B. Choose Firewall > Security Policy > Forward Policy. Click Add in Forward Policy
List. Enter or select the parameters shown in the figure below.
Step 6 Configure the route on USG-A and USG-B to ensure normal network communication. Choose
Router > Static > Static Route, click Add, and enter or select the parameters shown in the figure
below.
Result Verification
In the Web GUI of USG_A, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter
192.168.2.1 in Host Name or IP Address. Click Advance; enter 192.168.1.1 in Source IP Address.
<USG-A>PING 192.168.2.1
56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
Ping from 192.168.2.1 to 192.168.1.1 on USG_A should be successful.
In the Web GUI of USG_B, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter
192.168.1.1 in Host Name or IP Address. Click Advance; enter 192.168.2.1 in Source IP Address:
<USG-B>PING 192.168.1.1
56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
8.3 SA Lab
Lab Objectives
Configure the SA interface so that the PCs can communicate with each other through the E1 cable.
Lab Device
Two USG firewalls, 2 PCs and one V35 cable.
Lab Topology: PC1 (192.168.1.1) connects to USG-A G0/0/1 (192.168.1.254); USG-A Serial4/0/0
(100.100.100.1) connects to USG-B Serial4/0/0 (100.100.100.2); USG-B G0/0/1 (192.168.2.254)
connects to PC2 (192.168.2.1).
Configuration Procedure (CLI)
Step 1 Set the IP address of the Serial 4/0/0 interface on USG_A and USG_B.
<USG-A>system-view
[USG-A]interface Serial 4/0/0
[USG-A-Serial4/0/0]ip address 100.100.100.1 255.255.255.0
<USG-B>system-view
[USG-B]interface Serial 4/0/0
[USG-B-Serial4/0/0]ip address 100.100.100.2 255.255.255.0
Step 2 Restart the interface to activate the configuration.
[USG-A-Serial4/0/0]shutdown
[USG-A-Serial4/0/0]undo shutdown
[USG-B-Serial4/0/0]shutdown
[USG-B-Serial4/0/0]undo shutdown
[USG-B-zone-untrust]quit
Step 4 Add GigabitEthernet 0/0/1 to the trust zone.
[USG-A]firewall zone trust
[USG-A-zone-trust]add interface GigabitEthernet 0/0/1
[USG-A-zone-trust]quit
[USG-B]firewall zone trust
[USG-B-zone-trust]add interface GigabitEthernet 0/0/1
[USG-B-zone-trust]quit
communication. Choose Firewall > Security Policy > Forward Policy. Click Add in Forward
Policy List. Enter or select the parameters shown in the figure below.
Step 4 Configure the route on USG-A and USG-B to ensure normal network communication. Choose
Router > Static > Static Route, click Add, and enter or select the parameters shown in the figure
below.
Result Verification
In the Web GUI of USG_A, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter
192.168.2.1 in Host Name or IP Address. Click Advance; enter 192.168.1.1 in Source IP Address.
<USG-A>PING 192.168.2.1
56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
Ping from 192.168.2.1 to 192.168.1.1 on USG_A should be successful.
In the Web GUI of USG_B, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter
192.168.1.1 in Host Name or IP Address. Click Advance; enter 192.168.2.1 in Source IP Address:
<USG-B>PING 192.168.1.1
56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
8.4 3G Lab
Lab Objectives
When the 3G interface card is installed on the USG firewall, we can configure the 3G function to access the
Internet through 3G. Through this task you will know how to configure the 3G function.
Lab Device
One USG2110-X firewall, one USB 3G card and one PC.
Lab Topology: the USG connects the intranet to the 3G network through Cellular 2/0/0.
Configuration Procedure (WEB)
Step 1 Configure the basic parameters of the interfaces. Choose Network > Interface > Interface. In
Interface List, click GE0/0/1. In Modify GigabitEthernet Interface, the configurations are
as in the figure below:
Keep the default settings for other parameters and click Apply.
Step 2 Configure 3G dial-up for accessing 3G networks. Choose Wireless&DSL > 3G > Settings. In
Basic Configuration, the configurations are as shown in the figure below.
In the Advanced area, select Obtain an IP Address Automatically and Obtain DNS Server
Address Automatically. Click Apply.
Step 3 Configure DHCP to allow the users to automatically obtain the IP addresses. Choose Network >
DHCP Server > Settings. In DHCP Service Information List click Add, the configurations
are as follow:
Select the Enable check box corresponding to DHCP Service in Configure DHCP Basic
Parameter.
Keep the default settings for other parameters. Click Apply.
Step 4 Configure interzone packet filtering to ensure normal network communication. Choose
Firewall > Security Policy > Forward Policy. Click Add in Forward Policy List. Enter or
select the parameters shown in the figure below.
e n
m /
c o
i .
w e
h ua
.
i ng
Step 5 Configure the PC (assume that the PC runs Windows 7). Right-click My Network Places and click Properties. The Network Connections window is displayed. Select the Local Area Connection of the network adapter, right-click it and choose Properties. The Local Area Connection Properties window is displayed.
Select Internet Protocol (TCP/IP), and click Properties. The Internet Protocol (TCP/IP) Properties page is displayed. Select Obtain an IP address automatically and Obtain DNS server address automatically.
Result Verification
9 VPN Lab
9.1 L2TP VPN Lab (Client-Initialized)
Lab Objectives
Through this task, you will know how to configure Client-Initialized L2TP.
Lab Device
One USG and two PCs.
Lab Topology
Step 5 Define an address pool and configure the user name and password (the same as those on the LAC client side).
[LNS]aaa
[LNS-aaa] ip pool 1 192.168.0.2 192.168.0.100
Step 6 Allocate an IP address for the peer interface from the IP address pool.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
Step 7 Add the interface to the security zones and configure the interzone packet filtering.
Step 8 Configure the LAC client side. The LAC client must have the L2TP client software installed and be connected to the Internet in dial-up mode. The following takes the Secoway VPN Client as an example. Click the icon to establish a new connection according to the New Connection Wizard. Choose Create a new connection by inputting parameters, then click Next.
Step 9 Set LNS Server IP, Username, and Password (vpdnuser/Hello123) on the Basic Settings page. Click Next.
Step 10 Input the Tunnel Name (client1) and Authentication Mode (CHAP). Select Enable Tunnel Authentication and input the Tunnel Authentication Password (password123). Complete to create the L2TP connection. Click Next.
Step 2 Configure the security forwarding policy. Choose Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward Policy List, click Add. Click Apply when you have finished the configuration, as shown in the figure below:
Step 3 Configure the L2TP parameters. Choose VPN > L2TP > L2TP. In Configure L2TP, select the
Step 5 Configure other L2TP parameters. Tunnel Name on Peer must be the same as Tunnel Name on Local configured on the LAC side. The peer tunnel name should be client1/Password123.
Step 6 Configure the server address and address pool, as shown in the figure below. Click Apply after finishing all the configurations.
Step 7 Configure the LAC client. The steps are the same as in the CLI configuration procedure; see Steps 8 to 11 in the configuration procedure (CLI) for reference.
Result Verification
Check the VPN users by using the display l2tp tunnel command on the LNS side.
[LNS] display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 192.168.2.2 1701 1 client1
In the web GUI, choose VPN > L2TP > Monitor. If the ID of the L2TP tunnel exists, the L2TP tunnel is successfully established.
Click Number of Sessions to view the detailed session information.
9.2 GRE VPN Lab
Lab Objectives
Upon completion of this experiment, you will be able to configure GRE VPN.
Lab Device
One USG firewall, and two PCs.
Lab Topology (figure): USG_A and USG_B connected by a GRE tunnel.
USG_A: G0/0/0 192.168.0.1/24, G0/0/1 192.13.2.1/24, Tunnel 0 10.1.2.1/24; PC A 192.168.0.2/24
USG_B: G0/0/0 192.168.1.1/24, G0/0/1 192.13.2.2/24, Tunnel 0 10.1.3.1/24; PC B 192.168.1.2/24
Configuration Procedure (CLI)
Step 1 Configure the IP addresses of the PCs. (omitted)
Step 2 Configure the IP addresses of the firewall interfaces.
Configure USG_A
[USG_A]interface GigabitEthernet 0/0/0
[USG_A-GigabitEthernet0/0/0]ip address 192.168.0.1 24
[USG_A-GigabitEthernet0/0/0]qu
[USG_A]interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1]ip add 192.13.2.1 30
Configure USG_B
[USG_B]interface GigabitEthernet 0/0/0
[USG_B-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[USG_B-GigabitEthernet0/0/0]qu
[USG_B]interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet0/0/1]ip add 192.13.2.2 30
Step 3 Add the interfaces into security zones and configure the interzone packet filtering policy.
Configure USG_A
[USG_A]firewall zone trust
[USG_A-zone-trust]add interface GigabitEthernet 0/0/0
[USG_A-zone-trust]quit
[USG_A]firewall zone untrust
[USG_A-zone-untrust]add interface GigabitEthernet 0/0/1
[USG_A-zone-untrust]quit
[USG_A]firewall packet-filter default permit interzone trust untrust direction outbound
[USG_A]firewall packet-filter default permit interzone trust untrust direction inbound
Configure USG_B
[USG_B]firewall zone trust
[USG_B-zone-trust]add interface GigabitEthernet 0/0/0
[USG_B-zone-trust]quit
[USG_B]firewall zone untrust
[USG_B-zone-untrust]add interface GigabitEthernet 0/0/1
[USG_B-zone-untrust]quit
[USG_B]firewall packet-filter default permit interzone trust untrust direction outbound
Step 4 Configure the tunnel interface and add it into the Untrust zone.
Configure USG_A
[USG_A]interface Tunnel 0
[USG_A-Tunnel0]tunnel-protocol gre
[USG_A-Tunnel0]ip address 10.1.2.1 24
[USG_A-Tunnel0]source 192.13.2.1
[USG_A-Tunnel0]destination 192.13.2.2
[USG_A-Tunnel0]quit
[USG_A]firewall zone untrust
[USG_A-zone-untrust]add interface Tunnel 0
[USG_A-zone-untrust]quit
Configure USG_B
[USG_B]interface Tunnel 0
[USG_B-Tunnel0]tunnel-protocol gre
[USG_B-Tunnel0]ip address 10.1.3.1 24
[USG_B-Tunnel0]source 192.13.2.2
[USG_B-Tunnel0]destination 192.13.2.1
[USG_B-Tunnel0]quit
[USG_B]firewall zone untrust
[USG_B-zone-untrust]add interface Tunnel 0
[USG_B-zone-untrust]quit
Step 5 Configure the static route.
Configure USG_A
[USG_A]ip route-static 192.168.1.0 24 Tunnel 0
Configure USG_B
[USG_B]ip route-static 192.168.0.0 24 Tunnel 0
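The most common reason a GRE tunnel like the one above stays down is that the two ends do not describe the same tunnel: a source that is not a local address, a destination that is not the peer's source, a tunnel interface left out of every zone, or a remote LAN with no route via the tunnel. The following Python script is an added example, not part of the lab guide or of Huawei's tooling: it parses the USG_A and USG_B commands above (copied into the script) and reports those inconsistencies. The prompt-parsing regex and the check rules are this example's own assumptions, and the second input is a constructed misconfiguration. Note that the checks concern reachability only; GRE itself offers no confidentiality or integrity for the traffic it carries.

```python
"""Added example: cross-check a pair of GRE tunnel configurations in USG CLI form."""
import re
from ipaddress import ip_interface, ip_network

# Copied from the USG_A / USG_B commands of this lab (only the lines the check needs).
LAB_CONFIG = """
[USG_A-GigabitEthernet0/0/0]ip address 192.168.0.1 24
[USG_A-GigabitEthernet0/0/1]ip add 192.13.2.1 30
[USG_A-Tunnel0]ip address 10.1.2.1 24
[USG_A-Tunnel0]source 192.13.2.1
[USG_A-Tunnel0]destination 192.13.2.2
[USG_A-zone-untrust]add interface Tunnel 0
[USG_A]ip route-static 192.168.1.0 24 Tunnel 0
[USG_B-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[USG_B-GigabitEthernet0/0/1]ip add 192.13.2.2 30
[USG_B-Tunnel0]ip address 10.1.3.1 24
[USG_B-Tunnel0]source 192.13.2.2
[USG_B-Tunnel0]destination 192.13.2.1
[USG_B-zone-untrust]add interface Tunnel 0
[USG_B]ip route-static 192.168.0.0 24 Tunnel 0
"""

# Constructed misconfiguration: USG_B points its tunnel at an address nobody owns.
BAD_CONFIG = LAB_CONFIG.replace("[USG_B-Tunnel0]destination 192.13.2.1",
                                "[USG_B-Tunnel0]destination 192.13.2.9")

# "[USG_A-Tunnel0]source 1.2.3.4" -> device "USG_A", view "Tunnel0", command "source 1.2.3.4"
PROMPT = re.compile(r"^\[([A-Za-z0-9_]+?)(?:-([^\]]+))?\]\s*(.*)$")


def parse_configs(text):
    """Build a per-device model: interface addresses, tunnel endpoints, zone members, static routes."""
    devs = {}
    for raw in text.strip().splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        dev, view, cmd = m.group(1), m.group(2) or "", m.group(3)
        d = devs.setdefault(dev, {"ifaces": {}, "tunnel": {}, "zones": {}, "routes": []})
        tok = cmd.split()
        if len(tok) == 4 and tok[0] == "ip" and tok[1].startswith("add"):   # "ip address" / "ip add"
            d["ifaces"][view] = ip_interface(f"{tok[2]}/{tok[3]}")
        elif view.startswith("Tunnel") and tok and tok[0] in ("source", "destination"):
            d["tunnel"]["name"] = view
            d["tunnel"][tok[0]] = tok[1]
        elif tok[:2] == ["ip", "route-static"]:
            # the next hop is an address or an interface name split in two tokens ("Tunnel 0")
            d["routes"].append((ip_network(f"{tok[2]}/{tok[3]}"), "".join(tok[4:])))
        elif tok[:2] == ["add", "interface"] and view.startswith("zone-"):
            d["zones"].setdefault(view[len("zone-"):], []).append("".join(tok[2:]))
    return devs


def check_gre_pair(devs, a, b):
    """Return a list of findings for the tunnel between devices a and b (empty list = consistent)."""
    findings = []
    for local, peer in ((a, b), (b, a)):
        L, P = devs[local], devs[peer]
        t, pt = L["tunnel"], P["tunnel"]
        tname = t.get("name", "Tunnel?")
        physical = {n: i for n, i in L["ifaces"].items() if not n.startswith("Tunnel")}
        if t.get("source") not in {str(i.ip) for i in physical.values()}:
            findings.append(f"{local}: tunnel source {t.get('source')} is not a local physical address")
        if t.get("destination") != pt.get("source"):
            findings.append(f"{local}: tunnel destination {t.get('destination')} "
                            f"does not match {peer} tunnel source {pt.get('source')}")
        if tname not in {m for members in L["zones"].values() for m in members}:
            findings.append(f"{local}: {tname} is not a member of any security zone")
        # every LAN behind the peer (its non-tunnel, non-underlay interfaces) needs a route via the tunnel
        peer_lans = [i.network for n, i in P["ifaces"].items()
                     if not n.startswith("Tunnel") and str(i.ip) != pt.get("source")]
        routed = {net for net, nh in L["routes"] if nh == tname}
        for lan in peer_lans:
            if lan not in routed:
                findings.append(f"{local}: no static route for {lan} via {tname}")
    return findings


def lab_findings():
    return check_gre_pair(parse_configs(LAB_CONFIG), "USG_A", "USG_B")


def bad_findings():
    return check_gre_pair(parse_configs(BAD_CONFIG), "USG_A", "USG_B")


if __name__ == "__main__":
    for label, result in (("lab", lab_findings()), ("bad", bad_findings())):
        print(label, "OK" if not result else result)
```

Run it against a `display current-configuration` capture of both ends (the prompt format is the same) before reaching for packet captures; the lab configuration passes cleanly, and the constructed input produces exactly one finding naming the wrong destination on USG_B.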
Configuration Procedure (WEB)
Step 1 Configure the IP addresses of the PCs. (omitted)
Step 2 Configure the IP addresses of the firewall interfaces. Choose Network > Interface > Interface. In Interface List, click the Modify icon of the interfaces.
Configure USG_A
Configure USG_B
Step 3 Configure the interzone packet filtering policy to ensure normal network communication. Choose Firewall > Security Policy > Local Policy. In Forward Policy List, click Add.
Configure USG_A
Configuration on USG_B is the same as on USG_A.
Step 4 Configure the tunnel interface, and add the tunnel interface into the Untrust zone. Choose VPN > GRE > GRE. In GRE Interface List, click Add. Configure the GRE interface parameters as shown in the figures below:
Configure USG_A
Configure USG_B
Step 5 Configure the static route. Choose Route > Static > Static Route. In Static Route List, click Add. On Add Static Route, set the parameters shown in the figures below:
Configure USG_A
Configure USG_B
Result Verification
10 IPSec VPN Lab
10.1 Configuring Point-to-Point IPSec Tunnel
Lab Objectives
Through this task, you will know how to configure a point-to-point IPSec tunnel with fixed public IP addresses.
Lab Topology (figure):
USG_A: G0/0/1 10.10.10.1/24, G0/0/0 192.168.0.1/24; Host 1 192.168.0.2/24
USG_B: G0/0/1 10.10.10.2/24, G0/0/0 192.168.1.1/24; Host 2 192.168.1.2/24
Configuration Procedure (CLI)
Configure USG_A
Step 1 Basic configurations which contain the IP addresses of the PC and USG interfaces. (omitted)
Step 2 Configure the default interzone packet filtering policy between the Trust zone and the Untrust zone.
[USG_A-policy-interzone-trust-untrust-inbound]qu
[USG_A]policy interzone trust untrust outbound
[USG_A-policy-interzone-trust-untrust-outbound]policy 0
[USG_A-policy-interzone-trust-untrust-outbound-0]action permit
[USG_A-policy-interzone-trust-untrust-outbound-0]qu
[USG_A]acl 3000
[USG_A]ike peer b
[USG_A-ike-peer-b]ike-proposal 10
[USG_A-ike-peer-b]remote-address 10.10.10.2
[USG_A-ike-peer-b]pre-shared-key abcde
[USG_A-ike-peer-b]quit
Step 8 Create IPSec policies on USG_A
[USG_A] ipsec policy map1 10 isakmp
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
Step 9 Apply IPSec policies to interfaces on USG_A
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] ipsec policy map1
Configure USG_B
Step 10 Basic configurations which contain the IP addresses of the PC and USG interfaces. (omitted)
Step 11 Configure the default interzone packet filtering policy between the Trust zone and the Untrust zone.
Step 12 Configure an ACL on USG_B to define the data flow to be protected.
[USG_B]acl 3000
[USG_B-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[USG_B-acl-adv-3000]quit
Step 13 Configure static routes from USG_B to the peer end.
[USG_B] ip route-static 192.168.0.0 255.255.255.0 10.10.10.1
Step 14 Create IPSec proposals on USG_B. (By default, the encapsulation mode for IPSec is the tunnel mode, the security protocol for IPSec is ESP, the authentication algorithm for ESP is MD5, and the encryption algorithm for ESP is DES.)
[USG_B]ipsec proposal tran1
[USG_B-ipsec-proposal-tran1]encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1]transform esp
[USG_B-ipsec-proposal-tran1]esp authentication-algorithm md5
[USG_B-ipsec-proposal-tran1]esp encryption-algorithm des
[USG_B-ipsec-proposal-tran1]quit
Step 15 Create IKE proposals on USG_B. (By default, the authentication mode for IKE is pre-shared key.)
[USG_B]ike peer a
[USG_B-ike-peer-a]ike-proposal 10
[USG_B-ike-peer-a]remote-address 10.10.10.1
[USG_B-ike-peer-a]pre-shared-key abcde
[USG_B-ike-peer-a]quit
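An IKE/IPSec pair only negotiates when the two ends agree: the same pre-shared key, each remote-address equal to the interface the other side binds its IPSec policy to, and ACL 3000 on one side being the mirror image of ACL 3000 on the other. The following Python check is an added example, not part of the lab guide or of Huawei's software. It converts VRP ACL wildcard masks to prefixes and compares the two peers. The USG_B lines are copied from Steps 12 to 15; the USG_A ACL rule (Steps 3 to 7 are not shown above), and the G0/0/1 addresses and policy binding on both devices (taken from the topology and Step 9), are assumptions of this example.

```python
"""Added example: check that two IPSec peers (USG CLI form) describe the same tunnel."""
import re
from ipaddress import ip_network

# USG_B lines copied from Steps 12-15 above; the G0/0/1 address (10.10.10.2, from the topology)
# and the "ipsec policy map1" binding are assumed.
USG_B = """
[USG_B-GigabitEthernet0/0/1]ip address 10.10.10.2 24
[USG_B-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[USG_B-ike-peer-a]remote-address 10.10.10.1
[USG_B-ike-peer-a]pre-shared-key abcde
[USG_B-GigabitEthernet0/0/1]ipsec policy map1
"""

# USG_A: IKE peer and binding from Steps 2-9 above; the ACL rule is assumed to be the mirror image
# of USG_B's rule (the lab does not show it).
USG_A = """
[USG_A-GigabitEthernet0/0/1]ip address 10.10.10.1 24
[USG_A-acl-adv-3000]rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[USG_A-ike-peer-b]remote-address 10.10.10.2
[USG_A-ike-peer-b]pre-shared-key abcde
[USG_A-GigabitEthernet0/0/1]ipsec policy map1
"""

# Constructed mismatch: USG_B typed a different key.
USG_B_WRONG_KEY = USG_B.replace("pre-shared-key abcde", "pre-shared-key abcdf")

PROMPT = re.compile(r"^\[[A-Za-z0-9_]+(?:-([^\]]+))?\]\s*(.*)$")
RULE = re.compile(r"rule\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """VRP ACLs use wildcard masks (0 bit = must match): 0.0.0.255 means /24, 0.0.0.0 means a host."""
    w = int.from_bytes(bytes(int(o) for o in wildcard.split(".")), "big")
    mask = ~w & 0xFFFFFFFF
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:   # ones must be contiguous from the top
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix length")
    return ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)


def parse_peer(text):
    """Extract protected flows, PSK, IKE remote address and the address of the interface bound to IPSec."""
    cfg = {"flows": [], "psk": None, "remote": None, "ifaces": {}, "bound": None}
    for raw in text.strip().splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        view, cmd = m.group(1) or "", m.group(2)
        r = RULE.search(cmd)
        if r:
            cfg["flows"].append((wildcard_to_network(r.group(1), r.group(2)),
                                 wildcard_to_network(r.group(3), r.group(4))))
        elif cmd.startswith("pre-shared-key "):
            cfg["psk"] = cmd.split(None, 1)[1]
        elif cmd.startswith("remote-address "):
            cfg["remote"] = cmd.split()[1]
        elif cmd.startswith("ip address "):
            cfg["ifaces"][view] = cmd.split()[2]
        elif cmd.startswith("ipsec policy ") and view.startswith("GigabitEthernet"):
            cfg["bound"] = view
    cfg["local"] = cfg["ifaces"].get(cfg["bound"])   # the address the peer must dial
    return cfg


def check_ipsec_pair(a, b, a_name="USG_A", b_name="USG_B"):
    """Findings about mismatches between the two ends; an empty list means they agree."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    for me, other, mn, on in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        if me["remote"] != other["local"]:
            findings.append(f"{mn}: remote-address {me['remote']} is not the interface "
                            f"{on} binds its IPSec policy to ({other['local']})")
        mirrored = {(dst, src) for src, dst in other["flows"]}
        for src, dst in me["flows"]:
            if (src, dst) not in mirrored:
                findings.append(f"{mn}: protected flow {src} -> {dst} has no mirror rule on {on}")
    return findings


def lab_findings():
    return check_ipsec_pair(parse_peer(USG_A), parse_peer(USG_B))


def wrong_key_findings():
    return check_ipsec_pair(parse_peer(USG_A), parse_peer(USG_B_WRONG_KEY))


if __name__ == "__main__":
    print("lab:", lab_findings() or "OK")
    print("wrong key:", wrong_key_findings())
```

The mirror test is deliberately exact: a `/24` on one side against a `/16` on the other is reported, because a wider selector on one peer makes phase 2 negotiation fail or protect less than intended.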
Configuration Procedure (WEB)
Configure USG_A
Step 19 Basic configurations which contain the IP addresses of the PC and USG interfaces. (omitted)
Step 20 Configure the default interzone packet filtering policy between the Trust zone and the Untrust zone. Configure the security policy between the Local zone and the Untrust zone.
Step 21 Configure a static route from USG_A to network B, with the next-hop IP address of 1.1.1.2. Choose Route > Static > Static Route. In Static Route List, click Add. On the Add Static Route page, configure the following parameters.
Step 22 Configure IKE phase 1 and IKE phase 2. Choose VPN > IPSec > IKE Negotiation. Click Phase 1 and set the IKE phase 1 parameters on the Add Phase 1 page; Pre-Shared Key is set to abcde.
Step 23 Click the icon next to ike_b to create IKE phase 2. Configure the IKE phase 2 parameters on the Add Phase 2 page. Click Apply.
Step 24 Apply the IPSec policy. Choose VPN > IPSec > IPSec Policy. Click Add. Configure the IPSec policy parameters on the Add IPSec Policy page, and configure the data flow to be protected by the IPSec tunnel.
Step 25 Bind the IPSec policy to the interface. Choose VPN > IPSec > IPSec Policy. Click Applied to interface: - NONE - of policy1, select GE0/0/1 from the drop-down list. Click Apply.
NOTE:
The configuration of USG_B is similar to that of USG_A except for the static route, the peer end IP address and the data flow to be protected. For those three different parts of the configuration, please see the procedures below. Others are omitted.
Result Verification
After the configuration is complete, ping an IP address of network B from network A. The IP address can be pinged successfully. Run the display ike sa and display ipsec sa commands on USG_A and USG_B to view the establishment of SAs. For example, on USG_B, if the following information is displayed, the IKE SA and IPSec SA are established successfully.
<USG_B> display ike sa
current ike sa number: 2
---------------------------------------------------------------------------------------------------
conn-id peer flag phase vpn
---------------------------------------------------------------------------------------------------
101 10.10.10.1 RD v2:2 public
100 10.10.10.1 RD v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
In the Web GUI, check the establishment of a security association (SA) on USG_A and USG_B. For example, on USG_A, if the following information is displayed, an IPSec tunnel is established successfully. Choose VPN > IPSec > Monitor. In IPSec Traffic Statistics, click Refresh to view the traffic statistics of all IPSec tunnels.
In SA Monitoring, select IKE SA List and click Refresh to view information about the established IKE SA.
In SA Monitoring, select IPSec SA List and click Refresh to view information about the established IPSec SA.
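Reading the display ike sa table by hand works for one tunnel; for monitoring it is better to decide mechanically whether a peer is really up, which means a READY (RD) phase-1 SA and a READY phase-2 SA for that peer. The following parser is an added example, not part of the lab guide or of Huawei's software. The first sample is the USG_B output shown above; the second is a constructed output in the same format, showing a phase-1 SA that is still NEGOTIATING (the state a mismatched pre-shared key leaves you in) and no phase-2 SA. The column regex and the state names are this example's own.

```python
"""Added example: parse 'display ike sa' output and decide whether a tunnel is really up."""
import re

# Copied from the USG_B output above.
SAMPLE = """<USG_B> display ike sa
current ike sa number: 2
---------------------------------------------------------------------------------------------------
conn-id peer flag phase vpn
---------------------------------------------------------------------------------------------------
101 10.10.10.1 RD v2:2 public
100 10.10.10.1 RD v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
"""

# Constructed: phase 1 still negotiating, no phase 2 yet.
SAMPLE_NEG = """<USG_B> display ike sa
current ike sa number: 1
---------------------------------------------------------------------------------------------------
conn-id peer flag phase vpn
---------------------------------------------------------------------------------------------------
102 10.10.10.1 NEG v2:1 public
"""

# conn-id, peer address, flags, phase ("v2:1" = IKE, "v2:2" = IPSec), VPN instance
ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(v[12]:[12])\s+(\S+)\s*$")
COUNT = re.compile(r"current ike sa number:\s*(\d+)")


def parse_ike_sa(text):
    """One dict per SA row; combined flags such as 'RD|ST' are split into a list."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"conn_id": int(m.group(1)), "peer": m.group(2),
                         "flags": m.group(3).split("|"), "phase": m.group(4), "vpn": m.group(5)})
    return rows


def declared_count(text):
    """The SA count the device itself prints; compare it with len(parse_ike_sa(text))."""
    m = COUNT.search(text)
    return int(m.group(1)) if m else None


def tunnel_state(rows, peer):
    """'up' needs a READY phase-1 (IKE) SA and a READY phase-2 (IPSec) SA to the peer."""
    by_phase = {}
    for r in rows:
        if r["peer"] == peer:
            by_phase[r["phase"].split(":")[1]] = r["flags"]   # "1" or "2"
    if "1" not in by_phase:
        return "down"
    if "RD" not in by_phase["1"]:
        return "negotiating"
    if "2" not in by_phase or "RD" not in by_phase["2"]:
        return "ike-only"
    return "up"


if __name__ == "__main__":
    rows = parse_ike_sa(SAMPLE)
    print(declared_count(SAMPLE), "SAs declared,", len(rows), "parsed")
    print("10.10.10.1:", tunnel_state(rows, "10.10.10.1"))
    print("10.10.10.1 (constructed):", tunnel_state(parse_ike_sa(SAMPLE_NEG), "10.10.10.1"))
```

The "ike-only" state is the one worth alerting on: phase 1 succeeded, so the key and peer address are right, and the remaining suspects are the ACL selectors and the IPSec proposal.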
11 SSL VPN Lab
11.1 Web Proxy/File Sharing/Port Forwarding/Network Extension
Lab Objectives
Through this task, you will know how to configure the following functions of SSL VPN:
Web Proxy
Port Forwarding
File sharing
Network extension
Lab Device
Lab Topology (figure): PC 2 (192.168.1.2/24) -- USG -- PC 1 (10.10.10.2/24)
Configuration Procedure (WEB)
Step 1 Basic configurations which contain the IP addresses of the PC and USG interfaces. (omitted)
Step 2 Create a virtual gateway. Choose VPN > SSL VPN > VG Management. Click Add. Name the virtual gateway Test and configure the basic information about the virtual gateway.
Step 3 Choose VPN > SSL VPN > VG Menu, and choose the virtual gateway Test that was just created.
Step 4 Create a user account. Click VG Test, choose VPNDB configuration, and click the add icon to create a new user named TestUser with the password password123.
Step 5 Enable the Web proxy service. In the VG Menu navigation tree, choose VG Menu > test > Web Proxy. In the Web Proxy group box, select the Enable web proxy check box to enable the Web proxy function.
In the Web Proxy Resource Management group box, click the Web-link Resource tab. Click Add to add resources of the Web mail server.
Step 6 Enable the file sharing function. Choose VPN > SSL VPN > VG Menu. In the VG Menu navigation tree, choose VG Menu > test > File Sharing. Select the Enable file sharing function check box.
Step 8 Enable the network extension function. In the VG Menu navigation tree, choose VG Menu > test > Network Extension. Select the Enable network extension function check box to enable the network extension function.
In the IP Address Allocation Mode of the Client group box, allocate the IP address to the client.
In the Client Routing Mode group box, click Split Tunnel.
Result Verification
Open the USG SSL VPN page through https://10.10.10.1 and log in with the account just created.
After logging in successfully, you will see the Web Proxy, File Sharing, Port Forwarding and Network Extension services.
Click Test Web Server; another IE tab is displayed, and the USG address is added to the server address.
Click the file sharing resource; you will be asked to log in to the file share server to fetch the file resources.
Under port forwarding, click Start to start the port forwarding service, and try to connect to the test server by using telnet.
Start the network extension service under network extension.
After it has started, check the IP address of the PC; you will find that the PC obtained an IP address from the address pool configured on the USG.
12 UTM Lab
12.1 Virus Database or IPS Signature Database Update
Lab Objectives
Get familiar with how to update the AV database and the IPS signature database through scheduled online update.
1. Update the AV database and the IPS signature database through the security service center at a scheduled time;
2. Configure the IPS scheduled online update function; the update time is 02:00 am;
3. Configure the AV database scheduled online update function; the update time is 01:00 am.
Lab Device
Lab Topology (figure): UTM Firewall (1), connected to the Intranet and to the Security Service Center (2).
Item | Device | Data
(1) | USG (whose signature database and virus database need to be updated) | Interface number: GigabitEthernet 0/0/0; IP address: 192.168.17.3/24; Security zone: Trust
Configuration Procedure (CLI)
Step 1 Firewall basic configuration. Configure the firewall IP address and add the interface into security zones. Then configure the default route and the security forwarding policy. (Omitted)
Step 2 Set the running mode to UTM.
<USG> system-view
[USG] runmode utm
NOTE: Switching the running mode takes effect only after the device restarts. You are advised to save the configurations and restart the device as prompted.
Enable the scheduled online update for the IPS and AV.
[USG] update schedule ips enable
[USG] update schedule av enable
Set the time of the scheduled online update.
[USG] update schedule ips daily 0200
[USG] update schedule av daily 0100
Install the newest IPS signature version.
[USG] update apply ips
Configuration Procedure (WEB)
Step 1 Enable the UTM function. Choose UTM > Settings > Settings, select Enable to enable UTM, and click Apply.
Step 2 Configure the security service center. Choose System > Maintenance > Update Center. Do not select Open corresponding to Internal Update. In the Domain Name of Security Service Server text box, enter the domain name: sec.huawei.com.
Step 3 Add the DNS server. Choose Network > DNS > DNS. In DNS Server List, input the IP address of the DNS server, then click Add.
Step 4 Configure the scheduled online update of the USG. Choose System > Maintenance > Update Center. Select Anti Virus or Intrusion Prevention, click Scheduled Update, and input the daily update time. Click Apply.
Result Verification
Result: (CLI)
1. Run the display update configuration command to check the internal update information.
<USG2200>display update configuration
Update time : 11:04:44 2013/06/09
Issue time of the update file : 07:44:08 2013/06/06
Backup version :
Version number : 20130522.011
Engine version : 4.5.6.37
Engine size : 5757574 bytes
Signature database version : 20130522.011
Signature database size : 695019 bytes
Factory default version :
Version number : 0.000
Engine size : 4106904 bytes
Signature database version : 20130527.004
Signature database size : 111538965 bytes
Update time : 17:45:41 2013/06/08
Issue time of the update file : 09:57:49 2013/05/27
Factory default version :
Version number : 0.000
Engine version : 0.0.0.0
Engine size : 0 bytes
Signature database version : 0.000
Update time : 00:00:00 0000/00/00
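A scheduled update only helps if someone notices when it stops working, and the version strings above carry the information needed for that: the signature database version starts with its YYYYMMDD build date, and an empty slot shows 0.000. The following Python script is an added example, not part of the lab guide or of Huawei's software. It parses output in the key : value form shown above into sections and flags a signature database older than a chosen number of days. The sample is constructed in that format with the values shown above; the "Current version :" section label is an assumption, as are the field names used in the report.

```python
"""Added example: parse 'display update configuration' output and flag a stale signature database."""
import re
from datetime import datetime

# Constructed in the format of the output above; field values are the ones shown there,
# the "Current version :" section label is assumed.
SAMPLE = """<USG2200>display update configuration
Current version :
Version number : 20130522.011
Engine version : 4.5.6.37
Engine size : 5757574 bytes
Signature database version : 20130522.011
Signature database size : 695019 bytes
Update time : 11:04:44 2013/06/09
Issue time of the update file : 07:44:08 2013/06/06
Backup version :
Version number : 0.000
Engine version : 0.0.0.0
Engine size : 0 bytes
Signature database version : 0.000
Update time : 00:00:00 0000/00/00
"""

# key up to the first colon, value after it ("Update time : 11:04:44 2013/06/09" keeps its inner colons)
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_update_configuration(text):
    """Group 'key : value' lines under the section header ('... version :') that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "":                      # a header line such as "Backup version :"
            current = sections.setdefault(key, {})
        elif current is not None:
            current[key] = value
    return sections


def signature_age_days(section, as_of):
    """Days between the YYYYMMDD prefix of the signature database version and as_of (YYYY/MM/DD)."""
    m = re.match(r"(\d{8})\.\d+$", section.get("Signature database version", ""))
    if not m:
        return None                          # e.g. "0.000" in an empty slot
    return (datetime.strptime(as_of, "%Y/%m/%d") - datetime.strptime(m.group(1), "%Y%m%d")).days


def update_report(text, as_of, max_age_days=30):
    """Summarise the current slot and say whether its signature database is older than max_age_days."""
    sections = parse_update_configuration(text)
    cur = sections.get("Current version", {})
    age = signature_age_days(cur, as_of)
    return {
        "engine": cur.get("Engine version"),
        "signature_version": cur.get("Signature database version"),
        "signature_age_days": age,
        "stale": age is None or age > max_age_days,
        "backup_available": signature_age_days(sections.get("Backup version", {}), as_of) is not None,
    }


if __name__ == "__main__":
    print(update_report(SAMPLE, "2013/06/09"))
```

With the date of the last update (2013/06/09) as the reference, the database is 18 days old: acceptable for a 30-day threshold, stale for a 7-day one. Feeding this the real command output from a scheduled job turns the lab's "check the update information" step into an alert.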
Lab Topology (figure):
UTM Firewall: G0/0/0 10.0.0.1/24 (Trust, internal network); G0/0/1 192.168.17.3/24 (Untrust, next hop 192.168.17.254/24, HTTP Server on the Internet); Ethernet2/0/0 10.0.10.1/24 (DMZ, internal HTTP Server)
Configuration Procedure (CLI)
Step 1 Set the running mode to UTM.
<USG> system-view
[USG] runmode utm
NOTE: Switching the running mode takes effect only after the device restarts. You are advised to save the configurations and restart the device as prompted.
Step 3 Enable the IPS function and configure its working mode as protective.
[USG] ips enable
[USG] ips mode protective
Configure the IPS policy to protect the HTTP server on the intranet.
[USG] policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound] policy 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy service service-set http
[USG-policy-interzone-dmz-untrust-inbound-0] policy destination 10.0.10.0 0.0.0.255
[USG-policy-interzone-dmz-untrust-inbound-0] action permit
[USG-policy-interzone-dmz-untrust-inbound-0] policy ips protecthttp
[USG-policy-interzone-dmz-untrust-inbound-0] return
Apply IPS policy protectpc in the outbound direction of the interzone between the Trust zone and the Untrust zone.
<USG> system-view
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 1
[USG-policy-interzone-trust-untrust-outbound-1] policy service service-set http
[USG-policy-interzone-trust-untrust-outbound-1] policy source 10.0.0.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-1] action permit
[USG-policy-interzone-trust-untrust-outbound-1] policy ips protectpc
It is recommended to choose Save configurations and restart device to save the configurations and then restart the device. Otherwise, after the device restarts, the unsaved configurations will be lost.
Configuration Procedure (WEB)
Step 3 Configure static routing to ensure network connectivity. The next hop is the directly connected interface IP address on the router. Choose Router > Static > Static Route. In Static Route List, click Add. In Add Static Route, input the next-hop address and click Apply.
Step 4 Enable the IPS function and configure the IPS mode. Choose UTM > Intrusion Prevention > Policy. Click the IPS Policy tab. In the Configure Global Parameter group box, the configurations are as follows:
IPS Function: Enable
Working Mode: Protective
Create IPS policy protecthttp. Choose UTM > Intrusion Prevention > Policy. Click the IPS Policy tab. In IPS Policy List, click Add. In Add IPS Policy, create an IPS policy named protecthttp. Click Apply.
Create a signature set in the IPS policy and configure the status and response mode of the signature set. In Signature Set List, click Add. In Add Signature Set, configure the parameters below and click Apply.
Apply the IPS policy. Choose Firewall > Security Policy > Forward Policy. In Forward Policy List, click Add, configure the parameters below, and click Apply.
Result Verification
1. When a malicious user on the Internet launches HTTP attacks with a severity level higher than major against the intranet HTTP server, the connection is blocked.
2. When a user wants to access a malicious website, the connection is blocked.
12.3 UTM AV Lab
Lab Objectives
Be familiar with the configuration of AV for intranet users accessing Web pages and FTP servers on the Internet.
Lab Device
Lab Topology (figure): PC 10.0.0.100/24
Configuration Procedure (CLI)
Step 1 Set the running mode to UTM.
<USG> system-view
[USG] runmode utm
Switching the running mode takes effect only after the device restarts. You are advised to save the configurations and restart the device as prompted.
Step 2 Configure the basic data of the USG. (Omitted) We need to configure the default route to let the firewall access the Internet. The next-hop address
Step 3 Set the AV global parameters.
[USG] av scan-level 2
[USG] av max-decompress-layer 10
Step 4 Create an AV policy and complete the public configuration of the AV policy.
Step 5 Configure the AV policy for the files transmitted through HTTP.
[USG-av-policy-policy1] http web-push-notification find-virus
[USG-av-policy-policy1] http scan-mode intelliscan
[USG-av-policy-policy1] http enable
[USG-av-policy-policy1] http max-file-size 10
[USG-av-policy-policy1] http download enable
[USG-av-policy-policy1] http resume-transfer enable
Step 6 Configure the AV policy for the files transmitted through FTP.
[USG-av-policy-policy1] ftp action block
[USG-av-policy-policy1] ftp push-notification the file has security risks
[USG-av-policy-policy1] ftp scan-mode intelliscan
[USG-av-policy-policy1] ftp enable
[USG-av-policy-policy1] ftp max-file-size 10
[USG-av-policy-policy1] ftp upload enable
[USG-av-policy-policy1] ftp download enable
[USG-av-policy-policy1] ftp resume-transfer enable
[USG-av-policy-policy1] quit
Step 7 Configure the firewall policy in the interzone between the DMZ and the Untrust zone, and apply the AV policy.
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 5
[USG-policy-interzone-trust-untrust-outbound-5] action permit
Configuration Procedure (WEB)
Step 4 Set the AV global parameters. Choose UTM > Anti Virus > Policy. In Configure Global Parameter, configure the parameters below and click Apply.
Step 5 Create an AV policy. Choose UTM > Anti Virus > Policy. In AV Policy List, click Add. In Add Policy, create an AV policy named policy1. Click Apply.
Step 6 In HTTP Settings, configure the parameters as below:
Step 7 In FTP Settings, configure the parameters as below:
1. In the SMTP Settings area, clear the Virus Scan check box to disable AV scanning for SMTP.
2. In the POP3 Settings area, clear the Virus Scan check box to disable AV scanning for POP3.
Step 8 Apply the AV policy. Choose Firewall > Security Policy > Forward Policy. In Forward Policy List, click Add, configure the parameters as below, and then click Apply.
Result Verification
When users access Web pages containing viruses, the USG blocks the connection.
When users upload or download files containing viruses, the USG blocks the connection.